package org.forgerock.openam.scripting.service;

import com.google.inject.Inject;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.datastruct.ValueNotFoundException;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSEntry;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceConfig;
import com.sun.identity.sm.ServiceConfigManager;
import com.sun.identity.sm.ServiceListener;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.annotation.concurrent.GuardedBy;
import javax.security.auth.Subject;
import org.forgerock.openam.core.CoreWrapper;
import org.forgerock.openam.scripting.ScriptConstants;
import org.forgerock.openam.scripting.ScriptException;
import org.forgerock.openam.scripting.service.ScriptConfiguration;
import org.forgerock.openam.utils.Time;
import org.forgerock.util.Reject;
import org.forgerock.util.query.QueryFilter;
import org.slf4j.Logger;

/* loaded from: input_file:org/forgerock/openam/scripting/service/ScriptConfigurationService.class */
public class ScriptConfigurationService implements ScriptingService, ServiceListener {
    private static final ScriptConfigurationQueryFilterVisitor SCRIPT_CONFIGURATION_QUERY_FILTER_VISITOR = new ScriptConfigurationQueryFilterVisitor();
    private final Logger logger;
    private final String realm;
    private final CoreWrapper coreWrapper;
    private final ServiceConfigManager scm;
    private ReentrantReadWriteLock lock = new ReentrantReadWriteLock();

    @GuardedBy("lock")
    private Map<String, ScriptConfiguration> realmConfigurations;

    @GuardedBy("lock")
    private Map<String, ScriptConfiguration> globalConfigurations;

    @Inject
    public ScriptConfigurationService(Logger logger, String str, CoreWrapper coreWrapper, ServiceConfigManager serviceConfigManager) {
        Reject.ifNull(str);
        this.logger = logger;
        this.realm = str;
        this.coreWrapper = coreWrapper;
        this.scm = serviceConfigManager;
        init();
    }

    private void init() {
        reload();
        this.scm.addListener(this);
    }

    private void reload() {
        int readHoldCount = this.lock.getReadHoldCount();
        for (int i = 0; i < readHoldCount; i++) {
            this.lock.readLock().unlock();
        }
        this.lock.writeLock().lock();
        try {
            try {
                this.realmConfigurations = getScriptConfigurations(getSubOrgConfig());
                this.globalConfigurations = getScriptConfigurations(getSubGlobalConfig());
                for (int i2 = 0; i2 < readHoldCount; i2++) {
                    this.lock.readLock().lock();
                }
                this.lock.writeLock().unlock();
            } catch (SSOException | SMSException | ScriptException e) {
                throw new IllegalStateException("Could not initialise script configurations for realm " + this.realm, e);
            }
        } catch (Throwable th) {
            for (int i3 = 0; i3 < readHoldCount; i3++) {
                this.lock.readLock().lock();
            }
            this.lock.writeLock().unlock();
            throw th;
        }
    }

    private Map<String, ScriptConfiguration> getScriptConfigurations(ServiceConfig serviceConfig) throws SMSException, SSOException, ScriptException {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        for (String str : serviceConfig.getSubConfigNames()) {
            linkedHashMap.put(str, scriptConfigurationFromMap(str, serviceConfig.getSubConfig(str).getAttributesForRead()));
        }
        return linkedHashMap;
    }

    @Override // org.forgerock.openam.scripting.service.ScriptingService
    public ScriptConfiguration create(ScriptConfiguration scriptConfiguration, Subject subject) throws ScriptException {
        this.lock.readLock().lock();
        try {
            failIfUuidExists(scriptConfiguration.getId());
            failIfNameExists(scriptConfiguration.getName());
            ScriptConfiguration metaData = setMetaData(scriptConfiguration, subject);
            save(metaData);
            this.lock.readLock().unlock();
            return metaData;
        } catch (Throwable th) {
            this.lock.readLock().unlock();
            throw th;
        }
    }

    @Override // org.forgerock.openam.scripting.service.ScriptingService
    public ScriptConfiguration update(ScriptConfiguration scriptConfiguration, Subject subject) throws ScriptException {
        this.lock.readLock().lock();
        try {
            if (!get(scriptConfiguration.getId()).getName().equals(scriptConfiguration.getName())) {
                failIfNameExists(scriptConfiguration.getName());
            }
            ScriptConfiguration metaData = setMetaData(scriptConfiguration, subject);
            save(metaData);
            this.lock.readLock().unlock();
            return metaData;
        } catch (Throwable th) {
            this.lock.readLock().unlock();
            throw th;
        }
    }

    @Override // org.forgerock.openam.scripting.service.ScriptingService
    public void delete(String str) throws ScriptException {
        Reject.ifTrue(this.lock.getReadHoldCount() > 0, "Should not already be locked for reading");
        this.lock.readLock().lock();
        try {
            failIfUuidDoesNotExist(str);
            ScriptConfiguration scriptConfiguration = get(str);
            if (containsGlobalUuid(str) || isDefaultScript(scriptConfiguration)) {
                throw new ScriptException(ScriptConstants.ScriptErrorCode.DELETING_DEFAULT_SCRIPT, scriptConfiguration.getName());
            }
            try {
                this.lock.readLock().unlock();
                this.lock.writeLock().lock();
                try {
                    int usageCount = getUsageCount(scriptConfiguration);
                    if (usageCount > 0) {
                        if (usageCount != 1) {
                            throw new ScriptException(ScriptConstants.ScriptErrorCode.DELETING_SCRIPT_IN_USE_PLURAL, scriptConfiguration.getName(), Integer.toString(usageCount));
                        }
                        throw new ScriptException(ScriptConstants.ScriptErrorCode.DELETING_SCRIPT_IN_USE_SINGULAR, scriptConfiguration.getName());
                    }
                    getSubOrgConfig().removeSubConfig(str);
                    this.realmConfigurations.remove(str);
                    this.lock.readLock().lock();
                    this.lock.writeLock().unlock();
                } catch (SSOException | SMSException e) {
                    throw ScriptException.createAndLogError(this.logger, ScriptConstants.ScriptErrorCode.DELETE_FAILED, e, str, this.realm);
                }
            } catch (Throwable th) {
                this.lock.readLock().lock();
                this.lock.writeLock().unlock();
                throw th;
            }
        } finally {
            this.lock.readLock().unlock();
        }
    }

    @Override // org.forgerock.openam.scripting.service.ScriptingService
    public Set<ScriptConfiguration> getAll() {
        HashSet hashSet = new HashSet();
        this.lock.readLock().lock();
        try {
            hashSet.addAll(this.realmConfigurations.values());
            hashSet.addAll(this.globalConfigurations.values());
            return hashSet;
        } finally {
            this.lock.readLock().unlock();
        }
    }

    @Override // org.forgerock.openam.scripting.service.ScriptingService
    public ScriptConfiguration get(String str) throws ScriptException {
        this.lock.readLock().lock();
        try {
            failIfUuidDoesNotExist(str);
            ScriptConfiguration scriptConfiguration = this.realmConfigurations.get(str);
            return scriptConfiguration != null ? scriptConfiguration : this.globalConfigurations.get(str);
        } finally {
            this.lock.readLock().unlock();
        }
    }

    @Override // org.forgerock.openam.scripting.service.ScriptingService
    public Set<ScriptConfiguration> get(QueryFilter<String> queryFilter) {
        return (Set) queryFilter.accept(SCRIPT_CONFIGURATION_QUERY_FILTER_VISITOR, getAll());
    }

    private void failIfNameExists(String str) throws ScriptException {
        if (containsName(str)) {
            throw ScriptException.createAndLogDebug(this.logger, ScriptConstants.ScriptErrorCode.SCRIPT_NAME_EXISTS, str, this.realm);
        }
    }

    private void failIfUuidExists(String str) throws ScriptException {
        if (containsUuid(str)) {
            throw ScriptException.createAndLogError(this.logger, ScriptConstants.ScriptErrorCode.SCRIPT_UUID_EXISTS, str, this.realm);
        }
    }

    private void failIfUuidDoesNotExist(String str) throws ScriptException {
        if (!containsUuid(str)) {
            throw ScriptException.createAndLogError(this.logger, ScriptConstants.ScriptErrorCode.SCRIPT_UUID_NOT_FOUND, str, this.realm);
        }
    }

    private ScriptConfiguration setMetaData(ScriptConfiguration scriptConfiguration, Subject subject) throws ScriptException {
        long time = Time.newDate().getTime();
        String principalId = SubjectUtils.getPrincipalId(subject);
        ScriptConfiguration.Builder populatedBuilder = scriptConfiguration.populatedBuilder();
        if (containsUuid(scriptConfiguration.getId())) {
            ScriptConfiguration scriptConfiguration2 = get(scriptConfiguration.getId());
            populatedBuilder.setCreatedBy(scriptConfiguration2.getCreatedBy());
            populatedBuilder.setCreationDate(scriptConfiguration2.getCreationDate());
        } else {
            populatedBuilder.setCreatedBy(principalId);
            populatedBuilder.setCreationDate(time);
        }
        populatedBuilder.setLastModifiedBy(principalId);
        populatedBuilder.setLastModifiedDate(time);
        return populatedBuilder.build();
    }

    private void save(ScriptConfiguration scriptConfiguration) throws ScriptException {
        this.lock.readLock().unlock();
        this.lock.writeLock().lock();
        try {
            try {
                createCollectionConfig();
                Map<String, Set<String>> scriptConfigurationData = getScriptConfigurationData(scriptConfiguration);
                if (containsGlobalUuid(scriptConfiguration.getId())) {
                    getSubGlobalConfig().getSubConfig(scriptConfiguration.getId()).setAttributes(scriptConfigurationData);
                    this.globalConfigurations.put(scriptConfiguration.getId(), scriptConfiguration);
                } else {
                    if (containsOrgUuid(scriptConfiguration.getId())) {
                        getSubOrgConfig().getSubConfig(scriptConfiguration.getId()).setAttributes(scriptConfigurationData);
                    } else {
                        getSubOrgConfig().addSubConfig(scriptConfiguration.getId(), ScriptConstants.SCRIPT_CONFIGURATION, 0, scriptConfigurationData);
                    }
                    this.realmConfigurations.put(scriptConfiguration.getId(), scriptConfiguration);
                }
            } catch (SSOException | SMSException e) {
                if (!"sms-INSUFFICIENT_ACCESS_RIGHTS".equals(e.getErrorCode())) {
                    throw ScriptException.createAndLogError(this.logger, ScriptConstants.ScriptErrorCode.SAVE_FAILED, e, scriptConfiguration.getId(), this.realm);
                }
                throw ScriptException.createAndLogError(this.logger, ScriptConstants.ScriptErrorCode.INSUFFICIENT_PRIVILEGES, e, scriptConfiguration.getName());
            }
        } finally {
            this.lock.readLock().lock();
            this.lock.writeLock().unlock();
        }
    }

    private boolean containsUuid(String str) throws ScriptException {
        return containsOrgUuid(str) || containsGlobalUuid(str);
    }

    private boolean containsOrgUuid(String str) throws ScriptException {
        return this.realmConfigurations.containsKey(str);
    }

    private boolean containsGlobalUuid(String str) throws ScriptException {
        return this.globalConfigurations.containsKey(str);
    }

    private boolean containsName(String str) throws ScriptException {
        Iterator it = Arrays.asList(this.globalConfigurations, this.realmConfigurations).iterator();
        while (it.hasNext()) {
            Iterator it2 = ((Map) it.next()).values().iterator();
            while (it2.hasNext()) {
                if (((ScriptConfiguration) it2.next()).getName().equalsIgnoreCase(str)) {
                    return true;
                }
            }
        }
        return false;
    }

    private Map<String, Set<String>> getScriptConfigurationData(ScriptConfiguration scriptConfiguration) {
        HashMap hashMap = new HashMap();
        hashMap.put(ScriptConstants.SCRIPT_NAME, Collections.singleton(scriptConfiguration.getName()));
        hashMap.put(ScriptConstants.SCRIPT_DESCRIPTION, Collections.singleton(scriptConfiguration.getDescription()));
        hashMap.put(ScriptConstants.SCRIPT_TEXT, Collections.singleton(scriptConfiguration.getScript()));
        hashMap.put(ScriptConstants.SCRIPT_CONTEXT, Collections.singleton(scriptConfiguration.getContext().name()));
        hashMap.put(ScriptConstants.SCRIPT_LANGUAGE, Collections.singleton(scriptConfiguration.getLanguage().name()));
        hashMap.put(ScriptConstants.SCRIPT_CREATED_BY, Collections.singleton(scriptConfiguration.getCreatedBy()));
        hashMap.put(ScriptConstants.SCRIPT_CREATION_DATE, Collections.singleton(String.valueOf(scriptConfiguration.getCreationDate())));
        hashMap.put(ScriptConstants.SCRIPT_LAST_MODIFIED_BY, Collections.singleton(scriptConfiguration.getLastModifiedBy()));
        hashMap.put(ScriptConstants.SCRIPT_LAST_MODIFIED_DATE, Collections.singleton(String.valueOf(scriptConfiguration.getLastModifiedDate())));
        return hashMap;
    }

    private ScriptConfiguration scriptConfigurationFromMap(String str, Map<String, Set<String>> map) throws ScriptException {
        String mapAttr = CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_TEXT);
        return ScriptConfiguration.builder().setId(str).setName(CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_NAME)).setDescription(CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_DESCRIPTION)).setContext(ScriptConstants.getContextFromString(CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_CONTEXT))).setLanguage(ScriptConstants.getLanguageFromString(CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_LANGUAGE))).setScript(mapAttr == null ? ScriptConstants.EMPTY : mapAttr).setCreatedBy(CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_CREATED_BY, ScriptConstants.EMPTY)).setCreationDate(CollectionHelper.getMapAttrAsDateLong(map, ScriptConstants.SCRIPT_CREATION_DATE, this.logger)).setLastModifiedBy(CollectionHelper.getMapAttr(map, ScriptConstants.SCRIPT_LAST_MODIFIED_BY, ScriptConstants.EMPTY)).setLastModifiedDate(CollectionHelper.getMapAttrAsDateLong(map, ScriptConstants.SCRIPT_LAST_MODIFIED_DATE, this.logger)).build();
    }

    private void createCollectionConfig() throws SSOException, SMSException {
        ServiceConfig orgConfig = getOrgConfig();
        if (orgConfig.getSubConfig(ScriptConstants.SCRIPT_CONFIGURATIONS) == null) {
            orgConfig.addSubConfig(ScriptConstants.SCRIPT_CONFIGURATIONS, ScriptConstants.SCRIPT_CONFIGURATIONS, 0, Collections.EMPTY_MAP);
        }
    }

    private ServiceConfig getOrgConfig() throws SMSException, SSOException {
        ServiceConfig organizationConfig = this.scm.getOrganizationConfig(this.realm, (String) null);
        if (organizationConfig == null) {
            throw new SMSException("Configuration 'ScriptingService' in realm '" + this.realm + "' could not be retrieved.");
        }
        return organizationConfig;
    }

    private ServiceConfig getGlobalConfig() throws SMSException, SSOException {
        ServiceConfig globalConfig = this.scm.getGlobalConfig((String) null);
        if (globalConfig == null) {
            throw new SMSException("Global Configuration for 'ScriptingService' could not be retrieved.");
        }
        return globalConfig;
    }

    private ServiceConfig getSubOrgConfig() throws SMSException, SSOException {
        ServiceConfig subConfig = getOrgConfig().getSubConfig(ScriptConstants.SCRIPT_CONFIGURATIONS);
        if (subConfig == null) {
            throw new SMSException("Configuration 'scriptConfigurations' in organization 'ScriptingService' could not be retrieved.");
        }
        return subConfig;
    }

    private ServiceConfig getSubGlobalConfig() throws SMSException, SSOException {
        ServiceConfig subConfig = getGlobalConfig().getSubConfig("globalScripts");
        if (subConfig == null) {
            throw new SMSException("Global Configuration for 'ScriptingService' could not be retrieved.");
        }
        return subConfig;
    }

    private SSOToken getToken() throws SSOException {
        return this.coreWrapper.getAdminToken();
    }

    private int getUsageCount(ScriptConfiguration scriptConfiguration) throws ScriptException {
        try {
            switch (scriptConfiguration.getContext()) {
                case AUTHENTICATION_CLIENT_SIDE:
                    return clientSideAuthenticationUsageCount(scriptConfiguration.getId());
                case AUTHENTICATION_SERVER_SIDE:
                    return serverSideAuthenticationUsageCount(scriptConfiguration.getId());
                case OIDC_CLAIMS:
                    return oidcClaimsUsageCount(scriptConfiguration.getId());
                case POLICY_CONDITION:
                    return policyConditionUsageCount(scriptConfiguration.getId());
                default:
                    throw new IllegalArgumentException(MessageFormat.format("unknown script context {} in script {}", scriptConfiguration.getContext(), scriptConfiguration.getName()));
            }
        } catch (SSOException | SMSException e) {
            this.logger.error("getUsageCount failed with exception with script {} id {}", new Object[]{scriptConfiguration.getName(), scriptConfiguration.getId(), e});
            return 0;
        }
    }

    private int getUsageCount(String str, String str2) throws SSOException, SMSException {
        try {
            return SMSEntry.search(getToken(), str, str2, 0, 0, false, false).size();
        } catch (SMSException e) {
            return 0;
        }
    }

    private boolean isDefaultScript(ScriptConfiguration scriptConfiguration) {
        try {
            return getUsageCount(getScriptingServiceGlobalConfig(), getDefaultScriptSearchString(scriptConfiguration.getId())) > 0;
        } catch (SSOException | SMSException e) {
            this.logger.error("isDefaultScript caught exception with script {} UUID {}", new Object[]{scriptConfiguration.getName(), scriptConfiguration.getId(), e});
            return false;
        }
    }

    private int clientSideAuthenticationUsageCount(String str) throws SSOException, SMSException {
        return getUsageCount(getScriptedServiceBaseDN(), getClientSideScriptedAuthSearchString(str)) + getUsageCount(getDeviceIdMatchServiceBaseDN(), getClientSideScriptedAuthSearchString(str));
    }

    private int serverSideAuthenticationUsageCount(String str) throws SSOException, SMSException {
        return getUsageCount(getScriptedServiceBaseDN(), getServerSideScriptedAuthSearchString(str)) + getUsageCount(getDeviceIdMatchServiceBaseDN(), getServerSideScriptedAuthSearchString(str));
    }

    private int oidcClaimsUsageCount(String str) throws SSOException, SMSException {
        try {
            return CollectionHelper.getMapSetThrows(new SMSEntry(getToken(), getOAuth2ProviderBaseDN()).getAttributes(), "sunKeyValue").contains(new StringBuilder().append("forgerock-oauth2-provider-oidc-claims-extension-script=").append(str).toString()) ? 1 : 0;
        } catch (ValueNotFoundException e) {
            return 0;
        }
    }

    private int policyConditionUsageCount(String str) throws SSOException, SMSException {
        return getUsageCount(getPolicyBaseDN(), getPolicySearchString(str));
    }

    private String getScriptingServiceGlobalConfig() {
        return "ou=default,ou=GlobalConfig,ou=1.0,ou=ScriptingService,ou=services," + DNMapper.orgNameToDN(this.realm);
    }

    private String getOAuth2ProviderBaseDN() {
        return "ou=default,ou=OrganizationConfig,ou=1.0,ou=OAuth2Provider,ou=services," + DNMapper.orgNameToDN(this.realm);
    }

    private String getScriptedServiceBaseDN() {
        return "ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthScriptedService,ou=services," + DNMapper.orgNameToDN(this.realm);
    }

    private String getDeviceIdMatchServiceBaseDN() {
        return "ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthDeviceIdMatchService,ou=services," + DNMapper.orgNameToDN(this.realm);
    }

    private String getPolicyBaseDN() {
        return "ou=default,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services," + DNMapper.orgNameToDN(this.realm);
    }

    private String getDefaultScriptSearchString(String str) {
        return "(&(sunserviceID=scriptContext)(sunKeyValue=defaultScript=" + str + "))";
    }

    private String getClientSideScriptedAuthSearchString(String str) {
        return "(&(sunserviceID=serverconfig)(sunKeyValue=iplanet-am-auth-scripted-client-script=" + str + "))";
    }

    private String getServerSideScriptedAuthSearchString(String str) {
        return "(&(sunserviceID=serverconfig)(sunKeyValue=iplanet-am-auth-scripted-server-script=" + str + "))";
    }

    private String getPolicySearchString(String str) {
        return "(&(sunserviceID=indexes)(sunKeyValue=serializable*" + str + "*))";
    }

    public void schemaChanged(String str, String str2) {
    }

    public void globalConfigChanged(String str, String str2, String str3, String str4, int i) {
        if (str.equals(ScriptConstants.SERVICE_NAME)) {
            reload();
        }
    }

    public void organizationConfigChanged(String str, String str2, String str3, String str4, String str5, int i) {
        if (str.equals(ScriptConstants.SERVICE_NAME)) {
            reload();
        }
    }
}
