package org.forgerock.openam.entitlement.conditions.environment;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.entitlement.ConditionDecision;
import com.sun.identity.entitlement.EntitlementConditionAdaptor;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.shared.debug.Debug;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.forgerock.openam.core.CoreWrapper;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: input_file:org/forgerock/openam/entitlement/conditions/environment/AMIdentityMembershipCondition.class */
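/**
 * Entitlement condition that is satisfied when the invoking principal either is one of the
 * configured identities or is a member of one of them.
 *
 * <p>The invoking principal is taken from the environment map under
 * {@code ConditionConstants.INVOCATOR_PRINCIPAL_UUID}; the {@code Subject} passed to
 * {@link #evaluate} is not consulted. Both the invoking principal and the configured names are
 * resolved with the administrator token obtained from {@code CoreWrapper}.
 *
 * <p>NOTE(review): because the decision rests on an environment value rather than on the
 * authenticated subject, confirm that every caller populates that key from a trusted source and
 * does not let the requester supply it.
 */
public class AMIdentityMembershipCondition extends EntitlementConditionAdaptor {
    private final Debug debug;
    private final CoreWrapper coreWrapper;
    // Names of the identities to test against; may be null after setAmIdentityNames(null).
    private Set<String> amIdentityName;

    /** Creates a condition that logs to {@code PrivilegeManager.debug} and uses a new {@code CoreWrapper}. */
    public AMIdentityMembershipCondition() {
        this(PrivilegeManager.debug, new CoreWrapper());
    }

    /**
     * Creates a condition with explicitly supplied collaborators.
     *
     * @param debug the debug log to write to
     * @param coreWrapper the wrapper used to obtain the admin token and to resolve identities
     */
    AMIdentityMembershipCondition(Debug debug, CoreWrapper coreWrapper) {
        this.amIdentityName = new HashSet<>();
        this.debug = debug;
        this.coreWrapper = coreWrapper;
    }

    /**
     * Replaces the configured identity names with those found in the JSON state.
     *
     * <p>The names are parsed into a fresh set that is installed only when the whole array was
     * read, so a second call no longer widens the condition by merging with earlier names, and a
     * malformed array leaves the previous names untouched. A JSON failure is logged and not
     * rethrown; a condition left without names evaluates to {@code false} and is rejected by
     * {@link #validate()}.
     *
     * @param state the JSON representation of this condition
     */
    public void setState(String state) {
        try {
            JSONObject json = new JSONObject(state);
            setState(json);
            JSONArray jsonNames = json.getJSONArray(ConditionConstants.AM_IDENTITY_NAME);
            Set<String> parsedNames = new HashSet<>();
            for (int i = 0; i < jsonNames.length(); i++) {
                parsedNames.add(jsonNames.getString(i));
            }
            this.amIdentityName = parsedNames;
        } catch (JSONException e) {
            this.debug.message("AMIdentityMembershipCondition: Failed to set state", e);
        }
    }

    /**
     * Returns the JSON state of this condition.
     *
     * @return the value of {@link #toString()}, which is {@code null} if serialization failed
     */
    public String getState() {
        return toString();
    }

    /**
     * Decides whether the invoking principal named in the environment satisfies this condition.
     *
     * <p>Only the first value stored under {@code ConditionConstants.INVOCATOR_PRINCIPAL_UUID} is
     * examined. A missing environment map, a missing key or an empty value set yields a negative
     * decision.
     *
     * @param realm not read by this condition
     * @param subject not read by this condition
     * @param resourceName not read by this condition
     * @param environment the environment values of the request
     * @return a decision carrying the membership result and an empty advice map
     * @throws EntitlementException if the admin token is unavailable or the membership lookup fails
     */
    public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> environment) throws EntitlementException {
        // A null environment is treated like a missing key so that the condition denies instead of
        // failing with a NullPointerException.
        Set<String> invocatorUuidSet = environment == null
                ? null
                : environment.get(ConditionConstants.INVOCATOR_PRINCIPAL_UUID);
        if (this.debug.messageEnabled()) {
            this.debug.message("At AMIdentityMembershipCondition.getConditionDecision(): entering, names:" + this.amIdentityName);
            this.debug.message("At AMIdentityMembershipCondition.getConditionDecision(): environment.invocatorPrincipalUud:" + invocatorUuidSet);
        }
        boolean allowed = false;
        if (invocatorUuidSet == null || invocatorUuidSet.isEmpty()) {
            this.debug.message("At AMIdentityMembershipCondition.getConditionDecision(): invocatorUuidSet is null or empty");
        } else {
            allowed = isMember(invocatorUuidSet.iterator().next());
        }
        return new ConditionDecision(allowed, Collections.emptyMap());
    }

    /**
     * Checks whether the invoking identity equals, or is a member of, any configured identity.
     *
     * <p>The check stops at the first match. It also stops, with {@code false}, as soon as the
     * invoking identity or any configured name cannot be resolved, even if a later name would have
     * matched.
     *
     * @param invocatorUuid identifier of the invoking principal, may be {@code null}
     * @return {@code true} if a configured identity matches, otherwise {@code false}
     * @throws EntitlementException with code 721 when the identity repository lookup fails, 510 on
     *         a session (SSO) failure, or 720 when no admin token is available
     */
    private boolean isMember(String invocatorUuid) throws EntitlementException {
        if (invocatorUuid == null) {
            this.debug.warning("AMIdentityMembershipCondition.isMember():invocatorUuid is null");
            this.debug.warning("AMIdentityMembershipCondition.isMember():returning false");
            return false;
        }
        if (this.debug.messageEnabled()) {
            // Logged at message level to match its guard; it was emitted as a warning before.
            this.debug.message("AMIdentityMembershipCondition.isMember():invocatorUuid:" + invocatorUuid);
        }
        boolean member = false;
        // The setter accepts null, so a null set is handled like an empty one: no match.
        final Set<String> names = this.amIdentityName;
        if (names != null && !names.isEmpty()) {
            // Resolved on the first iteration and reused; the invoker does not change per name.
            AMIdentity invocatorIdentity = null;
            for (String nameValue : names) {
                if (this.debug.messageEnabled()) {
                    this.debug.message("AMIndentityMembershipCondition.isMember(): checking membership with nameValue = " + nameValue + ", invocatorUuid = " + invocatorUuid);
                }
                try {
                    SSOToken adminToken = getAdminToken();
                    if (invocatorIdentity == null) {
                        invocatorIdentity = this.coreWrapper.getIdentity(adminToken, invocatorUuid);
                        if (invocatorIdentity == null) {
                            if (this.debug.messageEnabled()) {
                                this.debug.message("AMidentityMembershipCondition.isMember():invocatorIdentity is null for invocatorUuid = " + invocatorUuid);
                                this.debug.message("AMidentityMembershipCondition.isMember():returning false");
                            }
                            return false;
                        }
                    }
                    AMIdentity nameValueIdentity = this.coreWrapper.getIdentity(adminToken, nameValue);
                    if (nameValueIdentity == null) {
                        if (this.debug.messageEnabled()) {
                            this.debug.message("AMidentityMembershipCondition.isMember():nameValueidentity is null for nameValue = " + nameValue);
                            this.debug.message("AMidentityMembershipCondition.isMember():returning false");
                        }
                        return false;
                    }
                    IdType invocatorType = invocatorIdentity.getType();
                    IdType nameValueType = nameValueIdentity.getType();
                    if (invocatorIdentity.equals(nameValueIdentity)) {
                        if (this.debug.messageEnabled()) {
                            this.debug.message("AMidentityMembershipCondition.isMember():invocatorIdentity equals  nameValueIdentity:membership=true");
                        }
                        member = true;
                    } else {
                        Set<?> memberTypes = nameValueType.canHaveMembers();
                        if (memberTypes != null && memberTypes.contains(invocatorType)) {
                            member = invocatorIdentity.isMember(nameValueIdentity);
                            if (this.debug.messageEnabled()) {
                                this.debug.message("AMIdentityMembershipCondition.isMember():invocatorIdentityType " + invocatorType + " can be a member of nameValueIdentityType " + nameValueType + ":membership=" + member);
                            }
                        } else {
                            member = false;
                            if (this.debug.messageEnabled()) {
                                // This branch is the "not allowed as a member" case; the message
                                // previously said "can be a member", contradicting its result.
                                this.debug.message("AMIdentityMembershipCondition.isMember():invocatoridentityType " + invocatorType + " can not be a member of nameValueIdentityType " + nameValueType + ":membership=false");
                            }
                        }
                    }
                    if (member) {
                        break;
                    }
                } catch (IdRepoException e) {
                    if (this.debug.warningEnabled()) {
                        this.debug.warning("AMIdentityMembershipCondition.isMember():can not check membership for invocator " + invocatorUuid + ", nameValue " + nameValue, e);
                    }
                    throw new EntitlementException(721, new String[]{invocatorUuid, nameValue});
                } catch (SSOException e2) {
                    this.debug.error("AMIdentityMembershipCondition: Condition evaluation failed", e2);
                    throw new EntitlementException(510, e2);
                }
            }
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("AMIdentityMembershipCondition.isMember():invocatorUuid=" + invocatorUuid + ",amIdentityName=" + names + ",subjectMatch=" + member);
        }
        return member;
    }

    /**
     * Obtains the administrator token used for identity lookups.
     *
     * @return the admin token, never {@code null}
     * @throws EntitlementException with code 720 when {@code CoreWrapper} returns no token
     */
    private SSOToken getAdminToken() throws EntitlementException {
        SSOToken adminToken = this.coreWrapper.getAdminToken();
        if (adminToken == null) {
            throw new EntitlementException(720);
        }
        return adminToken;
    }

    /**
     * Builds the JSON form of this condition: the inherited state plus the identity names.
     *
     * @return the JSON object; the names array is empty when no names are set
     * @throws JSONException if a value cannot be written
     */
    private JSONObject toJSONObject() throws JSONException {
        JSONObject json = new JSONObject();
        toJSONObject(json);
        JSONArray jsonNames = new JSONArray();
        // A null set serializes as an empty array rather than raising a NullPointerException.
        if (this.amIdentityName != null) {
            for (String name : this.amIdentityName) {
                jsonNames.put(name);
            }
        }
        json.put(ConditionConstants.AM_IDENTITY_NAME, jsonNames);
        return json;
    }

    /**
     * Returns the JSON form of this condition, indented by two spaces.
     *
     * @return the JSON text, or {@code null} when serialization failed (the failure is logged)
     */
    @Override
    public String toString() {
        String json = null;
        try {
            json = toJSONObject().toString(2);
        } catch (JSONException e) {
            PrivilegeManager.debug.error("AMIdentityMembershipCondition.toString()", e);
        }
        return json;
    }

    /**
     * Returns the configured identity names.
     *
     * @return the set held by this condition, not a copy, so changes to it change the condition;
     *         may be {@code null}
     */
    public Set<String> getAmIdentityName() {
        return this.amIdentityName;
    }

    /**
     * Sets the configured identity names.
     *
     * @param set the names to use; the reference is stored as given, without copying
     */
    public void setAmIdentityNames(Set<String> set) {
        this.amIdentityName = set;
    }

    /**
     * Checks that at least one identity name is configured and that none is blank.
     *
     * @throws EntitlementException with code 711 when no names are set, or 802 when
     *         {@code StringUtils.isAnyBlank} reports a blank name
     */
    public void validate() throws EntitlementException {
        if (this.amIdentityName == null || this.amIdentityName.isEmpty()) {
            throw new EntitlementException(711, new Object[]{ConditionConstants.AM_IDENTITY_NAME});
        }
        if (StringUtils.isAnyBlank(this.amIdentityName)) {
            throw new EntitlementException(802, new Object[]{ConditionConstants.AM_IDENTITY_NAME});
        }
    }

    /**
     * Compares this condition with another object.
     *
     * @param obj the object to compare with
     * @return {@code true} when the superclass considers the objects equal, both have the same
     *         class, and {@code CollectionUtils.genericCompare} accepts the two name sets
     */
    @Override
    public boolean equals(Object obj) {
        if (super.equals(obj) && getClass().equals(obj.getClass())) {
            return CollectionUtils.genericCompare(this.amIdentityName, ((AMIdentityMembershipCondition) obj).amIdentityName);
        }
        return false;
    }

    /**
     * Computes a hash code from the superclass hash and, when present, the name set.
     *
     * @return the hash code
     */
    @Override
    public int hashCode() {
        int result = super.hashCode();
        if (this.amIdentityName != null) {
            result = (31 * result) + this.amIdentityName.hashCode();
        }
        return result;
    }
}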
