package org.forgerock.openam.entitlement.conditions.subject;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenID;
import com.iplanet.sso.SSOTokenListenersUnsupportedException;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.EntitlementSubject;
import com.sun.identity.entitlement.SubjectAttributesManager;
import com.sun.identity.entitlement.SubjectDecision;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.SubjectEvaluationCache;
import com.sun.identity.shared.debug.Debug;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.forgerock.openam.entitlement.utils.EntitlementUtils;
import org.forgerock.openam.utils.CollectionUtils;
import org.json.JSONArray;
import org.json.JSONException;

/* loaded from: input_file:org/forgerock/openam/entitlement/conditions/subject/IdentitySubject.class */
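/**
 * Entitlement subject that matches the caller against a set of identity
 * universal ids (the "subject values").
 *
 * <p>A caller matches when the identity behind its SSO token either equals one
 * of the configured identities or is a member of one of them. Results are read
 * from and written to {@link SubjectEvaluationCache}, keyed by the SSO token id
 * string, the literal {@code "IdentitySubject"} and the subject value.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Identity lookups are performed with the admin token returned by
 *       {@code EntitlementUtils.getAdminToken()}, not with the caller's token.</li>
 *   <li>The SSO token id string is used only as a cache/registry key and is
 *       never written to the debug log by this class; only the principal name
 *       and the subject values are logged.</li>
 *   <li>{@link #getSubjectValues()} and {@link #setSubjectValues(Set)} share the
 *       live set with the caller, so later mutation of that set changes what
 *       this subject matches.</li>
 * </ul>
 */
public class IdentitySubject implements EntitlementSubject {
    private static final Debug debug = Debug.getInstance("amPolicy");
    private Set<String> subjectValues = new HashSet<String>();

    /**
     * Restores the subject values from a JSON array of strings.
     *
     * <p>A {@link JSONException} is logged and not propagated. Because the
     * parsed set is assigned after the catch block, a malformed state leaves
     * this subject with whatever elements were read before the failure
     * (possibly none) rather than with its previous values.
     *
     * @param str JSON array text holding the subject values
     */
    public void setState(String str) {
        Set<String> parsed = new HashSet<String>();
        try {
            JSONArray jSONArray = new JSONArray(str);
            for (int i = 0; i < jSONArray.length(); i++) {
                parsed.add(jSONArray.getString(i));
            }
        } catch (JSONException e) {
            // NOTE(review): the failure is only logged; callers cannot tell a
            // truncated subject from a complete one. Confirm this is intended.
            debug.error("IdentitySubject.setState", e);
        }
        this.subjectValues = parsed;
    }

    /**
     * Serialises the subject values as a JSON array.
     *
     * @return JSON array text for the current subject values
     */
    public String getState() {
        return new JSONArray((Collection) this.subjectValues).toString();
    }

    /**
     * Returns the search index entry for this subject under the key
     * {@code "identity:"}.
     *
     * <p>With no subject values the index value is the single string
     * {@code "all"}. Note that {@link #evaluate} returns a non-matching decision
     * for that same empty configuration.
     *
     * @return a single-entry map from {@code "identity:"} to the index values
     */
    public Map<String, Set<String>> getSearchIndexAttributes() {
        if (CollectionUtils.isEmpty(this.subjectValues)) {
            return Collections.singletonMap("identity:", Collections.singleton("all"));
        }
        return Collections.singletonMap("identity:", this.subjectValues);
    }

    /**
     * @return always an empty set; this subject asks for no subject attributes
     */
    public Set<String> getRequiredAttributeNames() {
        return Collections.emptySet();
    }

    /**
     * Decides whether the caller's identity matches one of the subject values.
     *
     * <p>The decision is negative when the subject carries no SSO token, the
     * token has no id or principal name, there are no subject values, or no
     * subject value matches. Only {@code subject} is read; {@code str},
     * {@code subjectAttributesManager}, {@code str2} and {@code map} are not
     * used by this implementation.
     *
     * @param str                      not used
     * @param subjectAttributesManager not used
     * @param subject                  subject from which the SSO token is taken
     * @param str2                     not used
     * @param map                      not used
     * @return the membership decision, always with an empty advice map
     * @throws EntitlementException with code 508 when the token or the identity
     *         repository cannot be queried
     */
    public SubjectDecision evaluate(String str, SubjectAttributesManager subjectAttributesManager, Subject subject, String str2, Map<String, Set<String>> map) throws EntitlementException {
        SSOToken sSOToken = SubjectUtils.getSSOToken(subject);
        String tokenIdString = null;
        if (sSOToken != null) {
            SSOTokenID tokenID = sSOToken.getTokenID();
            if (tokenID != null) {
                tokenIdString = tokenID.toString();
            }
        }
        if (tokenIdString == null) {
            // No usable session: deny rather than evaluate membership.
            if (debug.warningEnabled()) {
                debug.warning("IdentitySubject.isMember():tokenID is null");
                debug.warning("IdentitySubject.isMember():returning false");
            }
            return decision(false);
        }
        try {
            Principal principal = sSOToken.getPrincipal();
            String userDn = principal != null ? principal.getName() : null;
            if (userDn == null) {
                if (debug.warningEnabled()) {
                    debug.warning("IdentitySubject.isMember():userDN is null");
                    debug.warning("IdentitySubject.isMember():returning false");
                }
                return decision(false);
            }
            boolean member = false;
            if (debug.messageEnabled()) {
                debug.message("AMIndentitySubject.isMember(): entering with userDN = " + userDn);
            }
            // setSubjectValues accepts null and getSearchIndexAttributes already
            // tolerates it; treat null like an empty set here so evaluation
            // yields a deny decision instead of a NullPointerException.
            Set<String> values = this.subjectValues;
            if (values != null && !values.isEmpty()) {
                for (String subjectValue : values) {
                    if (debug.messageEnabled()) {
                        debug.message("AMIndentitySubject.isMember(): checking membership with userDN = " + userDn + ", subjectValue = " + subjectValue);
                    }
                    Boolean isMember = SubjectEvaluationCache.isMember(tokenIdString, "IdentitySubject", subjectValue);
                    if (isMember != null) {
                        if (debug.messageEnabled()) {
                            debug.message("IdentitySubject.isMember():got membership from SubjectEvaluationCache  for userDN = " + userDn + ", subjectValue = " + subjectValue + ", result = " + isMember.booleanValue());
                        }
                        boolean booleanValue = isMember.booleanValue();
                        if (booleanValue) {
                            if (debug.messageEnabled()) {
                                debug.message("AMIndentitySubject.isMember():  returning membership status = " + booleanValue);
                            }
                            return decision(booleanValue);
                        }
                        // Cached negative result: fall through to the next subject value.
                    } else {
                        if (debug.messageEnabled()) {
                            debug.message("IdentitySubject:isMember():entry for " + subjectValue + " not in subject evaluation cache, so compute using IDRepo api");
                        }
                        try {
                            AMIdentity subjectIdentity = IdUtils.getIdentity(EntitlementUtils.getAdminToken(), subjectValue);
                            if (subjectIdentity == null) {
                                // NOTE(review): this returns a deny decision without
                                // checking the remaining subject values, so the
                                // outcome depends on the set's iteration order when
                                // one value does not resolve. Confirm with the policy
                                // owner before changing; continuing instead could
                                // grant access that is denied today.
                                if (debug.messageEnabled()) {
                                    debug.message("IdentitySubject.isMember():subjectIdentity is null for subjectValue = " + subjectValue);
                                    debug.message("IdentitySubject.isMember():returning false");
                                }
                                return decision(false);
                            }
                            // Re-resolve the caller through the admin token so both
                            // identities are obtained the same way.
                            AMIdentity userIdentity = IdUtils.getIdentity(EntitlementUtils.getAdminToken(), IdUtils.getUniversalId(IdUtils.getIdentity(sSOToken)));
                            if (userIdentity == null) {
                                if (debug.messageEnabled()) {
                                    debug.message("IdentitySubject.isMember():userIdentity is null");
                                    debug.message("IdentitySubject.isMember():returning false");
                                }
                                return decision(false);
                            }
                            if (debug.messageEnabled()) {
                                debug.message("IdentitySubject.isMember():user uuid = " + IdUtils.getUniversalId(userIdentity) + ", subject uuid = " + IdUtils.getUniversalId(subjectIdentity));
                            }
                            IdType userType = userIdentity.getType();
                            IdType subjectType = subjectIdentity.getType();
                            if (userIdentity.equals(subjectIdentity)) {
                                if (debug.messageEnabled()) {
                                    debug.message("IdentitySubject.isMember():userIdentity equals subjectIdentity:membership=true");
                                }
                                member = true;
                            } else {
                                Set canHaveMembers = subjectType.canHaveMembers();
                                if (canHaveMembers == null || !canHaveMembers.contains(userType)) {
                                    // The subject's type cannot contain the user's type,
                                    // so the repository membership query is skipped.
                                    member = false;
                                    if (debug.messageEnabled()) {
                                        debug.message("IdentitySubject.isMember():userIdentity type " + userType + " can not be a member of subjectIdentityType " + subjectType + ":membership=false");
                                    }
                                } else {
                                    member = userIdentity.isMember(subjectIdentity);
                                    if (debug.messageEnabled()) {
                                        debug.message("IdentitySubject.isMember():userIdentity type " + userType + " can be a member of subjectIdentityType " + subjectType + ":membership=" + member);
                                    }
                                }
                            }
                            if (debug.messageEnabled()) {
                                debug.message("IdentitySubject.isMember: adding entry in SubjectEvaluationCache for , for userDN = " + userDn + ", subjectValue = " + subjectValue + ", subjectMatch = " + member);
                            }
                            // NOTE(review): the cache entry is written only on the path
                            // that registers the SSO listener, i.e. when the token is
                            // not yet in ssoListenerRegistry and listener registration
                            // does not throw. Presumably this ties cached decisions to
                            // a listener for the token; confirm against
                            // PolicyEvaluator before moving addEntry.
                            if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenIdString)) {
                                try {
                                    sSOToken.addSSOTokenListener(PolicyEvaluator.ssoListener);
                                    SubjectEvaluationCache.addEntry(tokenIdString, "IdentitySubject", subjectValue, member);
                                    PolicyEvaluator.ssoListenerRegistry.put(tokenIdString, PolicyEvaluator.ssoListener);
                                    if (debug.messageEnabled()) {
                                        debug.message("IdentitySubject.isMember(): sso listener added ");
                                    }
                                } catch (SSOTokenListenersUnsupportedException e) {
                                    debug.message("IdentitySubject.isMember(): could not add sso listener: {}", new Object[]{e.getMessage()});
                                }
                            }
                            if (member) {
                                break;
                            }
                        } catch (IdRepoException e2) {
                            debug.warning("IdentitySubject.isMember():can not check membership for user " + userDn + ", subject " + subjectValue, e2);
                            throw new EntitlementException(508, e2);
                        } catch (SSOException e3) {
                            throw new EntitlementException(508, e3);
                        }
                    }
                }
            }
            if (debug.messageEnabled()) {
                if (member) {
                    debug.message("IdentitySubject.isMember(): User " + userDn + " is a member of this subject");
                } else {
                    debug.message("IdentitySubject.isMember(): user " + userDn + " is not a member of this subject");
                }
            }
            return decision(member);
        } catch (SSOException e4) {
            throw new EntitlementException(508, e4);
        }
    }

    /** Builds a decision with the given outcome and an empty advice map. */
    private static SubjectDecision decision(boolean satisfied) {
        return new SubjectDecision(satisfied, Collections.<String, Set<String>>emptyMap());
    }

    /**
     * @return always {@code true}
     */
    public boolean isIdentity() {
        return true;
    }

    /**
     * Returns the configured subject values.
     *
     * @return the internal set itself, not a copy; changes made by the caller
     *         are visible to later evaluations
     */
    public Set<String> getSubjectValues() {
        return this.subjectValues;
    }

    /**
     * Replaces the configured subject values.
     *
     * @param set the set to use; it is stored by reference, and a {@code null}
     *            value is evaluated like an empty set
     */
    public void setSubjectValues(Set<String> set) {
        this.subjectValues = set;
    }
}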
