package org.forgerock.openam.entitlement.conditions.environment;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import com.google.inject.name.Names;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.entitlement.ConditionDecision;
import com.sun.identity.entitlement.EntitlementConditionAdaptor;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.idm.IdRepoException;
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.script.SimpleBindings;
import javax.security.auth.Subject;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.http.client.RestletHttpClient;
import org.forgerock.json.JsonValue;
import org.forgerock.openam.core.CoreWrapper;
import org.forgerock.openam.entitlement.PolicyConstants;
import org.forgerock.openam.scripting.ScriptConstants;
import org.forgerock.openam.scripting.ScriptEvaluator;
import org.forgerock.openam.scripting.ScriptException;
import org.forgerock.openam.scripting.ScriptObject;
import org.forgerock.openam.scripting.SupportedScriptingLanguage;
import org.forgerock.openam.scripting.api.ScriptedIdentity;
import org.forgerock.openam.scripting.api.ScriptedSession;
import org.forgerock.openam.scripting.service.ScriptConfiguration;
import org.forgerock.openam.scripting.service.ScriptingServiceFactory;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.util.Function;
import org.forgerock.util.Reject;
import org.forgerock.util.promise.NeverThrowsException;

/* loaded from: input_file:org/forgerock/openam/entitlement/conditions/environment/ScriptCondition.class */
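/**
 * Policy condition whose outcome is decided by a stored script.
 *
 * <p>The condition holds only a {@code scriptId}. At evaluation time the script
 * configuration is looked up through the {@link ScriptingServiceFactory} and run by the
 * {@link ScriptEvaluator} registered for the {@code POLICY_CONDITION} script context.
 * The script communicates its result through the bindings {@code authorized},
 * {@code ttl}, {@code advice} and {@code responseAttributes}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code authorized} is pre-set to {@code FALSE}; access is granted only when the
 *       script leaves an explicit {@code Boolean.TRUE} in that binding.</li>
 *   <li>The script is handed an HTTP client and, when the subject carries an SSO token,
 *       the caller's identity and session. Whoever can edit the referenced script can
 *       therefore read that data and make outbound requests; any restriction on what the
 *       script may do is enforced (if at all) by the evaluator, which is not visible in
 *       this class.</li>
 * </ul>
 */
public class ScriptCondition extends EntitlementConditionAdaptor {
    private static final ListToSetTransformation<String> LIST_TO_SET = new ListToSetTransformation<>();
    /** JSON field name under which the script id is persisted in the condition state. */
    private static final String SCRIPT_ID = "scriptId";

    private final ScriptingServiceFactory scriptingServiceFactory = (ScriptingServiceFactory) InjectorHolder.getInstance(
            Key.get(new TypeLiteral<ScriptingServiceFactory>() {
            }));
    private final ScriptEvaluator evaluator = (ScriptEvaluator) InjectorHolder.getInstance(
            Key.get(ScriptEvaluator.class, Names.named(ScriptConstants.ScriptContext.POLICY_CONDITION.name())));
    private final CoreWrapper coreWrapper = (CoreWrapper) InjectorHolder.getInstance(CoreWrapper.class);
    private String scriptId;

    /**
     * Converts the list values written by the script into the set values that
     * {@link ConditionDecision} builders are given.
     */
    private static final class ListToSetTransformation<T> implements Function<List<T>, Set<T>, NeverThrowsException> {
        private ListToSetTransformation() {
        }

        @Override
        public Set<T> apply(List<T> list) {
            return new HashSet<>(list);
        }
    }

    /**
     * Restores the condition from its JSON state.
     *
     * @param str JSON document expected to contain a non-null {@code scriptId} field
     * @throws IllegalStateException if the document cannot be parsed or carries no
     *         usable {@code scriptId}
     */
    @Override
    public void setState(String str) {
        try {
            JsonNode root = new ObjectMapper().readTree(str);
            JsonNode idNode = (root == null) ? null : root.get(SCRIPT_ID);
            // A missing field used to surface as a bare NullPointerException, and a JSON
            // null was silently stored as the literal string "null" (asText() on a null
            // node), which then passed validate(). Reject both explicitly.
            if (idNode == null || idNode.isNull()) {
                throw new IllegalStateException(
                        "Script condition is in an invalid state: missing " + SCRIPT_ID);
            }
            this.scriptId = idNode.asText();
        } catch (IOException e) {
            throw new IllegalStateException("Script condition is in an invalid state", e);
        }
    }

    /**
     * Serialises the condition as a JSON object with the single field {@code scriptId}.
     *
     * @return the JSON state string
     */
    @Override
    public String getState() {
        return JsonValue.json(JsonValue.object(new Map.Entry[]{JsonValue.field(SCRIPT_ID, this.scriptId)})).toString();
    }

    /**
     * Checks that a script id has been configured.
     *
     * @throws EntitlementException with error code 711 and the field name as argument
     *         when {@code scriptId} is empty
     */
    @Override
    public void validate() throws EntitlementException {
        if (StringUtils.isEmpty(this.scriptId)) {
            throw new EntitlementException(711, new Object[]{SCRIPT_ID});
        }
    }

    /**
     * Runs the configured script and turns the values it leaves in the bindings into a
     * {@link ConditionDecision}.
     *
     * @param str     passed to the scripting service factory to select the service that
     *                holds the script (presumably the realm - confirm against callers)
     * @param subject subject the decision is made for
     * @param str2    exposed to the script as {@code resourceURI}
     * @param map     exposed to the script as {@code environment}
     * @return a failure decision (with advice and response attributes) unless the script
     *         set {@code authorized} to {@code Boolean.TRUE}, in which case a success
     *         decision carrying the response attributes and the script's {@code ttl}
     * @throws EntitlementException with code 760 when no script configuration is found
     *         for {@code scriptId}; with code 510 when script lookup or execution fails
     *         or the script leaves a non-numeric {@code ttl}
     */
    @Override
    public ConditionDecision evaluate(String str, Subject subject, String str2, Map<String, Set<String>> map) throws EntitlementException {
        try {
            ScriptConfiguration scriptConfiguration = getScriptConfiguration(str);
            if (scriptConfiguration == null) {
                throw new EntitlementException(760, new Object[]{this.scriptId});
            }
            ScriptObject scriptObject = new ScriptObject(scriptConfiguration.getName(),
                    scriptConfiguration.getScript(), scriptConfiguration.getLanguage());

            // Output maps the script fills in. The element types follow LIST_TO_SET;
            // nothing here stops a script from storing other value types, which would
            // fail later inside transformMap.
            Map<String, List<String>> advice = new HashMap<>();
            Map<String, List<String>> responseAttributes = new HashMap<>();

            SimpleBindings bindings = new SimpleBindings();
            bindings.put("logger", PolicyConstants.DEBUG);
            bindings.put("username", SubjectUtils.getPrincipalId(subject));
            bindings.put("resourceURI", str2);
            bindings.put("environment", map);
            bindings.put("advice", advice);
            bindings.put("responseAttributes", responseAttributes);
            bindings.put("httpClient", getHttpClient(scriptConfiguration.getLanguage()));
            // Deny by default: the script has to opt in to authorisation.
            bindings.put("authorized", Boolean.FALSE);
            // NOTE(review): Long.MAX_VALUE presumably means "never expires" for a success
            // decision unless the script lowers it - confirm against ConditionDecision.
            bindings.put("ttl", Long.MAX_VALUE);

            // Identity and session are only exposed when the subject carries an SSO token.
            SSOToken ssoToken = SubjectUtils.getSSOToken(subject);
            if (ssoToken != null) {
                bindings.put("identity", new ScriptedIdentity(this.coreWrapper.getIdentity(ssoToken)));
                bindings.put("session", new ScriptedSession(ssoToken));
            }

            this.evaluator.evaluateScript(scriptObject, bindings);

            // Fail closed: a script that removes the binding or stores a non-Boolean value
            // yields a failure decision instead of a NullPointerException or
            // ClassCastException escaping from policy evaluation.
            if (!Boolean.TRUE.equals(bindings.get("authorized"))) {
                return ConditionDecision.newFailureBuilder()
                        .setAdvice(CollectionUtils.transformMap(advice, LIST_TO_SET))
                        .setResponseAttributes(CollectionUtils.transformMap(responseAttributes, LIST_TO_SET))
                        .build();
            }

            // Do not guess a lifetime for a granted decision: a ttl that is not numeric is
            // reported with the same error code used for script failures below.
            Object ttl = bindings.get("ttl");
            if (!(ttl instanceof Number)) {
                throw new EntitlementException(510,
                        new IllegalStateException("Policy condition script left a non-numeric ttl"));
            }
            return ConditionDecision.newSuccessBuilder()
                    .setResponseAttributes(CollectionUtils.transformMap(responseAttributes, LIST_TO_SET))
                    .setTimeToLive(((Number) ttl).longValue())
                    .build();
        } catch (ScriptException | javax.script.ScriptException | IdRepoException | SSOException e) {
            throw new EntitlementException(510, e);
        }
    }

    /**
     * Looks up the configuration of the script referenced by this condition.
     *
     * @param str selector handed to {@link ScriptingServiceFactory#create}
     * @return the configuration stored under {@code scriptId}; {@link #evaluate} treats a
     *         {@code null} result as "script not found"
     * @throws ScriptException if the scripting service reports a failure
     */
    protected ScriptConfiguration getScriptConfiguration(String str) throws ScriptException {
        return this.scriptingServiceFactory.create(str).get(this.scriptId);
    }

    /**
     * Resolves the HTTP client instance registered under the script language's name.
     *
     * @param supportedScriptingLanguage language of the script; must not be {@code null}
     * @return the client exposed to the script as {@code httpClient}
     */
    private RestletHttpClient getHttpClient(SupportedScriptingLanguage supportedScriptingLanguage) {
        Reject.ifNull(supportedScriptingLanguage);
        return (RestletHttpClient) InjectorHolder.getInstance(
                Key.get(RestletHttpClient.class, Names.named(supportedScriptingLanguage.name())));
    }

    /**
     * @return the id of the script this condition evaluates, or {@code null} if unset
     */
    public String getScriptId() {
        return this.scriptId;
    }

    /**
     * Sets the id of the script to evaluate. The value is not checked here;
     * {@link #validate()} rejects an empty id.
     *
     * @param str the script id
     */
    public void setScriptId(String str) {
        this.scriptId = str;
    }
}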
