package org.forgerock.openam.authz;

import com.iplanet.dpro.session.Session;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.delegation.DelegationEvaluator;
import com.sun.identity.delegation.DelegationException;
import com.sun.identity.delegation.DelegationPermissionFactory;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.forgerock.authz.filter.api.AuthorizationResult;
import org.forgerock.http.routing.UriRouterContext;
import org.forgerock.json.resource.InternalServerErrorException;
import org.forgerock.openam.authz.PrivilegeDefinition;
import org.forgerock.openam.core.CoreWrapper;
import org.forgerock.openam.identity.idm.IdentityUtils;
import org.forgerock.openam.rest.RealmContext;
import org.forgerock.openam.rest.resource.SubjectContext;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.RealmUtils;
import org.forgerock.services.context.Context;
import org.forgerock.util.Function;
import org.forgerock.util.promise.NeverThrowsException;

/* loaded from: input_file:org/forgerock/openam/authz/PrivilegeAuthzModule.class */
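/**
 * Base class for REST authorization modules that gate an endpoint on OpenAM delegation
 * privileges (registered under the name {@link #NAME}, the "DelegationFilter").
 *
 * <p>{@link #evaluate(Context, PrivilegeDefinition)} permits a request only when ALL of
 * the following hold; anything else is a denial:
 * <ul>
 *   <li>the caller has a session and an SSO token that {@link SSOTokenManager} still
 *       reports as valid;</li>
 *   <li>the {@link DelegationEvaluator} allows the privilege's actions on the matched URI,
 *       evaluated in the realm derived from the session's client domain;</li>
 *   <li>the caller is a CASPA/JASPA identity (per {@link IdentityUtils}) or is logged
 *       into the target realm itself or one of its parent realms.</li>
 * </ul>
 * A {@link DelegationException} from the evaluator is NOT turned into a denial but
 * surfaced as an {@link InternalServerErrorException}, so an evaluator outage is not
 * reported to the client as a policy decision.
 *
 * <p>Subclasses supply the action-name to {@link PrivilegeDefinition} mapping
 * ({@link #actionToDefinition}) and may override {@link #loggedIntoValidRealm}.
 */
public abstract class PrivilegeAuthzModule {
    /** Filter name under which this module is registered. */
    public static final String NAME = "DelegationFilter";
    /** Privilege required for mutating operations. */
    public static final PrivilegeDefinition MODIFY =
            PrivilegeDefinition.getInstance("modify", PrivilegeDefinition.Action.MODIFY);
    /** Privilege required for read-only operations. */
    public static final PrivilegeDefinition READ =
            PrivilegeDefinition.getInstance("read", PrivilegeDefinition.Action.READ);

    private static final ActionToStringMapper ACTION_TO_STRING_MAPPER = new ActionToStringMapper();
    /** Service name and version the delegation permission is created for. */
    private static final String REST = "rest";
    private static final String VERSION = "1.0";

    private final DelegationEvaluator evaluator;
    private final DelegationPermissionFactory permissionFactory;
    private final CoreWrapper coreWrapper;
    private final SSOTokenManager ssoTokenManager;
    /** Maps a request action name to the privilege that action requires; filled by subclasses. */
    protected final Map<String, PrivilegeDefinition> actionToDefinition;

    /** Renders a {@link PrivilegeDefinition.Action} as the string the delegation service expects. */
    private static final class ActionToStringMapper
            implements Function<PrivilegeDefinition.Action, String, NeverThrowsException> {
        private ActionToStringMapper() {
        }

        @Override
        public String apply(PrivilegeDefinition.Action action) {
            return action.toString();
        }
    }

    /**
     * Creates the module.
     *
     * @param delegationEvaluator evaluates delegation permissions for a token
     * @param map action name to required privilege, exposed to subclasses as {@link #actionToDefinition}
     * @param delegationPermissionFactory builds the permission handed to the evaluator
     * @param coreWrapper converts the session's organisation (DN) name to a realm name
     * @param sSOTokenManager used to re-validate the caller's SSO token on every request
     */
    public PrivilegeAuthzModule(DelegationEvaluator delegationEvaluator,
            Map<String, PrivilegeDefinition> map,
            DelegationPermissionFactory delegationPermissionFactory,
            CoreWrapper coreWrapper,
            SSOTokenManager sSOTokenManager) {
        this.evaluator = delegationEvaluator;
        this.actionToDefinition = map;
        this.permissionFactory = delegationPermissionFactory;
        this.coreWrapper = coreWrapper;
        this.ssoTokenManager = sSOTokenManager;
    }

    /**
     * Decides whether the caller in {@code context} holds {@code privilegeDefinition} for the
     * URI the router matched.
     *
     * @param context request context; must carry a {@link SubjectContext} and a
     *        {@link UriRouterContext} (asContext throws otherwise). A missing
     *        {@link RealmContext} is treated as the root realm {@code "/"}, which is the most
     *        restrictive choice for the realm-scope check below.
     * @param privilegeDefinition the privilege (common verb plus actions) the endpoint requires
     * @return access permitted, or access denied with a reason naming the failed check
     * @throws InternalServerErrorException if the delegation evaluator itself fails
     */
    public AuthorizationResult evaluate(Context context, PrivilegeDefinition privilegeDefinition)
            throws InternalServerErrorException {
        final String targetRealm = context.containsContext(RealmContext.class)
                ? context.asContext(RealmContext.class).getRealm().asPath()
                : "/";
        final SubjectContext subjectContext = context.asContext(SubjectContext.class);
        final UriRouterContext routerContext = context.asContext(UriRouterContext.class);
        final Set<String> actionNames =
                CollectionUtils.transformSet(privilegeDefinition.getActions(), ACTION_TO_STRING_MAPPER);

        try {
            final Session callerSession = subjectContext.getCallerSession();
            if (callerSession == null) {
                return AuthorizationResult.accessDenied("No session for request.");
            }

            final SSOToken callerToken = subjectContext.getCallerSSOToken();
            // Fail closed: an absent token is handled exactly like an invalid one instead of
            // being passed to isValidToken (whose null behaviour is not something to rely on).
            if (callerToken == null || !ssoTokenManager.isValidToken(callerToken)) {
                return AuthorizationResult.accessDenied("No valid session in request.");
            }

            // Realm the session belongs to, derived from its client domain. Both the
            // delegation check and the realm-scope check are made against this realm.
            final String sessionRealm =
                    coreWrapper.convertOrgNameToRealmName(callerSession.getClientDomain());

            // The same token instance that was just validated is handed to the evaluator,
            // so validity and privilege are decided on one token rather than two lookups.
            final boolean delegationAllows = evaluator.isAllowed(
                    callerToken,
                    permissionFactory.newInstance(sessionRealm, REST, VERSION,
                            routerContext.getMatchedUri(), privilegeDefinition.getCommonVerb(),
                            actionNames, Collections.emptyMap()),
                    Collections.emptyMap());
            if (!delegationAllows) {
                return AuthorizationResult.accessDenied("The user has insufficient privileges");
            }

            // Holding the privilege is not sufficient on its own: the caller must also be
            // scoped to the target realm (same realm or a parent), unless it is a
            // CASPA/JASPA identity, which IdentityUtils exempts from the realm check.
            final boolean realmScopeOk = IdentityUtils.isCASPAorJASPA(callerToken)
                    || loggedIntoValidRealm(targetRealm, sessionRealm);
            return realmScopeOk
                    ? AuthorizationResult.accessPermitted()
                    : AuthorizationResult.accessDenied("The user has insufficient privileges");
        } catch (SSOException e) {
            // Session/token could not be read: deny rather than report a server error.
            return AuthorizationResult.accessDenied("No valid user supplied in request.");
        } catch (DelegationException e) {
            throw new InternalServerErrorException("Attempt to authorise the user has failed", e);
        }
    }

    /**
     * Whether a caller logged into {@code callerRealm} may act on {@code targetRealm}:
     * true when the realms are equal (case-insensitively) or the caller's realm is a parent
     * of the target realm.
     *
     * @param targetRealm realm path the request is addressed to
     * @param callerRealm realm path the caller's session belongs to
     * @return true if the caller's realm covers the target realm
     */
    protected boolean loggedIntoValidRealm(String targetRealm, String callerRealm) {
        // NOTE(review): argument order (parent, child) is taken from the original call;
        // confirm against RealmUtils.isParentRealm if this method is changed.
        return targetRealm.equalsIgnoreCase(callerRealm)
                || RealmUtils.isParentRealm(callerRealm, targetRealm);
    }
}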
