package com.sun.identity.rest.spi;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.delegation.DelegationEvaluatorImpl;
import com.sun.identity.delegation.DelegationPermission;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.rest.ISubjectable;
import com.sun.identity.rest.RestException;
import com.sun.identity.rest.RestServiceManager;
import com.sun.identity.shared.encode.Hash;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.forgerock.openam.forgerockrest.utils.ServerContextUtils;

/* loaded from: input_file:com/sun/identity/rest/spi/SSOTokenAuthZ.class */
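/**
 * Authorization filter for the legacy "ssotoken" REST authentication scheme.
 *
 * <p>Two checks are performed, in order, before the chain continues:
 * <ol>
 *   <li>A delegation check: the caller's {@link SSOToken} (obtained from the request's
 *       {@link ISubjectable} principal) must be allowed the action mapped from the HTTP
 *       method ({@code GET} → read, {@code DELETE/POST/PUT} → {@code MODIFY}) on the
 *       request path under {@code sunEntitlementService}.</li>
 *   <li>A subject-binding check: when a subject token is sent in the
 *       {@code RestServiceManager.SUBJECT_HEADER_NAME} header (or taken from the request
 *       when only the query hash is present), its hash must match the
 *       {@code RestServiceManager.HASHED_SUBJECT_QUERY} parameter unless
 *       {@code RestServiceManager.DISABLE_HASHED_SUBJECT_CHECK} is set.</li>
 * </ol>
 *
 * <p>Any failure is reported as HTTP 401 with a fixed, non-descriptive message; internal
 * exception text is never echoed to the client. Methods with no action mapping
 * (e.g. {@code HEAD}, {@code OPTIONS}, {@code PATCH}) are rejected.
 */
public class SSOTokenAuthZ implements IAuthorization {

    /** Fixed client-facing text for every rejection reached via an exception. */
    private static final String UNAUTHORIZED_MSG = "Unauthorized.";

    /** Separator between an optional prefix and the token id in the subject header. */
    private static final char TOKEN_PREFIX_SEPARATOR = ':';

    /** HTTP method → delegation action name. Unmodifiable after class init. */
    private static final Map<String, String> mapMethodToAction;

    static {
        Map<String, String> actions = new HashMap<String, String>();
        actions.put("GET", ServerContextUtils.READ);
        actions.put(ServerContextUtils.DELETE, "MODIFY");
        actions.put("POST", "MODIFY");
        actions.put("PUT", "MODIFY");
        mapMethodToAction = Collections.unmodifiableMap(actions);
    }

    /** @return the authentication scheme names this authorizer handles. */
    @Override // com.sun.identity.rest.spi.IAuthorization
    public String[] accept() {
        return new String[]{"ssotoken"};
    }

    /**
     * Runs the delegation and subject-binding checks and either continues the chain or
     * sends a 401.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     invoked only when both checks pass
     * @throws IOException      from {@code sendError} or the downstream chain
     * @throws ServletException from the downstream chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        int status = HttpServletResponse.SC_OK;
        String message = null;

        Principal principal = request.getUserPrincipal();
        if (principal instanceof ISubjectable) {
            try {
                Subject subject = ((ISubjectable) principal).createSubject();
                String action = mapMethodToAction.get(request.getMethod());
                if (action == null) {
                    // Unknown/unmapped verb: fail closed rather than guess an action.
                    status = HttpServletResponse.SC_UNAUTHORIZED;
                    message = "Unable to get HTTP method for request.";
                } else if (!isDelegated(subject, action, getURI(request))) {
                    status = HttpServletResponse.SC_UNAUTHORIZED;
                    message = UNAUTHORIZED_MSG;
                }
            } catch (Exception e) {
                // Deliberately do not surface e.getMessage(): it can carry internal
                // state (token ids, config names). TODO(review): log via the project's
                // debug facility; no logger is in scope in this file.
                status = HttpServletResponse.SC_UNAUTHORIZED;
                message = UNAUTHORIZED_MSG;
            }
        } else {
            status = HttpServletResponse.SC_UNAUTHORIZED;
            message = "Unable to obtain subject.";
        }

        if (status == HttpServletResponse.SC_OK) {
            status = validateTokenId(request);
            if (status == HttpServletResponse.SC_OK) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            message = "SSO token is invalid or has expired.";
        }

        response.sendError(status, message);
    }

    /**
     * Asks the delegation service whether {@code subject} may perform {@code action}
     * on {@code resource} under {@code sunEntitlementService} at the root realm.
     *
     * @throws Exception whatever {@link SubjectUtils#getSSOToken} or the evaluator throws
     */
    private boolean isDelegated(Subject subject, String action, String resource) throws Exception {
        SSOToken token = SubjectUtils.getSSOToken(subject);
        Set<String> actions = new HashSet<String>();
        actions.add(action);
        DelegationPermission permission = new DelegationPermission(
                "/", "sunEntitlementService", "1.0", "application", resource, actions, null);
        return new DelegationEvaluatorImpl().isAllowed(token, permission, Collections.emptyMap());
    }

    /**
     * Strips the leading path segment (the web-app context) from the request URI.
     * The remainder is used verbatim as the delegation resource name; no decoding or
     * normalisation is applied here — presumably the container has already done so.
     */
    private String getURI(ServletRequest servletRequest) {
        String requestURI = ((HttpServletRequest) servletRequest).getRequestURI();
        int secondSlash = requestURI.indexOf('/', 1);
        return secondSlash == -1 ? requestURI : requestURI.substring(secondSlash + 1);
    }

    /**
     * Verifies that the subject token is bound to the request via its hash.
     *
     * <p>Returns 200 when neither the subject header nor the hash parameter is present
     * (nothing to bind), or when the hashed-subject check is disabled by configuration.
     * Otherwise the token id (from the header, or from the request's own session when
     * the header is absent) is hashed with {@link Hash#hash} and compared in constant
     * time against the supplied parameter; any mismatch or missing piece yields 401.
     *
     * @return {@code 200} on success, {@code 401} on failure
     */
    private int validateTokenId(HttpServletRequest httpServletRequest) throws ServletException, IOException {
        String tokenId = httpServletRequest.getHeader(RestServiceManager.SUBJECT_HEADER_NAME);
        String suppliedHash = httpServletRequest.getParameter(RestServiceManager.HASHED_SUBJECT_QUERY);
        boolean hasToken = !isBlank(tokenId);
        boolean hasHash = !isBlank(suppliedHash);

        if (!hasToken && !hasHash) {
            return HttpServletResponse.SC_OK;
        }
        if (!hasToken) {
            try {
                tokenId = SSOTokenManager.getInstance().createSSOToken(httpServletRequest).getTokenID().toString();
            } catch (SSOException e) {
                return HttpServletResponse.SC_UNAUTHORIZED;
            }
        }
        // NOTE(review): this property turns off the binding check entirely; it should
        // only be set for backwards compatibility in trusted deployments.
        if (Boolean.parseBoolean(SystemProperties.get(RestServiceManager.DISABLE_HASHED_SUBJECT_CHECK, "false"))) {
            return HttpServletResponse.SC_OK;
        }
        if (!hasHash) {
            return HttpServletResponse.SC_UNAUTHORIZED;
        }

        String expectedHash = Hash.hash(stripTokenPrefix(tokenId));
        if (expectedHash == null) {
            return HttpServletResponse.SC_UNAUTHORIZED;
        }
        // Constant-time comparison: String.equals short-circuits on the first differing
        // byte, which leaks how much of the hash an attacker has guessed correctly.
        byte[] expected = expectedHash.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = suppliedHash.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, supplied)
                ? HttpServletResponse.SC_OK
                : HttpServletResponse.SC_UNAUTHORIZED;
    }

    /** @return the part of {@code value} after the first {@code ':'}, or the whole value if none. */
    private static String stripTokenPrefix(String value) {
        int sep = value.indexOf(TOKEN_PREFIX_SEPARATOR);
        return sep == -1 ? value : value.substring(sep + 1);
    }

    /** @return true when {@code s} is null or only whitespace (matches the original trim-based test). */
    private static boolean isBlank(String s) {
        return s == null || s.trim().length() == 0;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read.
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * Builds the authorization {@link Subject} for the request.
     *
     * <p>If the subject header is present, the token id after any {@code "prefix:"} is
     * resolved through {@link SSOTokenManager}; otherwise the request's own session is
     * used.
     *
     * @throws RestException wrapping the {@link SSOException} when the token cannot be resolved
     */
    @Override // com.sun.identity.rest.spi.IAuthorization
    public Subject getAuthZSubject(HttpServletRequest httpServletRequest) throws RestException {
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            String header = httpServletRequest.getHeader(RestServiceManager.SUBJECT_HEADER_NAME);
            if (isBlank(header)) {
                return SubjectUtils.createSubject(manager.createSSOToken(httpServletRequest));
            }
            return SubjectUtils.createSubject(manager.createSSOToken(stripTokenPrefix(header)));
        } catch (SSOException e) {
            throw new RestException(1, (Throwable) e);
        }
    }
}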
