package org.forgerock.openam.rest.authz;

import com.iplanet.dpro.session.service.SessionService;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.shared.debug.Debug;
import javax.inject.Inject;
import javax.inject.Named;
import org.forgerock.authz.filter.api.AuthorizationResult;
import org.forgerock.json.resource.ActionRequest;
import org.forgerock.json.resource.CreateRequest;
import org.forgerock.json.resource.DeleteRequest;
import org.forgerock.json.resource.PatchRequest;
import org.forgerock.json.resource.QueryRequest;
import org.forgerock.json.resource.ReadRequest;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.json.resource.UpdateRequest;
import org.forgerock.openam.forgerockrest.utils.AgentIdentity;
import org.forgerock.openam.rest.resource.SSOTokenContext;
import org.forgerock.openam.utils.Config;
import org.forgerock.services.context.Context;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;

/* loaded from: input_file:org/forgerock/openam/rest/authz/STSPublishServiceAuthzModule.class */
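/**
 * Authorization module for the STS publish service REST endpoint.
 *
 * <p>Policy enforced by this module (see the individual {@code authorize*} methods):
 * <ul>
 *   <li>create, update, delete: administrator only (delegated to {@link AdminOnlyAuthzModule});</li>
 *   <li>read, query: permitted for a caller whose SSO token identifies a SOAP STS agent, otherwise
 *       falls back to the administrator check;</li>
 *   <li>patch, action: denied for every caller.</li>
 * </ul>
 *
 * <p>Failures while resolving the caller's SSO token or principal are reported as HTTP 401
 * rather than treated as an implicit pass, so an unresolvable identity never widens access.
 */
public class STSPublishServiceAuthzModule extends AdminOnlyAuthzModule {
    /** Module name reported by {@link #getName()}. */
    public static final String NAME = "STSPublishServiceAuthzModule";
    private final AgentIdentity agentIdentity;

    /**
     * @param config        session service configuration, passed through to the admin-only base module
     * @param agentIdentity resolver used to decide whether a caller token belongs to a SOAP STS agent
     * @param debug         the {@code frRest} debug logger
     */
    @Inject
    public STSPublishServiceAuthzModule(Config<SessionService> config, AgentIdentity agentIdentity, @Named("frRest") Debug debug) {
        super(config, debug);
        this.agentIdentity = agentIdentity;
    }

    @Override // org.forgerock.openam.rest.authz.AdminOnlyAuthzModule
    public String getName() {
        return NAME;
    }

    /** Create: administrator only. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizeCreate(Context context, CreateRequest createRequest) {
        return authorizeAdmin(context);
    }

    /** Read: SOAP STS agent or administrator. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizeRead(Context context, ReadRequest readRequest) {
        return authorizeSoapSTSAgentOrAdmin(context);
    }

    /** Update: administrator only. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizeUpdate(Context context, UpdateRequest updateRequest) {
        return authorizeAdmin(context);
    }

    /** Delete: administrator only. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizeDelete(Context context, DeleteRequest deleteRequest) {
        return authorizeAdmin(context);
    }

    /** Patch: never authorized, for any caller. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizePatch(Context context, PatchRequest patchRequest) {
        return rejectConsumption();
    }

    /** Action: never authorized, for any caller. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizeAction(Context context, ActionRequest actionRequest) {
        return rejectConsumption();
    }

    /** Query: SOAP STS agent or administrator. */
    @Override // org.forgerock.openam.rest.authz.SSOTokenAuthzModule
    public Promise<AuthorizationResult, ResourceException> authorizeQuery(Context context, QueryRequest queryRequest) {
        return authorizeSoapSTSAgentOrAdmin(context);
    }

    /**
     * Unconditional denial used for the operations this endpoint does not expose to anyone.
     *
     * @return an already-completed promise carrying an access-denied result
     */
    private Promise<AuthorizationResult, ResourceException> rejectConsumption() {
        return Promises.newResultPromise(AuthorizationResult.accessDenied("STSPublishServiceAuthzModule: invoked functionality is not authorized for any user."));
    }

    /**
     * Permits the request when the caller is a SOAP STS agent; otherwise applies the administrator check.
     *
     * <p>Only {@link #isSoapSTSAgent(Context)} can throw here; such a failure is converted into a
     * failed (401) promise rather than propagated, so the caller always receives a promise.
     *
     * @param context request context expected to carry an {@link SSOTokenContext}
     * @return permitted for a SOAP STS agent, else the result of {@link #authorizeAdmin(Context)}
     */
    Promise<AuthorizationResult, ResourceException> authorizeSoapSTSAgentOrAdmin(Context context) {
        try {
            if (isSoapSTSAgent(context)) {
                return Promises.newResultPromise(AuthorizationResult.accessPermitted());
            }
            return authorizeAdmin(context);
        } catch (ResourceException e) {
            return ResourceException.getException(401, e.getMessage(), e).asPromise();
        }
    }

    /**
     * Administrator-only check, delegated to {@link AdminOnlyAuthzModule#authorize(Context)}.
     *
     * @param context request context
     * @return the base module's authorization result
     */
    Promise<AuthorizationResult, ResourceException> authorizeAdmin(Context context) {
        return super.authorize(context);
    }

    /**
     * Decides whether the caller's SSO token identifies a SOAP STS agent.
     *
     * @param context request context expected to carry an {@link SSOTokenContext}
     * @return {@code true} if {@link AgentIdentity#isSoapSTSAgent} accepts the caller token
     * @throws ResourceException with status 401 when the SSO token or its principal cannot be
     *         obtained; the underlying {@link SSOException} is kept as the cause so the failure
     *         remains diagnosable from the server-side stack trace. Note that the SSOException's
     *         message is surfaced as the response detail.
     */
    private boolean isSoapSTSAgent(Context context) throws ResourceException {
        try {
            SSOToken callerSSOToken = context.asContext(SSOTokenContext.class).getCallerSSOToken();
            String name = callerSSOToken.getPrincipal().getName();
            boolean soapSTSAgent = this.agentIdentity.isSoapSTSAgent(callerSSOToken);
            if (this.debug.messageEnabled()) {
                // Same two messages as before, selected by the outcome; logged only at message level.
                this.debug.message("STSPublishServiceAuthzModule :: User " + name
                        + (soapSTSAgent ? " accepted as Soap STS Agent." : " is not a Soap STS Agent."));
            }
            return soapSTSAgent;
        } catch (SSOException e) {
            if (this.debug.messageEnabled()) {
                this.debug.message("STSPublishServiceAuthzModule :: Unable to obtain SSOToken or principal", e);
            }
            // Preserve the cause (previously dropped) so the 401 is traceable to the session failure.
            throw ResourceException.getException(401, e.getMessage(), e);
        }
    }
}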
