package org.forgerock.openam.rest;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.delegation.DelegationEvaluatorImpl;
import com.sun.identity.delegation.DelegationException;
import com.sun.identity.delegation.DelegationPermission;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.rest.RestServiceManager;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.session.util.SessionUtils;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.sm.SMSException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.mail.internet.MimeUtility;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.http.header.AcceptApiVersionHeader;
import org.forgerock.http.routing.Version;
import org.forgerock.json.resource.BadRequestException;
import org.forgerock.json.resource.CreateRequest;
import org.forgerock.json.resource.ForbiddenException;
import org.forgerock.json.resource.NotFoundException;
import org.forgerock.json.resource.NotSupportedException;
import org.forgerock.json.resource.Request;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.json.resource.http.HttpContext;
import org.forgerock.json.resource.http.HttpUtils;
import org.forgerock.openam.cors.CORSConstants;
import org.forgerock.openam.forgerockrest.utils.ServerContextUtils;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.services.context.Context;
import org.forgerock.util.Reject;
import org.forgerock.util.promise.Promise;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/forgerock/openam/rest/RestUtils.class */
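/**
 * Static helpers shared by the OpenAM REST layer: admin/delegation checks, admin-token
 * retrieval, error-promise factories and HTTP header / protocol-version helpers.
 *
 * <p>Decisions made by {@link #isAdmin(Context, String)} are cached process-wide, keyed by
 * (principal name, realm path, role). Only positive decisions are cached, and the cache is
 * cleared whenever a check fails with an exception, so a failed evaluation can never be
 * reported as a grant.
 */
public final class RestUtils {
    private static final Debug debug = Debug.getInstance("frRest");

    /**
     * Separator for admin-cache keys. NUL is assumed never to occur in principal names or
     * realm paths — TODO confirm against the identity store in use.
     */
    private static final char CACHE_KEY_SEPARATOR = '\u0000';

    /**
     * Positive admin decisions, keyed by {@link #adminCacheKey(String, String, String)}.
     * A concurrent set (rather than a map of mutable lists) so that concurrent requests for
     * the same principal cannot corrupt an entry. Membership means "allowed"; negative
     * results are never stored.
     */
    private static final Set<String> adminCache =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    /**
     * Lazily resolves the super-admin identity named by the
     * {@code com.sun.identity.authentication.super.user} system property.
     */
    private static final class AdminUserIdHolder {
        /**
         * {@code null} when the system property is unset; {@link RestUtils#hasPermission(Context)}
         * then denies every caller, because no identity equals {@code null}.
         */
        static final AMIdentity superAdminUserId;

        private AdminUserIdHolder() {
        }

        static {
            SSOToken adminToken = RestUtils.getToken();
            String superUser = SystemProperties.get("com.sun.identity.authentication.super.user");
            if (superUser == null) {
                superAdminUserId = null;
                RestUtils.debug.error("SystemProperties AUTHENTICATION_SUPER_USER not set");
            } else {
                superAdminUserId = new AMIdentity(adminToken, superUser, IdType.USER, "/", (String) null);
            }
        }
    }

    /**
     * Loads {@value #CONFIG_FILENAME} from the classpath once and splits the comma-separated
     * {@code permissions} attribute of every {@code <tab>} element under the single
     * {@code <tabs>} element into two sets: tabs carrying an {@code accesslevel} attribute
     * feed {@link #globalService}, all others feed {@link #realmService}.
     */
    public static final class LegacyUIConfigHolder {
        private static final String CONFIG_FILENAME = "/amConsoleConfig.xml";
        private static final Set<String> globalService = new HashSet<String>();
        private static final Set<String> realmService = new HashSet<String>();

        private LegacyUIConfigHolder() {
        }

        /**
         * Populates the two service-name sets from a parsed console configuration.
         * Logs and returns without populating anything unless exactly one {@code <tabs>}
         * element is present.
         *
         * @param document the parsed {@value #CONFIG_FILENAME}, never {@code null}
         */
        private static void loadLegacyConsoleConfig(Document document) {
            NodeList tabsElements = document.getElementsByTagName("tabs");
            if (tabsElements == null || tabsElements.getLength() != 1) {
                RestUtils.debug.error("RestUtils.loadLegacyConsoleConfig(): failed to load tab config");
                return;
            }
            NodeList tabs = tabsElements.item(0).getChildNodes();
            for (int i = 0; i < tabs.getLength(); i++) {
                Node tab = tabs.item(i);
                if (!tab.getNodeName().equalsIgnoreCase("tab")) {
                    continue;
                }
                NamedNodeMap tabAttributes = tab.getAttributes();
                if (tabAttributes == null) {
                    continue;
                }
                List<String> permissions = getAttributes(tabAttributes, "permissions");
                // An "accesslevel" attribute marks a global tab; everything else is realm-scoped.
                if (CollectionUtils.isEmpty(getAttributes(tabAttributes, "accesslevel"))) {
                    realmService.addAll(permissions);
                } else {
                    globalService.addAll(permissions);
                }
            }
        }

        /**
         * Splits the named attribute's value on commas.
         *
         * @param attributes the element's attribute map
         * @param name the attribute name to look up
         * @return the comma-separated entries (surrounding whitespace of each entry is kept,
         *         only the whole value is trimmed), or an empty list when the attribute is
         *         absent or blank
         */
        private static List<String> getAttributes(NamedNodeMap attributes, String name) {
            Node attribute = attributes.getNamedItem(name);
            if (attribute == null) {
                return Collections.emptyList();
            }
            String value = attribute.getNodeValue().trim();
            if (!StringUtils.isNotEmpty(value)) {
                return Collections.emptyList();
            }
            return Arrays.asList(value.split(","));
        }

        /**
         * Parses a classpath resource with the non-validating safe document builder.
         *
         * @param resourceName classpath resource name of the XML file
         * @return the parsed document, or {@code null} when the resource is missing or any
         *         error occurs (the error is logged, never propagated)
         */
        private static Document parseDocument(String resourceName) {
            try (InputStream in = RestUtils.class.getClassLoader().getResourceAsStream(resourceName)) {
                if (in == null) {
                    RestUtils.debug.error("RestUtils.parseDocument: resource not found: " + resourceName);
                    return null;
                }
                return XMLUtils.getSafeDocumentBuilder(false).parse(in);
            } catch (Exception e) {
                RestUtils.debug.error("RestUtils.parseDocument", e);
                return null;
            }
        }

        // Runs after the field initialisers above (textual order), so the sets exist.
        static {
            Document config = parseDocument(CONFIG_FILENAME);
            if (config != null) {
                loadLegacyConsoleConfig(config);
            }
        }
    }

    /**
     * Extracts the session cookie from the request context.
     *
     * @param context the request context
     * @return the cookie value as resolved by {@link ServerContextHelper}
     */
    public static String getCookieFromServerContext(Context context) {
        return ServerContextHelper.getCookieFromServerContext(context);
    }

    /**
     * Equivalent to {@code isAdmin(context, null)}: evaluates the realm-scoped delegation
     * with no role name.
     *
     * @param context the request context
     * @return whether the caller is an admin for the context's realm
     */
    public static boolean isAdmin(Context context) {
        return isAdmin(context, null);
    }

    /**
     * Decides whether the caller of the request is an administrator for the given role in
     * the realm of {@code context}.
     *
     * <p>Order of checks: (1) a cached positive decision for this exact (principal, realm,
     * role); (2) {@link SessionUtils#isAdmin}; (3) delegation evaluation — a global role
     * requires {@code DELEGATE} on {@code sunAMRealmService} for the realm, any other role
     * requires {@code READ} on every service name configured for realm roles. Only positive
     * delegation results are cached.
     *
     * @param context the request context; must contain a {@link RealmContext} and a session cookie
     * @param role the role name, or {@code null}; a name containing {@code "global"} is a global role
     * @return {@code true} when the caller is an admin, {@code false} otherwise — including
     *         when the check itself fails (the failure is logged and the cache cleared)
     */
    public static boolean isAdmin(Context context, String role) {
        try {
            String realmPath = context.asContext(RealmContext.class).getRealm().asPath();
            SSOToken callerToken =
                    SSOTokenManager.getInstance().createSSOToken(getCookieFromServerContext(context));
            String principal = callerToken.getPrincipal().getName();

            // The delegation permission below is evaluated for realmPath, so the cache key
            // must include the realm as well as the role.
            String cacheKey = adminCacheKey(principal, realmPath, role);
            if (adminCache.contains(cacheKey) || SessionUtils.isAdmin(getToken(), callerToken)) {
                return true;
            }

            boolean allowed = isGlobalRole(role)
                    ? hasGlobalDelegation(callerToken, realmPath)
                    : hasRealmDelegation(callerToken, realmPath, role);
            if (allowed) {
                adminCache.add(cacheKey);
            }
            return allowed;
        } catch (DelegationException | SSOException | SMSException e) {
            debug.error("RestUtils::Failed to determine if user is an admin", e);
            adminCache.clear();
            // Fail closed: a partially evaluated check must never be reported as a grant.
            return false;
        }
    }

    /**
     * Builds the admin-cache key. A {@code null} role is stored as the text {@code "null"}.
     */
    private static String adminCacheKey(String principal, String realmPath, String role) {
        return principal + CACHE_KEY_SEPARATOR + realmPath + CACHE_KEY_SEPARATOR + role;
    }

    /**
     * Evaluates the global-role permission: {@code DELEGATE} on {@code sunAMRealmService}
     * for the realm.
     */
    private static boolean hasGlobalDelegation(SSOToken token, String realmPath)
            throws DelegationException, SSOException {
        DelegationPermission permission = new DelegationPermission();
        permission.setVersion("1.0");
        permission.setConfigType("organizationconfig");
        permission.setOrganizationName(realmPath);
        permission.setServiceName("sunAMRealmService");
        permission.setActions(CollectionUtils.asSet(new String[]{"DELEGATE"}));
        @SuppressWarnings("rawtypes")
        Map env = Collections.emptyMap(); // no environment parameters are needed for this check
        return new DelegationEvaluatorImpl().isAllowed(token, permission, env);
    }

    /**
     * Evaluates the realm-role permission: {@code READ} on every configured realm service.
     *
     * @return {@code true} only when every service grants access; {@code false} when any
     *         service denies it, and also when no services are configured (nothing could be
     *         verified, so nothing is granted)
     */
    private static boolean hasRealmDelegation(SSOToken token, String realmPath, String role)
            throws DelegationException, SSOException, SMSException {
        Set<String> serviceNames = getServiceNames(role);
        if (serviceNames.isEmpty()) {
            return false;
        }
        DelegationEvaluatorImpl evaluator = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission();
        permission.setConfigType((String) null);
        permission.setVersion(CORSConstants.ALL);
        permission.setSubConfigName("default");
        permission.setOrganizationName(realmPath);
        permission.setActions(CollectionUtils.asSet(new String[]{ServerContextUtils.READ}));
        @SuppressWarnings("rawtypes")
        Map env = Collections.emptyMap(); // no environment parameters are needed for this check
        for (String serviceName : serviceNames) {
            permission.setServiceName(serviceName);
            if (!evaluator.isAllowed(token, permission, env)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Service names a role must be allowed on: the global set for global roles, the realm
     * set otherwise (both loaded from the legacy console configuration).
     */
    private static Set<String> getServiceNames(String role) throws SMSException, SSOException {
        return isGlobalRole(role) ? LegacyUIConfigHolder.globalService : LegacyUIConfigHolder.realmService;
    }

    /** A role is global when its (non-empty) name contains the substring {@code "global"}. */
    private static boolean isGlobalRole(String role) {
        return StringUtils.isNotEmpty(role) && role.contains("global");
    }

    /**
     * Ensures the caller is the configured super-admin user.
     *
     * <p>The caller's token is validated and its session refreshed before the identity is
     * compared. When the super-user property is unset (see {@link AdminUserIdHolder}) the
     * comparison can never succeed and every caller is rejected.
     *
     * @param context the request context carrying the session cookie
     * @throws SSOException if the token cannot be created or validated
     * @throws IdRepoException if the caller's identity cannot be resolved
     * @throws ForbiddenException if the caller is not the super-admin user
     */
    public static void hasPermission(Context context) throws SSOException, IdRepoException, ForbiddenException {
        SSOTokenManager tokenManager = SSOTokenManager.getInstance();
        SSOToken callerToken = tokenManager.createSSOToken(getCookieFromServerContext(context));
        tokenManager.validateToken(callerToken);
        tokenManager.refreshSession(callerToken);
        AMIdentity caller = new AMIdentity(callerToken);
        if (!caller.equals(AdminUserIdHolder.superAdminUserId)) {
            debug.error("Unauthorized user.");
            throw new ForbiddenException("Access Denied");
        }
    }

    /** @return a rejected promise carrying a {@link NotSupportedException} */
    public static <T> Promise<T, ResourceException> generateUnsupportedOperation() {
        return new NotSupportedException("Operation is not supported.").asPromise();
    }

    /** @return a rejected promise carrying a {@link BadRequestException} with the default message */
    public static <T> Promise<T, ResourceException> generateBadRequestException() {
        return generateBadRequestException("Bad request.");
    }

    /**
     * @param message the detail message for the exception
     * @return a rejected promise carrying a {@link BadRequestException}
     */
    public static <T> Promise<T, ResourceException> generateBadRequestException(String message) {
        return new BadRequestException(message).asPromise();
    }

    /**
     * @param request the request whose resource path could not be found
     * @return a rejected promise carrying a {@link NotFoundException} naming the resource path
     */
    public static <T> Promise<T, ResourceException> generateNotFoundException(Request request) {
        return new NotFoundException("Resource '" + request.getResourcePath() + "' not found").asPromise();
    }

    /**
     * Reduces a URL to scheme, host, port and its first path segment (the deployment
     * context), e.g. everything up to but excluding the second {@code '/'} of the path.
     *
     * <p>When the path has no second slash the whole path is kept, and a missing path is
     * treated as empty — previously both cases appended the literal text {@code "null"}.
     *
     * @param url the full URL to reduce
     * @return scheme, {@code "://"}, host, {@link RestServiceManager#SUBJECT_DELIMITER},
     *         port and the deployment path, in that order
     * @throws URISyntaxException if {@code url} is not a valid URI
     */
    public static StringBuilder getFullDeploymentURI(String url) throws URISyntaxException {
        URI uri = new URI(url);
        String path = uri.getPath() == null ? "" : uri.getPath();
        int secondSlash = path.indexOf('/', path.indexOf('/') + 1);
        String deploymentPath = secondSlash == -1 ? path : path.substring(0, secondSlash);
        StringBuilder result = new StringBuilder(100);
        result.append(uri.getScheme())
                .append("://")
                .append(uri.getHost())
                .append(RestServiceManager.SUBJECT_DELIMITER)
                .append(uri.getPort())
                .append(deploymentPath);
        return result;
    }

    /**
     * Obtains the server's admin token via {@link AdminTokenAction} under
     * {@link AccessController#doPrivileged}.
     */
    public static SSOToken getToken() {
        return (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
    }

    /**
     * Reads a header from the {@link HttpContext} and MIME-decodes it.
     *
     * @param context the request context; must contain an {@link HttpContext}
     * @param headerName the header to read
     * @return the decoded value, the raw value when decoding fails, or {@code null} when absent
     */
    public static String getMimeHeaderValue(Context context, String headerName) {
        return decodeMimeHeader(context.asContext(HttpContext.class).getHeaderAsString(headerName));
    }

    /**
     * Reads a header from the servlet request and MIME-decodes it.
     *
     * @param httpServletRequest the request
     * @param headerName the header to read
     * @return the decoded value, the raw value when decoding fails, or {@code null} when absent
     */
    public static String getMimeHeaderValue(HttpServletRequest httpServletRequest, String headerName) {
        return decodeMimeHeader(httpServletRequest.getHeader(headerName));
    }

    /**
     * Shared decoding step for both {@code getMimeHeaderValue} overloads: falls back to the
     * raw value (with a warning) when the encoded-word charset is unsupported.
     */
    private static String decodeMimeHeader(String rawValue) {
        if (rawValue == null) {
            return null;
        }
        try {
            return MimeUtility.decodeText(rawValue);
        } catch (UnsupportedEncodingException e) {
            if (debug.warningEnabled()) {
                debug.warning("Unable to decode mime header: " + e);
            }
            return rawValue;
        }
    }

    /**
     * Resolves the CREST protocol version requested via {@code Accept-API-Version}.
     *
     * @param context the request context; must contain an {@link HttpContext}
     * @return the requested protocol version, or {@link HttpUtils#DEFAULT_PROTOCOL_VERSION}
     *         when the header is absent or names no protocol version
     */
    public static Version crestProtocolVersion(Context context) {
        Reject.ifFalse(context.containsContext(HttpContext.class), "Context does not contain an HttpContext");
        String header = context.asContext(HttpContext.class).getHeaderAsString("Accept-API-Version");
        if (header == null) {
            return HttpUtils.DEFAULT_PROTOCOL_VERSION;
        }
        Version requested = AcceptApiVersionHeader.valueOf(header).getProtocolVersion();
        return requested == null ? HttpUtils.DEFAULT_PROTOCOL_VERSION : requested;
    }

    /**
     * @return whether the create request supplies a resource id and the negotiated protocol
     *         version is newer than {@link HttpUtils#PROTOCOL_VERSION_1}
     */
    public static boolean isContractConformantUserProvidedIdCreate(Context context, CreateRequest createRequest) {
        return createRequest.getNewResourceId() != null
                && crestProtocolVersion(context).compareTo(HttpUtils.PROTOCOL_VERSION_1) > 0;
    }
}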
