package org.forgerock.openam.selfservice;

import com.iplanet.dpro.session.service.SessionService;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.debug.Debug;
import javax.inject.Inject;
import javax.inject.Named;
import org.forgerock.authz.filter.api.AuthorizationResult;
import org.forgerock.http.routing.UriRouterContext;
import org.forgerock.json.resource.InternalServerErrorException;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.openam.rest.RealmContext;
import org.forgerock.openam.rest.authz.AdminOnlyAuthzModule;
import org.forgerock.openam.utils.Config;
import org.forgerock.services.context.Context;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;

/* loaded from: input_file:org/forgerock/openam/selfservice/ResourceOwnerOrSuperUserAuthzModuleForKBA.class */
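/**
 * CREST authorization module for the KBA (knowledge-based authentication) self-service
 * endpoints. A request is permitted when the session owner is a super user (inherited
 * check) or when the session owner is the very identity addressed by the request URI;
 * every other caller is denied. Nothing else in this class consults the request, so a
 * super user is accepted regardless of which user the URI names.
 */
public class ResourceOwnerOrSuperUserAuthzModuleForKBA extends AdminOnlyAuthzModule {

    /** Module name returned by {@link #getName()}. */
    public static final String NAME = "ResourceOwnerOrSuperUserAuthzModuleForKBA";

    /**
     * @param config supplies the {@link SessionService} the inherited super-user check relies on
     * @param debug  the {@code frRest} debug logger; also stored by the superclass as {@code debug}
     */
    @Inject
    public ResourceOwnerOrSuperUserAuthzModuleForKBA(Config<SessionService> config, @Named("frRest") Debug debug) {
        super(config, debug);
    }

    /** Returns the constant module name {@link #NAME}. */
    public String getName() {
        return NAME;
    }

    /**
     * Decides whether the owner of {@code token} may reach the resource addressed by the request.
     *
     * <p>Decision order: a missing user id is denied outright (fail closed), a super user is
     * permitted, an owner whose id matches the identity resolved from the URI is permitted,
     * anyone else is denied. The owner comparison is case-insensitive, which is consistent
     * with LDAP-style universal ids but means two ids differing only in case are treated as
     * the same owner.
     *
     * @param context the request context; must carry a {@link UriRouterContext} and a {@link RealmContext}
     * @param token   the caller's session token
     * @return a completed promise holding the authorization verdict
     * @throws SSOException      if the user id cannot be read from the token
     * @throws ResourceException if the identity named by the URI cannot be looked up
     */
    protected Promise<AuthorizationResult, ResourceException> validateToken(Context context, SSOToken token)
            throws SSOException, ResourceException {
        String userId = getUserId(token);

        // Fail closed rather than letting the equalsIgnoreCase below throw an NPE, which
        // would surface as a server error instead of a denial.
        if (userId == null) {
            debug.warning("{} :: Denied access, session token carries no user id", moduleName);
            return Promises.newResultPromise(AuthorizationResult.accessDenied("User not authorized."));
        }

        if (isSuperUser(userId)) {
            debug.message("{} :: User, {} accepted as Super user", moduleName, userId);
            return Promises.newResultPromise(AuthorizationResult.accessPermitted());
        }

        // getUserIdFromUri() may return null; equalsIgnoreCase(null) is false, so that path
        // falls through to the denial below.
        if (userId.equalsIgnoreCase(getUserIdFromUri(context))) {
            debug.message("{} :: User, {} accepted as Resource Owner", moduleName, userId);
            return Promises.newResultPromise(AuthorizationResult.accessPermitted());
        }

        debug.warning("{} :: Denied access to {}", moduleName, userId);
        return Promises.newResultPromise(AuthorizationResult.accessDenied("User, " + userId + ", not authorized."));
    }

    /**
     * Resolves the identity named by the remaining request URI in the request's realm and
     * returns its universal id. Comparing universal ids (rather than the raw URI segment)
     * means aliases for the same identity resolve to one value before the owner check.
     *
     * <p>The remaining URI is passed to {@link IdUtils#getIdentity} unmodified;
     * NOTE(review): it is assumed the router leaves a bare user name here — confirm against
     * the route that mounts this module.
     *
     * @param context the request context
     * @return the universal id of the addressed identity, or {@code null} when the URI,
     *         the realm or the identity lookup yields nothing
     * @throws InternalServerErrorException if the identity lookup fails
     */
    protected String getUserIdFromUri(Context context) throws InternalServerErrorException {
        String username = context.asContext(UriRouterContext.class).getRemainingUri();
        String realm = context.asContext(RealmContext.class).getRealm().asPath();
        if (username == null || realm == null) {
            return null;
        }
        AMIdentity identity = IdUtils.getIdentity(username, realm);
        return identity == null ? null : identity.getUniversalId();
    }
}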
