package com.sun.identity.liberty.ws.disco;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.XMLUtils;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.liberty.ws.common.LogUtil;
import com.sun.identity.liberty.ws.common.Status;
import com.sun.identity.liberty.ws.disco.common.DiscoConstants;
import com.sun.identity.liberty.ws.disco.common.DiscoServiceManager;
import com.sun.identity.liberty.ws.disco.common.DiscoUtils;
import com.sun.identity.liberty.ws.disco.jaxb.EncryptedResourceIDType;
import com.sun.identity.liberty.ws.disco.jaxb.InsertEntryType;
import com.sun.identity.liberty.ws.disco.jaxb.ModifyResponseElement;
import com.sun.identity.liberty.ws.disco.jaxb.ModifyType;
import com.sun.identity.liberty.ws.disco.jaxb.QueryType;
import com.sun.identity.liberty.ws.disco.jaxb.RemoveEntryType;
import com.sun.identity.liberty.ws.disco.jaxb.ResourceIDType;
import com.sun.identity.liberty.ws.disco.jaxb.StatusType;
import com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler;
import com.sun.identity.liberty.ws.interfaces.Authorizer;
import com.sun.identity.liberty.ws.interfaces.ResourceIDMapper;
import com.sun.identity.liberty.ws.security.SecurityTokenManager;
import com.sun.identity.liberty.ws.soapbinding.Message;
import com.sun.identity.liberty.ws.soapbinding.ProviderHeader;
import com.sun.identity.liberty.ws.soapbinding.RequestHandler;
import com.sun.identity.liberty.ws.soapbinding.SOAPBindingConstants;
import com.sun.identity.liberty.ws.soapbinding.SOAPBindingException;
import com.sun.identity.liberty.ws.soapbinding.Utils;
import com.sun.identity.security.AdminTokenAction;
import java.security.AccessController;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.xml.bind.JAXBException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:120955-01/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/liberty/ws/disco/DiscoveryService.class */
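/**
 * SOAP request handler for the Liberty Discovery Service
 * (status namespace {@code urn:liberty:disco:2003-08}).
 *
 * <p>A request must carry exactly one SOAP body, which is either a
 * {@link QueryType} (lookup of a user's resource offerings) or a
 * {@link ModifyType} (insert/remove of resource offerings). The resource ID
 * in the body (plain or encrypted) is mapped to a local user through the
 * configured {@link ResourceIDMapper}; the offerings themselves are read and
 * written through the configured {@link DiscoEntryHandler}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The request's authentication mechanism must be one of
 *       {@link DiscoServiceManager#getSupportedAuthenticationMechanisms()};
 *       otherwise the request is rejected before the body is looked at.</li>
 *   <li>Policy evaluation is only performed when
 *       {@link DiscoServiceManager#needPolicyEvalLookup()} /
 *       {@link DiscoServiceManager#needPolicyEvalUpdate()} are enabled. With
 *       them disabled, any WSC that passes the mechanism check can read or
 *       modify the entries of whichever user the resource ID maps to.</li>
 *   <li>An encrypted resource ID that cannot be decrypted is treated as a
 *       missing ({@code null}) resource ID, which normally ends in a FAILED
 *       status once the mapper cannot resolve a user for it.</li>
 *   <li>Successful and failed lookups/updates are written to the audit log
 *       via {@link LogUtil}.</li>
 * </ul>
 */
public final class DiscoveryService implements RequestHandler {

    /**
     * Authentication mechanisms for which the response must carry this
     * provider's X.509 certificate token (in addition to the case where
     * response authentication is globally enabled); see
     * {@link #newResponseMessage(String)}.
     */
    private static final Set<String> X509_RESPONSE_MECHANISMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    Message.NULL_X509, Message.NULL_SAML, Message.NULL_BEARER,
                    Message.TLS_X509, Message.TLS_SAML, Message.TLS_BEARER,
                    Message.CLIENT_TLS_X509, Message.CLIENT_TLS_SAML, Message.CLIENT_TLS_BEARER)));

    /** Environment key under which the whole SOAP message is handed to the {@link Authorizer}. */
    private static final String ENV_MESSAGE = "message";

    /**
     * Token manager used to mint the X.509 certificate token placed in
     * responses. Initialised in the static block with the admin SSO token and
     * left {@code null} if that fails; responses that need an X.509 token are
     * then refused instead of dereferencing {@code null}.
     */
    private static SecurityTokenManager stm;

    public DiscoveryService() {
        DiscoUtils.debug.message("In DiscoveryService constructor.");
    }

    /**
     * Dispatches one Discovery Service SOAP request.
     *
     * @param message the incoming SOAP message (already authenticated by the
     *        SOAP binding layer; its mechanism is read from
     *        {@link Message#getAuthenticationMechanism()})
     * @return the response message with the Query/Modify response as its body
     * @throws Exception if the message does not hold exactly one body, the
     *         authentication mechanism is not supported, the body is not a
     *         Discovery message, or the response cannot be built
     */
    @Override
    public Message processRequest(Message message) throws Exception {
        List bodies = Utils.convertElementToJAXB(message.getBodies());
        if (bodies.size() != 1) {
            DiscoUtils.debug.error("DiscoService.processRequest: SOAP message didn't contain one SOAP body.");
            throw new Exception(DiscoUtils.bundle.getString("oneBody"));
        }

        String authMech = message.getAuthenticationMechanism();
        if (DiscoUtils.debug.messageEnabled()) {
            DiscoUtils.debug.message("DiscoService.processRequest: authentication mechanism =" + authMech);
        }
        // Gate on the configured mechanism list before touching the body.
        Set supportedMechs = DiscoServiceManager.getSupportedAuthenticationMechanisms();
        if (supportedMechs == null || !supportedMechs.contains(authMech)) {
            DiscoUtils.debug.error("DiscoService.processRequest: AuthenticationMechanism used is not supported by this service:" + authMech);
            throw new Exception(DiscoUtils.bundle.getString("authnMechNotSupported"));
        }

        try {
            Message response = newResponseMessage(authMech);
            Object body = bodies.get(0);
            if (body instanceof QueryType) {
                response.setSOAPBody(lookup((QueryType) body, message));
            } else if (body instanceof ModifyType) {
                response.setSOAPBody(Utils.convertJAXBToElement(update((ModifyType) body, message)));
            } else {
                DiscoUtils.debug.error("DiscoService.processRequest: SOAPBody is not a Disco message.");
                throw new Exception(DiscoUtils.bundle.getString("bodyNotDisco"));
            }
            return response;
        } catch (SOAPBindingException e) {
            // DiscoveryException is built from the message only; the cause is logged upstream, not chained.
            throw new DiscoveryException(e.getMessage());
        }
    }

    /**
     * Builds the (still bodyless) response message.
     *
     * <p>When response authentication is configured, or the request used one
     * of {@link #X509_RESPONSE_MECHANISMS}, the response carries this
     * provider's X.509 certificate token obtained from {@link #stm}; otherwise
     * it carries only the provider header.
     *
     * @param authMech the request's authentication mechanism
     * @throws SOAPBindingException if the provider header cannot be created
     * @throws DiscoveryException if the token manager is unavailable or the
     *         message cannot be constructed
     */
    private static Message newResponseMessage(String authMech) throws SOAPBindingException, DiscoveryException {
        ProviderHeader providerHeader = new ProviderHeader(DiscoServiceManager.getDiscoProviderID());
        boolean needsX509Token = DiscoServiceManager.useResponseAuthentication()
                || X509_RESPONSE_MECHANISMS.contains(authMech);

        if (!needsX509Token) {
            try {
                return new Message(providerHeader);
            } catch (Exception e) {
                DiscoUtils.debug.error("DiscoveryService.processRequest:couldn't generate Message: ", e);
                throw new DiscoveryException(e.getMessage());
            }
        }

        if (stm == null) {
            // Static initialisation failed to obtain a SecurityTokenManager; refuse explicitly
            // rather than surfacing a NullPointerException with an empty message.
            DiscoUtils.debug.error("DiscoveryService.processRequest: SecurityTokenManager not available, cannot build X509 token response.");
            throw new DiscoveryException("SecurityTokenManager not available");
        }
        try {
            return new Message(providerHeader, stm.getX509CertificateToken());
        } catch (Exception e) {
            DiscoUtils.debug.error("DiscoveryService.processRequest:couldn't generate Message with X509 token: ", e);
            throw new DiscoveryException(e.getMessage());
        }
    }

    /**
     * Handles a Discovery {@code Query}: resolves the user, fetches the
     * offerings matching the requested service type, applies policy and
     * directives when lookup policy evaluation is enabled, and returns the
     * {@code QueryResponse} as a DOM element.
     *
     * @param query   the Query body
     * @param message the enclosing SOAP message (used for the mapper, the
     *                authorizer and the audit log)
     * @return the marshalled QueryResponse element, with status OK or Failed
     * @throws JAXBException if the response cannot be marshalled
     */
    private Element lookup(QueryType query, Message message) throws JAXBException {
        DiscoUtils.debug.message("in lookup.");
        Status status = new Status("urn:liberty:disco:2003-08", "disco");
        QueryResponse response = new QueryResponse(status);

        String providerID = DiscoServiceManager.getDiscoProviderID();
        String resourceID = resolveResourceID(query.getResourceID(), query.getEncryptedResourceID(), providerID);
        String userID = resolveUserID(providerID, resourceID, message);
        if (userID == null) {
            DiscoUtils.debug.error("DiscoService.lookup: couldn't find the user associated with the resourceID:" + resourceID);
            status.setCode(DiscoConstants.QNAME_FAILED);
            // Audit the unresolved resource ID like update() does, so probing shows up in the log.
            LogUtil.error(Level.INFO, LogUtil.DS_LOOKUP_FAILURE, new String[]{resourceID});
            return marshalQueryResponse(response);
        }
        if (DiscoUtils.debug.messageEnabled()) {
            DiscoUtils.debug.message("DiscoService.lookup: userDN=" + userID);
        }

        Collection entries = DiscoServiceManager.getDiscoEntryHandler()
                .getDiscoEntries(userID, query.getRequestedServiceType()).values();
        if (entries.isEmpty()) {
            if (DiscoUtils.debug.messageEnabled()) {
                DiscoUtils.debug.message("DiscoService.lookup: lookup NoResults for user:" + userID);
            }
            status.setCode(DiscoConstants.QNAME_FAILED);
            LogUtil.error(Level.INFO, LogUtil.DS_LOOKUP_FAILURE, new String[]{userID});
        } else {
            if (DiscoUtils.debug.messageEnabled()) {
                DiscoUtils.debug.message("DiscoService.lookup: find " + entries.size() + "ResourceOfferings for userDN:" + userID);
            }
            // Without lookup policy evaluation the authorizer stays null and every matching
            // offering of the resolved user is returned to the WSC.
            Authorizer authorizer = null;
            if (DiscoServiceManager.needPolicyEvalLookup()) {
                DiscoUtils.debug.message("DiscoService.lookup:needPolicyEval.");
                authorizer = DiscoServiceManager.getAuthorizer();
            }
            String userDN = resolveUserDN(userID);
            Map result = DiscoUtils.checkPolicyAndHandleDirectives(
                    userDN, message, entries, authorizer, null, null, (SSOToken) message.getToken());
            List offerings = (List) result.get(DiscoUtils.OFFERINGS);
            if (offerings == null || offerings.isEmpty()) {
                if (DiscoUtils.debug.messageEnabled()) {
                    DiscoUtils.debug.message("DiscoService.lookup: after policy check and directive handling, NoResults for:" + userID);
                }
                status.setCode(DiscoConstants.QNAME_FAILED);
                LogUtil.error(Level.INFO, LogUtil.DS_LOOKUP_FAILURE, new String[]{userID});
            } else {
                response.setResourceOffering(offerings);
                DiscoUtils.debug.message("after resp.getresoff.addall");
                List credentials = (List) result.get(DiscoUtils.CREDENTIALS);
                if (credentials != null && !credentials.isEmpty()) {
                    DiscoUtils.debug.message("DiscoService.lookup: has cred.");
                    response.setCredentials(credentials);
                }
                status.setCode(DiscoConstants.QNAME_OK);
                LogUtil.access(Level.INFO, LogUtil.DS_LOOKUP_SUCCESS, new String[]{userID});
            }
        }
        return XMLUtils.toDOMDocument(response.toString(), (Debug) null).getDocumentElement();
    }

    /**
     * Marshals a QueryResponse into a fresh DOM document via the Disco JAXB
     * marshaller (used for the early "unknown user" failure response).
     *
     * @throws JAXBException if the document cannot be created or the response
     *         cannot be marshalled; previously a document-creation failure
     *         went on to a NullPointerException
     */
    private static Element marshalQueryResponse(QueryResponse response) throws JAXBException {
        Document document;
        try {
            document = XMLUtils.newDocument();
        } catch (Exception e) {
            DiscoUtils.debug.error("DiscoService.lookup:", e);
            throw new JAXBException("DiscoService.lookup: couldn't create document for QueryResponse", e);
        }
        DiscoUtils.getDiscoMarshaller().marshal(response, document);
        return document.getDocumentElement();
    }

    /**
     * Handles a Discovery {@code Modify}: resolves the user, optionally checks
     * that the WSC may update every removed and inserted entry, then applies
     * the modification through the {@link DiscoEntryHandler}.
     *
     * @param modify  the Modify body
     * @param message the enclosing SOAP message
     * @return a ModifyResponse with status OK (plus any new entry IDs) or Failed
     * @throws JAXBException if the response element cannot be created
     */
    private ModifyResponseElement update(ModifyType modify, Message message) throws JAXBException {
        DiscoUtils.debug.message("in update.");
        try {
            ModifyResponseElement response = DiscoUtils.getDiscoFactory().createModifyResponseElement();
            StatusType status = DiscoUtils.getDiscoFactory().createStatusType();
            response.setStatus(status);

            String providerID = DiscoServiceManager.getDiscoProviderID();
            String resourceID = resolveResourceID(modify.getResourceID(), modify.getEncryptedResourceID(), providerID);
            String userID = resolveUserID(providerID, resourceID, message);
            String logContext = logContext(message, providerID, resourceID, "Update");
            if (userID == null) {
                DiscoUtils.debug.error("DiscoService.update: couldn't find user from resourceID: " + resourceID);
                status.setCode(DiscoConstants.QNAME_FAILED);
                LogUtil.error(Level.INFO, LogUtil.DS_UPDATE_FAILURE, new String[]{resourceID});
                return response;
            }

            DiscoEntryHandler handler = DiscoServiceManager.getDiscoEntryHandler();
            if (DiscoServiceManager.needPolicyEvalUpdate()) {
                DiscoUtils.debug.message("DiscoService.update: needPolicyEval.");
                if (!isUpdateAllowed(userID, message, modify.getRemoveEntry(), modify.getInsertEntry(),
                        handler, DiscoServiceManager.getAuthorizer())) {
                    status.setCode(DiscoConstants.QNAME_FAILED);
                    LogUtil.error(Level.INFO, LogUtil.DS_UPDATE_FAILURE, new String[]{userID});
                    return response;
                }
            }
            // NOTE: with update policy evaluation disabled, nothing above checks that the
            // WSC may touch this user's entries; the mechanism check in processRequest is the only gate.

            Map result = handler.modifyDiscoEntries(userID, modify.getRemoveEntry(), modify.getInsertEntry());
            Object statusCode = result == null ? null : result.get(DiscoEntryHandler.STATUS_CODE);
            if ("OK".equals(statusCode)) {
                if (DiscoUtils.debug.messageEnabled()) {
                    DiscoUtils.debug.message("DiscoService.update: modified DiscoEntries through DiscoEntryHandler successfully.");
                }
                status.setCode(DiscoConstants.QNAME_OK);
                List newEntryIDs = (List) result.get(DiscoEntryHandler.NEW_ENTRY_IDS);
                if (newEntryIDs != null && !newEntryIDs.isEmpty()) {
                    response.getNewEntryIDs().addAll(newEntryIDs);
                }
                LogUtil.access(Level.INFO, LogUtil.DS_UPDATE_SUCCESS, new String[]{logContext});
            } else {
                DiscoUtils.debug.error("DiscoService.update: couldn't modify DiscoEntries through DiscoEntryHandler.");
                status.setCode(DiscoConstants.QNAME_FAILED);
                LogUtil.error(Level.INFO, LogUtil.DS_UPDATE_FAILURE, new String[]{logContext});
            }
            return response;
        } catch (JAXBException e) {
            DiscoUtils.debug.error("DiscoService.update: couldn't form ModifyResponse.");
            throw e;
        }
    }

    /**
     * Per-entry authorization for a Modify request.
     *
     * <p>Every entry to be removed must already exist for the user and the
     * WSC must be authorized for {@link DiscoConstants#ACTION_UPDATE} on its
     * resource offering; every entry to be inserted must pass the same
     * authorization on the offering being inserted. Denies (fails closed) when
     * policy evaluation was requested but no {@link Authorizer} is configured.
     *
     * @param userID     the user whose entries are modified
     * @param message    the SOAP message (token and mechanism feed the authorizer)
     * @param removes    list of {@link RemoveEntryType}, may be null/empty
     * @param inserts    list of {@link InsertEntryType}, may be null/empty
     * @param handler    entry handler used to load the user's current entries
     * @param authorizer policy authorizer, may be null
     * @return true only if every removal and insertion is authorized
     */
    private boolean isUpdateAllowed(String userID, Message message, List removes, List inserts,
                                    DiscoEntryHandler handler, Authorizer authorizer) {
        DiscoUtils.debug.message("DiscoService.isUpdateAllowed.");
        boolean hasRemoves = removes != null && !removes.isEmpty();
        boolean hasInserts = inserts != null && !inserts.isEmpty();
        if (!hasRemoves && !hasInserts) {
            return true;
        }
        if (authorizer == null) {
            // Policy evaluation is enabled but no authorizer is available: deny rather than NPE.
            DiscoUtils.debug.error("DiscoveryService.isUpdateAllowed: no Authorizer configured, denying update.");
            return false;
        }

        HashMap env = new HashMap();
        env.put(Authorizer.USER_ID, userID);
        env.put(Authorizer.AUTH_TYPE, message.getAuthenticationMechanism());
        env.put(ENV_MESSAGE, message);

        if (hasRemoves) {
            Map existing = handler.getDiscoEntries(userID, null);
            for (Iterator it = removes.iterator(); it.hasNext(); ) {
                String entryID = ((RemoveEntryType) it.next()).getEntryID();
                if (existing == null || !existing.containsKey(entryID)) {
                    DiscoUtils.debug.error("DiscoveryService.isUpdateAllowed: remove entry does not exist: " + entryID);
                    return false;
                }
                // Stored entries are expected to be InsertEntryType values (as the original cast assumed).
                InsertEntryType entry = (InsertEntryType) existing.get(entryID);
                if (!authorizer.isAuthorized(message.getToken(), DiscoConstants.ACTION_UPDATE,
                        entry.getResourceOffering(), env)) {
                    DiscoUtils.debug.error("DiscoveryService.isUpdateAllowed: WSC is not authorized to remove entry: " + entryID);
                    return false;
                }
            }
        }

        if (hasInserts) {
            for (Iterator it = inserts.iterator(); it.hasNext(); ) {
                InsertEntryType entry = (InsertEntryType) it.next();
                if (!authorizer.isAuthorized(message.getToken(), DiscoConstants.ACTION_UPDATE,
                        entry.getResourceOffering(), env)) {
                    DiscoUtils.debug.error("DiscoveryService.isUpdateAllowed: WSC is not authorized to insert entry.");
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns the plain resource ID value if one was sent, otherwise the
     * decrypted value of the encrypted resource ID (or {@code null} if that
     * is absent or cannot be decrypted).
     */
    private String resolveResourceID(ResourceIDType plain, EncryptedResourceIDType encrypted, String providerID) {
        return plain == null ? getResourceID(encrypted, providerID) : plain.getValue();
    }

    /**
     * Maps a resource ID to a user ID via the provider-specific
     * {@link ResourceIDMapper}, falling back to the default mapper.
     *
     * @return the user ID, or {@code null} if the mapper cannot resolve one
     */
    private static String resolveUserID(String providerID, String resourceID, Message message) {
        ResourceIDMapper mapper = DiscoServiceManager.getResourceIDMapper(providerID);
        if (mapper == null) {
            mapper = DiscoServiceManager.getDefaultResourceIDMapper();
        }
        return mapper.getUserID(providerID, resourceID, message);
    }

    /**
     * Resolves the user's DN through the identity repository using the admin
     * token; on {@link IdRepoException} the raw user ID is returned so policy
     * evaluation can still proceed with it.
     */
    private static String resolveUserDN(String userID) {
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(new AdminTokenAction());
            return IdUtils.getIdentity(adminToken, userID).getDN();
        } catch (IdRepoException e) {
            DiscoUtils.debug.error("DiscoService.lookup: couldn't get userDN", e);
            return userID;
        }
    }

    /**
     * Builds the localized "key=value." context string written to the audit
     * log for an operation (message ID, provider ID, security mechanism,
     * resource offering ID and operation name).
     */
    private static String logContext(Message message, String providerID, String resourceID, String operation) {
        return DiscoUtils.bundle.getString(SOAPBindingConstants.ATTR_MESSAGE_ID) + "=" + message.getCorrelationHeader().getMessageID()
                + "." + DiscoUtils.bundle.getString(SOAPBindingConstants.ATTR_PROVIDER_ID) + "=" + providerID
                + "." + DiscoUtils.bundle.getString("securityMechID") + "=" + message.getAuthenticationMechanism()
                + "." + DiscoUtils.bundle.getString("resourceOfferingID") + "=" + resourceID
                + "." + DiscoUtils.bundle.getString("operation") + "=" + operation;
    }

    /**
     * Decrypts an {@code EncryptedResourceID} for the given provider.
     *
     * @param encrypted the encrypted resource ID from the request, may be null
     * @param providerID this Discovery Service's provider ID, may be null
     * @return the decrypted resource ID, or {@code null} if either argument is
     *         null or decryption fails (the failure is logged, not propagated)
     */
    private String getResourceID(EncryptedResourceIDType encrypted, String providerID) {
        if (encrypted == null || providerID == null) {
            return null;
        }
        try {
            Element encryptedElement = Utils.convertJAXBToElement(encrypted, false);
            ResourceID decrypted = EncryptedResourceID.getDecryptedResourceID(
                    new EncryptedResourceID(encryptedElement), providerID);
            return decrypted == null ? null : decrypted.getResourceID();
        } catch (Exception e) {
            // Treated as "no resource ID": the caller then fails the request once no user resolves.
            DiscoUtils.debug.error("DiscoveryService.getResourceID: Exception:", e);
            return null;
        }
    }

    static {
        stm = null;
        try {
            // Runs under the admin token; a failure here leaves stm null (see newResponseMessage).
            stm = new SecurityTokenManager((SSOToken) AccessController.doPrivileged(new AdminTokenAction()));
        } catch (Exception e) {
            DiscoUtils.debug.error("DiscoveryService.static: unable to get SecurityTokenManager: ", e);
        }
    }
}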
