package com.sun.identity.policy.plugins;

import com.iplanet.am.util.Debug;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenID;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.policy.InvalidNameException;
import com.sun.identity.policy.NameNotFoundException;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.SubjectEvaluationCache;
import com.sun.identity.policy.Syntax;
import com.sun.identity.policy.ValidValues;
import com.sun.identity.policy.interfaces.Subject;
import com.sun.identity.security.AdminTokenAction;
import java.security.AccessController;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/* JADX WARN: Classes with same name are omitted:
  input_file:120955-03/SUNWamclnt/reloc/SUNWam/lib/amclientsdk.jar:com/sun/identity/policy/plugins/AMIdentitySubject.class
 */
/* loaded from: input_file:120955-03/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/policy/plugins/AMIdentitySubject.class */
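/**
 * Policy {@code Subject} plugin whose members are identities (users, groups,
 * roles, ...) named by universal id in {@link #setValues(Set)}.
 *
 * <p>Membership is resolved in {@link #isMember(SSOToken)} by looking both the
 * subject entry and the calling user up through the identity repository with
 * the <em>administrative</em> token obtained from {@link #getAdminToken()};
 * the caller's own token is used only to identify the caller. Results are
 * cached in {@link SubjectEvaluationCache} keyed by the caller's SSO token id
 * and this plugin's type name, and an SSO token listener is registered the
 * first time a result is cached for a token (presumably so the cache can be
 * cleared when that session ends; the listener itself is not visible here).
 *
 * <p>Not thread-safe: the subject value set is mutable and exposed directly by
 * {@link #getValues()}.
 */
public class AMIdentitySubject implements Subject {
    /** Type name under which this plugin stores results in the SubjectEvaluationCache. */
    private static final String CACHE_SUBJECT_TYPE = "AMIdentitySubject";

    /** Set by {@link #initialize(Map)}; gates {@link #getValidValues(SSOToken, String)}. */
    private boolean initialized;
    /** Realm the subject belongs to; read from the "OrganizationName" config entry. */
    private String organizationDN;
    /** Universal ids of the identities that make up this subject. Never null. */
    private Set<String> subjectValues = new HashSet<String>();
    private static Debug debug = Debug.getInstance("amPolicy");

    /**
     * Reads the realm this subject is evaluated in from the configuration map.
     *
     * @param map configuration; must contain a non-empty {@code Set} under
     *            the key {@code "OrganizationName"}, whose first element is
     *            used as the realm DN
     * @throws PolicyException {@code org_name_not_set} when the entry is missing or empty
     */
    @Override
    public void initialize(Map map) throws PolicyException {
        Set orgNames = (Set) map.get("OrganizationName");
        if (orgNames == null || orgNames.isEmpty()) {
            debug.error("AMIdentitySubject.initialize(Map):  Organization name not set");
            throw new PolicyException("amPolicy", "org_name_not_set", null, null);
        }
        this.organizationDN = (String) orgNames.iterator().next();
        this.initialized = true;
    }

    /** Subject values are picked from a list, so the syntax is always multiple choice. */
    @Override
    public Syntax getValueSyntax(SSOToken sSOToken) throws SSOException {
        return Syntax.MULTIPLE_CHOICE;
    }

    /** Delegates to {@link #getValidValues(SSOToken, String)} with the wildcard pattern. */
    @Override
    public ValidValues getValidValues(SSOToken sSOToken) throws SSOException, PolicyException {
        return getValidValues(sSOToken, "*");
    }

    /**
     * Always throws: this plugin does not enumerate candidate values.
     *
     * @throws PolicyException {@code am_id_subject_does_not_support_getvalidvalues}
     *         once initialized, {@code am_id_subject_not_initialized} before that
     */
    @Override
    public ValidValues getValidValues(SSOToken sSOToken, String str) throws SSOException, PolicyException {
        if (this.initialized) {
            throw new PolicyException("amPolicy", "am_id_subject_does_not_support_getvalidvalues", null, null);
        }
        throw new PolicyException("amPolicy", "am_id_subject_not_initialized", null, null);
    }

    /** Values are displayed verbatim; no localisation is applied. */
    @Override
    public String getDisplayNameForValue(String str, Locale locale) throws NameNotFoundException {
        return str;
    }

    /**
     * Returns the live, mutable value set (not a copy); mutating it changes this
     * subject and its {@link #hashCode()}.
     */
    @Override
    public Set getValues() {
        return this.subjectValues == null ? Collections.emptySet() : this.subjectValues;
    }

    /**
     * Adds the given universal ids to this subject. Note that values accumulate
     * across calls; existing values are not replaced.
     *
     * @param set universal ids to add
     * @throws InvalidNameException when {@code set} is null
     */
    @Override
    public void setValues(Set set) throws InvalidNameException {
        if (set == null) {
            throw new InvalidNameException("amPolicy", "amidentity_subject_invalid_subject_values", null, null, 5);
        }
        this.subjectValues.addAll(set);
        if (debug.messageEnabled()) {
            debug.message("AMIdentitySubejct set subjectValues to: " + this.subjectValues);
        }
    }

    /**
     * Decides whether the user behind {@code sSOToken} is a member of this subject.
     *
     * <p>Evaluation order per subject value: the SubjectEvaluationCache is consulted
     * first; a cached {@code true} short-circuits, a cached {@code false} moves on to
     * the next value. On a cache miss the subject identity and the user identity are
     * resolved with the admin token; the user matches when the two identities are
     * equal, or when the subject's type can have members of the user's type and the
     * user is a member of it. The computed result is cached and an SSO listener is
     * registered for the token once. A subject value that does not resolve to an
     * identity, or a user that does not resolve, ends the whole evaluation with
     * {@code false} — remaining subject values are not consulted.
     *
     * @param sSOToken the caller's session token; a null token, token id or
     *                 principal name yields {@code false}
     * @return whether the caller is a member of any of the subject values
     * @throws PolicyException {@code am_id_subject_membership_evaluation_error}
     *         wrapping an {@link IdRepoException} from the repository lookups
     * @throws SSOException from the token or admin-token lookups
     */
    @Override
    public boolean isMember(SSOToken sSOToken) throws SSOException, PolicyException {
        String tokenId = null;
        if (sSOToken != null) {
            SSOTokenID tokenID = sSOToken.getTokenID();
            if (tokenID != null) {
                tokenId = tokenID.toString();
            }
        }
        if (tokenId == null) {
            if (debug.warningEnabled()) {
                debug.warning("AMIdentitySubject.isMember():tokenID is null");
                debug.warning("AMIdentitySubject.isMember():returning false");
            }
            return false;
        }
        Principal principal = sSOToken.getPrincipal();
        String userDN = principal != null ? principal.getName() : null;
        if (userDN == null) {
            if (debug.warningEnabled()) {
                debug.warning("AMIdentitySubject.isMember():userDN is null");
                debug.warning("AMIdentitySubject.isMember():returning false");
            }
            return false;
        }
        if (debug.messageEnabled()) {
            debug.message("AMIndentitySubject.isMember(): entering with userDN = " + userDN);
        }

        boolean listenerAdded = false;
        boolean subjectMatch = false;
        for (String subjectValue : this.subjectValues) {
            if (debug.messageEnabled()) {
                debug.message("AMIndentitySubject.isMember(): checking membership with userDN = "
                        + userDN + ", subjectValue = " + subjectValue);
            }
            Boolean cached = SubjectEvaluationCache.isMember(tokenId, CACHE_SUBJECT_TYPE, subjectValue);
            if (cached != null) {
                boolean cachedMatch = cached.booleanValue();
                if (debug.messageEnabled()) {
                    debug.message("AMIdentitySubject.isMember():got membership from SubjectEvaluationCache  for userDN = "
                            + userDN + ", subjectValue = " + subjectValue + ", result = " + cachedMatch);
                }
                if (cachedMatch) {
                    if (debug.messageEnabled()) {
                        debug.message("AMIndentitySubject.isMember():  returning membership status = " + cachedMatch);
                    }
                    return cachedMatch;
                }
                // cached negative result: try the next subject value
                continue;
            }

            if (debug.messageEnabled()) {
                debug.message("AMIdentitySubject:isMember():entry for " + subjectValue
                        + " not in subject evaluation cache, " + "so compute using IDRepo api");
            }
            try {
                // Privileged lookup: both identities are resolved with the admin token,
                // not the caller's token.
                SSOToken adminToken = getAdminToken();
                // The repository instance is not used afterwards; kept only because the
                // constructor may validate the realm — TODO confirm before removing.
                new AMIdentityRepository(adminToken, this.organizationDN);
                AMIdentity subjectIdentity = IdUtils.getIdentity(adminToken, subjectValue);
                if (subjectIdentity == null) {
                    if (debug.messageEnabled()) {
                        debug.message("AMidentitySubject.isMember():subjectIdentity is null for subjectValue = " + subjectValue);
                        debug.message("AMidentitySubject.isMember():returning false");
                    }
                    return false;
                }
                AMIdentity userIdentity = IdUtils.getIdentity(adminToken,
                        IdUtils.getUniversalId(IdUtils.getIdentity(sSOToken)));
                if (userIdentity == null) {
                    if (debug.messageEnabled()) {
                        debug.message("AMidentitySubject.isMember():userIdentity is null");
                        debug.message("AMidentitySubject.isMember():returning false");
                    }
                    return false;
                }
                if (debug.messageEnabled()) {
                    debug.message("AMidentitySubject.isMember():user uuid = " + IdUtils.getUniversalId(userIdentity)
                            + ", subject uuid = " + IdUtils.getUniversalId(subjectIdentity));
                }
                IdType userType = userIdentity.getType();
                IdType subjectType = subjectIdentity.getType();
                if (userIdentity.equals(subjectIdentity)) {
                    if (debug.messageEnabled()) {
                        debug.message("AMidentitySubject.isMember():userIdentity equals subjectIdentity:membership=true");
                    }
                    subjectMatch = true;
                } else {
                    // Only ask the repository when the subject's type can contain the user's type.
                    Set canHaveMembers = subjectType.canHaveMembers();
                    if (canHaveMembers == null || !canHaveMembers.contains(userType)) {
                        subjectMatch = false;
                        if (debug.messageEnabled()) {
                            debug.message("AMIdentitySubject.isMember():userIdentity type " + userType
                                    + " can not be a member of " + "subjectIdentityType " + subjectType
                                    + ":membership=" + false);
                        }
                    } else {
                        subjectMatch = userIdentity.isMember(subjectIdentity);
                        if (debug.messageEnabled()) {
                            debug.message("AMIdentitySubject.isMember():userIdentity type " + userType
                                    + " can be a member of " + "subjectIdentityType " + subjectType
                                    + ":membership=" + subjectMatch);
                        }
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("AMIdentitySubject.isMember: adding entry in SubjectEvaluationCache for , for userDN = "
                            + userDN + ", subjectValue = " + subjectValue + ", subjectMatch = " + subjectMatch);
                }
                SubjectEvaluationCache.addEntry(tokenId, CACHE_SUBJECT_TYPE, subjectValue, subjectMatch);
                // Register the evaluator's SSO listener for this token once, so cached
                // results for the token can be acted on when the session changes.
                if (!listenerAdded && !PolicyEvaluator.ssoListenerRegistry.containsKey(tokenId)) {
                    sSOToken.addSSOTokenListener(PolicyEvaluator.ssoListener);
                    PolicyEvaluator.ssoListenerRegistry.put(tokenId, PolicyEvaluator.ssoListener);
                    if (debug.messageEnabled()) {
                        debug.message("AMIdentitySubject.isMember(): sso listener added ");
                    }
                    listenerAdded = true;
                }
            } catch (IdRepoException e) {
                debug.warning("AMidentitySubject.isMember():can not check membership for user "
                        + userDN + ", subject " + subjectValue, e);
                throw new PolicyException("amPolicy", "am_id_subject_membership_evaluation_error",
                        new String[]{userDN, subjectValue}, e);
            }
            if (subjectMatch) {
                break;
            }
        }

        if (debug.messageEnabled()) {
            if (subjectMatch) {
                debug.message("AMIdentitySubject.isMember(): User " + userDN + " is a member of this subject");
            } else {
                debug.message("AMIdentitySubject.isMember(): user " + userDN + " is not a member of this subject");
            }
        }
        return subjectMatch;
    }

    /** Hash of the (mutable) value set; changes whenever values are added. */
    @Override
    public int hashCode() {
        return this.subjectValues.hashCode();
    }

    /** Two subjects are equal when they hold the same set of universal ids. */
    @Override
    public boolean equals(Object obj) {
        if (!(obj instanceof AMIdentitySubject)) {
            return false;
        }
        return this.subjectValues.equals(((AMIdentitySubject) obj).subjectValues);
    }

    /**
     * Shallow clone with an independent copy of the value set, so edits to the
     * clone's values do not leak into this instance.
     */
    @Override
    public Object clone() {
        try {
            AMIdentitySubject copy = (AMIdentitySubject) super.clone();
            if (this.subjectValues != null) {
                copy.subjectValues = new HashSet<String>(this.subjectValues);
            }
            return copy;
        } catch (CloneNotSupportedException e) {
            // Presumably unreachable (super.clone() is expected to succeed for a Subject);
            // keep the cause so a failure is diagnosable instead of a bare InternalError.
            InternalError err = new InternalError(e.getMessage());
            err.initCause(e);
            throw err;
        }
    }

    /**
     * Obtains the administrative token used for repository lookups via a
     * privileged {@link AdminTokenAction}.
     *
     * @throws SSOException (wrapping a {@code invalid_admin} PolicyException) when
     *         no admin token is available
     */
    private SSOToken getAdminToken() throws SSOException {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        if (adminToken == null) {
            throw new SSOException(new PolicyException("amPolicy", "invalid_admin", null, null));
        }
        return adminToken;
    }
}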
