package com.sun.identity.policy.plugins;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.common.LDAPConnectionPool;
import com.sun.identity.policy.ConditionDecision;
import com.sun.identity.policy.PolicyConfig;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.PolicyUtils;
import com.sun.identity.policy.SubjectEvaluationCache;
import com.sun.identity.policy.Syntax;
import com.sun.identity.policy.interfaces.Condition;
import com.sun.identity.shared.debug.Debug;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSearchConstraints;

/* loaded from: input_file:com/sun/identity/policy/plugins/LDAPFilterCondition.class */
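public class LDAPFilterCondition implements Condition {

    /** Search-scope names accepted for {@code PolicyConfig.LDAP_USERS_SEARCH_SCOPE}. */
    static final String LDAP_SCOPE_BASE = "SCOPE_BASE";
    static final String LDAP_SCOPE_ONE = "SCOPE_ONE";

    /** Numeric search scopes handed to {@code LDAPConnection.search}; SUB is the default. */
    private static final int SEARCH_SCOPE_BASE = 0;
    private static final int SEARCH_SCOPE_ONE = 1;
    private static final int SEARCH_SCOPE_SUB = 2;

    /** LDAP result codes that are mapped to dedicated policy message keys. */
    private static final int LDAP_RESULT_NO_SUCH_OBJECT = 32;
    private static final int LDAP_RESULT_INVALID_CREDENTIALS = 49;

    private static final Debug debug = Debug.getInstance("amPolicy");

    /** The only property this condition accepts is {@code Condition.LDAP_FILTER}. */
    private static final List propertyNames = Collections.singletonList(Condition.LDAP_FILTER);

    private static final String AMPERSAND = "&";
    private static final String OPEN_PARENTHESIS = "(";
    private static final String CLOSE_PARENTHESIS = ")";
    private static final String EMPTY_FILTER = "()";

    /** Properties given to {@link #setProperties(Map)}; each value is a {@code Set}. */
    private Map properties;

    /** Single value of the LDAP_FILTER property, captured while validating the properties. */
    private String ldapConditionFilter;

    /**
     * Wall-clock time in ms after which the policy configuration is re-read.
     * Volatile because {@link #resetPolicyConfig(Map)} reads it without a lock while
     * the synchronized {@link #setPolicyConfig(Map)} writes it last, so a reader that
     * observes a fresh deadline also observes the configuration fields written before it.
     */
    private volatile long policyConfigExpiresAt;

    // Directory settings, all read from the policy configuration map.
    private String authid;
    private String authpw;               // bind password; deliberately never logged
    private String baseDN;
    private String userSearchFilter;
    private String userRDNAttrName;
    private int timeLimit;
    private int maxResults;
    private int minPoolSize;
    private int maxPoolSize;
    private String orgName;
    private LDAPConnectionPool connPool;
    private String ldapServer;
    private boolean aliasEnabled;
    private int userSearchScope = SEARCH_SCOPE_SUB;
    private boolean sslEnabled = false;

    /** Returns the read-only list of property names this condition understands. */
    @Override
    public List getPropertyNames() {
        return Collections.unmodifiableList(propertyNames);
    }

    /** Every property of this condition has free-form syntax. */
    @Override
    public Syntax getPropertySyntax(String propertyName) {
        return Syntax.ANY;
    }

    /** The display name of a property is the property name itself. */
    @Override
    public String getDisplayName(String propertyName, Locale locale) throws PolicyException {
        return propertyName;
    }

    /** No property has an enumerated set of valid values. */
    @Override
    public Set getValidValues(String propertyName) throws PolicyException {
        return Collections.emptySet();
    }

    /**
     * Validates and stores the condition properties.
     *
     * @param properties map holding exactly the LDAP_FILTER key with a one-element Set value
     * @throws PolicyException if the map is null/empty, holds an unknown key, or the
     *         LDAP_FILTER value is empty, has several elements, or is not a String
     */
    @Override
    public void setProperties(Map properties) throws PolicyException {
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.setProperties():properties=" + properties);
        }
        validateProperties(properties);   // also captures ldapConditionFilter
        this.properties = properties;
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.setProperties():ldapConditionFilter="
                    + ldapConditionFilter);
        }
    }

    /** Returns a read-only view of the properties; empty until {@link #setProperties(Map)} ran. */
    @Override
    public Map getProperties() {
        if (properties == null) {
            return Collections.emptyMap();
        }
        return Collections.unmodifiableMap(properties);
    }

    /**
     * Decides whether the principal behind {@code token} satisfies the LDAP filter.
     *
     * @param token session of the principal being evaluated
     * @param env   evaluation environment; the policy configuration is read from
     *              {@code PolicyEvaluator.SUN_AM_POLICY_CONFIG} when it has expired
     * @return decision whose allow flag is the membership result
     * @throws PolicyException on configuration or directory errors
     * @throws SSOException   if the token cannot be read
     */
    @Override
    public ConditionDecision getConditionDecision(SSOToken token, Map env)
            throws PolicyException, SSOException {
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.getConditionDecision():entering:principalDN="
                    + token.getPrincipal().getName()
                    + ":ldapConditionFilter=" + ldapConditionFilter);
        }
        resetPolicyConfig(env);
        boolean allowed = isMember(token);
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.getConditionDecision():allowed= " + allowed);
        }
        return new ConditionDecision(allowed);
    }

    /**
     * Answers whether the token's user matches the combined search filter, consulting the
     * subject evaluation cache first and caching the directory answer afterwards.
     *
     * @throws PolicyException if the principal name is not a DN of the form
     *         {@code attr=value,...} or the directory search fails
     */
    private boolean isMember(SSOToken token) throws SSOException, PolicyException {
        String userLocalDN = token.getPrincipal().getName();
        String tokenID = token.getTokenID().toString();
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.isMember(): userLocalDN from ssoToken is: "
                    + userLocalDN);
        }

        Boolean cached = SubjectEvaluationCache.isMember(tokenID, ldapServer, ldapConditionFilter);
        if (cached != null) {
            if (debug.messageEnabled()) {
                debug.message("LDAPFilterCondition.isMember():Got membership from cache userLocalDN: "
                        + userLocalDN + ", ldapConditionFilter: " + ldapConditionFilter
                        + " , member:" + cached.booleanValue());
            }
            // NOTE(review): only a positive cache entry short-circuits; a cached negative
            // answer still triggers a directory search below — confirm this is intended.
            if (cached.booleanValue()) {
                return true;
            }
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition:isMember(): ldapConditionFilter:" + ldapConditionFilter
                    + " not in subject evaluation cache, " + " fetching from directory server.");
        }

        // The RDN value is the text between the first '=' and the first ','.
        int eq = userLocalDN.indexOf('=');
        int comma = userLocalDN.indexOf(',');
        if (eq <= 0 || comma <= 0 || eq >= comma) {
            throw new PolicyException("amPolicy", "ldapusers_subject_invalid_local_user_dn", null, null);
        }
        String rdnValue = userLocalDN.substring(eq + 1, comma);
        // rdnValue is interpolated into an LDAP filter by constructUserFilter; escaping of
        // filter metacharacters is assumed to happen there — confirm in PolicyUtils.
        String userFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, rdnValue, aliasEnabled);

        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.getConditionDecision():  user search filter is: "
                    + userSearchFilter);
            debug.message("LDAPFilterCondition.getConditionDecision():  user mapping filter is: "
                    + userFilter);
            debug.message("LDAPFilterCondition.getConditionDecision():  condition ldapConditionFilter is: "
                    + ldapConditionFilter);
        }
        String searchFilter = buildSearchFilter(userFilter);
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.getConditionDecision():  combined filter : " + searchFilter);
        }

        boolean member = searchFilterSatisfied(searchFilter);
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition:isMember(): caching result, searchFilter:" + searchFilter
                    + ", member:" + member);
        }
        SubjectEvaluationCache.addEntry(tokenID, ldapServer, ldapConditionFilter, member);

        // Register the policy evaluator's session listener once per token; presumably it
        // evicts the cache entry when the session ends — verify against PolicyEvaluator.
        if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
            token.addSSOTokenListener(PolicyEvaluator.ssoListener);
            PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
            if (debug.messageEnabled()) {
                debug.message("LDAPFilterCondition.isMember(): sso listener added .\n");
            }
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.isMember():member=" + member);
        }
        return member;
    }

    /**
     * Combines the configured user search filter, the per-user mapping filter and the
     * condition filter into one AND filter, e.g. {@code (&(usf)(uf)(lcf))}.
     * The user mapping filter is always included so the search stays scoped to the
     * calling principal even when no user search filter is configured; the previous
     * code concatenated a null String in that case and emitted the literal text "null".
     */
    private String buildSearchFilter(String userFilter) {
        StringBuilder combined = new StringBuilder();
        if (userSearchFilter != null && userSearchFilter.length() != 0) {
            combined.append(trimAndParenthesise(userSearchFilter));
        }
        combined.append(trimAndParenthesise(userFilter));
        if (ldapConditionFilter != null && ldapConditionFilter.length() != 0) {
            combined.append(trimAndParenthesise(ldapConditionFilter));
        }
        return trimAndParenthesise(AMPERSAND + combined);
    }

    /**
     * Runs {@code searchFilter} against the users base DN on a pooled connection and
     * reports whether at least one entry matched. The connection is always returned
     * to the pool.
     *
     * @throws PolicyException with a dedicated message for invalid bind credentials and
     *         a missing base DN; other LDAP errors carry the server's error text
     */
    private boolean searchFilterSatisfied(String searchFilter) throws SSOException, PolicyException {
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.searchFilterSatified():entering, searchFitler="
                    + searchFilter);
        }
        String[] attrs = {userRDNAttrName};
        LDAPConnection conn = connPool.getConnection();
        try {
            LDAPSearchConstraints constraints = conn.getSearchConstraints();
            constraints.setMaxResults(maxResults);
            constraints.setServerTimeLimit(timeLimit);
            conn.authenticate(authid, authpw);
            boolean satisfied = conn.search(baseDN, userSearchScope, searchFilter, attrs, false, constraints)
                    .hasMoreElements();
            if (debug.messageEnabled()) {
                debug.message("LDAPFilterCondition.searchFilterSatified():returning, filterSatisfied="
                        + satisfied);
            }
            return satisfied;
        } catch (LDAPException e) {
            throw toPolicyException(e);
        } finally {
            connPool.close(conn);
        }
    }

    /** Maps an LDAP failure to the policy exception the callers expect. */
    private PolicyException toPolicyException(LDAPException e) {
        int resultCode = e.getLDAPResultCode();
        if (resultCode == LDAP_RESULT_INVALID_CREDENTIALS) {
            return new PolicyException("amPolicy", "ldap_invalid_password", null, null);
        }
        if (resultCode == LDAP_RESULT_NO_SUCH_OBJECT) {
            return new PolicyException("amPolicy", "no_such_ldap_users_base_dn", new String[]{baseDN}, null);
        }
        String errorMessage = e.getLDAPErrorMessage();
        String codeText = e.errorCodeToString();
        if (codeText != null) {
            return new PolicyException(errorMessage + ": " + codeText);
        }
        return new PolicyException(errorMessage);
    }

    /** Re-reads the policy configuration from {@code env} once the cached one has expired. */
    private void resetPolicyConfig(Map env) throws PolicyException {
        if (System.currentTimeMillis() > policyConfigExpiresAt) {
            Map configParams = (env == null) ? null : (Map) env.get(PolicyEvaluator.SUN_AM_POLICY_CONFIG);
            setPolicyConfig(configParams);
        }
    }

    /**
     * Loads directory settings from the policy configuration and (re)initialises the
     * connection pool. Synchronized so that concurrent evaluators refresh only once.
     *
     * @throws PolicyException if the configuration is null, names no LDAP server, or a
     *         numeric setting cannot be parsed
     */
    private synchronized void setPolicyConfig(Map configParams) throws PolicyException {
        if (System.currentTimeMillis() < policyConfigExpiresAt) {
            return;   // another thread refreshed the configuration while we waited for the lock
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPFilterCondition.setPolicyConfig():policy config expired, resetting");
        }
        if (configParams == null) {
            debug.error("LDAPFilterCondition.setPolicyConfig():configParams is null");
            throw new PolicyException("amPolicy", "ldapfiltercondition_setpolicyconfig_null_policy_config", null, null);
        }
        String server = (String) configParams.get(PolicyConfig.LDAP_SERVER);
        if (server == null) {
            debug.error("LDAPFilterCondition.initialize(): failed to get LDAP server name. If you enter more than one server name in the policy config service's Primary LDAP Server field, please make sure the ldap server name is preceded with the local server name.");
            throw new PolicyException("amPolicy", "invalid_ldap_server_host", null, null);
        }
        ldapServer = server.toLowerCase();
        aliasEnabled = Boolean.parseBoolean((String) configParams.get(PolicyConfig.USER_ALIAS_ENABLED));
        authid = (String) configParams.get(PolicyConfig.LDAP_BIND_DN);
        authpw = (String) configParams.get(PolicyConfig.LDAP_BIND_PASSWORD);
        baseDN = (String) configParams.get(PolicyConfig.LDAP_USERS_BASE_DN);
        userSearchFilter = (String) configParams.get(PolicyConfig.LDAP_USERS_SEARCH_FILTER);
        userSearchScope = parseSearchScope((String) configParams.get(PolicyConfig.LDAP_USERS_SEARCH_SCOPE));
        userRDNAttrName = (String) configParams.get(PolicyConfig.LDAP_USER_SEARCH_ATTRIBUTE);
        try {
            timeLimit = Integer.parseInt((String) configParams.get(PolicyConfig.LDAP_SEARCH_TIME_OUT));
            maxResults = Integer.parseInt((String) configParams.get(PolicyConfig.LDAP_SEARCH_LIMIT));
            minPoolSize = Integer.parseInt((String) configParams.get(PolicyConfig.LDAP_CONNECTION_POOL_MIN_SIZE));
            maxPoolSize = Integer.parseInt((String) configParams.get(PolicyConfig.LDAP_CONNECTION_POOL_MAX_SIZE));
            // null-safe: a missing setting means SSL off, as the old else-branch did
            sslEnabled = "true".equalsIgnoreCase((String) configParams.get(PolicyConfig.LDAP_SSL_ENABLED));
            Set orgNames = (Set) configParams.get("OrganizationName");
            if (orgNames != null && !orgNames.isEmpty()) {
                orgName = (String) orgNames.iterator().next();
            }
            if (debug.messageEnabled()) {
                // authpw is intentionally left out of this dump
                debug.message("LDAPFilterCondition.setPolicyConfig(): getting params\nldapServer: " + ldapServer
                        + "\nauthid: " + authid
                        + "\nbaseDN: " + baseDN
                        + "\nuserSearchFilter: " + userSearchFilter
                        + "\nuserRDNAttrName: " + userRDNAttrName
                        + "\ntimeLimit: " + timeLimit
                        + "\nmaxResults: " + maxResults
                        + "\nminPoolSize: " + minPoolSize
                        + "\nmaxPoolSize: " + maxPoolSize
                        + "\nSSLEnabled: " + sslEnabled
                        + "\nOrgName: " + orgName);
            }
            LDAPConnectionPools.initConnectionPool(ldapServer, authid, authpw, sslEnabled, minPoolSize, maxPoolSize);
            connPool = LDAPConnectionPools.getConnectionPool(ldapServer);
            // written last on purpose: see the field comment on policyConfigExpiresAt
            policyConfigExpiresAt = System.currentTimeMillis() + PolicyConfig.getSubjectsResultTtl(configParams);
        } catch (NumberFormatException e) {
            throw new PolicyException(e);
        }
    }

    /** Translates a configured scope name to its numeric search scope; unknown or null means SUB. */
    private static int parseSearchScope(String scopeName) {
        if (LDAP_SCOPE_BASE.equalsIgnoreCase(scopeName)) {
            return SEARCH_SCOPE_BASE;
        }
        if (LDAP_SCOPE_ONE.equalsIgnoreCase(scopeName)) {
            return SEARCH_SCOPE_ONE;
        }
        return SEARCH_SCOPE_SUB;
    }

    /**
     * Checks that {@code properties} holds exactly the LDAP_FILTER key and, when its
     * value is present, records the filter in {@link #ldapConditionFilter}.
     *
     * @return always {@code true}; failures are reported as exceptions
     */
    private boolean validateProperties(Map properties) throws PolicyException {
        if (properties == null || properties.isEmpty()) {
            throw new PolicyException("amPolicy", "properties_can_not_be_null_or_empty", null, null);
        }
        Set keys = properties.keySet();
        if (!keys.contains(Condition.LDAP_FILTER)) {
            throw new PolicyException("amPolicy", "property_value_not_defined",
                    new String[]{Condition.LDAP_FILTER}, null);
        }
        for (Object key : keys) {
            if (!Condition.LDAP_FILTER.equals(key)) {
                throw new PolicyException("amPolicy", "attempt_to_set_invalid_property",
                        new String[]{String.valueOf(key)}, null);
            }
        }
        Set filterValues = (Set) properties.get(Condition.LDAP_FILTER);
        if (filterValues != null) {
            validateLdapFilterSet(filterValues);
        }
        return true;
    }

    /**
     * Requires {@code filterValues} to hold exactly one String and stores it as the
     * condition filter.
     *
     * @return always {@code true}; failures are reported as exceptions
     */
    private boolean validateLdapFilterSet(Set filterValues) throws PolicyException {
        if (filterValues.isEmpty()) {
            throw new PolicyException("amPolicy", "property_does_not_allow_empty_values",
                    new String[]{Condition.LDAP_FILTER}, null);
        }
        if (filterValues.size() > 1) {
            throw new PolicyException("amPolicy", "property_does_not_allow_multiple_values",
                    new String[]{Condition.LDAP_FILTER}, null);
        }
        Object value = filterValues.iterator().next();
        if (!(value instanceof String)) {
            throw new PolicyException("amPolicy", "property_is_not_a_String",
                    new String[]{Condition.LDAP_FILTER}, null);
        }
        ldapConditionFilter = (String) value;
        return true;
    }

    /**
     * Returns the trimmed filter wrapped in parentheses unless it already starts with
     * one; a null filter becomes {@code "()"}. Always returns the trimmed form so no
     * stray whitespace ends up inside the combined filter.
     */
    private String trimAndParenthesise(String filter) {
        if (filter == null) {
            return EMPTY_FILTER;
        }
        String trimmed = filter.trim();
        if (trimmed.startsWith(OPEN_PARENTHESIS)) {
            return trimmed;
        }
        return OPEN_PARENTHESIS + trimmed + CLOSE_PARENTHESIS;
    }

    /**
     * Shallow-clones the condition and deep-copies the properties map (each value Set
     * is copied) so the clone can be edited independently.
     */
    @Override
    public Object clone() {
        LDAPFilterCondition copy;
        try {
            copy = (LDAPFilterCondition) super.clone();
        } catch (CloneNotSupportedException e) {
            InternalError error = new InternalError("LDAPFilterCondition is not Cloneable");
            error.initCause(e);   // keep the original failure instead of dropping it
            throw error;
        }
        if (properties != null) {
            Map copiedProperties = new HashMap();
            for (Object entryObject : properties.entrySet()) {
                Map.Entry entry = (Map.Entry) entryObject;
                Set values = new HashSet();
                values.addAll((Set) entry.getValue());
                copiedProperties.put(entry.getKey(), values);
            }
            copy.properties = copiedProperties;
        }
        return copy;
    }
}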
