package com.sun.identity.policy.client;

import com.iplanet.dpro.session.SessionException;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.log.LogRecord;
import com.sun.identity.log.Logger;
import com.sun.identity.policy.ActionDecision;
import com.sun.identity.policy.PolicyDecision;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.PolicyUtils;
import com.sun.identity.policy.ResBundleUtils;
import com.sun.identity.policy.remote.PolicyEvaluationException;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.security.AppSSOTokenProvider;
import com.sun.identity.shared.debug.Debug;
import java.security.AccessController;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;

/* loaded from: input_file:com/sun/identity/policy/client/PolicyEvaluator.class */
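/**
 * Client-side policy enforcement point: asks the policy service (through a
 * {@link ResourceResultCache}) whether a user's SSO token may perform an action
 * on a resource.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #isAllowed(SSOToken, String, String, Map)} fails closed: the
 *       result is {@code true} only when the decision contains the configured
 *       "true" value and does not contain the configured "false" value.</li>
 *   <li>The user token is validated with the {@code SSOTokenManager} before any
 *       decision is requested.</li>
 *   <li>Requests are made with an application SSO token. When no
 *       {@link AppSSOTokenProvider} is supplied, that token comes from
 *       {@code AdminTokenAction} inside {@code doPrivileged}.</li>
 *   <li>Message-level debug output includes principal names, resource names and
 *       the full decision XML. Treat the {@code amRemotePolicy} debug log as
 *       sensitive and keep message level off where that matters.</li>
 * </ul>
 *
 * <p>This source was recovered by a decompiler, so parameter names are synthetic
 * and raw collection types are kept as found.
 */
public class PolicyEvaluator {
    static Debug debug = Debug.getInstance("amRemotePolicy");
    private PolicyProperties policyProperties;
    private String serviceName;
    private SSOTokenManager ssoTokenManager;
    private ResourceResultCache resourceResultCache;
    AppSSOTokenProvider appSSOTokenProvider;
    // Created lazily by logAccessMessage(); the lazy init is not synchronised.
    static Logger accessLogger;
    static Logger errorLogger;
    private static final String GET_RESPONSE_ATTRIBUTES = "Get_Response_Attributes";
    // Application token used to authenticate this client to the policy service.
    private SSOToken appSSOToken;
    private static final int RETRY_COUNT = 3;
    // Compared against "ALLOW", "DENY", "BOTH" and "DECISION" when deciding what to log.
    private String logActions;

    /**
     * Creates an evaluator for the given policy service, obtaining the
     * application token through {@code AdminTokenAction}.
     *
     * @param str name of the service whose policies are evaluated
     * @throws PolicyException if initialisation fails, for example when no
     *         application SSO token can be obtained
     * @throws SSOException declared by the initialisation path
     */
    public PolicyEvaluator(String str) throws PolicyException, SSOException {
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator():Creating PolicyEvaluator:serviceName=" + str);
        }
        init(str, null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an evaluator that takes its application token from the supplied
     * provider.
     *
     * <p>NOTE(review): when {@code str} is {@code null} only a warning is written
     * and no field is initialised, so later calls on the instance will fail.
     * Rejecting the argument would be safer, but that changes behaviour callers
     * may rely on - confirm before tightening.
     *
     * @param str name of the service whose policies are evaluated
     * @param appSSOTokenProvider source of the application token, or
     *        {@code null} to fall back to {@code AdminTokenAction}
     * @throws PolicyException if initialisation fails
     * @throws SSOException declared by the initialisation path
     */
    public PolicyEvaluator(String str, AppSSOTokenProvider appSSOTokenProvider) throws PolicyException, SSOException {
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator():Creating PolicyEvaluator:serviceName=" + str
                    + ":appSSOTokenProvider=" + appSSOTokenProvider);
        }
        if (str == null) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator():serviceName is null");
            }
            return;
        }
        init(str, appSSOTokenProvider);
    }

    /**
     * Wires up the token manager, properties and decision cache, obtains the
     * application token and, when notifications are enabled, registers a remote
     * policy listener.
     */
    private void init(String str, AppSSOTokenProvider appSSOTokenProvider) throws PolicyException, SSOException {
        this.ssoTokenManager = SSOTokenManager.getInstance();
        this.serviceName = str;
        this.appSSOTokenProvider = appSSOTokenProvider;
        this.policyProperties = new PolicyProperties();
        this.logActions = this.policyProperties.getLogActions();
        this.resourceResultCache = ResourceResultCache.getInstance(this.policyProperties);
        this.appSSOToken = getNewAppSSOToken();
        if (this.policyProperties.notificationEnabled()) {
            if (debug.messageEnabled()) {
                debug.message("PolicyEvaluator.init():adding remote policy listener with policy service");
            }
            this.resourceResultCache.addRemotePolicyListener(
                    this.appSSOToken, str, this.policyProperties.getNotificationURL());
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator:initialized PolicyEvaluator");
        }
    }

    /**
     * Evaluates a single action with no environment parameters.
     *
     * @see #isAllowed(SSOToken, String, String, Map)
     */
    public boolean isAllowed(SSOToken sSOToken, String str, String str2) throws PolicyException, SSOException {
        return isAllowed(sSOToken, str, str2, null);
    }

    /**
     * Decides whether the user may perform one action on a resource.
     *
     * <p>The default is deny. Access is granted only when the action decision's
     * values contain the configured "true" value and do not contain the
     * configured "false" value, so a decision carrying both is a deny. A missing
     * decision, a missing value set or missing true/false configuration is also
     * a deny.
     *
     * @param sSOToken user's SSO token; must not be {@code null}
     * @param str resource name
     * @param str2 action name
     * @param map environment parameters, may be {@code null}
     * @return {@code true} only for an explicit allow
     * @throws PolicyException if the decision cannot be obtained
     * @throws SSOException if the user token is rejected
     */
    public boolean isAllowed(SSOToken sSOToken, String str, String str2, Map map) throws PolicyException, SSOException {
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator:isAllowed():token=" + sSOToken.getPrincipal().getName()
                    + ":resourceName=" + str + ":actionName=" + str2 + ":envParameters) : entering");
        }
        HashSet actionNames = new HashSet(1);
        actionNames.add(str2);
        PolicyDecision decision = getPolicyDecision(sSOToken, str, actionNames, map);
        ActionDecision actionDecision = (ActionDecision) decision.getActionDecisions().get(str2);
        String trueValue = this.policyProperties.getTrueValue(this.serviceName, str2);
        String falseValue = this.policyProperties.getFalseValue(this.serviceName, str2);

        // Fail closed: stays false unless an explicit allow is found below.
        boolean allowed = false;
        if (actionDecision != null && trueValue != null && falseValue != null) {
            Set values = actionDecision.getValues();
            if (values != null) {
                // Deny overrides allow when both values are present.
                allowed = !values.contains(falseValue) && values.contains(trueValue);
            }
        }

        String[] logArgs = {str, str2, allowed ? "ALLOW" : "DENY"};
        if ("ALLOW".equals(this.logActions) && allowed) {
            logAccessMessage(Level.INFO, ResBundleUtils.getString("policy_eval_allow", logArgs), sSOToken);
        } else if ("DENY".equals(this.logActions) && !allowed) {
            logAccessMessage(Level.INFO, ResBundleUtils.getString("policy_eval_deny", logArgs), sSOToken);
        } else if ("BOTH".equals(this.logActions) || "DECISION".equals(this.logActions)) {
            logAccessMessage(Level.INFO, ResBundleUtils.getString("policy_eval_result", logArgs), sSOToken);
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.isAllowed():token=" + sSOToken.getPrincipal().getName()
                    + ":resourceName=" + str + ":actionName=" + str2 + ":returning: " + allowed);
        }
        return allowed;
    }

    /**
     * Fetches the policy decision for a set of actions with no environment
     * parameters.
     *
     * @see #getPolicyDecision(SSOToken, String, Set, Map)
     */
    public PolicyDecision getPolicyDecision(SSOToken sSOToken, String str, Set set) throws PolicyException, SSOException {
        return getPolicyDecision(sSOToken, str, set, null);
    }

    /**
     * Fetches the policy decision for a user, resource and set of actions.
     *
     * <p>The user token is validated first. If the cache reports that the
     * application token is invalid, a new one is obtained and stored, the remote
     * listener is re-registered when notifications are enabled, and the request
     * is repeated once.
     *
     * @param sSOToken user's SSO token
     * @param str resource name
     * @param set action names
     * @param map environment parameters, may be {@code null}
     * @return the decision returned by the result cache
     * @throws PolicyException if the decision cannot be obtained
     * @throws SSOException if the user token fails validation
     */
    public PolicyDecision getPolicyDecision(SSOToken sSOToken, String str, Set set, Map map) throws PolicyException, SSOException {
        // Reject an invalid user token before it reaches the cache or the server.
        this.ssoTokenManager.validateToken(sSOToken);
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator:getPolicyDecision():token=" + sSOToken.getPrincipal().getName()
                    + ":resourceName=" + str + ":actionName=" + set + ":entering");
        }
        PolicyDecision policyDecision;
        try {
            policyDecision = this.resourceResultCache.getPolicyDecision(
                    this.appSSOToken, this.serviceName, sSOToken, str, set, map, RETRY_COUNT);
        } catch (InvalidAppSSOTokenException e) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator.getPolicyDecision():InvalidAppSSOTokenException occured:getting new appssotoken");
            }
            this.appSSOToken = getNewAppSSOToken();
            if (this.policyProperties.notificationEnabled()) {
                if (debug.warningEnabled()) {
                    debug.warning("PolicyEvaluator.getPolicyDecision():InvalidAppSSOTokenException occured:reRegistering remote policy listener");
                }
                reRegisterRemotePolicyListener(this.appSSOToken);
            }
            // Single retry; a second failure propagates to the caller.
            policyDecision = this.resourceResultCache.getPolicyDecision(
                    this.appSSOToken, this.serviceName, sSOToken, str, set, map, RETRY_COUNT);
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator:getPolicyDecision():token=" + sSOToken.getPrincipal().getName()
                    + ":resourceName=" + str + ":actionNames=" + set
                    + ":returning policyDecision:" + policyDecision.toXML());
        }
        Object[] logArgs = {str, set, policyDecision.toXML()};
        if ("DECISION".equals(this.logActions)) {
            logAccessMessage(Level.INFO, ResBundleUtils.getString("policy_eval_decision", logArgs), sSOToken);
        }
        return policyDecision;
    }

    /**
     * Obtains an application SSO token, refreshes its session and asks once more
     * if the first token is not valid or the refresh fails.
     *
     * <p>The token obtained on the second attempt is not re-checked here.
     *
     * @return a non-null application token
     * @throws PolicyException if no token could be obtained
     */
    private SSOToken getNewAppSSOToken() throws PolicyException {
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getNewAppSSOToken():entering");
        }
        SSOToken token = obtainAppSSOToken();
        try {
            this.ssoTokenManager.refreshSession(token);
            if (!this.ssoTokenManager.isValidToken(token)) {
                if (debug.messageEnabled()) {
                    debug.message("PolicyEvaluator.getNewAppSSOToken():AdminTokenAction returned  expired token, trying again");
                }
                token = obtainAppSSOToken();
            }
        } catch (SSOException e) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator.getNewAppSSOToken():could not refresh session:", e);
            }
            token = obtainAppSSOToken();
        }
        if (token == null) {
            debug.error("PolicyEvaluator.getNewAppSSOToken():, cannot obtain application SSO token");
            throw new PolicyException("amPolicy", "can_not_create_app_sso_token", null, null);
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getNewAppSSOToken():returning token");
        }
        return token;
    }

    /**
     * Fetches an application token from the configured provider, or from
     * {@code AdminTokenAction} under {@code doPrivileged} when there is none.
     * {@code PolicyException} is declared only so the helper compiles whichever
     * checked exceptions the provider call may declare.
     */
    private SSOToken obtainAppSSOToken() throws PolicyException {
        if (this.appSSOTokenProvider != null) {
            return this.appSSOTokenProvider.getAppSSOToken();
        }
        return (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    }

    /**
     * Writes one record to the {@code amRemotePolicy.access} log on a best-effort
     * basis: a logging failure never changes the policy result, but it is now
     * reported together with its cause so that missing audit records can be
     * diagnosed.
     *
     * @param level log level of the record
     * @param str message text
     * @param sSOToken user token the record is about
     */
    private void logAccessMessage(Level level, String str, SSOToken sSOToken) {
        try {
            if (accessLogger == null) {
                accessLogger = (Logger) Logger.getLogger("amRemotePolicy.access");
            }
            if (accessLogger == null) {
                if (debug.warningEnabled()) {
                    debug.warning("PolicyEvaluator.logAccessMessage:Failed to create Logger");
                }
                return;
            }
            accessLogger.log(new LogRecord(level, str, sSOToken), this.appSSOToken);
        } catch (Throwable th) {
            if (debug.warningEnabled()) {
                // Keep the cause: a silently dropped audit record is hard to notice.
                debug.warning("PolicyEvaluator.logAccessMessage:Error writing access logs", th);
            }
        }
    }

    /** Returns the provider given at construction time, or {@code null}. */
    AppSSOTokenProvider getAppSSOTokenProvider() {
        return this.appSSOTokenProvider;
    }

    /**
     * Returns the advice names reported by the result cache as handleable by AM.
     *
     * <p>On {@code InvalidAppSSOTokenException}, or a {@code PolicyException}
     * whose nested exception is a {@code SessionException}, the call is repeated
     * once with a freshly obtained application token.
     *
     * <p>NOTE(review): the fresh token is used for the retry only and is not
     * stored in {@code appSSOToken}, unlike the retry in
     * {@code getPolicyDecision} - confirm this is intended.
     *
     * @param z whether to refetch from the server instead of using cached data
     * @return the set returned by the result cache
     */
    public Set getAdvicesHandleableByAM(boolean z) throws InvalidAppSSOTokenException, PolicyEvaluationException, PolicyException, SSOException {
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getAdvicesHandleableByAM(): EnteringrefetchFromServer=" + z);
        }
        Set advicesHandleableByAM;
        try {
            advicesHandleableByAM = this.resourceResultCache.getAdvicesHandleableByAM(this.appSSOToken, z);
        } catch (InvalidAppSSOTokenException e) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator.getAdvicesHandleableByAM():got InvalidAppSSOTokenException,  retrying with new app token");
            }
            advicesHandleableByAM = this.resourceResultCache.getAdvicesHandleableByAM(getNewAppSSOToken(), z);
        } catch (PolicyException e2) {
            // Only session failures are retried; anything else goes to the caller.
            if (!(e2.getNestedException() instanceof SessionException)) {
                throw e2;
            }
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator.getAdvicesHandleableByAM():got SessionException,  retrying with new app token");
            }
            advicesHandleableByAM = this.resourceResultCache.getAdvicesHandleableByAM(getNewAppSSOToken(), z);
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getAdvicesHandleableByAM(): Returning advicesHandleableByAM=" + advicesHandleableByAM);
        }
        return advicesHandleableByAM;
    }

    /**
     * Serialises the advices of an action decision to XML when at least one
     * advice key is in the set returned by {@code getAdvicesHandleableByAM(false)}.
     *
     * @param actionDecision decision to inspect; {@code null} yields {@code null}
     * @return the advices as an XML string, or {@code null} when there is no
     *         common advice key
     */
    public String getCompositeAdvice(ActionDecision actionDecision) throws PolicyException, SSOException {
        if (debug.messageEnabled()) {
            // Guarded: the entry trace used to dereference a null decision and
            // throw only when message-level debug was on.
            debug.message("PolicyEvaluator.getCompositeAdvice(): entering, actionDecision = "
                    + (actionDecision != null ? actionDecision.toXML() : null));
        }
        Map advices = actionDecision != null ? actionDecision.getAdvices() : null;
        Set handleableAdvices = getAdvicesHandleableByAM(false);
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getCompositeAdvice(): handleableAdvices = " + handleableAdvices);
        }
        boolean matchFound = false;
        if (advices != null && !advices.isEmpty() && handleableAdvices != null && !handleableAdvices.isEmpty()) {
            Set adviceKeys = advices.keySet();
            if (debug.messageEnabled()) {
                debug.message("PolicyEvaluator.getCompositeAdvice(): adviceKeys = " + adviceKeys);
            }
            // No early exit: every common key is traced, as before.
            for (Iterator it = adviceKeys.iterator(); it.hasNext();) {
                Object key = it.next();
                if (handleableAdvices.contains(key)) {
                    matchFound = true;
                    if (debug.messageEnabled()) {
                        debug.message("PolicyEvaluator.getCompositeAdvice(): matchFound = " + true);
                        debug.message("PolicyEvaluator.getCompositeAdvice(): common key = " + key);
                    }
                }
            }
        }
        String compositeAdvice = matchFound ? PolicyUtils.advicesToXMLString(advices) : null;
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getCompositeAdvice(): returning, compositeAdvcie = " + compositeAdvice);
        }
        return compositeAdvice;
    }

    /**
     * Re-registers the remote policy listener and clears the cached decisions of
     * this service, so decisions cached before the re-registration are not
     * reused.
     *
     * <p>NOTE(review): the {@code sSOToken} argument is not used; registration
     * always uses the {@code appSSOToken} field. The only caller in this class
     * passes that same field.
     *
     * @param sSOToken unused
     */
    void reRegisterRemotePolicyListener(SSOToken sSOToken) throws PolicyException {
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.reRegisterRemotePolicyListener():entering");
        }
        this.resourceResultCache.addRemotePolicyListener(
                this.appSSOToken, this.serviceName, this.policyProperties.getNotificationURL(), true);
        this.resourceResultCache.clearCachedDecisionsForService(this.serviceName);
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.reRegisterRemotePolicyListener():returning");
        }
    }
}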
