package com.sun.identity.policy.plugins;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.policy.ConditionDecision;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.Syntax;
import com.sun.identity.policy.interfaces.Condition;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.debug.Debug;
import java.security.AccessController;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/sun/identity/policy/plugins/AMIdentityMembershipCondition.class */
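/**
 * Policy condition that is satisfied when the invocator principal is one of
 * the configured identities, or a member of one of them.
 *
 * <p>The configured identity names are supplied through
 * {@link #setProperties(Map)} under the {@code Condition.AM_IDENTITY_NAME}
 * key. At evaluation time the invocator is read from the environment map
 * under {@code Condition.INVOCATOR_PRINCIPAL_UUID}.
 *
 * <p>NOTE(review): the invocator UUID comes from the environment map, not from
 * the {@code SSOToken} passed to {@link #getConditionDecision(SSOToken, Map)}.
 * The decision is therefore only as trustworthy as whatever populates that
 * map; confirm that callers derive the value from an authenticated source.
 * Identity lookups are performed with the administrator token, not with the
 * caller's token.
 */
public class AMIdentityMembershipCondition implements Condition {
    private static final Debug DEBUG = Debug.getInstance("amPolicy");

    /** The only property this condition accepts. */
    private static final List<String> PROPERTY_NAMES =
            Collections.singletonList(Condition.AM_IDENTITY_NAME);

    /** Validated copy of the last property map accepted by setProperties; null until then. */
    private Map<String, Set<String>> properties;

    /** Identity names the invocator is checked against. */
    private Set<String> nameValues = new HashSet<String>();

    /**
     * Returns the names of the properties this condition understands.
     *
     * @return a fresh, caller-owned list containing {@code AM_IDENTITY_NAME}
     */
    @Override
    public List getPropertyNames() {
        return new ArrayList<String>(PROPERTY_NAMES);
    }

    /**
     * Returns the syntax of a property value.
     *
     * @param str property name (ignored)
     * @return always {@code Syntax.ANY}
     */
    @Override
    public Syntax getPropertySyntax(String str) {
        return Syntax.ANY;
    }

    /**
     * Returns the display name of a property.
     *
     * @param str property name
     * @param locale requested locale (ignored)
     * @return the property name itself; no localisation is applied
     */
    @Override
    public String getDisplayName(String str, Locale locale) throws PolicyException {
        return str;
    }

    /**
     * Returns the set of valid values for a property.
     *
     * @param str property name (ignored)
     * @return always the immutable empty set
     */
    @Override
    public Set getValidValues(String str) throws PolicyException {
        return Collections.emptySet();
    }

    /**
     * Replaces the configuration of this condition.
     *
     * <p>The map must contain exactly the {@code AM_IDENTITY_NAME} key mapped
     * to a non-empty set of identity names. The map is validated before any
     * state is changed, and the accepted values are copied, so a rejected call
     * leaves the previous configuration intact and later changes to the
     * caller's map do not alter the policy.
     *
     * <p>Each call replaces the previously configured names. Names from an
     * earlier call are not retained, so an identity removed from the
     * configuration no longer satisfies the condition.
     *
     * @param map property map to apply
     * @throws PolicyException if the map is null or empty, contains a key
     *         other than {@code AM_IDENTITY_NAME}, or carries no names
     */
    @Override
    @SuppressWarnings("unchecked") // the Condition interface is raw; values are expected to be a Set of String
    public void setProperties(Map map) throws PolicyException {
        if (map == null || map.isEmpty()) {
            throw new PolicyException("amPolicy", "properties_can_not_be_null_or_empty", null, null);
        }
        // Check every key, not just the first one the iterator happens to
        // return, so the outcome does not depend on map iteration order.
        for (Object key : map.keySet()) {
            if (!Condition.AM_IDENTITY_NAME.equals(key)) {
                throw new PolicyException("amPolicy", "attempt_to_set_invalid_property", new String[]{Condition.AM_IDENTITY_NAME}, null);
            }
        }
        Set configuredNames = (Set) map.get(Condition.AM_IDENTITY_NAME);
        if (configuredNames == null || configuredNames.isEmpty()) {
            throw new PolicyException("amPolicy", "property_does_not_allow_empty_values", new String[]{Condition.AM_IDENTITY_NAME}, null);
        }

        // Validation passed: commit defensive copies.
        Map<String, Set<String>> acceptedProperties = new HashMap<String, Set<String>>();
        acceptedProperties.put(Condition.AM_IDENTITY_NAME, new HashSet<String>(configuredNames));
        this.properties = acceptedProperties;
        this.nameValues = new HashSet<String>(configuredNames);
    }

    /**
     * Returns the properties last accepted by {@link #setProperties(Map)}.
     *
     * @return the internal property map (not a copy), or null if none was set
     */
    @Override
    public Map getProperties() {
        return this.properties;
    }

    /**
     * Evaluates the condition for the invocator named in the environment.
     *
     * <p>The decision is negative when the environment is null or carries no
     * invocator UUID. Only the first element returned by the UUID set's
     * iterator is evaluated.
     *
     * @param sSOToken token of the requesting user; not consulted here
     * @param map environment map, read for {@code INVOCATOR_PRINCIPAL_UUID}
     * @return a decision that is true only when membership was established
     * @throws SSOException if the administrator token cannot be obtained
     * @throws PolicyException if the identity repository lookup fails
     */
    @Override
    public ConditionDecision getConditionDecision(SSOToken sSOToken, Map map) throws SSOException, PolicyException {
        // A missing environment is treated like a missing invocator: deny.
        Set invocatorUuidSet = (map == null) ? null : (Set) map.get(Condition.INVOCATOR_PRINCIPAL_UUID);
        if (DEBUG.messageEnabled()) {
            DEBUG.message("At AMIdentityMembershipCondition.getConditionDecision(): entering, names:" + this.nameValues);
            DEBUG.message("At AMIdentityMembershipCondition.getConditionDecision(): environment.invocatorPrincipalUud:" + invocatorUuidSet);
        }
        boolean allowed = false;
        if (invocatorUuidSet != null && !invocatorUuidSet.isEmpty()) {
            allowed = isMember((String) invocatorUuidSet.iterator().next());
        } else if (DEBUG.messageEnabled()) {
            DEBUG.message("At AMIdentityMembershipCondition.getConditionDecision(): invocatorUuidSet isnull or empty");
        }
        return new ConditionDecision(allowed);
    }

    /**
     * Returns an independent copy of this condition.
     *
     * <p>Both the property map (including its value sets) and the configured
     * name set are copied, so reconfiguring the clone never changes the
     * identities this instance evaluates against, and vice versa.
     *
     * @return the copy
     */
    @Override
    public Object clone() {
        AMIdentityMembershipCondition copy;
        try {
            copy = (AMIdentityMembershipCondition) super.clone();
        } catch (CloneNotSupportedException e) {
            InternalError error = new InternalError(e.getMessage());
            error.initCause(e);
            throw error;
        }
        if (this.properties != null) {
            Map<String, Set<String>> copiedProperties = new HashMap<String, Set<String>>();
            for (Map.Entry<String, Set<String>> entry : this.properties.entrySet()) {
                copiedProperties.put(entry.getKey(), new HashSet<String>(entry.getValue()));
            }
            copy.properties = copiedProperties;
        }
        // super.clone() is shallow; without this the clone would share the name set.
        copy.nameValues = new HashSet<String>(this.nameValues);
        return copy;
    }

    /**
     * Checks whether the invocator equals, or is a member of, any configured
     * identity.
     *
     * <p>Evaluation stops with a negative result as soon as the invocator or
     * one of the configured names cannot be resolved to an identity, even if
     * a later name would have matched.
     * NOTE(review): this fail-closed behaviour is kept as found; confirm it is
     * intended for configurations that mix stale and valid names.
     *
     * @param invocatorUuid universal id of the invocator, may be null
     * @return true if membership was established
     * @throws SSOException if the administrator token cannot be obtained
     * @throws PolicyException if the identity repository reports an error
     */
    private boolean isMember(String invocatorUuid) throws SSOException, PolicyException {
        if (invocatorUuid == null) {
            if (DEBUG.warningEnabled()) {
                DEBUG.warning("AMIdentityMembershipCondition.isMember():invocatorUuid is null");
                DEBUG.warning("AMIdentityMembershipCondition.isMember():returning false");
            }
            return false;
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AMIdentityMembershipCondition.isMember():invocatorUuid:" + invocatorUuid);
        }

        boolean member = false;
        if (!this.nameValues.isEmpty()) {
            SSOToken adminToken = getAdminToken();
            // The invocator does not change between iterations: resolve it once, on first use.
            AMIdentity invocatorIdentity = null;
            for (String nameValue : this.nameValues) {
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("AMIndentityMembershipCondition.isMember(): checking membership with nameValue = " + nameValue + ", invocatorUuid = " + invocatorUuid);
                }
                try {
                    if (invocatorIdentity == null) {
                        invocatorIdentity = IdUtils.getIdentity(adminToken, invocatorUuid);
                        if (invocatorIdentity == null) {
                            if (DEBUG.messageEnabled()) {
                                DEBUG.message("AMidentityMembershipCondition.isMember():invocatorIdentity is null for invocatorUuid = " + invocatorUuid);
                                DEBUG.message("AMidentityMembershipCondition.isMember():returning false");
                            }
                            return false;
                        }
                    }
                    AMIdentity nameValueIdentity = IdUtils.getIdentity(adminToken, nameValue);
                    if (nameValueIdentity == null) {
                        if (DEBUG.messageEnabled()) {
                            DEBUG.message("AMidentityMembershipCondition.isMember():nameValueidentity is null for nameValue = " + nameValue);
                            DEBUG.message("AMidentityMembershipCondition.isMember():returning false");
                        }
                        return false;
                    }
                    member = matches(invocatorIdentity, nameValueIdentity);
                    if (member) {
                        break;
                    }
                } catch (IdRepoException e) {
                    DEBUG.warning("AMidentityMembershipCondition.isMember():can not check membership for invocator " + invocatorUuid + ", nameValue " + nameValue, e);
                    throw new PolicyException("amPolicy", "am_id_subject_membership_evaluation_error", new String[]{invocatorUuid, nameValue}, e);
                }
            }
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AMIdentityMembershipCondition.isMember():invocatorUuidr=" + invocatorUuid + ",nameValues=" + this.nameValues + ",subjectMatch=" + member);
        }
        return member;
    }

    /**
     * Decides whether one resolved invocator satisfies one resolved configured
     * identity: either they are equal, or the configured identity's type can
     * hold members of the invocator's type and the repository confirms the
     * membership.
     */
    private boolean matches(AMIdentity invocatorIdentity, AMIdentity nameValueIdentity) throws IdRepoException, SSOException {
        if (invocatorIdentity.equals(nameValueIdentity)) {
            if (DEBUG.messageEnabled()) {
                DEBUG.message("AMidentityMembershipCondition.isMember():invocatorIdentity equals  nameValueIdentity:membership=true");
            }
            return true;
        }
        IdType invocatorType = invocatorIdentity.getType();
        IdType nameValueType = nameValueIdentity.getType();
        Set allowedMemberTypes = nameValueType.canHaveMembers();
        if (allowedMemberTypes == null || !allowedMemberTypes.contains(invocatorType)) {
            if (DEBUG.messageEnabled()) {
                // This branch is the "cannot be a member" case; the message says so.
                DEBUG.message("AMIdentityMembershipCondition.isMember():invocatoridentityType " + invocatorType + " can not be a member of " + " nameValueIdentityType " + nameValueType + ":membership=" + false);
            }
            return false;
        }
        boolean member = invocatorIdentity.isMember(nameValueIdentity);
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AMIdentityMembershipCondition.isMember():invocatorIdentityType " + invocatorType + " can be a member of " + " nameValueIdentityType " + nameValueType + ":membership=" + member);
        }
        return member;
    }

    /**
     * Obtains the administrator token used for identity lookups.
     *
     * @return the administrator token, never null
     * @throws SSOException if no administrator token is available
     */
    private SSOToken getAdminToken() throws SSOException {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        if (adminToken == null) {
            throw new SSOException(new PolicyException("amPolicy", "invalid_admin", null, null));
        }
        return adminToken;
    }
}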
