package com.sun.identity.policy.plugins;

import com.iplanet.am.util.Debug;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.policy.InvalidNameException;
import com.sun.identity.policy.NameNotFoundException;
import com.sun.identity.policy.PolicyConfig;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.PolicyUtils;
import com.sun.identity.policy.SubjectEvaluationCache;
import com.sun.identity.policy.Syntax;
import com.sun.identity.policy.ValidValues;
import com.sun.identity.policy.interfaces.Subject;
import java.net.MalformedURLException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPEntry;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPReferralException;
import netscape.ldap.LDAPSearchConstraints;
import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPUrl;
import netscape.ldap.util.ConnectionPool;
import netscape.ldap.util.DN;

/* loaded from: input_file:115766-10/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/policy/plugins/LDAPGroups.class */
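/**
 * Policy {@link Subject} plugin that grants membership when the authenticated user
 * belongs to one of the configured LDAP groups.
 *
 * <p>Groups are matched either statically (through the {@code uniqueMember} attribute)
 * or dynamically (through one or more {@code memberUrl} search URLs). Membership results
 * are cached per SSO token in {@link SubjectEvaluationCache}; on a cache miss the user's
 * DN is resolved (locally when the configured server is the local directory, otherwise
 * through a user search) and the group entry is read from the directory.
 *
 * <p>All directory access goes through the connection pool obtained in
 * {@link #initialize(Map)}; every connection is returned to the pool in a
 * {@code finally} block. Instances are not synchronized.
 */
public class LDAPGroups implements Subject {
    static final String STATIC_GROUP_MEMBER_ATTR = "uniqueMember";
    static final String DYNAMIC_GROUP_MEMBER_URL = "memberUrl";
    static final String LDAP_SCOPE_BASE = "SCOPE_BASE";
    static final String LDAP_SCOPE_ONE = "SCOPE_ONE";
    static final String LDAP_SCOPE_SUB = "SCOPE_SUB";

    /** Numeric search scopes as passed to {@code LDAPConnection.search()}. */
    private static final int SCOPE_BASE = 0;
    private static final int SCOPE_ONE = 1;
    private static final int SCOPE_SUB = 2;

    /** LDAP result codes this plugin handles specially. */
    private static final int RESULT_TIME_LIMIT_EXCEEDED = 3;
    private static final int RESULT_SIZE_LIMIT_EXCEEDED = 4;
    private static final int RESULT_INVALID_CREDENTIALS = 49;

    /** Status values handed to the {@link ValidValues} constructor. */
    private static final int STATUS_OK = 0;
    private static final int STATUS_SIZE_LIMIT_EXCEEDED = 1;
    private static final int STATUS_TIME_LIMIT_EXCEEDED = 2;

    /** Resource bundle used for every {@link PolicyException} raised here. */
    private static final String RB_NAME = "amPolicy";

    static Debug debug = Debug.getInstance("amPolicy");

    private String authid;
    // Bind credential. Deliberately never written to the debug log.
    private String authpw;
    private String baseDN;
    private String groupSearchFilter;
    private String userSearchFilter;
    private String groupRDNAttrName;
    private String userRDNAttrName;
    private int timeLimit;
    private int maxResults;
    private int minPoolSize;
    private int maxPoolSize;
    private String orgName;
    private ConnectionPool connPool;
    private boolean localDS;
    private boolean aliasEnabled;
    private String ldapServer;
    private boolean initialized = false;
    // Group DNs exactly as supplied through setValues(); used for equals/hashCode and getValues().
    private Set<String> selectedGroupDNs = Collections.emptySet();
    // The same DNs in lower-cased RFC form; used for directory reads and as cache keys.
    private Set<String> selectedRFCGroupDNs = Collections.emptySet();
    private int groupSearchScope = SCOPE_SUB;
    private int userSearchScope = SCOPE_SUB;
    private boolean sslEnabled = false;

    /**
     * Reads the plugin configuration and initializes the LDAP connection pool.
     *
     * @param map configuration keyed by the {@link PolicyConfig} constants, plus the
     *            {@code "OrganizationName"} set
     * @throws PolicyException if {@code map} is {@code null}, a required string
     *                         parameter is missing, or a numeric parameter is malformed
     */
    @Override
    public void initialize(Map map) throws PolicyException {
        if (map == null) {
            throw new PolicyException(RB_NAME, "ldapgroups_initialization_failed", null, null);
        }
        // Host names are case-insensitive; lower-case with a fixed locale so the pool
        // key does not depend on the JVM's default locale.
        this.ldapServer = requiredString(map, PolicyConfig.LDAP_SERVER).toLowerCase(Locale.ENGLISH);
        this.localDS = PolicyUtils.isLocalDS(this.ldapServer);
        this.aliasEnabled = isTrue((String) map.get(PolicyConfig.USER_ALIAS_ENABLED));
        this.authid = (String) map.get(PolicyConfig.LDAP_BIND_DN);
        this.authpw = (String) map.get(PolicyConfig.LDAP_BIND_PASSWORD);
        this.baseDN = (String) map.get(PolicyConfig.LDAP_BASE_DN);
        this.groupSearchFilter = (String) map.get(PolicyConfig.LDAP_GROUP_SEARCH_FILTER);
        this.groupSearchScope = parseScope((String) map.get(PolicyConfig.LDAP_GROUP_SEARCH_SCOPE));
        this.groupRDNAttrName = (String) map.get(PolicyConfig.LDAP_GROUP_SEARCH_ATTRIBUTE);
        this.userSearchFilter = (String) map.get(PolicyConfig.LDAP_USERS_SEARCH_FILTER);
        this.userSearchScope = parseScope((String) map.get(PolicyConfig.LDAP_USERS_SEARCH_SCOPE));
        this.userRDNAttrName = (String) map.get(PolicyConfig.LDAP_USER_SEARCH_ATTRIBUTE);
        try {
            this.timeLimit = Integer.parseInt((String) map.get(PolicyConfig.LDAP_SEARCH_TIME_OUT));
            this.maxResults = Integer.parseInt((String) map.get(PolicyConfig.LDAP_SEARCH_LIMIT));
            this.minPoolSize = Integer.parseInt((String) map.get(PolicyConfig.LDAP_CONNECTION_POOL_MIN_SIZE));
            this.maxPoolSize = Integer.parseInt((String) map.get(PolicyConfig.LDAP_CONNECTION_POOL_MAX_SIZE));
        } catch (NumberFormatException e) {
            throw new PolicyException(e);
        }
        this.sslEnabled = isTrue((String) map.get(PolicyConfig.LDAP_SSL_ENABLED));
        Set orgNames = (Set) map.get("OrganizationName");
        if (orgNames != null && !orgNames.isEmpty()) {
            this.orgName = (String) orgNames.iterator().next();
        }
        if (debug.messageEnabled()) {
            // The bind password is intentionally left out of this trace.
            debug.message("LDAPGroups.initialize(): getting params"
                    + "\nldapServer: " + this.ldapServer
                    + "\nauthid: " + this.authid
                    + "\nbaseDN: " + this.baseDN
                    + "\ngroupSearchFilter: " + this.groupSearchFilter
                    + "\ngroupRDNAttrName: " + this.groupRDNAttrName
                    + "\nuserSearchFilter: " + this.userSearchFilter
                    + "\nuserRDNAttrName: " + this.userRDNAttrName
                    + "\ntimeLimit: " + this.timeLimit
                    + "\nmaxResults: " + this.maxResults
                    + "\nminPoolSize: " + this.minPoolSize
                    + "\nmaxPoolSize: " + this.maxPoolSize
                    + "\nSSLEnabled: " + this.sslEnabled
                    + "\nOrgName: " + this.orgName);
        }
        LDAPConnectionPools.initConnectionPool(this.ldapServer, this.sslEnabled, this.minPoolSize, this.maxPoolSize);
        this.connPool = LDAPConnectionPools.getConnectionPool(this.ldapServer);
        this.initialized = true;
    }

    /**
     * Returns the required string parameter {@code key} from {@code map}.
     *
     * @throws PolicyException if the parameter is absent (the original code failed with
     *                         a {@code NullPointerException} instead)
     */
    private static String requiredString(Map map, String key) throws PolicyException {
        String value = (String) map.get(key);
        if (value == null) {
            throw new PolicyException(RB_NAME, "ldapgroups_initialization_failed", null, null);
        }
        return value;
    }

    /** Null-safe case-insensitive test for the literal {@code "true"}. */
    private static boolean isTrue(String value) {
        return "true".equalsIgnoreCase(value);
    }

    /**
     * Maps a configured scope name to its numeric search scope.
     * Anything other than {@code SCOPE_BASE} or {@code SCOPE_ONE} (including
     * {@code null}) is treated as a subtree search, as the original code did.
     */
    private static int parseScope(String scopeName) {
        if (LDAP_SCOPE_BASE.equalsIgnoreCase(scopeName)) {
            return SCOPE_BASE;
        }
        if (LDAP_SCOPE_ONE.equalsIgnoreCase(scopeName)) {
            return SCOPE_ONE;
        }
        return SCOPE_SUB;
    }

    /** @throws PolicyException if {@link #initialize(Map)} has not completed. */
    private void checkInitialized() throws PolicyException {
        if (!this.initialized) {
            throw new PolicyException(RB_NAME, "ldapgroups_subject_not_yet_initialized", null, null);
        }
    }

    /** Applies the configured size and time limits to a fresh copy of the connection's constraints. */
    private LDAPSearchConstraints searchConstraints(LDAPConnection connection) {
        LDAPSearchConstraints constraints = connection.getSearchConstraints();
        constraints.setMaxResults(this.maxResults);
        constraints.setServerTimeLimit(this.timeLimit);
        return constraints;
    }

    /**
     * Converts a failed bind or search into the {@link PolicyException} the callers expect:
     * invalid credentials map to the {@code ldap_invalid_password} message, everything
     * else carries the SDK message plus the server-supplied error text when present.
     */
    private static PolicyException toPolicyException(LDAPException e) {
        if (e.getLDAPResultCode() == RESULT_INVALID_CREDENTIALS) {
            return new PolicyException(RB_NAME, "ldap_invalid_password", null, null);
        }
        String message = e.getMessage();
        String serverMessage = e.getLDAPErrorMessage();
        if (serverMessage != null) {
            return new PolicyException(message + ": " + serverMessage);
        }
        return new PolicyException(message);
    }

    /** This subject takes a set of group DNs chosen from a list. */
    @Override
    public Syntax getValueSyntax(SSOToken sSOToken) throws SSOException {
        return Syntax.MULTIPLE_CHOICE;
    }

    /** Equivalent to {@code getValidValues(token, "*")}: lists every group under the base DN. */
    @Override
    public ValidValues getValidValues(SSOToken sSOToken) throws SSOException, PolicyException {
        return getValidValues(sSOToken, "*");
    }

    /**
     * Searches the directory for group DNs whose RDN attribute matches {@code str}.
     *
     * @param sSOToken caller's token (not used for the search; the configured bind DN is)
     * @param str      RDN pattern; {@code "*"} is a wildcard. {@code null} or empty means
     *                 "use the configured group search filter unmodified". Filter
     *                 metacharacters other than {@code *} are escaped before use.
     * @return the matching DNs together with a status that records whether the size
     *         or time limit was hit while reading results
     * @throws PolicyException if the plugin is not initialized, the bind fails, or the
     *                         search fails for a reason other than the size/time limits
     */
    @Override
    public ValidValues getValidValues(SSOToken sSOToken, String str) throws SSOException, PolicyException {
        checkInitialized();
        String filter = buildGroupSearchFilter(str);
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.getValidValues(): group search filter is: " + filter);
        }
        Set<String> groupDNs = new HashSet<String>();
        int status = STATUS_OK;
        LDAPConnection connection = this.connPool.getConnection();
        try {
            connection.authenticate(this.authid, this.authpw);
            LDAPSearchResults results = connection.search(this.baseDN, this.groupSearchScope, filter,
                    (String[]) null, false, searchConstraints(connection));
            while (results.hasMoreElements()) {
                try {
                    LDAPEntry entry = results.next();
                    if (entry != null) {
                        groupDNs.add(entry.getDN());
                        if (debug.messageEnabled()) {
                            debug.message("LDAPGroups.getValidValues(): found group name=" + entry.getDN());
                        }
                    }
                } catch (LDAPReferralException ignored) {
                    // Referrals are not followed; the entry is simply skipped.
                } catch (LDAPException e) {
                    int code = e.getLDAPResultCode();
                    if (code == RESULT_SIZE_LIMIT_EXCEEDED) {
                        debug.warning("LDAPGroups.getValidValues(): exceeded the size limit");
                        status = STATUS_SIZE_LIMIT_EXCEEDED;
                    } else if (code == RESULT_TIME_LIMIT_EXCEEDED) {
                        debug.warning("LDAPGroups.getValidValues(): exceeded the time limit");
                        status = STATUS_TIME_LIMIT_EXCEEDED;
                    } else {
                        throw new PolicyException(e);
                    }
                }
            }
            return new ValidValues(status, groupDNs);
        } catch (LDAPException e) {
            // Reachable now: the original code caught Exception first, so the
            // invalid-credentials branch below could never run.
            throw toPolicyException(e);
        } catch (PolicyException e) {
            throw e;
        } catch (Exception e) {
            throw new PolicyException(e);
        } finally {
            this.connPool.close(connection);
        }
    }

    /**
     * Builds {@code (&<groupSearchFilter>(<groupRDNAttrName>=<pattern>))}, or returns the
     * configured group search filter alone when {@code pattern} is {@code null} or empty.
     */
    private String buildGroupSearchFilter(String pattern) {
        if (pattern == null || pattern.length() == 0) {
            return this.groupSearchFilter;
        }
        return "(&" + this.groupSearchFilter + "(" + this.groupRDNAttrName + "="
                + escapeFilterPattern(pattern) + "))";
    }

    /**
     * Escapes the RFC 2254 filter metacharacters {@code \ ( )} and NUL in a search pattern
     * so that the pattern cannot alter the structure of the enclosing filter. {@code *} is
     * left untouched because callers rely on it as a wildcard (see {@link #getValidValues(SSOToken)}).
     */
    private static String escapeFilterPattern(String pattern) {
        StringBuilder escaped = new StringBuilder(pattern.length() + 8);
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /** Group DNs are displayed as-is. */
    @Override
    public String getDisplayNameForValue(String str, Locale locale) throws NameNotFoundException {
        return str;
    }

    /**
     * Returns the group DNs set through {@link #setValues(Set)}.
     * The internal set is returned directly, as the original implementation did.
     */
    @Override
    public Set getValues() {
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.getValues() gets called");
        }
        return this.selectedGroupDNs;
    }

    /**
     * Records the group DNs this subject matches against.
     *
     * <p>Each DN is also normalized to lower-cased RFC form; that form is what is read
     * from the directory and used as the cache key. Both sets are swapped in together,
     * so a failure while normalizing leaves the previous selection intact.
     *
     * @param set group DNs as strings
     * @throws InvalidNameException if {@code set} is {@code null} or contains a non-string
     */
    @Override
    public void setValues(Set set) throws InvalidNameException {
        if (set == null) {
            debug.error("LDAPGroups.setValues(): Invalid names");
            throw new InvalidNameException(RB_NAME, "ldapgroups_subject_invalid_group_names", null, null, 5);
        }
        Set<String> groupDNs = new HashSet<String>();
        Set<String> rfcGroupDNs = new HashSet<String>();
        for (Iterator it = set.iterator(); it.hasNext();) {
            Object value = it.next();
            if (!(value instanceof String)) {
                debug.error("LDAPGroups.setValues(): Invalid names");
                throw new InvalidNameException(RB_NAME, "ldapgroups_subject_invalid_group_names", null, null, 5);
            }
            String groupDN = (String) value;
            groupDNs.add(groupDN);
            rfcGroupDNs.add(new DN(groupDN).toRFCString().toLowerCase(Locale.ENGLISH));
        }
        this.selectedGroupDNs = groupDNs;
        this.selectedRFCGroupDNs = rfcGroupDNs;
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.setValues(): selected group names=" + this.selectedGroupDNs);
        }
    }

    /**
     * Decides whether the token's user belongs to any of the selected groups.
     *
     * <p>For each group the {@link SubjectEvaluationCache} is consulted first; a cached
     * {@code true} ends the evaluation, a cached {@code false} moves on to the next group.
     * On the first cache miss the user's DN is resolved once (from the principal name when
     * the server is the local directory, otherwise by searching with the filter built by
     * {@link PolicyUtils#constructUserFilter}) and an SSO listener is registered so the
     * cache can be invalidated when the session ends.
     *
     * @return {@code true} as soon as one group contains the user; {@code false} when the
     *         token is {@code null}, no group is selected, the user cannot be found, or
     *         no group matches
     * @throws PolicyException if the plugin is not initialized, the principal name is not
     *                         of the form {@code attr=value,...}, or the user search fails
     */
    @Override
    public boolean isMember(SSOToken sSOToken) throws SSOException, PolicyException {
        if (sSOToken == null) {
            return false;
        }
        checkInitialized();
        String tokenId = sSOToken.getTokenID().toString();
        String localUserDN = sSOToken.getPrincipal().getName();
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.isMember(): user local DN is " + localUserDN);
        }
        DN userDN = null;
        // Declared outside the loop: the filter is built once with the DN and is needed
        // again for the dynamic-group search of every later uncached group.
        String userFilter = null;
        boolean listenerChecked = false;
        for (String groupDN : this.selectedRFCGroupDNs) {
            Boolean cached = SubjectEvaluationCache.isMember(tokenId, this.ldapServer, groupDN);
            if (cached != null) {
                if (debug.messageEnabled()) {
                    debug.message("LDAPGroups.isMember():Got membership from cache of " + localUserDN
                            + " in group " + groupDN + " :" + cached.booleanValue());
                }
                if (cached.booleanValue()) {
                    return true;
                }
                continue;
            }
            if (debug.messageEnabled()) {
                debug.message("LDAPGroups:isMember():entry for " + groupDN
                        + " not in subject evaluation cache,fetching from directory server.");
            }
            if (userDN == null) {
                userFilter = PolicyUtils.constructUserFilter(sSOToken, this.userRDNAttrName,
                        localUserRDNValue(localUserDN), this.aliasEnabled);
                userDN = this.localDS ? new DN(localUserDN) : getUserDN(userFilter);
                if (userDN == null) {
                    if (debug.messageEnabled()) {
                        debug.message("LDAPGroups.isMember(): User " + localUserDN + " is not found in the directory");
                    }
                    return false;
                }
            }
            if (!listenerChecked) {
                registerSSOListener(sSOToken, tokenId);
                listenerChecked = true;
            }
            if (isMemberOfGroup(groupDN, userDN, userFilter, tokenId)) {
                if (debug.messageEnabled()) {
                    debug.message("LDAPGroups.isMember(): User " + userDN.toRFCString() + " is a member of this LDAPGroups.");
                }
                return true;
            }
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.isMember(): User " + localUserDN + " is not a member of this LDAPGroups.");
        }
        return false;
    }

    /**
     * Extracts the value of the first RDN from a principal name of the form
     * {@code attr=value,rest}. A name with no {@code ,} after the {@code =} is rejected,
     * exactly as before; a value containing an escaped comma is not handled.
     *
     * @throws PolicyException if the name is not of that form
     */
    private static String localUserRDNValue(String localUserDN) throws PolicyException {
        int eq = localUserDN.indexOf('=');
        int comma = localUserDN.indexOf(',');
        if (eq <= 0 || comma <= 0 || eq >= comma) {
            throw new PolicyException(RB_NAME, "ldapgroups_subject_invalid_local_user_dn", null, null);
        }
        return localUserDN.substring(eq + 1, comma);
    }

    /**
     * Registers the shared policy SSO listener for this token unless one is already
     * recorded in {@code PolicyEvaluator.ssoListenerRegistry}.
     * NOTE(review): the check and the put are not atomic; concurrent evaluations of the
     * same token may both register. Left as in the original.
     */
    private static void registerSSOListener(SSOToken token, String tokenId) throws SSOException {
        if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenId)) {
            token.addSSOTokenListener(PolicyEvaluator.ssoListener);
            PolicyEvaluator.ssoListenerRegistry.put(tokenId, PolicyEvaluator.ssoListener);
            if (debug.messageEnabled()) {
                debug.message("LDAPGroups.isMember(): sso listener added .\n");
            }
        }
    }

    /**
     * Reads one group entry and checks it for the user, first statically then dynamically,
     * recording the outcome in {@link SubjectEvaluationCache}.
     *
     * <p>Any failure while reading or evaluating the group (unreadable entry, malformed
     * {@code memberUrl}, search limit hit) is logged and treated as "not a member"; the
     * result is then not cached, so the next evaluation retries.
     *
     * @param groupDN    lower-cased RFC DN of the group
     * @param userDN     resolved DN of the user
     * @param userFilter filter component identifying the user, used for dynamic groups
     * @param tokenId    cache key for the session
     */
    private boolean isMemberOfGroup(String groupDN, DN userDN, String userFilter, String tokenId) {
        if (groupDN == null || groupDN.length() == 0 || userDN == null) {
            return false;
        }
        LDAPConnection connection = this.connPool.getConnection();
        try {
            connection.authenticate(this.authid, this.authpw);
            LDAPEntry group = connection.read(groupDN);
            boolean member = isStaticMember(group, userDN) || isDynamicMember(group, userDN, userFilter);
            if (debug.messageEnabled()) {
                debug.message("LDAPGroups.isMemberOfGroup():adding entry " + tokenId + " " + this.ldapServer
                        + " " + groupDN + " " + member + " in subject evaluation cache.");
            }
            SubjectEvaluationCache.addEntry(tokenId, this.ldapServer, groupDN, member);
            return member;
        } catch (Exception e) {
            debug.warning("LDAPGroups: invalid group name " + groupDN + " specified in the policy definition.", e);
            return false;
        } finally {
            this.connPool.close(connection);
        }
    }

    /** True when one of the group's {@code uniqueMember} values denotes {@code userDN}. */
    private static boolean isStaticMember(LDAPEntry group, DN userDN) {
        LDAPAttribute members = group.getAttribute(STATIC_GROUP_MEMBER_ATTR);
        if (members == null) {
            return false;
        }
        for (Enumeration values = members.getStringValues(); values != null && values.hasMoreElements();) {
            if (userDN.equals(new DN((String) values.nextElement()))) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when the search described by one of the group's {@code memberUrl} values,
     * narrowed by {@code userFilter}, returns {@code userDN}. Stops at the first match.
     *
     * <p>Replaces a loop that never terminated when the search results did not contain
     * the user ({@code while (true) { if (it.hasNext()) ... }}).
     *
     * @throws PolicyException if a {@code memberUrl} value is not a valid LDAP URL or the search fails
     */
    private boolean isDynamicMember(LDAPEntry group, DN userDN, String userFilter) throws PolicyException {
        LDAPAttribute memberUrls = group.getAttribute(DYNAMIC_GROUP_MEMBER_URL);
        if (memberUrls == null) {
            return false;
        }
        for (Enumeration values = memberUrls.getStringValues(); values != null && values.hasMoreElements();) {
            LDAPUrl url;
            try {
                url = new LDAPUrl((String) values.nextElement());
            } catch (MalformedURLException e) {
                throw new PolicyException(e);
            }
            for (Iterator it = findDynamicGroupMembersByUrl(url, userFilter).iterator(); it.hasNext();) {
                if (userDN.equals(new DN((String) it.next()))) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Runs the search described by a dynamic group's {@code memberUrl}, AND-ed with
     * {@code userFilter}, and returns the DNs found.
     *
     * <p>The combined filter is {@code (&<userFilter><urlFilter>)}; the URL filter is
     * wrapped in parentheses when it lacks them. {@code userFilter} must be a complete
     * filter component such as {@code (uid=jdoe)}; it is what keeps the search down to
     * the one user instead of every member of the dynamic group.
     *
     * @throws PolicyException if the bind or search fails, or the size/time limit is hit
     */
    private Set<String> findDynamicGroupMembersByUrl(LDAPUrl lDAPUrl, String userFilter) throws PolicyException {
        LDAPConnection connection = this.connPool.getConnection();
        try {
            connection.authenticate(this.authid, this.authpw);
            String urlFilter = lDAPUrl.getFilter();
            StringBuilder filter = new StringBuilder(25).append("(&").append(userFilter);
            if (urlFilter.startsWith("(")) {
                filter.append(urlFilter).append(")");
            } else {
                filter.append("(").append(urlFilter).append("))");
            }
            if (debug.messageEnabled()) {
                debug.message("search filter in LDAPGroups : " + filter);
            }
            LDAPSearchResults results = connection.search(lDAPUrl.getDN(), lDAPUrl.getScope(), filter.toString(),
                    (String[]) null, false, searchConstraints(connection));
            return collectDNs(results, "findDynamicGroupMembersByUrl");
        } catch (LDAPException e) {
            throw toPolicyException(e);
        } catch (PolicyException e) {
            // Rethrown as-is so the size/time-limit message keys survive instead of
            // being wrapped in a generic PolicyException.
            throw e;
        } catch (Exception e) {
            throw new PolicyException(e);
        } finally {
            this.connPool.close(connection);
        }
    }

    /**
     * Drains {@code results} into a set of entry DNs. Referrals are skipped; hitting the
     * size or time limit is a {@link PolicyException} carrying the organization name.
     *
     * @param caller method name used in the warning messages
     */
    private Set<String> collectDNs(LDAPSearchResults results, String caller) throws PolicyException {
        Set<String> dns = new HashSet<String>();
        while (results.hasMoreElements()) {
            try {
                LDAPEntry entry = results.next();
                if (entry != null) {
                    dns.add(entry.getDN());
                }
            } catch (LDAPReferralException ignored) {
                // Referrals are not followed; the entry is simply skipped.
            } catch (LDAPException e) {
                String[] args = {this.orgName};
                int code = e.getLDAPResultCode();
                if (code == RESULT_SIZE_LIMIT_EXCEEDED) {
                    debug.warning("LDAPGroups." + caller + "(): exceeded the size limit");
                    throw new PolicyException(RB_NAME, "ldap_search_exceed_size_limit", args, null);
                }
                if (code == RESULT_TIME_LIMIT_EXCEEDED) {
                    debug.warning("LDAPGroups." + caller + "(): exceeded the time limit");
                    throw new PolicyException(RB_NAME, "ldap_search_exceed_time_limit", args, null);
                }
                throw new PolicyException(e);
            }
        }
        return dns;
    }

    /** Hash of the selected group DNs; consistent with {@link #equals(Object)}. */
    @Override
    public int hashCode() {
        return this.selectedGroupDNs == null ? 0 : this.selectedGroupDNs.hashCode();
    }

    /** Two subjects are equal when both have a non-null, equal set of selected group DNs. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof LDAPGroups)) {
            return false;
        }
        LDAPGroups other = (LDAPGroups) obj;
        return this.selectedGroupDNs != null && other.selectedGroupDNs != null
                && this.selectedGroupDNs.equals(other.selectedGroupDNs);
    }

    /**
     * Shallow clone with independent copies of the two group-DN sets; the connection
     * pool and configuration are shared with the original.
     */
    @Override
    public Object clone() {
        try {
            LDAPGroups copy = (LDAPGroups) super.clone();
            if (this.selectedGroupDNs != null) {
                copy.selectedGroupDNs = new HashSet<String>(this.selectedGroupDNs);
            }
            if (this.selectedRFCGroupDNs != null) {
                copy.selectedRFCGroupDNs = new HashSet<String>(this.selectedRFCGroupDNs);
            }
            return copy;
        } catch (CloneNotSupportedException e) {
            // Cannot happen while Subject remains Cloneable; keep the cause for diagnostics.
            InternalError error = new InternalError(e.toString());
            error.initCause(e);
            throw error;
        }
    }

    /**
     * Resolves the user's DN by searching under the base DN with {@code userFilter},
     * AND-ed with the configured user search filter when one is set.
     *
     * <p>If more than one entry matches, the first one returned by the set iterator is
     * used — as before — and a warning is logged, since the membership decision is then
     * made against an arbitrarily chosen entry. Administrators should keep the user
     * search filter specific enough to match one entry.
     *
     * @param userFilter complete filter component for the user; {@code null} yields {@code null}
     * @return the user's DN, or {@code null} when nothing matches
     * @throws PolicyException if the bind or search fails, or the size/time limit is hit
     */
    private DN getUserDN(String userFilter) throws PolicyException {
        if (userFilter == null) {
            return null;
        }
        String filter = (this.userSearchFilter == null || this.userSearchFilter.length() == 0)
                ? userFilter
                : "(&" + this.userSearchFilter + userFilter + ")";
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.getUserDN(): search filter is: " + filter);
        }
        LDAPConnection connection = this.connPool.getConnection();
        try {
            connection.authenticate(this.authid, this.authpw);
            LDAPSearchResults results = connection.search(this.baseDN, this.userSearchScope, filter,
                    (String[]) null, false, searchConstraints(connection));
            Set<String> userDNs = collectDNs(results, "getUserDN");
            if (userDNs.isEmpty()) {
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("LDAPGroups.getUserDN(): qualified users=" + userDNs);
            }
            if (userDNs.size() > 1) {
                debug.warning("LDAPGroups.getUserDN(): filter " + filter + " matched " + userDNs.size()
                        + " entries; using the first one");
            }
            return new DN(userDNs.iterator().next());
        } catch (LDAPException e) {
            throw toPolicyException(e);
        } catch (PolicyException e) {
            throw e;
        } catch (Exception e) {
            throw new PolicyException(e);
        } finally {
            this.connPool.close(connection);
        }
    }
}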
