package org.projecthusky.xua.validation;

import java.time.Duration;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.concurrent.ThreadSafe;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.saml.saml2.assertion.AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.impl.OneTimeUseConditionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.impl.AttributeValueImpl;
import org.opensaml.storage.ReplayCache;
import org.opensaml.storage.impl.MemoryStorageService;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.projecthusky.common.utils.OptionalUtils;
import org.projecthusky.communication.ch.enums.stable.Role;
import org.projecthusky.xua.ChEprXuaSpecifications;
import org.projecthusky.xua.hl7v3.impl.CodedWithEquivalentImpl;
import org.projecthusky.xua.validation.condition.ChEprAudienceRestrictionConditionValidator;
import org.projecthusky.xua.validation.condition.ChEprDelegationRestrictionConditionValidator;
import org.projecthusky.xua.validation.statement.ChEprAttributeStatementValidator;
import org.projecthusky.xua.validation.subject.ChEprSubjectConfirmationBearerValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafe
/* loaded from: input_file:org/projecthusky/xua/validation/ChEprAssertionValidator.class */
public class ChEprAssertionValidator {
    private static final Logger log = LoggerFactory.getLogger(ChEprAssertionValidator.class);
    public static final String ERRMSG_ATTRIBUTE = "The attribute '";
    public static final String ERRMSG_IS_MISSING = "' is missing";
    public static final String NAMESPACE_GS1_GLN = "urn:gs1:gln";
    public static final String ERRMSG_SUBJECT_CONFIRMATION_MISSING = "The SubjectConfirmation is missing";
    private final SAML20AssertionValidator validator;

    public ChEprAssertionValidator(Duration duration, SignatureTrustEngine signatureTrustEngine) throws ComponentInitializationException {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new ChEprAudienceRestrictionConditionValidator());
        arrayList.add(new ChEprDelegationRestrictionConditionValidator());
        if (duration != null) {
            MemoryStorageService memoryStorageService = new MemoryStorageService();
            memoryStorageService.setId("memory-storage-saml-onetimeuse");
            memoryStorageService.setCleanupInterval(Duration.ofSeconds(900L));
            memoryStorageService.initialize();
            ReplayCache replayCache = new ReplayCache();
            replayCache.setStorage(memoryStorageService);
            replayCache.initialize();
            arrayList.add(new OneTimeUseConditionValidator(replayCache, duration));
        }
        if (signatureTrustEngine == null) {
            log.warn("Using ChEprAssertionValidator without signature validator!");
        }
        this.validator = new SAML20AssertionValidator(arrayList, List.of(new ChEprSubjectConfirmationBearerValidator()), List.of(new ChEprAttributeStatementValidator()), (AssertionValidator) null, signatureTrustEngine, (SignaturePrevalidator) null);
    }

    public ChEprValidationResult validate(Assertion assertion, Map<String, Object> map) throws AssertionValidationException {
        Objects.requireNonNull(assertion, "assertion shall not be null in validate()");
        HashMap hashMap = map == null ? new HashMap() : new HashMap(map);
        hashMap.putIfAbsent("saml2.ClockSkew", Duration.ZERO);
        hashMap.put("saml2.SignatureRequired", true);
        ValidationContext validationContext = new ValidationContext(hashMap);
        ValidationResult validateRole = validateRole(assertion, validationContext);
        if (validateRole != ValidationResult.VALID) {
            return new ChEprValidationResult(validateRole, validationContext);
        }
        Role role = (Role) validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_ROLE);
        ValidationResult validateSubject = validateSubject(assertion.getSubject(), validationContext, role);
        if (validateSubject != ValidationResult.VALID) {
            return new ChEprValidationResult(validateSubject, validationContext);
        }
        ValidationResult validate = this.validator.validate(assertion, validationContext);
        if (validate != ValidationResult.VALID) {
            return new ChEprValidationResult(validate, validationContext);
        }
        validationContext.getDynamicParameters().computeIfAbsent(ChEprAssertionValidationParameters.CH_EPR_ORGANIZATIONS_ID, str -> {
            return new ArrayList();
        });
        validationContext.getDynamicParameters().computeIfAbsent(ChEprAssertionValidationParameters.CH_EPR_ORGANIZATIONS_NAME, str2 -> {
            return new ArrayList();
        });
        return new ChEprValidationResult(validateRequiredAssertions(assertion, validationContext, role), validationContext);
    }

    ValidationResult validateRole(Assertion assertion, ValidationContext validationContext) {
        Attribute attribute = (Attribute) ((List) Optional.ofNullable(assertion.getAttributeStatements()).map(OptionalUtils::getListOnlyElement).map((v0) -> {
            return v0.getAttributes();
        }).orElse(Collections.emptyList())).stream().filter(attribute2 -> {
            return "urn:oasis:names:tc:xacml:2.0:subject:role".equals(attribute2.getName());
        }).findAny().orElse(null);
        if (attribute == null) {
            validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xacml:2.0:subject:role' is missing");
            return ValidationResult.INVALID;
        }
        Role role = (Role) Optional.ofNullable(attribute.getAttributeValues()).map(OptionalUtils::getListOnlyElement).map(xMLObject -> {
            return (AttributeValueImpl) OptionalUtils.castOrNull(xMLObject, AttributeValueImpl.class);
        }).map(attributeValueImpl -> {
            return attributeValueImpl.getUnknownXMLObjects(new QName("urn:hl7-org:v3", "Role"));
        }).map(OptionalUtils::getListOnlyElement).map(xMLObject2 -> {
            return (CodedWithEquivalentImpl) OptionalUtils.castOrNull(xMLObject2, CodedWithEquivalentImpl.class);
        }).filter(codedWithEquivalentImpl -> {
            return "2.16.756.5.30.1.127.3.10.6".equals(codedWithEquivalentImpl.getCodeSystem());
        }).map((v0) -> {
            return v0.getCode();
        }).map(Role::getEnum).filter(role2 -> {
            return (role2 == Role.ASSISTANT || role2 == Role.TECHNICAL_USER) ? false : true;
        }).orElse(null);
        if (role == null) {
            validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xacml:2.0:subject:role' contains an invalid value");
            return ValidationResult.INVALID;
        }
        if (role == Role.HEALTHCARE_PROFESSIONAL && assertion.getConditions() != null) {
            for (DelegationRestrictionType delegationRestrictionType : assertion.getConditions().getConditions(DelegationRestrictionType.TYPE_NAME)) {
                if (delegationRestrictionType instanceof DelegationRestrictionType) {
                    String str = (String) Optional.ofNullable(delegationRestrictionType.getDelegates()).map(OptionalUtils::getListOnlyElement).map((v0) -> {
                        return v0.getNameID();
                    }).filter(nameID -> {
                        return "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".equals(nameID.getFormat());
                    }).map((v0) -> {
                        return v0.getNameQualifier();
                    }).orElse(null);
                    if (NAMESPACE_GS1_GLN.equals(str)) {
                        role = Role.ASSISTANT;
                    } else {
                        if (!ChEprXuaSpecifications.TECHNICAL_USER_ID.equals(str)) {
                            return ValidationResult.INVALID;
                        }
                        role = Role.TECHNICAL_USER;
                    }
                }
            }
        }
        validationContext.getDynamicParameters().put(ChEprAssertionValidationParameters.CH_EPR_ROLE, role);
        return ValidationResult.VALID;
    }

    ValidationResult validateSubject(Subject subject, ValidationContext validationContext, Role role) {
        if (subject == null) {
            validationContext.setValidationFailureMessage("The Subject is missing");
            return ValidationResult.INVALID;
        }
        NameID nameID = subject.getNameID();
        if (nameID == null || nameID.getNameQualifier() == null || nameID.getValue() == null) {
            validationContext.setValidationFailureMessage("The Subject NameID is missing");
            return ValidationResult.INVALID;
        }
        if ((role == Role.HEALTHCARE_PROFESSIONAL || role == Role.ASSISTANT || role == Role.TECHNICAL_USER) && !NAMESPACE_GS1_GLN.equals(nameID.getNameQualifier())) {
            validationContext.setValidationFailureMessage("The healthcare professional GLN is missing in the Subject");
            return ValidationResult.INVALID;
        }
        if (role == Role.POLICY_ADMINISTRATOR && !ChEprXuaSpecifications.POLICY_ADMINISTRATOR_ID.equals(nameID.getNameQualifier())) {
            validationContext.setValidationFailureMessage("The policy administrator ID is missing in the Subject");
            return ValidationResult.INVALID;
        }
        if (role == Role.DOCUMENT_ADMINISTRATOR && !ChEprXuaSpecifications.DOCUMENT_ADMINISTRATOR_ID.equals(nameID.getNameQualifier())) {
            validationContext.setValidationFailureMessage("The document administrator ID is missing in the Subject");
            return ValidationResult.INVALID;
        }
        if (role == Role.PATIENT && !"urn:e-health-suisse:2015:epr-spid".equals(nameID.getNameQualifier())) {
            validationContext.setValidationFailureMessage("The patient EPR-SPID is missing in the Subject");
            return ValidationResult.INVALID;
        }
        if (role != Role.REPRESENTATIVE || ChEprXuaSpecifications.REPRESENTATIVE_ID.equals(nameID.getNameQualifier())) {
            validationContext.getDynamicParameters().put(ChEprAssertionValidationParameters.CH_EPR_RESPONSIBLE_SUBJECT_ID, nameID.getValue());
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage("The representative ID is missing in the Subject");
        return ValidationResult.INVALID;
    }

    ValidationResult validateRequiredAssertions(Assertion assertion, ValidationContext validationContext, Role role) {
        if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_PURPOSE_OF_USE, null) == null) {
            validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xspa:1.0:subject:purposeofuse' is missing");
            return ValidationResult.INVALID;
        }
        if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_ORGANIZATIONS_NAME, null) == null) {
            validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xspa:1.0:subject:organization' is missing");
            return ValidationResult.INVALID;
        }
        if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_ORGANIZATIONS_ID, null) == null) {
            validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xspa:1.0:subject:organization-id' is missing");
            return ValidationResult.INVALID;
        }
        if (role == Role.HEALTHCARE_PROFESSIONAL || role == Role.ASSISTANT || role == Role.TECHNICAL_USER) {
            if (((List) validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_ORGANIZATIONS_NAME)).isEmpty()) {
                validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xspa:1.0:subject:organization' shall not be empty");
                return ValidationResult.INVALID;
            }
            if (((List) validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_ORGANIZATIONS_ID)).isEmpty()) {
                validationContext.setValidationFailureMessage("The attribute 'urn:oasis:names:tc:xspa:1.0:subject:organization-id' shall not be empty");
                return ValidationResult.INVALID;
            }
        }
        if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_HOME_COMMUNITY_ID, null) == null) {
            validationContext.setValidationFailureMessage("The attribute 'urn:ihe:iti:xca:2010:homeCommunityId' is missing");
            return ValidationResult.INVALID;
        }
        if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_RESPONSIBLE_SUBJECT_ID, null) == null) {
            validationContext.setValidationFailureMessage("The Subject is missing");
            return ValidationResult.INVALID;
        }
        if (role == Role.ASSISTANT) {
            if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_ASSISTANT_NAME, null) == null) {
                validationContext.setValidationFailureMessage(ERRMSG_SUBJECT_CONFIRMATION_MISSING);
                return ValidationResult.INVALID;
            }
            if (validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_ASSISTANT_GLN, null) == null) {
                validationContext.setValidationFailureMessage(ERRMSG_SUBJECT_CONFIRMATION_MISSING);
                return ValidationResult.INVALID;
            }
        }
        if (role == Role.TECHNICAL_USER && validationContext.getDynamicParameters().getOrDefault(ChEprAssertionValidationParameters.CH_EPR_TCU_ID, null) == null) {
            validationContext.setValidationFailureMessage(ERRMSG_SUBJECT_CONFIRMATION_MISSING);
            return ValidationResult.INVALID;
        }
        if (assertion.getConditions() == null || assertion.getConditions().getNotBefore() == null) {
            validationContext.setValidationFailureMessage("The Condition NotBefore attribute is missing");
            return ValidationResult.INVALID;
        }
        if (assertion.getConditions().getNotOnOrAfter() != null) {
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage("The Condition NotOnOrAfter attribute is missing");
        return ValidationResult.INVALID;
    }
}
