package org.projecthusky.xua.validation.subject;

import java.util.Optional;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.projecthusky.common.utils.OptionalUtils;
import org.projecthusky.communication.ch.enums.stable.Role;
import org.projecthusky.xua.ChEprXuaSpecifications;
import org.projecthusky.xua.validation.ChEprAssertionValidationParameters;
import org.projecthusky.xua.validation.ChEprAssertionValidator;
import org.projecthusky.xua.validation.ValidationUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/projecthusky/xua/validation/subject/ChEprSubjectConfirmationBearerValidator.class */
/**
 * Subject-confirmation validator for the SAML 2.0 bearer method that adds CH:EPR checks for
 * assertions issued to assistants and technical users.
 *
 * <p>For those two roles the {@code NameID} of the {@code SubjectConfirmation} must carry the
 * expected name qualifier and must match the identifier that an earlier validation step stored
 * in the dynamic parameters of the {@link ValidationContext}. For assistants, the assistant
 * name is additionally extracted and published in the dynamic parameters.
 *
 * <p>NOTE(review): this class implements {@link SubjectConfirmationValidator} directly and the
 * code here never reads {@code NotBefore}, {@code NotOnOrAfter}, {@code Recipient},
 * {@code Address} or {@code InResponseTo} of the {@code SubjectConfirmationData}. Confirm that
 * the validity window and recipient of bearer confirmations are enforced elsewhere in the
 * validation chain; otherwise they are not checked for this confirmation method.
 */
public class ChEprSubjectConfirmationBearerValidator implements SubjectConfirmationValidator {
    private static final Logger log = LoggerFactory.getLogger(ChEprSubjectConfirmationBearerValidator.class);

    /** Confirmation method URI this validator is responsible for. */
    private static final String BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** Name of the attribute that carries the assistant's name. */
    private static final String SUBJECT_ID_ATTRIBUTE = "urn:oasis:names:tc:xspa:1.0:subject:subject-id";

    /**
     * Returns the confirmation method handled by this validator.
     *
     * @return the SAML 2.0 bearer confirmation method URI
     */
    public String getServicedMethod() {
        return BEARER_METHOD;
    }

    /**
     * Validates the bearer {@code SubjectConfirmation} against the role-specific values found in
     * the dynamic parameters of the validation context.
     *
     * <p>The role is read from {@code CH_EPR_ROLE}. Every role other than {@code ASSISTANT} and
     * {@code TECHNICAL_USER} is accepted without further checks, and so is an absent role.
     * NOTE(review): that makes this step fail open when {@code CH_EPR_ROLE} has not been
     * populated; confirm the role is always set before this validator runs, and that the cast to
     * {@code Role} cannot meet a value of another type.
     *
     * <p>The expected GLN / technical user ID are read from the dynamic parameters; according to
     * the failure messages they originate from the {@code DelegationRestrictionType} condition,
     * so that condition has to be processed first. A missing expected value is treated as a
     * mismatch.
     *
     * @param subjectConfirmation the confirmation element to check
     * @param assertion the enclosing assertion (not used by this implementation)
     * @param validationContext source of the dynamic parameters; receives the failure message
     *     and, for assistants, the extracted assistant name
     * @return {@code VALID} when all applicable checks pass, {@code INVALID} otherwise
     */
    public ValidationResult validate(SubjectConfirmation subjectConfirmation, Assertion assertion, ValidationContext validationContext) {
        final Role role = (Role) validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_ROLE);
        final boolean isAssistant = role == Role.ASSISTANT;
        if (!isAssistant && role != Role.TECHNICAL_USER) {
            // Only delegated access (assistant, technical user) is constrained here.
            return ValidationResult.VALID;
        }

        final NameID confirmedId = subjectConfirmation.getNameID();
        final boolean idComplete = confirmedId != null
                && confirmedId.getNameQualifier() != null
                && confirmedId.getValue() != null;
        if (!idComplete) {
            return invalid(validationContext, "The SubjectConfirmation NameID is missing");
        }

        if (isAssistant) {
            if (!ChEprAssertionValidator.NAMESPACE_GS1_GLN.equals(confirmedId.getNameQualifier())) {
                return invalid(validationContext, "The assistant GLN is missing in the SubjectConfirmation");
            }
            final String expectedGln = (String) validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_ASSISTANT_GLN);
            final boolean glnMatches = expectedGln != null && expectedGln.equals(confirmedId.getValue());
            if (!glnMatches) {
                return invalid(validationContext, "The assistant GLN in the SubjectConfirmation is different from the one in the DelegationRestrictionType Condition");
            }

            final Optional<String> assistantName = extractAssistantName(subjectConfirmation);
            if (assistantName.isEmpty()) {
                return invalid(validationContext, "The assistant name is missing in the SubjectConfirmation");
            }
            // Publish the name so that later steps / the caller can read it from the context.
            validationContext.getDynamicParameters().put(ChEprAssertionValidationParameters.CH_EPR_ASSISTANT_NAME, assistantName.get());
            return ValidationResult.VALID;
        }

        // Remaining case: technical user.
        if (!ChEprXuaSpecifications.TECHNICAL_USER_ID.equals(confirmedId.getNameQualifier())) {
            return invalid(validationContext, "The technical user unique ID is missing in the SubjectConfirmation");
        }
        final String expectedTcuId = (String) validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_TCU_ID);
        // The NameID value is normalised with trimOidUrn before comparison; the expected value is used as stored.
        final boolean tcuMatches = expectedTcuId != null && expectedTcuId.equals(ValidationUtils.trimOidUrn(confirmedId.getValue()));
        if (!tcuMatches) {
            return invalid(validationContext, "The technical user unique ID in the SubjectConfirmation is different from the one in the DelegationRestrictionType Condition");
        }
        return ValidationResult.VALID;
    }

    /**
     * Extracts the assistant name from the {@code SubjectConfirmationData}.
     *
     * <p>The name is taken from the single child of the confirmation data when that child is an
     * {@link Attribute} named {@code urn:oasis:names:tc:xspa:1.0:subject:subject-id}, using its
     * single attribute value. Presumably {@code OptionalUtils.getListOnlyElement} yields no
     * element unless the list holds exactly one entry; verify against that helper.
     *
     * @param subjectConfirmation the confirmation element to read
     * @return the assistant name, or an empty {@code Optional} when any step yields nothing
     */
    Optional<String> extractAssistantName(SubjectConfirmation subjectConfirmation) {
        return Optional.ofNullable(subjectConfirmation.getSubjectConfirmationData())
                .map(confirmationData -> confirmationData.getOrderedChildren())
                .map(OptionalUtils::getListOnlyElement)
                .map(child -> (Attribute) OptionalUtils.castOrNull(child, Attribute.class))
                .filter(candidate -> SUBJECT_ID_ATTRIBUTE.equals(candidate.getName()))
                .map(nameAttribute -> nameAttribute.getAttributeValues())
                .map(OptionalUtils::getListOnlyElement)
                .map(ValidationUtils::extractXsValue);
    }

    /** Records {@code message} as the failure reason on the context and yields {@code INVALID}. */
    private static ValidationResult invalid(ValidationContext validationContext, String message) {
        validationContext.setValidationFailureMessage(message);
        return ValidationResult.INVALID;
    }
}
