package org.projecthusky.xua.validation.condition;

import java.util.Optional;
import javax.annotation.concurrent.ThreadSafe;
import javax.xml.namespace.QName;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.NameID;
import org.projecthusky.common.utils.OptionalUtils;
import org.projecthusky.communication.ch.enums.stable.Role;
import org.projecthusky.xua.ChEprXuaSpecifications;
import org.projecthusky.xua.validation.ChEprAssertionValidationParameters;
import org.projecthusky.xua.validation.ChEprAssertionValidator;
import org.projecthusky.xua.validation.ValidationUtils;

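/**
 * Validates the SAML {@code DelegationRestrictionType} condition of a CH:EPR XUA assertion.
 *
 * <p>The condition is only accepted when the role found in the validation context under
 * {@link ChEprAssertionValidationParameters#CH_EPR_ROLE} is {@link Role#ASSISTANT} or
 * {@link Role#TECHNICAL_USER}. The delegate's NameID must use the persistent format, carry a
 * non-blank value and have the name qualifier expected for that role. On success the delegate
 * identifier is published in the dynamic parameters of the validation context.
 *
 * <p>The class holds no instance state; all per-validation data lives in the
 * {@link ValidationContext} supplied by the caller.
 *
 * <p>NOTE(review): only the form of the delegate identifier is checked here (format, qualifier,
 * non-blank value). Whether the GLN or technical user ID is well-formed and refers to a delegate
 * that is allowed to act for the subject is not decided in this class; confirm that the consumer
 * of {@code CH_EPR_ASSISTANT_GLN} / {@code CH_EPR_TCU_ID} performs that check.
 */
@ThreadSafe
public class ChEprDelegationRestrictionConditionValidator implements ConditionValidator {

    /** NameID format required for the delegate (same value as OpenSAML's {@code NameIDType.PERSISTENT}). */
    private static final String PERSISTENT_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    /**
     * Returns the condition type handled by this validator.
     *
     * @return {@link DelegationRestrictionType#TYPE_NAME}
     */
    @Override
    public QName getServicedCondition() {
        return DelegationRestrictionType.TYPE_NAME;
    }

    /**
     * Validates a delegation restriction condition against the role of the assertion.
     *
     * @param condition the condition to validate; anything other than a
     *     {@link DelegationRestrictionType} yields {@link ValidationResult#INDETERMINATE}
     * @param assertion the assertion that carries the condition (not read by this validator)
     * @param validationContext the context holding the role in its dynamic parameters; on failure
     *     it receives the failure message, on success the delegate identifier
     * @return {@link ValidationResult#VALID} when the delegate matches the role,
     *     {@link ValidationResult#INVALID} otherwise
     */
    @Override
    public ValidationResult validate(Condition condition, Assertion assertion, ValidationContext validationContext) {
        if (!(condition instanceof DelegationRestrictionType)) {
            return ValidationResult.INDETERMINATE;
        }
        final DelegationRestrictionType delegationRestriction = (DelegationRestrictionType) condition;

        // The role is compared by identity without a cast: a missing parameter or one of an
        // unexpected type is rejected as INVALID instead of raising a ClassCastException.
        final Object role = validationContext.getDynamicParameters().get(ChEprAssertionValidationParameters.CH_EPR_ROLE);
        if (role != Role.ASSISTANT && role != Role.TECHNICAL_USER) {
            validationContext.setValidationFailureMessage("The DelegationRestrictionType Condition shall not appear for other extensions than TCU and ASS");
            return ValidationResult.INVALID;
        }

        // Presumably getListOnlyElement yields null unless exactly one delegate is present, which
        // empties the Optional - confirm against OptionalUtils.
        final NameID nameID = (NameID) Optional.ofNullable(delegationRestriction.getDelegates())
                .map(OptionalUtils::getListOnlyElement)
                .map(delegate -> delegate.getNameID())
                .filter(id -> PERSISTENT_NAME_ID_FORMAT.equals(id.getFormat()))
                // A blank value is rejected too, so that an empty delegate identifier can never be
                // stored in the context and later be mistaken for an authenticated delegate.
                .filter(id -> id.getValue() != null && !id.getValue().trim().isEmpty())
                .orElse(null);
        if (nameID == null) {
            validationContext.setValidationFailureMessage("The DelegationRestrictionType Condition doesn't contain a valid NameID");
            return ValidationResult.INVALID;
        }

        if (role == Role.ASSISTANT) {
            // An assistant is identified by a GLN: the qualifier must be the GS1 GLN namespace.
            if (ChEprAssertionValidator.NAMESPACE_GS1_GLN.equals(nameID.getNameQualifier())) {
                validationContext.getDynamicParameters().put(ChEprAssertionValidationParameters.CH_EPR_ASSISTANT_GLN, nameID.getValue());
                return ValidationResult.VALID;
            }
            validationContext.setValidationFailureMessage("The DelegationRestrictionType Condition doesn't contain the assistant GLN");
            return ValidationResult.INVALID;
        }

        // Remaining case: technical user, identified by its unique ID.
        if (ChEprXuaSpecifications.TECHNICAL_USER_ID.equals(nameID.getNameQualifier())) {
            // NOTE(review): the result of trimOidUrn is stored unchecked - confirm it cannot be
            // empty for a value that consists of the URN prefix only.
            validationContext.getDynamicParameters().put(ChEprAssertionValidationParameters.CH_EPR_TCU_ID, ValidationUtils.trimOidUrn(nameID.getValue()));
            return ValidationResult.VALID;
        }
        validationContext.setValidationFailureMessage("The DelegationRestrictionType Condition doesn't contain the technical user unique ID");
        return ValidationResult.INVALID;
    }
}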
