package eu.unicore.security.wsutil.client;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.elements.SAMLAttribute;
import eu.unicore.security.UnicoreSecurityFactory;
import eu.unicore.security.dsig.DSigException;
import eu.unicore.security.etd.DelegationRestrictions;
import eu.unicore.security.etd.InconsistentTDChainException;
import eu.unicore.security.etd.TrustDelegation;
import eu.unicore.security.user.UserAssertion;
import eu.unicore.util.Log;
import eu.unicore.util.httpclient.ETDClientSettings;
import eu.unicore.util.httpclient.IClientConfiguration;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:eu/unicore/security/wsutil/client/ExtendedTDOutHandler.class */
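/**
 * Outgoing-message handler that attaches a trust delegation (TD) chain and, optionally, a user
 * assertion carrying client-requested attributes.
 *
 * <p>Everything is derived from the {@link ETDClientSettings} of the supplied client
 * configuration: the issuer certificate chain, the requested user, any pre-existing TD tokens,
 * the receiver and the delegation restrictions. When requested, the chain is created or extended
 * towards the configured receiver and signed with the client's credential.
 */
public class ExtendedTDOutHandler extends TDOutHandler {
    private static final Logger logger = Log.getLogger("unicore.security", ExtendedTDOutHandler.class);

    /** SAML attribute name under which client-requested user attributes are placed. */
    private static final String REQUESTED_ATTRIBUTE_NAME = "urn:unicore:subject-requested-attribute";
    /** Hours by which a newly issued TD's notBefore is backdated, to tolerate clock skew with the receiver. */
    private static final int NOT_BEFORE_SKEW_HOURS = 1;

    // TD chain handed to TDOutHandler.init; stays null when neither an issuer nor a requested
    // user is configured (then no ETD/user assertion is added at all).
    private List<TrustDelegation> assertionList;
    // Custom user assertion with requested attributes; stays null unless attributes are configured.
    private UserAssertion userAssertion;

    /**
     * Builds the handler from the ETD settings of the given client configuration.
     *
     * <p>If neither an issuer certificate chain nor a requested user is configured, the handler is
     * left uninitialised and adds nothing. Otherwise the configured TD tokens (or an empty list)
     * form the chain, which is created/extended towards the receiver when
     * {@code isExtendTrustDelegation()} is set, and the handler is initialised either with a
     * plain user DN or with a custom user assertion carrying the requested attributes.
     *
     * @param iClientConfiguration client configuration providing ETD settings and the signing credential
     * @throws RuntimeException if creating or extending the TD chain fails (the cause is preserved)
     */
    public ExtendedTDOutHandler(IClientConfiguration iClientConfiguration) {
        this.assertionList = null;
        this.userAssertion = null;
        ETDClientSettings etdSettings = iClientConfiguration.getETDSettings();
        X509Certificate[] issuerChain = etdSettings.getIssuerCertificateChain();
        boolean hasIssuer = issuerChain != null && issuerChain.length > 0;
        String configuredUser = etdSettings.getRequestedUser();
        if (!hasIssuer && configuredUser == null) {
            logger.debug("Neither issuer was set, nor requestedUser. Won't add any ETD/User assertion");
            return;
        }
        // Identity the messages are issued by: the subject of the issuer chain when present,
        // otherwise the explicitly requested user DN.
        String issuerDn = hasIssuer ? issuerChain[0].getSubjectX500Principal().getName() : configuredUser;
        List<TrustDelegation> configuredTokens = etdSettings.getTrustDelegationTokens();
        // NOTE(review): this aliases the settings' own token list, so adding a freshly created TD
        // below also mutates the shared ETDClientSettings — confirm that is intended.
        this.assertionList = configuredTokens != null ? configuredTokens : new ArrayList<>();
        if (etdSettings.isExtendTrustDelegation()) {
            try {
                setupExtendedAssertionList(iClientConfiguration);
            } catch (Exception e) {
                throw new RuntimeException("Error setting up (extended) TD chain", e);
            }
        }
        logger.debug("Initialised TD Outhandler, TD chain length = {}", this.assertionList.size());
        String userDn = configuredUser;
        if (userDn == null) {
            // Without an explicit requested user, act for the chain's custodian (the original
            // delegator) when a chain exists, else for the issuer itself.
            userDn = this.assertionList.isEmpty() ? issuerDn : this.assertionList.get(0).getCustodianDN();
        }
        if (!needCustomUserAssertion(etdSettings)) {
            super.init(this.assertionList, null, userDn, issuerDn);
            return;
        }
        this.userAssertion = super.createUserAssertion(null, userDn, issuerDn);
        // Raw Map.Entry kept from the original: the attribute map's declared type is not visible
        // here, only that keys are Strings and values String arrays.
        for (Map.Entry entry : etdSettings.getRequestedUserAttributes2().entrySet()) {
            SAMLAttribute attribute = new SAMLAttribute((String) entry.getKey(), REQUESTED_ATTRIBUTE_NAME);
            for (String value : (String[]) entry.getValue()) {
                attribute.addStringAttributeValue(value);
            }
            this.userAssertion.addAttribute(attribute);
        }
        super.init(this.assertionList, this.userAssertion);
    }

    /**
     * Creates or extends the TD chain towards the configured receiver.
     *
     * <p>Does nothing when no receiver is configured. When a relative validity in days is set,
     * the delegation restrictions' notBefore is set to now minus {@value #NOT_BEFORE_SKEW_HOURS}
     * hour(s) and notOnOrAfter to now plus that many days, overriding any previously set values.
     *
     * @param iClientConfiguration client configuration providing ETD settings and the signing key
     * @throws DSigException if signing the assertion fails
     * @throws InconsistentTDChainException if the existing chain cannot be extended consistently
     */
    private void setupExtendedAssertionList(IClientConfiguration iClientConfiguration)
            throws DSigException, InconsistentTDChainException {
        ETDClientSettings etdSettings = iClientConfiguration.getETDSettings();
        X509Certificate[] issuerChain = etdSettings.getIssuerCertificateChain();
        PrivateKey signingKey = iClientConfiguration.getCredential().getKey();
        X500Principal receiver = etdSettings.getReceiver();
        if (receiver == null) {
            logger.debug("No receiver set, not creating TD assertion.");
            return;
        }
        String receiverDn = receiver.getName();
        // NOTE(review): assumes getDelegationRestrictions() never returns null — confirm.
        DelegationRestrictions restrictions = etdSettings.getDelegationRestrictions();
        if (etdSettings.getRelativeDelegationValidityDays() != null) {
            // Backdating notBefore widens the validity window slightly; it only exists to absorb
            // clock skew between this client and the receiver.
            Calendar notBefore = Calendar.getInstance();
            notBefore.add(Calendar.HOUR, -NOT_BEFORE_SKEW_HOURS);
            Calendar notOnOrAfter = Calendar.getInstance();
            notOnOrAfter.add(Calendar.DAY_OF_YEAR, etdSettings.getRelativeDelegationValidityDays().intValue());
            restrictions.setNotBefore(notBefore.getTime());
            restrictions.setNotOnOrAfter(notOnOrAfter.getTime());
        }
        if (this.assertionList.isEmpty()) {
            this.assertionList.add(createAssertion(issuerChain, signingKey, receiverDn, restrictions));
        } else {
            this.assertionList = extendAssertion(this.assertionList, issuerChain, signingKey, receiverDn, restrictions);
        }
        logger.debug("Initialised trust delegation to receiver <{}>", X500NameUtils.getReadableForm(receiverDn));
    }

    /**
     * Tells whether a custom user assertion is needed, i.e. whether any requested user attributes
     * are configured.
     *
     * @param etdSettings ETD settings, may be null (then no custom assertion is needed)
     * @return true if at least one requested user attribute is configured
     */
    private boolean needCustomUserAssertion(ETDClientSettings etdSettings) {
        return etdSettings != null && !etdSettings.getRequestedUserAttributes2().isEmpty();
    }

    /**
     * Issues a fresh TD from the issuer (first certificate of the chain) to the given receiver.
     *
     * @param x509CertificateArr issuer certificate chain; its first element is the issuer
     * @param privateKey issuer's private key used to sign the assertion
     * @param str receiver DN
     * @param delegationRestrictions restrictions (validity, etc.) to embed in the assertion
     * @return the signed trust delegation assertion
     * @throws IllegalArgumentException if the certificate chain is null or empty
     * @throws DSigException if signing fails
     */
    protected synchronized TrustDelegation createAssertion(X509Certificate[] x509CertificateArr, PrivateKey privateKey,
            String str, DelegationRestrictions delegationRestrictions) throws DSigException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException(
                    "Cannot issue a trust delegation assertion: no issuer certificate chain is configured");
        }
        String issuerDn = x509CertificateArr[0].getSubjectX500Principal().getName();
        return UnicoreSecurityFactory.getETDEngine().generateTD(issuerDn, x509CertificateArr, privateKey, str,
                delegationRestrictions);
    }

    /**
     * Extends an existing TD chain by one link to the given receiver, unless the chain's last
     * assertion already names that receiver as its subject.
     *
     * @param list existing, non-empty TD chain
     * @param x509CertificateArr certificate chain of the party issuing the new link
     * @param privateKey private key used to sign the new link
     * @param str receiver DN
     * @param delegationRestrictions restrictions to embed in the new link
     * @return the unchanged chain if the receiver is already its last subject, otherwise the extended chain
     * @throws IllegalArgumentException if the chain is null or empty
     * @throws DSigException if signing fails
     * @throws InconsistentTDChainException if the new link cannot be consistently appended
     */
    protected synchronized List<TrustDelegation> extendAssertion(List<TrustDelegation> list, X509Certificate[] x509CertificateArr,
            PrivateKey privateKey, String str, DelegationRestrictions delegationRestrictions)
            throws DSigException, InconsistentTDChainException {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("Cannot extend an empty trust delegation chain");
        }
        TrustDelegation lastLink = list.get(list.size() - 1);
        // NOTE(review): exact string comparison of DNs; a differently encoded but equivalent DN
        // leads to a redundant extra link rather than reuse — confirm both sides use the same form.
        if (str.equals(lastLink.getSubjectName())) {
            logger.debug("TD chain already includes receiver <{}>", str);
            return list;
        }
        logger.debug("Extending TD chain to receiver <{}>", str);
        return UnicoreSecurityFactory.getETDEngine().issueChainedTD(list, x509CertificateArr, privateKey, str,
                delegationRestrictions);
    }

    /**
     * Returns the TD chain this handler attaches.
     *
     * @return the internal (mutable) chain, or null if neither issuer nor requested user was configured
     */
    public List<TrustDelegation> getAssertionList() {
        return this.assertionList;
    }

    /**
     * Returns the custom user assertion this handler attaches.
     *
     * @return the user assertion, or null if no requested user attributes were configured
     */
    public UserAssertion getUserAssertion() {
        return this.userAssertion;
    }
}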
