package cern.accsoft.security.rba.spi;

import cern.accsoft.commons.util.Assert;
import cern.accsoft.security.rba.RBASubject;
import cern.accsoft.security.rba.RBAToken;
import java.security.AccessController;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:cern/accsoft/security/rba/spi/RBASubjectImpl.class */
/**
 * {@link RBASubject} implementation backed by a JAAS {@link Subject}.
 *
 * <p>Tokens are stored in the Subject's private credential set and each stored token's user is
 * added to the Subject's principal set. At most one token of each kind (master / application) is
 * left in place by the setters, because {@code setToken} removes every token of the same kind
 * before adding the new one.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #getSubject()} hands out the live, mutable Subject, so callers can change its
 *       credentials and principals without going through this class.</li>
 *   <li>No synchronization is visible here; the replace/clear operations are multi-step.</li>
 *   <li>Per the JDK contract, modifying the credential or principal sets of a read-only Subject
 *       throws {@link IllegalStateException}.</li>
 * </ul>
 */
public class RBASubjectImpl implements RBASubject {
    private static final Logger LOGGER = LoggerFactory.getLogger(RBASubjectImpl.class);
    private final Subject subject;

    /**
     * Creates an instance bound to the Subject of the current access control context, or to a new
     * empty Subject when the context has none.
     */
    public RBASubjectImpl() {
        this(obtainSubject());
    }

    /**
     * Creates an instance bound to the given Subject.
     *
     * @param subject the Subject that will hold the tokens; it is stored as-is, without a null
     *     check, so a {@code null} argument only fails later on first use
     */
    public RBASubjectImpl(Subject subject) {
        this.subject = subject;
    }

    /** Returns the first valid application token held by the Subject, or {@code null}. */
    @Override
    public RBAToken getAppToken() {
        return getToken(false, true);
    }

    /**
     * Returns the first application token held by the Subject without checking its validity, or
     * {@code null}. Despite the name, the returned token may still be valid.
     */
    @Override
    public RBAToken getExpiredAppToken() {
        return getToken(false, false);
    }

    /** Returns the first valid master token held by the Subject, or {@code null}. */
    @Override
    public RBAToken getMasterToken() {
        return getToken(true, true);
    }

    /**
     * Returns the first master token held by the Subject without checking its validity, or
     * {@code null}. Despite the name, the returned token may still be valid.
     */
    @Override
    public RBAToken getExpiredMasterToken() {
        return getToken(true, false);
    }

    /** Returns {@code true} when a valid application token is present. */
    @Override
    public boolean hasValidAppToken() {
        RBAToken candidate = getAppToken();
        if (candidate == null) {
            return false;
        }
        // Validity is checked again here, after the lookup already filtered on it.
        return candidate.isValid();
    }

    /** Returns {@code true} when a valid master token is present. */
    @Override
    public boolean hasValidMasterToken() {
        RBAToken candidate = getMasterToken();
        if (candidate == null) {
            return false;
        }
        // Validity is checked again here, after the lookup already filtered on it.
        return candidate.isValid();
    }

    /**
     * Replaces the application token.
     *
     * @param rBAToken the new application token, or {@code null} to only remove the current one
     */
    @Override
    public void setAppToken(RBAToken rBAToken) {
        setToken(rBAToken, false);
    }

    /**
     * Replaces the master token.
     *
     * @param rBAToken the new master token, or {@code null} to only remove the current one
     */
    @Override
    public void setMasterToken(RBAToken rBAToken) {
        setToken(rBAToken, true);
    }

    /**
     * Removes every {@link RBAToken} from the Subject, detaching each token's expiration
     * listeners first, and then empties the principal set.
     *
     * <p>The principal set is cleared completely, including any principal that was not added by
     * this class.
     */
    @Override
    public void clear() {
        Subject owner = getSubject();
        // getPrivateCredentials(Class) returns a copy, so it is safe to iterate while removing
        // from the live credential set below.
        Set<RBAToken> tokens = owner.getPrivateCredentials(RBAToken.class);
        for (RBAToken token : tokens) {
            token.removeExpirationListeners();
        }
        owner.getPrivateCredentials().removeAll(tokens);
        owner.getPrincipals().clear();
    }

    /**
     * Removes the application token(s), detaching the expiration listeners of the first
     * application token found (valid or not).
     */
    @Override
    public void clearAppToken() {
        RBAToken current = getExpiredAppToken();
        if (current != null) {
            current.removeExpirationListeners();
        }
        setAppToken(null);
    }

    /**
     * Removes the master token(s).
     *
     * <p>NOTE(review): unlike {@link #clearAppToken()} and {@link #clear()}, this does not call
     * {@code removeExpirationListeners()} on the removed token. Confirm whether that is
     * deliberate; otherwise listeners stay attached to a token that is no longer in the Subject.
     */
    @Override
    public void clearMasterToken() {
        setMasterToken(null);
    }

    /**
     * Removes every token that reports itself as not valid, detaching its expiration listeners.
     *
     * <p>NOTE(review): the principal set is not touched here, so the user principal of a removed
     * token stays in the Subject. Confirm that nothing downstream treats principals alone as
     * proof of a live token.
     */
    @Override
    public void clearExpiredTokens() {
        Subject owner = getSubject();
        for (RBAToken candidate : owner.getPrivateCredentials(RBAToken.class)) {
            if (candidate.isValid()) {
                continue;
            }
            // NOTE(review): this passes the token object to the logger; confirm that its
            // toString() does not render the encoded token or signature.
            LOGGER.debug("clearExpiredTokens() clearing expired token {}", candidate);
            candidate.removeExpirationListeners();
            owner.getPrivateCredentials().remove(candidate);
        }
    }

    /** Returns the live Subject this instance operates on (not a copy). */
    @Override
    public Subject getSubject() {
        return this.subject;
    }

    /**
     * Looks up the Subject associated with the current access control context and falls back to
     * a new empty Subject when there is none.
     *
     * <p>NOTE(review): {@code AccessController} and {@code Subject.getSubject} are deprecated for
     * removal since Java 17, and on recent JDKs {@code Subject.getSubject} can throw
     * {@code UnsupportedOperationException} when the Security Manager is not allowed.
     * {@code Subject.current()} (Java 18+) is the replacement; check the target runtime before
     * upgrading.
     */
    private static Subject obtainSubject() {
        Subject fromContext = Subject.getSubject(AccessController.getContext());
        if (fromContext != null) {
            return fromContext;
        }
        return new Subject();
    }

    /**
     * Returns the first token of the requested kind, in the iteration order of the credential set.
     *
     * @param master {@code true} to look for a master token, {@code false} for an application
     *     token
     * @param validOnly {@code true} to skip tokens whose {@code isValid()} is {@code false}
     * @return the matching token, or {@code null} when none is found
     */
    private RBAToken getToken(boolean master, boolean validOnly) {
        for (RBAToken candidate : getSubject().getPrivateCredentials(RBAToken.class)) {
            if (validOnly && !candidate.isValid()) {
                continue;
            }
            if (matchesKind(candidate, master)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Replaces all tokens of one kind with the given token.
     *
     * <p>NOTE(review): principals are cleared only when no {@link RBAToken} of either kind is
     * left. When a token is replaced or removed while a token of the other kind is still present,
     * the old token's user principal stays in the Subject. Confirm that both tokens always carry
     * the same user, or that authorization never relies on {@code getPrincipals()} alone.
     *
     * @param rBAToken the token to store, or {@code null} to only remove tokens of that kind
     * @param master {@code true} for the master slot, {@code false} for the application slot
     */
    private void setToken(RBAToken rBAToken, boolean master) {
        if (rBAToken != null) {
            // Reject a token whose type does not match the slot it is being stored in.
            Assert.isTrue(matchesKind(rBAToken, master));
        }
        Subject owner = getSubject();
        // Iterates a copy of the credentials, so removing from the live set is safe.
        for (RBAToken existing : owner.getPrivateCredentials(RBAToken.class)) {
            if (matchesKind(existing, master)) {
                owner.getPrivateCredentials().remove(existing);
            }
        }
        if (owner.getPrivateCredentials(RBAToken.class).isEmpty()) {
            owner.getPrincipals().clear();
        }
        if (rBAToken == null) {
            return;
        }
        owner.getPrivateCredentials().add(rBAToken);
        owner.getPrincipals().add(rBAToken.getUser());
    }

    /** Tells whether the token's type is the requested kind (master or application). */
    private static boolean matchesKind(RBAToken token, boolean master) {
        return master ? token.getType().isMaster() : token.getType().isApplication();
    }
}
