package cern.rbac.client.impl;

import cern.accsoft.commons.util.Assert;
import cern.rbac.client.RbaSubject;
import cern.rbac.common.RbaToken;
import java.security.AccessController;
import java.util.Objects;
import javax.security.auth.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/rbac-client-6.0.2.jar:cern/rbac/client/impl/RbaSubjectImpl.class */
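/**
 * {@link RbaSubject} implementation that keeps RBAC tokens as private credentials of a JAAS
 * {@link Subject} and mirrors each stored token's user into the Subject's principal set.
 *
 * <p>At most one application token and one master token are kept: setting a token of a kind
 * first removes every stored token of that kind.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #getSubject()} hands out the live, mutable Subject, not a copy.</li>
 *   <li>{@link #clear()} and the token setters may empty the <em>whole</em> principal set,
 *       including principals this class did not add.</li>
 *   <li>Principals are only dropped when no {@link RbaToken} credential is left; replacing or
 *       expiring one token while another remains leaves the old token's user principal in
 *       place. NOTE(review): confirm that no caller derives identity from the principal set
 *       alone.</li>
 *   <li>This class adds no synchronization of its own, so its remove-then-add sequences are
 *       not atomic with respect to other users of the same Subject.</li>
 * </ul>
 */
public class RbaSubjectImpl implements RbaSubject {
    private static final Logger LOGGER = LoggerFactory.getLogger(RbaSubjectImpl.class);
    private final Subject subject;

    /**
     * Creates an instance backed by the Subject of the calling access-control context, or by a
     * fresh empty Subject when the context carries none.
     */
    public RbaSubjectImpl() {
        this(obtainSubject());
    }

    /**
     * Creates an instance backed by the given Subject.
     *
     * @param subject the Subject that will hold the tokens; must not be {@code null}
     * @throws NullPointerException if {@code subject} is {@code null}
     */
    public RbaSubjectImpl(Subject subject) {
        // Fail at construction instead of on the first token access, where the cause is harder to trace.
        this.subject = Objects.requireNonNull(subject, "subject");
    }

    /**
     * Looks up the Subject bound to the current access-control context.
     *
     * <p>NOTE(review): {@code AccessController} and {@code Subject.getSubject} are deprecated
     * for removal in recent JDKs ({@code Subject.current()} is the replacement from Java 18);
     * check the target runtime before upgrading.
     *
     * @return the context's Subject, or a new empty Subject when none is bound
     */
    private static Subject obtainSubject() {
        Subject current = Subject.getSubject(AccessController.getContext());
        // With no bound Subject the tokens live only in this new object, reachable via this instance.
        return current != null ? current : new Subject();
    }

    /** @return the stored application token if it is currently valid, otherwise {@code null} */
    @Override
    public RbaToken getAppToken() {
        return getToken(false, true);
    }

    /**
     * Replaces the stored application token.
     *
     * @param rbaToken the new application token, or {@code null} to only remove the current one
     */
    @Override
    public void setAppToken(RbaToken rbaToken) {
        setToken(rbaToken, false);
    }

    /**
     * Returns the stored application token without checking its validity, so the result may be
     * expired (or still valid). Callers must not treat it as proof of authorization.
     *
     * @return the stored application token, or {@code null} if there is none
     */
    @Override
    public RbaToken getExpiredAppToken() {
        return getToken(false, false);
    }

    /** @return the stored master token if it is currently valid, otherwise {@code null} */
    @Override
    public RbaToken getMasterToken() {
        return getToken(true, true);
    }

    /**
     * Replaces the stored master token.
     *
     * @param rbaToken the new master token, or {@code null} to only remove the current one
     */
    @Override
    public void setMasterToken(RbaToken rbaToken) {
        setToken(rbaToken, true);
    }

    /**
     * Returns the stored master token without checking its validity, so the result may be
     * expired (or still valid). Callers must not treat it as proof of authorization.
     *
     * @return the stored master token, or {@code null} if there is none
     */
    @Override
    public RbaToken getExpiredMasterToken() {
        return getToken(true, false);
    }

    /** @return {@code true} if a valid application token is stored */
    @Override
    public boolean hasValidAppToken() {
        RbaToken appToken = getAppToken();
        return appToken != null && appToken.isValid();
    }

    /** @return {@code true} if a valid master token is stored */
    @Override
    public boolean hasValidMasterToken() {
        RbaToken masterToken = getMasterToken();
        return masterToken != null && masterToken.isValid();
    }

    /**
     * Removes every {@link RbaToken} private credential and empties the principal set.
     *
     * <p>All principals are removed, not only those added by this class; other private
     * credential types are left untouched.
     */
    @Override
    public void clear() {
        Subject target = getSubject();
        target.getPrivateCredentials().removeAll(target.getPrivateCredentials(RbaToken.class));
        target.getPrincipals().clear();
    }

    /** Removes the stored application token, if any. */
    @Override
    public void clearAppToken() {
        setAppToken(null);
    }

    /** Removes the stored master token, if any. */
    @Override
    public void clearMasterToken() {
        setMasterToken(null);
    }

    /**
     * Removes every stored token whose {@code isValid()} is {@code false}.
     *
     * <p>Principals are not touched here, so the user principal of a removed token stays in the
     * Subject even when no token is left. NOTE(review): {@code setToken} clears principals in
     * that situation; confirm the difference is intended.
     */
    @Override
    public void clearExpiredTokens() {
        Subject target = getSubject();
        // getPrivateCredentials(Class) returns a snapshot, so removing from the live set while iterating is safe.
        for (RbaToken stored : target.getPrivateCredentials(RbaToken.class)) {
            if (stored.isValid()) {
                continue;
            }
            // NOTE(review): the token object itself is handed to the logger, so whatever
            // RbaToken.toString() emits lands in debug logs; confirm it holds no secret material.
            LOGGER.debug("clearExpiredTokens() clearing expired token {}", stored);
            target.getPrivateCredentials().remove(stored);
        }
    }

    /** @return the backing Subject itself (live and mutable, not a copy) */
    @Override
    public Subject getSubject() {
        return this.subject;
    }

    /**
     * Tells whether a token is of the requested kind.
     *
     * @param token the token to inspect
     * @param master {@code true} to test for a master token, {@code false} for an application token
     */
    private static boolean isOfKind(RbaToken token, boolean master) {
        return master ? token.getType().isMaster() : token.getType().isApplication();
    }

    /**
     * Finds the first stored token of the requested kind.
     *
     * @param master {@code true} for the master token, {@code false} for the application token
     * @param validOnly when {@code true}, tokens whose {@code isValid()} is {@code false} are skipped
     * @return the matching token, or {@code null} if none is stored
     */
    private RbaToken getToken(boolean master, boolean validOnly) {
        for (RbaToken stored : getSubject().getPrivateCredentials(RbaToken.class)) {
            if (validOnly && !stored.isValid()) {
                continue;
            }
            if (isOfKind(stored, master)) {
                return stored;
            }
        }
        return null;
    }

    /**
     * Replaces the stored token of one kind.
     *
     * <p>Every stored token of that kind is removed first. If no {@link RbaToken} credential is
     * left afterwards the whole principal set is emptied. A non-null token is then stored and
     * its user added as a principal.
     *
     * @param rbaToken the token to store, or {@code null} to only remove the current one
     * @param master {@code true} if the master slot is being set, {@code false} for the application slot
     */
    private void setToken(RbaToken rbaToken, boolean master) {
        if (rbaToken != null) {
            // Refuse a token whose type does not match the slot it is being stored in.
            Assert.isTrue(isOfKind(rbaToken, master));
        }
        Subject target = getSubject();
        // Iterates a snapshot, so removal from the live credential set is safe here.
        for (RbaToken stored : target.getPrivateCredentials(RbaToken.class)) {
            if (isOfKind(stored, master)) {
                target.getPrivateCredentials().remove(stored);
            }
        }
        // Principals are only reset when the last RbaToken is gone; with a token of the other
        // kind still stored, the removed token's user principal stays in the Subject.
        if (target.getPrivateCredentials(RbaToken.class).isEmpty()) {
            target.getPrincipals().clear();
        }
        if (rbaToken != null) {
            target.getPrivateCredentials().add(rbaToken);
            target.getPrincipals().add(rbaToken.getUser());
        }
    }
}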
