package org.dcache.gridsite;

import eu.emi.security.authn.x509.X509Credential;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.dcache.auth.FQAN;
import org.dcache.delegation.gridsite2.DelegationException;
import org.italiangrid.voms.VOMSAttribute;
import org.italiangrid.voms.ac.VOMSACValidator;
import org.springframework.beans.factory.annotation.Required;

/* loaded from: input_file:org/dcache/gridsite/InMemoryCredentialStore.class */
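/**
 * A {@link CredentialStore} that keeps delegated credentials in a plain in-process map.
 *
 * <p>Entries are keyed by {@link DelegationIdentity}. Nothing in this class persists them, and
 * the only eviction is lazy: an expired entry is dropped when a lookup for its identity happens
 * to touch it. The stored {@code X509Credential} objects are long-lived secrets (in CANL they
 * expose the private key alongside the certificate chain), so they must not be logged or handed
 * to code that does not need them.
 *
 * <p>NOTE(review): the backing map is an unsynchronised {@link HashMap} and no method here takes
 * a lock. If this bean is reachable from concurrent request threads, access needs external
 * serialisation or a concurrent map; confirm against how the store is wired.
 */
public class InMemoryCredentialStore implements CredentialStore {
    private final Map<DelegationIdentity, X509Credential> _storage = new HashMap<>();
    private VOMSACValidator validator;

    /**
     * Predicate over the owner DN of a stored credential and its primary FQAN.
     *
     * <p>The FQAN argument is {@code null} when the credential yields no validated VOMS FQAN.
     * The decompiler reports that this interface was originally private; it is left public here
     * so that the class keeps the shape the decompiled listing has.
     */
    @FunctionalInterface
    public interface DnFqanMatcher {
        boolean matches(String dn, String fqan);
    }

    /**
     * Injects the VOMS attribute-certificate validator used by the {@code search} methods.
     *
     * @param vomsValidator validator applied to each stored certificate chain during a search
     */
    @Required
    public void setVomsValidator(VOMSACValidator vomsValidator) {
        this.validator = vomsValidator;
    }

    /**
     * Returns the unexpired credential stored under {@code id}.
     *
     * @param id identity the credential was stored under
     * @return the stored credential, never {@code null}
     * @throws DelegationException if the chain is empty, or (presumably, via
     *     {@code Utilities.assertThat}) if nothing unexpired is stored under {@code id}
     */
    @Override
    public X509Credential get(DelegationIdentity id) throws DelegationException {
        X509Credential credential = getAndCheckForExpired(id);
        Utilities.assertThat(credential != null, "no credential", id);
        return credential;
    }

    /**
     * Looks up {@code id}, evicting the entry and returning {@code null} if it has expired.
     */
    private X509Credential getAndCheckForExpired(DelegationIdentity id) throws DelegationException {
        X509Credential credential = _storage.get(id);
        if (credential != null && hasExpired(credential)) {
            // Lazy eviction: expired key material is dropped as soon as a lookup notices it.
            _storage.remove(id);
            return null;
        }
        return credential;
    }

    /**
     * Stores {@code credential} under {@code id}, replacing any previous entry.
     *
     * <p>The {@code fqan} argument is not recorded; searches re-derive the primary FQAN from the
     * credential's own VOMS attributes. The credential is stored as given: neither nullness nor
     * expiry is checked here.
     */
    @Override
    public void put(DelegationIdentity id, X509Credential credential, FQAN fqan) {
        _storage.put(id, credential);
    }

    /**
     * Removes the credential stored under {@code id}.
     *
     * <p>An expired entry is still removed from the map but is reported as absent, which matches
     * what {@link #get} would have said about it.
     *
     * @throws DelegationException if the chain is empty, or (presumably, via
     *     {@code Utilities.assertThat}) if nothing unexpired was stored under {@code id}
     */
    @Override
    public void remove(DelegationIdentity id) throws DelegationException {
        // Map.remove already deletes the entry, so no second removal is needed for expired ones.
        X509Credential removed = _storage.remove(id);
        boolean usable = removed != null && !hasExpired(removed);
        Utilities.assertThat(usable, "no credential", id);
    }

    /**
     * Reports whether an unexpired credential is stored under {@code id}.
     *
     * @return {@code false} also when the expiry of the stored credential cannot be determined
     */
    @Override
    public boolean has(DelegationIdentity id) {
        try {
            return getAndCheckForExpired(id) != null;
        } catch (DelegationException ignored) {
            // A credential whose expiry cannot be read is treated as not available.
            return false;
        }
    }

    /**
     * Returns the expiry instant of the credential stored under {@code id}.
     *
     * @return a calendar in the default time zone and locale, set to the earliest
     *     {@code notAfter} in the certificate chain
     * @throws DelegationException if the chain is empty, or (presumably, via
     *     {@code Utilities.assertThat}) if nothing unexpired is stored under {@code id}
     */
    @Override
    public Calendar getExpiry(DelegationIdentity id) throws DelegationException {
        X509Credential credential = getAndCheckForExpired(id);
        Utilities.assertThat(credential != null, "no credential", id);
        Calendar expiry = Calendar.getInstance();
        expiry.setTime(getExpiryOf(credential));
        return expiry;
    }

    /**
     * Returns the earliest {@code notAfter} over the whole chain, because a chain stops being
     * usable as soon as any one of its certificates expires.
     *
     * @throws DelegationException if the chain holds no certificates
     */
    private static Date getExpiryOf(X509Credential credential) throws DelegationException {
        return Stream.of(credential.getCertificateChain())
                .map(certificate -> certificate.getNotAfter())
                .min(Date::compareTo)
                .orElseThrow(() -> new DelegationException("Certificate chain is empty."));
    }

    /** Returns {@code true} when the chain's earliest expiry is at or before the current time. */
    private static boolean hasExpired(X509Credential credential) throws DelegationException {
        return getExpiryOf(credential).getTime() <= System.currentTimeMillis();
    }

    /**
     * Finds the longest-lived unexpired credential delegated by {@code dn}, whatever its FQAN.
     *
     * @return the matching credential, or {@code null} if there is none
     */
    @Override
    public X509Credential search(String dn) {
        return bestCredentialMatching((storedDn, storedFqan) -> dn.equals(storedDn));
    }

    /**
     * Finds the longest-lived unexpired credential delegated by {@code dn} whose primary FQAN
     * equals {@code fqan}. A {@code null} {@code fqan} matches only credentials that yield no
     * validated FQAN.
     *
     * @return the matching credential, or {@code null} if there is none
     */
    @Override
    public X509Credential search(String dn, String fqan) {
        return bestCredentialMatching(
                (storedDn, storedFqan) -> dn.equals(storedDn) && Objects.equals(fqan, storedFqan));
    }

    /**
     * Scans every stored credential and returns the accepted one that expires last.
     *
     * <p>Only credentials that are still valid at the time of the call are considered, so a
     * search never returns a credential that {@link #get} would refuse. Expired entries are
     * skipped rather than evicted here, because removing from the map while iterating over it
     * would fail.
     */
    private X509Credential bestCredentialMatching(DnFqanMatcher matcher) {
        X509Credential best = null;
        // Start from "now" instead of the epoch so that an expired credential can never win.
        Date bestExpiry = new Date();
        for (Map.Entry<DelegationIdentity, X509Credential> entry : _storage.entrySet()) {
            X509Credential candidate = entry.getValue();
            try {
                FQAN primary = getPrimary(validator.validate(candidate.getCertificateChain()));
                if (!matcher.matches(entry.getKey().getDn(), Objects.toString(primary, null))) {
                    continue;
                }
                Date expiry = getExpiryOf(candidate);
                if (expiry.after(bestExpiry)) {
                    bestExpiry = expiry;
                    best = candidate;
                }
            } catch (DelegationException ignored) {
                // Best effort: a credential whose expiry cannot be determined is skipped so
                // that one bad entry does not hide the usable ones.
            }
        }
        return best;
    }

    /**
     * Returns the first FQAN of the first attribute that carries any, or {@code null} if the
     * validated attributes contain none.
     */
    private static FQAN getPrimary(List<VOMSAttribute> attributes) {
        return attributes.stream()
                .flatMap(attribute -> attribute.getFQANs().stream())
                .findFirst()
                .map(FQAN::new)
                .orElse(null);
    }
}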
