package edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector;

import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException;
import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethResolutionContext;
import edu.internet2.middleware.shibboleth.common.profile.provider.SAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.util.DataExpiredException;
import edu.internet2.middleware.shibboleth.common.util.DataSealer;
import edu.internet2.middleware.shibboleth.common.util.DataSealerException;
import org.opensaml.saml1.core.NameIdentifier;
import org.opensaml.saml2.core.NameID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/attribute/resolver/provider/principalConnector/CryptoTransientPrincipalConnector.class */
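/**
 * Principal connector that recovers a principal name from a sealed ("crypto transient")
 * subject name identifier.
 *
 * <p>The identifier value is handed to the configured {@link DataSealer}; the recovered text is
 * expected to hold three {@code '!'}-separated fields: the issuer the identifier was minted by,
 * the relying party it was minted for, and the principal name. Before the principal is returned,
 * the first two fields are checked against the qualifiers on the presented identifier (when
 * present) and against the outbound and inbound message issuers of the current request, so an
 * identifier minted for one issuer/requester pair is rejected when presented under another.</p>
 *
 * <p>NOTE(review): the confidentiality and integrity of the sealed value depend entirely on the
 * {@code DataSealer} implementation, which is not visible here - confirm it authenticates the
 * data as well as encrypting it.</p>
 */
public class CryptoTransientPrincipalConnector extends BasePrincipalConnector {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(CryptoTransientPrincipalConnector.class);

    /** Number of '!'-separated fields expected in an unsealed identifier. */
    private static final int SEALED_FIELD_COUNT = 3;

    /** Sealer used to recover the content of a transient identifier. */
    private final DataSealer dataSealer;

    /**
     * Creates the connector.
     *
     * @param dataSealer sealer used to unwrap transient identifiers; must not be null
     * @throws IllegalArgumentException if {@code dataSealer} is null
     */
    public CryptoTransientPrincipalConnector(DataSealer dataSealer) {
        if (dataSealer == null) {
            throw new IllegalArgumentException("DataSealer may not be null.");
        }
        this.dataSealer = dataSealer;
    }

    /**
     * Recovers the principal name bound to the subject name identifier of the current request.
     *
     * @param shibbolethResolutionContext resolution context carrying the attribute request context
     * @return the principal name stored in the third field of the unsealed identifier
     * @throws AttributeResolutionException if the identifier is missing or of an unsupported type,
     *         cannot be unsealed, has expired, is malformed, or is bound to a different issuer or
     *         requester than the current request
     */
    @Override
    public String resolve(ShibbolethResolutionContext shibbolethResolutionContext) throws AttributeResolutionException {
        SAMLProfileRequestContext requestContext = shibbolethResolutionContext.getAttributeRequestContext();

        // Read the identifier once; instanceof is false for null, so a missing identifier falls
        // through to the "not of a supported type" rejection exactly as before.
        Object subject = requestContext.getSubjectNameIdentifier();

        String transientId;
        String nameQualifier;
        String spNameQualifier = null;
        if (subject instanceof NameIdentifier) {
            NameIdentifier saml1Id = (NameIdentifier) subject;
            transientId = saml1Id.getNameIdentifier();
            nameQualifier = saml1Id.getNameQualifier();
        } else if (subject instanceof NameID) {
            NameID saml2Id = (NameID) subject;
            transientId = saml2Id.getValue();
            nameQualifier = saml2Id.getNameQualifier();
            spNameQualifier = saml2Id.getSPNameQualifier();
        } else {
            throw new AttributeResolutionException("Subject name identifier is not of a supported type");
        }
        if (transientId == null) {
            throw new AttributeResolutionException("Invalid subject name identifier");
        }

        String decoded;
        try {
            decoded = this.dataSealer.unwrap(transientId);
        } catch (DataExpiredException e) {
            // Keep the cause so the expiry details stay available to whoever handles the failure.
            throw new AttributeResolutionException("Principal identifier has expired.", e);
        } catch (DataSealerException e) {
            throw new AttributeResolutionException("Caught exception unwrapping principal identifier.", e);
        }
        if (decoded == null) {
            throw new AttributeResolutionException("Unable to recover principal from transient identifier: " + transientId);
        }

        String[] parts = decoded.split("!");
        if (parts.length != SEALED_FIELD_COUNT) {
            // The unsealed text contains the principal name, so it is deliberately kept out of the
            // exception message; only the structural problem is reported.
            throw new AttributeResolutionException("Decoded principal information was invalid: expected "
                    + SEALED_FIELD_COUNT + " fields but found " + parts.length);
        }
        String decodedIssuer = parts[0];
        String decodedRequester = parts[1];

        // NOTE(review): the messages below embed the decoded qualifiers. Confirm that
        // AttributeResolutionException text is not returned verbatim to the requester, since it
        // would tell a party presenting someone else's identifier whom it was minted for.

        // Qualifiers carried on the presented identifier are optional, but must agree when present.
        if (nameQualifier != null && !nameQualifier.equals(decodedIssuer)) {
            throw new AttributeResolutionException("Decoded NameQualifier (" + decodedIssuer
                    + ") does not match supplied value (" + nameQualifier + ").");
        }
        if (spNameQualifier != null && !spNameQualifier.equals(decodedRequester)) {
            throw new AttributeResolutionException("Decoded SPNameQualifier (" + decodedRequester
                    + ") does not match supplied value (" + spNameQualifier + ").");
        }

        // Mandatory binding checks against the parties of the current exchange.
        if (!decodedIssuer.equals(requestContext.getOutboundMessageIssuer())) {
            throw new AttributeResolutionException("Decoded NameQualifier (" + decodedIssuer
                    + ") does not match issuer (" + requestContext.getOutboundMessageIssuer() + ").");
        }
        if (!decodedRequester.equals(requestContext.getInboundMessageIssuer())) {
            throw new AttributeResolutionException("Decoded SPNameQualifier (" + decodedRequester
                    + ") does not match requester (" + requestContext.getInboundMessageIssuer() + ").");
        }
        return parts[2];
    }

    /**
     * Checks that the connector has a {@link DataSealer}.
     *
     * @throws AttributeResolutionException if no sealer is set
     */
    @Override
    public void validate() throws AttributeResolutionException {
        // The constructor already rejects null; this remains as a defensive check.
        if (this.dataSealer == null) {
            String message = "CryptoTransientPrincipalConnector (" + getId() + ") must have a DataSealer object set.";
            log.error(message);
            throw new AttributeResolutionException(message);
        }
    }
}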
