package ca.nrc.cadc.auth;

import ca.nrc.cadc.auth.NotAuthenticatedException;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/auth/TokenValidator.class */
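/**
 * Replaces the raw, unvalidated token principals carried by a {@link Subject}
 * with the identities and credentials obtained by parsing those tokens.
 *
 * <p>Two kinds of input are handled: {@code CookiePrincipal} (SSO cookies) and
 * {@code AuthorizationTokenPrincipal} (the {@code X-CADC-DelegationToken} header or an
 * {@code Authorization} header with a Bearer challenge).
 *
 * <p>Security note: header values and token strings are bearer secrets. They are
 * never written to the log, not even at debug level, because anyone who can read the
 * log could replay them.
 */
public class TokenValidator {
    private static final Logger log = Logger.getLogger(TokenValidator.class);

    /**
     * Validates the cookie and authorization-token principals found in the subject.
     *
     * <p>For each token that parses successfully, the resulting identity principal(s)
     * are added to the subject, the matching credential is added to the subject's public
     * credentials, and the raw token principal is removed. The subject is modified in
     * place; on failure it may already have been partially updated, so callers should
     * discard it when an exception is thrown.
     *
     * <p>An {@code AuthorizationTokenPrincipal} whose header key is neither
     * {@code X-CADC-DelegationToken} nor the Authorization header, or whose Authorization
     * challenge type is not Bearer, is left in the subject untouched.
     *
     * @param subject the subject holding the raw token principals
     * @return the same subject instance that was passed in
     * @throws NotAuthenticatedException if a cookie raises
     *     {@code InvalidSignedTokenException}, if an Authorization header value contains
     *     no space separating the challenge type from the credentials, or if parsing a
     *     token fails for any reason
     */
    public static Subject validateTokens(Subject subject) throws NotAuthenticatedException {
        // Subject.getPrincipals(Class) returns a new set that is not backed by the
        // subject, so the subject can be modified while iterating over it.
        Set<CookiePrincipal> cookiePrincipals = subject.getPrincipals(CookiePrincipal.class);
        log.debug("validateTokens: found " + cookiePrincipals.size() + " cookie principals");
        if (!cookiePrincipals.isEmpty()) {
            SSOCookieManager cookieManager = new SSOCookieManager();
            for (CookiePrincipal cookiePrincipal : cookiePrincipals) {
                try {
                    subject.getPrincipals().addAll(cookieManager.parse(cookiePrincipal.getValue()).getIdentityPrincipals());
                    List<SSOCookieCredential> cookieCredentials = cookieManager.getSSOCookieCredentials(cookiePrincipal.getValue());
                    log.debug("Adding " + cookieCredentials.size() + " cookie credentials to subject");
                    subject.getPublicCredentials().addAll(cookieCredentials);
                    subject.getPrincipals().remove(cookiePrincipal);
                } catch (InvalidSignedTokenException e) {
                    throw new NotAuthenticatedException("invalid cookie: " + e.getMessage(), e);
                }
            }
        }

        Set<AuthorizationTokenPrincipal> tokenPrincipals = subject.getPrincipals(AuthorizationTokenPrincipal.class);
        log.debug("validateTokens: found " + tokenPrincipals.size() + " token principals");
        for (AuthorizationTokenPrincipal tokenPrincipal : tokenPrincipals) {
            // Only the header name is logged; the value carries the secret.
            log.debug("header key: " + tokenPrincipal.getHeaderKey());
            log.debug("header value: <redacted>");

            String credentials = null;
            String challengeType = null;
            if ("X-CADC-DelegationToken".equals(tokenPrincipal.getHeaderKey())) {
                // The whole header value is the token; the header name doubles as the challenge type.
                challengeType = "X-CADC-DelegationToken";
                credentials = tokenPrincipal.getHeaderValue().trim();
            } else if (AuthenticationUtil.AUTHORIZATION_HEADER.equals(tokenPrincipal.getHeaderKey())) {
                // Expected form: "<challenge-type> <credentials>".
                int separator = tokenPrincipal.getHeaderValue().indexOf(" ");
                if (separator == -1) {
                    throw new NotAuthenticatedException(null, NotAuthenticatedException.AuthError.INVALID_REQUEST, "missing authorization challenge");
                }
                challengeType = tokenPrincipal.getHeaderValue().substring(0, separator).trim();
                if (AuthenticationUtil.CHALLENGE_TYPE_BEARER.equalsIgnoreCase(challengeType)) {
                    credentials = tokenPrincipal.getHeaderValue().substring(separator + 1).trim();
                }
                // Any other challenge type leaves credentials null, so the principal is skipped below.
            }

            if (challengeType != null && credentials != null) {
                log.debug("challenge type: " + challengeType);
                log.debug("credentials: <redacted> (" + credentials.length() + " chars)");
                try {
                    SignedToken signedToken = SignedToken.parse(credentials);
                    subject.getPrincipals().add(signedToken.getUser());
                    AuthorizationToken authorizationToken = new AuthorizationToken(challengeType, credentials, signedToken.getDomains(), signedToken.getScope());
                    log.debug("Adding token credential to subject, removing token principal");
                    subject.getPublicCredentials().add(authorizationToken);
                    subject.getPrincipals().remove(tokenPrincipal);
                } catch (Exception e) {
                    // Any failure while parsing or applying the token is reported as an invalid token.
                    throw new NotAuthenticatedException(challengeType, NotAuthenticatedException.AuthError.INVALID_TOKEN, e.getMessage(), e);
                }
            }
        }
        return subject;
    }
}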
