package eu.emi.security.authn.x509.helpers.ns;

import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationErrorCode;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.emi.security.authn.x509.proxy.ProxyUtils;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/ns/NamespaceChecker.class */
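/**
 * Applies CA namespace policies to the certificates of a chain: for every
 * certificate that is neither self-issued nor a proxy, the subject name must be
 * permitted by the policies that the configured stores return for that position.
 *
 * <p>Points a reviewer of the trust configuration should keep in mind:
 * <ul>
 * <li>When the checking mode is not "required", an issuer for which no store
 *     returns any policy is accepted without a namespace restriction. Only a mode
 *     whose {@code isRequired()} is true reports {@code nsUndefinedAndRequired}.</li>
 * <li>The self-issued exemption compares issuer and subject names only. This class
 *     verifies no signatures, so chain and trust-anchor validation has to be done
 *     by the caller.</li>
 * <li>Unless the mode is one of the two {@code EUGRIDPMA_AND_GLOBUS*} values, the
 *     first store that has policies for a certificate decides and the remaining
 *     stores are not consulted.</li>
 * </ul>
 */
public class NamespaceChecker {
    private final boolean namespaceRequired;
    private final boolean checkAll;
    private final NamespacesStore[] nsStores;

    /**
     * Creates a checker that consults the stores enabled by the given mode, in the
     * order the mode prescribes.
     *
     * @param namespaceCheckingMode selects the enabled stores, their order, whether
     *        all of them must accept, and whether a missing namespace is an error
     * @param namespacesStore store used when {@code euGridPmaEnabled()} is true
     * @param namespacesStore2 store used when {@code globusEnabled()} is true
     */
    public NamespaceChecker(NamespaceCheckingMode namespaceCheckingMode, NamespacesStore namespacesStore, NamespacesStore namespacesStore2) {
        this.namespaceRequired = namespaceCheckingMode.isRequired();
        this.checkAll = namespaceCheckingMode == NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS || namespaceCheckingMode == NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS_REQUIRE;

        boolean globusEnabled = namespaceCheckingMode.globusEnabled();
        boolean euGridPmaEnabled = namespaceCheckingMode.euGridPmaEnabled();

        // The stores are collected in priority order instead of being written to
        // fixed array slots. Fixed slots are only correct while every Globus-only
        // mode also reports isGlobusFirst(); any other combination would throw
        // ArrayIndexOutOfBoundsException while the validator is being set up.
        List<NamespacesStore> ordered = new ArrayList<NamespacesStore>(2);
        if (namespaceCheckingMode.isGlobusFirst()) {
            if (globusEnabled) {
                ordered.add(namespacesStore2);
            }
            if (euGridPmaEnabled) {
                ordered.add(namespacesStore);
            }
        } else {
            if (euGridPmaEnabled) {
                ordered.add(namespacesStore);
            }
            if (globusEnabled) {
                ordered.add(namespacesStore2);
            }
        }
        this.nsStores = ordered.toArray(new NamespacesStore[0]);
    }

    /**
     * Checks every certificate of the chain against the namespace policies.
     *
     * @param x509CertificateArr the chain to check; each store is handed the whole
     *        chain together with the position being checked
     * @return the namespace violations found; empty when no store is enabled or
     *         nothing was violated
     */
    public List<ValidationError> check(X509Certificate[] x509CertificateArr) {
        if (this.nsStores.length == 0) {
            // Namespace checking is switched off by the mode: nothing is reported.
            return Collections.emptyList();
        }
        List<ValidationError> errors = new ArrayList<ValidationError>();
        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate certificate = x509CertificateArr[i];
            X500Principal issuer = certificate.getIssuerX500Principal();
            X500Principal subject = certificate.getSubjectX500Principal();
            // Self-issued certificates (by name) and proxy certificates are exempt.
            if (issuer.equals(subject) || ProxyUtils.isProxy(certificate)) {
                continue;
            }
            boolean policyFound = false;
            for (NamespacesStore store : this.nsStores) {
                List<NamespacePolicy> policies = store.getPolicies(x509CertificateArr, i);
                if (policies == null || policies.isEmpty()) {
                    continue;
                }
                policyFound = true;
                doCheck(subject, policies, errors, i, x509CertificateArr);
                if (!this.checkAll) {
                    // The first store that defines a namespace decides.
                    break;
                }
            }
            if (!policyFound && this.namespaceRequired) {
                errors.add(new ValidationError(x509CertificateArr, i, ValidationErrorCode.nsUndefinedAndRequired, X500NameUtils.getReadableForm(issuer)));
            }
        }
        return errors;
    }

    /**
     * Evaluates one subject against the policies of a single store and appends the
     * resulting errors to {@code list2}.
     *
     * <p>Every matching non-permit policy adds an {@code nsDeny} error, whether or
     * not another policy permits the subject. {@code nsNotAccepted} is added when
     * no matching permit policy exists, so a subject that is only denied gets both
     * errors.
     */
    private void doCheck(X500Principal x500Principal, List<NamespacePolicy> list, List<ValidationError> list2, int i, X509Certificate[] x509CertificateArr) {
        boolean permitted = false;
        // Identifications of all consulted policies, reported with nsNotAccepted.
        StringBuilder consulted = new StringBuilder();
        for (NamespacePolicy policy : list) {
            consulted.append(policy.getIdentification()).append(" ");
            if (!policy.isSubjectMatching(x500Principal)) {
                continue;
            }
            if (policy.isPermit()) {
                permitted = true;
            } else {
                list2.add(new ValidationError(x509CertificateArr, i, ValidationErrorCode.nsDeny, X500NameUtils.getReadableForm(x500Principal), policy.getIdentification()));
            }
        }
        if (!permitted) {
            list2.add(new ValidationError(x509CertificateArr, i, ValidationErrorCode.nsNotAccepted, X500NameUtils.getReadableForm(x500Principal), consulted.toString()));
        }
    }
}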
