package org.apache.cxf.ws.security.wss4j;

import java.io.IOException;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.dom.DOMSource;
import org.apache.cxf.attachment.AttachmentUtil;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.PropertyUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.TokenStoreException;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.processor.Processor;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.validate.NoOpValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.c14n.InvalidCanonicalizerException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.class */
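/**
 * Inbound WS-Security interceptor: hands the SOAP security header to the WSS4J
 * {@link WSSecurityEngine} and publishes the processing results on the message.
 * <p>
 * Runs in {@link Phase#PRE_PROTOCOL}, after the SAAJ in-interceptor (a SAAJ model of the
 * message must exist) and after WS-Addressing header decoding. Processing is skipped when
 * the message is already marked {@link #SECURITY_PROCESSED}, when the request is a body-less
 * HTTP GET (see {@link #isGET(SoapMessage)}), or when the message has no exchange. The GET
 * shortcut means no WS-Security header is verified on such requests.
 * <p>
 * Security-relevant switches visible in this class:
 * <ul>
 *   <li>{@code ignoreActions}: disables the check that the received security results match the
 *       configured actions, and allows a missing "action" setting (see {@link #checkActions}).</li>
 *   <li>{@link SecurityConstants#VALIDATE_TOKEN} {@code = false}: a {@link NoOpValidator} is
 *       installed for UsernameTokens and callback-handler lookup failures are ignored, so
 *       tokens are parsed but not validated here (see {@link #getSecurityEngine(boolean)}).</li>
 *   <li>Replay caches (nonce, timestamp, one-time-use SAML) are only wired when the matching
 *       action is configured (see {@link #configureReplayCaches}).</li>
 * </ul>
 */
public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
    /** Default SAML attribute name carrying role claims. */
    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
    /** Property key: map of security-header element {@link QName} to WSS4J {@link Processor} (class or instance). */
    public static final String PROCESSOR_MAP = "wss4j.processor.map";
    /** Property key: map of token {@link QName} to WSS4J {@link Validator} (class or instance). */
    public static final String VALIDATOR_MAP = "wss4j.validator.map";
    /** Message key set once this interceptor has run; guards against processing the same message twice. */
    public static final String SECURITY_PROCESSED = WSS4JInInterceptor.class.getName() + ".DONE";
    private static final Logger LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class);
    /** When true, skip the action/result consistency check and tolerate a missing "action" setting. */
    private boolean ignoreActions;
    /** Engine configuration built from the constructor property map; null if none was supplied. */
    private WSSConfig defaultConfig;

    public WSS4JInInterceptor() {
        setPhase(Phase.PRE_PROTOCOL);
        // A SAAJ model is required, and WS-Addressing headers must already be decoded.
        getAfter().add(SAAJInInterceptor.class.getName());
        getAfter().add("org.apache.cxf.ws.addressing.soap.MAPCodec");
    }

    /**
     * @param ignore whether to skip the action/result consistency check (see {@link #checkActions})
     */
    public WSS4JInInterceptor(boolean ignore) {
        this();
        this.ignoreActions = ignore;
    }

    /**
     * Creates the interceptor from a property map. Besides the inherited properties, the map may
     * carry {@link #PROCESSOR_MAP} and {@link #VALIDATOR_MAP} (or the legacy key
     * {@code "validatorMap"}) to customise the WSS4J engine configuration.
     *
     * @param properties interceptor properties; must not be null
     */
    public WSS4JInInterceptor(Map<String, Object> properties) {
        this();
        setProperties(properties);
        WSSConfig config = WSSConfig.getNewInstance();
        Map<QName, Object> processors = CastUtils.cast((Map<?, ?>) properties.get(PROCESSOR_MAP));
        installProcessors(config, processors);
        Map<QName, Object> validators = CastUtils.cast((Map<?, ?>) properties.get(VALIDATOR_MAP));
        if (validators == null) {
            // Legacy spelling of the same property.
            validators = CastUtils.cast((Map<?, ?>) properties.get("validatorMap"));
        }
        installValidators(config, validators);
        this.defaultConfig = config;
    }

    /**
     * Registers custom processors. A value may be a {@link Class}, a {@link Processor} instance,
     * or {@code null}; a null is passed through to the engine as a null processor class
     * (presumably to disable handling of that element — confirm against WSSConfig).
     */
    private static void installProcessors(WSSConfig config, Map<QName, Object> processors) {
        if (processors == null) {
            return;
        }
        for (Map.Entry<QName, Object> entry : processors.entrySet()) {
            Object value = entry.getValue();
            if (value instanceof Class) {
                config.setProcessor(entry.getKey(), (Class<?>) value);
            } else if (value instanceof Processor) {
                config.setProcessor(entry.getKey(), (Processor) value);
            } else if (value == null) {
                config.setProcessor(entry.getKey(), (Class<?>) null);
            }
        }
    }

    /** Registers custom validators given as a {@link Class} or {@link Validator} instance; other values are ignored. */
    private static void installValidators(WSSConfig config, Map<QName, Object> validators) {
        if (validators == null) {
            return;
        }
        for (Map.Entry<QName, Object> entry : validators.entrySet()) {
            Object value = entry.getValue();
            if (value instanceof Class) {
                config.setValidator(entry.getKey(), (Class<?>) value);
            } else if (value instanceof Validator) {
                config.setValidator(entry.getKey(), (Validator) value);
            }
        }
    }

    /** @param ignore whether to skip the action/result consistency check (see {@link #checkActions}) */
    public void setIgnoreActions(boolean ignore) {
        this.ignoreActions = ignore;
    }

    /** Ensures a SAAJ model exists for the message (runs the SAAJ in-interceptor) and returns it. */
    private SOAPMessage getSOAPMessage(SoapMessage msg) {
        SAAJInInterceptor.INSTANCE.handleMessage(msg);
        return msg.getContent(SOAPMessage.class);
    }

    /**
     * Looks up a handler property; on the client side, the signature values sent with the
     * request are taken from the out message when not present on the in message.
     */
    @Override
    public Object getProperty(Object msgContext, String key) {
        Object value = super.getProperty(msgContext, key);
        if (value == null && "_sendSignatureValues_".equals(key) && isRequestor((SoapMessage) msgContext)) {
            value = ((SoapMessage) msgContext).getExchange().getOutMessage().get(key);
        }
        return value;
    }

    /**
     * True for an HTTP GET that carries no XML content (e.g. a "?wsdl" request).
     * Such requests bypass WS-Security processing entirely.
     */
    public final boolean isGET(SoapMessage message) {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
    }

    /**
     * Entry point. Installs an exchange-scoped JCE {@link Provider} on the thread (if one is set
     * and {@link ThreadLocalSecurityProvider} is installed) for the duration of the processing.
     * <p>
     * The provider is cleared in a {@code finally} block: the previous code only unset it on a
     * failure of {@code setProvider} itself, so an exception from the actual security
     * processing left the provider bound to the pooled thread for the next request.
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage) || soapMessage.getExchange() == null) {
            return;
        }
        Provider provider = soapMessage.getExchange().get(Provider.class);
        final boolean useCustomProvider = provider != null && ThreadLocalSecurityProvider.isInstalled();
        try {
            if (useCustomProvider) {
                ThreadLocalSecurityProvider.setProvider(provider);
            }
            handleMessageInternal(soapMessage);
        } finally {
            if (useCustomProvider) {
                // Always clear the thread-local provider so it cannot leak into another exchange.
                ThreadLocalSecurityProvider.unsetProvider();
            }
        }
    }

    /**
     * Configures a {@link CXFRequestData}, runs the WSS4J engine on the security header matching
     * the configured actor, checks the results against the configured actions and publishes
     * them via {@link #doResults}. WSS4J/StAX/SAAJ failures are converted to {@link SoapFault}s.
     */
    private void handleMessageInternal(SoapMessage msg) throws Fault {
        boolean validateToken = MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
        translateProperties(msg);
        CXFRequestData reqData = new CXFRequestData();

        // A WSSConfig supplied on the message overrides the interceptor's own configuration.
        WSSConfig config = (WSSConfig) msg.getContextualProperty(WSSConfig.class.getName());
        final WSSecurityEngine engine;
        if (config != null) {
            engine = new WSSecurityEngine();
            engine.setWssConfig(config);
        } else {
            WSSecurityEngine configured = getSecurityEngine(validateToken);
            engine = configured != null ? configured : new WSSecurityEngine();
            config = engine.getWssConfig();
        }
        reqData.setWssConfig(config);
        reqData.setAudienceRestrictions(SAMLUtils.getAudienceRestrictions(msg, true));

        SOAPMessage doc = getSOAPMessage(msg);
        boolean doDebug = LOG.isLoggable(Level.FINE);
        SoapVersion version = msg.getVersion();
        try {
            reqData.setEncryptionSerializer(new StaxSerializer());
            if (doDebug) {
                LOG.fine("WSS4JInInterceptor: enter handleMessage()");
            }
            try {
                reqData.setMsgContext(msg);
                reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg));
                setAlgorithmSuites(msg, reqData);
                reqData.setCallbackHandler(getCallback(reqData, validateToken));
                computeAction(msg, reqData);
                List<Integer> actions = WSSecurityUtil.decodeAction(getAction(msg, version));

                String actor = (String) getOption("actor");
                if (actor == null) {
                    actor = (String) msg.getContextualProperty(SecurityConstants.ACTOR);
                }
                reqData.setActor(actor);
                configureReplayCaches(reqData, actions, msg);

                // Expose the TLS peer certificates to WSS4J; how they are used is up to its processors.
                TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
                if (tlsInfo != null) {
                    reqData.setTlsCerts(tlsInfo.getPeerCertificates());
                }
                doReceiverAction(actions, reqData);

                // Unless XOP expansion was configured explicitly, follow the MTOM setting.
                if (getString("expandXOPIncludeForSignature", msg) == null
                    && getString("expandXOPInclude", msg) == null) {
                    reqData.setExpandXopInclude(AttachmentUtil.isMtomEnabled(msg));
                }
                // Revocation checking can be enabled by either WSS4J or CXF configuration, never disabled here.
                reqData.setEnableRevocation(reqData.isRevocationEnabled()
                    || PropertyUtils.isTrue(SecurityUtils.getSecurityPropertyValue(
                        org.apache.cxf.rt.security.SecurityConstants.ENABLE_REVOCATION, msg)));

                SOAPBody body = SAAJUtils.getBody(doc);
                if (body != null) {
                    engine.setCallbackLookup(new CXFCallbackLookup(body.getOwnerDocument(), body));
                }

                Element secHeader = (Element) DOMUtils.getDomElement(WSSecurityUtil.getSecurityHeader(
                    doc.getSOAPHeader(), actor, version.getVersion() != 1.1d));
                // Snapshot the header before processing; importNewDomToSAAJ compares against it.
                Node originalHeader = secHeader != null ? secHeader.cloneNode(true) : null;

                WSHandlerResult wsResult = engine.processSecurityHeader(secHeader, reqData);
                importNewDomToSAAJ(doc, secHeader, originalHeader, wsResult);

                Element header = (Element) DOMUtils.getDomElement(SAAJUtils.getHeader(doc));
                Element bodyElement = (Element) DOMUtils.getDomElement(SAAJUtils.getBody(doc));

                List<WSSecurityEngineResult> results = wsResult.getResults();
                if (results != null && !results.isEmpty()) {
                    if (reqData.isEnableSignatureConfirmation()) {
                        checkSignatureConfirmation(reqData, wsResult);
                    }
                    checkActions(msg, results, actions);
                } else if (doc.getSOAPPart().getEnvelope().getBody().hasFault() && isRequestor(msg)) {
                    // Client side only: an unsecured SOAP Fault is accepted with a warning rather than
                    // rejected, so the fault itself reaches the caller.
                    LOG.warning("The request is a SOAP Fault, but it is not secured");
                } else {
                    // No security results: fails unless no actions are required or ignoreActions is set.
                    checkActions(msg, results, actions);
                }
                doResults(msg, actor, header, bodyElement, wsResult, validateToken);

                if (SAAJUtils.getBody(doc) != null) {
                    advanceBody(msg, bodyElement);
                }
                SAAJInInterceptor.replaceHeaders(doc, msg);
                if (doDebug) {
                    LOG.fine("WSS4JInInterceptor: exit handleMessage()");
                }
                msg.put(SECURITY_PROCESSED, Boolean.TRUE);
            } catch (WSSecurityException e) {
                throw WSS4JUtils.createSoapFault(msg, version, e);
            } catch (XMLStreamException e) {
                throw new SoapFault(new org.apache.cxf.common.i18n.Message("STAX_EX", LOG), e, version.getSender());
            } catch (SOAPException e) {
                throw new SoapFault(new org.apache.cxf.common.i18n.Message("SAAJ_EX", LOG), e, version.getSender());
            }
        } catch (InvalidCanonicalizerException e) {
            throw new SoapFault(new org.apache.cxf.common.i18n.Message("SECURITY_FAILED", LOG), e, version.getReceiver());
        }
    }

    /**
     * Java 9+ SAAJ workaround: if WSS4J changed the security header, re-import the rewritten
     * header node into the SAAJ document and re-point the {@link WSDataRef} protected-element
     * references that still target the stale node. Best effort: failures are logged at FINE.
     *
     * @param secHeader      the security header element as processed by WSS4J (may be null)
     * @param originalHeader a deep clone of the header taken before processing (may be null)
     */
    private void importNewDomToSAAJ(SOAPMessage doc, Element secHeader, Node originalHeader, WSHandlerResult wsResult)
        throws SOAPException {
        if (!DOMUtils.isJava9SAAJ() || originalHeader == null || originalHeader.isEqualNode(secHeader)) {
            return; // not needed on this SAAJ, or the header was not modified
        }
        SOAPBody body = SAAJUtils.getBody(doc);
        Document saajDoc = body != null ? body.getOwnerDocument() : null;
        Node staleHeader = null;
        if (secHeader != null && secHeader.getOwnerDocument() != null
            && secHeader.getOwnerDocument().getDocumentElement() != null) {
            // Envelope -> first child -> next sibling -> first child. Assumes the Header is the
            // envelope's second child and the security header is its first child (as in the original).
            staleHeader = secHeader.getOwnerDocument().getDocumentElement()
                .getFirstChild().getNextSibling().getFirstChild();
        }
        if (saajDoc == null || staleHeader == null) {
            return;
        }
        try {
            Node imported = DOMUtils.getDomElement(saajDoc.importNode(staleHeader, true));
            secHeader.getOwnerDocument().getDocumentElement().getFirstChild().getNextSibling()
                .replaceChild(imported, staleHeader);

            Map<Integer, List<WSSecurityEngineResult>> byAction = wsResult.getActionResults();
            // Encryption results, then every kind of signature result.
            rewireProtectedElements(byAction.get(WSConstants.ENCR), staleHeader, (Element) imported);
            List<WSSecurityEngineResult> signedResults = new ArrayList<>();
            for (int action : new int[] {WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED}) {
                if (byAction.containsKey(action)) {
                    signedResults.addAll(byAction.get(action));
                }
            }
            rewireProtectedElements(signedResults, staleHeader, (Element) imported);
        } catch (Exception e) {
            LOG.log(Level.FINE, "Something wrong during importNewDomToSAAJ", e);
        }
    }

    /** Points every data reference of {@code results} that targets {@code stale} at {@code replacement}. */
    private static void rewireProtectedElements(List<WSSecurityEngineResult> results, Node stale, Element replacement) {
        if (results == null) {
            return;
        }
        for (WSSecurityEngineResult result : results) {
            List<WSDataRef> refs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            for (WSDataRef ref : refs) {
                if (ref.getProtectedElement() == stale) {
                    ref.setProtectedElement(replacement);
                }
            }
        }
    }

    /**
     * Verifies that the received security results cover the configured actions (in any order).
     * Skipped entirely when {@code ignoreActions} is set.
     *
     * @throws WSSecurityException with {@code INVALID_SECURITY} on a mismatch
     */
    protected void checkActions(SoapMessage msg, List<WSSecurityEngineResult> results, List<Integer> actions)
        throws WSSecurityException {
        if (this.ignoreActions) {
            return;
        }
        if (!checkReceiverResultsAnyOrder(results, actions)) {
            LOG.warning("Security processing failed (actions mismatch)");
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        // "signatureParts" does not enforce signature coverage on the inbound side; warn so that
        // users do not assume it does.
        if (getProperty(msg, "signatureParts") != null) {
            LOG.warning("To enforce that particular elements were signed you must either use WS-SecurityPolicy, or else use the CryptoCoverageChecker or DefaultCryptoCoverageChecker");
        }
    }

    /** Wires the decryption and signature-verification {@link Crypto} instances from the message properties, if set. */
    protected void computeAction(SoapMessage msg, RequestData reqData) throws WSSecurityException {
        Crypto decCrypto = (Crypto) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.ENCRYPT_CRYPTO, msg);
        if (decCrypto != null) {
            reqData.setDecCrypto(decCrypto);
        }
        Crypto sigVerCrypto = (Crypto) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_CRYPTO, msg);
        if (sigVerCrypto != null) {
            reqData.setSigVerCrypto(sigVerCrypto);
        }
    }

    /**
     * Attaches replay caches to the request data. Each cache is only configured when the
     * corresponding action is present, so e.g. a nonce cache is not consulted unless a
     * UsernameToken action is configured.
     */
    protected void configureReplayCaches(RequestData reqData, List<Integer> actions, SoapMessage msg)
        throws WSSecurityException {
        if (isNonceCacheRequired(actions, msg)) {
            reqData.setNonceReplayCache(getReplayCache(msg,
                SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE));
        }
        if (isTimestampCacheRequired(actions, msg)) {
            reqData.setTimestampReplayCache(getReplayCache(msg,
                SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE));
        }
        if (isSamlCacheRequired(actions, msg)) {
            reqData.setSamlOneTimeUseReplayCache(getReplayCache(msg,
                SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE));
        }
    }

    /** A nonce cache is needed for UsernameToken actions (with or without password). */
    protected boolean isNonceCacheRequired(List<Integer> actions, SoapMessage msg) {
        return actions.contains(WSConstants.UT) || actions.contains(WSConstants.UT_NOPASSWORD);
    }

    /** A timestamp cache is needed when a Timestamp action is configured. */
    protected boolean isTimestampCacheRequired(List<Integer> actions, SoapMessage msg) {
        return actions.contains(WSConstants.TS);
    }

    /** A SAML one-time-use cache is needed for signed or unsigned SAML token actions. */
    protected boolean isSamlCacheRequired(List<Integer> actions, SoapMessage msg) {
        return actions.contains(WSConstants.ST_UNSIGNED) || actions.contains(WSConstants.ST_SIGNED);
    }

    /** Applies the configured algorithm suite constraints to the request data. */
    protected void setAlgorithmSuites(SoapMessage msg, RequestData reqData) throws WSSecurityException {
        super.decodeAlgorithmSuite(reqData);
    }

    /**
     * Records the result on the message under "RECV_RESULTS" (newest first) and creates the
     * security context, using the configured {@link WSS4JSecurityContextCreator} or the default.
     */
    public void doResults(SoapMessage msg, String actor, Element soapHeader, Element soapBody,
                          WSHandlerResult wsResult, boolean utWithCallbacks)
        throws SOAPException, XMLStreamException, WSSecurityException {
        List<WSHandlerResult> results = CastUtils.cast((List<?>) msg.get("RECV_RESULTS"));
        if (results == null) {
            results = new LinkedList<>();
            msg.put("RECV_RESULTS", results);
        }
        results.add(0, wsResult);
        WSS4JSecurityContextCreator creator = (WSS4JSecurityContextCreator) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.SECURITY_CONTEXT_CREATOR, msg);
        if (creator == null) {
            creator = new DefaultWSS4JSecurityContextCreator();
        }
        creator.createSecurityContext(msg, wsResult);
    }

    /**
     * Replaces the message's {@link XMLStreamReader} with one over the (possibly decrypted) Body
     * DOM so downstream interceptors read the processed content. The reader is advanced past its
     * first event, and once more unless that event was END_ELEMENT or nothing follows.
     */
    protected void advanceBody(SoapMessage msg, Node body)
        throws SOAPException, XMLStreamException, WSSecurityException {
        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(body));
        int event = reader.next();
        if (reader.hasNext() && event != XMLStreamReader.END_ELEMENT) {
            reader.next();
        }
        msg.setContent(XMLStreamReader.class, reader);
    }

    /**
     * Resolves the configured WS-Security action string (interceptor option first, then the
     * message). A missing action is an error unless {@code ignoreActions} is set.
     *
     * @throws SoapFault (receiver fault) when no action is configured and actions are not ignored
     */
    private String getAction(SoapMessage msg, SoapVersion version) {
        String action = (String) getOption("action");
        if (action == null) {
            action = (String) msg.get("action");
        }
        if (action == null && !this.ignoreActions) {
            LOG.warning("No security action was defined!");
            throw new SoapFault("No security action was defined!", version.getReceiver());
        }
        return action;
    }

    /**
     * Resolves the callback handler. With token validation enabled, lookup failures propagate;
     * with it disabled, failures are only logged and whatever was found (possibly null) is
     * wrapped in a {@link DelegatingCallbackHandler}.
     */
    protected CallbackHandler getCallback(RequestData reqData, boolean utWithCallbacks) throws WSSecurityException {
        if (utWithCallbacks) {
            try {
                return getCallback(reqData);
            } catch (TokenStoreException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
            }
        }
        CallbackHandler handler = null;
        try {
            handler = getCallback(reqData);
        } catch (Exception e) {
            // Best effort: token validation is disabled, so a missing handler must not fail the request.
            LOG.log(Level.FINE, "Ignoring callback handler lookup failure as token validation is disabled", e);
        }
        return new DelegatingCallbackHandler(handler);
    }

    /**
     * Resolves the callback handler from, in order: the configured callback-handler property,
     * the inherited password callback handler, or a handler built from the signature
     * username/password properties. When the exchange has an endpoint, the result is wrapped
     * in a {@link TokenStoreCallbackHandler}.
     *
     * @throws WSSecurityException with {@code FAILURE} wrapping any failure (including
     *         token-store errors, despite the declared {@link TokenStoreException})
     */
    protected CallbackHandler getCallback(RequestData reqData) throws WSSecurityException, TokenStoreException {
        SoapMessage msg = (SoapMessage) reqData.getMsgContext();
        try {
            CallbackHandler handler = SecurityUtils.getCallbackHandler(SecurityUtils.getSecurityPropertyValue(
                org.apache.cxf.rt.security.SecurityConstants.CALLBACK_HANDLER, msg));
            if (handler == null) {
                try {
                    handler = getPasswordCallbackHandler(reqData);
                } catch (WSSecurityException e) {
                    Endpoint endpoint = msg.getExchange().getEndpoint();
                    if (endpoint == null || endpoint.getEndpointInfo() == null) {
                        throw e;
                    }
                    // No password handler available, but an endpoint exists: token-store lookups only.
                    return new TokenStoreCallbackHandler(null, TokenStoreUtils.getTokenStore(msg));
                }
            }
            if (handler == null) {
                handler = signaturePasswordHandler(msg);
            }
            Endpoint endpoint = msg.getExchange().getEndpoint();
            if (endpoint == null || endpoint.getEndpointInfo() == null) {
                return handler;
            }
            return new TokenStoreCallbackHandler(handler, TokenStoreUtils.getTokenStore(msg));
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    /**
     * Builds a handler that answers DECRYPT-usage password requests for the configured signature
     * username with the configured signature password. Returns null when either property is unset.
     */
    private static CallbackHandler signaturePasswordHandler(SoapMessage msg) {
        final String user = (String) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_USERNAME, msg);
        final String password = (String) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_PASSWORD, msg);
        if (StringUtils.isEmpty(user) || StringUtils.isEmpty(password)) {
            return null;
        }
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (!(callback instanceof WSPasswordCallback)) {
                        continue; // only WSS4J password callbacks are answered here
                    }
                    WSPasswordCallback pc = (WSPasswordCallback) callback;
                    if (WSPasswordCallback.DECRYPT == pc.getUsage() && user.equals(pc.getIdentifier())) {
                        pc.setPassword(password);
                    }
                }
            }
        };
    }

    /**
     * Returns the engine to use, or null to fall back to a default {@link WSSecurityEngine}.
     * <p>
     * With {@code utWithCallbacks == false} (token validation disabled) a fresh configuration with
     * a {@link NoOpValidator} for UsernameTokens is used: tokens are parsed but their credentials
     * are NOT checked by this interceptor. Only use that mode when validation happens elsewhere.
     */
    protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
        if (!utWithCallbacks) {
            WSSConfig config = WSSConfig.getNewInstance();
            config.setValidator(WSConstants.USERNAME_TOKEN, new NoOpValidator());
            WSSecurityEngine engine = new WSSecurityEngine();
            engine.setWssConfig(config);
            return engine;
        }
        if (this.defaultConfig == null) {
            return null;
        }
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(this.defaultConfig);
        return engine;
    }

    /** Looks up (or creates) the replay cache selected by the given enable/instance property keys. */
    protected ReplayCache getReplayCache(SoapMessage msg, String enableKey, String instanceKey)
        throws WSSecurityException {
        return WSS4JUtils.getReplayCache(msg, enableKey, instanceKey);
    }
}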
