package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerResult;

/* loaded from: input_file:lib/cxf-shade-8.0.16.jar:org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.class */
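/**
 * Default {@link WSS4JSecurityContextCreator}: picks one WSS4J processing result from the
 * inbound message and publishes a CXF {@link SecurityContext} built from it.
 *
 * <p>Results are examined in the order given by {@link #getSecurityPriorities()}; the first
 * result that yields a non-null context wins and nothing else is considered. The choice of
 * priorities therefore decides which token type is trusted to name the caller.
 *
 * <p>Two weakly-authenticated token types are ignored unless the deployment opts in:
 * unsigned SAML assertions ({@code ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL}) and
 * UsernameTokens without a password ({@code ENABLE_UT_NOPASSWORD_PRINCIPAL}). Both default
 * to {@code false}. Enabling either one means the principal (and, for SAML, the role claims)
 * comes from data the sender was not required to prove, unless the deployment authenticates
 * the sender by some other means.
 */
public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextCreator {
    // WSS4J action codes used as keys of WSHandlerResult.getActionResults().
    // The values match the corresponding WSConstants fields in WSS4J (UT, SIGN, ST_UNSIGNED,
    // ST_SIGNED, BST, UT_NOPASSWORD); they are repeated here only to avoid bare literals.
    private static final int ACTION_UT = 1;
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_BST = 4096;
    private static final int ACTION_UT_NOPASSWORD = 8192;

    // Claim URI used to look up roles when SAML_ROLE_ATTRIBUTENAME is not configured.
    private static final String DEFAULT_SAML_ROLE_ATTRIBUTE =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";

    private static final List<Integer> DEFAULT_SECURITY_PRIORITIES = new ArrayList<>();

    static {
        // Highest priority first: signed SAML, unsigned SAML, UsernameToken,
        // binary security token, signature, UsernameToken without password.
        DEFAULT_SECURITY_PRIORITIES.add(ACTION_ST_SIGNED);
        DEFAULT_SECURITY_PRIORITIES.add(ACTION_ST_UNSIGNED);
        DEFAULT_SECURITY_PRIORITIES.add(ACTION_UT);
        DEFAULT_SECURITY_PRIORITIES.add(ACTION_BST);
        DEFAULT_SECURITY_PRIORITIES.add(ACTION_SIGN);
        DEFAULT_SECURITY_PRIORITIES.add(ACTION_UT_NOPASSWORD);
    }

    // Per-instance copy, so changes made through the accessors never touch the shared defaults.
    private List<Integer> securityPriorities = new ArrayList<>(DEFAULT_SECURITY_PRIORITIES);

    /**
     * Selects the first usable WSS4J result, in priority order, and stores the resulting
     * {@link SecurityContext} on the message under {@code SecurityContext.class}.
     *
     * <p>If no result produces a context the message is left untouched, i.e. no
     * SecurityContext is set by this method.
     *
     * @param soapMessage     the inbound message; also the source of the security properties
     * @param wSHandlerResult the WSS4J processing results for the message
     */
    @Override
    public void createSecurityContext(SoapMessage soapMessage, WSHandlerResult wSHandlerResult) {
        // Both opt-ins default to false: an unsigned assertion or a password-less
        // UsernameToken must not name the caller unless explicitly allowed.
        boolean allowUnsignedSaml = SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, soapMessage, false);
        boolean allowUtNoPassword = SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, soapMessage, false);

        // An absent SC_FROM_JAAS_SUBJECT property means "true".
        String fromJaasSubject =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SC_FROM_JAAS_SUBJECT, soapMessage);
        boolean useJaasSubject = fromJaasSubject == null || Boolean.parseBoolean(fromJaasSubject);

        Map<Integer, List<WSSecurityEngineResult>> actionResults = wSHandlerResult.getActionResults();
        for (Integer action : this.securityPriorities) {
            int code = action.intValue();
            if (code == ACTION_ST_UNSIGNED && !allowUnsignedSaml) {
                continue;
            }
            if (code == ACTION_UT_NOPASSWORD && !allowUtNoPassword) {
                continue;
            }
            List<WSSecurityEngineResult> results = actionResults.get(action);
            if (results == null || results.isEmpty()) {
                continue;
            }
            for (WSSecurityEngineResult result : results) {
                if (skipResult(action, result)) {
                    continue;
                }
                SecurityContext context = createSecurityContext(soapMessage, useJaasSubject, result);
                if (context != null) {
                    // First match wins; lower-priority results are never consulted.
                    soapMessage.put(SecurityContext.class, context);
                    return;
                }
            }
        }
    }

    /**
     * Decides whether a result should be passed over when looking for a principal.
     *
     * <p>Skipped are: a binary-security-token result whose token is an {@link X509Security}
     * or {@link PKIPathSecurity}, and a signature result that carries neither a public key
     * nor an X.509 certificate.
     */
    private boolean skipResult(Integer num, WSSecurityEngineResult wSSecurityEngineResult) {
        int code = num.intValue();
        if (code == ACTION_BST) {
            Object token = wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            // Certificate-bearing tokens are not used directly.
            // NOTE(review): presumably the matching signature result supplies the principal - confirm.
            if (token instanceof X509Security || token instanceof PKIPathSecurity) {
                return true;
            }
        }
        if (code == ACTION_SIGN) {
            PublicKey publicKey = (PublicKey) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            if (publicKey == null) {
                X509Certificate certificate =
                    (X509Certificate) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                return certificate == null;
            }
        }
        return false;
    }

    /**
     * Builds a {@link SecurityContext} from a single WSS4J result.
     *
     * @param soapMessage            the inbound message, consulted for contextual properties
     * @param z                      whether a JAAS {@link Subject} on the result may be used
     *                               (the SC_FROM_JAAS_SUBJECT setting)
     * @param wSSecurityEngineResult the result to convert
     * @return the context, or {@code null} when the result carries no usable principal
     */
    protected SecurityContext createSecurityContext(SoapMessage soapMessage, boolean z, WSSecurityEngineResult wSSecurityEngineResult) {
        Principal principal = (Principal) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        Subject subject = (Subject) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SUBJECT);

        // Prefer the JAAS Subject when allowed; Kerberos principals fall through to the
        // principal-based paths below even if a Subject is present.
        if (subject != null && !(principal instanceof KerberosPrincipal) && z) {
            String roleClassifier = (String) soapMessage.getContextualProperty(
                org.apache.cxf.ws.security.SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
            if (roleClassifier == null || roleClassifier.isEmpty()) {
                return new DefaultSecurityContext(principal, subject);
            }
            String roleClassifierType = (String) soapMessage.getContextualProperty(
                org.apache.cxf.ws.security.SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
            if (roleClassifierType == null || roleClassifierType.isEmpty()) {
                roleClassifierType = JAASLoginInterceptor.ROLE_CLASSIFIER_PREFIX;
            }
            return new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType);
        }

        if (principal == null) {
            return null;
        }

        // VALIDATE_TOKEN defaults to true. When it is switched off the principal is handed to
        // WSS4JTokenConverter instead.
        // NOTE(review): in that mode the principal placed in the context below has presumably
        // not been validated by WSS4J; confirm that a later interceptor authenticates the
        // converted token before any authorization decision relies on this context.
        if (!MessageUtils.getContextualBoolean(soapMessage, org.apache.cxf.ws.security.SecurityConstants.VALIDATE_TOKEN, true)) {
            WSS4JTokenConverter.convertToken(soapMessage, principal);
        }

        // A transformed token takes precedence over the assertion received on the wire.
        Object token = wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
        if (token == null) {
            token = wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        }

        Object delegationCredential = wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL);
        if (delegationCredential != null) {
            soapMessage.put(org.apache.cxf.ws.security.SecurityConstants.DELEGATED_CREDENTIAL, delegationCredential);
        }

        if (!(token instanceof SamlAssertionWrapper)) {
            return createSecurityContext(principal);
        }

        // Roles are read from the assertion's claims, so they are only as trustworthy as the
        // assertion itself (see the unsigned-assertion opt-in in the class documentation).
        String roleAttributeName =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, soapMessage);
        if (roleAttributeName == null || roleAttributeName.length() == 0) {
            roleAttributeName = DEFAULT_SAML_ROLE_ATTRIBUTE;
        }
        ClaimCollection claims = SAMLUtils.getClaims((SamlAssertionWrapper) token);
        SAMLSecurityContext samlContext =
            new SAMLSecurityContext(principal, SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null), claims);
        samlContext.setIssuer(SAMLUtils.getIssuer(token));
        samlContext.setAssertionElement(SAMLUtils.getAssertionElement(token));
        return samlContext;
    }

    /**
     * Wraps a bare principal in a {@link SecurityContext} that carries no role information.
     *
     * @param principal the authenticated principal to expose
     * @return a context whose {@code isUserInRole} always answers {@code false}
     */
    protected SecurityContext createSecurityContext(final Principal principal) {
        return new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }

            @Override
            public boolean isUserInRole(String str) {
                // No roles are known for a plain principal, so every role check is denied.
                return false;
            }
        };
    }

    /**
     * Returns the live priority list (not a copy); changes to it affect later calls to
     * {@link #createSecurityContext(SoapMessage, WSHandlerResult)}.
     */
    public List<Integer> getSecurityPriorities() {
        return this.securityPriorities;
    }

    /**
     * Replaces the priority list. The list is stored by reference and must not be
     * {@code null}: {@link #createSecurityContext(SoapMessage, WSHandlerResult)} iterates
     * over it without a null check.
     *
     * @param list WSS4J action codes, highest priority first
     */
    public void setSecurityPriorities(List<Integer> list) {
        this.securityPriorities = list;
    }
}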
