package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.Collection;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecuredParts;
import org.apache.wss4j.policy.model.Attachments;
import org.apache.wss4j.policy.model.Header;
import org.hsqldb.Tokens;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/cxf-shade-8.0.16.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/SecuredPartsPolicyValidator.class */
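/**
 * Validates WS-SecurityPolicy SignedParts / EncryptedParts assertions against the
 * signed or encrypted references collected while processing a message.
 *
 * <p>One instance handles a single coverage type (encrypted by default, see
 * {@link #setCoverageType}).
 *
 * <p>Security note: a failed coverage check is reported only through
 * {@link AssertionInfo#setNotAsserted(String)}. This class does not reject the message
 * itself, so enforcement depends on the caller acting on unasserted policies.
 */
public class SecuredPartsPolicyValidator implements SecurityPolicyValidator {
    private CryptoCoverageUtil.CoverageType coverageType = CryptoCoverageUtil.CoverageType.ENCRYPTED;

    /**
     * Reports whether the assertion is a SignedParts (when configured for SIGNED) or an
     * EncryptedParts (any other configuration) assertion in the SP 1.1 or SP 1.2 namespace.
     *
     * @param assertionInfo the assertion holder to inspect
     * @return {@code true} if this validator should handle the assertion; {@code false}
     *         when the holder carries no assertion or the name does not match
     */
    @Override
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        if (assertionInfo.getAssertion() == null) {
            return false;
        }
        Object name = assertionInfo.getAssertion().getName();
        if (this.coverageType == CryptoCoverageUtil.CoverageType.SIGNED) {
            return SP12Constants.SIGNED_PARTS.equals(name) || SP11Constants.SIGNED_PARTS.equals(name);
        }
        return SP12Constants.ENCRYPTED_PARTS.equals(name) || SP11Constants.ENCRYPTED_PARTS.equals(name);
    }

    /**
     * Checks body, header and attachment coverage for every assertion that has not been
     * asserted yet, marking each as asserted or not asserted.
     *
     * <p>When {@link #isTransportBinding} returns {@code true}, no message-level coverage
     * check is performed here at all.
     *
     * @param policyValidatorParameters message, SOAP parts and signed/encrypted references
     * @param collection the SignedParts/EncryptedParts assertions to validate
     */
    @Override
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters, Collection<AssertionInfo> collection) {
        if (isTransportBinding(policyValidatorParameters.getAssertionInfoMap(), policyValidatorParameters.getMessage())) {
            return;
        }
        Message message = policyValidatorParameters.getMessage();
        Element bodyElement = (Element) DOMUtils.getDomElement(policyValidatorParameters.getSoapBody());
        Element headerElement = (Element) DOMUtils.getDomElement(policyValidatorParameters.getSoapHeader());

        final boolean signedMode = this.coverageType == CryptoCoverageUtil.CoverageType.SIGNED;
        // The references to check against come from the list matching the configured coverage type.
        Collection<WSDataRef> coveredRefs = signedMode
            ? policyValidatorParameters.getSigned()
            : policyValidatorParameters.getEncrypted();

        for (AssertionInfo assertionInfo : collection) {
            if (assertionInfo.isAsserted()) {
                continue;
            }
            AbstractSecuredParts securedParts = (AbstractSecuredParts) assertionInfo.getAssertion();
            // Optimistically assert; any failed check below flips it back to not asserted.
            assertionInfo.setAsserted(true);

            if (securedParts.isBody()) {
                try {
                    // Signature must cover the Body element; encryption must cover its content.
                    if (signedMode) {
                        CryptoCoverageUtil.checkBodyCoverage(bodyElement, coveredRefs,
                            CryptoCoverageUtil.CoverageType.SIGNED, CryptoCoverageUtil.CoverageScope.ELEMENT);
                    } else {
                        CryptoCoverageUtil.checkBodyCoverage(bodyElement, coveredRefs,
                            CryptoCoverageUtil.CoverageType.ENCRYPTED, CryptoCoverageUtil.CoverageScope.CONTENT);
                    }
                } catch (WSSecurityException e) {
                    // NOTE(review): the exception detail is dropped here; only the generic
                    // message below survives for whoever diagnoses the policy failure.
                    assertionInfo.setNotAsserted("Soap Body is not " + this.coverageType);
                }
            }

            for (Header header : securedParts.getHeaders()) {
                if (headerElement == null) {
                    // The policy names a header but the message has no SOAP Header at all.
                    assertionInfo.setNotAsserted(headerNotCovered(header));
                    continue;
                }
                try {
                    CryptoCoverageUtil.checkHeaderCoverage(headerElement, coveredRefs, header.getNamespace(),
                        header.getName(), this.coverageType, CryptoCoverageUtil.CoverageScope.ELEMENT);
                } catch (WSSecurityException e) {
                    assertionInfo.setNotAsserted(headerNotCovered(header));
                }
            }

            Attachments attachments = securedParts.getAttachments();
            if (attachments != null) {
                try {
                    CryptoCoverageUtil.CoverageScope scope = attachments.isContentSignatureTransform()
                        ? CryptoCoverageUtil.CoverageScope.CONTENT
                        : CryptoCoverageUtil.CoverageScope.ELEMENT;
                    CryptoCoverageUtil.checkAttachmentsCoverage(message.getAttachments(), coveredRefs,
                        this.coverageType, scope);
                } catch (WSSecurityException e) {
                    assertionInfo.setNotAsserted("An attachment was not signed/encrypted");
                }
            }
        }
    }

    /**
     * Builds the failure text for a header that is missing or not covered.
     *
     * <p>Uses a literal {@code ":"} separator instead of a constant borrowed from an
     * unrelated library. The odd {@code " not + "} wording is kept byte-for-byte in case
     * the text is matched elsewhere.
     */
    private String headerNotCovered(Header header) {
        return header.getNamespace() + ":" + header.getName() + " not + " + this.coverageType;
    }

    /**
     * Decides whether message-level parts validation should be skipped because the
     * exchange is protected at the transport layer.
     *
     * <p>Decision order: a symmetric or asymmetric binding in the policy means "not
     * transport"; an explicit transport binding means "transport"; otherwise the presence
     * of {@link TLSSessionInfo} on the message decides.
     *
     * <p>Security note: in the last case (TLS session present, no binding in the policy)
     * the SignedParts and EncryptedParts assertions of both SP versions are passed to
     * {@code PolicyUtils.assertPolicy} without any inspection of the message, presumably
     * marking them as satisfied. Protection then rests on TLS alone, which covers only the
     * hop that terminates the session; deployments that need end-to-end coverage should
     * declare a message-level binding explicitly.
     *
     * @return {@code true} if parts coverage checks should be skipped
     */
    private boolean isTransportBinding(AssertionInfoMap assertionInfoMap, Message message) {
        boolean messageLevelBinding =
            PolicyUtils.getFirstAssertionByLocalname(assertionInfoMap, SPConstants.SYMMETRIC_BINDING) != null
                || PolicyUtils.getFirstAssertionByLocalname(assertionInfoMap, SPConstants.ASYMMETRIC_BINDING) != null;
        if (messageLevelBinding) {
            return false;
        }
        if (PolicyUtils.getFirstAssertionByLocalname(assertionInfoMap, SPConstants.TRANSPORT_BINDING) != null) {
            return true;
        }
        if (message.get(TLSSessionInfo.class) == null) {
            return false;
        }
        // No binding declared, but the message arrived over TLS: treat the parts policies as met.
        PolicyUtils.assertPolicy(assertionInfoMap, SP12Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(assertionInfoMap, SP11Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(assertionInfoMap, SP12Constants.SIGNED_PARTS);
        PolicyUtils.assertPolicy(assertionInfoMap, SP11Constants.SIGNED_PARTS);
        return true;
    }

    /**
     * @return the coverage type this validator checks for
     */
    public CryptoCoverageUtil.CoverageType getCoverageType() {
        return this.coverageType;
    }

    /**
     * Sets the coverage type to validate.
     *
     * <p>Any value other than {@code SIGNED}, including {@code null}, selects the
     * EncryptedParts handling in {@link #canValidatePolicy} and the encrypted body check.
     *
     * @param coverageType the coverage type to check for
     */
    public void setCoverageType(CryptoCoverageUtil.CoverageType coverageType) {
        this.coverageType = coverageType;
    }
}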
