package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.resource.spi.work.WorkException;
import javax.security.auth.Subject;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.processor.UsernameTokenProcessor;
import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/cxf-shade-8.0.16.jar:org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.class */
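/**
 * Interceptor for the WS-Security {@code wsse:UsernameToken}.
 *
 * <p>Outbound ({@link #addToken}) it builds a UsernameToken from the configured username and
 * password and appends it to the {@code wsse:Security} header. Inbound ({@link #processToken})
 * it walks the security header, hands every UsernameToken to WSS4J for validation (nonce
 * replay cache, password callback, BSP rules) unless {@code SecurityConstants.VALIDATE_TOKEN}
 * is {@code false}, installs a {@link SecurityContext} on the message, records the result in
 * the WSS4J result list and asserts the matching WS-SecurityPolicy assertions.
 *
 * <p>Implementation note: the DOM token class
 * {@code org.apache.wss4j.dom.message.token.UsernameToken} and the policy-model class
 * {@code org.apache.wss4j.policy.model.UsernameToken} share a simple name, so both are
 * referenced fully qualified below.
 */
public class UsernameTokenInterceptor extends AbstractTokenInterceptor {

    /** Role attribute used when {@code SAML_ROLE_ATTRIBUTENAME} is not configured. */
    private static final String DEFAULT_SAML_ROLE_ATTRIBUTE =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";

    /** Context property that lets namespace-qualified password type attributes through. */
    private static final String ALLOW_NS_QUALIFIED_PWD_TYPES = "allowNamespaceQualifiedPasswordTypes";

    /**
     * Inbound entry point: handles every {@code wsse:UsernameToken} child of the
     * {@code wsse:Security} header, in document order. A message without a security header
     * is left untouched.
     *
     * @param message the inbound SOAP message
     * @throws Fault if a token cannot be parsed or validated
     */
    @Override
    protected void processToken(SoapMessage message) {
        Header securityHeader = findSecurityHeader(message, false);
        if (securityHeader == null) {
            return;
        }
        // Defaults to true: credentials are checked by WSS4J unless explicitly disabled.
        boolean validate = MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true);

        for (Element child = DOMUtils.getFirstElement((Element) securityHeader.getObject());
             child != null;
             child = DOMUtils.getNextElement(child)) {
            if (!isUsernameTokenElement(child)) {
                continue;
            }
            try {
                handleUsernameToken(child, message, validate);
            } catch (WSSecurityException | Base64DecodingException e) {
                throw new Fault(e);
            }
        }
    }

    /** True for an element named {@code UsernameToken} in the WS-Security (wsse) namespace. */
    private static boolean isUsernameTokenElement(Element element) {
        return WSConstants.USERNAME_TOKEN_LN.equals(element.getLocalName())
            && WSConstants.WSSE_NS.equals(element.getNamespaceURI());
    }

    /**
     * Processes one UsernameToken element: obtains a principal (validated or merely parsed),
     * installs a {@link SecurityContext} if the message has none yet, and records the result.
     *
     * @param tokenElement the {@code wsse:UsernameToken} element
     * @param message the inbound message
     * @param validate whether to run the token through WSS4J's {@link UsernameTokenProcessor}
     */
    private void handleUsernameToken(Element tokenElement, SoapMessage message, boolean validate)
        throws WSSecurityException, Base64DecodingException {
        boolean bspCompliant = isWsiBSPCompliant(message);
        boolean allowNsQualifiedPwdTypes = allowNamespaceQualifiedPWDTypes(message);

        Principal principal;
        Subject subject = null;
        Object transformedToken = null;
        if (validate) {
            WSSecurityEngineResult result = validateToken(tokenElement, message);
            subject = (Subject) result.get(WSSecurityEngineResult.TAG_SUBJECT);
            transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
            principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            if (principal == null) {
                // The validator produced no principal; fall back to the parsed token.
                principal = parseTokenAndCreatePrincipal(tokenElement, bspCompliant, allowNsQualifiedPwdTypes);
            }
        } else {
            // Validation disabled: the token is only parsed here, not authenticated, and is
            // handed to the token converter for whatever downstream processing it performs.
            principal = parseTokenAndCreatePrincipal(tokenElement, bspCompliant, allowNsQualifiedPwdTypes);
            WSS4JTokenConverter.convertToken(message, principal);
        }

        SecurityContext existing = message.get(SecurityContext.class);
        if (existing == null || existing.getUserPrincipal() == null) {
            if (transformedToken instanceof SamlAssertionWrapper) {
                // A validator may replace the UsernameToken by a SAML assertion.
                message.put(SecurityContext.class,
                            createSecurityContext(message, (SamlAssertionWrapper) transformedToken));
            } else if (subject != null && principal != null) {
                message.put(SecurityContext.class, createSecurityContext(principal, subject));
            } else {
                // No Subject from validation: let the createSubject hook build one.
                UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal) principal;
                String nonce = utPrincipal.getNonce() == null
                    ? null : XMLUtils.encodeToString(utPrincipal.getNonce());
                subject = createSubject(utPrincipal.getName(), utPrincipal.getPassword(),
                                        utPrincipal.isPasswordDigest(), nonce,
                                        utPrincipal.getCreatedTime());
                message.put(SecurityContext.class, createSecurityContext(utPrincipal, subject));
            }
        }

        if (principal instanceof UsernameTokenPrincipal) {
            storeResults((UsernameTokenPrincipal) principal, subject, message);
        }
    }

    /**
     * Builds a {@link SAMLSecurityContext} for a UsernameToken that a validator transformed
     * into a SAML assertion; roles are read from the configured role attribute.
     *
     * @param message the message carrying the security properties
     * @param assertion the transformed SAML assertion
     * @return the SAML-backed security context
     */
    private SecurityContext createSecurityContext(Message message, SamlAssertionWrapper assertion) {
        String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.SAML_ROLE_ATTRIBUTENAME, message);
        if (roleAttributeName == null || roleAttributeName.isEmpty()) {
            roleAttributeName = DEFAULT_SAML_ROLE_ATTRIBUTE;
        }
        ClaimCollection claims = SAMLUtils.getClaims(assertion);
        SAMLSecurityContext context = new SAMLSecurityContext(
            new SAMLTokenPrincipalImpl(assertion),
            SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null),
            claims);
        context.setIssuer(SAMLUtils.getIssuer(assertion));
        context.setAssertionElement(SAMLUtils.getAssertionElement(assertion));
        return context;
    }

    /**
     * Prepends a {@link WSHandlerResult} for the token to the message's WSS4J result list
     * (creating the list if needed) and asserts the UsernameToken policies.
     *
     * @param principal the principal parsed/validated from the token
     * @param subject the Subject to attach to the result, or {@code null}
     * @param message the inbound message
     */
    private void storeResults(UsernameTokenPrincipal principal, Subject subject, SoapMessage message) {
        // Passwordless tokens are recorded under UT_NOPASSWORD (8192) instead of UT (1) so
        // result consumers can tell the two cases apart.
        int action = principal.getPassword() == null ? WSConstants.UT_NOPASSWORD : WSConstants.UT;
        WSSecurityEngineResult result =
            new WSSecurityEngineResult(action, principal, (X509Certificate[]) null, (List) null, (byte[]) null);
        if (subject != null) {
            result.put(WSSecurityEngineResult.TAG_SUBJECT, subject);
        }
        List<WSSecurityEngineResult> results = new ArrayList<>();
        results.add(result);

        List<WSHandlerResult> handlerResults =
            CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null) {
            handlerResults = new ArrayList<>();
            message.put(WSHandlerConstants.RECV_RESULTS, handlerResults);
        }
        handlerResults.add(0, new WSHandlerResult((String) null, results,
                                                  Collections.singletonMap(action, results)));
        assertTokens(message, principal, false);
    }

    /**
     * Validates the token with WSS4J's {@link UsernameTokenProcessor}: password via the
     * configured callback handler, nonce replay cache, BSP enforcement and the policy's
     * {@code NoPassword} allowance.
     *
     * @param tokenElement the {@code wsse:UsernameToken} element
     * @param message the inbound message
     * @return the first engine result produced by the processor
     * @throws WSSecurityException if the request data cannot be set up or the processor
     *         returns no result; a validation failure is instead thrown as the SOAP fault
     *         built by {@code WSS4JUtils.createSoapFault}, which carries the specific
     *         WS-Security fault code and must not be rewrapped as a generic FAILURE
     */
    protected WSSecurityEngineResult validateToken(Element tokenElement, SoapMessage message)
        throws WSSecurityException, Base64DecodingException {
        boolean bspCompliant = isWsiBSPCompliant(message);
        boolean allowNoPassword = isAllowNoPassword(message.get(AssertionInfoMap.class));

        CXFRequestData data = new CXFRequestData();
        try {
            data.setCallbackHandler(SecurityUtils.getCallbackHandler(
                SecurityUtils.getSecurityPropertyValue(
                    org.apache.cxf.rt.security.SecurityConstants.CALLBACK_HANDLER, message)));
            data.setMsgContext(message);
            // Without a nonce cache a captured token could be replayed within its lifetime.
            data.setNonceReplayCache(WSS4JUtils.getReplayCache(
                message, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE));
            data.setAllowUsernameTokenNoPassword(allowNoPassword);
            data.setWssConfig(WSSConfig.getNewInstance());
            if (!bspCompliant) {
                data.setDisableBSPEnforcement(true);
            }
            data.setWsDocInfo(new WSDocInfo(tokenElement.getOwnerDocument()));
        } catch (Exception e) {
            // Setup failures (callback handler lookup, cache creation, ...) become a generic
            // WSSecurityException; the cause is preserved.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }

        List<WSSecurityEngineResult> results;
        try {
            results = new UsernameTokenProcessor().handleToken(tokenElement, data);
        } catch (WSSecurityException e) {
            // Deliberately outside the setup try/catch above so the fault is not swallowed.
            throw WSS4JUtils.createSoapFault(message, message.getVersion(), e);
        }
        if (results == null || results.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
        }
        return results.get(0);
    }

    /**
     * Parses the token element without validating it and copies its fields into a
     * {@link WSUsernameTokenPrincipalImpl}. The nonce is base64-decoded.
     *
     * @param tokenElement the {@code wsse:UsernameToken} element
     * @param bspCompliant whether BSP rules are enforced while parsing
     * @param allowNamespaceQualifiedPasswordTypes whether a namespace-qualified password type
     *        attribute is accepted
     * @return the unvalidated principal
     * @throws WSSecurityException if the element is not a well-formed UsernameToken
     * @throws Base64DecodingException if the nonce is not valid base64
     */
    protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement,
                                                                  boolean bspCompliant,
                                                                  boolean allowNamespaceQualifiedPasswordTypes)
        throws WSSecurityException, Base64DecodingException {
        // The BSPEnforcer flag is the inverse of compliance: true switches enforcement off.
        org.apache.wss4j.dom.message.token.UsernameToken token =
            new org.apache.wss4j.dom.message.token.UsernameToken(
                tokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer(!bspCompliant));
        WSUsernameTokenPrincipalImpl principal =
            new WSUsernameTokenPrincipalImpl(token.getName(), token.isHashed());
        if (token.getNonce() != null) {
            principal.setNonce(XMLUtils.decode(token.getNonce()));
        }
        principal.setPassword(token.getPassword());
        principal.setCreatedTime(token.getCreated());
        principal.setPasswordType(token.getPasswordType());
        return principal;
    }

    /**
     * Reads {@code SecurityConstants.IS_BSP_COMPLIANT}; BSP compliance is on unless the
     * property is explicitly {@code "false"} or {@code "0"}.
     *
     * @param message the message whose contextual properties are consulted
     * @return whether WS-I Basic Security Profile rules are enforced
     */
    protected boolean isWsiBSPCompliant(SoapMessage message) {
        String bspc = (String) message.getContextualProperty(SecurityConstants.IS_BSP_COMPLIANT);
        return !("false".equals(bspc) || "0".equals(bspc));
    }

    /**
     * Reads the {@code allowNamespaceQualifiedPasswordTypes} property; only {@code "true"}
     * or {@code "1"} enables it.
     */
    private boolean allowNamespaceQualifiedPWDTypes(SoapMessage message) {
        String value = (String) message.getContextualProperty(ALLOW_NS_QUALIFIED_PWD_TYPES);
        return "true".equals(value) || "1".equals(value);
    }

    /**
     * True if any UsernameToken policy assertion in the map uses the {@code NoPassword}
     * password type, i.e. the policy permits a token without a password.
     *
     * @param aim the message's assertion map
     * @return whether a passwordless token is acceptable under the policy
     */
    private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, "UsernameToken");
        for (AssertionInfo ai : ais) {
            org.apache.wss4j.policy.model.UsernameToken policy =
                (org.apache.wss4j.policy.model.UsernameToken) ai.getAssertion();
            if (policy.getPasswordType()
                == org.apache.wss4j.policy.model.UsernameToken.PasswordType.NoPassword) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hook creating the security context for a validated principal; the default wraps it in a
     * {@link DefaultSecurityContext}.
     *
     * @param principal the authenticated principal
     * @param subject the Subject to expose, may be {@code null}
     * @return the security context to put on the message
     */
    protected SecurityContext createSecurityContext(Principal principal, Subject subject) {
        return new DefaultSecurityContext(principal, subject);
    }

    /**
     * Hook for subclasses to build a {@link Subject} from the token's credentials; the default
     * returns {@code null}, so no Subject is attached.
     *
     * @param name the username
     * @param password the password as sent (digest or clear text), may be {@code null}
     * @param isDigest whether {@code password} is a digest
     * @param nonce the base64-encoded nonce, or {@code null}
     * @param created the token's Created timestamp, or {@code null}
     * @return a Subject, or {@code null}
     * @throws SecurityException if a subclass rejects the credentials
     */
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        return null;
    }

    /**
     * Outbound policy assertion: marks the UsernameToken-related assertions as asserted and
     * returns the UsernameToken policy assertion to build the token from.
     *
     * <p>The name {@code mo1639assertTokens} is a decompiler rename of the
     * {@code assertTokens(SoapMessage)} override; it is kept so existing callers keep resolving.
     *
     * @param message the outbound message
     * @return the UsernameToken policy assertion
     */
    @Override
    public org.apache.wss4j.policy.model.UsernameToken mo1639assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        PolicyUtils.assertPolicy(aim, "WssUsernameToken10");
        PolicyUtils.assertPolicy(aim, "WssUsernameToken11");
        PolicyUtils.assertPolicy(aim, "HashPassword");
        PolicyUtils.assertPolicy(aim, "NoPassword");
        PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
        PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
        return (org.apache.wss4j.policy.model.UsernameToken) assertTokens(message, "UsernameToken", true);
    }

    /**
     * Inbound policy assertion: checks the received principal against every UsernameToken
     * policy assertion (HashPassword, NoPassword, Created, Nonce) and marks the surrounding
     * supporting-token assertions.
     *
     * @param message the inbound message
     * @param principal the received principal, or {@code null}
     * @param signed whether the token is known to be signed; together with TLS this allows
     *        {@code SignedSupportingTokens} to be asserted
     * @return the last UsernameToken policy assertion seen, or {@code null} if there was none
     */
    private org.apache.wss4j.policy.model.UsernameToken assertTokens(SoapMessage message,
                                                                     UsernameTokenPrincipal principal,
                                                                     boolean signed) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        org.apache.wss4j.policy.model.UsernameToken policy = null;
        for (AssertionInfo ai : PolicyUtils.getAllAssertionsByLocalname(aim, "UsernameToken")) {
            policy = (org.apache.wss4j.policy.model.UsernameToken) ai.getAssertion();
            ai.setAsserted(true);

            boolean hashRequired = policy.getPasswordType()
                == org.apache.wss4j.policy.model.UsernameToken.PasswordType.HashPassword;
            if (!hashRequired || (principal != null && principal.isPasswordDigest())) {
                PolicyUtils.assertPolicy(aim, "HashPassword");
            } else {
                ai.setNotAsserted("Password hashing policy not enforced");
            }

            boolean noPasswordAllowed = policy.getPasswordType()
                == org.apache.wss4j.policy.model.UsernameToken.PasswordType.NoPassword;
            // A non-endorsing supporting token must carry a password unless NoPassword is set.
            if (!noPasswordAllowed && isNonEndorsingSupportingToken(policy)
                && (principal == null || principal.getPassword() == null)) {
                ai.setNotAsserted("Username Token No Password supplied");
            } else {
                PolicyUtils.assertPolicy(aim, "NoPassword");
            }

            if (policy.isCreated() && (principal == null || principal.getCreatedTime() == null)) {
                ai.setNotAsserted("No Created Time");
            } else {
                PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
            }

            // Null-guarded like the Created check above.
            if (policy.isNonce() && (principal == null || principal.getNonce() == null)) {
                ai.setNotAsserted("No Nonce");
            } else {
                PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
            }
        }
        PolicyUtils.assertPolicy(aim, "WssUsernameToken10");
        PolicyUtils.assertPolicy(aim, "WssUsernameToken11");
        PolicyUtils.assertPolicy(aim, "SupportingTokens");
        if (signed || isTLSInUse(message)) {
            PolicyUtils.assertPolicy(aim, "SignedSupportingTokens");
        }
        return policy;
    }

    /**
     * True unless the token's parent assertion is an endorsing {@link SupportingTokens}
     * assertion (a token with no parent counts as non-endorsing).
     */
    private boolean isNonEndorsingSupportingToken(org.apache.wss4j.policy.model.UsernameToken policy) {
        Object parent = policy.getParentAssertion();
        return !(parent instanceof SupportingTokens && ((SupportingTokens) parent).isEndorsing());
    }

    /**
     * Outbound entry point: builds the UsernameToken and appends it to the security header.
     * If no token can be built the UsernameToken assertions asserted beforehand are reset so
     * the policy failure is reported.
     *
     * @param message the outbound message
     */
    @Override
    protected void addToken(SoapMessage message) {
        org.apache.wss4j.policy.model.UsernameToken policy = mo1639assertTokens(message);
        Element securityHeader = (Element) findSecurityHeader(message, true).getObject();
        WSSecUsernameToken builder = addUsernameToken(message, securityHeader.getOwnerDocument(), policy);
        if (builder != null) {
            builder.prepare();
            securityHeader.appendChild(builder.getUsernameTokenElement());
            return;
        }
        for (AssertionInfo ai
             : PolicyUtils.getAllAssertionsByLocalname(message.get(AssertionInfoMap.class), "UsernameToken")) {
            if (ai.isAsserted()) {
                ai.setAsserted(false);
            }
        }
    }

    /**
     * Builds the outbound UsernameToken from the {@code USERNAME}/{@code PASSWORD} security
     * properties (the password may also come from the password callback). Honours the policy's
     * password type (NoPassword, HashPassword → digest, otherwise clear text) and its Created /
     * Nonce requirements.
     *
     * @param message the outbound message
     * @param doc the document the token element is created in
     * @param policy the UsernameToken policy assertion
     * @return the prepared builder, or {@code null} if no username or password is available
     *         (the policy is then marked not asserted)
     */
    protected WSSecUsernameToken addUsernameToken(SoapMessage message, Document doc,
                                                  org.apache.wss4j.policy.model.UsernameToken policy) {
        String userName = (String) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.USERNAME, message);
        WSSConfig wssConfig = (WSSConfig) message.getContextualProperty(WSSConfig.class.getName());
        if (wssConfig == null) {
            wssConfig = WSSConfig.getNewInstance();
        }
        if (StringUtils.isEmpty(userName)) {
            policyNotAsserted(policy, "No username available", message);
            return null;
        }

        if (policy.getPasswordType()
            == org.apache.wss4j.policy.model.UsernameToken.PasswordType.NoPassword) {
            WSSecUsernameToken builder = new WSSecUsernameToken(doc);
            builder.setIdAllocator(wssConfig.getIdAllocator());
            builder.setWsTimeSource(wssConfig.getCurrentTime());
            builder.setUserInfo(userName, (String) null);
            builder.setPasswordType((String) null);
            return builder;
        }

        String password = (String) SecurityUtils.getSecurityPropertyValue(
            org.apache.cxf.rt.security.SecurityConstants.PASSWORD, message);
        if (StringUtils.isEmpty(password)) {
            password = getPassword(userName, policy, WSPasswordCallback.USERNAME_TOKEN, message);
        }
        if (StringUtils.isEmpty(password)) {
            // The username was found above; it is the password that is missing.
            policyNotAsserted(policy, "No password available", message);
            return null;
        }

        WSSecUsernameToken builder = new WSSecUsernameToken(doc);
        builder.setIdAllocator(wssConfig.getIdAllocator());
        builder.setWsTimeSource(wssConfig.getCurrentTime());
        boolean digest = policy.getPasswordType()
            == org.apache.wss4j.policy.model.UsernameToken.PasswordType.HashPassword;
        builder.setPasswordType(digest ? WSConstants.PASSWORD_DIGEST : WSConstants.PASSWORD_TEXT);
        if (policy.isCreated()) {
            builder.addCreated();
        }
        if (policy.isNonce()) {
            builder.addNonce();
        }
        builder.setUserInfo(userName, password);
        return builder;
    }
}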
