package com.ibm.ws.wssecurity.cxf.interceptor;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.wssecurity.cxf.validator.UsernameTokenValidator;
import com.ibm.ws.wssecurity.cxf.validator.Utils;
import com.ibm.ws.wssecurity.cxf.validator.WssSamlAssertionValidator;
import com.ibm.ws.wssecurity.internal.WSSecurityConstants;
import com.ibm.ws.wssecurity.signature.SignatureAlgorithms;
import com.ibm.wsspi.kernel.service.utils.SerializableProtectedString;
import io.openliberty.wssecurity.WSSecurityFeatureHelper;
import java.net.URL;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.common.util.PropertyUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.security.cache.CXFEHCacheReplayCache;
import org.apache.cxf.ws.security.tokenstore.EHCacheTokenStore;
import org.apache.cxf.ws.security.tokenstore.MemoryTokenStoreFactory;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.wss4j.common.cache.MemoryReplayCache;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.cache.WSS4JCacheUtil;

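/**
 * Liberty-side bridge between server.xml WS-Security configuration and the CXF/WSS4J
 * interceptor chain.
 *
 * <p>The interceptor runs in the {@code pre-protocol} phase, ahead of
 * {@link PolicyBasedWSS4JInInterceptor} and {@link PolicyBasedWSS4JOutInterceptor}, and copies
 * the statically registered provider/client binding configuration onto each
 * {@link SoapMessage} as contextual properties so that the WSS4J interceptors pick them up.
 * On the provider side it also installs the Liberty username-token and SAML validators and
 * wires the optional ehcache-backed nonce/timestamp/SAML replay caches and token store.
 *
 * <p>Thread-safety: the configuration maps are populated from the configuration thread via
 * the static {@code set*Configuration} methods and read from request threads in
 * {@link #handleMessage(SoapMessage)}. Every read takes a snapshot under the map's own
 * monitor, as {@link Collections#synchronizedMap(Map)} requires for iteration, so a concurrent
 * configuration update can no longer cause a {@link java.util.ConcurrentModificationException}
 * or a half-applied configuration on a message.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/wssecurity/cxf/interceptor/WSSecurityLibertyPluginInterceptor.class */
public class WSSecurityLibertyPluginInterceptor extends AbstractSoapInterceptor {
    /** Key inside a signature-properties map naming the algorithm handed to {@link SignatureAlgorithms}. */
    private static final String SIGNATURE_METHOD = "signatureAlgorithm";
    static final long serialVersionUID = -5524650242869391722L;

    // CXF property names this interceptor recognises (both the legacy "ws-security." and the
    // newer "security." spellings are accepted for the signature/encryption property maps).
    private static final String SIG_PROPS = "security.signature.properties";
    private static final String CXF_SIG_PROPS = "ws-security.signature.properties";
    private static final String ENC_PROPS = "security.encryption.properties";
    private static final String CXF_ENC_PROPS = "ws-security.encryption.properties";
    private static final String UT_VALIDATOR = "ws-security.ut.validator";
    private static final String SAML2_VALIDATOR = "ws-security.saml2.validator";
    private static final String VALIDATE_AUDIENCE_RESTRICTION = "security.validate.audience-restriction";
    private static final String TOKEN_STORE_KEY = "org.apache.cxf.ws.security.tokenstore.TokenStore";
    private static final String CACHE_IDENTIFIER = "ws-security.cache.identifier";
    private static final String NONCE_CACHE_ENABLED = "ws-security.enable.nonce.cache";
    private static final String TIMESTAMP_CACHE_ENABLED = "ws-security.enable.timestamp.cache";
    private static final String SAML_CACHE_ENABLED = "ws-security.enable.saml.cache";
    private static final String NONCE_CACHE_INSTANCE = "ws-security.nonce.cache.instance";
    private static final String TIMESTAMP_CACHE_INSTANCE = "ws-security.timestamp.cache.instance";
    private static final String SAML_CACHE_INSTANCE = "ws-security.saml.cache.instance";
    /** Prefix under which the feature helper stages the old ehcache2 configuration on the message. */
    private static final String LIBERTY_PREFIX = "liberty:";

    private static final Map<String, Object> providerConfigMap = Collections.synchronizedMap(new HashMap<>());
    private static final Map<String, Object> clientConfigMap = Collections.synchronizedMap(new HashMap<>());
    private static final TraceComponent tc = Tr.register(WSSecurityLibertyPluginInterceptor.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");
    // Written by the configuration thread, read by request threads: volatile for visibility.
    private static volatile Map<String, Object> samlTokenConfigMap = null;
    // Set when the signature configuration is replaced; cleared once a message has been
    // processed with the new properties. The cached Crypto is reset on every such message
    // regardless, so the flags are informational only.
    private static volatile boolean signatureConfigChanged = false;
    private static volatile boolean clientSignatureConfigChanged = false;

    /** Registers the interceptor in the pre-protocol phase, ahead of both WSS4J policy interceptors. */
    public WSSecurityLibertyPluginInterceptor() {
        super("pre-protocol");
        addBefore(PolicyBasedWSS4JInInterceptor.class.getName());
        addBefore(PolicyBasedWSS4JOutInterceptor.class.getName());
    }

    /**
     * Replaces the provider-side (inbound) binding configuration.
     *
     * @param map new configuration; {@code null} clears the current configuration
     */
    public static void setBindingsConfiguration(Map<String, Object> map) {
        signatureConfigChanged = true;
        replaceConfig(providerConfigMap, map);
    }

    /**
     * Replaces the client-side (outbound) binding configuration.
     *
     * @param map new configuration; {@code null} clears the current configuration
     */
    public static void setClientBindingsConfiguration(Map<String, Object> map) {
        clientSignatureConfigChanged = true;
        replaceConfig(clientConfigMap, map);
    }

    /**
     * Sets the SAML token configuration handed to each {@link WssSamlAssertionValidator}.
     *
     * @param map SAML configuration, may be {@code null}
     */
    public static void setSamlTokenConfiguration(Map<String, Object> map) {
        samlTokenConfigMap = map;
    }

    /**
     * Applies the registered configuration to the message, choosing the provider or client
     * path by {@link MessageUtils#isRequestor(org.apache.cxf.message.Message)}.
     *
     * @param soapMessage the message being processed; ignored when {@code null}
     * @throws Fault never thrown directly by this implementation
     */
    public void handleMessage(@Sensitive SoapMessage soapMessage) throws Fault {
        if (soapMessage == null) {
            return;
        }
        if (MessageUtils.isRequestor(soapMessage)) {
            configureClientMessage(soapMessage);
        } else {
            configureProviderMessage(soapMessage);
        }
    }

    /** Atomically replaces the contents of a synchronized configuration map. */
    private static void replaceConfig(Map<String, Object> target, Map<String, Object> source) {
        synchronized (target) {
            target.clear();
            if (source != null) {
                target.putAll(source);
            }
        }
    }

    /** Copies a synchronized configuration map under its monitor so it can be iterated safely. */
    private static Map<String, Object> snapshot(Map<String, Object> source) {
        synchronized (source) {
            return new HashMap<>(source);
        }
    }

    private static boolean isDebugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    private static boolean isSignaturePropertiesKey(String key) {
        return CXF_SIG_PROPS.equals(key) || SIG_PROPS.equals(key);
    }

    private static boolean isEncryptionPropertiesKey(String key) {
        return CXF_ENC_PROPS.equals(key) || ENC_PROPS.equals(key);
    }

    private static boolean isPasswordKey(String key) {
        return WSSecurityConstants.CXF_USER_PASSWORD.equals(key) || WSSecurityConstants.SEC_USER_PASSWORD.equals(key);
    }

    /** Returns the map stored under {@code primaryKey}, falling back to {@code fallbackKey}. */
    @SuppressWarnings("rawtypes")
    private static Map lookupPropertiesMap(Map<String, Object> config, String primaryKey, String fallbackKey) {
        Map found = (Map) config.get(primaryKey);
        return found != null ? found : (Map) config.get(fallbackKey);
    }

    /**
     * Builds the {@link Properties} WSS4J expects from a configured signature/encryption map.
     * The copy is first adjusted by {@link Utils#modifyConfigMap} (its semantics are not
     * visible here); the caller's map is left untouched.
     */
    @SuppressWarnings({ "rawtypes", "unchecked" })
    private static Properties toProperties(Map config) {
        HashMap adjusted = new HashMap(config);
        Utils.modifyConfigMap(adjusted);
        Properties properties = new Properties();
        properties.putAll(adjusted);
        return properties;
    }

    /**
     * Installs the configured signature properties under {@code key}, resets the cached
     * Crypto so WSS4J rebuilds it from the new properties, and applies the configured
     * signature algorithm. No-op when no signature map is configured.
     */
    private static void applySignatureProperties(@Sensitive SoapMessage soapMessage, String key, Map<String, Object> config, boolean clientSide) {
        Map sigConfig = lookupPropertiesMap(config, SIG_PROPS, CXF_SIG_PROPS);
        if (sigConfig == null) {
            return;
        }
        soapMessage.setContextualProperty(key, toProperties(sigConfig));
        if (clientSide) {
            clientSignatureConfigChanged = false;
        } else {
            signatureConfigChanged = false;
        }
        // Always drop a previously cached Crypto: a stale one would keep signing/verifying
        // with keystore settings that the configuration just replaced.
        soapMessage.setContextualProperty(WSSecurityConstants.SEC_SIG_CRYPTO, (Object) null);
        // The algorithm is read from the original map, not the adjusted copy.
        SignatureAlgorithms.setAlgorithm(soapMessage, (String) sigConfig.get(SIGNATURE_METHOD));
    }

    /** Installs the configured encryption properties under {@code key}, if any are configured. */
    private static void applyEncryptionProperties(@Sensitive SoapMessage soapMessage, String key, Map<String, Object> config) {
        Map encConfig = lookupPropertiesMap(config, ENC_PROPS, CXF_ENC_PROPS);
        if (encConfig != null) {
            soapMessage.setContextualProperty(key, toProperties(encConfig));
        }
    }

    /** Provider (inbound) path: validators, audience-restriction switch and provider config. */
    private void configureProviderMessage(@Sensitive SoapMessage soapMessage) {
        if (isDebugEnabled()) {
            Tr.debug(tc, "provider side message = ", soapMessage);
        }
        if (soapMessage.getContextualProperty(UT_VALIDATOR) == null) {
            soapMessage.put(UT_VALIDATOR, new UsernameTokenValidator());
        }
        if (soapMessage.getContextualProperty(SAML2_VALIDATOR) == null) {
            Map<String, Object> samlConfig = samlTokenConfigMap; // single read of the volatile
            soapMessage.put(SAML2_VALIDATOR, new WssSamlAssertionValidator(samlConfig));
            if (samlConfig != null) {
                String[] audiences = (String[]) samlConfig.get(WSSecurityConstants.KEY_audienceRestrictions);
                // With no audience restriction configured, CXF's own audience check would
                // reject every assertion, so it is switched off for this message.
                if (audiences == null || audiences.length < 1) {
                    if (isDebugEnabled()) {
                        Tr.debug(tc, "set audience restriction validation to false");
                    }
                    soapMessage.put(VALIDATE_AUDIENCE_RESTRICTION, false);
                }
            }
        }
        Map<String, Object> config = snapshot(providerConfigMap);
        for (Map.Entry<String, Object> entry : config.entrySet()) {
            String key = entry.getKey();
            if (isSignaturePropertiesKey(key) && soapMessage.getContextualProperty(SIG_PROPS) == null) {
                applySignatureProperties(soapMessage, key, config, false);
            } else if (isEncryptionPropertiesKey(key) && soapMessage.getContextualProperty(ENC_PROPS) == null) {
                applyEncryptionProperties(soapMessage, key, config);
            } else if (WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE.equals(key)) {
                handleehcacheconfigfile(config, soapMessage);
            } else {
                // Also reached for the signature/encryption keys when the message already
                // carries the corresponding "security.*" property; the configured value is
                // then stored under the key as-is (kept from the original code, intent unclear).
                soapMessage.setContextualProperty(key, entry.getValue());
            }
            if (isDebugEnabled()) {
                Tr.debug(tc, "Provider Config attribute is set on message = ", key, ", value = ", entry.getValue());
            }
        }
    }

    /** Client (outbound) path: copies the client config without overriding message-level values. */
    private void configureClientMessage(@Sensitive SoapMessage soapMessage) {
        if (isDebugEnabled()) {
            Tr.debug(tc, "client side message = ", soapMessage);
        }
        // A username set programmatically on the message wins over the configured
        // credentials, so the configured password is only applied when none is present.
        boolean userNameOnMessage = soapMessage.getContextualProperty(WSSecurityConstants.CXF_USER_NAME) != null
                || soapMessage.getContextualProperty(WSSecurityConstants.SEC_USER_NAME) != null;
        Map<String, Object> config = snapshot(clientConfigMap);
        for (Map.Entry<String, Object> entry : config.entrySet()) {
            String key = entry.getKey();
            if (soapMessage.getContextualProperty(key) == null) {
                if (isSignaturePropertiesKey(key) && soapMessage.getContextualProperty(SIG_PROPS) == null) {
                    applySignatureProperties(soapMessage, key, config, true);
                } else if (isEncryptionPropertiesKey(key) && soapMessage.getContextualProperty(ENC_PROPS) == null) {
                    applyEncryptionProperties(soapMessage, key, config);
                } else if (!isPasswordKey(key)) {
                    soapMessage.setContextualProperty(key, entry.getValue());
                } else if (!userNameOnMessage) {
                    soapMessage.setContextualProperty(key, configuredPassword(config));
                }
                if (isDebugEnabled()) {
                    // Logs the configured object; for password keys that is the
                    // SerializableProtectedString, not the converted String (assumed to
                    // mask itself in toString — confirm).
                    Tr.debug(tc, "Client Config attribute is set on message = ", key, ", value = ", entry.getValue());
                }
            }
            ensureDefaultSamlCallbackHandler(soapMessage);
        }
    }

    /**
     * Converts the configured password to the plain {@link String} CXF expects, preferring
     * the "security." key over the legacy "ws-security." key.
     *
     * @return the password, or {@code null} when neither key is configured
     */
    private static String configuredPassword(Map<String, Object> config) {
        Object secPassword = config.get(WSSecurityConstants.SEC_USER_PASSWORD);
        if (secPassword != null) {
            return Utils.changePasswordType((SerializableProtectedString) secPassword);
        }
        Object cxfPassword = config.get(WSSecurityConstants.CXF_USER_PASSWORD);
        if (cxfPassword != null) {
            return Utils.changePasswordType((SerializableProtectedString) cxfPassword);
        }
        return null;
    }

    /**
     * Sets the default SAML callback handler when none is configured on the message.
     * NOTE(review): this is evaluated once per client config key, as in the original, so it
     * only runs when the client configuration is non-empty — looks unintended, confirm.
     */
    private static void ensureDefaultSamlCallbackHandler(@Sensitive SoapMessage soapMessage) {
        String handler = (String) soapMessage.getContextualProperty(WSSecurityConstants.CXF_SAML_CALLBACK_HANDLER);
        if (handler == null || handler.isEmpty()) {
            soapMessage.setContextualProperty(WSSecurityConstants.CXF_SAML_CALLBACK_HANDLER, WSSecurityConstants.DEFAULT_SAML_CALLBACK_HANDLER);
        }
    }

    /**
     * Wires the ehcache-backed replay caches and token store from the configured cache
     * config file. Requires the WS-Security feature helper service; otherwise the property is
     * ignored. Best-effort: any failure is traced and the config-file property is left on the
     * message for CXF to handle, so a failure here never rejects the request by itself.
     *
     * @param map         snapshot of the provider configuration
     * @param soapMessage the inbound message
     */
    @FFDCIgnore({Exception.class})
    private void handleehcacheconfigfile(Map<String, Object> map, @Sensitive SoapMessage soapMessage) {
        WSSecurityFeatureHelper helper = new WSSecurityFeatureHelper();
        if (!helper.isWSSecurityFeatureHelperServiceActive()) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Ignoring cache file configuration property, this is not supported : ", WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE);
            }
            return;
        }
        Object configFile = map.get(WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE);
        try {
            boolean nonceCacheEnabled = isWSS4JCacheEnabled(NONCE_CACHE_ENABLED, soapMessage);
            boolean timestampCacheEnabled = isWSS4JCacheEnabled(TIMESTAMP_CACHE_ENABLED, soapMessage);
            boolean samlCacheEnabled = isWSS4JCacheEnabled(SAML_CACHE_ENABLED, soapMessage);
            if (isDebugEnabled()) {
                Tr.debug(tc, "are caches enabled? (nonce, timestamp, saml one time use) : ", Boolean.valueOf(nonceCacheEnabled), Boolean.valueOf(timestampCacheEnabled), Boolean.valueOf(samlCacheEnabled));
                Tr.debug(tc, "setting up cache config file property on the message : ", WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE);
                Tr.debug(tc, "cache config file : ", configFile);
            }
            soapMessage.setContextualProperty(WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE, configFile);
            URL configFileURL = SecurityUtils.getConfigFileURL(soapMessage, WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE, (String) null);
            if (configFileURL == null) {
                return;
            }
            if (nonceCacheEnabled && !ehcacheinstanceavailable(NONCE_CACHE_INSTANCE, soapMessage)) {
                if (isDebugEnabled()) {
                    Tr.debug(tc, "try creating nonce cache using oldconfig ");
                }
                helper.handleEhcache2Mapping(NONCE_CACHE_INSTANCE, configFileURL, soapMessage);
                createwss4jcacheinstance(NONCE_CACHE_INSTANCE, soapMessage);
            }
            if (timestampCacheEnabled && !ehcacheinstanceavailable(TIMESTAMP_CACHE_INSTANCE, soapMessage)) {
                helper.handleEhcache2Mapping(TIMESTAMP_CACHE_INSTANCE, configFileURL, soapMessage);
                createwss4jcacheinstance(TIMESTAMP_CACHE_INSTANCE, soapMessage);
            }
            if (samlCacheEnabled && !ehcacheinstanceavailable(SAML_CACHE_INSTANCE, soapMessage)) {
                helper.handleEhcache2Mapping(SAML_CACHE_INSTANCE, configFileURL, soapMessage);
                createwss4jcacheinstance(SAML_CACHE_INSTANCE, soapMessage);
            }
            if (!ehcacheinstanceavailable(TOKEN_STORE_KEY, soapMessage)) {
                // An optional identifier keeps token stores of different endpoints apart.
                String identifier = (String) map.get(CACHE_IDENTIFIER);
                String storeKey = identifier != null ? TOKEN_STORE_KEY + '-' + identifier : TOKEN_STORE_KEY;
                helper.handleEhcache2Mapping(storeKey, configFileURL, soapMessage);
                createtokenstorecacheinstance(storeKey, soapMessage);
            }
        } catch (Exception e) {
            // Deliberately not propagated (see @FFDCIgnore); trace it so a silently missing
            // replay cache can be diagnosed.
            if (isDebugEnabled()) {
                Tr.debug(tc, "cache setup from the config file failed, leaving the config file property on the message : ", e);
            }
            soapMessage.setContextualProperty(WSSecurityConstants.CXF_NONCE_CACHE_CONFIG_FILE, configFile);
        }
    }

    /** Traces the staged ehcache2 settings; values are printed as-is, so a missing entry shows as "null". */
    private static void traceOldCacheConfig(String libertyKey, Map<?, ?> oldConfig) {
        if (!isDebugEnabled()) {
            return;
        }
        Tr.debug(tc, "getting the old config from the message, key =  " + libertyKey + ", disk store path = " + oldConfig.get("getDiskStorePath") + ", ttl = " + oldConfig.get("getTimeToLiveSeconds") + ", tti = " + oldConfig.get("getTimeToIdleSeconds"));
        Tr.debug(tc, "getting the old config from the message, heap =  " + oldConfig.get("getMaxEntriesLocalHeap") + ", disk elements = " + oldConfig.get("getMaxElementsOnDisk") + ", disk bytes? = " + oldConfig.get("getMaxBytesLocalDisk") + ", overflow to disk = " + oldConfig.get("isOverflowToDisk"));
    }

    /**
     * Scopes a cache key to the endpoint by appending the hash of the endpoint name
     * ({@code key-123} / {@code key-456} for a negative hash, the sign doubling as separator).
     */
    private static String endpointScopedKey(String base, EndpointInfo endpointInfo) {
        if (endpointInfo.getName() == null) {
            return base;
        }
        int hash = endpointInfo.getName().toString().hashCode();
        return hash < 0 ? base + hash : base + "-" + hash;
    }

    /**
     * Creates the endpoint's {@link TokenStore} from the ehcache2 settings the feature helper
     * staged under {@code "liberty:" + cacheKey}, unless one already exists on the message or
     * the endpoint. The staged settings are removed from the message afterwards.
     *
     * @param cacheKey    token store key (optionally suffixed with the cache identifier)
     * @param soapMessage the inbound message
     * @throws Exception propagated from the token store constructors
     */
    @SuppressWarnings("rawtypes")
    private void createtokenstorecacheinstance(String cacheKey, @Sensitive SoapMessage soapMessage) throws Exception {
        String libertyKey = LIBERTY_PREFIX.concat(cacheKey);
        Object staged = soapMessage.getContextualProperty(libertyKey);
        if (staged == null) {
            return;
        }
        HashMap oldConfig = (HashMap) staged;
        traceOldCacheConfig(libertyKey, oldConfig);
        EndpointInfo endpointInfo = soapMessage.getExchange().getEndpoint().getEndpointInfo();
        // The endpoint info is the shared creation lock, as in CXF's own token store setup.
        synchronized (endpointInfo) {
            TokenStore existing = (TokenStore) soapMessage.getContextualProperty(TOKEN_STORE_KEY);
            if (existing == null) {
                existing = (TokenStore) endpointInfo.getProperty(TOKEN_STORE_KEY);
            }
            if (existing == null) {
                String storeKey = endpointScopedKey(cacheKey, endpointInfo);
                TokenStore created = TokenStoreFactory.isEhCacheInstalled()
                        ? new EHCacheTokenStore(storeKey, soapMessage.getExchange().getBus(), oldConfig)
                        : new MemoryTokenStoreFactory().newTokenStore(storeKey, soapMessage);
                endpointInfo.setProperty(TOKEN_STORE_KEY, created);
            }
        }
        soapMessage.remove(libertyKey);
    }

    /**
     * Creates the endpoint's {@link ReplayCache} for {@code cacheKey} (nonce, timestamp or
     * SAML one-time-use) from the staged ehcache2 settings, unless one already exists on the
     * message or the endpoint. Falls back to an in-memory cache when ehcache is not installed.
     * The staged settings are removed from the message afterwards.
     *
     * @param cacheKey    the CXF cache instance property name
     * @param soapMessage the inbound message
     * @throws Exception propagated from cache construction (e.g. an unusable disk store path)
     */
    @SuppressWarnings("rawtypes")
    private void createwss4jcacheinstance(String cacheKey, @Sensitive SoapMessage soapMessage) throws Exception {
        String libertyKey = LIBERTY_PREFIX.concat(cacheKey);
        Object staged = soapMessage.getContextualProperty(libertyKey);
        if (staged == null) {
            return;
        }
        HashMap oldConfig = (HashMap) staged;
        traceOldCacheConfig(libertyKey, oldConfig);
        ReplayCache onMessage = (ReplayCache) soapMessage.getContextualProperty(cacheKey);
        Endpoint endpoint = soapMessage.getExchange().getEndpoint();
        if (onMessage == null && endpoint != null && endpoint.getEndpointInfo() != null) {
            EndpointInfo endpointInfo = endpoint.getEndpointInfo();
            synchronized (endpointInfo) {
                if (endpointInfo.getProperty(cacheKey) == null) {
                    String replayKey = endpointScopedKey(cacheKey, endpointInfo);
                    if (isDebugEnabled()) {
                        Tr.debug(tc, "creating new cache using oldconfig, cache key =  ", replayKey);
                    }
                    ReplayCache created;
                    if (WSS4JCacheUtil.isEhCacheInstalled()) {
                        created = new CXFEHCacheReplayCache(replayKey, soapMessage.getExchange().getBus(), Paths.get((String) oldConfig.get("getDiskStorePath")), oldConfig);
                    } else {
                        created = new MemoryReplayCache();
                    }
                    endpointInfo.setProperty(cacheKey, created);
                }
            }
        }
        soapMessage.remove(libertyKey);
    }

    /**
     * Whether the named WSS4J cache is enabled for this message: an explicit property decides;
     * absent that, caches are on for providers and off for requestors.
     */
    private boolean isWSS4JCacheEnabled(String propertyName, @Sensitive SoapMessage soapMessage) {
        Object configured = soapMessage.getContextualProperty(propertyName);
        if (configured != null) {
            return PropertyUtils.isTrue(configured);
        }
        return !MessageUtils.isRequestor(soapMessage);
    }

    /** Whether a cache/token store instance is already present on the message or its endpoint. */
    private boolean ehcacheinstanceavailable(String propertyName, @Sensitive SoapMessage soapMessage) {
        if (soapMessage.getContextualProperty(propertyName) != null) {
            return true;
        }
        Endpoint endpoint = soapMessage.getExchange().getEndpoint();
        if (endpoint == null || endpoint.getEndpointInfo() == null) {
            return false;
        }
        EndpointInfo endpointInfo = endpoint.getEndpointInfo();
        synchronized (endpointInfo) {
            return endpointInfo.getProperty(propertyName) != null;
        }
    }
}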
