package com.ibm.ws.wssecurity.cxf.interceptor;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.wssecurity.WSSecurityPolicyException;
import com.ibm.ws.wssecurity.cxf.validator.Utils;
import com.ibm.ws.wssecurity.internal.WSSecurityConstants;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.dom.processor.UsernameTokenProcessor;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

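/**
 * Liberty-specific WS-SecurityPolicy {@code UsernameToken} interceptor built on the CXF/WSS4J
 * base class.
 *
 * <p>Inbound, {@link #validateToken} runs the WSS4J {@link UsernameTokenProcessor} with a
 * {@link RequestData} wired to the Liberty callback handler, the nonce replay cache and the
 * configured time-to-live settings, then {@link #checkTokens} verifies that every received token
 * matches the {@code UsernameToken} policy assertion (password hashing, no-password, Created,
 * Nonce). Outbound, {@link #addUsernameToken} builds the token from the configured username and
 * password.
 *
 * <p>Trace and FFDC support is injected at build time ({@code @InjectedFFDC},
 * {@code @TraceObjectField}); the FFDC probe ids used at the call sites are preserved as-is.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class UsernameTokenInterceptor extends org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor {
    protected static final TraceComponent tc = Tr.register(UsernameTokenInterceptor.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");
    static final long serialVersionUID = -5509043952347295870L;

    /** Message property that may carry an application-supplied {@link Validator} for username tokens. */
    private static final String UT_VALIDATOR_PROPERTY = "ws-security.ut.validator";
    /** Message properties read by {@link WSS4JUtils#getReplayCache} to configure the nonce replay cache. */
    private static final String NONCE_CACHE_ENABLED_PROPERTY = "ws-security.enable.nonce.cache";
    private static final String NONCE_CACHE_INSTANCE_PROPERTY = "ws-security.nonce.cache.instance";
    /** WS-Security Username Token Profile 1.0 password type URIs. */
    private static final String PASSWORD_DIGEST_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    private static final String PASSWORD_TEXT_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    /** Key under which WSS4J stores the parsed token in a {@link WSSecurityEngineResult}. */
    private static final String RESULT_USERNAME_TOKEN = "username-token";
    /** Default future time-to-live (seconds) applied when no property overrides it. */
    private static final int DEFAULT_FUTURE_TTL = 60;
    /** Password callback usage code passed to {@code getPassword}; 2 is WSPasswordCallback.USERNAME_TOKEN. */
    private static final int USERNAME_TOKEN_USAGE = 2;

    public UsernameTokenInterceptor() {
        // Order this interceptor ahead of the Liberty caller interceptor in the chain.
        addBefore(WSSecurityLibertyCallerInterceptor.class.getName());
    }

    /**
     * Validates an inbound {@code wsse:UsernameToken} element with the WSS4J processor and checks
     * the outcome against the UsernameToken policy assertion.
     *
     * @param element the {@code wsse:UsernameToken} DOM element
     * @param soapMessage the inbound message; supplies the callback handler, replay cache and TTL settings
     * @return the first security engine result produced by the processor
     * @throws WSSecurityException if the processor rejects the token, yields no result, or the
     *         result does not satisfy the policy
     * @throws Base64DecodingException declared for compatibility with the base-class contract
     */
    protected WSSecurityEngineResult validateToken(Element element, final SoapMessage soapMessage) throws WSSecurityException, Base64DecodingException {
        boolean bspCompliant = isWsiBSPCompliant(soapMessage);
        boolean allowNoPassword = isAllowNoPassword(soapMessage.get(AssertionInfoMap.class));
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, " validateToken" + element.toString());
        }

        RequestData requestData = new RequestData() {
            static final long serialVersionUID = -6118596239391109734L;

            // Liberty resolves the callback handler configured for this message.
            public CallbackHandler getCallbackHandler() {
                return UsernameTokenInterceptor.this.getCallback(soapMessage);
            }

            // A Validator placed on the message supersedes the WSS4J default for this token type.
            public Validator getValidator(QName qName) throws WSSecurityException {
                Object custom = soapMessage.getContextualProperty(UT_VALIDATOR_PROPERTY);
                if (custom == null) {
                    return super.getValidator(qName);
                }
                return (Validator) custom;
            }
        };

        // The nonce replay cache is what rejects a replayed token; it is driven by message properties.
        requestData.setNonceReplayCache(WSS4JUtils.getReplayCache(soapMessage, NONCE_CACHE_ENABLED_PROPERTY, NONCE_CACHE_INSTANCE_PROPERTY));
        requestData.setAllowUsernameTokenNoPassword(allowNoPassword);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        if (!bspCompliant) {
            // WS-I Basic Security Profile checks are relaxed only when the message is not flagged BSP compliant.
            requestData.setDisableBSPEnforcement(true);
        }
        requestData.setMsgContext(soapMessage);
        translateSettingsFromMsgContext(requestData, soapMessage);
        requestData.setWsDocInfo(new WSDocInfo(element.getOwnerDocument()));

        List<WSSecurityEngineResult> results = new UsernameTokenProcessor().handleToken(element, requestData);
        if (results == null || results.isEmpty()) {
            // Fail closed: with no result nothing has been validated.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK,
                    new WSSecurityPolicyException("UsernameToken processor returned no result"));
        }
        checkTokens(soapMessage, results);
        return results.get(0);
    }

    /**
     * Reports whether any {@code UNT_CALLER_NAME} assertion in the policy specifies
     * {@code NoPassword}, which lets WSS4J accept a token without a password element.
     *
     * @param assertionInfoMap the message's policy assertions
     * @return {@code true} if at least one matching assertion has password type {@code NoPassword}
     */
    private boolean isAllowNoPassword(AssertionInfoMap assertionInfoMap) {
        Collection<AssertionInfo> assertions = PolicyUtils.getAllAssertionsByLocalname(assertionInfoMap, WSSecurityConstants.UNT_CALLER_NAME);
        for (AssertionInfo ai : assertions) {
            Object assertion = ai.getAssertion();
            // Only UsernameToken assertions expose a password type; anything else cannot match.
            if (assertion instanceof UsernameToken
                    && ((UsernameToken) assertion).getPasswordType() == UsernameToken.PasswordType.NoPassword) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the callback handler configured for the message through the {@code SEC_CBH} property.
     *
     * <p>The property may hold a ready {@link CallbackHandler} or a class name that is loaded and
     * instantiated with its no-argument constructor. Because the class name is used as-is, whoever
     * controls that security configuration decides which class is instantiated here. Instantiation
     * failures are recorded to FFDC and yield {@code null}. Called from the {@link RequestData}
     * created in {@link #validateToken}.
     *
     * @param soapMessage the message whose security configuration is consulted
     * @return the handler, or {@code null} if none is configured or it could not be instantiated
     */
    public CallbackHandler getCallback(@Sensitive SoapMessage soapMessage) {
        Object configured = Utils.getSecurityPropertyValue(WSSecurityConstants.SEC_CBH, soapMessage);
        if (configured instanceof CallbackHandler) {
            return (CallbackHandler) configured;
        }
        if (configured instanceof String) {
            try {
                return (CallbackHandler) ClassLoaderUtils.loadClass((String) configured, getClass())
                        .getDeclaredConstructor().newInstance();
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.UsernameTokenInterceptor", "147", this, new Object[]{"<sensitive org.apache.cxf.binding.soap.SoapMessage>"});
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught exception while getCallback handler :" + e);
                }
            }
        }
        return null;
    }

    /**
     * Builds the outbound {@code wsse:UsernameToken} for the given policy assertion.
     *
     * <p>The username comes from {@code SEC_USER_NAME}. For password-bearing policies the password
     * comes from {@code SEC_USER_PASSWORD} or, failing that, from the password callback. The token
     * uses PasswordDigest when the policy asks for {@code HashPassword}, otherwise PasswordText;
     * Created and Nonce elements are added only when the policy requests them and the password is
     * not hashed.
     *
     * @param soapMessage the outbound message whose security configuration is consulted
     * @param document the owner document for the new token
     * @param usernameToken the policy assertion being satisfied
     * @return the prepared token, or {@code null} when no username or password is available, in
     *         which case the assertion is marked not asserted
     */
    protected WSSecUsernameToken addUsernameToken(@Sensitive SoapMessage soapMessage, Document document, @Sensitive UsernameToken usernameToken) {
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        String userName = (String) Utils.getSecurityPropertyValue(WSSecurityConstants.SEC_USER_NAME, soapMessage);
        if (debug) {
            Tr.debug(tc, "add usernameToken" + userName);
        }
        if (soapMessage.getContextualProperty(WSSConfig.class.getName()) == null) {
            // Result intentionally unused; kept because getNewInstance() appears to be called for
            // its side effects on WSS4J's static state — TODO confirm.
            WSSConfig.getNewInstance();
        }
        if (StringUtils.isEmpty(userName)) {
            policyNotAsserted(usernameToken, "No username available", soapMessage);
            return null;
        }

        boolean noPassword = UsernameToken.PasswordType.NoPassword.equals(usernameToken.getPasswordType());
        boolean hashPassword = UsernameToken.PasswordType.HashPassword.equals(usernameToken.getPasswordType());
        if (noPassword) {
            WSSecUsernameToken token = new WSSecUsernameToken(document);
            token.setUserInfo(userName, (String) null);
            token.setPasswordType((String) null);
            addCreatedAndNonce(token, usernameToken, hashPassword);
            return token;
        }

        String password = (String) Utils.getSecurityPropertyValue(WSSecurityConstants.SEC_USER_PASSWORD, soapMessage);
        if (StringUtils.isEmpty(password)) {
            password = getPassword(userName, usernameToken, USERNAME_TOKEN_USAGE, soapMessage);
        }
        if (StringUtils.isEmpty(password)) {
            // The username is known at this point; it is the password that is missing.
            policyNotAsserted(usernameToken, "No password available", soapMessage);
            return null;
        }

        WSSecUsernameToken token = new WSSecUsernameToken(document);
        token.setPasswordType(hashPassword ? PASSWORD_DIGEST_URI : PASSWORD_TEXT_URI);
        token.setUserInfo(userName, password);
        if (debug) {
            // Only the username is traced; the password never goes to trace.
            Tr.debug(tc, "addUsernameToken, " + userName);
        }
        addCreatedAndNonce(token, usernameToken, hashPassword);
        if (debug) {
            Tr.debug(tc, "addUsernameToken returns, " + token);
        }
        return token;
    }

    /**
     * Adds the Created and Nonce elements the policy asks for, unless the password is hashed.
     *
     * @param token the token under construction
     * @param policy the policy assertion
     * @param hashPassword {@code true} when the policy's password type is {@code HashPassword}
     */
    private static void addCreatedAndNonce(WSSecUsernameToken token, UsernameToken policy, boolean hashPassword) {
        if (policy.isCreated() && !hashPassword) {
            token.addCreated();
        }
        if (policy.isNonce() && !hashPassword) {
            token.addNonce();
        }
    }

    /**
     * Verifies every received UsernameToken against the UsernameToken policy assertion.
     *
     * <p>Checked properties: password hashing must match {@code HashPassword}; a {@code NoPassword}
     * policy forbids a password; a {@code Created} or {@code Nonce} policy requires that element on
     * a non-hashed token. Violations are collected across all tokens and reported in one exception.
     *
     * @param soapMessage the inbound message carrying the {@link AssertionInfoMap}
     * @param list security engine results, one per processed token
     * @return {@code true} when every token satisfies the policy
     * @throws WSSecurityException {@code FAILED_CHECK} listing the violations, or when tokens were
     *         received but no UsernameToken assertion exists to check them against (fail closed
     *         rather than dereferencing a missing assertion)
     */
    public boolean checkTokens(@Sensitive SoapMessage soapMessage, List<WSSecurityEngineResult> list) throws WSSecurityException {
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        Collection<AssertionInfo> ais = soapMessage.get(AssertionInfoMap.class).getAssertionInfo(SP12Constants.USERNAME_TOKEN);
        if (debug) {
            Tr.debug(tc, "ais in checkTokens is '" + ais + "'");
        }
        AssertionInfo ai = ais.isEmpty() ? null : ais.iterator().next();
        UsernameToken policy = ai == null ? null : (UsernameToken) ai.getAssertion();
        if (debug) {
            Tr.debug(tc, "ai in checkTokens is '" + ai + "'");
            Tr.debug(tc, "usernameTokenPolicy is '" + policy + "'");
        }

        if (list.isEmpty()) {
            return true;
        }
        if (policy == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK,
                    new WSSecurityPolicyException("No UsernameToken policy assertion available to check the received token against"));
        }

        boolean hashPolicy = UsernameToken.PasswordType.HashPassword.equals(policy.getPasswordType());
        boolean noPasswordPolicy = UsernameToken.PasswordType.NoPassword.equals(policy.getPasswordType());
        Set<String> violations = new LinkedHashSet<>();
        for (WSSecurityEngineResult result : list) {
            org.apache.wss4j.dom.message.token.UsernameToken received =
                    (org.apache.wss4j.dom.message.token.UsernameToken) result.get(RESULT_USERNAME_TOKEN);
            if (debug) {
                Tr.debug(tc, "usernameToken is '" + received + "'");
            }
            if (received == null) {
                violations.add("Username Token missing from security result");
                continue;
            }
            if (hashPolicy != received.isHashed()) {
                violations.add("Password hashing policy not enforced");
            }
            if (noPasswordPolicy && received.getPassword() != null) {
                violations.add("Username Token NoPassword policy not enforced");
            }
            if (policy.isCreated() && (received.getCreated() == null || received.isHashed())) {
                violations.add("Username Token Created policy not enforced");
            }
            if (policy.isNonce() && (received.getNonce() == null || received.isHashed())) {
                violations.add("Username Token Nonce policy not enforced");
            }
        }
        if (violations.isEmpty()) {
            return true;
        }
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, new WSSecurityPolicyException(violations.toString()));
    }

    /**
     * Copies the UsernameToken time-to-live settings from the message into the request data,
     * making sure a {@link WSSConfig} is present first.
     *
     * @param requestData the request data being prepared for the processor
     * @param soapMessage the message whose contextual properties are read
     */
    void translateSettingsFromMsgContext(RequestData requestData, @Sensitive SoapMessage soapMessage) {
        if (requestData.getWssConfig() == null) {
            requestData.setWssConfig(WSSConfig.getNewInstance());
        }
        requestData.setUtTTL(decodeTimeToLive(requestData, soapMessage, false));
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "unt TTL '" + requestData.getUtTTL() + "'");
        }
        requestData.setUtFutureTTL(decodeFutureTimeToLive(requestData, soapMessage, false));
    }

    /**
     * Reads the time-to-live setting for Timestamps or UsernameTokens from the message.
     *
     * <p>Reads {@code ws-security.timestamp.timeToLive} when {@code z} is {@code true}, otherwise
     * {@code ws-security.usernametoken.timeToLive}. A missing, malformed, zero or negative value
     * falls back to the value already held by {@code requestData}, so a bad setting cannot
     * widen the window to "unbounded".
     *
     * @param requestData supplies the fallback value
     * @param soapMessage the message whose contextual property is read
     * @param z {@code true} for the Timestamp TTL, {@code false} for the UsernameToken TTL
     * @return the configured value, or the request data's current value as fallback
     */
    public int decodeTimeToLive(RequestData requestData, @Sensitive SoapMessage soapMessage, boolean z) {
        String raw = (String) soapMessage.getContextualProperty(z ? "ws-security.timestamp.timeToLive" : "ws-security.usernametoken.timeToLive");
        int ttl = 0;
        if (raw != null) {
            try {
                ttl = Integer.parseInt(raw);
            } catch (NumberFormatException e) {
                FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.UsernameTokenInterceptor", "339", this, new Object[]{requestData, "<sensitive org.apache.cxf.binding.soap.SoapMessage>", Boolean.valueOf(z)});
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "ttl string is malformat '" + raw + "'" + e.getMessage());
                }
                // ttl stays 0 and takes the fallback below.
            }
        }
        if (ttl <= 0) {
            ttl = z ? requestData.getTimeStampTTL() : requestData.getUtTTL();
        }
        return ttl;
    }

    /**
     * Reads the future time-to-live setting for Timestamps or UsernameTokens from the message.
     *
     * <p>Reads {@code ws-security.timestamp.futureTimeToLive} when {@code z} is {@code true},
     * otherwise {@code ws-security.usernametoken.futureTimeToLive}. A missing, malformed or
     * negative value yields {@link #DEFAULT_FUTURE_TTL}; zero is accepted as configured.
     *
     * @param requestData passed through to FFDC on a parse failure
     * @param soapMessage the message whose contextual property is read
     * @param z {@code true} for the Timestamp setting, {@code false} for the UsernameToken setting
     * @return the configured value or the default
     */
    protected int decodeFutureTimeToLive(RequestData requestData, @Sensitive SoapMessage soapMessage, boolean z) {
        String raw = (String) soapMessage.getContextualProperty(z ? "ws-security.timestamp.futureTimeToLive" : "ws-security.usernametoken.futureTimeToLive");
        if (raw == null) {
            return DEFAULT_FUTURE_TTL;
        }
        try {
            int ttl = Integer.parseInt(raw);
            return ttl < 0 ? DEFAULT_FUTURE_TTL : ttl;
        } catch (NumberFormatException e) {
            FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.UsernameTokenInterceptor", "374", this, new Object[]{requestData, "<sensitive org.apache.cxf.binding.soap.SoapMessage>", Boolean.valueOf(z)});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "future ttl string is malformat '" + raw + "'" + e.getMessage());
            }
            return DEFAULT_FUTURE_TTL;
        }
    }
}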
