package org.apache.cxf.ws.security.wss4j;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.cache.ReplayCache;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.processor.SAMLTokenProcessor;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.SAMLParms;
import org.apache.ws.security.validate.Validator;
import org.opensaml.common.SAMLVersion;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.class */
/**
 * SOAP interceptor that handles SAML tokens outside of the full WSS4J
 * processing chain.
 *
 * <p>On the server-inbound side it walks the {@code wsse:Security} header,
 * runs each {@code Assertion} child through a WSS4J {@code SAMLTokenProcessor},
 * records the results under {@code RECV_RESULTS}, and installs a principal /
 * security context on the message. On the client-outbound side it builds a SAML
 * assertion through the configured SAML callback handler (optionally
 * self-signed) and appends it to the {@code wsse:Security} header. In the two
 * remaining directions it only marks the SAML policy assertions as asserted.
 *
 * <p>The interceptor runs in the {@code pre-protocol} phase, after the
 * policy-based WSS4J in/out interceptors, and is skipped whenever those
 * interceptors have already flagged the message as security-processed.
 *
 * <p>This listing is decompiled output (see the JADX markers); names such as
 * {@code str}/{@code str2}/{@code z} are decompiler-generated.
 */
public class SamlTokenInterceptor extends AbstractSoapInterceptor {
    public static final String WSSEC = "ws-security";
    // Property key for a Map of signature crypto properties (read in processToken/addSamlToken).
    public static final String CXF_SIG_PROPS = "ws-security.signature.properties";
    // Property key for a Map of encryption crypto properties (read in processToken).
    public static final String CXF_ENC_PROPS = "ws-security.encryption.properties";
    // Property key under which a ReplayCache instance for SAML one-time-use is looked up / stored.
    public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = "ws-security.saml.cache.instance";
    // Property key that explicitly enables/disables the SAML one-time-use replay cache.
    public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache";
    private static final Logger LOG = LogUtils.getL7dLogger(SamlTokenInterceptor.class);
    // Understood header QNames; populated once in the static initializer below
    // (WS-Security 1.0 and 1.1 "Security" headers). Shared, mutable, never copied.
    private static final Set<QName> HEADERS = new HashSet();

    /**
     * Creates the interceptor in the {@code pre-protocol} phase, ordered after
     * both the policy-based WSS4J out and in interceptors so that their
     * "security processed" markers are visible in {@link #handleMessage}.
     */
    public SamlTokenInterceptor() {
        super("pre-protocol");
        addAfter(PolicyBasedWSS4JOutInterceptor.class.getName());
        addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
    }

    /**
     * Returns the WS-Security 1.0/1.1 {@code Security} header QNames this
     * interceptor understands.
     *
     * @return the shared static set (not a defensive copy)
     */
    public Set<QName> getUnderstoodHeaders() {
        return HEADERS;
    }

    /**
     * Dispatches on message direction.
     *
     * <ul>
     *   <li>client-inbound / server-outbound: only asserts the SAML policy
     *       assertions and returns;</li>
     *   <li>client-outbound: adds a SAML token unless the policy-based out
     *       interceptor already processed security;</li>
     *   <li>server-inbound: processes inbound SAML tokens unless the WSS4J in
     *       interceptor already processed security.</li>
     * </ul>
     *
     * @param soapMessage the current message
     * @throws Fault if inbound token processing fails with a WSSecurityException
     */
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        boolean isRequestor = MessageUtils.isRequestor(soapMessage);
        // Requestor-inbound or provider-outbound: nothing to add or verify here.
        if (isRequestor != MessageUtils.isOutbound(soapMessage)) {
            assertSamlTokens(soapMessage);
            return;
        }
        if (isRequestor) {
            // Outbound request: skip if the policy-based WSS4J out interceptor already ran.
            if (soapMessage.containsKey(PolicyBasedWSS4JOutInterceptor.SECURITY_PROCESSED)) {
                return;
            }
            addSamlToken(soapMessage);
        } else {
            // Inbound request: skip if WSS4JInInterceptor already ran.
            if (soapMessage.containsKey(WSS4JInInterceptor.SECURITY_PROCESSED)) {
                return;
            }
            processSamlToken(soapMessage);
        }
    }

    /**
     * Processes every {@code Assertion} child of the inbound {@code wsse:Security}
     * header.
     *
     * <p>For each assertion that yields results: a {@code WSHandlerResult} is
     * prepended to the message's {@code RECV_RESULTS} list, the SAML policy
     * assertions are marked asserted, the {@code principal} of the first result
     * is stored under {@code WSS4JInInterceptor.PRINCIPAL_RESULT}, and a
     * {@code DefaultSecurityContext} is installed when the message has no
     * security context (or one without a user principal). Does nothing when
     * there is no Security header.
     *
     * @param soapMessage the inbound message
     * @throws Fault wrapping any {@code WSSecurityException} from token processing
     */
    private void processSamlToken(SoapMessage soapMessage) {
        // false: do not create a Security header on the inbound side.
        Header findSecurityHeader = findSecurityHeader(soapMessage, false);
        if (findSecurityHeader == null) {
            return;
        }
        Element firstElement = DOMUtils.getFirstElement((Element) findSecurityHeader.getObject());
        while (true) {
            Element element = firstElement;
            if (element == null) {
                return;
            }
            // Matched on local name only; the element's namespace is not checked here
            // (version detection is left to SAMLTokenProcessor).
            if ("Assertion".equals(element.getLocalName())) {
                try {
                    List<WSSecurityEngineResult> processToken = processToken(element, soapMessage);
                    if (processToken != null) {
                        List cast = CastUtils.cast((List) soapMessage.get("RECV_RESULTS"));
                        if (cast == null) {
                            cast = new ArrayList();
                            soapMessage.put("RECV_RESULTS", cast);
                        }
                        // Prepend so this result is seen first by later consumers of RECV_RESULTS.
                        cast.add(0, new WSHandlerResult((String) null, processToken));
                        assertSamlTokens(soapMessage);
                        // NOTE(review): assumes the processor returned a non-empty list; get(0)
                        // throws IndexOutOfBoundsException on an empty one — confirm against SAMLTokenProcessor.
                        Principal principal = (Principal) processToken.get(0).get("principal");
                        soapMessage.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);
                        SecurityContext securityContext = (SecurityContext) soapMessage.get(SecurityContext.class);
                        // Only install a context if none exists yet or the existing one carries no principal.
                        if (securityContext == null || securityContext.getUserPrincipal() == null) {
                            soapMessage.put(SecurityContext.class, new DefaultSecurityContext(principal, (Subject) null));
                        }
                    }
                } catch (WSSecurityException e) {
                    throw new Fault(e);
                }
            }
            firstElement = DOMUtils.getNextElement(element);
        }
    }

    /**
     * Runs a single SAML assertion element through WSS4J's {@code SAMLTokenProcessor}.
     *
     * <p>The {@code RequestData} is customised so that the callback handler comes
     * from {@link #getCallback(SoapMessage)} and the SAML 1.1 / 2.0 validators can
     * be supplied via the {@code SecurityConstants.SAML1_TOKEN_VALIDATOR} /
     * {@code SAML2_TOKEN_VALIDATOR} contextual properties (as a {@code Validator}
     * instance, a {@code Class}, or a class name). A fresh {@code WSSConfig} and
     * the SAML one-time-use replay cache are attached before processing.
     *
     * @param element     the {@code Assertion} element
     * @param soapMessage the inbound message (source of contextual properties)
     * @return the engine results from the processor
     * @throws WSSecurityException from the processor, or from validator lookup
     *         failures that are not {@code RuntimeException}s
     */
    private List<WSSecurityEngineResult> processToken(Element element, final SoapMessage soapMessage) throws WSSecurityException {
        WSDocInfo wSDocInfo = new WSDocInfo(element.getOwnerDocument());
        RequestData requestData = new RequestData() { // from class: org.apache.cxf.ws.security.wss4j.SamlTokenInterceptor.1
            // Delegates to the enclosing interceptor's CALLBACK_HANDLER lookup.
            public CallbackHandler getCallbackHandler() {
                return SamlTokenInterceptor.this.getCallback(soapMessage);
            }

            /**
             * Resolves a validator for SAML 1.1 / 2.0 tokens from the message's
             * contextual properties; any other QName falls back to the default.
             */
            public Validator getValidator(QName qName) throws WSSecurityException {
                String str = null;
                if (WSSecurityEngine.SAML_TOKEN.equals(qName)) {
                    str = SecurityConstants.SAML1_TOKEN_VALIDATOR;
                } else if (WSSecurityEngine.SAML2_TOKEN.equals(qName)) {
                    str = SecurityConstants.SAML2_TOKEN_VALIDATOR;
                }
                if (str != null) {
                    Object contextualProperty = soapMessage.getContextualProperty(str);
                    try {
                        if (contextualProperty instanceof Validator) {
                            return (Validator) contextualProperty;
                        }
                        if (contextualProperty instanceof Class) {
                            return (Validator) ((Class) contextualProperty).newInstance();
                        }
                        // A configured class name is loaded and instantiated reflectively;
                        // the value comes from endpoint/message configuration.
                        if (contextualProperty instanceof String) {
                            return (Validator) ClassLoaderUtils.loadClass(contextualProperty.toString(), SamlTokenInterceptor.class).newInstance();
                        }
                    } catch (RuntimeException e) {
                        throw e;
                    } catch (Throwable th) {
                        // Checked reflection failures (and Errors) are wrapped; the cause is preserved.
                        throw new WSSecurityException(th.getMessage(), th);
                    }
                }
                return super.getValidator(qName);
            }
        };
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setSamlOneTimeUseReplayCache(getReplayCache(soapMessage, "ws-security.enable.saml.cache", "ws-security.saml.cache.instance"));
        SAMLTokenProcessor sAMLTokenProcessor = new SAMLTokenProcessor();
        // Only a Map value is accepted here (unchecked cast below); unlike getCrypto(),
        // Properties / String / URL forms of the property are not handled and would
        // raise a ClassCastException.
        Object contextualProperty = soapMessage.getContextualProperty("ws-security.signature.properties");
        if (contextualProperty != null) {
            Map map = (Map) contextualProperty;
            Properties properties = new Properties();
            properties.putAll(map);
            // The crypto provider is forced to Merlin regardless of what the Map says.
            properties.put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
            // NOTE(review): the *signature* properties populate encCrypto and the
            // *encryption* properties (below) populate sigCrypto. Presumably the
            // processor verifies the assertion signature with sigCrypto — confirm
            // this cross-wiring is intended.
            requestData.setEncCrypto(CryptoFactory.getInstance(properties));
        }
        Object contextualProperty2 = soapMessage.getContextualProperty("ws-security.encryption.properties");
        if (contextualProperty2 != null) {
            Map map2 = (Map) contextualProperty2;
            Properties properties2 = new Properties();
            properties2.putAll(map2);
            requestData.setSigCrypto(CryptoFactory.getInstance(properties2));
        }
        return sAMLTokenProcessor.handleToken(element, requestData, wSDocInfo);
    }

    /**
     * Looks up (or lazily creates) the replay cache used for SAML one-time-use
     * checks.
     *
     * <p>The cache is disabled when the enable property is present and not true.
     * When the property is absent the cache is only used on the provider
     * (non-requestor) side. The instance is taken from the contextual property
     * {@code str2}, then from the {@code EndpointInfo} property of the same name,
     * and otherwise created through {@code ReplayCacheFactory} with a key derived
     * from {@code str2} and the endpoint name, and stored on the
     * {@code EndpointInfo}. Creation is serialised on the {@code EndpointInfo}.
     *
     * @param soapMessage the current message
     * @param str         property name of the enable flag
     * @param str2        property name under which the cache instance is kept
     * @return the replay cache, or {@code null} when disabled or when no endpoint
     *         / endpoint info is available
     */
    protected ReplayCache getReplayCache(SoapMessage soapMessage, String str, String str2) {
        Endpoint endpoint;
        ReplayCache replayCache;
        // z: true when the enable property was explicitly set to a true value.
        boolean z = false;
        Object contextualProperty = soapMessage.getContextualProperty(str);
        if (contextualProperty != null) {
            if (!MessageUtils.isTrue(contextualProperty)) {
                return null;
            }
            z = true;
        }
        // Without an explicit enable, requestors get no cache; either way an Endpoint with
        // EndpointInfo must be present on the exchange.
        if ((!z && MessageUtils.isRequestor(soapMessage)) || (endpoint = (Endpoint) soapMessage.getExchange().get(Endpoint.class)) == null || endpoint.getEndpointInfo() == null) {
            return null;
        }
        EndpointInfo endpointInfo = endpoint.getEndpointInfo();
        synchronized (endpointInfo) {
            ReplayCache replayCache2 = (ReplayCache) soapMessage.getContextualProperty(str2);
            if (replayCache2 == null) {
                replayCache2 = (ReplayCache) endpointInfo.getProperty(str2);
            }
            if (replayCache2 == null) {
                ReplayCacheFactory newInstance = ReplayCacheFactory.newInstance();
                String str3 = str2;
                // Key the cache per endpoint by appending the hash of the endpoint's QName.
                if (endpointInfo.getName() != null) {
                    str3 = str3 + "-" + endpointInfo.getName().toString().hashCode();
                }
                replayCache2 = newInstance.newReplayCache(str3, soapMessage);
                // Only a newly created cache is stored on the endpoint; one found via the
                // contextual property is returned but not cached here.
                endpointInfo.setProperty(str2, replayCache2);
            }
            replayCache = replayCache2;
        }
        return replayCache;
    }

    /**
     * Marks the SAML token, supporting-tokens and signed-supporting-tokens
     * policy assertions as asserted.
     *
     * <p>Assumes an {@code AssertionInfoMap} is present on the message; a
     * message without one would fail with a {@code NullPointerException}.
     *
     * @param soapMessage the current message
     * @return the last {@code SamlToken} assertion found, or {@code null} if
     *         the policy contains none
     */
    private SamlToken assertSamlTokens(SoapMessage soapMessage) {
        AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        SamlToken samlToken = null;
        for (AssertionInfo assertionInfo : assertionInfoMap.getAssertionInfo(SP12Constants.SAML_TOKEN)) {
            // If several SamlToken assertions exist, the last one wins.
            samlToken = (SamlToken) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
        }
        Iterator it = assertionInfoMap.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS).iterator();
        while (it.hasNext()) {
            ((AssertionInfo) it.next()).setAsserted(true);
        }
        Iterator it2 = assertionInfoMap.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS).iterator();
        while (it2.hasNext()) {
            ((AssertionInfo) it2.next()).setAsserted(true);
        }
        return samlToken;
    }

    /**
     * Outbound (requestor) path: builds a SAML assertion and appends it to the
     * {@code wsse:Security} header, creating that header if absent.
     *
     * <p>If no assertion could be built (no SAML callback handler, or no
     * signing identity when self-signing), the SAML token policy assertions
     * that were just marked asserted are reset to not-asserted. A
     * {@code WSSecurityException} is reported through {@link #policyNotAsserted}.
     *
     * @param soapMessage the outbound message
     */
    private void addSamlToken(SoapMessage soapMessage) {
        SamlToken assertSamlTokens = assertSamlTokens(soapMessage);
        // NOTE(review): the header is created (mustUnderstand=true) before we know whether
        // a token will be produced, so a message may end up with an empty wsse:Security
        // header when addSamlToken(...) returns null below.
        Header findSecurityHeader = findSecurityHeader(soapMessage, true);
        try {
            AssertionWrapper addSamlToken = addSamlToken(assertSamlTokens, soapMessage);
            if (addSamlToken != null) {
                Element element = (Element) DOMUtils.getDomElement((Element) findSecurityHeader.getObject());
                element.appendChild(addSamlToken.toDOM(element.getOwnerDocument()));
                return;
            }
            // No token produced: undo the "asserted" flag set by assertSamlTokens().
            for (AssertionInfo assertionInfo : ((AssertionInfoMap) soapMessage.get(AssertionInfoMap.class)).getAssertionInfo(SP12Constants.SAML_TOKEN)) {
                if (assertionInfo.isAsserted()) {
                    assertionInfo.setAsserted(false);
                }
            }
        } catch (WSSecurityException e) {
            policyNotAsserted(assertSamlTokens, e.getMessage(), soapMessage);
        }
    }

    /**
     * Builds the outbound SAML assertion.
     *
     * <p>The {@code SecurityConstants.SAML_CALLBACK_HANDLER} property supplies the
     * handler either as a {@code CallbackHandler} instance or as a class name to
     * instantiate; instantiation failures are swallowed and treated as "no
     * handler", in which case {@code null} is returned. The SAML version is
     * chosen from the policy token's profile flags. When
     * {@code SecurityConstants.SELF_SIGN_SAML_ASSERTION} is true the assertion is
     * signed with the signature crypto / username / password; otherwise it is
     * returned unsigned.
     *
     * @param samlToken   the SAML token policy assertion (must be non-null)
     * @param soapMessage the outbound message (source of contextual properties)
     * @return the assertion, or {@code null} if no callback handler is configured
     *         or no signing identity can be determined when self-signing
     * @throws WSSecurityException from assertion construction or signing
     * @throws Fault if the default X.509 identifier cannot be read from the crypto
     */
    private AssertionWrapper addSamlToken(SamlToken samlToken, SoapMessage soapMessage) throws WSSecurityException {
        Object contextualProperty = soapMessage.getContextualProperty(SecurityConstants.SAML_CALLBACK_HANDLER);
        CallbackHandler callbackHandler = null;
        if (contextualProperty instanceof CallbackHandler) {
            callbackHandler = (CallbackHandler) contextualProperty;
        } else if (contextualProperty instanceof String) {
            try {
                callbackHandler = (CallbackHandler) ClassLoaderUtils.loadClass((String) contextualProperty, getClass()).newInstance();
            } catch (Exception e) {
                // Deliberate best-effort: an unloadable handler class means "no handler" (nothing is logged).
                callbackHandler = null;
            }
        }
        if (callbackHandler == null) {
            return null;
        }
        SAMLParms sAMLParms = new SAMLParms();
        sAMLParms.setCallbackHandler(callbackHandler);
        // Both SAML 1.1 profiles map to VERSION_11; only the 2.0 profile maps to VERSION_20.
        // Any other combination leaves the SAMLParms default version in place.
        if (samlToken.isUseSamlVersion11Profile10() || samlToken.isUseSamlVersion11Profile11()) {
            sAMLParms.setSAMLVersion(SAMLVersion.VERSION_11);
        } else if (samlToken.isUseSamlVersion20Profile11()) {
            sAMLParms.setSAMLVersion(SAMLVersion.VERSION_20);
        }
        AssertionWrapper assertionWrapper = new AssertionWrapper(sAMLParms);
        if (MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.SELF_SIGN_SAML_ASSERTION, false)) {
            Crypto crypto = getCrypto(samlToken, SecurityConstants.SIGNATURE_CRYPTO, "ws-security.signature.properties", soapMessage);
            String str = (String) soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_USERNAME);
            // Fall back to the crypto's default X.509 identifier when no username is configured.
            if (crypto != null && StringUtils.isEmpty(str)) {
                try {
                    str = crypto.getDefaultX509Identifier();
                } catch (WSSecurityException e2) {
                    // Converted to an unchecked Fault here, unlike the other WSSecurityExceptions this method lets propagate.
                    throw new Fault(e2);
                }
            }
            if (StringUtils.isEmpty(str)) {
                return null;
            }
            String str2 = (String) soapMessage.getContextualProperty(SecurityConstants.PASSWORD);
            if (StringUtils.isEmpty(str2)) {
                // Usage code 3 — presumably WSPasswordCallback.SIGNATURE in this WSS4J version; confirm.
                str2 = getPassword(str, samlToken, 3, soapMessage);
            }
            if (str2 == null) {
                str2 = "";
            }
            // NOTE(review): only the identifier lookup above is guarded by crypto != null;
            // a configured username with no crypto reaches this call with crypto == null.
            assertionWrapper.signAssertion(str, str2, crypto, false);
        }
        return assertionWrapper;
    }

    /**
     * Resolves a {@code Crypto} instance from the message configuration.
     *
     * <p>Order of precedence: a {@code Crypto} under property {@code str}; else
     * the value under {@code str2}, which may be a {@code Properties} object, a
     * {@code String} (resolved via the Bus {@code ResourceManager}, then the
     * classpath, then as a plain URL), or a {@code URL}. Resolved locations are
     * opened and loaded as a properties file. Resolution failures are reported
     * through {@link #policyNotAsserted} when a policy token is supplied.
     *
     * @param samlToken   the policy token used for failure reporting, may be {@code null}
     * @param str         property name holding a ready {@code Crypto} instance
     * @param str2        property name holding crypto properties or their location
     * @param soapMessage the current message
     * @return the crypto, or {@code null} if nothing is configured or resolvable
     * @throws WSSecurityException from {@code CryptoFactory.getInstance}
     */
    private Crypto getCrypto(SamlToken samlToken, String str, String str2, SoapMessage soapMessage) throws WSSecurityException {
        Crypto crypto = (Crypto) soapMessage.getContextualProperty(str);
        if (crypto != null) {
            return crypto;
        }
        Object contextualProperty = soapMessage.getContextualProperty(str2);
        if (contextualProperty == null) {
            return null;
        }
        Properties properties = null;
        if (contextualProperty instanceof Properties) {
            properties = (Properties) contextualProperty;
        } else if (contextualProperty instanceof String) {
            // 1) Bus ResourceManager lookup.
            URL url = (URL) ((ResourceManager) ((Bus) soapMessage.getExchange().get(Bus.class)).getExtension(ResourceManager.class)).resolveResource((String) contextualProperty, URL.class);
            // 2) Classpath lookup.
            if (url == null) {
                try {
                    url = ClassLoaderUtils.getResource((String) contextualProperty, getClass());
                } catch (IOException e) {
                    if (samlToken != null) {
                        policyNotAsserted(samlToken, e.getMessage(), soapMessage);
                    }
                }
            }
            // 3) Treat the configured string as a URL; a malformed value is silently ignored here
            //    and reported as "Could not find properties file" below.
            if (url == null) {
                try {
                    url = new URL((String) contextualProperty);
                } catch (Exception e2) {
                }
            }
            if (url != null) {
                // NOTE(review): no try/finally — the stream is not closed if load() throws,
                // and the IOException escapes a method that only declares WSSecurityException
                // (decompiled bytecode does not enforce checked exceptions).
                InputStream openStream = url.openStream();
                properties = new Properties();
                properties.load(openStream);
                openStream.close();
            } else if (samlToken != null) {
                policyNotAsserted(samlToken, "Could not find properties file " + contextualProperty, soapMessage);
            }
        } else if (contextualProperty instanceof URL) {
            properties = new Properties();
            try {
                // As above, the stream is not closed when load() fails.
                InputStream openStream2 = ((URL) contextualProperty).openStream();
                properties.load(openStream2);
                openStream2.close();
            } catch (IOException e3) {
                if (samlToken != null) {
                    policyNotAsserted(samlToken, e3.getMessage(), soapMessage);
                }
            }
        }
        if (properties != null) {
            crypto = CryptoFactory.getInstance(properties);
        }
        return crypto;
    }

    /**
     * Finds the first {@code Security} header in the WS-Security 1.0 or 1.1
     * namespace, optionally creating one.
     *
     * <p>A created header is a {@code wsse:Security} element (WSSE 1.0
     * namespace, with an explicit {@code xmlns:wsse} declaration) wrapped in a
     * {@code SoapHeader} with {@code mustUnderstand=true} and appended to the
     * message headers.
     *
     * @param soapMessage the current message
     * @param z           whether to create the header when none exists
     * @return the header, or {@code null} when absent and {@code z} is false
     */
    private Header findSecurityHeader(SoapMessage soapMessage, boolean z) {
        for (Header header : soapMessage.getHeaders()) {
            QName name = header.getName();
            if (name.getLocalPart().equals("Security") && (name.getNamespaceURI().equals(DefaultCryptoCoverageChecker.WSSE_NS) || name.getNamespaceURI().equals("http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"))) {
                return header;
            }
        }
        if (!z) {
            return null;
        }
        Element createElementNS = DOMUtils.createDocument().createElementNS(DefaultCryptoCoverageChecker.WSSE_NS, "wsse:Security");
        createElementNS.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsse", DefaultCryptoCoverageChecker.WSSE_NS);
        SoapHeader soapHeader = new SoapHeader(new QName(DefaultCryptoCoverageChecker.WSSE_NS, "Security"), createElementNS);
        soapHeader.setMustUnderstand(true);
        soapMessage.getHeaders().add(soapHeader);
        return soapHeader;
    }

    /**
     * Resolves the general-purpose {@code SecurityConstants.CALLBACK_HANDLER}
     * from the message configuration, either as a {@code CallbackHandler}
     * instance or as a class name to instantiate.
     *
     * <p>Instantiation failures are swallowed (not logged) and yield {@code null}.
     * Originally private; widened by the compiler for access from the anonymous
     * {@code RequestData} in {@link #processToken}.
     *
     * @param soapMessage the current message
     * @return the handler, or {@code null} if none is configured or loadable
     */
    /* JADX INFO: Access modifiers changed from: private */
    public CallbackHandler getCallback(SoapMessage soapMessage) {
        Object contextualProperty = soapMessage.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
        CallbackHandler callbackHandler = null;
        if (contextualProperty instanceof CallbackHandler) {
            callbackHandler = (CallbackHandler) contextualProperty;
        } else if (contextualProperty instanceof String) {
            try {
                callbackHandler = (CallbackHandler) ClassLoaderUtils.loadClass((String) contextualProperty, getClass()).newInstance();
            } catch (Exception e) {
                // Deliberate best-effort: treated as "no handler".
                callbackHandler = null;
            }
        }
        return callbackHandler;
    }

    /**
     * Obtains a password for {@code str} from the configured callback handler.
     *
     * <p>With no handler, or if the handler throws, the failure is routed through
     * {@link #policyNotAsserted}; that raises a {@code PolicyException} unless
     * the token is {@code null} (String variant also: unless it is optional), in
     * which case {@code null} or whatever the callback produced is returned.
     *
     * @param str         the identifier passed to {@code WSPasswordCallback}
     * @param samlToken   the policy token used for failure reporting
     * @param i           the {@code WSPasswordCallback} usage code
     * @param soapMessage the current message
     * @return the password supplied by the callback, or {@code null}
     */
    public String getPassword(String str, SamlToken samlToken, int i, SoapMessage soapMessage) {
        CallbackHandler callback = getCallback(soapMessage);
        if (callback == null) {
            policyNotAsserted(samlToken, "No callback handler and no password available", soapMessage);
            return null;
        }
        WSPasswordCallback[] wSPasswordCallbackArr = {new WSPasswordCallback(str, i)};
        try {
            callback.handle(wSPasswordCallbackArr);
        } catch (Exception e) {
            // Throws PolicyException whenever samlToken is non-null (see the Exception overload).
            policyNotAsserted(samlToken, e, soapMessage);
        }
        return wSPasswordCallbackArr[0].getPassword();
    }

    /**
     * Marks every {@code AssertionInfo} whose assertion is (identically) the
     * given token as not asserted with the given reason, then throws a
     * {@code PolicyException} unless the token is optional.
     *
     * @param samlToken   the token; a {@code null} token is ignored
     * @param str         the reason recorded on the assertion and in the exception
     * @param soapMessage the current message
     * @throws PolicyException if the token is not optional
     */
    protected void policyNotAsserted(SamlToken samlToken, String str, SoapMessage soapMessage) {
        if (samlToken == null) {
            return;
        }
        Collection<AssertionInfo> collection = (Collection) ((AssertionInfoMap) soapMessage.get(AssertionInfoMap.class)).get(samlToken.getName());
        if (collection != null) {
            for (AssertionInfo assertionInfo : collection) {
                // Identity, not equals(): only the exact policy object is marked.
                if (assertionInfo.getAssertion() == samlToken) {
                    assertionInfo.setNotAsserted(str);
                }
            }
        }
        if (!samlToken.isOptional()) {
            throw new PolicyException(new Message(str, LOG, new Object[0]));
        }
    }

    /**
     * Exception variant of {@link #policyNotAsserted(SamlToken, String, SoapMessage)}.
     * Records the exception message on the matching assertions and then always
     * throws, regardless of whether the token is optional.
     *
     * @param samlToken   the token; a {@code null} token is ignored
     * @param exc         the failure, used as the reason and as the exception cause
     * @param soapMessage the current message
     * @throws PolicyException always, when {@code samlToken} is non-null
     */
    protected void policyNotAsserted(SamlToken samlToken, Exception exc, SoapMessage soapMessage) {
        if (samlToken == null) {
            return;
        }
        Collection<AssertionInfo> collection = (Collection) ((AssertionInfoMap) soapMessage.get(AssertionInfoMap.class)).get(samlToken.getName());
        if (collection != null) {
            for (AssertionInfo assertionInfo : collection) {
                if (assertionInfo.getAssertion() == samlToken) {
                    assertionInfo.setNotAsserted(exc.getMessage());
                }
            }
        }
        // Unlike the String overload, no isOptional() check here.
        throw new PolicyException(exc);
    }

    // Both the WS-Security 1.0 and 1.1 "Security" header QNames are understood.
    static {
        HEADERS.add(new QName(DefaultCryptoCoverageChecker.WSSE_NS, "Security"));
        HEADERS.add(new QName("http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "Security"));
    }
}
