package org.apache.cxf.ws.security.policy.interceptors;

import java.net.HttpURLConnection;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.HttpsURLConnection;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.HttpHeaderHelper;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.URLConnectionInfo;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;
import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.HttpsToken;

/* loaded from: input_file:wlp/lib/com.ibm.ws.org.apache.cxf.ws.security.2.6.2_1.0.9.jar:org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.class */
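/**
 * Policy interceptor provider for the WS-SecurityPolicy {@code HttpsToken} assertion.
 *
 * <p>It registers an outbound interceptor (normal and fault chains) that, on the client
 * side, verifies the outgoing request satisfies the assertion (HTTPS connection, optional
 * client certificate, optional HTTP Basic/Digest {@code Authorization} header), and an
 * inbound interceptor (normal and fault chains) that, on the server side, evaluates the
 * same conditions against the received request and, when no user principal is known yet,
 * derives a {@link SecurityContext} from the client's X.509 certificate.
 *
 * <p>NOTE(review): the provider is registered for both the SP 1.1 and SP 1.2 QNames, but
 * both interceptors only look up {@code SP12Constants.HTTPS_TOKEN} in the
 * {@link AssertionInfoMap}; confirm SP 1.1 HttpsToken assertions are keyed under the
 * SP 1.2 QName, otherwise they would be silently ignored.
 */
public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
    private static final long serialVersionUID = -13951002554477036L;

    /** Scheme prefix of an HTTP Digest {@code Authorization} header value. */
    private static final String AUTH_TYPE_DIGEST = "Digest";

    /** Message key under which the outbound {@link HttpURLConnection} is looked up. */
    private static final String HTTP_CONNECTION_KEY = "http.connection";

    /**
     * Server-side (inbound) enforcement of the HttpsToken assertion.
     *
     * <p>On the client side (requestor) inbound responses are not checked and the
     * assertions are simply marked as asserted.
     */
    static class HttpsTokenInInterceptor extends AbstractPhaseInterceptor<Message> {
        public HttpsTokenInInterceptor() {
            super(Phase.PRE_STREAM);
        }

        /**
         * Evaluates every HttpsToken assertion on the message and, on the server side,
         * installs a certificate-derived {@link SecurityContext} when none with a
         * user principal is present.
         *
         * @param message the inbound message
         * @throws Fault never thrown directly by this interceptor
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> ais = aim.get(SP12Constants.HTTPS_TOKEN);
            if (ais == null) {
                return;
            }
            if (isRequestor(message)) {
                // Client side: the response leg carries nothing to verify here.
                for (AssertionInfo ai : ais) {
                    ai.setAsserted(true);
                }
                return;
            }
            assertHttps(ais, message);

            SecurityContext sc = message.get(SecurityContext.class);
            if (sc == null || sc.getUserPrincipal() == null) {
                // No authenticated principal yet: fall back to the TLS client certificate, if any.
                X509Certificate clientCert = firstPeerX509Certificate(message.get(TLSSessionInfo.class));
                if (clientCert != null) {
                    message.put(SecurityContext.class,
                                createSecurityContext(clientCert.getSubjectX500Principal()));
                }
            }
        }

        /**
         * Marks each HttpsToken assertion asserted or not, depending on whether the
         * inbound request arrived over TLS, presented a client certificate when required,
         * and carried the required HTTP Basic/Digest {@code Authorization} header.
         *
         * <p>This method only records the outcome; it does not throw on failure.
         *
         * @param ais     the HttpsToken assertions to evaluate
         * @param message the inbound message
         */
        private void assertHttps(Collection<AssertionInfo> ais, Message message) {
            // Pure read, identical for every assertion: hoisted out of the loop.
            TLSSessionInfo tls = message.get(TLSSessionInfo.class);
            for (AssertionInfo ai : ais) {
                HttpsToken token = (HttpsToken) ai.getAssertion();
                Map<String, List<String>> headers = getSetProtocolHeaders(message);
                boolean asserted = true;
                if (token.isHttpBasicAuthentication()
                    && !firstAuthorizationStartsWith(headers, HttpAuthHeader.AUTH_TYPE_BASIC)) {
                    asserted = false;
                }
                if (token.isHttpDigestAuthentication()
                    && !firstAuthorizationStartsWith(headers, AUTH_TYPE_DIGEST)) {
                    asserted = false;
                }
                if (tls == null) {
                    // No TLS session information: the request did not come in over HTTPS.
                    asserted = false;
                } else if (token.isRequireClientCertificate()
                           && (tls.getPeerCertificates() == null
                               || tls.getPeerCertificates().length == 0)) {
                    asserted = false;
                }
                ai.setAsserted(asserted);
            }
        }

        /**
         * Returns the first peer certificate of the TLS session when it is an X.509
         * certificate, otherwise {@code null}.
         *
         * @param tls the TLS session information, may be {@code null}
         * @return the client's X.509 certificate or {@code null}
         */
        private static X509Certificate firstPeerX509Certificate(TLSSessionInfo tls) {
            if (tls == null) {
                return null;
            }
            Certificate[] peers = tls.getPeerCertificates();
            if (peers == null || peers.length == 0 || !(peers[0] instanceof X509Certificate)) {
                return null;
            }
            return (X509Certificate) peers[0];
        }

        /**
         * Builds a minimal {@link SecurityContext} exposing the given principal.
         *
         * <p>The returned context carries no role information: {@code isUserInRole}
         * always returns {@code false}.
         *
         * @param principal the principal to expose, taken from the client certificate subject
         * @return a context whose user principal is {@code principal}
         */
        private SecurityContext createSecurityContext(final Principal principal) {
            return new SecurityContext() {
                @Override
                public Principal getUserPrincipal() {
                    return principal;
                }

                @Override
                public boolean isUserInRole(String role) {
                    return false;
                }
            };
        }
    }

    /**
     * Client-side (outbound) enforcement of the HttpsToken assertion.
     *
     * <p>On the server side (non-requestor) outbound responses are not checked and the
     * assertions are simply marked as asserted.
     */
    static class HttpsTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
        public HttpsTokenOutInterceptor() {
            super(Phase.PRE_STREAM);
        }

        /**
         * Evaluates every HttpsToken assertion against the outgoing request when this
         * side is the requestor; otherwise marks them asserted.
         *
         * @param message the outbound message
         * @throws Fault never thrown directly; policy failures surface as {@link PolicyException}
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> ais = aim.get(SP12Constants.HTTPS_TOKEN);
            if (ais == null) {
                return;
            }
            if (isRequestor(message)) {
                assertHttps(ais, message);
                return;
            }
            // Server side: the response leg carries nothing to verify here.
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }

        /**
         * Checks the outgoing request against each HttpsToken assertion and throws on the
         * first one that is not satisfied.
         *
         * <p>Conditions checked: the connection must be an {@link HttpsURLConnection};
         * when a client certificate is required a {@link MessageTrustDecider} is installed
         * that rejects the connection unless local certificates were negotiated; when
         * HTTP Basic/Digest authentication is required the {@code Authorization} header
         * must already carry that scheme.
         *
         * @param ais     the HttpsToken assertions to evaluate
         * @param message the outbound message
         * @throws PolicyException if any assertion is not satisfied
         */
        private void assertHttps(Collection<AssertionInfo> ais, Message message) {
            HttpURLConnection connection = (HttpURLConnection) message.get(HTTP_CONNECTION_KEY);
            for (AssertionInfo ai : ais) {
                HttpsToken token = (HttpsToken) ai.getAssertion();
                ai.setAsserted(true);
                Map<String, List<String>> headers = getSetProtocolHeaders(message);
                if (connection instanceof HttpsURLConnection) {
                    if (token.isRequireClientCertificate()) {
                        installClientCertificateTrustDecider(message);
                    }
                    if (token.isHttpBasicAuthentication()
                        && !firstAuthorizationStartsWith(headers, HttpAuthHeader.AUTH_TYPE_BASIC)) {
                        ai.setNotAsserted("HttpBasicAuthentication is set, but not being used");
                    }
                    if (token.isHttpDigestAuthentication()
                        && !firstAuthorizationStartsWith(headers, AUTH_TYPE_DIGEST)) {
                        ai.setNotAsserted("HttpDigestAuthentication is set, but not being used");
                    }
                } else {
                    ai.setNotAsserted("HttpURLConnection is not a HttpsURLConnection");
                }
                if (!ai.isAsserted()) {
                    throw new PolicyException(ai);
                }
            }
        }

        /**
         * Wraps any {@link MessageTrustDecider} already on the message with one that,
         * after delegating, additionally requires local (client) certificates to have
         * been negotiated on the connection.
         *
         * <p>The decider fails closed: a connection whose info is not an
         * {@link HttpsURLConnectionInfo} is rejected with an
         * {@link UntrustedURLConnectionIOException} instead of escaping as a
         * {@code ClassCastException}.
         *
         * @param message the outbound message carrying the decider
         */
        private static void installClientCertificateTrustDecider(Message message) {
            final MessageTrustDecider delegate = message.get(MessageTrustDecider.class);
            message.put(MessageTrustDecider.class, new MessageTrustDecider() {
                @Override
                public void establishTrust(String conduitName, URLConnectionInfo info, Message msg)
                    throws UntrustedURLConnectionIOException {
                    if (delegate != null) {
                        delegate.establishTrust(conduitName, info, msg);
                    }
                    if (!(info instanceof HttpsURLConnectionInfo)) {
                        throw new UntrustedURLConnectionIOException(
                            "RequireClientCertificate is set, but the connection is not an HTTPS connection.");
                    }
                    HttpsURLConnectionInfo httpsInfo = (HttpsURLConnectionInfo) info;
                    if (httpsInfo.getLocalCertificates() == null
                        || httpsInfo.getLocalCertificates().length == 0) {
                        throw new UntrustedURLConnectionIOException(
                            "RequireClientCertificate is set, but no local certificates were negotiated.  "
                            + "Is the server set to ask for client authorization?");
                    }
                }
            });
        }
    }

    /**
     * Registers this provider for the SP 1.1 and SP 1.2 HttpsToken QNames and adds the
     * outbound and inbound interceptors to the normal and fault chains.
     */
    public HttpsTokenInterceptorProvider() {
        super(Arrays.asList(SP11Constants.HTTPS_TOKEN, SP12Constants.HTTPS_TOKEN));
        getOutInterceptors().add(new HttpsTokenOutInterceptor());
        getOutFaultInterceptors().add(new HttpsTokenOutInterceptor());
        getInInterceptors().add(new HttpsTokenInInterceptor());
        getInFaultInterceptors().add(new HttpsTokenInInterceptor());
    }

    /**
     * Reports whether the first {@code Authorization} header value starts with the
     * given scheme prefix. The comparison is exact (case-sensitive), matching the
     * existing policy checks.
     *
     * @param headers protocol headers keyed case-insensitively (see {@link #getSetProtocolHeaders})
     * @param scheme  scheme prefix such as {@link HttpAuthHeader#AUTH_TYPE_BASIC}
     * @return {@code true} if a non-null first Authorization value starts with {@code scheme}
     */
    private static boolean firstAuthorizationStartsWith(Map<String, List<String>> headers,
                                                        String scheme) {
        List<String> values = headers.get(HttpHeaderHelper.AUTHORIZATION);
        if (values == null || values.isEmpty()) {
            return false;
        }
        String first = values.get(0);
        return first != null && first.startsWith(scheme);
    }

    /**
     * Returns the message's protocol headers, creating and storing an empty
     * case-insensitive map if none are present yet.
     *
     * <p>Decompiler note: the original access modifier was {@code private}; it is kept
     * {@code public} here for compatibility with the class as shipped.
     *
     * @param message the message whose headers are requested
     * @return the (possibly newly created) protocol header map, never {@code null}
     */
    public static Map<String, List<String>> getSetProtocolHeaders(Message message) {
        Map<String, List<String>> headers =
            CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
        if (headers == null) {
            headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
            message.put(Message.PROTOCOL_HEADERS, headers);
        }
        return headers;
    }
}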
