package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.bsp.BSPEnforcer;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.processor.UsernameTokenProcessor;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.class */
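/**
 * WS-Security {@code UsernameToken} interceptor.
 * <p>
 * Inbound ({@link #processToken(SoapMessage)}): scans the security header for
 * {@code wsse:UsernameToken} elements. By default each token is handed to WSS4J's
 * {@link UsernameTokenProcessor}, configured with the message's callback handler (or the
 * {@link SecurityConstants#USERNAME_TOKEN_VALIDATOR} validator) and the nonce replay cache.
 * If the contextual property {@link SecurityConstants#VALIDATE_TOKEN} is {@code false} the
 * token is only parsed into a principal and nothing is verified here. The resulting principal
 * populates the message {@link SecurityContext} (when none with a user principal exists yet),
 * is recorded as a WSS4J handler result under {@code RECV_RESULTS} and is checked against the
 * UsernameToken policy assertions.
 * <p>
 * Outbound ({@link #addToken(SoapMessage)}): builds a {@code UsernameToken} from the
 * {@link SecurityConstants#USERNAME} / {@link SecurityConstants#PASSWORD} contextual
 * properties (falling back to the password callback) and appends it to the security header.
 */
public class UsernameTokenInterceptor extends AbstractTokenInterceptor {

    /** Namespace of the WS-Security 1.0 secext schema (wsse). */
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Password type URIs from the Username Token Profile 1.0 (WSConstants.PASSWORD_DIGEST / PASSWORD_TEXT). */
    private static final String PASSWORD_DIGEST_URI =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    private static final String PASSWORD_TEXT_URI =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    /** WSS4J action codes: WSConstants.UT (token with password) and WSConstants.UT_NOPASSWORD. */
    private static final int ACTION_UT = 1;
    private static final int ACTION_UT_NOPASSWORD = 8192;

    /** WSPasswordCallback.USERNAME_TOKEN usage code passed to the password callback. */
    private static final int USERNAME_TOKEN_CALLBACK_USAGE = 2;

    /** Key of the WSS4J handler result list on the message (WSHandlerConstants.RECV_RESULTS). */
    private static final String RECV_RESULTS_KEY = "RECV_RESULTS";

    /**
     * Processes every {@code wsse:UsernameToken} in the inbound security header.
     * <p>
     * Security note: with {@code SecurityConstants.VALIDATE_TOKEN} set to {@code false} the
     * token is only parsed ({@link #parseTokenAndCreatePrincipal}); neither the password nor the
     * nonce is checked by this interceptor, yet a {@link SecurityContext} is still created from
     * the unverified principal. Only disable validation when another component authenticates
     * the token.
     *
     * @param soapMessage the inbound message; returns silently if it has no security header
     * @throws Fault wrapping any {@link WSSecurityException} or {@link Base64DecodingException}
     *         raised while validating or parsing a token
     */
    @Override
    protected void processToken(SoapMessage soapMessage) {
        Header securityHeader = findSecurityHeader(soapMessage, false);
        if (securityHeader == null) {
            return;
        }
        boolean validate = MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.VALIDATE_TOKEN, true);

        Element child = DOMUtils.getFirstElement((Element) securityHeader.getObject());
        while (child != null) {
            if ("UsernameToken".equals(child.getLocalName()) && WSSE_NS.equals(child.getNamespaceURI())) {
                Principal principal;
                Subject subject = null;
                // Both branches may throw checked exceptions; a failed token is a Fault either way.
                try {
                    if (validate) {
                        WSSecurityEngineResult result = validateToken(child, soapMessage);
                        principal = (Principal) result.get("principal"); // WSSecurityEngineResult.TAG_PRINCIPAL
                        subject = (Subject) result.get("subject");       // WSSecurityEngineResult.TAG_SUBJECT
                    } else {
                        principal = parseTokenAndCreatePrincipal(child, isWsiBSPCompliant(soapMessage));
                        WSS4JTokenConverter.convertToken(soapMessage, principal);
                    }
                } catch (WSSecurityException e) {
                    throw new Fault(e);
                } catch (Base64DecodingException e) {
                    throw new Fault(e);
                }

                // Only install a SecurityContext if nothing upstream already authenticated a user.
                SecurityContext existing = (SecurityContext) soapMessage.get(SecurityContext.class);
                if (existing == null || existing.getUserPrincipal() == null) {
                    if (subject != null && principal != null) {
                        soapMessage.put(SecurityContext.class, createSecurityContext(principal, subject));
                    } else if (principal instanceof UsernameTokenPrincipal) {
                        UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal) principal;
                        String nonce = null;
                        if (utPrincipal.getNonce() != null) {
                            nonce = Base64.encode(utPrincipal.getNonce());
                        }
                        // createSubject is an extension point; the default implementation returns null.
                        Subject created = createSubject(utPrincipal.getName(), utPrincipal.getPassword(),
                                                        utPrincipal.isPasswordDigest(), nonce,
                                                        utPrincipal.getCreatedTime());
                        soapMessage.put(SecurityContext.class, createSecurityContext(utPrincipal, created));
                    }
                }

                if (principal instanceof UsernameTokenPrincipal) {
                    storeResults((UsernameTokenPrincipal) principal, soapMessage);
                }
            }
            child = DOMUtils.getNextElement(child);
        }
    }

    /**
     * @deprecated no longer used by this interceptor; always returns {@code null}.
     */
    @Deprecated
    protected UsernameTokenPrincipal getPrincipal(Element element, SoapMessage soapMessage) {
        return null;
    }

    /**
     * Records the principal as a WSS4J handler result at the front of the message's
     * {@code RECV_RESULTS} list, asserts the UsernameToken policy against it and exposes it under
     * {@link WSS4JInInterceptor#PRINCIPAL_RESULT}.
     *
     * @param principal   the principal built from the token (never {@code null} here)
     * @param soapMessage the inbound message
     */
    private void storeResults(UsernameTokenPrincipal principal, SoapMessage soapMessage) {
        // A token without any password is reported with the dedicated UT_NOPASSWORD action.
        int action = principal.getPassword() == null ? ACTION_UT_NOPASSWORD : ACTION_UT;

        List<WSSecurityEngineResult> engineResults = new ArrayList<WSSecurityEngineResult>();
        engineResults.add(new WSSecurityEngineResult(action, principal, (X509Certificate[]) null,
                                                     (List) null, (byte[]) null));

        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) soapMessage.get(RECV_RESULTS_KEY));
        if (handlerResults == null) {
            handlerResults = new ArrayList<WSHandlerResult>();
            soapMessage.put(RECV_RESULTS_KEY, handlerResults);
        }
        handlerResults.add(0, new WSHandlerResult((String) null, engineResults));

        assertTokens(soapMessage, principal, false);
        soapMessage.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);
    }

    /**
     * Validates a {@code UsernameToken} element through WSS4J's {@link UsernameTokenProcessor}.
     * <p>
     * The processor is wired with: the message's callback handler ({@link #getCallback}), an
     * optional validator from {@link SecurityConstants#USERNAME_TOKEN_VALIDATOR}, the nonce
     * replay cache ({@link SecurityConstants#ENABLE_NONCE_CACHE} /
     * {@link SecurityConstants#NONCE_CACHE_INSTANCE}), and a fresh {@link WSSConfig} that allows
     * password-less tokens only when the policy contains a {@code NoPassword} UsernameToken
     * assertion. BSP enforcement is disabled when {@link #isWsiBSPCompliant} is {@code false}.
     *
     * @return the first engine result produced by the processor
     * @throws WSSecurityException     if WSS4J rejects the token
     * @throws Base64DecodingException if the token's Base64 content is malformed
     */
    protected WSSecurityEngineResult validateToken(Element element, final SoapMessage soapMessage)
        throws WSSecurityException, Base64DecodingException {
        boolean bspCompliant = isWsiBSPCompliant(soapMessage);
        boolean allowNoPassword = isAllowNoPassword((AssertionInfoMap) soapMessage.get(AssertionInfoMap.class));

        UsernameTokenProcessor processor = new UsernameTokenProcessor();
        WSDocInfo docInfo = new WSDocInfo(element.getOwnerDocument());

        RequestData requestData = new RequestData() {
            @Override
            public CallbackHandler getCallbackHandler() {
                return UsernameTokenInterceptor.this.getCallback(soapMessage);
            }

            /** A contextual USERNAME_TOKEN_VALIDATOR takes precedence over WSS4J's default validator. */
            @Override
            public Validator getValidator(QName qName) throws WSSecurityException {
                Object custom = soapMessage.getContextualProperty(SecurityConstants.USERNAME_TOKEN_VALIDATOR);
                if (custom == null) {
                    return super.getValidator(qName);
                }
                return (Validator) custom;
            }
        };
        // Nonce replay protection for digest tokens; null when the cache is disabled.
        requestData.setNonceReplayCache(WSS4JUtils.getReplayCache(soapMessage,
                                                                  SecurityConstants.ENABLE_NONCE_CACHE,
                                                                  SecurityConstants.NONCE_CACHE_INSTANCE));

        WSSConfig config = WSSConfig.getNewInstance();
        config.setAllowUsernameTokenNoPassword(allowNoPassword);
        requestData.setWssConfig(config);
        if (!bspCompliant) {
            requestData.setDisableBSPEnforcement(true);
        }

        return (WSSecurityEngineResult) processor.handleToken(element, requestData, docInfo).get(0);
    }

    /**
     * Parses a {@code UsernameToken} element into a principal <em>without</em> validating it.
     * <p>
     * Security note: the password (digest or clear text), nonce and created time are copied
     * verbatim from the element; no credential check happens here.
     *
     * @param element      the {@code wsse:UsernameToken} element
     * @param bspCompliant whether Basic Security Profile rules are enforced while parsing
     * @throws WSSecurityException     if the element is not a well-formed token
     * @throws Base64DecodingException if the nonce is not valid Base64
     */
    protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element element, boolean bspCompliant)
        throws WSSecurityException, Base64DecodingException {
        org.apache.wss4j.dom.message.token.UsernameToken token =
            new org.apache.wss4j.dom.message.token.UsernameToken(element, false, new BSPEnforcer(!bspCompliant));

        WSUsernameTokenPrincipalImpl principal =
            new WSUsernameTokenPrincipalImpl(token.getName(), token.isHashed());
        if (token.getNonce() != null) {
            principal.setNonce(Base64.decode(token.getNonce()));
        }
        principal.setPassword(token.getPassword());
        principal.setCreatedTime(token.getCreated());
        principal.setPasswordType(token.getPasswordType());
        return principal;
    }

    /**
     * Returns {@code false} only when {@link SecurityConstants#IS_BSP_COMPLIANT} is explicitly
     * {@code "false"} or {@code "0"}; any other value (including unset) means compliant.
     */
    protected boolean isWsiBSPCompliant(SoapMessage soapMessage) {
        String value = (String) soapMessage.getContextualProperty(SecurityConstants.IS_BSP_COMPLIANT);
        return !("false".equals(value) || "0".equals(value));
    }

    /**
     * Returns {@code true} if any UsernameToken policy assertion has password type
     * {@code NoPassword}; {@code false} when there are no such assertions.
     */
    private boolean isAllowNoPassword(AssertionInfoMap assertionInfoMap) throws WSSecurityException {
        Collection<AssertionInfo> assertions = getAllAssertionsByLocalname(assertionInfoMap, "UsernameToken");
        if (assertions.isEmpty()) {
            return false;
        }
        for (AssertionInfo info : assertions) {
            org.apache.wss4j.policy.model.UsernameToken policy =
                (org.apache.wss4j.policy.model.UsernameToken) info.getAssertion();
            if (policy.getPasswordType() == org.apache.wss4j.policy.model.UsernameToken.PasswordType.NoPassword) {
                return true;
            }
        }
        return false;
    }

    /**
     * Creates the {@link SecurityContext} installed on the message; extension point for
     * subclasses that need a different context implementation.
     */
    protected SecurityContext createSecurityContext(Principal principal, Subject subject) {
        return new DefaultSecurityContext(principal, subject);
    }

    /**
     * Extension point for building a JAAS {@link Subject} from the token's raw credentials.
     * The default implementation returns {@code null} (no Subject).
     *
     * @param name           user name from the token
     * @param password       password from the token (digest or clear text), may be {@code null}
     * @param isDigest       whether {@code password} is a digest
     * @param nonce          Base64-encoded nonce, or {@code null}
     * @param createdTime    token created time, or {@code null}
     * @throws SecurityException if a subclass cannot authenticate the credentials
     */
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String createdTime) throws SecurityException {
        return null;
    }

    /**
     * Outbound policy assertion: marks the UsernameToken-related assertions as asserted and
     * returns the UsernameToken policy to build a token for.
     */
    @Override
    public org.apache.wss4j.policy.model.UsernameToken mo39assertTokens(SoapMessage soapMessage) {
        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        assertPolicy(aim, "WssUsernameToken10");
        assertPolicy(aim, "WssUsernameToken11");
        assertPolicy(aim, "HashPassword");
        assertPolicy(aim, "NoPassword");
        assertPolicy(aim, SP13Constants.NONCE);
        assertPolicy(aim, SP13Constants.CREATED);
        return assertTokens(soapMessage, "UsernameToken", true);
    }

    /**
     * Inbound policy assertion: checks each UsernameToken assertion against what the received
     * token actually carried (digest vs. text password, presence of a password, created time,
     * nonce) and marks it asserted or not accordingly.
     *
     * @param soapMessage the inbound message
     * @param principal   the received token's principal; {@code null} is treated as "nothing supplied"
     * @param signed      whether the token is known to be signed; together with TLS this decides
     *                    whether {@code SignedSupportingTokens} can be asserted
     * @return the last UsernameToken policy assertion seen, or {@code null} if there was none
     */
    private org.apache.wss4j.policy.model.UsernameToken assertTokens(SoapMessage soapMessage,
                                                                      UsernameTokenPrincipal principal,
                                                                      boolean signed) {
        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        org.apache.wss4j.policy.model.UsernameToken policy = null;

        for (AssertionInfo info : getAllAssertionsByLocalname(aim, "UsernameToken")) {
            policy = (org.apache.wss4j.policy.model.UsernameToken) info.getAssertion();
            info.setAsserted(true);

            // HashPassword policy requires that the token actually carried a digest.
            boolean requiresDigest =
                policy.getPasswordType() == org.apache.wss4j.policy.model.UsernameToken.PasswordType.HashPassword;
            if (!requiresDigest || (principal != null && principal.isPasswordDigest())) {
                assertPolicy(aim, "HashPassword");
            } else {
                info.setNotAsserted("Password hashing policy not enforced");
            }

            // A non-endorsing token that is supposed to carry a password must have one.
            boolean requiresPassword =
                policy.getPasswordType() != org.apache.wss4j.policy.model.UsernameToken.PasswordType.NoPassword;
            if (requiresPassword && isNonEndorsingSupportingToken(policy)
                && (principal == null || principal.getPassword() == null)) {
                info.setNotAsserted("Username Token No Password supplied");
            } else {
                assertPolicy(aim, "NoPassword");
            }

            // Null principal is treated the same as a missing element, as for the password check.
            if (policy.isCreated() && (principal == null || principal.getCreatedTime() == null)) {
                info.setNotAsserted("No Created Time");
            } else {
                assertPolicy(aim, SP13Constants.CREATED);
            }

            if (policy.isNonce() && (principal == null || principal.getNonce() == null)) {
                info.setNotAsserted("No Nonce");
            } else {
                assertPolicy(aim, SP13Constants.NONCE);
            }
        }

        assertPolicy(aim, "WssUsernameToken10");
        assertPolicy(aim, "WssUsernameToken11");
        assertPolicy(aim, "SupportingTokens");
        // A token is accepted as "signed" when it really is, or when TLS protects the transport.
        if (signed || isTLSInUse(soapMessage)) {
            assertPolicy(aim, "SignedSupportingTokens");
        }
        return policy;
    }

    /**
     * Returns {@code true} unless the token's parent assertion is an endorsing
     * {@link SupportingTokens} element.
     */
    private boolean isNonEndorsingSupportingToken(org.apache.wss4j.policy.model.UsernameToken policy) {
        Object parent = policy.getParentAssertion();
        if (parent instanceof SupportingTokens && ((SupportingTokens) parent).isEndorsing()) {
            return false;
        }
        return true;
    }

    /**
     * Outbound: appends a {@code UsernameToken} to the security header, or un-asserts every
     * UsernameToken assertion when no token could be built (missing username/password).
     */
    @Override
    protected void addToken(SoapMessage soapMessage) {
        org.apache.wss4j.policy.model.UsernameToken policy = mo39assertTokens(soapMessage);
        // Must run before building the token: creates the security header if absent.
        Header securityHeader = findSecurityHeader(soapMessage, true);
        WSSecUsernameToken token = addUsernameToken(soapMessage, policy);
        if (token != null) {
            Element headerElement = (Element) securityHeader.getObject();
            token.prepare(headerElement.getOwnerDocument());
            headerElement.appendChild(token.getUsernameTokenElement());
            return;
        }
        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        for (AssertionInfo info : getAllAssertionsByLocalname(aim, "UsernameToken")) {
            if (info.isAsserted()) {
                info.setAsserted(false);
            }
        }
    }

    /**
     * Builds the outbound {@code UsernameToken} for the given policy.
     * <p>
     * Security note: with a {@code PasswordText} policy the password is sent in clear text
     * inside the SOAP header; the policy should also require transport protection (TLS).
     *
     * @param soapMessage the outbound message (supplies USERNAME / PASSWORD / callback)
     * @param policy      the UsernameToken policy deciding the password type
     * @return the token builder, or {@code null} (with the policy marked not asserted) when the
     *         username, or the password for a non-NoPassword policy, is unavailable
     */
    protected WSSecUsernameToken addUsernameToken(SoapMessage soapMessage,
                                                  org.apache.wss4j.policy.model.UsernameToken policy) {
        String userName = (String) soapMessage.getContextualProperty(SecurityConstants.USERNAME);
        WSSConfig config = (WSSConfig) soapMessage.getContextualProperty(WSSConfig.class.getName());
        if (config == null) {
            config = WSSConfig.getNewInstance();
        }
        if (StringUtils.isEmpty(userName)) {
            policyNotAsserted((AbstractToken) policy, "No username available", soapMessage);
            return null;
        }

        if (policy.getPasswordType() == org.apache.wss4j.policy.model.UsernameToken.PasswordType.NoPassword) {
            WSSecUsernameToken token = new WSSecUsernameToken(config);
            token.setUserInfo(userName, (String) null);
            token.setPasswordType((String) null);
            return token;
        }

        String password = (String) soapMessage.getContextualProperty(SecurityConstants.PASSWORD);
        if (StringUtils.isEmpty(password)) {
            password = getPassword(userName, policy, USERNAME_TOKEN_CALLBACK_USAGE, soapMessage);
        }
        if (StringUtils.isEmpty(password)) {
            // Reported as a password problem (the username was already checked above).
            policyNotAsserted((AbstractToken) policy, "No password available", soapMessage);
            return null;
        }

        WSSecUsernameToken token = new WSSecUsernameToken(config);
        boolean digest =
            policy.getPasswordType() == org.apache.wss4j.policy.model.UsernameToken.PasswordType.HashPassword;
        token.setPasswordType(digest ? PASSWORD_DIGEST_URI : PASSWORD_TEXT_URI);
        token.setUserInfo(userName, password);
        return token;
    }
}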
