package org.apache.cxf.ws.security.wss4j;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.stream.XMLStreamException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil;
import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.JasyptPasswordEncryptor;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.Timestamp;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.Attachments;
import org.apache.wss4j.policy.model.Header;
import org.apache.wss4j.policy.model.RequiredElements;
import org.apache.wss4j.policy.model.RequiredParts;
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.Wss11;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.class */
public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
    /** Shared instance, created eagerly through the no-arg constructor when the class is initialised. */
    public static final PolicyBasedWSS4JInInterceptor INSTANCE = new PolicyBasedWSS4JInInterceptor();
    /** Class logger obtained through CXF's {@code LogUtils}; this class only logs at FINE. */
    private static final Logger LOG = LogUtils.getL7dLogger(PolicyBasedWSS4JInInterceptor.class);

    /**
     * Creates the interceptor by delegating to the parent constructor with {@code true}.
     */
    public PolicyBasedWSS4JInInterceptor() {
        // NOTE(review): the meaning of the boolean is defined by WSS4JInInterceptor, which is
        // not visible here - confirm against the parent class before changing it.
        super(true);
    }

    /**
     * Hands the message to the parent WSS4J processing only when it is policy driven and
     * streaming security is not enabled.
     *
     * If the message has no {@link AssertionInfoMap}, or the
     * {@code SecurityConstants.ENABLE_STREAMING_SECURITY} contextual property is true, this
     * method returns without doing anything.
     *
     * @param soapMessage the inbound SOAP message
     * @throws Fault propagated from the parent interceptor
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        AssertionInfoMap policyAssertions = soapMessage.get(AssertionInfoMap.class);
        Object streamingFlag = soapMessage.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY);
        boolean streamingEnabled = MessageUtils.isTrue(streamingFlag);

        // NOTE(review): in both skip cases this interceptor performs no WS-Security processing
        // at all. Presumably another interceptor covers the streaming case - confirm that the
        // chain never leaves a message without any security processing.
        if (policyAssertions != null && !streamingEnabled) {
            super.handleMessage(soapMessage);
        }
    }

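    /**
     * Returns the crypto configuration as a {@link Properties} object.
     *
     * A {@code Properties} instance passed as {@code obj} is returned as is. Otherwise, when
     * {@code url} is not null, the properties are loaded from that URL.
     *
     * @param obj the configured value; used directly when it is a {@code Properties}
     * @param url location to load from when {@code obj} is not a {@code Properties}; may be null
     * @param soapMessage not used by this method
     * @return the properties, or null when there is nothing to load or reading fails
     */
    private static Properties getProps(Object obj, URL url, SoapMessage soapMessage) {
        if (obj instanceof Properties) {
            return (Properties) obj;
        }
        if (url == null) {
            return null;
        }
        Properties loaded = new Properties();
        try {
            InputStream in = url.openStream();
            try {
                loaded.load(in);
            } finally {
                // Close on every path: previously a failing load() left the stream open.
                in.close();
            }
        } catch (IOException e) {
            // An unreadable location is reported as "no properties"; the callers in this
            // class turn a null result into a WSSecurityException.
            return null;
        }
        return loaded;
    }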

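    /**
     * Resolves the configured crypto-properties location to a URL.
     *
     * A {@link URL} is returned unchanged. A {@code String} is tried, in order, as a resource
     * known to the bus {@link ResourceManager}, as a class-loader resource, and finally as a
     * literal URL. Any other type yields null.
     *
     * @param obj the configured location (String or URL)
     * @param soapMessage message whose exchange supplies the {@link Bus}
     * @return the resolved URL, or null when the value cannot be resolved
     */
    private URL getPropertiesFileURL(Object obj, SoapMessage soapMessage) {
        if (obj instanceof URL) {
            return (URL) obj;
        }
        if (!(obj instanceof String)) {
            return null;
        }
        String location = (String) obj;
        Bus bus = (Bus) soapMessage.getExchange().get(Bus.class);
        ResourceManager resourceManager = (ResourceManager) bus.getExtension(ResourceManager.class);
        URL url = (URL) resourceManager.resolveResource(location, URL.class);
        try {
            if (url == null) {
                url = ClassLoaderUtils.getResource(location, AbstractWSS4JInterceptor.class);
            }
            if (url == null) {
                // NOTE(review): this fallback accepts any URL the JVM can parse. The value is
                // expected to come from deployment configuration only - confirm that no
                // message-derived data can reach this property.
                // new URL(...) throws the checked MalformedURLException (an IOException); it
                // was previously outside the try block and therefore unhandled.
                url = new URL(location);
            }
        } catch (IOException e) {
            // An unresolvable or malformed location is treated as "not found".
            return null;
        }
        return url;
    }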

    /**
     * On the requestor side, sets {@code ConfigurationConstants.ENABLE_SIGNATURE_CONFIRMATION}
     * on the message: "true" when any WSS11 assertion requires signature confirmation,
     * otherwise "false". Does nothing when the message is not a requestor message.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param soapMessage the message that receives the setting
     */
    private void handleWSS11(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage) {
        if (!isRequestor(soapMessage)) {
            return;
        }
        // Default to "false"; it is switched on below only if the policy asks for it.
        soapMessage.put(ConfigurationConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
        for (AssertionInfo wss11Info : getAllAssertionsByLocalname(assertionInfoMap, SPConstants.WSS11)) {
            Wss11 wss11 = (Wss11) wss11Info.getAssertion();
            if (wss11.isRequireSignatureConfirmation()) {
                soapMessage.put(ConfigurationConstants.ENABLE_SIGNATURE_CONFIRMATION, "true");
                return;
            }
        }
    }

    /**
     * Adds an action name to a space-separated action string unless it is already there.
     *
     * @param str the current action string
     * @param str2 the action name to add
     * @param z true to put the name in front of the string, false to append it
     * @return {@code str} unchanged when it already contains {@code str2}, else the combined string
     */
    private String addToAction(String str, String str2, boolean z) {
        // NOTE(review): this is a substring test, not a whole-token test, so a longer action
        // name that merely contains str2 also counts as "already present" - confirm that this
        // is intended for the action names used by the callers.
        if (str.contains(str2)) {
            return str;
        }
        if (z) {
            return str2 + " " + str;
        }
        return str + " " + str2;
    }

    /**
     * Marks every assertion registered under the given qualified name as asserted.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param qName the qualified name of the assertion
     * @return true when at least one assertion was found, false otherwise
     */
    private boolean assertPolicy(AssertionInfoMap assertionInfoMap, QName qName) {
        Collection<AssertionInfo> matches = assertionInfoMap.getAssertionInfo(qName);
        boolean found = matches != null && !matches.isEmpty();
        if (found) {
            for (AssertionInfo match : matches) {
                match.setAsserted(true);
            }
        }
        return found;
    }

    /**
     * Marks every assertion with the given local name as asserted, looking in both policy
     * namespaces covered by {@code getAllAssertionsByLocalname}.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param str the local name of the assertion
     * @return true when at least one assertion was found, false otherwise
     */
    private boolean assertPolicy(AssertionInfoMap assertionInfoMap, String str) {
        Collection<AssertionInfo> matches = getAllAssertionsByLocalname(assertionInfoMap, str);
        boolean found = !matches.isEmpty();
        for (AssertionInfo match : matches) {
            match.setAsserted(true);
        }
        return found;
    }

    /**
     * Collects the assertions registered under a local name in the
     * {@code SP11Constants.SP_NS} and {@code SP12Constants.SP_NS} namespaces.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param str the local name to look up
     * @return the union of both lookups; an empty set (never null) when neither has entries
     */
    private Collection<AssertionInfo> getAllAssertionsByLocalname(AssertionInfoMap assertionInfoMap, String str) {
        Collection<AssertionInfo> sp11Matches = assertionInfoMap.get(new QName(SP11Constants.SP_NS, str));
        Collection<AssertionInfo> sp12Matches = assertionInfoMap.get(new QName(SP12Constants.SP_NS, str));

        boolean sp11Present = sp11Matches != null && !sp11Matches.isEmpty();
        boolean sp12Present = sp12Matches != null && !sp12Matches.isEmpty();
        if (!sp11Present && !sp12Present) {
            return Collections.emptySet();
        }

        Collection<AssertionInfo> merged = new HashSet<AssertionInfo>();
        if (sp11Matches != null) {
            merged.addAll(sp11Matches);
        }
        if (sp12Matches != null) {
            merged.addAll(sp12Matches);
        }
        return merged;
    }

    /**
     * When the policy contains an asymmetric binding, adds the signature and encryption
     * actions and registers the Crypto objects on the message.
     *
     * The signature Crypto is registered under {@code DEC_PROP_REF_ID}, and the encryption
     * Crypto (or the signature Crypto when there is none) under {@code SIG_VER_PROP_REF_ID}.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param str the action string built so far
     * @param soapMessage the message that supplies the configuration and receives the Cryptos
     * @param requestData passed on to the Crypto loaders
     * @return {@code str} unchanged when there is no asymmetric binding, else the extended action
     * @throws WSSecurityException if a configured Crypto cannot be loaded
     */
    private String checkAsymmetricBinding(AssertionInfoMap assertionInfoMap, String str, SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        if (getAllAssertionsByLocalname(assertionInfoMap, SPConstants.ASYMMETRIC_BINDING).isEmpty()) {
            return str;
        }
        String action = addToAction(str, "Signature", true);
        action = addToAction(action, ConfigurationConstants.ENCRYPT, true);

        // A Crypto instance takes precedence over a properties location.
        Object sigConfig = soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
        if (sigConfig == null) {
            sigConfig = soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
        }
        Object encConfig = soapMessage.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
        if (encConfig == null) {
            encConfig = soapMessage.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
        }

        Crypto encCrypto = getEncryptionCrypto(encConfig, soapMessage, requestData);
        Crypto sigCrypto;
        if (encConfig != null && encConfig.equals(sigConfig)) {
            // Same configuration for both roles: reuse the Crypto already loaded.
            sigCrypto = encCrypto;
        } else {
            sigCrypto = getSignatureCrypto(sigConfig, soapMessage, requestData);
        }

        // NOTE(review): the signature Crypto is used for decryption and the encryption Crypto
        // for signature verification - presumably because this is the inbound side, where the
        // key roles are mirrored. Confirm against the outbound interceptor.
        // NOTE(review): the message keys are derived from hashCode(); two different Crypto
        // objects with equal hash codes would share one key and the later put would win.
        if (sigCrypto != null) {
            String decryptRefId = "RefId-" + sigCrypto.hashCode();
            soapMessage.put(ConfigurationConstants.DEC_PROP_REF_ID, decryptRefId);
            soapMessage.put(decryptRefId, sigCrypto);
        }
        Crypto verifyCrypto = encCrypto != null ? encCrypto : sigCrypto;
        if (verifyCrypto != null) {
            String verifyRefId = "RefId-" + verifyCrypto.hashCode();
            soapMessage.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, verifyRefId);
            soapMessage.put(verifyRefId, verifyCrypto);
        }
        return action;
    }

    /**
     * Adds the signature and encryption actions and registers the Crypto objects on the
     * message, without first checking for a particular binding assertion.
     *
     * The signature Crypto is registered under {@code DEC_PROP_REF_ID}, and the encryption
     * Crypto (or the signature Crypto when there is none) under {@code SIG_VER_PROP_REF_ID}.
     *
     * @param assertionInfoMap not read by this method
     * @param str the action string built so far
     * @param soapMessage the message that supplies the configuration and receives the Cryptos
     * @param requestData passed on to the Crypto loaders
     * @return the extended action string
     * @throws WSSecurityException if a configured Crypto cannot be loaded
     */
    private String checkDefaultBinding(AssertionInfoMap assertionInfoMap, String str, SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        String action = addToAction(str, "Signature", true);
        action = addToAction(action, ConfigurationConstants.ENCRYPT, true);

        // A Crypto instance takes precedence over a properties location.
        Object sigConfig = soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
        if (sigConfig == null) {
            sigConfig = soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
        }
        Object encConfig = soapMessage.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
        if (encConfig == null) {
            encConfig = soapMessage.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
        }

        Crypto encCrypto = getEncryptionCrypto(encConfig, soapMessage, requestData);
        Crypto sigCrypto;
        if (encConfig != null && encConfig.equals(sigConfig)) {
            // Same configuration for both roles: reuse the Crypto already loaded.
            sigCrypto = encCrypto;
        } else {
            sigCrypto = getSignatureCrypto(sigConfig, soapMessage, requestData);
        }

        // NOTE(review): the message keys are derived from hashCode(); two different Crypto
        // objects with equal hash codes would share one key and the later put would win.
        if (sigCrypto != null) {
            String decryptRefId = "RefId-" + sigCrypto.hashCode();
            soapMessage.put(ConfigurationConstants.DEC_PROP_REF_ID, decryptRefId);
            soapMessage.put(decryptRefId, sigCrypto);
        }
        Crypto verifyCrypto = encCrypto != null ? encCrypto : sigCrypto;
        if (verifyCrypto != null) {
            String verifyRefId = "RefId-" + verifyCrypto.hashCode();
            soapMessage.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, verifyRefId);
            soapMessage.put(verifyRefId, verifyCrypto);
        }
        return action;
    }

    /**
     * Reports whether a nonce cache is needed, which is the case when the policy contains a
     * UsernameToken assertion.
     *
     * @param list not used by this override
     * @param soapMessage the message whose policy assertions are inspected
     * @return true when an {@link AssertionInfoMap} exists and holds a UsernameToken assertion
     */
    @Override
    protected boolean isNonceCacheRequired(List<Integer> list, SoapMessage soapMessage) {
        AssertionInfoMap policyAssertions = soapMessage.get(AssertionInfoMap.class);
        return policyAssertions != null
            && !getAllAssertionsByLocalname(policyAssertions, "UsernameToken").isEmpty();
    }

    /**
     * Reports whether a timestamp cache is needed, which is the case when the policy contains
     * an {@code SPConstants.INCLUDE_TIMESTAMP} assertion.
     *
     * @param list not used by this override
     * @param soapMessage the message whose policy assertions are inspected
     * @return true when an {@link AssertionInfoMap} exists and holds such an assertion
     */
    @Override
    protected boolean isTimestampCacheRequired(List<Integer> list, SoapMessage soapMessage) {
        AssertionInfoMap policyAssertions = soapMessage.get(AssertionInfoMap.class);
        return policyAssertions != null
            && !getAllAssertionsByLocalname(policyAssertions, SPConstants.INCLUDE_TIMESTAMP).isEmpty();
    }

    /**
     * Reports whether a SAML cache is needed, which is the case when the policy contains an
     * {@code SPConstants.SAML_TOKEN} assertion.
     *
     * @param list not used by this override
     * @param soapMessage the message whose policy assertions are inspected
     * @return true when an {@link AssertionInfoMap} exists and holds such an assertion
     */
    @Override
    protected boolean isSamlCacheRequired(List<Integer> list, SoapMessage soapMessage) {
        AssertionInfoMap policyAssertions = soapMessage.get(AssertionInfoMap.class);
        return policyAssertions != null
            && !getAllAssertionsByLocalname(policyAssertions, SPConstants.SAML_TOKEN).isEmpty();
    }

    /**
     * Sets {@code ConfigurationConstants.ALLOW_USERNAMETOKEN_NOPASSWORD} to "true" on the
     * message when any UsernameToken assertion in the policy has the NoPassword type.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param soapMessage the message that receives the setting
     * @throws WSSecurityException declared by the signature; nothing visible here throws it
     */
    private void checkUsernameToken(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage) throws WSSecurityException {
        // NOTE(review): a single NoPassword assertion is enough to enable the setting for the
        // whole message. A UsernameToken without a password carries no proof of identity on
        // its own - confirm that such policies pair it with a signature or another token.
        for (AssertionInfo tokenInfo : getAllAssertionsByLocalname(assertionInfoMap, "UsernameToken")) {
            UsernameToken tokenPolicy = (UsernameToken) tokenInfo.getAssertion();
            if (tokenPolicy.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
                soapMessage.put(ConfigurationConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true");
            }
        }
    }

    /**
     * When the policy contains a symmetric binding, adds the signature and encryption actions
     * and registers the Crypto objects on the message.
     *
     * Which Crypto is preferred for which role depends on the side. On the requestor side the
     * encryption Crypto is preferred for signature verification and the signature Crypto for
     * decryption; on the other side the preference is reversed. In each case the other Crypto
     * is the fallback when the preferred one is null.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param str the action string built so far
     * @param soapMessage the message that supplies the configuration and receives the Cryptos
     * @param requestData passed on to the Crypto loaders
     * @return {@code str} unchanged when there is no symmetric binding, else the extended action
     * @throws WSSecurityException if a configured Crypto cannot be loaded
     */
    private String checkSymmetricBinding(AssertionInfoMap assertionInfoMap, String str, SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        if (getAllAssertionsByLocalname(assertionInfoMap, SPConstants.SYMMETRIC_BINDING).isEmpty()) {
            return str;
        }
        String action = addToAction(str, "Signature", true);
        action = addToAction(action, ConfigurationConstants.ENCRYPT, true);

        // A Crypto instance takes precedence over a properties location.
        Object sigConfig = soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
        if (sigConfig == null) {
            sigConfig = soapMessage.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
        }
        Object encConfig = soapMessage.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
        if (encConfig == null) {
            encConfig = soapMessage.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
        }

        Crypto encCrypto = getEncryptionCrypto(encConfig, soapMessage, requestData);
        Crypto sigCrypto;
        if (encConfig != null && encConfig.equals(sigConfig)) {
            // Same configuration for both roles: reuse the Crypto already loaded.
            sigCrypto = encCrypto;
        } else {
            sigCrypto = getSignatureCrypto(sigConfig, soapMessage, requestData);
        }

        Crypto sigFirst = sigCrypto != null ? sigCrypto : encCrypto;
        Crypto encFirst = encCrypto != null ? encCrypto : sigCrypto;
        Crypto verifyCrypto;
        Crypto decryptCrypto;
        if (isRequestor(soapMessage)) {
            verifyCrypto = encFirst;
            decryptCrypto = sigFirst;
        } else {
            verifyCrypto = sigFirst;
            decryptCrypto = encFirst;
        }

        // NOTE(review): the message keys are derived from hashCode(); two different Crypto
        // objects with equal hash codes would share one key and the later put would win.
        if (verifyCrypto != null) {
            String verifyRefId = "RefId-" + verifyCrypto.hashCode();
            soapMessage.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, verifyRefId);
            soapMessage.put(verifyRefId, verifyCrypto);
        }
        if (decryptCrypto != null) {
            String decryptRefId = "RefId-" + decryptCrypto.hashCode();
            soapMessage.put(ConfigurationConstants.DEC_PROP_REF_ID, decryptRefId);
            soapMessage.put(decryptRefId, decryptCrypto);
        }
        return action;
    }

    /**
     * Produces the encryption Crypto from the configured value.
     *
     * A {@link Crypto} is returned as is and null yields null. Any other value is treated as a
     * properties source: the properties are loaded, a Crypto is created from them and stored on
     * the endpoint under {@code SecurityConstants.ENCRYPT_CRYPTO}.
     *
     * @param obj the configured Crypto, properties or properties location; may be null
     * @param soapMessage the message whose exchange supplies the endpoint
     * @param requestData used to find a password encryptor
     * @return the Crypto, or null when nothing is configured
     * @throws WSSecurityException if the properties cannot be found or the Crypto cannot be built
     */
    private Crypto getEncryptionCrypto(Object obj, SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        if (obj instanceof Crypto) {
            return (Crypto) obj;
        }
        if (obj == null) {
            return null;
        }
        Properties props = getProps(obj, getPropertiesFileURL(obj, soapMessage), soapMessage);
        if (props == null) {
            String problem = "Cannot find Crypto Encryption properties: " + obj;
            LOG.fine(problem);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(problem));
        }
        PasswordEncryptor passwordEncryptor = getPasswordEncryptor(soapMessage, requestData);
        Crypto created = CryptoFactory.getInstance(props, Loader.getClassLoader(CryptoFactory.class), passwordEncryptor);
        // Store the instance on the endpoint, presumably so that later messages find a ready
        // Crypto under ENCRYPT_CRYPTO instead of loading the properties again.
        EndpointInfo endpointInfo = ((Endpoint) soapMessage.getExchange().get(Endpoint.class)).getEndpointInfo();
        synchronized (endpointInfo) {
            endpointInfo.setProperty(SecurityConstants.ENCRYPT_CRYPTO, created);
        }
        return created;
    }

    /**
     * Finds the password encryptor to hand to the Crypto factory.
     *
     * The lookup order is: the {@code SecurityConstants.PASSWORD_ENCRYPTOR_INSTANCE}
     * contextual property, the encryptor held by {@code requestData}, and finally a new
     * {@link JasyptPasswordEncryptor} built on the callback handler of {@code requestData}.
     *
     * @param soapMessage the message that supplies the contextual property
     * @param requestData the source of the fallback encryptor and callback handler
     * @return the encryptor, or null when none of the sources provides one
     */
    private PasswordEncryptor getPasswordEncryptor(SoapMessage soapMessage, RequestData requestData) {
        PasswordEncryptor configured = (PasswordEncryptor) soapMessage.getContextualProperty(SecurityConstants.PASSWORD_ENCRYPTOR_INSTANCE);
        if (configured != null) {
            return configured;
        }
        PasswordEncryptor fromRequest = requestData.getPasswordEncryptor();
        if (fromRequest != null) {
            return fromRequest;
        }
        CallbackHandler callbackHandler = requestData.getCallbackHandler();
        return callbackHandler == null ? null : new JasyptPasswordEncryptor(callbackHandler);
    }

    /**
     * Produces the signature Crypto from the configured value.
     *
     * A {@link Crypto} is returned as is and null yields null. Any other value is treated as a
     * properties source: the properties are loaded, a Crypto is created from them and stored on
     * the endpoint under {@code SecurityConstants.SIGNATURE_CRYPTO}.
     *
     * @param obj the configured Crypto, properties or properties location; may be null
     * @param soapMessage the message whose exchange supplies the endpoint
     * @param requestData used to find a password encryptor
     * @return the Crypto, or null when nothing is configured
     * @throws WSSecurityException if the properties cannot be found or the Crypto cannot be built
     */
    private Crypto getSignatureCrypto(Object obj, SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        if (obj instanceof Crypto) {
            return (Crypto) obj;
        }
        if (obj == null) {
            return null;
        }
        Properties props = getProps(obj, getPropertiesFileURL(obj, soapMessage), soapMessage);
        if (props == null) {
            String problem = "Cannot find Crypto Signature properties: " + obj;
            LOG.fine(problem);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(problem));
        }
        PasswordEncryptor passwordEncryptor = getPasswordEncryptor(soapMessage, requestData);
        Crypto created = CryptoFactory.getInstance(props, Loader.getClassLoader(CryptoFactory.class), passwordEncryptor);
        // Store the instance on the endpoint, presumably so that later messages find a ready
        // Crypto under SIGNATURE_CRYPTO instead of loading the properties again.
        EndpointInfo endpointInfo = ((Endpoint) soapMessage.getExchange().get(Endpoint.class)).getEndpointInfo();
        synchronized (endpointInfo) {
            endpointInfo.setProperty(SecurityConstants.SIGNATURE_CRYPTO, created);
        }
        return created;
    }

    /**
     * Checks that the elements selected by the XPath expressions of each matching assertion
     * are covered by the given signed or encrypted references.
     *
     * Every matching assertion is first marked as asserted and is then marked as not asserted
     * if the coverage check fails. The outcome is recorded on the assertions only; the return
     * value is always true.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param str the local name of the assertions to check
     * @param collection the signed or encrypted references found in the message
     * @param element the element handed to the coverage check
     * @param coverageType whether signing or encryption is being checked
     * @param coverageScope whether the element or its content must be covered
     * @param xPath the evaluator; its namespace context is replaced by this method
     * @return always true
     * @throws SOAPException declared by the signature; nothing visible here throws it
     */
    private boolean assertXPathTokens(AssertionInfoMap assertionInfoMap, String str, Collection<WSDataRef> collection, Element element, CryptoCoverageUtil.CoverageType coverageType, CryptoCoverageUtil.CoverageScope coverageScope, XPath xPath) throws SOAPException {
        for (AssertionInfo assertionInfo : getAllAssertionsByLocalname(assertionInfoMap, str)) {
            assertionInfo.setAsserted(true);
            RequiredElements requiredElements = (RequiredElements) assertionInfo.getAssertion();
            boolean hasXPaths = requiredElements != null
                && requiredElements.getXPaths() != null
                && !requiredElements.getXPaths().isEmpty();
            if (!hasXPaths) {
                continue;
            }
            List<String> expressions = new ArrayList<String>();
            for (org.apache.wss4j.policy.model.XPath policyXPath : requiredElements.getXPaths()) {
                expressions.add(policyXPath.getXPath());
            }
            // NOTE(review): only the prefix map of the first XPath is installed, and it is then
            // used for all expressions of this assertion - confirm that they share prefixes.
            if (requiredElements.getXPaths().get(0).getPrefixNamespaceMap() != null) {
                xPath.setNamespaceContext(new MapNamespaceContext(requiredElements.getXPaths().get(0).getPrefixNamespaceMap()));
            }
            try {
                CryptoCoverageUtil.checkCoverage(element, collection, xPath, expressions, coverageType, coverageScope);
            } catch (WSSecurityException e) {
                assertionInfo.setNotAsserted("No " + coverageType + " element found matching one of the XPaths " + Arrays.toString(expressions.toArray()));
            }
        }
        return true;
    }

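    /**
     * Checks that the body, headers and attachments named by each matching parts assertion
     * are covered by the given signed or encrypted references.
     *
     * Every matching assertion is first marked as asserted and is then marked as not asserted
     * for each part whose coverage check fails. The outcome is recorded on the assertions
     * only; the return value is always true.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @param str the local name of the assertions to check
     * @param collection the signed or encrypted references found in the message
     * @param soapMessage the message; supplies the SOAP version and the attachments
     * @param element the element handed to the header coverage check
     * @param element2 the element handed to the body coverage check
     * @param coverageType whether signing or encryption is being checked
     * @return always true
     * @throws SOAPException declared by the signature; nothing visible here throws it
     */
    private boolean assertTokens(AssertionInfoMap assertionInfoMap, String str, Collection<WSDataRef> collection, SoapMessage soapMessage, Element element, Element element2, CryptoCoverageUtil.CoverageType coverageType) throws SOAPException {
        for (AssertionInfo assertionInfo : getAllAssertionsByLocalname(assertionInfoMap, str)) {
            assertionInfo.setAsserted(true);
            SignedParts parts = (SignedParts) assertionInfo.getAssertion();

            if (parts.isBody()) {
                // A signed body must be covered as an element; otherwise its content.
                CryptoCoverageUtil.CoverageScope bodyScope = CryptoCoverageUtil.CoverageType.SIGNED.equals(coverageType)
                    ? CryptoCoverageUtil.CoverageScope.ELEMENT
                    : CryptoCoverageUtil.CoverageScope.CONTENT;
                try {
                    CryptoCoverageUtil.checkBodyCoverage(element2, collection, coverageType, bodyScope);
                } catch (WSSecurityException e) {
                    assertionInfo.setNotAsserted(soapMessage.getVersion().getBody() + " not " + coverageType);
                }
            }

            for (Header header : parts.getHeaders()) {
                try {
                    CryptoCoverageUtil.checkHeaderCoverage(element, collection, header.getNamespace(), header.getName(), coverageType, CryptoCoverageUtil.CoverageScope.ELEMENT);
                } catch (WSSecurityException e) {
                    // The message used to read "... not + SIGNED": a stray "+" inside the
                    // literal. It now has the same form as the body message above.
                    assertionInfo.setNotAsserted(header.getNamespace() + ":" + header.getName() + " not " + coverageType);
                }
            }

            Attachments attachments = parts.getAttachments();
            if (attachments != null) {
                CryptoCoverageUtil.CoverageScope attachmentScope = attachments.isContentSignatureTransform()
                    ? CryptoCoverageUtil.CoverageScope.CONTENT
                    : CryptoCoverageUtil.CoverageScope.ELEMENT;
                try {
                    CryptoCoverageUtil.checkAttachmentsCoverage(soapMessage.getAttachments(), collection, coverageType, attachmentScope);
                } catch (WSSecurityException e) {
                    assertionInfo.setNotAsserted("An attachment was not signed/encrypted");
                }
            }
        }
        return true;
    }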

    /**
     * Translates the algorithm suites of the policy into {@code requestData} and then applies
     * the optional {@code SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM} override.
     *
     * When the override is set and {@code requestData} has an algorithm suite, the suite's
     * signature methods are replaced by the single configured value.
     *
     * @param soapMessage the message that supplies the policy and the override
     * @param requestData receives the translated algorithm suite
     * @throws WSSecurityException propagated from the translation
     */
    @Override
    protected void setAlgorithmSuites(SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        AssertionInfoMap policyAssertions = soapMessage.get(AssertionInfoMap.class);
        new AlgorithmSuiteTranslater().translateAlgorithmSuites(policyAssertions, requestData);

        String signatureOverride = (String) soapMessage.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
        if (signatureOverride != null && requestData.getAlgorithmSuite() != null) {
            // NOTE(review): the configured value replaces everything the policy allowed, so a
            // weak algorithm here overrides the policy's choice - confirm that the value is
            // reviewed like any other security configuration.
            Collection<String> signatureMethods = requestData.getAlgorithmSuite().getSignatureMethods();
            signatureMethods.clear();
            signatureMethods.add(signatureOverride);
        }
    }

    /**
     * Derives the WSS4J action string from the policy and stores it on the message under
     * "action".
     *
     * Starting from the configured "action" value (or an empty string), the binding checks add
     * the actions they need. The method also applies the signature-algorithm override to the
     * algorithm suite assertions, handles NoPassword UsernameTokens and marks a fixed set of
     * WSS10, Trust10 and Trust13 assertions as asserted. Nothing is done when the message has
     * no {@link AssertionInfoMap}.
     *
     * @param soapMessage the message that supplies the policy and receives the action
     * @param requestData passed on to the binding checks
     * @throws WSSecurityException propagated from the binding checks
     */
    @Override
    protected void computeAction(SoapMessage soapMessage, RequestData requestData) throws WSSecurityException {
        String configuredAction = getString("action", soapMessage);
        if (configuredAction == null) {
            configuredAction = "";
        }
        AssertionInfoMap aim = soapMessage.get(AssertionInfoMap.class);
        if (aim == null) {
            return;
        }

        handleWSS11(aim, soapMessage);
        String action = checkAsymmetricBinding(aim, configuredAction, soapMessage, requestData);
        action = checkSymmetricBinding(aim, action, soapMessage, requestData);

        // Use the default handling when no binding produced an action, or when a transport
        // binding is present.
        Collection<AssertionInfo> transportBindings = aim.get(SP12Constants.TRANSPORT_BINDING);
        boolean hasTransportBinding = transportBindings != null && !transportBindings.isEmpty();
        if ("".equals(action) || hasTransportBinding) {
            action = checkDefaultBinding(aim, action, soapMessage, requestData);
        }

        String signatureOverride = (String) soapMessage.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
        if (signatureOverride != null) {
            Collection<AssertionInfo> suiteInfos = aim.get(SP12Constants.ALGORITHM_SUITE);
            if (suiteInfos != null && !suiteInfos.isEmpty()) {
                // NOTE(review): this changes the policy model objects themselves; if they are
                // shared between messages the override outlives this message - confirm.
                for (AssertionInfo suiteInfo : suiteInfos) {
                    ((AlgorithmSuite) suiteInfo.getAssertion()).setAsymmetricSignature(signatureOverride);
                }
            }
        }

        checkUsernameToken(aim, soapMessage);
        assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
        assertPolicy(aim, SPConstants.RSA_KEY_VALUE);

        Collection<AssertionInfo> wss10Infos = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
        if (!wss10Infos.isEmpty()) {
            for (AssertionInfo wss10Info : wss10Infos) {
                wss10Info.setAsserted(true);
            }
            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
        }

        boolean trust10Handled = false;
        Collection<AssertionInfo> trust10Infos = getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
        if (!trust10Infos.isEmpty()) {
            for (AssertionInfo trust10Info : trust10Infos) {
                trust10Info.setAsserted(true);
            }
            assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
            assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
            assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
            assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
            assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
            trust10Handled = true;
        }

        Collection<AssertionInfo> trust13Infos = getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
        if (!trust13Infos.isEmpty()) {
            for (AssertionInfo trust13Info : trust13Infos) {
                trust13Info.setAsserted(true);
            }
            assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
            assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
            assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
            assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
            // The shared challenge and entropy assertions are marked only once.
            if (!trust10Handled) {
                assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
                assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
                assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
                assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
                assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
            }
        }

        soapMessage.put("action", action.trim());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the WSS4J processing results against the policy and then hands them to the
     * parent implementation.
     *
     * The data references of the results for actions 2 and 64 form the signed set, and those
     * of the results for action 4 the encrypted set. Four policy checks are then run. A failed
     * check is only logged at FINE here; processing continues in every case.
     *
     * @param soapMessage the message being processed
     * @param str passed through to the parent implementation
     * @param element passed to the signed/encrypted coverage check and to the parent
     * @param element2 passed to the coverage checks and to the parent
     * @param list all WSS4J results for the message
     * @param z passed to the supporting-token check and to the parent
     * @throws SOAPException propagated from the checks or the parent
     * @throws XMLStreamException propagated from the parent
     * @throws WSSecurityException propagated from the checks or the parent
     */
    @Override
    public void doResults(SoapMessage soapMessage, String str, Element element, Element element2, List<WSSecurityEngineResult> list, boolean z) throws SOAPException, XMLStreamException, WSSecurityException {
        AssertionInfoMap aim = soapMessage.get(AssertionInfoMap.class);
        Collection<WSDataRef> signedRefs = new HashSet<WSDataRef>();
        Collection<WSDataRef> encryptedRefs = new HashSet<WSDataRef>();

        // Action codes 2 and 64 are the two signature result types collected here.
        List<Integer> signatureActions = new ArrayList<Integer>(2);
        signatureActions.add(Integer.valueOf(2));
        signatureActions.add(Integer.valueOf(64));
        List<WSSecurityEngineResult> signatureResults = WSSecurityUtil.fetchAllActionResults(list, signatureActions);
        for (WSSecurityEngineResult signatureResult : signatureResults) {
            List<WSDataRef> refs = CastUtils.cast((List<?>) signatureResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (refs != null) {
                for (WSDataRef ref : refs) {
                    signedRefs.add(ref);
                }
            }
        }

        // Action code 4 is the encryption result type.
        List<WSSecurityEngineResult> encryptionResults = WSSecurityUtil.fetchAllActionResults(list, 4);
        for (WSSecurityEngineResult encryptionResult : encryptionResults) {
            List<WSDataRef> refs = CastUtils.cast((List<?>) encryptionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (refs != null) {
                for (WSDataRef ref : refs) {
                    encryptedRefs.add(ref);
                }
            }
        }

        // NOTE(review): none of the four checks rejects the message here. Rejection presumably
        // happens later, in an interceptor that reads the asserted state of the policy
        // assertions - confirm that such an interceptor is always in the chain.
        boolean partsCovered = checkSignedEncryptedCoverage(aim, soapMessage, element, element2, signedRefs, encryptedRefs);
        if (!partsCovered) {
            LOG.fine("Incoming request failed signed-encrypted policy validation");
        }
        boolean tokensValid = checkTokenCoverage(aim, soapMessage, element2, list, signatureResults);
        if (!tokensValid) {
            LOG.fine("Incoming request failed token policy validation");
        }
        boolean bindingValid = checkBindingCoverage(aim, soapMessage, element2, list, signatureResults, encryptionResults);
        if (!bindingValid) {
            LOG.fine("Incoming request failed binding policy validation");
        }
        boolean supportingTokensValid = checkSupportingTokenCoverage(aim, soapMessage, list, signatureResults, encryptionResults, z);
        if (!supportingTokensValid) {
            LOG.fine("Incoming request failed supporting token policy validation");
        }
        super.doResults(soapMessage, str, element, element2, list, z);
    }

    /**
     * Checks the signed/encrypted parts and elements policies against the data references
     * that were actually signed and encrypted.
     *
     * <p>The parts checks are skipped entirely when {@code isTransportBinding} returns true,
     * so in that case no message-level signature or encryption coverage is verified for
     * SignedParts/EncryptedParts. The XPath-based element checks run only when the policy
     * contains a signed, encrypted or content-encrypted elements assertion. Results are
     * combined with non-short-circuit AND so every applicable check is executed even after an
     * earlier one has failed.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @param soapMessage the message being validated
     * @param element element whose owner document is searched by the XPath checks and which
     *        is scanned for required headers (presumably the SOAP header - confirm)
     * @param element2 forwarded to the parts checks (presumably the SOAP body - confirm)
     * @param collection the signed data references
     * @param collection2 the encrypted data references
     * @return the AND of all checks that ran
     * @throws SOAPException declared for the parts and header checks this method calls
     */
    private boolean checkSignedEncryptedCoverage(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage, Element element, Element element2, Collection<WSDataRef> collection, Collection<WSDataRef> collection2) throws SOAPException {
        CryptoCoverageUtil.reconcileEncryptedSignedRefs(collection, collection2);

        boolean covered = true;
        if (!isTransportBinding(assertionInfoMap, soapMessage)) {
            covered &= assertTokens(assertionInfoMap, SPConstants.SIGNED_PARTS, collection, soapMessage, element, element2, CryptoCoverageUtil.CoverageType.SIGNED);
            covered &= assertTokens(assertionInfoMap, SPConstants.ENCRYPTED_PARTS, collection2, soapMessage, element, element2, CryptoCoverageUtil.CoverageType.ENCRYPTED);
        }

        Element envelopeRoot = element.getOwnerDocument().getDocumentElement();
        if (containsXPathPolicy(assertionInfoMap)) {
            // One XPath instance is shared by the three element-level checks.
            XPath sharedXPath = XPathFactory.newInstance().newXPath();
            covered &= assertXPathTokens(assertionInfoMap, SPConstants.SIGNED_ELEMENTS, collection, envelopeRoot, CryptoCoverageUtil.CoverageType.SIGNED, CryptoCoverageUtil.CoverageScope.ELEMENT, sharedXPath);
            covered &= assertXPathTokens(assertionInfoMap, SPConstants.ENCRYPTED_ELEMENTS, collection2, envelopeRoot, CryptoCoverageUtil.CoverageType.ENCRYPTED, CryptoCoverageUtil.CoverageScope.ELEMENT, sharedXPath);
            covered &= assertXPathTokens(assertionInfoMap, SPConstants.CONTENT_ENCRYPTED_ELEMENTS, collection2, envelopeRoot, CryptoCoverageUtil.CoverageType.ENCRYPTED, CryptoCoverageUtil.CoverageScope.CONTENT, sharedXPath);
        }

        covered &= assertHeadersExists(assertionInfoMap, soapMessage, element);
        return covered;
    }

    /**
     * Runs the X.509, username, SAML, security-context and WSS11 policy validators, in that
     * order, over the processing results.
     *
     * <p>The outcomes are combined with non-short-circuit AND, so every validator runs even
     * after an earlier one has failed.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @param soapMessage the message being validated
     * @param element element handed to each validator (presumably the SOAP body - confirm)
     * @param list all WS-Security engine results
     * @param list2 the signature results
     * @return true only if every validator returned true
     */
    private boolean checkTokenCoverage(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage, Element element, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        boolean valid = true;
        valid &= new X509TokenPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        valid &= new UsernameTokenPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        valid &= new SamlTokenPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        valid &= new SecurityContextTokenPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        valid &= new WSS11PolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        return valid;
    }

    /**
     * Runs the transport, symmetric and asymmetric binding validators, followed by the
     * algorithm-suite and layout validators.
     *
     * <p>The outcomes are combined with non-short-circuit AND, so every validator runs even
     * after an earlier one has failed. Only the three binding validators receive the
     * encryption results.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @param soapMessage the message being validated
     * @param element element handed to each validator (presumably the SOAP body - confirm)
     * @param list all WS-Security engine results
     * @param list2 the signature results
     * @param list3 the encryption results
     * @return true only if every validator returned true
     */
    private boolean checkBindingCoverage(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage, Element element, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2, List<WSSecurityEngineResult> list3) {
        boolean valid = true;
        valid &= new TransportBindingPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2, list3);
        valid &= new SymmetricBindingPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2, list3);
        valid &= new AsymmetricBindingPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2, list3);
        valid &= new AlgorithmSuitePolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        valid &= new LayoutPolicyValidator().validatePolicy(assertionInfoMap, soapMessage, element, list, list2);
        return valid;
    }

    /**
     * Runs the eight supporting-token policy validators over the processing results.
     *
     * <p>Each validator is given the same three inputs before it is invoked: the username
     * token results, the SAML token results and the timestamp element (null when no timestamp
     * result exists). The outcomes are combined with non-short-circuit AND, so every
     * validator runs even after an earlier one has failed.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @param soapMessage the message being validated
     * @param list all WS-Security engine results
     * @param list2 the signature results
     * @param list3 the encryption results
     * @param z flag passed to every validator's {@code setUsernameTokenResults}
     * @return true only if every validator returned true
     */
    private boolean checkSupportingTokenCoverage(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2, List<WSSecurityEngineResult> list3, boolean z) {
        // Action codes 1 and 8192: presumably the WSS4J username-token actions - TODO confirm.
        List<Integer> usernameTokenActions = new ArrayList<Integer>(2);
        usernameTokenActions.add(1);
        usernameTokenActions.add(8192);
        List<WSSecurityEngineResult> usernameTokenResults = WSSecurityUtil.fetchAllActionResults(list, usernameTokenActions);

        // Action codes 16 and 8: presumably the WSS4J SAML-token actions - TODO confirm.
        List<Integer> samlTokenActions = new ArrayList<Integer>(2);
        samlTokenActions.add(16);
        samlTokenActions.add(8);
        List<WSSecurityEngineResult> samlTokenResults = WSSecurityUtil.fetchAllActionResults(list, samlTokenActions);

        // Action code 32: presumably the WSS4J timestamp action - TODO confirm.
        WSSecurityEngineResult timestampResult = WSSecurityUtil.fetchActionResult(list, 32);
        Element timestampElement = timestampResult == null
                ? null
                : ((Timestamp) timestampResult.get("timestamp")).getElement();

        boolean valid = true;

        ConcreteSupportingTokenPolicyValidator supporting = new ConcreteSupportingTokenPolicyValidator();
        supporting.setUsernameTokenResults(usernameTokenResults, z);
        supporting.setSAMLTokenResults(samlTokenResults);
        supporting.setTimestampElement(timestampElement);
        valid &= supporting.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        SignedTokenPolicyValidator signed = new SignedTokenPolicyValidator();
        signed.setUsernameTokenResults(usernameTokenResults, z);
        signed.setSAMLTokenResults(samlTokenResults);
        signed.setTimestampElement(timestampElement);
        valid &= signed.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        EndorsingTokenPolicyValidator endorsing = new EndorsingTokenPolicyValidator();
        endorsing.setUsernameTokenResults(usernameTokenResults, z);
        endorsing.setSAMLTokenResults(samlTokenResults);
        endorsing.setTimestampElement(timestampElement);
        valid &= endorsing.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        SignedEndorsingTokenPolicyValidator signedEndorsing = new SignedEndorsingTokenPolicyValidator();
        signedEndorsing.setUsernameTokenResults(usernameTokenResults, z);
        signedEndorsing.setSAMLTokenResults(samlTokenResults);
        signedEndorsing.setTimestampElement(timestampElement);
        valid &= signedEndorsing.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        SignedEncryptedTokenPolicyValidator signedEncrypted = new SignedEncryptedTokenPolicyValidator();
        signedEncrypted.setUsernameTokenResults(usernameTokenResults, z);
        signedEncrypted.setSAMLTokenResults(samlTokenResults);
        signedEncrypted.setTimestampElement(timestampElement);
        valid &= signedEncrypted.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        EncryptedTokenPolicyValidator encrypted = new EncryptedTokenPolicyValidator();
        encrypted.setUsernameTokenResults(usernameTokenResults, z);
        encrypted.setSAMLTokenResults(samlTokenResults);
        encrypted.setTimestampElement(timestampElement);
        valid &= encrypted.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        EndorsingEncryptedTokenPolicyValidator endorsingEncrypted = new EndorsingEncryptedTokenPolicyValidator();
        endorsingEncrypted.setUsernameTokenResults(usernameTokenResults, z);
        endorsingEncrypted.setSAMLTokenResults(samlTokenResults);
        endorsingEncrypted.setTimestampElement(timestampElement);
        valid &= endorsingEncrypted.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        SignedEndorsingEncryptedTokenPolicyValidator signedEndorsingEncrypted = new SignedEndorsingEncryptedTokenPolicyValidator();
        signedEndorsingEncrypted.setUsernameTokenResults(usernameTokenResults, z);
        signedEndorsingEncrypted.setSAMLTokenResults(samlTokenResults);
        signedEndorsingEncrypted.setTimestampElement(timestampElement);
        valid &= signedEndorsingEncrypted.validatePolicy(assertionInfoMap, soapMessage, list, list2, list3);

        return valid;
    }

    /**
     * Evaluates the RequiredParts and RequiredElements policy assertions against the given
     * node.
     *
     * <p>Every assertion is first marked asserted and then marked not-asserted for each
     * required header or XPath that has no match. The XPath expressions and their namespace
     * maps are taken from the policy assertion, not from the message. The return value is
     * always true: a missing header is reported only through the {@link AssertionInfo}
     * state, never through the boolean.
     *
     * <p>NOTE(review): the not-asserted reasons embed the XPath expression and, for an
     * invalid expression, the evaluator's exception message - confirm whether these reasons
     * can reach the remote peer.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @param soapMessage not read by this method
     * @param node the node searched for header children and used as the XPath context;
     *        a null node makes every required header count as missing
     * @return always true
     * @throws SOAPException declared but not thrown by the visible code
     */
    private boolean assertHeadersExists(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage, Node node) throws SOAPException {
        for (AssertionInfo partsInfo : getAllAssertionsByLocalname(assertionInfoMap, SPConstants.REQUIRED_PARTS)) {
            RequiredParts requiredParts = (RequiredParts) partsInfo.getAssertion();
            // Optimistically asserted; any missing header below overrides this.
            partsInfo.setAsserted(true);
            for (Header header : requiredParts.getHeaders()) {
                QName headerName = new QName(header.getNamespace(), header.getName());
                boolean present = node != null && DOMUtils.getFirstChildWithName((Element) node, headerName) != null;
                if (!present) {
                    partsInfo.setNotAsserted("No header element of name " + headerName + " found.");
                }
            }
        }

        for (AssertionInfo elementsInfo : getAllAssertionsByLocalname(assertionInfoMap, SPConstants.REQUIRED_ELEMENTS)) {
            RequiredElements requiredElements = (RequiredElements) elementsInfo.getAssertion();
            elementsInfo.setAsserted(true);
            if (requiredElements == null || requiredElements.getXPaths() == null || requiredElements.getXPaths().isEmpty()) {
                // Nothing to evaluate: the assertion stays asserted.
                continue;
            }
            XPathFactory xpathFactory = XPathFactory.newInstance();
            for (org.apache.wss4j.policy.model.XPath policyXPath : requiredElements.getXPaths()) {
                Map<String, String> namespaces = policyXPath.getPrefixNamespaceMap();
                String expression = policyXPath.getXPath();
                // A fresh evaluator per expression, so namespace contexts never carry over.
                XPath evaluator = xpathFactory.newXPath();
                if (namespaces != null) {
                    evaluator.setNamespaceContext(new MapNamespaceContext(namespaces));
                }
                try {
                    NodeList matches = (NodeList) evaluator.evaluate(expression, node, XPathConstants.NODESET);
                    if (matches.getLength() == 0) {
                        elementsInfo.setNotAsserted("No header element matching XPath " + expression + " found.");
                    }
                } catch (XPathExpressionException e) {
                    // An expression that cannot be evaluated counts as a failed assertion.
                    elementsInfo.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
                }
            }
        }
        return true;
    }

    /**
     * Decides whether the message is to be treated as protected by a transport binding.
     *
     * <p>A symmetric or asymmetric binding assertion in the policy yields false; otherwise a
     * transport binding assertion yields true. When the policy names no binding at all, the
     * answer depends on whether a {@link TLSSessionInfo} is attached to the message: if one
     * is present, the SP11 and SP12 SignedParts and EncryptedParts assertions are passed to
     * {@code assertPolicy} (presumably marking them satisfied - confirm) and true is
     * returned.
     *
     * <p>Security note: in that fallback the mere presence of a TLS session stands in for
     * message-level signing and encryption, and the caller skips its parts coverage checks
     * when this method returns true.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @param soapMessage the message whose TLS session information is consulted
     * @return true if the message counts as transport-protected
     */
    private boolean isTransportBinding(AssertionInfoMap assertionInfoMap, SoapMessage soapMessage) {
        boolean hasMessageLevelBinding =
                !getAllAssertionsByLocalname(assertionInfoMap, SPConstants.SYMMETRIC_BINDING).isEmpty()
                || !getAllAssertionsByLocalname(assertionInfoMap, SPConstants.ASYMMETRIC_BINDING).isEmpty();
        if (hasMessageLevelBinding) {
            return false;
        }
        if (!getAllAssertionsByLocalname(assertionInfoMap, SPConstants.TRANSPORT_BINDING).isEmpty()) {
            return true;
        }

        // No binding assertion in the policy: fall back to the transport's TLS state.
        TLSSessionInfo tlsSession = (TLSSessionInfo) soapMessage.get(TLSSessionInfo.class);
        if (tlsSession == null) {
            return false;
        }
        assertPolicy(assertionInfoMap, SP12Constants.ENCRYPTED_PARTS);
        assertPolicy(assertionInfoMap, SP11Constants.ENCRYPTED_PARTS);
        assertPolicy(assertionInfoMap, SP12Constants.SIGNED_PARTS);
        assertPolicy(assertionInfoMap, SP11Constants.SIGNED_PARTS);
        return true;
    }

    /**
     * Reports whether the policy contains any XPath-based coverage assertion: signed
     * elements, encrypted elements or content-encrypted elements.
     *
     * @param assertionInfoMap the policy assertions for the message
     * @return true if at least one such assertion is present
     */
    private boolean containsXPathPolicy(AssertionInfoMap assertionInfoMap) {
        if (!getAllAssertionsByLocalname(assertionInfoMap, SPConstants.SIGNED_ELEMENTS).isEmpty()) {
            return true;
        }
        if (!getAllAssertionsByLocalname(assertionInfoMap, SPConstants.ENCRYPTED_ELEMENTS).isEmpty()) {
            return true;
        }
        return !getAllAssertionsByLocalname(assertionInfoMap, SPConstants.CONTENT_ENCRYPTED_ELEMENTS).isEmpty();
    }
}
