package org.apache.cxf.ws.security.policy.interceptors;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.trust.DefaultSTSTokenCacher;
import org.apache.cxf.ws.security.trust.STSTokenCacher;
import org.apache.cxf.ws.security.trust.STSTokenRetriever;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.IssuedToken;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.2.1.jar:org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.class */
/**
 * Policy interceptor provider for the WS-SecurityPolicy {@code IssuedToken} assertion
 * (both the SP11 and SP12 names are registered in the constructor).
 *
 * <p>It wires the policy-based WSS4J DOM and StAX interceptors into all four chains and adds
 * two interceptors of its own: {@link IssuedTokenOutInterceptor}, which obtains a token through
 * {@link STSTokenRetriever} on the requestor side, and {@link IssuedTokenInInterceptor}, which
 * hands the received security results to the registered {@link SecurityPolicyValidator} on the
 * receiving side.
 */
public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
    private static final long serialVersionUID = -6936475570762840527L;

    /**
     * Inbound interceptor for {@code IssuedToken} assertions. It runs in
     * {@link Phase#PRE_PROTOCOL}, ordered after {@link WSS4JInInterceptor} and
     * {@link PolicyBasedWSS4JInInterceptor}, so the WSS4J results are expected to be on the
     * message already.
     */
    /* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.2.1.jar:org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider$IssuedTokenInInterceptor.class */
    static class IssuedTokenInInterceptor extends AbstractPhaseInterceptor<Message> {
        // Keys into WSHandlerResult.getActionResults(). The decompiled code carried these as bare
        // literals; the values match WSS4J's WSConstants.SIGN, ST_UNSIGNED and ST_SIGNED action
        // codes -- NOTE(review): confirm against the WSS4J version shipped next to this jar.
        private static final int ACTION_SIGN = 2;
        private static final int ACTION_ST_UNSIGNED = 8;
        private static final int ACTION_ST_SIGNED = 16;

        IssuedTokenInInterceptor() {
            super(Phase.PRE_PROTOCOL);
            addAfter(WSS4JInInterceptor.class.getName());
            addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
        }

        /**
         * Processes the {@code IssuedToken} assertions of an inbound message.
         *
         * <ul>
         *   <li>No {@link AssertionInfoMap}, or no {@code IssuedToken} assertion: nothing happens.</li>
         *   <li>Requestor side: every {@code IssuedToken} assertion is marked asserted without
         *       looking at the message content.</li>
         *   <li>Receiving side: the cached {@code SecurityConstants.TOKEN} is removed from the
         *       exchange and the first {@link WSHandlerResult} is passed to the policy validator.
         *       When there are no handler results the method returns with the assertions left
         *       unasserted.</li>
         * </ul>
         *
         * @param message the message being processed
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = (AssertionInfoMap) message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> issuedTokenAssertions =
                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
            if (issuedTokenAssertions.isEmpty()) {
                return;
            }

            // The reference-style sub-assertions are taken from the first IssuedToken only.
            IssuedToken firstToken = (IssuedToken) issuedTokenAssertions.iterator().next().getAssertion();
            IssuedTokenInterceptorProvider.assertIssuedToken(firstToken, aim);

            if (isRequestor(message)) {
                for (AssertionInfo info : issuedTokenAssertions) {
                    info.setAsserted(true);
                }
                return;
            }

            message.getExchange().remove(SecurityConstants.TOKEN);
            List<WSHandlerResult> handlerResults =
                CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
            if (handlerResults == null || handlerResults.isEmpty()) {
                // Nothing was asserted here. NOTE(review): whether the request is then rejected
                // depends on a later policy-verification step that is not visible in this file.
                return;
            }
            // Only the first handler result is validated; any further entries are ignored.
            parseHandlerResults(handlerResults.get(0), message, issuedTokenAssertions);
        }

        /**
         * Collects the signature and SAML results of one WSS4J handler result and passes them to
         * the {@link SecurityPolicyValidator} registered for the assertion's name.
         *
         * <p>The validator is looked up by the name of the first assertion in {@code collection}.
         * If no validator is registered under that name, no validation runs and this method does
         * not change the state of the assertions.
         *
         * @param wSHandlerResult the handler result to evaluate
         * @param message the message the result belongs to
         * @param collection the {@code IssuedToken} assertions to validate; must not be empty
         */
        // The raw ArrayList is kept from the decompiled code: its element type comes from
        // getActionResults() and is not among this file's imports.
        @SuppressWarnings({"rawtypes", "unchecked"})
        private void parseHandlerResults(WSHandlerResult wSHandlerResult, Message message, Collection<AssertionInfo> collection) {
            PolicyValidatorParameters validatorParams = new PolicyValidatorParameters();
            validatorParams.setAssertionInfoMap((AssertionInfoMap) message.get(AssertionInfoMap.class));
            validatorParams.setMessage(message);
            validatorParams.setResults(wSHandlerResult);
            validatorParams.setSignedResults(wSHandlerResult.getActionResults().get(ACTION_SIGN));

            // Signed SAML results first, then unsigned ones, in the same order as before.
            ArrayList samlResults = new ArrayList();
            for (int actionCode : new int[] {ACTION_ST_SIGNED, ACTION_ST_UNSIGNED}) {
                if (wSHandlerResult.getActionResults().containsKey(actionCode)) {
                    samlResults.addAll(wSHandlerResult.getActionResults().get(actionCode));
                }
            }
            validatorParams.setSamlResults(samlResults);

            QName assertionName = collection.iterator().next().getAssertion().getName();
            Map<QName, SecurityPolicyValidator> validators = ValidatorUtils.getSecurityPolicyValidators(message);
            if (validators.containsKey(assertionName)) {
                validators.get(assertionName).validatePolicies(validatorParams, collection);
            }
        }
    }

    /**
     * Outbound interceptor for {@code IssuedToken} assertions, running in
     * {@link Phase#PREPARE_SEND}.
     */
    /* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.2.1.jar:org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.class */
    static class IssuedTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
        IssuedTokenOutInterceptor() {
            super(Phase.PREPARE_SEND);
        }

        /**
         * Processes the {@code IssuedToken} assertions of an outbound message.
         *
         * <ul>
         *   <li>No {@link AssertionInfoMap}, or no {@code IssuedToken} assertion: nothing happens.</li>
         *   <li>Non-requestor side: every {@code IssuedToken} assertion is marked asserted
         *       unconditionally.</li>
         *   <li>Requestor side: a token request is built from the first {@code IssuedToken}
         *       assertion and passed to {@link STSTokenRetriever#getToken}. The assertions are
         *       marked asserted only when that call returns a non-null token.</li>
         * </ul>
         *
         * @param message the message being processed
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = (AssertionInfoMap) message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> issuedTokenAssertions =
                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
            if (issuedTokenAssertions.isEmpty()) {
                return;
            }

            if (!isRequestor(message)) {
                for (AssertionInfo info : issuedTokenAssertions) {
                    info.setAsserted(true);
                }
                IssuedTokenInterceptorProvider.assertIssuedToken(
                    (IssuedToken) issuedTokenAssertions.iterator().next().getAssertion(), aim);
                return;
            }

            IssuedToken issuedToken = (IssuedToken) issuedTokenAssertions.iterator().next().getAssertion();

            // Everything sent to the STS is derived from the policy assertion itself.
            STSTokenRetriever.TokenRequestParams requestParams = new STSTokenRetriever.TokenRequestParams();
            requestParams.setIssuer(issuedToken.getIssuer());
            requestParams.setClaims(issuedToken.getClaims());
            if (issuedToken.getPolicy() != null) {
                requestParams.setWspNamespace(issuedToken.getPolicy().getNamespace());
            }
            requestParams.setTrust10(NegotiationUtils.getTrust10(aim));
            requestParams.setTrust13(NegotiationUtils.getTrust13(aim));
            requestParams.setTokenTemplate(issuedToken.getRequestSecurityTokenTemplate());

            // The cacher implementation comes from a configuration property and is cast without a
            // type check, so a value of another type fails here with a ClassCastException.
            STSTokenCacher tokenCacher = (STSTokenCacher) SecurityUtils.getSecurityPropertyValue(
                org.apache.cxf.rt.security.SecurityConstants.STS_TOKEN_CACHER_IMPL, message);
            if (tokenCacher == null) {
                tokenCacher = new DefaultSTSTokenCacher();
            }

            if (STSTokenRetriever.getToken(message, requestParams, tokenCacher) != null) {
                IssuedTokenInterceptorProvider.assertIssuedToken(issuedToken, aim);
                for (AssertionInfo info : issuedTokenAssertions) {
                    info.setAsserted(true);
                }
            }
        }
    }

    /**
     * Registers the SP11 and SP12 {@code IssuedToken} assertion names and populates the in, out,
     * in-fault and out-fault chains. Each chain receives, in this order, the policy-based WSS4J
     * DOM interceptor, the {@code IssuedToken} interceptor of this class and the policy-based
     * WSS4J StAX interceptor.
     */
    public IssuedTokenInterceptorProvider() {
        super(Arrays.asList(SP11Constants.ISSUED_TOKEN, SP12Constants.ISSUED_TOKEN));

        // DOM-based WSS4J processing: one inbound instance shared by the in and in-fault chains.
        PolicyBasedWSS4JInInterceptor domInInterceptor = new PolicyBasedWSS4JInInterceptor();
        getOutInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE);
        getOutFaultInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE);
        getInInterceptors().add(domInInterceptor);
        getInFaultInterceptors().add(domInInterceptor);

        // IssuedToken handling: each chain gets its own interceptor instance.
        getOutInterceptors().add(new IssuedTokenOutInterceptor());
        getOutFaultInterceptors().add(new IssuedTokenOutInterceptor());
        getInInterceptors().add(new IssuedTokenInInterceptor());
        getInFaultInterceptors().add(new IssuedTokenInInterceptor());

        // StAX-based WSS4J processing.
        PolicyBasedWSS4JStaxOutInterceptor staxOutInterceptor = new PolicyBasedWSS4JStaxOutInterceptor();
        PolicyBasedWSS4JStaxInInterceptor staxInInterceptor = new PolicyBasedWSS4JStaxInInterceptor();
        getOutInterceptors().add(staxOutInterceptor);
        getOutFaultInterceptors().add(staxOutInterceptor);
        getInInterceptors().add(staxInInterceptor);
        getInFaultInterceptors().add(staxInInterceptor);
    }

    /**
     * Asserts the reference-style sub-policies of an {@code IssuedToken} assertion.
     *
     * <p>{@code RequireExternalReference} and {@code RequireInternalReference} are asserted, in
     * the namespace of the token's own name, whenever the token declares them. Nothing here
     * inspects a message, so the assertion only reflects what the policy declares.
     *
     * @param issuedToken the assertion to inspect; {@code null} is ignored
     * @param assertionInfoMap the map in which the sub-policies are asserted
     */
    protected static void assertIssuedToken(IssuedToken issuedToken, AssertionInfoMap assertionInfoMap) {
        if (issuedToken != null) {
            if (issuedToken.isRequireExternalReference()) {
                QName externalReference =
                    new QName(issuedToken.getName().getNamespaceURI(), SPConstants.REQUIRE_EXTERNAL_REFERENCE);
                PolicyUtils.assertPolicy(assertionInfoMap, externalReference);
            }
            if (issuedToken.isRequireInternalReference()) {
                QName internalReference =
                    new QName(issuedToken.getName().getNamespaceURI(), SPConstants.REQUIRE_INTERNAL_REFERENCE);
                PolicyUtils.assertPolicy(assertionInfoMap, internalReference);
            }
        }
    }
}
