package org.apache.wss4j.dom.processor;

import java.util.Collections;
import java.util.List;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.utils.XMLUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/wss4j-ws-security-dom-2.2.5.jar:org/apache/wss4j/dom/processor/UsernameTokenProcessor.class */
/**
 * Handles a WS-Security {@code UsernameToken} element: parses it, applies the
 * nonce replay check and the Created-timestamp check, hands it to the configured
 * {@link Validator} (if any) and records the outcome in the document info held
 * by the {@link RequestData}.
 *
 * <p>Points a reviewer of calling code should keep in mind, all visible below:
 * <ul>
 *   <li>When no validator is configured for {@code WSConstants.USERNAME_TOKEN}, the
 *       token is parsed but not validated; the result then carries neither
 *       {@code TAG_VALIDATED_TOKEN} nor {@code TAG_PRINCIPAL}. Consumers that make
 *       access decisions should check {@code TAG_VALIDATED_TOKEN} on the result.</li>
 *   <li>The replay check runs only when a nonce replay cache is configured and the
 *       token actually carries a nonce.</li>
 * </ul>
 */
public class UsernameTokenProcessor implements Processor {
    private static final Logger LOG = LoggerFactory.getLogger(UsernameTokenProcessor.class);

    /**
     * Processes one UsernameToken element and returns a single-element result list.
     *
     * @param element     the UsernameToken DOM element
     * @param requestData per-request configuration and state (validators, caches, doc info)
     * @return a singleton list holding the result for this token; if this exact element
     *         was already processed, the previously stored result is returned instead
     * @throws WSSecurityException if a different element with the same wsu:Id was already
     *         registered, or if parsing, replay detection, timestamp verification or
     *         validation fails
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData) throws WSSecurityException {
        LOG.debug("Found UsernameToken list element");

        // Look up the "Id" attribute in the WS-Security utility namespace.
        String wsuId = element.getAttributeNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Id");
        if (!"".equals(wsuId)) {
            Element registered = requestData.getWsDocInfo().getTokenElement(wsuId);
            if (registered != null) {
                if (element.equals(registered)) {
                    // Same element seen before: reuse its stored result rather than re-processing.
                    return Collections.singletonList(requestData.getWsDocInfo().getResult(wsuId));
                }
                // A different element already claimed this Id; reject the message.
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError");
            }
        }

        Validator validator = requestData.getValidator(WSConstants.USERNAME_TOKEN);
        Credential credential = handleUsernameToken(element, validator, requestData);
        UsernameToken token = credential.getUsernametoken();

        // A token without a password element may be used for key derivation; only in
        // that case is the raw password fetched via the callback handler and a key derived.
        final boolean passwordless = token.getPassword() == null;
        byte[] derivedSecret = null;
        if (passwordless && token.isDerivedKey()) {
            token.setRawPassword(requestData.getCallbackHandler());
            derivedSecret = token.getDerivedKey(requestData.getBSPEnforcer());
        }

        // The decompiled listing had the literals 8192 and 1 here, i.e. the inlined
        // values of these two action constants.
        final int action = passwordless ? WSConstants.UT_NOPASSWORD : WSConstants.UT;
        WSSecurityEngineResult result = new WSSecurityEngineResult(action, token);

        String tokenId = token.getID();
        if (!"".equals(tokenId)) {
            result.put("id", tokenId);
        }
        // Stored unconditionally; stays null unless a key was derived above.
        result.put(WSSecurityEngineResult.TAG_SECRET, derivedSecret);

        if (validator != null) {
            result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);

            final boolean hasTransformedToken = credential.getTransformedToken() != null;
            if (hasTransformedToken) {
                result.put(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, credential.getTransformedToken());
            }

            // Principal precedence: one supplied on the credential, then one wrapping the
            // transformed token, then one built from the UsernameToken fields themselves.
            if (credential.getPrincipal() != null) {
                result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal());
            } else if (hasTransformedToken) {
                result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipalImpl(credential.getTransformedToken()));
            } else {
                WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(token.getName(), token.isHashed());
                if (token.getNonce() != null) {
                    principal.setNonce(XMLUtils.decode(token.getNonce()));
                }
                // The principal receives the password value exactly as the token reports it,
                // so code that logs or serializes this principal handles credential material.
                principal.setPassword(token.getPassword());
                principal.setCreatedTime(token.getCreated());
                principal.setPasswordType(token.getPasswordType());
                result.put(WSSecurityEngineResult.TAG_PRINCIPAL, principal);
            }
            result.put("subject", credential.getSubject());
        }

        requestData.getWsDocInfo().addTokenElement(element);
        requestData.getWsDocInfo().addResult(result);
        return Collections.singletonList(result);
    }

    /**
     * Parses the element into a {@link UsernameToken}, runs replay and freshness checks,
     * and validates the resulting credential when a validator is supplied.
     *
     * <p>Order of checks as written: nonce replay lookup and caching first, then
     * {@code verifyCreated}, then the validator. The nonce is therefore recorded even
     * for tokens that are subsequently rejected as expired or fail validation.
     *
     * @param element     the UsernameToken DOM element
     * @param validator   validator to apply, or {@code null} to skip validation
     * @param requestData source of TTL settings, BSP enforcer and the nonce replay cache
     * @return the validator's credential, or an unvalidated credential wrapping the token
     *         when {@code validator} is {@code null}
     * @throws WSSecurityException on a replayed nonce, a Created value outside the
     *         allowed window, or a parsing/validation failure
     */
    private Credential handleUsernameToken(Element element, Validator validator, RequestData requestData) throws WSSecurityException {
        boolean allowNsQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
        int utTTL = requestData.getUtTTL();
        int utFutureTTL = requestData.getUtFutureTTL();
        UsernameToken token = new UsernameToken(element, allowNsQualifiedPasswordTypes, requestData.getBSPEnforcer());

        ReplayCache replayCache = requestData.getNonceReplayCache();
        String nonce = token.getNonce();
        if (replayCache != null && nonce != null) {
            if (replayCache.contains(nonce)) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "badUsernameToken", new Object[]{"A replay attack has been detected"});
            }
            if (token.getCreatedDate() != null && utTTL > 0) {
                // Cache slightly longer than the token TTL.
                // NOTE(review): utTTL + 1 is computed in int arithmetic; confirm the
                // configured TTL can never be Integer.MAX_VALUE, which would wrap.
                replayCache.add(nonce, utTTL + 1);
            } else {
                // No Created value or no positive TTL: use the cache's own default lifetime.
                replayCache.add(nonce);
            }
        }

        if (!token.verifyCreated(utTTL, utFutureTTL)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED);
        }

        Credential credential = new Credential();
        credential.setUsernametoken(token);
        if (validator == null) {
            // No validator configured: the caller gets the parsed token back unvalidated.
            return credential;
        }
        return validator.validate(credential, requestData);
    }
}
