package org.apache.wss4j.stax.validate;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.commons.codec.binary.Base64;
import org.apache.wss4j.binding.wss10.AttributedString;
import org.apache.wss4j.binding.wss10.EncodedString;
import org.apache.wss4j.binding.wss10.PasswordString;
import org.apache.wss4j.binding.wss10.UsernameTokenType;
import org.apache.wss4j.binding.wsu10.AttributedDateTime;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-186.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-stax-2.0.3.jar:org/apache/wss4j/stax/validate/UsernameTokenValidatorImpl.class */
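/**
 * Default validator for a WS-Security {@code UsernameToken}.
 *
 * <p>The token is checked for structural consistency (salt/iteration vs. password element, a
 * present username, nonce and created for the digest profile), the received password type is
 * matched against the configured required type, and the password is verified through the
 * configured {@code CallbackHandler}. The result is an {@link UsernameSecurityTokenImpl}
 * carrying the received values.</p>
 *
 * <p>Password and digest comparisons are done in constant time so that a mismatch does not
 * leak the position of the first differing byte through response timing.</p>
 */
public class UsernameTokenValidatorImpl implements UsernameTokenValidator {

    private static final transient Logger log = LoggerFactory.getLogger(UsernameTokenValidatorImpl.class);

    /** Usage code handed to {@link WSPasswordCallback} for UsernameToken password lookups (the literal {@code 2} in the original). */
    private static final int USERNAME_TOKEN_USAGE = 2;

    /** The only nonce encoding accepted for the digest profile. */
    private static final String BASE64_BINARY_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    /**
     * Validates the given {@code UsernameToken} and builds the resulting security token.
     *
     * @param usernameTokenType the parsed token element
     * @param tokenContext      security properties, security context and element position of the token
     * @return the validated username security token
     * @throws WSSecurityException with {@code INVALID_SECURITY_TOKEN} when the token structure is
     *         inconsistent, {@code UNSUPPORTED_SECURITY_TOKEN} for a non-Base64Binary nonce, and
     *         {@code FAILED_AUTHENTICATION} when the password type or the password itself does not
     *         verify (or no password is present and none is allowed)
     */
    @Override // org.apache.wss4j.stax.validate.UsernameTokenValidator
    @SuppressWarnings("unchecked")
    public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType, TokenContext tokenContext) throws WSSecurityException {
        byte[] salt = (byte[]) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Salt);
        PasswordString passwordString = (PasswordString) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Password);
        Long iteration = (Long) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Iteration);

        // A salt is only acceptable together with an iteration count and without a password element.
        if (salt != null && (passwordString != null || iteration == null)) {
            throw invalidToken();
        }

        boolean handleCustomPasswordTypes = tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
        // "No password" may be allowed either statically or via the per-message security context.
        boolean allowNoPassword = tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword()
            || Boolean.parseBoolean((String) tokenContext.getWsSecurityContext().get(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));

        WSSConstants.UsernameTokenPasswordType requiredPasswordType = tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
        if (requiredPasswordType != null) {
            checkRequiredPasswordType(requiredPasswordType, passwordString);
        }
        WSSConstants.UsernameTokenPasswordType receivedPasswordType = receivedPasswordType(passwordString);

        AttributedString username = usernameTokenType.getUsername();
        if (username == null) {
            throw invalidToken();
        }

        EncodedString nonce = (EncodedString) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Nonce);
        byte[] nonceValue = null;
        if (nonce != null && nonce.getValue() != null) {
            nonceValue = Base64.decodeBase64(nonce.getValue());
        }
        AttributedDateTime created = (AttributedDateTime) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsu_Created);
        String createdValue = created != null ? created.getValue() : null;

        // Evaluated before any verify* call, which may replace the password element's value.
        boolean hasPasswordValue = passwordString != null && passwordString.getValue() != null;

        if (receivedPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
            // The digest profile needs both nonce and created, and the nonce must be Base64Binary.
            if (nonce == null || created == null) {
                throw invalidToken();
            }
            if (!BASE64_BINARY_ENCODING.equals(nonce.getEncodingType())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, "badTokenType01", new Object[0]);
            }
            verifyDigestPassword(username.getValue(), passwordString, nonceValue, createdValue, tokenContext);
        } else if (receivedPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT
            || (hasPasswordValue && receivedPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE)) {
            // An untyped password element with a value is treated as plaintext.
            verifyPlaintextPassword(username.getValue(), passwordString, tokenContext);
        } else if (!hasPasswordValue) {
            if (!allowNoPassword) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
        } else {
            // Any other password type is only accepted when custom types are explicitly enabled.
            if (!handleCustomPasswordTypes) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            verifyCustomPassword(username.getValue(), passwordString, tokenContext);
        }

        String password = resolvePassword(username.getValue(), passwordString, salt, tokenContext);
        UsernameSecurityTokenImpl token = new UsernameSecurityTokenImpl(receivedPasswordType, username.getValue(), password, createdValue, nonceValue, salt, iteration, tokenContext.getWsSecurityContext(), usernameTokenType.getId(), WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
        token.setElementPath(tokenContext.getElementPath());
        token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
        return (T) token;
    }

    /**
     * Verifies a {@code PasswordDigest} password: the callback handler supplies the known password,
     * the digest over nonce, created and that password is recomputed and compared (constant time)
     * with the received value.
     *
     * <p>On success the element's value is replaced by the plaintext password obtained from the
     * callback, as the original implementation did.</p>
     *
     * @param username       the token's username
     * @param passwordString the received password element (digest profile)
     * @param nonce          the decoded nonce, may be {@code null}
     * @param created        the created timestamp value, may be {@code null}
     * @param tokenContext   provides the callback handler
     * @throws WSSecurityException {@code FAILED_AUTHENTICATION} when no password is known for the user,
     *         the digest does not match, or the callback itself fails
     */
    protected void verifyDigestPassword(String username, PasswordString passwordString, byte[] nonce, String created, TokenContext tokenContext) throws WSSecurityException {
        WSPasswordCallback callback = new WSPasswordCallback(username, null, passwordString.getType(), USERNAME_TOKEN_USAGE);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), callback);
            String knownPassword = callback.getPassword();
            if (knownPassword == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            String expectedDigest = WSSUtils.doPasswordDigest(nonce, created, knownPassword);
            if (!constantTimeEquals(expectedDigest, passwordString.getValue())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            passwordString.setValue(knownPassword);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /**
     * Verifies a {@code PasswordText} password against the password supplied by the callback
     * handler, comparing in constant time.
     *
     * <p>On success the element's value is set to the callback's password (identical content).</p>
     *
     * @param username       the token's username
     * @param passwordString the received password element
     * @param tokenContext   provides the callback handler
     * @throws WSSecurityException {@code FAILED_AUTHENTICATION} when no password is known for the user,
     *         the values differ, or the callback itself fails
     */
    protected void verifyPlaintextPassword(String username, PasswordString passwordString, TokenContext tokenContext) throws WSSecurityException {
        WSPasswordCallback callback = new WSPasswordCallback(username, null, passwordString.getType(), USERNAME_TOKEN_USAGE);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), callback);
            String knownPassword = callback.getPassword();
            if (knownPassword == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            if (!constantTimeEquals(knownPassword, passwordString.getValue())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            passwordString.setValue(knownPassword);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /**
     * Verifies a password of a custom (non-standard) type. By default this delegates to
     * {@link #verifyPlaintextPassword}; subclasses may override it.
     *
     * @param username       the token's username
     * @param passwordString the received password element
     * @param tokenContext   provides the callback handler
     * @throws WSSecurityException see {@link #verifyPlaintextPassword}
     */
    protected void verifyCustomPassword(String username, PasswordString passwordString, TokenContext tokenContext) throws WSSecurityException {
        verifyPlaintextPassword(username, passwordString, tokenContext);
    }

    /** Ensures the received password element carries exactly the configured required type. */
    private static void checkRequiredPasswordType(WSSConstants.UsernameTokenPasswordType required, PasswordString passwordString) throws WSSecurityException {
        boolean matches = passwordString != null && passwordString.getType() != null
            && required == WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordString.getType());
        if (!matches) {
            if (log.isDebugEnabled()) {
                log.debug("Authentication failed as the received password type does not match the required password type of: " + required);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /** Maps the received password element to its password type; {@code PASSWORD_NONE} when absent or untyped. */
    private static WSSConstants.UsernameTokenPasswordType receivedPasswordType(PasswordString passwordString) {
        if (passwordString == null || passwordString.getType() == null) {
            return WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
        }
        return WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordString.getType());
    }

    /**
     * Determines the password to store on the resulting token: the password element's value when
     * present, otherwise — for the salted (key-derivation) profile — the password obtained from the
     * callback handler, otherwise {@code null}.
     */
    private static String resolvePassword(String username, PasswordString passwordString, byte[] salt, TokenContext tokenContext) throws WSSecurityException {
        if (passwordString != null) {
            return passwordString.getValue();
        }
        if (salt == null) {
            return null;
        }
        WSPasswordCallback callback = new WSPasswordCallback(username, USERNAME_TOKEN_USAGE);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), callback);
            return callback.getPassword();
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /** The structural-error exception used throughout validation. */
    private static WSSecurityException invalidToken() {
        return new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01", new Object[0]);
    }

    /**
     * Compares two secret strings without short-circuiting on the first differing byte.
     * {@code null} on either side is treated as a mismatch instead of throwing.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }
}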
