package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
import org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.class */
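/**
 * Populates the CXF {@link SecurityContext} of an inbound SOAP message from the security
 * events recorded by the StAX (streaming) WS-Security inbound processing.
 *
 * <p>The events are read from the message property
 * {@code SecurityEvent.class.getName() + ".in"}. Token types are consulted in a fixed
 * priority order (SAML, UsernameToken, Kerberos, X.509, KeyValue) and the first token that
 * yields a usable identity decides the caller's identity; lower-priority tokens in the same
 * message are ignored.
 *
 * <p>Trust rules enforced here (see {@link #getSubjectPrincipalToken}):
 * <ul>
 *   <li>a SAML assertion is only used when it is signed;</li>
 *   <li>an X.509 or KeyValue token is only used when it produced the message's main
 *       signature <em>and</em> carries a public key or certificate, i.e. the sender proved
 *       possession of the key rather than merely referencing it (a token used only for
 *       encryption never establishes identity);</li>
 *   <li>UsernameToken and Kerberos tokens are used as delivered by the security event;
 *       their validation is assumed to have happened in the WS-Security processor that
 *       emitted the event — it is NOT repeated here.</li>
 * </ul>
 *
 * <p>Roles: when the token carries a {@link Subject}, roles come from the Subject (optionally
 * filtered through {@code SecurityConstants.SUBJECT_ROLE_CLASSIFIER}); for a signed SAML
 * token they are parsed from the configured role attribute claim; for any other token that
 * only yields a {@link Principal}, {@link SecurityContext#isUserInRole} always answers
 * {@code false}, so role-based authorization fails closed.
 *
 * <p>Errors: a {@link WSSecurityException} from processing is turned into a
 * {@link SoapFault} carrying the WS-Security fault code (see {@link #createSoapFault}).
 */
public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    /** Default SAML attribute name from which the caller's roles are read. */
    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";

    /** Security property that overrides {@link #SAML_ROLE_ATTRIBUTENAME_DEFAULT}. */
    private static final String SAML_ROLE_ATTRIBUTENAME_PROPERTY = "security.saml-role-attributename";

    /** Message property under which the StAX inbound security events are expected. */
    private static final String INBOUND_EVENTS_KEY = SecurityEvent.class.getName() + ".in";

    /** Token-usage name identifying the token that produced the message's main signature. */
    private static final String MAIN_SIGNATURE_USAGE = "MainSignature";

    /** Role classifier type assumed when SUBJECT_ROLE_CLASSIFIER_TYPE is not configured. */
    private static final String DEFAULT_ROLE_CLASSIFIER_TYPE = "prefix";

    /** Token types in the order they are consulted; the first usable one wins. */
    private static final List<SecurityEventConstants.Event> TOKEN_PRIORITY =
        Collections.unmodifiableList(Arrays.asList(
            WSSecurityEventConstants.SAML_TOKEN,
            WSSecurityEventConstants.USERNAME_TOKEN,
            WSSecurityEventConstants.KERBEROS_TOKEN,
            WSSecurityEventConstants.X509Token,
            WSSecurityEventConstants.KeyValueToken));

    /** Registers the interceptor in the pre-protocol phase, after inbound security processing. */
    public StaxSecurityContextInInterceptor() {
        super("pre-protocol");
    }

    /**
     * Derives the {@link SecurityContext} of {@code message} from its inbound security events.
     *
     * <p>Messages without recorded security events are left untouched: no context is
     * created and no fault is raised (whether that is acceptable is for the authorization
     * layer downstream to decide).
     *
     * @param message the inbound SOAP message
     * @throws Fault a {@link SoapFault} when the recorded events cannot be processed
     */
    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        // The StAX security processing is expected to store a List<SecurityEvent> under this
        // key; the original code performed the same unchecked cast.
        @SuppressWarnings("unchecked")
        List<SecurityEvent> events = (List<SecurityEvent>) message.get(INBOUND_EVENTS_KEY);
        if (events == null) {
            return;
        }
        try {
            doResults(message, events);
        } catch (WSSecurityException e) {
            throw createSoapFault(message.getVersion(), e);
        }
    }

    /**
     * Walks {@link #TOKEN_PRIORITY} and installs a {@link SecurityContext} built from the
     * first token that yields a Subject or Principal. Returns without installing anything
     * when no token qualifies.
     *
     * @param message the inbound message the context is stored on
     * @param events  the inbound security events
     * @throws WSSecurityException propagated from context construction
     */
    private void doResults(SoapMessage message, List<SecurityEvent> events) throws WSSecurityException {
        for (SecurityEventConstants.Event type : TOKEN_PRIORITY) {
            SubjectAndPrincipalSecurityToken token;
            try {
                token = getSubjectPrincipalToken(events, type);
            } catch (XMLSecurityException ignored) {
                // Key material or token usage of this token could not be read. The token is
                // treated as unusable (no identity is derived from it) and the next token
                // type is tried. NOTE(review): this is best-effort by design; a lower-priority
                // token may then define the identity instead.
                continue;
            }
            if (token == null) {
                continue;
            }

            Subject subject = token.getSubject();
            if (subject != null) {
                message.put(SecurityContext.class, createSubjectSecurityContext(message, subject));
                return;
            }

            Principal principal = token.getPrincipal();
            if (principal != null) {
                if (type == WSSecurityEventConstants.SAML_TOKEN) {
                    // getSubjectPrincipalToken only returns signed SAML tokens, so this is the
                    // same (signed) assertion the principal was derived from.
                    SamlTokenSecurityEvent samlEvent = findSignedSamlEvent(events);
                    SamlAssertionWrapper assertion = samlEvent == null
                        ? null : samlEvent.getSecurityToken().getSamlAssertionWrapper();
                    if (assertion != null) {
                        message.put(SecurityContext.class,
                                    createSamlSecurityContext(message, principal, assertion));
                    }
                    // A SAML principal without an assertion installs no context at all.
                } else {
                    message.put(SecurityContext.class, createSecurityContext(principal));
                }
                return;
            }
            // Token with neither Subject nor Principal: try the next token type.
        }
    }

    /**
     * Builds a context from a JAAS {@link Subject}. Without a configured
     * {@code SUBJECT_ROLE_CLASSIFIER} every Subject principal may act as a role
     * ({@link DefaultSecurityContext}); with one, roles are recognised by prefix or by
     * class name according to {@code SUBJECT_ROLE_CLASSIFIER_TYPE} (default "prefix").
     */
    private SecurityContext createSubjectSecurityContext(SoapMessage message, Subject subject) {
        String classifier =
            (String) message.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
        if (classifier == null || classifier.isEmpty()) {
            return new DefaultSecurityContext(subject);
        }
        String classifierType =
            (String) message.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
        if (classifierType == null || classifierType.isEmpty()) {
            classifierType = DEFAULT_ROLE_CLASSIFIER_TYPE;
        }
        return new RolePrefixSecurityContextImpl(subject, classifier, classifierType);
    }

    /**
     * Builds a {@link SAMLSecurityContext} whose roles are the values of the configured role
     * attribute (property {@value #SAML_ROLE_ATTRIBUTENAME_PROPERTY}, falling back to
     * {@link #SAML_ROLE_ATTRIBUTENAME_DEFAULT}) found in the assertion's claims.
     */
    private SecurityContext createSamlSecurityContext(SoapMessage message, Principal principal,
                                                      SamlAssertionWrapper assertion) {
        String roleAttributeName =
            (String) SecurityUtils.getSecurityPropertyValue(SAML_ROLE_ATTRIBUTENAME_PROPERTY, message);
        if (roleAttributeName == null || roleAttributeName.isEmpty()) {
            roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
        }
        ClaimCollection claims = SAMLUtils.getClaims(assertion);
        return new SAMLSecurityContext(principal,
                                       SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, (String) null),
                                       claims);
    }

    /**
     * Returns the first security event of type {@code wanted} whose token is trusted as an
     * identity source, or {@code null}.
     *
     * <p>Trust checks per type: SAML must be signed; X.509 and KeyValue must have been used
     * for the main signature and carry key material; UsernameToken and Kerberos are
     * returned as-is. Any other event type yields {@code null}.
     *
     * @throws XMLSecurityException when the token's key material cannot be read
     */
    private SubjectAndPrincipalSecurityToken getSubjectPrincipalToken(List<SecurityEvent> events,
                                                                      SecurityEventConstants.Event wanted)
        throws XMLSecurityException {
        if (wanted == WSSecurityEventConstants.SAML_TOKEN) {
            SamlTokenSecurityEvent samlEvent = findSignedSamlEvent(events);
            return samlEvent == null ? null : samlEvent.getSecurityToken();
        }
        for (SecurityEvent incoming : events) {
            if (incoming.getSecurityEventType() != wanted) {
                continue;
            }
            if (wanted == WSSecurityEventConstants.USERNAME_TOKEN) {
                return ((UsernameTokenSecurityEvent) incoming).getSecurityToken();
            }
            if (wanted == WSSecurityEventConstants.KERBEROS_TOKEN) {
                return ((KerberosTokenSecurityEvent) incoming).getSecurityToken();
            }
            if (wanted == WSSecurityEventConstants.X509Token) {
                SubjectAndPrincipalSecurityToken candidate =
                    ((X509TokenSecurityEvent) incoming).getSecurityToken();
                if (isUsedForPublicKeySignature(candidate)) {
                    return candidate;
                }
            } else if (wanted == WSSecurityEventConstants.KeyValueToken) {
                SubjectAndPrincipalSecurityToken candidate =
                    ((KeyValueTokenSecurityEvent) incoming).getSecurityToken();
                if (isUsedForPublicKeySignature(candidate)) {
                    return candidate;
                }
            }
            // Unsigned / non-signing tokens are skipped; a later event of the same type may still qualify.
        }
        return null;
    }

    /** Returns the first SAML token event whose assertion is signed, or {@code null}. */
    private SamlTokenSecurityEvent findSignedSamlEvent(List<SecurityEvent> events) {
        for (SecurityEvent incoming : events) {
            if (incoming.getSecurityEventType() == WSSecurityEventConstants.SAML_TOKEN) {
                SamlTokenSecurityEvent samlEvent = (SamlTokenSecurityEvent) incoming;
                if (isSamlEventSigned(samlEvent)) {
                    return samlEvent;
                }
            }
        }
        return null;
    }

    /**
     * Tells whether {@code token} produced the message's main signature and carries a public
     * key or at least one certificate. Only such a token proves that the sender holds the
     * private key, which is what makes it acceptable as an identity source.
     *
     * @throws XMLSecurityException when the key material cannot be read
     */
    private boolean isUsedForPublicKeySignature(SubjectAndPrincipalSecurityToken token)
        throws XMLSecurityException {
        if (token == null) {
            return false;
        }
        List<SecurityTokenConstants.TokenUsage> usages = token.getTokenUsages();
        if (usages == null) {
            return false;
        }
        boolean signedMessage = false;
        for (SecurityTokenConstants.TokenUsage usage : usages) {
            if (MAIN_SIGNATURE_USAGE.equals(usage.getName())) {
                signedMessage = true;
                break;
            }
        }
        if (!signedMessage) {
            return false;
        }
        if (token.getPublicKey() != null) {
            return true;
        }
        X509Certificate[] certificates = token.getX509Certificates();
        return certificates != null && certificates.length > 0;
    }

    /** Tells whether the event carries a SAML assertion and that assertion is signed. */
    private boolean isSamlEventSigned(SamlTokenSecurityEvent samlEvent) {
        if (samlEvent == null || samlEvent.getSecurityToken() == null) {
            return false;
        }
        SamlAssertionWrapper assertion = samlEvent.getSecurityToken().getSamlAssertionWrapper();
        return assertion != null && assertion.isSigned();
    }

    /**
     * Context for a token that yields a {@link Principal} but no roles: the principal is
     * exposed and every role check answers {@code false} (fail closed).
     */
    private SecurityContext createSecurityContext(final Principal principal) {
        return new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }

            @Override
            public boolean isUserInRole(String role) {
                return false;
            }
        };
    }

    /**
     * Maps a {@link WSSecurityException} to a {@link SoapFault}, preserving the WS-Security
     * fault code: in the SOAP 1.1 fault code itself, otherwise (SOAP 1.2) as the sub-code of
     * a Sender fault. Without a fault code a plain Sender fault is produced.
     *
     * <p>The exception message is returned to the caller verbatim; WSS4J's fault messages are
     * meant to be generic, so do not enrich them here with details of why verification failed.
     */
    private SoapFault createSoapFault(SoapVersion version, WSSecurityException cause) {
        QName faultCode = cause.getFaultCode();
        if (faultCode == null) {
            return new SoapFault(cause.getMessage(), cause, version.getSender());
        }
        // SoapVersion.getVersion() is a double; 1.1 is compared exactly, as the original did.
        if (version.getVersion() == 1.1d) {
            return new SoapFault(cause.getMessage(), cause, faultCode);
        }
        SoapFault fault = new SoapFault(cause.getMessage(), cause, version.getSender());
        fault.setSubCode(faultCode);
        return fault;
    }
}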
