package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.dom.DOMSource;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.class */
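/**
 * Inbound CXF interceptor that runs WSS4J over the SOAP {@code Security} header.
 *
 * <p>It is registered for {@link Phase#PRE_PROTOCOL}, after {@link SAAJInInterceptor}. For each
 * message it asks a {@link WSSecurityEngine} to process the header, then checks signature
 * certificate trust, timestamp validity and the configured action list. The outcome is published
 * on the message under {@link #SIGNATURE_RESULT}, {@link #TIMESTAMP_RESULT},
 * {@link #PRINCIPAL_RESULT} and {@code "RECV_RESULTS"}.
 *
 * <p>Points a reviewer should keep in mind when relying on this class:
 * <ul>
 * <li>A message whose body is a SOAP Fault is accepted without any {@code Security} header, even
 *     when actions are configured. Nothing on that path is authenticated.</li>
 * <li>Certificate trust is only evaluated when the signature result carries an
 *     {@code "x509-certificate"} entry; a signature result without one is still published.</li>
 * <li>The action check is delegated to the inherited {@code checkReceiverResults}. Nothing in
 *     this class checks which message parts a signature covers, so that has to be enforced
 *     elsewhere (NOTE(review): confirm where).</li>
 * </ul>
 */
public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
    public static final String TIMESTAMP_RESULT = "wss4j.timestamp.result";
    public static final String SIGNATURE_RESULT = "wss4j.signature.result";
    public static final String PRINCIPAL_RESULT = "wss4j.principal.result";
    public static final String PROCESSOR_MAP = "wss4j.processor.map";

    private static final Logger LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class);
    private static final Logger TIME_LOG =
        LogUtils.getL7dLogger(WSS4JInInterceptor.class, null, WSS4JInInterceptor.class.getName() + "-Time");

    // Numeric WSS4J codes that this listing carries as bare literals.
    // NOTE(review): the action values look like WSConstants.NO_SECURITY / SIGN / TS and
    // (UT | ENCR), and the error codes like WSSecurityException.INVALID_SECURITY / FAILED_CHECK /
    // MESSAGE_EXPIRED. Confirm against the WSS4J version on the classpath and switch to the
    // library's named constants.
    private static final int ACTION_NONE = 0;
    private static final int ACTION_SIGNATURE = 2;
    private static final int ACTION_TIMESTAMP = 32;
    private static final int ACTIONS_NEEDING_PASSWORD_CALLBACK = 5;
    private static final int ERR_INVALID_SECURITY = 3;
    private static final int ERR_FAILED_CHECK = 6;
    private static final int ERR_MESSAGE_EXPIRED = 8;

    // Used to build the SAAJ view of the message when no earlier interceptor has done so.
    private final SAAJInInterceptor saajIn;
    // Engine built from PROCESSOR_MAP; null means the inherited secEngine is used.
    private WSSecurityEngine secEngineOverride;

    /** Creates the interceptor for the PRE_PROTOCOL phase, ordered after {@link SAAJInInterceptor}. */
    public WSS4JInInterceptor() {
        this.saajIn = new SAAJInInterceptor();
        setPhase(Phase.PRE_PROTOCOL);
        getAfter().add(SAAJInInterceptor.class.getName());
    }

    /**
     * Creates the interceptor from a property map.
     *
     * <p>If the map holds a {@link #PROCESSOR_MAP} entry, a dedicated security engine is built
     * from it and used instead of the inherited one. That entry decides which processor handles
     * which header element, so it must come from trusted configuration only.
     *
     * @param map interceptor properties; handed to {@code setProperties} and read for
     *            {@link #PROCESSOR_MAP}
     */
    public WSS4JInInterceptor(Map<String, Object> map) {
        this();
        setProperties(map);
        Map<QName, String> processors = CastUtils.cast((Map<?, ?>) map.get(PROCESSOR_MAP));
        if (processors != null) {
            this.secEngineOverride = createSecurityEngine(processors);
        }
    }

    /** Returns the SAAJ message, invoking {@link SAAJInInterceptor} first if none is attached yet. */
    private SOAPMessage getSOAPMessage(SoapMessage soapMessage) {
        SOAPMessage doc = soapMessage.getContent(SOAPMessage.class);
        if (doc == null) {
            this.saajIn.handleMessage(soapMessage);
            doc = soapMessage.getContent(SOAPMessage.class);
        }
        return doc;
    }

    /**
     * Processes the WS-Security header of an inbound message and enforces the configured actions.
     *
     * @param soapMessage the inbound message
     * @throws Fault a {@link SoapFault} when the header is missing, the signing certificate is
     *         not trusted, the timestamp does not validate, the performed actions do not match
     *         the configured ones, or the SAAJ/StAX layer fails
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        SOAPMessage doc = getSOAPMessage(soapMessage);
        boolean debugEnabled = LOG.isLoggable(Level.FINE);
        boolean timingEnabled = TIME_LOG.isLoggable(Level.FINE);
        SoapVersion version = soapMessage.getVersion();
        if (debugEnabled) {
            LOG.fine("WSS4JInInterceptor: enter handleMessage()");
        }
        long tStart = 0;
        long tPrepared = 0;
        long tProcessed = 0;
        if (timingEnabled) {
            tStart = System.currentTimeMillis();
        }
        RequestData reqData = new RequestData();
        try {
            reqData.setMsgContext(soapMessage);
            // Raw Vector: the WSS4J calls below are used with raw collection types in this listing.
            Vector actions = new Vector();
            int doAction = WSSecurityUtil.decodeAction(getAction(soapMessage, version), actions);
            String actor = (String) getOption("actor");
            CallbackHandler callback = getCallback(reqData, doAction);
            doReceiverAction(doAction, reqData);
            if (timingEnabled) {
                tPrepared = System.currentTimeMillis();
            }
            Vector wsResult = getSecurityEngine().processSecurityHeader(
                doc.getSOAPPart(), actor, callback, reqData.getSigCrypto(), reqData.getDecCrypto());
            if (timingEnabled) {
                tProcessed = System.currentTimeMillis();
            }

            if (wsResult == null) {
                // The engine returned no results for this message.
                if (doAction == ACTION_NONE) {
                    return;
                }
                if (!doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
                    LOG.warning("Request does not contain required Security header");
                    throw new WSSecurityException(ERR_INVALID_SECURITY);
                }
                // Fault bodies are let through unsecured. No signature, timestamp or principal
                // result is stored for them, so downstream code must treat the fault content as
                // unauthenticated.
                LOG.warning("Request does not contain required Security header, but it's a fault.");
                return;
            }

            if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
                checkSignatureConfirmation(reqData, wsResult);
            }

            WSSecurityEngineResult signatureResult = WSSecurityUtil.fetchActionResult(wsResult, ACTION_SIGNATURE);
            if (signatureResult != null) {
                X509Certificate signerCert = (X509Certificate) signatureResult.get("x509-certificate");
                // Trust is only evaluated when the result carries a certificate. A result without
                // one is still published below.
                // NOTE(review): confirm that certificate-less signature results are intended to
                // be accepted here.
                if (signerCert != null && !verifyTrust(signerCert, reqData)) {
                    LOG.warning("The certificate used for the signature is not trusted");
                    throw new WSSecurityException(ERR_FAILED_CHECK);
                }
                soapMessage.put(SIGNATURE_RESULT, signatureResult);
            }

            WSSecurityEngineResult timestampResult = WSSecurityUtil.fetchActionResult(wsResult, ACTION_TIMESTAMP);
            if (timestampResult != null) {
                Timestamp timestamp = (Timestamp) timestampResult.get("timestamp");
                if (timestamp != null && !verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
                    LOG.warning("The timestamp could not be validated");
                    throw new WSSecurityException(ERR_MESSAGE_EXPIRED);
                }
                soapMessage.put(TIMESTAMP_RESULT, timestampResult);
            }

            // The performed actions must match the configured ones.
            if (!checkReceiverResults(wsResult, actions)) {
                LOG.warning("Security processing failed (actions mismatch)");
                throw new WSSecurityException(ERR_INVALID_SECURITY);
            }

            doResults(soapMessage, actor, doc, wsResult);

            if (timingEnabled) {
                long tEnd = System.currentTimeMillis();
                TIME_LOG.fine("Receive request: total= " + (tEnd - tStart) + " request preparation= " + (tPrepared - tStart) + " request processing= " + (tProcessed - tPrepared) + " header, cert verify, timestamp= " + (tEnd - tProcessed) + "\n");
            }
            if (debugEnabled) {
                LOG.fine("WSS4JInInterceptor: exit handleMessage()");
            }
        } catch (XMLStreamException e) {
            throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
        } catch (SOAPException e) {
            throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
        } catch (WSSecurityException e) {
            // The original logged an empty message here; a fixed text makes rejected messages
            // searchable in the log.
            LOG.log(Level.WARNING, "WS-Security processing of inbound message failed", e);
            throw createSoapFault(version, e);
        } finally {
            // Single cleanup point for every exit path, including the early returns above.
            reqData.clear();
        }
    }

    /**
     * Publishes the processing results on the message.
     *
     * <p>Prepends a {@link WSHandlerResult} to the {@code "RECV_RESULTS"} list, replaces the
     * message's {@link XMLStreamReader} with one over the SOAP body DOM, and exposes principals
     * found in the results.
     *
     * <p>Every non-null principal overwrites {@link #PRINCIPAL_RESULT}. A {@link SecurityContext}
     * is installed only for the first one found while the message has no context with a user
     * principal, and the method returns right after installing it. The installed context answers
     * {@code false} to every role query.
     */
    private void doResults(SoapMessage soapMessage, String str, SOAPMessage sOAPMessage, Vector vector) throws SOAPException, XMLStreamException {
        List<Object> results = CastUtils.cast((List<?>) soapMessage.get("RECV_RESULTS"));
        if (results == null) {
            results = new Vector<Object>();
            soapMessage.put("RECV_RESULTS", results);
        }
        results.add(0, new WSHandlerResult(str, vector));

        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(sOAPMessage.getSOAPBody()));
        reader.next();
        // NOTE(review): the original loop tested (event != 2 || event != 1), which is always
        // true, and was capped at one iteration. That amounts to one further advance when the
        // reader has more events, which is what is kept here. Confirm the intended stop position.
        if (reader.hasNext()) {
            reader.next();
        }
        soapMessage.setContent(XMLStreamReader.class, reader);

        for (WSSecurityEngineResult result : CastUtils.cast((List<?>) vector, WSSecurityEngineResult.class)) {
            final Principal principal = (Principal) result.get("principal");
            if (principal == null) {
                continue;
            }
            soapMessage.put(PRINCIPAL_RESULT, principal);
            SecurityContext existing = soapMessage.get(SecurityContext.class);
            if (existing == null || existing.getUserPrincipal() == null) {
                SecurityContext context = new SecurityContext() {
                    @Override
                    public Principal getUserPrincipal() {
                        return principal;
                    }

                    @Override
                    public boolean isUserInRole(String role) {
                        // No role information is available at this layer, so every role check is denied.
                        return false;
                    }
                };
                soapMessage.put(SecurityContext.class, context);
                return;
            }
        }
    }

    /**
     * Resolves the configured security action string, first from the interceptor options and then
     * from the message.
     *
     * @throws SoapFault (receiver fault) when no action is configured, so a missing configuration
     *         rejects the message
     */
    private String getAction(SoapMessage soapMessage, SoapVersion soapVersion) {
        String action = (String) getOption("action");
        if (action == null) {
            action = (String) soapMessage.get("action");
        }
        if (action == null) {
            LOG.warning("No security action was defined!");
            throw new SoapFault("No security action was defined!", soapVersion.getReceiver());
        }
        return action;
    }

    /**
     * Returns the password callback handler when the decoded action mask has bit 1 or bit 4 set,
     * otherwise {@code null}.
     */
    private CallbackHandler getCallback(RequestData requestData, int i) throws WSSecurityException {
        return (i & ACTIONS_NEEDING_PASSWORD_CALLBACK) != 0 ? getPasswordCB(requestData) : null;
    }

    /** Returns the engine built from {@link #PROCESSOR_MAP} if there is one, else the inherited engine. */
    private WSSecurityEngine getSecurityEngine() {
        if (this.secEngineOverride != null) {
            return this.secEngineOverride;
        }
        return secEngine;
    }

    /**
     * Builds a security engine whose {@link WSSConfig} has the given element-to-processor mapping.
     *
     * <p>Values are trimmed; an empty value or the literal string {@code "null"} is passed on as
     * {@code null}. NOTE(review): presumably a null processor disables handling of that element;
     * confirm, because that would switch off checks for the corresponding header content.
     *
     * @param map header element name to processor class name; must not be null
     */
    private WSSecurityEngine createSecurityEngine(Map<QName, String> map) {
        assert map != null;
        WSSConfig config = WSSConfig.getNewInstance();
        for (Map.Entry<QName, String> entry : map.entrySet()) {
            String processor = entry.getValue();
            if (processor != null) {
                processor = processor.trim();
                if ("null".equals(processor) || processor.length() == 0) {
                    processor = null;
                }
            }
            config.setProcessor(entry.getKey(), processor);
        }
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /**
     * Converts a WSS4J failure into a SOAP fault.
     *
     * <p>For SOAP 1.1 with a fault code present, that code becomes the fault code. Otherwise the
     * sender code is used, and for other SOAP versions a present fault code becomes the subcode.
     *
     * <p>NOTE(review): the exception message is copied into the fault returned to the caller.
     * Check that WSS4J messages do not reveal more about the failed check than a remote sender
     * should learn.
     */
    private SoapFault createSoapFault(SoapVersion soapVersion, WSSecurityException wSSecurityException) {
        QName faultCode = wSSecurityException.getFaultCode();
        boolean soap11 = soapVersion.getVersion() == 1.1d;
        if (soap11 && faultCode != null) {
            return new SoapFault(wSSecurityException.getMessage(), wSSecurityException, faultCode);
        }
        SoapFault fault = new SoapFault(wSSecurityException.getMessage(), wSSecurityException, soapVersion.getSender());
        if (!soap11 && faultCode != null) {
            fault.setSubCode(faultCode);
        }
        return fault;
    }
}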
