package org.apache.cxf.ws.security.wss4j;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.dom.DOMSource;
import org.apache.cxf.binding.http.HttpConstants;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.util.WSSecurityUtil;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.class */
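/**
 * Inbound CXF interceptor that runs WSS4J over the SOAP security header and then enforces the
 * configured actions, signature trust and timestamp freshness before publishing the results on
 * the message.
 *
 * <p>This listing is decompiler output. Numeric literals such as the action bits {@code 1},
 * {@code 2}, {@code 32} and the {@link WSSecurityException} codes {@code 3}, {@code 6}, {@code 8}
 * are constants the compiler inlined; the names given in comments below are presumed from the
 * WSS4J 1.5.x API and should be confirmed against the library version in use. Several members are
 * reported by the decompiler as having had their access widened; the modifiers shown here are kept.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #handleMessage} does nothing for requests matched by {@link #isGET}.</li>
 *   <li>{@code ignoreActions} switches off the comparison of performed against required actions.</li>
 *   <li>A message without a security header whose body is a SOAP Fault is accepted without the
 *       action check.</li>
 *   <li>The text of a {@link WSSecurityException} is copied into the fault returned to the peer.</li>
 * </ul>
 */
public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
    /** Message key under which the most recently validated timestamp result is stored. */
    public static final String TIMESTAMP_RESULT = "wss4j.timestamp.result";
    /** Message key under which the most recently validated signature result is stored. */
    public static final String SIGNATURE_RESULT = "wss4j.signature.result";
    /** Message key under which the selected principal is stored. */
    public static final String PRINCIPAL_RESULT = "wss4j.principal.result";
    /** Constructor-property key holding a {@code Map<QName, Object>} of processor overrides. */
    public static final String PROCESSOR_MAP = "wss4j.processor.map";
    /** Message key marking that this interceptor has already processed the message. */
    public static final String SECURITY_PROCESSED = WSS4JInInterceptor.class.getName() + ".DONE";
    private static final Logger LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class);
    private static final Logger TIME_LOG =
        LogUtils.getL7dLogger(WSS4JInInterceptor.class, null, WSS4JInInterceptor.class.getName() + "-Time");

    private SAAJInInterceptor saajIn;
    // When true, checkActions() accepts any set of performed actions.
    private boolean ignoreActions;
    // Engine built from PROCESSOR_MAP; takes precedence in getSecurityEngine().
    private WSSecurityEngine secEngineOverride;

    /**
     * Callback handler that answers key requests from a {@link TokenStore} first and falls back to
     * an optional wrapped handler.
     *
     * <p>The decompiler reports this class was originally {@code private}.
     */
    public class TokenStoreCallbackHandler implements CallbackHandler {
        private final CallbackHandler internal;
        private final TokenStore store;

        /**
         * @param callbackHandler fallback handler, may be {@code null}
         * @param tokenStore store searched for secrets
         */
        public TokenStoreCallbackHandler(CallbackHandler callbackHandler, TokenStore tokenStore) {
            this.internal = callbackHandler;
            this.store = tokenStore;
        }

        /**
         * Supplies the secret for the first {@link WSPasswordCallback} that matches a stored token
         * and returns immediately; remaining callbacks are then left untouched. If nothing
         * matches, the whole array is passed to the fallback handler.
         *
         * <p>Callbacks of another type used to fail with a {@link ClassCastException}; they are
         * now left for the fallback handler, and reported as unsupported when there is none.
         *
         * @throws UnsupportedCallbackException if no token matched, there is no fallback handler
         *         and a callback of an unexpected type was supplied
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            Callback unsupported = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof WSPasswordCallback)) {
                    if (unsupported == null) {
                        unsupported = callback;
                    }
                    continue;
                }
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
                String identifier = passwordCallback.getIdentifier();
                if ("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1".equals(passwordCallback.getKeyType())) {
                    // Identifier is the SHA-1 of an encrypted key: only non-expired tokens are searched.
                    for (SecurityToken candidate : this.store.getValidTokens()) {
                        // Null guard: a callback without an identifier cannot match any token.
                        if (identifier != null && identifier.equals(candidate.getSHA1())) {
                            passwordCallback.setKey(candidate.getSecret());
                            return;
                        }
                    }
                } else {
                    SecurityToken token = this.store.getToken(identifier);
                    if (token != null) {
                        passwordCallback.setKey(token.getSecret());
                        passwordCallback.setCustomToken(token.getToken());
                        return;
                    }
                }
            }
            if (this.internal != null) {
                this.internal.handle(callbackArr);
            } else if (unsupported != null) {
                throw new UnsupportedCallbackException(unsupported);
            }
        }
    }

    /** Creates the interceptor in the PRE_PROTOCOL phase, ordered after {@link SAAJInInterceptor}. */
    public WSS4JInInterceptor() {
        this.saajIn = new SAAJInInterceptor();
        setPhase(Phase.PRE_PROTOCOL);
        getAfter().add(SAAJInInterceptor.class.getName());
    }

    /**
     * @param z when {@code true}, the performed actions are not compared with the required ones
     */
    public WSS4JInInterceptor(boolean z) {
        this();
        this.ignoreActions = z;
    }

    /**
     * @param map handler properties; an entry under {@link #PROCESSOR_MAP} replaces the default
     *        security engine with one built by {@link #createSecurityEngine(Map)}
     */
    public WSS4JInInterceptor(Map<String, Object> map) {
        this();
        setProperties(map);
        Map<QName, Object> processors = CastUtils.cast((Map<?, ?>) map.get(PROCESSOR_MAP));
        if (processors != null) {
            this.secEngineOverride = createSecurityEngine(processors);
        }
    }

    /**
     * Enables or disables enforcement of the configured action list.
     *
     * @param z {@code true} makes {@code checkActions} accept any result set, so a message that
     *        lacks a required signature, encryption or token is no longer rejected on that ground
     */
    public void setIgnoreActions(boolean z) {
        this.ignoreActions = z;
    }

    /** Returns the SAAJ view of the message, running the SAAJ interceptor first if it is missing. */
    private SOAPMessage getSOAPMessage(SoapMessage soapMessage) {
        SOAPMessage saajMessage = (SOAPMessage) soapMessage.getContent(SOAPMessage.class);
        if (saajMessage != null) {
            return saajMessage;
        }
        this.saajIn.handleMessage(soapMessage);
        return (SOAPMessage) soapMessage.getContent(SOAPMessage.class);
    }

    /**
     * Looks up a handler property, falling back to the outbound message of the exchange for the
     * stored signature values when this side is the requestor.
     */
    @Override // org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
    public Object getProperty(Object obj, String str) {
        Object value = super.getProperty(obj, str);
        if (value != null) {
            return value;
        }
        // Compared by value: the listing compared references, which only matches an interned key.
        if ("_sendSignatureValues_".equals(str) && isRequestor((SoapMessage) obj)) {
            return ((SoapMessage) obj).getExchange().getOutMessage().get(str);
        }
        return null;
    }

    /**
     * Tells whether the message is an HTTP GET that carries no XML stream content.
     * {@link #handleMessage} returns without any WS-Security processing when this is true.
     */
    public final boolean isGET(SoapMessage soapMessage) {
        String method = (String) soapMessage.get(Message.HTTP_REQUEST_METHOD);
        return HttpConstants.GET.equals(method) && soapMessage.getContent(XMLStreamReader.class) == null;
    }

    /**
     * Processes the security header of an inbound message once, validates the outcome and stores
     * the results on the message.
     *
     * @throws Fault a {@link SoapFault} when parsing fails or any security check rejects the message
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
            return;
        }
        soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);

        boolean utWithCallbacks =
            !MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.USERNAME_TOKEN_NO_CALLBACKS, false);
        WSSecurityEngine engine;
        WSSConfig configured = (WSSConfig) soapMessage.getContextualProperty(WSSConfig.class.getName());
        if (configured == null) {
            engine = getSecurityEngine(utWithCallbacks);
        } else {
            // A WSSConfig supplied on the message context overrides every engine of this interceptor.
            engine = new WSSecurityEngine();
            engine.setWssConfig(configured);
        }

        SOAPMessage saajMessage = getSOAPMessage(soapMessage);
        boolean debug = LOG.isLoggable(Level.FINE);
        boolean timing = TIME_LOG.isLoggable(Level.FINE);
        SoapVersion version = soapMessage.getVersion();
        if (debug) {
            LOG.fine("WSS4JInInterceptor: enter handleMessage()");
        }
        long started = 0;
        long prepared = 0;
        long processed = 0;
        if (timing) {
            started = System.currentTimeMillis();
        }

        RequestData requestData = new RequestData();
        try {
            requestData.setMsgContext(soapMessage);
            computeAction(soapMessage, requestData);
            Vector requiredActions = new Vector();
            int actionMask = WSSecurityUtil.decodeAction(getAction(soapMessage, version), requiredActions);
            String actor = (String) getOption("actor");
            CallbackHandler callbackHandler = getCallback(requestData, actionMask, utWithCallbacks);
            doReceiverAction(actionMask, requestData);
            if (timing) {
                prepared = System.currentTimeMillis();
            }

            Vector results = engine.processSecurityHeader(
                saajMessage.getSOAPPart(), actor, callbackHandler,
                requestData.getSigCrypto(), requestData.getDecCrypto());
            if (timing) {
                processed = System.currentTimeMillis();
            }

            if (results != null) {
                if (requestData.getWssConfig().isEnableSignatureConfirmation()) {
                    checkSignatureConfirmation(requestData, results);
                }
                checkSignatures(soapMessage, requestData, results);
                checkTimestamps(soapMessage, requestData, results);
                checkActions(soapMessage, requestData, results, requiredActions);
                doResults(soapMessage, actor, saajMessage, results, utWithCallbacks);
            } else {
                // No security header was found.
                Vector emptyResults = new Vector();
                if (saajMessage.getSOAPPart().getEnvelope().getBody().hasFault()) {
                    // NOTE(review): a Fault body skips checkActions(), and nothing in this method
                    // restricts the branch to the requestor side; confirm that accepting an
                    // unsecured fault is intended wherever this interceptor is installed.
                    LOG.warning("Request does not contain Security header, but it's a fault.");
                } else {
                    checkActions(soapMessage, requestData, emptyResults, requiredActions);
                }
                doResults(soapMessage, actor, saajMessage, emptyResults);
            }

            SAAJInInterceptor.replaceHeaders(saajMessage, soapMessage);
            if (timing) {
                long finished = System.currentTimeMillis();
                TIME_LOG.fine("Receive request: total= " + (finished - started) + " request preparation= " + (prepared - started) + " request processing= " + (processed - prepared) + " header, cert verify, timestamp= " + (finished - processed) + "\n");
            }
            if (debug) {
                LOG.fine("WSS4JInInterceptor: exit handleMessage()");
            }
        } catch (XMLStreamException e) {
            throw new SoapFault(new org.apache.cxf.common.i18n.Message("STAX_EX", LOG, new Object[0]), (Throwable) e, version.getSender());
        } catch (SOAPException e) {
            throw new SoapFault(new org.apache.cxf.common.i18n.Message("SAAJ_EX", LOG, new Object[0]), (Throwable) e, version.getSender());
        } catch (WSSecurityException e) {
            LOG.log(Level.WARNING, "", e);
            throw createSoapFault(version, e);
        } finally {
            // Always release the per-request state, including on rejection.
            requestData.clear();
        }
    }

    /**
     * Rejects the message unless the performed actions match the required ones.
     *
     * @param vector results produced by WSS4J
     * @param vector2 actions required by configuration
     * @throws WSSecurityException code 3 (presumably INVALID_SECURITY) on a mismatch
     */
    private void checkActions(SoapMessage soapMessage, RequestData requestData, Vector vector, Vector vector2) throws WSSecurityException {
        // ignoreActions bypasses the comparison entirely.
        boolean accepted = this.ignoreActions || checkReceiverResultsAnyOrder(vector, vector2);
        if (!accepted) {
            LOG.warning("Security processing failed (actions mismatch)");
            throw new WSSecurityException(3);
        }
    }

    /**
     * Verifies trust in the certificate or chain of every signature result (action bit 2,
     * presumably SIGN) and records the result under {@link #SIGNATURE_RESULT}.
     *
     * <p>A signature result carrying neither a certificate nor a chain passes through without a
     * trust check. With several signatures the last one is the one left on the message.
     *
     * @throws WSSecurityException code 6 (presumably FAILED_CHECK) when trust verification fails
     */
    private void checkSignatures(SoapMessage soapMessage, RequestData requestData, Vector vector) throws WSSecurityException {
        Vector signatureResults = WSSecurityUtil.fetchAllActionResults(vector, 2, new Vector());
        for (Object entry : signatureResults) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) entry;
            X509Certificate certificate = (X509Certificate) result.get("x509-certificate");
            X509Certificate[] chain = (X509Certificate[]) result.get("x509-certificates");
            if (chain != null && !verifyTrust(chain, requestData)) {
                LOG.warning("The certificate chain used for the signature is not trusted");
                throw new WSSecurityException(6);
            }
            if (certificate != null && !verifyTrust(certificate, requestData)) {
                LOG.warning("The certificate used for the signature is not trusted");
                throw new WSSecurityException(6);
            }
            soapMessage.put(SIGNATURE_RESULT, result);
        }
    }

    /**
     * Validates every timestamp result (action bit 32, presumably TS) against the configured
     * time-to-live and future tolerance, and records it under {@link #TIMESTAMP_RESULT}.
     *
     * @throws WSSecurityException code 8 (presumably MESSAGE_EXPIRED) when a timestamp is rejected
     */
    protected void checkTimestamps(SoapMessage soapMessage, RequestData requestData, Vector vector) throws WSSecurityException {
        Vector timestampResults = WSSecurityUtil.fetchAllActionResults(vector, 32, new Vector());
        if (timestampResults.isEmpty()) {
            return;
        }
        int futureTimeToLive = 60;
        String configuredFuture = getString("futureTimeToLive", requestData.getMsgContext());
        if (configuredFuture != null) {
            try {
                futureTimeToLive = Integer.parseInt(configuredFuture);
            } catch (NumberFormatException e) {
                // Keep the default, but surface the misconfiguration instead of hiding it.
                LOG.warning("Ignoring non-numeric futureTimeToLive setting; using default 60");
                futureTimeToLive = 60;
            }
        }
        for (Object entry : timestampResults) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) entry;
            Timestamp timestamp = (Timestamp) result.get("timestamp");
            if (timestamp != null && !verifyTimestamp(timestamp, decodeTimeToLive(requestData), futureTimeToLive)) {
                LOG.warning("The timestamp could not be validated");
                throw new WSSecurityException(8);
            }
            soapMessage.put(TIMESTAMP_RESULT, result);
        }
    }

    /** Extension hook called before the action string is decoded; does nothing here. */
    protected void computeAction(SoapMessage soapMessage, RequestData requestData) {
    }

    /** Same as the five-argument overload with {@code z} set to {@code false}. */
    protected void doResults(SoapMessage soapMessage, String str, SOAPMessage sOAPMessage, Vector vector) throws SOAPException, XMLStreamException, WSSecurityException {
        doResults(soapMessage, str, sOAPMessage, vector, false);
    }

    /**
     * Publishes the WSS4J results on the message, resets the body stream reader, enforces the
     * digest-password requirement and installs a {@link SecurityContext} for the first suitable
     * principal.
     *
     * <p>The decompiler reports this method was originally {@code protected}.
     *
     * @param str actor the results belong to
     * @param vector results produced by WSS4J
     * @param z when {@code false}, the principal is also passed to {@code WSS4JTokenConverter}
     * @throws WSSecurityException code 3 when a plain-text UsernameToken arrives although
     *         {@code passwordType} is {@code PasswordDigest}
     */
    public void doResults(SoapMessage soapMessage, String str, SOAPMessage sOAPMessage, Vector vector, boolean z) throws SOAPException, XMLStreamException, WSSecurityException {
        List<Object> receivedResults = CastUtils.cast((List<?>) soapMessage.get("RECV_RESULTS"));
        if (receivedResults == null) {
            // Kept as a Vector: presumably other WSS4J handler code reads this entry as one.
            receivedResults = new Vector<Object>();
            soapMessage.put("RECV_RESULTS", receivedResults);
        }
        receivedResults.add(0, new WSHandlerResult(str, vector));

        XMLStreamReader bodyReader = StaxUtils.createXMLStreamReader(new DOMSource(sOAPMessage.getSOAPBody()));
        bodyReader.next();
        // The listing looped on "(event != 2 || event != 1)", which is always true, with a bound
        // of one iteration; the effect is a single further step when one is available.
        if (bodyReader.hasNext()) {
            bodyReader.next();
        }
        soapMessage.setContent(XMLStreamReader.class, bodyReader);

        List<WSSecurityEngineResult> results = CastUtils.cast((List<?>) vector, WSSecurityEngineResult.class);
        if ("PasswordDigest".equals((String) getProperty(soapMessage, "passwordType"))) {
            for (WSSecurityEngineResult result : results) {
                // Action 1 is presumably UT (UsernameToken).
                boolean usernameToken = ((Integer) result.get("action")).intValue() == 1;
                if (usernameToken && !((WSUsernameTokenPrincipal) result.get("principal")).isPasswordDigest()) {
                    LOG.warning("Non-digest UsernameToken found, but digest required");
                    throw new WSSecurityException(3);
                }
            }
        }

        for (WSSecurityEngineResult result : results) {
            Principal principal = (Principal) result.get("principal");
            if (principal == null || !isSecurityContextPrincipal(principal, results)) {
                continue;
            }
            soapMessage.put(PRINCIPAL_RESULT, principal);
            if (!z) {
                WSS4JTokenConverter.convertToken(soapMessage, principal);
            }
            SecurityContext existing = (SecurityContext) soapMessage.get(SecurityContext.class);
            if (existing == null || existing.getUserPrincipal() == null) {
                // The listing cast the context to Class here, a decompiler artefact that cannot
                // compile; the typed put(Class, value) overload is what the call resolves to.
                soapMessage.put(SecurityContext.class, createSecurityContext(principal));
                return;
            }
        }
    }

    /**
     * Decides whether a principal may become the security-context principal: a derived-key
     * principal qualifies only when it is the sole result.
     */
    protected boolean isSecurityContextPrincipal(Principal principal, List<WSSecurityEngineResult> list) {
        if (principal instanceof WSDerivedKeyTokenPrincipal) {
            return list.size() <= 1;
        }
        return true;
    }

    /**
     * Wraps a principal in a {@link SecurityContext} that grants no roles: {@code isUserInRole}
     * always answers {@code false}, so role-based authorization needs a different context.
     */
    protected SecurityContext createSecurityContext(final Principal principal) {
        return new SecurityContext() { // from class: org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.1
            @Override // org.apache.cxf.security.SecurityContext
            public Principal getUserPrincipal() {
                return principal;
            }

            @Override // org.apache.cxf.security.SecurityContext
            public boolean isUserInRole(String str) {
                return false;
            }
        };
    }

    /**
     * Returns the configured action string, taken from the handler options and then from the
     * message.
     *
     * @throws SoapFault (receiver fault) when no action is configured, so an unconfigured
     *         interceptor rejects messages instead of letting them through
     */
    private String getAction(SoapMessage soapMessage, SoapVersion soapVersion) {
        String action = (String) getOption("action");
        if (action == null) {
            action = (String) soapMessage.get("action");
        }
        if (action == null) {
            LOG.warning("No security action was defined!");
            throw new SoapFault("No security action was defined!", soapVersion.getReceiver());
        }
        return action;
    }

    /**
     * Resolves the callback handler for this request.
     *
     * <p>When UsernameToken callbacks are disabled ({@code z} is {@code false}) and the action
     * mask contains bit 1, a failure to obtain a handler is tolerated and a
     * {@code DelegatingCallbackHandler} around a possibly {@code null} handler is returned.
     *
     * <p>The decompiler reports this method was originally {@code protected}.
     *
     * @param i decoded action bit mask
     * @param z whether UsernameToken processing uses callbacks
     */
    public CallbackHandler getCallback(RequestData requestData, int i, boolean z) throws WSSecurityException {
        if (z || (i & 1) == 0) {
            return getCallback(requestData, i);
        }
        CallbackHandler delegate = null;
        try {
            delegate = getCallback(requestData, i);
        } catch (Exception ignored) {
            // Deliberate best effort; recorded so that a broken handler configuration is visible.
            LOG.log(Level.FINE, "No callback handler could be obtained; continuing without one", ignored);
        }
        return new DelegatingCallbackHandler(delegate);
    }

    /**
     * Resolves the callback handler from the message context, the handler configuration and the
     * endpoint's {@link TokenStore}.
     *
     * <p>For action masks containing bit 1 or 4 (presumably UT and ENCR) the
     * {@code SecurityConstants.CALLBACK_HANDLER} property is consulted; a {@code String} value is
     * treated as a class name and instantiated. That value must therefore come from trusted
     * configuration only.
     *
     * @param i decoded action bit mask
     * @throws WSSecurityException when the configured class cannot be instantiated, or when no
     *         password callback is configured and the endpoint has no token store
     */
    protected CallbackHandler getCallback(RequestData requestData, int i) throws WSSecurityException {
        CallbackHandler handler = null;
        if ((i & 5) != 0) {
            Object configured = ((SoapMessage) requestData.getMsgContext()).getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
            if (configured instanceof String) {
                try {
                    configured = ClassLoaderUtils.loadClass((String) configured, getClass()).newInstance();
                } catch (Exception e) {
                    throw new WSSecurityException(e.getMessage(), e);
                }
            }
            if (configured instanceof CallbackHandler) {
                handler = (CallbackHandler) configured;
            }
            if (handler == null) {
                try {
                    handler = getPasswordCB(requestData);
                } catch (WSSecurityException e) {
                    // No password callback: a token store alone is enough, otherwise give up.
                    TokenStore fallbackStore = findTokenStore(requestData);
                    if (fallbackStore == null) {
                        throw e;
                    }
                    return new TokenStoreCallbackHandler(handler, fallbackStore);
                }
            }
        }
        TokenStore tokenStore = findTokenStore(requestData);
        return tokenStore == null ? handler : new TokenStoreCallbackHandler(handler, tokenStore);
    }

    /** Returns the token store registered on the endpoint of the exchange, or {@code null}. */
    private static TokenStore findTokenStore(RequestData requestData) {
        Endpoint endpoint = (Endpoint) ((SoapMessage) requestData.getMsgContext()).getExchange().get(Endpoint.class);
        if (endpoint == null || endpoint.getEndpointInfo() == null) {
            return null;
        }
        return (TokenStore) endpoint.getEndpointInfo().getProperty(TokenStore.class.getName());
    }

    /**
     * Selects the security engine: the constructor override if present, else the shared engine
     * when UsernameToken callbacks are enabled, else a new engine whose UsernameToken processors
     * work without callbacks.
     *
     * <p>The decompiler reports this method was originally {@code protected}.
     *
     * @param z whether UsernameToken processing uses callbacks
     */
    public WSSecurityEngine getSecurityEngine(boolean z) {
        if (this.secEngineOverride != null) {
            return this.secEngineOverride;
        }
        if (z) {
            return secEngine;
        }
        Map<QName, Object> processors = new HashMap<QName, Object>(3);
        UsernameTokenProcessorWithoutCallbacks noCallbackProcessor = new UsernameTokenProcessorWithoutCallbacks();
        processors.put(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SPConstants.USERNAME_TOKEN), noCallbackProcessor);
        processors.put(new QName("http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", SPConstants.USERNAME_TOKEN), noCallbackProcessor);
        return createSecurityEngine(processors);
    }

    /**
     * Builds a security engine whose configuration carries the given processor overrides.
     *
     * <p>A value may be a {@link Processor}, a class name, or {@code null}; a blank string and the
     * literal {@code "null"} are passed on as {@code null}. Values of any other type are ignored.
     *
     * <p>The decompiler reports this method was originally {@code protected}.
     *
     * @param map processor overrides keyed by element name, must not be {@code null}
     */
    public static WSSecurityEngine createSecurityEngine(Map<QName, Object> map) {
        // Replaces the decompiled synthetic $assertionsDisabled check with the assertion it encodes.
        assert map != null;
        WSSConfig config = WSSConfig.getNewInstance();
        for (Map.Entry<QName, Object> entry : map.entrySet()) {
            QName key = entry.getKey();
            Object value = entry.getValue();
            if (value instanceof String) {
                String className = ((String) value).trim();
                if ("null".equals(className) || className.length() == 0) {
                    className = null;
                }
                config.setProcessor(key, className);
            } else if (value instanceof Processor) {
                config.setProcessor(key, (Processor) value);
            } else if (value == null) {
                config.setProcessor(key, (String) null);
            }
        }
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /**
     * Converts a WSS4J failure into a SOAP fault. Under SOAP 1.1 the WSS fault code, when present,
     * becomes the fault code; otherwise the sender code is used and the WSS code becomes the
     * sub-code.
     *
     * <p>NOTE(review): the exception message is copied into the fault returned to the peer;
     * confirm it carries no detail that should stay in the server log.
     */
    private SoapFault createSoapFault(SoapVersion soapVersion, WSSecurityException wSSecurityException) {
        QName faultCode = wSSecurityException.getFaultCode();
        boolean soap11 = soapVersion.getVersion() == 1.1d;
        if (soap11 && faultCode != null) {
            return new SoapFault(wSSecurityException.getMessage(), (Throwable) wSSecurityException, faultCode);
        }
        SoapFault fault = new SoapFault(wSSecurityException.getMessage(), (Throwable) wSSecurityException, soapVersion.getSender());
        if (!soap11 && faultCode != null) {
            fault.setSubCode(faultCode);
        }
        return fault;
    }
}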
