package org.apache.cxf.ws.security.policy.interceptors;

import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.Properties;
import java.util.logging.Logger;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.addressing.JAXWSAConstants;
import org.apache.cxf.ws.addressing.soap.MAPCodec;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider;
import org.apache.cxf.ws.security.policy.model.Binding;
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.ProtectionToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
import org.apache.cxf.ws.security.policy.model.Trust10;
import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.neethi.All;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.util.Base64;
import org.opensaml.ws.wstrust.Entropy;
import org.opensaml.ws.wstrust.RequestSecurityTokenResponseCollection;
import org.opensaml.ws.wstrust.RequestedAttachedReference;
import org.opensaml.ws.wstrust.RequestedUnattachedReference;
import org.w3c.dom.Element;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:cxf-bundle-2.7.14.jar:org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.class */
public class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    static final Logger LOG = LogUtils.getL7dLogger(SecureConversationInInterceptor.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:cxf-bundle-2.7.14.jar:org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor$SecureConversationCancelInterceptor.class */
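    /**
     * Interceptor (phase {@code POST_LOGICAL}) that asks the STS client to cancel the
     * SecureConversation token associated with the exchange's outbound message and then
     * removes that token from the local token store.
     *
     * <p>It only acts when the message carries a {@code SECURE_CONVERSATION_TOKEN} policy
     * assertion. The outer interceptor adds {@link #INSTANCE} to the chain when the
     * {@code STS_TOKEN_DO_CANCEL} contextual property is set to true.
     */
    public static class SecureConversationCancelInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
        static final SecureConversationCancelInterceptor INSTANCE = new SecureConversationCancelInterceptor();

        public SecureConversationCancelInterceptor() {
            super(Phase.POST_LOGICAL);
        }

        /**
         * Cancels the conversation token if a SecureConversationToken assertion is in effect.
         *
         * @param soapMessage the message being processed
         * @throws Fault if the cancel request fails or no token can be found to cancel
         */
        @Override
        public void handleMessage(SoapMessage soapMessage) throws Fault {
            AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
            if (assertionInfoMap == null) {
                return;
            }
            Collection<AssertionInfo> sctAssertions = assertionInfoMap.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
            if (sctAssertions == null || sctAssertions.isEmpty()) {
                return;
            }
            // Only the first assertion is consulted, as in the original code.
            doCancel(soapMessage, assertionInfoMap, (SecureConversationToken) sctAssertions.iterator().next().getAssertion());
        }

        /**
         * Resolves the token to cancel, sends the cancel request and drops the local copy.
         *
         * @param soapMessage the inbound message that triggered the cancel
         * @param assertionInfoMap the assertions in effect for the message
         * @param secureConversationToken the SecureConversationToken assertion used to set up the client
         */
        private void doCancel(SoapMessage soapMessage, AssertionInfoMap assertionInfoMap, SecureConversationToken secureConversationToken) {
            Message outMessage = soapMessage.getExchange().getOutMessage();

            // Prefer the token object itself; fall back to looking it up by id in the token store.
            SecurityToken securityToken = (SecurityToken) outMessage.getContextualProperty(SecurityConstants.TOKEN);
            if (securityToken == null) {
                String tokenId = (String) outMessage.getContextualProperty(SecurityConstants.TOKEN_ID);
                if (tokenId != null) {
                    securityToken = NegotiationUtils.getTokenStore(outMessage).getToken(tokenId);
                }
            }
            if (securityToken == null) {
                // Previously this case ran on into cancelSecurityToken(null) / securityToken.getId()
                // and surfaced as an opaque NullPointerException. Fail explicitly, before the
                // STS client is touched, so a missing or already-evicted token is diagnosable.
                throw new Fault(new IllegalStateException("No SecureConversation token available to cancel"));
            }

            STSClient client = STSUtils.getClient(outMessage, "sct");
            AddressingProperties addressingProperties = (AddressingProperties) soapMessage.get("javax.xml.ws.addressing.context.inbound");
            if (addressingProperties == null) {
                addressingProperties = (AddressingProperties) outMessage.get(JAXWSAConstants.CLIENT_ADDRESSING_PROPERTIES);
            }

            // The client is configured per call and reset afterwards; the lock keeps that
            // configure/use/reset sequence from interleaving with another user of the same client.
            synchronized (client) {
                try {
                    SecureConversationTokenInterceptorProvider.setupClient(client, soapMessage, assertionInfoMap, secureConversationToken, true);
                    if (addressingProperties != null) {
                        client.setAddressingNamespace(addressingProperties.getNamespaceURI());
                    }
                    client.cancelSecurityToken(securityToken);
                    // Remove the local copy only after the cancel call returned normally.
                    NegotiationUtils.getTokenStore(outMessage).remove(securityToken.getId());
                    outMessage.setContextualProperty(SecurityConstants.TOKEN, null);
                } catch (RuntimeException e) {
                    throw e;
                } catch (Exception e) {
                    throw new Fault(e);
                } finally {
                    // Always clear the per-call configuration, on success and on failure alike.
                    client.setTrust((Trust10) null);
                    client.setTrust((Trust13) null);
                    client.setTemplate(null);
                    client.setLocation(null);
                    client.setAddressingNamespace(null);
                }
            }
        }
    }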

    /* loaded from: input_file:cxf-bundle-2.7.14.jar:org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor$SecureConversationSTSInvoker.class */
    /**
     * Invoker that answers a SecureConversation token request: it writes a
     * RequestSecurityTokenResponse containing a freshly created SecurityContextToken and
     * registers the matching {@link SecurityToken} in the endpoint's {@link TokenStore}.
     */
    public class SecureConversationSTSInvoker extends STSInvoker {
        public SecureConversationSTSInvoker() {
        }

        /**
         * Builds the token response for one request.
         *
         * <p>Security-relevant inputs are read straight from the request element: the
         * Entropy payload, the requested KeySize and the TokenType. All three are supplied
         * by the requester.
         *
         * @param element request element whose child elements are scanned
         * @param exchange current exchange; supplies the inbound message and the endpoint
         * @param element2 not used by this implementation
         * @param w3CDOMStreamWriter writer that receives the response elements
         * @param str first argument of every writeStartElement call (presumably the element prefix)
         * @param str2 WS-Trust namespace URI used for matching request children and writing the response
         * @throws Exception propagated from the writer and helper calls; a non-numeric KeySize
         *         surfaces as NumberFormatException from Integer.parseInt
         */
        @Override // org.apache.cxf.ws.security.policy.interceptors.STSInvoker
        void doIssue(Element element, Exchange exchange, Element element2, W3CDOMStreamWriter w3CDOMStreamWriter, String str, String str2) throws Exception {
            // Only the WS-Trust 1.3 (200512) namespace wraps the response in a collection element.
            if ("http://docs.oasis-open.org/ws-sx/ws-trust/200512".equals(str2)) {
                w3CDOMStreamWriter.writeStartElement(str, RequestSecurityTokenResponseCollection.ELEMENT_LOCAL_NAME, str2);
            }
            w3CDOMStreamWriter.writeStartElement(str, "RequestSecurityTokenResponse", str2);
            byte[] bArr = null; // requester entropy, if any
            int i = 256; // key size in bits; default when the request names none
            String str3 = null; // requested token type
            Element firstElement = DOMUtils.getFirstElement(element);
            // Walk the direct children of the request; only elements in namespace str2 are considered.
            while (true) {
                Element element3 = firstElement;
                if (element3 == null) {
                    break;
                }
                String localName = element3.getLocalName();
                if (str2.equals(element3.getNamespaceURI())) {
                    if (Entropy.ELEMENT_LOCAL_NAME.equals(localName)) {
                        // NOTE(review): the first child of Entropy is decoded without checking its
                        // name or type; presumably it is expected to be a BinarySecret - confirm.
                        Element firstElement2 = DOMUtils.getFirstElement(element3);
                        if (firstElement2 != null) {
                            bArr = Base64.decode(firstElement2.getTextContent());
                        }
                    } else if ("KeySize".equals(localName)) {
                        // Untrusted number: parse failures propagate; the range is enforced below.
                        i = Integer.parseInt(element3.getTextContent());
                    } else if ("TokenType".equals(localName)) {
                        str3 = element3.getTextContent();
                    }
                }
                firstElement = DOMUtils.getNextElement(element3);
            }
            // Requested key sizes outside 128..512 are not rejected; they silently revert to 256.
            if (i < 128 || i > 512) {
                i = 256;
            }
            w3CDOMStreamWriter.writeStartElement(str, "RequestedSecurityToken", str2);
            SecurityContextToken securityContextToken = new SecurityContextToken(NegotiationUtils.getWSCVersion(str3), w3CDOMStreamWriter.getDocument());
            // Token validity window: from now until now + 300000 ms (five minutes), hard-coded here.
            Date date = new Date();
            Date date2 = new Date();
            date2.setTime(date.getTime() + 300000);
            SecurityToken securityToken = new SecurityToken(securityContextToken.getIdentifier(), date, date2);
            securityToken.setToken(securityContextToken.getElement());
            securityToken.setTokenType(securityContextToken.getTokenType());
            w3CDOMStreamWriter.getCurrentNode().appendChild(securityContextToken.getElement());
            w3CDOMStreamWriter.writeEndElement();
            // Attached reference points at the token element by fragment id; unattached uses the identifier.
            w3CDOMStreamWriter.writeStartElement(str, RequestedAttachedReference.ELEMENT_LOCAL_NAME, str2);
            securityToken.setAttachedReference(writeSecurityTokenReference(w3CDOMStreamWriter, "#" + securityContextToken.getID(), str3));
            w3CDOMStreamWriter.writeEndElement();
            w3CDOMStreamWriter.writeStartElement(str, RequestedUnattachedReference.ELEMENT_LOCAL_NAME, str2);
            securityToken.setUnattachedReference(writeSecurityTokenReference(w3CDOMStreamWriter, securityContextToken.getIdentifier(), str3));
            w3CDOMStreamWriter.writeEndElement();
            writeLifetime(w3CDOMStreamWriter, date, date2, str, str2);
            // The value returned by writeProofToken (defined outside this file) becomes the token's
            // secret; it is given the requester entropy and the clamped key size.
            securityToken.setSecret(writeProofToken(str, str2, w3CDOMStreamWriter, bArr, i));
            // Carry over the SecurityContext found on the inbound message, if there is one.
            SecurityContext securityContext = (SecurityContext) exchange.getInMessage().get(SecurityContext.class);
            if (securityContext != null) {
                securityToken.setSecurityContext(securityContext);
            }
            // Record which bootstrap token this conversation token was issued under.
            SecurityToken bootstrapToken = getBootstrapToken(exchange.getInMessage());
            if (bootstrapToken != null) {
                Properties properties = new Properties();
                properties.put(SecurityToken.BOOTSTRAP_TOKEN_ID, bootstrapToken.getId());
                securityToken.setProperties(properties);
            }
            // NOTE(review): neither the Endpoint nor its TokenStore property is null-checked; a
            // missing store ends in a NullPointerException after the response was partly written.
            ((TokenStore) ((Endpoint) exchange.get(Endpoint.class)).getEndpointInfo().getProperty(TokenStore.class.getName())).add(securityToken);
            w3CDOMStreamWriter.writeEndElement();
            if ("http://docs.oasis-open.org/ws-sx/ws-trust/200512".equals(str2)) {
                w3CDOMStreamWriter.writeEndElement();
            }
        }

        /**
         * Finds the token already associated with the message: the TOKEN contextual property
         * if set, otherwise the token store entry named by the TOKEN_ID property.
         *
         * @param message message whose contextual properties are consulted
         * @return the token, or null when neither property yields one
         */
        private SecurityToken getBootstrapToken(Message message) {
            String str;
            SecurityToken securityToken = (SecurityToken) message.getContextualProperty(SecurityConstants.TOKEN);
            if (securityToken == null && (str = (String) message.getContextualProperty(SecurityConstants.TOKEN_ID)) != null) {
                securityToken = NegotiationUtils.getTokenStore(message).getToken(str);
            }
            return securityToken;
        }

        // Decompiler-emitted bridge method; it only delegates to the superclass implementation.
        @Override // org.apache.cxf.ws.security.policy.interceptors.STSInvoker, org.apache.cxf.service.invoker.Invoker
        public /* bridge */ /* synthetic */ Object invoke(Exchange exchange, Object obj) {
            return super.invoke(exchange, obj);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:cxf-bundle-2.7.14.jar:org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor$SecureConversationTokenFinderInterceptor.class */
    /**
     * Interceptor (phase {@code PRE_PROTOCOL}, ordered after {@link WSS4JInInterceptor}) that
     * marks every SecureConversationToken assertion as asserted or not, depending on what
     * {@code NegotiationUtils.parseSCTResult} reports for the message.
     */
    public static final class SecureConversationTokenFinderInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
        static final SecureConversationTokenFinderInterceptor INSTANCE = new SecureConversationTokenFinderInterceptor();

        private SecureConversationTokenFinderInterceptor() {
            super(Phase.PRE_PROTOCOL);
            addAfter(WSS4JInInterceptor.class.getName());
        }

        /**
         * Records on each SecureConversationToken assertion whether a conversation token was found.
         *
         * @param soapMessage the message being processed
         * @throws Fault declared by the interceptor contract
         */
        @Override
        public void handleMessage(SoapMessage soapMessage) throws Fault {
            // Evaluated first and unconditionally, before the policy lookup.
            boolean tokenFound = NegotiationUtils.parseSCTResult(soapMessage);

            AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
            if (assertionInfoMap == null) {
                return;
            }
            Collection<AssertionInfo> sctAssertions = assertionInfoMap.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
            if (sctAssertions == null || sctAssertions.isEmpty()) {
                return;
            }

            for (AssertionInfo info : sctAssertions) {
                if (!tokenFound) {
                    info.setNotAsserted("No SecureConversation token found in message.");
                    continue;
                }
                info.setAsserted(true);
            }
        }
    }

    /**
     * Registers this interceptor in phase {@code PRE_STREAM}, ordered before the
     * HTTPS token in-interceptor.
     */
    public SecureConversationInInterceptor() {
        super(Phase.PRE_STREAM);
        String httpsTokenInInterceptor = HttpsTokenInterceptorProvider.HttpsTokenInInterceptor.class.getName();
        addBefore(httpsTokenInInterceptor);
    }

    /**
     * Returns the binding assertion in effect, trying symmetric, then asymmetric, then
     * transport binding and taking the first assertion of the first non-empty group.
     *
     * @param assertionInfoMap assertions in effect for the message
     * @return the binding, or null when none of the three binding assertions is present
     */
    private Binding getBinding(AssertionInfoMap assertionInfoMap) {
        Collection<AssertionInfo> candidates = assertionInfoMap.get(SP12Constants.SYMMETRIC_BINDING);
        if (candidates == null || candidates.isEmpty()) {
            candidates = assertionInfoMap.get(SP12Constants.ASYMMETRIC_BINDING);
        }
        if (candidates == null || candidates.isEmpty()) {
            candidates = assertionInfoMap.get(SP12Constants.TRANSPORT_BINDING);
        }
        if (candidates == null || candidates.isEmpty()) {
            return null;
        }
        return (Binding) candidates.iterator().next().getAssertion();
    }

    /**
     * Entry point for messages governed by a SecureConversationToken assertion.
     *
     * <p>On the requestor side the assertions are marked as asserted and, if the
     * {@code STS_TOKEN_DO_CANCEL} property is true, the cancel interceptor is queued.
     * Otherwise the action is resolved and passed to {@link #handleMessageForAction}; when no
     * action is known yet, that decision is deferred to a {@code PRE_PROTOCOL} interceptor
     * placed after {@link MAPCodec} and before {@link PolicyBasedWSS4JInInterceptor}.
     *
     * @param soapMessage the inbound message
     * @throws Fault declared by the interceptor contract
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        final AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        if (assertionInfoMap == null) {
            return;
        }
        final Collection<AssertionInfo> sctAssertions = assertionInfoMap.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
        if (sctAssertions == null || sctAssertions.isEmpty()) {
            return;
        }

        if (isRequestor(soapMessage)) {
            for (AssertionInfo info : sctAssertions) {
                info.setAsserted(true);
            }
            // The property may be a Boolean or any object whose string form is "true".
            Object doCancel = soapMessage.getContextualProperty(SecurityConstants.STS_TOKEN_DO_CANCEL);
            boolean cancelRequested = doCancel != null
                && (Boolean.TRUE.equals(doCancel) || "true".equalsIgnoreCase(doCancel.toString()));
            if (cancelRequested) {
                soapMessage.getInterceptorChain().add(SecureConversationCancelInterceptor.INSTANCE);
            }
            return;
        }

        String action = (String) soapMessage.get("SOAPAction");
        if (action == null) {
            action = SoapActionInInterceptor.getSoapAction(soapMessage);
        }
        if (action != null) {
            handleMessageForAction(soapMessage, action, assertionInfoMap, sctAssertions);
            return;
        }

        // No action available at this point: look again later in the chain.
        AbstractPhaseInterceptor<SoapMessage> deferredActionHandler = new AbstractPhaseInterceptor<SoapMessage>(Phase.PRE_PROTOCOL) {
            @Override
            public void handleMessage(SoapMessage laterMessage) throws Fault {
                String laterAction = (String) laterMessage.get("SOAPAction");
                if (laterAction == null) {
                    laterAction = SoapActionInInterceptor.getSoapAction(laterMessage);
                }
                // laterAction may still be null; handleMessageForAction consults the addressing properties.
                SecureConversationInInterceptor.this.handleMessageForAction(laterMessage, laterAction, assertionInfoMap, sctAssertions);
            }
        };
        deferredActionHandler.addAfter(MAPCodec.class.getName());
        deferredActionHandler.addBefore(PolicyBasedWSS4JInInterceptor.class.getName());
        soapMessage.getInterceptorChain().add(deferredActionHandler);
    }

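    /**
     * Chooses the policy that the rest of the inbound chain enforces, based on the action.
     *
     * <p>The action comes from the SOAPAction or, failing that, the inbound WS-Addressing
     * Action, so it is sender-supplied. Three outcomes are possible:
     * <ul>
     *   <li>not a WS-Trust {@code /RST/SCT} action: the token finder interceptor is queued and
     *       the existing policy stays in effect;</li>
     *   <li>action ending in {@code Cancel} or {@code /Renew}: a policy is synthesized that
     *       requires a symmetric binding protected by a SecureConversationToken, a timestamp,
     *       and a signed body plus addressing headers;</li>
     *   <li>any other {@code /RST/SCT} action: the bootstrap policy merged with the addressing
     *       policy is used.</li>
     * </ul>
     *
     * <p>NOTE(review): the action is matched by prefix, substring and suffix rather than by
     * exact comparison with the known WS-Trust action URIs. Because this match selects the
     * policy to enforce, exact matching would be the more conservative choice.
     *
     * @param soapMessage the inbound message
     * @param str the action, or null to fall back to the inbound WS-Addressing Action
     * @param assertionInfoMap assertions in effect for the message
     * @param collection the SecureConversationToken assertions (non-empty)
     * @throws Fault if a Cancel/Renew policy is needed but no binding assertion is configured
     */
    void handleMessageForAction(SoapMessage soapMessage, String str, AssertionInfoMap assertionInfoMap, Collection<AssertionInfo> collection) {
        final String trust2005Ns = "http://schemas.xmlsoap.org/ws/2005/02/trust";
        final String trust200512Ns = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

        String addressingNs = null;
        AddressingProperties inboundMaps = (AddressingProperties) soapMessage.getContextualProperty("javax.xml.ws.addressing.context.inbound");
        if (inboundMaps != null) {
            addressingNs = inboundMaps.getNamespaceURI();
            // The Action header can be absent; previously that dereferenced null here.
            // With no action at all the message falls through to the normal policy path below.
            if (str == null && inboundMaps.getAction() != null) {
                str = inboundMaps.getAction().getValue();
            }
        }

        boolean usesTrust2005 = str != null && str.startsWith(trust2005Ns);
        boolean sctRequest = str != null
            && str.contains("/RST/SCT")
            && (usesTrust2005 || str.startsWith(trust200512Ns));
        if (!sctRequest) {
            soapMessage.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
            return;
        }

        Policy bootstrapPolicy = ((SecureConversationToken) collection.iterator().next().getAssertion()).getBootstrapPolicy();

        // Both branches start from the same skeleton: Policy -> ExactlyOne -> All(addressing policy).
        Policy skeleton = new Policy();
        ExactlyOne exactlyOne = new ExactlyOne();
        skeleton.addPolicyComponent(exactlyOne);
        All all = new All();
        all.addPolicyComponent(NegotiationUtils.getAddressingPolicy(assertionInfoMap, false));
        exactlyOne.addPolicyComponent(all);

        Policy policy;
        if (str.endsWith("Cancel") || str.endsWith("/Renew")) {
            // The synthesized binding reuses the configured algorithm suite. Without any binding
            // assertion there is nothing to copy it from; fail explicitly instead of with an
            // opaque NullPointerException.
            Binding configuredBinding = getBinding(assertionInfoMap);
            if (configuredBinding == null) {
                throw new Fault(new IllegalStateException("No security binding assertion found for SecureConversation " + "Cancel/Renew request"));
            }

            PolicyBuilder policyBuilder = (PolicyBuilder) soapMessage.getExchange().getBus().getExtension(PolicyBuilder.class);
            SymmetricBinding symmetricBinding = new SymmetricBinding(SP12Constants.INSTANCE, policyBuilder);
            symmetricBinding.setIncludeTimestamp(true);
            ProtectionToken protectionToken = new ProtectionToken(SP12Constants.INSTANCE, policyBuilder);
            SecureConversationToken secureConversationToken = new SecureConversationToken(SP12Constants.INSTANCE);
            secureConversationToken.setInclusion(SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT);
            protectionToken.setToken(secureConversationToken);
            symmetricBinding.setProtectionToken(protectionToken);
            symmetricBinding.setEntireHeadersAndBodySignatures(true);
            symmetricBinding.setAlgorithmSuite(configuredBinding.getAlgorithmSuite());
            all.addPolicyComponent(symmetricBinding);

            SignedEncryptedParts signedEncryptedParts = new SignedEncryptedParts(true, SP12Constants.INSTANCE);
            signedEncryptedParts.setBody(true);
            if (addressingNs != null) {
                // NOTE(review): "ReplyTO" differs in case from the WS-Addressing element name
                // "ReplyTo", so this entry presumably never matches that header. It is left
                // unchanged because the sending side may build its policy from the same
                // spelling; confirm both sides before correcting it.
                String[] signedAddressingHeaders = {"To", "From", "FaultTo", "ReplyTO", "MessageID", "RelatesTo", "Action"};
                for (String headerName : signedAddressingHeaders) {
                    signedEncryptedParts.addHeader(new Header(headerName, addressingNs));
                }
            }
            all.addPolicyComponent(signedEncryptedParts);
            policy = skeleton;
            soapMessage.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
        } else {
            policy = skeleton.merge(bootstrapPolicy);
        }

        unmapSecurityProps(soapMessage);
        NegotiationUtils.recalcEffectivePolicy(soapMessage, usesTrust2005 ? trust2005Ns : trust200512Ns, policy, new SecureConversationSTSInvoker(), true);
        SoapActionInInterceptor.getAndSetOperation(soapMessage, str);
    }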

    /**
     * Copies security properties onto the exchange. For each name in
     * {@code SecurityConstants.ALL_PROPERTIES} the {@code .sct}-suffixed contextual property
     * wins; the plain property is used only when the suffixed one is absent. Names with no
     * value in either form are skipped.
     *
     * @param message message whose contextual properties are read and whose exchange is written
     */
    private void unmapSecurityProps(Message message) {
        Exchange exchange = message.getExchange();
        for (String propertyName : SecurityConstants.ALL_PROPERTIES) {
            Object sctSpecific = message.getContextualProperty(propertyName + ".sct");
            Object value = sctSpecific != null ? sctSpecific : message.getContextualProperty(propertyName);
            if (value == null) {
                continue;
            }
            exchange.put(propertyName, value);
        }
    }
}
