package org.jboss.wsf.stack.cxf.security.authentication;

import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SecurityToken;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.UsernameTokenValidator;
import org.jboss.wsf.spi.deployment.Endpoint;
import org.jboss.wsf.spi.security.SecurityDomainContext;
import org.jboss.wsf.stack.cxf.security.nonce.NonceStore;

/* loaded from: input_file:org/jboss/wsf/stack/cxf/security/authentication/SubjectCreatingInterceptor.class */
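/**
 * Inbound WS-Security interceptor that hands UsernameToken credentials to the
 * endpoint's {@link SecurityDomainContext} (through {@link SubjectCreator}) and
 * stores the resulting {@link Subject} on the current message.
 *
 * <p>The security domain of the endpoint being invoked is held in a
 * {@link ThreadLocal} for the duration of {@link #handleMessage(SoapMessage)} and
 * is always cleared before that method returns or throws.
 *
 * <p>Every authentication failure is reported to the caller as the same
 * {@code FAILED_AUTHENTICATION} error; the reason is only written to the server log.
 */
public class SubjectCreatingInterceptor extends WSS4JInInterceptor {
    private static final Logger LOG = LogUtils.getL7dLogger(SubjectCreatingInterceptor.class);

    /** Performs the actual authentication against the security domain. */
    protected final SubjectCreator helper;

    /** Security domain of the endpoint handling the message on the current thread. */
    private final ThreadLocal<SecurityDomainContext> sdc;

    /** Digest-type UsernameTokens are rejected unless this is switched on (default: off). */
    private boolean supportDigestPasswords;

    /**
     * UsernameToken validator that routes every password type to
     * {@link SubjectCreatingInterceptor#setSubject}, so the accept/reject decision is
     * made by the security domain instead of a WSS4J callback handler.
     */
    protected class CustomValidator extends UsernameTokenValidator {
        protected CustomValidator() {
        }

        /** Custom password types are forwarded as received, flagged as non-digest. */
        @Override
        protected void verifyCustomPassword(UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
            SubjectCreatingInterceptor.this.setSubject(usernameToken.getName(), usernameToken.getPassword(), false, null, null);
        }

        /** Plaintext passwords are forwarded as received, flagged as non-digest. */
        @Override
        protected void verifyPlaintextPassword(UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
            SubjectCreatingInterceptor.this.setSubject(usernameToken.getName(), usernameToken.getPassword(), false, null, null);
        }

        /**
         * Digest passwords are refused outright unless digest support was enabled;
         * otherwise the digest, nonce and creation time are forwarded together.
         */
        @Override
        protected void verifyDigestPassword(UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
            if (!SubjectCreatingInterceptor.this.supportDigestPasswords) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            // NOTE(review): nonce/created are only passed along here; replay and freshness
            // checks presumably live in SubjectCreator (see setNonceStore and
            // setTimestampThreshold) - confirm a NonceStore is configured when digests are enabled.
            SubjectCreatingInterceptor.this.setSubject(usernameToken.getName(), usernameToken.getPassword(), usernameToken.isHashed(), usernameToken.getNonce(), usernameToken.getCreated());
        }

        /**
         * A token without a recognised password type is still submitted to the
         * security domain, with a {@code null} password.
         */
        @Override
        protected void verifyUnknownPassword(UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
            // NOTE(review): nothing in this class rejects the null credential; the outcome
            // depends entirely on the security domain. Verify it refuses password-less logins.
            SubjectCreatingInterceptor.this.setSubject(usernameToken.getName(), null, false, null, null);
        }
    }

    /** Creates the interceptor with an empty property map. */
    public SubjectCreatingInterceptor() {
        this(new HashMap<>());
    }

    /**
     * Creates the interceptor with the given WSS4J properties.
     *
     * @param map properties handed to {@link WSS4JInInterceptor}
     */
    public SubjectCreatingInterceptor(Map<String, Object> map) {
        super(map);
        this.helper = new SubjectCreator();
        this.sdc = new ThreadLocal<>();
        // Run after the policy-driven WSS4J interceptor.
        getAfter().add(PolicyBasedWSS4JInInterceptor.class.getName());
    }

    /**
     * Enables or disables acceptance of digest-type UsernameTokens.
     *
     * @param z {@code true} to allow digest passwords
     */
    public void setSupportDigestPasswords(boolean z) {
        this.supportDigestPasswords = z;
    }

    /**
     * @return whether digest-type UsernameTokens are accepted
     */
    public boolean getSupportDigestPasswords() {
        return this.supportDigestPasswords;
    }

    /**
     * Authenticates the caller of the given message.
     *
     * <p>If the message does not yet carry both a {@link SecurityToken} and a
     * {@link SecurityContext} with a user principal, normal WSS4J processing runs
     * (which reaches {@link CustomValidator}). Otherwise the existing token is
     * authenticated directly and the message's security context is replaced with
     * one backed by the resulting subject.
     *
     * @param soapMessage the inbound message
     * @throws Fault if security processing fails
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        Endpoint endpoint = soapMessage.getExchange().get(Endpoint.class);
        this.sdc.set(endpoint.getSecurityDomainContext());
        try {
            SecurityToken token = soapMessage.get(SecurityToken.class);
            SecurityContext securityContext = soapMessage.get(SecurityContext.class);
            if (token == null || securityContext == null || securityContext.getUserPrincipal() == null) {
                super.handleMessage(soapMessage);
                return;
            }
            // A SecurityToken of any other kind fails here with ClassCastException.
            org.apache.cxf.common.security.UsernameToken usernameToken =
                    (org.apache.cxf.common.security.UsernameToken) token;
            // NOTE(review): unlike setSubject(), this path does not compare the subject's
            // principal with the token's user name, and it tolerates a null subject.
            // Confirm SubjectCreator fails (throws) on bad credentials for this path.
            Subject subject = createSubject(
                    usernameToken.getName(),
                    usernameToken.getPassword(),
                    usernameToken.isHashed(),
                    usernameToken.getNonce(),
                    usernameToken.getCreatedTime());
            soapMessage.put(SecurityContext.class, doCreateSecurityContext(securityContext.getUserPrincipal(), subject));
        } finally {
            // Never let one request's security domain leak to the next request on a pooled thread.
            this.sdc.remove();
        }
    }

    /**
     * Builds a security context for {@code principal} using the subject previously
     * stored on the current message by {@link #setSubject}.
     *
     * @throws IllegalStateException if no message is being processed on this thread
     */
    protected SecurityContext createSecurityContext(Principal principal) {
        Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        if (currentMessage == null) {
            throw new IllegalStateException("Current message is not available");
        }
        return doCreateSecurityContext(principal, currentMessage.get(Subject.class));
    }

    /** Extension point: wraps the principal and subject in a {@link DefaultSecurityContext}. */
    protected SecurityContext doCreateSecurityContext(Principal principal, Subject subject) {
        return new DefaultSecurityContext(principal, subject);
    }

    /**
     * Authenticates the given credentials and, on success, stores the subject on the
     * current message.
     *
     * <p>The subject is accepted only if it has at least one principal and its user
     * principal carries exactly the user name from the token.
     *
     * @param name     user name from the token
     * @param password password or digest from the token; may be {@code null}
     * @param isDigest whether {@code password} is a digest
     * @param nonce    token nonce, or {@code null}
     * @param created  token creation time, or {@code null}
     * @throws WSSecurityException with {@code FAILED_AUTHENTICATION} on any failure
     * @throws IllegalStateException if no message is being processed on this thread
     */
    protected void setSubject(String name, String password, boolean isDigest, String nonce, String created) throws WSSecurityException {
        Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        if (currentMessage == null) {
            throw new IllegalStateException("Current message is not available");
        }
        boolean accepted;
        try {
            Subject subject = createSubject(name, password, isDigest, nonce, created);
            accepted = subject != null
                    && !subject.getPrincipals().isEmpty()
                    && checkUserPrincipal(subject.getPrincipals(), name);
            if (accepted) {
                currentMessage.put(Subject.class, subject);
            }
        } catch (Exception e) {
            LOG.severe("Failed Authentication : Subject has not been created");
            // Keep the root cause for operators, but only at FINE: a stack trace per failed
            // login would flood the log, and the cause is deliberately not attached to the
            // exception that travels back towards the client.
            LOG.log(Level.FINE, "Cause of failed subject creation", e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        if (!accepted) {
            // Reported outside the try block so a rejected subject is logged once, with the
            // accurate reason, instead of also being logged as "has not been created".
            LOG.severe("Failed Authentication : Invalid Subject");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Checks that the authenticated identity is the one named in the token.
     *
     * <p>Only the first principal that is not a {@link Group} is examined; if it has a
     * different name the check fails even when a later principal would match.
     *
     * @return {@code true} if that principal's name equals {@code expectedName}
     */
    private boolean checkUserPrincipal(Set<Principal> principals, String expectedName) {
        for (Principal principal : principals) {
            if (!(principal instanceof Group)) {
                return principal.getName().equals(expectedName);
            }
        }
        return false;
    }

    /**
     * Returns a security engine whose UsernameToken validator is {@link CustomValidator}.
     *
     * @param unused not consulted by this implementation
     */
    @Override
    protected WSSecurityEngine getSecurityEngine(boolean unused) {
        Map<QName, Object> validators = new HashMap<>(1);
        validators.put(WSSecurityEngine.USERNAME_TOKEN, new CustomValidator());
        return createSecurityEngine(validators);
    }

    /**
     * Authenticates the credentials against the security domain bound to the current
     * thread by {@link #handleMessage(SoapMessage)}.
     *
     * @param name     user name
     * @param password password or digest; may be {@code null}
     * @param isDigest whether {@code password} is a digest
     * @param nonce    token nonce, or {@code null}
     * @param created  token creation time, or {@code null}
     * @return the subject produced by {@link SubjectCreator}
     */
    public Subject createSubject(String name, String password, boolean isDigest, String nonce, String created) {
        return this.helper.createSubject(this.sdc.get(), name, password, isDigest, nonce, created);
    }

    /** Forwards the propagate-context setting to {@link SubjectCreator}. */
    public void setPropagateContext(boolean z) {
        this.helper.setPropagateContext(z);
    }

    /** Forwards the timestamp threshold to {@link SubjectCreator}. */
    public void setTimestampThreshold(int i) {
        this.helper.setTimestampThreshold(i);
    }

    /** Forwards the nonce store to {@link SubjectCreator}. */
    public void setNonceStore(NonceStore nonceStore) {
        this.helper.setNonceStore(nonceStore);
    }

    /** Forwards the decode-nonce setting to {@link SubjectCreator}. */
    public void setDecodeNonce(boolean z) {
        this.helper.setDecodeNonce(z);
    }
}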
