package org.apache.cxf.ws.security.wss4j;

import java.io.IOException;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.StaxInInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ConfigurationConverter;
import org.apache.wss4j.stax.WSSec;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.validate.Validator;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-107.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-rt-ws-security-3.0.4.redhat-621107.jar:org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.class */
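/**
 * Inbound SOAP interceptor that hands the message's {@link XMLStreamReader} to the WSS4J
 * streaming API ({@code WSSec.getInboundWSSec(...).processInMessage(...)}) and replaces the
 * message content with the reader that call returns.
 *
 * <p>Every constructor registers the interceptor in {@link Phase#POST_STREAM}, after
 * {@link StaxInInterceptor}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #handleMessage(SoapMessage)} does nothing when the message already carries
 *       {@link #SECURITY_PROCESSED} or when {@link #isGET(SoapMessage)} is true, so no
 *       WS-Security processing is applied by this class on those paths.</li>
 *   <li>Nonce, timestamp and SAML one-time-use replay caches are switched off whenever the
 *       matching {@code is*CacheRequired} check is false or no cache instance is returned.</li>
 *   <li>Validator classes named in contextual properties are instantiated reflectively; see
 *       {@code loadValidator}.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. JADX reported that
 * {@code TokenStoreCallbackHandler} was originally {@code private} and that
 * {@code configureSecurityEventListeners} / {@code configureProperties} were originally
 * {@code protected}; the widened modifiers are kept here so the listing's interface is unchanged.
 */
public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor {
    /**
     * Message key written once the secured reader has been installed. Its mere presence makes
     * {@link #handleMessage(SoapMessage)} return immediately, so anything earlier in the chain
     * that sets this key turns inbound processing off for that message.
     */
    public static final String SECURITY_PROCESSED = WSS4JStaxInInterceptor.class.getName() + ".DONE";
    private static final Logger LOG = LogUtils.getL7dLogger(WSS4JStaxInInterceptor.class);

    /**
     * Callback handler that first tries to answer {@link WSPasswordCallback}s from a
     * {@link TokenStore} and otherwise defers to an optional wrapped handler.
     */
    public class TokenStoreCallbackHandler implements CallbackHandler {
        // Fallback handler; may be null, in which case unanswered callbacks are silently left as-is.
        private final CallbackHandler internal;
        // Token cache queried by callback identifier.
        private final TokenStore store;

        /**
         * @param callbackHandler handler to delegate to when the store has no usable token; may be null
         * @param tokenStore store queried with each password callback's identifier
         */
        public TokenStoreCallbackHandler(CallbackHandler callbackHandler, TokenStore tokenStore) {
            this.internal = callbackHandler;
            this.store = tokenStore;
        }

        /**
         * Answers the first {@link WSPasswordCallback} whose identifier maps to a non-expired
         * token in the store, then returns. Expired or unknown tokens are skipped. If no callback
         * could be answered from the store, the whole array is passed to the wrapped handler.
         *
         * <p>Because the method returns on the first hit, any remaining callbacks in the array
         * are processed neither by the store nor by the wrapped handler.
         *
         * @throws IOException propagated from the wrapped handler
         * @throws UnsupportedCallbackException propagated from the wrapped handler
         */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (!(callback instanceof WSPasswordCallback)) {
                    continue;
                }
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
                SecurityToken token = this.store.getToken(passwordCallback.getIdentifier());
                if (token != null && !token.isExpired()) {
                    // NOTE(review): two setKey calls in a row - presumably distinct overloads (raw
                    // secret vs. key object). If both resolved to the same overload the second
                    // would overwrite the first; confirm against WSPasswordCallback.
                    passwordCallback.setKey(token.getSecret());
                    passwordCallback.setKey(token.getKey());
                    passwordCallback.setCustomToken(token.getToken());
                    return;
                }
            }
            if (this.internal != null) {
                this.internal.handle(callbackArr);
            }
        }
    }

    /** Creates the interceptor from ready-made WSS4J security properties. */
    public WSS4JStaxInInterceptor(WSSSecurityProperties wSSSecurityProperties) {
        super(wSSSecurityProperties);
        setPhase(Phase.POST_STREAM);
        getAfter().add(StaxInInterceptor.class.getName());
    }

    /** Creates the interceptor from a configuration map (later read via {@code getProperties()}). */
    public WSS4JStaxInInterceptor(Map<String, Object> map) {
        super(map);
        setPhase(Phase.POST_STREAM);
        getAfter().add(StaxInInterceptor.class.getName());
    }

    /** Creates the interceptor with no explicit configuration. */
    public WSS4JStaxInInterceptor() {
        setPhase(Phase.POST_STREAM);
        getAfter().add(StaxInInterceptor.class.getName());
    }

    /**
     * Reports whether the message is an HTTP GET that carries no {@link XMLStreamReader} content.
     *
     * <p>{@link #handleMessage(SoapMessage)} skips all processing when this is true, so endpoints
     * reachable this way need their own access control.
     */
    public final boolean isGET(SoapMessage soapMessage) {
        String httpMethod = (String) soapMessage.get(Message.HTTP_REQUEST_METHOD);
        return "GET".equals(httpMethod) && soapMessage.getContent(XMLStreamReader.class) == null;
    }

    /**
     * Builds the per-message WSS4J configuration and swaps the message's stream reader for the
     * one returned by {@code processInMessage}.
     *
     * <p>Returns without doing anything when {@link #SECURITY_PROCESSED} is already set or
     * {@link #isGET(SoapMessage)} is true.
     *
     * @throws Fault as a {@link SoapFault} attributed to the sender for stream, policy and
     *         XML-security failures; {@code WSSecurityException} is mapped by
     *         {@code WSS4JUtils.createSoapFault}
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
            return;
        }
        XMLStreamReader originalReader = soapMessage.getContent(XMLStreamReader.class);
        soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor());
        try {
            // Events stored on the exchange under "<SecurityEvent>.out"; handed to WSS4J below.
            @SuppressWarnings("unchecked")
            List<SecurityEvent> outboundEvents =
                (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out");

            WSSSecurityProperties securityProperties = createSecurityProperties();
            translateProperties(soapMessage, securityProperties);
            configureCallbackHandler(soapMessage, securityProperties);
            configureProperties(soapMessage, securityProperties);

            if (securityProperties.getActions() != null && !securityProperties.getActions().isEmpty()) {
                soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(securityProperties.getActions()));
            }
            if (securityProperties.getAttachmentCallbackHandler() == null) {
                securityProperties.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
            }
            // Wrap whatever handler was configured so cached tokens are consulted first.
            securityProperties.setCallbackHandler(
                new TokenStoreCallbackHandler(
                    securityProperties.getCallbackHandler(), WSS4JUtils.getTokenStore(soapMessage)));
            setTokenValidators(securityProperties, soapMessage);
            securityProperties.setMsgContext(soapMessage);

            boolean requestor = MessageUtils.isRequestor(soapMessage);
            // NOTE(review): defaults to false; the flag presumably controls how much failure
            // detail WSS4J reports back - confirm before enabling it outside of debugging.
            boolean returnSecurityError =
                MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.RETURN_SECURITY_ERROR, false);
            XMLStreamReader securedReader = WSSec
                .getInboundWSSec(securityProperties, requestor, returnSecurityError)
                .processInMessage(
                    originalReader, outboundEvents, configureSecurityEventListeners(soapMessage, securityProperties));

            final Provider provider = soapMessage.getExchange().get(Provider.class);
            if (provider != null && ThreadLocalSecurityProvider.isInstalled()) {
                securedReader = new StreamReaderDelegate(securedReader) {
                    @Override
                    public int next() throws XMLStreamException {
                        // Install the exchange's provider only for the duration of one pull;
                        // finally guarantees it is cleared on every exit path.
                        try {
                            ThreadLocalSecurityProvider.setProvider(provider);
                            return super.next();
                        } finally {
                            ThreadLocalSecurityProvider.unsetProvider();
                        }
                    }
                };
            }
            soapMessage.setContent(XMLStreamReader.class, securedReader);
            soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);
        } catch (XMLStreamException e) {
            throw new SoapFault(
                new org.apache.cxf.common.i18n.Message("STAX_EX", LOG, new Object[0]),
                e,
                soapMessage.getVersion().getSender());
        } catch (WSSPolicyException e2) {
            // The exception text becomes the fault string verbatim; review what it can disclose.
            throw new SoapFault(e2.getMessage(), e2, soapMessage.getVersion().getSender());
        } catch (WSSecurityException e3) {
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), e3);
        } catch (XMLSecurityException e4) {
            throw new SoapFault(
                new org.apache.cxf.common.i18n.Message("STAX_EX", LOG, new Object[0]),
                e4,
                soapMessage.getVersion().getSender());
        }
    }

    /**
     * Creates the list that collects inbound security events, publishes it on both the exchange
     * and the message under {@code "<SecurityEvent class name>.in"}, and returns a single
     * listener that appends to it.
     *
     * <p>Only timestamp events, signature-value events, {@link TokenSecurityEvent}s and
     * {@link AbstractSecuredElementSecurityEvent}s are recorded; everything else is dropped.
     */
    public List<SecurityEventListener> configureSecurityEventListeners(SoapMessage soapMessage, WSSSecurityProperties wSSSecurityProperties) throws WSSPolicyException {
        final List<SecurityEvent> inboundEvents = new LinkedList<SecurityEvent>();
        String eventsKey = SecurityEvent.class.getName() + ".in";
        soapMessage.getExchange().put(eventsKey, inboundEvents);
        soapMessage.put(eventsKey, inboundEvents);

        SecurityEventListener recorder = new SecurityEventListener() {
            @Override
            public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
                boolean timestampOrSignature =
                    securityEvent.getSecurityEventType() == WSSecurityEventConstants.Timestamp
                        || securityEvent.getSecurityEventType() == WSSecurityEventConstants.SignatureValue;
                if (timestampOrSignature
                    || securityEvent instanceof TokenSecurityEvent
                    || securityEvent instanceof AbstractSecuredElementSecurityEvent) {
                    inboundEvents.add(securityEvent);
                }
            }
        };
        return Collections.singletonList(recorder);
    }

    /**
     * Applies message-dependent settings to the WSS4J properties: the three replay caches,
     * revocation checking, crypto instances for signature verification and decryption, and
     * audience restrictions.
     *
     * <p>A replay cache is enabled only when the matching {@code is*CacheRequired} method returns
     * true <em>and</em> {@code WSS4JUtils.getReplayCache} returns an instance; otherwise that
     * replay check is explicitly disabled. Revocation checking follows
     * {@code SecurityConstants.ENABLE_REVOCATION} as evaluated by {@code MessageUtils.isTrue}.
     */
    public void configureProperties(SoapMessage soapMessage, WSSSecurityProperties wSSSecurityProperties) throws XMLSecurityException {
        ReplayCache nonceCache = null;
        if (isNonceCacheRequired(soapMessage, wSSSecurityProperties)) {
            nonceCache = WSS4JUtils.getReplayCache(
                soapMessage, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE);
        }
        wSSSecurityProperties.setEnableNonceReplayCache(nonceCache != null);
        wSSSecurityProperties.setNonceReplayCache(nonceCache);

        ReplayCache timestampCache = null;
        if (isTimestampCacheRequired(soapMessage, wSSSecurityProperties)) {
            timestampCache = WSS4JUtils.getReplayCache(
                soapMessage, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE);
        }
        wSSSecurityProperties.setEnableTimestampReplayCache(timestampCache != null);
        wSSSecurityProperties.setTimestampReplayCache(timestampCache);

        ReplayCache samlCache = null;
        if (isSamlCacheRequired(soapMessage, wSSSecurityProperties)) {
            samlCache = WSS4JUtils.getReplayCache(
                soapMessage,
                SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE,
                SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE);
        }
        wSSSecurityProperties.setEnableSamlOneTimeUseReplayCache(samlCache != null);
        wSSSecurityProperties.setSamlOneTimeUseReplayCache(samlCache);

        wSSSecurityProperties.setEnableRevocation(
            MessageUtils.isTrue(soapMessage.getContextualProperty(SecurityConstants.ENABLE_REVOCATION)));

        Map<String, Object> config = getProperties();
        if (config != null && !config.isEmpty()) {
            // Signature verification crypto: dedicated verification settings win, signing
            // settings are the fallback.
            Crypto verificationCrypto = loadCrypto(
                soapMessage,
                ConfigurationConstants.SIG_VER_PROP_FILE,
                ConfigurationConstants.SIG_VER_PROP_REF_ID,
                wSSSecurityProperties);
            if (verificationCrypto == null) {
                verificationCrypto = loadCrypto(
                    soapMessage,
                    ConfigurationConstants.SIG_PROP_FILE,
                    ConfigurationConstants.SIG_PROP_REF_ID,
                    wSSSecurityProperties);
            }
            // NOTE(review): the reference ids below are derived from hashCode(), which is not
            // guaranteed unique. Two distinct Crypto objects with equal hash codes would share
            // one "RefId-..." key and the later put would replace the earlier instance.
            if (verificationCrypto != null) {
                String verificationRef = "RefId-" + verificationCrypto.hashCode();
                config.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, verificationRef);
                config.put(verificationRef, verificationCrypto);
            }
            Crypto decryptionCrypto = loadCrypto(
                soapMessage,
                ConfigurationConstants.DEC_PROP_FILE,
                ConfigurationConstants.DEC_PROP_REF_ID,
                wSSSecurityProperties);
            if (decryptionCrypto != null) {
                String decryptionRef = "RefId-" + decryptionCrypto.hashCode();
                config.put(ConfigurationConstants.DEC_PROP_REF_ID, decryptionRef);
                config.put(decryptionRef, decryptionCrypto);
            }
            ConfigurationConverter.parseCrypto(config, wSSSecurityProperties);
        }
        configureAudienceRestriction(soapMessage, wSSSecurityProperties);
    }

    /**
     * Sets the accepted audience values to the request URL and the WSDL service (whichever are
     * present) unless {@code SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION} is false. The
     * check defaults to enabled; when disabled, no audience restrictions are set here.
     */
    private void configureAudienceRestriction(SoapMessage soapMessage, WSSSecurityProperties wSSSecurityProperties) {
        if (!MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, true)) {
            return;
        }
        List<String> audiences = new ArrayList<String>();
        Object requestUrl = soapMessage.getContextualProperty(Message.REQUEST_URL);
        if (requestUrl != null) {
            audiences.add((String) requestUrl);
        }
        Object wsdlService = soapMessage.getContextualProperty(Message.WSDL_SERVICE);
        if (wsdlService != null) {
            audiences.add(wsdlService.toString());
        }
        wSSSecurityProperties.setAudienceRestrictions(audiences);
    }

    /**
     * @return true only when the configured actions include {@code WSSConstants.USERNAMETOKEN};
     *         false when the properties or their action list are null
     */
    protected boolean isNonceCacheRequired(SoapMessage soapMessage, WSSSecurityProperties wSSSecurityProperties) {
        if (wSSSecurityProperties == null || wSSSecurityProperties.getActions() == null) {
            return false;
        }
        for (XMLSecurityConstants.Action action : wSSSecurityProperties.getActions()) {
            if (action == WSSConstants.USERNAMETOKEN) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return true only when the configured actions include {@code WSSConstants.TIMESTAMP};
     *         false when the properties or their action list are null
     */
    protected boolean isTimestampCacheRequired(SoapMessage soapMessage, WSSSecurityProperties wSSSecurityProperties) {
        if (wSSSecurityProperties == null || wSSSecurityProperties.getActions() == null) {
            return false;
        }
        for (XMLSecurityConstants.Action action : wSSSecurityProperties.getActions()) {
            if (action == WSSConstants.TIMESTAMP) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return true only when the configured actions include a signed or unsigned SAML token
     *         action; false when the properties or their action list are null
     */
    protected boolean isSamlCacheRequired(SoapMessage soapMessage, WSSSecurityProperties wSSSecurityProperties) {
        if (wSSSecurityProperties == null || wSSSecurityProperties.getActions() == null) {
            return false;
        }
        for (XMLSecurityConstants.Action action : wSSSecurityProperties.getActions()) {
            if (action == WSSConstants.SAML_TOKEN_UNSIGNED || action == WSSConstants.SAML_TOKEN_SIGNED) {
                return true;
            }
        }
        return false;
    }

    /**
     * Registers any custom validators configured through contextual properties for SAML 1/2
     * assertions, username tokens, signatures, timestamps, binary security tokens and security
     * context tokens. Token types without a configured validator are left untouched.
     */
    private void setTokenValidators(WSSSecurityProperties wSSSecurityProperties, SoapMessage soapMessage) throws WSSecurityException {
        Validator saml1Validator = loadValidator(SecurityConstants.SAML1_TOKEN_VALIDATOR, soapMessage);
        if (saml1Validator != null) {
            wSSSecurityProperties.addValidator(WSSConstants.TAG_saml_Assertion, saml1Validator);
        }
        Validator saml2Validator = loadValidator(SecurityConstants.SAML2_TOKEN_VALIDATOR, soapMessage);
        if (saml2Validator != null) {
            wSSSecurityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, saml2Validator);
        }
        Validator usernameTokenValidator = loadValidator(SecurityConstants.USERNAME_TOKEN_VALIDATOR, soapMessage);
        if (usernameTokenValidator != null) {
            wSSSecurityProperties.addValidator(WSSConstants.TAG_wsse_UsernameToken, usernameTokenValidator);
        }
        Validator signatureValidator = loadValidator(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, soapMessage);
        if (signatureValidator != null) {
            wSSSecurityProperties.addValidator(WSSConstants.TAG_dsig_Signature, signatureValidator);
        }
        Validator timestampValidator = loadValidator(SecurityConstants.TIMESTAMP_TOKEN_VALIDATOR, soapMessage);
        if (timestampValidator != null) {
            wSSSecurityProperties.addValidator(WSSConstants.TAG_wsu_Timestamp, timestampValidator);
        }
        Validator bstValidator = loadValidator(SecurityConstants.BST_TOKEN_VALIDATOR, soapMessage);
        if (bstValidator != null) {
            wSSSecurityProperties.addValidator(WSSConstants.TAG_wsse_BinarySecurityToken, bstValidator);
        }
        Validator sctValidator = loadValidator(SecurityConstants.SCT_TOKEN_VALIDATOR, soapMessage);
        if (sctValidator != null) {
            // One validator serves both security-context-token tag constants.
            wSSSecurityProperties.addValidator(WSSConstants.TAG_wsc0502_SecurityContextToken, sctValidator);
            wSSSecurityProperties.addValidator(WSSConstants.TAG_wsc0512_SecurityContextToken, sctValidator);
        }
    }

    /**
     * Resolves the validator configured under the given contextual property.
     *
     * <p>The property value may be a {@link Validator} instance, a {@link Class}, or a class
     * name. Classes are checked with {@code asSubclass(Validator.class)} <em>before</em> being
     * instantiated, so a misconfigured class name fails with {@link ClassCastException} without
     * its no-argument constructor ever running. Loading a class by name may still run its static
     * initialiser, so the property values must come from trusted configuration only.
     *
     * @param str contextual property key to look up
     * @return the validator, or null when the property is not set
     * @throws WSSecurityException when the value has an unsupported type or the class cannot be
     *         loaded or instantiated; runtime exceptions are rethrown unchanged
     */
    private Validator loadValidator(String str, SoapMessage soapMessage) throws WSSecurityException {
        Object configured = soapMessage.getContextualProperty(str);
        if (configured == null) {
            return null;
        }
        try {
            if (configured instanceof Validator) {
                return (Validator) configured;
            }
            if (configured instanceof Class) {
                return ((Class<?>) configured).asSubclass(Validator.class).newInstance();
            }
            if (configured instanceof String) {
                return ClassLoaderUtils.loadClass(configured.toString(), WSS4JStaxInInterceptor.class)
                    .asSubclass(Validator.class)
                    .newInstance();
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "Cannot load Validator: " + configured, new Object[0]);
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e2) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e2);
        }
    }
}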
