package org.apache.cxf.sts.token.delegation;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.opensaml.saml1.core.Audience;
import org.opensaml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml2.core.AudienceRestriction;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-020.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-services-sts-core-3.0.4.redhat-621020.jar:org/apache/cxf/sts/token/delegation/SAMLDelegationHandler.class */
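/**
 * {@link TokenDelegationHandler} for SAML 1.1 / 2.0 assertions presented as an
 * OnBehalfOf / ActAs token.
 *
 * <p>Delegation is permitted only when every subject confirmation method of the
 * assertion is a bearer method. When {@code checkAudienceRestriction} is enabled
 * (it is {@code false} unless configured), the AppliesTo address of the request
 * must additionally appear in the assertion's AudienceRestriction list, unless
 * the assertion carries no audience restriction at all.
 *
 * <p>This handler decides delegation policy only; it does not validate the
 * assertion's signature or lifetime.
 */
public class SAMLDelegationHandler implements TokenDelegationHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(SAMLDelegationHandler.class);

    private static final String SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String SAML2_BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** Whether the AppliesTo address must match the assertion's AudienceRestriction. */
    private boolean checkAudienceRestriction;

    /**
     * Returns {@code true} if the received token is a DOM {@code Assertion} element in
     * the SAML 1.x or SAML 2.0 assertion namespace. Only the namespace and local name
     * are inspected; the assertion content is not validated here.
     *
     * @param receivedToken the token received in the request
     * @return whether this handler applies to the token
     */
    @Override // org.apache.cxf.sts.token.delegation.TokenDelegationHandler
    public boolean canHandleToken(ReceivedToken receivedToken) {
        Object token = receivedToken.getToken();
        if (!(token instanceof Element)) {
            return false;
        }
        Element element = (Element) token;
        String namespaceURI = element.getNamespaceURI();
        boolean samlNamespace = SAML1_ASSERTION_NS.equals(namespaceURI)
            || SAML2_ASSERTION_NS.equals(namespaceURI);
        return samlNamespace && "Assertion".equals(element.getLocalName());
    }

    /**
     * Builds the delegation response for the given parameters. Tokens that are not DOM
     * elements are returned with the response's default (not allowed) state.
     *
     * @param tokenDelegationParameters the token and the AppliesTo address of the request
     * @return the response carrying the token and the delegation decision
     */
    @Override // org.apache.cxf.sts.token.delegation.TokenDelegationHandler
    public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenDelegationParameters) {
        TokenDelegationResponse response = new TokenDelegationResponse();
        ReceivedToken token = tokenDelegationParameters.getToken();
        response.setToken(token);
        if (!token.isDOMElement()) {
            return response;
        }
        if (isDelegationAllowed(token, tokenDelegationParameters.getAppliesToAddress())) {
            response.setDelegationAllowed(true);
        }
        return response;
    }

    /**
     * Applies the delegation policy to a SAML assertion.
     *
     * <p>Any non-bearer confirmation method (e.g. holder-of-key or sender-vouches) is
     * rejected; an assertion that lists no confirmation methods passes this check.
     * The audience check is skipped when it is disabled or when no AppliesTo address
     * was supplied. Parsing failures are logged and treated as "not allowed".
     *
     * @param receivedToken    the received token, whose payload must be a DOM element
     * @param appliesToAddress the AppliesTo address of the request, may be {@code null}
     * @return whether delegation of the assertion is allowed
     */
    protected boolean isDelegationAllowed(ReceivedToken receivedToken, String appliesToAddress) {
        try {
            SamlAssertionWrapper assertion = new SamlAssertionWrapper((Element) receivedToken.getToken());
            for (String confirmationMethod : assertion.getConfirmationMethods()) {
                if (!isBearerMethod(confirmationMethod)) {
                    LOG.fine("An unsupported Confirmation Method was used: " + confirmationMethod);
                    return false;
                }
            }
            if (!checkAudienceRestriction || appliesToAddress == null) {
                return true;
            }
            List<String> audienceRestrictions = getAudienceRestrictions(assertion);
            // An assertion without any AudienceRestriction is not scoped to an audience,
            // so it is accepted for every AppliesTo address.
            if (audienceRestrictions.isEmpty() || audienceRestrictions.contains(appliesToAddress)) {
                return true;
            }
            LOG.fine("The AppliesTo address " + appliesToAddress + " is not contained in the Audience Restriction addresses in the assertion");
            return false;
        } catch (WSSecurityException e) {
            // Fail closed: an assertion that cannot be parsed is never delegatable.
            LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", e);
            return false;
        }
    }

    /** Returns whether the confirmation method is the SAML 1.1 or SAML 2.0 bearer method. */
    private static boolean isBearerMethod(String confirmationMethod) {
        return SAML1Constants.CONF_BEARER.equals(confirmationMethod)
            || SAML2_BEARER_METHOD.equals(confirmationMethod);
    }

    /**
     * Collects the audience URIs of every AudienceRestriction(Condition) in the assertion.
     *
     * <p>The Conditions element is optional in SAML; when it is absent an empty list is
     * returned instead of failing with a {@link NullPointerException}, which the caller's
     * {@code WSSecurityException} handler would not catch.
     *
     * @param assertion the parsed assertion
     * @return the audience URIs, empty if the assertion has no audience restriction
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
        List<String> audienceRestrictions = new ArrayList<String>();
        if (assertion.getSaml1() != null) {
            if (assertion.getSaml1().getConditions() != null) {
                for (AudienceRestrictionCondition restriction
                    : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) {
                    for (Audience audience : restriction.getAudiences()) {
                        audienceRestrictions.add(audience.getUri());
                    }
                }
            }
        } else if (assertion.getSaml2() != null) {
            if (assertion.getSaml2().getConditions() != null) {
                for (AudienceRestriction restriction
                    : assertion.getSaml2().getConditions().getAudienceRestrictions()) {
                    for (org.opensaml.saml2.core.Audience audience : restriction.getAudiences()) {
                        audienceRestrictions.add(audience.getAudienceURI());
                    }
                }
            }
        }
        return audienceRestrictions;
    }

    /**
     * @return whether the AppliesTo address is checked against the assertion's
     *         AudienceRestriction; {@code false} unless configured
     */
    public boolean isCheckAudienceRestriction() {
        return this.checkAudienceRestriction;
    }

    /**
     * Enables or disables the audience restriction check.
     *
     * @param checkAudienceRestriction {@code true} to require the AppliesTo address to
     *        appear in the assertion's AudienceRestriction
     */
    public void setCheckAudienceRestriction(boolean checkAudienceRestriction) {
        this.checkAudienceRestriction = checkAudienceRestriction;
    }
}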
