package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.net.URI;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.ws.wstrust.Claims;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-169.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-rt-ws-security-3.0.4.redhat-621169.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.class */
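/**
 * Checks that every non-optional {@code ClaimType} listed in a claims policy element of the
 * default identity dialect is present, with at least one value, in a SAML 1.x or SAML 2.0
 * assertion.
 *
 * <p>Scope of the check: only the presence of a matching attribute with a non-empty value list
 * is established. Attribute values are not inspected, and nothing in this class verifies the
 * assertion's signature, issuer or validity period. NOTE(review): those checks presumably
 * happen before this validator is called; confirm against the caller.
 */
public class DefaultClaimsPolicyValidator implements ClaimsPolicyValidator {
    private static final String DEFAULT_CLAIMS_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity";

    /**
     * Validates the assertion against the given claims policy element.
     *
     * @param element the claims policy element; {@code null} or a dialect other than
     *     {@link #getDialect()} fails validation
     * @param samlAssertionWrapper the assertion to search; when {@code null}, any required claim
     *     fails validation
     * @return {@code true} if every required claim is found, or if the policy lists no required
     *     claims; {@code false} otherwise
     * @throws IllegalArgumentException if a required {@code ClaimType} carries a {@code Uri}
     *     attribute that is not a syntactically valid URI (raised by {@link URI#create})
     */
    @Override
    public boolean validatePolicy(Element element, SamlAssertionWrapper samlAssertionWrapper) {
        if (element == null) {
            return false;
        }
        String dialect = element.getAttributeNS(null, Claims.DIALECT_ATTRIB_NAME);
        if (!DEFAULT_CLAIMS_NAMESPACE.equals(dialect)) {
            return false;
        }

        for (Element claimType = DOMUtils.getFirstElement(element);
                claimType != null;
                claimType = DOMUtils.getNextElement(claimType)) {
            // Children are matched on local name only; the element namespace is not checked here.
            if (!"ClaimType".equals(claimType.getLocalName())) {
                continue;
            }
            // Fail closed: only the literal "true" (case-insensitive) marks a claim optional.
            // A missing attribute, an empty one, or any other spelling leaves the claim required.
            if (Boolean.parseBoolean(claimType.getAttributeNS(null, "Optional"))) {
                continue;
            }
            String claimUri = claimType.getAttributeNS(null, "Uri");
            if (!findClaimInAssertion(samlAssertionWrapper, URI.create(claimUri))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns the claims dialect this validator handles.
     *
     * @return the default identity claims dialect URI
     */
    @Override
    public String getDialect() {
        return DEFAULT_CLAIMS_NAMESPACE;
    }

    /**
     * Dispatches the claim lookup to the SAML 1.x or SAML 2.0 assertion held by the wrapper.
     *
     * @return {@code false} when the wrapper is {@code null} or holds neither assertion kind, so
     *     a required claim can never be satisfied by a missing assertion
     */
    private boolean findClaimInAssertion(SamlAssertionWrapper samlAssertionWrapper, URI uri) {
        if (samlAssertionWrapper == null) {
            return false;
        }
        if (samlAssertionWrapper.getSaml1() != null) {
            return findClaimInAssertion(samlAssertionWrapper.getSaml1(), uri);
        }
        if (samlAssertionWrapper.getSaml2() != null) {
            return findClaimInAssertion(samlAssertionWrapper.getSaml2(), uri);
        }
        return false;
    }

    /**
     * Looks for a SAML 2.0 attribute whose name equals the claim URI exactly (no normalization)
     * and which carries at least one value.
     */
    private boolean findClaimInAssertion(Assertion assertion, URI uri) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            return false;
        }
        String wantedName = uri.toString();
        for (AttributeStatement statement : statements) {
            for (Attribute attribute : statement.getAttributes()) {
                // Constant-first equals: an attribute without a name is a non-match, not an NPE.
                if (wantedName.equals(attribute.getName()) && hasValues(attribute.getAttributeValues())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Looks for a SAML 1.x attribute whose namespace and name together form the claim URI and
     * which carries at least one value.
     *
     * <p>The expected name is the claim URI relativized against the attribute's namespace.
     * {@link URI#relativize} returns the claim URI unchanged when the namespace is not a prefix
     * of it, so such an attribute matches only if its name is the full claim URI.
     */
    private boolean findClaimInAssertion(org.opensaml.saml1.core.Assertion assertion, URI uri) {
        List<org.opensaml.saml1.core.AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            return false;
        }
        for (org.opensaml.saml1.core.AttributeStatement statement : statements) {
            for (org.opensaml.saml1.core.Attribute attribute : statement.getAttributes()) {
                String namespace = attribute.getAttributeNamespace();
                String name = attribute.getAttributeName();
                if (namespace == null || name == null) {
                    // Incomplete attribute: cannot satisfy a claim, keep looking.
                    continue;
                }
                String expectedName;
                try {
                    expectedName = URI.create(namespace).relativize(uri).toString();
                } catch (IllegalArgumentException ignored) {
                    // The namespace comes from the assertion; a malformed one is treated as a
                    // non-match instead of aborting validation with an unchecked exception.
                    continue;
                }
                if (name.equals(expectedName) && hasValues(attribute.getAttributeValues())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Returns whether the attribute value list is non-null and non-empty. */
    private static boolean hasValues(List<?> values) {
        return values != null && !values.isEmpty();
    }
}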
