package org.apache.wss4j.policy.stax.assertionStates;

import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.securityEvent.IssuedTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.ws.wstrust.Claims;
import org.opensaml.ws.wstrust.KeyType;
import org.opensaml.xml.signature.PublicKey;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-343-06.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-policy-stax-2.0.3.jar:org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.class */
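public class IssuedTokenAssertionState extends TokenAssertionState {

    /**
     * Dialect URI of the {@code Claims} element this state knows how to evaluate.
     * A {@code Claims} element carrying any other {@code Dialect} is not evaluated
     * at all (see {@link #validateClaims(Element, SamlTokenSecurityEvent)}).
     */
    private static final String DEFAULT_CLAIMS_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity";

    // TokenType URIs (WS-Security SAML Token Profile 1.1) that a RequestSecurityTokenTemplate
    // may demand. Any other TokenType value in the template is ignored for SAML tokens.
    private static final String SAML_V11_TOKEN_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML_V20_TOKEN_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /**
     * Creates the assertion state for one {@code IssuedToken} policy assertion.
     *
     * @param abstractSecurityAssertion the {@code IssuedToken} assertion from the policy
     * @param z                         passed through to {@link TokenAssertionState}; the
     *                                  decompiled name carries no meaning, the superclass
     *                                  (not in view) defines it
     * @param policyAsserter            receives the assert/unassert outcome
     * @param z2                        passed through to {@link TokenAssertionState}, see {@code z}
     */
    public IssuedTokenAssertionState(AbstractSecurityAssertion abstractSecurityAssertion, boolean z, PolicyAsserter policyAsserter, boolean z2) {
        super(abstractSecurityAssertion, z, policyAsserter, z2);
    }

    /**
     * Security event types this state wants to see: every token kind that may arrive
     * as the result of a WS-Trust issuance.
     *
     * @return Kerberos, REL, SAML and SecurityContext token event types
     */
    @Override // org.apache.wss4j.policy.stax.Assertable
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
            WSSecurityEventConstants.KerberosToken,
            WSSecurityEventConstants.RelToken,
            WSSecurityEventConstants.SamlToken,
            WSSecurityEventConstants.SecurityContextToken
        };
    }

    /**
     * Checks the received issued token against the {@code IssuedToken} policy assertion.
     * <p>
     * The checks, in order: the issuer name (only if the policy names one), the
     * {@code RequestSecurityTokenTemplate} (only for SAML and Kerberos tokens) and the
     * policy {@code Claims} (only for SAML tokens). Note that for REL and
     * SecurityContext tokens neither the template nor the claims are verified; such a
     * token passes on the issuer-name check alone.
     *
     * @param tokenSecurityEvent the event describing the token that arrived
     * @param abstractToken      the {@code IssuedToken} assertion; cast unchecked, so any
     *                           other token type yields a {@link ClassCastException}
     * @return {@code true} when the policy is asserted, {@code false} after it has been
     *         unasserted with the reason recorded via {@code setErrorMessage}
     * @throws WSSPolicyException if the event is not an {@link IssuedTokenSecurityEvent},
     *                            or when an {@link XMLSecurityException} surfaces from the
     *                            template/claims checks (the policy is unasserted first)
     */
    @Override // org.apache.wss4j.policy.stax.assertionStates.TokenAssertionState
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
        if (!(tokenSecurityEvent instanceof IssuedTokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a IssuedTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
        }
        IssuedToken issuedToken = (IssuedToken) abstractToken;
        IssuedTokenSecurityEvent issuedTokenSecurityEvent = (IssuedTokenSecurityEvent) tokenSecurityEvent;
        try {
            String policyIssuerName = issuedToken.getIssuerName();
            if (policyIssuerName != null && !policyIssuerName.equals(issuedTokenSecurityEvent.getIssuerName())) {
                return unassert("IssuerName in Policy (" + policyIssuerName + ") didn't match with the one in the IssuedToken ("
                        + issuedTokenSecurityEvent.getIssuerName() + ")");
            }

            Element template = issuedToken.getRequestSecurityTokenTemplate();
            if (template != null) {
                String templateError = null;
                if (issuedTokenSecurityEvent instanceof SamlTokenSecurityEvent) {
                    templateError = checkIssuedTokenTemplate(template, (SamlTokenSecurityEvent) issuedTokenSecurityEvent);
                } else if (issuedTokenSecurityEvent instanceof KerberosTokenSecurityEvent) {
                    templateError = checkIssuedTokenTemplate(template, (KerberosTokenSecurityEvent) issuedTokenSecurityEvent);
                }
                // Other token kinds have no template check; templateError stays null.
                if (templateError != null) {
                    return unassert(templateError);
                }
            }

            Element claims = issuedToken.getClaims();
            if (claims != null && issuedTokenSecurityEvent instanceof SamlTokenSecurityEvent) {
                String claimsError = validateClaims(claims, (SamlTokenSecurityEvent) issuedTokenSecurityEvent);
                if (claimsError != null) {
                    return unassert(claimsError);
                }
            }

            getPolicyAsserter().assertPolicy(getAssertion());
            return true;
        } catch (XMLSecurityException e) {
            // Unassert with whatever message was last recorded (may be null) before rethrowing.
            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
            throw new WSSPolicyException(e.getMessage(), e);
        }
    }

    /**
     * Records {@code reason} as this state's error message, unasserts the policy with it
     * and returns {@code false} so callers can {@code return unassert(...)} in one step.
     */
    private boolean unassert(String reason) throws WSSPolicyException {
        setErrorMessage(reason);
        getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
        return false;
    }

    /**
     * Verifies a SAML token against the policy's {@code RequestSecurityTokenTemplate}.
     * <p>
     * Only three child elements of the template are enforced: {@code TokenType} (SAML 1.1
     * vs. 2.0 profile URIs only; other values are ignored), {@code KeyType} (a value ending
     * in {@code SymmetricKey} requires a secret key on the token, one ending in
     * {@code PublicKey} requires a public key or certificate chain; other key types such as
     * bearer are not enforced) and {@code Claims}. Every other child is skipped.
     *
     * @param element               the {@code RequestSecurityTokenTemplate} element
     * @param samlTokenSecurityEvent the received SAML token
     * @return {@code null} when the template is satisfied, otherwise the failure reason
     * @throws XMLSecurityException propagated from the security token's key accessors
     *                              or from claims validation
     */
    protected String checkIssuedTokenTemplate(Element element, SamlTokenSecurityEvent samlTokenSecurityEvent) throws XMLSecurityException {
        for (Node node = element.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (node.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            String localName = node.getLocalName();
            if ("TokenType".equals(localName)) {
                String requiredTokenType = node.getTextContent();
                SAMLVersion samlVersion = samlTokenSecurityEvent.getSamlAssertionWrapper().getSamlVersion();
                if (SAML_V11_TOKEN_TYPE.equals(requiredTokenType) && samlVersion != SAMLVersion.VERSION_11) {
                    return "Policy enforces SAML V1.1 token but got " + samlVersion;
                }
                if (SAML_V20_TOKEN_TYPE.equals(requiredTokenType) && samlVersion != SAMLVersion.VERSION_20) {
                    return "Policy enforces SAML V2.0 token but got " + samlVersion;
                }
            } else if (KeyType.ELEMENT_LOCAL_NAME.equals(localName)) {
                String keyType = node.getTextContent();
                SamlSecurityToken samlSecurityToken = (SamlSecurityToken) samlTokenSecurityEvent.getSecurityToken();
                if (keyType.endsWith("SymmetricKey")) {
                    if (samlSecurityToken.getSecretKey().isEmpty()) {
                        return "Policy enforces SAML token with a symmetric key";
                    }
                } else if (keyType.endsWith(PublicKey.DEFAULT_ELEMENT_LOCAL_NAME)) {
                    // Fully qualified: the unqualified PublicKey in this file is the OpenSAML XML element.
                    java.security.PublicKey publicKey = samlSecurityToken.getPublicKey();
                    X509Certificate[] x509Certificates = samlSecurityToken.getX509Certificates();
                    if (publicKey == null && x509Certificates == null) {
                        return "Policy enforces SAML token with an asymmetric key";
                    }
                }
            } else if ("Claims".equals(localName)) {
                String claimsError = validateClaims((Element) node, samlTokenSecurityEvent);
                if (claimsError != null) {
                    return claimsError;
                }
            }
        }
        return null;
    }

    /**
     * Verifies a Kerberos token against the policy's {@code RequestSecurityTokenTemplate}.
     * Only the {@code TokenType} child is enforced: its text must equal the token's
     * Kerberos value type exactly. All other template children are ignored.
     *
     * @param element                    the {@code RequestSecurityTokenTemplate} element
     * @param kerberosTokenSecurityEvent the received Kerberos token
     * @return {@code null} when the template is satisfied, otherwise the failure reason
     */
    private String checkIssuedTokenTemplate(Element element, KerberosTokenSecurityEvent kerberosTokenSecurityEvent) {
        for (Node node = element.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (node.getNodeType() != Node.ELEMENT_NODE || !"TokenType".equals(node.getLocalName())) {
                continue;
            }
            String requiredTokenType = node.getTextContent();
            String actualTokenType = kerberosTokenSecurityEvent.getKerberosTokenValueType();
            if (!requiredTokenType.equals(actualTokenType)) {
                return "Policy enforces Kerberos token of type " + requiredTokenType + " but got " + actualTokenType;
            }
        }
        return null;
    }

    /**
     * Checks that every required {@code ClaimType} listed in a WS-Trust {@code Claims}
     * element is present (with at least one value) in the SAML assertion.
     * <p>
     * Only the {@link #DEFAULT_CLAIMS_NAMESPACE} dialect is understood; a {@code Claims}
     * element with any other {@code Dialect} returns {@code null}, i.e. it is treated as
     * satisfied without looking at the assertion. A claim is optional only when its
     * {@code Optional} attribute parses as {@code true} (case-insensitive); any other
     * value, including an absent attribute, makes the claim required.
     *
     * @param element                the {@code Claims} element from the policy
     * @param samlTokenSecurityEvent the received SAML token
     * @return {@code null} when all required claims are present, otherwise the first
     *         missing-claim message
     * @throws WSSecurityException declared for subclasses; nothing in this body throws it
     */
    protected String validateClaims(Element element, SamlTokenSecurityEvent samlTokenSecurityEvent) throws WSSecurityException {
        if (!DEFAULT_CLAIMS_NAMESPACE.equals(element.getAttributeNS(null, Claims.DIALECT_ATTRIB_NAME))) {
            return null;
        }
        for (Node node = element.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (node.getNodeType() != Node.ELEMENT_NODE || !"ClaimType".equals(node.getLocalName())) {
                continue;
            }
            Element claimType = (Element) node;
            // Boolean.parseBoolean yields false for "" and null, so an absent Optional means required.
            if (Boolean.parseBoolean(claimType.getAttributeNS(null, "Optional"))) {
                continue;
            }
            URI claimUri = URI.create(claimType.getAttributeNS(null, "Uri"));
            String missingClaim = findClaimInAssertion(samlTokenSecurityEvent.getSamlAssertionWrapper(), claimUri);
            if (missingClaim != null) {
                return missingClaim;
            }
        }
        return null;
    }

    /**
     * Dispatches the claim lookup to the SAML 1 or SAML 2 assertion held by the wrapper.
     *
     * @param samlAssertionWrapper wrapper around the received assertion
     * @param uri                  the claim URI to look for
     * @return {@code null} when the claim is present, otherwise a failure message
     *         ({@code "Unsupported SAML version"} when the wrapper holds neither form)
     */
    protected String findClaimInAssertion(SamlAssertionWrapper samlAssertionWrapper, URI uri) {
        if (samlAssertionWrapper.getSaml1() != null) {
            return findClaimInAssertion(samlAssertionWrapper.getSaml1(), uri);
        }
        if (samlAssertionWrapper.getSaml2() != null) {
            return findClaimInAssertion(samlAssertionWrapper.getSaml2(), uri);
        }
        return "Unsupported SAML version";
    }

    /**
     * Looks for a SAML 2 attribute whose {@code Name} equals the claim URI and that
     * carries at least one value. An attribute with a matching name but no values does
     * not satisfy the claim. An attribute without a {@code Name} simply does not match
     * (previously it raised a {@link NullPointerException}).
     *
     * @param assertion the SAML 2 assertion
     * @param uri       the claim URI
     * @return {@code null} when found, otherwise {@code "Attribute <uri> not found in the SAMLAssertion"}
     */
    protected String findClaimInAssertion(Assertion assertion, URI uri) {
        List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
        if (attributeStatements != null) {
            String wantedName = uri.toString();
            for (AttributeStatement statement : attributeStatements) {
                for (Attribute attribute : statement.getAttributes()) {
                    if (wantedName.equals(attribute.getName()) && hasValues(attribute.getAttributeValues())) {
                        return null;
                    }
                }
            }
        }
        return "Attribute " + uri + " not found in the SAMLAssertion";
    }

    /**
     * Looks for a SAML 1 attribute matching the claim URI. SAML 1 splits the attribute
     * into {@code AttributeNamespace} and {@code AttributeName}, so the claim URI is
     * relativized against the attribute's namespace and the remainder compared with the
     * attribute name; when the namespace is not a prefix of the claim URI,
     * {@link URI#relativize(URI)} returns the claim URI unchanged, which will not match a
     * plain attribute name. Attributes without a namespace cannot be resolved and are
     * skipped (previously they raised a {@link NullPointerException}); a namespace that
     * is not a valid URI still propagates {@link IllegalArgumentException} from
     * {@link URI#create(String)}.
     *
     * @param assertion the SAML 1 assertion
     * @param uri       the claim URI
     * @return {@code null} when found, otherwise {@code "Attribute <uri> not found in the SAMLAssertion"}
     */
    protected String findClaimInAssertion(org.opensaml.saml1.core.Assertion assertion, URI uri) {
        List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = assertion.getAttributeStatements();
        if (attributeStatements != null) {
            for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements) {
                for (org.opensaml.saml1.core.Attribute attribute : statement.getAttributes()) {
                    String attributeNamespace = attribute.getAttributeNamespace();
                    if (attributeNamespace == null) {
                        continue;
                    }
                    String wantedName = URI.create(attributeNamespace).relativize(uri).toString();
                    if (wantedName.equals(attribute.getAttributeName()) && hasValues(attribute.getAttributeValues())) {
                        return null;
                    }
                }
            }
        }
        return "Attribute " + uri + " not found in the SAMLAssertion";
    }

    /** True when the attribute value list is present and non-empty. */
    private static boolean hasValues(List<?> attributeValues) {
        return attributeValues != null && !attributeValues.isEmpty();
    }
}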
