package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.Collection;
import java.util.List;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.IssuedToken;
import org.opensaml.common.SAMLVersion;
import org.opensaml.ws.wstrust.Claims;
import org.opensaml.ws.wstrust.KeyType;
import org.opensaml.xml.signature.PublicKey;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-343-06.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-rt-ws-security-3.0.4.redhat-621343-06.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.class */
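public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {

    /** TokenType URI that an RST template uses to demand a SAML 1.1 assertion. */
    private static final String SAML11_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    /** TokenType URI that an RST template uses to demand a SAML 2.0 assertion. */
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /** Signature results of the current message; handed to the inherited holder-of-key check. */
    private final List<WSSecurityEngineResult> signedResults;

    /** The message being validated; supplies the TLS session and the AssertionInfoMap. */
    private final Message message;

    /** Validator for the wst:Claims element, both inside the RST template and on the IssuedToken itself. */
    private final ClaimsPolicyValidator claimsValidator = new DefaultClaimsPolicyValidator();

    /**
     * Creates a validator for the IssuedToken assertions of one message.
     *
     * @param list    the WSS4J signature results of the message (may be null; it is only passed through)
     * @param message the message whose IssuedToken policy is being checked
     */
    public IssuedTokenPolicyValidator(List<WSSecurityEngineResult> list, Message message) {
        this.signedResults = list;
        this.message = message;
    }

    /**
     * Validates the IssuedToken assertions against a received SAML assertion.
     *
     * <p>For every assertion whose token is required for this message, the RST template (TokenType,
     * KeyType, Claims), the IssuedToken's own Claims element and the holder-of-key requirement are
     * checked; each failure is reported with {@code AssertionInfo#setNotAsserted} on that assertion.
     *
     * <p>NOTE: this overload always returns {@code true} even when an assertion has been marked
     * not-asserted — callers must inspect the AssertionInfo state rather than the return value. The
     * {@link #validatePolicy(Collection, BinarySecurity)} overload, by contrast, returns {@code false}
     * on the first failure.
     *
     * @param collection           the IssuedToken AssertionInfo entries to check; null or empty passes
     * @param samlAssertionWrapper the received SAML assertion, or null if none was received
     * @return always {@code true}
     */
    public boolean validatePolicy(Collection<AssertionInfo> collection, SamlAssertionWrapper samlAssertionWrapper) {
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        for (AssertionInfo assertionInfo : collection) {
            IssuedToken issuedToken = (IssuedToken) assertionInfo.getAssertion();
            // Assert first; each failing check below downgrades the assertion again.
            assertionInfo.setAsserted(true);
            if (!isTokenRequired(issuedToken, this.message)) {
                continue;
            }
            if (samlAssertionWrapper == null) {
                assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                continue;
            }
            Element template = issuedToken.getRequestSecurityTokenTemplate();
            if (template != null && !checkIssuedTokenTemplate(template, samlAssertionWrapper)) {
                // A template mismatch ends the checks for this assertion; Claims and HoK are not evaluated.
                assertionInfo.setNotAsserted("Error in validating the IssuedToken policy");
                continue;
            }
            Element claims = issuedToken.getClaims();
            if (claims != null && !claimsSatisfied(claims, samlAssertionWrapper)) {
                assertionInfo.setNotAsserted("Error in validating the Claims policy");
            }
            // The holder-of-key check runs even after a Claims failure; its message then replaces the Claims one.
            TLSSessionInfo tlsSessionInfo = (TLSSessionInfo) this.message.get(TLSSessionInfo.class);
            if (!checkHolderOfKey(samlAssertionWrapper, this.signedResults,
                                  tlsSessionInfo != null ? tlsSessionInfo.getPeerCertificates() : null)) {
                assertionInfo.setNotAsserted("Assertion fails holder-of-key requirements");
            }
        }
        assertReferencePolicies();
        return true;
    }

    /**
     * Validates the IssuedToken assertions against a received BinarySecurity token.
     *
     * <p>Only the TokenType of the RST template is compared (against the token's ValueType). Unlike the
     * SAML overload, this one stops and returns {@code false} at the first failing assertion.
     *
     * @param collection     the IssuedToken AssertionInfo entries to check; null or empty passes
     * @param binarySecurity the received token, or null if none was received
     * @return {@code false} if a required token is missing or its type does not match the template,
     *         {@code true} otherwise
     */
    public boolean validatePolicy(Collection<AssertionInfo> collection, BinarySecurity binarySecurity) {
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        for (AssertionInfo assertionInfo : collection) {
            IssuedToken issuedToken = (IssuedToken) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
            if (!isTokenRequired(issuedToken, this.message)) {
                continue;
            }
            if (binarySecurity == null) {
                assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                return false;
            }
            Element template = issuedToken.getRequestSecurityTokenTemplate();
            if (template != null && !checkIssuedTokenTemplate(template, binarySecurity)) {
                assertionInfo.setNotAsserted("Error in validating the IssuedToken policy");
                return false;
            }
        }
        assertReferencePolicies();
        return true;
    }

    /**
     * Marks the RequireInternalReference / RequireExternalReference assertions of the message as asserted.
     * Both overloads of {@code validatePolicy} do this once all IssuedToken assertions have been visited.
     */
    private void assertReferencePolicies() {
        AssertionInfoMap assertionInfoMap = (AssertionInfoMap) this.message.get(AssertionInfoMap.class);
        assertPolicy(assertionInfoMap, SPConstants.REQUIRE_INTERNAL_REFERENCE);
        assertPolicy(assertionInfoMap, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
    }

    /**
     * Checks a received SAML assertion against the child elements of an RST template.
     *
     * <p>TokenType must agree with the assertion's SAML version, KeyType must be backed by matching subject
     * key material, and Claims must satisfy the claims validator. Any other child element is skipped; the
     * cursor always advances, so an unrecognised child (or a KeyType this check does not constrain) cannot
     * stall the loop.
     *
     * @param element              the RequestSecurityTokenTemplate element of the policy
     * @param samlAssertionWrapper the received assertion
     * @return {@code true} if every constraint in the template is met
     */
    private boolean checkIssuedTokenTemplate(Element element, SamlAssertionWrapper samlAssertionWrapper) {
        for (Element child = DOMUtils.getFirstElement(element); child != null; child = DOMUtils.getNextElement(child)) {
            String localName = child.getLocalName();
            if ("TokenType".equals(localName)) {
                if (!tokenTypeMatches(child.getTextContent(), samlAssertionWrapper)) {
                    return false;
                }
            } else if (KeyType.ELEMENT_LOCAL_NAME.equals(localName)) {
                if (!keyTypeSatisfied(child.getTextContent(), samlAssertionWrapper)) {
                    return false;
                }
            } else if ("Claims".equals(localName)) {
                if (!claimsSatisfied(child, samlAssertionWrapper)) {
                    return false;
                }
            }
            // Other template children carry no constraint this validator enforces.
        }
        return true;
    }

    /**
     * Checks a received BinarySecurity token against an RST template: every TokenType child must equal
     * the token's ValueType. Other children are ignored.
     *
     * @param element        the RequestSecurityTokenTemplate element of the policy
     * @param binarySecurity the received token
     * @return {@code true} if no TokenType child disagrees with the token's ValueType
     */
    private boolean checkIssuedTokenTemplate(Element element, BinarySecurity binarySecurity) {
        for (Element child = DOMUtils.getFirstElement(element); child != null; child = DOMUtils.getNextElement(child)) {
            if ("TokenType".equals(child.getLocalName())
                && !child.getTextContent().equals(binarySecurity.getValueType())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns whether the SAML version of the received assertion agrees with a template TokenType URI.
     * Only the two SAML token-profile URIs are constrained; any other value imposes nothing.
     */
    private static boolean tokenTypeMatches(String tokenType, SamlAssertionWrapper samlAssertionWrapper) {
        if (SAML11_TOKEN_TYPE.equals(tokenType)) {
            return samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11;
        }
        if (SAML20_TOKEN_TYPE.equals(tokenType)) {
            return samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_20;
        }
        return true;
    }

    /**
     * Returns whether the assertion's subject key info carries the material a template KeyType demands:
     * a secret for a ...SymmetricKey URI, a public key or certificates for a ...PublicKey URI. The URI is
     * matched by suffix only. Any other KeyType (e.g. a bearer URI) is not constrained here.
     */
    private static boolean keyTypeSatisfied(String keyType, SamlAssertionWrapper samlAssertionWrapper) {
        if (keyType.endsWith("SymmetricKey")) {
            SAMLKeyInfo subjectKeyInfo = samlAssertionWrapper.getSubjectKeyInfo();
            return subjectKeyInfo != null && subjectKeyInfo.getSecret() != null;
        }
        if (keyType.endsWith(PublicKey.DEFAULT_ELEMENT_LOCAL_NAME)) {
            SAMLKeyInfo subjectKeyInfo = samlAssertionWrapper.getSubjectKeyInfo();
            return subjectKeyInfo != null
                && (subjectKeyInfo.getPublicKey() != null || subjectKeyInfo.getCerts() != null);
        }
        return true;
    }

    /**
     * Applies the claims validator to a wst:Claims element. Only claims in the dialect the validator
     * declares are enforced; a Claims element in any other dialect passes through unchecked.
     *
     * @param claims               the Claims element (from the template or from the IssuedToken)
     * @param samlAssertionWrapper the received assertion the claims are checked against
     * @return {@code false} only if the dialect matches and the claims validator rejects the assertion
     */
    private boolean claimsSatisfied(Element claims, SamlAssertionWrapper samlAssertionWrapper) {
        String dialect = claims.getAttributeNS(null, Claims.DIALECT_ATTRIB_NAME);
        return !this.claimsValidator.getDialect().equals(dialect)
            || this.claimsValidator.validatePolicy(claims, samlAssertionWrapper);
    }
}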
