package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.IssuedToken;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.soap.wstrust.Claims;
import org.opensaml.soap.wstrust.KeyType;
import org.opensaml.xmlsec.signature.PublicKey;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-310-02.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630310-02.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.class */
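/**
 * Validates WS-SecurityPolicy {@code IssuedToken} assertions (SP 1.1 and SP 1.2 namespaces)
 * against the tokens actually received in a message.
 *
 * <p>Received SAML assertions are checked first; if none satisfies the policy, the
 * BinarySecurityToken results that WSS4J marked as validated are tried. For each token every
 * {@code IssuedToken} assertion is checked for token inclusion, the optional
 * {@code RequestSecurityTokenTemplate}, the optional {@code Claims} element and, for SAML
 * assertions, holder-of-key requirements. The first token that satisfies all assertions is
 * stored on the exchange under {@link SecurityConstants#TOKEN} and validation stops.
 *
 * <p>Claims are only validated when their dialect is the one understood by the configured
 * {@link ClaimsPolicyValidator}; a {@code Claims} element in any other dialect is not checked
 * by this class.
 */
public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {

    /** WS-Security SAML Token Profile 1.1 TokenType URI identifying a SAML 1.1 assertion. */
    private static final String SAML_11_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    /** WS-Security SAML Token Profile 1.1 TokenType URI identifying a SAML 2.0 assertion. */
    private static final String SAML_20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /** WSS4J action code under which BinarySecurityToken results are keyed (WSConstants.BST). */
    private static final int BST_ACTION = 4096;

    /** Local names of the RequestSecurityTokenTemplate children inspected here. */
    private static final String TOKEN_TYPE_LOCAL_NAME = "TokenType";
    private static final String CLAIMS_LOCAL_NAME = "Claims";

    /** Messages recorded on an AssertionInfo when a check fails. */
    private static final String INCLUSION_ERROR =
        "The received token does not match the token inclusion requirement";
    private static final String TEMPLATE_ERROR = "Error in validating the IssuedToken policy";
    private static final String CLAIMS_ERROR = "Error in validating the Claims policy";
    private static final String HOK_ERROR = "Assertion fails holder-of-key requirements";

    private final ClaimsPolicyValidator claimsValidator = new DefaultClaimsPolicyValidator();

    /**
     * Returns whether this validator handles the given assertion: an {@code IssuedToken}
     * in either the SP 1.2 or the SP 1.1 namespace.
     *
     * @param assertionInfo the assertion to check; its assertion may be {@code null}
     * @return {@code true} if the assertion is an IssuedToken assertion
     */
    @Override
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        if (assertionInfo.getAssertion() == null) {
            return false;
        }
        QName name = assertionInfo.getAssertion().getName();
        return SP12Constants.ISSUED_TOKEN.equals(name) || SP11Constants.ISSUED_TOKEN.equals(name);
    }

    /**
     * Validates the IssuedToken assertions against the received SAML assertions and, failing
     * that, against the validated BinarySecurityTokens. On the first match the corresponding
     * {@link SecurityToken} is stored on the exchange under {@link SecurityConstants#TOKEN}.
     *
     * @param policyValidatorParameters the validation context (message, WSS4J results)
     * @param collection the IssuedToken assertions to validate
     */
    @Override
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters,
                                 Collection<AssertionInfo> collection) {
        // SAML assertions take precedence over BinarySecurityTokens. Whether the SAML results
        // were signature-validated is not checked here — presumably the caller only supplies
        // assertions already processed by WSS4J; confirm against the caller.
        List<WSSecurityEngineResult> samlResults = policyValidatorParameters.getSamlResults();
        if (samlResults != null) {
            for (WSSecurityEngineResult samlResult : samlResults) {
                SamlAssertionWrapper assertion =
                    (SamlAssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                if (validateSAMLToken(policyValidatorParameters, assertion, collection)) {
                    policyValidatorParameters.getMessage().getExchange()
                        .put(SecurityConstants.TOKEN, createSecurityToken(assertion));
                    return;
                }
            }
        }

        // Only BinarySecurityTokens that WSS4J marked as validated are considered.
        List<WSSecurityEngineResult> bstResults =
            policyValidatorParameters.getResults().getActionResults().get(BST_ACTION);
        if (bstResults != null) {
            for (WSSecurityEngineResult bstResult : bstResults) {
                if (!Boolean.TRUE.equals(bstResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
                    continue;
                }
                BinarySecurity bst =
                    (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                if (validateBinarySecurityToken(policyValidatorParameters, bst, collection)) {
                    policyValidatorParameters.getMessage().getExchange()
                        .put(SecurityConstants.TOKEN, createSecurityToken(bst));
                    return;
                }
            }
        }
    }

    /**
     * Checks every IssuedToken assertion against one received SAML assertion.
     *
     * <p>Each assertion is first marked asserted (and its RequireExternalReference /
     * RequireInternalReference children asserted). If the token is required by the inclusion
     * policy, the assertion is checked for a matching RequestSecurityTokenTemplate, a
     * satisfied Claims element and holder-of-key requirements; a template mismatch is fatal for
     * that assertion and skips the remaining checks.
     *
     * @param parameters the validation context
     * @param assertion  the received SAML assertion, or {@code null} if the result had none
     * @param ais        the IssuedToken assertions to check
     * @return {@code true} only if every assertion is satisfied; each failure also marks the
     *         corresponding {@link AssertionInfo} as not asserted
     */
    private boolean validateSAMLToken(PolicyValidatorParameters parameters,
                                      SamlAssertionWrapper assertion,
                                      Collection<AssertionInfo> ais) {
        boolean asserted = true;
        for (AssertionInfo ai : ais) {
            IssuedToken issuedToken = (IssuedToken) ai.getAssertion();
            ai.setAsserted(true);
            assertToken(issuedToken, parameters.getAssertionInfoMap());

            if (!isTokenRequired(issuedToken, parameters.getMessage())) {
                continue;
            }
            if (assertion == null) {
                asserted = false;
                ai.setNotAsserted(INCLUSION_ERROR);
                continue;
            }

            Element template = issuedToken.getRequestSecurityTokenTemplate();
            if (template != null && !checkIssuedTokenTemplate(template, assertion)) {
                asserted = false;
                ai.setNotAsserted(TEMPLATE_ERROR);
                continue;
            }

            Element claims = issuedToken.getClaims();
            if (claims != null && !claimsSatisfied(claims, assertion)) {
                asserted = false;
                ai.setNotAsserted(CLAIMS_ERROR);
            }

            // Holder-of-key is checked against the signed results and, when the message arrived
            // over TLS, the peer certificates of that session. A failure here overrides any
            // earlier Claims message on the same AssertionInfo.
            TLSSessionInfo tlsInfo =
                (TLSSessionInfo) parameters.getMessage().get(TLSSessionInfo.class);
            if (!checkHolderOfKey(assertion, parameters.getSignedResults(),
                                  tlsInfo != null ? tlsInfo.getPeerCertificates() : null)) {
                asserted = false;
                ai.setNotAsserted(HOK_ERROR);
            }
        }
        return asserted;
    }

    /**
     * Checks every IssuedToken assertion against one received BinarySecurityToken.
     *
     * <p>Unlike the SAML path, only token inclusion and the RequestSecurityTokenTemplate
     * (TokenType only) are checked. The result is now accumulated across all assertions, as
     * {@link #validateSAMLToken} does, instead of being reset on every iteration; a failure on
     * one assertion is therefore no longer masked by a later assertion that passes.
     *
     * @param parameters the validation context
     * @param bst        the received BinarySecurityToken, or {@code null} if the result had none
     * @param ais        the IssuedToken assertions to check
     * @return {@code true} only if every assertion is satisfied
     */
    private boolean validateBinarySecurityToken(PolicyValidatorParameters parameters,
                                                BinarySecurity bst,
                                                Collection<AssertionInfo> ais) {
        boolean asserted = true;
        for (AssertionInfo ai : ais) {
            IssuedToken issuedToken = (IssuedToken) ai.getAssertion();
            ai.setAsserted(true);
            assertToken(issuedToken, parameters.getAssertionInfoMap());

            if (!isTokenRequired(issuedToken, parameters.getMessage())) {
                continue;
            }
            if (bst == null) {
                asserted = false;
                ai.setNotAsserted(INCLUSION_ERROR);
                continue;
            }

            Element template = issuedToken.getRequestSecurityTokenTemplate();
            if (template != null && !checkIssuedTokenTemplate(template, bst)) {
                asserted = false;
                ai.setNotAsserted(TEMPLATE_ERROR);
            }
        }
        return asserted;
    }

    /**
     * Marks the RequireExternalReference / RequireInternalReference nested assertions of an
     * IssuedToken as asserted, using the token's own namespace so SP 1.1 and SP 1.2 both work.
     *
     * @param issuedToken      the IssuedToken assertion
     * @param assertionInfoMap the map in which the nested assertions are recorded
     */
    private void assertToken(IssuedToken issuedToken, AssertionInfoMap assertionInfoMap) {
        String ns = issuedToken.getName().getNamespaceURI();
        if (issuedToken.isRequireExternalReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap, new QName(ns, SPConstants.REQUIRE_EXTERNAL_REFERENCE));
        }
        if (issuedToken.isRequireInternalReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap, new QName(ns, SPConstants.REQUIRE_INTERNAL_REFERENCE));
        }
    }

    /**
     * Returns {@code false} only when the Claims element is in the dialect understood by the
     * configured {@link ClaimsPolicyValidator} and that validator rejects the assertion.
     * Claims in any other dialect are not validated here and therefore pass.
     *
     * @param claims    the Claims element from the policy or the RST template
     * @param assertion the received SAML assertion
     * @return whether the claims requirement is considered satisfied
     */
    private boolean claimsSatisfied(Element claims, SamlAssertionWrapper assertion) {
        String dialect = claims.getAttributeNS(null, Claims.DIALECT_ATTRIB_NAME);
        if (!claimsValidator.getDialect().equals(dialect)) {
            return true;
        }
        return claimsValidator.validatePolicy(claims, assertion);
    }

    /**
     * Checks a received SAML assertion against the children of a RequestSecurityTokenTemplate.
     *
     * <p>Only {@code TokenType}, {@code KeyType} and {@code Claims} children are inspected;
     * every other child element is skipped. The traversal always advances to the next sibling,
     * so an unrecognised child or a Bearer-style KeyType can no longer stall the loop.
     *
     * @param template  the RequestSecurityTokenTemplate element
     * @param assertion the received SAML assertion
     * @return {@code true} if no inspected child rejects the assertion
     */
    private boolean checkIssuedTokenTemplate(Element template, SamlAssertionWrapper assertion) {
        for (Element child = DOMUtils.getFirstElement(template);
             child != null;
             child = DOMUtils.getNextElement(child)) {
            String localName = child.getLocalName();
            if (TOKEN_TYPE_LOCAL_NAME.equals(localName)) {
                if (!tokenTypeMatches(child.getTextContent(), assertion)) {
                    return false;
                }
            } else if (KeyType.ELEMENT_LOCAL_NAME.equals(localName)) {
                if (!keyTypeMatches(child.getTextContent(), assertion)) {
                    return false;
                }
            } else if (CLAIMS_LOCAL_NAME.equals(localName)) {
                if (!claimsSatisfied(child, assertion)) {
                    return false;
                }
            }
            // Other template children are not constrained by this validator.
        }
        return true;
    }

    /**
     * Checks a template TokenType value against the SAML version of the received assertion.
     * Token types other than the two SAML Token Profile URIs are not constrained.
     */
    private static boolean tokenTypeMatches(String tokenType, SamlAssertionWrapper assertion) {
        if (SAML_11_TOKEN_TYPE.equals(tokenType)) {
            return assertion.getSamlVersion() == SAMLVersion.VERSION_11;
        }
        if (SAML_20_TOKEN_TYPE.equals(tokenType)) {
            return assertion.getSamlVersion() == SAMLVersion.VERSION_20;
        }
        return true;
    }

    /**
     * Checks a template KeyType value against the subject key material of the assertion:
     * a symmetric key type requires a secret, a public key type requires a public key or
     * certificates. Any other key type (for example a bearer key type) requires nothing.
     */
    private static boolean keyTypeMatches(String keyType, SamlAssertionWrapper assertion) {
        SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
        if (keyType.endsWith("SymmetricKey")) {
            return keyInfo != null && keyInfo.getSecret() != null;
        }
        if (keyType.endsWith(PublicKey.DEFAULT_ELEMENT_LOCAL_NAME)) {
            return keyInfo != null && (keyInfo.getPublicKey() != null || keyInfo.getCerts() != null);
        }
        return true;
    }

    /**
     * Checks a received BinarySecurityToken against a RequestSecurityTokenTemplate: every
     * {@code TokenType} child must equal the token's ValueType. Other children are skipped.
     *
     * @param template the RequestSecurityTokenTemplate element
     * @param bst      the received BinarySecurityToken
     * @return {@code true} if no TokenType child disagrees with the token's ValueType
     */
    private boolean checkIssuedTokenTemplate(Element template, BinarySecurity bst) {
        for (Element child = DOMUtils.getFirstElement(template);
             child != null;
             child = DOMUtils.getNextElement(child)) {
            if (TOKEN_TYPE_LOCAL_NAME.equals(child.getLocalName())
                && !child.getTextContent().equals(bst.getValueType())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds the {@link SecurityToken} stored on the exchange for a validated SAML assertion,
     * carrying over the subject secret, the first subject certificate and the subject public key
     * when present, plus the token type derived from the assertion's SAML version.
     *
     * @param assertion the validated SAML assertion
     * @return the security token representing the assertion
     */
    private SecurityToken createSecurityToken(SamlAssertionWrapper assertion) {
        SecurityToken token = new SecurityToken(assertion.getId());

        SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
        if (keyInfo != null) {
            token.setSecret(keyInfo.getSecret());
            X509Certificate[] certs = keyInfo.getCerts();
            if (certs != null && certs.length > 0) {
                // Only the leaf (first) certificate is carried; no CRL is attached.
                token.setX509Certificate(certs[0], null);
            }
            if (keyInfo.getPublicKey() != null) {
                token.setKey(keyInfo.getPublicKey());
            }
        }

        if (assertion.getSaml1() != null) {
            token.setTokenType(SAML_11_TOKEN_TYPE);
        } else if (assertion.getSaml2() != null) {
            token.setTokenType(SAML_20_TOKEN_TYPE);
        }
        token.setToken(assertion.getElement());
        return token;
    }

    /**
     * Builds the {@link SecurityToken} stored on the exchange for a validated
     * BinarySecurityToken: the raw token bytes become the secret and the ValueType the token type.
     *
     * @param bst the validated BinarySecurityToken
     * @return the security token representing it
     */
    private SecurityToken createSecurityToken(BinarySecurity bst) {
        SecurityToken token = new SecurityToken(bst.getID());
        token.setToken(bst.getElement());
        token.setSecret(bst.getToken());
        token.setTokenType(bst.getValueType());
        return token;
    }
}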
