package org.apache.cxf.sts.rest;

import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.xml.bind.JAXBElement;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.CompressionUtils;
import org.apache.cxf.common.util.PropertyUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.sts.QNameConstants;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.rest.RESTSecurityTokenService;
import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceImpl;
import org.apache.cxf.ws.security.sts.provider.model.ClaimsType;
import org.apache.cxf.ws.security.sts.provider.model.ObjectFactory;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
import org.apache.cxf.ws.security.sts.provider.model.UseKeyType;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.content.X509Data;
import org.jruby.ext.openssl.impl.ASN1Registry;
import org.opensaml.soap.wstrust.RequestType;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-310-11.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630310-11.jar:org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.class */
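public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl implements RESTSecurityTokenService {
    /**
     * Short-name aliases (e.g. "saml", "jwt", "sct") for the WS-Trust TokenType URIs accepted on
     * the REST endpoints. This is an alias table, NOT an allow-list: {@link #issueToken} forwards any
     * value that is not a key here to the STS unchanged, so restricting which token types may be
     * issued has to be done in the STS token-provider configuration, not via this map. The map is
     * public and mutable; anything that puts into it changes the defaults for every instance in the JVM.
     */
    public static final Map<String, String> DEFAULT_TOKEN_TYPE_MAP;
    /**
     * Short claim names (e.g. "role", "upn") mapped to WS-Federation claim URIs. Same caveats as
     * {@link #DEFAULT_TOKEN_TYPE_MAP}: unknown names are forwarded verbatim and the map is mutable.
     */
    public static final Map<String, String> DEFAULT_CLAIM_TYPE_MAP = new HashMap<>();

    private static final String CLAIM_TYPE = "ClaimType";
    private static final String CLAIM_TYPE_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String WSA_NS = "http://www.w3.org/2005/08/addressing";
    private static final String ISSUE_REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue";
    private static final String PUBLIC_KEY_KEYTYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
    private static final String BEARER_KEYTYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
    /** The short token-type name that selects the JWT-specific response paths. */
    private static final String JWT_SHORT_NAME = "jwt";
    /** Contextual message property that overrides the DEFLATE level used by {@link #encodeToken}. */
    private static final String DEFLATE_LEVEL_PROPERTY = "deflate.level";
    private static final int DEFAULT_DEFLATE_LEVEL = 8;

    private static final Logger LOG = LogUtils.getL7dLogger(RESTSecurityTokenServiceImpl.class);

    @Context
    private MessageContext messageContext;

    @Context
    private SecurityContext securityContext;

    /**
     * Claims requested when the caller supplies none. There is no setter for it in this listing, so it
     * stays null unless assigned elsewhere (subclass or container injection — confirm).
     */
    private List<String> defaultClaims;
    private Map<String, String> claimTypeMap = DEFAULT_CLAIM_TYPE_MAP;
    private Map<String, String> tokenTypeMap = DEFAULT_TOKEN_TYPE_MAP;
    private String defaultKeyType = BEARER_KEYTYPE;
    /** Value written into the Optional attribute of every requested ClaimType element. */
    private boolean requestClaimsOptional = true;
    /** When true, {@link #encodeToken} DEFLATE-compresses the XML token before Base64 encoding it. */
    private boolean useDeflateEncoding = true;

    /** JSON envelope for a JWT: serialised by the JAX-RS JSON provider through its getter as {"token": ...}. */
    private static final class JSONWrapper {
        private final String token;

        JSONWrapper(String token) {
            this.token = token;
        }

        public String getToken() {
            return this.token;
        }
    }

    /**
     * Issues a token and returns it as XML.
     *
     * @param tokenType        short name or full TokenType URI
     * @param keyType          KeyType URI, or null to use {@link #getDefaultKeyType()}
     * @param requestedClaims  short names or URIs of the claims to request; null/empty uses the defaults
     * @param appliesTo        wsa:Address placed into wsp:AppliesTo, or null to omit it
     * @param wstrustResponse  true to return the whole RequestSecurityTokenResponse, false to return
     *                         only the issued token element
     * @return 200 with the XML body, or 500 when the STS response carries no RequestedSecurityToken
     */
    @Override // org.apache.cxf.sts.rest.RESTSecurityTokenService
    public Response getXMLToken(String tokenType, String keyType, List<String> requestedClaims,
                                String appliesTo, boolean wstrustResponse) {
        RequestSecurityTokenResponseType response = issueToken(tokenType, keyType, requestedClaims, appliesTo);
        if (wstrustResponse) {
            return Response.ok(QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponse(response)).build();
        }
        RequestedSecurityTokenType requestedToken = getRequestedSecurityToken(response);
        if (requestedToken == null) {
            return missingRequestedToken();
        }
        return Response.ok(requestedToken.getAny()).build();
    }

    /**
     * Issues a JWT and returns it wrapped as JSON. The check is on the short name "jwt" before alias
     * expansion, so a caller passing the full JWT TokenType URI gets 400 here.
     *
     * @return 200 with {"token": jwt}, 400 for any other token type, or 500 when the STS response
     *         carries no RequestedSecurityToken
     */
    @Override // org.apache.cxf.sts.rest.RESTSecurityTokenService
    public Response getJSONToken(String tokenType, String keyType, List<String> requestedClaims, String appliesTo) {
        if (!JWT_SHORT_NAME.equals(tokenType)) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        RequestedSecurityTokenType requestedToken =
            getRequestedSecurityToken(issueToken(tokenType, keyType, requestedClaims, appliesTo));
        if (requestedToken == null) {
            return missingRequestedToken();
        }
        // The JWT provider wraps the compact-serialised token as the text content of a single element.
        String jwt = ((Element) requestedToken.getAny()).getTextContent();
        return Response.ok(new JSONWrapper(jwt)).build();
    }

    /**
     * Issues a token and returns it as plain text: the compact JWT for "jwt", otherwise the XML token
     * serialised, optionally DEFLATE-compressed, and Base64 encoded (see {@link #encodeToken}).
     *
     * @return 200 with the text body, or 500 when the token is missing or cannot be encoded
     */
    @Override // org.apache.cxf.sts.rest.RESTSecurityTokenService
    public Response getPlainToken(String tokenType, String keyType, List<String> requestedClaims, String appliesTo) {
        RequestedSecurityTokenType requestedToken =
            getRequestedSecurityToken(issueToken(tokenType, keyType, requestedClaims, appliesTo));
        if (requestedToken == null) {
            return missingRequestedToken();
        }
        if (JWT_SHORT_NAME.equals(tokenType)) {
            return Response.ok(((Element) requestedToken.getAny()).getTextContent()).build();
        }
        try {
            String xml = DOM2Writer.nodeToString((Element) requestedToken.getAny());
            return Response.ok(encodeToken(xml)).build();
        } catch (Exception e) {
            // Keep the cause in the log; only a bare 500 goes back to the client.
            LOG.log(Level.WARNING, "Failed to encode issued token: " + e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
    }

    /** Logs and answers 500 when the STS response carries no RequestedSecurityToken element. */
    private static Response missingRequestedToken() {
        LOG.warning("STS response did not contain a RequestedSecurityToken element");
        return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
    }

    /**
     * Finds the RequestedSecurityToken element in an RSTR.
     *
     * @return the first JAXBElement named "RequestedSecurityToken" (any namespace), or null if absent
     */
    private RequestedSecurityTokenType getRequestedSecurityToken(RequestSecurityTokenResponseType response) {
        for (Object child : response.getAny()) {
            if (!(child instanceof JAXBElement)) {
                continue;
            }
            JAXBElement<?> element = (JAXBElement<?>) child;
            if ("RequestedSecurityToken".equals(element.getName().getLocalPart())) {
                return (RequestedSecurityTokenType) element.getValue();
            }
        }
        return null;
    }

    /**
     * Builds a WS-Trust Issue RST from the REST parameters and hands it to the STS.
     * <p>
     * Token-type and claim short names are expanded through {@link #getTokenTypeMap()} and
     * {@link #getClaimTypeMap()}; anything not in those maps is forwarded verbatim, so they do not
     * restrict what a caller can ask for. For the PublicKey key type the TLS client certificate of
     * the current connection is embedded as UseKey, i.e. the issued holder-of-key token is bound to
     * whatever certificate the transport accepted — that binding is only as strong as the TLS
     * client-authentication configuration of the endpoint.
     *
     * @param tokenType        short name or TokenType URI
     * @param keyType          KeyType URI, or null for {@link #getDefaultKeyType()}
     * @param requestedClaims  claim short names or URIs; null/empty falls back to the default claims
     * @param appliesTo        wsa:Address for wsp:AppliesTo, or null to omit it
     * @return the STS response
     */
    private RequestSecurityTokenResponseType issueToken(String tokenType, String keyType,
                                                        List<String> requestedClaims, String appliesTo) {
        String resolvedTokenType = tokenType;
        if (this.tokenTypeMap != null && this.tokenTypeMap.containsKey(tokenType)) {
            resolvedTokenType = this.tokenTypeMap.get(tokenType);
        }

        ObjectFactory factory = new ObjectFactory();
        RequestSecurityTokenType request = factory.createRequestSecurityTokenType();
        request.getAny().add(factory.createTokenType(resolvedTokenType));
        request.getAny().add(factory.createRequestType(ISSUE_REQUEST_TYPE));

        String resolvedKeyType = keyType != null ? keyType : this.defaultKeyType;
        request.getAny().add(factory.createKeyType(resolvedKeyType));

        if (PUBLIC_KEY_KEYTYPE.equals(resolvedKeyType)) {
            addUseKeyFromTLSCertificate(factory, request);
        }

        List<String> claims = requestedClaims;
        if (claims == null || claims.isEmpty()) {
            claims = this.defaultClaims;
        }
        if (claims != null && !claims.isEmpty()) {
            request.getAny().add(buildClaims(factory, claims));
        }

        if (appliesTo != null) {
            request.getAny().add(buildAppliesTo(appliesTo));
        }
        return processRequest(RESTSecurityTokenService.Action.issue, request);
    }

    /**
     * Adds a UseKey/KeyInfo/X509Data element carrying the TLS client certificate, if the current
     * connection presented one. If the KeyInfo cannot be built the error is logged and the request
     * continues without UseKey; what the STS does with a PublicKey request lacking UseKey is up to it.
     */
    private void addUseKeyFromTLSCertificate(ObjectFactory factory, RequestSecurityTokenType request) {
        X509Certificate clientCert = getTLSClientCertificate();
        if (clientCert == null) {
            return;
        }
        Document doc = DOMUtils.createDocument();
        Element keyInfo = doc.createElementNS(XMLDSIG_NS, "KeyInfo");
        try {
            X509Data x509Data = new X509Data(doc);
            x509Data.addCertificate(clientCert);
            keyInfo.appendChild(x509Data.getElement());
            UseKeyType useKey = factory.createUseKeyType();
            useKey.setAny(keyInfo);
            request.getAny().add(factory.createUseKey(useKey));
        } catch (XMLSecurityException e) {
            LOG.log(Level.WARNING, "Could not build UseKey from TLS client certificate: " + e.getMessage(), e);
        }
    }

    /** Builds the wst:Claims element (WS-Federation identity dialect) with one ClaimType per claim. */
    private JAXBElement<ClaimsType> buildClaims(ObjectFactory factory, List<String> claims) {
        ClaimsType claimsType = factory.createClaimsType();
        claimsType.setDialect(CLAIM_TYPE_NS);
        JAXBElement<ClaimsType> claimsElement = factory.createClaims(claimsType);
        for (String claim : claims) {
            String claimUri = claim;
            if (this.claimTypeMap != null && this.claimTypeMap.containsKey(claim)) {
                claimUri = this.claimTypeMap.get(claim);
            }
            Element claimType = DOMUtils.createDocument().createElementNS(CLAIM_TYPE_NS, CLAIM_TYPE);
            claimType.setAttributeNS(null, "Uri", claimUri);
            claimType.setAttributeNS(null, "Optional", Boolean.toString(this.requestClaimsOptional));
            claimsType.getAny().add(claimType);
        }
        return claimsElement;
    }

    /** Builds wsp:AppliesTo/wsa:EndpointReference/wsa:Address with the given address as text content. */
    private static Element buildAppliesTo(String address) {
        Document doc = DOMUtils.createDocument();
        Element appliesTo = doc.createElementNS(STSConstants.WSP_NS, "AppliesTo");
        Element endpointReference = doc.createElementNS(WSA_NS, "EndpointReference");
        Element addressElement = doc.createElementNS(WSA_NS, "Address");
        addressElement.setTextContent(address);
        endpointReference.appendChild(addressElement);
        appliesTo.appendChild(endpointReference);
        return appliesTo;
    }

    /**
     * Runs a caller-supplied RST through the STS for the given action and returns the full RSTR.
     * The RST is used as received; any authorization of issue/validate/renew/cancel is the
     * responsibility of the inherited STS operations, not of this method.
     */
    @Override // org.apache.cxf.sts.rest.RESTSecurityTokenService
    public Response getToken(RESTSecurityTokenService.Action action, RequestSecurityTokenType request) {
        RequestSecurityTokenResponseType response = processRequest(action, request);
        return Response.ok(QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponse(response)).build();
    }

    /** Dispatches to the inherited STS operation; issue (and any unlisted action) goes to issueSingle. */
    private RequestSecurityTokenResponseType processRequest(RESTSecurityTokenService.Action action,
                                                            RequestSecurityTokenType request) {
        switch (action) {
            case validate:
                return validate(request);
            case renew:
                return renew(request);
            case cancel:
                return cancel(request);
            case issue:
            default:
                return issueSingle(request);
        }
    }

    /** Cancels the token described by the RST and returns the raw RSTR. */
    @Override // org.apache.cxf.sts.rest.RESTSecurityTokenService
    public Response removeToken(RequestSecurityTokenType request) {
        return Response.ok(cancel(request)).build();
    }

    /** Runs the KeyExchangeToken operation and returns the raw RSTR. */
    @Override // org.apache.cxf.sts.rest.RESTSecurityTokenService
    public Response getKeyExchangeToken(RequestSecurityTokenType request) {
        return Response.ok(keyExchangeToken(request)).build();
    }

    /** Returns the live alias map (not a copy); mutations take effect immediately. */
    public Map<String, String> getTokenTypeMap() {
        return this.tokenTypeMap;
    }

    /** Replaces the token-type alias map; null disables alias expansion. */
    public void setTokenTypeMap(Map<String, String> map) {
        this.tokenTypeMap = map;
    }

    public String getDefaultKeyType() {
        return this.defaultKeyType;
    }

    /** Sets the KeyType URI used when a request does not specify one (default: Bearer). */
    public void setDefaultKeyType(String keyType) {
        this.defaultKeyType = keyType;
    }

    public boolean isRequestClaimsOptional() {
        return this.requestClaimsOptional;
    }

    public void setRequestClaimsOptional(boolean optional) {
        this.requestClaimsOptional = optional;
    }

    /** Returns the live alias map (not a copy); mutations take effect immediately. */
    public Map<String, String> getClaimTypeMap() {
        return this.claimTypeMap;
    }

    /** Replaces the claim alias map; null disables alias expansion. */
    public void setClaimTypeMap(Map<String, String> map) {
        this.claimTypeMap = map;
    }

    /**
     * Resolves the principal the STS issues tokens for, in this order: the JAX-RS SecurityContext,
     * the CXF SecurityContext on the message, and finally the subject of the TLS client certificate.
     * <p>
     * The last fallback means that, with no container authentication in front of this service, the
     * caller's identity is whatever certificate the TLS layer accepted. It must only be relied on
     * where the endpoint is configured to require and verify client certificates against a trusted
     * CA; a permissive trust manager would turn any self-issued certificate into a principal.
     *
     * @return the principal, or null when none of the three sources provides one
     */
    @Override // org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceImpl
    protected Principal getPrincipal() {
        if (this.securityContext != null && this.securityContext.getUserPrincipal() != null) {
            return this.securityContext.getUserPrincipal();
        }
        if (this.messageContext != null) {
            org.apache.cxf.security.SecurityContext cxfContext =
                (org.apache.cxf.security.SecurityContext) this.messageContext.get(org.apache.cxf.security.SecurityContext.class);
            if (cxfContext != null && cxfContext.getUserPrincipal() != null) {
                return cxfContext.getUserPrincipal();
            }
        }
        X509Certificate clientCert = getTLSClientCertificate();
        return clientCert != null ? clientCert.getSubjectX500Principal() : null;
    }

    /**
     * Returns the leaf (first) certificate of the peer chain recorded on the current message's
     * TLSSessionInfo, or null when there is no current message, no TLS session, no peer chain,
     * or the leaf is not an X.509 certificate.
     */
    private X509Certificate getTLSClientCertificate() {
        Message current = PhaseInterceptorChain.getCurrentMessage();
        if (current == null) {
            return null;
        }
        TLSSessionInfo tlsInfo = (TLSSessionInfo) current.get(TLSSessionInfo.class);
        if (tlsInfo == null || tlsInfo.getPeerCertificates() == null || tlsInfo.getPeerCertificates().length == 0) {
            return null;
        }
        java.security.cert.Certificate leaf = tlsInfo.getPeerCertificates()[0];
        return leaf instanceof X509Certificate ? (X509Certificate) leaf : null;
    }

    /** Exposes the current CXF message as the STS message context. */
    @Override // org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceImpl
    protected Map<String, Object> getMessageContext() {
        return PhaseInterceptorChain.getCurrentMessage();
    }

    public void setUseDeflateEncoding(boolean useDeflate) {
        this.useDeflateEncoding = useDeflate;
    }

    /**
     * Encodes a serialised XML token for the plain-text response: UTF-8 bytes, DEFLATE-compressed
     * when {@link #setUseDeflateEncoding} is enabled (level from {@link #getDeflateLevel}), then
     * standard Base64.
     *
     * @throws Base64Exception if encoding fails
     */
    protected String encodeToken(String token) throws Base64Exception {
        byte[] payload = token.getBytes(StandardCharsets.UTF_8);
        if (this.useDeflateEncoding) {
            payload = CompressionUtils.deflate(payload, getDeflateLevel(), true);
        }
        StringWriter out = new StringWriter();
        Base64Utility.encode(payload, 0, payload.length, out);
        return out.toString();
    }

    /** DEFLATE level from the "deflate.level" property of the current message, else 8. */
    private static int getDeflateLevel() {
        Message current = PhaseInterceptorChain.getCurrentMessage();
        Integer configured = current != null ? PropertyUtils.getInteger(current, DEFLATE_LEVEL_PROPERTY) : null;
        return configured != null ? configured.intValue() : DEFAULT_DEFLATE_LEVEL;
    }

    static {
        DEFAULT_CLAIM_TYPE_MAP.put("emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
        DEFAULT_CLAIM_TYPE_MAP.put("role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
        // Plain literal: the decompiled build referenced a JRuby OpenSSL constant that merely equals "surname".
        DEFAULT_CLAIM_TYPE_MAP.put("surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname");
        DEFAULT_CLAIM_TYPE_MAP.put("givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
        DEFAULT_CLAIM_TYPE_MAP.put("name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name");
        DEFAULT_CLAIM_TYPE_MAP.put("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn");
        DEFAULT_CLAIM_TYPE_MAP.put("nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");

        DEFAULT_TOKEN_TYPE_MAP = new HashMap<>();
        DEFAULT_TOKEN_TYPE_MAP.put("saml", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
        DEFAULT_TOKEN_TYPE_MAP.put("saml2.0", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
        DEFAULT_TOKEN_TYPE_MAP.put("saml1.1", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
        DEFAULT_TOKEN_TYPE_MAP.put("jwt", JWTTokenProvider.JWT_TOKEN_TYPE);
        DEFAULT_TOKEN_TYPE_MAP.put("sct", "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct");
    }
}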
