package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.UsernameToken;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-310-11.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630310-11.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.class */
/**
 * Checks received WS-Security UsernameTokens against the UsernameToken assertions of the
 * effective security policy (the SP11 and SP12 {@code UsernameToken} assertion names).
 *
 * <p>An assertion is marked asserted first and is downgraded with
 * {@link AssertionInfo#setNotAsserted(String)} as soon as one received token breaks the policy.
 */
public class UsernameTokenPolicyValidator extends AbstractSecurityPolicyValidator {
    /**
     * Reports whether this validator handles the given assertion.
     *
     * @param assertionInfo the assertion to inspect
     * @return {@code true} when the assertion is present and its name equals the SP12 or SP11
     *     {@code USERNAME_TOKEN} constant
     */
    @Override
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        if (assertionInfo.getAssertion() == null) {
            return false;
        }
        QName assertionName = assertionInfo.getAssertion().getName();
        return SP12Constants.USERNAME_TOKEN.equals(assertionName)
            || SP11Constants.USERNAME_TOKEN.equals(assertionName);
    }

    /**
     * Validates every supplied UsernameToken assertion against the received tokens.
     *
     * <p>Each assertion starts out asserted. When {@code isTokenRequired} (not defined in this
     * class) says a token is required, the assertion is rejected if no UsernameToken result was
     * received, or if {@link #checkTokens} finds a token that violates the policy.
     *
     * <p>NOTE(review): the cast to {@code UsernameToken} is unconditional; presumably callers
     * only pass assertions accepted by {@link #canValidatePolicy} - confirm.
     *
     * @param policyValidatorParameters message, assertion map and received token results
     * @param collection the assertions to validate
     */
    @Override
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters, Collection<AssertionInfo> collection) {
        for (AssertionInfo info : collection) {
            UsernameToken policy = (UsernameToken) info.getAssertion();
            info.setAsserted(true);
            assertToken(policy, policyValidatorParameters.getAssertionInfoMap());

            if (!isTokenRequired(policy, policyValidatorParameters.getMessage())) {
                continue;
            }
            if (policyValidatorParameters.getUsernameTokenResults().isEmpty()) {
                info.setNotAsserted("The received token does not match the token inclusion requirement");
            } else {
                // The boolean result is not needed here: checkTokens records any failure
                // on the AssertionInfo itself.
                checkTokens(policy, info, policyValidatorParameters.getUsernameTokenResults());
            }
        }
    }

    /**
     * Asserts the child policies of a UsernameToken assertion (Created, Nonce, password type and
     * token type) in the assertion map. The password-type and token-type QNames are built in the
     * namespace of the UsernameToken assertion itself.
     *
     * <p>This happens before any received token is inspected; the per-token enforcement is in
     * {@link #checkTokens}.
     */
    private void assertToken(UsernameToken usernameToken, AssertionInfoMap assertionInfoMap) {
        String policyNamespace = usernameToken.getName().getNamespaceURI();

        if (usernameToken.isCreated()) {
            PolicyUtils.assertPolicy(assertionInfoMap, SP13Constants.CREATED);
        }
        if (usernameToken.isNonce()) {
            PolicyUtils.assertPolicy(assertionInfoMap, SP13Constants.NONCE);
        }

        UsernameToken.PasswordType requiredPassword = usernameToken.getPasswordType();
        if (requiredPassword != null) {
            QName passwordAssertion = new QName(policyNamespace, requiredPassword.name());
            PolicyUtils.assertPolicy(assertionInfoMap, passwordAssertion);
        }

        UsernameToken.UsernameTokenType requiredTokenType = usernameToken.getUsernameTokenType();
        if (requiredTokenType != null) {
            QName tokenTypeAssertion = new QName(policyNamespace, requiredTokenType.name());
            PolicyUtils.assertPolicy(assertionInfoMap, tokenTypeAssertion);
        }
    }

    /**
     * Checks every received UsernameToken against the policy and stops at the first violation.
     *
     * <p>An empty list yields {@code true}; the "no token received" case is handled by
     * {@link #validatePolicies} before this method is called.
     *
     * <p>NOTE(review): the token is read from each result under the key
     * {@code "username-token"} and dereferenced without a null check, so a result lacking that
     * entry would raise a NullPointerException - confirm the result list only holds
     * UsernameToken results.
     *
     * @param usernameToken the policy assertion to enforce
     * @param assertionInfo receives the failure reason when a token violates the policy
     * @param list the processing results holding the received tokens
     * @return {@code false} if any token violates the policy, otherwise {@code true}
     */
    public boolean checkTokens(UsernameToken usernameToken, AssertionInfo assertionInfo, List<WSSecurityEngineResult> list) {
        for (WSSecurityEngineResult result : list) {
            org.apache.wss4j.dom.message.token.UsernameToken received =
                (org.apache.wss4j.dom.message.token.UsernameToken) result.get("username-token");
            String violation = findPolicyViolation(usernameToken, received);
            if (violation != null) {
                assertionInfo.setNotAsserted(violation);
                return false;
            }
        }
        return true;
    }

    /**
     * Compares one received token with the policy.
     *
     * @return the failure reason for the first rule the token breaks, or {@code null} when the
     *     token satisfies the policy
     */
    private String findPolicyViolation(UsernameToken usernameToken, org.apache.wss4j.dom.message.token.UsernameToken received) {
        UsernameToken.PasswordType requiredType = usernameToken.getPasswordType();
        boolean hashRequired = requiredType == UsernameToken.PasswordType.HashPassword;
        boolean passwordForbidden = requiredType == UsernameToken.PasswordType.NoPassword;

        // Hashing must match in both directions: a digest where the policy does not ask for
        // HashPassword is rejected just like a non-hashed token where it does.
        if (hashRequired != received.isHashed()) {
            return "Password hashing policy not enforced";
        }

        if (passwordForbidden) {
            if (received.getPassword() != null) {
                return "Username Token NoPassword policy not enforced";
            }
        } else if (received.getPassword() == null && isNonEndorsingSupportingToken(usernameToken)) {
            // A missing password is only rejected for the non-endorsing SupportingTokens kinds.
            return "Username Token No Password supplied";
        }

        // Created and Nonce are rejected when absent and also when the token is hashed;
        // presumably because these sp13 assertions target plaintext passwords - confirm.
        if (usernameToken.isCreated()) {
            if (received.getCreated() == null || received.isHashed()) {
                return "Username Token Created policy not enforced";
            }
        }
        if (usernameToken.isNonce()) {
            if (received.getNonce() == null || received.isHashed()) {
                return "Username Token Nonce policy not enforced";
            }
        }
        return null;
    }

    /**
     * Tells whether the policy's parent assertion is a SupportingTokens assertion whose local
     * name is one of SupportingTokens, SignedSupportingTokens, EncryptedSupportingTokens or
     * SignedEncryptedSupportingTokens (the {@link SPConstants} values compared below).
     *
     * @return {@code false} when the parent is not a {@link SupportingTokens} instance or has
     *     any other local name
     */
    private boolean isNonEndorsingSupportingToken(UsernameToken usernameToken) {
        AbstractSecurityAssertion parent = usernameToken.getParentAssertion();
        if (parent instanceof SupportingTokens) {
            String kind = ((SupportingTokens) parent).getName().getLocalPart();
            return kind.equals(SPConstants.SUPPORTING_TOKENS)
                || kind.equals(SPConstants.SIGNED_SUPPORTING_TOKENS)
                || kind.equals(SPConstants.ENCRYPTED_SUPPORTING_TOKENS)
                || kind.equals(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
        }
        return false;
    }
}
