package org.apache.cxf.sts.token.renewer;

import java.security.Principal;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.cache.CacheUtils;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.provider.AbstractSAMLTokenProvider;
import org.apache.cxf.sts.token.provider.ConditionsProvider;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.sts.token.realm.RealmProperties;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.builder.SAML1ComponentBuilder;
import org.apache.wss4j.common.saml.builder.SAML2ComponentBuilder;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.saml.DOMSAMLUtil;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-361.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630361.jar:org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.class */
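/**
 * Renews SAML 1.1 / 2.0 assertions previously issued by this STS.
 *
 * <p>A renewal only succeeds if the incoming assertion is found in the configured
 * {@link TokenStore} (keyed on a hash of its signature bytes), the cached entry records that
 * renewal was permitted at issuance, the requestor proves possession of the subject key
 * (unless disabled), and any AppliesTo address matches the assertion's audience restriction.
 * The renewed assertion gets a fresh ID, fresh conditions and (by default) a fresh signature,
 * and replaces the old entry in the cache.
 *
 * <p>Not thread-safe with respect to its setters; configure before use.
 */
public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements TokenRenewer {
    /** Default grace period, in seconds, after expiry during which an expired assertion may still be renewed. */
    public static final long DEFAULT_MAX_EXPIRY = 1800;

    private static final Logger LOG = LogUtils.getL7dLogger(SAMLTokenRenewer.class);

    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String ASSERTION_LOCAL_NAME = "Assertion";
    private static final String RENEW_FAILED = "Can't renew SAML assertion";
    private static final String AUDIENCE_MISMATCH =
        "The AppliesTo address does not match the Audience Restriction";

    /** Whether the renewed assertion is re-signed by this STS; when false any old signature is stripped. */
    private boolean signToken = true;
    private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
    private final Map<String, RealmProperties> realmMap = new HashMap<>();
    /** Grace period in seconds after expiry; see {@link #DEFAULT_MAX_EXPIRY}. */
    private long maxExpiry = DEFAULT_MAX_EXPIRY;
    /** Whether the requestor must demonstrate possession of the key bound to the assertion's subject. */
    private boolean verifyProofOfPossession = true;
    /** Renewer-side switch for post-expiry renewal; the cached token's own policy must also allow it. */
    private boolean allowRenewalAfterExpiry;

    /**
     * Compares the key bound to an assertion's subject with the credentials that secured the
     * renewal request: signing credentials from the WS-Security results (message signature and
     * UsernameToken-derived signature) and the TLS client certificates, if any.
     *
     * <p>Public only because the decompiler widened its access; treat it as internal.
     */
    public static class ProofOfPossessionValidator {
        private ProofOfPossessionValidator() {
        }

        /**
         * @param tokenParameters the renewal parameters carrying the message context
         * @param subjectKeyInfo  the key bound to the assertion's subject (may wrap a null key)
         * @return true if a credential found in the request matches the subject key
         */
        public boolean checkProofOfPossession(TokenRenewerParameters tokenParameters, SAMLKeyInfo subjectKeyInfo) {
            Map<String, Object> messageContext = tokenParameters.getMessageContext();
            List<WSHandlerResult> handlerResults =
                CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));

            List<WSSecurityEngineResult> signedResults = new ArrayList<>();
            if (handlerResults != null && !handlerResults.isEmpty()) {
                // Only the first handler result is consulted, as in the original implementation.
                Map<Integer, List<WSSecurityEngineResult>> actionResults =
                    handlerResults.get(0).getActionResults();
                addResults(signedResults, actionResults.get(WSConstants.SIGN));
                addResults(signedResults, actionResults.get(WSConstants.UT_SIGN));
            }

            TLSSessionInfo tlsInfo = (TLSSessionInfo) messageContext.get(TLSSessionInfo.class.getName());
            Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();

            return DOMSAMLUtil.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
        }

        /** Appends {@code source} to {@code target}, tolerating an absent (null) result list. */
        private static void addResults(List<WSSecurityEngineResult> target,
                                       List<WSSecurityEngineResult> source) {
            if (source != null) {
                target.addAll(source);
            }
        }
    }

    @Override
    public boolean canHandleToken(ReceivedToken renewTarget) {
        return canHandleToken(renewTarget, null);
    }

    /**
     * @param renewTarget the token to renew
     * @param realm       the requested realm, or null for no realm check
     * @return true if the token is a SAML 1.1 or 2.0 {@code Assertion} element and the realm
     *         (when given) is one this renewer is configured for
     */
    @Override
    public boolean canHandleToken(ReceivedToken renewTarget, String realm) {
        // A realm this renewer has no properties for cannot be served.
        if (realm != null && !realmMap.containsKey(realm)) {
            return false;
        }
        Object token = renewTarget.getToken();
        if (!(token instanceof Element)) {
            return false;
        }
        Element tokenElement = (Element) token;
        String ns = tokenElement.getNamespaceURI();
        boolean samlNamespace = SAML1_NS.equals(ns) || SAML2_NS.equals(ns);
        return samlNamespace && ASSERTION_LOCAL_NAME.equals(tokenElement.getLocalName());
    }

    @Override
    public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
        this.verifyProofOfPossession = verifyProofOfPossession;
    }

    public boolean isAllowRenewalAfterExpiry() {
        return allowRenewalAfterExpiry;
    }

    @Override
    public void setAllowRenewalAfterExpiry(boolean allowRenewalAfterExpiry) {
        this.allowRenewalAfterExpiry = allowRenewalAfterExpiry;
    }

    /** @param maxExpiry grace period in seconds after expiry during which renewal is still accepted */
    public void setMaxExpiry(long maxExpiry) {
        this.maxExpiry = maxExpiry;
    }

    public long getMaxExpiry() {
        return maxExpiry;
    }

    /**
     * Renews the assertion carried in {@code tokenParameters}.
     *
     * @param tokenParameters renewal request parameters; must carry a token in state VALID or
     *                        EXPIRED and a configured token store
     * @return the renewed assertion with its new ID, created and expiry instants
     * @throws STSException with {@code INVALID_REQUEST} if the token is missing or not in a
     *                      renewable state, or {@code REQUEST_FAILED} for any other failure.
     *                      Note that validation failures raised inside the try block are
     *                      rewrapped as {@code REQUEST_FAILED} with a generic message.
     */
    @Override
    public TokenRenewerResponse renewToken(TokenRenewerParameters tokenParameters) {
        TokenRenewerResponse response = new TokenRenewerResponse();
        ReceivedToken renewTarget = tokenParameters.getToken();

        // Only tokens the validation phase already classified as VALID or EXPIRED are accepted;
        // the incoming assertion's signature is not re-verified here.
        if (renewTarget == null || renewTarget.getToken() == null
            || !(renewTarget.getState() == ReceivedToken.STATE.EXPIRED
                 || renewTarget.getState() == ReceivedToken.STATE.VALID)) {
            LOG.log(Level.WARNING, "The token to renew is null or invalid");
            throw new STSException("The token to renew is null or invalid", STSException.INVALID_REQUEST);
        }

        TokenStore tokenStore = tokenParameters.getTokenStore();
        if (tokenStore == null) {
            LOG.log(Level.FINE, "A cache must be configured to use the SAMLTokenRenewer");
            throw new STSException(RENEW_FAILED, STSException.REQUEST_FAILED);
        }

        try {
            SamlAssertionWrapper assertion = new SamlAssertionWrapper((Element) renewTarget.getToken());

            // The cache entry written at issuance is keyed on a 32-bit hash of the signature bytes,
            // so only assertions this STS signed and still remembers can be renewed.
            // NOTE(review): a 32-bit key can collide in principle; the original keying is kept here.
            String cacheKey = Integer.toString(Arrays.hashCode(assertion.getSignatureValue()));
            SecurityToken cachedToken = tokenStore.getToken(cacheKey);
            if (cachedToken == null) {
                LOG.log(Level.FINE, "The token to be renewed must be stored in the cache");
                throw new STSException(RENEW_FAILED, STSException.REQUEST_FAILED);
            }

            validateAssertion(assertion, renewTarget, cachedToken, tokenParameters);

            // Wraps the same underlying SAML object, so the mutations below apply to the parsed assertion.
            SamlAssertionWrapper renewedAssertion = new SamlAssertionWrapper(assertion.getSamlObject());

            // Assign a fresh ID and evict both cache entries of the old assertion (by ID and by signature).
            String oldId = createNewId(renewedAssertion);
            tokenStore.remove(oldId);
            tokenStore.remove(cacheKey);

            createNewConditions(renewedAssertion, tokenParameters);
            signAssertion(renewedAssertion, tokenParameters);

            Document doc = DOMUtils.createDocument();
            Element assertionElement = renewedAssertion.toDOM(doc);
            // Register the ID attribute as an XML ID so that references to it can be resolved.
            if (renewedAssertion.getSaml1() != null) {
                assertionElement.setIdAttributeNS(null, "AssertionID", true);
            } else {
                assertionElement.setIdAttributeNS(null, "ID", true);
            }
            doc.appendChild(assertionElement);

            storeTokenInCache(tokenStore, renewedAssertion, tokenParameters.getPrincipal(), tokenParameters);

            response.setToken(assertionElement);
            response.setTokenId(renewedAssertion.getId());
            response.setCreated(getNotBeforeDate(renewedAssertion).toDate());
            response.setExpires(getExpiryDate(renewedAssertion).toDate());

            LOG.fine("SAML Token successfully renewed");
            return response;
        } catch (Exception e) {
            LOG.log(Level.WARNING, "", e);
            throw new STSException(RENEW_FAILED, e, STSException.REQUEST_FAILED);
        }
    }

    public void setConditionsProvider(ConditionsProvider conditionsProvider) {
        this.conditionsProvider = conditionsProvider;
    }

    public ConditionsProvider getConditionsProvider() {
        return conditionsProvider;
    }

    public boolean isSignToken() {
        return signToken;
    }

    public void setSignToken(boolean signToken) {
        this.signToken = signToken;
    }

    /** Replaces the realm configuration with a copy of {@code realms}. */
    public void setRealmMap(Map<String, ? extends RealmProperties> realms) {
        realmMap.clear();
        realmMap.putAll(realms);
    }

    /** @return a read-only view of the configured realms */
    public Map<String, RealmProperties> getRealmMap() {
        return Collections.unmodifiableMap(realmMap);
    }

    /**
     * Applies the renewal policy checks: the cached token must permit renewal (and, if expired,
     * post-expiry renewal within {@link #maxExpiry}), the requestor must prove possession of the
     * subject key when enabled, and the AppliesTo address must match the audience restriction.
     *
     * @throws STSException        when a policy check fails
     * @throws WSSecurityException when the subject key info cannot be parsed
     */
    private void validateAssertion(SamlAssertionWrapper assertion, ReceivedToken renewTarget,
                                   SecurityToken cachedToken, TokenRenewerParameters tokenParameters)
        throws WSSecurityException {
        Map<String, Object> props = cachedToken.getProperties();
        if (props == null) {
            LOG.log(Level.WARNING, "Error in getting properties from cached token");
            throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
        }

        // The renewal policy was recorded at issuance; the renewal request itself cannot override it.
        String renewingAllowed = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW);
        String renewAfterExpiryAllowed = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
        if (!Boolean.parseBoolean(renewingAllowed)) {
            LOG.log(Level.WARNING, "The token is not allowed to be renewed");
            throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
        }

        if (renewTarget.getState() == ReceivedToken.STATE.EXPIRED) {
            // Both this renewer's configuration and the issued token's own policy must allow it.
            if (!allowRenewalAfterExpiry || !Boolean.parseBoolean(renewAfterExpiryAllowed)) {
                LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
                throw new STSException("Renewal after expiry is not allowed", STSException.REQUEST_FAILED);
            }
            long millisSinceExpiry = new DateTime().getMillis() - getExpiryDate(assertion).getMillis();
            if (millisSinceExpiry > maxExpiry * 1000) {
                LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
                throw new STSException("The token expired too long ago to be renewed", STSException.REQUEST_FAILED);
            }
        }

        if (verifyProofOfPossession) {
            checkProofOfPossession(assertion, renewTarget, tokenParameters);
        }

        String appliesTo = tokenParameters.getAppliesToAddress();
        if (appliesTo != null && !matchesAudienceRestriction(appliesTo, assertion)) {
            LOG.log(Level.WARNING, AUDIENCE_MISMATCH);
            throw new STSException(AUDIENCE_MISMATCH, STSException.INVALID_REQUEST);
        }
    }

    /**
     * Parses the assertion's subject key info and checks it against the credentials that
     * secured the request.
     *
     * @throws STSException with {@code INVALID_REQUEST} if no matching credential is found
     */
    private void checkProofOfPossession(SamlAssertionWrapper assertion, ReceivedToken renewTarget,
                                        TokenRenewerParameters tokenParameters) throws WSSecurityException {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        Crypto sigCrypto = stsProperties.getSignatureCrypto();
        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();

        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(sigCrypto);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(callbackHandler);

        Document tokenDoc = ((Element) renewTarget.getToken()).getOwnerDocument();
        assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(tokenDoc)),
                               sigCrypto, callbackHandler);

        SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
        if (subjectKeyInfo == null) {
            // No key bound to the subject: hand the validator an empty key info rather than null.
            subjectKeyInfo = new SAMLKeyInfo((byte[]) null);
        }
        if (!new ProofOfPossessionValidator().checkProofOfPossession(tokenParameters, subjectKeyInfo)) {
            throw new STSException(
                "Failed to verify the proof of possession of the key associated with the saml token. "
                + "No matching key found in the request.",
                STSException.INVALID_REQUEST);
        }
    }

    /** @return true if {@code appliesTo} is listed in the assertion's audience restriction(s). */
    private boolean matchesAudienceRestriction(String appliesTo, SamlAssertionWrapper assertion) {
        if (assertion.getSaml1() != null) {
            return matchSaml1AudienceRestriction(
                appliesTo, assertion.getSaml1().getConditions().getAudienceRestrictionConditions());
        }
        return matchSaml2AudienceRestriction(
            appliesTo, assertion.getSaml2().getConditions().getAudienceRestrictions());
    }

    /** @return true if any SAML 1.1 audience URI equals {@code appliesTo} */
    private boolean matchSaml1AudienceRestriction(String appliesTo, List<AudienceRestrictionCondition> conditions) {
        if (conditions == null || conditions.isEmpty()) {
            return false;
        }
        for (AudienceRestrictionCondition condition : conditions) {
            List<Audience> audiences = condition.getAudiences();
            if (audiences == null) {
                continue;
            }
            for (Audience audience : audiences) {
                if (appliesTo.equals(audience.getUri())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** @return true if any SAML 2.0 audience URI equals {@code appliesTo} */
    private boolean matchSaml2AudienceRestriction(String appliesTo, List<AudienceRestriction> restrictions) {
        if (restrictions == null || restrictions.isEmpty()) {
            return false;
        }
        for (AudienceRestriction restriction : restrictions) {
            List<org.opensaml.saml.saml2.core.Audience> audiences = restriction.getAudiences();
            if (audiences == null) {
                continue;
            }
            for (org.opensaml.saml.saml2.core.Audience audience : audiences) {
                if (appliesTo.equals(audience.getAudienceURI())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Signs the renewed assertion with the realm's (or the STS's default) signing credentials,
     * or strips the stale signature when {@link #signToken} is false.
     *
     * <p>Both version branches are null-guarded: the previous code dereferenced
     * {@code getSaml1()} first and threw a NullPointerException for an unsigned renewal of
     * a SAML 2.0 assertion (and for an unsigned SAML 1.1 assertion via {@code getSaml2()}).
     */
    private void signAssertion(SamlAssertionWrapper assertion, TokenRenewerParameters tokenParameters)
        throws Exception {
        if (!signToken) {
            Assertion saml1 = assertion.getSaml1();
            org.opensaml.saml.saml2.core.Assertion saml2 = assertion.getSaml2();
            if (saml1 != null) {
                if (saml1.getSignature() != null) {
                    saml1.setSignature(null);
                }
            } else if (saml2 != null && saml2.getSignature() != null) {
                saml2.setSignature(null);
            }
            return;
        }

        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        String realm = tokenParameters.getRealm();
        // Fall back to the STS-wide signing properties when no realm-specific ones are configured.
        RealmProperties realmProperties = realm == null ? null : realmMap.get(realm);
        signToken(assertion, realmProperties, stsProperties, tokenParameters.getKeyRequirements());
    }

    /** Replaces the assertion's conditions and issue instant with fresh values from the conditions provider. */
    private void createNewConditions(SamlAssertionWrapper assertion, TokenRenewerParameters tokenParameters) {
        ConditionsBean conditions = conditionsProvider.getConditions(convertToProviderParameters(tokenParameters));
        if (assertion.getSaml1() != null) {
            Assertion saml1 = assertion.getSaml1();
            saml1.setIssueInstant(new DateTime());
            saml1.setConditions(SAML1ComponentBuilder.createSamlv1Conditions(conditions));
        } else {
            org.opensaml.saml.saml2.core.Assertion saml2 = assertion.getSaml2();
            saml2.setIssueInstant(new DateTime());
            saml2.setConditions(SAML2ComponentBuilder.createConditions(conditions));
        }
    }

    /**
     * Maps renewal parameters onto provider parameters so the conditions provider can be reused.
     * The received token is exposed under the {@link ReceivedToken} class name in the additional
     * properties; note that an existing additional-properties map is mutated in place.
     */
    private TokenProviderParameters convertToProviderParameters(TokenRenewerParameters tokenParameters) {
        TokenProviderParameters providerParameters = new TokenProviderParameters();
        providerParameters.setAppliesToAddress(tokenParameters.getAppliesToAddress());
        providerParameters.setEncryptionProperties(tokenParameters.getEncryptionProperties());
        providerParameters.setKeyRequirements(tokenParameters.getKeyRequirements());
        providerParameters.setPrincipal(tokenParameters.getPrincipal());
        providerParameters.setRealm(tokenParameters.getRealm());
        providerParameters.setStsProperties(tokenParameters.getStsProperties());
        providerParameters.setTokenRequirements(tokenParameters.getTokenRequirements());
        providerParameters.setTokenStore(tokenParameters.getTokenStore());
        providerParameters.setMessageContext(tokenParameters.getMessageContext());

        Map<String, Object> additionalProperties = tokenParameters.getAdditionalProperties();
        if (additionalProperties == null) {
            additionalProperties = new HashMap<>(1);
        }
        additionalProperties.put(ReceivedToken.class.getName(), tokenParameters.getToken());
        providerParameters.setAdditionalProperties(additionalProperties);
        return providerParameters;
    }

    /**
     * Assigns a newly generated ID to the assertion.
     *
     * @return the previous ID, so the caller can evict it from the cache
     */
    private String createNewId(SamlAssertionWrapper assertion) {
        if (assertion.getSaml1() != null) {
            Assertion saml1 = assertion.getSaml1();
            String oldId = saml1.getID();
            saml1.setID(IDGenerator.generateID("_"));
            return oldId;
        }
        org.opensaml.saml.saml2.core.Assertion saml2 = assertion.getSaml2();
        String oldId = saml2.getID();
        saml2.setID(IDGenerator.generateID("_"));
        return oldId;
    }

    /**
     * Caches the renewed assertion keyed on its signature bytes. Unsigned assertions are not
     * cached, so an unsigned renewal (see {@link #setSignToken}) cannot itself be renewed later.
     */
    private void storeTokenInCache(TokenStore tokenStore, SamlAssertionWrapper assertion, Principal principal,
                                   TokenRenewerParameters tokenParameters) throws WSSecurityException {
        byte[] signatureValue = assertion.getSignatureValue();
        if (tokenStore == null || signatureValue == null || signatureValue.length == 0) {
            return;
        }
        SecurityToken securityToken = CacheUtils.createSecurityTokenForStorage(
            assertion.getElement(),
            assertion.getId(),
            getExpiryDate(assertion).toDate(),
            tokenParameters.getPrincipal(),
            tokenParameters.getRealm(),
            tokenParameters.getTokenRequirements().getRenewing());
        CacheUtils.storeTokenInCache(securityToken, tokenParameters.getTokenStore(), signatureValue);
    }

    /** @return the assertion's NotOnOrAfter instant, for either SAML version */
    private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            return assertion.getSaml2().getConditions().getNotOnOrAfter();
        }
        return assertion.getSaml1().getConditions().getNotOnOrAfter();
    }

    /** @return the assertion's NotBefore instant, for either SAML version */
    private DateTime getNotBeforeDate(SamlAssertionWrapper assertion) {
        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            return assertion.getSaml2().getConditions().getNotBefore();
        }
        return assertion.getSaml1().getConditions().getNotBefore();
    }
}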
