package org.apache.cxf.sts.token.validator;

import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import org.apache.cxf.common.jaxb.JAXBContextCache;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.sts.QNameConstants;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.realm.UsernameTokenRealmCodec;
import org.apache.cxf.ws.security.sts.provider.model.ObjectFactory;
import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-377-03.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630377-03.jar:org/apache/cxf/sts/token/validator/UsernameTokenValidator.class */
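/**
 * Validates a WS-Security UsernameToken received by the STS.
 *
 * <p>The JAXB token is marshalled back to DOM, parsed by WSS4J, and then either
 * matched against a previously validated entry in the token store or passed to
 * the configured WSS4J {@link Validator} for a password check. The response is
 * created in the INVALID state and only switched to VALID once every check has
 * passed, so callers must inspect the token state rather than the presence of a
 * principal.
 *
 * <p>Not thread-safe with respect to the setters; configure before use.
 */
public class UsernameTokenValidator implements TokenValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(UsernameTokenValidator.class);

    /** Password type URI that marks a digested (hashed) password; anything else is treated as plain text. */
    private static final String PASSWORD_DIGEST_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    // Optional: derives the realm a token belongs to. Null disables realm handling.
    private UsernameTokenRealmCodec usernameTokenRealmCodec;
    // Performs the actual password check; defaults to the standard WSS4J validator.
    private Validator validator = new org.apache.wss4j.dom.validate.UsernameTokenValidator();
    // Extracts roles from the Subject the validator populated; null disables role parsing.
    private SubjectRoleParser roleParser = new DefaultSubjectRoleParser();

    /**
     * Replaces the WSS4J validator used for the password check.
     *
     * @param validator the validator to use
     */
    public void setValidator(Validator validator) {
        this.validator = validator;
    }

    /**
     * Sets the codec used to derive the token realm; null disables realm handling.
     *
     * @param usernameTokenRealmCodec the codec, or null
     */
    public void setUsernameTokenRealmCodec(UsernameTokenRealmCodec usernameTokenRealmCodec) {
        this.usernameTokenRealmCodec = usernameTokenRealmCodec;
    }

    /**
     * Returns whether this validator can handle the received token (realm-independent).
     *
     * @param receivedToken the token under consideration
     * @return true if the token is a JAXB {@link UsernameTokenType}
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken) {
        return canHandleToken(receivedToken, null);
    }

    /**
     * Returns whether this validator can handle the received token.
     *
     * @param receivedToken the token under consideration
     * @param realm ignored; UsernameTokens are accepted for any realm
     * @return true if the token is a JAXB {@link UsernameTokenType}
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken, String realm) {
        return receivedToken.getToken() instanceof UsernameTokenType;
    }

    /**
     * Validates the UsernameToken carried in the parameters.
     *
     * <p>The returned response always references the received token. Its state is
     * INVALID unless validation fully succeeds; the parsed username is exposed as a
     * principal even on failure, so the state is the only success indicator.
     *
     * @param tokenParameters STS properties, message context, token store and the token
     * @return a response whose token state is VALID only after a successful check
     */
    @Override
    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
        LOG.fine("Validating UsernameToken");
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        Crypto sigCrypto = stsProperties.getSignatureCrypto();
        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();

        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(sigCrypto);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(callbackHandler);
        requestData.setMsgContext(tokenParameters.getMessageContext());

        TokenValidatorResponse response = new TokenValidatorResponse();
        ReceivedToken validateTarget = tokenParameters.getToken();
        // Fail closed: INVALID until every check below has passed.
        validateTarget.setState(ReceivedToken.STATE.INVALID);
        response.setToken(validateTarget);

        if (!validateTarget.isUsernameToken()) {
            return response;
        }

        Element usernameTokenElement = marshalToElement((UsernameTokenType) validateTarget.getToken());
        if (usernameTokenElement == null) {
            return response;
        }

        // Every step from DOM parsing through principal creation may throw WSSecurityException
        // or Base64DecodingException; any of them leaves the token INVALID.
        try {
            UsernameToken ut = new UsernameToken(
                usernameTokenElement, requestData.isAllowNamespaceQualifiedPasswordTypes(), new BSPEnforcer());
            // The parsed name is exposed regardless of the validation outcome.
            response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
            if (ut.getPassword() == null) {
                return response;
            }

            // A cached, unexpired entry with a matching hash skips the password check, so the
            // cache entry lifetime bounds how long a once-validated token is accepted unchecked.
            SecurityToken cachedToken = lookupCachedToken(tokenParameters, ut);

            Principal principal = null;
            if (cachedToken == null) {
                Credential credential = new Credential();
                credential.setUsernametoken(ut);
                Credential validated = this.validator.validate(credential, requestData);
                principal = validated.getPrincipal();
                if (validated.getSubject() != null && this.roleParser != null) {
                    response.setRoles(this.roleParser.parseRolesFromSubject(principal, validated.getSubject()));
                }
            }
            if (principal == null) {
                principal = createPrincipal(
                    ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
            }

            String tokenRealm = null;
            if (this.usernameTokenRealmCodec != null) {
                tokenRealm = this.usernameTokenRealmCodec.getRealmFromToken(ut);
                // A cached token must belong to the same realm as the one now requested;
                // null-safe so a missing realm fails closed instead of throwing.
                if (cachedToken != null) {
                    Map<String, Object> props = cachedToken.getProperties();
                    if (props != null && !Objects.equals(tokenRealm, props.get(STSConstants.TOKEN_REALM))) {
                        return response;
                    }
                }
            }

            if (tokenParameters.getTokenStore() != null && cachedToken == null) {
                cacheToken(tokenParameters, ut);
            }

            response.setPrincipal(principal);
            response.setTokenRealm(tokenRealm);
            validateTarget.setState(ReceivedToken.STATE.VALID);
            LOG.fine("Username Token successfully validated");
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
        } catch (Base64DecodingException ex) {
            LOG.log(Level.WARNING, "", ex);
        }
        return response;
    }

    /**
     * Marshals the JAXB token into a DOM element so WSS4J can parse it.
     *
     * @param usernameTokenType the received JAXB token
     * @return the marshalled element, or null if marshalling failed (logged at WARNING)
     */
    private Element marshalToElement(UsernameTokenType usernameTokenType) {
        try {
            Set<Class<?>> classes = new HashSet<Class<?>>();
            classes.add(ObjectFactory.class);
            classes.add(org.apache.cxf.ws.security.sts.provider.model.wstrust14.ObjectFactory.class);
            Marshaller marshaller =
                JAXBContextCache.getCachedContextAndSchemas(classes, null, null, null, false)
                    .getContext().createMarshaller();
            Element rootElement = DOMUtils.createDocument().createElement("root-element");
            JAXBElement<UsernameTokenType> tokenType = new JAXBElement<UsernameTokenType>(
                QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
            marshaller.marshal(tokenType, rootElement);
            return (Element) rootElement.getFirstChild();
        } catch (JAXBException ex) {
            LOG.log(Level.WARNING, "", ex);
            return null;
        }
    }

    /**
     * Looks up a previously validated copy of the token in the token store.
     *
     * @param tokenParameters supplies the (possibly null) token store
     * @param ut the parsed token
     * @return the cached entry, or null if there is no store, no entry, the stored hash
     *         differs from the token's hash, or the entry has expired
     */
    private SecurityToken lookupCachedToken(TokenValidatorParameters tokenParameters, UsernameToken ut) {
        if (tokenParameters.getTokenStore() == null) {
            return null;
        }
        int hash = ut.hashCode();
        SecurityToken cached = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
        if (cached != null && (cached.getTokenHash() != hash || cached.isExpired())) {
            return null;
        }
        return cached;
    }

    /**
     * Stores the successfully validated token in the token store, keyed by its hash.
     *
     * @param tokenParameters supplies the token store (must be non-null here)
     * @param ut the validated token
     */
    private void cacheToken(TokenValidatorParameters tokenParameters, UsernameToken ut) {
        SecurityToken secToken = new SecurityToken(ut.getID());
        secToken.setToken(ut.getElement());
        int hash = ut.hashCode();
        secToken.setTokenHash(hash);
        tokenParameters.getTokenStore().add(Integer.toString(hash), secToken);
    }

    /**
     * Builds a WSS4J principal from the token fields when the validator supplied none.
     *
     * @param username the token username
     * @param password the token password (plain text or digest, per passwordType)
     * @param passwordType the password type URI; digest when it equals {@link #PASSWORD_DIGEST_TYPE}
     * @param nonce the base64-encoded nonce
     * @param createdTime the token creation timestamp as carried in the token
     * @return the populated principal
     * @throws Base64DecodingException if the nonce is not valid base64
     */
    private Principal createPrincipal(String username, String password, String passwordType,
                                      String nonce, String createdTime) throws Base64DecodingException {
        boolean digest = PASSWORD_DIGEST_TYPE.equals(passwordType);
        WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(username, digest);
        principal.setNonce(Base64.decode(nonce));
        principal.setPassword(password);
        principal.setCreatedTime(createdTime);
        principal.setPasswordType(passwordType);
        return principal;
    }

    /**
     * Returns the parser used to extract roles from the validated Subject.
     *
     * @return the role parser, or null if role parsing is disabled
     */
    public SubjectRoleParser getRoleParser() {
        return this.roleParser;
    }

    /**
     * Sets the parser used to extract roles from the validated Subject; null disables it.
     *
     * @param subjectRoleParser the parser, or null
     */
    public void setRoleParser(SubjectRoleParser subjectRoleParser) {
        this.roleParser = subjectRoleParser;
    }
}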
