package org.apache.wss4j.policy.stax.assertionStates;

import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.neethi.Assertion;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.policy.AssertionState;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.stax.Assertable;
import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.utils.WSSUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-415.zip:modules/system/layers/fuse/org/apache/ws/security/2.1/wss4j-ws-security-policy-stax-2.1.7.jar:org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.class */
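/**
 * Enforces the {@code sp:ProtectTokens} property of a symmetric/asymmetric binding together
 * with the token-to-signature relationships that accompany it.
 * <p>
 * Signed-element and token events are only collected while the security header is processed.
 * The verification itself runs when any other registered event arrives; per
 * {@link #getSecurityEventType()} the only such event is {@code OPERATION}. For every token
 * collected so far, in arrival order, the following is checked (see {@link #assertEvent}):
 * <ul>
 *   <li>a token that is included in the message and carries a signature usage must be covered
 *       by its own signature when {@code ProtectTokens} is set, and must NOT be covered by it
 *       when {@code ProtectTokens} is unset;</li>
 *   <li>an endorsing token must sign the main {@code ds:Signature} element;</li>
 *   <li>the main-signature token must sign every Signed*SupportingToken.</li>
 * </ul>
 * The first violation fails the assertion, records an error message, unasserts the
 * {@code ProtectTokens} policy and stops the scan (fail-closed). When no event violates the
 * policy it is (re-)asserted on every incoming event.
 * <p>
 * NOTE(review): token usages are classified by substring match on the usage name
 * ("Endorsing", "Signed") and every token is cast to {@link InboundSecurityToken} without an
 * {@code instanceof} check. Both are kept from the original implementation; the cast makes a
 * non-inbound token fail with a ClassCastException rather than being silently skipped.
 */
public class TokenProtectionAssertionState extends AssertionState implements Assertable {

    /** Signed-element events seen so far; only events whose element was actually signed are kept. */
    private final List<SignedElementSecurityEvent> signedElementEvents = new ArrayList<>();
    /** Every token event seen so far, in arrival order. */
    private final List<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents = new ArrayList<>();
    /** Never null: a {@link DummyPolicyAsserter} is substituted when the caller passes none. */
    private PolicyAsserter policyAsserter;

    /**
     * @param assertion             the binding assertion; {@link #assertEvent} casts it to
     *                              {@link AbstractSymmetricAsymmetricBinding} and reads
     *                              {@code isProtectTokens()}
     * @param policyAsserter        receives assert/unassert callbacks; may be {@code null}
     * @param initialAssertionState initial asserted state handed to {@link AssertionState}; when
     *                              {@code true} the ProtectTokens policy is asserted immediately
     */
    public TokenProtectionAssertionState(Assertion assertion, PolicyAsserter policyAsserter,
                                         boolean initialAssertionState) {
        super(assertion, initialAssertionState);
        this.policyAsserter = policyAsserter == null ? new DummyPolicyAsserter() : policyAsserter;
        if (initialAssertionState) {
            // Use the field, not the raw parameter: the original dereferenced the parameter
            // here and threw a NullPointerException for a null asserter with an initial state
            // of true, despite having just substituted the dummy asserter above.
            this.policyAsserter.assertPolicy(protectTokensName());
        }
    }

    /** The QName of the ProtectTokens policy in the namespace of the wrapped assertion. */
    private QName protectTokensName() {
        return new QName(getAssertion().getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS);
    }

    /**
     * Events this state wants to see: signed elements, every token type, and the operation
     * event that triggers the actual verification.
     */
    @Override // org.apache.wss4j.policy.stax.Assertable
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
            SecurityEventConstants.SignedElement,
            WSSecurityEventConstants.EncryptedKeyToken,
            WSSecurityEventConstants.ISSUED_TOKEN,
            WSSecurityEventConstants.KERBEROS_TOKEN,
            SecurityEventConstants.KeyValueToken,
            WSSecurityEventConstants.REL_TOKEN,
            WSSecurityEventConstants.SAML_TOKEN,
            WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN,
            WSSecurityEventConstants.USERNAME_TOKEN,
            SecurityEventConstants.X509Token,
            WSSecurityEventConstants.OPERATION
        };
    }

    /**
     * Collects signed-element and token events; on any other event verifies every collected
     * token against the ProtectTokens rules described on the class.
     *
     * @return {@code false} on the first violation (assertion state, error message and the
     *         asserter are updated), {@code true} otherwise
     * @throws XMLSecurityException propagated from token resolution in the helpers
     */
    @Override // org.apache.wss4j.policy.stax.Assertable
    public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
        // Evaluated on every event, as in the original: a non-binding assertion fails fast
        // with a ClassCastException instead of only at verification time.
        boolean protectTokens = ((AbstractSymmetricAsymmetricBinding) getAssertion()).isProtectTokens();
        QName protectTokensName = protectTokensName();

        if (securityEvent instanceof SignedElementSecurityEvent) {
            SignedElementSecurityEvent signedEvent = (SignedElementSecurityEvent) securityEvent;
            // Unsigned "signed element" events carry no coverage information; drop them.
            if (signedEvent.isSigned()) {
                signedElementEvents.add(signedEvent);
            }
        } else if (securityEvent instanceof TokenSecurityEvent) {
            tokenSecurityEvents.add((TokenSecurityEvent<? extends SecurityToken>) securityEvent);
        } else if (!verifyCollectedTokens(protectTokens, protectTokensName)) {
            return false;
        }
        policyAsserter.assertPolicy(protectTokensName);
        return true;
    }

    /**
     * Runs the protection checks over every token collected so far, stopping at the first
     * violation.
     *
     * @return {@code true} when every token passes, {@code false} after recording a failure
     */
    private boolean verifyCollectedTokens(boolean protectTokens, QName protectTokensName)
            throws XMLSecurityException {
        for (TokenSecurityEvent<? extends SecurityToken> tokenEvent : tokenSecurityEvents) {
            SecurityToken token = getEffectiveSignatureToken(tokenEvent.getSecurityToken());
            // Same unchecked cast as the original; inbound processing is assumed here.
            InboundSecurityToken inboundToken = (InboundSecurityToken) token;

            if (inboundToken.isIncludedInMessage() && isSignatureToken(token)) {
                boolean coveredByOwnSignature = signsItsSignatureToken(token);
                if (protectTokens && !coveredByOwnSignature) {
                    return fail("Token " + WSSUtils.pathAsString(inboundToken.getElementPath())
                        + " must be signed by its signature.", protectTokensName);
                }
                // Strict in both directions: an unrequested self-signed token is a violation too.
                if (!protectTokens && coveredByOwnSignature) {
                    return fail("Token " + WSSUtils.pathAsString(inboundToken.getElementPath())
                        + " must not be signed by its signature.", protectTokensName);
                }
            }
            if (isEndorsingToken(token) && !signsMainSignature(token)) {
                return fail("Token " + WSSUtils.pathAsString(inboundToken.getElementPath())
                    + " must sign the main signature.", protectTokensName);
            }
            if (isMainSignatureToken(token) && !signsSignedSupportingTokens(token)) {
                return fail("Main signature must sign the Signed*Supporting-Tokens.", protectTokensName);
            }
        }
        return true;
    }

    /**
     * Records a violation: clears the asserted flag, stores the message and unasserts the
     * ProtectTokens policy with it. Always returns {@code false} so callers can
     * {@code return fail(...)}.
     */
    private boolean fail(String message, QName protectTokensName) {
        setAsserted(false);
        setErrorMessage(message);
        policyAsserter.unassertPolicy(protectTokensName, getErrorMessage());
        return false;
    }

    /**
     * True when the token itself (not its root) carries a signature usage: the plain Signature
     * usage, the main-signature usage, or any usage whose name contains "Endorsing".
     */
    private boolean isSignatureToken(SecurityToken securityToken) {
        for (SecurityTokenConstants.TokenUsage usage : securityToken.getTokenUsages()) {
            if (WSSecurityTokenConstants.TokenUsage_Signature.equals(usage)
                || WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE.equals(usage)
                || usage.getName().contains("Endorsing")) {
                return true;
            }
        }
        return false;
    }

    /** True when the token's root token has a usage whose name contains "Endorsing". */
    private boolean isEndorsingToken(SecurityToken securityToken) throws XMLSecurityException {
        return rootTokenHasUsageContaining(securityToken, "Endorsing");
    }

    /** True when the token's root token has a usage whose name contains "Signed". */
    private boolean isSignedSupportingToken(SecurityToken securityToken) throws XMLSecurityException {
        return rootTokenHasUsageContaining(securityToken, "Signed");
    }

    /** True when the token's root token carries the main-signature usage. */
    private boolean isMainSignatureToken(SecurityToken securityToken) throws XMLSecurityException {
        return WSSUtils.getRootToken(securityToken).getTokenUsages()
            .contains(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    }

    /**
     * Substring match over the usage names of the token's root token. Any usage name that
     * merely contains {@code fragment} counts, which is how the original classified tokens.
     */
    private static boolean rootTokenHasUsageContaining(SecurityToken securityToken, String fragment)
            throws XMLSecurityException {
        for (SecurityTokenConstants.TokenUsage usage : WSSUtils.getRootToken(securityToken).getTokenUsages()) {
            if (usage.getName().contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when some collected signed element is a {@code ds:Signature} under the security
     * header (any sibling position) and the token attributed to that signing matches
     * {@code securityToken} by id.
     */
    private boolean signsMainSignature(SecurityToken securityToken) throws XMLSecurityException {
        List<QName> signaturePath = new ArrayList<>(WSSConstants.WSSE_SECURITY_HEADER_PATH);
        signaturePath.add(WSSConstants.TAG_dsig_Signature);
        for (SignedElementSecurityEvent signedEvent : signedElementEvents) {
            if (!WSSUtils.pathMatches(signedEvent.getElementPath(), signaturePath, true, false)) {
                continue;
            }
            SecurityToken signingToken = getEffectiveSignatureToken(signedEvent.getSecurityToken());
            if (signingToken != null && signingToken.getId().equals(securityToken.getId())) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when {@code securityToken} signed an element at its own element path and that
     * signed element is the very XML event of a collected token resolving to the same id
     * (identity comparison on the parsed event, not {@code equals}). The caller has already
     * cast the token to {@link InboundSecurityToken}; the cast is repeated here for the path.
     */
    private boolean signsItsSignatureToken(SecurityToken securityToken) throws XMLSecurityException {
        List<QName> tokenPath = ((InboundSecurityToken) securityToken).getElementPath();
        for (SignedElementSecurityEvent signedEvent : signedElementEvents) {
            if (!WSSUtils.pathMatches(signedEvent.getElementPath(), tokenPath, false, false)) {
                continue;
            }
            if (!getEffectiveSignatureToken(signedEvent.getSecurityToken()).getId().equals(securityToken.getId())) {
                continue;
            }
            for (TokenSecurityEvent<? extends SecurityToken> tokenEvent : tokenSecurityEvents) {
                SecurityToken candidate = getEffectiveSignatureToken(tokenEvent.getSecurityToken());
                if (signedEvent.getXmlSecEvent() == ((InboundSecurityToken) candidate).getXMLSecEvent()
                    && candidate.getId().equals(securityToken.getId())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * True when every distinct Signed*SupportingToken collected so far has at least one signed
     * element at its element path whose signing token matches {@code securityToken} by id.
     * Returns {@code false} as soon as one supporting token has no such element; afterwards
     * requires at least as many distinct covering signed elements as supporting tokens.
     */
    private boolean signsSignedSupportingTokens(SecurityToken securityToken) throws XMLSecurityException {
        List<SecurityToken> supportingTokens = new ArrayList<>();
        List<SignedElementSecurityEvent> coveringEvents = new ArrayList<>();
        for (TokenSecurityEvent<? extends SecurityToken> tokenEvent : tokenSecurityEvents) {
            SecurityToken supportingToken = tokenEvent.getSecurityToken();
            if (!isSignedSupportingToken(supportingToken) || supportingTokens.contains(supportingToken)) {
                continue;
            }
            supportingTokens.add(supportingToken);
            List<QName> tokenPath = ((InboundSecurityToken) supportingToken).getElementPath();
            boolean covered = false;
            for (SignedElementSecurityEvent signedEvent : signedElementEvents) {
                if (!WSSUtils.pathMatches(signedEvent.getElementPath(), tokenPath, false, false)) {
                    continue;
                }
                SecurityToken signingToken = getEffectiveSignatureToken(signedEvent.getSecurityToken());
                if (signingToken != null && signingToken.getId().equals(securityToken.getId())) {
                    if (!coveringEvents.contains(signedEvent)) {
                        coveringEvents.add(signedEvent);
                    }
                    covered = true;
                }
            }
            if (!covered) {
                return false;
            }
        }
        return supportingTokens.size() <= coveringEvents.size();
    }

    /**
     * Resolves the token whose id signatures are attributed to. Starting from the root token,
     * scans the root's wrapped tokens in order: each wrapped token with a signature usage
     * becomes the new candidate, except that a DerivedKeyToken with a signature usage stops
     * the scan and the current candidate (the token it was derived from) is returned. Never
     * returns {@code null}.
     */
    private SecurityToken getEffectiveSignatureToken(SecurityToken securityToken) throws XMLSecurityException {
        SecurityToken candidate = WSSUtils.getRootToken(securityToken);
        for (SecurityToken wrapped : candidate.getWrappedTokens()) {
            if (!isSignatureToken(wrapped)) {
                continue;
            }
            if (WSSecurityTokenConstants.DerivedKeyToken.equals(wrapped.getTokenType())) {
                return candidate;
            }
            candidate = wrapped;
        }
        return candidate;
    }
}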
