package org.apache.cxf.ws.security.wss4j;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-416-02.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630416-02.jar:org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageChecker.class */
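/**
 * Checks that the parts of an inbound SOAP message this interceptor is configured to require
 * were actually signed and/or encrypted by the streaming (StAX) WS-Security layer.
 *
 * <p>The StAX layer records a {@link SecurityEvent} for every part it processed and stores the
 * list on the message under {@code SecurityEvent.class.getName() + ".in"}. This interceptor
 * collects the signed/encrypted part and element events from that list and raises a
 * {@link SoapFault} when a required part is absent. Parts are identified by their exact element
 * path from the Envelope (see {@link #isBody(List)} and the other path predicates): the depth and
 * every ancestor are compared, so a required element that was signed but appears at another
 * location in the document is not accepted.
 *
 * <p>Defaults: the Body, the Timestamp (when one was processed) and the WS-Addressing
 * ReplyTo/FaultTo headers (when present in the inbound addressing properties) must be signed, and
 * a UsernameToken (when one was processed) must be encrypted. Body encryption and UsernameToken
 * signing are off by default.
 */
public class StaxCryptoCoverageChecker extends AbstractPhaseInterceptor<SoapMessage> {
    public static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    public static final String SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope";
    public static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public static final String WSA_NS = "http://www.w3.org/2005/08/addressing";

    /** Message attribute under which the StAX inbound layer stores its list of security events. */
    private static final String INBOUND_EVENTS_KEY = SecurityEvent.class.getName() + ".in";
    /** Message attribute holding the inbound WS-Addressing properties, when addressing is in use. */
    private static final String INBOUND_ADDRESSING_KEY = "javax.xml.ws.addressing.context.inbound";

    /** The secured elements whose coverage this interceptor can require. */
    private enum Part {
        BODY, TIMESTAMP, USERNAME_TOKEN
    }

    private boolean signBody;
    private boolean signTimestamp;
    private boolean encryptBody;
    private boolean signAddressingHeaders;
    private boolean signUsernameToken;
    private boolean encryptUsernameToken;

    /**
     * Creates a checker in the {@link Phase#PRE_PROTOCOL} phase with the default requirements:
     * signed Body, signed Timestamp, signed addressing headers and encrypted UsernameToken.
     */
    public StaxCryptoCoverageChecker() {
        super(Phase.PRE_PROTOCOL);
        // The Body/Timestamp/Addressing setters are final so a subclass cannot intercept these
        // constructor calls; setEncryptUsernameToken is left overridable for compatibility.
        setSignBody(true);
        setSignTimestamp(true);
        setSignAddressingHeaders(true);
        setEncryptUsernameToken(true);
    }

    /**
     * Collects the signed/encrypted events recorded by the StAX WS-Security layer and verifies
     * the configured coverage requirements against them, in the order Body (signed), Body
     * (encrypted), Timestamp, Addressing headers, UsernameToken (signed, then encrypted).
     *
     * @param soapMessage the inbound message; its security events and inbound addressing
     *     properties are read from the message attributes
     * @throws Fault a {@link SoapFault} built by {@link #createSoapFault} when a required part is
     *     not signed/encrypted as configured
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        @SuppressWarnings("unchecked")
        List<SecurityEvent> incomingEvents = (List<SecurityEvent>) soapMessage.get(INBOUND_EVENTS_KEY);

        List<SecurityEvent> results = new ArrayList<SecurityEvent>();
        if (incomingEvents != null) {
            results.addAll(getEventFromResults(WSSecurityEventConstants.SIGNED_PART, incomingEvents));
            results.addAll(getEventFromResults(WSSecurityEventConstants.SignedElement, incomingEvents));
            // Encrypted events are only collected when some encryption requirement is enabled.
            if (encryptBody || encryptUsernameToken) {
                results.addAll(getEventFromResults(WSSecurityEventConstants.ENCRYPTED_PART, incomingEvents));
                results.addAll(getEventFromResults(WSSecurityEventConstants.EncryptedElement, incomingEvents));
            }
        }

        try {
            checkSignedBody(results);
            checkEncryptedBody(results);

            // Timestamp and UsernameToken requirements apply only when such an element was
            // actually processed. getEventFromResults tolerates a null incoming list here, so a
            // message without any security events skips these checks instead of failing with an
            // NPE (the Body requirements above still apply to it).
            if (signTimestamp
                && !getEventFromResults(WSSecurityEventConstants.TIMESTAMP, incomingEvents).isEmpty()) {
                checkSignedTimestamp(results);
            }
            if (signAddressingHeaders) {
                checkSignedAddressing(results, (AddressingProperties) soapMessage.get(INBOUND_ADDRESSING_KEY));
            }
            if ((signUsernameToken || encryptUsernameToken)
                && !getEventFromResults(WSSecurityEventConstants.USERNAME_TOKEN, incomingEvents).isEmpty()) {
                if (signUsernameToken) {
                    checkSignedUsernameToken(results);
                }
                if (encryptUsernameToken) {
                    checkEncryptedUsernameToken(results);
                }
            }
        } catch (WSSecurityException e) {
            throw createSoapFault(soapMessage.getVersion(), e);
        }
    }

    /**
     * Returns the events in {@code incomingEvents} whose type is exactly {@code event}.
     *
     * @param event the event type to select
     * @param incomingEvents the events recorded by the security layer, or {@code null} when no
     *     security processing took place
     * @return the matching events; empty (never {@code null}) when there are none or when
     *     {@code incomingEvents} is {@code null}
     */
    private List<SecurityEvent> getEventFromResults(SecurityEventConstants.Event event,
                                                    List<SecurityEvent> incomingEvents) {
        List<SecurityEvent> matching = new ArrayList<SecurityEvent>();
        if (incomingEvents == null) {
            return matching;
        }
        for (SecurityEvent incoming : incomingEvents) {
            if (event == incoming.getSecurityEventType()) {
                matching.add(incoming);
            }
        }
        return matching;
    }

    /** Fails unless the Body was signed (only when {@link #isSignBody()} is set). */
    private void checkSignedBody(List<SecurityEvent> results) throws WSSecurityException {
        if (signBody && !isCovered(results, Part.BODY, false)) {
            throw coverageFailure("The SOAP Body is not signed");
        }
    }

    /** Fails unless the Body was encrypted (only when {@link #isEncryptBody()} is set). */
    private void checkEncryptedBody(List<SecurityEvent> results) throws WSSecurityException {
        if (encryptBody && !isCovered(results, Part.BODY, true)) {
            throw coverageFailure("The SOAP Body is not encrypted");
        }
    }

    /** Fails unless the Timestamp was signed (only when {@link #isSignTimestamp()} is set). */
    private void checkSignedTimestamp(List<SecurityEvent> results) throws WSSecurityException {
        if (signTimestamp && !isCovered(results, Part.TIMESTAMP, false)) {
            throw coverageFailure("The Timestamp is not signed");
        }
    }

    /** Fails unless the UsernameToken was signed (only when {@link #isSignUsernameToken()} is set). */
    private void checkSignedUsernameToken(List<SecurityEvent> results) throws WSSecurityException {
        if (signUsernameToken && !isCovered(results, Part.USERNAME_TOKEN, false)) {
            throw coverageFailure("The UsernameToken is not signed");
        }
    }

    /** Fails unless the UsernameToken was encrypted (only when {@link #isEncryptUsernameToken()} is set). */
    private void checkEncryptedUsernameToken(List<SecurityEvent> results) throws WSSecurityException {
        if (encryptUsernameToken && !isCovered(results, Part.USERNAME_TOKEN, true)) {
            throw coverageFailure("The UsernameToken is not encrypted");
        }
    }

    /**
     * Fails unless every WS-Addressing ReplyTo/FaultTo header present in {@code addressing} was
     * signed. Nothing is checked when addressing headers are not required, when no inbound
     * addressing properties exist, or when neither ReplyTo nor FaultTo is present.
     *
     * @param results the collected signed/encrypted events
     * @param addressing the inbound addressing properties, possibly {@code null}
     */
    private void checkSignedAddressing(List<SecurityEvent> results, AddressingProperties addressing)
        throws WSSecurityException {
        if (!signAddressingHeaders || addressing == null) {
            return;
        }
        boolean replyToRequired = addressing.getReplyTo() != null;
        boolean faultToRequired = addressing.getFaultTo() != null;
        if (!replyToRequired && !faultToRequired) {
            return;
        }

        boolean replyToSigned = false;
        boolean faultToSigned = false;
        for (SecurityEvent result : results) {
            AbstractSecuredElementSecurityEvent secured = (AbstractSecuredElementSecurityEvent) result;
            if (!secured.isSigned()) {
                continue;
            }
            List<QName> path = secured.getElementPath();
            replyToSigned |= isReplyTo(path);
            faultToSigned |= isFaultTo(path);
            if (replyToSigned && faultToSigned) {
                break;
            }
        }

        if ((replyToRequired && !replyToSigned) || (faultToRequired && !faultToSigned)) {
            throw coverageFailure("The Addressing headers are not signed");
        }
    }

    /**
     * Returns whether {@code results} holds an event for {@code part} carrying the requested
     * protection.
     *
     * <p>Relies on the lists built in {@link #handleMessage} containing only signed/encrypted
     * part and element events, which the cast below assumes are
     * {@link AbstractSecuredElementSecurityEvent}s (as the original implementation did).
     *
     * @param results the collected events
     * @param part the element that must be covered
     * @param requireEncryption {@code true} to look for encryption, {@code false} for a signature
     */
    private boolean isCovered(List<SecurityEvent> results, Part part, boolean requireEncryption) {
        for (SecurityEvent result : results) {
            AbstractSecuredElementSecurityEvent secured = (AbstractSecuredElementSecurityEvent) result;
            boolean protectedAsRequired = requireEncryption ? secured.isEncrypted() : secured.isSigned();
            if (protectedAsRequired && matches(part, secured.getElementPath())) {
                return true;
            }
        }
        return false;
    }

    /** Dispatches to the exact-path predicate for {@code part}. */
    private boolean matches(Part part, List<QName> path) {
        switch (part) {
        case BODY:
            return isBody(path);
        case TIMESTAMP:
            return isTimestamp(path);
        case USERNAME_TOKEN:
            return isUsernameToken(path);
        default:
            return false;
        }
    }

    /** Builds the FAILURE exception reported for a missing signature/encryption, with the detail as cause. */
    private WSSecurityException coverageFailure(String detail) {
        return new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(detail));
    }

    /** Returns whether {@code name} is {@code localPart} in the given namespace. */
    private boolean isElement(QName name, String namespace, String localPart) {
        return localPart.equals(name.getLocalPart()) && namespace.equals(name.getNamespaceURI());
    }

    /** Returns whether {@code name} is {@code localPart} in either the SOAP 1.1 or SOAP 1.2 envelope namespace. */
    private boolean isSoapElement(QName name, String localPart) {
        return localPart.equals(name.getLocalPart())
            && (SOAP_NS.equals(name.getNamespaceURI()) || SOAP12_NS.equals(name.getNamespaceURI()));
    }

    private boolean isEnvelope(QName name) {
        return isSoapElement(name, "Envelope");
    }

    private boolean isSoapHeader(QName name) {
        return isSoapElement(name, "Header");
    }

    private boolean isSecurityHeader(QName name) {
        return isElement(name, WSSE_NS, "Security");
    }

    /** Path is exactly Envelope/Header/wsse:Security/&lt;child&gt; (depth 4). */
    private boolean isSecurityHeaderChild(List<QName> path) {
        return path != null && path.size() == 4
            && isEnvelope(path.get(0)) && isSoapHeader(path.get(1)) && isSecurityHeader(path.get(2));
    }

    /** Path is exactly Envelope/Header/&lt;wsa:localPart&gt; (depth 3). */
    private boolean isAddressingHeader(List<QName> path, String localPart) {
        return path != null && path.size() == 3
            && isEnvelope(path.get(0)) && isSoapHeader(path.get(1))
            && isElement(path.get(2), WSA_NS, localPart);
    }

    /** Path is exactly Envelope/Header/wsse:Security/wsu:Timestamp. */
    private boolean isTimestamp(List<QName> path) {
        return isSecurityHeaderChild(path) && isElement(path.get(3), WSU_NS, "Timestamp");
    }

    /** Path is exactly Envelope/Header/wsa:ReplyTo. */
    private boolean isReplyTo(List<QName> path) {
        return isAddressingHeader(path, "ReplyTo");
    }

    /** Path is exactly Envelope/Header/wsa:FaultTo. */
    private boolean isFaultTo(List<QName> path) {
        return isAddressingHeader(path, "FaultTo");
    }

    /** Path is exactly Envelope/Body (depth 2); a Body element nested anywhere else does not match. */
    private boolean isBody(List<QName> path) {
        return path != null && path.size() == 2
            && isEnvelope(path.get(0)) && isSoapElement(path.get(1), "Body");
    }

    /** Path is exactly Envelope/Header/wsse:Security/wsse:UsernameToken. */
    private boolean isUsernameToken(List<QName> path) {
        return isSecurityHeaderChild(path) && isElement(path.get(3), WSSE_NS, "UsernameToken");
    }

    /** Whether the SOAP Body must be signed (default {@code true}). */
    public boolean isSignBody() {
        return this.signBody;
    }

    public final void setSignBody(boolean z) {
        this.signBody = z;
    }

    /** Whether a processed Timestamp must be signed (default {@code true}). */
    public boolean isSignTimestamp() {
        return this.signTimestamp;
    }

    public final void setSignTimestamp(boolean z) {
        this.signTimestamp = z;
    }

    /** Whether the SOAP Body must be encrypted (default {@code false}). */
    public boolean isEncryptBody() {
        return this.encryptBody;
    }

    public final void setEncryptBody(boolean z) {
        this.encryptBody = z;
    }

    /** Whether present WS-Addressing ReplyTo/FaultTo headers must be signed (default {@code true}). */
    public boolean isSignAddressingHeaders() {
        return this.signAddressingHeaders;
    }

    public final void setSignAddressingHeaders(boolean z) {
        this.signAddressingHeaders = z;
    }

    /**
     * Converts a coverage failure into the SOAP fault returned to the client.
     *
     * <p>For SOAP 1.1 the exception's fault code (when it has one) becomes the fault code; for
     * SOAP 1.2 the fault code is the version's Sender code and the exception's code, if any, is
     * attached as the sub-code. The fault message is the exception's own message.
     *
     * @param version the SOAP version of the inbound message
     * @param e the coverage failure
     */
    private SoapFault createSoapFault(SoapVersion version, WSSecurityException e) {
        QName faultCode = e.getFaultCode();
        if (version.getVersion() == 1.1d && faultCode != null) {
            return new SoapFault(e.getMessage(), e, faultCode);
        }
        SoapFault fault = new SoapFault(e.getMessage(), e, version.getSender());
        if (version.getVersion() != 1.1d && faultCode != null) {
            fault.setSubCode(faultCode);
        }
        return fault;
    }

    /** Whether a processed UsernameToken must be signed (default {@code false}). */
    public boolean isSignUsernameToken() {
        return this.signUsernameToken;
    }

    public void setSignUsernameToken(boolean z) {
        this.signUsernameToken = z;
    }

    /** Whether a processed UsernameToken must be encrypted (default {@code true}). */
    public boolean isEncryptUsernameToken() {
        return this.encryptUsernameToken;
    }

    public void setEncryptUsernameToken(boolean z) {
        this.encryptUsernameToken = z;
    }
}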
