package org.apache.cxf.sts.token.provider.jwt;

import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.UUID;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.sts.claims.ClaimsUtils;
import org.apache.cxf.sts.claims.ProcessedClaim;
import org.apache.cxf.sts.claims.ProcessedClaimCollection;
import org.apache.cxf.sts.request.Lifetime;
import org.apache.cxf.sts.request.Participants;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.sts.token.provider.TokenProviderUtils;
import org.apache.cxf.sts.token.renewer.SAMLTokenRenewer;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.dom.util.XmlSchemaDateFormat;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-416-04.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630416-04.jar:org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.class */
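/**
 * Default {@link JWTClaimsProvider}: builds the claim set of a JWT issued by the STS.
 *
 * <p>The claims are filled in this order: subject, token id (random UUID), issuer,
 * WS-Trust claims, time conditions (iat / nbf / exp) and audiences.
 *
 * <p>Security-relevant configuration:
 * <ul>
 *   <li>{@code acceptClientLifetime} (default {@code false}): when {@code false} the
 *       Lifetime element of the request is ignored and the token always gets the
 *       server-side {@code lifetime}.</li>
 *   <li>{@code maxLifetime} / {@code failLifetimeExceedance}: upper bound on a
 *       client-requested lifetime, and whether exceeding it is rejected (default) or
 *       silently capped.</li>
 *   <li>{@code futureTimeToLive}: tolerated clock skew, in seconds, for a
 *       client-supplied Created time.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code useX500CN} is stored and exposed through its accessors, but no
 * method of this class reads it; the leading RDN value is extracted for every
 * {@link X500Principal} regardless of the flag.
 */
public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
    /** Default upper bound for a client-requested lifetime, in seconds (12 hours). */
    public static final long DEFAULT_MAX_LIFETIME = 43200;
    private static final Logger LOG = LogUtils.getL7dLogger(DefaultJWTClaimsProvider.class);
    private boolean useX500CN;
    private boolean acceptClientLifetime;
    // Server-side token lifetime in seconds, used whenever the client value is not honoured.
    private long lifetime = SAMLTokenRenewer.DEFAULT_MAX_EXPIRY;
    private long maxLifetime = DEFAULT_MAX_LIFETIME;
    private boolean failLifetimeExceedance = true;
    private long futureTimeToLive = 60;

    /**
     * Builds the JWT claims for the given request.
     *
     * @param jWTClaimsProviderParameters request context; its issuer overrides the issuer
     *        configured in the STS properties when it is non-null
     * @return the populated claim set
     * @throws STSException if no principal can be determined or the requested lifetime is rejected
     */
    @Override // org.apache.cxf.sts.token.provider.jwt.JWTClaimsProvider
    public JwtClaims getJwtClaims(JWTClaimsProviderParameters jWTClaimsProviderParameters) {
        JwtClaims jwtClaims = new JwtClaims();
        jwtClaims.setSubject(getSubjectName(jWTClaimsProviderParameters));
        jwtClaims.setTokenId(UUID.randomUUID().toString());

        String issuer = jWTClaimsProviderParameters.getIssuer();
        if (issuer == null) {
            issuer = jWTClaimsProviderParameters.getProviderParameters().getStsProperties().getIssuer();
        }
        jwtClaims.setIssuer(issuer);

        handleWSTrustClaims(jWTClaimsProviderParameters, jwtClaims);
        handleConditions(jWTClaimsProviderParameters, jwtClaims);
        handleAudienceRestriction(jWTClaimsProviderParameters, jwtClaims);
        return jwtClaims;
    }

    /**
     * Derives the JWT subject from the request principal.
     *
     * <p>For an {@link X500Principal} the text between the first {@code '='} and the next
     * {@code ','} of the distinguished name is used; if the name does not have that shape
     * the full name is returned.
     *
     * <p>NOTE(review): the extraction takes the value of the first RDN whatever its
     * attribute type and does not honour escaped commas, so two distinguished names that
     * share the first RDN value produce the same subject. Relying parties that authorise
     * on {@code sub} should be aware of this.
     *
     * @throws STSException with {@code REQUEST_FAILED} if no principal is available
     */
    protected String getSubjectName(JWTClaimsProviderParameters jWTClaimsProviderParameters) {
        Principal principal = getPrincipal(jWTClaimsProviderParameters);
        if (principal == null) {
            LOG.fine("Error in getting principal");
            throw new STSException("Error in getting principal", STSException.REQUEST_FAILED);
        }
        String name = principal.getName();
        if (name != null && principal instanceof X500Principal) {
            // Explicit bounds check instead of catching Throwable around substring():
            // same result for every name, but JVM Errors are no longer swallowed.
            int equalsIndex = name.indexOf('=');
            int commaIndex = name.indexOf(',', equalsIndex);
            if (commaIndex > equalsIndex) {
                return name.substring(equalsIndex + 1, commaIndex);
            }
        }
        return name;
    }

    /**
     * Selects the principal the token is issued for.
     *
     * <p>Precedence: OnBehalfOf, then ActAs, then ValidateTarget, then the principal of the
     * provider parameters. Only the first token that is present is considered. If that token
     * is not in state {@code VALID} the result is {@code null}; there is no fall-through to a
     * later source, so {@link #getSubjectName} fails the request.
     *
     * @return the selected principal, or {@code null} if the selected token is not valid
     */
    protected Principal getPrincipal(JWTClaimsProviderParameters jWTClaimsProviderParameters) {
        TokenProviderParameters providerParameters = jWTClaimsProviderParameters.getProviderParameters();

        ReceivedToken delegated = providerParameters.getTokenRequirements().getOnBehalfOf();
        if (delegated == null) {
            delegated = providerParameters.getTokenRequirements().getActAs();
        }
        if (delegated == null) {
            delegated = providerParameters.getTokenRequirements().getValidateTarget();
        }
        if (delegated == null) {
            return providerParameters.getPrincipal();
        }
        // Fail closed: a delegated token that did not validate yields no principal.
        return delegated.getState().equals(ReceivedToken.STATE.VALID) ? delegated.getPrincipal() : null;
    }

    /**
     * Copies the processed WS-Trust claims into the JWT, keyed by claim type. A claim with a
     * single value is stored as that value, otherwise the whole value list is stored. Claims
     * without a type or without values are skipped.
     *
     * <p>NOTE(review): the claim type string is used as the JWT property name without any
     * filtering. If JwtClaims keeps registered claims in the same property map, a claim
     * type equal to a registered name ("sub", "iss", "jti") would replace the value set in
     * {@link #getJwtClaims} - confirm that claim types can only come from trusted claim handlers.
     */
    protected void handleWSTrustClaims(JWTClaimsProviderParameters jWTClaimsProviderParameters, JwtClaims jwtClaims) {
        ProcessedClaimCollection processedClaims =
            ClaimsUtils.processClaims(jWTClaimsProviderParameters.getProviderParameters());
        if (processedClaims == null) {
            return;
        }
        for (ProcessedClaim claim : processedClaims) {
            if (claim.getClaimType() == null || claim.getValues() == null || claim.getValues().isEmpty()) {
                continue;
            }
            Object value = claim.getValues();
            if (claim.getValues().size() == 1) {
                value = claim.getValues().get(0);
            }
            jwtClaims.setProperty(claim.getClaimType().toString(), value);
        }
    }

    /**
     * Sets iat, nbf and exp.
     *
     * <p>Server-side defaults (now, now, now + {@code lifetime}) are always written first.
     * They are replaced by the Created / Expires values of the request only if
     * {@code lifetime > 0}, {@code acceptClientLifetime} is enabled and both values are
     * present. A Created time later than now + {@code futureTimeToLive} is rejected; a
     * requested lifetime above {@code maxLifetime} is rejected or capped depending on
     * {@code failLifetimeExceedance}.
     *
     * <p>NOTE(review): there is no lower bound on Created and no check that Expires is later
     * than Created, so a client may obtain a back-dated token or one whose exp precedes
     * its nbf. A Lifetime element that cannot be parsed is only logged and the server-side
     * defaults stay in place.
     *
     * @throws STSException with {@code INVALID_TIME} if a rule above rejects the request
     */
    protected void handleConditions(JWTClaimsProviderParameters jWTClaimsProviderParameters, JwtClaims jwtClaims) {
        TokenProviderParameters providerParameters = jWTClaimsProviderParameters.getProviderParameters();

        long nowSeconds = new Date().getTime() / 1000;
        jwtClaims.setIssuedAt(nowSeconds);
        jwtClaims.setNotBefore(nowSeconds);
        jwtClaims.setExpiryTime(nowSeconds + this.lifetime);

        Lifetime requested = providerParameters.getTokenRequirements().getLifetime();
        boolean honourClientLifetime = this.lifetime > 0 && this.acceptClientLifetime && requested != null
            && requested.getCreated() != null && requested.getExpires() != null;
        if (!honourClientLifetime) {
            return;
        }
        try {
            XmlSchemaDateFormat format = new XmlSchemaDateFormat();
            Date created = format.parse(requested.getCreated());
            Date expires = format.parse(requested.getExpires());
            if (created == null || expires == null) {
                LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
                throw new STSException("Error in parsing Timestamp Created or Expiration Strings",
                                       STSException.INVALID_TIME);
            }

            // Latest acceptable Created time: now plus the configured clock-skew allowance.
            Date latestCreation = new Date();
            if (this.futureTimeToLive > 0) {
                latestCreation.setTime(latestCreation.getTime() + (this.futureTimeToLive * 1000));
            }
            if (created.after(latestCreation)) {
                LOG.fine("The Created Time is too far in the future");
                throw new STSException("The Created Time is too far in the future", STSException.INVALID_TIME);
            }

            long requestedMillis = expires.getTime() - created.getTime();
            if (requestedMillis > getMaxLifetime() * 1000) {
                LOG.warning("Requested lifetime [" + (requestedMillis / 1000)
                    + " sec] exceed configured maximum lifetime [" + getMaxLifetime() + " sec]");
                if (isFailLifetimeExceedance()) {
                    throw new STSException("Requested lifetime exceeds maximum lifetime", STSException.INVALID_TIME);
                }
                // Lenient mode: cap the expiry at Created + maxLifetime instead of failing.
                expires.setTime(created.getTime() + (getMaxLifetime() * 1000));
            }

            long createdSeconds = created.getTime() / 1000;
            jwtClaims.setIssuedAt(createdSeconds);
            jwtClaims.setNotBefore(createdSeconds);
            jwtClaims.setExpiryTime(expires.getTime() / 1000);
        } catch (ParseException e) {
            LOG.warning("Failed to parse life time element: " + e.getMessage());
        }
    }

    /**
     * Sets the audiences from the AppliesTo address and from the primary and secondary
     * participants of the request, in that order. Nothing is set if no address is found.
     *
     * <p>NOTE(review): the addresses are copied as they are; no allow-list is applied here.
     * Presumably any restriction on acceptable AppliesTo / participant addresses is
     * enforced elsewhere in the STS - confirm.
     */
    protected void handleAudienceRestriction(JWTClaimsProviderParameters jWTClaimsProviderParameters, JwtClaims jwtClaims) {
        TokenProviderParameters providerParameters = jWTClaimsProviderParameters.getProviderParameters();
        ArrayList<String> audiences = new ArrayList<>();

        String appliesToAddress = providerParameters.getAppliesToAddress();
        if (appliesToAddress != null) {
            audiences.add(appliesToAddress);
        }

        Participants participants = providerParameters.getTokenRequirements().getParticipants();
        if (participants != null) {
            String primaryAddress =
                TokenProviderUtils.extractAddressFromParticipantsEPR(participants.getPrimaryParticipant());
            if (primaryAddress != null) {
                audiences.add(primaryAddress);
            }
            if (participants.getParticipants() != null) {
                for (Object participant : participants.getParticipants()) {
                    if (participant == null) {
                        continue;
                    }
                    String address = TokenProviderUtils.extractAddressFromParticipantsEPR(participant);
                    if (address != null) {
                        audiences.add(address);
                    }
                }
            }
        }

        if (!audiences.isEmpty()) {
            jwtClaims.setAudiences(audiences);
        }
    }

    /** Returns the stored {@code useX500CN} flag (not read by any method of this class). */
    public boolean isUseX500CN() {
        return this.useX500CN;
    }

    /** Stores the {@code useX500CN} flag (not read by any method of this class). */
    public void setUseX500CN(boolean z) {
        this.useX500CN = z;
    }

    /** Returns the tolerated future offset of a client-supplied Created time, in seconds. */
    public long getFutureTimeToLive() {
        return this.futureTimeToLive;
    }

    /** Sets the tolerated future offset of a client-supplied Created time, in seconds; values &lt;= 0 disable the allowance. */
    public void setFutureTimeToLive(long j) {
        this.futureTimeToLive = j;
    }

    /** Sets the server-side token lifetime in seconds; values &lt;= 0 also disable client-requested lifetimes. */
    public void setLifetime(long j) {
        this.lifetime = j;
    }

    /** Returns the server-side token lifetime in seconds. */
    public long getLifetime() {
        return this.lifetime;
    }

    /** Sets the maximum client-requested lifetime in seconds. */
    public void setMaxLifetime(long j) {
        this.maxLifetime = j;
    }

    /** Returns the maximum client-requested lifetime in seconds. */
    public long getMaxLifetime() {
        return this.maxLifetime;
    }

    /** Returns whether the Lifetime element of the request is honoured. */
    public boolean isAcceptClientLifetime() {
        return this.acceptClientLifetime;
    }

    /** Sets whether the Lifetime element of the request is honoured. */
    public void setAcceptClientLifetime(boolean z) {
        this.acceptClientLifetime = z;
    }

    /** Returns whether a requested lifetime above the maximum is rejected rather than capped. */
    public boolean isFailLifetimeExceedance() {
        return this.failLifetimeExceedance;
    }

    /** Sets whether a requested lifetime above the maximum is rejected ({@code true}) or capped ({@code false}). */
    public void setFailLifetimeExceedance(boolean z) {
        this.failLifetimeExceedance = z;
    }
}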
