package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
import org.apache.wss4j.dom.saml.DOMSAMLUtil;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.SamlToken;
import org.opensaml.saml.common.SAMLVersion;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-441.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630441.jar:org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.class */
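/**
 * Token interceptor for the WS-SecurityPolicy {@code SamlToken} assertion.
 *
 * <p>Inbound, it runs WSS4J's {@link SAMLTokenProcessor} over every SAML {@code Assertion}
 * found directly under the {@code wsse:Security} header, records the results on the message,
 * checks them against the {@code SamlToken} policy assertions (version, holder-of-key and
 * sender-vouches requirements) and, for a <em>signed</em> assertion only, seeds the message
 * {@link SecurityContext} with the assertion's principal.
 *
 * <p>Outbound, it obtains a SAML assertion from the configured SAML callback handler, signs it
 * if the callback asks for that, and appends it to the security header.
 */
public class SamlTokenInterceptor extends AbstractTokenInterceptor {

    private static final Logger LOG = Logger.getLogger(SamlTokenInterceptor.class.getName());

    /** Assertion namespace shared by SAML 1.0 and SAML 1.1. */
    private static final String SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    /** SAML 2.0 assertion namespace. */
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Local name of a SAML assertion element in either namespace. */
    private static final String ASSERTION_LOCAL_NAME = "Assertion";

    /** WSS4J action code recorded for a signed SAML token (the value of {@code WSConstants.ST_SIGNED}). */
    private static final int ACTION_ST_SIGNED = 16;
    /** WSS4J action code recorded for an unsigned SAML token (the value of {@code WSConstants.ST_UNSIGNED}). */
    private static final int ACTION_ST_UNSIGNED = 8;
    /**
     * Usage code handed to {@code getPassword} when resolving the issuer's signing-key password
     * (the value of {@code WSPasswordCallback.SIGNATURE}).
     */
    private static final int SIGNATURE_PASSWORD_USAGE = 3;

    /**
     * Inbound processing: validates each SAML assertion under the security header and records
     * the outcome on the message.
     *
     * <p>Only assertions that WSS4J accepts are recorded; an assertion that WSS4J rejects is turned
     * into a SOAP fault via {@code WSS4JUtils.createSoapFault}. Unsigned assertions are recorded
     * and policy-checked but never establish a {@link SecurityContext}.
     *
     * @param soapMessage the inbound message; nothing happens if it carries no security header
     */
    @Override
    protected void processToken(SoapMessage soapMessage) {
        Header securityHeader = findSecurityHeader(soapMessage, false);
        if (securityHeader == null) {
            return;
        }
        Element securityElement = (Element) securityHeader.getObject();
        for (Element child = DOMUtils.getFirstElement(securityElement);
             child != null;
             child = DOMUtils.getNextElement(child)) {
            if (!isSamlAssertion(child)) {
                continue;
            }
            try {
                List<WSSecurityEngineResult> samlResults = processToken(child, soapMessage);
                if (samlResults != null) {
                    handleSamlResults(samlResults, soapMessage);
                }
            } catch (WSSecurityException ex) {
                throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), ex);
            }
        }
    }

    /**
     * Returns whether {@code element} is a SAML 1.x or SAML 2.0 {@code Assertion} element.
     */
    private static boolean isSamlAssertion(Element element) {
        if (!ASSERTION_LOCAL_NAME.equals(element.getLocalName())) {
            return false;
        }
        String namespace = element.getNamespaceURI();
        return SAML1_ASSERTION_NS.equals(namespace) || SAML2_ASSERTION_NS.equals(namespace);
    }

    /**
     * Records the WSS4J results for one processed assertion, checks the SamlToken policy
     * assertions against it and, if it is signed, establishes the caller's security context.
     *
     * @param samlResults non-null results returned by {@link SAMLTokenProcessor} for one assertion
     * @param soapMessage the inbound message
     */
    private void handleSamlResults(List<WSSecurityEngineResult> samlResults, SoapMessage soapMessage) {
        // Fetch (or create) the RECV_RESULTS list before asserting the token, preserving the
        // original ordering relative to assertTokens().
        List<WSHandlerResult> receivedResults = receivedResults(soapMessage);

        boolean signed = containsSignedAssertion(samlResults);
        assertTokens(soapMessage, SPConstants.SAML_TOKEN, signed);

        // Newest results go to the front; the action code tells downstream code whether the
        // token it sees was signed.
        int action = signed ? ACTION_ST_SIGNED : ACTION_ST_UNSIGNED;
        receivedResults.add(0, new WSHandlerResult(null, samlResults,
                Collections.singletonMap(action, samlResults)));

        checkSamlTokenPolicies(samlResults, soapMessage);

        // Only a signed assertion is trusted to identify the caller.
        if (signed) {
            establishSecurityContext(samlResults, soapMessage);
        }
    }

    /**
     * Returns the message's {@code RECV_RESULTS} list, creating and storing an empty one if
     * none is present yet.
     */
    private static List<WSHandlerResult> receivedResults(SoapMessage soapMessage) {
        List<WSHandlerResult> results =
            CastUtils.cast((List<?>) soapMessage.get(WSHandlerConstants.RECV_RESULTS));
        if (results == null) {
            results = new ArrayList<>();
            soapMessage.put(WSHandlerConstants.RECV_RESULTS, results);
        }
        return results;
    }

    /**
     * Returns whether any result in {@code samlResults} carries a signed assertion.
     */
    private static boolean containsSignedAssertion(List<WSSecurityEngineResult> samlResults) {
        for (WSSecurityEngineResult result : samlResults) {
            SamlAssertionWrapper assertion =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (assertion.isSigned()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks every received assertion against every {@code SamlToken} policy assertion on the
     * message: the SAML version must match the token type, and the assertion must satisfy the
     * holder-of-key and sender-vouches requirements given the TLS peer certificates (if any).
     * Failing assertions are marked not asserted with a reason.
     */
    private void checkSamlTokenPolicies(List<WSSecurityEngineResult> samlResults, SoapMessage soapMessage) {
        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);

        // The TLS peer certificates are what a holder-of-key / sender-vouches check can be
        // bound to at this layer; loop-invariant, so resolve them once.
        TLSSessionInfo tlsInfo = (TLSSessionInfo) soapMessage.get(TLSSessionInfo.class);
        Certificate[] tlsCerts = tlsInfo != null ? tlsInfo.getPeerCertificates() : null;

        for (AssertionInfo ai : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
            SamlToken samlToken = (SamlToken) ai.getAssertion();
            for (WSSecurityEngineResult result : samlResults) {
                SamlAssertionWrapper assertion =
                    (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                if (!checkVersion(aim, samlToken, assertion)) {
                    ai.setNotAsserted("Wrong SAML Version");
                }
                // No signed results or signed elements are available here (no full WS-Security
                // run), so both checks are made against the transport certificates only.
                if (!DOMSAMLUtil.checkHolderOfKey(assertion, null, tlsCerts)) {
                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
                } else if (!DOMSAMLUtil.checkSenderVouches(assertion, tlsCerts, null, null)) {
                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
                }
            }
        }
    }

    /**
     * Seeds the message {@link SecurityContext} with the principal WSS4J derived from the first
     * result, unless a context with a principal already exists (an authenticated caller is never
     * overwritten).
     */
    private static void establishSecurityContext(List<WSSecurityEngineResult> samlResults, SoapMessage soapMessage) {
        Principal principal = (Principal) samlResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
        SecurityContext existing = (SecurityContext) soapMessage.get(SecurityContext.class);
        if (existing == null || existing.getUserPrincipal() == null) {
            soapMessage.put(SecurityContext.class, new DefaultSecurityContext(principal, (Subject) null));
        }
    }

    /**
     * Runs WSS4J's {@link SAMLTokenProcessor} over a single assertion element.
     *
     * <p>The processor is given the configured callback handler, a fresh {@link WSSConfig} and the
     * signature-verification {@link Crypto} resolved from the message's signature properties
     * (which may be null if none are configured).
     *
     * @param tokenElement the SAML {@code Assertion} element
     * @param soapMessage  the inbound message used to resolve security properties
     * @return the processor's results
     * @throws WSSecurityException wrapping any failure as {@code ErrorCode.FAILURE}; the processor's
     *                             own error code is intentionally not propagated
     */
    private List<WSSecurityEngineResult> processToken(Element tokenElement, SoapMessage soapMessage)
        throws WSSecurityException {
        WSDocInfo docInfo = new WSDocInfo(tokenElement.getOwnerDocument());
        CXFRequestData requestData = new CXFRequestData();
        try {
            Object handlerValue =
                SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, soapMessage);
            requestData.setCallbackHandler(SecurityUtils.getCallbackHandler(handlerValue));
            requestData.setMsgContext(soapMessage);
            requestData.setWssConfig(WSSConfig.getNewInstance());
            requestData.setSigVerCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO,
                                                  SecurityConstants.SIGNATURE_PROPERTIES, soapMessage));
            return new SAMLTokenProcessor().handleToken(tokenElement, requestData, docInfo);
        } catch (Exception ex) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
        }
    }

    /**
     * Asserts all three SAML token-type policies and the {@code SamlToken} assertion itself.
     *
     * @param soapMessage the message whose {@link AssertionInfoMap} is updated
     * @return the {@code SamlToken} policy token, as returned by the superclass
     */
    @Override
    protected AbstractToken assertTokens(SoapMessage soapMessage) {
        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
        PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
        PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
        return assertTokens(soapMessage, SPConstants.SAML_TOKEN, true);
    }

    /**
     * Outbound processing: obtains a SAML assertion from the SAML callback handler and appends it
     * to the (possibly newly created) security header.
     *
     * <p>If no usable callback handler is configured, every {@code SamlToken} policy assertion is
     * marked not asserted; if building or signing the assertion fails, the token is reported via
     * {@code policyNotAsserted} with the failure message.
     *
     * @param soapMessage the outbound message
     */
    @Override
    protected void addToken(SoapMessage soapMessage) {
        WSSConfig.init();
        SamlToken samlToken = (SamlToken) assertTokens(soapMessage);
        Header securityHeader = findSecurityHeader(soapMessage, true);
        try {
            SamlAssertionWrapper assertion = addSamlToken(samlToken, soapMessage);
            if (assertion != null) {
                Element securityElement = (Element) securityHeader.getObject();
                securityElement.appendChild(assertion.toDOM(securityElement.getOwnerDocument()));
                return;
            }
            AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
            for (AssertionInfo ai : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
                if (ai.isAsserted()) {
                    ai.setAsserted(false);
                }
            }
        } catch (WSSecurityException ex) {
            policyNotAsserted(samlToken, ex.getMessage(), soapMessage);
        }
    }

    /**
     * Builds the outbound SAML assertion via the configured SAML callback handler.
     *
     * <p>The SAML version requested from the callback follows the policy's token type, and the
     * matching token-type policies are asserted. If the callback asks for a signed assertion, the
     * issuer key name, password and {@link Crypto} come from the callback first and fall back to
     * the message's signature username, password (or password callback) and signature crypto.
     *
     * @param samlToken   the {@code SamlToken} policy token
     * @param soapMessage the outbound message used to resolve security properties
     * @return the assertion, or null when no SAML callback handler is configured
     * @throws WSSecurityException if the callback or the signing step fails
     */
    private SamlAssertionWrapper addSamlToken(SamlToken samlToken, SoapMessage soapMessage)
        throws WSSecurityException {
        Object handlerValue =
            SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_CALLBACK_HANDLER, soapMessage);
        CallbackHandler callbackHandler = resolveSamlCallbackHandler(handlerValue);
        if (callbackHandler == null) {
            return null;
        }

        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        SAMLCallback samlCallback = new SAMLCallback();
        SamlToken.SamlTokenType tokenType = samlToken.getSamlTokenType();
        if (tokenType == SamlToken.SamlTokenType.WssSamlV11Token10
            || tokenType == SamlToken.SamlTokenType.WssSamlV11Token11) {
            samlCallback.setSamlVersion(Version.SAML_11);
            PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
            PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
        } else if (tokenType == SamlToken.SamlTokenType.WssSamlV20Token11) {
            samlCallback.setSamlVersion(Version.SAML_20);
            PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
        }

        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

        if (samlCallback.isSignAssertion()) {
            String issuerKeyName = samlCallback.getIssuerKeyName();
            if (issuerKeyName == null) {
                issuerKeyName = (String) SecurityUtils.getSecurityPropertyValue(
                    SecurityConstants.SIGNATURE_USERNAME, soapMessage);
            }
            String issuerKeyPassword = samlCallback.getIssuerKeyPassword();
            if (issuerKeyPassword == null) {
                issuerKeyPassword = (String) SecurityUtils.getSecurityPropertyValue(
                    SecurityConstants.PASSWORD, soapMessage);
                if (StringUtils.isEmpty(issuerKeyPassword)) {
                    // Last resort: ask the password callback for the signing key's password.
                    issuerKeyPassword = getPassword(issuerKeyName, samlToken,
                                                    SIGNATURE_PASSWORD_USAGE, soapMessage);
                }
            }
            Crypto issuerCrypto = samlCallback.getIssuerCrypto();
            if (issuerCrypto == null) {
                issuerCrypto = getCrypto(samlToken, SecurityConstants.SIGNATURE_CRYPTO,
                                         SecurityConstants.SIGNATURE_PROPERTIES, soapMessage);
            }
            assertion.signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto,
                                    samlCallback.isSendKeyValue(),
                                    samlCallback.getCanonicalizationAlgorithm(),
                                    samlCallback.getSignatureAlgorithm());
        }
        return assertion;
    }

    /**
     * Turns the configured {@code SAML_CALLBACK_HANDLER} property value into a handler instance.
     *
     * @param handlerValue a {@link CallbackHandler} instance, a class name, or anything else
     * @return the handler, or null if the value is absent, of another type, or the class cannot be
     *         loaded and instantiated (logged at WARNING so a misconfiguration is visible)
     */
    private CallbackHandler resolveSamlCallbackHandler(Object handlerValue) {
        if (handlerValue instanceof CallbackHandler) {
            return (CallbackHandler) handlerValue;
        }
        if (handlerValue instanceof String) {
            try {
                Class<?> handlerClass = ClassLoaderUtils.loadClass((String) handlerValue, getClass());
                return (CallbackHandler) handlerClass.getDeclaredConstructor().newInstance();
            } catch (Exception ex) {
                // Treated as "not configured": addToken then marks the SamlToken assertions as
                // not asserted. Log the cause so the failure does not go unnoticed.
                LOG.log(Level.WARNING,
                        "Could not instantiate SAML callback handler class " + handlerValue, ex);
                return null;
            }
        }
        return null;
    }

    /**
     * Resolves a {@link Crypto} from the message's security properties.
     *
     * <p>A {@link Crypto} stored directly under {@code cryptoKey} wins; otherwise the value under
     * {@code propsKey} is resolved (as a resource if necessary) into {@link Properties} and fed to
     * {@link CryptoFactory} together with the message's password encryptor.
     *
     * @param samlToken   the policy token (unused by this implementation; kept for call-site symmetry)
     * @param cryptoKey   property key holding a ready {@link Crypto}
     * @param propsKey    property key holding crypto properties or a reference to them
     * @param soapMessage the message used to resolve properties and resources
     * @return the crypto, or null if neither property is configured
     * @throws WSSecurityException if the crypto cannot be built from the properties
     */
    private Crypto getCrypto(SamlToken samlToken, String cryptoKey, String propsKey, SoapMessage soapMessage)
        throws WSSecurityException {
        Crypto crypto = (Crypto) SecurityUtils.getSecurityPropertyValue(cryptoKey, soapMessage);
        if (crypto != null) {
            return crypto;
        }
        Object propsValue = SecurityUtils.getSecurityPropertyValue(propsKey, soapMessage);
        if (propsValue == null) {
            return null;
        }
        Properties props = WSS4JUtils.getProps(propsValue, SecurityUtils.loadResource(soapMessage, propsValue));
        if (props == null) {
            return null;
        }
        return CryptoFactory.getInstance(props, getClass().getClassLoader(),
                                         WSS4JUtils.getPasswordEncryptor(soapMessage));
    }

    /**
     * Checks that the received assertion's SAML version matches the policy's token type and, if
     * so, asserts the corresponding token-type policy.
     *
     * @return true if the version matches (or the token type is one this method does not
     *         constrain); false if a SAML 1.x token type met a non-1.1 assertion or a SAML 2.0
     *         token type met a non-2.0 assertion
     */
    private boolean checkVersion(AssertionInfoMap aim, SamlToken samlToken, SamlAssertionWrapper assertion) {
        SamlToken.SamlTokenType tokenType = samlToken.getSamlTokenType();
        boolean saml11Policy = tokenType == SamlToken.SamlTokenType.WssSamlV11Token10
            || tokenType == SamlToken.SamlTokenType.WssSamlV11Token11;
        if (saml11Policy && assertion.getSamlVersion() != SAMLVersion.VERSION_11) {
            return false;
        }
        boolean saml20Policy = tokenType == SamlToken.SamlTokenType.WssSamlV20Token11;
        if (saml20Policy && assertion.getSamlVersion() != SAMLVersion.VERSION_20) {
            return false;
        }
        PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
        return true;
    }
}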
