package org.apache.cxf.ws.security.trust;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-441.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630441.jar:org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.class */
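/**
 * Default {@link STSTokenCacher}: keeps tokens issued by an STS on the message /
 * exchange / endpoint properties and in the endpoint's {@link TokenStore}, and
 * additionally maps a "delegation" token element (SAML assertion, UsernameToken,
 * BinarySecurityToken) to the id of the issued token obtained with it.
 *
 * <p>Security notes on the cache keys derived in {@link #getIdFromToken(Element)}:
 * SAML assertions are keyed by their ID attribute, UsernameTokens by the raw
 * username and BinarySecurityTokens by a Base64 SHA-256 digest of their text.
 * Element types that cannot be keyed yield an empty id; such tokens are neither
 * stored nor looked up, so that unrelated, unkeyable tokens cannot share (and
 * therefore leak) one cached issued token.
 */
public class DefaultSTSTokenCacher implements STSTokenCacher {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /**
     * Looks up a previously stored issued token for this message.
     *
     * <p>When {@code CACHE_ISSUED_TOKEN_IN_ENDPOINT} is enabled (the default) the
     * contextual property chain is consulted, which is where {@link #storeToken(Message, SecurityToken)}
     * places the token and its id (exchange and endpoint); otherwise only the message's
     * own properties are read. If only a token id is present the token is fetched from
     * the {@link TokenStore}.
     *
     * @param message the current message
     * @return the cached token, or {@code null} if none is known
     */
    @Override
    public SecurityToken retrieveToken(Message message) {
        boolean cacheInEndpoint = SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, message, true);

        SecurityToken token = cacheInEndpoint
            ? (SecurityToken) message.getContextualProperty(org.apache.cxf.ws.security.SecurityConstants.TOKEN)
            : (SecurityToken) message.get(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
        if (token != null) {
            return token;
        }

        String tokenId = (String) (cacheInEndpoint
            ? message.getContextualProperty(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID)
            : message.get(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID));
        if (tokenId == null) {
            return null;
        }
        return TokenStoreUtils.getTokenStore(message).getToken(tokenId);
    }

    /**
     * Looks up the issued token that was previously associated with a delegation token
     * element under {@code propertyKey} via
     * {@link #storeToken(Message, Element, String, String)}.
     *
     * @param message         the current message
     * @param delegationToken the delegation token element (SAML assertion, UsernameToken,
     *                        BinarySecurityToken); may be {@code null}
     * @param propertyKey     the property name the issued token id was stored under
     * @return the issued token, or {@code null} if the delegation token is null, cannot be
     *         keyed, is not cached, or has no issued token under {@code propertyKey}
     */
    @Override
    public SecurityToken retrieveToken(Message message, Element delegationToken, String propertyKey) {
        if (delegationToken == null) {
            return null;
        }
        String id = getIdFromToken(delegationToken);
        if (id.isEmpty()) {
            // Unkeyable element: never resolve it through the shared "" slot.
            return null;
        }

        TokenStore tokenStore = TokenStoreUtils.getTokenStore(message);
        SecurityToken cached = tokenStore.getToken(id);
        if (cached == null) {
            return null;
        }
        Map<String, Object> properties = cached.getProperties();
        if (properties == null || !properties.containsKey(propertyKey)) {
            return null;
        }
        return tokenStore.getToken((String) properties.get(propertyKey));
    }

    /**
     * Stores an issued token on the message (and, unless disabled or the token is a
     * SAML 2.0 assertion carrying a {@code OneTimeUse} condition, on the exchange and
     * endpoint so later messages can reuse it) and adds it to the {@link TokenStore}.
     *
     * @param message the current message
     * @param token   the issued token; must not be {@code null}
     */
    @Override
    public void storeToken(Message message, SecurityToken token) {
        boolean cacheInEndpoint = SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, message, true);

        // The DOM element is always exposed on the current message.
        message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ELEMENT, token.getToken());

        if (cacheInEndpoint && !isOneTimeUse(token)) {
            // A one-time-use assertion must not outlive this exchange, hence the check above.
            message.getExchange().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN, token);
            message.getExchange().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID, token.getId());
            message.getExchange().getEndpoint().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN, token);
            message.getExchange().getEndpoint().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID, token.getId());
        } else {
            message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN, token);
            message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID, token.getId());
        }

        TokenStoreUtils.getTokenStore(message).add(token);
    }

    /**
     * Associates a delegation token element with the id of an issued token: the
     * delegation token is cached in the {@link TokenStore} under the id derived by
     * {@link #getIdFromToken(Element)} and {@code storedTokenId} is recorded in its
     * properties under {@code propertyKey}.
     *
     * <p>Nothing is stored when either argument is {@code null} or when the element
     * cannot be keyed (empty id), to avoid unrelated tokens colliding on one entry.
     *
     * @param message         the current message
     * @param delegationToken the delegation token element
     * @param storedTokenId   the id of the issued token in the token store
     * @param propertyKey     the property name to record the issued token id under
     */
    @Override
    public void storeToken(Message message, Element delegationToken, String storedTokenId, String propertyKey) {
        if (storedTokenId == null || delegationToken == null) {
            return;
        }
        String id = getIdFromToken(delegationToken);
        if (id.isEmpty()) {
            return;
        }

        TokenStore tokenStore = TokenStoreUtils.getTokenStore(message);
        SecurityToken cached = tokenStore.getToken(id);
        if (cached == null) {
            cached = new SecurityToken(id);
            cached.setToken(delegationToken);
        }

        Map<String, Object> properties = cached.getProperties();
        if (properties == null) {
            properties = new HashMap<String, Object>();
            cached.setProperties(properties);
        }
        properties.put(propertyKey, storedTokenId);
        tokenStore.add(cached);
    }

    /**
     * Removes the token and token id from the exchange and endpoint and, if a token is
     * given, deletes it from the {@link TokenStore}. Properties set directly on the
     * message by {@link #storeToken(Message, SecurityToken)} are not touched.
     *
     * @param message the current message
     * @param token   the token to evict from the store; may be {@code null}
     */
    @Override
    public void removeToken(Message message, SecurityToken token) {
        message.getExchange().getEndpoint().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
        message.getExchange().getEndpoint().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID);
        message.getExchange().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
        message.getExchange().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID);
        if (token != null) {
            TokenStoreUtils.getTokenStore(message).remove(token.getId());
        }
    }

    /**
     * Returns {@code true} if the token is a SAML 2.0 assertion whose Conditions carry a
     * OneTimeUse element. Any other element type (or a missing element) is not one-time-use.
     *
     * @throws Fault if the assertion cannot be parsed
     */
    private static boolean isOneTimeUse(SecurityToken token) {
        Element element = token.getToken();
        if (!isElement(element, "Assertion", SAML2_NS)) {
            return false;
        }
        try {
            SamlAssertionWrapper assertion = new SamlAssertionWrapper(element);
            return assertion.getSaml2().getConditions() != null
                && assertion.getSaml2().getConditions().getOneTimeUse() != null;
        } catch (WSSecurityException e) {
            throw new Fault(e);
        }
    }

    /** True if {@code element} is non-null and has the given local name and namespace. */
    private static boolean isElement(Element element, String localName, String namespace) {
        return element != null
            && localName.equals(element.getLocalName())
            && namespace.equals(element.getNamespaceURI());
    }

    /**
     * Derives the cache key for a delegation token element.
     *
     * <ul>
     *   <li>SAML 2.0 Assertion: its {@code ID} attribute</li>
     *   <li>SAML 1.x Assertion: its {@code AssertionID} attribute</li>
     *   <li>WS-Security UsernameToken: the text of its {@code Username} child</li>
     *   <li>WS-Security BinarySecurityToken: Base64 of the SHA-256 digest of its text
     *       (the raw token is never used as a key)</li>
     * </ul>
     * Any other element, a missing attribute/child, or empty text yields {@code ""}.
     *
     * @param element the delegation token element; may be {@code null}
     * @return the derived id, never {@code null}
     */
    private static String getIdFromToken(Element element) {
        if (isElement(element, "Assertion", SAML2_NS)) {
            return element.getAttributeNS(null, "ID");
        }
        if (isElement(element, "Assertion", SAML1_NS)) {
            return element.getAttributeNS(null, "AssertionID");
        }
        if (isElement(element, "UsernameToken", WSSE_NS)) {
            Element username = XMLUtils.getDirectChildElement(element, "Username", WSSE_NS);
            return username == null ? "" : XMLUtils.getElementText(username);
        }
        if (isElement(element, "BinarySecurityToken", WSSE_NS)) {
            String text = XMLUtils.getElementText(element);
            if (text == null || text.isEmpty()) {
                return "";
            }
            try {
                // Fixed charset: the key must not depend on the JVM's platform default,
                // or the same token would map to different cache entries on different hosts.
                byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(text.getBytes(StandardCharsets.UTF_8));
                return Base64.encode(digest);
            } catch (NoSuchAlgorithmException e) {
                // SHA-256 is mandatory in every JRE; treat its absence as "not keyable".
                return "";
            }
        }
        return "";
    }
}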
