package org.apache.cxf.ws.security.wss4j.policyhandlers;

import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.Header;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.KeyValueToken;
import org.apache.wss4j.policy.model.SamlToken;
import org.apache.wss4j.policy.model.SecureConversationToken;
import org.apache.wss4j.policy.model.SecurityContextToken;
import org.apache.wss4j.policy.model.SignedElements;
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.TransportBinding;
import org.apache.wss4j.policy.model.TransportToken;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.model.XPath;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.xml.security.stax.ext.OutboundSecurityContext;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-444.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630444.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.class */
public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
    // Logger obtained through CXF's LogUtils.getL7dLogger; this class logs at FINE before wrapping a failure in a Fault.
    private static final Logger LOG = LogUtils.getL7dLogger(StaxTransportBindingHandler.class);
    // Transport binding policy handed to the constructor. handleBinding() null-checks it, so it may be null;
    // handleEndorsingToken() and doSignature() dereference it without a check.
    private TransportBinding tbinding;

    /**
     * Creates the streaming (StAX) handler that applies a transport binding policy to a message.
     *
     * @param wSSSecurityProperties WSS4J streaming security configuration, passed to the superclass
     * @param soapMessage the SOAP message being processed, passed to the superclass
     * @param transportBinding the transport binding policy; passed to the superclass and kept in
     *        {@code tbinding}. {@link #handleBinding()} null-checks it, so {@code null} is tolerated there.
     * @param outboundSecurityContext the outbound security context, passed to the superclass
     */
    public StaxTransportBindingHandler(WSSSecurityProperties wSSSecurityProperties, SoapMessage soapMessage, TransportBinding transportBinding, OutboundSecurityContext outboundSecurityContext) {
        super(wSSSecurityProperties, soapMessage, transportBinding, outboundSecurityContext);
        this.tbinding = transportBinding;
    }

    /**
     * Applies the transport binding policy to the message configuration.
     *
     * <p>The timestamp is configured first. A requestor then asserts the binding, applies any
     * signature-algorithm overrides found as contextual message properties, processes the transport
     * token and finally the non-endorsing and endorsing supporting tokens. Any other party processes
     * the non-endorsing supporting tokens first, then the binding and its transport token, then the
     * endorsing supporting tokens, and finishes with {@code addSignatureConfirmation(null)}.
     * Afterwards the layout, algorithm suite, WSS/Trust properties and the SignedParts/EncryptedParts
     * assertions are handled for both roles.
     *
     * <p>If the requestor's transport token is an {@link IssuedToken} and no security token is
     * available, the token policy is un-asserted and the method returns immediately; none of the
     * later steps run in that case.
     *
     * @throws Fault if supporting-token handling throws; the cause is logged at FINE first
     */
    public void handleBinding() {
        AssertionInfoMap aim = (AssertionInfoMap) getMessage().get(AssertionInfoMap.class);
        configureTimestamp(aim);

        if (!isRequestor()) {
            try {
                handleNonEndorsingSupportingTokens(aim);
                if (this.tbinding != null) {
                    assertPolicy(this.tbinding.getName());
                    if (this.tbinding.getTransportToken() != null) {
                        assertTokenWrapper(this.tbinding.getTransportToken());
                        assertToken(this.tbinding.getTransportToken().getToken());
                        // A failure here is wrapped in a Fault, which the enclosing catch (Exception)
                        // then logs and wraps a second time.
                        try {
                            handleEndorsingSupportingTokens(aim);
                        } catch (Exception endorsingFailure) {
                            LOG.log(Level.FINE, endorsingFailure.getMessage(), endorsingFailure);
                            throw new Fault(endorsingFailure);
                        }
                    }
                }
                addSignatureConfirmation(null);
            } catch (Exception failure) {
                LOG.log(Level.FINE, failure.getMessage(), failure);
                throw new Fault(failure);
            }
        } else {
            if (this.tbinding != null) {
                assertPolicy(this.tbinding.getName());

                // A non-null contextual property replaces the signature algorithm on the binding's
                // AlgorithmSuite in place. The value is applied as-is; nothing in this method
                // restricts which algorithm identifier may be set.
                String asymmetricOverride = (String) getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
                if (asymmetricOverride != null && this.tbinding.getAlgorithmSuite() != null) {
                    this.tbinding.getAlgorithmSuite().setAsymmetricSignature(asymmetricOverride);
                }
                String symmetricOverride = (String) getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
                if (symmetricOverride != null && this.tbinding.getAlgorithmSuite() != null) {
                    this.tbinding.getAlgorithmSuite().setSymmetricSignature(symmetricOverride);
                }

                // NOTE(review): unlike the non-requestor branch, the transport token wrapper is
                // dereferenced here without a null check.
                TransportToken tokenWrapper = this.tbinding.getTransportToken();
                if (tokenWrapper.getToken() instanceof IssuedToken) {
                    SecurityToken issuedSecurityToken = getSecurityToken();
                    if (issuedSecurityToken == null) {
                        unassertPolicy(tokenWrapper.getToken(), "No transport token id");
                        return;
                    }
                    addIssuedToken((IssuedToken) tokenWrapper.getToken(), issuedSecurityToken, false, false);
                }
                assertToken(tokenWrapper.getToken());
                assertTokenWrapper(tokenWrapper);
            }
            // Supporting tokens are processed for a requestor even when no binding is set.
            try {
                handleNonEndorsingSupportingTokens(aim);
                handleEndorsingSupportingTokens(aim);
            } catch (Exception failure) {
                LOG.log(Level.FINE, failure.getMessage(), failure);
                throw new Fault(failure);
            }
        }

        configureLayout(aim);
        if (this.tbinding != null) {
            assertAlgorithmSuite(this.tbinding.getAlgorithmSuite());
            String bindingNamespace = this.tbinding.getName().getNamespaceURI();
            assertWSSProperties(bindingNamespace);
            assertTrustProperties(this.tbinding.getName().getNamespaceURI());
        }

        // SignedParts and EncryptedParts are asserted unconditionally for both policy namespaces;
        // presumably the transport is relied on to protect those parts -- confirm for the deployment.
        assertPolicy(SP12Constants.SIGNED_PARTS);
        assertPolicy(SP11Constants.SIGNED_PARTS);
        assertPolicy(SP12Constants.ENCRYPTED_PARTS);
        assertPolicy(SP11Constants.ENCRYPTED_PARTS);
        putCustomTokenAfterSignature();
    }

    /**
     * Processes the supporting-token assertions that do not endorse (sign) the message.
     *
     * <p>SignedSupportingTokens, SignedEncryptedSupportingTokens and EncryptedSupportingTokens
     * assertions are handled in that order and all go through
     * {@link #addSignedSupportingTokens(SupportingTokens)}. Plain SupportingTokens assertions are
     * handled last through {@code handleSupportingTokens(tokens, false, false)}, and only when the
     * assertion carries at least one token. Every assertion found is marked as asserted, including
     * those whose assertion object is {@code null} or holds no tokens.
     *
     * @param assertionInfoMap the policy assertions of the current message
     * @throws Exception if adding one of the tokens fails
     */
    private void handleNonEndorsingSupportingTokens(AssertionInfoMap assertionInfoMap) throws Exception {
        // The encrypted variants take the same path as the signed one: no encryption step is
        // configured in this method. Presumably confidentiality is left to the transport -- confirm.
        String[] tokenAssertionNames = {
            SPConstants.SIGNED_SUPPORTING_TOKENS,
            SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS,
            SPConstants.ENCRYPTED_SUPPORTING_TOKENS,
        };
        for (String localName : tokenAssertionNames) {
            for (AssertionInfo info : PolicyUtils.getAllAssertionsByLocalname(assertionInfoMap, localName)) {
                SupportingTokens policy = (SupportingTokens) info.getAssertion();
                if (policy != null) {
                    addSignedSupportingTokens(policy);
                }
                info.setAsserted(true);
            }
        }

        for (AssertionInfo info : PolicyUtils.getAllAssertionsByLocalname(assertionInfoMap, SPConstants.SUPPORTING_TOKENS)) {
            SupportingTokens policy = (SupportingTokens) info.getAssertion();
            boolean hasTokens = policy != null && policy.getTokens() != null && policy.getTokens().size() > 0;
            if (hasTokens) {
                handleSupportingTokens(policy, false, false);
            }
            info.setAsserted(true);
        }
    }

    /**
     * Adds every token of a supporting-tokens assertion to the outbound configuration.
     *
     * <p>Each token is passed to {@code assertToken} first. A non-null token whose include-token
     * type is not required is then skipped. Username, issued, Kerberos and SAML tokens are added
     * through the matching {@code add...Token} method; any other token type, and a {@code null}
     * token, is rejected with an exception. This method itself adds no signature action.
     *
     * @param supportingTokens the assertion whose tokens are added
     * @throws Exception if a token is {@code null}, is of a type the streaming code does not
     *         support, or cannot be added
     */
    private void addSignedSupportingTokens(SupportingTokens supportingTokens) throws Exception {
        for (AbstractToken token : supportingTokens.getTokens()) {
            // Asserted before the null / inclusion checks below.
            assertToken(token);
            if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
                continue;
            }

            if (token instanceof UsernameToken) {
                addUsernameToken((UsernameToken) token);
            } else if (token instanceof IssuedToken) {
                addIssuedToken((IssuedToken) token, getSecurityToken(), false, false);
            } else if (token instanceof KerberosToken) {
                addKerberosToken((KerberosToken) token, false, false, false);
            } else if (token instanceof SamlToken) {
                addSamlToken((SamlToken) token, false, false);
            } else if (token == null) {
                throw new Exception("A null token was supplied to the streaming code");
            } else {
                // Fail closed on token types this handler does not know how to add.
                throw new Exception(token.getName() + " is not supported in the streaming code");
            }
        }
    }

    /**
     * Processes the endorsing supporting-token assertions.
     *
     * <p>The assertion kinds are handled in this order: SignedEndorsingSupportingTokens,
     * EndorsingSupportingTokens, EndorsingEncryptedSupportingTokens and
     * SignedEndorsingEncryptedSupportingTokens. For each kind every assertion found is marked as
     * asserted, and the tokens of the last one iterated are passed to
     * {@link #handleEndorsingToken(AbstractToken, SupportingTokens)}.
     *
     * @param assertionInfoMap the policy assertions of the current message
     * @throws Exception if handling one of the tokens fails
     */
    private void handleEndorsingSupportingTokens(AssertionInfoMap assertionInfoMap) throws Exception {
        String[] endorsingAssertionNames = {
            SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS,
            SPConstants.ENDORSING_SUPPORTING_TOKENS,
            SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS,
            SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS,
        };
        for (String localName : endorsingAssertionNames) {
            // NOTE(review): when several assertions of one kind are present, all of them are marked
            // as asserted but only the tokens of the last one are processed. Confirm that this is
            // intended for policies that carry more than one such assertion.
            SupportingTokens lastPolicy = null;
            for (AssertionInfo info : PolicyUtils.getAllAssertionsByLocalname(assertionInfoMap, localName)) {
                lastPolicy = (SupportingTokens) info.getAssertion();
                info.setAsserted(true);
            }
            if (lastPolicy == null) {
                continue;
            }
            for (AbstractToken token : lastPolicy.getTokens()) {
                handleEndorsingToken(token, lastPolicy);
            }
        }
    }

    /**
     * Configures the outbound signature for a single endorsing token.
     *
     * <p>The token is passed to {@code assertToken} first; a non-null token whose include-token
     * type is not required is then ignored. The first matching case below decides what is
     * configured. Endorsing UsernameTokens are rejected with an exception.
     *
     * <p>NOTE(review): a token that matches none of the cases (including {@code null}) falls
     * through without any signature being configured, although {@code assertToken} has already
     * been called for it. Confirm that this is acceptable for the policies in use.
     *
     * <p>The security-context, SAML and Kerberos cases read {@code this.tbinding} without a null
     * check, while {@link #handleBinding()} treats the binding as nullable and its requestor path
     * reaches endorsing-token handling even when the binding is {@code null}.
     *
     * @param abstractToken the endorsing token policy
     * @param supportingTokens the assertion that owns the token; supplies the signed parts and elements
     * @throws Exception if the token is a UsernameToken or configuring the signature fails
     */
    private void handleEndorsingToken(AbstractToken abstractToken, SupportingTokens supportingTokens) throws Exception {
        assertToken(abstractToken);
        if (abstractToken != null && !isTokenRequired(abstractToken.getIncludeTokenType())) {
            return;
        }

        if (abstractToken instanceof IssuedToken) {
            addIssuedToken(abstractToken, getSecurityToken(), false, true);
            signPartsAndElements(supportingTokens.getSignedParts(), supportingTokens.getSignedElements());
        } else if ((abstractToken instanceof SecureConversationToken) || (abstractToken instanceof SecurityContextToken) || (abstractToken instanceof SpnegoContextToken)) {
            SecurityToken contextToken = getSecurityToken();
            addIssuedToken(abstractToken, contextToken, false, true);
            WSSSecurityProperties contextProperties = getProperties();
            if (contextToken != null) {
                storeSecurityToken(abstractToken, contextToken);
                // Wrap the existing callback handler so lookups can also be answered from the token store.
                contextProperties.setCallbackHandler(new TokenStoreCallbackHandler(contextProperties.getCallbackHandler(), TokenStoreUtils.getTokenStore(this.message)));
            }
            doSignature(abstractToken, supportingTokens);
            // Set after doSignature(), so these values are the ones left in place for this case.
            contextProperties.setIncludeSignatureToken(true);
            contextProperties.setSignatureAlgorithm(this.tbinding.getAlgorithmSuite().getSymmetricSignature());
            contextProperties.setSignatureCanonicalizationAlgorithm(this.tbinding.getAlgorithmSuite().getC14n().getValue());
            contextProperties.setSignatureDigestAlgorithm(this.tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest());
        } else if ((abstractToken instanceof X509Token) || (abstractToken instanceof KeyValueToken)) {
            doSignature(abstractToken, supportingTokens);
        } else if (abstractToken instanceof SamlToken) {
            addSamlToken((SamlToken) abstractToken, false, true);
            signPartsAndElements(supportingTokens.getSignedParts(), supportingTokens.getSignedElements());
            WSSSecurityProperties samlProperties = getProperties();
            samlProperties.setSignatureAlgorithm(this.tbinding.getAlgorithmSuite().getAsymmetricSignature());
            samlProperties.setSignatureCanonicalizationAlgorithm(this.tbinding.getAlgorithmSuite().getC14n().getValue());
            samlProperties.setSignatureDigestAlgorithm(this.tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest());
        } else if (abstractToken instanceof UsernameToken) {
            throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
        } else if (abstractToken instanceof KerberosToken) {
            WSSSecurityProperties kerberosProperties = getProperties();
            kerberosProperties.addAction(WSSConstants.SIGNATURE);
            configureSignature(abstractToken, false);
            addKerberosToken((KerberosToken) abstractToken, false, true, false);
            signPartsAndElements(supportingTokens.getSignedParts(), supportingTokens.getSignedElements());
            kerberosProperties.setSignatureAlgorithm(this.tbinding.getAlgorithmSuite().getSymmetricSignature());
            kerberosProperties.setSignatureCanonicalizationAlgorithm(this.tbinding.getAlgorithmSuite().getC14n().getValue());
            kerberosProperties.setSignatureDigestAlgorithm(this.tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest());
        }
    }

    /**
     * Registers the parts to sign and adds a signature action for the given token.
     *
     * <p>The action is {@code SIGNATURE_WITH_DERIVED_KEY} when the token policy requires derived
     * keys and {@code SIGNATURE} otherwise. After {@code configureSignature} has run, the signature
     * algorithm is replaced by the binding's symmetric signature algorithm in the derived-key case
     * only. {@code this.tbinding} is read without a null check in that case.
     *
     * @param abstractToken the token policy the signature is configured for
     * @param supportingTokens the assertion that supplies the signed parts and elements
     * @throws Exception if registering the parts or configuring the signature fails
     */
    private void doSignature(AbstractToken abstractToken, SupportingTokens supportingTokens) throws Exception {
        signPartsAndElements(supportingTokens.getSignedParts(), supportingTokens.getSignedElements());

        WSSSecurityProperties securityProperties = getProperties();
        XMLSecurityConstants.Action signatureAction =
            abstractToken.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys
                ? WSSConstants.SIGNATURE_WITH_DERIVED_KEY
                : WSSConstants.SIGNATURE;
        securityProperties.addAction(signatureAction);
        configureSignature(abstractToken, false);

        // The derived-key requirement is read again after configureSignature(), as a separate call.
        if (abstractToken.getDerivedKeys() != AbstractToken.DerivedKeys.RequireDerivedKeys) {
            return;
        }
        securityProperties.setSignatureAlgorithm(this.tbinding.getAlgorithmSuite().getSymmetricSignature());
    }

    /**
     * Appends the elements that must be signed to the signature part list of the security properties.
     *
     * <p>In order: the wsu:Timestamp element when {@code timestampAdded} is set, the SOAP 1.1 Body
     * when the signed-parts policy asks for it, one entry per header named in the signed-parts
     * policy, and one entry per XPath of the signed-elements policy.
     *
     * @param signedParts the signed-parts policy, or {@code null} for none
     * @param signedElements the signed-elements policy, or {@code null} for none
     * @throws SOAPException declared by the signature; nothing in this body throws it directly
     */
    private void signPartsAndElements(SignedParts signedParts, SignedElements signedElements) throws SOAPException {
        List<SecurePart> partsToSign = getProperties().getSignatureSecureParts();

        if (this.timestampAdded) {
            QName timestampName = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Timestamp");
            partsToSign.add(new SecurePart(timestampName, SecurePart.Modifier.Element));
        }

        if (signedParts != null) {
            if (signedParts.isBody()) {
                QName bodyName = new QName("http://schemas.xmlsoap.org/soap/envelope/", "Body");
                partsToSign.add(new SecurePart(bodyName, SecurePart.Modifier.Element));
            }
            for (Header header : signedParts.getHeaders()) {
                QName headerName = new QName(header.getNamespace(), header.getName());
                SecurePart headerPart = new SecurePart(headerName, SecurePart.Modifier.Element);
                // Headers are registered as not required, unlike the timestamp and body entries,
                // which keep SecurePart's default.
                headerPart.setRequired(false);
                partsToSign.add(headerPart);
            }
        }

        if (signedElements != null && signedElements.getXPaths() != null) {
            for (XPath xPath : signedElements.getXPaths()) {
                List<QName> path = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                if (path.isEmpty()) {
                    continue;
                }
                // NOTE(review): only the last QName of the parsed path is handed to SecurePart; the
                // ancestor steps of the XPath are not passed on. Confirm that selecting by element
                // name alone is acceptable for the policies in use.
                QName leafName = path.get(path.size() - 1);
                partsToSign.add(new SecurePart(leafName, SecurePart.Modifier.Element));
            }
        }
    }
}
