package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.xml.security.utils.Base64;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-487.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630487.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.class */
public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidator {
    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        return assertionInfo.getAssertion() != null && (SP12Constants.KERBEROS_TOKEN.equals(assertionInfo.getAssertion().getName()) || SP11Constants.KERBEROS_TOKEN.equals(assertionInfo.getAssertion().getName()));
    }

    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters, Collection<AssertionInfo> collection) {
        for (WSSecurityEngineResult wSSecurityEngineResult : findKerberosResults(policyValidatorParameters.getResults().getActionResults().get(4096))) {
            KerberosSecurity kerberosSecurity = (KerberosSecurity) wSSecurityEngineResult.get("binary-security-token");
            boolean z = true;
            for (AssertionInfo assertionInfo : collection) {
                KerberosToken kerberosToken = (KerberosToken) assertionInfo.getAssertion();
                assertionInfo.setAsserted(true);
                assertToken(kerberosToken, policyValidatorParameters.getAssertionInfoMap());
                if (!isTokenRequired(kerberosToken, policyValidatorParameters.getMessage())) {
                    PolicyUtils.assertPolicy(policyValidatorParameters.getAssertionInfoMap(), new QName(kerberosToken.getVersion().getNamespace(), "WssKerberosV5ApReqToken11"));
                    PolicyUtils.assertPolicy(policyValidatorParameters.getAssertionInfoMap(), new QName(kerberosToken.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11"));
                } else if (!checkToken(policyValidatorParameters.getAssertionInfoMap(), kerberosToken, kerberosSecurity)) {
                    z = false;
                    assertionInfo.setNotAsserted("An incorrect Kerberos Token Type is detected");
                }
            }
            if (z) {
                SecurityToken createSecurityToken = createSecurityToken(kerberosSecurity);
                createSecurityToken.setSecret((byte[]) wSSecurityEngineResult.get("secret"));
                TokenStoreUtils.getTokenStore(policyValidatorParameters.getMessage()).add(createSecurityToken);
                policyValidatorParameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, createSecurityToken.getId());
                return;
            }
        }
    }

    private void assertToken(KerberosToken kerberosToken, AssertionInfoMap assertionInfoMap) {
        String namespaceURI = kerberosToken.getName().getNamespaceURI();
        if (kerberosToken.isRequireKeyIdentifierReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap, new QName(namespaceURI, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
        }
    }

    private boolean checkToken(AssertionInfoMap assertionInfoMap, KerberosToken kerberosToken, KerberosSecurity kerberosSecurity) {
        KerberosToken.ApReqTokenType apReqTokenType = kerberosToken.getApReqTokenType();
        if (apReqTokenType == KerberosToken.ApReqTokenType.WssKerberosV5ApReqToken11 && kerberosSecurity.isV5ApReq()) {
            PolicyUtils.assertPolicy(assertionInfoMap, new QName(kerberosToken.getVersion().getNamespace(), "WssKerberosV5ApReqToken11"));
            return true;
        }
        if (apReqTokenType != KerberosToken.ApReqTokenType.WssGssKerberosV5ApReqToken11 || !kerberosSecurity.isGssV5ApReq()) {
            return false;
        }
        PolicyUtils.assertPolicy(assertionInfoMap, new QName(kerberosToken.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11"));
        return true;
    }

    private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> list) {
        ArrayList arrayList = new ArrayList();
        if (list != null) {
            for (WSSecurityEngineResult wSSecurityEngineResult : list) {
                if (((BinarySecurity) wSSecurityEngineResult.get("binary-security-token")) instanceof KerberosSecurity) {
                    arrayList.add(wSSecurityEngineResult);
                }
            }
        }
        return arrayList;
    }

    private SecurityToken createSecurityToken(KerberosSecurity kerberosSecurity) {
        SecurityToken securityToken = new SecurityToken(kerberosSecurity.getID());
        securityToken.setToken(kerberosSecurity.getElement());
        securityToken.setTokenType(kerberosSecurity.getValueType());
        try {
            securityToken.setSHA1(Base64.encode(KeyUtils.generateDigest(kerberosSecurity.getToken())));
        } catch (WSSecurityException e) {
        }
        return securityToken;
    }
}
