package org.codice.ddf.security.common;

import ddf.security.Subject;
import ddf.security.service.SecurityManager;
import ddf.security.service.SecurityServiceException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Map;
import javax.xml.ws.handler.Handler;
import javax.xml.ws.handler.MessageContext;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.URLConnectionInfo;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
import org.codice.ddf.security.handler.api.PKIAuthenticationTokenFactory;

/* loaded from: input_file:ddf-security-common-2.9.1.jar:org/codice/ddf/security/common/OutgoingSubjectRetrievalInterceptor.class */
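/**
 * CXF phase interceptor and JAX-WS handler for outgoing HTTPS requests.
 *
 * <p>For a requestor-side message whose scheme is {@code https}, it wraps the message's
 * {@link MessageTrustDecider} in a {@link ReceiverTrustDecider} and appends an
 * {@link EventSecurityEndingInterceptor} to the interceptor chain. The trust decider turns the
 * receiving server's certificates into a {@link Subject} stored on the message; the ending
 * interceptor copies that subject into the in-message's protocol headers.
 */
public class OutgoingSubjectRetrievalInterceptor extends AbstractPhaseInterceptor<Message> implements Handler<WrappedMessageContext> {
    private final SecurityManager securityManager;
    private final PKIAuthenticationTokenFactory tokenFactory;
    // Assigned once in the constructor; the same instance is added to every qualifying chain.
    private final EventSecurityEndingInterceptor ending;

    /* loaded from: input_file:ddf-security-common-2.9.1.jar:org/codice/ddf/security/common/OutgoingSubjectRetrievalInterceptor$EventSecurityEndingInterceptor.class */
    /**
     * Runs in the {@code setup-ending} phase and publishes the {@link Subject} found on the
     * message into the protocol headers of the exchange's in-message.
     */
    public static class EventSecurityEndingInterceptor extends AbstractPhaseInterceptor<Message> {
        public EventSecurityEndingInterceptor() {
            super("setup-ending");
        }

        /**
         * Stores the message's {@link Subject} as a single-element list in the in-message's
         * protocol headers, keyed by {@code Subject.class.toString()}.
         *
         * @param message the message carrying the subject set by {@link ReceiverTrustDecider}
         * @throws Fault declared by the interceptor contract; not thrown directly here
         */
        public void handleMessage(Message message) throws Fault {
            // NOTE(review): the entry holds a Subject object rather than a header string, and
            // is null-valued when no Subject was stored on the message. Code reading this key
            // should type-check the value before trusting it - confirm against consumers.
            @SuppressWarnings("rawtypes")
            Map protocolHeaders = (Map) message.getExchange().getInMessage().get(Message.PROTOCOL_HEADERS);
            Subject receiver = (Subject) message.get(Subject.class);
            putHeader(protocolHeaders, Subject.class.toString(), receiver);
        }

        /** Raw-map write isolated in one place so the unchecked warning stays narrowly scoped. */
        @SuppressWarnings({"rawtypes", "unchecked"})
        private static void putHeader(Map headers, String key, Subject subject) {
            headers.put(key, Arrays.asList(subject));
        }
    }

    /* loaded from: input_file:ddf-security-common-2.9.1.jar:org/codice/ddf/security/common/OutgoingSubjectRetrievalInterceptor$ReceiverTrustDecider.class */
    /**
     * Trust decider that first delegates to the previously configured decider (if any) and then
     * derives a {@link Subject} for the receiving server from its TLS certificates.
     */
    public class ReceiverTrustDecider extends MessageTrustDecider {
        private final MessageTrustDecider orig;

        ReceiverTrustDecider(MessageTrustDecider messageTrustDecider) {
            this.orig = messageTrustDecider;
        }

        /**
         * Establishes trust in the receiver and records its subject on the message.
         *
         * @param str conduit name, passed through to the wrapped decider
         * @param uRLConnectionInfo connection details; must be an {@link HttpsURLConnectionInfo}
         * @param message message on which the receiver's {@link Subject} is stored
         * @throws UntrustedURLConnectionIOException if the wrapped decider rejects the
         *     connection, the connection is not HTTPS, the server presented no certificates,
         *     or no subject could be obtained for those certificates
         */
        public void establishTrust(String str, URLConnectionInfo uRLConnectionInfo, Message message) throws UntrustedURLConnectionIOException {
            // The pre-existing decider gets the first say; its rejection propagates unchanged.
            if (this.orig != null) {
                this.orig.establishTrust(str, uRLConnectionInfo, message);
            }
            // Fail closed with the declared exception instead of a ClassCastException when the
            // connection carries no TLS information.
            if (!(uRLConnectionInfo instanceof HttpsURLConnectionInfo)) {
                throw new UntrustedURLConnectionIOException("Unable to establish trust because the connection is not HTTPS.");
            }
            java.security.cert.Certificate[] serverCerts = ((HttpsURLConnectionInfo) uRLConnectionInfo).getServerCertificates();
            // Must be "||": with "&&" a null array raised NullPointerException on ".length" and
            // an empty array slipped past this check into token creation.
            if (serverCerts == null || serverCerts.length == 0) {
                throw new UntrustedURLConnectionIOException("Unable to establish trust because no certificates were found.");
            }
            try {
                // NOTE(review): the array cast assumes the TLS layer returns an
                // X509Certificate[]; a plain Certificate[] would fail here with
                // ClassCastException - confirm.
                Subject receiver = OutgoingSubjectRetrievalInterceptor.this.securityManager.getSubject(
                        OutgoingSubjectRetrievalInterceptor.this.tokenFactory.getTokenFromCerts((X509Certificate[]) serverCerts, "*"));
                message.put(Subject.class, receiver);
            } catch (SecurityServiceException e) {
                UntrustedURLConnectionIOException untrusted = new UntrustedURLConnectionIOException("Error trying to get receiver subject for event.");
                untrusted.initCause(e);
                throw untrusted;
            }
        }
    }

    /**
     * Registers the interceptor in the {@code pre-stream} phase and initialises the PKI token
     * factory from the server signature properties under {@code ddf.home}.
     */
    public OutgoingSubjectRetrievalInterceptor() {
        super("pre-stream");
        this.ending = new EventSecurityEndingInterceptor();
        this.tokenFactory = new PKIAuthenticationTokenFactory();
        // NOTE(review): if the "ddf.home" system property is unset, this path starts with the
        // literal text "null" - confirm the property is always set before construction.
        this.tokenFactory.setSignaturePropertiesPath(System.getProperty("ddf.home") + "/etc/ws-security/server/signature.properties");
        this.tokenFactory.init();
        this.securityManager = Security.getInstance().getSecurityManager();
    }

    /**
     * Installs the receiver trust decider and the ending interceptor on requestor-side
     * messages whose {@code http.scheme} is {@code https}; other messages are left untouched.
     *
     * @param message the outgoing message
     * @throws Fault declared by the interceptor contract; not thrown directly here
     */
    public void handleMessage(Message message) throws Fault {
        if (isRequestor(message) && "https".equals(message.get("http.scheme"))) {
            // Wrap rather than replace, so an already configured decider is still consulted.
            message.put(MessageTrustDecider.class, new ReceiverTrustDecider((MessageTrustDecider) message.get(MessageTrustDecider.class)));
            message.getInterceptorChain().add(this.ending);
        }
    }

    /**
     * JAX-WS handler entry point; delegates to {@link #handleMessage(Message)} with the wrapped
     * CXF message.
     *
     * @return always {@code true}
     */
    public boolean handleMessage(WrappedMessageContext wrappedMessageContext) {
        handleMessage(wrappedMessageContext.getWrappedMessage());
        return true;
    }

    /**
     * No fault handling is performed.
     *
     * @return always {@code true}
     */
    public boolean handleFault(WrappedMessageContext wrappedMessageContext) {
        return true;
    }

    /** Nothing to release. */
    public void close(MessageContext messageContext) {
    }
}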
