package ddf.security.soap.impl;

import ddf.security.PropertiesLoader;
import ddf.security.Subject;
import ddf.security.assertion.SecurityAssertion;
import ddf.security.assertion.impl.SecurityAssertionImpl;
import ddf.security.sts.client.configuration.STSClientConfiguration;
import ddf.security.ws.proxy.ProxyServiceFactory;
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.service.factory.ServiceConstructionException;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.wss4j.policy.model.IssuedToken;
import org.codice.ddf.platform.util.http.UnavailableUrls;
import org.codice.ddf.security.common.HttpUtils;
import org.codice.ddf.security.common.jaxrs.RestSecurity;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:ddf-security-common-2.9.1.jar:ddf/security/soap/impl/SecureProxyServiceFactoryImpl.class */
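/**
 * Builds secure JAX-WS client proxies whose outbound calls carry a SAML security token obtained
 * through the configured STS.
 *
 * <p>Every proxy is wired with an {@link STSClient}. When the caller already holds a
 * {@link SecurityToken} (taken from a {@link SecurityAssertion} or from the
 * {@link SecurityAssertion} principal of a {@link Subject}), that token is placed on the client as
 * {@code ws-security.token}. The {@link TokenPassThroughInterceptor} then decides, per outbound
 * message, whether the remote endpoint's IssuedToken policy accepts that token as-is or whether it
 * must be exchanged at the STS, with the caller's token supplied as OnBehalfOf.
 *
 * <p>WSDL URLs that failed to produce a client are remembered in {@link #unavailableWsdls}, so later
 * proxies for the same endpoint are built directly from the service class.
 *
 * <p>This listing was reconstructed from decompiler output of {@code ddf-security-common-2.9.1.jar};
 * local and parameter names are therefore reconstructed, not original.
 */
public class SecureProxyServiceFactoryImpl implements ProxyServiceFactory {
    /** WS-Addressing namespace set on the STS client. */
    protected static final String ADDRESSING_NAMESPACE = "http://www.w3.org/2005/08/addressing";
    private static final Logger LOGGER = LoggerFactory.getLogger(SecureProxyServiceFactoryImpl.class);

    // CXF client / message property keys used below. Values are kept byte-identical to the
    // string literals in the original bytecode.
    private static final String STS_CLIENT_KEY = "security.sts.client";
    private static final String TOKEN_KEY = "ws-security.token";
    private static final String ON_BEHALF_OF_KEY = "security.sts.token.on-behalf-of";
    private static final String SIGNATURE_PROPERTIES_KEY = "security.signature.properties";
    private static final String ENCRYPTION_PROPERTIES_KEY = "security.encryption.properties";
    private static final String STS_TOKEN_PROPERTIES_KEY = "security.sts.token.properties";
    private static final String STS_TOKEN_USE_CERT_KEY = "security.sts.token.usecert";
    private static final String DISABLE_WSMEX_KEY = "security.sts.disable-wsmex-call-using-epr-address";

    private static final String ISSUED_TOKEN_LOCALNAME = "IssuedToken";
    private static final String WSDL_QUERY_SUFFIX = "?wsdl";

    /** WSDL URLs that could not be used to build a client; those endpoints are built from the class. */
    private final UnavailableUrls unavailableWsdls = new UnavailableUrls();
    /** STS coordinates and crypto property-file locations; read afresh on every client build. */
    private final STSClientConfiguration stsClientConfig;

    /**
     * Outbound interceptor (phase {@code post-logical}) that checks the caller's existing token
     * against the target endpoint's {@code IssuedToken} policy, i.e. its
     * RequestSecurityTokenTemplate.
     *
     * <p>If the template asks for a TokenType, KeyType or non-optional ClaimType that the existing
     * SAML assertion does not satisfy, the token is removed from the message
     * ({@code ws-security.token} set to null) and handed to the STS client as
     * {@code security.sts.token.on-behalf-of}, so a token matching the remote policy is issued on
     * the caller's behalf. Otherwise the message is left untouched and the token passes through.
     *
     * <p>The decompiler reports this type was originally package-private.
     */
    public static final class TokenPassThroughInterceptor extends AbstractPhaseInterceptor<Message> {
        private static final String WSP_2005_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
        private static final String WSP_2007_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";

        public TokenPassThroughInterceptor() {
            super("post-logical");
        }

        /**
         * Decides whether the token on {@code message} can be reused for this call.
         *
         * <p>Nothing happens when the message carries no {@link AssertionInfoMap}, no IssuedToken
         * assertion, no {@code ws-security.token}, or no RequestSecurityTokenTemplate.
         *
         * @throws Fault if the template cannot be read as XML
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> issuedTokenInfos = getAllAssertionsByLocalname(aim, ISSUED_TOKEN_LOCALNAME);
            // getAllAssertionsByLocalname() returns an empty set, never null, when the policy has no
            // IssuedToken assertion; checking only for null let iterator().next() throw on that set.
            if (issuedTokenInfos == null || issuedTokenInfos.isEmpty()) {
                return;
            }
            Object policyAssertion = issuedTokenInfos.iterator().next().getAssertion();
            SecurityToken existingToken = (SecurityToken) message.getContextualProperty(TOKEN_KEY);
            if (existingToken == null || !(policyAssertion instanceof IssuedToken)) {
                return;
            }
            Element template = ((IssuedToken) policyAssertion).getRequestSecurityTokenTemplate();
            if (template == null) {
                // Nothing to compare against; the existing token stays on the message.
                return;
            }
            SecurityAssertionImpl existingAssertion = new SecurityAssertionImpl(existingToken);
            boolean needsExchange;
            try {
                needsExchange = !templateAcceptsToken(template, existingAssertion);
            } catch (XMLStreamException e) {
                throw new Fault(e);
            }
            if (needsExchange) {
                // Drop the caller's token from the outgoing message and give it to the STS client as
                // OnBehalfOf: the STS, not this proxy, issues the token the remote policy asks for.
                message.put(TOKEN_KEY, null);
                message.put(ON_BEHALF_OF_KEY, existingToken.getToken());
            }
        }

        /**
         * Walks the RequestSecurityTokenTemplate and returns {@code false} as soon as one of its
         * TokenType, KeyType or ClaimType elements is not satisfied by {@code existing}; returns
         * {@code true} when every checked element is satisfied (other elements are ignored).
         *
         * @throws XMLStreamException if the template cannot be read
         */
        private static boolean templateAcceptsToken(Element template, SecurityAssertionImpl existing)
                throws XMLStreamException {
            List<AttributeStatement> statements = existing.getAttributeStatements();
            XMLStreamReader reader = StaxUtils.createXMLStreamReader(template);
            try {
                while (reader.hasNext()) {
                    if (reader.next() != XMLStreamReader.START_ELEMENT) {
                        continue;
                    }
                    switch (reader.getLocalName()) {
                        case "TokenType":
                            if (!tokenTypeMatches(reader.getElementText(), existing)) {
                                return false;
                            }
                            break;
                        case "KeyType":
                            if (!keyTypeMatches(reader.getElementText(), existing)) {
                                return false;
                            }
                            break;
                        case "ClaimType":
                            if (!claimSatisfied(reader, statements)) {
                                return false;
                            }
                            break;
                        default:
                            break;
                    }
                }
                return true;
            } finally {
                reader.close();
            }
        }

        /** True when the template's (trimmed) TokenType text equals the existing token type. */
        private static boolean tokenTypeMatches(String requestedType, SecurityAssertionImpl existing) {
            return requestedType != null && requestedType.trim().equals(existing.getTokenType());
        }

        /**
         * True unless the template's KeyType asks for a subject confirmation the existing assertion
         * does not carry: a "bearer" key type needs a bearer confirmation, "publickey" or
         * "symmetrickey" need holder-of-key or sender-vouches. Comparisons are case-insensitive
         * substring matches, as in the original.
         */
        private static boolean keyTypeMatches(String requestedKeyType, SecurityAssertionImpl existing) {
            Collection<String> confirmations = existing.getSubjectConfirmations();
            if (StringUtils.containsIgnoreCase(requestedKeyType, "bearer")
                    && confirmations.stream().noneMatch(c -> StringUtils.containsIgnoreCase(c, "bearer"))) {
                return false;
            }
            boolean wantsKey = StringUtils.containsIgnoreCase(requestedKeyType, "publickey")
                    || StringUtils.containsIgnoreCase(requestedKeyType, "symmetrickey");
            return !wantsKey
                    || confirmations.stream().anyMatch(c ->
                            StringUtils.containsIgnoreCase(c, "holder-of-key")
                                    || StringUtils.containsIgnoreCase(c, "sender-vouches"));
        }

        /**
         * Reads one ClaimType start element (the reader must be positioned on it) and returns
         * {@code true} if the claim is optional (attribute {@code Optional}, default true) or some
         * attribute statement of the existing assertion carries an attribute whose name equals the
         * claim's {@code Uri}.
         */
        private static boolean claimSatisfied(XMLStreamReader reader, List<AttributeStatement> statements) {
            boolean optional = true;
            String claimUri = "";
            for (int i = 0, n = reader.getAttributeCount(); i < n; i++) {
                String attrName = reader.getAttributeLocalName(i);
                if ("Optional".equalsIgnoreCase(attrName)) {
                    optional = Boolean.parseBoolean(reader.getAttributeValue(i));
                } else if ("Uri".equalsIgnoreCase(attrName)) {
                    claimUri = reader.getAttributeValue(i);
                }
            }
            if (optional) {
                return true;
            }
            for (AttributeStatement statement : statements) {
                for (Attribute attribute : statement.getAttributes()) {
                    if (claimUri != null && claimUri.equals(attribute.getName())) {
                        return true;
                    }
                }
            }
            return false;
        }

        /**
         * Collects the {@link AssertionInfo}s named {@code localName} under either the 2005 or the
         * 2007 WS-SecurityPolicy namespace.
         *
         * @return the union of both lookups, or an immutable empty set when neither has any
         *     entries; never null
         */
        static Collection<AssertionInfo> getAllAssertionsByLocalname(AssertionInfoMap aim, String localName) {
            Collection<AssertionInfo> wsp2005 = aim.get(new QName(WSP_2005_NS, localName));
            Collection<AssertionInfo> wsp2007 = aim.get(new QName(WSP_2007_NS, localName));
            boolean no2005 = wsp2005 == null || wsp2005.isEmpty();
            boolean no2007 = wsp2007 == null || wsp2007.isEmpty();
            if (no2005 && no2007) {
                return Collections.emptySet();
            }
            HashSet<AssertionInfo> merged = new HashSet<>();
            if (wsp2005 != null) {
                merged.addAll(wsp2005);
            }
            if (wsp2007 != null) {
                merged.addAll(wsp2007);
            }
            return merged;
        }
    }

    /**
     * Endpoint coordinates for one proxy: service class, service and endpoint QNames, the endpoint
     * address with its query string stripped, and the WSDL URL derived from that address.
     *
     * <p>Non-static because the WSDL URL comes from the overridable
     * {@link SecureProxyServiceFactoryImpl#appendWsdlExtension(String)}. The decompiler reports
     * this type was originally private.
     *
     * @param <ProxyServiceType> the JAX-WS service interface
     */
    public class WebServiceProperties<ProxyServiceType> {
        public final Class<ProxyServiceType> serviceClass;
        public final QName serviceName;
        public final QName endpointName;
        /** Endpoint address after {@link HttpUtils#stripQueryString(String)}. */
        public final String endpointAddress;
        /** {@link #endpointAddress} plus the WSDL suffix; also the key into the unavailable-WSDL cache. */
        public final String endpointWsdlURL;

        public WebServiceProperties(Class<ProxyServiceType> serviceClass, QName serviceName,
                QName endpointName, String endpointAddress) {
            this.serviceClass = serviceClass;
            this.serviceName = serviceName;
            this.endpointName = endpointName;
            this.endpointAddress = HttpUtils.stripQueryString(endpointAddress);
            this.endpointWsdlURL = SecureProxyServiceFactoryImpl.this.appendWsdlExtension(this.endpointAddress);
        }
    }

    /**
     * @param stsClientConfig address, service/endpoint names and property-file locations of the
     *     STS that issues tokens for the proxies; held by reference, never copied
     */
    public SecureProxyServiceFactoryImpl(STSClientConfiguration stsClientConfig) {
        this.stsClientConfig = stsClientConfig;
    }

    /**
     * Derives the WSDL URL for an endpoint address by appending {@code ?wsdl}.
     *
     * <p>Overridable for endpoints that publish their WSDL elsewhere. A null address yields the
     * literal string {@code "null?wsdl"} (plain string concatenation), unchanged from the original.
     */
    protected String appendWsdlExtension(String endpointAddress) {
        return endpointAddress + WSDL_QUERY_SUFFIX;
    }

    /**
     * Creates a secure JAX-WS proxy for {@code serviceClass} at {@code endpointAddress}.
     *
     * @param secure present for the {@link ProxyServiceFactory} contract; not consulted here —
     *     every proxy this factory builds carries the STS client and the pass-through interceptor
     * @param serviceClass the JAX-WS service interface to proxy
     * @param serviceName WSDL service QName
     * @param endpointName WSDL port QName
     * @param endpointAddress endpoint URL; any query string is stripped before use
     * @param securityAssertion the caller's {@link SecurityAssertion} or {@link Subject} whose
     *     token should be forwarded; any other value (or null) yields a proxy with no initial token
     * @return the configured proxy
     * @throws UnsupportedOperationException propagated from client construction
     */
    @Override
    public <ProxyServiceType> ProxyServiceType create(boolean secure, Class<ProxyServiceType> serviceClass,
            QName serviceName, QName endpointName, String endpointAddress, Serializable securityAssertion)
            throws UnsupportedOperationException {
        LOGGER.debug("Creating proxy service");
        WebServiceProperties<ProxyServiceType> wsp =
                new WebServiceProperties<>(serviceClass, serviceName, endpointName, endpointAddress);
        ProxyServiceType proxy = createSecureClientFactory(wsp, getSecurityToken(securityAssertion));
        LOGGER.debug("Finished creating proxy service");
        return proxy;
    }

    /**
     * Extracts the caller's {@link SecurityToken} from {@code securityAssertion}.
     *
     * @return the token of a {@link SecurityAssertion}, or of the {@link SecurityAssertion}
     *     principal of a {@link Subject}; null when neither applies, the subject has no principals,
     *     or no such principal is present
     */
    private SecurityToken getSecurityToken(Serializable securityAssertion) {
        if (securityAssertion instanceof SecurityAssertion) {
            return ((SecurityAssertion) securityAssertion).getSecurityToken();
        }
        if (securityAssertion instanceof Subject) {
            PrincipalCollection principals = ((Subject) securityAssertion).getPrincipals();
            if (principals != null) {
                SecurityAssertion assertion = principals.oneByType(SecurityAssertion.class);
                if (assertion != null) {
                    return assertion.getSecurityToken();
                }
            }
        }
        return null;
    }

    /**
     * Builds the CXF client proxy: configures the factory with the STS client and the caller's
     * token, adds the {@link TokenPassThroughInterceptor} to the out chain, and creates the proxy.
     *
     * <p>The client is built from the endpoint's WSDL unless that WSDL URL is already known to be
     * unavailable, in which case it is populated from the service class. If the WSDL attempt fails
     * with {@link ServiceConstructionException}, the WSDL URL is recorded as unavailable and the
     * build is retried from the service class; a failure of that retry propagates.
     *
     * @throws UnsupportedOperationException propagated from client construction
     */
    private <ProxyServiceType> ProxyServiceType createSecureClientFactory(
            WebServiceProperties<ProxyServiceType> wsp, SecurityToken securityToken)
            throws UnsupportedOperationException {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        boolean wsdlUnavailable = unavailableWsdls.contains(wsp.endpointWsdlURL);
        if (wsdlUnavailable) {
            LOGGER.debug("Using service class to create client rather than WSDL.");
        }
        factory.getClientFactoryBean().getServiceFactory().setPopulateFromClass(wsdlUnavailable);
        LOGGER.debug("Configuring client proxy properties");
        configureProxyFactoryProperties(factory, securityToken, wsp);
        factory.getOutInterceptors().add(new TokenPassThroughInterceptor());
        try {
            return factory.create(wsp.serviceClass);
        } catch (ServiceConstructionException e) {
            LOGGER.debug("Unable to use WSDL to build client. Attempting to use service class.", e);
            unavailableWsdls.add(wsp.endpointWsdlURL);
            factory.getClientFactoryBean().getServiceFactory().setPopulateFromClass(true);
            return factory.create(wsp.serviceClass);
        }
    }

    /**
     * Builds an {@link STSClient} on {@code bus} from {@link #stsClientConfig}.
     *
     * <p>When the configured STS address is null or empty the client is returned unconfigured
     * (logged at debug level, not an error). Otherwise the WSDL location, service and endpoint
     * names and the addressing namespace are set, the signature/encryption/token property files
     * are loaded into the client properties when configured, the STS is told to use the
     * certificate for KeyInfo, and the WS-MEX call via the EPR address is disabled.
     *
     * @param bus the CXF bus the client is bound to
     * @return the (possibly unconfigured) STS client
     */
    protected STSClient configureSTSClient(Bus bus) {
        LOGGER.debug("Configuring STS client...");
        String address = stsClientConfig.getAddress();
        String serviceName = stsClientConfig.getServiceName();
        String endpointName = stsClientConfig.getEndpointName();
        String signatureProperties = stsClientConfig.getSignatureProperties();
        String encryptionProperties = stsClientConfig.getEncryptionProperties();
        String tokenProperties = stsClientConfig.getTokenProperties();
        STSClient stsClient = new STSClient(bus);
        if (address == null || address.isEmpty()) {
            LOGGER.debug("STS address is null, unable to create STS Client");
        } else {
            LOGGER.debug("Setting WSDL location on STSClient: {}", address);
            stsClient.setWsdlLocation(address);
            LOGGER.debug("Setting service name on STSClient: {}", serviceName);
            stsClient.setServiceName(serviceName);
            LOGGER.debug("Setting endpoint name on STSClient: {}", endpointName);
            stsClient.setEndpointName(endpointName);
            LOGGER.debug("Setting addressing namespace on STSClient: {}", ADDRESSING_NAMESPACE);
            stsClient.setAddressingNamespace(ADDRESSING_NAMESPACE);
            Map<String, Object> props = new HashMap<>();
            putPropertiesIfConfigured(props, SIGNATURE_PROPERTIES_KEY, signatureProperties,
                    "Setting signature properties on STSClient: {}");
            putPropertiesIfConfigured(props, ENCRYPTION_PROPERTIES_KEY, encryptionProperties,
                    "Setting encryption properties on STSClient: {}");
            putPropertiesIfConfigured(props, STS_TOKEN_PROPERTIES_KEY, tokenProperties,
                    "Setting sts properties on STSClient: {}");
            LOGGER.debug("Setting STS TOKEN USE CERT FOR KEY INFO to \"true\"");
            props.put(STS_TOKEN_USE_CERT_KEY, Boolean.TRUE.toString());
            props.put(DISABLE_WSMEX_KEY, Boolean.TRUE.toString());
            stsClient.setProperties(props);
        }
        LOGGER.debug("Done configuring STS client");
        return stsClient;
    }

    /**
     * Configures {@code factory} for the endpoint described by {@code wsp}.
     *
     * <p>Does nothing when the endpoint address is null. Otherwise sets the WSDL URL, address,
     * service/endpoint names and service class, builds an {@link STSClient} on the factory's bus
     * (falling back to the thread-default bus), and installs the client properties: the STS
     * client, the caller's token as {@code ws-security.token} when it has a token element, the
     * signature/token/encryption property files when configured, and the WS-MEX-disable flag.
     *
     * <p>The caller's token is forwarded to the remote endpoint as-is unless the
     * {@link TokenPassThroughInterceptor} later replaces it with an STS-issued one.
     *
     * @param factory the proxy factory to configure
     * @param securityToken the caller's token, or null
     * @param wsp endpoint coordinates
     */
    protected void configureProxyFactoryProperties(JaxWsProxyFactoryBean factory, SecurityToken securityToken,
            WebServiceProperties<?> wsp) {
        String signatureProperties = stsClientConfig.getSignatureProperties();
        String encryptionProperties = stsClientConfig.getEncryptionProperties();
        String tokenProperties = stsClientConfig.getTokenProperties();
        LOGGER.debug("Configuring proxy factory properties");
        if (wsp.endpointAddress != null) {
            LOGGER.debug("Configuring JaxWsProxyFactoryBean");
            Bus bus = factory.getBus();
            if (bus == null) {
                LOGGER.debug("Getting CXF thread default bus.");
                bus = BusFactory.getThreadDefaultBus();
            }
            factory.setWsdlURL(wsp.endpointWsdlURL);
            factory.setAddress(wsp.endpointAddress);
            factory.setServiceName(wsp.serviceName);
            factory.setEndpointName(wsp.endpointName);
            factory.setServiceClass(wsp.serviceClass);
            LOGGER.debug("Configuring STS Client");
            Map<String, Object> props = new HashMap<>();
            STSClient stsClient = configureSTSClient(bus);
            LOGGER.debug("Setting STSClient");
            props.put(STS_CLIENT_KEY, stsClient);
            if (securityToken != null && securityToken.getToken() != null) {
                LOGGER.debug("Setting incoming SAML assertion to outgoing federated client");
                props.put(TOKEN_KEY, securityToken);
            }
            putPropertiesIfConfigured(props, SIGNATURE_PROPERTIES_KEY, signatureProperties,
                    "Setting signature properties: {}");
            putPropertiesIfConfigured(props, STS_TOKEN_PROPERTIES_KEY, tokenProperties,
                    "Setting sts properties: {}");
            putPropertiesIfConfigured(props, ENCRYPTION_PROPERTIES_KEY, encryptionProperties,
                    "Setting encryption properties: {}");
            props.put(DISABLE_WSMEX_KEY, Boolean.TRUE.toString());
            factory.setProperties(props);
        }
        LOGGER.debug("Finished configuring proxy factory properties");
    }

    /**
     * Loads the properties file at {@code path} through {@link PropertiesLoader} and stores it
     * under {@code key}, logging {@code logTemplate} with the path as its argument. Does nothing
     * when {@code path} is null or empty. Shared by the STS-client and proxy-factory configuration
     * so both treat an unset location the same way.
     */
    private static void putPropertiesIfConfigured(Map<String, Object> target, String key, String path,
            String logTemplate) {
        if (path == null || path.isEmpty()) {
            return;
        }
        LOGGER.debug(logTemplate, path);
        target.put(key, PropertiesLoader.loadProperties(path));
    }
}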
