package org.apache.cxf.rs.security.saml;

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
import org.apache.cxf.rs.security.xml.AbstractXmlSecInHandler;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.WSProviderConfig;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.w3c.dom.Element;

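/**
 * Base {@link ContainerRequestFilter} that accepts a SAML assertion carried by an
 * incoming JAX-RS request, verifies its XML signature, runs the configured
 * {@link Validator}, checks the subject-confirmation methods against the transport
 * and signature credentials and finally installs a {@link SecurityContext} on the
 * message. Every failure is reported to the client as a 401 through
 * {@link #throwFault(String, Exception)}; only the short error text is sent back,
 * the exception details go to the log.
 *
 * <p>Subclasses decide where the assertion is taken from (header, form field, ...)
 * and call one of the {@code validateToken} overloads.
 *
 * <p>Trust decisions made here:
 * <ul>
 *   <li>An unsigned assertion is accepted only when the request arrived over a TLS
 *       session that presented at least one peer (client) certificate.</li>
 *   <li>A signed assertion whose signature carries no {@code KeyInfo} is verified
 *       against the default alias of the signature crypto when
 *       {@link #setKeyInfoMustBeAvailable(boolean)} was set to {@code false}; with the
 *       default ({@code true}) a {@code null} key info is handed to WSS4J, which is
 *       relied upon to reject it.</li>
 *   <li>The holder-of-key / sender-vouches / bearer checks can be switched off with
 *       {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION}.</li>
 * </ul>
 *
 * <p>Decompiled from cxf-rt-rs-security-xml-3.2.2
 * (org/apache/cxf/rs/security/saml/AbstractSamlInHandler.class). The decompiler
 * reported that {@code validateToken(Message, InputStream)},
 * {@code validateToken(Message, Element)} and {@code throwFault} were
 * {@code protected} in the original source.
 */
@PreMatching
public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSamlInHandler.class);

    static {
        // Registers WSS4J's XML-security providers before any assertion is parsed.
        WSProviderConfig.init();
    }

    /** Validator run after signature verification; {@code null} skips that step. */
    private Validator samlValidator = new SamlAssertionValidator();
    /** When {@code true} (default) a signed assertion without KeyInfo is not verified against a default alias. */
    private boolean keyInfoMustBeAvailable = true;
    /** Builds the {@link SecurityContext} stored on the message; {@code null} skips that step. */
    private SecurityContextProvider scProvider = new SecurityContextProviderImpl();

    /**
     * Replaces the default {@link SamlAssertionValidator}.
     *
     * @param validator validator applied to every accepted assertion, or {@code null} to disable validation
     */
    public void setValidator(Validator validator) {
        this.samlValidator = validator;
    }

    /**
     * Replaces the default {@link SecurityContextProviderImpl}.
     *
     * @param securityContextProvider provider of the {@link SecurityContext} put on the message,
     *                                or {@code null} to leave the message untouched
     */
    public void setSecurityContextProvider(SecurityContextProvider securityContextProvider) {
        this.scProvider = securityContextProvider;
    }

    /**
     * Controls how a signed assertion without a {@code KeyInfo} element is handled.
     *
     * @param keyInfoMustBeAvailable {@code false} to verify such a signature against the
     *                               default alias of the signature crypto; {@code true} (default)
     *                               to pass a {@code null} key info to the signature check
     */
    public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
        this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
    }

    /**
     * Reads an assertion from {@code inputStream} and validates it.
     *
     * @param message     current CXF message
     * @param inputStream UTF-8 encoded XML of the assertion
     */
    public void validateToken(Message message, InputStream inputStream) {
        validateToken(message, readToken(message, inputStream));
    }

    /**
     * Parses the stream as UTF-8 XML through CXF's {@link StaxUtils} and returns the
     * document element. Any parse failure becomes a 401.
     * NOTE(review): DTD / external-entity handling is whatever StaxUtils configures — confirm there.
     *
     * @return the document element; never {@code null} because {@link #throwFault} always throws
     */
    protected Element readToken(Message message, InputStream inputStream) {
        try {
            return StaxUtils.read(new InputStreamReader(inputStream, StandardCharsets.UTF_8)).getDocumentElement();
        } catch (Exception e) {
            throwFault("Assertion can not be read as XML document", e);
            return null; // unreachable, throwFault always throws
        }
    }

    /**
     * Wraps a DOM assertion and validates it.
     *
     * @param message current CXF message
     * @param element the {@code saml:Assertion} element
     */
    public void validateToken(Message message, Element element) {
        validateToken(message, toWrapper(element));
    }

    /**
     * Builds the WSS4J wrapper for an assertion element; a wrapping failure becomes a 401.
     *
     * @return the wrapper; never {@code null} because {@link #throwFault} always throws
     */
    protected SamlAssertionWrapper toWrapper(Element element) {
        try {
            return new SamlAssertionWrapper(element);
        } catch (Exception e) {
            throwFault("Assertion can not be validated", e);
            return null; // unreachable, throwFault always throws
        }
    }

    /**
     * Full validation pipeline: audience restrictions, signature verification (or the
     * TLS-client-certificate exemption for unsigned assertions), the configured validator,
     * subject confirmation checks and security-context setup.
     *
     * <p>Any exception escaping the pipeline — including the 401 raised by a nested
     * {@link #throwFault} — is caught and reported as {@code "Assertion can not be validated"},
     * so the client sees that text for every failure and the original fault is logged twice.
     *
     * @param message              current CXF message
     * @param samlAssertionWrapper assertion to validate; must not be {@code null}
     */
    protected void validateToken(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        try {
            RequestData requestData = new RequestData();
            requestData.setMsgContext(message);
            configureAudienceRestriction(message, requestData);

            if (samlAssertionWrapper.isSigned()) {
                verifySignedAssertion(message, requestData, samlAssertionWrapper);
            } else {
                // An unsigned assertion is trusted only when the client authenticated with a
                // TLS certificate. An empty peer-certificate array counts as "no certificate",
                // matching the test checkBearer applies.
                Certificate[] tlsCertificates = getTLSCertificates(message);
                if (tlsCertificates == null || tlsCertificates.length == 0) {
                    throwFault("Assertion must be signed", null);
                }
            }

            if (this.samlValidator != null) {
                Credential credential = new Credential();
                credential.setSamlAssertion(samlAssertionWrapper);
                this.samlValidator.validate(credential, requestData);
            }
            checkSubjectConfirmationData(message, samlAssertionWrapper);
            setSecurityContext(message, samlAssertionWrapper);
        } catch (Exception e) {
            throwFault("Assertion can not be validated", e);
        }
    }

    /**
     * Signature branch of {@link #validateToken(Message, SamlAssertionWrapper)}: loads the
     * signature crypto, resolves the signing credential from the signature's KeyInfo (or the
     * default alias, see {@link #setKeyInfoMustBeAvailable(boolean)}), verifies the signature
     * and parses the subject.
     *
     * @throws WSSecurityException from WSS4J when the credential cannot be resolved, the
     *                             signature does not verify or the subject cannot be parsed
     */
    private void verifySignedAssertion(Message message, RequestData requestData,
                                       SamlAssertionWrapper samlAssertionWrapper) throws WSSecurityException {
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(RSSecurityUtils.getCallbackHandler(message, getClass()));
        try {
            requestData.setSigVerCrypto(new CryptoLoader().getCrypto(message,
                SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES));
        } catch (IOException e) {
            throwFault("Crypto can not be loaded", e);
        }
        // Certificate revocation checking is off unless explicitly enabled.
        requestData.setEnableRevocation(
            getBooleanProperty(SecurityConstants.ENABLE_REVOCATION, message, false));

        Signature signature = samlAssertionWrapper.getSignature();
        requestData.setWsDocInfo(new WSDocInfo(signature.getDOM().getOwnerDocument()));

        SAMLKeyInfo signingKeyInfo = null;
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo != null) {
            signingKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(),
                new WSSSAMLKeyInfoProcessor(requestData), requestData.getSigVerCrypto());
        } else if (!this.keyInfoMustBeAvailable) {
            signingKeyInfo = createKeyInfoFromDefaultAlias(requestData.getSigVerCrypto());
        }
        // signingKeyInfo is still null when KeyInfo is absent and keyInfoMustBeAvailable is
        // true; WSS4J's verifySignature is relied upon to reject that case.
        samlAssertionWrapper.verifySignature(signingKeyInfo);
        samlAssertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(requestData),
            requestData.getSigVerCrypto(), requestData.getCallbackHandler());
    }

    /**
     * Reads a security property and interprets it as a boolean.
     *
     * @param name         property name (one of the {@code SecurityConstants})
     * @param message      message the property is looked up on
     * @param defaultValue value returned when the property is not set
     * @return {@code Boolean.parseBoolean} of the property's string value, else {@code defaultValue}
     */
    private static boolean getBooleanProperty(String name, Message message, boolean defaultValue) {
        String value = (String) SecurityUtils.getSecurityPropertyValue(name, message);
        return value == null ? defaultValue : Boolean.parseBoolean(value);
    }

    /**
     * Installs the audience restrictions resolved from the message on the request data.
     */
    protected void configureAudienceRestriction(Message message, RequestData requestData) {
        requestData.setAudienceRestrictions(
            org.apache.cxf.rt.security.saml.utils.SAMLUtils.getAudienceRestrictions(message, false));
    }

    /**
     * Builds a {@link SAMLKeyInfo} from the first certificate of the crypto's default alias.
     * Used only when the signature carries no KeyInfo and
     * {@link #setKeyInfoMustBeAvailable(boolean)} was set to {@code false}.
     *
     * @param crypto signature-verification crypto
     * @return key info holding the default certificate and its public key
     * @throws WSSecurityException ({@code FAILED_SIGNATURE}) when the certificates cannot be
     *                             loaded or the alias yields no certificate
     */
    protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto crypto) throws WSSecurityException {
        X509Certificate[] certificates;
        try {
            certificates = RSSecurityUtils.getCertificates(crypto, crypto.getDefaultX509Identifier());
        } catch (Exception e) {
            LOG.log(Level.FINE, "Error in loading the certificates: " + e.getMessage(), e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
        }
        if (certificates == null || certificates.length == 0) {
            // Explicit instead of an ArrayIndexOutOfBoundsException caught by a blanket handler.
            LOG.log(Level.FINE, "No certificate found for the default alias");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE);
        }
        SAMLKeyInfo keyInfo = new SAMLKeyInfo(new X509Certificate[]{certificates[0]});
        keyInfo.setPublicKey(certificates[0].getPublicKey());
        return keyInfo;
    }

    /**
     * Runs the holder-of-key, sender-vouches and bearer checks unless
     * {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION} is set to {@code false}.
     * The first failing check raises a 401.
     */
    protected void checkSubjectConfirmationData(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        if (!getBooleanProperty(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, message, true)) {
            return;
        }
        Certificate[] tlsCertificates = getTLSCertificates(message);
        if (!checkHolderOfKey(message, samlAssertionWrapper, tlsCertificates)) {
            throwFault("Holder Of Key claim fails", null);
        }
        if (!checkSenderVouches(message, samlAssertionWrapper, tlsCertificates)) {
            throwFault("Sender vouchers claim fails", null);
        }
        if (!checkBearer(samlAssertionWrapper, tlsCertificates)) {
            throwFault("Bearer claim fails", null);
        }
    }

    /**
     * Stores the {@link SecurityContext} produced by the configured provider on the message.
     * Nothing happens when no provider is configured.
     */
    protected void setSecurityContext(Message message, SamlAssertionWrapper samlAssertionWrapper) {
        if (this.scProvider != null) {
            message.put(SecurityContext.class,
                this.scProvider.getSecurityContext(message, samlAssertionWrapper));
        }
    }

    /**
     * @return the peer certificates of the TLS session the message arrived on, or
     *         {@code null} when there is no {@link TLSSessionInfo} (or it holds none)
     */
    private Certificate[] getTLSCertificates(Message message) {
        TLSSessionInfo sessionInfo = message.get(TLSSessionInfo.class);
        return sessionInfo == null ? null : sessionInfo.getPeerCertificates();
    }

    /**
     * Logs the failure and aborts the request with a 401.
     *
     * <p>Only {@code error} is sent to the client; the stack trace of {@code ex}, when
     * present, is appended to the log entry only.
     *
     * @param error short, client-safe description of the failure
     * @param ex    cause, may be {@code null}
     * @throws javax.ws.rs.NotAuthorizedException always
     */
    public void throwFault(String error, Exception ex) {
        String logMessage = error;
        if (ex != null) {
            logMessage += ": " + ExceptionUtils.getStackTrace(ex);
        }
        LOG.warning(logMessage);
        throw ExceptionUtils.toNotAuthorizedException(null, JAXRSUtils.toResponseBuilder(401).entity(error).build());
    }

    /**
     * Sender-vouches check. A client TLS certificate is taken as sufficient proof and
     * short-circuits the check. Otherwise, for every sender-vouches confirmation method,
     * the assertion must either be a direct child of the message body element or its
     * signature credential must match the request's signing credentials
     * (see {@link #compareCredentials}).
     *
     * @return {@code true} when the claim is acceptable
     */
    protected boolean checkSenderVouches(Message message, SamlAssertionWrapper samlAssertionWrapper,
                                         Certificate[] tlsCerts) {
        if (tlsCerts != null && tlsCerts.length > 0) {
            return true;
        }
        for (String confirmationMethod : samlAssertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
                continue;
            }
            Element body = message.getContent(Element.class);
            boolean assertionInsideBody = samlAssertionWrapper.getElement().getParentNode() == body;
            if (!assertionInsideBody
                && !compareCredentials(samlAssertionWrapper.getSignatureKeyInfo(), message, tlsCerts)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Holder-of-key check: for every holder-of-key confirmation method the subject's key
     * material must match the TLS client certificate or the request's signing credentials
     * (see {@link #compareCredentials}).
     *
     * @return {@code true} when the claim is acceptable
     */
    protected boolean checkHolderOfKey(Message message, SamlAssertionWrapper samlAssertionWrapper,
                                       Certificate[] tlsCerts) {
        for (String confirmationMethod : samlAssertionWrapper.getConfirmationMethods()) {
            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)
                && !compareCredentials(samlAssertionWrapper.getSubjectKeyInfo(), message, tlsCerts)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Matches the assertion's key material against, in order: the first TLS peer
     * certificate, its public key, the XML-signature certificate stored on the in message
     * under {@code AbstractXmlSecInHandler.SIGNING_CERT}, and the signing public key under
     * {@code AbstractXmlSecInHandler.SIGNING_PUBLIC_KEY}.
     *
     * @param subjectKeyInfo key material taken from the assertion; {@code null} never matches
     * @return {@code true} on the first match, {@code false} otherwise or when the message
     *         exchange cannot be inspected
     */
    private boolean compareCredentials(SAMLKeyInfo subjectKeyInfo, Message message, Certificate[] tlsCerts) {
        if (subjectKeyInfo == null) {
            // No key material to prove possession of: fail the comparison explicitly rather
            // than through a NullPointerException caught by the caller's blanket handler.
            return false;
        }
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        boolean haveTlsCert = tlsCerts != null && tlsCerts.length > 0;
        boolean haveSubjectCert = subjectCerts != null && subjectCerts.length > 0;

        if (haveTlsCert && haveSubjectCert && tlsCerts[0].equals(subjectCerts[0])) {
            return true;
        }
        if (haveTlsCert && subjectKey != null && tlsCerts[0].getPublicKey().equals(subjectKey)) {
            return true;
        }
        try {
            Message inMessage = message.getExchange().getInMessage();
            X509Certificate signingCert = (X509Certificate) inMessage.get(AbstractXmlSecInHandler.SIGNING_CERT);
            if (haveSubjectCert && signingCert != null && signingCert.equals(subjectCerts[0])) {
                return true;
            }
            PublicKey signingKey = (PublicKey) inMessage.get(AbstractXmlSecInHandler.SIGNING_PUBLIC_KEY);
            return signingKey != null && signingKey.equals(subjectKey);
        } catch (Exception e) {
            // Best effort: treat an uninspectable exchange as "no match".
            LOG.log(Level.FINE, "Signing credentials could not be read from the exchange", e);
            return false;
        }
    }

    /**
     * Bearer check: a bearer assertion must be signed or arrive with a TLS client certificate.
     *
     * @return {@code true} when the claim is acceptable
     */
    protected boolean checkBearer(SamlAssertionWrapper samlAssertionWrapper, Certificate[] tlsCerts) {
        boolean noTlsCert = tlsCerts == null || tlsCerts.length == 0;
        for (String confirmationMethod : samlAssertionWrapper.getConfirmationMethods()) {
            if (isMethodBearer(confirmationMethod) && !samlAssertionWrapper.isSigned() && noTlsCert) {
                return false;
            }
        }
        return true;
    }

    /**
     * @return {@code true} for the SAML 1.x / 2.0 bearer confirmation method URNs
     */
    private boolean isMethodBearer(String confirmationMethod) {
        return confirmationMethod != null
            && confirmationMethod.startsWith("urn:oasis:names:tc:SAML:")
            && confirmationMethod.endsWith(":cm:bearer");
    }
}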
