package org.apache.rampart;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.Vector;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
import org.apache.axiom.soap.SOAPFault;
import org.apache.axiom.soap.SOAPFaultCode;
import org.apache.axiom.soap.SOAPFaultSubCode;
import org.apache.axiom.soap.SOAPFaultValue;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.Token;
import org.apache.rahas.TokenStorage;
import org.apache.rahas.TrustUtil;
import org.apache.rahas.impl.util.SAML2KeyInfo;
import org.apache.rahas.impl.util.SAML2Utils;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.rampart.util.Axis2Util;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.WSSPolicyException;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.security.KerberosTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmationData;

/* loaded from: input_file:WEB-INF/lib/rampart-core-1.6.1-wso2v28.jar:org/apache/rampart/RampartEngine.class */
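/**
 * Inbound WS-Security processing for Rampart.
 *
 * <p>{@link #process(MessageContext)} locates the {@code wsse:Security} header, runs it through the
 * WSS4J {@link WSSecurityEngine}, post-processes the individual results (SAML token caching,
 * UsernameToken nonce replay detection, X.509 / Kerberos principal propagation into the message
 * context) and finally hands every result to the policy validator configured for the service.
 *
 * <p>Listing recovered from {@code rampart-core-1.6.1-wso2v28.jar}; local and private helper names
 * are reconstructed, the public surface is unchanged.
 */
public class RampartEngine {
    private static Log log = LogFactory.getLog(RampartEngine.class);
    private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
    // Static, so the nonce cache is shared by every RampartEngine instance in this JVM: a replayed
    // UsernameToken nonce is detected regardless of which engine instance sees the message.
    private static ServiceNonceCache serviceNonceCache = new ServiceNonceCache();

    /** WS-Security 1.0 {@code wsse} namespace; identifies the Security header and security fault codes. */
    private static final String WSSE_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** SOAP 1.1 envelope namespace. */
    private static final String SOAP11_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    /** SOAP 1.2 envelope namespace. */
    private static final String SOAP12_ENV_NS = "http://www.w3.org/2003/05/soap-envelope";
    /** SAML 1.x subject confirmation methods that carry no key material, so nothing is cached for them. */
    private static final String SAML11_CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String SAML11_CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";

    /**
     * Processes the inbound security header of {@code messageContext}.
     *
     * @param messageContext the Axis2 message context of the inbound (or inbound-fault) message
     * @return the WSS4J results ({@link WSSecurityEngineResult} elements) that were validated
     *         against the policy, or {@code null} when the service has no Rampart policy, the
     *         message is a security fault, or the policy does not require a security header
     * @throws RampartException if the SOAP header or the {@code wsse:Security} header is missing,
     *         a {@code Body} element appears inside the header while body signing is required,
     *         a UsernameToken nonce is replayed, the configured nonce lifetime is not an integer,
     *         a SAML token cannot be stored, or an asymmetric-binding signature carries no certificate
     * @throws WSSecurityException propagated from the WSS4J engine
     * @throws WSSPolicyException propagated from policy evaluation
     * @throws AxisFault propagated from Axis2 / transport validation
     */
    public Vector process(MessageContext messageContext) throws WSSPolicyException, RampartException, WSSecurityException, AxisFault {
        boolean timingEnabled = tlog.isDebugEnabled();
        log.debug("Enter process(MessageContext msgCtx)");
        RampartMessageData rmd = new RampartMessageData(messageContext, false);
        RampartPolicyData policyData = rmd.getPolicyData();
        if (log.isDebugEnabled() && policyData != null && policyData.getRampartConfig() != null
                && policyData.getRampartConfig().isOptimizeMessageProcessingForTransportBinding()) {
            log.debug("Optimized Message Processing enabled for transport binding.");
        }
        messageContext.setProperty(RampartMessageData.RAMPART_POLICY_DATA, policyData);
        RampartUtil.validateTransport(rmd);
        if (policyData == null) {
            // No Rampart policy attached to this service: nothing to enforce.
            return null;
        }
        if (isSecurityFault(rmd) || !RampartUtil.isSecHeaderRequired(policyData, rmd.isInitiator(), true)) {
            // Security faults and messages that need no header skip WSS4J entirely, but the
            // envelope still has to be converted back from the DOOM document before Axis2 continues.
            messageContext.setEnvelope(Axis2Util.getSOAPEnvelopeFromDOMDocument(rmd.getDocument(), true));
            Axis2Util.useDOOM(false);
            log.debug("Return process MessageContext msgCtx)");
            return null;
        }

        WSSecurityEngine engine = new WSSecurityEngine();
        ValidatorData validatorData = new ValidatorData(rmd);
        SOAPHeader header = rmd.getMsgContext().getEnvelope().getHeader();
        if (header == null) {
            throw new RampartException("missingSOAPHeader");
        }
        if ((policyData.isSignBody() || policyData.isEntireHeadersAndBodySignatures())
                && !isValidHeaderForSignedBody(header)) {
            // When the body must be signed, a second "Body" element hidden in the header is
            // rejected outright rather than risking that the signature covers the wrong one.
            throw new RampartException("Duplicate Body element within the header");
        }
        SOAPHeaderBlock securityHeader = findSecurityHeaderBlock(header);
        if (securityHeader == null) {
            throw new RampartException("missingSecurityHeader");
        }

        long startMillis = timingEnabled ? System.currentTimeMillis() : 0L;
        // SOAP 1.1 names the target "actor", SOAP 1.2 "role"; WSS4J uses it to select the header.
        String actor = securityHeader.getAttributeValue(new QName(rmd.getSoapConstants().getEnvelopeURI(), "actor"));
        if (actor == null) {
            actor = securityHeader.getAttributeValue(new QName(rmd.getSoapConstants().getEnvelopeURI(), "role"));
        }
        ClassLoader serviceClassLoader = messageContext.getAxisService().getClassLoader();
        Crypto signatureCrypto = RampartUtil.getSignatureCrypto(policyData.getRampartConfig(), serviceClassLoader);
        // policyData is known to be non-null here, so the config-aware handler is always used
        // (the listing carried a dead null-check branch at this point).
        TokenCallbackHandler tokenCallbackHandler = new TokenCallbackHandler(rmd.getTokenStorage(),
                RampartUtil.getPasswordCB(rmd), policyData.getRampartConfig());

        Object doomTriggerToken;
        if (policyData.isSymmetricBinding()) {
            log.debug("Processing security header using SymetricBinding");
            // The listing tested getSignatureToken() but cast getInitiatorToken(); the cast now
            // follows the token that was tested.
            doomTriggerToken = policyData.getSignatureToken();
        } else {
            log.debug("Processing security header in normal path");
            doomTriggerToken = policyData.getInitiatorToken();
        }
        // SAML 1.0 issued tokens are parsed with DOOM unless the shared DOOM parser pool is in use.
        // The flag is process-wide state, so it is reset in a finally block even if WSS4J throws.
        boolean doomRequired = requiresDoomForSaml10(doomTriggerToken);
        Vector results;
        if (doomRequired) {
            DocumentBuilderFactoryImpl.setDOOMRequired(true);
        }
        try {
            results = engine.processSecurityHeader(rmd.getDocument(), actor, tokenCallbackHandler, signatureCrypto,
                    RampartUtil.getEncryptionCrypto(policyData.getRampartConfig(), serviceClassLoader));
        } finally {
            if (doomRequired) {
                DocumentBuilderFactoryImpl.setDOOMRequired(false);
            }
        }
        if (policyData.isSymmetricBinding() && rmd.isInitiator()
                && (messageContext.getFLOW() == MessageContext.IN_FLOW
                    || messageContext.getFLOW() == MessageContext.IN_FAULT_FLOW)) {
            // Initiator receiving an inbound message under the symmetric binding: the handler's
            // encrypted token is discarded (see TokenCallbackHandler.removeEncryptedToken).
            tokenCallbackHandler.removeEncryptedToken();
        }
        if (results == null) {
            // NOTE(review): WSS4J appears to report "no Security header for this actor/role" as a
            // null result vector — confirm against the WSS4J version in use. The listing looped
            // straight into it and would have failed with an NPE; surface it as the same fault
            // a missing header produces.
            throw new RampartException("missingSecurityHeader");
        }
        long afterEngineMillis = timingEnabled ? System.currentTimeMillis() : 0L;

        for (int i = 0; i < results.size(); i++) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) results.get(i);
            int action = ((Integer) result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
            if (WSConstants.ST_UNSIGNED == action) {
                Object samlObject = result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                boolean keyBearing;
                if (samlObject instanceof Assertion) {
                    keyBearing = cacheSaml2Token(messageContext, rmd, (Assertion) samlObject, signatureCrypto, tokenCallbackHandler);
                } else {
                    keyBearing = cacheSaml1Token(messageContext, rmd, (SAMLAssertion) samlObject, signatureCrypto, tokenCallbackHandler);
                }
                if (!keyBearing) {
                    // NOTE(review): this is a break, not a continue — a bearer / sender-vouches
                    // assertion ends the loop, so any later result (UsernameToken nonce check,
                    // certificate / Kerberos principal propagation) is not post-processed here.
                    // The full result vector still reaches the policy validator below. Confirm
                    // whether `continue` was intended.
                    break;
                }
            } else if (WSConstants.UT == action) {
                WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                String username = principal.getName();
                messageContext.setProperty("username", username);
                if (principal.getNonce() != null) {
                    rejectReplayedNonce(messageContext, policyData, principal, username);
                }
            } else if (WSConstants.SIGN == action) {
                X509Certificate certificate = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (policyData.isAsymmetricBinding() && certificate == null && policyData.getInitiatorToken() != null
                        && !(policyData.getInitiatorToken() instanceof IssuedToken)
                        && !policyData.getInitiatorToken().isDerivedKeys()) {
                    // Asymmetric binding with a plain (non-issued, non-derived) initiator token:
                    // a signature result without a certificate is refused.
                    throw new RampartException("invalidSignatureAlgo");
                }
                messageContext.setProperty("X509Certificate", certificate);
            } else if (action == 4608 || action == 5632 || action == 5120) {
                // Presumably the Kerberos-token result actions; their symbolic constants are not
                // visible in this listing — confirm the names before replacing the literals.
                propagateKerberosPrincipal(messageContext,
                        (KerberosTokenPrincipal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL));
            }
        }

        RampartConfig rampartConfig = policyData.getRampartConfig();
        if (rampartConfig != null && !rampartConfig.isOptimizeMessageProcessingForTransportBinding()) {
            // Convert the processed DOOM document back into the Axis2 envelope unless the
            // transport-binding optimisation asks to skip it.
            messageContext.setEnvelope(Axis2Util.getSOAPEnvelopeFromDOMDocument(rmd.getDocument(), true));
        }
        long afterConversionMillis = timingEnabled ? System.currentTimeMillis() : 0L;
        Axis2Util.useDOOM(false);
        // Every result — including any the loop above did not reach — is checked against the policy.
        RampartUtil.getPolicyValidatorCB(messageContext, policyData).validate(validatorData, results);
        if (timingEnabled) {
            tlog.debug("processHeader by WSSecurityEngine took : " + (afterEngineMillis - startMillis)
                    + ", DOOM conversion took :" + (afterConversionMillis - afterEngineMillis)
                    + ", PolicyBasedResultsValidattor took " + (System.currentTimeMillis() - afterConversionMillis));
        }
        log.debug("Return process(MessageContext msgCtx)");
        return results;
    }

    /**
     * Returns the first {@code wsse:Security} header block of {@code header}, or {@code null} if
     * there is none.
     */
    private static SOAPHeaderBlock findSecurityHeaderBlock(SOAPHeader header) {
        ArrayList blocks = header.getHeaderBlocksWithNSURI(WSSE_NS);
        if (blocks == null) {
            return null;
        }
        for (Iterator it = blocks.iterator(); it.hasNext();) {
            SOAPHeaderBlock block = (SOAPHeaderBlock) it.next();
            if (block.getLocalName().equals(WSConstants.WSSE_LN)) {
                return block;
            }
        }
        return null;
    }

    /**
     * Whether {@code token} is a SAML 1.0 issued token that has to be parsed with DOOM.
     *
     * @param token a policy token of any type; only {@link IssuedToken} instances can qualify
     * @return {@code true} if the token's RST token type is SAML 1.0 and the DOOM parser pool is not in use
     */
    private static boolean requiresDoomForSaml10(Object token) {
        return token instanceof IssuedToken
                && RahasConstants.TOK_TYPE_SAML_10.equals(((IssuedToken) token).getRstTokenType().trim())
                && !TrustUtil.isDoomParserPoolUsed();
    }

    /**
     * Publishes the SAML 1.x subject to the message context and caches a key-bearing assertion
     * in the token store (once per assertion id).
     *
     * @return {@code false} for bearer / sender-vouches assertions, which carry no key material
     *         and are not cached; {@code true} otherwise
     * @throws RampartException if the token store rejects the assertion
     * @throws WSSecurityException if the assertion's key info cannot be resolved
     */
    private static boolean cacheSaml1Token(MessageContext messageContext, RampartMessageData rmd, SAMLAssertion assertion,
            Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler)
            throws WSSPolicyException, RampartException, WSSecurityException, AxisFault {
        Iterator statements = assertion.getStatements();
        while (statements.hasNext()) {
            // The property is overwritten per statement, so the last subject-bearing statement wins.
            SAMLSubject subject = ((SAMLSubjectStatement) statements.next()).getSubject();
            if (subject != null && subject.getNameIdentifier() != null) {
                messageContext.setProperty(RampartConstants.SAML_SUBJECT_ID, subject.getNameIdentifier().getName());
            }
        }
        String confirmationMethod = TrustUtil.getSAML11SubjectConfirmationMethod(assertion);
        if (SAML11_CM_BEARER.equals(confirmationMethod) || SAML11_CM_SENDER_VOUCHES.equals(confirmationMethod)) {
            return false;
        }
        String id = assertion.getId();
        Date notBefore = assertion.getNotBefore();
        Date notOnOrAfter = assertion.getNotOnOrAfter();
        SAMLKeyInfo keyInfo = SAMLUtil.getSAMLKeyInfo(assertion, signatureCrypto, tokenCallbackHandler);
        try {
            TokenStorage store = rmd.getTokenStorage();
            if (store.getToken(id) == null) {
                Token token = new Token(id, (OMElement) assertion.toDOM(), notBefore, notOnOrAfter);
                token.setSecret(keyInfo.getSecret());
                store.add(token);
            }
        } catch (Exception e) {
            throw new RampartException("errorInAddingTokenIntoStore", e);
        }
        return true;
    }

    /**
     * Publishes the SAML 2.0 subject to the message context and caches a key-bearing assertion
     * in the token store (once per assertion id).
     *
     * @return {@code false} for bearer / sender-vouches assertions, which carry no key material
     *         and are not cached; {@code true} otherwise
     * @throws RampartException if the token store rejects the assertion
     * @throws WSSecurityException if the assertion's key info cannot be resolved
     */
    private static boolean cacheSaml2Token(MessageContext messageContext, RampartMessageData rmd, Assertion assertion,
            Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler)
            throws WSSPolicyException, RampartException, WSSecurityException, AxisFault {
        Subject subject = assertion.getSubject();
        if (subject != null && subject.getNameID() != null) {
            messageContext.setProperty(RampartConstants.SAML_SUBJECT_ID, subject.getNameID().getValue());
        }
        String confirmationMethod = TrustUtil.getSAML2SubjectConfirmationMethod(assertion);
        if (confirmationMethod.equals(RahasConstants.SAML20_SUBJECT_CONFIRMATION_BEARER)
                || confirmationMethod.equals(RahasConstants.SAML20_SUBJECT_CONFIRMATION_SENDER_VOUCHES)) {
            return false;
        }
        String id = assertion.getID();
        Date notBefore = null;
        Date notOnOrAfter = null;
        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            // Validity window comes from the assertion-level Conditions when present ...
            if (conditions.getNotBefore() != null) {
                notBefore = conditions.getNotBefore().toDate();
            }
            if (conditions.getNotOnOrAfter() != null) {
                notOnOrAfter = conditions.getNotOnOrAfter().toDate();
            }
        } else {
            // ... and otherwise from the first SubjectConfirmationData.
            // NOTE(review): subject may be null (it is only null-guarded for the property above)
            // and the confirmation list may be empty; either case fails here with an unchecked
            // exception rather than a RampartException — confirm whether that is acceptable.
            SubjectConfirmationData confirmationData =
                    subject.getSubjectConfirmations().get(0).getSubjectConfirmationData();
            if (confirmationData.getNotBefore() != null) {
                notBefore = confirmationData.getNotBefore().toDate();
            }
            if (confirmationData.getNotOnOrAfter() != null) {
                notOnOrAfter = confirmationData.getNotOnOrAfter().toDate();
            }
        }
        SAML2KeyInfo keyInfo = SAML2Utils.getSAML2KeyInfo(assertion, signatureCrypto, tokenCallbackHandler);
        try {
            TokenStorage store = rmd.getTokenStorage();
            if (store.getToken(id) == null) {
                Token token = new Token(id, (OMElement) SAML2Utils.getElementFromAssertion(assertion), notBefore, notOnOrAfter);
                token.setSecret(keyInfo.getSecret());
                store.add(token);
            }
        } catch (Exception e) {
            throw new RampartException("errorInAddingTokenIntoStore", e);
        }
        return true;
    }

    /**
     * Replay protection for UsernameToken nonces: rejects a nonce already recorded for this
     * endpoint and user, otherwise records it with the configured lifetime.
     *
     * @param username the token's user name, used as part of the cache key and in the fault
     * @throws RampartException {@code invalidNonceLifeTime} if the configured lifetime is not an
     *         integer, {@code repeatingNonceValue} if the nonce was seen before
     */
    private static void rejectReplayedNonce(MessageContext messageContext, RampartPolicyData policyData,
            WSUsernameTokenPrincipal principal, String username) throws RampartException {
        // 0 is what the cache receives when there is no RampartConfig; its meaning is up to
        // ServiceNonceCache (not visible here).
        int nonceLifeTime = 0;
        if (policyData.getRampartConfig() != null) {
            try {
                nonceLifeTime = Integer.parseInt(policyData.getRampartConfig().getNonceLifeTime());
            } catch (NumberFormatException e) {
                log.error("Invalid value for nonceLifeTime in rampart configuration file.", e);
                throw new RampartException("invalidNonceLifeTime", e);
            }
        }
        String endpointName = messageContext.getAxisService().getEndpointName();
        String nonce = principal.getNonce();
        if (serviceNonceCache.isNonceRepeatingForService(endpointName, username, nonce)) {
            throw new RampartException("repeatingNonceValue", new Object[]{nonce, username});
        }
        serviceNonceCache.addNonceForService(endpointName, username, nonce, nonceLifeTime);
    }

    /**
     * Copies the Kerberos client and service principal names into the message options.
     *
     * @param principal the Kerberos principal from the WSS4J result; {@code null} is ignored
     */
    private static void propagateKerberosPrincipal(MessageContext messageContext, KerberosTokenPrincipal principal) {
        if (principal == null) {
            return;
        }
        Object clientPrincipalName = principal.getClientPrincipalName();
        Object servicePrincipalName = principal.getServicePrincipalName();
        if (clientPrincipalName != null) {
            messageContext.getOptions().setProperty(KerberosConfig.CLIENT_PRINCIPLE_NAME, clientPrincipalName);
        }
        if (servicePrincipalName != null) {
            messageContext.getOptions().setProperty(KerberosConfig.SERVICE_PRINCIPLE_NAME, servicePrincipalName);
        }
    }

    /**
     * Checks that no element named {@code Body} occurs anywhere under {@code element}, except
     * inside a {@code wsse:Security} subtree, which is not descended into.
     *
     * @param element the element to scan (the SOAP header at the top-level call); {@code null} is valid
     * @return {@code false} if a {@code Body} element is found, {@code true} otherwise
     */
    private boolean isValidHeaderForSignedBody(OMElement element) {
        if (element == null) {
            return true;
        }
        if (element.getLocalName().equals("Body")) {
            return false;
        }
        Iterator children = element.getChildren();
        if (children == null) {
            return true;
        }
        while (children.hasNext()) {
            Object child = children.next();
            if (!(child instanceof OMElement)) {
                continue;
            }
            OMElement childElement = (OMElement) child;
            // The Security header itself is skipped; only the rest of the header is scanned.
            if (!childElement.getLocalName().equals(WSConstants.WSSE_LN) && !isValidHeaderForSignedBody(childElement)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Whether the message is a SOAP fault whose fault code (SOAP 1.1) or first sub-code value
     * (SOAP 1.2) is in the {@code wsse} namespace, i.e. a WS-Security fault. Such messages are
     * not run through the security engine.
     */
    private boolean isSecurityFault(RampartMessageData rmd) {
        SOAPFault fault = rmd.getMsgContext().getEnvelope().getBody().getFault();
        if (fault == null) {
            return false;
        }
        String envelopeNs = rmd.getMsgContext().getEnvelope().getNamespace().getNamespaceURI();
        SOAPFaultCode code = fault.getCode();
        if (code == null) {
            return false;
        }
        if (envelopeNs.equals(SOAP11_ENV_NS)) {
            return code.getTextAsQName().getNamespaceURI().equals(WSSE_NS);
        }
        if (!envelopeNs.equals(SOAP12_ENV_NS)) {
            return false;
        }
        SOAPFaultSubCode subCode = code.getSubCode();
        if (subCode == null) {
            return false;
        }
        SOAPFaultValue value = subCode.getValue();
        return value != null && value.getTextAsQName().getNamespaceURI().equals(WSSE_NS);
    }
}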
