package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.processor.UsernameTokenProcessor;
import org.apache.ws.security.validate.Validator;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.class */
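/**
 * Token interceptor that handles WS-Security {@code UsernameToken} elements on its own.
 *
 * <p>Inbound ({@link #processToken}): walks the children of the security header, turns
 * every {@code wsse:UsernameToken} into a {@link WSUsernameTokenPrincipal}, records a
 * WSS4J result for it, updates the policy assertions and installs a
 * {@link SecurityContext} when none with a user principal exists yet.
 *
 * <p>Outbound ({@link #addToken}): builds a {@link WSSecUsernameToken} from the
 * contextual username/password properties and appends it to the security header.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>When {@code SecurityConstants.VALIDATE_TOKEN} resolves to {@code false} the token
 *       is only parsed; this class performs no password check and sets no nonce replay
 *       cache on that path. The principal is still published on the message, so some
 *       later component must authenticate it.</li>
 *   <li>The default {@link #createSubject} returns {@code null}, so the installed
 *       {@link DefaultSecurityContext} carries no {@link Subject} unless a subclass
 *       overrides it.</li>
 *   <li>The token password (possibly clear text) is handed to {@link #createSubject} and
 *       stays on the principal stored in the message; overriders should not log it.</li>
 * </ul>
 */
public class UsernameTokenInterceptor extends AbstractTokenInterceptor {

    /**
     * Processes every {@code wsse:UsernameToken} child of the inbound security header.
     * Overrides {@code AbstractTokenInterceptor.processToken}.
     *
     * @param soapMessage the inbound message; nothing happens when it has no security header
     * @throws Fault wrapping any {@link WSSecurityException} raised while handling a token
     */
    @Override
    protected void processToken(SoapMessage soapMessage) {
        Header securityHeader = findSecurityHeader(soapMessage, false);
        if (securityHeader == null) {
            return;
        }
        for (Element child = DOMUtils.getFirstElement((Element) securityHeader.getObject());
                child != null;
                child = DOMUtils.getNextElement(child)) {
            // Both local name and namespace must match; a look-alike element in another
            // namespace is ignored.
            boolean isUsernameToken = SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
                    && DefaultCryptoCoverageChecker.WSSE_NS.equals(child.getNamespaceURI());
            if (!isUsernameToken) {
                continue;
            }
            try {
                WSUsernameTokenPrincipal principal = getPrincipal(child, soapMessage);
                if (principal != null) {
                    publishPrincipal(soapMessage, principal);
                }
            } catch (WSSecurityException e) {
                throw new Fault(e);
            }
        }
    }

    /**
     * Records the principal as a WSS4J receive result, updates the policy assertions and
     * installs a security context when the message has none with a user principal.
     */
    private void publishPrincipal(SoapMessage soapMessage, WSUsernameTokenPrincipal principal)
            throws WSSecurityException {
        // NOTE(review): 1 and 8192 look like WSS4J's WSConstants.UT and
        // WSConstants.UT_NOPASSWORD action codes inlined by the compiler; confirm against
        // the WSS4J version in use.
        int action = principal.getPassword() == null ? 8192 : 1;
        List<WSSecurityEngineResult> engineResults = new ArrayList<WSSecurityEngineResult>();
        engineResults.add(new WSSecurityEngineResult(
                action, principal, (X509Certificate[]) null, (List) null, (byte[]) null));

        // "RECV_RESULTS" is presumably WSHandlerConstants.RECV_RESULTS (inlined literal).
        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) soapMessage.get("RECV_RESULTS"));
        if (handlerResults == null) {
            handlerResults = new ArrayList<WSHandlerResult>();
            soapMessage.put("RECV_RESULTS", handlerResults);
        }
        // Prepend so this result comes before any results already on the message.
        handlerResults.add(0, new WSHandlerResult((String) null, engineResults));

        // 'false': signed-supporting-token assertions then depend on isTLSInUse alone.
        assertTokens(soapMessage, principal, false);
        soapMessage.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);

        // Never replace a context that already carries a user principal.
        SecurityContext existing = (SecurityContext) soapMessage.get(SecurityContext.class);
        if (existing == null || existing.getUserPrincipal() == null) {
            Subject subject = createSubject(
                    principal.getName(),
                    principal.getPassword(),
                    principal.isPasswordDigest(),
                    principal.getNonce(),
                    principal.getCreatedTime());
            soapMessage.put(SecurityContext.class, createSecurityContext(principal, subject));
        }
    }

    /**
     * Turns a UsernameToken element into a principal, validating it unless validation is
     * switched off for the message.
     *
     * <p>With {@code SecurityConstants.VALIDATE_TOKEN} false (it defaults to true) the
     * token is parsed and passed to {@code WSS4JTokenConverter.convertToken} without any
     * credential check in this class. Otherwise the WSS4J
     * {@link UsernameTokenProcessor} handles it with the message's callback handler, an
     * optional custom validator, the nonce replay cache and the policy-derived
     * "no password allowed" flag.
     *
     * @param element the {@code wsse:UsernameToken} element
     * @param soapMessage the message the token arrived on
     * @return the principal carried by the first processor result, or the parsed principal
     *         when validation is disabled
     * @throws WSSecurityException if parsing or validation fails
     */
    protected WSUsernameTokenPrincipal getPrincipal(Element element, final SoapMessage soapMessage) throws WSSecurityException {
        boolean bspCompliant = isWsiBSPCompliant(soapMessage);
        boolean validateToken = MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.VALIDATE_TOKEN, true);
        boolean allowNoPassword = isAllowNoPassword((AssertionInfoMap) soapMessage.get(AssertionInfoMap.class));

        if (!validateToken) {
            // Unvalidated path: no password check and no replay cache here. Whatever
            // consumes the converted token must authenticate it.
            WSUsernameTokenPrincipal parsed = parseTokenAndCreatePrincipal(element, bspCompliant);
            WSS4JTokenConverter.convertToken(soapMessage, parsed);
            return parsed;
        }

        RequestData requestData = new RequestData() {
            @Override
            public CallbackHandler getCallbackHandler() {
                return UsernameTokenInterceptor.this.getCallback(soapMessage);
            }

            @Override
            public Validator getValidator(QName qName) throws WSSecurityException {
                // A validator configured on the message wins over the WSS4J default.
                Object custom = soapMessage.getContextualProperty(SecurityConstants.USERNAME_TOKEN_VALIDATOR);
                if (custom == null) {
                    return super.getValidator(qName);
                }
                return (Validator) custom;
            }
        };
        requestData.setNonceReplayCache(WSS4JUtils.getReplayCache(
                soapMessage, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE));

        WSSConfig wssConfig = WSSConfig.getNewInstance();
        wssConfig.setWsiBSPCompliant(bspCompliant);
        wssConfig.setAllowUsernameTokenNoPassword(allowNoPassword);
        requestData.setWssConfig(wssConfig);

        UsernameTokenProcessor processor = new UsernameTokenProcessor();
        WSDocInfo docInfo = new WSDocInfo(element.getOwnerDocument());
        List<WSSecurityEngineResult> results = processor.handleToken(element, requestData, docInfo);
        // "principal" is presumably WSSecurityEngineResult.TAG_PRINCIPAL (inlined literal).
        return (WSUsernameTokenPrincipal) results.get(0).get("principal");
    }

    /**
     * Parses the element into a principal without validating the credentials.
     *
     * @param element the {@code wsse:UsernameToken} element
     * @param z whether to parse with WS-I BSP compliance (forwarded to {@link UsernameToken})
     * @return a principal carrying the token's name, hash flag, nonce, password, created
     *         time and password type
     * @throws WSSecurityException if the element cannot be parsed
     */
    protected WSUsernameTokenPrincipal parseTokenAndCreatePrincipal(Element element, boolean z) throws WSSecurityException {
        UsernameToken token = new UsernameToken(element, false, z);
        WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(token.getName(), token.isHashed());
        principal.setNonce(token.getNonce());
        principal.setPassword(token.getPassword());
        principal.setCreatedTime(token.getCreated());
        principal.setPasswordType(token.getPasswordType());
        return principal;
    }

    /**
     * Reports whether WS-I BSP compliance is on for the message.
     *
     * @param soapMessage the message whose contextual properties are consulted
     * @return {@code false} only when {@code SecurityConstants.IS_BSP_COMPLIANT} is the
     *         string {@code "false"} or {@code "0"}; {@code true} otherwise, including
     *         when the property is absent
     */
    protected boolean isWsiBSPCompliant(SoapMessage soapMessage) {
        String configured = (String) soapMessage.getContextualProperty(SecurityConstants.IS_BSP_COMPLIANT);
        return !("false".equals(configured) || "0".equals(configured));
    }

    /**
     * Reports whether any UsernameToken policy assertion permits a token without a password.
     *
     * @param assertionInfoMap the policy assertions of the message
     * @return {@code true} if at least one UsernameToken assertion has the no-password
     *         flag; {@code false} when there is none or the flag is never set
     */
    private boolean isAllowNoPassword(AssertionInfoMap assertionInfoMap) throws WSSecurityException {
        Collection<?> assertions = (Collection<?>) assertionInfoMap.get(SP12Constants.USERNAME_TOKEN);
        if (assertions == null || assertions.isEmpty()) {
            return false;
        }
        for (Object entry : assertions) {
            org.apache.cxf.ws.security.policy.model.UsernameToken policy =
                    (org.apache.cxf.ws.security.policy.model.UsernameToken) ((AssertionInfo) entry).getAssertion();
            if (policy.isNoPassword()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the security context installed on the message.
     *
     * @param principal the principal taken from the token
     * @param subject the subject from {@link #createSubject}; {@code null} with the default
     *        implementation
     * @return a {@link DefaultSecurityContext} wrapping both
     */
    protected SecurityContext createSecurityContext(Principal principal, Subject subject) {
        return new DefaultSecurityContext(principal, subject);
    }

    /**
     * Hook for producing a {@link Subject} for the token's user. This default returns
     * {@code null}. Presumably subclasses override it to authenticate the user and supply
     * roles; confirm against the intended extension points.
     *
     * <p>Arguments as passed by {@link #processToken}:
     *
     * @param str the principal name
     * @param str2 the password from the token (may be clear text or a digest; do not log)
     * @param z whether the password is a digest
     * @param str3 the token nonce
     * @param str4 the token created time
     * @return always {@code null} in this implementation
     * @throws SecurityException declared for overriding implementations
     */
    protected Subject createSubject(String str, String str2, boolean z, String str3, String str4) throws SecurityException {
        return null;
    }

    /**
     * Asserts the UsernameToken policy for the message.
     * Overrides {@code AbstractTokenInterceptor.assertTokens}. The decompiler notes that
     * the access modifier was changed from {@code protected}.
     *
     * @param soapMessage the message whose policy assertions are updated
     * @return the policy model found for {@code SP12Constants.USERNAME_TOKEN}
     */
    @Override
    public org.apache.cxf.ws.security.policy.model.UsernameToken assertTokens(SoapMessage soapMessage) {
        return (org.apache.cxf.ws.security.policy.model.UsernameToken) assertTokens(soapMessage, SP12Constants.USERNAME_TOKEN, true);
    }

    /**
     * Checks a received principal against every UsernameToken policy assertion and marks
     * the supporting-token assertions.
     *
     * @param soapMessage the message whose {@link AssertionInfoMap} is updated
     * @param wSUsernameTokenPrincipal the principal taken from the token, or {@code null}
     *        to assert without checking a token
     * @param z when {@code true} the signed-supporting-token assertions are asserted even
     *        without TLS
     * @return the last UsernameToken policy model seen, or {@code null} if there was none
     */
    private org.apache.cxf.ws.security.policy.model.UsernameToken assertTokens(SoapMessage soapMessage, WSUsernameTokenPrincipal wSUsernameTokenPrincipal, boolean z) {
        AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        org.apache.cxf.ws.security.policy.model.UsernameToken policy = null;
        for (AssertionInfo info : assertionInfoMap.getAssertionInfo(SP12Constants.USERNAME_TOKEN)) {
            policy = (org.apache.cxf.ws.security.policy.model.UsernameToken) info.getAssertion();
            if (wSUsernameTokenPrincipal != null
                    && policy.isHashPassword() != wSUsernameTokenPrincipal.isPasswordDigest()) {
                // The token's digest/plain-text form must match what the policy demands.
                info.setNotAsserted("Password hashing policy not enforced");
            } else if (wSUsernameTokenPrincipal == null
                    || policy.isNoPassword()
                    || wSUsernameTokenPrincipal.getPassword() != null
                    || !isNonEndorsingSupportingToken(policy)) {
                info.setAsserted(true);
            } else {
                // Password missing, policy does not allow that, and the token is a
                // non-endorsing supporting token.
                info.setNotAsserted("Username Token No Password supplied");
            }
        }
        for (AssertionInfo info : assertionInfoMap.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS)) {
            info.setAsserted(true);
        }
        // Signed supporting tokens are only asserted when the caller forces it or TLS is in use.
        if (z || isTLSInUse(soapMessage)) {
            for (AssertionInfo info : assertionInfoMap.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS)) {
                info.setAsserted(true);
            }
        }
        return policy;
    }

    /**
     * Reports whether the policy token sits in a supporting-token assertion of one of the
     * four types compared below (supporting, signed, signed-encrypted, encrypted).
     *
     * @return {@code false} when the token has no supporting-token parent or the parent
     *         has any other type
     */
    private boolean isNonEndorsingSupportingToken(org.apache.cxf.ws.security.policy.model.UsernameToken usernameToken) {
        SupportingToken parent = usernameToken.getSupportingToken();
        if (parent == null) {
            return false;
        }
        SPConstants.SupportTokenType type = parent.getTokenType();
        return type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING
                || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED
                || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED
                || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED;
    }

    /**
     * Adds a UsernameToken to the outbound security header, creating the header if needed.
     * Overrides {@code AbstractTokenInterceptor.addToken}. When no token can be built,
     * every UsernameToken assertion that was marked asserted is reset to not asserted.
     *
     * @param soapMessage the outbound message
     */
    @Override
    protected void addToken(SoapMessage soapMessage) {
        org.apache.cxf.ws.security.policy.model.UsernameToken policy = assertTokens(soapMessage);
        Header securityHeader = findSecurityHeader(soapMessage, true);
        WSSecUsernameToken builder = addUsernameToken(soapMessage, policy);
        if (builder == null) {
            AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
            for (AssertionInfo info : assertionInfoMap.getAssertionInfo(SP12Constants.USERNAME_TOKEN)) {
                if (info.isAsserted()) {
                    info.setAsserted(false);
                }
            }
            return;
        }
        Element headerElement = (Element) securityHeader.getObject();
        builder.prepare(headerElement.getOwnerDocument());
        headerElement.appendChild(builder.getUsernameTokenElement());
    }

    /**
     * Creates the UsernameToken builder from the message's contextual properties.
     *
     * <p>The username comes from {@code SecurityConstants.USERNAME}. Unless the policy
     * asks for no password, the password comes from {@code SecurityConstants.PASSWORD} or,
     * when that is empty, from {@code getPassword}. The policy decides between the
     * PasswordDigest and PasswordText types; PasswordText sends the password in clear
     * inside the token, so it relies on transport or message protection.
     *
     * @param soapMessage the outbound message
     * @param usernameToken the UsernameToken policy model
     * @return the configured builder, or {@code null} after marking the policy not
     *         asserted because the username or the password is missing
     */
    protected WSSecUsernameToken addUsernameToken(SoapMessage soapMessage, org.apache.cxf.ws.security.policy.model.UsernameToken usernameToken) {
        String userName = (String) soapMessage.getContextualProperty(SecurityConstants.USERNAME);
        WSSConfig wssConfig = (WSSConfig) soapMessage.getContextualProperty(WSSConfig.class.getName());
        if (wssConfig == null) {
            wssConfig = WSSConfig.getNewInstance();
        }
        if (StringUtils.isEmpty(userName)) {
            policyNotAsserted(usernameToken, "No username available", soapMessage);
            return null;
        }
        if (usernameToken.isNoPassword()) {
            WSSecUsernameToken noPasswordBuilder = new WSSecUsernameToken(wssConfig);
            noPasswordBuilder.setUserInfo(userName, (String) null);
            noPasswordBuilder.setPasswordType((String) null);
            return noPasswordBuilder;
        }

        String password = (String) soapMessage.getContextualProperty(SecurityConstants.PASSWORD);
        if (StringUtils.isEmpty(password)) {
            // NOTE(review): 2 is presumably WSPasswordCallback.USERNAME_TOKEN inlined by
            // the compiler; confirm against the WSS4J version in use.
            password = getPassword(userName, usernameToken, 2, soapMessage);
        }
        if (StringUtils.isEmpty(password)) {
            // The username is known at this point; it is the password that is missing.
            policyNotAsserted(usernameToken, "No password available", soapMessage);
            return null;
        }

        WSSecUsernameToken builder = new WSSecUsernameToken(wssConfig);
        if (usernameToken.isHashPassword()) {
            builder.setPasswordType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest");
        } else {
            builder.setPasswordType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
        }
        builder.setUserInfo(userName, password);
        return builder;
    }
}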
