package org.apache.cxf.ws.security.trust;

import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.policy.model.Trust10;
import org.apache.wss4j.policy.model.Trust13;
import org.w3c.dom.Element;

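/**
 * Obtains a {@link SecurityToken} for an outbound message, consulting a token cache first and
 * falling back to a renew or issue request against the STS.
 *
 * <p>The {@link STSClient} is looked up per call and every use of it is wrapped in
 * {@code synchronized (client)}. Per-request state (trust policy, token template, addressing
 * namespace) is cleared again before the lock is released.
 */
public final class STSTokenRetriever {
    private static final Logger LOG = LogUtils.getL7dLogger(STSTokenRetriever.class);

    /** Cache key used when AppliesTo is disabled on the client or no AppliesTo address is known. */
    private static final String ASSOCIATED_TOKEN = STSTokenRetriever.class.getName() + "-Associated_Token";

    private static final String PROP_APPLIES_TO = "security.sts.applies-to";
    private static final String PROP_ACT_AS = "security.sts.token.act-as";
    private static final String PROP_ON_BEHALF_OF = "security.sts.token.on-behalf-of";
    private static final String PROP_CACHE_IN_ENDPOINT = "security.cache.issued.token.in.endpoint";
    private static final String PROP_IMMINENT_EXPIRY = "security.sts.token.imminent-expiry-value";
    private static final String PROP_ISSUE_AFTER_FAILED_RENEW = "security.issue.after.failed.renew";

    /** Threshold passed to {@code isAboutToExpire} when none is configured (presumably seconds; confirm). */
    private static final long DEFAULT_IMMINENT_EXPIRY = 10L;

    /**
     * Policy-derived inputs for a token request: issuer, WS-Trust 1.0/1.3 assertions, the
     * request template, the WS-Policy namespace and optional claims. Plain mutable holder;
     * every field may be {@code null}.
     */
    public static class TokenRequestParams {
        private Element issuer;
        private Trust10 trust10;
        private Trust13 trust13;
        private Element tokenTemplate;
        private String wspNamespace;
        private Element claims;

        /** @return the issuer element, or {@code null} if none was set */
        public Element getIssuer() {
            return issuer;
        }

        /** @param element the issuer element used to select the STS client */
        public void setIssuer(Element element) {
            issuer = element;
        }

        /** @return the WS-Trust 1.0 assertion, or {@code null} */
        public Trust10 getTrust10() {
            return trust10;
        }

        /** @param trust10 the WS-Trust 1.0 assertion to apply to the request */
        public void setTrust10(Trust10 trust10) {
            this.trust10 = trust10;
        }

        /** @return the WS-Trust 1.3 assertion, or {@code null} */
        public Trust13 getTrust13() {
            return trust13;
        }

        /** @param trust13 the WS-Trust 1.3 assertion to apply to the request */
        public void setTrust13(Trust13 trust13) {
            this.trust13 = trust13;
        }

        /** @return the request template element, or {@code null} */
        public Element getTokenTemplate() {
            return tokenTemplate;
        }

        /** @param element the request template element */
        public void setTokenTemplate(Element element) {
            tokenTemplate = element;
        }

        /** @return the WS-Policy namespace, or {@code null} to keep the client's own setting */
        public String getWspNamespace() {
            return wspNamespace;
        }

        /** @param str the WS-Policy namespace */
        public void setWspNamespace(String str) {
            wspNamespace = str;
        }

        /** @return the claims element, or {@code null} to keep the client's own setting */
        public Element getClaims() {
            return claims;
        }

        /** @param element the claims element */
        public void setClaims(Element element) {
            claims = element;
        }
    }

    private STSTokenRetriever() {
    }

    /**
     * Retrieves a token using a {@link DefaultSTSTokenCacher}.
     *
     * @param message the current message
     * @param tokenRequestParams policy-derived request inputs
     * @return the cached, renewed or newly issued token; may be {@code null}
     * @throws Fault if a checked exception occurs while talking to the STS
     */
    public static SecurityToken getToken(Message message, TokenRequestParams tokenRequestParams) {
        return getToken(message, tokenRequestParams, new DefaultSTSTokenCacher());
    }

    /**
     * Retrieves a token for {@code message}, preferring a cached one.
     *
     * <p>Lookup order: the cacher's endpoint/message lookup, then a lookup keyed by the
     * OnBehalfOf token, then one keyed by the ActAs token. A cache hit is passed through
     * {@code renewToken}; a miss results in an issue request to the STS. A non-null result is
     * written back to the cache under all three keys.
     *
     * @param message the current message
     * @param tokenRequestParams policy-derived request inputs
     * @param sTSTokenCacher cache used to look up and store tokens
     * @return the cached, renewed or newly issued token; may be {@code null}
     * @throws Fault if a checked exception occurs; runtime exceptions propagate unchanged
     */
    public static SecurityToken getToken(Message message, TokenRequestParams tokenRequestParams, STSTokenCacher sTSTokenCacher) {
        String appliesTo = resolveAppliesTo(message);
        STSClient client = STSUtils.getClientWithIssuer(message, "sts", tokenRequestParams.getIssuer());
        synchronized (client) {
            try {
                client.setMessage(message);
                // NOTE(review): ActAs / OnBehalfOf are only ever set here, never cleared (the
                // finally block below resets other fields). If the client instance is shared
                // between requests, confirm a stale delegation value cannot carry over.
                Object actAs = SecurityUtils.getSecurityPropertyValue(PROP_ACT_AS, message);
                if (actAs != null) {
                    client.setActAs(actAs);
                }
                Object onBehalfOf = SecurityUtils.getSecurityPropertyValue(PROP_ON_BEHALF_OF, message);
                if (onBehalfOf != null) {
                    client.setOnBehalfOf(onBehalfOf);
                }
                boolean appliesToEnabled = client.isEnableAppliesTo();
                Element onBehalfOfToken = client.getOnBehalfOfToken();
                Element actAsToken = client.getActAsToken();

                // Delegation-token cache entries are scoped by the AppliesTo address when one is
                // in use; otherwise they all share the fixed ASSOCIATED_TOKEN key.
                String cacheKey = appliesTo;
                if (!appliesToEnabled || cacheKey == null || cacheKey.isEmpty()) {
                    cacheKey = ASSOCIATED_TOKEN;
                }

                boolean cacheInEndpoint = isCachedTokenFromEndpoint(message, onBehalfOfToken, actAsToken);
                SecurityToken cached = sTSTokenCacher.retrieveToken(message, cacheInEndpoint);
                if (cached == null && onBehalfOfToken != null) {
                    cached = sTSTokenCacher.retrieveToken(message, onBehalfOfToken, cacheKey);
                }
                if (cached == null && actAsToken != null) {
                    cached = sTSTokenCacher.retrieveToken(message, actAsToken, cacheKey);
                }

                SecurityToken token = cached != null
                    ? renewToken(message, cached, tokenRequestParams, sTSTokenCacher)
                    : getTokenFromSTS(message, client, appliesTo, tokenRequestParams);
                if (token != null) {
                    // The delegation elements may be null here; the cacher receives them as-is.
                    sTSTokenCacher.storeToken(message, onBehalfOfToken, token.getId(), cacheKey);
                    sTSTokenCacher.storeToken(message, actAsToken, token.getId(), cacheKey);
                    sTSTokenCacher.storeToken(message, token, cacheInEndpoint);
                }
                return token;
            } catch (RuntimeException e) {
                throw e;
            } catch (Exception e) {
                throw new Fault(e);
            } finally {
                resetClientState(client);
            }
        }
    }

    /**
     * Determines the AppliesTo address: the configured property if present, otherwise the
     * endpoint address with any query string removed.
     */
    private static String resolveAppliesTo(Message message) {
        Object configured = SecurityUtils.getSecurityPropertyValue(PROP_APPLIES_TO, message);
        if (configured != null) {
            String value = configured.toString();
            if (value != null) {
                return value;
            }
        }
        // NOTE(review): if the message carries no endpoint address this dereference throws a
        // NullPointerException, so the request fails instead of asking for an unscoped token.
        String endpointAddress = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
        int queryStart = endpointAddress.indexOf('?');
        return queryStart > 0 ? endpointAddress.substring(0, queryStart) : endpointAddress;
    }

    /**
     * Clears the per-request state on the client. The casts select between the
     * {@code setTrust(Trust10)} and {@code setTrust(Trust13)} overloads; a bare {@code null}
     * argument is ambiguous and does not compile.
     */
    private static void resetClientState(STSClient client) {
        client.setTrust((Trust10) null);
        client.setTrust((Trust13) null);
        client.setTemplate(null);
        client.setAddressingNamespace(null);
    }

    /**
     * Decides whether the endpoint-level cache may be used. It is never used when an
     * OnBehalfOf or ActAs token is present; otherwise the configured flag applies and
     * defaults to {@code true}.
     */
    private static boolean isCachedTokenFromEndpoint(Message message, Element element, Element element2) {
        boolean delegated = element != null || element2 != null;
        if (delegated) {
            return false;
        }
        return SecurityUtils.getSecurityPropertyBoolean(PROP_CACHE_IN_ENDPOINT, message, true);
    }

    /**
     * Returns {@code securityToken} if it is neither expired nor about to expire; otherwise
     * evicts it from the cache and renews it, or requests a new token when the client does not
     * allow renewing.
     *
     * <p>If renewal fails and {@code security.issue.after.failed.renew} is {@code true} (the
     * default), the failure is logged at WARNING and a new token is requested instead.
     *
     * @throws NumberFormatException if the configured imminent-expiry value is not a number
     * @throws Fault if renewal fails with a checked exception and the fallback is disabled
     */
    private static SecurityToken renewToken(Message message, SecurityToken securityToken, TokenRequestParams tokenRequestParams, STSTokenCacher sTSTokenCacher) {
        // Read via toString() so a numeric configuration value is accepted as well as a String.
        Object configuredThreshold = SecurityUtils.getSecurityPropertyValue(PROP_IMMINENT_EXPIRY, message);
        long threshold = configuredThreshold == null
            ? DEFAULT_IMMINENT_EXPIRY
            : Long.parseLong(configuredThreshold.toString());

        boolean stillUsable = !securityToken.isExpired() && !securityToken.isAboutToExpire(threshold);
        if (stillUsable) {
            return securityToken;
        }

        // Evict first so that any getToken call below cannot return the stale token from cache.
        sTSTokenCacher.removeToken(message, securityToken);
        STSClient client = STSUtils.getClientWithIssuer(message, "sts", tokenRequestParams.getIssuer());
        if (!client.isAllowRenewing()) {
            return getToken(message, tokenRequestParams, sTSTokenCacher);
        }
        synchronized (client) {
            try {
                return renewWithClient(message, securityToken, tokenRequestParams, client);
            } catch (Exception e) {
                return issueAfterFailedRenew(message, tokenRequestParams, sTSTokenCacher, client, e);
            }
        }
    }

    /**
     * Configures the client for this request and sends the renew request. Per-request client
     * state is cleared whether or not the request succeeds. The caller must hold the client's
     * monitor.
     */
    private static SecurityToken renewWithClient(Message message, SecurityToken securityToken, TokenRequestParams tokenRequestParams, STSClient client) throws Exception {
        try {
            mapSecurityProps(message, client.getRequestContext());
            client.setMessage(message);
            String addressingNamespace = getAddressingNamespaceURI(message);
            if (addressingNamespace != null) {
                client.setAddressingNamespace(addressingNamespace);
            }
            client.setTrust(tokenRequestParams.getTrust10());
            client.setTrust(tokenRequestParams.getTrust13());
            client.setTemplate(tokenRequestParams.getTokenTemplate());
            return client.renewSecurityToken(securityToken);
        } finally {
            resetClientState(client);
        }
    }

    /**
     * Logs a failed renewal and, if the fallback is enabled, requests a new token. When the
     * fallback is disabled the original runtime exception is rethrown, or a checked exception
     * is wrapped in a {@link Fault}.
     */
    private static SecurityToken issueAfterFailedRenew(Message message, TokenRequestParams tokenRequestParams, STSTokenCacher sTSTokenCacher, STSClient client, Exception cause) {
        LOG.log(Level.WARNING, "Error renewing a token", cause);
        if (!SecurityUtils.getSecurityPropertyBoolean(PROP_ISSUE_AFTER_FAILED_RENEW, message, true)) {
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw new Fault(cause);
        }
        try {
            return getToken(message, tokenRequestParams, sTSTokenCacher);
        } finally {
            // Also clear the client when the fallback request itself fails.
            resetClientState(client);
        }
    }

    /**
     * Returns the WS-Addressing namespace URI from the outbound addressing context, falling
     * back to the general addressing context; {@code null} if neither is present.
     */
    private static String getAddressingNamespaceURI(Message message) {
        AddressingProperties addressing = (AddressingProperties) message.get("javax.xml.ws.addressing.context.outbound");
        if (addressing == null) {
            addressing = (AddressingProperties) message.get("javax.xml.ws.addressing.context");
        }
        return addressing == null ? null : addressing.getNamespaceURI();
    }

    /**
     * Copies the security configuration properties from the message into {@code map}. For each
     * name the {@code ".it"}-suffixed variant takes precedence over the plain one, and entries
     * already present in {@code map} are never overwritten.
     */
    private static void mapSecurityProps(Message message, Map<String, Object> map) {
        for (String name : SecurityConstants.ALL_PROPERTIES) {
            Object value = message.getContextualProperty(name + ".it");
            if (value == null) {
                value = message.getContextualProperty(name);
            }
            if (value != null && !map.containsKey(name)) {
                map.put(name, value);
            }
        }
    }

    /**
     * Configures the client from {@code tokenRequestParams} and the message, then requests a
     * new token for the address {@code str}. The caller must hold the client's monitor and is
     * responsible for clearing the per-request state afterwards.
     *
     * <p>The WS-Policy namespace and claims are only set when non-null and are not reset by
     * this class afterwards.
     */
    private static SecurityToken getTokenFromSTS(Message message, STSClient sTSClient, String str, TokenRequestParams tokenRequestParams) throws Exception {
        sTSClient.setTrust(tokenRequestParams.getTrust10());
        sTSClient.setTrust(tokenRequestParams.getTrust13());
        sTSClient.setTemplate(tokenRequestParams.getTokenTemplate());

        String wspNamespace = tokenRequestParams.getWspNamespace();
        if (wspNamespace != null) {
            sTSClient.setWspNamespace(wspNamespace);
        }
        String addressingNamespace = getAddressingNamespaceURI(message);
        if (addressingNamespace != null) {
            sTSClient.setAddressingNamespace(addressingNamespace);
        }
        Element claims = tokenRequestParams.getClaims();
        if (claims != null) {
            sTSClient.setClaims(claims);
        }
        mapSecurityProps(message, sTSClient.getRequestContext());
        return sTSClient.requestSecurityToken(str);
    }
}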
