package org.apache.cxf.ws.security.wss4j;

import java.security.Provider;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.dom.DOMSource;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJUtils;
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.processor.Processor;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.validate.NoOpValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.class */
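/**
 * Inbound interceptor that runs WSS4J over the WS-Security header of a SOAP message.
 *
 * <p>It assembles a {@link WSSecurityEngine} and a {@code RequestData} from the configured
 * properties, processes the security header, verifies that the actions actually found match the
 * configured ones (see {@link #checkActions}), records the results under {@code RECV_RESULTS},
 * builds the security context and finally re-positions the StAX reader over the body for the
 * interceptors that follow.
 *
 * <p>Runs in the {@code pre-protocol} phase after the SAAJ interceptor and the WS-Addressing
 * {@code MAPCodec}. A message is marked with {@link #SECURITY_PROCESSED} once handled so a second
 * pass is a no-op; HTTP GET requests without an XML payload are skipped as well.
 *
 * <p>If the exchange carries a {@link Provider} and {@link ThreadLocalSecurityProvider} is
 * installed, that provider is made the thread's security provider for the duration of the
 * processing and always removed afterwards, even when processing fails.
 */
public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
    /** Attribute name constant for SAML role claims (not referenced within this class itself). */
    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
    /** Property key for a {@code Map<QName, Object>} of processor overrides (see {@link #createSecurityEngine}). */
    public static final String PROCESSOR_MAP = "wss4j.processor.map";
    /** Property key for a {@code Map<QName, Object>} of {@link Validator} overrides. */
    public static final String VALIDATOR_MAP = "wss4j.validator.map";
    /** Message key set to {@code Boolean.TRUE} once this interceptor has processed the message. */
    public static final String SECURITY_PROCESSED = WSS4JInInterceptor.class.getName() + ".DONE";
    private static final Logger LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class);

    // When true, a mismatch between configured and received actions is not treated as an error.
    private boolean ignoreActions;
    // Engine built from PROCESSOR_MAP / VALIDATOR_MAP; null means "no override".
    private WSSecurityEngine secEngineOverride;

    /**
     * Creates an interceptor in the {@code pre-protocol} phase, ordered after the SAAJ
     * interceptor (a SAAJ model must exist) and after the WS-Addressing MAPCodec.
     */
    public WSS4JInInterceptor() {
        setPhase("pre-protocol");
        getAfter().add(SAAJInInterceptor.class.getName());
        getAfter().add("org.apache.cxf.ws.addressing.soap.MAPCodec");
    }

    /**
     * @param ignore when {@code true} the actions found in the security header are not
     *               checked against the configured ones (see {@link #checkActions})
     */
    public WSS4JInInterceptor(boolean ignore) {
        this();
        this.ignoreActions = ignore;
    }

    /**
     * Creates an interceptor configured from a property map. When the map carries
     * {@link #PROCESSOR_MAP} and/or {@link #VALIDATOR_MAP}, a dedicated {@link WSSecurityEngine}
     * is built with those overrides and used instead of the default engine.
     *
     * @param properties interceptor properties; handed to {@code setProperties}
     */
    public WSS4JInInterceptor(Map<String, Object> properties) {
        this();
        setProperties(properties);
        Map<QName, Object> processors = CastUtils.cast((Map<?, ?>) properties.get(PROCESSOR_MAP));
        Map<QName, Object> validators = CastUtils.cast((Map<?, ?>) properties.get(VALIDATOR_MAP));
        if (processors == null && validators == null) {
            return;
        }
        // Merge into a fresh map so the caller's configuration maps are never mutated.
        // As before, a validator registered under the same QName as a processor wins.
        Map<QName, Object> overrides = new HashMap<>();
        if (processors != null) {
            overrides.putAll(processors);
        }
        if (validators != null) {
            overrides.putAll(validators);
        }
        this.secEngineOverride = createSecurityEngine(overrides);
    }

    /**
     * @param ignore when {@code true} the action check in {@link #checkActions} is skipped
     */
    public void setIgnoreActions(boolean ignore) {
        this.ignoreActions = ignore;
    }

    /**
     * Makes sure the SAAJ model exists (running the SAAJ interceptor on demand) and returns it.
     */
    private SOAPMessage getSOAPMessage(SoapMessage msg) {
        SAAJInInterceptor.INSTANCE.handleMessage(msg);
        return msg.getContent(SOAPMessage.class);
    }

    /**
     * Looks a property up via the superclass and, for {@code _sendSignatureValues_} on the
     * requestor side, falls back to the exchange's outbound message, where the signature values
     * of the request were recorded.
     */
    @Override
    public Object getProperty(Object msgContext, String key) {
        Object value = super.getProperty(msgContext, key);
        if (value == null && "_sendSignatureValues_".equals(key) && isRequestor((SoapMessage) msgContext)) {
            value = ((SoapMessage) msgContext).getExchange().getOutMessage().get(key);
        }
        return value;
    }

    /**
     * @return {@code true} for an HTTP GET request that carries no XML payload; such a
     *         message has no security header and is skipped by {@link #handleMessage}
     */
    public final boolean isGET(SoapMessage msg) {
        return "GET".equals(msg.get("org.apache.cxf.request.method"))
            && msg.getContent(XMLStreamReader.class) == null;
    }

    /**
     * Entry point: skips already-processed messages and GETs, then runs
     * {@link #handleMessageInternal} with the exchange's {@link Provider} installed as the
     * thread-local security provider when one is present.
     *
     * @throws Fault on any SAAJ, StAX or WS-Security failure (see {@link #handleMessageInternal})
     */
    @Override
    public void handleMessage(SoapMessage msg) throws Fault {
        if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
            return;
        }
        Provider provider = (Provider) msg.getExchange().get(Provider.class);
        boolean useCustomProvider = provider != null && ThreadLocalSecurityProvider.isInstalled();
        try {
            if (useCustomProvider) {
                ThreadLocalSecurityProvider.setProvider(provider);
            }
            handleMessageInternal(msg);
        } finally {
            // The provider is thread-local; leaving it set after a failure would leak it to the
            // next request handled on this (pooled) thread, so unset unconditionally.
            if (useCustomProvider) {
                ThreadLocalSecurityProvider.unsetProvider();
            }
        }
    }

    /**
     * Performs the actual WS-Security processing of an inbound message.
     *
     * <p>Engine selection: an explicitly supplied {@link WSSConfig} message property gets its
     * own engine; otherwise {@link #getSecurityEngine} decides, with a plain
     * {@link WSSecurityEngine} as the last resort.
     *
     * @throws Fault a {@link SoapFault} wrapping the SAAJ, StAX or WS-Security error
     */
    private void handleMessageInternal(SoapMessage msg) throws Fault {
        boolean utWithCallbacks = MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
        translateProperties(msg);

        CXFRequestData reqData = new CXFRequestData();
        WSSConfig config = (WSSConfig) msg.getContextualProperty(WSSConfig.class.getName());
        WSSecurityEngine engine;
        if (config != null) {
            engine = new WSSecurityEngine();
            engine.setWssConfig(config);
        } else {
            engine = getSecurityEngine(utWithCallbacks);
            if (engine == null) {
                engine = new WSSecurityEngine();
            }
            config = engine.getWssConfig();
        }
        reqData.setWssConfig(config);
        reqData.setEncryptionSerializer(new StaxSerializer());
        configureAudienceRestriction(msg, reqData);

        SOAPMessage doc = getSOAPMessage(msg);
        boolean doDebug = LOG.isLoggable(Level.FINE);
        SoapVersion version = msg.getVersion();
        if (doDebug) {
            LOG.fine("WSS4JInInterceptor: enter handleMessage()");
        }

        try {
            reqData.setMsgContext(msg);
            reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg));
            setAlgorithmSuites(msg, reqData);
            reqData.setCallbackHandler(getCallback(reqData, utWithCallbacks));
            computeAction(msg, reqData);

            List<Integer> actions = WSSecurityUtil.decodeAction(getAction(msg, version));
            String actor = (String) getOption("actor");
            if (actor == null) {
                actor = (String) msg.getContextualProperty(SecurityConstants.ACTOR);
            }
            reqData.setActor(actor);
            configureReplayCaches(reqData, actions, msg);

            // Make the peer's TLS certificates (if any) available to the processors.
            TLSSessionInfo tlsInfo = (TLSSessionInfo) msg.get(TLSSessionInfo.class);
            if (tlsInfo != null) {
                reqData.setTlsCerts(tlsInfo.getPeerCertificates());
            }
            doReceiverAction(actions, reqData);

            // Revocation checking is on if either the handler configuration or the
            // security.enableRevocation message property asks for it.
            reqData.setEnableRevocation(reqData.isRevocationEnabled()
                || MessageUtils.isTrue(SecurityUtils.getSecurityPropertyValue("security.enableRevocation", msg)));

            SOAPBody bodyBefore = SAAJUtils.getBody(doc);
            if (bodyBefore != null) {
                engine.setCallbackLookup(new CXFCallbackLookup(bodyBefore.getOwnerDocument(), bodyBefore));
            }

            WSHandlerResult wsResult = engine.processSecurityHeader(
                WSSecurityUtil.getSecurityHeader(doc.getSOAPHeader(), actor, version.getVersion() != 1.1d),
                reqData);
            List<WSSecurityEngineResult> results = wsResult.getResults();

            // Re-fetch the body after processing, as the original did, in case it was replaced.
            SOAPBody body = SAAJUtils.getBody(doc);
            if (results != null && !results.isEmpty()) {
                if (reqData.isEnableSignatureConfirmation()) {
                    checkSignatureConfirmation(reqData, wsResult);
                }
                checkActions(msg, reqData, results, actions, body);
                doResults(msg, actor, SAAJUtils.getHeader(doc), body, wsResult, utWithCallbacks);
            } else if (doc.getSOAPPart().getEnvelope().getBody().hasFault() && isRequestor(msg)) {
                // An unsecured fault received by a client is only logged; the configured
                // actions are deliberately not enforced on it.
                LOG.warning("The request is a SOAP Fault, but it is not secured");
                doResults(msg, actor, SAAJUtils.getHeader(doc), body, wsResult, utWithCallbacks);
            } else {
                // Nothing was processed: checkActions decides whether that is acceptable.
                checkActions(msg, reqData, results, actions, body);
                doResults(msg, actor, SAAJUtils.getHeader(doc), body, wsResult, utWithCallbacks);
            }

            advanceBody(msg, body);
            SAAJInInterceptor.replaceHeaders(doc, msg);
            if (doDebug) {
                LOG.fine("WSS4JInInterceptor: exit handleMessage()");
            }
            msg.put(SECURITY_PROCESSED, Boolean.TRUE);
        } catch (WSSecurityException e) {
            throw WSS4JUtils.createSoapFault(msg, version, e);
        } catch (XMLStreamException e) {
            throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
        } catch (SOAPException e) {
            throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
        }
    }

    /**
     * Fills the audience-restriction values handed to WSS4J: the request URL (or, failing that,
     * the request URI) and the WSDL service name. Skipped when the
     * {@code security.validate.audience-restriction} property is set to false.
     */
    private void configureAudienceRestriction(SoapMessage msg, RequestData reqData) {
        if (!SecurityUtils.getSecurityPropertyBoolean("security.validate.audience-restriction", msg, true)) {
            return;
        }
        List<String> audiences = new ArrayList<>();
        if (msg.get("org.apache.cxf.request.url") != null) {
            audiences.add((String) msg.get("org.apache.cxf.request.url"));
        } else if (msg.get("org.apache.cxf.request.uri") != null) {
            audiences.add((String) msg.get("org.apache.cxf.request.uri"));
        }
        Object service = msg.getContextualProperty("javax.xml.ws.wsdl.service");
        if (service != null) {
            audiences.add(service.toString());
        }
        reqData.setAudienceRestrictions(audiences);
    }

    /**
     * Verifies that the actions actually performed match the configured ones, in any order,
     * unless {@code ignoreActions} is set.
     *
     * @param wsResult the per-element results of the security engine (may be empty)
     * @param actions  the configured actions as decoded by {@code WSSecurityUtil.decodeAction}
     * @param body     the SOAP Body element (not used by this implementation)
     * @throws WSSecurityException with {@code INVALID_SECURITY} on a mismatch
     */
    private void checkActions(SoapMessage msg, RequestData reqData, List<WSSecurityEngineResult> wsResult,
                              List<Integer> actions, Element body) throws WSSecurityException {
        if (ignoreActions) {
            return;
        }
        if (!checkReceiverResultsAnyOrder(wsResult, actions)) {
            LOG.warning("Security processing failed (actions mismatch)");
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        // "signatureParts" does not enforce signature coverage on the inbound side; warn so the
        // user does not mistake it for a check.
        if (getProperty(msg, "signatureParts") != null) {
            LOG.warning("To enforce that particular elements were signed you must either use WS-SecurityPolicy, or else use the CryptoCoverageChecker or SignatureCoverageChecker");
        }
    }

    /**
     * Picks up {@link Crypto} instances supplied as message properties for decryption
     * ({@code security.encryption.crypto}) and signature verification
     * ({@code security.signature.crypto}).
     */
    protected void computeAction(SoapMessage msg, RequestData reqData) throws WSSecurityException {
        Crypto decCrypto = (Crypto) SecurityUtils.getSecurityPropertyValue("security.encryption.crypto", msg);
        if (decCrypto != null) {
            reqData.setDecCrypto(decCrypto);
        }
        Crypto sigVerCrypto = (Crypto) SecurityUtils.getSecurityPropertyValue("security.signature.crypto", msg);
        if (sigVerCrypto != null) {
            reqData.setSigVerCrypto(sigVerCrypto);
        }
    }

    /**
     * Wires the nonce, timestamp and SAML one-time-use replay caches required by the configured
     * actions. Each cache is enabled only when {@link #getReplayCache} actually returns an
     * instance; otherwise the corresponding replay check stays off.
     */
    protected void configureReplayCaches(RequestData reqData, List<Integer> actions, SoapMessage msg)
        throws WSSecurityException {
        reqData.setEnableNonceReplayCache(false);
        if (isNonceCacheRequired(actions, msg)) {
            ReplayCache nonceCache = getReplayCache(msg,
                SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE);
            reqData.setNonceReplayCache(nonceCache);
            if (nonceCache != null) {
                reqData.setEnableNonceReplayCache(true);
            }
        }

        reqData.setEnableTimestampReplayCache(false);
        if (isTimestampCacheRequired(actions, msg)) {
            ReplayCache timestampCache = getReplayCache(msg,
                SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE);
            reqData.setTimestampReplayCache(timestampCache);
            if (timestampCache != null) {
                reqData.setEnableTimestampReplayCache(true);
            }
        }

        reqData.setEnableSamlOneTimeUseReplayCache(false);
        if (isSamlCacheRequired(actions, msg)) {
            ReplayCache samlCache = getReplayCache(msg,
                SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE);
            reqData.setSamlOneTimeUseReplayCache(samlCache);
            if (samlCache != null) {
                reqData.setEnableSamlOneTimeUseReplayCache(true);
            }
        }
    }

    /**
     * @return whether a UsernameToken action is configured
     *         (1 = {@code WSConstants.UT}, 8192 = {@code WSConstants.UT_NOPASSWORD})
     */
    protected boolean isNonceCacheRequired(List<Integer> actions, SoapMessage msg) {
        return actions.contains(1) || actions.contains(8192);
    }

    /**
     * @return whether a Timestamp action is configured (32 = {@code WSConstants.TS})
     */
    protected boolean isTimestampCacheRequired(List<Integer> actions, SoapMessage msg) {
        return actions.contains(32);
    }

    /**
     * @return whether a SAML token action is configured
     *         (8 = {@code WSConstants.ST_UNSIGNED}, 16 = {@code WSConstants.ST_SIGNED})
     */
    protected boolean isSamlCacheRequired(List<Integer> actions, SoapMessage msg) {
        return actions.contains(8) || actions.contains(16);
    }

    /**
     * Applies the configured algorithm suite restrictions to the request data; subclasses may
     * override to derive them from the message instead.
     */
    protected void setAlgorithmSuites(SoapMessage msg, RequestData reqData) throws WSSecurityException {
        super.decodeAlgorithmSuite(reqData);
    }

    /**
     * Records the processing result on the message and creates the security context.
     *
     * <p>The newest {@link WSHandlerResult} is inserted at the front of the {@code RECV_RESULTS}
     * list. The context is created by the {@code SECURITY_CONTEXT_CREATOR} property if one is
     * set, otherwise by a {@link DefaultWSS4JSecurityContextCreator}.
     *
     * @param actor           actor/role the security header was selected for (unused here)
     * @param soapHeader      the SOAP Header element (unused here; available to subclasses)
     * @param soapBody        the SOAP Body element (unused here; available to subclasses)
     * @param utWithCallbacks whether tokens are validated (unused here; available to subclasses)
     */
    public void doResults(SoapMessage msg, String actor, Element soapHeader, Element soapBody,
                          WSHandlerResult wsResult, boolean utWithCallbacks)
        throws SOAPException, XMLStreamException, WSSecurityException {
        List<WSHandlerResult> results = CastUtils.cast((List<?>) msg.get("RECV_RESULTS"));
        if (results == null) {
            results = new LinkedList<>();
            msg.put("RECV_RESULTS", results);
        }
        results.add(0, wsResult);

        WSS4JSecurityContextCreator creator = (WSS4JSecurityContextCreator)
            SecurityUtils.getSecurityPropertyValue(SecurityConstants.SECURITY_CONTEXT_CREATOR, msg);
        if (creator != null) {
            creator.createSecurityContext(msg, wsResult);
        } else {
            new DefaultWSS4JSecurityContextCreator().createSecurityContext(msg, wsResult);
        }
    }

    /**
     * Creates a StAX reader over {@code body}, advances it past the body start and installs it
     * as the message's {@link XMLStreamReader} content for the interceptors that follow.
     *
     * <p>The guard {@code evt != END_ELEMENT || evt != START_ELEMENT} is always true (an event
     * cannot be both), so the second {@code next()} happens whenever more input exists. It is kept
     * unchanged to preserve the reader position later interceptors are handed.
     */
    protected void advanceBody(SoapMessage msg, Node body) throws SOAPException, XMLStreamException, WSSecurityException {
        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(body));
        int evt = reader.next();
        if (reader.hasNext()
            && (evt != XMLStreamConstants.END_ELEMENT || evt != XMLStreamConstants.START_ELEMENT)) {
            reader.next();
        }
        msg.setContent(XMLStreamReader.class, reader);
    }

    /**
     * Resolves the configured security action string from the interceptor options or, failing
     * that, the message's {@code action} property.
     *
     * @throws SoapFault (receiver fault) when no action is configured at all — the interceptor
     *                   refuses to run without knowing what to expect
     */
    private String getAction(SoapMessage msg, SoapVersion version) {
        String action = (String) getOption("action");
        if (action == null) {
            action = (String) msg.get("action");
        }
        if (action != null) {
            return action;
        }
        LOG.warning("No security action was defined!");
        throw new SoapFault("No security action was defined!", version.getReceiver());
    }

    /**
     * Returns the callback handler to use. When token validation is enabled the handler is
     * required; otherwise a missing or failing handler is tolerated and wrapped in a
     * {@code DelegatingCallbackHandler} (with a {@code null} delegate if lookup failed).
     *
     * @param utWithCallbacks the {@code security.validate.token} setting
     */
    protected CallbackHandler getCallback(RequestData reqData, boolean utWithCallbacks) throws WSSecurityException {
        if (utWithCallbacks) {
            return getCallback(reqData);
        }
        CallbackHandler delegate = null;
        try {
            delegate = getCallback(reqData);
        } catch (Exception ignored) {
            // Deliberate: with token validation off, processing must continue without a handler.
        }
        return new DelegatingCallbackHandler(delegate);
    }

    /**
     * Looks up the callback handler: first the {@code security.callback-handler} property, then
     * the password callback handler from the handler configuration. When the exchange has an
     * endpoint, the result is combined with that endpoint's token store in a
     * {@code TokenStoreCallbackHandler}; if no password handler could be created, the token
     * store alone is used in that case.
     *
     * @throws WSSecurityException with {@code FAILURE} wrapping any error, including a missing
     *                             password handler when no endpoint is available to fall back to
     */
    protected CallbackHandler getCallback(RequestData reqData) throws WSSecurityException {
        try {
            SoapMessage msg = (SoapMessage) reqData.getMsgContext();
            CallbackHandler handler = SecurityUtils.getCallbackHandler(
                SecurityUtils.getSecurityPropertyValue("security.callback-handler", msg));
            if (handler == null) {
                try {
                    handler = getPasswordCallbackHandler(reqData);
                } catch (WSSecurityException noPasswordHandler) {
                    Endpoint ep = msg.getExchange().getEndpoint();
                    if (ep == null || ep.getEndpointInfo() == null) {
                        throw noPasswordHandler;
                    }
                    return new TokenStoreCallbackHandler(null, TokenStoreUtils.getTokenStore(msg));
                }
            }
            Endpoint ep = msg.getExchange().getEndpoint();
            if (ep == null || ep.getEndpointInfo() == null) {
                return handler;
            }
            return new TokenStoreCallbackHandler(handler, TokenStoreUtils.getTokenStore(msg));
        } catch (Exception ex) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
        }
    }

    /**
     * Chooses the engine for a message: the override built from the constructor maps if there is
     * one; {@code null} (meaning "use a default engine") when tokens are validated; otherwise an
     * engine that registers a {@link NoOpValidator} for UsernameTokens so they are not validated.
     *
     * @param utWithCallbacks the {@code security.validate.token} setting
     */
    protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
        if (secEngineOverride != null) {
            return secEngineOverride;
        }
        if (utWithCallbacks) {
            return null;
        }
        Map<QName, Object> validators = new HashMap<>(1);
        validators.put(WSConstants.USERNAME_TOKEN, new NoOpValidator());
        return createSecurityEngine(validators);
    }

    /**
     * Builds an engine with a fresh {@link WSSConfig} whose processors/validators are overridden
     * from {@code map}, keyed by element {@link QName}. A value may be a processor {@link Class},
     * a {@link Processor} instance, a {@link Validator} instance, or {@code null} (passed through
     * to {@code setProcessor}, presumably disabling that processor). Values of any other type are
     * silently ignored.
     *
     * @param map the overrides; must not be {@code null}
     */
    public static WSSecurityEngine createSecurityEngine(Map<QName, Object> map) {
        assert map != null;
        WSSConfig config = WSSConfig.getNewInstance();
        for (Map.Entry<QName, Object> entry : map.entrySet()) {
            QName element = entry.getKey();
            Object override = entry.getValue();
            if (override instanceof Class) {
                config.setProcessor(element, (Class<?>) override);
            } else if (override instanceof Processor) {
                config.setProcessor(element, (Processor) override);
            } else if (override instanceof Validator) {
                config.setValidator(element, (Validator) override);
            } else if (override == null) {
                config.setProcessor(element, (Class<?>) null);
            }
        }
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /**
     * Resolves a replay cache for the message; subclasses may override to supply their own.
     *
     * @param enableKey   property that switches the cache on/off
     * @param instanceKey property naming an existing cache instance
     * @return the cache, or {@code null} if none is available
     */
    protected ReplayCache getReplayCache(SoapMessage msg, String enableKey, String instanceKey) {
        return WSS4JUtils.getReplayCache(msg, enableKey, instanceKey);
    }
}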
