package org.apache.cxf.sts.token.delegation;

import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.builder.SAML1Constants;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-services-sts-core-2.7.19-MULE-001.jar:org/apache/cxf/sts/token/delegation/HOKDelegationHandler.class */
public class HOKDelegationHandler extends SAMLDelegationHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(HOKDelegationHandler.class);

    @Override // org.apache.cxf.sts.token.delegation.SAMLDelegationHandler
    protected boolean isDelegationAllowed(ReceivedToken receivedToken, String str) {
        try {
            AssertionWrapper assertionWrapper = new AssertionWrapper((Element) receivedToken.getToken());
            for (String str2 : assertionWrapper.getConfirmationMethods()) {
                if (!SAML1Constants.CONF_BEARER.equals(str2) && !SAML1Constants.CONF_HOLDER_KEY.equals(str2) && !"urn:oasis:names:tc:SAML:2.0:cm:bearer".equals(str2) && !"urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(str2)) {
                    return false;
                }
            }
            if (!isCheckAudienceRestriction() || str == null) {
                return true;
            }
            List<String> audienceRestrictions = getAudienceRestrictions(assertionWrapper);
            if (audienceRestrictions.isEmpty()) {
                return true;
            }
            return audienceRestrictions.contains(str);
        } catch (WSSecurityException e) {
            LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", (Throwable) e);
            return false;
        }
    }
}
