package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.UsernameToken;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.ws.security.WSSecurityEngineResult;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.7.19-MULE-002.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.class */
public class UsernameTokenPolicyValidator extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator
    public boolean validatePolicy(AssertionInfoMap assertionInfoMap, Message message, Element element, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        Collection<AssertionInfo> collection = assertionInfoMap.get(SP12Constants.USERNAME_TOKEN);
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        ArrayList arrayList = new ArrayList(2);
        arrayList.add(1);
        arrayList.add(8192);
        List<WSSecurityEngineResult> fetchAllActionResults = WSS4JUtils.fetchAllActionResults(list, arrayList);
        for (AssertionInfo assertionInfo : collection) {
            UsernameToken usernameToken = (UsernameToken) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
            if (isTokenRequired(usernameToken, message)) {
                if (fetchAllActionResults.isEmpty()) {
                    assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                } else if (!checkTokens(usernameToken, assertionInfo, fetchAllActionResults)) {
                }
            }
        }
        return true;
    }

    public boolean checkTokens(UsernameToken usernameToken, AssertionInfo assertionInfo, List<WSSecurityEngineResult> list) {
        Iterator<WSSecurityEngineResult> it = list.iterator();
        while (it.hasNext()) {
            org.apache.ws.security.message.token.UsernameToken usernameToken2 = (org.apache.ws.security.message.token.UsernameToken) it.next().get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
            if (usernameToken.isHashPassword() != usernameToken2.isHashed()) {
                assertionInfo.setNotAsserted("Password hashing policy not enforced");
                return false;
            }
            if (usernameToken.isNoPassword() && usernameToken2.getPassword() != null) {
                assertionInfo.setNotAsserted("Username Token NoPassword policy not enforced");
                return false;
            }
            if (!usernameToken.isNoPassword() && usernameToken2.getPassword() == null && isNonEndorsingSupportingToken(usernameToken)) {
                assertionInfo.setNotAsserted("Username Token No Password supplied");
                return false;
            }
            if (usernameToken.isRequireCreated() && (usernameToken2.getCreated() == null || usernameToken2.isHashed())) {
                assertionInfo.setNotAsserted("Username Token Created policy not enforced");
                return false;
            }
            if (usernameToken.isRequireNonce() && (usernameToken2.getNonce() == null || usernameToken2.isHashed())) {
                assertionInfo.setNotAsserted("Username Token Nonce policy not enforced");
                return false;
            }
        }
        return true;
    }

    private boolean isNonEndorsingSupportingToken(UsernameToken usernameToken) {
        SupportingToken supportingToken = usernameToken.getSupportingToken();
        if (supportingToken == null) {
            return false;
        }
        SPConstants.SupportTokenType tokenType = supportingToken.getTokenType();
        return tokenType == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING || tokenType == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED || tokenType == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED || tokenType == SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED;
    }
}
