package org.apache.cxf.ws.security.policy.interceptors;

import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.neethi.All;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.spnego.SpnegoTokenContext;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.opensaml.ws.wstrust.RequestSecurityTokenResponseCollection;
import org.opensaml.ws.wstrust.RequestedAttachedReference;
import org.opensaml.ws.wstrust.RequestedProofToken;
import org.opensaml.ws.wstrust.RequestedUnattachedReference;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.7.19-MULE-004.jar:org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.class */
/**
 * Inbound policy interceptor for the WS-SecurityPolicy {@code SpnegoContextToken} assertion.
 *
 * <p>On the requestor (client) side the assertion is simply marked as asserted. On the
 * service side the interceptor looks at the inbound action: a WS-Trust {@code RST/Issue}
 * request under one of the two supported WS-Trust namespaces is re-routed to an embedded
 * STS ({@link SpnegoSTSInvoker}) that validates the SPNEGO token and issues a
 * SecurityContextToken; any other message gets {@link SpnegoContextTokenFinderInterceptor}
 * appended to the chain, which later checks that a SecurityContextToken was actually
 * processed by WSS4J.
 *
 * <p>Decompiled source: the original bytecode-level access modifiers may differ from what
 * the decompiler emitted (see the note on the finder class).
 */
class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    static final Logger LOG = LogUtils.getL7dLogger(SpnegoContextTokenInInterceptor.class);

    // WS-Trust namespaces accepted for the RST/Issue action.
    private static final String WST_NS_2005_02 = "http://schemas.xmlsoap.org/ws/2005/02/trust";
    private static final String WST_NS_200512 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    // Message property holding the inbound WS-Addressing headers.
    private static final String WSA_INBOUND_PROPS = "javax.xml.ws.addressing.context.inbound";
    // Substring that identifies an Issue request in the action URI.
    private static final String RST_ISSUE = "/RST/Issue";

    // Only Base64 BinaryExchange payloads are accepted.
    private static final String BASE64_ENCODING_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";

    // Issued SecurityContextTokens are valid for five minutes from creation.
    private static final long TOKEN_LIFETIME_MILLIS = 300000L;
    // Default and accepted bounds (in bits) for the client-requested KeySize.
    private static final int DEFAULT_KEY_SIZE = 256;
    private static final int MIN_KEY_SIZE = 128;
    private static final int MAX_KEY_SIZE = 512;

    /**
     * Post-WSS4J check that a SecurityContextToken was found in the inbound message.
     *
     * <p>Runs in {@code PRE_PROTOCOL} after {@code WSS4JInInterceptor} and marks every
     * {@code SpnegoContextToken} assertion as asserted or not, based on
     * {@code NegotiationUtils.parseSCTResult}.
     *
     * <p>NOTE(review): the decompiler reports that this nested class was package-private in
     * the original bytecode; the {@code public} modifier here is as emitted.
     */
    public static final class SpnegoContextTokenFinderInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
        static final SpnegoContextTokenFinderInterceptor INSTANCE = new SpnegoContextTokenFinderInterceptor();

        private SpnegoContextTokenFinderInterceptor() {
            super(Phase.PRE_PROTOCOL);
            addAfter(WSS4JInInterceptor.class.getName());
        }

        /**
         * Asserts or rejects the SpnegoContextToken assertions depending on whether a
         * SecurityContextToken result is present in the message.
         *
         * @param soapMessage the inbound message
         * @throws Fault never thrown directly here; declared by the interceptor contract
         */
        @Override
        public void handleMessage(SoapMessage soapMessage) throws Fault {
            // Evaluate the WSS4J result first; it is consulted even when no assertion exists.
            boolean sctPresent = NegotiationUtils.parseSCTResult(soapMessage);
            AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> assertions = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
            if (assertions == null || assertions.isEmpty()) {
                return;
            }
            for (AssertionInfo ai : assertions) {
                if (sctPresent) {
                    ai.setAsserted(true);
                } else {
                    ai.setNotAsserted("No SecurityContextToken token found in message.");
                }
            }
        }
    }

    /**
     * Embedded STS that answers a SPNEGO {@code RST/Issue} with a SecurityContextToken.
     *
     * <p>Non-static inner class (as decompiled), so each instance carries a reference to the
     * enclosing interceptor; nothing in this class reads that reference.
     * {@code writeSecurityTokenReference} and {@code writeLifetime} are presumably inherited
     * from {@code STSInvoker} — not visible here.
     */
    public class SpnegoSTSInvoker extends STSInvoker {
        public SpnegoSTSInvoker() {
        }

        /**
         * Validates the client's BinaryExchange (SPNEGO service ticket), then writes a
         * RequestSecurityTokenResponseCollection containing a fresh SecurityContextToken,
         * its references, lifetime, key size and a GSS-wrapped proof key, and stores the
         * token (with the proof key as its secret) in the endpoint's {@code TokenStore}.
         *
         * @param element            the RequestSecurityToken element
         * @param exchange           the current exchange; its in-message supplies the JAAS
         *                           context name, SPN and callback handler
         * @param element2           the BinaryExchange element carrying the SPNEGO token
         * @param w3CDOMStreamWriter writer the response is built into
         * @param str                namespace prefix used for WS-Trust elements
         * @param str2               WS-Trust namespace URI
         * @throws Exception if the BinaryExchange is missing or malformed, if ticket
         *                   validation fails, or on any writer error; a non-numeric
         *                   {@code KeySize} surfaces as an unchecked NumberFormatException
         */
        @Override
        void doIssue(Element element, Exchange exchange, Element element2,
                     W3CDOMStreamWriter w3CDOMStreamWriter, String str, String str2) throws Exception {
            // Authenticate the caller before any part of the response is written.
            SpnegoTokenContext spnegoContext = handleBinaryExchange(element2, exchange.getInMessage(), str2);

            w3CDOMStreamWriter.writeStartElement(str, RequestSecurityTokenResponseCollection.ELEMENT_LOCAL_NAME, str2);
            w3CDOMStreamWriter.writeStartElement(str, "RequestSecurityTokenResponse", str2);

            // Echo the client's Context attribute back when one was supplied.
            String requestContext = element.getAttributeNS(null, "Context");
            if (requestContext != null && !requestContext.isEmpty()) {
                w3CDOMStreamWriter.writeAttribute("Context", requestContext);
            }

            // Pick KeySize and TokenType from the request's direct children in the WS-Trust namespace.
            int keySize = DEFAULT_KEY_SIZE;
            String tokenType = null;
            for (Element child = DOMUtils.getFirstElement(element);
                 child != null;
                 child = DOMUtils.getNextElement(child)) {
                if (!str2.equals(child.getNamespaceURI())) {
                    continue;
                }
                String localName = child.getLocalName();
                if ("KeySize".equals(localName)) {
                    keySize = Integer.parseInt(child.getTextContent());
                } else if ("TokenType".equals(localName)) {
                    tokenType = child.getTextContent();
                }
            }
            // KeySize is client-controlled: anything outside the accepted range falls back to the default.
            boolean keySizeAcceptable = keySize >= MIN_KEY_SIZE && keySize <= MAX_KEY_SIZE;
            if (!keySizeAcceptable) {
                keySize = DEFAULT_KEY_SIZE;
            }

            // NOTE(review): tokenType stays null if the request carried no TokenType; what
            // writeCharacters(null) does is up to the writer implementation — confirm.
            w3CDOMStreamWriter.writeStartElement(str, "TokenType", str2);
            w3CDOMStreamWriter.writeCharacters(tokenType);
            w3CDOMStreamWriter.writeEndElement();

            w3CDOMStreamWriter.writeStartElement(str, "RequestedSecurityToken", str2);
            SecurityContextToken sct =
                new SecurityContextToken(NegotiationUtils.getWSCVersion(tokenType), w3CDOMStreamWriter.getDocument());
            Date created = new Date();
            Date expires = new Date(created.getTime() + TOKEN_LIFETIME_MILLIS);
            SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
            token.setToken(sct.getElement());
            token.setTokenType(sct.getTokenType());
            // Bind the authenticated principal (set by the WSS4J/SPNEGO processing) to the issued token.
            SecurityContext securityContext = (SecurityContext) exchange.getInMessage().get(SecurityContext.class);
            if (securityContext != null) {
                token.setSecurityContext(securityContext);
            }
            w3CDOMStreamWriter.getCurrentNode().appendChild(sct.getElement());
            w3CDOMStreamWriter.writeEndElement();

            w3CDOMStreamWriter.writeStartElement(str, RequestedAttachedReference.ELEMENT_LOCAL_NAME, str2);
            token.setAttachedReference(writeSecurityTokenReference(w3CDOMStreamWriter, "#" + sct.getID(), tokenType));
            w3CDOMStreamWriter.writeEndElement();

            w3CDOMStreamWriter.writeStartElement(str, RequestedUnattachedReference.ELEMENT_LOCAL_NAME, str2);
            token.setUnattachedReference(writeSecurityTokenReference(w3CDOMStreamWriter, sct.getIdentifier(), tokenType));
            w3CDOMStreamWriter.writeEndElement();

            writeLifetime(w3CDOMStreamWriter, created, expires, str, str2);

            w3CDOMStreamWriter.writeStartElement(str, "KeySize", str2);
            w3CDOMStreamWriter.writeCharacters(String.valueOf(keySize));
            w3CDOMStreamWriter.writeEndElement();

            // The proof key is keySize bits of fresh random material, sent GSS-wrapped under the
            // negotiated SPNEGO context so only the authenticated client can unwrap it.
            byte[] proofKey = WSSecurityUtil.generateNonce(keySize / 8);
            writeProofToken(w3CDOMStreamWriter, str, str2, spnegoContext.wrapKey(proofKey));

            w3CDOMStreamWriter.writeEndElement();
            w3CDOMStreamWriter.writeEndElement();

            // Release the GSS context; the token keeps the raw proof key as its secret.
            spnegoContext.clear();
            token.setSecret(proofKey);
            Endpoint endpoint = (Endpoint) exchange.get(Endpoint.class);
            TokenStore tokenStore = (TokenStore) endpoint.getEndpointInfo().getProperty(TokenStore.class.getName());
            tokenStore.add(token);
        }

        /**
         * Checks the BinaryExchange element and validates the SPNEGO service ticket it carries.
         *
         * @param binaryExchange the BinaryExchange element, may be null
         * @param message        the in-message supplying the JAAS context name, SPN and callback handler
         * @param namespace      WS-Trust namespace URI; the expected ValueType is {@code namespace + "/spnego"}
         * @return the validated SPNEGO context, ready to wrap the proof key
         * @throws Exception if the element is missing, its EncodingType or ValueType is not the
         *                   expected one, or ticket validation fails
         */
        private SpnegoTokenContext handleBinaryExchange(Element binaryExchange, Message message, String namespace)
            throws Exception {
            if (binaryExchange == null) {
                throw new Exception("No BinaryExchange element received");
            }
            String encodingType = binaryExchange.getAttributeNS(null, "EncodingType");
            if (!BASE64_ENCODING_TYPE.equals(encodingType)) {
                throw new Exception("Unknown encoding type: " + encodingType);
            }
            String valueType = binaryExchange.getAttributeNS(null, "ValueType");
            String expectedValueType = namespace + "/spnego";
            if (!expectedValueType.equals(valueType)) {
                throw new Exception("Unknown value type: " + valueType);
            }
            // Decode before looking up the Kerberos configuration, so a bad payload fails early.
            byte[] ticket = Base64.decode(DOMUtils.getContent(binaryExchange));
            String jaasContextName = (String) message.getContextualProperty(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME);
            String servicePrincipalName = (String) message.getContextualProperty(SecurityConstants.KERBEROS_SPN);
            CallbackHandler callbackHandler = NegotiationUtils.getCallbackHandler(
                message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER), getClass());
            SpnegoTokenContext spnegoContext = new SpnegoTokenContext();
            spnegoContext.validateServiceTicket(jaasContextName, callbackHandler, servicePrincipalName, ticket);
            return spnegoContext;
        }

        /**
         * Writes the RequestedProofToken as an {@code xenc:EncryptedKey} whose EncryptionMethod
         * is {@code <namespace>/spnego#GSS_Wrap} and whose CipherValue is the Base64 of the
         * already-wrapped key.
         *
         * @param writer     response writer
         * @param prefix     WS-Trust namespace prefix
         * @param namespace  WS-Trust namespace URI
         * @param wrappedKey the GSS-wrapped proof key bytes
         * @throws Exception on writer errors
         */
        private void writeProofToken(W3CDOMStreamWriter writer, String prefix, String namespace, byte[] wrappedKey)
            throws Exception {
            writer.writeStartElement(prefix, RequestedProofToken.ELEMENT_LOCAL_NAME, namespace);
            writer.writeStartElement("xenc", "EncryptedKey", XENC_NS);

            writer.writeStartElement("xenc", "EncryptionMethod", XENC_NS);
            writer.writeAttribute("Algorithm", namespace + "/spnego#GSS_Wrap");
            writer.writeEndElement();

            writer.writeStartElement("xenc", "CipherData", XENC_NS);
            writer.writeStartElement("xenc", "CipherValue", XENC_NS);
            writer.writeCharacters(Base64.encode(wrappedKey));
            writer.writeEndElement(); // CipherValue
            writer.writeEndElement(); // CipherData

            writer.writeEndElement(); // EncryptedKey
            writer.writeEndElement(); // RequestedProofToken
        }

        /**
         * Compiler-generated bridge reproduced by the decompiler; delegates to the superclass.
         */
        @Override
        public Object invoke(Exchange exchange, Object obj) {
            return super.invoke(exchange, obj);
        }
    }

    public SpnegoContextTokenInInterceptor() {
        super(Phase.PRE_PROTOCOL);
    }

    /**
     * Routes the message: asserts the policy on the requestor side, installs the embedded
     * STS for a WS-Trust RST/Issue, and otherwise schedules the SecurityContextToken check.
     *
     * @param soapMessage the inbound message
     * @throws Fault never thrown directly here; declared by the interceptor contract
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        AssertionInfoMap aim = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        if (aim == null) {
            return;
        }
        Collection<AssertionInfo> assertions = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
        if (assertions == null || assertions.isEmpty()) {
            return;
        }

        // Client side: nothing to verify on an inbound message, the assertion is satisfied.
        if (isRequestor(soapMessage)) {
            for (AssertionInfo ai : assertions) {
                ai.setAsserted(true);
            }
            return;
        }

        String action = resolveAction(soapMessage);
        if (!isTrustIssueAction(action)) {
            // Ordinary application message: verify after WSS4J that a SecurityContextToken was used.
            soapMessage.getInterceptorChain().add(SpnegoContextTokenFinderInterceptor.INSTANCE);
            return;
        }

        // RST/Issue: replace the effective policy with addressing-only and dispatch to the embedded STS.
        Policy policy = new Policy();
        ExactlyOne exactlyOne = new ExactlyOne();
        policy.addPolicyComponent(exactlyOne);
        All all = new All();
        all.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
        exactlyOne.addPolicyComponent(all);

        unmapSecurityProps(soapMessage);
        String trustNamespace = action.startsWith(WST_NS_2005_02) ? WST_NS_2005_02 : WST_NS_200512;
        NegotiationUtils.recalcEffectivePolicy(soapMessage, trustNamespace, policy, new SpnegoSTSInvoker(), false);
    }

    /**
     * Returns the SOAPAction, falling back to the inbound WS-Addressing Action when SOAPAction
     * is absent and addressing headers are present.
     *
     * @param soapMessage the inbound message
     * @return the resolved action URI, or null if neither source provides one
     */
    private String resolveAction(SoapMessage soapMessage) {
        String action = (String) soapMessage.get("SOAPAction");
        AddressingProperties inboundAddressing =
            (AddressingProperties) soapMessage.getContextualProperty(WSA_INBOUND_PROPS);
        if (inboundAddressing != null && action == null) {
            action = inboundAddressing.getAction().getValue();
        }
        return action;
    }

    /**
     * True when the action is a WS-Trust RST/Issue under one of the supported namespaces.
     *
     * @param action the resolved action URI, may be null
     * @return whether the message should be handled by the embedded STS
     */
    private static boolean isTrustIssueAction(String action) {
        if (action == null || !action.contains(RST_ISSUE)) {
            return false;
        }
        return action.startsWith(WST_NS_2005_02) || action.startsWith(WST_NS_200512);
    }

    /**
     * Copies every configured {@code SecurityConstants.ALL_PROPERTIES} value that is visible as
     * a contextual property of the message onto the exchange, so the embedded STS dispatch can
     * still find the security configuration.
     *
     * @param message the inbound message
     */
    private void unmapSecurityProps(Message message) {
        Exchange exchange = message.getExchange();
        for (String propertyName : SecurityConstants.ALL_PROPERTIES) {
            Object value = message.getContextualProperty(propertyName);
            if (value == null) {
                continue;
            }
            exchange.put(propertyName, value);
        }
    }
}
