package sun.security.mule.krb5.cxf;

import java.util.Collection;
import java.util.Iterator;
import javax.security.auth.callback.CallbackHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.Trust10;
import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.spnego.SpnegoClientAction;
import org.apache.ws.security.util.Base64;
import org.w3c.dom.Element;
import sun.security.mule.krb5.Config;

/* loaded from: input_file:sun/security/mule/krb5/cxf/SpnegoContextTokenOutInterceptor.class */
/**
 * Outbound SOAP interceptor for policies that carry a SPNEGO context token assertion.
 *
 * <p>On the requestor side it looks up a previously stored {@link SecurityToken} by the
 * {@code ws-security.token.id} contextual property and, when none is found, negotiates a new one
 * through {@link #issueToken}. The resulting token id is written to the endpoint and the exchange,
 * and the token is added to the token store. On the non-requestor side the assertions are simply
 * marked as asserted.
 */
public class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    static final Log logger = LogFactory.getLog(SpnegoContextTokenOutInterceptor.class);

    /** Registers this interceptor in the {@code prepare-send} phase. */
    public SpnegoContextTokenOutInterceptor() {
        super("prepare-send");
    }

    /**
     * Resolves (or issues) the SPNEGO-derived security token for an outbound message.
     *
     * @param soapMessage the outbound message being prepared
     * @throws Fault if token issuance fails
     */
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        AssertionInfoMap policyAssertions = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        if (policyAssertions == null) {
            return;
        }
        Collection<?> spnegoAssertions = (Collection<?>) policyAssertions.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
        if (spnegoAssertions == null || spnegoAssertions.isEmpty()) {
            // No SPNEGO context token in the effective policy: nothing to do.
            return;
        }

        if (!isRequestor(soapMessage)) {
            markAsserted(spnegoAssertions);
            return;
        }

        // NOTE(review): the stored token is reused as returned by the token store; no expiry
        // check is visible in this class. Confirm the store evicts expired tokens.
        String knownTokenId = (String) soapMessage.getContextualProperty("ws-security.token.id");
        SecurityToken token = null;
        if (knownTokenId != null) {
            token = NegotiationUtils.getTokenStore(soapMessage).getToken(knownTokenId);
        }
        if (token == null) {
            token = issueToken(soapMessage, policyAssertions);
        }
        if (token == null) {
            return;
        }

        markAsserted(spnegoAssertions);
        // NOTE(review): the token id is recorded on the Endpoint as well as on the exchange, so
        // later messages on the same endpoint can resolve it. Confirm an endpoint is never
        // shared between callers that must not reuse each other's security context.
        ((Endpoint) soapMessage.getExchange().get(Endpoint.class)).put("ws-security.token.id", token.getId());
        soapMessage.getExchange().put("ws-security.token.id", token.getId());
        NegotiationUtils.getTokenStore(soapMessage).add(token);
    }

    /**
     * Obtains a SPNEGO token for the configured service principal and exchanges it with the STS
     * client for a security token whose secret is unwrapped with the SPNEGO context.
     *
     * @param soapMessage the outbound message supplying the contextual properties and the
     *     Kerberos configuration
     * @param assertionInfoMap the policy assertions passed on to the STS client setup
     * @return the security token returned by the STS client, with its secret unwrapped
     * @throws RuntimeException if the message carries no Kerberos configuration
     * @throws Fault if retrieving the service ticket or the token request fails with a checked
     *     exception
     */
    private SecurityToken issueToken(SoapMessage soapMessage, AssertionInfoMap assertionInfoMap) {
        // The SPN is passed on unchanged; a missing property reaches retrieveServiceTicket as null.
        String servicePrincipalName = (String) soapMessage.getContextualProperty("ws-security.kerberos.spn");
        CallbackHandler credentialsHandler = NegotiationUtils.getCallbackHandler(
                soapMessage.getContextualProperty("ws-security.callback-handler"), getClass());

        SpnegoTokenContext spnegoContext = new SpnegoTokenContext();
        Object clientAction = soapMessage.getContextualProperty("ws-security.spnego.client.action");
        if (clientAction instanceof SpnegoClientAction) {
            spnegoContext.setSpnegoClientAction((SpnegoClientAction) clientAction);
        }

        Config kerberosConfig = (Config) soapMessage.get(KerberosConstants.KERBEROS_CONFIG);
        if (kerberosConfig == null) {
            // Fail closed: no negotiation is attempted without an explicit Kerberos configuration.
            final String missingConfig = "Cannot find a Kerberos config in the request of the message. Key:sun.security.mule.krb5.configuration";
            if (logger.isErrorEnabled()) {
                logger.error(missingConfig);
            }
            throw new RuntimeException(missingConfig);
        }
        spnegoContext.setKerberosConfig(kerberosConfig);

        try {
            spnegoContext.retrieveServiceTicket(credentialsHandler, servicePrincipalName);

            STSClient stsClient = STSUtils.getClient(soapMessage, "spnego");
            AddressingProperties addressing =
                    (AddressingProperties) soapMessage.get("javax.xml.ws.addressing.context.outbound");
            if (addressing == null) {
                addressing = (AddressingProperties) soapMessage.get("javax.xml.ws.addressing.context");
            }

            // The client is configured per request and reset afterwards, so the whole exchange
            // runs under the client's monitor.
            synchronized (stsClient) {
                try {
                    String clientSetupValue =
                            SpnegoTokenInterceptorProvider.setupClient(stsClient, soapMessage, assertionInfoMap);
                    if (addressing != null) {
                        stsClient.setAddressingNamespace(addressing.getNamespaceURI());
                    }
                    SecurityToken issued =
                            stsClient.requestSecurityToken(clientSetupValue, Base64.encode(spnegoContext.getToken()));
                    issued.setSecret(spnegoContext.unwrapKey(issued.getSecret()));
                    // NOTE(review): the SPNEGO context is cleared only on this success path; if
                    // the request or the unwrap throws, clear() is never called. Confirm the
                    // context does not hold Kerberos state that needs explicit disposal.
                    spnegoContext.clear();
                    return issued;
                } catch (RuntimeException e) {
                    throw e;
                } catch (Exception e) {
                    throw new Fault(e);
                } finally {
                    resetClient(stsClient);
                }
            }
        } catch (WSSecurityException e) {
            throw new Fault(e);
        }
    }

    /** Marks every assertion in the collection as asserted. */
    private static void markAsserted(Collection<?> assertions) {
        for (Object assertion : assertions) {
            ((AssertionInfo) assertion).setAsserted(true);
        }
    }

    /** Removes the per-request settings from the STS client so they do not carry over to the next use. */
    private static void resetClient(STSClient stsClient) {
        stsClient.setTrust((Trust10) null);
        stsClient.setTrust((Trust13) null);
        stsClient.setTemplate((Element) null);
        stsClient.setLocation((String) null);
        stsClient.setAddressingNamespace((String) null);
    }
}
