package org.apache.cxf.sts.claims;

import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.rt.security.claims.Claim;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.sts.IdentityMapper;
import org.apache.cxf.sts.token.realm.RealmSupport;
import org.apache.cxf.sts.token.realm.Relationship;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Attribute;
import org.opensaml.saml.saml1.core.AttributeStatement;

/* loaded from: input_file:WEB-INF/lib/cxf-services-sts-core-3.3.6.jar:org/apache/cxf/sts/claims/ClaimsManager.class */
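public class ClaimsManager {
    private static final Logger LOG = LogUtils.getL7dLogger(ClaimsManager.class);

    private List<ClaimsParser> claimParsers;
    private List<ClaimsHandler> claimHandlers;
    // Union of the claim types announced by the configured handlers; rebuilt by setClaimHandlers().
    private final List<String> supportedClaimTypes = new ArrayList<String>();
    // When true, a handler failure aborts the whole request instead of skipping that handler.
    private boolean stopProcessingOnException = true;
    private IdentityMapper identityMapper;

    /**
     * Returns the mapper used to translate a principal into a handler's realm, or {@code null} if none.
     */
    public IdentityMapper getIdentityMapper() {
        return this.identityMapper;
    }

    /**
     * Sets the mapper used by {@link #doMapping(String, Principal, String)} for cross-realm handlers.
     *
     * @param identityMapper the mapper, may be {@code null} when no cross-realm handler is configured
     */
    public void setIdentityMapper(IdentityMapper identityMapper) {
        this.identityMapper = identityMapper;
    }

    /**
     * Returns whether a failing {@link ClaimsHandler} aborts claim processing (default {@code true}).
     */
    public boolean isStopProcessingOnException() {
        return this.stopProcessingOnException;
    }

    /**
     * Controls the reaction to a {@link RuntimeException} thrown by a handler: rethrow ({@code true})
     * or log and continue with the remaining handlers ({@code false}).
     *
     * @param stopProcessingOnException the new setting
     */
    public void setStopProcessingOnException(boolean stopProcessingOnException) {
        this.stopProcessingOnException = stopProcessingOnException;
    }

    /**
     * Returns the live list of claim types supported by the configured handlers.
     * <p>
     * The returned list is the manager's internal list (not a copy) to stay compatible with existing
     * callers; it is refreshed whenever {@link #setClaimHandlers(List)} is called.
     */
    public List<String> getSupportedClaimTypes() {
        return this.supportedClaimTypes;
    }

    /**
     * Returns the configured claim parsers, or {@code null} if none have been set.
     */
    public List<ClaimsParser> getClaimParsers() {
        return this.claimParsers;
    }

    /**
     * Returns the configured claim handlers, or {@code null} if none have been set.
     */
    public List<ClaimsHandler> getClaimHandlers() {
        return this.claimHandlers;
    }

    /**
     * Sets the claim parsers.
     *
     * @param claimParsers the parsers, may be {@code null}
     */
    public void setClaimParsers(List<ClaimsParser> claimParsers) {
        this.claimParsers = claimParsers;
    }

    /**
     * Sets the claim handlers and recomputes {@link #getSupportedClaimTypes()} from them.
     * <p>
     * The supported-type list is cleared before it is rebuilt, so types of handlers that were
     * configured earlier do not linger after a reconfiguration.
     *
     * @param claimHandlers the handlers, may be {@code null} (clears the supported types)
     */
    public void setClaimHandlers(List<ClaimsHandler> claimHandlers) {
        this.claimHandlers = claimHandlers;
        this.supportedClaimTypes.clear();
        if (claimHandlers == null) {
            return;
        }
        for (ClaimsHandler handler : claimHandlers) {
            List<String> handlerTypes = handler.getSupportedClaimTypes();
            if (handlerTypes != null) {
                this.supportedClaimTypes.addAll(handlerTypes);
            }
        }
    }

    /**
     * Resolves the claims requested in a primary and a secondary collection.
     * <p>
     * Collections sharing a non-null dialect are merged first (primary values win, see
     * {@link #mergeClaims(ClaimCollection, ClaimCollection)}); otherwise each collection is resolved
     * on its own and the results are concatenated.
     *
     * @param primaryClaims   primary requested claims, may be {@code null}
     * @param secondaryClaims secondary requested claims, may be {@code null}
     * @param parameters      request context handed to the handlers
     * @return the resolved claims, or {@code null} when both inputs are {@code null}
     * @throws STSException if a mandatory claim could not be resolved or federation is misconfigured
     */
    public ProcessedClaimCollection retrieveClaimValues(ClaimCollection primaryClaims,
                                                        ClaimCollection secondaryClaims,
                                                        ClaimsParameters parameters) {
        if (primaryClaims == null && secondaryClaims == null) {
            return null;
        }
        if (secondaryClaims == null) {
            return retrieveClaimValues(primaryClaims, parameters);
        }
        if (primaryClaims == null) {
            return retrieveClaimValues(secondaryClaims, parameters);
        }
        boolean sameDialect = primaryClaims.getDialect() != null
            && primaryClaims.getDialect().equals(secondaryClaims.getDialect());
        if (sameDialect) {
            return retrieveClaimValues(mergeClaims(primaryClaims, secondaryClaims), parameters);
        }
        // Different dialects: resolve independently and concatenate.
        ProcessedClaimCollection combined = new ProcessedClaimCollection();
        ProcessedClaimCollection primaryResult = retrieveClaimValues(primaryClaims, parameters);
        if (primaryResult != null) {
            combined.addAll(primaryResult);
        }
        ProcessedClaimCollection secondaryResult = retrieveClaimValues(secondaryClaims, parameters);
        if (secondaryResult != null) {
            combined.addAll(secondaryResult);
        }
        return combined;
    }

    /**
     * Resolves the requested claims, either locally through the configured handlers or, for a
     * claims-federation {@link Relationship}, by mapping the attributes of the incoming SAML
     * assertion into the target realm.
     *
     * @param claims     requested claims, may be {@code null} or empty
     * @param parameters request context; must not be {@code null} when claims are requested
     * @return the resolved claims, or {@code null} when nothing was requested
     * @throws STSException if a mandatory claim is missing, or federation is requested without a
     *                      {@link ClaimsMapper} or without a SAML assertion in the request
     */
    public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
        if (claims == null || claims.isEmpty()) {
            return null;
        }
        Relationship relationship = null;
        if (parameters.getAdditionalProperties() != null) {
            relationship = (Relationship) parameters.getAdditionalProperties().get(Relationship.class.getName());
        }
        if (relationship == null || relationship.getType().equals(Relationship.FED_TYPE_IDENTITY)) {
            // No relationship, or identity federation: the (possibly mapped) principal is resolved locally.
            ProcessedClaimCollection resolved = handleClaims(claims, parameters);
            validateClaimValues(claims, resolved);
            return resolved;
        }
        // Claims federation: attributes come from the presented assertion and are mapped across realms.
        ClaimsMapper claimsMapper = relationship.getClaimsMapper();
        if (claimsMapper == null) {
            LOG.log(Level.SEVERE, "ClaimsMapper required to federate claims but not configured.");
            throw new STSException("ClaimsMapper required to federate claims but not configured",
                                   STSException.BAD_REQUEST);
        }
        // NOTE(review): the wrapper is expected to have been validated by the token validator before it
        // was placed in the additional properties; this code does not re-validate it - confirm upstream.
        SamlAssertionWrapper assertion =
            (SamlAssertionWrapper) parameters.getAdditionalProperties().get(SamlAssertionWrapper.class.getName());
        if (assertion == null) {
            LOG.log(Level.SEVERE, "SAML assertion required to federate claims but not present in the request.");
            throw new STSException("SAML assertion required to federate claims but not present",
                                   STSException.BAD_REQUEST);
        }
        List<ProcessedClaim> assertionClaims;
        if (SAMLVersion.VERSION_20.equals(assertion.getSamlVersion())) {
            assertionClaims = parseClaimsInAssertion(assertion.getSaml2());
        } else {
            assertionClaims = parseClaimsInAssertion(assertion.getSaml1());
        }
        ProcessedClaimCollection sourceClaims = new ProcessedClaimCollection();
        sourceClaims.addAll(assertionClaims);
        ProcessedClaimCollection mapped = claimsMapper.mapClaims(relationship.getSourceRealm(), sourceClaims,
                                                                relationship.getTargetRealm(), parameters);
        validateClaimValues(claims, mapped);
        return mapped;
    }

    /**
     * Runs every configured handler over the subset of requested claims it supports.
     * <p>
     * {@link #isCurrentRealmSupported} may swap the principal in {@code parameters} for a mapped one
     * while a handler runs; the original principal is always restored afterwards so that one handler's
     * mapping never leaks into the next handler or the caller.
     *
     * @return the union of all handler results, never {@code null}
     * @throws RuntimeException rethrown from a handler when {@link #isStopProcessingOnException()} is set
     */
    private ProcessedClaimCollection handleClaims(ClaimCollection claims, ClaimsParameters parameters) {
        ProcessedClaimCollection result = new ProcessedClaimCollection();
        if (this.claimHandlers == null) {
            return result;
        }
        Principal originalPrincipal = parameters.getPrincipal();
        for (ClaimsHandler handler : this.claimHandlers) {
            ClaimCollection supported = filterHandlerClaims(claims, handler.getSupportedClaimTypes());
            if (supported.isEmpty() || !isCurrentRealmSupported(handler, parameters)) {
                continue;
            }
            ProcessedClaimCollection handlerResult = null;
            try {
                handlerResult = handler.retrieveClaimValues(supported, parameters);
            } catch (RuntimeException e) {
                LOG.log(Level.INFO, "Failed retrieving claims from ClaimsHandler " + handler.getClass().getName(), e);
                if (isStopProcessingOnException()) {
                    throw e;
                }
            } finally {
                parameters.setPrincipal(originalPrincipal);
            }
            if (handlerResult != null && !handlerResult.isEmpty()) {
                result.addAll(handlerResult);
            }
        }
        return result;
    }

    /**
     * Decides whether a handler applies to the request's realm and, when the handler lives in a
     * different realm, maps the request principal into that realm via {@link #doMapping}.
     * <p>
     * On a successful mapping the mapped principal replaces the one in {@code parameters}; the caller
     * is responsible for restoring the original afterwards.
     *
     * @return {@code true} if the handler should be invoked for this request
     * @throws STSException if the identity mapping fails
     */
    private boolean isCurrentRealmSupported(ClaimsHandler handler, ClaimsParameters parameters) {
        if (!(handler instanceof RealmSupport)) {
            return true;
        }
        RealmSupport realmSupport = (RealmSupport) handler;
        String requestRealm = parameters.getRealm();
        String handlerName = realmSupport.getClass().getName();

        List<String> supportedRealms = realmSupport.getSupportedRealms();
        if (supportedRealms != null && !supportedRealms.isEmpty() && !supportedRealms.contains(requestRealm)) {
            if (LOG.isLoggable(Level.FINER)) {
                LOG.finer("Handler '" + handlerName + "' doesn't support realm '" + requestRealm + "'");
            }
            return false;
        }

        String handlerRealm = realmSupport.getHandlerRealm();
        if (handlerRealm == null || handlerRealm.equalsIgnoreCase(requestRealm)) {
            if (LOG.isLoggable(Level.FINER)) {
                LOG.finer("Handler '" + handlerName + "' doesn't require identity mapping '" + requestRealm + "'");
            }
            return true;
        }

        // Resolve the name once and null-safely so that logging can never alter the outcome.
        Principal current = parameters.getPrincipal();
        String currentName = current == null ? null : current.getName();
        try {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Mapping user '" + currentName + "' [" + requestRealm + "] to realm '" + handlerRealm + "'");
            }
            Principal mapped = doMapping(requestRealm, current, handlerRealm);
            if (mapped == null || mapped.getName() == null) {
                LOG.log(Level.WARNING, "Null. Failed to map user '" + currentName + "' [" + requestRealm
                        + "] to realm '" + handlerRealm + "'");
                return false;
            }
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("Principal '" + mapped.getName() + "' passed to handler '" + handlerName + "'");
            }
            parameters.setPrincipal(mapped);
            return true;
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Failed to map user '" + currentName + "' [" + requestRealm
                    + "] to realm '" + handlerRealm + "'", e);
            throw new STSException("Failed to map user for claims handler", e, STSException.REQUEST_FAILED);
        }
    }

    /**
     * Returns the requested claims whose type is in {@code supportedTypes}, keeping the dialect.
     *
     * @param supportedTypes the handler's supported claim types; {@code null} selects nothing
     */
    private ClaimCollection filterHandlerClaims(ClaimCollection claims, List<String> supportedTypes) {
        ClaimCollection filtered = new ClaimCollection();
        filtered.setDialect(claims.getDialect());
        if (supportedTypes == null) {
            return filtered;
        }
        for (Claim claim : claims) {
            if (supportedTypes.contains(claim.getClaimType())) {
                filtered.add(claim);
            }
        }
        return filtered;
    }

    /**
     * Checks that every non-optional requested claim has at least one resolved counterpart.
     *
     * @param requested the requested claims
     * @param resolved  the resolved claims, may be {@code null} (treated as empty)
     * @return always {@code true}; kept for compatibility with existing callers
     * @throws STSException if a mandatory claim has no resolved value
     */
    private boolean validateClaimValues(ClaimCollection requested, ProcessedClaimCollection resolved) {
        for (Claim claim : requested) {
            if (claim.isOptional()) {
                continue;
            }
            String claimType = claim.getClaimType();
            if (!containsClaimType(resolved, claimType)) {
                LOG.warning("Mandatory claim not found: " + claimType);
                throw new STSException("Mandatory claim '" + claimType + "' not found");
            }
        }
        return true;
    }

    /** Returns whether {@code claims} holds a claim of the given type; null-safe on both sides. */
    private static boolean containsClaimType(ProcessedClaimCollection claims, String claimType) {
        if (claims == null || claimType == null) {
            return false;
        }
        for (ProcessedClaim processed : claims) {
            if (claimType.equals(processed.getClaimType())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts the attributes of a SAML 1.1 assertion as processed claims.
     * <p>
     * An attribute whose name is not a valid URI is logged and skipped; the attribute name is parsed
     * with {@code new URI(...)} only, because a preceding {@code URI.create} call would throw an
     * {@link IllegalArgumentException} before the {@link URISyntaxException} handler could run.
     *
     * @return the claims, or an empty list if the assertion has no attribute statements
     */
    protected List<ProcessedClaim> parseClaimsInAssertion(Assertion assertion) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            if (LOG.isLoggable(Level.FINEST)) {
                LOG.finest("No attribute statements found");
            }
            return Collections.emptyList();
        }
        ProcessedClaimCollection claims = new ProcessedClaimCollection();
        for (AttributeStatement statement : statements) {
            if (LOG.isLoggable(Level.FINEST)) {
                LOG.finest("parsing statement: " + statement.getElementQName());
            }
            for (Attribute attribute : statement.getAttributes()) {
                String attributeName = attribute.getAttributeName();
                if (LOG.isLoggable(Level.FINEST)) {
                    LOG.finest("parsing attribute: " + attributeName);
                }
                URI claimType;
                try {
                    claimType = new URI(attributeName);
                } catch (URISyntaxException e) {
                    LOG.warning("Invalid attribute name in attributestatement: " + e.getMessage());
                    continue;
                }
                ProcessedClaim claim = new ProcessedClaim();
                claim.setIssuer(assertion.getIssuer());
                claim.setClaimType(claimType);
                for (XMLObject value : attribute.getAttributeValues()) {
                    String text = value.getDOM().getTextContent();
                    if (LOG.isLoggable(Level.FINEST)) {
                        LOG.finest(" [" + text + "]");
                    }
                    claim.addValue(text);
                }
                claims.add(claim);
            }
        }
        return claims;
    }

    /**
     * Extracts the attributes of a SAML 2.0 assertion as processed claims.
     * <p>
     * Mirrors the SAML 1.1 variant: an attribute whose name is not a valid URI is logged and skipped
     * instead of failing the whole request.
     *
     * @return the claims, or an empty list if the assertion has no attribute statements
     */
    protected List<ProcessedClaim> parseClaimsInAssertion(org.opensaml.saml.saml2.core.Assertion assertion) {
        List<org.opensaml.saml.saml2.core.AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            if (LOG.isLoggable(Level.FINEST)) {
                LOG.finest("No attribute statements found");
            }
            return Collections.emptyList();
        }
        List<ProcessedClaim> claims = new ArrayList<ProcessedClaim>();
        for (org.opensaml.saml.saml2.core.AttributeStatement statement : statements) {
            if (LOG.isLoggable(Level.FINEST)) {
                LOG.finest("parsing statement: " + statement.getElementQName());
            }
            for (org.opensaml.saml.saml2.core.Attribute attribute : statement.getAttributes()) {
                String attributeName = attribute.getName();
                if (LOG.isLoggable(Level.FINEST)) {
                    LOG.finest("parsing attribute: " + attributeName);
                }
                URI claimType;
                try {
                    claimType = new URI(attributeName);
                } catch (URISyntaxException e) {
                    LOG.warning("Invalid attribute name in attributestatement: " + e.getMessage());
                    continue;
                }
                ProcessedClaim claim = new ProcessedClaim();
                claim.setClaimType(claimType);
                claim.setIssuer(assertion.getIssuer().getNameQualifier());
                for (XMLObject value : attribute.getAttributeValues()) {
                    String text = value.getDOM().getTextContent();
                    if (LOG.isLoggable(Level.FINEST)) {
                        LOG.finest(" [" + text + "]");
                    }
                    claim.addValue(text);
                }
                claims.add(claim);
            }
        }
        return claims;
    }

    /**
     * Merges two claim collections of the same dialect.
     * <p>
     * For a claim type present in both, the primary values win and any secondary values are logged as
     * ignored; a primary claim without values takes the secondary values. Secondary claims with no
     * primary counterpart are appended unchanged.
     *
     * @return a new collection carrying the primary dialect
     */
    private ClaimCollection mergeClaims(ClaimCollection primaryClaims, ClaimCollection secondaryClaims) {
        ClaimCollection remainingSecondary = new ClaimCollection();
        remainingSecondary.addAll(secondaryClaims);

        ClaimCollection merged = new ClaimCollection();
        merged.setDialect(primaryClaims.getDialect());
        for (Claim primary : primaryClaims) {
            Claim secondary = findClaimByType(remainingSecondary, primary.getClaimType());
            if (secondary == null) {
                merged.add(primary);
                continue;
            }
            Claim combined = new Claim();
            combined.setClaimType(primary.getClaimType());
            boolean primaryHasValues = primary.getValues() != null && !primary.getValues().isEmpty();
            boolean secondaryHasValues = secondary.getValues() != null && !secondary.getValues().isEmpty();
            if (primaryHasValues) {
                combined.setValues(primary.getValues());
                if (secondaryHasValues) {
                    LOG.log(Level.WARNING, "Secondary claim value " + secondary.getValues()
                            + " ignored in favour of primary claim value");
                }
            } else if (secondaryHasValues) {
                combined.setValues(secondary.getValues());
            }
            merged.add(combined);
            remainingSecondary.remove(secondary);
        }
        merged.addAll(remainingSecondary);
        return merged;
    }

    /** Returns the first claim in {@code claims} with the given type, or {@code null}. */
    private static Claim findClaimByType(ClaimCollection claims, String claimType) {
        if (claimType == null) {
            return null;
        }
        for (Claim candidate : claims) {
            if (claimType.equals(candidate.getClaimType())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Maps a principal from the request realm into a handler's realm using the configured
     * {@link IdentityMapper}. Subclasses may override to plug in a different strategy.
     *
     * @throws IllegalStateException if no identity mapper is configured
     */
    protected Principal doMapping(String sourceRealm, Principal principal, String targetRealm) {
        if (this.identityMapper == null) {
            throw new IllegalStateException("IdentityMapper required to map principal from realm '"
                                            + sourceRealm + "' to realm '" + targetRealm + "' but not configured");
        }
        return this.identityMapper.mapPrincipal(sourceRealm, principal, targetRealm);
    }
}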
