package org.apache.cxf.ws.security.wss4j;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.UsernameToken;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.processor.UsernameTokenProcessor;
import org.w3c.dom.Element;

/* JADX WARN: Classes with same name are omitted:
  input_file:lib/cxf-bundle-2.2.8.jar:org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.class
 */
/* loaded from: input_file:lib/cxf-rt-ws-security-2.2.8.jar:org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.class */
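/**
 * SOAP interceptor that handles a WS-Security {@code UsernameToken} when it is
 * required by a WS-SecurityPolicy assertion.
 *
 * <p>On the requestor's outbound side it builds the token from the configured
 * username/password and appends it to the {@code wsse:Security} header. On the
 * provider's inbound side it hands each {@code UsernameToken} element to WSS4J's
 * {@link UsernameTokenProcessor}, publishes the resulting principal on the message
 * and marks the matching policy assertions. In the two remaining directions it only
 * marks the assertions.
 *
 * <p>Runs in {@link Phase#PRE_PROTOCOL}, after the policy-based WSS4J interceptors,
 * and does nothing when those have already flagged the message as processed.
 */
public class UsernameTokenInterceptor extends AbstractSoapInterceptor {
    private static final Logger LOG = LogUtils.getL7dLogger(UsernameTokenInterceptor.class);

    /** WS-Security header QNames (both namespaces used below) reported as understood. */
    private static final Set<QName> HEADERS = new HashSet<QName>();

    static {
        HEADERS.add(new QName(WSConstants.WSSE_NS, WSConstants.WSSE_LN));
        HEADERS.add(new QName(WSConstants.WSSE11_NS, WSConstants.WSSE_LN));
    }

    public UsernameTokenInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
        addAfter(PolicyBasedWSS4JOutInterceptor.class.getName());
    }

    /**
     * Returns the security header names this interceptor understands.
     *
     * @return the shared set holding the {@code Security} header QName in both namespaces
     */
    @Override // org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor, org.apache.cxf.binding.soap.interceptor.SoapInterceptor
    public Set<QName> getUnderstoodHeaders() {
        return HEADERS;
    }

    /**
     * Dispatches on message direction.
     *
     * <ul>
     *   <li>requestor + outbound: add a UsernameToken to the request;</li>
     *   <li>provider + inbound: validate the UsernameToken(s) in the request;</li>
     *   <li>otherwise (requestor inbound or provider outbound): only mark the
     *       policy assertions, no token is created or checked.</li>
     * </ul>
     *
     * @param soapMessage the message being processed
     * @throws Fault if WSS4J rejects an incoming token
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        boolean isRequestor = MessageUtils.isRequestor(soapMessage);
        if (isRequestor != MessageUtils.isOutbound(soapMessage)) {
            assertUsernameTokens(soapMessage, null);
            return;
        }
        if (isRequestor) {
            // The policy-based out interceptor already handled security for this message.
            if (!soapMessage.containsKey(PolicyBasedWSS4JOutInterceptor.SECURITY_PROCESSED)) {
                addUsernameToken(soapMessage);
            }
        } else if (!soapMessage.containsKey(WSS4JInInterceptor.SECURITY_PROCESSED)) {
            processUsernameToken(soapMessage);
        }
    }

    /**
     * Validates every UsernameToken child of the incoming security header.
     *
     * <p>When there is no security header, or it holds no UsernameToken, this method
     * returns without marking any assertion; rejecting such a message is therefore
     * left to whatever verifies the assertion map later in the chain.
     * NOTE(review): confirm that a policy verification step is always present on
     * endpoints that rely on this interceptor.
     *
     * @param soapMessage the inbound request
     * @throws Fault wrapping the {@link WSSecurityException} raised by WSS4J
     */
    private void processUsernameToken(SoapMessage soapMessage) {
        Header securityHeader = findSecurityHeader(soapMessage, false);
        if (securityHeader == null) {
            return;
        }
        Element securityElement = (Element) securityHeader.getObject();
        for (Element child = DOMUtils.getFirstElement(securityElement);
                child != null;
                child = DOMUtils.getNextElement(child)) {
            if (!isUsernameToken(child)) {
                continue;
            }
            try {
                // Credential checking is delegated to WSS4J and the configured callback handler.
                WSUsernameTokenPrincipal principal =
                        new UsernameTokenProcessor().handleUsernameToken(child, getCallback(soapMessage));
                if (principal != null) {
                    recordPrincipal(soapMessage, principal);
                }
            } catch (WSSecurityException e) {
                throw new Fault(e);
            }
        }
    }

    /**
     * Tells whether an element is a WS-Security UsernameToken.
     *
     * <p>The namespace is checked as well as the local name, so that an element
     * merely named {@code UsernameToken} in a foreign namespace is not treated
     * as a security token.
     */
    private static boolean isUsernameToken(Element element) {
        return "UsernameToken".equals(element.getLocalName())
                && WSConstants.WSSE_NS.equals(element.getNamespaceURI());
    }

    /**
     * Publishes a validated principal: prepends a WSS4J result entry, marks the
     * policy assertions, stores the principal and installs a security context.
     *
     * <p>NOTE(review): with several UsernameToken elements, {@code PRINCIPAL_RESULT}
     * ends up holding the last principal while the security context keeps the first
     * one; consider rejecting more than one token.
     */
    private void recordPrincipal(SoapMessage soapMessage, final WSUsernameTokenPrincipal principal) {
        Vector<Object> engineResults = new Vector<Object>();
        engineResults.add(0, new WSSecurityEngineResult(
                WSConstants.UT, principal, (X509Certificate) null, (Set) null, (byte[]) null));

        List<Object> handlerResults = CastUtils.cast((List<?>) soapMessage.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null) {
            handlerResults = new Vector<Object>();
            soapMessage.put(WSHandlerConstants.RECV_RESULTS, handlerResults);
        }
        handlerResults.add(0, new WSHandlerResult(null, engineResults));

        assertUsernameTokens(soapMessage, principal);
        soapMessage.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);

        // Do not replace a principal that an earlier interceptor already established.
        SecurityContext existing = soapMessage.get(SecurityContext.class);
        if (existing == null || existing.getUserPrincipal() == null) {
            // Stored under the SecurityContext class key; the decompiled casts to Class were
            // artefacts that cannot succeed for a SecurityContext instance.
            soapMessage.put(SecurityContext.class, new SecurityContext() {
                @Override // org.apache.cxf.security.SecurityContext
                public Principal getUserPrincipal() {
                    return principal;
                }

                @Override // org.apache.cxf.security.SecurityContext
                public boolean isUserInRole(String role) {
                    // A username token carries no role information.
                    return false;
                }
            });
        }
    }

    /**
     * Marks the UsernameToken and supporting-token assertions on the message.
     *
     * <p>With a principal, a UsernameToken assertion is asserted only when the
     * policy's hash-password flag equals the principal's digest flag; with
     * {@code null} it is asserted unconditionally.
     *
     * <p>NOTE(review): SupportingTokens and SignedSupportingTokens are asserted here
     * without any signature check in this class, and the no-password flag is not
     * compared on the inbound side. Confirm both are enforced elsewhere.
     *
     * @param soapMessage message holding the {@link AssertionInfoMap}
     * @param wSUsernameTokenPrincipal validated principal, or {@code null} when nothing was validated
     * @return the last UsernameToken policy assertion seen, or {@code null} if there is none
     */
    private UsernameToken assertUsernameTokens(SoapMessage soapMessage, WSUsernameTokenPrincipal wSUsernameTokenPrincipal) {
        AssertionInfoMap assertions = soapMessage.get(AssertionInfoMap.class);
        UsernameToken policyToken = null;
        for (AssertionInfo info : assertions.getAssertionInfo(SP12Constants.USERNAME_TOKEN)) {
            policyToken = (UsernameToken) info.getAssertion();
            boolean digestMatches = wSUsernameTokenPrincipal == null
                    || policyToken.isHashPassword() == wSUsernameTokenPrincipal.isPasswordDigest();
            if (digestMatches) {
                info.setAsserted(true);
            } else {
                info.setNotAsserted("Password hashing policy not enforced");
            }
        }
        for (AssertionInfo info : assertions.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS)) {
            info.setAsserted(true);
        }
        for (AssertionInfo info : assertions.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS)) {
            info.setAsserted(true);
        }
        return policyToken;
    }

    /**
     * Builds the outbound token and appends it to the security header, creating the
     * header if needed. When no token can be built, any UsernameToken assertion that
     * was marked asserted is reset.
     */
    private void addUsernameToken(SoapMessage soapMessage) {
        UsernameToken policyToken = assertUsernameTokens(soapMessage, null);
        Header securityHeader = findSecurityHeader(soapMessage, true);
        WSSecUsernameToken builder = addUsernameToken(soapMessage, policyToken);
        if (builder == null) {
            AssertionInfoMap assertions = soapMessage.get(AssertionInfoMap.class);
            for (AssertionInfo info : assertions.getAssertionInfo(SP12Constants.USERNAME_TOKEN)) {
                if (info.isAsserted()) {
                    info.setAsserted(false);
                }
            }
            return;
        }
        Element securityElement = (Element) securityHeader.getObject();
        builder.prepare(securityElement.getOwnerDocument());
        securityElement.appendChild(builder.getUsernameTokenElement());
    }

    /**
     * Finds the {@code Security} header in either supported namespace.
     *
     * @param soapMessage message whose headers are searched
     * @param z when {@code true}, a new mustUnderstand header is created and added if none exists
     * @return the header, or {@code null} when absent and {@code z} is {@code false}
     */
    private Header findSecurityHeader(SoapMessage soapMessage, boolean z) {
        for (Header header : soapMessage.getHeaders()) {
            QName name = header.getName();
            if (!name.getLocalPart().equals(WSConstants.WSSE_LN)) {
                continue;
            }
            String namespace = name.getNamespaceURI();
            if (namespace.equals(WSConstants.WSSE_NS) || namespace.equals(WSConstants.WSSE11_NS)) {
                return header;
            }
        }
        if (!z) {
            return null;
        }
        Element securityElement = DOMUtils.createDocument().createElementNS(WSConstants.WSSE_NS, "wsse:Security");
        securityElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsse", WSConstants.WSSE_NS);
        SoapHeader created = new SoapHeader(new QName(WSConstants.WSSE_NS, WSConstants.WSSE_LN), securityElement);
        created.setMustUnderstand(true);
        soapMessage.getHeaders().add(created);
        return created;
    }

    /**
     * Creates the WSS4J builder for the outbound token from the message's contextual
     * properties, falling back to the callback handler for the password.
     *
     * <p>When the policy does not ask for a hashed password the password is sent as
     * text, so confidentiality then depends on the transport or message protection
     * in use.
     *
     * @param soapMessage the outbound message
     * @param usernameToken the policy assertion describing the required token
     * @return the configured builder, or {@code null} when the username or password is
     *         missing and the assertion is optional
     * @throws PolicyException (via {@link #policyNotAsserted}) when a required value is missing
     */
    protected WSSecUsernameToken addUsernameToken(SoapMessage soapMessage, UsernameToken usernameToken) {
        String userName = (String) soapMessage.getContextualProperty(SecurityConstants.USERNAME);
        if (StringUtils.isEmpty(userName)) {
            policyNotAsserted(usernameToken, "No username available", soapMessage);
            return null;
        }
        if (usernameToken.isNoPassword()) {
            WSSecUsernameToken noPasswordBuilder = new WSSecUsernameToken();
            noPasswordBuilder.setUserInfo(userName, null);
            noPasswordBuilder.setPasswordType(null);
            return noPasswordBuilder;
        }
        String password = (String) soapMessage.getContextualProperty(SecurityConstants.PASSWORD);
        if (StringUtils.isEmpty(password)) {
            password = getPassword(userName, usernameToken, WSPasswordCallback.USERNAME_TOKEN, soapMessage);
        }
        if (StringUtils.isEmpty(password)) {
            // The original reported "No username available" here, which hid the real cause.
            policyNotAsserted(usernameToken, "No password available", soapMessage);
            return null;
        }
        WSSecUsernameToken builder = new WSSecUsernameToken();
        builder.setPasswordType(usernameToken.isHashPassword()
                ? WSConstants.PASSWORD_DIGEST
                : WSConstants.PASSWORD_TEXT);
        builder.setUserInfo(userName, password);
        return builder;
    }

    /**
     * Resolves the callback handler from the {@code CALLBACK_HANDLER} contextual
     * property, which may hold an instance or a class name to instantiate.
     *
     * <p>The class name is loaded reflectively, so the property should only ever be
     * set from trusted configuration.
     *
     * @return the handler, or {@code null} when the property is unset, of another type,
     *         or names a class that cannot be instantiated as a handler
     */
    private CallbackHandler getCallback(SoapMessage soapMessage) {
        Object configured = soapMessage.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
        if (configured instanceof CallbackHandler) {
            return (CallbackHandler) configured;
        }
        if (configured instanceof String) {
            try {
                return (CallbackHandler) ClassLoaderUtils.loadClass((String) configured, getClass()).newInstance();
            } catch (Exception e) {
                // Still resolves to "no handler", but leave a trace: a silently missing
                // handler is otherwise very hard to diagnose.
                LOG.warning("Could not instantiate callback handler " + configured + ": " + e);
                return null;
            }
        }
        return null;
    }

    /**
     * Asks the callback handler for the password of a user.
     *
     * @param str the username
     * @param usernameToken the policy assertion, used for reporting failures
     * @param i the {@link WSPasswordCallback} usage code
     * @param soapMessage the current message
     * @return the password set by the handler, or {@code null} when no handler is
     *         available and the assertion is optional
     * @throws PolicyException when no handler is available for a required token, or
     *         when the handler throws
     */
    public String getPassword(String str, UsernameToken usernameToken, int i, SoapMessage soapMessage) {
        CallbackHandler handler = getCallback(soapMessage);
        if (handler == null) {
            policyNotAsserted(usernameToken, "No callback handler and no password available", soapMessage);
            return null;
        }
        WSPasswordCallback[] callbacks = {new WSPasswordCallback(str, i)};
        try {
            handler.handle(callbacks);
        } catch (Exception e) {
            policyNotAsserted(usernameToken, e, soapMessage);
        }
        return callbacks[0].getPassword();
    }

    /**
     * Marks the given assertion as not asserted with a textual reason.
     *
     * @throws PolicyException unless the assertion is optional; nothing happens when
     *         {@code usernameToken} is {@code null}
     */
    protected void policyNotAsserted(UsernameToken usernameToken, String str, SoapMessage soapMessage) {
        if (usernameToken == null) {
            return;
        }
        markNotAsserted(usernameToken, str, soapMessage);
        if (!usernameToken.isOptional()) {
            throw new PolicyException(new Message(str, LOG, new Object[0]));
        }
    }

    /**
     * Marks the given assertion as not asserted because of an exception.
     *
     * @throws PolicyException always, wrapping {@code exc}, even for an optional
     *         assertion; nothing happens when {@code usernameToken} is {@code null}
     */
    protected void policyNotAsserted(UsernameToken usernameToken, Exception exc, SoapMessage soapMessage) {
        if (usernameToken == null) {
            return;
        }
        markNotAsserted(usernameToken, exc.getMessage(), soapMessage);
        throw new PolicyException(exc);
    }

    /** Sets the reason on every assertion-info entry that wraps exactly this assertion instance. */
    private void markNotAsserted(UsernameToken usernameToken, String reason, SoapMessage soapMessage) {
        Collection<AssertionInfo> infos = soapMessage.get(AssertionInfoMap.class).get(usernameToken.getName());
        if (infos == null) {
            return;
        }
        for (AssertionInfo info : infos) {
            if (info.getAssertion() == usernameToken) {
                info.setNotAsserted(reason);
            }
        }
    }
}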
