package com.mulesoft.modules.wss.internal.handler;

import com.mulesoft.modules.wss.api.constants.SamlConfirmationMethod;
import com.mulesoft.modules.wss.api.inbound.AuthenticateUserConfig;
import com.mulesoft.modules.wss.api.inbound.CredentialsConfig;
import com.mulesoft.modules.wss.api.inbound.DecryptionConfig;
import com.mulesoft.modules.wss.api.inbound.LDAPConfig;
import com.mulesoft.modules.wss.api.inbound.VerifySamlConfig;
import com.mulesoft.modules.wss.api.inbound.VerifySignatureConfig;
import com.mulesoft.modules.wss.api.inbound.VerifyTimestampConfig;
import com.mulesoft.modules.wss.api.inbound.VerifyUsernameTokenConfig;
import com.mulesoft.modules.wss.api.store.KeyStoreConfiguration;
import com.mulesoft.modules.wss.internal.error.MissingCertificateException;
import com.mulesoft.modules.wss.internal.error.WssException;
import com.mulesoft.modules.wss.internal.inbound.LDAPValidator;
import com.mulesoft.modules.wss.internal.inbound.SamlValidator;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.security.auth.callback.CallbackHandler;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.processor.EncryptedKeyProcessor;
import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
import org.apache.wss4j.dom.processor.SignatureProcessor;
import org.apache.wss4j.dom.processor.TimestampProcessor;
import org.apache.wss4j.dom.processor.UsernameTokenProcessor;
import org.apache.wss4j.dom.validate.UsernameTokenValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

/* loaded from: input_file:com/mulesoft/modules/wss/internal/handler/InboundConfigHandler.class */
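public class InboundConfigHandler {
    private final WSSConfig wssConfig;
    private final RequestData requestData;

    /**
     * Creates a handler that applies the module's inbound (verification / decryption) settings
     * to the WSS4J objects that process an incoming message.
     *
     * @param wSSConfig   WSS4J configuration that receives the processor and validator registrations
     * @param requestData per-request data that receives crypto instances, TTLs and DN constraints;
     *                    its callback handler must be a {@link CredentialsCallbackHandler} for the
     *                    decryption and username-token settings to be applied
     * @throws NullPointerException if either argument is {@code null}
     */
    public InboundConfigHandler(WSSConfig wSSConfig, RequestData requestData) {
        this.wssConfig = Objects.requireNonNull(wSSConfig, "wSSConfig");
        this.requestData = Objects.requireNonNull(requestData, "requestData");
    }

    /**
     * Registers signature verification against the configured trust store.
     *
     * @param verifySignatureConfig trust store plus optional Subject / Issuer DN regexes
     * @throws WssException                if WSS4J rejects the trust store configuration
     * @throws MissingCertificateException if the trust store cannot be read
     */
    public void handle(VerifySignatureConfig verifySignatureConfig) {
        try {
            // The class loader is handed to Merlin so it can locate the store; no password
            // encryptor is used, so store passwords are taken as given.
            this.requestData.setSigVerCrypto(new Merlin(
                    StoreConfigHandler.getWssProperties(verifySignatureConfig.getTrustStoreConfig()),
                    getClass().getClassLoader(), (PasswordEncryptor) null));
            this.wssConfig.setProcessor(WSConstants.SIGNATURE, SignatureProcessor.class);
            // Optional constraints on the signing certificate's Subject and Issuer DN. Both
            // regexes come from the module configuration, not from the inbound message. When a
            // pattern is absent no DN constraint of that kind is applied.
            String subjectPattern = verifySignatureConfig.getSubjectPattern();
            if (subjectPattern != null) {
                this.requestData.setSubjectCertConstraints(
                        Collections.singletonList(Pattern.compile(subjectPattern)));
            }
            String issuerPattern = verifySignatureConfig.getIssuerPattern();
            if (issuerPattern != null) {
                this.requestData.setIssuerDNPatterns(
                        Collections.singletonList(Pattern.compile(issuerPattern)));
            }
        } catch (WSSecurityException e) {
            throw new WssException("Error setting signature validation configuration: " + e.getMessage(), e);
        } catch (IOException e) {
            throw new MissingCertificateException("Unable to get certificate from TrustStore.", e);
        }
    }

    /**
     * Registers decryption with the configured key store and hands the private-key alias and
     * password to the request's callback handler.
     *
     * @param decryptionConfig key store holding the decryption key
     * @throws WssException                if WSS4J rejects the key store configuration
     * @throws MissingCertificateException if the key store cannot be read
     * @throws IllegalStateException       if the request's callback handler is not a
     *                                     {@link CredentialsCallbackHandler}
     */
    public void handle(DecryptionConfig decryptionConfig) {
        try {
            KeyStoreConfiguration keyStoreConfig = decryptionConfig.getKeyStoreConfig();
            // WSS4J asks the callback handler for the key password at decryption time.
            credentialsHandler().setDecryptionConfigCredentials(
                    new CredentialsConfig(keyStoreConfig.getAlias(), keyStoreConfig.getKeyPassword()));
            this.requestData.setDecCrypto(new Merlin(
                    StoreConfigHandler.getWssProperties(keyStoreConfig),
                    getClass().getClassLoader(), (PasswordEncryptor) null));
            this.wssConfig.setProcessor(WSConstants.ENCRYPTED_KEY, EncryptedKeyProcessor.class);
        } catch (WSSecurityException e) {
            throw new WssException("Error setting decrypt configuration: " + e.getMessage(), e);
        } catch (IOException e) {
            throw new MissingCertificateException("Unable to get certificate from Key Store.", e);
        }
    }

    /**
     * Registers Timestamp verification: how old a {@code Created} may be, how far in the future
     * it may lie (clock skew), whether {@code Expires} is mandatory and the time precision.
     *
     * @param verifyTimestampConfig timestamp tolerances and flags
     */
    public void handle(VerifyTimestampConfig verifyTimestampConfig) {
        TimeUnit timeUnit = verifyTimestampConfig.getTimeUnit();
        this.requestData.setTimeStampTTL(toWss4jSeconds(timeUnit, verifyTimestampConfig.getTimeToLive()));
        this.requestData.setTimeStampStrict(verifyTimestampConfig.isStrict());
        this.requestData.setTimeStampFutureTTL(toWss4jSeconds(timeUnit, verifyTimestampConfig.getSkewTime()));
        this.requestData.setRequireTimestampExpires(verifyTimestampConfig.isRequireExpiresHeader());
        this.requestData.setPrecisionInMilliSeconds(verifyTimestampConfig.isPrecisionInMilliseconds());
        this.wssConfig.setProcessor(WSConstants.TIMESTAMP, TimestampProcessor.class);
    }

    /**
     * Registers SAML 1.1 and SAML 2.0 token processing with a single {@link SamlValidator}
     * configured from the given settings.
     *
     * @param verifySamlConfig assertion tolerances, signature rules and the required subject
     *                         confirmation method (optional)
     */
    public void handle(VerifySamlConfig verifySamlConfig) {
        TimeUnit timeUnit = verifySamlConfig.getTimeUnit();
        SamlValidator samlValidator = new SamlValidator(this.requestData);
        samlValidator.setTtl(toWss4jSeconds(timeUnit, verifySamlConfig.getTimeToLive()));
        samlValidator.setFutureTTL(toWss4jSeconds(timeUnit, verifySamlConfig.getSkewTime()));
        samlValidator.setValidateSignatureAgainstProfile(verifySamlConfig.isValidateSignatureAgainstProfile());
        samlValidator.setRequireStandardSubjectConfirmationMethod(
                verifySamlConfig.isRequireStandardSubjectConfirmationMethod());
        samlValidator.setRequireBearerSignature(verifySamlConfig.isRequireBearerSignature());
        SamlConfirmationMethod requiredMethod = verifySamlConfig.getRequiredSubjectConfirmationMethod();
        if (requiredMethod != null) {
            // The confirmation-method URI differs between SAML versions; resolve it for the
            // configured one.
            samlValidator.setRequiredSubjectConfirmationMethod(
                    requiredMethod.getMethodStringForSAML(verifySamlConfig.getSamlVersion()));
        }
        // The same validator instance serves both SAML 1.1 and SAML 2.0 tokens.
        this.wssConfig.setProcessor(WSConstants.SAML_TOKEN, SAMLTokenProcessor.class);
        this.wssConfig.setValidator(WSConstants.SAML_TOKEN, samlValidator);
        this.wssConfig.setProcessor(WSConstants.SAML2_TOKEN, SAMLTokenProcessor.class);
        this.wssConfig.setValidator(WSConstants.SAML2_TOKEN, samlValidator);
    }

    /**
     * Registers UsernameToken processing and the validator that authenticates the user, either
     * against LDAP or against the statically configured credentials.
     *
     * @param verifyUsernameTokenConfig nonce / TTL settings and the authentication source
     * @throws IllegalStateException if credentials-based authentication is configured but the
     *                               request's callback handler is not a
     *                               {@link CredentialsCallbackHandler}
     */
    public void handle(VerifyUsernameTokenConfig verifyUsernameTokenConfig) {
        this.requestData.setAddUsernameTokenNonce(verifyUsernameTokenConfig.isCheckNonce());
        // Created is always expected; only the nonce check is configurable.
        this.requestData.setAddUsernameTokenCreated(true);
        this.requestData.setUtTTL(verifyUsernameTokenConfig.getTimeToLive().intValue());
        this.wssConfig.setProcessor(WSConstants.USERNAME_TOKEN, UsernameTokenProcessor.class);
        AuthenticateUserConfig authenticateUserConfig = verifyUsernameTokenConfig.getAuthenticateUserConfig();
        if (authenticateUserConfig instanceof LDAPConfig) {
            this.wssConfig.setValidator(WSConstants.USERNAME_TOKEN,
                    createLDAPValidator((LDAPConfig) authenticateUserConfig));
        } else if (authenticateUserConfig instanceof CredentialsConfig) {
            credentialsHandler().setUsernameTokenCredentials((CredentialsConfig) authenticateUserConfig);
            this.wssConfig.setValidator(WSConstants.USERNAME_TOKEN, new UsernameTokenValidator());
        }
        // Any other (or null) authentication config registers no validator here.
    }

    /**
     * Returns the request's callback handler as a {@link CredentialsCallbackHandler}.
     *
     * @throws IllegalStateException if the handler is absent or of another type
     */
    private CredentialsCallbackHandler credentialsHandler() {
        CallbackHandler handler = this.requestData.getCallbackHandler();
        if (!(handler instanceof CredentialsCallbackHandler)) {
            throw new IllegalStateException("RequestData callback handler must be a CredentialsCallbackHandler but was "
                    + (handler == null ? "null" : handler.getClass().getName()));
        }
        return (CredentialsCallbackHandler) handler;
    }

    /**
     * Converts a configured duration to the {@code int} that WSS4J's TTL setters take.
     *
     * <p>NOTE(review): this preserves the original expression, {@code configUnit.convert(value,
     * SECONDS)}, which converts {@code value} <em>seconds</em> into {@code configUnit}. If
     * {@code value} is expressed in {@code configUnit} (as the getter names suggest) and WSS4J
     * expects seconds, the intended call would be {@code TimeUnit.SECONDS.convert(value,
     * configUnit)}; as written the result is only correct when the unit is SECONDS (e.g. MINUTES
     * yields 0, MILLISECONDS yields 1000x). Confirm the unit semantics of the config classes
     * before changing it.
     *
     * @param configUnit unit reported by the config
     * @param value      configured duration
     * @return the converted value, narrowed to {@code int}
     */
    private static int toWss4jSeconds(TimeUnit configUnit, Number value) {
        return (int) configUnit.convert(value.intValue(), TimeUnit.SECONDS);
    }

    /**
     * Builds a WSS4J validator that authenticates UsernameToken credentials by searching for the
     * user under the configured base and then binding as that user.
     *
     * @param lDAPConfig provider URL, bind credentials, search base / filter
     * @return a validator wrapping a Spring {@link LdapAuthenticationProvider}
     */
    private Validator createLDAPValidator(LDAPConfig lDAPConfig) {
        DefaultSpringSecurityContextSource contextSource =
                new DefaultSpringSecurityContextSource(lDAPConfig.getProviderUrl());
        // Service account used for the user search; the user's own password is only used for the bind.
        contextSource.setUserDn(lDAPConfig.getUserDn());
        contextSource.setPassword(lDAPConfig.getPassword());
        contextSource.setBaseEnvironmentProperties(ldapEnvironment());
        contextSource.afterPropertiesSet();
        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(
                lDAPConfig.getSearchBase(), lDAPConfig.getSearchFilter(), contextSource);
        userSearch.setSearchSubtree(lDAPConfig.isSearchInSubtree());
        BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
        bindAuthenticator.setUserSearch(userSearch);
        return new LDAPValidator(new LdapAuthenticationProvider(bindAuthenticator));
    }

    /**
     * JNDI environment for the LDAP context source: LDAPv3 with a small connection pool and a
     * 10 s connect timeout.
     *
     * <p>Pooling is enabled for the {@code plain} protocol only, so a TLS provider URL would not
     * use the pool. NOTE(review): no {@code com.sun.jndi.ldap.read.timeout} is set, so a search
     * or bind against an unresponsive server is bounded only by the server closing the socket.
     *
     * @return a fresh, mutable environment map
     */
    private static Map<String, Object> ldapEnvironment() {
        Map<String, Object> env = new HashMap<>();
        env.put("java.naming.ldap.version", "3");
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        env.put("com.sun.jndi.ldap.connect.pool.maxsize", "10");
        env.put("com.sun.jndi.ldap.connect.pool.prefsize", "5");
        env.put("com.sun.jndi.ldap.connect.pool.initsize", "3");
        env.put("com.sun.jndi.ldap.connect.timeout", "10000");
        env.put("com.sun.jndi.ldap.connect.pool.timeout", "60000");
        env.put("com.sun.jndi.ldap.connect.pool.protocol", "plain");
        return env;
    }
}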
