package org.apache.cxf.ws.security.trust;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.message.Message;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreException;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/cxf-rt-ws-security-3.4.1.jar:org/apache/cxf/ws/security/trust/STSTokenValidator.class */
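/**
 * WSS4J {@link Validator} that validates an incoming security token (SAML assertion,
 * UsernameToken, BinarySecurityToken or SecurityContextToken) against a Security Token
 * Service (STS).
 *
 * <p>A SAML assertion is first checked locally through {@link STSSamlAssertionValidator};
 * the STS is only contacted when that check does not establish trust, or when
 * {@code alwaysValidateToSts} is set. The token the STS hands back is attached to the
 * {@link Credential} as its transformed token and principal. Unless caching is disabled,
 * the result is also cached in a {@link TokenStore} under a hash of the incoming token so
 * that a repeated presentation of the same token does not round-trip to the STS again.
 */
public class STSTokenValidator implements Validator {
    // Skip the local SAML signature/trust check and always ask the STS.
    private boolean alwaysValidateToSts;
    // Use the STS Issue binding instead of the Validate binding.
    private boolean useIssueBinding;
    // Client used to talk to the STS; resolved from the message via STSUtils when null.
    private STSClient stsClient;
    // Fallback cache used when no TokenStore can be obtained from the message.
    private TokenStore tokenStore;
    // When true, transformed tokens are neither looked up in nor written to a TokenStore.
    private boolean disableCaching;
    // Shared across calls; see isValidatedLocally() for the implication.
    private final STSSamlAssertionValidator samlValidator = new STSSamlAssertionValidator();
    // With the Issue binding: send the incoming token as OnBehalfOf (true), or - for a
    // UsernameToken only - authenticate to the STS with its username/password (false).
    private boolean useOnBehalfOf = true;

    /**
     * {@link CallbackHandler} that hands one fixed token {@link Element} to every
     * {@link DelegationCallback} it is given. It is installed as the OnBehalfOf handler of
     * the {@link STSClient} while an Issue request is in flight.
     */
    public static class ElementCallbackHandler implements CallbackHandler {
        private final Element tokenElement;

        ElementCallbackHandler(Element element) {
            this.tokenElement = element;
        }

        /**
         * Sets the token element on each {@link DelegationCallback}.
         *
         * @param callbacks callbacks to populate
         * @throws UnsupportedCallbackException at the first callback that is not a
         *         {@link DelegationCallback}; earlier callbacks have already been populated
         */
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (!(callback instanceof DelegationCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
                }
                ((DelegationCallback) callback).setToken(tokenElement);
            }
        }
    }

    public STSTokenValidator() {
    }

    /**
     * @param alwaysValidateToSts when true, every token is sent to the STS even if it
     *        could be validated locally
     */
    public STSTokenValidator(boolean alwaysValidateToSts) {
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    /**
     * Validates the credential locally when possible, otherwise against the STS.
     *
     * @return the same {@code credential}, possibly with a transformed token and principal set
     * @throws WSSecurityException if either validation path fails
     */
    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (isValidatedLocally(credential, data)) {
            return credential;
        }
        return validateWithSTS(credential, (Message) data.getMsgContext());
    }

    /**
     * Validates the credential's token with the STS, using a cached transformed token when
     * one is available and not expired.
     *
     * <p>The incoming token is identified in the cache by an {@code int} hash: the hash of a
     * SAML assertion's signature value, or {@code hashCode()} of the other token types. A hash
     * of {@code 0} (e.g. an unsigned assertion) disables caching for that token.
     *
     * @param credential credential carrying exactly one of the supported token types
     * @param message    current message, used to locate the TokenStore and the STS client
     * @return the same {@code credential}, with the STS-issued token set as transformed token
     *         and principal when the STS returned a new token
     * @throws WSSecurityException if the STS exchange fails, returns no token, or the returned
     *         token cannot be parsed as a SAML assertion
     */
    public Credential validateWithSTS(Credential credential, Message message) throws WSSecurityException {
        try {
            SecurityToken token = new SecurityToken();
            Element tokenElement = null;
            int hash = 0;
            if (credential.getSamlAssertion() != null) {
                byte[] signatureValue = credential.getSamlAssertion().getSignatureValue();
                if (signatureValue != null && signatureValue.length > 0) {
                    hash = Arrays.hashCode(signatureValue);
                }
                tokenElement = credential.getSamlAssertion().getElement();
            } else if (credential.getUsernametoken() != null) {
                tokenElement = credential.getUsernametoken().getElement();
                hash = credential.getUsernametoken().hashCode();
            } else if (credential.getBinarySecurityToken() != null) {
                tokenElement = credential.getBinarySecurityToken().getElement();
                hash = credential.getBinarySecurityToken().hashCode();
            } else if (credential.getSecurityContextToken() != null) {
                tokenElement = credential.getSecurityContextToken().getElement();
                hash = credential.getSecurityContextToken().hashCode();
            }
            token.setToken(tokenElement);

            TokenStore store = null;
            if (!disableCaching) {
                store = getTokenStore(message);
                if (store == null) {
                    store = tokenStore;
                }
                if (store != null && hash != 0) {
                    SecurityToken cached = getTransformedToken(store, hash);
                    if (cached != null && !cached.isExpired()) {
                        applyTransformedToken(credential, cached);
                        return credential;
                    }
                }
            }
            token.setTokenHash(hash);

            STSClient client = stsClient;
            if (client == null) {
                client = STSUtils.getClient(message, "sts");
            }

            // The client may be shared by every validation on this endpoint; its OnBehalfOf
            // handler and username/password properties are mutated per call, so the whole
            // exchange is serialised on it.
            synchronized (client) {
                // Process-wide property kept from the original implementation; its consumer is
                // not visible from this class.
                System.setProperty("noprint", "true");

                SecurityToken returned = exchangeWithSTS(client, credential, token, tokenElement);
                // The Validate binding may hand back the very token it was given, meaning
                // "valid, nothing transformed" - only a new token is attached and cached.
                if (returned != token) {
                    applyTransformedToken(credential, returned);
                    if (!disableCaching && hash != 0 && store != null) {
                        store.add(returned);
                        token.setTransformedTokenIdentifier(returned.getId());
                        store.add(Integer.toString(hash), token);
                    }
                }
            }
            return credential;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity");
        }
    }

    /**
     * Performs the STS round trip according to the configured binding.
     *
     * <p>Any per-call state placed on the shared client (OnBehalfOf handler, USERNAME and
     * PASSWORD properties) is removed in a {@code finally} block, so a failed request cannot
     * leave the caller's token or password behind for the next user of the client.
     *
     * @return the token returned by the STS; for the Validate binding this may be
     *         {@code token} itself
     * @throws Exception whatever the STS client throws, or a {@link WSSecurityException} when
     *         the Validate binding returns no token at all
     */
    private SecurityToken exchangeWithSTS(STSClient client, Credential credential,
                                          SecurityToken token, Element tokenElement) throws Exception {
        if (useIssueBinding && useOnBehalfOf) {
            client.setOnBehalfOf(new ElementCallbackHandler(tokenElement));
            try {
                return client.requestSecurityToken();
            } finally {
                client.setOnBehalfOf(null);
            }
        }
        if (useIssueBinding && !useOnBehalfOf && credential.getUsernametoken() != null) {
            client.getProperties().put(SecurityConstants.USERNAME, credential.getUsernametoken().getName());
            client.getProperties().put(SecurityConstants.PASSWORD, credential.getUsernametoken().getPassword());
            try {
                return client.requestSecurityToken();
            } finally {
                client.getProperties().remove(SecurityConstants.USERNAME);
                client.getProperties().remove(SecurityConstants.PASSWORD);
            }
        }
        List<SecurityToken> tokens = client.validateSecurityToken(token);
        if (tokens == null || tokens.isEmpty()) {
            // Previously an IndexOutOfBoundsException; an empty Validate response is a failure.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        return tokens.get(0);
    }

    /**
     * Attaches an STS-issued token to the credential as both transformed token and principal.
     *
     * @throws WSSecurityException if the token element is not a parseable SAML assertion
     */
    private static void applyTransformedToken(Credential credential, SecurityToken transformed)
        throws WSSecurityException {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformed.getToken());
        credential.setTransformedToken(assertion);
        credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
    }

    /**
     * Looks up the TokenStore associated with the message.
     *
     * @return the store, or {@code null} when {@code message} is {@code null}
     * @throws TokenStoreException propagated from {@link TokenStoreUtils#getTokenStore(Message)}
     */
    static final TokenStore getTokenStore(Message message) throws TokenStoreException {
        if (message == null) {
            return null;
        }
        return TokenStoreUtils.getTokenStore(message);
    }

    /**
     * Tries to validate a SAML assertion without contacting the STS.
     *
     * @return {@code true} only if the credential holds a SAML assertion, local validation is
     *         allowed, and the local validator established trust in it
     * @throws WSSecurityException if local validation fails
     */
    protected boolean isValidatedLocally(Credential credential, RequestData data) throws WSSecurityException {
        if (alwaysValidateToSts || credential.getSamlAssertion() == null) {
            return false;
        }
        try {
            // NOTE(review): samlValidator is shared and isTrustVerificationSucceeded() reports
            // the outcome of the preceding validate(); if that outcome is kept as instance
            // state, concurrent validations could observe each other's result - confirm.
            samlValidator.validate(credential, data);
            return samlValidator.isTrustVerificationSucceeded();
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity");
        }
    }

    /**
     * Resolves the cached transformed token for an incoming token hash.
     *
     * <p>NOTE(review): the cache is keyed only by this 32-bit hash; the stored entry's hash is
     * compared, but the token element itself is not, so two distinct tokens that hash alike
     * would share one cache entry.
     *
     * @return the transformed token, or {@code null} if there is no usable cache entry
     */
    private SecurityToken getTransformedToken(TokenStore store, int hash) {
        SecurityToken cached = store.getToken(Integer.toString(hash));
        if (cached == null || cached.getTokenHash() != hash) {
            return null;
        }
        String transformedId = cached.getTransformedTokenIdentifier();
        if (transformedId == null) {
            return null;
        }
        return store.getToken(transformedId);
    }

    public boolean isUseIssueBinding() {
        return useIssueBinding;
    }

    public void setUseIssueBinding(boolean useIssueBinding) {
        this.useIssueBinding = useIssueBinding;
    }

    public boolean isUseOnBehalfOf() {
        return useOnBehalfOf;
    }

    public void setUseOnBehalfOf(boolean useOnBehalfOf) {
        this.useOnBehalfOf = useOnBehalfOf;
    }

    public STSClient getStsClient() {
        return stsClient;
    }

    public void setStsClient(STSClient stsClient) {
        this.stsClient = stsClient;
    }

    public TokenStore getTokenStore() {
        return tokenStore;
    }

    public void setTokenStore(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    public boolean isDisableCaching() {
        return disableCaching;
    }

    public void setDisableCaching(boolean disableCaching) {
        this.disableCaching = disableCaching;
    }
}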
