package com.mulesoft.modules.wss.internal.inbound;

import com.mulesoft.modules.wss.api.inbound.DecryptionConfig;
import com.mulesoft.modules.wss.api.inbound.VerifySamlConfig;
import com.mulesoft.modules.wss.api.inbound.VerifySignatureConfig;
import com.mulesoft.modules.wss.api.inbound.VerifyTimestampConfig;
import com.mulesoft.modules.wss.api.inbound.VerifyUsernameTokenConfig;
import com.mulesoft.modules.wss.internal.error.WssException;
import com.mulesoft.modules.wss.internal.error.WssSecurityException;
import com.mulesoft.modules.wss.internal.handler.CredentialsCallbackHandler;
import com.mulesoft.modules.wss.internal.handler.InboundConfigHandler;
import com.mulesoft.modules.wss.internal.security.SoapWssSecurityProvider;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.mule.runtime.api.i18n.I18nMessageFactory;
import org.mule.runtime.api.lifecycle.Disposable;
import org.mule.runtime.api.lifecycle.Initialisable;
import org.mule.runtime.api.lifecycle.InitialisationException;
import org.mule.runtime.api.meta.ExpressionSupport;
import org.mule.runtime.core.api.security.SecurityManager;
import org.mule.runtime.extension.api.annotation.Configuration;
import org.mule.runtime.extension.api.annotation.Expression;
import org.mule.runtime.extension.api.annotation.Operations;
import org.mule.runtime.extension.api.annotation.dsl.xml.ParameterDsl;
import org.mule.runtime.extension.api.annotation.param.Optional;
import org.mule.runtime.extension.api.annotation.param.Parameter;
import org.mule.runtime.extension.api.annotation.param.display.DisplayName;
import org.mule.runtime.extension.api.annotation.param.display.Placement;
import org.w3c.dom.Document;

@Configuration(name = "inbound")
@Operations({WssInboundOperations.class})
/* loaded from: input_file:com/mulesoft/modules/wss/internal/inbound/WssInboundConfig.class */
public class WssInboundConfig implements Initialisable, Disposable {

    @Inject
    @Named("_muleSecurityManager")
    private SecurityManager securityManager;

    @Optional
    @Parameter
    private String actor;

    @Optional
    @Parameter
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private boolean extractSecurityHeader;

    @Optional
    @ParameterDsl(allowReferences = false)
    @Parameter
    @Placement(tab = "Validation")
    @DisplayName("Validate Username Token")
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private VerifyUsernameTokenConfig usernameConfig;

    @Optional
    @ParameterDsl(allowReferences = false)
    @Parameter
    @Placement(tab = "Validation")
    @DisplayName("Validate Signature")
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private VerifySignatureConfig verifySignatureConfig;

    @Optional
    @ParameterDsl(allowReferences = false)
    @Parameter
    @Placement(tab = "Decryption")
    @DisplayName("Decrypt Message")
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private DecryptionConfig decryptionConfig;

    @Optional
    @ParameterDsl(allowReferences = false)
    @Parameter
    @Placement(tab = "Validation")
    @DisplayName("Validate Timestamp")
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private VerifyTimestampConfig timestampConfig;

    @Optional
    @ParameterDsl(allowReferences = false)
    @Parameter
    @Placement(tab = "SAML")
    @DisplayName("Validate SAML Assertion")
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private VerifySamlConfig verifySamlConfig;
    private WSSecurityEngine engine;
    private RequestData requestData;
    private ArrayList<Integer> requiredValidations;

    public void initialise() throws InitialisationException {
        validateConfig();
        doSetUpSecurityProvider();
        doSetUpEngine();
    }

    private void doSetUpSecurityProvider() throws InitialisationException {
        if (this.securityManager.getProvider(SoapWssSecurityProvider.ID) == null) {
            SoapWssSecurityProvider soapWssSecurityProvider = new SoapWssSecurityProvider();
            soapWssSecurityProvider.initialise();
            this.securityManager.addProvider(soapWssSecurityProvider);
        }
    }

    private void validateConfig() throws InitialisationException {
        if (this.verifySignatureConfig == null && this.decryptionConfig == null && this.timestampConfig == null && this.usernameConfig == null && this.verifySamlConfig == null) {
            throw new InitialisationException(I18nMessageFactory.createStaticMessage("No WSS config was found in config, at least one is required"), this);
        }
    }

    private void doSetUpEngine() throws InitialisationException {
        WSSecurityEngine wSSecurityEngine = new WSSecurityEngine();
        WSSConfig wssConfig = wSSecurityEngine.getWssConfig();
        initConfig(wssConfig);
        RequestData requestData = new RequestData();
        requestData.setCallbackHandler(new CredentialsCallbackHandler());
        try {
            handleInboundConfig(wssConfig, requestData);
            requestData.setAllowRSA15KeyTransportAlgorithm(true);
            requestData.setActor(this.actor);
            requestData.setWssConfig(wssConfig);
            this.requestData = requestData;
            this.engine = wSSecurityEngine;
        } catch (WssException e) {
            throw new InitialisationException(e, this);
        }
    }

    private void handleInboundConfig(WSSConfig wSSConfig, RequestData requestData) {
        InboundConfigHandler inboundConfigHandler = new InboundConfigHandler(wSSConfig, requestData);
        this.requiredValidations = new ArrayList<>();
        if (this.verifySignatureConfig != null) {
            inboundConfigHandler.handle(this.verifySignatureConfig);
            this.requiredValidations.add(2);
        }
        if (this.decryptionConfig != null) {
            inboundConfigHandler.handle(this.decryptionConfig);
            this.requiredValidations.add(4);
        }
        if (this.timestampConfig != null) {
            inboundConfigHandler.handle(this.timestampConfig);
            this.requiredValidations.add(32);
        }
        if (this.usernameConfig != null) {
            inboundConfigHandler.handle(this.usernameConfig);
            this.requiredValidations.add(1);
        }
        if (this.verifySamlConfig != null) {
            inboundConfigHandler.handle(this.verifySamlConfig);
            this.requiredValidations.add(16);
        }
    }

    private void validateResult(WSHandlerResult wSHandlerResult) throws WSSecurityException {
        Iterator<Integer> it = this.requiredValidations.iterator();
        while (it.hasNext()) {
            Integer next = it.next();
            if (!wSHandlerResult.getActionResults().containsKey(next) && (next.intValue() != 16 || !wSHandlerResult.getActionResults().containsKey(8))) {
                if (next.intValue() != 2 || !wSHandlerResult.getActionResults().containsKey(16)) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR);
                }
            }
        }
    }

    private void initConfig(WSSConfig wSSConfig) {
        wSSConfig.setProcessor(WSConstants.SAML_TOKEN, NullProcessor.class);
        wSSConfig.setProcessor(WSConstants.SAML2_TOKEN, NullProcessor.class);
        wSSConfig.setProcessor(WSConstants.SIGNATURE, NullProcessor.class);
        wSSConfig.setProcessor(WSConstants.TIMESTAMP, NullProcessor.class);
        wSSConfig.setProcessor(WSConstants.USERNAME_TOKEN, NullProcessor.class);
        wSSConfig.setProcessor(WSConstants.ENCRYPTED_KEY, NullProcessor.class);
    }

    public String getActor() {
        return this.actor;
    }

    public boolean extractSecurityHeader() {
        return this.extractSecurityHeader;
    }

    public void dispose() {
        this.engine = null;
    }

    public synchronized WSHandlerResult processSecurity(Document document) {
        try {
            WSHandlerResult processSecurityHeader = this.engine.processSecurityHeader(document, this.requestData);
            validateResult(processSecurityHeader);
            return processSecurityHeader;
        } catch (WSSecurityException e) {
            throw new WssSecurityException("Error processing security: " + e.getMessage(), e);
        }
    }
}
