package org.apache.cxf.ws.security.policy.interceptors;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.URLConnectionInfo;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.HttpsToken;
import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.3.10.jar:org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.class */
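/**
 * Policy interceptor provider for the WS-SecurityPolicy {@code HttpsToken} assertion
 * (registered as well for the transport/issued token assertions listed in the constructor).
 * <p>
 * Two interceptors are installed, and each enforces the assertion only on the side that can
 * actually observe the transport facts of the message it handles:
 * <ul>
 *   <li>{@link HttpsTokenOutInterceptor} checks an outgoing <em>client</em> request (URL scheme,
 *       client certificate, Basic/Digest {@code Authorization} header) and throws a
 *       {@link PolicyException} when the assertion is not met;</li>
 *   <li>{@link HttpsTokenInInterceptor} checks an incoming <em>service</em> request against the
 *       {@link TLSSessionInfo} and the {@code Authorization} header, records a
 *       {@link HttpsTokenSecurityEvent} for the StAX security layer and, if nothing upstream
 *       established a principal, derives one from the TLS client certificate.</li>
 * </ul>
 * In the opposite direction (client receiving a response, service sending one) the assertions
 * are marked as asserted without any check, because the connection was already verified by the
 * other interceptor.
 * <p>
 * No certificate validation is performed here: whether a peer certificate can be trusted is
 * entirely the TLS layer's job; this class only reads what that layer negotiated.
 */
public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
    private static final Logger LOG = LogUtils.getL7dLogger(HttpsTokenInterceptorProvider.class);
    private static final long serialVersionUID = -13951002554477036L;

    /** HTTP header carrying client credentials. */
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Exchange key under which the inbound side collects security events for the StAX layer. */
    private static final String SECURITY_EVENT_LIST_KEY = SecurityEvent.class.getName() + ".out";

    /**
     * Inbound interceptor. On the service side it enforces {@code HttpsToken}; on the client side
     * it only marks the assertions as asserted (the request was already checked when it was sent).
     */
    static class HttpsTokenInInterceptor extends AbstractPhaseInterceptor<Message> {
        HttpsTokenInInterceptor() {
            super(Phase.PRE_STREAM);
            // The HttpsTokenSecurityEvent produced here must already be on the exchange when the
            // StAX WSS4J interceptor runs, so this interceptor is pinned before it.
            addBefore(WSS4JStaxInInterceptor.class.getName());
        }

        /**
         * Evaluates every {@code HttpsToken} assertion in the message's {@link AssertionInfoMap}.
         * Does nothing when the message carries no policy.
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> httpsTokens =
                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
            boolean requestor = isRequestor(message);

            if (httpsTokens.isEmpty()) {
                if (!requestor) {
                    // No HttpsToken in the policy, but still record what TLS negotiated so the
                    // security layer can evaluate other transport-level assertions against it.
                    try {
                        assertNonHttpsTransportToken(message);
                    } catch (XMLSecurityException e) {
                        LOG.fine(e.getMessage());
                    }
                }
                return;
            }

            if (requestor) {
                // Client receiving a response: the outbound interceptor already enforced the
                // token on the request, so everything is asserted unconditionally here.
                for (AssertionInfo ai : httpsTokens) {
                    ai.setAsserted(true);
                }
                PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
                PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
                PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
                return;
            }

            try {
                assertHttps(aim, httpsTokens, message);
            } catch (XMLSecurityException e) {
                // Assertions not reached before the failure stay unasserted, so policy
                // verification still rejects the message; only the diagnostic is lost at FINE.
                LOG.fine(e.getMessage());
            }

            // Service side: if no principal has been established yet, use the subject of the
            // TLS client certificate. This code does not validate the certificate itself; the
            // identity is only as trustworthy as the TLS layer's client-auth configuration.
            SecurityContext sc = message.get(SecurityContext.class);
            if (sc == null || sc.getUserPrincipal() == null) {
                X509Certificate clientCert = firstX509PeerCertificate(message.get(TLSSessionInfo.class));
                if (clientCert != null) {
                    message.put(SecurityContext.class,
                                createSecurityContext(clientCert.getSubjectX500Principal()));
                }
            }
        }

        /**
         * Checks each {@code HttpsToken} assertion against the TLS session and the
         * {@code Authorization} header, marks it asserted or not, and for every satisfied
         * assertion appends a {@link HttpsTokenSecurityEvent} to the exchange's event list.
         *
         * @throws XMLSecurityException if building the security token fails
         */
        private void assertHttps(AssertionInfoMap aim, Collection<AssertionInfo> httpsTokens,
                                 Message message) throws XMLSecurityException {
            List<SecurityEvent> events = getSecurityEventList(message);
            AuthorizationPolicy authPolicy = message.get(AuthorizationPolicy.class);
            Map<String, List<String>> headers = getProtocolHeaders(message);
            TLSSessionInfo tls = message.get(TLSSessionInfo.class);

            for (AssertionInfo ai : httpsTokens) {
                HttpsToken token = (HttpsToken) ai.getAssertion();
                HttpsToken.AuthenticationType authType = token.getAuthenticationType();
                HttpsTokenSecurityEvent event = new HttpsTokenSecurityEvent();
                boolean asserted = true;

                if (authType == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
                    // Fail closed (unasserted) when the header is absent or not Basic, and also
                    // when the transport did not turn it into an AuthorizationPolicy: the
                    // original code dereferenced the policy unconditionally and would NPE on a
                    // header that starts with "Basic" but could not be parsed.
                    if (!hasAuthorizationScheme(headers, "Basic") || authPolicy == null) {
                        asserted = false;
                    } else {
                        event.setAuthenticationType(
                            HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
                        event.setSecurityToken(usernameToken(true, authPolicy.getUserName()));
                        PolicyUtils.assertPolicy(aim, nested(token, SPConstants.HTTP_BASIC_AUTHENTICATION));
                    }
                } else if (authType == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
                    if (!hasAuthorizationScheme(headers, "Digest") || authPolicy == null) {
                        asserted = false;
                    } else {
                        event.setAuthenticationType(
                            HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication);
                        event.setSecurityToken(usernameToken(false, authPolicy.getUserName()));
                        PolicyUtils.assertPolicy(aim, nested(token, SPConstants.HTTP_DIGEST_AUTHENTICATION));
                    }
                }

                if (tls == null) {
                    // An HttpsToken can never be satisfied on a plain-HTTP connection.
                    asserted = false;
                } else {
                    if (authType == HttpsToken.AuthenticationType.RequireClientCertificate) {
                        if (hasPeerCertificates(tls)) {
                            PolicyUtils.assertPolicy(aim, nested(token, SPConstants.REQUIRE_CLIENT_CERTIFICATE));
                        } else {
                            asserted = false;
                        }
                    }
                    applyTlsIdentity(event, tls);
                }

                ai.setAsserted(asserted);
                if (asserted) {
                    events.add(event);
                }
            }
        }

        /**
         * Records the TLS identity of the peer as a security event even though the policy has
         * no {@code HttpsToken}. Nothing is recorded on a non-TLS connection.
         *
         * @throws XMLSecurityException if building the security token fails
         */
        private void assertNonHttpsTransportToken(Message message) throws XMLSecurityException {
            TLSSessionInfo tls = message.get(TLSSessionInfo.class);
            if (tls == null) {
                return;
            }
            HttpsTokenSecurityEvent event = new HttpsTokenSecurityEvent();
            applyTlsIdentity(event, tls);
            getSecurityEventList(message).add(event);
        }

        /** Returns the exchange's outbound security-event list, creating it on first use. */
        private List<SecurityEvent> getSecurityEventList(Message message) {
            List<SecurityEvent> events = CastUtils.cast(
                (List<?>) message.getExchange().get(SECURITY_EVENT_LIST_KEY));
            if (events == null) {
                events = new ArrayList<>();
                message.getExchange().put(SECURITY_EVENT_LIST_KEY, events);
            }
            return events;
        }

        /**
         * Wraps a principal in a minimal {@link SecurityContext}. No role mapping is available
         * from a bare certificate subject, so {@link SecurityContext#isUserInRole} is always false.
         */
        private SecurityContext createSecurityContext(final Principal principal) {
            return new SecurityContext() {
                @Override
                public Principal getUserPrincipal() {
                    return principal;
                }

                @Override
                public boolean isUserInRole(String role) {
                    return false;
                }
            };
        }
    }

    /**
     * Outbound interceptor. On the client side it enforces {@code HttpsToken} on the request
     * being sent; on the service side it only marks the assertions as asserted.
     */
    static class HttpsTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
        HttpsTokenOutInterceptor() {
            super(Phase.PRE_STREAM);
        }

        /** Evaluates every {@code HttpsToken} assertion; does nothing without a policy. */
        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> httpsTokens =
                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
            if (httpsTokens.isEmpty()) {
                return;
            }
            if (isRequestor(message)) {
                assertHttps(aim, httpsTokens, message);
            } else {
                // Service sending a response: the inbound interceptor already checked the
                // request on this same connection.
                for (AssertionInfo ai : httpsTokens) {
                    ai.setAsserted(true);
                }
            }
        }

        /**
         * Client-side enforcement: the request must go over {@code https}, and the assertion's
         * authentication type must be backed by a client certificate check or by a matching
         * {@code Authorization} header.
         *
         * @throws PolicyException for the first assertion that is not satisfied
         */
        private void assertHttps(AssertionInfoMap aim, Collection<AssertionInfo> httpsTokens,
                                 Message message) {
            String scheme = (String) message.get("http.scheme");
            Map<String, List<String>> headers = getProtocolHeaders(message);

            for (AssertionInfo ai : httpsTokens) {
                HttpsToken token = (HttpsToken) ai.getAssertion();
                ai.setAsserted(true);

                if (!"https".equals(scheme)) {
                    ai.setNotAsserted("Not an HTTPs connection");
                } else {
                    HttpsToken.AuthenticationType authType = token.getAuthenticationType();
                    if (authType == HttpsToken.AuthenticationType.RequireClientCertificate) {
                        // NOTE: when DISABLE_REQ_CLIENT_CERT_CHECK is set, the nested
                        // RequireClientCertificate assertion is still marked asserted below
                        // even though no check is installed; that flag weakens enforcement.
                        if (!MessageUtils.getContextualBoolean(
                                message, SecurityConstants.DISABLE_REQ_CLIENT_CERT_CHECK, false)) {
                            installClientCertificateCheck(message);
                        }
                        PolicyUtils.assertPolicy(aim, nested(token, SPConstants.REQUIRE_CLIENT_CERTIFICATE));
                    } else if (authType == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
                        if (hasAuthorizationScheme(headers, "Basic")) {
                            PolicyUtils.assertPolicy(aim, nested(token, SPConstants.HTTP_BASIC_AUTHENTICATION));
                        } else {
                            ai.setNotAsserted("HttpBasicAuthentication is set, but not being used");
                        }
                    } else if (authType == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
                        if (hasAuthorizationScheme(headers, "Digest")) {
                            PolicyUtils.assertPolicy(aim, nested(token, SPConstants.HTTP_DIGEST_AUTHENTICATION));
                        } else {
                            ai.setNotAsserted("HttpDigestAuthentication is set, but not being used");
                        }
                    }
                }

                if (!ai.isAsserted()) {
                    throw new PolicyException(ai);
                }
            }
        }

        /**
         * Installs a {@link MessageTrustDecider} that refuses the connection unless a client
         * certificate was actually negotiated. Any decider already on the message is consulted
         * first so existing trust rules are kept, not replaced.
         */
        private static void installClientCertificateCheck(Message message) {
            final MessageTrustDecider previous = message.get(MessageTrustDecider.class);
            message.put(MessageTrustDecider.class, new MessageTrustDecider() {
                @Override
                public void establishTrust(String conduitName, URLConnectionInfo info, Message msg)
                    throws UntrustedURLConnectionIOException {
                    if (previous != null) {
                        previous.establishTrust(conduitName, info, msg);
                    }
                    // Refuse explicitly rather than fail with a ClassCastException if the
                    // connection turned out not to be HTTPS (e.g. after a redirect).
                    if (!(info instanceof HttpsURLConnectionInfo)) {
                        throw new UntrustedURLConnectionIOException(
                            "RequireClientCertificate is set, but the connection is not HTTPS");
                    }
                    HttpsURLConnectionInfo https = (HttpsURLConnectionInfo) info;
                    if (https.getLocalCertificates() == null || https.getLocalCertificates().length == 0) {
                        throw new UntrustedURLConnectionIOException(
                            "RequireClientCertificate is set, but no local certificates were negotiated.  "
                            + "Is the server set to ask for client authorization?");
                    }
                }
            });
        }
    }

    /** Registers both interceptors for normal and fault messages in each direction. */
    public HttpsTokenInterceptorProvider() {
        super(Arrays.asList(SP11Constants.TRANSPORT_TOKEN, SP12Constants.TRANSPORT_TOKEN,
                            SP11Constants.ISSUED_TOKEN, SP12Constants.ISSUED_TOKEN,
                            SP11Constants.HTTPS_TOKEN, SP12Constants.HTTPS_TOKEN));
        HttpsTokenOutInterceptor out = new HttpsTokenOutInterceptor();
        getOutInterceptors().add(out);
        getOutFaultInterceptors().add(out);
        HttpsTokenInInterceptor in = new HttpsTokenInInterceptor();
        getInInterceptors().add(in);
        getInFaultInterceptors().add(in);
    }

    /** Returns the message's protocol headers, or an empty map when none are set. */
    public static Map<String, List<String>> getProtocolHeaders(Message message) {
        Map<String, List<String>> headers = CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
        return headers == null ? Collections.emptyMap() : headers;
    }

    /**
     * True when the first {@code Authorization} value starts with {@code scheme}.
     * The prefix test is kept from the original code, so it also accepts e.g. "Basicx"; the
     * transport's own parsing of the header decides whether credentials are usable.
     * Assumes the protocol-headers map is case-insensitive as CXF's HTTP transport populates it.
     */
    private static boolean hasAuthorizationScheme(Map<String, List<String>> headers, String scheme) {
        List<String> values = headers.get(AUTHORIZATION_HEADER);
        return values != null && !values.isEmpty() && values.get(0).startsWith(scheme);
    }

    /** Nested-assertion QName in the same namespace as the enclosing {@code HttpsToken}. */
    private static QName nested(HttpsToken token, String localName) {
        return new QName(token.getName().getNamespaceURI(), localName);
    }

    /** True when the TLS layer presented at least one peer (client) certificate. */
    private static boolean hasPeerCertificates(TLSSessionInfo tls) {
        return tls != null && tls.getPeerCertificates() != null && tls.getPeerCertificates().length > 0;
    }

    /** First peer certificate as X.509, or null when there is none or it is not X.509. */
    private static X509Certificate firstX509PeerCertificate(TLSSessionInfo tls) {
        if (!hasPeerCertificates(tls)) {
            return null;
        }
        Object first = tls.getPeerCertificates()[0];
        return first instanceof X509Certificate ? (X509Certificate) first : null;
    }

    /**
     * Sets the event's authentication type from the TLS session: a client certificate takes
     * precedence over any HTTP credential already recorded; otherwise, if nothing was recorded,
     * the event is marked as unauthenticated.
     *
     * @throws XMLSecurityException if building the security token fails
     */
    private static void applyTlsIdentity(HttpsTokenSecurityEvent event, TLSSessionInfo tls)
        throws XMLSecurityException {
        if (hasPeerCertificates(tls)) {
            event.setAuthenticationType(
                HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication);
            // Cast kept from the original; JSSE peer certificates are X.509 in practice.
            event.setSecurityToken(withMainSignatureUsage(
                new HttpsSecurityTokenImpl((X509Certificate) tls.getPeerCertificates()[0])));
        } else if (event.getAuthenticationType() == null) {
            event.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpsNoAuthentication);
            event.setSecurityToken(withMainSignatureUsage(new HttpsSecurityTokenImpl()));
        }
    }

    /**
     * Token for an HTTP username credential; the flag is {@code true} for Basic and {@code false}
     * for Digest, as at the original call sites.
     *
     * @throws XMLSecurityException if the token usage cannot be applied
     */
    private static HttpsSecurityTokenImpl usernameToken(boolean basic, String username)
        throws XMLSecurityException {
        return withMainSignatureUsage(new HttpsSecurityTokenImpl(basic, username));
    }

    /** Marks the token as the one backing the main signature, as every token here is. */
    private static HttpsSecurityTokenImpl withMainSignatureUsage(HttpsSecurityTokenImpl token)
        throws XMLSecurityException {
        token.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        return token;
    }
}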
