package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.Collection;
import java.util.List;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.opensaml.common.SAMLVersion;
import org.opensaml.ws.wstrust.Claims;
import org.opensaml.ws.wstrust.KeyType;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.7.12.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.class */
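public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
    /** Signed-element results of the security header, forwarded to the holder-of-key check. */
    private final List<WSSecurityEngineResult> signedResults;
    /** Current message; consulted for the token-inclusion requirement and for TLS peer certificates. */
    private final Message message;
    /** Validates {@code Claims} elements whose Dialect attribute matches the validator's own dialect. */
    private final ClaimsPolicyValidator claimsValidator = new DefaultClaimsPolicyValidator();

    /**
     * Creates a validator for the IssuedToken policy assertions of one message.
     *
     * @param list    the signed results collected from the security header
     * @param message the message being validated
     */
    public IssuedTokenPolicyValidator(List<WSSecurityEngineResult> list, Message message) {
        this.signedResults = list;
        this.message = message;
    }

    /**
     * Validates the IssuedToken assertions against a received SAML assertion.
     *
     * <p>Every assertion is first marked as asserted. If the token is required (decided by the inherited
     * {@code isTokenRequired}), the assertion is marked not-asserted when no SAML assertion was received,
     * when the RST template does not match the assertion, when a matching-dialect Claims policy fails,
     * or when the inherited holder-of-key check fails. The Claims and holder-of-key checks both run, so
     * the holder-of-key message replaces the Claims message when both fail.
     *
     * <p>Note: this overload always returns {@code true}; failures are only recorded on the individual
     * {@link AssertionInfo} via {@code setNotAsserted}, unlike the {@link BinarySecurity} overload.
     * Callers must therefore inspect the assertion state rather than the return value.
     *
     * @param collection       the IssuedToken assertion infos; null or empty is accepted
     * @param assertionWrapper the received SAML assertion, or null if none was received
     * @return always {@code true}
     */
    public boolean validatePolicy(Collection<AssertionInfo> collection, AssertionWrapper assertionWrapper) {
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        for (AssertionInfo assertionInfo : collection) {
            IssuedToken issuedToken = (IssuedToken) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
            if (!isTokenRequired(issuedToken, this.message)) {
                continue;
            }
            if (assertionWrapper == null) {
                assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                continue;
            }
            Element rstTemplate = issuedToken.getRstTemplate();
            if (rstTemplate != null && !checkIssuedTokenTemplate(rstTemplate, assertionWrapper)) {
                assertionInfo.setNotAsserted("Error in validating the IssuedToken policy");
                continue;
            }
            Element claims = issuedToken.getClaims();
            if (claims != null && !checkClaims(claims, assertionWrapper)) {
                assertionInfo.setNotAsserted("Error in validating the Claims policy");
            }
            // Peer certificates (if the message arrived over TLS) let the holder-of-key check match
            // the assertion's subject key against the TLS client certificate.
            TLSSessionInfo tlsSessionInfo = (TLSSessionInfo) this.message.get(TLSSessionInfo.class);
            if (!checkHolderOfKey(assertionWrapper, this.signedResults,
                    tlsSessionInfo != null ? tlsSessionInfo.getPeerCertificates() : null)) {
                assertionInfo.setNotAsserted("Assertion fails holder-of-key requirements");
            }
        }
        return true;
    }

    /**
     * Validates the IssuedToken assertions against a received binary security token.
     *
     * <p>Every assertion is first marked as asserted. If the token is required, the method marks the
     * assertion not-asserted and returns {@code false} when no token was received or when the RST
     * template's TokenType does not match the token's value type.
     *
     * @param collection     the IssuedToken assertion infos; null or empty is accepted
     * @param binarySecurity the received binary security token, or null if none was received
     * @return {@code false} on the first failing assertion, {@code true} otherwise
     */
    public boolean validatePolicy(Collection<AssertionInfo> collection, BinarySecurity binarySecurity) {
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        for (AssertionInfo assertionInfo : collection) {
            IssuedToken issuedToken = (IssuedToken) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
            if (!isTokenRequired(issuedToken, this.message)) {
                continue;
            }
            if (binarySecurity == null) {
                assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                return false;
            }
            Element rstTemplate = issuedToken.getRstTemplate();
            if (rstTemplate != null && !checkIssuedTokenTemplate(rstTemplate, binarySecurity)) {
                assertionInfo.setNotAsserted("Error in validating the IssuedToken policy");
                return false;
            }
        }
        return true;
    }

    /**
     * Checks the child elements of an RST template against a SAML assertion.
     *
     * <p>Handled children are {@code TokenType} (SAML version must match), {@code KeyType} (the assertion
     * must carry a matching subject key) and {@code Claims} (delegated to the claims validator when the
     * dialect matches). Any other child element is skipped.
     *
     * @param element          the RST template element
     * @param assertionWrapper the received SAML assertion
     * @return {@code false} on the first mismatching child, {@code true} otherwise
     */
    private boolean checkIssuedTokenTemplate(Element element, AssertionWrapper assertionWrapper) {
        // The cursor is advanced unconditionally at the end of every iteration: a child that matches none
        // of the handled cases (or an unhandled KeyType value) must still be skipped, otherwise the walk
        // would never terminate.
        for (Element child = DOMUtils.getFirstElement(element); child != null;
                child = DOMUtils.getNextElement(child)) {
            String localName = child.getLocalName();
            if ("TokenType".equals(localName)) {
                if (!checkTokenType(child.getTextContent(), assertionWrapper)) {
                    return false;
                }
            } else if (KeyType.ELEMENT_LOCAL_NAME.equals(localName)) {
                if (!checkKeyType(child.getTextContent(), assertionWrapper)) {
                    return false;
                }
            } else if ("Claims".equals(localName)) {
                if (!checkClaims(child, assertionWrapper)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks a template TokenType value against the assertion's SAML version.
     *
     * <p>Only the two WSS SAML token type URIs are enforced; any other TokenType value is accepted as-is
     * (preserved behaviour).
     *
     * @param tokenType        text content of the TokenType element
     * @param assertionWrapper the received SAML assertion
     * @return {@code true} if the token type is compatible with the assertion's version
     */
    private static boolean checkTokenType(String tokenType, AssertionWrapper assertionWrapper) {
        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
            return assertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11;
        }
        if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
            return assertionWrapper.getSamlVersion() == SAMLVersion.VERSION_20;
        }
        return true;
    }

    /**
     * Checks a template KeyType value against the assertion's subject key information.
     *
     * <p>A value ending in {@code SymmetricKey} requires a secret in the subject key info; a value ending
     * in {@code PublicKey} requires a public key or certificates. Any other value (e.g. a bearer key
     * type) imposes no requirement (preserved behaviour).
     *
     * @param keyType          text content of the KeyType element
     * @param assertionWrapper the received SAML assertion
     * @return {@code true} if the assertion satisfies the key type
     */
    private static boolean checkKeyType(String keyType, AssertionWrapper assertionWrapper) {
        if (keyType.endsWith("SymmetricKey")) {
            SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
            return keyInfo != null && keyInfo.getSecret() != null;
        }
        if (keyType.endsWith("PublicKey")) {
            SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
            return keyInfo != null && (keyInfo.getPublicKey() != null || keyInfo.getCerts() != null);
        }
        return true;
    }

    /**
     * Runs the claims validator on a Claims element when its Dialect attribute matches the validator's
     * dialect. A Claims element in another dialect is not validated and is treated as satisfied
     * (preserved behaviour).
     *
     * @param claims           the Claims element (from the policy or from the RST template)
     * @param assertionWrapper the received SAML assertion
     * @return {@code false} only if the dialect matches and the claims validator rejects the assertion
     */
    private boolean checkClaims(Element claims, AssertionWrapper assertionWrapper) {
        String dialect = claims.getAttributeNS(null, Claims.DIALECT_ATTRIB_NAME);
        return !this.claimsValidator.getDialect().equals(dialect)
                || this.claimsValidator.validatePolicy(claims, assertionWrapper);
    }

    /**
     * Checks the child elements of an RST template against a binary security token: every
     * {@code TokenType} child must equal the token's value type. Other children are ignored.
     *
     * @param element        the RST template element
     * @param binarySecurity the received binary security token
     * @return {@code false} on the first mismatching TokenType, {@code true} otherwise
     */
    private boolean checkIssuedTokenTemplate(Element element, BinarySecurity binarySecurity) {
        for (Element child = DOMUtils.getFirstElement(element); child != null;
                child = DOMUtils.getNextElement(child)) {
            if ("TokenType".equals(child.getLocalName())
                    && !child.getTextContent().equals(binarySecurity.getValueType())) {
                return false;
            }
        }
        return true;
    }
}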
