package org.apache.cxf.rs.security.saml;

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.http.HttpStatus;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.apache.ws.security.validate.Validator;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Element;

/* loaded from: input_file:cxf/cxf-bundle-2.7.6.jar:org/apache/cxf/rs/security/saml/AbstractSamlInHandler.class */
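/**
 * Base class for JAX-RS request handlers that accept an inbound SAML assertion.
 *
 * <p>Processing order for a token ({@link #validateToken(Message, AssertionWrapper)}):
 * <ol>
 *   <li>If the assertion is signed, load the signature {@code Crypto} from the message
 *       properties, verify the signature and parse the holder-of-key subject.</li>
 *   <li>If it is <em>not</em> signed, it is only accepted when the TLS session carries
 *       peer (client) certificates; otherwise the request is rejected.</li>
 *   <li>Run the configured WSS4J {@link Validator} (disabled when {@link #setValidator}
 *       is given {@code null}).</li>
 *   <li>Check the subject confirmation methods (holder-of-key, sender-vouches, bearer)
 *       against the TLS client certificate and/or the message signature.</li>
 *   <li>Install a {@link SecurityContext} on the message via the
 *       {@link SecurityContextProvider}.</li>
 * </ol>
 *
 * <p>Every failure path goes through {@link #throwFault(String, Exception)}, which always
 * raises a {@link NotAuthorizedException} (HTTP 401). It must never return normally: a
 * handler that logs and falls through would let an invalid assertion reach the resource.
 *
 * <p>This class is not thread-safe with respect to its setters; configure it before use.
 */
public abstract class AbstractSamlInHandler implements RequestHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSamlInHandler.class);

    // WSS4J validator applied to every assertion; may be replaced or set to null via setValidator.
    private Validator samlValidator = new SamlAssertionValidator();
    // Builds the CXF SecurityContext from a validated assertion; may be replaced or set to null.
    private SecurityContextProvider scProvider = new SecurityContextProviderImpl();

    /**
     * Replaces the WSS4J assertion validator.
     *
     * @param validator the validator to run, or {@code null} to skip WSS4J validation entirely
     */
    public void setValidator(Validator validator) {
        this.samlValidator = validator;
    }

    /**
     * Replaces the provider that turns a validated assertion into a {@link SecurityContext}.
     *
     * @param securityContextProvider the provider, or {@code null} to leave the message without
     *                                a security context
     */
    public void setSecurityContextProvider(SecurityContextProvider securityContextProvider) {
        this.scProvider = securityContextProvider;
    }

    /**
     * Reads an assertion from a stream and validates it.
     * (Decompiler note: declared {@code protected} in the original class.)
     *
     * @param message     the current inbound message
     * @param inputStream UTF-8 encoded XML holding the assertion
     * @throws NotAuthorizedException if the stream cannot be parsed or the assertion is invalid
     */
    public void validateToken(Message message, InputStream inputStream) {
        validateToken(message, readToken(message, inputStream));
    }

    /**
     * Parses the stream as a UTF-8 XML document and returns its root element.
     *
     * @param message     the current inbound message (unused here; available to overrides)
     * @param inputStream the XML to parse
     * @return the document element; never {@code null}
     * @throws NotAuthorizedException if the XML cannot be read
     */
    protected Element readToken(Message message, InputStream inputStream) {
        try {
            // NOTE(review): DOMUtils.readXml is CXF's shared parser entry point; confirm that the
            // underlying DocumentBuilder has DTD/external-entity processing disabled for this input.
            return DOMUtils.readXml(new InputStreamReader(inputStream, "UTF-8")).getDocumentElement();
        } catch (Exception e) {
            throwFault("Assertion can not be read as XML document", e);
            return null; // not reached: throwFault always throws
        }
    }

    /**
     * Wraps a DOM element as an assertion and validates it.
     * (Decompiler note: declared {@code protected} in the original class.)
     *
     * @param message the current inbound message
     * @param element the SAML assertion element
     * @throws NotAuthorizedException if the element is not a usable assertion or is invalid
     */
    public void validateToken(Message message, Element element) {
        validateToken(message, toWrapper(element));
    }

    /**
     * Converts a DOM element into a WSS4J {@link AssertionWrapper}.
     *
     * @param element the SAML assertion element
     * @return the wrapper; never {@code null}
     * @throws NotAuthorizedException if the element cannot be unmarshalled
     */
    protected AssertionWrapper toWrapper(Element element) {
        try {
            return new AssertionWrapper(element);
        } catch (Exception e) {
            throwFault("Assertion can not be validated", e);
            return null; // not reached: throwFault always throws
        }
    }

    /**
     * Performs the full validation sequence described in the class documentation and, on
     * success, installs a {@link SecurityContext} on the message.
     *
     * @param message          the current inbound message
     * @param assertionWrapper the assertion to validate
     * @throws NotAuthorizedException on any validation failure; a fault raised by a nested step
     *                                keeps its own, more specific message
     */
    protected void validateToken(Message message, AssertionWrapper assertionWrapper) {
        try {
            RequestData requestData = new RequestData();
            if (assertionWrapper.isSigned()) {
                requestData.setWssConfig(WSSConfig.getNewInstance());
                requestData.setCallbackHandler(SecurityUtils.getCallbackHandler(message, getClass()));
                try {
                    requestData.setSigCrypto(new CryptoLoader().getCrypto(message,
                            SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES));
                } catch (IOException e) {
                    throwFault("Crypto can not be loaded", e);
                }
                requestData.setEnableRevocation(MessageUtils.isTrue(
                        message.getContextualProperty(WSHandlerConstants.ENABLE_REVOCATION)));
                assertionWrapper.verifySignature(requestData, null);
                assertionWrapper.parseHOKSubject(requestData, null);
            } else if (!hasTLSCertificates(message)) {
                // An unsigned assertion is trusted only on a mutually authenticated TLS session;
                // a null OR empty peer-certificate array both mean "no client certificate".
                throwFault("Assertion must be signed", null);
            }
            if (this.samlValidator != null) {
                Credential credential = new Credential();
                credential.setAssertion(assertionWrapper);
                this.samlValidator.validate(credential, requestData);
            }
            checkSubjectConfirmationData(message, assertionWrapper);
            setSecurityContext(message, assertionWrapper);
        } catch (NotAuthorizedException e) {
            // Already a fault with a specific message (e.g. "Crypto can not be loaded"); do not re-wrap.
            throw e;
        } catch (Exception e) {
            throwFault("Assertion can not be validated", e);
        }
    }

    /**
     * Verifies the assertion's subject confirmation methods against the TLS client certificate
     * (if any) and the message signature (if any).
     *
     * @param message          the current inbound message
     * @param assertionWrapper the assertion under validation
     * @throws NotAuthorizedException if any present confirmation method cannot be confirmed
     */
    protected void checkSubjectConfirmationData(Message message, AssertionWrapper assertionWrapper) {
        Certificate[] tlsCerts = getTLSCertificates(message);
        if (!checkHolderOfKey(message, assertionWrapper, tlsCerts)) {
            throwFault("Holder Of Key claim fails", null);
        }
        if (!checkSenderVouches(message, assertionWrapper, tlsCerts)) {
            throwFault("Sender vouchers claim fails", null);
        }
        if (!checkBearer(assertionWrapper, tlsCerts)) {
            throwFault("Bearer claim fails", null);
        }
    }

    /**
     * Stores the {@link SecurityContext} derived from the assertion on the message, if a
     * provider is configured.
     *
     * @param message          the current inbound message
     * @param assertionWrapper the validated assertion
     */
    protected void setSecurityContext(Message message, AssertionWrapper assertionWrapper) {
        if (this.scProvider != null) {
            SecurityContext sc = this.scProvider.getSecurityContext(message, assertionWrapper);
            message.put(SecurityContext.class, sc);
        }
    }

    /**
     * Returns the peer certificates of the TLS session carrying this message.
     *
     * @param message the current inbound message
     * @return the peer certificates, or {@code null} when there is no TLS session info
     */
    private Certificate[] getTLSCertificates(Message message) {
        TLSSessionInfo tlsInfo = (TLSSessionInfo) message.get(TLSSessionInfo.class);
        return tlsInfo == null ? null : tlsInfo.getPeerCertificates();
    }

    // True when the TLS session presents at least one peer certificate.
    private boolean hasTLSCertificates(Message message) {
        return hasCertificates(getTLSCertificates(message));
    }

    // Single definition of "certificates are present" used by every confirmation check.
    private static boolean hasCertificates(Certificate[] certs) {
        return certs != null && certs.length > 0;
    }

    /**
     * Logs the failure and raises a 401 {@link NotAuthorizedException} carrying {@code str} as
     * the response entity. <b>Always throws</b>; the cause, when given, is attached to the
     * exception and logged so operators can diagnose rejected assertions.
     * (Decompiler note: declared {@code protected} in the original class.)
     *
     * @param str the short, client-visible reason
     * @param exc the underlying cause, or {@code null}
     * @throws NotAuthorizedException unconditionally
     */
    public void throwFault(String str, Exception exc) {
        LOG.log(Level.WARNING, str, exc);
        Response response = Response.status(Response.Status.UNAUTHORIZED).entity(str).build();
        if (exc == null) {
            throw new NotAuthorizedException(response);
        }
        throw new NotAuthorizedException(response, exc);
    }

    /**
     * Confirms sender-vouches subject confirmation.
     *
     * <p>Any TLS client certificate is accepted as the vouching party. Without one, each
     * sender-vouches method requires the assertion's signing key to match the key that signed
     * the enclosing message, unless the assertion element sits directly under the request's
     * root element (in which case this check is skipped for that method).
     *
     * @param message          the current inbound message
     * @param assertionWrapper the assertion under validation
     * @param certificateArr   TLS peer certificates, possibly {@code null} or empty
     * @return {@code false} if a sender-vouches method is present and cannot be confirmed
     */
    protected boolean checkSenderVouches(Message message, AssertionWrapper assertionWrapper,
                                         Certificate[] certificateArr) {
        if (hasCertificates(certificateArr)) {
            return true;
        }
        Element requestRoot = (Element) message.getContent(Element.class);
        for (String method : assertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodSenderVouches(method)) {
                continue;
            }
            if (assertionWrapper.getElement().getParentNode() == requestRoot) {
                continue;
            }
            XMLSignature messageSignature = (XMLSignature) message.getContent(XMLSignature.class);
            if (messageSignature == null
                || !compareCredentials(assertionWrapper.getSignatureKeyInfo(), messageSignature, certificateArr)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Confirms holder-of-key subject confirmation: the subject's key in the assertion must match
     * the TLS client certificate or the key that signed the enclosing message.
     *
     * @param message          the current inbound message
     * @param assertionWrapper the assertion under validation
     * @param certificateArr   TLS peer certificates, possibly {@code null} or empty
     * @return {@code false} if a holder-of-key method is present and cannot be confirmed
     */
    protected boolean checkHolderOfKey(Message message, AssertionWrapper assertionWrapper,
                                       Certificate[] certificateArr) {
        for (String method : assertionWrapper.getConfirmationMethods()) {
            if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                XMLSignature messageSignature = (XMLSignature) message.getContent(XMLSignature.class);
                if (!compareCredentials(assertionWrapper.getSubjectKeyInfo(), messageSignature, certificateArr)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks whether the key material in {@code samlKeyInfo} matches either the first TLS peer
     * certificate (by certificate or by public key) or the certificate/public key found in the
     * message signature's KeyInfo.
     *
     * @param samlKeyInfo    key material taken from the assertion; {@code null} never matches
     * @param xmlSignature   the enclosing message signature, or {@code null}
     * @param tlsCerts       TLS peer certificates, possibly {@code null} or empty
     * @return {@code true} on a match; {@code false} otherwise, including when the signature's
     *         KeyInfo cannot be read
     */
    private boolean compareCredentials(SAMLKeyInfo samlKeyInfo, XMLSignature xmlSignature,
                                       Certificate[] tlsCerts) {
        if (samlKeyInfo == null) {
            return false; // nothing in the assertion to confirm against
        }
        X509Certificate[] assertionCerts = samlKeyInfo.getCerts();
        PublicKey assertionKey = samlKeyInfo.getPublicKey();
        boolean hasAssertionCert = assertionCerts != null && assertionCerts.length > 0;

        if (hasCertificates(tlsCerts)) {
            Certificate tlsCert = tlsCerts[0];
            if (hasAssertionCert && tlsCert.equals(assertionCerts[0])) {
                return true;
            }
            if (assertionKey != null && tlsCert.getPublicKey().equals(assertionKey)) {
                return true;
            }
        }
        if (xmlSignature == null) {
            return false;
        }
        try {
            X509Certificate signatureCert = xmlSignature.getKeyInfo().getX509Certificate();
            if (hasAssertionCert && signatureCert != null && signatureCert.equals(assertionCerts[0])) {
                return true;
            }
            PublicKey signatureKey = xmlSignature.getKeyInfo().getPublicKey();
            return signatureKey != null && signatureKey.equals(assertionKey);
        } catch (Exception e) {
            // Any failure to extract key material from the signature is treated as "no match".
            return false;
        }
    }

    /**
     * Confirms bearer subject confirmation: a bearer assertion is accepted only if it is signed
     * or the TLS session presents a client certificate.
     *
     * @param assertionWrapper the assertion under validation
     * @param certificateArr   TLS peer certificates, possibly {@code null} or empty
     * @return {@code false} if a bearer method is present on an unsigned assertion without TLS
     *         client certificates
     */
    protected boolean checkBearer(AssertionWrapper assertionWrapper, Certificate[] certificateArr) {
        if (assertionWrapper.isSigned() || hasCertificates(certificateArr)) {
            return true;
        }
        for (String method : assertionWrapper.getConfirmationMethods()) {
            if (isMethodBearer(method)) {
                return false;
            }
        }
        return true;
    }

    // Matches both the SAML 1.1 and SAML 2.0 bearer confirmation URIs.
    private boolean isMethodBearer(String str) {
        return str != null && str.startsWith("urn:oasis:names:tc:SAML:") && str.endsWith(":cm:bearer");
    }

    static {
        WSSConfig.init();
    }
}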
