package org.wso2.carbon.security.config;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import javax.xml.stream.XMLInputFactory;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.engine.AxisConfiguration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.policy.RampartPolicyBuilder;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.secpolicy.WSSPolicyException;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.core.util.KeyStoreUtil;
import org.wso2.carbon.security.SecurityConfigException;
import org.wso2.carbon.security.SecurityConstants;
import org.wso2.carbon.security.SecurityScenario;
import org.wso2.carbon.security.SecurityScenarioDatabase;
import org.wso2.carbon.security.config.service.SecurityConfigData;
import org.wso2.carbon.security.config.service.SecurityScenarioData;
import org.wso2.carbon.security.util.SecurityTokenStore;
import org.wso2.carbon.security.util.ServerCrypto;
import org.wso2.carbon.security.util.ServicePasswordCallbackHandler;
import org.wso2.carbon.service.mgt.ServiceAdmin;
import org.wso2.carbon.utils.ServerConfiguration;
import org.wso2.carbon.utils.ServerException;
import org.wso2.registry.Association;
import org.wso2.registry.Registry;
import org.wso2.registry.Resource;
import org.wso2.registry.exceptions.RegistryException;

/* loaded from: input_file:org/wso2/carbon/security/config/SecurityConfigAdmin.class */
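/**
 * Admin-side helper that applies, removes and reports WS-Security scenarios on Axis2 services.
 * <p>
 * State lives in two places and this class keeps them in step: the in-memory Axis2
 * configuration ({@link AxisService} parameters, policies and exposed transports) and the
 * registry (associations from the service path to the policy, key stores and user groups,
 * plus the transport properties of the service resource).
 * <p>
 * Registry path literals are collected in the private constants below; they are the values
 * the rest of the product expects and must not be changed independently.
 * Thread-safety is not documented here because nothing in this class establishes it.
 */
public class SecurityConfigAdmin {
    private static final Log log = LogFactory.getLog(SecurityConfigAdmin.class);

    /** WS-Security utility namespace (wsu), exposed for callers that build wsu:Id references. */
    public static final String WS_SEC_UTILITY_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    /** Property key under which the private-key alias is carried to {@link RampartConfig#setUser}. */
    public static final String USER = "rampart.config.user";

    // --- registry layout -------------------------------------------------------------------
    private static final String SERVICE_GROUPS_ROOT = "/carbon/service-groups/";
    private static final String SERVICES_SEGMENT = "/services/";
    private static final String POLICIES_SUFFIX = "/policies/";
    private static final String POLICY_RESOURCE_ROOT = "/org/wso2/carbon/security/policy/";
    private static final String KEY_STORE_ROOT = "/org/wso2/carbon/secmgt/key-stores/";
    private static final String PRIMARY_KEY_STORE_PATH = KEY_STORE_ROOT + "carbon-primary-ks";
    private static final String USER_GROUP_ROOT = "/org/wso2/carbon/secmgt/user-groups/";
    private static final String TRANSPORT_ROOT = "/carbon/transports/";
    private static final String ASSOCIATION_SERVICE_SECPOLICY = "service-secpolicy";
    private static final String ASSOCIATION_EXPOSED_TRANSPORTS = "exposed.transports";
    private static final String PROP_EXPOSED_ALL_TRANSPORTS = "exposed.all.transports";
    private static final String PROP_UT_ENABLED = "ut.enabled";
    private static final String PROP_KEY_STORE_LOCATION = "Security.KeyStore.Location";

    // --- Axis2 service parameters and Rampart settings ------------------------------------
    private static final String PARAM_PASSWORD_CALLBACK_REF = "passwordCallbackRef";
    private static final String PARAM_DISABLE_REST = "disableREST";
    private static final String ENCRYPTION_USER = "useReqSigCert";
    /** Timestamp time-to-live, in seconds, written into every RampartConfig. */
    private static final int TIMESTAMP_TTL_SECONDS = 300;
    /** Maximum accepted timestamp clock skew, in seconds, written into every RampartConfig. */
    private static final int TIMESTAMP_MAX_SKEW_SECONDS = 300;

    private final Registry registry;
    protected AxisConfiguration axisConfig;

    /**
     * Creates an admin bound to the given Axis2 configuration, taking the registry from the
     * configuration's {@code WSO2Registry} parameter.
     *
     * @param axisConfiguration the Axis2 configuration hosting the services; must not be null
     */
    public SecurityConfigAdmin(AxisConfiguration axisConfiguration) {
        this(axisConfiguration, (Registry) axisConfiguration.getParameterValue("WSO2Registry"));
    }

    /**
     * Creates an admin bound to the given Axis2 configuration and registry.
     *
     * @param axisConfiguration the Axis2 configuration hosting the services
     * @param registry          the registry that persists the security associations
     */
    public SecurityConfigAdmin(AxisConfiguration axisConfiguration, Registry registry) {
        this.axisConfig = axisConfiguration;
        this.registry = registry;
    }

    /**
     * Looks a scenario up in {@link SecurityScenarioDatabase} and converts it to its transfer form.
     *
     * @param scenarioId the scenario id
     * @return the scenario data, or {@code null} when the id is unknown
     * @throws SecurityConfigException declared for interface compatibility; not thrown here
     */
    public SecurityScenarioData getSecurityScenario(String scenarioId) throws SecurityConfigException {
        return toScenarioData(SecurityScenarioDatabase.get(scenarioId));
    }

    /**
     * Returns the scenario currently applied to a service, as recorded under the service's
     * {@code /policies/} collection in the registry.
     *
     * @param serviceName the Axis2 service name
     * @return the current scenario data, or {@code null} when the service has no policies collection
     *         or none of its children maps to a known scenario
     * @throws SecurityConfigException when the service is unknown or the registry cannot be read
     */
    public SecurityScenarioData getCurrentScenario(String serviceName) throws SecurityConfigException {
        try {
            AxisService service = requireService(serviceName, "AxisService is Null");
            String policiesPath = getServicePath(service, serviceName) + POLICIES_SUFFIX;
            if (!this.registry.resourceExists(policiesPath)) {
                return null;
            }
            return toScenarioData(readCurrentScenario(serviceName));
        } catch (AxisFault e) {
            // Keep the cause: the original dropped it, which made registry/Axis2 failures undiagnosable.
            throw new SecurityConfigException("readingSecurity", e);
        } catch (RegistryException e) {
            throw new SecurityConfigException("readingSecurity", e);
        }
    }

    /**
     * Removes the security scenario currently applied to a service: the binding policy, the
     * registry associations (policy, user groups, key stores), the password-callback and
     * disableREST parameters, and — when the scenario was HTTPS-only — re-exposes all transports.
     * <p>
     * Unlike the original implementation, an {@link AxisFault} is no longer swallowed: a
     * half-removed configuration would otherwise be reported as success to the caller.
     *
     * @param serviceName the Axis2 service name
     * @throws SecurityConfigException when the service is unknown or any step fails
     */
    public void disableSecurityOnService(String serviceName) throws SecurityConfigException {
        try {
            AxisService service = requireService(serviceName, "AxisService is Null");
            String servicePath = getServicePath(service, serviceName);
            String policiesPath = servicePath + POLICIES_SUFFIX;
            log.debug("Removing " + policiesPath);
            if (!this.registry.resourceExists(policiesPath)) {
                return;
            }
            SecurityScenario current = readCurrentScenario(serviceName);
            if (current == null) {
                return;
            }
            String[] modules = (String[]) current.getModules().toArray(new String[current.getModules().size()]);
            new ServiceAdmin().removeBindingPolicy(serviceName, current.getWsuId(), modules);

            String scenarioId = current.getScenarioId();
            this.registry.removeAssociation(POLICY_RESOURCE_ROOT + scenarioId, servicePath, ASSOCIATION_SERVICE_SECPOLICY);
            removeAssociations(servicePath, SecurityConstants.ASSOCIATION_UT_GROUP);
            removeAssociations(servicePath, SecurityConstants.ASSOCIATION_PRIVATE_KEYSTORE);
            removeAssociations(servicePath, SecurityConstants.ASSOCIATION_TRUSTED_KEYSTORE);

            removeParameter(service, PARAM_PASSWORD_CALLBACK_REF);
            removeParameter(service, PARAM_DISABLE_REST);

            // An HTTPS-only scenario had narrowed the exposed transports; restore them all.
            if (isHttpsTransportOnly(loadPolicy(scenarioId))) {
                exposeAllTransportsInRegistry(serviceName, servicePath);
            }
        } catch (SecurityConfigException e) {
            throw e;
        } catch (Exception e) {
            log.error("Error removing the security policy from service " + serviceName, e);
            throw new SecurityConfigException("removingPolicy", e);
        }
    }

    /**
     * No-op retained for interface compatibility; the original body is empty.
     *
     * @param serviceName the Axis2 service name (unused)
     * @param userGroups  the user groups (unused)
     * @throws SecurityConfigException never
     */
    public void activateUsernameTokenAuthentication(String serviceName, String[] userGroups) throws SecurityConfigException {
    }

    /**
     * Applies a security scenario to a service. Any existing scenario is removed first, then the
     * endpoint policy is attached, REST calls are disabled (except for the username-token scenario)
     * and the policy / key-store / user-group associations are recorded in the registry.
     * <p>
     * Unlike the original implementation, an {@link AxisFault} is no longer swallowed: silently
     * continuing would leave the service unsecured while the caller is told the policy was applied.
     *
     * @param serviceName   the Axis2 service name
     * @param scenarioId    the scenario to apply
     * @param trustedStores names of trusted key stores, may be {@code null}
     * @param privateStore  name of the private key store, may be {@code null}
     * @param userGroups    user groups allowed to authenticate, may be {@code null}
     * @throws SecurityConfigException when a referenced key store is missing (unless it is the
     *                                 primary store), or when any step fails
     */
    public void applySecurity(String serviceName, String scenarioId, String[] trustedStores, String privateStore,
                              String[] userGroups) throws SecurityConfigException {
        try {
            disableSecurityOnService(serviceName);
            applyEndPointPolicy(serviceName, scenarioId, trustedStores, privateStore, userGroups);
            disableRESTCalls(serviceName, scenarioId);

            AxisService service = requireService(serviceName, "nullService");
            String servicePath = getServicePath(service, serviceName);
            this.registry.addAssociation(POLICY_RESOURCE_ROOT + scenarioId, servicePath, ASSOCIATION_SERVICE_SECPOLICY);
            if (privateStore != null) {
                associateKeyStore(servicePath, privateStore, SecurityConstants.ASSOCIATION_PRIVATE_KEYSTORE);
            }
            if (trustedStores != null) {
                for (String store : trustedStores) {
                    associateKeyStore(servicePath, store, SecurityConstants.ASSOCIATION_TRUSTED_KEYSTORE);
                }
            }
            if (userGroups != null) {
                for (String group : userGroups) {
                    this.registry.addAssociation(servicePath, USER_GROUP_ROOT + group, SecurityConstants.ASSOCIATION_UT_GROUP);
                }
            }
        } catch (RegistryException e) {
            log.error("Error persisting the security configuration of service " + serviceName, e);
            throw new SecurityConfigException("errorPersisting", e);
        } catch (AxisFault e) {
            log.error("Error applying the security policy to service " + serviceName, e);
            throw new SecurityConfigException("configuringService", new String[]{"while applying Security policy"}, e);
        }
    }

    /**
     * Attaches the scenario's policy to the service: registers the password callback handler,
     * builds the Rampart configuration from the server crypto properties, restricts the service to
     * HTTPS when the policy requires a transport binding, and adds the policy plus the scenario's
     * modules through {@link SecurityServiceAdmin}.
     *
     * @param serviceName   the Axis2 service name
     * @param scenarioId    the scenario whose policy is loaded from the registry; the
     *                      {@link SecurityConstants#SCENARIO_DISABLE_SECURITY} scenario is a no-op
     * @param trustedStores trusted key store names, may be {@code null}
     * @param privateStore  private key store name, may be {@code null}
     * @param userGroups    user groups handed to the password callback handler
     * @throws SecurityConfigException when the service is unknown or any step fails
     * @throws AxisFault               declared for interface compatibility (failures are wrapped)
     * @throws RegistryException       declared for interface compatibility (failures are wrapped)
     */
    protected void applyEndPointPolicy(String serviceName, String scenarioId, String[] trustedStores, String privateStore,
                                       String[] userGroups) throws SecurityConfigException, AxisFault, RegistryException {
        try {
            AxisService service = requireService(serviceName, "nullService");
            // equals() rather than ==: the original compared string identity, which only works for
            // callers that happen to pass the interned constant itself.
            if (SecurityConstants.SCENARIO_DISABLE_SECURITY.equals(scenarioId)) {
                return;
            }
            Parameter callbackParam = new Parameter();
            callbackParam.setName(PARAM_PASSWORD_CALLBACK_REF);
            callbackParam.setValue(new ServicePasswordCallbackHandler(serviceName, userGroups, this.registry));
            service.addParameter(callbackParam);

            RampartConfig rampartConfig = new RampartConfig();
            populateRampartConfig(rampartConfig, getServerCryptoProperties(privateStore, trustedStores));
            Policy policy = loadPolicy(scenarioId);
            policy.addAssertion(rampartConfig);

            if (isHttpsTransportOnly(policy)) {
                setServiceTransports(serviceName, getHttpsTransports());
                restrictRegistryTransportsToHttps(serviceName, getServicePath(service, serviceName));
            } else {
                setServiceTransports(serviceName, getAllTransports());
            }

            SecurityScenario scenario = SecurityScenarioDatabase.get(scenarioId);
            if (scenario == null) {
                throw new SecurityConfigException("configuringService",
                        new String[]{"unknown security scenario " + scenarioId});
            }
            String[] modules = (String[]) scenario.modules.toArray(new String[scenario.modules.size()]);
            // 6 is the policy type the original passed; presumably an Axis2 PolicyInclude constant — confirm.
            new SecurityServiceAdmin(this.axisConfig).addPoliciesToService(service, policy, 6, modules);
        } catch (SecurityConfigException e) {
            throw e;
        } catch (ServerException e) {
            log.error("Error applying the security policy to service " + serviceName, e);
            throw new SecurityConfigException("configuringService", new String[]{"while applying Security policy"}, e);
        } catch (Exception e) {
            log.error("Error applying the security policy to service " + serviceName, e);
            throw new SecurityConfigException("configuringService", new String[]{"while applying Security policy"}, e);
        }
    }

    /**
     * Sets the {@code disableREST} parameter on the service, except for the username-token scenario.
     *
     * @param serviceName the Axis2 service name
     * @param scenarioId  the scenario being applied
     * @throws SecurityConfigException when the service is unknown or the parameter cannot be added
     */
    protected void disableRESTCalls(String serviceName, String scenarioId) throws SecurityConfigException {
        if (SecurityConstants.USERNAME_TOKEN_SCENARIO_ID.equals(scenarioId)) {
            return;
        }
        try {
            AxisService service = requireService(serviceName, "nullService");
            Parameter parameter = new Parameter();
            parameter.setName(PARAM_DISABLE_REST);
            parameter.setValue(Boolean.TRUE.toString());
            service.addParameter(parameter);
        } catch (AxisFault e) {
            log.error("Error disabling REST calls on service " + serviceName, e);
            throw new SecurityConfigException("disablingREST", e);
        }
    }

    /**
     * Loads the WS-Policy document of a scenario from the registry.
     * <p>
     * The StAX factory is configured with DTD support and external entity resolution switched
     * off, so a policy document cannot pull in external content (XXE); the content stream is
     * closed once the policy tree has been fully built.
     *
     * @param scenarioId the scenario id; resolved under {@code /org/wso2/carbon/security/policy/}
     * @return the parsed policy
     * @throws SecurityConfigException when the resource cannot be read or parsed
     */
    public Policy loadPolicy(String scenarioId) throws SecurityConfigException {
        InputStream content = null;
        try {
            content = this.registry.get(POLICY_RESOURCE_ROOT + scenarioId).getContentStream();
            XMLInputFactory factory = XMLInputFactory.newInstance();
            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            StAXOMBuilder builder = new StAXOMBuilder(factory.createXMLStreamReader(content));
            // Force the deferred Axiom tree to be read completely before the stream is closed below.
            builder.getDocumentElement().build();
            return PolicyEngine.getPolicy(builder.getDocumentElement());
        } catch (Exception e) {
            log.error("Error loading the security policy for scenario " + scenarioId, e);
            throw new SecurityConfigException("loadingPolicy", e);
        } finally {
            closeQuietly(content);
        }
    }

    /**
     * Fills a {@link RampartConfig} with the server crypto settings: separate encryption and
     * signature {@link CryptoConfig}s backed by {@link ServerCrypto} (only when properties are
     * present), the encryption user, the user taken from {@link #USER}, timestamp TTL/skew and the
     * token store class.
     *
     * @param rampartConfig the configuration to populate; ignored when {@code null}
     * @param properties    the crypto properties; {@code null} is treated as empty
     * @throws SecurityConfigException declared for interface compatibility; not thrown here
     */
    public void populateRampartConfig(RampartConfig rampartConfig, Properties properties) throws SecurityConfigException {
        if (rampartConfig == null) {
            return;
        }
        Properties cryptoProperties = properties == null ? new Properties() : properties;
        if (!cryptoProperties.isEmpty()) {
            // Two distinct CryptoConfig instances, as in the original, so Rampart may treat them independently.
            rampartConfig.setEncrCryptoConfig(newServerCryptoConfig(cryptoProperties));
            rampartConfig.setSigCryptoConfig(newServerCryptoConfig(cryptoProperties));
        }
        rampartConfig.setEncryptionUser(ENCRYPTION_USER);
        rampartConfig.setUser(cryptoProperties.getProperty(USER));
        rampartConfig.setTimestampTTL(Integer.toString(TIMESTAMP_TTL_SECONDS));
        rampartConfig.setTimestampMaxSkew(Integer.toString(TIMESTAMP_MAX_SKEW_SECONDS));
        rampartConfig.setTokenStoreClass(SecurityTokenStore.class.getName());
    }

    /**
     * Builds the {@link ServerCrypto} properties for a private key store and a set of trust stores.
     *
     * @param privateStore  private key store name; when {@code null} no private-store properties are set
     * @param trustedStores trust store names; when {@code null} or empty no trust-store property is set
     * @return the properties (possibly empty)
     * @throws Exception when the private key store or its alias cannot be read
     */
    public Properties getServerCryptoProperties(String privateStore, String[] trustedStores) throws Exception {
        Properties properties = new Properties();
        if (trustedStores != null && trustedStores.length != 0) {
            StringBuilder names = new StringBuilder();
            for (String store : trustedStores) {
                // Trailing separator is kept exactly as the original wrote it; ServerCrypto presumably
                // tolerates it when splitting — confirm before changing.
                names.append(store).append(",");
            }
            properties.setProperty(ServerCrypto.PROP_ID_TRUST_STORES, names.toString());
        }
        if (privateStore != null) {
            properties.setProperty(ServerCrypto.PROP_ID_PRIVATE_STORE, privateStore);
            String privateKeyAlias = KeyStoreUtil.getPrivateKeyAlias(KeyStoreManager.getInstance().getKeyStore(privateStore));
            properties.setProperty(ServerCrypto.PROP_ID_DEFAULT_ALIAS, privateKeyAlias);
            properties.setProperty(USER, privateKeyAlias);
        }
        return properties;
    }

    /**
     * Replaces the exposed transports of a service with a copy of the given list.
     *
     * @param serviceName the Axis2 service name
     * @param transports  transport names; {@code null} is treated as empty
     * @throws SecurityConfigException when the service is unknown
     * @throws AxisFault               when Axis2 cannot resolve the service
     */
    public void setServiceTransports(String serviceName, List<String> transports) throws SecurityConfigException, AxisFault {
        AxisService service = requireService(serviceName, "nullService");
        // Defensive copy: the caller keeps its list, Axis2 gets its own.
        ArrayList<String> exposed = new ArrayList<String>();
        if (transports != null) {
            exposed.addAll(transports);
        }
        service.setExposedTransports(exposed);
        log.info("Successfully add selected transport bindings to service " + serviceName);
    }

    /**
     * Decides whether a policy requires transport-level (HTTPS) security: true for a transport
     * binding, and for a symmetric binding whose encryption token is a secure-conversation token
     * with a transport-binding bootstrap policy. Only the first policy alternative is examined.
     * <p>
     * An absent alternative (on the policy or the bootstrap policy) yields {@code false}; the
     * original called {@code next()} unconditionally on the bootstrap alternatives.
     *
     * @param policy the policy to inspect
     * @return whether only HTTPS transports should be exposed
     * @throws SecurityConfigException when the policy cannot be interpreted by Rampart
     */
    public boolean isHttpsTransportOnly(Policy policy) throws SecurityConfigException {
        try {
            Iterator alternatives = policy.getAlternatives();
            if (!alternatives.hasNext()) {
                return false;
            }
            RampartPolicyData policyData = RampartPolicyBuilder.build((List) alternatives.next());
            if (policyData.isTransportBinding()) {
                return true;
            }
            if (!policyData.isSymmetricBinding()) {
                return false;
            }
            Object encryptionToken = policyData.getEncryptionToken();
            if (!(encryptionToken instanceof SecureConversationToken)) {
                return false;
            }
            Policy bootstrapPolicy = ((SecureConversationToken) encryptionToken).getBootstrapPolicy();
            if (bootstrapPolicy == null) {
                return false;
            }
            Iterator bootstrapAlternatives = bootstrapPolicy.getAlternatives();
            if (!bootstrapAlternatives.hasNext()) {
                return false;
            }
            return RampartPolicyBuilder.build((List) bootstrapAlternatives.next()).isTransportBinding();
        } catch (WSSPolicyException e) {
            log.error("Error inspecting the transport binding of the security policy", e);
            throw new SecurityConfigException("transportSwitch", e);
        }
    }

    /**
     * Returns the names of the inbound transports whose (lower-cased) name contains
     * {@link SecurityConstants#HTTPS_TRANSPORT}.
     *
     * @return a new, mutable list of transport names
     */
    public List<String> getHttpsTransports() {
        List<String> httpsTransports = new ArrayList<String>();
        for (String name : getAllTransports()) {
            if (name.toLowerCase(Locale.ROOT).contains(SecurityConstants.HTTPS_TRANSPORT)) {
                httpsTransports.add(name);
            }
        }
        return httpsTransports;
    }

    /**
     * Returns the names of all inbound transports of the Axis2 configuration.
     *
     * @return a new, mutable list of transport names
     */
    public List<String> getAllTransports() {
        List<String> names = new ArrayList<String>();
        for (Object key : this.axisConfig.getTransportsIn().keySet()) {
            names.add((String) key);
        }
        return names;
    }

    /**
     * Reads the user groups and key stores associated with a service, but only when the given
     * scenario is the one currently applied.
     * <p>
     * Registry and Axis2 failures are reported as {@link SecurityConfigException}; the original
     * returned a partially populated object instead.
     *
     * @param serviceName the Axis2 service name
     * @param scenarioId  the scenario the caller expects to be applied
     * @return the configuration data, or {@code null} when {@code scenarioId} is {@code null} or
     *         does not match the current scenario
     * @throws SecurityConfigException when the service is unknown or the registry cannot be read
     */
    public SecurityConfigData getSecurityConfigData(String serviceName, String scenarioId) throws SecurityConfigException {
        try {
            SecurityScenario current = readCurrentScenario(serviceName);
            if (scenarioId == null || current == null || !scenarioId.equals(current.getScenarioId())) {
                return null;
            }
            AxisService service = requireService(serviceName, "nullService");
            String servicePath = getServicePath(service, serviceName);
            SecurityConfigData data = new SecurityConfigData();

            Association[] groupAssociations = this.registry.getAssociations(servicePath, SecurityConstants.ASSOCIATION_UT_GROUP);
            String[] userGroups = new String[groupAssociations.length];
            for (int i = 0; i < groupAssociations.length; i++) {
                userGroups[i] = lastPathSegment(groupAssociations[i].getDestinationPath());
            }
            data.setUserGroups(userGroups);

            Association[] privateStoreAssociations =
                    this.registry.getAssociations(servicePath, SecurityConstants.ASSOCIATION_PRIVATE_KEYSTORE);
            if (privateStoreAssociations.length > 0) {
                data.setPrivateStore(resolveKeyStoreName(privateStoreAssociations[0].getDestinationPath()));
            }

            Association[] trustedStoreAssociations =
                    this.registry.getAssociations(servicePath, SecurityConstants.ASSOCIATION_TRUSTED_KEYSTORE);
            String[] trustedStores = new String[trustedStoreAssociations.length];
            for (int i = 0; i < trustedStoreAssociations.length; i++) {
                trustedStores[i] = resolveKeyStoreName(trustedStoreAssociations[i].getDestinationPath());
            }
            data.setTrustedKeyStores(trustedStores);
            return data;
        } catch (AxisFault e) {
            log.error("Error reading the security configuration of service " + serviceName, e);
            throw new SecurityConfigException("readingSecurity", e);
        } catch (RegistryException e) {
            log.error("Error reading the security configuration of service " + serviceName, e);
            throw new SecurityConfigException("readingSecurity", e);
        }
    }

    /**
     * Finds the scenario currently applied to a service by mapping the children of the service's
     * {@code /policies/} collection to scenarios via their wsu:Id.
     *
     * @param serviceName the Axis2 service name
     * @return the first child that maps to a known scenario, or {@code null} when the collection
     *         does not exist or no child maps to a scenario
     * @throws SecurityConfigException when the service is unknown or the registry cannot be read
     */
    public SecurityScenario readCurrentScenario(String serviceName) throws SecurityConfigException {
        try {
            AxisService service = requireService(serviceName, "AxisService is Null");
            String policiesPath = getServicePath(service, serviceName) + POLICIES_SUFFIX;
            if (!this.registry.resourceExists(policiesPath)) {
                return null;
            }
            for (String childPath : this.registry.get(policiesPath).getChildren()) {
                // Child paths are absolute; the wsu:Id is the part after the collection path.
                SecurityScenario scenario = SecurityScenarioDatabase.getByWsuId(childPath.substring(policiesPath.length()));
                if (scenario != null) {
                    return scenario;
                }
            }
            return null;
        } catch (SecurityConfigException e) {
            throw e;
        } catch (Exception e) {
            throw new SecurityConfigException("readingSecurity", e);
        }
    }

    // --- private helpers -------------------------------------------------------------------

    /** Resolves a service by name, failing with the given message key when Axis2 has no such service. */
    private AxisService requireService(String serviceName, String errorKey) throws AxisFault, SecurityConfigException {
        AxisService service = this.axisConfig.getService(serviceName);
        if (service == null) {
            throw new SecurityConfigException(errorKey);
        }
        return service;
    }

    /** Registry path of a service: {@code /carbon/service-groups/<group>/services/<name>}. */
    private static String getServicePath(AxisService service, String serviceName) {
        return SERVICE_GROUPS_ROOT + service.getAxisServiceGroup().getServiceGroupName() + SERVICES_SEGMENT + serviceName;
    }

    /** Converts a scenario to its transfer object; {@code null} in, {@code null} out. */
    private static SecurityScenarioData toScenarioData(SecurityScenario scenario) {
        if (scenario == null) {
            return null;
        }
        SecurityScenarioData data = new SecurityScenarioData();
        data.setCategory(scenario.getCategory());
        data.setDescription(scenario.getDescription());
        data.setScenarioId(scenario.getScenarioId());
        data.setSummary(scenario.getSummary());
        return data;
    }

    /** Builds a {@link CryptoConfig} backed by {@link ServerCrypto} with the given properties. */
    private static CryptoConfig newServerCryptoConfig(Properties properties) {
        CryptoConfig cryptoConfig = new CryptoConfig();
        cryptoConfig.setProvider(ServerCrypto.class.getName());
        cryptoConfig.setProp(properties);
        return cryptoConfig;
    }

    /** Removes the service parameter with the given name (Axis2 matches parameters by name). */
    private static void removeParameter(AxisService service, String name) throws AxisFault {
        Parameter parameter = new Parameter();
        parameter.setName(name);
        service.removeParameter(parameter);
    }

    /** Removes every association of the given type that starts at {@code sourcePath}. */
    private void removeAssociations(String sourcePath, String associationType) throws RegistryException {
        for (Association association : this.registry.getAssociations(sourcePath, associationType)) {
            this.registry.removeAssociation(sourcePath, association.getDestinationPath(), associationType);
        }
    }

    /**
     * Associates a key store with a service. A store that does not exist under the key-store
     * collection is accepted only when it is the primary store, which maps to the fixed
     * {@code carbon-primary-ks} path; anything else is rejected with {@code missingks}.
     */
    private void associateKeyStore(String servicePath, String keyStoreName, String associationType)
            throws RegistryException, AxisFault, SecurityConfigException {
        String keyStorePath = KEY_STORE_ROOT + keyStoreName;
        if (this.registry.resourceExists(keyStorePath)) {
            this.registry.addAssociation(servicePath, keyStorePath, associationType);
        } else if (KeyStoreUtil.isPrimaryStore(keyStoreName)) {
            this.registry.addAssociation(servicePath, PRIMARY_KEY_STORE_PATH, associationType);
        } else {
            throw new SecurityConfigException("missingks", new String[]{keyStoreName});
        }
    }

    /**
     * Registry side of an HTTPS-only scenario, done in one transaction: marks the service as not
     * exposed on all transports with username-token enabled, drops every non-HTTPS
     * {@code exposed.transports} association and adds the HTTPS one if it was missing.
     */
    private void restrictRegistryTransportsToHttps(String serviceName, String servicePath)
            throws AxisFault, RegistryException {
        try {
            this.registry.beginTransaction();
            Resource resource = this.registry.get(servicePath);
            resource.setProperty(PROP_EXPOSED_ALL_TRANSPORTS, Boolean.FALSE.toString());
            resource.setProperty(PROP_UT_ENABLED, Boolean.TRUE.toString());
            boolean httpsExposed = false;
            for (Association association : this.registry.getAssociations(servicePath, ASSOCIATION_EXPOSED_TRANSPORTS)) {
                String transportPath = association.getDestinationPath();
                if (transportPath.endsWith(SecurityConstants.HTTPS_TRANSPORT)) {
                    httpsExposed = true;
                } else {
                    this.registry.removeAssociation(servicePath, transportPath, ASSOCIATION_EXPOSED_TRANSPORTS);
                }
            }
            if (!httpsExposed) {
                this.registry.addAssociation(servicePath, TRANSPORT_ROOT + "https", ASSOCIATION_EXPOSED_TRANSPORTS);
            }
            this.registry.put(resource.getPath(), resource);
            this.registry.commitTransaction();
        } catch (RegistryException e) {
            this.registry.rollbackTransaction();
            String message = "Error restricting service " + serviceName + " to HTTPS transports in the registry.";
            log.error(message, e);
            throw new AxisFault(message, e);
        }
    }

    /**
     * Registry side of removing an HTTPS-only scenario, done in one transaction: clears the
     * username-token flag, re-exposes all transports on the Axis2 service, marks the resource as
     * exposed on all transports and adds an {@code exposed.transports} association for every
     * non-HTTPS transport.
     * <p>
     * Any failure rolls the transaction back; the original only did so for
     * {@link RegistryException}, leaving the transaction open when the transport update failed.
     */
    private void exposeAllTransportsInRegistry(String serviceName, String servicePath) throws AxisFault {
        try {
            this.registry.beginTransaction();
            Resource resource = this.registry.get(servicePath);
            resource.removeProperty(PROP_UT_ENABLED);
            List<String> allTransports = getAllTransports();
            setServiceTransports(serviceName, allTransports);
            resource.setProperty(PROP_EXPOSED_ALL_TRANSPORTS, Boolean.TRUE.toString());
            for (String transport : allTransports) {
                if (!transport.endsWith(SecurityConstants.HTTPS_TRANSPORT)) {
                    this.registry.addAssociation(servicePath, TRANSPORT_ROOT + transport, ASSOCIATION_EXPOSED_TRANSPORTS);
                }
            }
            this.registry.put(resource.getPath(), resource);
            this.registry.commitTransaction();
        } catch (Exception e) {
            rollbackQuietly(serviceName);
            String message = "Error re-exposing all transports of service " + serviceName + " in the registry.";
            log.error(message, e);
            throw new AxisFault(message, e);
        }
    }

    /** Rolls back the current registry transaction, logging (not propagating) a rollback failure. */
    private void rollbackQuietly(String serviceName) {
        try {
            this.registry.rollbackTransaction();
        } catch (RegistryException rollbackFailure) {
            log.error("Error rolling back the registry transaction for service " + serviceName, rollbackFailure);
        }
    }

    /**
     * Maps a key-store registry path back to the name shown to administrators: the primary store
     * path becomes the configured key store file name, any other path its last segment.
     */
    private static String resolveKeyStoreName(String keyStorePath) throws AxisFault, RegistryException {
        if (PRIMARY_KEY_STORE_PATH.equals(keyStorePath)) {
            String location = ServerConfiguration.getInstance().getFirstProperty(PROP_KEY_STORE_LOCATION);
            return KeyStoreUtil.getKeyStoreFileName(new File(location).getAbsolutePath());
        }
        return lastPathSegment(keyStorePath);
    }

    /** The part of a registry path after its last {@code /} (the whole path when it has none). */
    private static String lastPathSegment(String path) {
        return path.substring(path.lastIndexOf("/") + 1);
    }

    /** Closes a stream, ignoring {@code null} and logging (not propagating) close failures. */
    private static void closeQuietly(InputStream stream) {
        if (stream == null) {
            return;
        }
        try {
            stream.close();
        } catch (IOException ignored) {
            log.debug("Error closing policy content stream", ignored);
        }
    }
}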
