package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.opensaml.common.SAMLVersion;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.class */
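public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implements TokenPolicyValidator {

    /** WSS4J action code for a signed SAML token result (the value of {@code WSConstants.ST_SIGNED}). */
    private static final int ACTION_ST_SIGNED = 16;
    /** WSS4J action code for an unsigned SAML token result (the value of {@code WSConstants.ST_UNSIGNED}). */
    private static final int ACTION_ST_UNSIGNED = 8;

    // Per-invocation state captured by validatePolicy() for the private checks below.
    // NOTE(review): this makes an instance non-reentrant; confirm callers do not share one across threads.
    private Element body;
    private List<WSSecurityEngineResult> signed;

    /**
     * Validates every SAML token assertion in the policy against the SAML tokens the security engine
     * actually processed. Holder-of-key and sender-vouches checks are delegated to
     * {@link #checkHolderOfKey} (inherited) and {@link #checkSenderVouches}.
     *
     * @param assertionInfoMap policy assertions for the message; only {@code SP12Constants.SAML_TOKEN} is inspected
     * @param message the current message, used for inclusion checks and to look up the TLS peer certificates
     * @param element the SOAP body element; remembered so the sender-vouches check can verify it was signed
     * @param list all security engine results for the message
     * @param list2 the signature results for the message; remembered for the sender-vouches check
     * @return {@code true} if every SAML token assertion is satisfied (or none is present), {@code false} on the
     *         first assertion that fails, after marking it not-asserted with a reason
     */
    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator
    public boolean validatePolicy(AssertionInfoMap assertionInfoMap, Message message, Element element,
                                  List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        Collection<AssertionInfo> samlAssertions = assertionInfoMap.get(SP12Constants.SAML_TOKEN);
        if (samlAssertions == null || samlAssertions.isEmpty()) {
            // No SAML token policy to enforce.
            return true;
        }
        this.body = element;
        this.signed = list2;

        // Both signed and unsigned SAML token results count as received tokens.
        List<WSSecurityEngineResult> samlResults = new ArrayList<>();
        WSSecurityUtil.fetchAllActionResults(list, ACTION_ST_SIGNED, samlResults);
        WSSecurityUtil.fetchAllActionResults(list, ACTION_ST_UNSIGNED, samlResults);

        // The TLS peer certificates do not change per assertion, so look them up once.
        TLSSessionInfo tlsSessionInfo = (TLSSessionInfo) message.get(TLSSessionInfo.class);
        Certificate[] peerCertificates = tlsSessionInfo != null ? tlsSessionInfo.getPeerCertificates() : null;

        for (AssertionInfo assertionInfo : samlAssertions) {
            SamlToken samlToken = (SamlToken) assertionInfo.getAssertion();
            // Optimistically asserted; any failing check below flips it and aborts.
            assertionInfo.setAsserted(true);
            if (!isTokenRequired(samlToken, message)) {
                continue;
            }
            if (samlResults.isEmpty()) {
                assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                return false;
            }
            // Every received SAML token must satisfy the policy, not just one of them.
            for (WSSecurityEngineResult samlResult : samlResults) {
                AssertionWrapper assertionWrapper =
                    (AssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                if (!checkVersion(samlToken, assertionWrapper)) {
                    assertionInfo.setNotAsserted("Wrong SAML Version");
                    return false;
                }
                if (!checkHolderOfKey(assertionWrapper, list2, peerCertificates)) {
                    assertionInfo.setNotAsserted("Assertion fails holder-of-key requirements");
                    return false;
                }
                if (!checkSenderVouches(assertionWrapper, peerCertificates)) {
                    assertionInfo.setNotAsserted("Assertion fails sender-vouches requirements");
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks that the received assertion's SAML version matches the version the policy demands.
     * A policy that names no version profile accepts any version.
     *
     * @param samlToken the policy assertion describing the required SAML version profile
     * @param assertionWrapper the received assertion
     * @return {@code false} when the policy requires SAML 1.1 (either profile) or SAML 2.0 and the
     *         received assertion has a different version
     */
    private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
        SAMLVersion receivedVersion = assertionWrapper.getSamlVersion();
        boolean requires11 = samlToken.isUseSamlVersion11Profile10() || samlToken.isUseSamlVersion11Profile11();
        if (requires11 && receivedVersion != SAMLVersion.VERSION_11) {
            return false;
        }
        return !samlToken.isUseSamlVersion20Profile11() || receivedVersion == SAMLVersion.VERSION_20;
    }

    /**
     * Enforces the sender-vouches subject confirmation: an assertion confirmed by sender-vouches is only
     * trusted if a signature covers both the assertion and the SOAP body (see
     * {@link #checkAssertionAndBodyAreSigned}). When the peer authenticated at the TLS layer with a client
     * certificate, that transport-level authentication is accepted instead and no signature is required.
     *
     * @param assertionWrapper the received assertion
     * @param peerCertificates the TLS peer certificate chain, or {@code null}/empty when the client did
     *        not present one
     * @return {@code false} if a sender-vouches confirmation method is present but the assertion and body
     *         are not both signed (or there are no signature results at all)
     */
    private boolean checkSenderVouches(AssertionWrapper assertionWrapper, Certificate[] peerCertificates) {
        if (peerCertificates != null && peerCertificates.length > 0) {
            // Client-authenticated TLS vouches for the sender.
            return true;
        }
        boolean noSignatures = this.signed == null || this.signed.isEmpty();
        for (String confirmationMethod : assertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
                continue;
            }
            if (noSignatures || !checkAssertionAndBodyAreSigned(assertionWrapper)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} if a single signature result protects both the assertion element and the SOAP
     * body. The two flags are reset for every signature result, so an assertion signed by one signature and
     * a body signed by a different one does not satisfy this check. Elements are compared by reference,
     * which assumes the data references and {@link #body} come from the same parsed DOM.
     *
     * @param assertionWrapper the received assertion whose DOM element must be covered
     * @return whether one signature covers both the assertion and the body
     */
    private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) {
        Element assertionElement = assertionWrapper.getElement();
        for (WSSecurityEngineResult signatureResult : this.signed) {
            List<WSDataRef> dataRefs =
                CastUtils.cast((List<?>) signatureResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                continue;
            }
            boolean assertionSigned = false;
            boolean bodySigned = false;
            for (WSDataRef dataRef : dataRefs) {
                Element protectedElement = dataRef.getProtectedElement();
                if (protectedElement == assertionElement) {
                    assertionSigned = true;
                }
                if (protectedElement == this.body) {
                    bodySigned = true;
                }
                if (assertionSigned && bodySigned) {
                    return true;
                }
            }
        }
        return false;
    }
}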
