package weblogic.wsee.jaxws.security;

import com.sun.xml.ws.api.SOAPVersion;
import com.sun.xml.ws.api.message.Message;
import com.sun.xml.ws.api.message.Packet;
import com.sun.xml.ws.api.model.JavaMethod;
import com.sun.xml.ws.api.model.SEIModel;
import com.sun.xml.ws.api.pipe.Fiber;
import com.sun.xml.ws.api.pipe.NextAction;
import com.sun.xml.ws.api.pipe.ServerTubeAssemblerContext;
import com.sun.xml.ws.api.pipe.Tube;
import com.sun.xml.ws.api.pipe.TubeCloner;
import com.sun.xml.ws.api.pipe.helper.AbstractFilterTubeImpl;
import com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl;
import com.sun.xml.ws.api.server.WSEndpoint;
import com.sun.xml.ws.message.saaj.SAAJMessage;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.Provider;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.soap.SOAPFaultException;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AuthorizationManager;
import weblogic.security.service.ContextElement;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.service.WebServiceResource;
import weblogic.security.utils.ResourceIDDContextWrapper;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.jaxrpc.soapfault.SOAPFaultUtil;
import weblogic.wsee.jaxws.framework.jaxrpc.EnvironmentFactory;
import weblogic.wsee.jaxws.framework.jaxrpc.JAXRPCEnvironmentFeature;
import weblogic.wsee.security.configuration.MBeanConstants;
import weblogic.wsee.security.configuration.WssConfigurationException;
import weblogic.wsee.security.policy.WssPolicyContext;
import weblogic.wsee.security.saml.SAMLAttributeStatementData;
import weblogic.wsee.security.saml.SAMLAttributeStatementDataImpl;
import weblogic.wsee.util.AccessException;
import weblogic.wsee.util.ServerSecurityHelper;
import weblogic.xml.crypto.wss.BinarySecurityTokenHandler;
import weblogic.xml.crypto.wss.SignatureInfo;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss.api.BinarySecurityToken;
import weblogic.xml.security.specs.SpecConstants;

/* loaded from: input_file:weblogic/wsee/jaxws/security/AuthorizationTube.class */
public class AuthorizationTube extends AbstractFilterTubeImpl {
    // Kernel identity, obtained once under AccessController.doPrivileged. It is the
    // credential passed to SecurityServiceManager.getCurrentSubject/popSubject/pushSubject
    // in switchSubject and to AuthenticatedSubject.setReadOnly in setSubject.
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final Logger LOGGER = Logger.getLogger(AuthorizationTube.class.getName());
    // Fault codes with local part "Client.Authentication" in the SOAP 1.1 and SOAP 1.2
    // envelope namespaces. The constructor selects one by binding SOAP version and
    // processRequest uses it as the fault code when isAccessAllowed returns false,
    // i.e. an authorization denial is reported under an "Authentication" code.
    private static final QName AUTHENTICATION_FAILURE_11 = new QName("http://schemas.xmlsoap.org/soap/envelope/", "Client.Authentication", SpecConstants.SOAP_ENV_PREFIX);
    private static final QName AUTHENTICATION_FAILURE_12 = new QName("http://www.w3.org/2003/05/soap-envelope", "Client.Authentication", SpecConstants.SOAP_ENV_PREFIX);
    // Packet invocation-property keys. setSubject reads the first two (as string literals
    // with the same values): a message-level AuthenticatedSubject, then a
    // javax.security.auth.Subject used only when the first is absent.
    public static final String WSS_SUBJECT_PROPERTY = "weblogic.wsee.wss.subject";
    public static final String OWSM_SUBJECT_PROPERTY = "weblogic.wsee.owsm.subject";
    // Holds the subject that was current before setSubject swapped it; resetSubject
    // restores it from here and then removes the property.
    public static final String TRANSPORT_SUBJECT_PROPERTY = "weblogic.wsee.subject";
    // Published by processRequest just before the access check: the subject that was
    // evaluated, the resolved WebServiceResource, and the wrapped context handler.
    public static final String CURRENT_SUBJECT = "weblogic.wsee.jaxws.security.subject";
    public static final String RESOURCE = "weblogic.wsee.jaxws.security.resource";
    public static final String CONTEXT_HANDLER = "weblogic.wsee.jaxws.security.contexthandler";
    // Null when the endpoint has no SEI model; processRequest then falls back to providerResource.
    private SEIModel seiModel;
    private SOAPVersion sv;
    // Factory used to build the access-denied SOAPFault.
    private SOAPFactory sf;
    private QName failureQName;
    // One protected resource per SEI method, filled by the primary constructor only.
    private Map<JavaMethod, WebServiceResource> resources;
    // Single resource for Provider.invoke(Object), set only when there is no SEI model.
    private WebServiceResource providerResource;
    // Authorization manager for the endpoint's security realm; makes the allow/deny decision.
    private AuthorizationManager am;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/wsee/jaxws/security/AuthorizationTube$RunAsWrapperTube.class */
    /**
     * Tube decorator that runs the wrapped tube's request and response processing
     * inside {@link Subject#doAs} for a fixed subject.
     *
     * <p>The decompiler reports that the original access modifier of this class was
     * private. Neither constructor validates {@code subject}; both processing methods
     * dereference it, so a null subject fails with a NullPointerException.
     */
    public static class RunAsWrapperTube extends AbstractTubeImpl {
        /** Identity under which the wrapped tube is invoked. */
        private AuthenticatedSubject subject;
        /** Tube whose processing is executed under {@link #subject}. */
        private Tube inner;

        /**
         * @param authenticatedSubject identity to run the wrapped tube as
         * @param tube tube to wrap
         */
        public RunAsWrapperTube(AuthenticatedSubject authenticatedSubject, Tube tube) {
            this.inner = tube;
            this.subject = authenticatedSubject;
        }

        /**
         * Copy constructor: keeps the same subject reference and copies the wrapped
         * tube through the cloner.
         */
        public RunAsWrapperTube(RunAsWrapperTube runAsWrapperTube, TubeCloner tubeCloner) {
            super(runAsWrapperTube, tubeCloner);
            this.subject = runAsWrapperTube.subject;
            this.inner = tubeCloner.copy(runAsWrapperTube.inner);
        }

        /** Decompiler-renamed {@code copy}: returns a clone built with the copy constructor. */
        public RunAsWrapperTube m514copy(TubeCloner tubeCloner) {
            RunAsWrapperTube duplicate = new RunAsWrapperTube(this, tubeCloner);
            return duplicate;
        }

        /** Nothing to release. */
        public void preDestroy() {
        }

        /** Rethrows the failure through the pipeline unchanged. */
        public NextAction processException(Throwable th) {
            return doThrow(th);
        }

        /**
         * Runs the wrapped tube's {@code processRequest} as the stored subject. When the
         * resulting action names a next tube, that tube is wrapped as well, so the
         * continuation is also invoked through {@code Subject.doAs} for the same subject.
         */
        public NextAction processRequest(final Packet packet) {
            final Tube delegate = this.inner;
            final AuthenticatedSubject runAs = this.subject;
            PrivilegedAction<NextAction> work = new PrivilegedAction<NextAction>() {
                @Override
                public NextAction run() {
                    NextAction outcome = delegate.processRequest(packet);
                    Tube following = outcome.getNext();
                    if (following != null) {
                        outcome.setNext(new RunAsWrapperTube(runAs, following));
                    }
                    return outcome;
                }
            };
            return (NextAction) Subject.doAs(runAs.getSubject(), work);
        }

        /** Runs the wrapped tube's {@code processResponse} as the stored subject. */
        public NextAction processResponse(final Packet packet) {
            final Tube delegate = this.inner;
            PrivilegedAction<NextAction> work = new PrivilegedAction<NextAction>() {
                @Override
                public NextAction run() {
                    return delegate.processResponse(packet);
                }
            };
            return (NextAction) Subject.doAs(this.subject.getSubject(), work);
        }
    }

    /* loaded from: input_file:weblogic/wsee/jaxws/security/AuthorizationTube$WebServiceContextHandler.class */
    private static class WebServiceContextHandler implements ContextHandler {
        // Attribute name -> value pairs exposed to the authorization manager. Filled only by
        // the constructor: "Integrity{...}" entries, the SAML attribute statement, and the
        // SAML name/value pairs all share this one key space.
        private Map<String, Object> map = new HashMap();

        /**
         * Collects authorization context attributes from the packet's invocation properties.
         *
         * <p>Nothing is added when the packet carries no WSSecurityContext. Otherwise two
         * independent sources are read: X.509 signing tokens (only when the WSS
         * configuration enables signature ACLs) and SAML attribute statement data.
         *
         * @param packet request packet whose invocation properties and message are inspected
         * @throws WebServiceException wrapping WssConfigurationException or WSSecurityException
         */
        public WebServiceContextHandler(Packet packet) {
            WSSecurityContext wSSecurityContext = (WSSecurityContext) packet.invocationProperties.get(WSSecurityContext.WS_SECURITY_CONTEXT);
            if (wSSecurityContext != null) {
                WssPolicyContext wssPolicyContext = (WssPolicyContext) packet.invocationProperties.get(WssPolicyContext.WSS_POLICY_CTX_PROP);
                if (wssPolicyContext != null && wssPolicyContext.getWssConfiguration().isSignatureACLEnabled()) {
                    try {
                        BinarySecurityTokenHandler binarySecurityTokenHandler = (BinarySecurityTokenHandler) wssPolicyContext.getWssConfiguration().getTokenHandler(MBeanConstants.X509_TYPE, MBeanConstants.X509_TOKEN_HANDLER_CLASS);
                        List<BinarySecurityToken> securityTokens = wSSecurityContext.getSecurityTokens(WSSConstants.VALUE_TYPE_X509V3);
                        // NOTE(review): addAll mutates the list returned by getSecurityTokens; if that
                        // is the context's own list rather than a copy, the V1 tokens end up in its
                        // V3 list as a side effect - confirm.
                        securityTokens.addAll(wSSecurityContext.getSecurityTokens(WSSConstants.VALUE_TYPE_X509V1));
                        for (BinarySecurityToken binarySecurityToken : securityTokens) {
                            // Take the first signature of this token that resolves to a node in the message.
                            Node node = null;
                            Iterator it = wSSecurityContext.getSignatures(binarySecurityToken).iterator();
                            while (it.hasNext()) {
                                node = getSignatureNode((SignatureInfo) it.next(), packet);
                                if (node != null) {
                                    break;
                                }
                            }
                            if (node != null) {
                                // Key is "Integrity{{namespace}localName}" of the signed node; value is the
                                // subject the token handler derives from the token. Two tokens whose first
                                // signed node has the same qualified name map to the same key, so the later
                                // one replaces the earlier.
                                this.map.put("Integrity{" + ("{" + node.getNamespaceURI() + "}" + node.getLocalName()) + "}", binarySecurityTokenHandler.getSubject(binarySecurityToken, wSSecurityContext));
                            }
                        }
                    } catch (WssConfigurationException e) {
                        throw new WebServiceException(e);
                    } catch (WSSecurityException e2) {
                        throw new WebServiceException(e2);
                    }
                }
                SAMLAttributeStatementData sAMLAttributeStatementData = (SAMLAttributeStatementData) wSSecurityContext.getMessageContext().getProperty(WLStub.SAML_ATTRIBUTES);
                if (null != sAMLAttributeStatementData) {
                    this.map.put(WLStub.SAML_ATTRIBUTES, sAMLAttributeStatementData);
                    if (AuthorizationTube.LOGGER.isLoggable(Level.FINER)) {
                        AuthorizationTube.LOGGER.finer("Save SAMLAttributeStatementData object with size =" + sAMLAttributeStatementData.size());
                    }
                    if (sAMLAttributeStatementData.isEmpty()) {
                        return;
                    }
                    // The cast throws ClassCastException for any other SAMLAttributeStatementData
                    // implementation. putAll writes into the same map as the entries above, so a
                    // pair whose name equals an existing key replaces that entry.
                    // NOTE(review): confirm the names produced by getNameValuePair() cannot
                    // collide with the "Integrity{...}" keys or with WLStub.SAML_ATTRIBUTES.
                    this.map.putAll(((SAMLAttributeStatementDataImpl) sAMLAttributeStatementData).getNameValuePair());
                    if (AuthorizationTube.LOGGER.isLoggable(Level.FINER)) {
                        // Writes the attribute statement's toString() to the log at FINER, so logs at
                        // that level can contain identity attributes.
                        AuthorizationTube.LOGGER.finer("Added SAML Attributes to the map for XACML" + sAMLAttributeStatementData.toString());
                    }
                }
            }
        }

        /**
         * Locates a node of the request message that the given signature covers.
         *
         * <p>Only messages that are {@code SAAJMessage} instances are searched; for any
         * other message type the result is {@code null}, which means no "Integrity"
         * attribute is recorded for that signature. The SOAP body is searched first and
         * the SOAP header only when the body yields nothing.
         *
         * @return the first covered node, or {@code null} when none is found
         * @throws WebServiceException wrapping a SOAPException raised while reading the message
         */
        private static Node getSignatureNode(SignatureInfo signatureInfo, Packet packet) {
            Message payload = packet.getMessage();
            if (!(payload instanceof SAAJMessage)) {
                return null;
            }
            try {
                SOAPMessage soap = payload.readAsSOAPMessage();
                Node inBody = getFirstSigNode(signatureInfo, soap.getSOAPBody());
                if (inBody != null) {
                    return inBody;
                }
                return getFirstSigNode(signatureInfo, soap.getSOAPHeader());
            } catch (SOAPException e) {
                throw new WebServiceException(e);
            }
        }

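        /**
         * Returns the first node in the subtree rooted at {@code node}, visiting nodes in
         * document (pre-order) order, for which {@code signatureInfo.containsNode} is true.
         *
         * <p>The walk is iterative, using first-child / next-sibling / parent links, so its
         * depth is not bounded by the thread stack. The subtree comes from the body or
         * header of the request message (see getSignatureNode), so its nesting depth is
         * chosen by the sender.
         *
         * @param signatureInfo signature whose covered nodes are tested
         * @param node root of the subtree to search; may be {@code null}
         * @return the first covered node, or {@code null} when there is none or
         *         {@code node} is {@code null}
         */
        private static Node getFirstSigNode(SignatureInfo signatureInfo, Node node) {
            if (node == null) {
                // Callers pass the result of a header/body lookup, which may be absent.
                return null;
            }
            Node cursor = node;
            while (cursor != null) {
                if (signatureInfo.containsNode(cursor)) {
                    return cursor;
                }
                // Descend first; when there is no child, move to the next sibling, climbing
                // towards the root until one exists. Never step outside the starting subtree.
                Node following = cursor.getFirstChild();
                while (following == null && !cursor.isSameNode(node)) {
                    following = cursor.getNextSibling();
                    if (following == null) {
                        cursor = cursor.getParentNode();
                        if (cursor == null) {
                            // Detached from the starting root; nothing left to visit.
                            return null;
                        }
                    }
                }
                cursor = following;
            }
            return null;
        }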

        /** Returns the names of all collected context attributes, in map iteration order. */
        public String[] getNames() {
            String[] names = new String[this.map.size()];
            int slot = 0;
            for (String key : this.map.keySet()) {
                names[slot] = key;
                slot++;
            }
            return names;
        }

        /**
         * Looks up one context attribute.
         *
         * @param str attribute name
         * @return the stored value, or {@code null} when the name is not present
         */
        public Object getValue(String str) {
            Object value = this.map.get(str);
            return value;
        }

        /**
         * Returns every collected attribute as a {@code ContextElement}.
         *
         * <p>NOTE(review): {@code strArr} is never consulted - all stored entries are
         * returned regardless of which names were requested. Confirm that callers do not
         * rely on the result being limited to the requested names.
         *
         * @param strArr requested names (ignored)
         * @return one element per stored attribute, in map iteration order
         */
        public ContextElement[] getValues(String[] strArr) {
            ContextElement[] elements = new ContextElement[this.map.size()];
            int slot = 0;
            for (Map.Entry<String, Object> attribute : this.map.entrySet()) {
                elements[slot] = new ContextElement(attribute.getKey(), attribute.getValue());
                slot++;
            }
            return elements;
        }

        /** Returns the number of collected context attributes. */
        public int size() {
            int count = this.map.size();
            return count;
        }
    }

    /**
     * Builds the tube for an endpoint and precomputes the protected resources.
     *
     * <p>With an SEI model, one {@code WebServiceResource} is registered per Java method,
     * identified by application, context path, the local part of the WSDL model's name
     * (or {@code null} without a WSDL model), the method name and the canonical names of
     * its parameter types. Without an SEI model a single resource describing
     * {@code Provider.invoke(Object)} is used for every request.
     *
     * <p>The authorization manager is taken from the realm named by the environment
     * factory, falling back to the context-sensitive realm when none is configured.
     *
     * @param serverTubeAssemblerContext assembler context of the endpoint
     * @param tube next tube in the pipeline
     */
    public AuthorizationTube(ServerTubeAssemblerContext serverTubeAssemblerContext, Tube tube) {
        super(tube);
        this.resources = new HashMap();
        this.providerResource = null;
        EnvironmentFactory env = JAXRPCEnvironmentFeature.getFactory((WSEndpoint<?>) serverTubeAssemblerContext.getEndpoint());
        String appName = env.getApplication();
        String ctxPath = env.getContextPath();
        String realmName = env.getSecurityRealmName();
        if (realmName == null) {
            realmName = SecurityServiceManager.getContextSensitiveRealmName();
        }
        String wsdlLocalName = null;
        if (serverTubeAssemblerContext.getWsdlModel() != null) {
            wsdlLocalName = serverTubeAssemblerContext.getWsdlModel().getName().getLocalPart();
        }
        this.seiModel = serverTubeAssemblerContext.getSEIModel();
        if (this.seiModel == null) {
            // Provider-style endpoint: every request is authorized against invoke(Object).
            try {
                Method invoke = Provider.class.getMethod("invoke", Object.class);
                Class<?>[] invokeParams = invoke.getParameterTypes();
                String[] invokeParamNames = new String[invokeParams.length];
                int slot = 0;
                for (Class<?> type : invokeParams) {
                    invokeParamNames[slot] = type.getCanonicalName();
                    slot++;
                }
                this.providerResource = new WebServiceResource(appName, ctxPath, wsdlLocalName, invoke.getName(), invokeParamNames);
            } catch (NoSuchMethodException e) {
                throw new RuntimeException(e);
            }
        } else {
            for (JavaMethod operation : this.seiModel.getJavaMethods()) {
                Method target = operation.getMethod();
                String targetName = target.getName();
                Class<?>[] targetParams = target.getParameterTypes();
                String[] targetParamNames = new String[targetParams.length];
                int slot = 0;
                for (Class<?> type : targetParams) {
                    targetParamNames[slot] = type.getCanonicalName();
                    slot++;
                }
                this.resources.put(operation, new WebServiceResource(appName, ctxPath, wsdlLocalName, targetName, targetParamNames));
            }
        }
        this.am = ServerSecurityHelper.getAuthManager(realmName);
        this.sv = serverTubeAssemblerContext.getEndpoint().getBinding().getSOAPVersion();
        this.sf = this.sv.getSOAPFactory();
        if (this.sv.equals(SOAPVersion.SOAP_11)) {
            this.failureQName = AUTHENTICATION_FAILURE_11;
        } else {
            this.failureQName = AUTHENTICATION_FAILURE_12;
        }
    }

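    /**
     * Copy constructor used when the pipeline is cloned.
     *
     * <p>All state is shared by reference with the source tube, including the
     * {@code resources} map and the {@code SOAPFactory}. In this class the map is only
     * written by the primary constructor, so copies read it without modifying it.
     * NOTE(review): confirm the SOAPFactory implementation tolerates concurrent
     * {@code createFault} calls from several copies.
     *
     * @param authorizationTube tube to copy from
     * @param tubeCloner cloner driving the copy
     */
    protected AuthorizationTube(AuthorizationTube authorizationTube, TubeCloner tubeCloner) {
        super(authorizationTube, tubeCloner);
        // The decompiled version first assigned a fresh HashMap and null here and then
        // overwrote both below; those dead stores are dropped.
        this.seiModel = authorizationTube.seiModel;
        this.sv = authorizationTube.sv;
        this.sf = authorizationTube.sf;
        this.failureQName = authorizationTube.failureQName;
        this.resources = authorizationTube.resources;
        this.providerResource = authorizationTube.providerResource;
        this.am = authorizationTube.am;
    }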

    /* renamed from: copy, reason: merged with bridge method [inline-methods] */
    /** Decompiler-renamed {@code copy}: returns a clone built with the copy constructor. */
    public AbstractTubeImpl m512copy(TubeCloner tubeCloner) {
        AuthorizationTube duplicate = new AuthorizationTube(this, tubeCloner);
        return duplicate;
    }

    /**
     * Authorizes the request against the resource for the invoked operation and, when
     * allowed, passes it to the next tube.
     *
     * <p>Order matters: the message-level subject (if any) is installed first, so the
     * subject that is checked is the one read afterwards from ServerSecurityHelper.
     *
     * @param packet request packet
     * @return the action that invokes the next tube
     * @throws SOAPFaultException when the authorization manager denies access
     * @throws WebServiceException when the fault cannot be built, or when building the
     *         context handler fails
     */
    public NextAction processRequest(Packet packet) {
        JavaMethod method;
        // Installs the WSS/OWSM subject when the packet carries one; the return value is
        // non-null only for an OWSM-derived subject.
        AuthenticatedSubject subject = setSubject(packet);
        WebServiceResource webServiceResource = null;
        String str = null;
        if (this.seiModel != null) {
            Message message = packet.getMessage();
            if (message != null && (method = message.getMethod(this.seiModel)) != null) {
                webServiceResource = this.resources.get(method);
                str = method.getOperationName();
            }
        } else {
            webServiceResource = this.providerResource;
        }
        // NOTE(review): with an SEI model, a null message, an operation that getMethod cannot
        // resolve, or a method missing from the resources map all leave webServiceResource
        // null. The block below is then skipped, isAccessAllowed is never called, and the
        // packet still goes to the next tube. Confirm that such requests are rejected
        // downstream, since this tube does not deny them.
        if (webServiceResource != null) {
            AuthenticatedSubject currentSubject = ServerSecurityHelper.getCurrentSubject();
            // Reads X.509 signature and SAML attribute data from the packet; may throw
            // WebServiceException before any access decision is made.
            WebServiceContextHandler webServiceContextHandler = new WebServiceContextHandler(packet);
            packet.invocationProperties.put(CURRENT_SUBJECT, currentSubject);
            packet.invocationProperties.put(RESOURCE, webServiceResource);
            ResourceIDDContextWrapper resourceIDDContextWrapper = new ResourceIDDContextWrapper(webServiceContextHandler);
            packet.invocationProperties.put(CONTEXT_HANDLER, resourceIDDContextWrapper);
            if (!this.am.isAccessAllowed(currentSubject, webServiceResource, resourceIDDContextWrapper)) {
                // Denials are logged only at FINER, with the subject and the resource.
                if (LOGGER.isLoggable(Level.FINER)) {
                    LOGGER.finer("** Access denied for subject " + currentSubject + " to resource " + webServiceResource);
                }
                // NOTE(review): the fault is thrown after setSubject may already have swapped the
                // current subject, and this method does not call resetSubject itself. Confirm the
                // pipeline delivers this exception to processException of this tube (which calls
                // resetSubject); otherwise the swapped subject is left in place.
                try {
                    // str is only set on the SEI path, so for a provider endpoint the text reads
                    // "Access denied to operation null".
                    String str2 = "Access denied to operation " + str;
                    SOAPFault createFault = this.sf.createFault();
                    createFault.setFaultCode(this.failureQName);
                    createFault.setFaultString(str2);
                    SOAPFaultUtil.fillDetail(new AccessException(str2), createFault.addDetail(), this.sv.equals(SOAPVersion.SOAP_12));
                    throw new SOAPFaultException(createFault);
                } catch (SOAPException e) {
                    throw new WebServiceException(e);
                }
            }
            if (LOGGER.isLoggable(Level.FINER)) {
                LOGGER.finer("** Access granted for subject " + currentSubject + " to resource " + webServiceResource);
            }
        }
        // For an OWSM-derived subject the rest of the pipeline is additionally run through
        // Subject.doAs via RunAsWrapperTube; otherwise the next tube is invoked directly.
        return doInvoke(subject != null ? new RunAsWrapperTube(subject, this.next) : this.next, packet);
    }

    /**
     * Restores the subject saved by {@code setSubject} for the current fiber's packet,
     * when there is one, and then delegates to the superclass.
     *
     * @param th failure travelling back through the pipeline
     */
    public NextAction processException(Throwable th) {
        Packet inFlight = Fiber.current().getPacket();
        if (inFlight == null) {
            return super.processException(th);
        }
        resetSubject(inFlight);
        return super.processException(th);
    }

    /**
     * Restores the subject saved by {@code setSubject} before the response continues
     * up the pipeline.
     *
     * @param packet response packet; carries the saved subject as an invocation property
     */
    public NextAction processResponse(Packet packet) {
        resetSubject(packet);
        NextAction outcome = super.processResponse(packet);
        return outcome;
    }

    /**
     * Installs the message-level subject found on the packet as the current subject and
     * remembers the one it replaces.
     *
     * <p>The subject is taken as-is from the packet's invocation properties: first
     * "weblogic.wsee.wss.subject", then "weblogic.wsee.owsm.subject". No validation is
     * done here, so this relies on those properties being set only by trusted code
     * earlier in the pipeline - presumably the WS-Security/OWSM processing; confirm.
     *
     * @param packet request packet
     * @return the subject derived from the OWSM property, or {@code null} when the WSS
     *         subject was used or no subject was present
     */
    protected static AuthenticatedSubject setSubject(Packet packet) {
        Subject subject;
        AuthenticatedSubject authenticatedSubject = null;
        AuthenticatedSubject authenticatedSubject2 = (AuthenticatedSubject) packet.invocationProperties.get("weblogic.wsee.wss.subject");
        // The OWSM subject is consulted only when no WSS subject is present.
        if (authenticatedSubject2 == null && (subject = (Subject) packet.invocationProperties.get("weblogic.wsee.owsm.subject")) != null) {
            authenticatedSubject2 = AuthenticatedSubject.getFromSubject(subject);
            // Marked read-only under the kernel identity before it is installed.
            authenticatedSubject2.setReadOnly(kernelId);
            authenticatedSubject = authenticatedSubject2;
        }
        if (authenticatedSubject2 != null) {
            // switchSubject returns the subject that was current before the swap; it is kept
            // on the packet so resetSubject can restore it.
            packet.invocationProperties.put("weblogic.wsee.subject", switchSubject(authenticatedSubject2));
        }
        return authenticatedSubject;
    }

    /**
     * Restores the subject that {@code setSubject} saved on the packet and clears the
     * saved value. Does nothing when no subject was saved, so a second call for the
     * same packet has no further effect.
     *
     * @param packet packet carrying the saved subject under "weblogic.wsee.subject"
     */
    protected static void resetSubject(Packet packet) {
        AuthenticatedSubject saved = (AuthenticatedSubject) packet.invocationProperties.get("weblogic.wsee.subject");
        if (saved == null) {
            return;
        }
        switchSubject(saved);
        packet.invocationProperties.remove("weblogic.wsee.subject");
    }

    /**
     * Replaces the current subject with {@code authenticatedSubject} and returns the one
     * that was current before.
     *
     * <p>The previous subject is read first, then popped, then the new one is pushed, so
     * the new subject takes the place of the old one instead of being stacked on top of
     * it. All three calls are made with the kernel identity.
     *
     * @param authenticatedSubject subject to install
     * @return the subject that was current before the swap
     */
    private static AuthenticatedSubject switchSubject(AuthenticatedSubject authenticatedSubject) {
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(kernelId);
        SecurityServiceManager.popSubject(kernelId);
        SecurityServiceManager.pushSubject(kernelId, authenticatedSubject);
        return currentSubject;
    }
}
