package weblogic.wsee.security.policy.assertions;

import java.util.Iterator;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import weblogic.kernel.KernelStatus;
import weblogic.wsee.policy.framework.DOMUtils;
import weblogic.wsee.policy.framework.PolicyAlternative;
import weblogic.wsee.policy.framework.PolicyException;
import weblogic.wsee.policy.framework.PolicyStatement;
import weblogic.wsee.policy.provider.PolicyValidationHandler;
import weblogic.wsee.security.policy.assertions.xbeans.SecurityTokenType;
import weblogic.wsee.security.policy.assertions.xbeans.SupportedTokensType;
import weblogic.wsee.security.saml.SAMLConstants;
import weblogic.xml.crypto.wss.SecurityUtils;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.policy.ClaimsBuilder;

/* loaded from: input_file:weblogic/wsee/security/policy/assertions/SecurityPolicyDeploymentValidationHandler.class */
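/**
 * Deployment-time validation of the WS-Security policy assertions attached to a web service.
 *
 * <p>The handler walks the normalized policy alternative and rejects token configurations the
 * runtime cannot honour:
 * <ul>
 *   <li>Every SAML token listed under an Identity or Integrity assertion must carry a
 *       {@code ConfirmationMethod} claim of {@code holder-of-key} or {@code sender-vouches};
 *       a missing claim or any other value (e.g. {@code bearer}) is rejected.</li>
 *   <li>Every UsernameToken listed under an Identity assertion that has a {@code UsePassword}
 *       element must name a password {@code Type}; {@code PasswordDigest} is only accepted when
 *       the server reports digest support. This check runs only inside a server JVM
 *       ({@link KernelStatus#isServer()}) because it consults server configuration.</li>
 *   <li>A listed SecurityToken with no {@code TokenType} cannot be matched against any profile
 *       and is rejected instead of being allowed to fail with a {@link NullPointerException}.</li>
 * </ul>
 * Problems are reported by throwing {@link PolicyException}; {@link #validate} itself always
 * returns {@code true} when it returns at all.
 */
public class SecurityPolicyDeploymentValidationHandler implements PolicyValidationHandler {

    /** TokenType URI of a SAML assertion referenced by AssertionID (WSS SAML Token Profile 1.0). */
    private static final String SAML_ASSERTION_ID_TOKEN_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";

    /** Namespace of the WebLogic-specific {@code UsePassword} policy element. */
    private static final String WLS_SECURITY_POLICY_NS = "http://www.bea.com/wls90/security/policy";

    /** Accepted SAML subject confirmation methods; anything else fails validation. */
    private static final String CONFIRMATION_HOLDER_OF_KEY = "holder-of-key";
    private static final String CONFIRMATION_SENDER_VOUCHES = "sender-vouches";

    private static final SecurityTokenType[] NO_TOKENS = new SecurityTokenType[0];

    /**
     * Validates the security assertions of {@code policyStatement}.
     *
     * @param policyName      name of the policy; used as the prefix of error messages
     * @param policyStatement the policy to validate; it is normalized before inspection
     * @return always {@code true}; failures are signalled by throwing
     * @throws PolicyException if a SAML or UsernameToken configuration is invalid
     */
    @Override
    public boolean validate(String policyName, PolicyStatement policyStatement) throws PolicyException {
        PolicyAlternative alternative = policyStatement.normalize().getPolicyAlternative();
        // An absent or empty alternative carries no tokens, so there is nothing to reject.
        if (alternative == null || alternative.isEmpty()) {
            return true;
        }
        validateIdentityAssertion(policyName, alternative);
        validateIntegrityAssertion(policyName, alternative);
        return true;
    }

    /**
     * Checks the SupportedTokens of every Integrity assertion. Only SAML tokens are
     * inspected here; UsernameTokens are not a signing token and are left alone.
     */
    private void validateIntegrityAssertion(String policyName, PolicyAlternative alternative) throws PolicyException {
        Iterator it = alternative.getAssertions(IntegrityAssertion.class).iterator();
        while (it.hasNext()) {
            SupportedTokensType supported =
                    ((IntegrityAssertion) it.next()).getXbean().getIntegrity().getSupportedTokens();
            for (SecurityTokenType token : tokensOf(supported)) {
                if (SAML_ASSERTION_ID_TOKEN_TYPE.equals(requireTokenType(policyName, token))) {
                    validateSAMLTokenType(token);
                }
            }
        }
    }

    /**
     * Checks the SupportedTokens of every Identity assertion: SAML tokens for their
     * confirmation method, UsernameTokens for their password type.
     */
    private void validateIdentityAssertion(String policyName, PolicyAlternative alternative) throws PolicyException {
        Iterator it = alternative.getAssertions(IdentityAssertion.class).iterator();
        while (it.hasNext()) {
            SupportedTokensType supported =
                    ((IdentityAssertion) it.next()).getXbean().getIdentity().getSupportedTokens();
            for (SecurityTokenType token : tokensOf(supported)) {
                String tokenType = requireTokenType(policyName, token);
                if (SAML_ASSERTION_ID_TOKEN_TYPE.equals(tokenType)) {
                    validateSAMLTokenType(token);
                } else if (WSSConstants.VALUE_TYPE_UNT.equals(tokenType)) {
                    validateUsernameTokenType(policyName, token);
                }
            }
        }
    }

    /** Returns the SecurityToken entries of {@code supported}, or an empty array when there are none. */
    private static SecurityTokenType[] tokensOf(SupportedTokensType supported) {
        if (supported == null) {
            return NO_TOKENS;
        }
        SecurityTokenType[] tokens = supported.getSecurityTokenArray();
        return tokens == null ? NO_TOKENS : tokens;
    }

    /**
     * Returns the token's {@code TokenType} URI.
     *
     * @throws PolicyException if the token declares no type; such a token cannot be matched
     *                         against any profile, so the policy is rejected rather than the
     *                         token being silently skipped
     */
    private static String requireTokenType(String policyName, SecurityTokenType token) throws PolicyException {
        String tokenType = token.getTokenType();
        if (tokenType == null) {
            throw new PolicyException(
                    policyName + " is not valid: 'TokenType' attribute of 'SecurityToken' is not specified.");
        }
        return tokenType;
    }

    /**
     * Validates the {@code UsePassword} configuration of a UsernameToken.
     *
     * <p>Runs only in a server JVM: the digest check consults the server's own configuration
     * ({@link SecurityUtils#isPasswordDigestSupported()}), which a client cannot evaluate.
     * {@code UsePassword} is optional; when present (only the first occurrence is inspected)
     * it must carry a {@code Type} attribute, and {@code PasswordDigest} is only accepted when
     * the server supports it - otherwise the policy has to ask for {@code PasswordText}.
     *
     * @throws PolicyException if the token has no content, {@code Type} is missing or empty,
     *                         or digest is requested on a server that does not support it
     */
    private static void validateUsernameTokenType(String policyName, SecurityTokenType token) throws PolicyException {
        if (!KernelStatus.isServer()) {
            return;
        }
        Element tokenElement = (Element) token.newDomNode().getFirstChild();
        if (tokenElement == null) {
            throw new PolicyException(policyName + " is not valid: UsernameToken has no content.");
        }
        NodeList usePassword = tokenElement.getElementsByTagNameNS(
                WLS_SECURITY_POLICY_NS, WSSConstants.POLICY_USE_PASSWD_QNAME.getLocalPart());
        if (usePassword == null || usePassword.getLength() == 0) {
            return;
        }
        String passwordType = DOMUtils.getAttributeValueAsString((Element) usePassword.item(0), WSSConstants.TYPE_QNAME);
        if (passwordType == null || passwordType.length() == 0) {
            throw new PolicyException(policyName + " is not valid: 'Type' attribute of 'UsePassword' is not specified.");
        }
        if (WSSConstants.PASSWORD_TYPE_DIGEST.equals(passwordType) && !SecurityUtils.isPasswordDigestSupported()) {
            throw new PolicyException(policyName
                    + " is not valid:  server is not configured to support Password Digest. Specify 'PasswordText' instead.");
        }
    }

    /**
     * Validates the subject confirmation method claimed by a SAML token.
     *
     * <p>The token element must exist and carry a {@code ConfirmationMethod} claim whose value
     * is {@code holder-of-key} or {@code sender-vouches}; any other value (bearer included) is
     * rejected so that only confirmation methods the runtime enforces can be deployed.
     *
     * @throws PolicyException if the token has no content, the claim is missing, or its value
     *                         is not one of the two accepted methods
     */
    private static void validateSAMLTokenType(SecurityTokenType token) throws PolicyException {
        Element tokenElement = (Element) token.newDomNode().getFirstChild();
        if (tokenElement == null) {
            throw new PolicyException("Claims of SAML token must not be null");
        }
        String confirmationMethod = ClaimsBuilder.getClaimFromElt(tokenElement, SAMLConstants.CONFIRMATION_METHOD_QNAME);
        if (confirmationMethod == null) {
            throw new PolicyException("ConfirmationMethod of saml token is not specified.");
        }
        boolean accepted = CONFIRMATION_HOLDER_OF_KEY.equals(confirmationMethod)
                || CONFIRMATION_SENDER_VOUCHES.equals(confirmationMethod);
        if (!accepted) {
            throw new PolicyException(confirmationMethod + " is not a valid subject confirmation method");
        }
    }
}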
