package weblogic.wsee.security.wss;

import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.xml.rpc.handler.soap.SOAPMessageContext;
import weblogic.wsee.policy.framework.PolicyAlternative;
import weblogic.wsee.policy.framework.PolicyException;
import weblogic.wsee.security.configuration.TimestampConfiguration;
import weblogic.wsee.security.policy.EncryptionPolicy;
import weblogic.wsee.security.policy.EncryptionTarget;
import weblogic.wsee.security.policy.IdentityPolicy;
import weblogic.wsee.security.policy.SecurityToken;
import weblogic.wsee.security.policy.SigningPolicy;
import weblogic.wsee.security.policy.SigningReferencesFactory;
import weblogic.wsee.security.policy.TimestampPolicy;
import weblogic.wsee.security.policy.assertions.ConfidentialityAssertion;
import weblogic.wsee.security.policy.assertions.IdentityAssertion;
import weblogic.wsee.security.policy.assertions.IntegrityAssertion;
import weblogic.wsee.security.policy.assertions.MessageAgeAssertion;
import weblogic.wsee.security.policy.assertions.SecurityPolicyAssertionFactory;
import weblogic.xml.crypto.api.MarshalException;
import weblogic.xml.crypto.dsig.api.SignedInfo;
import weblogic.xml.crypto.dsig.api.XMLSignatureFactory;
import weblogic.xml.crypto.encrypt.api.EncryptionMethod;
import weblogic.xml.crypto.encrypt.api.XMLEncryptionException;
import weblogic.xml.crypto.encrypt.api.XMLEncryptionFactory;
import weblogic.xml.crypto.utils.LogUtils;
import weblogic.xml.crypto.wss.SecurityImpl;
import weblogic.xml.crypto.wss.SecurityTokenContextHandler;
import weblogic.xml.crypto.wss.SecurityValidator;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.WSSecurityException;

/* loaded from: input_file:weblogic/wsee/security/wss/SecurityPolicyValidator.class */
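/**
 * Enforces the security assertions of one {@link PolicyAlternative} against an inbound SOAP
 * message that a {@link SecurityValidator} has already parsed.
 *
 * <p>Every check is fail-closed: a policy requirement that the message does not satisfy results in
 * a thrown exception, never a boolean result. The checks run in a fixed order (confidentiality,
 * integrity, identity, message age); that order is preserved from the original implementation.
 *
 * <p>Not thread-safe beyond the thread-safety of the wrapped {@link SecurityValidator}.
 */
public class SecurityPolicyValidator {
    /** Mirrors {@link SecurityImpl#VERBOSE}; not consulted by this class. */
    private static final boolean VERBOSE = SecurityImpl.VERBOSE;

    /** Performs the actual timestamp, token, signature and decryption checks. */
    private final SecurityValidator svalidator;

    /** Retained for the two-argument constructor; not read by this class. */
    private final TimestampConfiguration timestampConfig;

    /**
     * Creates a validator with no timestamp configuration.
     *
     * @param securityValidator the validator that performs all message-level checks
     * @throws NullPointerException if {@code securityValidator} is {@code null}
     */
    public SecurityPolicyValidator(SecurityValidator securityValidator) {
        this(securityValidator, null);
    }

    /**
     * Creates a validator that also retains a timestamp configuration.
     *
     * @param securityValidator the validator that performs all message-level checks
     * @param timestampConfiguration retained but not currently used by this class; may be {@code null}
     * @throws NullPointerException if {@code securityValidator} is {@code null}
     */
    public SecurityPolicyValidator(SecurityValidator securityValidator, TimestampConfiguration timestampConfiguration) {
        // Fail fast: every check below dereferences the validator, so a null one can only produce a
        // late and misleading NullPointerException.
        this.svalidator = Objects.requireNonNull(securityValidator, "securityValidator");
        this.timestampConfig = timestampConfiguration;
    }

    /**
     * Validates the inbound message against every security assertion of the alternative.
     *
     * @param policyAlternative the policy alternative the message must satisfy
     * @param sOAPMessageContext the message context the signing and encryption policies inspect
     * @throws WSSecurityException if the message lacks a Security header that the policy requires,
     *     or if a timestamp, token, signature or encryption check fails
     * @throws PolicyException if the alternative is malformed (for example, more than one MessageAge)
     * @throws SecurityPolicyException propagated from integrity processing
     * @throws MarshalException declared for callers; not thrown directly by this class
     * @throws XMLEncryptionException propagated from confidentiality processing
     */
    public void processInbound(PolicyAlternative policyAlternative, SOAPMessageContext sOAPMessageContext) throws PolicyException, WSSecurityException, SecurityPolicyException, MarshalException, XMLEncryptionException {
        // A policy that demands any security assertion cannot be satisfied by a message with no
        // Security header at all; reject before looking at individual assertions.
        if (!this.svalidator.hasSecurity() && SecurityPolicyAssertionFactory.hasSecurityPolicy(policyAlternative)) {
            throw new WSSecurityException("No Security header in message but required by policy.");
        }
        processConfidentiality(policyAlternative, sOAPMessageContext);
        processIntegrity(policyAlternative, sOAPMessageContext);
        processIdentity(policyAlternative);
        processMessageAge(policyAlternative);
    }

    /**
     * Runs the message-age (timestamp) check when the alternative carries a MessageAge assertion.
     * A {@code null} or empty assertion set is treated as "no MessageAge requirement", consistent
     * with the integrity and confidentiality paths.
     */
    private void processMessageAge(PolicyAlternative policyAlternative) throws WSSecurityException, PolicyException {
        Set<MessageAgeAssertion> assertions = policyAlternative.getAssertions(MessageAgeAssertion.class);
        if (assertions == null || assertions.isEmpty()) {
            return;
        }
        doMessageAge(assertions);
    }

    /**
     * Validates the message timestamp against the single permitted MessageAge assertion.
     *
     * @param assertions non-empty set of MessageAge assertions
     * @throws PolicyException if more than one MessageAge assertion is present
     * @throws WSSecurityException if the validator rejects the timestamp
     */
    private void doMessageAge(Set<MessageAgeAssertion> assertions) throws WSSecurityException, PolicyException {
        if (assertions.size() > 1) {
            throw new PolicyException("Only one MessageAge specification is supported in a policy alternative");
        }
        TimestampPolicy timestampPolicy = new TimestampPolicy(assertions.iterator().next());
        if (!this.svalidator.validateTimestamp(timestampPolicy.getMessageAgeSeconds())) {
            throw new WSSecurityException("Timestamp validation failed.", WSSConstants.FAILURE_INVALID);
        }
    }

    /**
     * Runs the identity check for every Identity assertion of the alternative. A {@code null} or
     * empty assertion set means there is no identity requirement.
     */
    private void processIdentity(PolicyAlternative policyAlternative) throws WSSecurityException {
        Set<IdentityAssertion> assertions = policyAlternative.getAssertions(IdentityAssertion.class);
        if (assertions == null || assertions.isEmpty()) {
            return;
        }
        doIdentity(assertions);
    }

    /**
     * Requires that, for each Identity assertion, at least one of its acceptable token types is
     * validated by the security validator.
     *
     * @param assertions non-empty set of Identity assertions
     * @throws WSSecurityException if some assertion has no token that validates
     */
    private void doIdentity(Set<IdentityAssertion> assertions) throws WSSecurityException {
        for (IdentityAssertion assertion : assertions) {
            boolean validated = false;
            // All candidate tokens are attempted even after one succeeds (no early exit). This
            // matches the original behaviour; validateSecurityToken presumably has side effects on
            // the validator, so short-circuiting here is deliberately avoided — confirm before changing.
            for (SecurityToken securityToken : new IdentityPolicy(assertion).getValidIdentityTokens()) {
                String tokenTypeUri = securityToken.getTokenTypeUri();
                LogUtils.logWss("Trying to validate identity assertion token " + tokenTypeUri);
                if (this.svalidator.validateSecurityToken(tokenTypeUri, securityToken.getTokenIssuer(), securityToken.getClaims())) {
                    validated = true;
                    LogUtils.logWss("Validated identity assertion token " + tokenTypeUri);
                }
            }
            if (!validated) {
                throw new WSSecurityException("Unable to validate identity assertions.", WSSConstants.FAILURE_INVALID);
            }
        }
    }

    /**
     * Runs the signature check when the alternative carries Integrity assertions. A {@code null}
     * or empty assertion set means there is no integrity requirement.
     */
    private void processIntegrity(PolicyAlternative policyAlternative, SOAPMessageContext sOAPMessageContext) throws SecurityPolicyException, WSSecurityException, PolicyException {
        Set<IntegrityAssertion> assertions = policyAlternative.getAssertions(IntegrityAssertion.class);
        if (assertions == null || assertions.isEmpty()) {
            return;
        }
        doIntegrity(assertions, sOAPMessageContext);
    }

    /**
     * Requires that the message signature covers what the signing policy demands, using the first
     * acceptable token type for which the validator accepts the signature.
     *
     * @param assertions non-empty set of Integrity assertions
     * @param sOAPMessageContext message context used to build the expected {@link SignedInfo}
     * @throws WSSecurityException if no acceptable token type yields a valid signature
     */
    private void doIntegrity(Set<IntegrityAssertion> assertions, SOAPMessageContext sOAPMessageContext) throws SecurityPolicyException, WSSecurityException, PolicyException {
        XMLSignatureFactory signatureFactory = this.svalidator.getXMLSignatureFactory();
        SigningReferencesFactory referencesFactory = new SigningReferencesFactory(this.svalidator);
        SigningPolicy signingPolicy = new SigningPolicy(signatureFactory, referencesFactory, sOAPMessageContext, assertions);
        SignedInfo signedInfo = signingPolicy.getSignedInfo();
        boolean signedSecurityTokens = signingPolicy.signedSecurityTokens();
        boolean validated = false;
        for (SecurityToken securityToken : signingPolicy.getValidSignatureTokens()) {
            SignedInfo expected = signedInfo;
            if (signedSecurityTokens) {
                // When the policy requires the security token itself to be signed, the expected
                // SignedInfo depends on the candidate token and is rebuilt for each one.
                SecurityTokenContextHandler contextHandler = new SecurityTokenContextHandler();
                contextHandler.addContextElement(SecurityTokenContextHandler.CLAIMS_MAP, securityToken.getClaims());
                expected = signingPolicy.newSignedInfo(signatureFactory, referencesFactory.newSigningTokenReference(securityToken, contextHandler, signingPolicy.getDigestAlgorithm()));
            }
            validated = this.svalidator.validateSignature(expected, securityToken.getTokenTypeUri(), securityToken.getTokenIssuer(), securityToken.getClaims());
            if (validated) {
                break;
            }
        }
        if (!validated) {
            throw new WSSecurityException("Could not validate signature using any of the supported token types", WSSConstants.FAILURE_INVALID);
        }
    }

    /**
     * Runs the encryption check when the alternative carries Confidentiality assertions. A
     * {@code null} or empty assertion set means there is no confidentiality requirement.
     */
    private void processConfidentiality(PolicyAlternative policyAlternative, SOAPMessageContext sOAPMessageContext) throws WSSecurityException, PolicyException, XMLEncryptionException {
        Set<ConfidentialityAssertion> assertions = policyAlternative.getAssertions(ConfidentialityAssertion.class);
        if (assertions == null || assertions.isEmpty()) {
            return;
        }
        doConfidentiality(assertions, sOAPMessageContext);
    }

    /**
     * Requires that every encryption target of every Confidentiality assertion was encrypted
     * with the assertion's key-wrap and data-encryption methods under one acceptable token type.
     *
     * @param assertions non-empty set of Confidentiality assertions
     * @param sOAPMessageContext message context the encryption policy inspects
     * @throws WSSecurityException if some target cannot be validated under any acceptable token type
     */
    private void doConfidentiality(Set<ConfidentialityAssertion> assertions, SOAPMessageContext sOAPMessageContext) throws WSSecurityException, PolicyException, XMLEncryptionException {
        XMLEncryptionFactory encryptionFactory = this.svalidator.getXMLEncryptionFactory();
        for (ConfidentialityAssertion assertion : assertions) {
            EncryptionPolicy encryptionPolicy = new EncryptionPolicy(encryptionFactory, sOAPMessageContext, assertion);
            List<SecurityToken> validEncryptionTokens = encryptionPolicy.getValidEncryptionTokens();
            EncryptionMethod keyWrapMethod = encryptionPolicy.getKeyWrapMethod();
            // Each target must be validated on its own; a single unvalidated target fails the assertion.
            for (EncryptionTarget encryptionTarget : encryptionPolicy.getEncryptionTargets()) {
                if (!isTargetValidated(encryptionTarget, keyWrapMethod, validEncryptionTokens)) {
                    throw new WSSecurityException("Could not validate encryption against any of the supported token types", WSSConstants.FAILURE_INVALID);
                }
            }
        }
    }

    /**
     * Returns whether the validator accepts the target's encryption under at least one of the
     * candidate token types; stops at the first accepted token.
     */
    private boolean isTargetValidated(EncryptionTarget encryptionTarget, EncryptionMethod keyWrapMethod, List<SecurityToken> candidateTokens) throws WSSecurityException, PolicyException, XMLEncryptionException {
        for (SecurityToken securityToken : candidateTokens) {
            if (this.svalidator.validateEncryption(encryptionTarget.getTBEs(), keyWrapMethod, encryptionTarget.getEncryptionMethod(), securityToken.getTokenTypeUri(), securityToken.getTokenIssuer(), securityToken.getClaims())) {
                return true;
            }
        }
        return false;
    }
}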
