package weblogic.wsee.security.saml;

import java.security.AccessController;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.wsee.security.bst.StubPropertyBSTCredProv;
import weblogic.wsee.security.util.CertUtils;
import weblogic.wsee.security.wst.faults.RequestFailedException;
import weblogic.wsee.security.wst.faults.WSTFaultException;
import weblogic.wsee.security.wst.framework.TrustToken;
import weblogic.wsee.security.wst.framework.TrustTokenProvider;
import weblogic.wsee.security.wst.framework.WSTContext;
import weblogic.wsee.security.wst.helpers.EncryptedKeyInfoBuilder;
import weblogic.xml.crypto.wss.SecurityTokenContextHandler;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss.X509Credential;
import weblogic.xml.crypto.wss.api.BinarySecurityToken;
import weblogic.xml.crypto.wss.api.UsernameToken;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
import weblogic.xml.crypto.wss.provider.SecurityTokenReference;

/* loaded from: input_file:weblogic/wsee/security/saml/SAMLTrustTokenProvider.class */
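/**
 * Base {@link TrustTokenProvider} that issues SAML assertions for WS-Trust
 * RequestSecurityToken calls.
 *
 * <p>{@link #issueTrustToken} maps the request's KeyType to a SAML subject-confirmation
 * method, selects the subject the assertion is issued for (an ActAs or OnBehalfOf
 * UsernameToken when present, otherwise the subject authenticated on the incoming
 * message), prepares the context elements for the SAML credential mapper and wraps the
 * resulting {@link SAMLCredential} in a {@link SAMLTrustToken}.
 *
 * <p>Renewal, cancellation, resolution and STR creation are not implemented here: those
 * methods return {@code null} or do nothing. Subclasses may override
 * {@link #getSAMLAttributeData} and {@link #getServerEncryptionCert}, both of which
 * return {@code null} in this base class.
 */
public abstract class SAMLTrustTokenProvider implements TrustTokenProvider {
    private static final Logger LOGGER = Logger.getLogger(SAMLTrustTokenProvider.class.getName());

    // WS-Trust 1.3 KeyType URIs as they appear in the RST.
    private static final String KEY_TYPE_BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
    private static final String KEY_TYPE_PUBLIC_KEY = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
    private static final String KEY_TYPE_SYMMETRIC_KEY = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";

    // SAML subject-confirmation method names as understood by CSSUtils.
    private static final String CONFIRMATION_BEARER = "bearer";
    private static final String CONFIRMATION_HOLDER_OF_KEY = "holder-of-key";
    private static final String CONFIRMATION_SENDER_VOUCHES = "sender-vouches";

    // Message-context property carrying the WSSecurityContext of the incoming request.
    private static final String PROP_WSS_CONTEXT = "weblogic.xml.crypto.wss.WSSecurityContext";
    // Message-context property carrying the subject authenticated on the incoming request.
    private static final String PROP_WSS_SUBJECT = "weblogic.wsee.wss.subject";
    // WSSecurityContext property carrying the certificate that authenticated the subject.
    private static final String PROP_SUBJECT_CERT = "BinarySecurityTokenHandler.AuthenticatedSubject.Cert";

    // Security realm used to look up the PrincipalAuthenticator for impersonation.
    private static final String DEFAULT_REALM = "weblogicDEFAULT";

    // Context elements handed to the SAML credential mapper.
    private static final String CTX_TARGET_RESOURCE = "com.bea.contextelement.saml.TargetResource";
    private static final String CTX_CONFIRMATION_METHOD = "com.bea.contextelement.saml.subject.ConfirmationMethod";

    /**
     * Issues a SAML assertion for the given WS-Trust request.
     *
     * @param wSTContext the request context (token type, key type, AppliesTo, message context)
     * @return a {@link SAMLTrustToken} wrapping the issued credential
     * @throws RequestFailedException if no SAML credential could be obtained
     * @throws WSTFaultException if impersonation for an ActAs/OnBehalfOf token fails
     */
    public TrustToken issueTrustToken(WSTContext wSTContext) throws WSTFaultException {
        String tokenType = wSTContext.getTokenType();
        String keyType = wSTContext.getKeyType();
        String confirmationMethod = getConfirmationMethod(tokenType, keyType);
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Token Type =[" + tokenType + "]  and KeyType =[" + keyType + "] and the Confirmation Method =[" + confirmationMethod + "]");
        }
        // Subject resolution may throw a WSTFaultException; do it before reading other properties.
        AuthenticatedSubject subject = getSubject(wSTContext);
        WSSecurityContext wssContext = (WSSecurityContext) wSTContext.getMessageContext().getProperty(PROP_WSS_CONTEXT);
        SAMLCredential credential = getCredential(tokenType, wSTContext.getAppliesTo(), subject, confirmationMethod, wssContext, wSTContext);
        if (credential == null) {
            // getCredential logs the underlying failure at FINE; the fault itself carries no cause.
            throw new RequestFailedException("Could not obtain SAML token.");
        }
        SAMLTrustCredential trustCredential = new SAMLTrustCredential(credential);
        initTrustCredential(trustCredential, wSTContext);
        return new SAMLTrustToken(trustCredential);
    }

    /**
     * Maps the requested WS-Trust KeyType to a SAML subject-confirmation method.
     *
     * <p>Bearer maps to {@code bearer}; PublicKey and SymmetricKey map to
     * {@code holder-of-key}; any other value, including a missing KeyType, falls back to
     * {@code sender-vouches}. The token type is accepted for subclasses but not used here.
     *
     * @param tokenType the requested token type (unused by this implementation)
     * @param keyType the requested KeyType URI, may be {@code null}
     * @return the confirmation method name
     */
    protected String getConfirmationMethod(String tokenType, String keyType) {
        if (KEY_TYPE_BEARER.equals(keyType)) {
            return CONFIRMATION_BEARER;
        }
        if (KEY_TYPE_PUBLIC_KEY.equals(keyType) || KEY_TYPE_SYMMETRIC_KEY.equals(keyType)) {
            return CONFIRMATION_HOLDER_OF_KEY;
        }
        return CONFIRMATION_SENDER_VOUCHES;
    }

    /**
     * Selects the subject the assertion is issued for.
     *
     * <p>Precedence: the ActAs token, then the OnBehalfOf token (both impersonated by
     * username), then the subject authenticated on the incoming message.
     *
     * @throws WSTFaultException if impersonation for an ActAs/OnBehalfOf token fails
     */
    private AuthenticatedSubject getSubject(WSTContext wSTContext) throws WSTFaultException {
        try {
            AuthenticatedSubject impersonated = impersonate(wSTContext.getActAsToken());
            if (impersonated == null) {
                impersonated = impersonate(wSTContext.getOnBehalfOfToken());
            }
            if (impersonated != null) {
                return impersonated;
            }
        } catch (LoginException e) {
            // The fault type only takes a message; keep the cause visible in the log.
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Impersonation for ActAs/OnBehalfOf token failed", e);
            }
            throw new WSTFaultException("Could not get SAML token for OnBehalfOf token.");
        }
        return (AuthenticatedSubject) wSTContext.getMessageContext().getProperty(PROP_WSS_SUBJECT);
    }

    /**
     * Impersonates the user named in an ActAs/OnBehalfOf UsernameToken using the kernel
     * identity.
     *
     * <p>Only the username of the token is consulted; no credential of that user is
     * verified here. Whether the requester may obtain assertions for other users is
     * therefore not decided in this class (NOTE(review): presumably enforced by the
     * security policy applied to the RST before this provider runs - confirm).
     *
     * @param token the ActAs or OnBehalfOf token, may be {@code null}
     * @return the impersonated subject, or {@code null} when the token or its username is absent or empty
     * @throws LoginException if the authenticator refuses to impersonate the user
     * @throws IllegalStateException if no PrincipalAuthenticator is available
     */
    private static AuthenticatedSubject impersonate(UsernameToken token) throws LoginException {
        if (token == null) {
            return null;
        }
        String username = token.getUsername();
        if (username == null || username.length() == 0) {
            return null;
        }
        PrincipalAuthenticator authenticator = SecurityServiceManager.getPrincipalAuthenticator(getKernelID(), DEFAULT_REALM);
        if (authenticator == null) {
            throw new IllegalStateException("PrincipalAuthenticator Unavailable");
        }
        return authenticator.impersonateIdentity(username);
    }

    /** Returns the kernel identity, obtained under a privileged action. */
    private static AuthenticatedSubject getKernelID() {
        return (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    }

    /**
     * Obtains the SAML credential from the credential mapper through {@code CSSUtils}.
     *
     * <p>The endpoint URL and target resource handed to the mapper are taken from the
     * request's AppliesTo; whether the requester may obtain an assertion for that
     * audience is not decided here (NOTE(review): presumably by the credential mapper
     * configuration - confirm). For holder-of-key the proof material is passed as the
     * key-info object: an EncryptedKey for SymmetricKey requests, otherwise the
     * subject's X.509 certificate from {@link #getKeyInfoCredential}.
     *
     * @return the credential, or {@code null} if the security layer rejected the request
     *         (the {@link WSSecurityException} is logged at FINE and not propagated)
     */
    private SAMLCredential getCredential(String tokenType, String appliesTo, AuthenticatedSubject authenticatedSubject, String confirmationMethod, WSSecurityContext wssContext, WSTContext wSTContext) {
        // Null-safe: a missing token type is treated as the non-SAML-2.0 case throughout.
        boolean isSaml2 = SAML2Constants.SAML20_TOKEN_TYPE.equals(tokenType);
        SecurityTokenContextHandler contextHandler = new SecurityTokenContextHandler();
        contextHandler.addContextElement(SecurityTokenContextHandler.ENDPOINT_URL, appliesTo);
        contextHandler.addContextElement(CTX_TARGET_RESOURCE, appliesTo);
        String mappedMethod = isSaml2
                ? CSSUtils.mapSAML2ConfMethod(confirmationMethod)
                : CSSUtils.mapSAMLConfMethod(confirmationMethod);
        contextHandler.addContextElement(CTX_CONFIRMATION_METHOD, mappedMethod);

        Subject subject = authenticatedSubject == null ? null : authenticatedSubject.getSubject();
        SAMLAttributeStatementData attributeData = getSAMLAttributeData(isSaml2, appliesTo, subject, wssContext);
        if (attributeData != null) {
            CSSUtils.setupSAMLAttributesContextElements(isSaml2, contextHandler, attributeData.isAttributeOnlyRequest(), attributeData);
        }
        try {
            Object keyInfo = null;
            if (CSSUtils.isHolderOfKey(confirmationMethod)) {
                if (KEY_TYPE_SYMMETRIC_KEY.equals(wSTContext.getKeyType())) {
                    if (LOGGER.isLoggable(Level.FINE)) {
                        LOGGER.log(Level.FINE, "setting Symmetric Holder of Key ...");
                    }
                    keyInfo = getKeyInfoFromSymmetricKey(wSTContext, wssContext, getEncryptionCredentialProvider(isSaml2, appliesTo, wssContext));
                } else {
                    keyInfo = getKeyInfoCredential(authenticatedSubject, wssContext);
                }
            }
            // Previously tokenType.equals(...) was evaluated here, which threw NPE on a null
            // token type although the flag above already treated it as non-SAML-2.0.
            return (SAMLCredential) CSSUtils.getSAMLCredential(isSaml2, tokenType, contextHandler, keyInfo, authenticatedSubject);
        } catch (WSSecurityException e) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Exception while acquiring SAML credential", e);
            }
            return null;
        }
    }

    /**
     * Hook for subclasses to supply SAML attribute statement data.
     *
     * <p>This base implementation adds no attributes and returns {@code null}.
     *
     * @param isSaml2 whether a SAML 2.0 assertion is being issued
     * @param targetUrl the request's AppliesTo URL
     * @param subject the subject the assertion is issued for, or {@code null}
     * @param wssContext the security context of the incoming message
     * @return attribute data to add to the assertion, or {@code null} for none
     */
    public SAMLAttributeStatementData getSAMLAttributeData(boolean isSaml2, String targetUrl, Subject subject, WSSecurityContext wssContext) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "No override on getSAMLAttributeData(), and no SAML Attribute data to be generated for target url =" + targetUrl);
        }
        return null;
    }

    /**
     * Builds the credential provider whose certificate encrypts the symmetric proof key.
     *
     * @return a provider for the server encryption certificate, or {@code null} when
     *         {@link #getServerEncryptionCert} returns none or throws (logged at FINE)
     */
    private CredentialProvider getEncryptionCredentialProvider(boolean isSaml2, String targetUrl, WSSecurityContext wssContext) {
        try {
            X509Certificate serverCert = getServerEncryptionCert(isSaml2, targetUrl, wssContext);
            if (serverCert != null) {
                return new StubPropertyBSTCredProv(serverCert, null);
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Geeting no X509 for EncryptedKey token in SAML assertion");
            }
        } catch (Exception e) {
            // getServerEncryptionCert is declared to throw Exception, so nothing narrower can be caught.
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Got exception when getting EncryptionCredentialProvider for for encrypting EncryptedKey token in SAML assertion", e);
            }
        }
        return null;
    }

    /**
     * Hook for subclasses to supply the certificate used to encrypt the symmetric
     * holder-of-key proof key.
     *
     * <p>This base implementation returns {@code null}, so no EncryptedKey credential
     * provider is available unless a subclass overrides it.
     *
     * @param isSaml2 whether a SAML 2.0 assertion is being issued
     * @param targetUrl the request's AppliesTo URL
     * @param wssContext the security context of the incoming message
     * @return the encryption certificate, or {@code null} for none
     * @throws Exception if a subclass cannot obtain the certificate
     */
    public X509Certificate getServerEncryptionCert(boolean isSaml2, String targetUrl, WSSecurityContext wssContext) throws Exception {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "No override on getServerEncryptionCert(), and no encryption cert to be used for encrypting EncryptedKey token in SAML assertion for target url =" + targetUrl);
        }
        return null;
    }

    /** Copies AppliesTo and the requested lifetime from the request onto the credential. */
    private void initTrustCredential(SAMLTrustCredential trustCredential, WSTContext wSTContext) {
        trustCredential.setAppliesTo(wSTContext.getAppliesTo());
        trustCredential.setCreated(wSTContext.getCreated());
        trustCredential.setExpires(wSTContext.getExpires());
    }

    /** Renewal is not supported; always returns {@code null}. */
    public TrustToken renewTrustToken(WSTContext wSTContext, TrustToken trustToken) throws WSTFaultException {
        return null;
    }

    /** Cancellation is not supported; this is a no-op. */
    public void cancelTrustToken(WSTContext wSTContext, TrustToken trustToken) throws WSTFaultException {
    }

    /** STR creation is not supported; always returns {@code null}. */
    public SecurityTokenReference createSecurityTokenReference(WSTContext wSTContext, TrustToken trustToken) throws WSTFaultException {
        return null;
    }

    /** Resolution is not supported; always returns {@code null}. */
    public TrustToken resolveTrustToken(WSTContext wSTContext, SecurityTokenReference securityTokenReference) throws WSTFaultException {
        return null;
    }

    /**
     * Selects the X.509 certificate bound into a holder-of-key assertion for the subject.
     *
     * <p>Preference order: the certificate stored by the BinarySecurityTokenHandler under
     * {@value #PROP_SUBJECT_CERT} (the one that authenticated the subject), then the first
     * BinarySecurityToken in the message whose subject CN equals the name of one of the
     * subject's principals. The CN comparison only ties a name to a certificate; whether
     * that BST was itself verified before reaching the WSSecurityContext is not visible
     * here (NOTE(review): confirm in the BST handler).
     *
     * @param authenticatedSubject the subject the assertion is issued for, may be {@code null}
     * @param wssContext the security context of the incoming message
     * @return an {@link X509Credential} without private key, or {@code null} if none matched
     */
    public Object getKeyInfoCredential(AuthenticatedSubject authenticatedSubject, WSSecurityContext wssContext) {
        if (authenticatedSubject == null) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "No KeyInfo Credentail due to null AuthenticatedSubject");
            }
            return null;
        }
        Object storedCert = wssContext.getProperty(PROP_SUBJECT_CERT);
        if (storedCert instanceof X509Certificate) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Found X509 credential of " + storedCert);
            }
            return new X509Credential((X509Certificate) storedCert, (PrivateKey) null);
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "looking BST from WSSecurityContext ...");
        }
        List<?> binarySecurityTokens = wssContext.getBinarySecurityTokens();
        if (binarySecurityTokens == null || binarySecurityTokens.isEmpty()) {
            return null;
        }
        Set<String> principalNames = principalNames(authenticatedSubject);
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Checking BST size = " + binarySecurityTokens.size());
        }
        for (Object token : binarySecurityTokens) {
            X509Certificate certificate = ((BinarySecurityToken) token).getCertificate();
            String subjectCN = CertUtils.getSubjectCN(certificate);
            if (subjectCN != null && principalNames.contains(subjectCN)) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Found X509 credential for " + subjectCN + " cert SubjectDN name is " + certificate.getSubjectDN().getName());
                }
                return new X509Credential(certificate, (PrivateKey) null);
            }
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "No KeyInfo Credentail found on all BST");
        }
        return null;
    }

    /** Collects the names of all principals of the subject for CN matching. */
    private static Set<String> principalNames(AuthenticatedSubject authenticatedSubject) {
        Set<Principal> principals = authenticatedSubject.getSubject().getPrincipals();
        Set<String> names = new HashSet<String>(principals.size());
        for (Principal principal : principals) {
            names.add(principal.getName());
        }
        return names;
    }

    /**
     * Builds the EncryptedKey node carrying the symmetric proof key for a SymmetricKey
     * holder-of-key request.
     *
     * @param credentialProvider provider for the encryption certificate; may be {@code null}
     *        when {@link #getEncryptionCredentialProvider} found none
     * @throws WSSecurityException if the EncryptedKey cannot be built
     */
    private Object getKeyInfoFromSymmetricKey(WSTContext wSTContext, WSSecurityContext wssContext, CredentialProvider credentialProvider) throws WSSecurityException {
        return new EncryptedKeyInfoBuilder(wssContext, credentialProvider).getEncryptedKeyNode(wSTContext);
    }
}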
