package org.apache.cxf.ws.security.trust;

import com.amazonaws.regions.ServiceAbbreviations;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.addressing.JAXWSAConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.policy.model.Trust10;
import org.apache.wss4j.policy.model.Trust13;
import org.w3c.dom.Element;

/* loaded from: classes4.dex */
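/**
 * Obtains a security token from a Security Token Service (STS) for an outbound message,
 * reusing, renewing or re-issuing a cached one as needed.
 *
 * <p>Decompilation artefacts in the original listing are repaired here: the STS client type
 * is the plain literal {@code "sts"} instead of an unrelated AWS SDK constant, and the
 * {@code setTrust(null)} calls in the reset paths carry the casts needed to pick the
 * {@code Trust10} / {@code Trust13} overloads.
 */
public final class STSTokenRetriever {
    private static final Logger LOG = LogUtils.getL7dLogger(STSTokenRetriever.class);

    /**
     * Fallback key under which an issued token is associated with its delegation
     * (OnBehalfOf / ActAs) token when AppliesTo is disabled or empty.
     */
    private static final String ASSOCIATED_TOKEN = STSTokenRetriever.class.getName() + "-Associated_Token";

    /** Client type passed to {@code STSUtils.getClientWithIssuer}. */
    private static final String STS_CLIENT_TYPE = "sts";

    /** WS-Security Utility namespace, used to read the {@code wsu:Id} of a token element. */
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** SAML 2.0 assertion namespace; only such assertions are inspected for a OneTimeUse condition. */
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Message key of the outbound JAX-WS addressing properties, consulted before the client-side key. */
    private static final String OUTBOUND_ADDRESSING_PROPERTIES = "javax.xml.ws.addressing.context.outbound";

    /** Suffix of an issued-token-specific override of a security property ({@code "<prop>.it"}). */
    private static final String ISSUED_TOKEN_SUFFIX = ".it";

    /** Default passed to {@code SecurityToken.isAboutToExpire} when no imminent-expiry value is configured. */
    private static final long DEFAULT_IMMINENT_EXPIRY_VALUE = 10L;

    /**
     * Mutable parameter bag describing the token request: the WS-Trust policy assertions,
     * the token template, the issuer, the requested claims and the WS-Policy namespace.
     * Any field may be left {@code null}; {@link #getTokenFromSTS} skips absent optional values.
     */
    public static class TokenRequestParams {
        private Element claims;
        private Element issuer;
        private Element tokenTemplate;
        private Trust10 trust10;
        private Trust13 trust13;
        private String wspNamespace;

        /** @return the Claims element to send to the STS, or {@code null} for none */
        public Element getClaims() {
            return this.claims;
        }

        /** @return the Issuer element selecting the STS client, or {@code null} */
        public Element getIssuer() {
            return this.issuer;
        }

        /** @return the token template (RequestSecurityToken fragment), or {@code null} */
        public Element getTokenTemplate() {
            return this.tokenTemplate;
        }

        /** @return the WS-Trust 1.0 policy assertion, or {@code null} */
        public Trust10 getTrust10() {
            return this.trust10;
        }

        /** @return the WS-Trust 1.3 policy assertion, or {@code null} */
        public Trust13 getTrust13() {
            return this.trust13;
        }

        /** @return the WS-Policy namespace to use, or {@code null} to keep the client default */
        public String getWspNamespace() {
            return this.wspNamespace;
        }

        public void setClaims(Element element) {
            this.claims = element;
        }

        public void setIssuer(Element element) {
            this.issuer = element;
        }

        public void setTokenTemplate(Element element) {
            this.tokenTemplate = element;
        }

        public void setTrust10(Trust10 trust10) {
            this.trust10 = trust10;
        }

        public void setTrust13(Trust13 trust13) {
            this.trust13 = trust13;
        }

        public void setWspNamespace(String str) {
            this.wspNamespace = str;
        }
    }

    /** Static utility; not instantiable. */
    private STSTokenRetriever() {
    }

    /**
     * Returns a security token for the outbound message, reusing a cached token when one is
     * still valid and otherwise renewing or issuing one.
     *
     * <p>Caching: when {@code CACHE_ISSUED_TOKEN_IN_ENDPOINT} is true (the default) the token
     * is stored on the endpoint and the exchange, so later messages through the same endpoint
     * pick it up via {@link #retrieveCachedToken}. A SAML 2.0 assertion carrying a OneTimeUse
     * condition is never stored on the endpoint; it is kept on the message only. The token is
     * always added to the token store.
     *
     * @param message the outbound message
     * @param params  the token request parameters
     * @return the token to use for this message
     * @throws Fault if the STS call fails or the SAML assertion cannot be parsed
     */
    public static SecurityToken getToken(Message message, TokenRequestParams params) {
        SecurityToken cached = retrieveCachedToken(message);
        SecurityToken token = cached == null
            ? issueToken(message, params)
            : renewToken(message, cached, params);

        boolean cacheInEndpoint = SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, message, true);
        // isOneTimeUse is only evaluated when endpoint caching is on, as in the original.
        if (cacheInEndpoint && !isOneTimeUse(token)) {
            cacheOnEndpoint(message, token);
        } else {
            cacheOnMessage(message, token);
        }
        TokenStoreUtils.getTokenStore(message).add(token);
        return token;
    }

    /** Stores the token, its id and its element on the message only. */
    private static void cacheOnMessage(Message message, SecurityToken token) {
        message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN, token);
        message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID, token.getId());
        message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ELEMENT, token.getToken());
    }

    /** Stores the token and its id on the endpoint and exchange; the element goes on the message. */
    private static void cacheOnEndpoint(Message message, SecurityToken token) {
        message.getExchange().getEndpoint().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN, token);
        message.getExchange().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN, token);
        message.put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ELEMENT, token.getToken());
        message.getExchange().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID, token.getId());
        message.getExchange().getEndpoint().put(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID, token.getId());
    }

    /**
     * Looks up a previously cached token. With endpoint caching enabled the contextual
     * property chain (message, exchange, endpoint, ...) is searched; otherwise only the
     * message itself. A cached id is resolved through the token store.
     *
     * @return the cached token, or {@code null} if none is known
     */
    private static SecurityToken retrieveCachedToken(Message message) {
        boolean cacheInEndpoint = SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, message, true);
        SecurityToken token;
        String tokenId;
        if (cacheInEndpoint) {
            token = (SecurityToken) message.getContextualProperty(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
            if (token != null) {
                return token;
            }
            tokenId = (String) message.getContextualProperty(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID);
        } else {
            token = (SecurityToken) message.get(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
            if (token != null) {
                return token;
            }
            tokenId = (String) message.get(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID);
        }
        return tokenId == null ? null : TokenStoreUtils.getTokenStore(message).getToken(tokenId);
    }

    /**
     * Extracts the identifier of a token element: {@code wsu:Id}, then an un-namespaced
     * {@code ID}, then {@code AssertionID}; the empty string if none is present or the
     * element is {@code null}.
     */
    private static String getIdFromToken(Element element) {
        if (element == null) {
            return "";
        }
        if (element.hasAttributeNS(WSU_NS, "Id")) {
            return element.getAttributeNS(WSU_NS, "Id");
        }
        if (element.hasAttributeNS(null, "ID")) {
            return element.getAttributeNS(null, "ID");
        }
        if (element.hasAttributeNS(null, "AssertionID")) {
            return element.getAttributeNS(null, "AssertionID");
        }
        return "";
    }

    /**
     * Reports whether the token is a SAML 2.0 assertion whose Conditions carry a
     * OneTimeUse element. Such tokens must not be cached for reuse.
     *
     * @throws Fault if the assertion cannot be parsed
     */
    private static boolean isOneTimeUse(SecurityToken token) {
        Element element = token.getToken();
        if (element == null
            || !"Assertion".equals(element.getLocalName())
            || !SAML2_NS.equals(element.getNamespaceURI())) {
            return false;
        }
        try {
            SamlAssertionWrapper assertion = new SamlAssertionWrapper(element);
            if (assertion.getSaml2().getConditions() == null) {
                return false;
            }
            return assertion.getSaml2().getConditions().getOneTimeUse() != null;
        } catch (WSSecurityException e) {
            throw new Fault(e);
        }
    }

    /** Outbound addressing properties, falling back to the client-side addressing key; may be {@code null}. */
    private static AddressingProperties getAddressingProperties(Message message) {
        AddressingProperties maps = (AddressingProperties) message.get(OUTBOUND_ADDRESSING_PROPERTIES);
        if (maps == null) {
            maps = (AddressingProperties) message.get(JAXWSAConstants.CLIENT_ADDRESSING_PROPERTIES);
        }
        return maps;
    }

    /**
     * Clears the per-request state set on the shared STS client so that the next caller
     * starts from the client's configured defaults. The casts select the Trust10 and
     * Trust13 overloads; an uncast {@code setTrust(null)} is ambiguous.
     */
    private static void resetClient(STSClient client) {
        client.setTrust((Trust10) null);
        client.setTrust((Trust13) null);
        client.setTemplate(null);
        client.setAddressingNamespace(null);
    }

    /**
     * Resolves the AppliesTo address: the configured {@code STS_APPLIES_TO} value, or the
     * message's endpoint address with any query string stripped.
     */
    private static String resolveAppliesTo(Message message) {
        Object configured = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_APPLIES_TO, message);
        if (configured != null) {
            return configured.toString();
        }
        String endpointAddress = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
        int query = endpointAddress.indexOf('?');
        return query > 0 ? endpointAddress.substring(0, query) : endpointAddress;
    }

    /**
     * Requests a new token from the STS, first checking whether a token already issued for
     * the same OnBehalfOf / ActAs delegation token can be reused (and renewed).
     *
     * <p>All per-request configuration on the shared client is undone in {@code finally},
     * whether or not the request succeeds.
     *
     * @throws Fault wrapping any checked exception from the STS client
     */
    private static SecurityToken issueToken(Message message, TokenRequestParams params) {
        AddressingProperties maps = getAddressingProperties(message);
        STSClient client = STSUtils.getClientWithIssuer(message, STS_CLIENT_TYPE, params.getIssuer());
        synchronized (client) {
            try {
                Object actAs = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ACT_AS, message);
                if (actAs != null) {
                    client.setActAs(actAs);
                }
                Object onBehalfOf = SecurityUtils.getSecurityPropertyValue(
                    SecurityConstants.STS_TOKEN_ON_BEHALF_OF, message);
                if (onBehalfOf != null) {
                    client.setOnBehalfOf(onBehalfOf);
                }
                mapSecurityProps(message, client.getRequestContext());

                String appliesTo = resolveAppliesTo(message);
                boolean enableAppliesTo = client.isEnableAppliesTo();
                client.setMessage(message);
                Element onBehalfOfToken = client.getOnBehalfOfToken();
                Element actAsToken = client.getActAsToken();

                SecurityToken delegated = handleDelegation(
                    message, onBehalfOfToken, actAsToken, appliesTo, enableAppliesTo);
                SecurityToken token = delegated != null
                    ? renewToken(message, delegated, params)
                    : getTokenFromSTS(message, client, maps, appliesTo, params);
                storeDelegationTokens(message, token, onBehalfOfToken, actAsToken, appliesTo, enableAppliesTo);
                return token;
            } catch (RuntimeException e) {
                throw e;
            } catch (Exception e) {
                throw new Fault(e);
            } finally {
                resetClient(client);
            }
        }
    }

    /** Applies the request parameters to the client and performs the Issue call for {@code appliesTo}. */
    private static SecurityToken getTokenFromSTS(Message message, STSClient client,
                                                 AddressingProperties maps, String appliesTo,
                                                 TokenRequestParams params) throws Exception {
        client.setTrust(params.getTrust10());
        client.setTrust(params.getTrust13());
        client.setTemplate(params.getTokenTemplate());
        if (params.getWspNamespace() != null) {
            client.setWspNamespace(params.getWspNamespace());
        }
        if (maps != null && maps.getNamespaceURI() != null) {
            client.setAddressingNamespace(maps.getNamespaceURI());
        }
        if (params.getClaims() != null) {
            client.setClaims(params.getClaims());
        }
        return client.requestSecurityToken(appliesTo);
    }

    /**
     * Copies the security properties listed in {@code ALL_PROPERTIES} that are visible on
     * the message into the STS client's request context, preferring a {@code ".it"}
     * (issued-token) override and never overwriting an entry already present.
     */
    private static void mapSecurityProps(Message message, Map<String, Object> requestContext) {
        for (String name : org.apache.cxf.ws.security.SecurityConstants.ALL_PROPERTIES) {
            Object value = message.getContextualProperty(name + ISSUED_TOKEN_SUFFIX);
            if (value == null) {
                value = message.getContextualProperty(name);
            }
            if (value != null && !requestContext.containsKey(name)) {
                requestContext.put(name, value);
            }
        }
    }

    /** Removes a stale token from the endpoint, the exchange and the token store. */
    private static void evictCachedToken(Message message, SecurityToken token) {
        message.getExchange().getEndpoint().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
        message.getExchange().getEndpoint().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID);
        message.getExchange().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN_ID);
        message.getExchange().remove(org.apache.cxf.ws.security.SecurityConstants.TOKEN);
        TokenStoreUtils.getTokenStore(message).remove(token.getId());
    }

    /** Whether a failed Renew should fall back to Issue ({@code STS_ISSUE_AFTER_FAILED_RENEW}, default true). */
    private static boolean issueAfterFailedRenew(Message message) {
        return SecurityUtils.getSecurityPropertyBoolean(
            SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true);
    }

    /**
     * Returns the token unchanged if it is neither expired nor about to expire; otherwise
     * evicts it and either renews it (when the client allows renewing) or issues a new one.
     * A failed Renew falls back to Issue unless {@code STS_ISSUE_AFTER_FAILED_RENEW} is false.
     *
     * @throws NumberFormatException if {@code STS_TOKEN_IMMINENT_EXPIRY_VALUE} is not a long
     * @throws Fault wrapping a checked exception from a Renew that is not retried as Issue
     */
    private static SecurityToken renewToken(Message message, SecurityToken token, TokenRequestParams params) {
        String imminentExpiry = (String) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE, message);
        long imminentExpiryValue = imminentExpiry != null
            ? Long.parseLong(imminentExpiry)
            : DEFAULT_IMMINENT_EXPIRY_VALUE;
        if (!token.isExpired() && !token.isAboutToExpire(imminentExpiryValue)) {
            return token;
        }

        evictCachedToken(message, token);
        STSClient client = STSUtils.getClientWithIssuer(message, STS_CLIENT_TYPE, params.getIssuer());
        if (!client.isAllowRenewing()) {
            return issueToken(message, params);
        }

        AddressingProperties maps = getAddressingProperties(message);
        synchronized (client) {
            try {
                mapSecurityProps(message, client.getRequestContext());
                client.setMessage(message);
                if (maps != null) {
                    client.setAddressingNamespace(maps.getNamespaceURI());
                }
                client.setTrust(params.getTrust10());
                client.setTrust(params.getTrust13());
                client.setTemplate(params.getTokenTemplate());
                return client.renewSecurityToken(token);
            } catch (RuntimeException e) {
                LOG.log(Level.WARNING, "Error renewing a token", e);
                if (issueAfterFailedRenew(message)) {
                    return issueToken(message, params);
                }
                throw e;
            } catch (Exception e) {
                LOG.log(Level.WARNING, "Error renewing a token", e);
                if (issueAfterFailedRenew(message)) {
                    return issueToken(message, params);
                }
                throw new Fault(e);
            } finally {
                resetClient(client);
            }
        }
    }

    /** Property key linking a delegation token to an issued token: the AppliesTo when enabled, else the fallback. */
    private static String delegationKey(String appliesTo, boolean enableAppliesTo) {
        if (!enableAppliesTo || appliesTo == null || "".equals(appliesTo)) {
            return ASSOCIATED_TOKEN;
        }
        return appliesTo;
    }

    /**
     * Returns the issued token recorded under {@code key} on the cached entry of the given
     * delegation element, or {@code null} if the element, its cached entry, the property
     * or the referenced token is missing.
     */
    private static SecurityToken findAssociatedToken(TokenStore tokenStore, Element delegationToken, String key) {
        if (delegationToken == null) {
            return null;
        }
        SecurityToken cached = tokenStore.getToken(getIdFromToken(delegationToken));
        if (cached == null) {
            return null;
        }
        Map<String, Object> properties = cached.getProperties();
        if (properties == null || !properties.containsKey(key)) {
            return null;
        }
        return tokenStore.getToken((String) properties.get(key));
    }

    /**
     * Looks for a token already issued for the OnBehalfOf token, then for the ActAs token,
     * so that the same delegation does not trigger a second Issue call.
     *
     * @return the previously issued token, or {@code null} if none is cached
     */
    private static SecurityToken handleDelegation(Message message, Element onBehalfOfToken, Element actAsToken,
                                                  String appliesTo, boolean enableAppliesTo) throws Exception {
        TokenStore tokenStore = TokenStoreUtils.getTokenStore(message);
        String key = delegationKey(appliesTo, enableAppliesTo);
        SecurityToken fromOnBehalfOf = findAssociatedToken(tokenStore, onBehalfOfToken, key);
        if (fromOnBehalfOf != null) {
            return fromOnBehalfOf;
        }
        return findAssociatedToken(tokenStore, actAsToken, key);
    }

    /**
     * Records {@code issuedId} under {@code key} on the token-store entry for the delegation
     * element, creating that entry if the element is not yet in the store.
     */
    private static void associateToken(TokenStore tokenStore, Element delegationToken, String key, String issuedId) {
        if (delegationToken == null) {
            return;
        }
        String id = getIdFromToken(delegationToken);
        SecurityToken cached = tokenStore.getToken(id);
        if (cached == null) {
            cached = new SecurityToken(id);
            cached.setToken(delegationToken);
        }
        Map<String, Object> properties = cached.getProperties();
        if (properties == null) {
            properties = new HashMap<>();
            cached.setProperties(properties);
        }
        properties.put(key, issuedId);
        tokenStore.add(cached);
    }

    /**
     * Associates the freshly issued token with the OnBehalfOf and ActAs tokens it was issued
     * for, so that {@link #handleDelegation} can find it next time. No-op when no token was issued.
     */
    private static void storeDelegationTokens(Message message, SecurityToken issued, Element onBehalfOfToken,
                                              Element actAsToken, String appliesTo,
                                              boolean enableAppliesTo) throws Exception {
        if (issued == null) {
            return;
        }
        TokenStore tokenStore = TokenStoreUtils.getTokenStore(message);
        String key = delegationKey(appliesTo, enableAppliesTo);
        associateToken(tokenStore, onBehalfOfToken, key, issued.getId());
        associateToken(tokenStore, actAsToken, key, issued.getId());
    }
}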
