package com.sun.identity.wss.security.handler;

import com.iplanet.sso.SSOToken;
import com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
import com.sun.identity.liberty.ws.disco.Description;
import com.sun.identity.liberty.ws.disco.DiscoveryClient;
import com.sun.identity.liberty.ws.disco.QueryResponse;
import com.sun.identity.liberty.ws.disco.ResourceOffering;
import com.sun.identity.liberty.ws.security.SecurityAssertion;
import com.sun.identity.liberty.ws.security.SecurityTokenManager;
import com.sun.identity.liberty.ws.security.SecurityUtils;
import com.sun.identity.liberty.ws.soapbinding.CorrelationHeader;
import com.sun.identity.liberty.ws.soapbinding.Message;
import com.sun.identity.liberty.ws.soapbinding.SOAPBindingException;
import com.sun.identity.liberty.ws.soapbinding.Utils;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.wss.provider.ProviderConfig;
import com.sun.identity.wss.security.SecurityException;
import com.sun.identity.wss.security.SecurityMechanism;
import com.sun.identity.wss.security.WSSConstants;
import com.sun.identity.wss.security.WSSUtils;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/sun/identity/wss/security/handler/MessageProcessor.class */
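public class MessageProcessor {

    /**
     * Provider configuration consulted for the accepted authentication mechanisms
     * ({@link #validateRequest}) and the response-signing policy
     * ({@link #secureResponse}, {@link #validateResponse}). May be {@code null} when the
     * no-arg constructor was used.
     */
    private ProviderConfig _config;

    /**
     * {@code wsu:Id} of the most recently added {@code CorrelationHeader}. {@link #signMessage}
     * includes it in the list of signed element ids so the correlation header is covered by the
     * signature together with the body.
     */
    private String correlationId;

    /** A processor without a provider configuration cannot validate requests; kept private. */
    private MessageProcessor() {
        this._config = null;
        this.correlationId = null;
    }

    /**
     * Creates a processor bound to the given provider configuration.
     *
     * @param providerConfig configuration of the web service provider whose messages are
     *        processed; may be {@code null}, in which case {@link #validateRequest} fails with
     *        {@code nullConfiguration}
     */
    public MessageProcessor(ProviderConfig providerConfig) {
        this._config = providerConfig;
        this.correlationId = null;
    }

    /**
     * Validates an inbound request: verifies the message signature (a security profile type of
     * {@code 0} is exempt from verification; every other profile must verify), enforces the
     * Liberty SOAP binding processing rules, rejects any authentication mechanism that is not in
     * the provider's configured list, and finally authenticates the requester through the
     * configured authenticator.
     *
     * @param sOAPMessage the inbound SOAP request
     * @param subject the subject handed to the authenticator
     * @param map per-request shared state; the parsed Liberty {@code Message} is stored under the
     *        key {@code "LibertyRequest"} so {@link #secureResponse} can correlate the response
     * @param httpServletRequest the transport request (not consulted here)
     * @return the value returned by the configured authenticator
     * @throws SOAPBindingException on signature failure, missing configuration, an unsupported
     *         authentication mechanism, or any failure while authenticating; the underlying
     *         exception message becomes the fault text
     */
    public Object validateRequest(SOAPMessage sOAPMessage, Subject subject, Map map,
            HttpServletRequest httpServletRequest) throws SOAPBindingException {
        WSSUtils.debug.message("SOAPProvider.validateRequest : Init");
        try {
            Message message = new Message(sOAPMessage);
            map.put("LibertyRequest", message);
            // Only profile type 0 skips signature verification; any other profile that does
            // not verify is rejected before the processing rules are applied.
            if (message.getSecurityProfileType() != 0 && !SecurityUtils.verifyMessage(message)) {
                WSSUtils.debug.error("MessageProcessor.validateRequest: SignatureVerification failed.");
                throw new SOAPBindingException(WSSUtils.bundle.getString("cannotVerifySignature"));
            }
            Utils.enforceProcessingRules(message, (String) null, true);
            if (this._config == null) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("nullConfiguration"));
            }
            // The mechanism the message claims must be one this provider is configured to accept;
            // a missing mechanism is treated the same as an unknown one.
            String authenticationMechanism = message.getAuthenticationMechanism();
            if (authenticationMechanism == null
                    || !this._config.getSecurityMechanisms().contains(authenticationMechanism)) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("unsupportedAuthMech"));
            }
            return SOAPRequestHandler.getAuthenticator()
                    .authenticate(subject, null, null, this._config, message, true);
        } catch (SecurityException e) {
            WSSUtils.debug.error("MessageProcessor.validateRequest: RequestValidation has failed.", e);
            // NOTE(review): the raw exception message is surfaced as the fault text; the other
            // entry points use fixed bundle keys instead. Confirm this is intended.
            throw new SOAPBindingException(e.getMessage());
        } catch (Exception e2) {
            WSSUtils.debug.error("MessageProcessor.validateRequest: SOAPFaultException.", e2);
            throw new SOAPBindingException(e2.getMessage());
        }
    }

    /**
     * Secures an outbound response: adds a {@code CorrelationHeader} referencing the request's
     * message id (taken from the {@code "LibertyRequest"} entry stored by
     * {@link #validateRequest}) and, when the provider configuration enables response signing,
     * signs the message with the X.509 token profile.
     *
     * @param sOAPMessage the response to secure
     * @param map per-request shared state holding the parsed request under {@code "LibertyRequest"}
     * @return the secured response (a new message instance when signing took place)
     * @throws SOAPBindingException if the header or signature could not be added; the cause is
     *         logged and the fault text is {@code secureResponseFailed}
     */
    public SOAPMessage secureResponse(SOAPMessage sOAPMessage, Map map) throws SOAPBindingException {
        WSSUtils.debug.message("MessageProcessor.secureResponse : Init");
        try {
            addCorrelationHeader(sOAPMessage, (Message) map.get("LibertyRequest"));
            if (this._config == null) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("nullConfiguration"));
            }
            // A null mechanism selects the X.509 token profile in signMessage.
            if (this._config.isResponseSignEnabled()) {
                sOAPMessage = signMessage(sOAPMessage, null, null);
            }
            if (WSSUtils.debug.messageEnabled()) {
                WSSUtils.debug.message("MessageProcessor.secureResponse: "
                        + XMLUtils.print(sOAPMessage.getSOAPPart().getEnvelope()));
            }
            return sOAPMessage;
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.secureResponse: Failed in securing the response", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("secureResponseFailed"));
        }
    }

    /**
     * Secures an outbound request to a web service located through the discovery service. The
     * discovery response's first resource offering determines the security mechanism: for SAML
     * and Bearer mechanisms the first discovery-issued credential is inserted into the SOAP
     * header; for SAML and X.509 mechanisms the message is additionally signed. A Bearer-only
     * mechanism therefore yields an unsigned message carrying the assertion.
     *
     * @param resourceOffering offering of the discovery service to query
     * @param list value passed through to the {@code DiscoveryClient} constructor
     * @param str service type requested from discovery
     * @param sOAPMessage the request to secure
     * @param map per-request shared state (not consulted here)
     * @return the secured request (a new message instance when signing took place)
     * @throws SOAPBindingException if discovery returns no offerings or securing fails; the cause
     *         is logged and the fault text is {@code secureRequestFailed}
     */
    public SOAPMessage secureRequest(ResourceOffering resourceOffering, List list, String str,
            SOAPMessage sOAPMessage, Map map) throws SOAPBindingException {
        WSSUtils.debug.message("MessageProcessor.secureRequest:Init");
        try {
            SOAPHeader header = addCorrelationHeader(sOAPMessage, null);
            QueryResponse discoveryResponse = getWebserviceOffering(resourceOffering, list, str);
            if (WSSUtils.debug.messageEnabled()) {
                WSSUtils.debug.message("MessageProcessor.secureRequest: Discovery Response: "
                        + discoveryResponse.toString());
            }
            List offerings = discoveryResponse.getResourceOffering();
            if (offerings == null || offerings.size() == 0) {
                WSSUtils.debug.error("MessageProcessor.secureRequest:: service offerings are null.");
                throw new SOAPBindingException(WSSUtils.bundle.getString("noServiceOfferings"));
            }
            ResourceOffering serviceOffering = (ResourceOffering) offerings.get(0);
            List credentials = discoveryResponse.getCredentials();
            String mechanism = processResourceOffering(serviceOffering);

            // SAML and Bearer mechanisms carry the first discovery-issued assertion in the header.
            SecurityAssertion securityAssertion = null;
            if ((isSamlTokenMechanism(mechanism) || isBearerTokenMechanism(mechanism))
                    && credentials != null && credentials.size() != 0) {
                securityAssertion = (SecurityAssertion) credentials.get(0);
                securityAssertion.addToParent(header);
            }
            // SAML and X.509 mechanisms require a signature; Bearer does not get one here.
            if (isSamlTokenMechanism(mechanism) || isX509TokenMechanism(mechanism)) {
                sOAPMessage = signMessage(sOAPMessage, mechanism, securityAssertion);
            }
            if (WSSUtils.debug.messageEnabled()) {
                WSSUtils.debug.message("MessageProcessor.secureRequest: "
                        + XMLUtils.print(sOAPMessage.getSOAPPart().getEnvelope()));
            }
            return sOAPMessage;
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.secureRequest: Failure in Securing the request.", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("secureRequestFailed"));
        }
    }

    /**
     * Validates an inbound response. The signature is verified only when the provider
     * configuration enables response signing; with signing disabled an unsigned response is
     * accepted. The Liberty SOAP binding processing rules are enforced in either case.
     *
     * @param sOAPMessage the response to validate
     * @param map per-request shared state (not consulted here)
     * @return the same message instance, unchanged
     * @throws SOAPBindingException if verification or the processing rules fail; the cause is
     *         logged and the fault text is {@code validateResponseFailed}
     */
    public SOAPMessage validateResponse(SOAPMessage sOAPMessage, Map map) throws SOAPBindingException {
        try {
            Message message = new Message(sOAPMessage);
            if (this._config == null) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("nullConfiguration"));
            }
            if (this._config.isResponseSignEnabled() && !SecurityUtils.verifyMessage(message)) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("cannotVerifySignature"));
            }
            Utils.enforceProcessingRules(message, (String) null, true);
            return sOAPMessage;
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.validateResponse:  Response validation failed.", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("validateResponseFailed"));
        }
    }

    /**
     * Signs the message body (and the correlation header, when one was added) using either the
     * WSS X.509 token profile or the WSS SAML token profile, selected by {@code str}.
     * <p>
     * The signature element is appended to the {@code wsse:Security} header of
     * {@code sOAPMessage}, but the returned message is rebuilt from the DOM document the
     * signature manager signed (a serialized copy of the input). NOTE(review): callers rely on
     * the returned instance, so the append into the original message's DOM appears to be
     * redundant; behaviour kept as found — confirm against the signature manager.
     *
     * @param sOAPMessage the message to sign; a header is added if it has none
     * @param str security mechanism URI; {@code null} or an X.509 URI selects the X.509 token
     *        profile (a binary security token is added to the header and its certificate signs),
     *        a SAML URI selects the SAML token profile using {@code securityAssertion}
     * @param securityAssertion the assertion whose certificate signs under the SAML profile;
     *        required for SAML mechanisms, ignored otherwise
     * @return a new SOAP message built from the signed document
     * @throws SOAPBindingException if the body is missing, the mechanism is neither X.509 nor
     *         SAML, no {@code wsse:Security} header exists, or signing fails
     */
    private SOAPMessage signMessage(SOAPMessage sOAPMessage, String str, SecurityAssertion securityAssertion)
            throws SOAPBindingException {
        try {
            if (sOAPMessage.getSOAPPart().getEnvelope().getHeader() == null) {
                sOAPMessage.getSOAPPart().getEnvelope().addHeader();
            }
            SOAPBody body = sOAPMessage.getSOAPPart().getEnvelope().getBody();
            if (body == null) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("nullSOAPBody"));
            }
            // The body gets a wsu:Id so the signature can reference it; the correlation header
            // is referenced by the id recorded in addCorrelationHeader.
            String bodyId = SAMLUtils.generateID();
            body.setAttributeNS(WSSConstants.WSU_NS, WSSConstants.WSU_ID, bodyId);
            ArrayList signedIds = new ArrayList();
            signedIds.add(bodyId);
            if (this.correlationId != null) {
                signedIds.add(this.correlationId);
            }

            Element sigElement = null;
            if (str == null || isX509TokenMechanism(str)) {
                // The token must be in the header before the message is serialized for signing,
                // since the signature covers the serialized copy.
                Certificate certificate = SecurityUtils.getCertificate(addBinaryToken(sOAPMessage));
                sigElement = SecurityUtils.getSignatureManager().signWithWSSX509TokenProfile(
                        XMLUtils.toDOMDocument(serialize(sOAPMessage), WSSUtils.debug),
                        certificate, "", signedIds, "1.1");
            } else if (isSamlTokenMechanism(str)) {
                if (securityAssertion == null) {
                    // Discovery returned a SAML mechanism but no credential to sign with.
                    WSSUtils.debug.error("MessageProcessor.signMessage: no SecurityAssertion for SAML token profile");
                    throw new SOAPBindingException(WSSUtils.bundle.getString("cannotSignMessage"));
                }
                Certificate certificate = SecurityUtils.getCertificate(securityAssertion);
                sigElement = SecurityUtils.getSignatureManager().signWithWSSSAMLTokenProfile(
                        XMLUtils.toDOMDocument(serialize(sOAPMessage), WSSUtils.debug),
                        certificate, securityAssertion.getAssertionID(), "", signedIds, "1.1");
            }
            if (sigElement == null) {
                WSSUtils.debug.error("MessageProcessor.signMessage: SigElement is null");
                throw new SOAPBindingException(WSSUtils.bundle.getString("cannotSignMessage"));
            }
            Element securityHeader = getSecurityHeader(sOAPMessage);
            securityHeader.appendChild(securityHeader.getOwnerDocument().importNode(sigElement, true));
            return Utils.DocumentToSOAPMessage(sigElement.getOwnerDocument());
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.signMessage: Signing failed.", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("cannotSignMessage"));
        }
    }

    /**
     * Serializes the message so it can be re-parsed into a standalone DOM document for signing.
     *
     * @param sOAPMessage the message to serialize
     * @return an in-memory stream over the serialized bytes
     * @throws IOException if serialization fails
     * @throws SOAPException if the message cannot be written
     */
    private static ByteArrayInputStream serialize(SOAPMessage sOAPMessage) throws IOException, SOAPException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        sOAPMessage.writeTo(out);
        return new ByteArrayInputStream(out.toByteArray());
    }

    /**
     * Adds a {@code CorrelationHeader} to the message (creating the SOAP header if absent) and
     * records its id in {@link #correlationId} so it can be included in the signature.
     *
     * @param sOAPMessage the message to decorate
     * @param message the request being answered; when non-null its correlation message id is set
     *        as {@code RefToMessageID}, otherwise the header is a fresh request header
     * @return the SOAP header the correlation header was added to
     * @throws SOAPBindingException if the header could not be added ({@code canotAddCorrelationHeader})
     */
    private SOAPHeader addCorrelationHeader(SOAPMessage sOAPMessage, Message message) throws SOAPBindingException {
        try {
            SOAPHeader header = sOAPMessage.getSOAPPart().getEnvelope().getHeader();
            if (header == null) {
                header = sOAPMessage.getSOAPPart().getEnvelope().addHeader();
            }
            CorrelationHeader correlationHeader = new CorrelationHeader();
            this.correlationId = correlationHeader.getId();
            if (message != null) {
                correlationHeader.setRefToMessageID(message.getCorrelationHeader().getMessageID());
            }
            correlationHeader.addToParent(header);
            return header;
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.addCorrealtionHeader: Could not add correlation header", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("canotAddCorrelationHeader"));
        }
    }

    /**
     * Adds the server's X.509 certificate as a WS-Security binary security token (WSF version
     * {@code "1.1"}) to the SOAP header, creating the header if absent. The token is obtained
     * through a {@code SecurityTokenManager} bound to the admin token.
     *
     * @param sOAPMessage the message to decorate
     * @return the token that was added; its certificate is the signing identity for the X.509 profile
     * @throws SOAPBindingException if the token could not be added. NOTE(review): the bundle key
     *         used here, {@code cannotAddCorrelationHeader}, reads like a copy of the correlation
     *         header failure; kept as found because the bundle contents are not visible.
     */
    private BinarySecurityToken addBinaryToken(SOAPMessage sOAPMessage) throws SOAPBindingException {
        try {
            SOAPHeader header = sOAPMessage.getSOAPPart().getEnvelope().getHeader();
            if (header == null) {
                header = sOAPMessage.getSOAPPart().getEnvelope().addHeader();
            }
            BinarySecurityToken x509CertificateToken =
                    new SecurityTokenManager(getAdminToken()).getX509CertificateToken();
            x509CertificateToken.setWSFVersion("1.1");
            x509CertificateToken.addToParent(header);
            return x509CertificateToken;
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.addBinaryToken: Could not add binary security token", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("cannotAddCorrelationHeader"));
        }
    }

    /**
     * Queries the discovery service for offerings of a single service type.
     *
     * @param resourceOffering offering of the discovery service to query
     * @param list value passed through to the {@code DiscoveryClient} constructor
     * @param str the service type to look up
     * @return the discovery response (offerings plus any issued credentials)
     * @throws SOAPBindingException if the query fails ({@code discoveryQueryFailed})
     */
    private QueryResponse getWebserviceOffering(ResourceOffering resourceOffering, List list, String str)
            throws SOAPBindingException {
        ArrayList serviceTypes = new ArrayList();
        serviceTypes.add(str);
        try {
            return new DiscoveryClient(resourceOffering, getAdminToken(), (String) null, list)
                    .getResourceOffering(serviceTypes);
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.getWebserviceOffering : Failed in discovery query.", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("discoveryQueryFailed"));
        }
    }

    /**
     * Extracts the security mechanism URI to use for a resource offering: the first security
     * mechanism id of the offering's first service description.
     *
     * @param resourceOffering the offering returned by discovery
     * @return the first security mechanism URI of the first description
     * @throws SOAPBindingException if the offering has no descriptions or the first description
     *         lists no security mechanism ({@code processOfferingFailed})
     */
    private String processResourceOffering(ResourceOffering resourceOffering) throws SOAPBindingException {
        try {
            List descriptions = resourceOffering.getServiceInstance().getDescription();
            if (descriptions == null || descriptions.isEmpty()) {
                WSSUtils.debug.error("MessageProcessor:processResourceOffering:descriptions are null.");
                throw new SOAPBindingException(WSSUtils.bundle.getString("noDescriptions"));
            }
            // Only the first description is consulted; later descriptions are ignored.
            List securityMechIds = ((Description) descriptions.get(0)).getSecurityMechID();
            if (securityMechIds == null || securityMechIds.isEmpty() || securityMechIds.get(0) == null) {
                WSSUtils.debug.error("MessageProcessor.processResourceOffering: security Mechs are empty");
                throw new SOAPBindingException(WSSUtils.bundle.getString("noSecurityMechs"));
            }
            return (String) securityMechIds.get(0);
        } catch (Exception e) {
            WSSUtils.debug.error("MessageProcessor.processResourceOffering: Failed in processing the resource offering.", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("processOfferingFailed"));
        }
    }

    /**
     * Tells whether the mechanism URI selects the Liberty SAML token profile
     * (2003-08 URIs and the {@code SecurityMechanism.LIB_*_SAML_TOKEN_URI} constants).
     *
     * @param mech mechanism URI, may be {@code null}
     * @return {@code true} for a SAML token mechanism
     */
    private static boolean isSamlTokenMechanism(String mech) {
        if (mech == null) {
            return false;
        }
        return mech.equals("urn:liberty:security:2003-08:null:SAML")
                || mech.equals("urn:liberty:security:2003-08:TLS:SAML")
                || mech.equals("urn:liberty:security:2003-08:ClientTLS:SAML")
                || mech.equals(SecurityMechanism.LIB_NULL_SAML_TOKEN_URI)
                || mech.equals(SecurityMechanism.LIB_TLS_SAML_TOKEN_URI)
                || mech.equals(SecurityMechanism.LIB_CLIENT_TLS_SAML_TOKEN_URI);
    }

    /**
     * Tells whether the mechanism URI selects the Liberty SAML Bearer token profile
     * (2004-04 URIs and the {@code SecurityMechanism.LIB_*_SAML_BEARER_TOKEN_URI} constants).
     *
     * @param mech mechanism URI, may be {@code null}
     * @return {@code true} for a Bearer token mechanism
     */
    private static boolean isBearerTokenMechanism(String mech) {
        if (mech == null) {
            return false;
        }
        return mech.equals("urn:liberty:security:2004-04:null:Bearer")
                || mech.equals("urn:liberty:security:2004-04:TLS:Bearer")
                || mech.equals("urn:liberty:security:2004-04:ClientTLS:Bearer")
                || mech.equals(SecurityMechanism.LIB_NULL_SAML_BEARER_TOKEN_URI)
                || mech.equals(SecurityMechanism.LIB_TLS_SAML_BEARER_TOKEN_URI)
                || mech.equals(SecurityMechanism.LIB_CLIENT_TLS_SAML_BEARER_TOKEN_URI);
    }

    /**
     * Tells whether the mechanism URI selects the Liberty X.509 token profile
     * (2003-08 URIs and the {@code SecurityMechanism.LIB_*_X509_TOKEN_URI} constants).
     *
     * @param mech mechanism URI, may be {@code null}
     * @return {@code true} for an X.509 token mechanism
     */
    private static boolean isX509TokenMechanism(String mech) {
        if (mech == null) {
            return false;
        }
        return mech.equals("urn:liberty:security:2003-08:null:X509")
                || mech.equals("urn:liberty:security:2003-08:TLS:X509")
                || mech.equals("urn:liberty:security:2003-08:ClientTLS:X509")
                || mech.equals(SecurityMechanism.LIB_NULL_X509_TOKEN_URI)
                || mech.equals(SecurityMechanism.LIB_TLS_X509_TOKEN_URI)
                || mech.equals(SecurityMechanism.LIB_CLIENT_TLS_X509_TOKEN_URI);
    }

    /**
     * Obtains the server's admin {@code SSOToken} via the privileged {@code AdminTokenAction}.
     *
     * @return the admin token used for discovery queries and token issuance
     */
    private static SSOToken getAdminToken() {
        return (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
    }

    /**
     * Locates the {@code wsse:Security} element among the direct children of the SOAP header.
     * Both the local name and the WS-Security namespace must match, so a same-named element in
     * another namespace is not accepted.
     *
     * @param sOAPMessage the message whose header is searched
     * @return the {@code wsse:Security} element
     * @throws SOAPBindingException if the header has no children or no {@code wsse:Security}
     *         element ({@code noSecurityHeader}); previously the latter case returned
     *         {@code null} and the caller failed with an unlogged {@code NullPointerException}
     */
    private Element getSecurityHeader(SOAPMessage sOAPMessage) throws SOAPBindingException {
        try {
            NodeList childNodes = sOAPMessage.getSOAPPart().getEnvelope().getHeader().getChildNodes();
            if (childNodes == null || childNodes.getLength() == 0) {
                throw new SOAPBindingException(WSSUtils.bundle.getString("noSecurityHeader"));
            }
            for (int i = 0; i < childNodes.getLength(); i++) {
                Node item = childNodes.item(i);
                if (item.getNodeType() == Node.ELEMENT_NODE
                        && WSSConstants.WSSE_SECURITY_LNAME.equals(item.getLocalName())
                        && WSSConstants.WSSE_NS.equals(item.getNamespaceURI())) {
                    return (Element) item;
                }
            }
            WSSUtils.debug.error("MessageProcessor.getSecurityHeader: no wsse:Security element in header");
            throw new SOAPBindingException(WSSUtils.bundle.getString("noSecurityHeader"));
        } catch (SOAPException e) {
            WSSUtils.debug.error("MessageProcess.getSecurityHeader:: SOAPException", e);
            throw new SOAPBindingException(WSSUtils.bundle.getString("noSecurityHeader"));
        }
    }
}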
