package org.apache.cxf.ws.security.trust;

import java.util.Arrays;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.message.Message;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/ws/security/trust/STSTokenValidator.class */
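/**
 * WS-Security {@link Validator} that accepts a credential either after a local SAML
 * validation or after a Validate round-trip to a Security Token Service (STS).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Successful STS validations are cached in a {@link TokenStore} under a 32-bit
 *       {@code int} key. A cache hit returns the credential without contacting the STS.</li>
 *   <li>The key comes from {@link Arrays#hashCode(byte[])} over the SAML signature value, or
 *       from the token object's {@code hashCode()} for the other token kinds. Neither is
 *       collision resistant, so the cache key does not uniquely identify a token.</li>
 * </ul>
 */
public class STSTokenValidator implements Validator {
    /** Validator used for the local (non-STS) SAML assertion check. */
    private STSSamlAssertionValidator samlValidator = new STSSamlAssertionValidator();

    /** When {@code true}, local validation is skipped and every credential goes to the STS. */
    private boolean alwaysValidateToSts;

    /** Creates a validator that tries local SAML validation before falling back to the STS. */
    public STSTokenValidator() {
    }

    /**
     * @param alwaysValidateToSts {@code true} to bypass local validation and always call the STS
     */
    public STSTokenValidator(boolean alwaysValidateToSts) {
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    /**
     * Validates the credential locally when possible, otherwise delegates to the STS.
     *
     * @param credential the credential extracted from the security header
     * @param requestData the request context; its message context is cast to {@link SoapMessage}
     * @return the same {@code credential} instance, possibly with a transformed token set
     * @throws WSSecurityException if validation fails
     */
    @Override
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        if (isValidatedLocally(credential, requestData)) {
            return credential;
        }
        return validateWithSTS(credential, (SoapMessage) requestData.getMsgContext());
    }

    /**
     * Validates the credential's token against the STS, consulting the token cache first.
     *
     * @param credential the credential whose token is to be validated
     * @param message the current message, used to locate the token store and the STS client
     * @return the same {@code credential} instance; its transformed token is set on a cache hit
     *     or when the STS returns a token object other than the one submitted
     * @throws WSSecurityException wrapping any checked exception raised during validation;
     *     runtime exceptions are rethrown unchanged
     */
    public Credential validateWithSTS(Credential credential, Message message) throws WSSecurityException {
        try {
            SecurityToken requestToken = new SecurityToken();
            Element tokenElement = null;
            // 0 means "no usable cache key": the cache is neither read nor written.
            int hash = 0;
            if (credential.getAssertion() != null) {
                byte[] signatureValue = credential.getAssertion().getSignatureValue();
                if (signatureValue != null && signatureValue.length > 0) {
                    hash = Arrays.hashCode(signatureValue);
                }
                tokenElement = credential.getAssertion().getElement();
            } else if (credential.getUsernametoken() != null) {
                tokenElement = credential.getUsernametoken().getElement();
                hash = credential.getUsernametoken().hashCode();
            } else if (credential.getBinarySecurityToken() != null) {
                tokenElement = credential.getBinarySecurityToken().getElement();
                hash = credential.getBinarySecurityToken().hashCode();
            } else if (credential.getSecurityContextToken() != null) {
                tokenElement = credential.getSecurityContextToken().getElement();
                hash = credential.getSecurityContextToken().hashCode();
            }
            // NOTE(review): if the credential carries none of the four token kinds, tokenElement
            // stays null and a token with no element is submitted to the STS client; how the
            // client handles that is not visible here - confirm it fails closed.
            requestToken.setToken(tokenElement);

            TokenStore tokenStore = getTokenStore(message);
            if (tokenStore != null && hash != 0) {
                // NOTE(review): the cache key is a 32-bit non-cryptographic hash. Two different
                // tokens can map to the same key, and a hit skips the STS round-trip entirely.
                // A collision-resistant digest of the token bytes would be a safer key if the
                // TokenStore API allows one. No expiry check on the cached entry is made here;
                // whether the store evicts expired tokens is not shown - verify.
                SecurityToken cached = tokenStore.getTokenByAssociatedHash(hash);
                if (cached != null) {
                    credential.setTransformedToken(new AssertionWrapper(cached.getToken()));
                    return credential;
                }
            }

            STSClient client = STSUtils.getClient(message, "sts");
            // The client is used under its own monitor for the duration of the call.
            synchronized (client) {
                // JVM-wide side effect; the purpose of this property is not visible in this class.
                System.setProperty("noprint", "true");
                SecurityToken returnedToken = client.validateSecurityToken(requestToken).get(0);
                // Reference comparison is intentional: a different object means the STS handed
                // back a token of its own rather than the one that was submitted.
                if (returnedToken != requestToken) {
                    credential.setTransformedToken(new AssertionWrapper(returnedToken.getToken()));
                    // Same null guard as the cache lookup above, so a missing store can never
                    // turn a successful STS validation into a NullPointerException.
                    if (hash != 0 && tokenStore != null) {
                        returnedToken.setAssociatedHash(hash);
                        tokenStore.add(returnedToken);
                    }
                }
            }
            return credential;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", null, e);
        }
    }

    /**
     * Resolves the token store for the message, creating an in-memory one on first use.
     *
     * <p>Lookup order: the message's contextual property, then the endpoint property, then a new
     * {@link MemoryTokenStore} which is saved on the endpoint. The lookup runs while holding the
     * {@link EndpointInfo} monitor.
     *
     * @param message the current message; its exchange must carry an {@link Endpoint}
     * @return the resolved or newly created token store
     */
    static final TokenStore getTokenStore(Message message) {
        EndpointInfo endpointInfo = ((Endpoint) message.getExchange().get(Endpoint.class)).getEndpointInfo();
        String storeKey = TokenStore.class.getName();
        synchronized (endpointInfo) {
            TokenStore store = (TokenStore) message.getContextualProperty(storeKey);
            if (store == null) {
                store = (TokenStore) endpointInfo.getProperty(storeKey);
            }
            if (store == null) {
                store = new MemoryTokenStore();
                endpointInfo.setProperty(storeKey, store);
            }
            return store;
        }
    }

    /**
     * Attempts local validation of a SAML assertion credential.
     *
     * @param credential the credential to check
     * @param requestData the request context passed to the SAML validator
     * @return {@code false} when STS validation is forced or the credential has no assertion;
     *     otherwise whether the SAML validator reports that trust verification succeeded
     * @throws WSSecurityException wrapping any checked exception raised by the SAML validator;
     *     runtime exceptions are rethrown unchanged
     */
    protected boolean isValidatedLocally(Credential credential, RequestData requestData) throws WSSecurityException {
        if (this.alwaysValidateToSts || credential.getAssertion() == null) {
            return false;
        }
        try {
            this.samlValidator.validate(credential, requestData);
            // A false result here is not a rejection: the caller falls back to the STS.
            return this.samlValidator.isTrustVerificationSucceeded();
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", null, e);
        }
    }
}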
