package org.apache.rahas.impl;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.RahasData;
import org.apache.rahas.Token;
import org.apache.rahas.TokenStorage;
import org.apache.rahas.TokenValidator;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/open/rampart/rampart-trust-1.5.1.jar:org/apache/rahas/impl/SAMLTokenValidator.class */
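/**
 * Validates a previously issued SAML token (OpenSAML 1.x {@link SAMLAssertion}) for the
 * WS-Trust Validate binding.
 *
 * <p>The token is looked up in the token store by the id carried in the request, its
 * signature is verified against the public key of the configured issuer, and a
 * {@code wst:Status/wst:Code} of {@code valid} or {@code invalid} is returned. Any
 * failure to establish validity (unknown token id, unavailable issuer key, bad
 * signature, token cancelled or expired in the store, or outside its validity period)
 * yields {@code invalid}; the response never defaults to {@code valid}.
 *
 * <p>Issuer configuration is resolved in this order: the configuration element, the
 * configuration file, then the named Axis2 service parameter.
 */
public class SAMLTokenValidator implements TokenValidator {
    Log log = LogFactory.getLog(SAMLTokenValidator.class);
    // Path of the issuer configuration file; see setConfigurationFile.
    private String configFile;
    // Issuer configuration element; see setConfigurationElement.
    private OMElement configElement;
    // Name of the Axis2 parameter holding the issuer configuration; see setConfigurationParamName.
    private String configParamName;

    /**
     * Builds the RSTR (wrapped in an RSTRC for versions other than WS-Trust 2005/02)
     * carrying the validation status of the token identified by
     * {@code rahasData.getTokenId()}.
     *
     * @param rahasData request data; supplies the message context, WS-Trust version and token id
     * @return a SOAP envelope whose body holds the status response
     * @throws TrustException if the token store, the response elements or the issuer
     *         configuration cannot be obtained
     */
    @Override
    public SOAPEnvelope validate(RahasData rahasData) throws TrustException {
        MessageContext inMessageContext = rahasData.getInMessageContext();
        TokenStorage tokenStore = TrustUtil.getTokenStore(inMessageContext);
        int version = rahasData.getVersion();
        String wstNamespace = TrustUtil.getWSTNamespace(version);

        // DOOM is required while the stored token is handled as a W3C DOM Element; the flag
        // is restored in finally so a failure cannot leave it switched on for later processing.
        DocumentBuilderFactoryImpl.setDOOMRequired(true);
        try {
            SOAPEnvelope envelope = TrustUtil.createSOAPEnvelope(
                    inMessageContext.getEnvelope().getNamespace().getNamespaceURI());
            OMElement rstrElement = createResponseElement(version, envelope);
            TrustUtil.createTokenTypeElement(version, rstrElement)
                    .setText(wstNamespace + RahasConstants.TOK_TYPE_STATUS);
            OMElement statusElement = createMessageElement(version, rstrElement, "Status");

            // An unknown id yields null here; isValid maps that to an invalid status instead
            // of letting a NullPointerException escape.
            Token token = tokenStore.getToken(rahasData.getTokenId());
            PublicKey issuerKey = getIssuerPublicKey(inMessageContext);
            String statusCode = isValid(token, issuerKey)
                    ? RahasConstants.STATUS_CODE_VALID
                    : RahasConstants.STATUS_CODE_INVALID;
            createMessageElement(version, statusElement, "Code").setText(wstNamespace + statusCode);
            return envelope;
        } finally {
            DocumentBuilderFactoryImpl.setDOOMRequired(false);
        }
    }

    /**
     * Creates the RSTR element under the envelope body, wrapping it in an RSTRC unless the
     * request uses WS-Trust 2005/02.
     *
     * @param version  the WS-Trust version of the request
     * @param envelope the response envelope
     * @return the RSTR element to populate
     * @throws TrustException if the elements cannot be created for {@code version}
     */
    private static OMElement createResponseElement(int version, SOAPEnvelope envelope)
            throws TrustException {
        if (RahasConstants.VERSION_05_02 == version) {
            return TrustUtil.createRequestSecurityTokenResponseElement(version, envelope.getBody());
        }
        OMElement collection =
                TrustUtil.createRequestSecurityTokenResponseCollectionElement(version, envelope.getBody());
        return TrustUtil.createRequestSecurityTokenResponseElement(version, collection);
    }

    /**
     * Decides whether {@code token} is currently valid.
     *
     * <p>Valid means all of: the token exists, the issuer key is available, the store does
     * not mark the token cancelled or expired, the store's expiry time (if any) has not
     * passed, the assertion's signature verifies with the issuer key, and the current time
     * lies within the assertion's NotBefore/NotOnOrAfter window (where present). No
     * clock-skew tolerance is applied.
     *
     * @param token     the stored token, or {@code null} if the id was unknown
     * @param issuerKey the issuer's public key, or {@code null} if it could not be loaded
     * @return {@code true} only when every check passes
     */
    private boolean isValid(Token token, PublicKey issuerKey) {
        if (token == null) {
            log.error("No token found in the token store for the requested token id");
            return false;
        }
        if (issuerKey == null) {
            log.error("Issuer public key is not available; cannot verify the token signature");
            return false;
        }
        int state = token.getState();
        if (state == Token.CANCELLED || state == Token.EXPIRED) {
            log.info("Token is cancelled or expired in the token store");
            return false;
        }
        long now = System.currentTimeMillis();
        if (isOutsideWindow(null, token.getExpires(), now)) {
            log.info("Token lifetime recorded in the token store has elapsed");
            return false;
        }
        try {
            SAMLAssertion assertion = new SAMLAssertion((Element) token.getToken());
            log.info("Verifying token validity...");
            assertion.verify(issuerKey);
            // Signature checked first so that the Conditions we read below are the signed ones.
            if (isOutsideWindow(assertion.getNotBefore(), assertion.getNotOnOrAfter(), now)) {
                log.info("Token is outside its NotBefore/NotOnOrAfter validity period");
                return false;
            }
            return true;
        } catch (SAMLException e) {
            log.error("Could not verify signature", e);
            return false;
        }
    }

    /**
     * Tells whether {@code now} falls outside the window [notBefore, notOnOrAfter).
     *
     * @param notBefore    inclusive lower bound, or {@code null} for unbounded
     * @param notOnOrAfter exclusive upper bound, or {@code null} for unbounded
     * @param now          the instant to test, in epoch milliseconds
     * @return {@code true} if {@code now} is before the lower bound or on/after the upper bound
     */
    private static boolean isOutsideWindow(Date notBefore, Date notOnOrAfter, long now) {
        if (notBefore != null && now < notBefore.getTime()) {
            return true;
        }
        return notOnOrAfter != null && now >= notOnOrAfter.getTime();
    }

    /**
     * Resolves the public key of the configured issuer.
     *
     * @param messageContext used to look up the configuration parameter and the service class loader
     * @return the issuer's public key, or {@code null} if the crypto provider or the
     *         certificate for the configured {@code issuerKeyAlias} could not be loaded (logged)
     * @throws TrustException if no issuer configuration is available or the configured
     *         parameter is missing from the message context
     */
    private PublicKey getIssuerPublicKey(MessageContext messageContext) throws TrustException {
        SAMLTokenIssuerConfig config = loadIssuerConfig(messageContext);
        if (config == null) {
            throw new TrustException("configurationIsNull");
        }
        ClassLoader classLoader = messageContext.getAxisService().getClassLoader();
        try {
            // An inline crypto element takes precedence over the properties file.
            Crypto crypto = config.cryptoElement != null
                    ? CryptoFactory.getInstance(TrustUtil.toProperties(config.cryptoElement), classLoader)
                    : CryptoFactory.getInstance(config.cryptoPropertiesFile, classLoader);
            X509Certificate[] certificates = crypto.getCertificates(config.issuerKeyAlias);
            // Guarded so a missing alias is reported rather than surfacing as an index error.
            if (certificates == null || certificates.length == 0) {
                log.error("No certificate found for issuer key alias " + config.issuerKeyAlias);
                return null;
            }
            return certificates[0].getPublicKey();
        } catch (Exception e) {
            log.error("Could not retrieve issuer public key", e);
            return null;
        }
    }

    /**
     * Loads the issuer configuration from the first source that is set: the configuration
     * element, then the configuration file, then the named service parameter.
     *
     * @param messageContext used to look up the configuration parameter
     * @return the configuration, or {@code null} if no source is set or it could not be parsed (logged)
     * @throws TrustException if the named parameter is absent, or the selected source reports
     *         a trust error while being parsed
     */
    private SAMLTokenIssuerConfig loadIssuerConfig(MessageContext messageContext) throws TrustException {
        try {
            if (configElement != null) {
                return new SAMLTokenIssuerConfig(
                        configElement.getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
            }
            if (configFile != null) {
                return new SAMLTokenIssuerConfig(configFile);
            }
            if (configParamName != null) {
                Parameter parameter = messageContext.getParameter(configParamName);
                if (parameter == null || parameter.getParameterElement() == null) {
                    throw new TrustException("expectedParameterMissing", new String[]{configParamName});
                }
                return new SAMLTokenIssuerConfig(
                        parameter.getParameterElement().getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
            }
            return null;
        } catch (TrustException e) {
            // Surface the specific cause instead of collapsing it into "configurationIsNull".
            throw e;
        } catch (Exception e) {
            log.error("Could not load issuer configuration", e);
            return null;
        }
    }

    /**
     * Creates a child element in the WS-Trust namespace of {@code version}, prefixed {@code wst}.
     *
     * @param version   the WS-Trust version selecting the namespace
     * @param parent    the element to attach the child to
     * @param localName the child's local name
     * @return the new child element
     * @throws TrustException if no namespace is known for {@code version}
     */
    private static OMElement createMessageElement(int version, OMElement parent, String localName)
            throws TrustException {
        return createOMElement(parent, TrustUtil.getWSTNamespace(version), localName, "wst");
    }

    /**
     * Creates a child element using the parent's OM factory.
     *
     * @param parent       the element to attach the child to
     * @param namespaceUri the child's namespace URI
     * @param localName    the child's local name
     * @param prefix       the child's namespace prefix
     * @return the new child element
     */
    private static OMElement createOMElement(OMElement parent, String namespaceUri, String localName,
                                             String prefix) {
        return parent.getOMFactory().createOMElement(new QName(namespaceUri, localName, prefix), parent);
    }

    /**
     * Sets the path of the issuer configuration file, used when no configuration element is set.
     *
     * @param str the configuration file path
     */
    @Override
    public void setConfigurationFile(String str) {
        this.configFile = str;
    }

    /**
     * Sets the name of the Axis2 parameter holding the issuer configuration, used when
     * neither a configuration element nor a file is set.
     *
     * @param str the parameter name
     */
    @Override
    public void setConfigurationParamName(String str) {
        this.configParamName = str;
    }

    /**
     * Sets the issuer configuration element; it takes precedence over the file and parameter.
     *
     * @param oMElement the element containing the issuer configuration
     */
    @Override
    public void setConfigurationElement(OMElement oMElement) {
        this.configElement = oMElement;
    }
}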
