package com.ibm.xml.soapsec;

import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.xml.soapsec.dsig.SignatureReceiver;
import com.ibm.xml.soapsec.dsig.SignatureReceiverConfig;
import com.ibm.xml.soapsec.dsig.SignatureResult;
import com.ibm.xml.soapsec.dsig.SignedPartChecker;
import com.ibm.xml.soapsec.enc.EncryptedPartChecker;
import com.ibm.xml.soapsec.enc.EncryptionReceiver;
import com.ibm.xml.soapsec.enc.EncryptionReceiverConfig;
import com.ibm.xml.soapsec.proxy.FaultProxy;
import com.ibm.xml.soapsec.proxy.MessageContextProxy;
import com.ibm.xml.soapsec.proxy.MessageFactory;
import com.ibm.xml.soapsec.proxy.MessageProxy;
import com.ibm.xml.soapsec.proxy.SOAPEnvelopeProxy;
import com.ibm.xml.soapsec.proxy.SOAPHeaderElementProxy;
import com.ibm.xml.soapsec.time.TimestampChecker;
import com.ibm.xml.soapsec.time.TimestampReceiver;
import com.ibm.xml.soapsec.time.TimestampReceiverConfig;
import com.ibm.xml.soapsec.token.BinaryTokenReceiver;
import com.ibm.xml.soapsec.token.LoginResult;
import com.ibm.xml.soapsec.token.ReceiverLogin;
import com.ibm.xml.soapsec.token.ReceiverLoginComponent;
import com.ibm.xml.soapsec.token.TokenReceiverConfig;
import com.ibm.xml.soapsec.token.TokenResult;
import com.ibm.xml.soapsec.token.UsernameTokenReceiver;
import com.ibm.xml.soapsec.token.XMLTokenReceiver;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.DOMUtil;
import com.ibm.xml.soapsec.util.NamespaceUtil;
import com.ibm.xml.soapsec.util.SetupJCEProviders;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.faces.validator.BeanValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/ibm/xml/soapsec/SoapSecurityReceiver.class */
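/**
 * Receiver-side driver for WS-Security processing of an inbound SOAP message.
 *
 * <p>For each message, {@link #invoke(MessageContextProxy)} builds a fresh set of
 * receiver/checker components, locates the {@code wsse:Security} header addressed to the
 * configured actor, dispatches every child of that header to the matching component and
 * finally runs the "required part" checkers, login and timestamp checks.
 *
 * <p>State handling, as visible in this class:
 * <ul>
 *   <li>Per-message options live in a map held by a {@link ThreadLocal}; it is dropped at the
 *       start and in the {@code finally} of {@code invoke}.</li>
 *   <li>Handler options live in a plain {@link HashMap} on the instance; no synchronization
 *       is applied here.</li>
 * </ul>
 *
 * <p>Security-relevant behaviour a reviewer should be aware of (each is detailed at the
 * relevant statement):
 * <ul>
 *   <li>When the configuration requires nothing and {@code mustUnderstand} is not set, the
 *       message is passed through without any WS-Security processing.</li>
 *   <li>When {@code isSignatureReady()} is false, a failing {@code ds:Signature} is logged
 *       and ignored instead of faulting the request.</li>
 *   <li>{@code countSecurityHeaders} matches on local name only, while
 *       {@code getSecurityHeader} also checks the namespace.</li>
 * </ul>
 */
public abstract class SoapSecurityReceiver {
    /** Message-option key under which the {@code ReceiverConfig} is stored (its class name). */
    public static final String CONFIG_KEY;
    // Holds the per-message option map for the current thread.
    private ThreadLocal _messageConfig = new ThreadLocal();
    // Handler-level options shared by every invocation on this instance.
    private Map handlerOption = new HashMap();
    private static final TraceComponent tc;
    private static final String comp = "security.wssecurity";
    private static final String clsName;

    /**
     * Stores a handler-level option.
     *
     * @param str option name
     * @param obj option value
     */
    public void setHandlerOption(String str, Object obj) {
        this.handlerOption.put(str, obj);
    }

    /**
     * Returns a handler-level option.
     *
     * @param str option name
     * @return the stored value, or {@code null} when none is set
     */
    public Object getHandlerOption(String str) {
        return this.handlerOption.get(str);
    }

    private Map getHandlerOptions() {
        return this.handlerOption;
    }

    /** Drops the current thread's per-message option map. */
    private final void clear() {
        // remove() rather than set(null): the next get() still yields null, but no entry is
        // left behind on a thread that is reused for unrelated requests.
        this._messageConfig.remove();
    }

    /** Returns the current thread's per-message option map, creating it on first use. */
    private Map getMessageConfig() {
        Map map = (Map) this._messageConfig.get();
        if (map == null) {
            map = new HashMap();
            this._messageConfig.set(map);
        }
        return map;
    }

    /**
     * Stores a per-message option for the current thread.
     *
     * @param str option name
     * @param obj option value
     */
    public void setMessageOption(String str, Object obj) {
        getMessageConfig().put(str, obj);
    }

    /**
     * Returns a per-message option for the current thread.
     *
     * @param str option name
     * @return the stored value, or {@code null} when none is set
     */
    public Object getMessageOption(String str) {
        return getMessageConfig().get(str);
    }

    /**
     * Returns the live per-message option map of the current thread (not a copy), so callers
     * can modify the state used by the rest of the invocation.
     *
     * @return the mutable option map
     */
    public Map getMessageOptions() {
        return getMessageConfig();
    }

    /** Lifecycle hook; does nothing in this base class. */
    public void init() {
    }

    /**
     * Creates and initialises the receiver/checker components for the current message and
     * registers each one as a message option keyed by its class name.
     *
     * <p>The {@code ReceiverConfig} is read from the message option {@link #CONFIG_KEY}.
     * {@code invoke} clears the per-message options immediately before calling this method,
     * so the configuration has to be put in place by an override before delegating here
     * (presumably what subclasses do; verify against the concrete receivers).
     *
     * @param messageContextProxy the message context; only used for tracing here
     * @throws RuntimeException when the configuration is missing or a component fails to
     *     initialise; the original exception is attached as the cause
     */
    protected void initConfig(MessageContextProxy messageContextProxy) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initConfig(" + messageContextProxy + ")");
        }
        SignatureReceiver signatureReceiver = new SignatureReceiver();
        SignedPartChecker signedPartChecker = new SignedPartChecker();
        UsernameTokenReceiver usernameTokenReceiver = new UsernameTokenReceiver();
        BinaryTokenReceiver binaryTokenReceiver = new BinaryTokenReceiver();
        XMLTokenReceiver xMLTokenReceiver = new XMLTokenReceiver();
        ReceiverLoginComponent createLoginComponent = createLoginComponent();
        TimestampReceiver timestampReceiver = new TimestampReceiver();
        TimestampChecker timestampChecker = new TimestampChecker();
        EncryptionReceiver encryptionReceiver = new EncryptionReceiver();
        EncryptedPartChecker encryptedPartChecker = new EncryptedPartChecker();
        ReceiverConfig receiverConfig = (ReceiverConfig) getMessageOption(CONFIG_KEY);
        // NOTE(review): the whole configuration object is written to the debug trace; confirm
        // that its toString() does not expose key-store or credential settings.
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Configuration object is as follows:", new Object[]{receiverConfig});
        }
        try {
            // Fail with a meaningful message instead of a NullPointerException whose
            // getMessage() is null.
            if (receiverConfig == null) {
                throw new IllegalStateException("No ReceiverConfig is set under message option " + CONFIG_KEY);
            }
            // Components look up their own configuration slice by config class.
            Map hashMap = new HashMap();
            hashMap.put(ReceiverConfig.class, receiverConfig);
            hashMap.put(SignatureReceiverConfig.class, receiverConfig.getSignatureConfig());
            hashMap.put(TokenReceiverConfig.class, receiverConfig.getTokenConfig());
            hashMap.put(EncryptionReceiverConfig.class, receiverConfig.getDecryptionConfig());
            hashMap.put(TimestampReceiverConfig.class, receiverConfig.getTimestampConfig());
            signatureReceiver.init(hashMap);
            signedPartChecker.init(hashMap);
            usernameTokenReceiver.init(hashMap);
            binaryTokenReceiver.init(hashMap);
            xMLTokenReceiver.init(hashMap);
            createLoginComponent.init(hashMap);
            timestampReceiver.init(hashMap);
            timestampChecker.init(hashMap);
            encryptionReceiver.init(hashMap);
            encryptedPartChecker.init(hashMap);
            // Registered by class name so getComponent(Class) can find them during invoke.
            setMessageOption(SignatureReceiver.class.getName(), signatureReceiver);
            setMessageOption(SignedPartChecker.class.getName(), signedPartChecker);
            setMessageOption(UsernameTokenReceiver.class.getName(), usernameTokenReceiver);
            setMessageOption(BinaryTokenReceiver.class.getName(), binaryTokenReceiver);
            setMessageOption(XMLTokenReceiver.class.getName(), xMLTokenReceiver);
            setMessageOption(ReceiverLoginComponent.class.getName(), createLoginComponent);
            setMessageOption(TimestampReceiver.class.getName(), timestampReceiver);
            setMessageOption(TimestampChecker.class.getName(), timestampChecker);
            setMessageOption(EncryptionReceiver.class.getName(), encryptionReceiver);
            setMessageOption(EncryptedPartChecker.class.getName(), encryptedPartChecker);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "initConfig(MessageContext context)");
            }
        } catch (Exception e) {
            Tr.processException(e, clsName + ".initConfig", "137", this);
            Tr.error(tc, "security.wssecurity.SoapSecurityReceiver.initConfig", e);
            // Keep the cause so the original failure stays visible to the caller.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Hook called before the components run; does nothing and returns {@code false} here.
     *
     * @param messageContextProxy the message context
     * @param map the per-invocation component context
     * @return {@code false} in this base class
     * @throws FaultProxy declared for overriding implementations
     */
    protected boolean adjustContext(MessageContextProxy messageContextProxy, Map map) throws FaultProxy {
        return false;
    }

    /**
     * Hook called after the components ran; does nothing and returns {@code false} here.
     *
     * @param messageContextProxy the message context
     * @param map the per-invocation component context
     * @return {@code false} in this base class
     * @throws FaultProxy declared for overriding implementations
     */
    protected boolean backContext(MessageContextProxy messageContextProxy, Map map) throws FaultProxy {
        return false;
    }

    /**
     * Factory for the login component; overridable.
     *
     * @return a new {@code ReceiverLogin}
     */
    protected ReceiverLoginComponent createLoginComponent() {
        return new ReceiverLogin();
    }

    /**
     * Processes the WS-Security content of the current message.
     *
     * <p>Order of work: reset per-message state, build components, validate the
     * configuration, locate the Security header for the configured actor, settle the
     * wsse/wsu namespaces, run the timestamp receiver, dispatch each Security header child,
     * run the required-part/login/timestamp checkers, publish results to the context.
     *
     * @param messageContextProxy the message context holding the current message
     * @throws FaultProxy when the configuration is invalid or any processing step fails
     */
    public void invoke(MessageContextProxy messageContextProxy) throws FaultProxy {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invoke(" + messageContextProxy + ")");
        }
        clear();
        try {
            boolean z = false;
            MessageProxy currentMessage = messageContextProxy.getCurrentMessage();
            initConfig(messageContextProxy);
            ReceiverConfig receiverConfig = (ReceiverConfig) getMessageOption(CONFIG_KEY);
            try {
                receiverConfig.validate();
                try {
                    Document document = currentMessage.getDocument();
                    Element securityHeader = getSecurityHeader(document, receiverConfig.getMyActor());
                    if (securityHeader != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "invoke wsse:Security found: " + securityHeader);
                        }
                        z = ConfigUtil.isTrue(securityHeader.getAttributeNS("http://schemas.xmlsoap.org/soap/envelope/", com.ibm.ws.webservices.engine.Constants.ATTR_MUST_UNDERSTAND));
                        ConfigUtil.setMustUnderstand(messageContextProxy, z);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "invoke wsse:Security.mustUnderstand: " + z);
                        }
                    }
                    // Pass-through: nothing is required by configuration, no received
                    // timestamp is to be recorded and the sender did not mark the header
                    // mustUnderstand. Any Security header content is then left unverified.
                    if (!receiverConfig.isSignatureRequired() && !receiverConfig.isLoginRequired() && !receiverConfig.isDecryptionRequired() && ((receiverConfig.getTimestampConfig() == null || !receiverConfig.getTimestampConfig().addReceivedTimestamp()) && !z)) {
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "invoke(MessageContextProxy context)");
                        }
                        return;
                    }
                    // Faults here only when some "Security" header exists but none matches
                    // the namespace/actor. A message with no Security header at all continues,
                    // so rejecting it relies on the checkers invoked further down.
                    if (securityHeader == null && ((receiverConfig.isSignatureRequired() || receiverConfig.isLoginRequired() || receiverConfig.isDecryptionRequired()) && countSecurityHeaders(document) > 0)) {
                        throw FaultProxy.makeFault((receiverConfig.getMyActor() == null || receiverConfig.getMyActor().trim().length() == 0) ? new SoapSecurityException("The Application Server expected a Security header with the " + Constants.NS_WSSE + " or " + Constants.NS_WSSE200207 + " or " + Constants.NS_WSSE200204 + " namespace, but it was not found.") : new SoapSecurityException("The Application Server expected a Security header with the " + Constants.NS_WSSE + " or " + Constants.NS_WSSE200207 + " or " + Constants.NS_WSSE200204 + " namespace and the " + receiverConfig.getMyActor() + " actor, but it was not found."));
                    }
                    // Per-invocation context shared by all components; results are pooled in it.
                    HashMap hashMap = new HashMap();
                    ResultPool.initialize(hashMap);
                    adjustContext(messageContextProxy, hashMap);
                    String str = (String) messageContextProxy.getConfig(Constants.REQUEST_WSSE_NAMESPACE);
                    try {
                        // Namespaces are derived from the message only when the context does
                        // not already carry a wsse namespace.
                        boolean wsseNamespaceUnset = str == null || str.length() == 0;
                        if (wsseNamespaceUnset) {
                            if (securityHeader != null) {
                                String namespaceURI = securityHeader.getNamespaceURI();
                                if (namespaceURI == null || namespaceURI.length() == 0 || !NamespaceUtil.isWsse(namespaceURI)) {
                                    throw SoapSecurityException.format("security.wssecurity.WSEC6720E", namespaceURI);
                                }
                                messageContextProxy.setConfig(Constants.REQUEST_WSSE_NAMESPACE, namespaceURI);
                                String correspondingWSUNS = NamespaceUtil.getCorrespondingWSUNS(namespaceURI);
                                if (correspondingWSUNS != null && correspondingWSUNS.length() != 0) {
                                    messageContextProxy.setConfig(Constants.REQUEST_WSU_NAMESPACE, correspondingWSUNS);
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "No wsu namespace found for " + namespaceURI);
                                }
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Incoming namespaces, wsse = " + namespaceURI + ", wsu = " + correspondingWSUNS);
                                }
                            } else {
                                // No Security header: default wsse, then take the wsu namespace
                                // from whichever Timestamp header(s) are present. The meaning of
                                // the boolean passed to getTimestampHeader is not visible here.
                                Tr.warning(tc, "security.wssecurity.SoapSecurityReceiver.getSecurityHeader", receiverConfig.getMyActor());
                                messageContextProxy.setConfig(Constants.REQUEST_WSSE_NAMESPACE, Constants.NS_WSSE);
                                Element timestampHeader = TimestampReceiver.getTimestampHeader(document, true);
                                String namespaceURI2 = timestampHeader != null ? timestampHeader.getNamespaceURI() : null;
                                Element timestampHeader2 = TimestampReceiver.getTimestampHeader(document, false);
                                String namespaceURI3 = timestampHeader2 != null ? timestampHeader2.getNamespaceURI() : null;
                                if ((namespaceURI2 == null || namespaceURI2.length() == 0) && (namespaceURI3 == null || namespaceURI3.length() == 0)) {
                                    messageContextProxy.setConfig(Constants.REQUEST_WSU_NAMESPACE, Constants.NS_WSU);
                                } else if (namespaceURI2 == null || namespaceURI2.length() == 0) {
                                    if (!NamespaceUtil.isWsu(namespaceURI3)) {
                                        throw SoapSecurityException.format("security.wssecurity.WSEC6720E", namespaceURI3);
                                    }
                                    messageContextProxy.setConfig(Constants.REQUEST_WSU_NAMESPACE, namespaceURI3);
                                } else if (namespaceURI3 == null || namespaceURI3.length() == 0) {
                                    if (!NamespaceUtil.isWsu(namespaceURI2)) {
                                        throw SoapSecurityException.format("security.wssecurity.WSEC6720E", namespaceURI2);
                                    }
                                    messageContextProxy.setConfig(Constants.REQUEST_WSU_NAMESPACE, namespaceURI2);
                                } else {
                                    // Both lookups found a Timestamp: they must agree.
                                    if (namespaceURI2.compareTo(namespaceURI3) != 0) {
                                        throw SoapSecurityException.format("security.wssecurity.WSEC6721E", namespaceURI2, namespaceURI3);
                                    }
                                    if (!NamespaceUtil.isWsu(namespaceURI2)) {
                                        throw SoapSecurityException.format("security.wssecurity.WSEC6720E", namespaceURI2);
                                    }
                                    messageContextProxy.setConfig(Constants.REQUEST_WSU_NAMESPACE, namespaceURI2);
                                }
                            }
                            if (!NamespaceUtil.validate(messageContextProxy)) {
                                throw SoapSecurityException.format("security.wssecurity.WSEC6721E", "wsse=" + ((String) messageContextProxy.getConfig(Constants.REQUEST_WSSE_NAMESPACE)), "wsu=" + ((String) messageContextProxy.getConfig(Constants.REQUEST_WSU_NAMESPACE)));
                            }
                        }
                        hashMap.put(Constants.REQUEST_WSSE_NAMESPACE, messageContextProxy.getConfig(Constants.REQUEST_WSSE_NAMESPACE));
                        hashMap.put(Constants.REQUEST_WSU_NAMESPACE, messageContextProxy.getConfig(Constants.REQUEST_WSU_NAMESPACE));
                        // The timestamp receiver works on the SOAP header, before any child of
                        // the Security header is dispatched.
                        invokeComponent(document, SoapSecuritySender.getHeader(document), hashMap, TimestampReceiver.class);
                        if (securityHeader != null) {
                            for (Element firstElement = DOMUtil.getFirstElement(securityHeader); firstElement != null; firstElement = DOMUtil.getNextElement(firstElement)) {
                                String namespaceURI4 = firstElement.getNamespaceURI();
                                String localName = firstElement.getLocalName();
                                if (Constants.NS_DSIG.equals(namespaceURI4) && localName.equals(Constants.STR_SIG)) {
                                    if (receiverConfig.isSignatureReady()) {
                                        invokeComponent(document, firstElement, hashMap, SignatureReceiver.class);
                                    } else {
                                        // SECURITY: in this configuration a signature that fails
                                        // to verify is logged and ignored, and processing goes on.
                                        // Downstream code must not treat the mere presence of a
                                        // ds:Signature as proof of integrity; SignedPartChecker
                                        // below runs only when isSignatureRequired() is true.
                                        try {
                                            invokeComponent(document, firstElement, hashMap, SignatureReceiver.class);
                                        } catch (Exception e) {
                                            Tr.processException(e, clsName + ".invoke", "276", this);
                                            Tr.error(tc, "security.wssecurity.invaliddsig.ignore", e);
                                        }
                                    }
                                } else if (NamespaceUtil.isWsse(namespaceURI4) && localName.equals("UsernameToken")) {
                                    invokeComponent(document, firstElement, hashMap, UsernameTokenReceiver.class);
                                } else if (NamespaceUtil.isWsse(namespaceURI4) && localName.equals("BinarySecurityToken")) {
                                    invokeComponent(document, firstElement, hashMap, BinaryTokenReceiver.class);
                                } else if (Constants.NS_ENC.equals(namespaceURI4) && (localName.equals("EncryptedKey") || localName.equals("ReferenceList"))) {
                                    invokeComponent(document, firstElement, hashMap, EncryptionReceiver.class);
                                } else {
                                    // Every unrecognised child, whatever its namespace, is handed
                                    // to the XML token receiver.
                                    invokeComponent(document, firstElement, hashMap, XMLTokenReceiver.class);
                                }
                            }
                        }
                        // Enforcement of what the configuration requires happens here, after
                        // all header children were consumed.
                        if (receiverConfig.isSignatureRequired()) {
                            invokeComponent(document, null, hashMap, SignedPartChecker.class);
                        }
                        if (receiverConfig.isDecryptionRequired()) {
                            invokeComponent(document, null, hashMap, EncryptedPartChecker.class);
                        }
                        if (receiverConfig.isLoginRequired()) {
                            invokeComponent(document, null, hashMap, ReceiverLoginComponent.class);
                        }
                        invokeComponent(document, null, hashMap, TimestampChecker.class);
                        Result[] resultArr = ResultPool.get(hashMap, LoginResult.class);
                        processCertificateResults(ResultPool.get(hashMap, SignatureResult.class), ResultPool.get(hashMap, TokenResult.X509.class), messageContextProxy);
                        if (resultArr.length != 0) {
                            processLoginResults(resultArr, messageContextProxy);
                        }
                        Result[] resultArr2 = ResultPool.get(hashMap, SignatureResult.class);
                        if (resultArr2.length != 0) {
                            // Only the certificate of the first signature result is published.
                            messageContextProxy.setConfig(Constants.REQUEST_CERT, ((SignatureResult) resultArr2[0]).getCertificate());
                        }
                        // A component changed the document: rebuild the current message from it.
                        if (ResultPool.get(hashMap, WriteBackResult.class).length > 0) {
                            try {
                                messageContextProxy.setCurrentMessage(MessageFactory.getInstance().create(document, currentMessage));
                            } catch (Exception e2) {
                                throw FaultProxy.makeFault(e2);
                            }
                        }
                        backContext(messageContextProxy, hashMap);
                        // Mark the headers as processed on the (possibly rebuilt) envelope.
                        SOAPEnvelopeProxy sOAPEnvelope = messageContextProxy.getCurrentMessage().getSOAPEnvelope();
                        SOAPHeaderElementProxy wsseHeaderByName = NamespaceUtil.getWsseHeaderByName(sOAPEnvelope, "Security", false);
                        if (wsseHeaderByName != null) {
                            wsseHeaderByName.setProcessed(true);
                        }
                        SOAPHeaderElementProxy wsuHeaderByName = NamespaceUtil.getWsuHeaderByName(sOAPEnvelope, "Timestamp", true);
                        if (wsuHeaderByName != null) {
                            wsuHeaderByName.setProcessed(true);
                        }
                        ResultPool.finalize(hashMap);
                        clear();
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "invoke(MessageContextProxy context)");
                        }
                    } catch (Exception e3) {
                        Tr.processException(e3, clsName + ".invoke", "321", this);
                        Tr.error(tc, "security.wssecurity.invoke.exception", new Object[]{messageContextProxy.getTargetEndpointAddress(), e3});
                        throw FaultProxy.makeFault(e3);
                    }
                } catch (Exception e4) {
                    // NOTE(review): faults thrown by the inner catch above and by the
                    // missing-header check are raised inside this try, so if FaultProxy is an
                    // Exception subtype they are logged and wrapped a second time here under
                    // the getDocument message key. The source id lacks the '.' used elsewhere
                    // and the probe id is the literal "%C"; both are kept as found.
                    Tr.processException(e4, clsName + "invoke", "%C", this);
                    Tr.error(tc, "security.wssecuritymessage.getDocument", e4);
                    throw FaultProxy.makeFault(e4);
                }
            } catch (SoapSecurityException e5) {
                Tr.processException((Throwable) e5, clsName + ".invoke", "198", (Object) this);
                Tr.error(tc, "security.wssecurity.config.invalid", e5);
                throw FaultProxy.makeFault(e5);
            }
        } finally {
            // Always drop the per-message state, including on the early return and on faults.
            clear();
        }
    }

    /**
     * Fault hook; only emits entry/exit trace in this base class.
     *
     * @param messageContextProxy the message context
     */
    public void onFault(MessageContextProxy messageContextProxy) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "onFault(" + messageContextProxy + ")");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "onFault(MessageContextProxy context)");
        }
    }

    /**
     * Hook receiving the login results; only traces in this base class.
     *
     * @param resultArr login results collected during {@code invoke}
     * @param messageContextProxy the message context
     * @throws Exception declared for overriding implementations
     */
    protected void processLoginResults(Result[] resultArr, MessageContextProxy messageContextProxy) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processLoginResults(" + resultArr + BeanValidator.VALIDATION_GROUPS_DELIMITER + messageContextProxy + ")");
            Tr.exit(tc, "processLoginResults(Result[] results, MessageContext context)");
        }
    }

    /**
     * Hook receiving signature and X.509 token results; only traces in this base class.
     *
     * @param resultArr signature results
     * @param resultArr2 X.509 token results
     * @param messageContextProxy the message context
     * @throws Exception declared for overriding implementations
     */
    protected void processCertificateResults(Result[] resultArr, Result[] resultArr2, MessageContextProxy messageContextProxy) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processCertificateResults(" + resultArr + BeanValidator.VALIDATION_GROUPS_DELIMITER + resultArr2 + BeanValidator.VALIDATION_GROUPS_DELIMITER + messageContextProxy + ")");
            Tr.exit(tc, "processCertificateResults(Result[] resultSign, Result [] resultToken, MessageContext context)");
        }
    }

    /**
     * Looks up the component registered for {@code cls} and runs it.
     *
     * @param document the message document
     * @param element the element the component should work on; {@code null} for checkers
     * @param map the per-invocation component context
     * @param cls the component class used as lookup key
     * @throws Exception whatever the component throws
     */
    private void invokeComponent(Document document, Element element, Map map, Class cls) throws Exception {
        // NOTE(review): the entry trace stringifies the document, the element and the context
        // map; with entry tracing on, message content may end up in the trace log.
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invokeComponent(" + document + BeanValidator.VALIDATION_GROUPS_DELIMITER + element + BeanValidator.VALIDATION_GROUPS_DELIMITER + map + BeanValidator.VALIDATION_GROUPS_DELIMITER + cls + ")");
        }
        getComponent(cls).invoke(document, element, map);
        if (tc.isEntryEnabled()) {
            // Exit, not a second entry: keeps entry/exit pairs balanced in the trace.
            Tr.exit(tc, "invokeComponent(Document doc, Element target, Map context, Class cl)");
        }
    }

    /** Returns the component stored by {@code initConfig} under the class name of {@code cls}. */
    private SoapSecurityComponent getComponent(Class cls) {
        return (SoapSecurityComponent) getMessageOption(cls.getName());
    }

    /**
     * Finds the first {@code Security} header in a wsse namespace whose SOAP actor matches.
     *
     * <p>Matching rule: a {@code null} configured actor matches only a header that carries no
     * actor attribute; otherwise the attribute value must equal the configured actor exactly.
     * The search stops at the first match, so further matching headers are not detected.
     *
     * @param document the message document
     * @param str the configured actor, may be {@code null}
     * @return the matching header element, or {@code null} when there is none
     */
    private static Element getSecurityHeader(Document document, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityHeader(" + document + BeanValidator.VALIDATION_GROUPS_DELIMITER + str + ")");
        }
        Element header = DOMUtil.getFirstElement(document.getDocumentElement(), "http://schemas.xmlsoap.org/soap/envelope/", com.ibm.ws.webservices.engine.Constants.ELEM_HEADER);
        if (header == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getSecurityHeader(Document doc, String actor) returns null");
            }
            return null;
        }
        for (Element element = DOMUtil.getFirstElement(header); element != null; element = DOMUtil.getNextElement(element)) {
            if (NamespaceUtil.isWsse(element.getNamespaceURI()) && "Security".equals(element.getLocalName())) {
                // Distinguish "attribute absent" (null) from "attribute present but empty".
                String str2 = null;
                if (element.getAttributeNodeNS("http://schemas.xmlsoap.org/soap/envelope/", com.ibm.ws.webservices.engine.Constants.ATTR_ACTOR) != null) {
                    str2 = element.getAttributeNS("http://schemas.xmlsoap.org/soap/envelope/", com.ibm.ws.webservices.engine.Constants.ATTR_ACTOR);
                }
                if (str == null && str2 == null) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "getSecurityHeader(Document doc, String  actor) returns " + element);
                    }
                    return element;
                }
                if (str != null && str2 != null && str.equals(str2)) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "getSecurityHeader(Document doc, String actor) returns " + element);
                    }
                    return element;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityHeader(Document doc, String actor) returns null");
        }
        return null;
    }

    /**
     * Counts SOAP header children whose local name is {@code Security}.
     *
     * <p>Unlike {@code getSecurityHeader}, the namespace is not checked, so an element named
     * {@code Security} in any namespace, addressed to any actor, is counted.
     *
     * @param document the message document
     * @return the number of such header children; 0 when there is no SOAP header
     */
    private static int countSecurityHeaders(Document document) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "countSecurityHeaders(" + document + ")");
        }
        Element header = DOMUtil.getFirstElement(document.getDocumentElement(), "http://schemas.xmlsoap.org/soap/envelope/", com.ibm.ws.webservices.engine.Constants.ELEM_HEADER);
        if (header == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "countSecurityHeaders(Document doc) returns zero");
            }
            return 0;
        }
        int i = 0;
        for (Element element = DOMUtil.getFirstElement(header); element != null; element = DOMUtil.getNextElement(element)) {
            if ("Security".equals(element.getLocalName())) {
                i++;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "countSecurityHeaders(Document doc) returns " + i);
        }
        return i;
    }

    static {
        // The mere presence of the "setup-jce" system property (any value) triggers JCE
        // provider setup; the property is read in a privileged block.
        if (((String) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.xml.soapsec.SoapSecurityReceiver.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                return System.getProperty("setup-jce");
            }
        })) != null) {
            SetupJCEProviders.setup();
        }
        CONFIG_KEY = ReceiverConfig.class.getName();
        tc = Tr.register(SoapSecurityReceiver.class, Constants.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
        clsName = SoapSecurityReceiver.class.getName();
    }
}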
