package org.apache.ws.security.processor;

import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.SAMLTokenPrincipal;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/open/security/wss4j-1.6.4.jar:org/apache/ws/security/processor/SAMLTokenProcessor.class */
/**
 * Processor for a SAML {@code Assertion} element found in a WS-Security header.
 *
 * <p>The processor wraps the element in an {@link AssertionWrapper}, verifies the
 * enveloped XML signature <em>only if the assertion carries one</em>, parses any
 * holder-of-key subject, and then hands the resulting {@link Credential} to the
 * {@link Validator} registered for the element's QName (if any). The outcome is
 * recorded in the {@link WSDocInfo} so that later references to the same assertion
 * ID resolve to the same result.
 *
 * <p>Security notes for consumers of the result list:
 * <ul>
 *   <li>An unsigned assertion is <b>not</b> rejected here; it is recorded with action
 *       code {@code 8} instead of {@code 16} (presumably WSS4J's ST_UNSIGNED / ST_SIGNED
 *       constants — confirm against {@code WSConstants}). Whether an unsigned assertion
 *       is acceptable must be decided by the configured validator or by the caller
 *       inspecting the action code.</li>
 *   <li>If no validator is registered for the element, the credential is returned
 *       unvalidated: {@code TAG_VALIDATED_TOKEN} is not set and no principal is attached.</li>
 *   <li>The holder-of-key subject is parsed regardless of whether the assertion was
 *       signed, so for an unsigned assertion that key material is unverified.</li>
 *   <li>At DEBUG level the full assertion XML is written to the log, including any
 *       attributes or subject data the issuer placed in it.</li>
 * </ul>
 */
public class SAMLTokenProcessor implements Processor {
    private static final Log log = LogFactory.getLog(SAMLTokenProcessor.class);

    /** Action code recorded for an assertion that carried a (verified) signature. */
    private static final int SIGNED_ASSERTION_ACTION = 16;
    /** Action code recorded for an assertion that carried no signature. */
    private static final int UNSIGNED_ASSERTION_ACTION = 8;
    /** Error code used when a second, distinct element reuses an already-seen assertion ID. */
    private static final int DUPLICATE_TOKEN_ERROR_CODE = 4;

    /**
     * Processes one SAML Assertion element from the security header.
     *
     * @param element     the {@code Assertion} DOM element
     * @param requestData per-request configuration; supplies the validator lookup
     * @param wSDocInfo   per-document state used for signature verification and for
     *                    de-duplicating tokens by ID
     * @return a single-element list holding the result for this assertion; if the very
     *         same element was already processed, the previously stored result is returned
     * @throws WSSecurityException if signature verification or validation fails, or if a
     *         different element with the same assertion ID was already processed
     *         (error code {@value #DUPLICATE_TOKEN_ERROR_CODE}, "duplicateError")
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Found SAML Assertion element");
        }

        // The validator is looked up by the element's own QName, so a missing registration
        // silently means "no validation" (see the null check further down).
        QName tokenName = new QName(element.getNamespaceURI(), element.getLocalName());
        Validator validator = requestData.getValidator(tokenName);

        Credential credential = handleSAMLToken(element, requestData, validator, wSDocInfo);
        AssertionWrapper assertion = credential.getAssertion();

        if (log.isDebugEnabled()) {
            log.debug("SAML Assertion issuer " + assertion.getIssuerString());
            // NOTE(review): this dumps the entire assertion, including any sensitive
            // attribute statements, to the debug log.
            log.debug(DOM2Writer.nodeToString(element));
        }

        // De-duplicate by assertion ID. Re-processing the identical element returns the
        // cached result; a *different* element reusing the ID is treated as an error.
        // (Element.equals is presumably identity-based for DOM nodes — verify for the
        // DOM implementation in use.)
        String assertionId = assertion.getId();
        Element previouslySeen = wSDocInfo.getTokenElement(assertionId);
        if (previouslySeen != null) {
            if (element.equals(previouslySeen)) {
                return Collections.singletonList(wSDocInfo.getResult(assertionId));
            }
            throw new WSSecurityException(DUPLICATE_TOKEN_ERROR_CODE, "duplicateError");
        }
        wSDocInfo.addTokenElement(element);

        int action;
        if (assertion.isSigned()) {
            action = SIGNED_ASSERTION_ACTION;
        } else {
            action = UNSIGNED_ASSERTION_ACTION;
        }
        WSSecurityEngineResult result = new WSSecurityEngineResult(action, assertion);
        result.put("id", assertionId);

        // Only a validated credential is marked as such and gets a principal; with no
        // validator configured the result carries neither.
        if (validator != null) {
            result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
            attachPrincipal(result, credential, assertion);
        }

        wSDocInfo.addResult(result);
        return Collections.singletonList(result);
    }

    /**
     * Records the principal for a validated credential on the result.
     *
     * <p>Precedence: a transformed token produced by the validator (also stored under
     * {@code TAG_TRANSFORMED_TOKEN}), then a principal set by the validator, then a
     * principal built from the original assertion.
     */
    private static void attachPrincipal(WSSecurityEngineResult result, Credential credential, AssertionWrapper assertion) {
        AssertionWrapper transformed = credential.getTransformedToken();
        if (transformed != null) {
            result.put(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, transformed);
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipal(transformed));
            return;
        }
        if (credential.getPrincipal() != null) {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal());
            return;
        }
        result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipal(assertion));
    }

    /**
     * Parses the assertion, verifies its signature if it has one, parses the
     * holder-of-key subject and runs the validator.
     *
     * <p>Note that an assertion without a signature passes through this method with
     * no cryptographic check at all; only {@link AssertionWrapper#isSigned()} on the
     * returned credential's assertion tells the two cases apart.
     *
     * @param element     the {@code Assertion} DOM element
     * @param requestData per-request configuration passed to signature verification and validation
     * @param validator   validator to run, or {@code null} to return the credential unvalidated
     * @param wSDocInfo   per-document state passed to signature verification and HOK parsing
     * @return the validator's credential when a validator is given, otherwise the
     *         unvalidated credential wrapping the parsed assertion
     * @throws WSSecurityException if signature verification, HOK parsing or validation fails
     */
    public Credential handleSAMLToken(Element element, RequestData requestData, Validator validator, WSDocInfo wSDocInfo) throws WSSecurityException {
        AssertionWrapper wrapper = new AssertionWrapper(element);
        if (wrapper.isSigned()) {
            wrapper.verifySignature(requestData, wSDocInfo);
        }
        // Runs for unsigned assertions too: the key material it extracts is then unverified.
        wrapper.parseHOKSubject(requestData, wSDocInfo);

        Credential credential = new Credential();
        credential.setAssertion(wrapper);
        if (validator == null) {
            return credential;
        }
        return validator.validate(credential, requestData);
    }
}
