package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.util.Collection;
import javax.xml.namespace.QName;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.KerberosToken;

/* loaded from: input_file:payload/TIB_bwplugindynamicscrm_6.7.0_common.zip:assemblies/assembly_tibco_com_tibco_bw_sharedresource_dynamicscrm_model_feature_6.7.0.001.zip:source/plugins/com.tibco.bw.sharedresource.dynamicscrm.model_6.7.0.001.jar:lib/CXF-3.0.3/cxf-rt-ws-security-3.0.3.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.class */
public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
    private Message message;

    public KerberosTokenPolicyValidator(Message message) {
        this.message = message;
    }

    public boolean validatePolicy(AssertionInfoMap assertionInfoMap, KerberosSecurity kerberosSecurity) {
        Collection<AssertionInfo> allAssertionsByLocalname = getAllAssertionsByLocalname(assertionInfoMap, "KerberosToken");
        if (allAssertionsByLocalname.isEmpty()) {
            return true;
        }
        parsePolicies(assertionInfoMap, allAssertionsByLocalname, kerberosSecurity);
        assertPolicy(assertionInfoMap, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
        return true;
    }

    private void parsePolicies(AssertionInfoMap assertionInfoMap, Collection<AssertionInfo> collection, KerberosSecurity kerberosSecurity) {
        for (AssertionInfo assertionInfo : collection) {
            KerberosToken kerberosToken = (KerberosToken) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
            if (!isTokenRequired(kerberosToken, this.message)) {
                assertPolicy(assertionInfoMap, new QName(kerberosToken.getVersion().getNamespace(), "WssKerberosV5ApReqToken11"));
                assertPolicy(assertionInfoMap, new QName(kerberosToken.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11"));
            } else if (!checkToken(assertionInfoMap, kerberosToken, kerberosSecurity)) {
                assertionInfo.setNotAsserted("An incorrect Kerberos Token Type is detected");
            }
        }
    }

    private boolean checkToken(AssertionInfoMap assertionInfoMap, KerberosToken kerberosToken, KerberosSecurity kerberosSecurity) {
        KerberosToken.ApReqTokenType apReqTokenType = kerberosToken.getApReqTokenType();
        if (apReqTokenType == KerberosToken.ApReqTokenType.WssKerberosV5ApReqToken11 && kerberosSecurity.isV5ApReq()) {
            assertPolicy(assertionInfoMap, new QName(kerberosToken.getVersion().getNamespace(), "WssKerberosV5ApReqToken11"));
            return true;
        }
        if (apReqTokenType != KerberosToken.ApReqTokenType.WssGssKerberosV5ApReqToken11 || !kerberosSecurity.isGssV5ApReq()) {
            return false;
        }
        assertPolicy(assertionInfoMap, new QName(kerberosToken.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11"));
        return true;
    }
}
