package org.apache.cxf.ws.security.trust;

import java.util.List;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;

/* loaded from: input_file:org/apache/cxf/ws/security/trust/STSTokenValidator.class */
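/**
 * WSS4J {@link Validator} that delegates token validation to a Security Token Service (STS).
 *
 * <p>A SAML assertion is first checked locally unless {@code alwaysValidateToSts} is set; if
 * local trust verification does not succeed, or the credential carries a username token or a
 * binary security token, the token element is sent to the STS client named {@code "sts"}.
 * Any checked failure is reported as a {@link WSSecurityException}, so the caller never gets
 * the credential back unless one of the two validation paths completed.
 *
 * <p>NOTE(review): a single {@code samlValidator} instance serves every call and its
 * {@code isTrustVerificationSucceeded()} result is read after {@code validate()} returns.
 * If that result is instance state and this validator is shared between request threads,
 * one request could observe another's outcome. Confirm against STSSamlAssertionValidator.
 */
public class STSTokenValidator implements Validator {
    private final STSSamlAssertionValidator samlValidator = new STSSamlAssertionValidator();
    private final boolean alwaysValidateToSts;

    /** Creates a validator that tries local SAML validation before contacting the STS. */
    public STSTokenValidator() {
        this(false);
    }

    /**
     * Creates a validator.
     *
     * @param alwaysValidateToSts when {@code true}, SAML assertions skip the local check and
     *        are always sent to the STS
     */
    public STSTokenValidator(boolean alwaysValidateToSts) {
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    /**
     * Validates the token held by {@code credential}, locally or through the STS.
     *
     * @param credential the credential extracted from the security header; exactly the first
     *        present of assertion, username token, binary security token is used
     * @param requestData request context; its message context must be a {@link SoapMessage}
     * @return the same {@code credential}, with a transformed token set when the STS returned
     *         a token object other than the one submitted
     * @throws WSSecurityException if the credential carries none of the supported token kinds,
     *         if local validation or the STS call fails with a checked exception, or if the
     *         STS client returns no token
     */
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        SoapMessage soapMessage = (SoapMessage) requestData.getMsgContext();

        // Nothing to submit: none of the three supported token kinds is present. Fail closed
        // here rather than send the STS a validate request with no token element.
        if (credential.getAssertion() == null
                && credential.getUsernametoken() == null
                && credential.getBinarySecurityToken() == null) {
            throw failure(new IllegalArgumentException(
                    "Credential holds no SAML assertion, username token or binary security token"));
        }

        SecurityToken request = new SecurityToken();
        SecurityToken returned = null;
        try {
            if (credential.getAssertion() != null) {
                if (!this.alwaysValidateToSts) {
                    // Local check first; only a positive trust verification short-circuits.
                    // A checked failure here is wrapped below and rejects the request.
                    this.samlValidator.validate(credential, requestData);
                    if (this.samlValidator.isTrustVerificationSucceeded()) {
                        return credential;
                    }
                }
                request.setToken(credential.getAssertion().getElement());
            } else if (credential.getUsernametoken() != null) {
                request.setToken(credential.getUsernametoken().getElement());
            } else {
                request.setToken(credential.getBinarySecurityToken().getElement());
            }

            STSClient client = STSUtils.getClient(soapMessage, "sts");
            // Calls on the client object returned for this message are serialised.
            synchronized (client) {
                // NOTE(review): JVM-wide property set on every STS round-trip; its consumer is
                // not visible in this file. Kept as-is; confirm it is still required.
                System.setProperty("noprint", "true");
                List<SecurityToken> results = client.validateSecurityToken(request);
                if (results != null && !results.isEmpty()) {
                    returned = results.get(0);
                }
                // Identity comparison: a different object means the STS supplied a new token.
                if (returned != null && returned != request) {
                    credential.setTransformedToken(new AssertionWrapper(returned.getToken()));
                }
            }
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw failure(e);
        }

        // A null or empty result, or a null first entry, used to escape as an unchecked
        // NullPointerException/IndexOutOfBoundsException; report it as a validation failure.
        if (returned == null) {
            throw failure(new IllegalStateException("STS client returned no security token"));
        }
        return credential;
    }

    /** Builds the generic validation-failure exception used for every rejected token. */
    private static WSSecurityException failure(Throwable cause) {
        return new WSSecurityException(
                WSSecurityException.FAILURE, "invalidSAMLsecurity", (Object[]) null, cause);
    }
}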
