package weblogic.iiop.csi;

import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Iterator;
import javax.security.auth.login.LoginException;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.MARSHAL;
import weblogic.corba.cos.security.GSSUtil;
import weblogic.iiop.EndPoint;
import weblogic.iiop.IIOPInputStream;
import weblogic.iiop.IIOPLogger;
import weblogic.iiop.IIOPOutputStream;
import weblogic.iiop.ReplyMessage;
import weblogic.iiop.RequestMessage;
import weblogic.iiop.ServiceContext;
import weblogic.iiop.ServiceContextList;
import weblogic.security.SimpleCallbackHandler;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.auth.login.PasswordCredential;
import weblogic.security.service.InvalidParameterException;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.IdentityAsserter;
import weblogic.utils.Debug;
import weblogic.utils.DebugCategory;

/* loaded from: input_file:weblogic.jar:weblogic/iiop/csi/SASServiceContext.class */
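/**
 * CSIv2 Security Attribute Service (SAS) service context.
 *
 * <p>Marshals and unmarshals the SAS messages carried in the GIOP service context
 * list (EstablishContext, CompleteEstablishContext, ContextError, MessageInContext).
 * On the client side it builds the outbound EstablishContext from the caller's
 * subject and the target's CompoundSecMechList; on the server side it turns an
 * inbound EstablishContext / MessageInContext into an {@link AuthenticatedSubject}
 * and, for stateful contexts, registers that subject with the {@link EndPoint}.
 *
 * <p>Instances carry per-request mutable state ({@code ctxBody}, {@code subject})
 * and are not synchronized.
 */
public class SASServiceContext extends ServiceContext {
    /** GIOP service-context id of the CSIv2 SecurityAttributeService. */
    private static final int SAS_CONTEXT_ID = 15;

    // CSIv2 SAS message types (CSI::MsgType) as carried in the encapsulation header.
    private static final short MT_ESTABLISH_CONTEXT = 0;
    private static final short MT_COMPLETE_ESTABLISH_CONTEXT = 1;
    private static final short MT_CONTEXT_ERROR = 4;
    private static final short MT_MESSAGE_IN_CONTEXT = 5;

    // CSIv2 identity token types (CSI::IdentityTokenType).
    private static final int ITT_ABSENT = 0;
    private static final int ITT_ANONYMOUS = 1;
    private static final int ITT_PRINCIPAL_NAME = 2;
    private static final int ITT_X509_CERT_CHAIN = 4;
    private static final int ITT_DISTINGUISHED_NAME = 8;

    // ContextError major status values used by this class (CSIv2 ContextError semantics).
    private static final int CE_INVALID_EVIDENCE = 1;
    private static final int CE_INVALID_MECHANISM = 2;
    private static final int CE_CONFLICTING_EVIDENCE = 3;
    private static final int CE_NO_CONTEXT = 4;
    private static final int CE_MINOR_STATUS = 1;

    /** GIOP reply status written when a SAS failure is reported as a system exception. */
    private static final int REPLY_SYSTEM_EXCEPTION = 2;

    private static final DebugCategory debugSecurity = Debug.getCategory("weblogic.iiop.security");
    // Kernel identity used to read private credentials and to look up security services.
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());

    private short ctxMsgType;
    private ContextBody ctxBody;
    // Subject resolved from an inbound context, or the subject an outbound context was built for.
    private AuthenticatedSubject subject;

    /** Creates an empty context; the body is expected to be read later. */
    public SASServiceContext() {
        super(SAS_CONTEXT_ID);
    }

    /**
     * Wraps an already-built message body.
     *
     * @param s message type (one of the CSI::MsgType values)
     * @param contextBody message body matching {@code s}
     * @param authenticatedSubject subject associated with the context; may be null
     */
    public SASServiceContext(short s, ContextBody contextBody, AuthenticatedSubject authenticatedSubject) {
        super(SAS_CONTEXT_ID);
        this.ctxMsgType = s;
        this.ctxBody = contextBody;
        this.subject = authenticatedSubject;
    }

    /**
     * Builds the outbound EstablishContext for a call to the target described by
     * {@code compoundSecMechList}.
     *
     * <p>If the target supports GSSUP and the subject carries a
     * {@link PasswordCredential}, the username/password is sent as a GSSUP client
     * authentication token (no identity assertion). Otherwise, if the target accepts
     * GSSUP identity assertion, the subject's username (scoped as {@code user@target}
     * when the target name is known) is asserted; anonymous and kernel subjects are
     * asserted as anonymous.
     *
     * @param compoundSecMechList the target's security mechanisms
     * @param authenticatedSubject caller subject; may be null
     * @param endPoint connection used to allocate a stateful client context id
     */
    public SASServiceContext(CompoundSecMechList compoundSecMechList, AuthenticatedSubject authenticatedSubject, EndPoint endPoint) {
        super(SAS_CONTEXT_ID);
        this.ctxMsgType = MT_ESTABLISH_CONTEXT;
        // A non-zero client_context_id asks the target to keep the context; 0 is stateless.
        long clientContextId = compoundSecMechList.isGSSUPTargetStateful() ? endPoint.getNextClientContextId() : 0L;
        PasswordCredential passwordCredential = findPasswordCredential(authenticatedSubject);
        boolean hasGSSUP = compoundSecMechList.hasGSSUP();
        boolean hasGSSUPIdentity = compoundSecMechList.hasGSSUPIdentity();
        String targetName = hasGSSUP ? GSSUtil.extractGSSUPGSSNTExportedName(compoundSecMechList.getGSSUPTarget()) : null;
        byte[] clientAuthenticationToken = null;
        IdentityToken identityToken = null;
        if (hasGSSUP && passwordCredential != null) {
            clientAuthenticationToken = new GSSUPImpl(passwordCredential.getUsername(), targetName, passwordCredential.getPassword(), targetName).getBytes();
            identityToken = new IdentityToken(ITT_ABSENT, true, null);
        } else if (hasGSSUPIdentity) {
            if (authenticatedSubject == null || SubjectUtils.isUserAnonymous(authenticatedSubject) || SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
                identityToken = new IdentityToken(ITT_ANONYMOUS, true, null);
            } else {
                String username = SubjectUtils.getUsername(authenticatedSubject);
                String scopedName = targetName != null ? username + "@" + targetName : username;
                identityToken = new IdentityToken(ITT_PRINCIPAL_NAME, true, GSSUtil.createGSSUPGSSNTExportedName(scopedName));
            }
        }
        this.ctxBody = new EstablishContext(clientContextId, clientAuthenticationToken, identityToken);
    }

    /**
     * Builds a MessageInContext that references an already established context.
     *
     * @param j client context id previously confirmed by the target
     */
    public SASServiceContext(long j) {
        super(SAS_CONTEXT_ID);
        this.ctxMsgType = MT_MESSAGE_IN_CONTEXT;
        this.ctxBody = new MessageInContext(j, false);
    }

    /**
     * Reads an encapsulated SAS context from the stream.
     *
     * @param iIOPInputStream stream positioned at the service context data
     */
    public SASServiceContext(IIOPInputStream iIOPInputStream) {
        super(SAS_CONTEXT_ID);
        readEncapsulatedContext(iIOPInputStream);
    }

    /** Returns the first PasswordCredential among the subject's private credentials, or null. */
    private static PasswordCredential findPasswordCredential(AuthenticatedSubject authenticatedSubject) {
        if (authenticatedSubject == null) {
            return null;
        }
        // Private credentials are read under the kernel identity.
        Iterator it = authenticatedSubject.getPrivateCredentials(kernelId, PasswordCredential.class).iterator();
        return it.hasNext() ? (PasswordCredential) it.next() : null;
    }

    /**
     * Decodes the message type and body.
     *
     * @param iIOPInputStream stream positioned at the SAS encapsulation
     * @throws MARSHAL if the message type is not one this implementation handles
     */
    @Override
    protected void readEncapsulation(IIOPInputStream iIOPInputStream) {
        short msgType = iIOPInputStream.read_short();
        switch (msgType) {
            case MT_ESTABLISH_CONTEXT:
                this.ctxBody = new EstablishContext(iIOPInputStream);
                break;
            case MT_COMPLETE_ESTABLISH_CONTEXT:
                this.ctxBody = new CompleteEstablishContext(iIOPInputStream);
                break;
            case MT_CONTEXT_ERROR:
                this.ctxBody = new ContextError(iIOPInputStream);
                break;
            case MT_MESSAGE_IN_CONTEXT:
                this.ctxBody = new MessageInContext(iIOPInputStream);
                break;
            default:
                throw new MARSHAL("Unsupported CSI MsgType.");
        }
        // Only record the type once the body has been decoded successfully.
        this.ctxMsgType = msgType;
    }

    /** @return the CSI::MsgType of this context */
    public short getMsgType() {
        return this.ctxMsgType;
    }

    /** @return the decoded or constructed message body */
    public ContextBody getBody() {
        return this.ctxBody;
    }

    /**
     * Writes this context as an encapsulation.
     *
     * @param iIOPOutputStream destination stream
     */
    @Override
    public void write(IIOPOutputStream iIOPOutputStream) {
        writeEncapsulatedContext(iIOPOutputStream);
    }

    /**
     * Writes the message type followed by the body.
     *
     * @param iIOPOutputStream destination stream
     */
    @Override
    public void writeEncapsulation(IIOPOutputStream iIOPOutputStream) {
        iIOPOutputStream.write_short(this.ctxMsgType);
        this.ctxBody.write(iIOPOutputStream);
    }

    /**
     * Client side: applies a SAS reply to the connection's client-context table.
     *
     * <p>A CompleteEstablishContext either confirms a stateful context (which is
     * then recorded on the end point) or tells us the target kept no state (the
     * pending id is dropped). A ContextError always drops the pending id.
     *
     * @param endPoint connection the reply arrived on
     * @throws MARSHAL if the message type is not valid in a reply
     */
    public void handleSASReply(EndPoint endPoint) {
        switch (this.ctxMsgType) {
            case MT_COMPLETE_ESTABLISH_CONTEXT: {
                CompleteEstablishContext completeEstablishContext = (CompleteEstablishContext) this.ctxBody;
                if (completeEstablishContext.getContextStateful()) {
                    endPoint.establishSASClientContext(completeEstablishContext.getClientContextId());
                    if (debugSecurity.isEnabled()) {
                        IIOPLogger.logDebugSecurity("stateful CSIv2 session established.");
                    }
                } else {
                    endPoint.removeSASClientContext(completeEstablishContext.getClientContextId());
                    if (debugSecurity.isEnabled()) {
                        IIOPLogger.logDebugSecurity("stateful CSIv2 session reset.");
                    }
                }
                break;
            }
            case MT_CONTEXT_ERROR: {
                ContextError contextError = (ContextError) this.ctxBody;
                endPoint.removeSASClientContext(contextError.getClientContextId());
                if (debugSecurity.isEnabled()) {
                    IIOPLogger.logDebugSecurity("received ContextError(" + contextError.getMajorStatus() + ", " + contextError.getMinorStatus() + ") for context " + contextError.getClientContextId());
                }
                break;
            }
            default:
                throw new MARSHAL("Unsupported Reply CSI MsgType.");
        }
    }

    /**
     * Server side: processes an inbound SAS request context.
     *
     * <p>On success {@link #getSubject()} yields the caller's subject and the
     * request proceeds. On failure a ContextError is sent back in a
     * NO_PERMISSION system-exception reply and the request must not be dispatched.
     *
     * @param requestMessage the request carrying this context
     * @param endPoint connection the request arrived on
     * @return true if an error reply was sent (request handled), false to continue
     * @throws MARSHAL if the message type is not valid in a request, or the error
     *         reply could not be sent
     */
    public boolean handleSASRequest(RequestMessage requestMessage, EndPoint endPoint) {
        ContextError contextError;
        switch (this.ctxMsgType) {
            case MT_ESTABLISH_CONTEXT:
                contextError = handleEstablishContext(requestMessage, endPoint);
                break;
            case MT_MESSAGE_IN_CONTEXT:
                contextError = handleMessageInContext(endPoint);
                break;
            default:
                throw new MARSHAL("Unsupported Request CSI MsgType.");
        }
        if (contextError == null) {
            return false;
        }
        sendContextErrorReply(contextError, requestMessage, endPoint);
        return true;
    }

    /** Resolves a MessageInContext against the end point's stored contexts. */
    private ContextError handleMessageInContext(EndPoint endPoint) {
        MessageInContext messageInContext = (MessageInContext) this.ctxBody;
        long clientContextId = messageInContext.getClientContextId();
        SecurityContext securityContext = endPoint.getSecurityContext(clientContextId);
        if (securityContext == null) {
            return new ContextError(clientContextId, CE_NO_CONTEXT, CE_MINOR_STATUS, null);
        }
        this.subject = securityContext.getSubject();
        if (messageInContext.getDiscardContext()) {
            endPoint.removeSecurityContext(clientContextId);
        }
        return null;
    }

    /** Sends a NO_PERMISSION system-exception reply carrying the given ContextError. */
    private static void sendContextErrorReply(ContextError contextError, RequestMessage requestMessage, EndPoint endPoint) {
        SASServiceContext errorContext = new SASServiceContext(MT_CONTEXT_ERROR, (ContextBody) contextError, (AuthenticatedSubject) null);
        ServiceContextList serviceContextList = new ServiceContextList();
        serviceContextList.addServiceContext(errorContext);
        ReplyMessage replyMessage = new ReplyMessage(endPoint, requestMessage.getRequestID(), serviceContextList, REPLY_SYSTEM_EXCEPTION);
        IIOPOutputStream outputStream = replyMessage.getOutputStream();
        replyMessage.write(outputStream);
        // Marshalled system exception: repository id, minor code, completion status.
        outputStream.write_string("IDL:omg.org/CORBA/NO_PERMISSION:1.0");
        outputStream.write_long(0);
        outputStream.write_long(CompletionStatus.COMPLETED_NO.value());
        try {
            endPoint.send(outputStream);
        } catch (RemoteException e) {
            MARSHAL marshal = new MARSHAL("Sending reply on SAS failure");
            marshal.initCause(e);
            throw marshal;
        }
    }

    /** @return the subject resolved for this context; null until a request context has been handled */
    public AuthenticatedSubject getSubject() {
        return this.subject;
    }

    /**
     * @return a client-side view of this EstablishContext
     * @throws ClassCastException if the body is not an EstablishContext
     */
    public ClientSecurityContext getClientContext() {
        return new ClientSecurityContext(((EstablishContext) getBody()).getClientContextId(), this);
    }

    /**
     * Builds the CompleteEstablishContext reply for this EstablishContext.
     * A non-zero client context id is confirmed as stateful.
     *
     * @return the reply context carrying the resolved subject
     */
    public SASServiceContext getCompleteEstablishContext() {
        EstablishContext establishContext = (EstablishContext) this.ctxBody;
        long clientContextId = establishContext.getClientContextId();
        ContextBody body = new CompleteEstablishContext(clientContextId, clientContextId != 0, null);
        return new SASServiceContext(MT_COMPLETE_ESTABLISH_CONTEXT, body, this.subject);
    }

    /**
     * Resolves the subject for an inbound EstablishContext.
     *
     * <p>Order of evaluation: (1) if the client names an existing stateful context,
     * its stored subject is reused provided any evidence supplied again matches;
     * (2) a GSSUP client authentication token is authenticated; (3) an identity
     * token is asserted and, if present, replaces the subject from step 2 —
     * whether the authenticating principal may assert that identity is left to
     * the configured identity asserter (not checked here); (4) a stateful context
     * is registered on the end point, defaulting the subject to anonymous.
     *
     * @param requestMessage the request (unused; kept for symmetry with the caller)
     * @param endPoint connection the request arrived on
     * @return a ContextError to send back, or null on success
     */
    private ContextError handleEstablishContext(RequestMessage requestMessage, EndPoint endPoint) {
        EstablishContext establishContext = (EstablishContext) this.ctxBody;
        long clientContextId = establishContext.getClientContextId();
        byte[] clientAuthenticationToken = establishContext.getClientAuthenticationToken();
        IdentityToken identityToken = establishContext.getIdentityToken();

        if (clientContextId != 0) {
            SecurityContext securityContext = endPoint.getSecurityContext(clientContextId);
            if (securityContext != null) {
                return reuseStatefulContext(securityContext, establishContext);
            }
        }
        if (clientAuthenticationToken != null) {
            ContextError error = authenticateClient(clientAuthenticationToken, clientContextId);
            if (error != null) {
                return error;
            }
        }
        if (identityToken != null) {
            ContextError error = assertIdentity(identityToken, clientContextId);
            if (error != null) {
                return error;
            }
        }
        if (clientContextId == 0) {
            return null;
        }
        if (this.subject == null) {
            this.subject = SubjectUtils.getAnonymousSubject();
        }
        endPoint.putSecurityContext(clientContextId, new SecurityContext(clientContextId, establishContext, this.subject));
        return null;
    }

    /**
     * Re-validates an EstablishContext that names a context already stored on the
     * end point: any evidence presented again must equal what was stored, otherwise
     * the evidence is reported as conflicting.
     */
    private ContextError reuseStatefulContext(SecurityContext securityContext, EstablishContext establishContext) {
        EstablishContext stored = securityContext.getEstablishContext();
        long clientContextId = establishContext.getClientContextId();
        IdentityToken identityToken = establishContext.getIdentityToken();
        if (identityToken != null && !identityToken.equals(stored.getIdentityToken())) {
            return new ContextError(clientContextId, CE_CONFLICTING_EVIDENCE, CE_MINOR_STATUS, null);
        }
        byte[] clientAuthenticationToken = establishContext.getClientAuthenticationToken();
        if (clientAuthenticationToken != null && !authTokensMatch(clientAuthenticationToken, stored.getClientAuthenticationToken())) {
            return new ContextError(clientContextId, CE_CONFLICTING_EVIDENCE, CE_MINOR_STATUS, null);
        }
        this.subject = securityContext.getSubject();
        return null;
    }

    /**
     * Compares a presented GSSUP token with the stored one. The token embeds the
     * client's password, so the comparison does not stop at the first differing byte.
     *
     * @param presented non-null token from the request
     * @param stored token recorded when the context was established; may be null
     */
    private static boolean authTokensMatch(byte[] presented, byte[] stored) {
        return stored != null && MessageDigest.isEqual(presented, stored);
    }

    /** Authenticates a GSSUP username/password token against the realm it names. */
    private ContextError authenticateClient(byte[] clientAuthenticationToken, long clientContextId) {
        try {
            GSSUPImpl gssup = new GSSUPImpl(clientAuthenticationToken);
            PrincipalAuthenticator authenticator = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(kernelId, gssup.getTargetName(), SecurityService.ServiceType.AUTHENTICATION);
            this.subject = authenticator.authenticate(new SimpleCallbackHandler(gssup.getUserName(), gssup.getPassword()));
            // Keep the password credential on the subject so outbound calls can present it
            // again (see the CompoundSecMechList constructor, which reads it back).
            this.subject.getPrivateCredentials(kernelId).add(new PasswordCredential(gssup.getUserName(), gssup.getPassword()));
            return null;
        } catch (LoginException e) {
            return new ContextError(clientContextId, CE_INVALID_EVIDENCE, CE_MINOR_STATUS, null);
        } catch (GSSUPDecodeException e) {
            return new ContextError(clientContextId, CE_INVALID_MECHANISM, CE_MINOR_STATUS, null);
        }
    }

    /** Asserts the identity carried in the token; sets {@code subject} on success. */
    private ContextError assertIdentity(IdentityToken identityToken, long clientContextId) {
        PrincipalAuthenticator authenticator = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(kernelId, SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.AUTHENTICATION);
        switch (identityToken.getIdentityType()) {
            case ITT_ABSENT:
                return null;
            case ITT_ANONYMOUS:
                try {
                    this.subject = authenticator.assertIdentity(IdentityAsserter.CSI_ANONYMOUS_TYPE, Boolean.valueOf(identityToken.getAnonymous()));
                } catch (LoginException e) {
                    // Not an error: the caller substitutes the anonymous subject when registering the context.
                    this.subject = null;
                }
                return null;
            case ITT_PRINCIPAL_NAME:
                return assertPrincipalName(authenticator, identityToken, clientContextId);
            case ITT_X509_CERT_CHAIN: {
                byte[] certChain = identityToken.getCertChain();
                if (certChain == null) {
                    return new ContextError(clientContextId, CE_INVALID_EVIDENCE, CE_MINOR_STATUS, null);
                }
                return assertWith(authenticator, IdentityAsserter.CSI_X509_CERTCHAIN_TYPE, certChain, clientContextId);
            }
            case ITT_DISTINGUISHED_NAME: {
                byte[] distinguishedName = identityToken.getDistinguishedName();
                if (distinguishedName == null) {
                    return new ContextError(clientContextId, CE_INVALID_MECHANISM, CE_MINOR_STATUS, null);
                }
                return assertWith(authenticator, IdentityAsserter.CSI_DISTINGUISHED_NAME_TYPE, distinguishedName, clientContextId);
            }
            default:
                return new ContextError(clientContextId, CE_INVALID_EVIDENCE, CE_MINOR_STATUS, null);
        }
    }

    /**
     * Asserts a GSSUP exported principal name. A name of the form {@code user@realm}
     * is asserted against that realm's authenticator; an unknown realm deliberately
     * falls back to the default realm's authenticator.
     */
    private ContextError assertPrincipalName(PrincipalAuthenticator defaultAuthenticator, IdentityToken identityToken, long clientContextId) {
        String scopedName = GSSUtil.extractGSSUPGSSNTExportedName(identityToken.getPrincipalName());
        if (scopedName == null) {
            return new ContextError(clientContextId, CE_INVALID_MECHANISM, CE_MINOR_STATUS, null);
        }
        PrincipalAuthenticator authenticator = defaultAuthenticator;
        String username = scopedName;
        int at = scopedName.indexOf('@');
        if (at >= 0) {
            String realmName = scopedName.substring(at + 1);
            username = scopedName.substring(0, at);
            try {
                authenticator = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(kernelId, realmName, SecurityService.ServiceType.AUTHENTICATION);
            } catch (InvalidParameterException ignored) {
                // Best effort: keep the default-realm authenticator.
                if (debugSecurity.isEnabled()) {
                    IIOPLogger.logDebugSecurity("unknown realm in asserted principal name, using default realm: " + realmName);
                }
            }
        }
        return assertWith(authenticator, IdentityAsserter.CSI_PRINCIPAL_TYPE, username, clientContextId);
    }

    /** Runs one identity assertion, mapping a LoginException to an invalid-mechanism ContextError. */
    private ContextError assertWith(PrincipalAuthenticator authenticator, String tokenType, Object token, long clientContextId) {
        try {
            this.subject = authenticator.assertIdentity(tokenType, token);
            return null;
        } catch (LoginException e) {
            return new ContextError(clientContextId, CE_INVALID_MECHANISM, CE_MINOR_STATUS, null);
        }
    }

    /** @return a debugging description including type, body and subject */
    @Override
    public String toString() {
        return "SASServiceContext Context (msgType = " + (int) this.ctxMsgType + ", body = " + this.ctxBody + ", subject = " + this.subject + ")";
    }
}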
