package weblogic.iiop.server;

import java.nio.charset.StandardCharsets;
import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.login.LoginException;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.MARSHAL;
import weblogic.corba.cos.security.GSSUtil;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.iiop.IIOPLogger;
import weblogic.iiop.contexts.ContextError;
import weblogic.iiop.contexts.EstablishContext;
import weblogic.iiop.contexts.GSSUPDecodeException;
import weblogic.iiop.contexts.GSSUPImpl;
import weblogic.iiop.contexts.IdentityToken;
import weblogic.iiop.contexts.MessageInContext;
import weblogic.iiop.contexts.SASServiceContext;
import weblogic.iiop.contexts.ServiceContextList;
import weblogic.iiop.messages.ReplyMessage;
import weblogic.iiop.messages.RequestMessage;
import weblogic.iiop.protocol.CorbaOutputStream;
import weblogic.protocol.configuration.ChannelHelper;
import weblogic.rmi.facades.RmiSecurityFacade;
import weblogic.security.SimpleCallbackHandler;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.auth.login.PasswordCredential;
import weblogic.security.service.InvalidParameterException;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.utils.Debug;
import weblogic.utils.DebugCategory;
import weblogic.utils.Hex;

/* loaded from: input_file:weblogic/iiop/server/ServerSASServiceContextHandler.class */
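/**
 * Server-side handler for the CSIv2 SAS (Secure Attribute Service) service context
 * carried on an incoming IIOP request.
 *
 * Two message kinds are handled: EstablishContext (msg type 0), which may carry a
 * GSSUP username/password token and/or an identity-assertion token, and
 * MessageInContext (msg type 5), which refers back to a previously established,
 * stateful context by its client context id. The resolved {@link AuthenticatedSubject}
 * is published through the public {@link #subject} field and on the service context.
 *
 * Security notes grounded in this code:
 * <ul>
 *   <li>The GSSUP password is authenticated against the default realm and then
 *       retained as a private {@link PasswordCredential} on the subject.</li>
 *   <li>Identity assertion (principal name, X.509 chain, distinguished name) trusts
 *       whatever the configured identity asserter accepts while running as the
 *       subject returned by {@link #getSubjectForIdentityAssertion}; this class
 *       performs no trust check of its own on the asserted identity.</li>
 *   <li>A realm suffix after '@' in a principal-name token is discarded; the lookup
 *       always targets the default realm.</li>
 *   <li>Stateful contexts are keyed by the client-supplied context id on the
 *       endpoint; a re-sent EstablishContext for a known id must carry the same
 *       tokens or is rejected as conflicting evidence.</li>
 * </ul>
 *
 * Not thread-safe: {@link #subject} is plain mutable state written by every handle call.
 */
public class ServerSASServiceContextHandler {
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final DebugCategory debugSecurity = Debug.getCategory("weblogic.iiop.security");
    private static final DebugLogger debugIIOPSecurity = DebugLogger.getDebugLogger("DebugIIOPSecurity");
    private final ServerEndPoint endPoint;
    /**
     * Subject resolved by the most recent handle* call. {@code null} means no SAS
     * identity was resolved (the anonymous-assertion fallback logs this as
     * "use connection subject"); for stateful contexts it is replaced by the
     * anonymous subject before the context is stored.
     */
    public AuthenticatedSubject subject;

    /**
     * @param serverEndPoint endpoint that owns the security-context table and
     *                       through which error replies are sent
     */
    public ServerSASServiceContextHandler(ServerEndPoint serverEndPoint) {
        this.endPoint = serverEndPoint;
    }

    /**
     * Processes the SAS service context of a request.
     *
     * @param requestMessage    the request carrying the context
     * @param sASServiceContext the decoded SAS context
     * @return {@code true} if a ContextError reply was sent (the request must not be
     *         dispatched), {@code false} if processing may continue
     * @throws MARSHAL for an unsupported SAS message type, or if the error reply
     *                 could not be sent
     */
    public boolean handleSASRequest(RequestMessage requestMessage, SASServiceContext sASServiceContext) {
        ContextError error = null;
        switch (sASServiceContext.getMsgType()) {
            case 0:
                // EstablishContext. Skipped entirely for the "no authentication" pseudo-operation.
                if (!SASServiceContext.NO_AUTHENTICATION_METHOD.equals(requestMessage.getOperationName())) {
                    error = handleEstablishContext(requestMessage, this.endPoint, (EstablishContext) sASServiceContext.getBody());
                    if (error == null) {
                        sASServiceContext.setSubject(this.subject);
                    }
                }
                break;
            case 5:
                // MessageInContext: refer back to a stateful context established earlier.
                error = handleMessageInContext(this.endPoint, (MessageInContext) sASServiceContext.getBody());
                if (error == null) {
                    sASServiceContext.setSubject(this.subject);
                }
                break;
            default:
                // Types 1-4 (and anything unknown) are not accepted on the request path.
                throw new MARSHAL("Unsupported Request CSI MsgType.");
        }
        if (error == null) {
            return false;
        }
        sendContextErrorReply(requestMessage, error);
        return true;
    }

    /**
     * Sends a NO_PERMISSION system-exception reply carrying the given ContextError
     * as its SAS service context.
     *
     * @throws MARSHAL if the reply could not be written to the endpoint
     */
    private void sendContextErrorReply(RequestMessage requestMessage, ContextError error) {
        ServiceContextList contexts = new ServiceContextList();
        contexts.addServiceContext(new SASServiceContext(error));
        // Reply status 2: presumably SYSTEM_EXCEPTION, matching the body written below — TODO confirm.
        CorbaOutputStream out = new ReplyMessage(requestMessage, contexts, 2).marshalTo(this.endPoint.createOutputStream());
        out.write_string("IDL:omg.org/CORBA/NO_PERMISSION:1.0");
        out.write_long(0);
        out.write_long(CompletionStatus.COMPLETED_NO.value());
        try {
            this.endPoint.send(out);
        } catch (RemoteException e) {
            throw new MARSHAL("Sending reply on SAS failure");
        }
    }

    /**
     * Handles EstablishContext and always attaches a CompleteEstablishContext to the
     * outbound service contexts, whether or not establishment succeeded.
     *
     * @return the ContextError to report, or {@code null} on success
     */
    public ContextError handleEstablishContext(RequestMessage requestMessage, ServerEndPoint serverEndPoint, EstablishContext establishContext) {
        ContextError error = handleEstablishContext(serverEndPoint, establishContext);
        requestMessage.addOutboundServiceContext(SASServiceContext.createCompleteEstablishContext(establishContext));
        return error;
    }

    /**
     * Resolves the subject of a previously established stateful context and, if the
     * message asks for it, discards that context afterwards.
     *
     * @return a ContextError (major status 4) when the client context id is unknown
     *         on this endpoint, otherwise {@code null}
     */
    public ContextError handleMessageInContext(ServerEndPoint serverEndPoint, MessageInContext messageInContext) {
        SecurityContext securityContext = serverEndPoint.getSecurityContext(messageInContext.getClientContextId());
        if (securityContext == null) {
            return new ContextError(messageInContext.getClientContextId(), 4, 1, null);
        }
        setSubject(securityContext.getSubject());
        if (messageInContext.isDiscardContext()) {
            serverEndPoint.removeSecurityContext(messageInContext.getClientContextId());
        }
        return null;
    }

    private void setSubject(AuthenticatedSubject authenticatedSubject) {
        this.subject = authenticatedSubject;
    }

    /**
     * Establishes a security context from the client authentication token and/or
     * identity token of an EstablishContext message.
     *
     * Order of evaluation: a stateful re-send for a known context id is validated
     * against the stored tokens; otherwise the GSSUP token (if any) is authenticated,
     * then the identity token (if any) is asserted running as the subject obtained so
     * far; finally a stateful context is stored on the endpoint.
     *
     * @return the ContextError to report, or {@code null} on success
     */
    public ContextError handleEstablishContext(final ServerEndPoint serverEndPoint, EstablishContext establishContext) {
        if (debugOn()) {
            log("handleEstablishContext");
        }
        if (isStateful(establishContext)) {
            SecurityContext existing = serverEndPoint.getSecurityContext(establishContext.getClientContextId());
            if (existing != null) {
                return handlePreviouslyEstablishedContext(establishContext, existing);
            }
        }
        byte[] clientAuthenticationToken = establishContext.getClientAuthenticationToken();
        if (clientAuthenticationToken != null) {
            ContextError authError = authenticateGSSUP(serverEndPoint, establishContext, clientAuthenticationToken);
            if (authError != null) {
                return authError;
            }
        }
        IdentityToken identityToken = establishContext.getIdentityToken();
        if (identityToken != null) {
            ContextError assertionError = assertIdentityToken(serverEndPoint, establishContext, identityToken);
            if (assertionError != null) {
                return assertionError;
            }
        }
        if (!isStateful(establishContext)) {
            return null;
        }
        // A stateful context must carry a subject; fall back to anonymous when nothing was resolved.
        if (this.subject == null) {
            this.subject = RmiSecurityFacade.getAnonymousSubject();
        }
        serverEndPoint.putSecurityContext(establishContext.getClientContextId(), new SecurityContext(establishContext.getClientContextId(), establishContext, this.subject));
        return null;
    }

    /**
     * Authenticates a GSSUP (username/password) client authentication token against
     * the default realm and, on success, records the subject.
     *
     * The password is kept on the subject as a private PasswordCredential. When the
     * local admin channel is enabled, administrators arriving on a non-admin channel
     * are rejected without the subject being recorded.
     *
     * @return a ContextError (major status 1 for a failed login or admin-channel
     *         violation, 2 for an undecodable token), or {@code null} on success
     */
    private ContextError authenticateGSSUP(ServerEndPoint serverEndPoint, EstablishContext establishContext, byte[] clientAuthenticationToken) {
        try {
            GSSUPImpl gssup = new GSSUPImpl(clientAuthenticationToken);
            AuthenticatedSubject authenticated = RmiSecurityFacade.getPrincipalAuthenticator(KERNEL_ID, SecurityServiceManager.defaultRealmName)
                    .authenticate(new SimpleCallbackHandler(gssup.getUserName(), gssup.getPasswordChars()), serverEndPoint.getConnection().getContextHandler());
            addPrivateCredential(authenticated, new PasswordCredential(gssup.getUserName(), gssup.getPasswordChars()));
            if (ChannelHelper.isLocalAdminChannelEnabled() && RmiSecurityFacade.isUserAnAdministrator(authenticated) && !ChannelHelper.isAdminChannel(serverEndPoint.getServerChannel())) {
                return new ContextError(establishContext.getClientContextId(), 1, 1, null);
            }
            setSubject(authenticated);
            return null;
        } catch (LoginException e) {
            return new ContextError(establishContext.getClientContextId(), 1, 1, null);
        } catch (GSSUPDecodeException e) {
            return new ContextError(establishContext.getClientContextId(), 2, 1, null);
        }
    }

    /**
     * Asserts the identity carried by an identity token and records the resulting
     * subject. Identity types: 0 = none (no-op), 1 = anonymous, 2 = principal name,
     * 4 = X.509 certificate chain, 8 = distinguished name; anything else is rejected.
     *
     * The assertion runs as the subject chosen by {@link #getSubjectForIdentityAssertion},
     * so the trust decision rests with the configured identity asserter and that
     * subject's privileges, not with this method.
     *
     * @return the ContextError to report, or {@code null} if the token was handled
     */
    private ContextError assertIdentityToken(final ServerEndPoint serverEndPoint, EstablishContext establishContext, IdentityToken identityToken) {
        // Both are resolved before the switch so every identity type observes the same state.
        final PrincipalAuthenticator authenticator = RmiSecurityFacade.getPrincipalAuthenticator(KERNEL_ID, SecurityServiceManager.defaultRealmName);
        AuthenticatedSubject runAsSubject = getSubjectForIdentityAssertion(this.subject);
        switch (identityToken.getIdentityType()) {
            case 0:
                return null;
            case 1:
                try {
                    this.subject = assertIdentity(authenticator, runAsSubject, serverEndPoint, "CSI.ITTAnonymous", Boolean.valueOf(identityToken.getAnonymous()));
                } catch (LoginException e) {
                    // Anonymous assertion failure is not fatal: drop the SAS identity instead.
                    if (debugOn()) {
                        log("failed identity assertion - use connection subject " + e);
                    }
                    this.subject = null;
                }
                return null;
            case 2: {
                String principalName = GSSUtil.extractGSSUPGSSNTExportedName(identityToken.getPrincipalName());
                if (principalName == null) {
                    if (debugOn()) {
                        IIOPLogger.logDebugSecurity("Unsupported CSIv2 mechanism");
                    }
                    return new ContextError(establishContext.getClientContextId(), 2, 1, null);
                }
                PrincipalAuthenticator realmAuthenticator = authenticator;
                int at = principalName.indexOf('@');
                if (at >= 0) {
                    // The realm suffix is stripped and ignored: the authenticator is always
                    // (re)fetched for the default realm, never for the realm named by the client.
                    principalName = principalName.substring(0, at);
                    try {
                        realmAuthenticator = RmiSecurityFacade.getPrincipalAuthenticator(KERNEL_ID, SecurityServiceManager.defaultRealmName);
                    } catch (InvalidParameterException e) {
                        if (debugOn()) {
                            log("Assert identity realm not found: weblogicDEFAULT");
                        }
                    }
                }
                if (debugOn()) {
                    log("Assert identity: " + principalName);
                }
                try {
                    this.subject = assertIdentity(realmAuthenticator, runAsSubject, serverEndPoint, "CSI.PrincipalName", principalName);
                    return null;
                } catch (LoginException e) {
                    if (debugOn()) {
                        log("failed identity assertion prin " + e);
                    }
                    return new ContextError(establishContext.getClientContextId(), 2, 1, null);
                }
            }
            case 4: {
                X509Certificate[] chain = GSSUtil.getX509CertChain(identityToken.getCertChain());
                if (chain == null) {
                    if (debugOn()) {
                        IIOPLogger.logDebugSecurity("CSIv2 certification chain not found");
                    }
                    // ASCII message; explicit charset avoids a platform-default dependency.
                    return new ContextError(establishContext.getClientContextId(), 1, 1, "CSIv2 certification chain not found".getBytes(StandardCharsets.UTF_8));
                }
                if (debugOn()) {
                    log("Assert identity chain: " + Arrays.toString(chain));
                }
                try {
                    this.subject = assertIdentity(authenticator, runAsSubject, serverEndPoint, "CSI.X509CertChain", chain);
                    return null;
                } catch (LoginException e) {
                    if (debugOn()) {
                        log("failed identity assertion cert chain " + e);
                    }
                    return new ContextError(establishContext.getClientContextId(), 2, 1, null);
                }
            }
            case 8: {
                byte[] distinguishedName = identityToken.getDistinguishedName();
                if (distinguishedName == null) {
                    if (debugOn()) {
                        IIOPLogger.logDebugSecurity("CSIv2 distinguished name not found");
                    }
                    return new ContextError(establishContext.getClientContextId(), 2, 1, null);
                }
                if (debugOn()) {
                    log("Assert identity distinguished: " + Hex.asHex(distinguishedName));
                }
                try {
                    this.subject = assertIdentity(authenticator, runAsSubject, serverEndPoint, "CSI.DistinguishedName", distinguishedName);
                    return null;
                } catch (LoginException e) {
                    if (debugOn()) {
                        log("failed identity assertion dist name " + e);
                    }
                    return new ContextError(establishContext.getClientContextId(), 2, 1, null);
                }
            }
            default:
                if (debugOn()) {
                    IIOPLogger.logDebugSecurity("Unsupported CSIv2 mechanism");
                }
                return new ContextError(establishContext.getClientContextId(), 1, 1, null);
        }
    }

    /**
     * Runs {@code authenticator.assertIdentity(tokenType, token, ...)} as
     * {@code runAsSubject} under the kernel identity and unwraps the result.
     *
     * @throws LoginException the exception raised by the identity asserter (the
     *                        wrapped exception is assumed to be a LoginException, as
     *                        that is all the action declares)
     */
    private static AuthenticatedSubject assertIdentity(final PrincipalAuthenticator authenticator, AuthenticatedSubject runAsSubject, final ServerEndPoint serverEndPoint, final String tokenType, final Object token) throws LoginException {
        try {
            return (AuthenticatedSubject) SecurityServiceManager.runAs(KERNEL_ID, runAsSubject, new PrivilegedExceptionAction<AuthenticatedSubject>() {
                @Override
                public AuthenticatedSubject run() throws LoginException {
                    return authenticator.assertIdentity(tokenType, token, serverEndPoint.getConnection().getContextHandler());
                }
            });
        } catch (PrivilegedActionException e) {
            throw (LoginException) e.getException();
        }
    }

    /** A context is stateful when the client supplied a non-zero context id. */
    private boolean isStateful(EstablishContext establishContext) {
        return establishContext.getClientContextId() != 0;
    }

    /**
     * Handles an EstablishContext whose client context id is already known on the
     * endpoint: the stored subject is reused only if the tokens presented now match
     * the ones the context was established with.
     *
     * @return a ContextError (major status 3, conflicting evidence) on mismatch,
     *         otherwise {@code null}
     */
    private ContextError handlePreviouslyEstablishedContext(EstablishContext establishContext, SecurityContext securityContext) {
        boolean identityMismatch = isMismatchedIdentity(establishContext.getIdentityToken(), securityContext);
        boolean authMismatch = isMismatchedAuthentication(establishContext.getClientAuthenticationToken(), securityContext);
        if (identityMismatch || authMismatch) {
            return new ContextError(establishContext.getClientContextId(), 3, 1, null);
        }
        setSubject(securityContext.getSubject());
        return null;
    }

    /** An absent identity token never mismatches; a present one must equal the stored token. */
    private boolean isMismatchedIdentity(IdentityToken identityToken, SecurityContext securityContext) {
        if (identityToken == null) {
            return false;
        }
        return !identityToken.equals(securityContext.getEstablishContext().getIdentityToken());
    }

    /**
     * An absent authentication token never mismatches; a present one must equal the
     * stored token byte-for-byte. The stored token carries the GSSUP credentials, so
     * the comparison is constant-time (null-safe, same truth table as Arrays.equals)
     * to avoid leaking how many leading bytes a probe shares with it.
     */
    private boolean isMismatchedAuthentication(byte[] bArr, SecurityContext securityContext) {
        if (bArr == null) {
            return false;
        }
        return !MessageDigest.isEqual(bArr, securityContext.getEstablishContext().getClientAuthenticationToken());
    }

    private static boolean addPrivateCredential(AuthenticatedSubject authenticatedSubject, Object obj) {
        return authenticatedSubject.getPrivateCredentials(KERNEL_ID).add(obj);
    }

    /**
     * Chooses the subject the identity assertion runs as: the current subject when
     * nothing has been resolved yet, anonymous instead of the kernel identity (so the
     * assertion never runs with kernel privileges), otherwise the resolved subject.
     */
    private AuthenticatedSubject getSubjectForIdentityAssertion(AuthenticatedSubject authenticatedSubject) {
        if (authenticatedSubject == null) {
            return RmiSecurityFacade.getCurrentSubject(KERNEL_ID);
        }
        if (authenticatedSubject.equals(KERNEL_ID)) {
            return RmiSecurityFacade.getAnonymousSubject();
        }
        return authenticatedSubject;
    }

    private static boolean debugOn() {
        return debugIIOPSecurity.isDebugEnabled() || debugSecurity.isEnabled();
    }

    private static void log(String str) {
        IIOPLogger.logDebugSecurity("<SASServiceContext>: " + str);
    }
}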
