package com.sun.enterprise.iiop.security;

import com.sun.corba.ee.org.omg.CSI.CompleteEstablishContext;
import com.sun.corba.ee.org.omg.CSI.ContextError;
import com.sun.corba.ee.org.omg.CSI.EstablishContext;
import com.sun.corba.ee.org.omg.CSI.GSS_NT_ExportedNameHelper;
import com.sun.corba.ee.org.omg.CSI.IdentityToken;
import com.sun.corba.ee.org.omg.CSI.SASContextBody;
import com.sun.corba.ee.org.omg.CSI.SASContextBodyHelper;
import com.sun.corba.ee.org.omg.CSI.X501DistinguishedNameHelper;
import com.sun.corba.ee.org.omg.CSI.X509CertificateChainHelper;
import com.sun.corba.ee.spi.legacy.connection.Connection;
import com.sun.corba.ee.spi.legacy.interceptor.RequestInfoExt;
import com.sun.enterprise.common.iiop.security.AnonCredential;
import com.sun.enterprise.common.iiop.security.GSSUPName;
import com.sun.enterprise.common.iiop.security.SecurityContext;
import com.sun.enterprise.security.auth.login.common.PasswordCredential;
import com.sun.enterprise.security.auth.login.common.X509CertificateCredential;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.logging.LogDomains;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.glassfish.enterprise.iiop.api.GlassFishORBHelper;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.ORB;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ForwardRequest;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.PortableInterceptor.ServerRequestInterceptor;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:MICRO-INF/runtime/ejb.security-5.181.jar:com/sun/enterprise/iiop/security/SecServerRequestInterceptor.class */
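/**
 * Server-side portable interceptor for the CSIv2 Security Attribute Service (SAS).
 *
 * <p>On every incoming request it looks for the SAS service context element
 * (id {@link #SECURITY_ATTRIBUTE_SERVICE_ID}), decodes the {@code EstablishContext}
 * message it carries, turns the client authentication token and/or identity token
 * into JAAS credentials on a fresh {@link Subject}, and hands the resulting
 * {@link SecurityContext} to {@link SecurityContextUtil#setSecurityContext} for the
 * actual trust/authorization decision. Depending on that decision it attaches a
 * {@code CompleteEstablishContext} or {@code ContextError} reply context and, on
 * rejection, fails the request with {@link NO_PERMISSION}.
 *
 * <p>The interceptor also maintains a per-thread call-nesting counter so that the
 * thread-bound security context is cleared exactly when the outermost request on the
 * thread finishes (see {@link #receive_request_service_contexts} and
 * {@link #unsetSecurityContext}).
 *
 * <p>This class only <em>parses</em> the SAS tokens; whether the caller is allowed to
 * assert the identity it sent is decided by {@code SecurityContextUtil}, not here.
 */
public class SecServerRequestInterceptor extends LocalObject implements ServerRequestInterceptor {
    private static final Logger _logger =
            LogDomains.getLogger(SecServerRequestInterceptor.class, "javax.enterprise.system.core.security");
    private static final LocalStringManagerImpl localStrings =
            new LocalStringManagerImpl(SecServerRequestInterceptor.class);

    /** IOP service context id of the CSIv2 Security Attribute Service element. */
    protected static final int SECURITY_ATTRIBUTE_SERVICE_ID = 15;
    /** ContextError major/minor codes returned when the server cannot accept the client's mechanism/context. */
    private static final int INVALID_MECHANISM_MAJOR = 2;
    private static final int INVALID_MECHANISM_MINOR = 1;
    public static final String SERVER_CONNECTION_CONTEXT = "ServerConnContext";
    /** Passed to {@code add_reply_service_context}: do not overwrite an already-present reply context. */
    private static final boolean NO_REPLACE = false;

    /** Status code from {@link SecurityContextUtil#setSecurityContext} meaning the context was rejected. */
    private static final int STATUS_FAILED = 1;

    // SASContextBody discriminators (CSIv2 MsgType values) this interceptor distinguishes.
    private static final short MT_ESTABLISH_CONTEXT = 0;
    private static final short MT_MESSAGE_IN_CONTEXT = 5;
    // ContextError minor code sent back for a MessageInContext; this server keeps no stateful
    // contexts, so a reference to one cannot be honoured (presumably "no context" in CSIv2 terms).
    private static final int NO_CONTEXT_MINOR = 4;

    // IdentityToken discriminators (CSIv2 IdentityTokenType values).
    private static final int ITT_ABSENT = 0;
    private static final int ITT_ANONYMOUS = 1;
    private static final int ITT_PRINCIPAL_NAME = 2;
    private static final int ITT_X509_CERT_CHAIN = 4;
    private static final int ITT_DISTINGUISHED_NAME = 8;

    private final String prname;
    private final String name;
    private final Codec codec;
    private final SecurityContextUtil secContextUtil;
    private final SecurityMechanismSelector smSelector;
    /** Per-thread nesting depth of requests currently being processed; see {@link Counter}. */
    private final InheritableThreadLocal<Counter> counterForCalls = new InheritableThreadLocal<>();
    private final GlassFishORBHelper orbHelper = Lookups.getGlassFishORBHelper();

    /**
     * Creates the interceptor.
     *
     * @param str   interceptor name, also used as the log prefix ({@code name + "::"})
     * @param codec CDR codec used to encode reply contexts and decode CDR-encapsulated tokens
     */
    public SecServerRequestInterceptor(String str, Codec codec) {
        this.name = str;
        this.codec = codec;
        this.prname = str + "::";
        this.secContextUtil = Lookups.getSecurityContextUtil();
        this.smSelector = Lookups.getSecurityMechanismSelector();
    }

    @Override
    public String name() {
        return this.name;
    }

    /** Builds a ContextError message with major status 1 and the given minor code. */
    private SASContextBody createContextError(int minor) {
        return createContextError(1, minor);
    }

    /**
     * Builds a ContextError SAS message.
     *
     * @param major CSIv2 major status
     * @param minor CSIv2 minor status
     * @return a SASContextBody whose {@code error_msg} branch is set; client context id is 0
     *         and the error token is empty because this server is stateless
     */
    private SASContextBody createContextError(int major, int minor) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Creating ContextError message: major code = " + major + ", minor code = " + minor);
        }
        ContextError contextError = new ContextError(0L, major, minor, new byte[0]);
        SASContextBody body = new SASContextBody();
        body.error_msg(contextError);
        return body;
    }

    /**
     * Builds a CompleteEstablishContext SAS message.
     *
     * @param status status returned by setSecurityContext; currently not reflected in the
     *               message (context id 0, {@code context_stateful = false}, empty final token)
     */
    private SASContextBody createCompleteEstablishContext(int status) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Creating CompleteEstablishContext message");
        }
        CompleteEstablishContext complete = new CompleteEstablishContext(0L, false, new byte[0]);
        SASContextBody body = new SASContextBody();
        body.complete_msg(complete);
        return body;
    }

    /**
     * CDR-encodes a SAS message into an IOP ServiceContext with the SAS context id.
     *
     * <p>Encoding is best-effort: if the codec fails, the failure is logged at SEVERE and a
     * service context with <em>empty</em> context data is returned rather than failing the
     * reply. Callers therefore cannot rely on the client receiving a decodable message.
     */
    private ServiceContext createSvcContext(SASContextBody body, ORB orb) {
        Any any = orb.create_any();
        SASContextBodyHelper.insert(any, body);
        byte[] encoded = new byte[0];
        try {
            encoded = this.codec.encode_value(any);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.encode_exception", (Throwable) e);
        }
        ServiceContext serviceContext = new ServiceContext();
        serviceContext.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
        serviceContext.context_data = encoded;
        return serviceContext;
    }

    /**
     * Converts the identity token of an EstablishContext message into a public credential
     * on {@code securityContext.subject} and records its class in {@code identcls}.
     *
     * <p>The identity token carries an <em>asserted</em> identity; nothing here checks that
     * the caller is trusted to assert it. That decision belongs to
     * {@code SecurityContextUtil.setSecurityContext}, which receives the resulting context.
     *
     * <p>Token payloads may arrive either raw or as a CDR encapsulation (see {@link #isCDR});
     * the encapsulated form is decoded with the interceptor's codec first.
     *
     * @throws SecurityException for an unknown token type, a GSS exported name whose mechanism
     *                           OID is not GSSUP, or an empty X.509 chain
     * @throws Exception         on codec or DER/X.509 parsing failures
     */
    private void createIdCred(SecurityContext securityContext, IdentityToken identityToken) throws Exception {
        switch (identityToken.discriminator()) {
            case ITT_ABSENT:
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Identity token type is Absent");
                }
                securityContext.identcls = null;
                return;

            case ITT_ANONYMOUS:
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Identity token type is Anonymous");
                    _logger.log(Level.FINE, "Adding AnonyCredential to subject's PublicCredentials");
                }
                securityContext.subject.getPublicCredentials().add(new AnonCredential());
                securityContext.identcls = AnonCredential.class;
                return;

            case ITT_PRINCIPAL_NAME: {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Identity token type is GSS Exported Name");
                }
                byte[] exportedName = identityToken.principal_name();
                if (isCDR(exportedName)) {
                    exportedName = GSS_NT_ExportedNameHelper.extract(
                            this.codec.decode_value(exportedName, GSS_NT_ExportedNameHelper.type()));
                }
                // Only the GSSUP (username/password) mechanism is understood; reject anything else
                // before a credential is created from it.
                if (!GSSUtils.verifyMechOID(GSSUtils.GSSUP_MECH_OID, exportedName)) {
                    throw new SecurityException(localStrings.getLocalString(
                            "secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
                }
                securityContext.subject.getPublicCredentials().add(new GSSUPName(exportedName));
                securityContext.identcls = GSSUPName.class;
                _logger.log(Level.FINE, "Adding GSSUPName credential to subject");
                return;
            }

            case ITT_X509_CERT_CHAIN: {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Identity token type is a X509 Certificate Chain");
                }
                byte[] chainBytes = identityToken.certificate_chain();
                if (isCDR(chainBytes)) {
                    chainBytes = X509CertificateChainHelper.extract(
                            this.codec.decode_value(chainBytes, X509CertificateChainHelper.type()));
                }
                DerValue[] sequence = new DerInputStream(chainBytes).getSequence(1);
                // An empty SEQUENCE would otherwise fail below with an ArrayIndexOutOfBounds on
                // certs[0]; reject it as a SecurityException so it takes the ContextError path.
                if (sequence.length == 0) {
                    _logger.log(Level.SEVERE, "iiop.unknown_identity");
                    throw new SecurityException(
                            "Identity token carries an empty X.509 certificate chain.");
                }
                X509Certificate[] certs = new X509CertImpl[sequence.length];
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Contents of X509 Certificate chain:");
                }
                for (int i = 0; i < certs.length; i++) {
                    certs[i] = new X509CertImpl(sequence[i]);
                    if (_logger.isLoggable(Level.FINE)) {
                        _logger.log(Level.FINE, "    " + certs[i].getSubjectDN().getName());
                    }
                }
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Creating a X509CertificateCredential object from certchain");
                }
                // getSubjectDN().getName() is deprecated, but its string form is what downstream
                // principal/realm mapping has always seen; switching to getSubjectX500Principal()
                // could change the name format, so it is deliberately kept.
                X509CertificateCredential credential = new X509CertificateCredential(
                        certs, certs[0].getSubjectDN().getName(), "default");
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
                }
                securityContext.subject.getPublicCredentials().add(credential);
                securityContext.identcls = X509CertificateCredential.class;
                return;
            }

            case ITT_DISTINGUISHED_NAME: {
                byte[] dn = identityToken.dn();
                if (isCDR(dn)) {
                    dn = X501DistinguishedNameHelper.extract(
                            this.codec.decode_value(dn, X501DistinguishedNameHelper.type()));
                }
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Create an X500Name object from identity token");
                }
                X500Name x500Name = new X500Name(dn);
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Identity to be asserted is " + x500Name.toString());
                    _logger.log(Level.FINE, "Adding X500Name to subject's PublicCredentials");
                }
                securityContext.subject.getPublicCredentials().add(x500Name);
                securityContext.identcls = X500Name.class;
                return;
            }

            default:
                // Any other (or future) token type is refused rather than ignored.
                _logger.log(Level.SEVERE, "iiop.unknown_identity");
                throw new SecurityException(localStrings.getLocalString(
                        "secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
        }
    }

    /**
     * Heuristic for "is this token a CDR encapsulation": a CDR encapsulation begins with a
     * byte-order octet that is 0 (big-endian) or 1 (little-endian). A raw DER/GSS payload
     * starts with a tag byte that is never 0 or 1, which is what makes this distinguishable.
     */
    private boolean isCDR(byte[] bytes) {
        return bytes != null && bytes.length > 0 && (bytes[0] == 0 || bytes[0] == 1);
    }

    /**
     * Parses the GSSUP client authentication token into a {@link PasswordCredential} and adds
     * it to the subject's <em>private</em> credentials (under doPrivileged, since that set is
     * guarded by an AuthPermission).
     *
     * @throws Exception if the token cannot be parsed
     */
    private void createAuthCred(final SecurityContext securityContext, byte[] authToken, ORB orb) throws Exception {
        _logger.log(Level.FINE, "Constructing a PasswordCredential from client authentication token");
        final PasswordCredential pwdcred = GSSUPToken.getServerSideInstance(orb, this.codec, authToken).getPwdcred();
        if (_logger.isLoggable(Level.FINE)) {
            // NOTE(review): this relies on PasswordCredential.toString() masking the password
            // before anything reaches a FINE log — confirm against that class.
            _logger.log(Level.FINE, "Password credential = " + pwdcred.toString());
            _logger.log(Level.FINE, "Adding PasswordCredential to subject's PrivateCredentials");
        }
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                securityContext.subject.getPrivateCredentials().add(pwdcred);
                return null;
            }
        });
        securityContext.authcls = PasswordCredential.class;
    }

    /**
     * Handles a request that carries no SAS service context.
     *
     * <p>A null security context is still offered to {@code setSecurityContext}; if the target
     * requires one (status {@link #STATUS_FAILED}) an INVALID_MECHANISM ContextError is attached
     * to the reply and the request fails with {@link NO_PERMISSION}.
     */
    private void handle_null_service_context(ServerRequestInfo serverRequestInfo, ORB orb) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "No SAS context element found in service context list for operation: "
                    + serverRequestInfo.operation());
        }
        int status = this.secContextUtil.setSecurityContext(
                null, serverRequestInfo.object_id(), serverRequestInfo.operation(), getServerSocket());
        if (status == STATUS_FAILED) {
            serverRequestInfo.add_reply_service_context(
                    createSvcContext(createContextError(INVALID_MECHANISM_MAJOR, INVALID_MECHANISM_MINOR), orb),
                    NO_REPLACE);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecServerRequestInterceptor.receive_request: NO_PERMISSION");
            }
            throw new NO_PERMISSION();
        }
    }

    /**
     * Decodes the SAS context element of the request, builds the JAAS subject from its
     * tokens and establishes the thread's security context.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>no SAS element (null, or {@code BAD_PARAM} from the ORB): see
     *       {@link #handle_null_service_context}</li>
     *   <li>MessageInContext: ContextError reply + {@link NO_PERMISSION} (stateless server)</li>
     *   <li>anything other than EstablishContext: {@link SecurityException}</li>
     *   <li>EstablishContext rejected by setSecurityContext, or a SecurityException while
     *       building the identity credential: ContextError reply + {@link NO_PERMISSION}</li>
     *   <li>any other failure while building credentials: re-thrown as a
     *       {@link SecurityException} (note the nested catches below wrap it twice more,
     *       so the message the caller sees is the CDR-decoding one)</li>
     * </ul>
     *
     * @throws ForwardRequest never thrown by this implementation; declared by the interface
     */
    @Override
    public void receive_request(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "++++ Entered " + this.prname + "receive_request");
        }
        ORB orb = this.orbHelper.getORB();
        try {
            ServiceContext serviceContext = serverRequestInfo.get_request_service_context(SECURITY_ATTRIBUTE_SERVICE_ID);
            if (serviceContext == null) {
                handle_null_service_context(serverRequestInfo, orb);
                return;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Received a non null SAS context element");
            }
            try {
                Any decoded = this.codec.decode_value(serviceContext.context_data, SASContextBodyHelper.type());
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Successfully decoded CDR encoded SAS context element.");
                }
                SASContextBody sasBody = SASContextBodyHelper.extract(decoded);
                short msgType = sasBody.discriminator();
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "SAS context element is a/an " + SvcContextUtils.getMsgname(msgType) + " message");
                }
                if (msgType == MT_MESSAGE_IN_CONTEXT) {
                    ServiceContext errorContext = createSvcContext(createContextError(NO_CONTEXT_MINOR), orb);
                    if (_logger.isLoggable(Level.FINE)) {
                        _logger.log(Level.FINE, "Adding ContextError message to service context list");
                        _logger.log(Level.FINE, "SecurityContext set to null");
                    }
                    serverRequestInfo.add_reply_service_context(errorContext, NO_REPLACE);
                    throw new NO_PERMISSION();
                }
                if (msgType != MT_ESTABLISH_CONTEXT) {
                    _logger.log(Level.SEVERE, "iiop.not_establishcontext_msg");
                    throw new SecurityException(localStrings.getLocalString(
                            "secserverreqinterceptor.err_not_ec_msg", "Received message not an EstablishContext message."));
                }
                EstablishContext establishMsg = sasBody.establish_msg();
                SecurityContext securityContext = new SecurityContext();
                securityContext.subject = new Subject();
                try {
                    // Null-guard added: a missing token array is treated the same as an empty one
                    // instead of surfacing as an NPE wrapped in "authentication_exception".
                    byte[] authToken = establishMsg.client_authentication_token;
                    if (authToken != null && authToken.length != 0) {
                        if (_logger.isLoggable(Level.FINE)) {
                            _logger.log(Level.FINE, "Message contains Client Authentication Token");
                        }
                        createAuthCred(securityContext, authToken, orb);
                    }
                    try {
                        if (establishMsg.identity_token != null) {
                            if (_logger.isLoggable(Level.FINE)) {
                                _logger.log(Level.FINE, "Message contains an Identity Token");
                            }
                            createIdCred(securityContext, establishMsg.identity_token);
                        }
                        if (_logger.isLoggable(Level.FINE)) {
                            _logger.log(Level.FINE, "Invoking setSecurityContext() to set security context");
                        }
                        // This is where trust in the asserted identity / authentication is decided.
                        int status = this.secContextUtil.setSecurityContext(
                                securityContext, serverRequestInfo.object_id(), serverRequestInfo.operation(), getServerSocket());
                        if (_logger.isLoggable(Level.FINE)) {
                            _logger.log(Level.FINE, "setSecurityContext() returned status code " + status);
                        }
                        if (status == STATUS_FAILED) {
                            if (_logger.isLoggable(Level.FINE)) {
                                _logger.log(Level.FINE, "setSecurityContext() returned STATUS_FAILED");
                            }
                            ServiceContext errorContext = createSvcContext(createContextError(status), orb);
                            if (_logger.isLoggable(Level.FINE)) {
                                _logger.log(Level.FINE, "Adding ContextError message to service context list");
                            }
                            serverRequestInfo.add_reply_service_context(errorContext, NO_REPLACE);
                            throw new NO_PERMISSION();
                        }
                        if (_logger.isLoggable(Level.FINE)) {
                            _logger.log(Level.FINE, "setSecurityContext() returned SUCCESS");
                        }
                        ServiceContext completeContext = createSvcContext(createCompleteEstablishContext(status), orb);
                        if (_logger.isLoggable(Level.FINE)) {
                            _logger.log(Level.FINE, "Adding CompleteEstablisContext message to service context list");
                        }
                        serverRequestInfo.add_reply_service_context(completeContext, NO_REPLACE);
                    } catch (SecurityException e) {
                        // Identity-token validation failures (unknown type, bad mech OID, empty chain)
                        // land here and are answered with a ContextError rather than a bare exception.
                        _logger.log(Level.SEVERE, "iiop.security_exception", (Throwable) e);
                        serverRequestInfo.add_reply_service_context(
                                createSvcContext(createContextError(INVALID_MECHANISM_MAJOR, INVALID_MECHANISM_MINOR), orb),
                                NO_REPLACE);
                        throw new NO_PERMISSION();
                    } catch (Exception e2) {
                        _logger.log(Level.SEVERE, "iiop.generic_exception", (Throwable) e2);
                        throw new SecurityException(localStrings.getLocalString(
                                "secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."));
                    }
                } catch (Exception e3) {
                    // Also catches failures from createAuthCred and the SecurityException re-thrown
                    // just above (NO_PERMISSION is a CORBA SystemException, i.e. a RuntimeException,
                    // and is caught and re-wrapped here as well — preserved from the original flow).
                    _logger.log(Level.SEVERE, "iiop.authentication_exception", (Throwable) e3);
                    throw new SecurityException(localStrings.getLocalString(
                            "secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."));
                }
            } catch (Exception e4) {
                _logger.log(Level.SEVERE, "iiop.decode_exception", (Throwable) e4);
                throw new SecurityException(localStrings.getLocalString(
                        "secserverreqinterceptor.err_cdr_decode", "CDR Decoding error for SAS context element."));
            }
        } catch (BAD_PARAM e5) {
            // get_request_service_context raises BAD_PARAM when no element with that id exists.
            handle_null_service_context(serverRequestInfo, orb);
        }
    }

    /**
     * First interception point of a request: tracks call nesting on this thread and records
     * the connection the request arrived on.
     *
     * <p>When the thread's nesting counter is 0 (outermost request) any stale security
     * context is cleared first. The connection's socket, if the ORB exposes one via
     * {@link RequestInfoExt}, is stored in a {@link ServerConnectionContext} so later
     * phases ({@link #getServerSocket}, {@link #isLocal}) can tell remote from colocated calls.
     */
    @Override
    public void receive_request_service_contexts(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        Counter counter = this.counterForCalls.get();
        if (counter == null) {
            counter = new Counter();
            this.counterForCalls.set(counter);
        }
        if (counter.count == 0) {
            SecurityContextUtil.unsetSecurityContext(isLocal());
        }
        counter.increment();

        Connection connection = null;
        if (serverRequestInfo instanceof RequestInfoExt) {
            connection = ((RequestInfoExt) serverRequestInfo).connection();
        }
        ServerConnectionContext connectionContext;
        if (connection != null) {
            Socket socket = connection.getSocket();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "RECEIVED request on connection: " + connection);
                _logger.log(Level.FINE, "Socket =" + socket);
            }
            connectionContext = new ServerConnectionContext(socket);
        } else {
            connectionContext = new ServerConnectionContext();
        }
        setServerConnectionContext(connectionContext);
    }

    @Override
    public void send_reply(ServerRequestInfo serverRequestInfo) {
        unsetSecurityContext();
    }

    @Override
    public void send_exception(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        unsetSecurityContext();
    }

    @Override
    public void send_other(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        unsetSecurityContext();
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Reply-side counterpart of {@link #receive_request_service_contexts}: decrements the
     * thread's nesting counter and clears the security context when the outermost request
     * completes. A missing counter is treated as depth 1 (and is not stored back), so the
     * context is cleared immediately. The client-thread id is always removed, even if
     * clearing the context throws.
     */
    private void unsetSecurityContext() {
        try {
            Counter counter = this.counterForCalls.get();
            if (counter == null) {
                counter = new Counter(1);
            }
            counter.decrement();
            if (counter.count == 0) {
                SecurityContextUtil.unsetSecurityContext(isLocal());
            }
        } finally {
            ConnectionExecutionContext.removeClientThreadID();
        }
    }

    /**
     * Whether the current request is colocated (same process) rather than remote.
     *
     * <p>A request is considered remote only when a server connection context with a real
     * socket is present; it is treated as local again if the recorded client thread id is
     * this thread (the client and server halves of the call share the thread).
     */
    private boolean isLocal() {
        ServerConnectionContext connectionContext = getServerConnectionContext();
        boolean local = connectionContext == null || connectionContext.getSocket() == null;
        Long clientThreadId = ConnectionExecutionContext.readClientThreadID();
        if (clientThreadId != null && clientThreadId.longValue() == Thread.currentThread().getId()) {
            local = true;
        }
        return local;
    }

    /** Socket the current request arrived on, or {@code null} if none was recorded (colocated call). */
    private Socket getServerSocket() {
        ServerConnectionContext connectionContext = getServerConnectionContext();
        return connectionContext == null ? null : connectionContext.getSocket();
    }

    /** Reads the per-thread ServerConnectionContext stored by {@link #setServerConnectionContext}. */
    private ServerConnectionContext getServerConnectionContext() {
        return (ServerConnectionContext) ConnectionExecutionContext.getContext().get(SERVER_CONNECTION_CONTEXT);
    }

    /** Stores the ServerConnectionContext for the current thread under {@link #SERVER_CONNECTION_CONTEXT}. */
    public static void setServerConnectionContext(ServerConnectionContext serverConnectionContext) {
        ConnectionExecutionContext.getContext().put(SERVER_CONNECTION_CONTEXT, serverConnectionContext);
    }
}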
