package com.sun.enterprise.iiop.security;

import com.sun.corba.ee.org.omg.CSI.AuthorizationElement;
import com.sun.corba.ee.org.omg.CSI.EstablishContext;
import com.sun.corba.ee.org.omg.CSI.GSS_NT_ExportedNameHelper;
import com.sun.corba.ee.org.omg.CSI.IdentityToken;
import com.sun.corba.ee.org.omg.CSI.SASContextBody;
import com.sun.corba.ee.org.omg.CSI.SASContextBodyHelper;
import com.sun.corba.ee.org.omg.CSI.X501DistinguishedNameHelper;
import com.sun.corba.ee.org.omg.CSI.X509CertificateChainHelper;
import com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech;
import com.sun.enterprise.common.iiop.security.AnonCredential;
import com.sun.enterprise.common.iiop.security.GSSUPName;
import com.sun.enterprise.common.iiop.security.SecurityContext;
import com.sun.enterprise.security.auth.login.common.PasswordCredential;
import com.sun.enterprise.security.auth.login.common.X509CertificateCredential;
import com.sun.logging.LogDomains;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.glassfish.enterprise.iiop.api.GlassFishORBHelper;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.ORB;
import org.omg.CORBA.Object;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ClientRequestInterceptor;
import org.omg.PortableInterceptor.ForwardRequest;

/* loaded from: input_file:com/sun/enterprise/iiop/security/SecClientRequestInterceptor.class */
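/**
 * Client-side CORBA portable interceptor for the CSIv2 Security Attribute Service (SAS).
 *
 * <p>On every outgoing request ({@link #send_request}) it looks up the {@link SecurityContext}
 * for the effective target and, when one exists, adds an {@code EstablishContext} message
 * (client authentication token plus identity token) to the request's service context list
 * under {@link #SECURITY_ATTRIBUTE_SERVICE_ID}. On the reply ({@link #receive_reply}) it decodes
 * the SAS element, accepts only {@code CompleteEstablishContext} or {@code ContextError}, and
 * reports the mapped reply status through {@link SecurityContextUtil#receivedReply}.
 *
 * <p>Thread-safety: all instance state is final and assigned at construction; per-request
 * state lives in locals.
 *
 * <p>NOTE(review): the GSSUP authentication token is built from a {@code PasswordCredential}
 * (see {@link #createAuthToken}); nothing in this class protects it on the wire, so the
 * selected {@code CompoundSecMech} / transport is expected to — confirm in the mechanism
 * selector.
 */
public class SecClientRequestInterceptor extends LocalObject implements ClientRequestInterceptor {
    private static final Logger LOG = LogDomains.getLogger((Class<?>) SecClientRequestInterceptor.class, "jakarta.enterprise.system.core.security", false);

    /** IOP service context id of the CSIv2 Security Attribute Service. */
    protected static final int SECURITY_ATTRIBUTE_SERVICE_ID = 15;

    // SASContextBody discriminators accepted in a reply (CSIv2 MTCompleteEstablishContext / MTContextError).
    private static final short MSG_COMPLETE_ESTABLISH_CONTEXT = 1;
    private static final short MSG_CONTEXT_ERROR = 4;

    // PortableInterceptor reply_status() values (SUCCESSFUL, SYSTEM_EXCEPTION, USER_EXCEPTION,
    // LOCATION_FORWARD, TRANSPORT_RETRY) consumed by mapreplyStatus().
    private static final int REPLY_SUCCESSFUL = 0;
    private static final int REPLY_SYSTEM_EXCEPTION = 1;
    private static final int REPLY_USER_EXCEPTION = 2;
    private static final int REPLY_LOCATION_FORWARD = 3;
    private static final int REPLY_TRANSPORT_RETRY = 4;

    // Coarse outcome codes handed to SecurityContextUtil.receivedReply() (presumably its
    // STATUS_PASSED / STATUS_FAILED / STATUS_RETRY — confirm against that class).
    private static final int STATUS_PASSED = 0;
    private static final int STATUS_FAILED = 1;
    private static final int STATUS_RETRY = 2;

    /** Interceptor name reported through {@link #name()}. */
    private final String name;
    /** Log prefix, {@code name + "::"}. */
    private final String prname;
    /** Codec used to CDR-encode/decode SAS context bodies. */
    private final Codec codec;
    private final GlassFishORBHelper orbHelper = Lookups.getGlassFishORBHelper();
    private final SecurityContextUtil secContextUtil = Lookups.getSecurityContextUtil();

    /**
     * Creates the interceptor.
     *
     * @param str   interceptor name
     * @param codec codec used for CDR encoding of the SAS service context
     */
    public SecClientRequestInterceptor(String str, Codec codec) {
        this.name = str;
        this.codec = codec;
        this.prname = str + "::";
    }

    @Override // org.omg.PortableInterceptor.InterceptorOperations
    public String name() {
        return this.name;
    }

    /**
     * Returns the single credential contained in {@code set}.
     *
     * @param set credentials of type {@code cls} taken from the subject (may be empty or null)
     * @param cls credential class, used for logging only
     * @return the sole element of {@code set}
     * @throws SecurityException if {@code set} does not contain exactly one element; ambiguity
     *         between several credentials is deliberately rejected rather than resolved by picking one
     */
    private java.lang.Object getCred(Set<?> set, Class<?> cls) {
        String className = cls.getName();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, "Checking for a single instance of class in subject");
            LOG.log(Level.FINE, "    Classname = " + className);
        }
        int size = set == null ? 0 : set.size();
        if (size != 1) {
            throw new SecurityException("Credential list size is not 1, but " + size);
        }
        java.lang.Object cred = set.iterator().next();
        LOG.log(Level.FINE, "Verified single instance of class {0}", className);
        return cred;
    }

    /**
     * Builds the CSIv2 client authentication token for {@code cred}.
     *
     * <p>Only {@code PasswordCredential} is supported (GSSUP token); any other credential class
     * yields an empty token, i.e. no client authentication is sent.
     *
     * @param cred            the authentication credential
     * @param cls             its class, as recorded in the security context
     * @param orb             ORB used by the GSSUP token builder
     * @param compoundSecMech negotiated mechanism the token is built for
     * @return the encoded token, or an empty array when {@code cls} is not a PasswordCredential
     * @throws Exception propagated from GSSUP token construction
     */
    private byte[] createAuthToken(java.lang.Object cred, Class<?> cls, ORB orb, CompoundSecMech compoundSecMech) throws Exception {
        if (PasswordCredential.class.isAssignableFrom(cls)) {
            LOG.log(Level.FINE, "Constructing a PasswordCredential client auth token");
            return GSSUPToken.getClientSideInstance(orb, this.codec, (PasswordCredential) cred, compoundSecMech).getGSSToken();
        }
        return new byte[0];
    }

    /**
     * Builds the CSIv2 identity token for {@code cred}.
     *
     * <p>Supported credential classes: X500Principal (DN), X509CertificateCredential (certificate
     * chain), AnonCredential (anonymous) and GSSUPName (GSS exported name). Any other class
     * returns an IdentityToken with no branch set.
     *
     * @param cred the identity credential
     * @param cls  its class, as recorded in the security context
     * @param orb  ORB used to create the Any that is CDR-encoded into the token
     * @return the identity token
     * @throws Exception propagated from certificate-path or CDR encoding
     */
    private IdentityToken createIdToken(java.lang.Object cred, Class<?> cls, ORB orb) throws Exception {
        Any any = orb.create_any();
        IdentityToken identityToken = new IdentityToken();
        if (X500Principal.class.isAssignableFrom(cls)) {
            LOG.log(Level.FINE, "Constructing an X500 DN Identity Token");
            X501DistinguishedNameHelper.insert(any, ((X500Principal) cred).getEncoded());
            identityToken.dn(this.codec.encode_value(any));
        } else if (X509CertificateCredential.class.isAssignableFrom(cls)) {
            LOG.log(Level.FINE, "Constructing an X509 Certificate Chain Identity Token");
            X509Certificate[] chain = ((X509CertificateCredential) cred).getX509CertificateChain();
            LOG.log(Level.FINE, "Certchain length = {0}", Integer.valueOf(chain.length));
            // Standard JCA factory name; avoids pulling in Apache XML Security just for the constant.
            byte[] encodedPath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain)).getEncoded();
            X509CertificateChainHelper.insert(any, encodedPath);
            identityToken.certificate_chain(this.codec.encode_value(any));
        } else if (AnonCredential.class.isAssignableFrom(cls)) {
            LOG.log(Level.FINE, "Constructing an Anonymous Identity Token");
            identityToken.anonymous(true);
        } else if (GSSUPName.class.isAssignableFrom(cls)) {
            LOG.log(Level.FINE, "Constructing a GSS Exported name Identity Token");
            GSS_NT_ExportedNameHelper.insert(any, ((GSSUPName) cred).getExportedName());
            identityToken.principal_name(this.codec.encode_value(any));
        }
        return identityToken;
    }

    /**
     * Builds the authentication token for the context's authentication credential, or an empty
     * token when the context has no {@code authcls}.
     *
     * @throws SecurityException wrapping any failure during token construction, or from
     *         {@link #getCred} when the subject does not hold exactly one such credential
     */
    private byte[] buildAuthToken(SecurityContext securityContext, ORB orb) {
        if (securityContext.authcls == null) {
            return new byte[0];
        }
        // Reading private credentials may be guarded by a security manager.
        // AccessController.doPrivileged is deprecated for removal in recent JDKs; kept to preserve behaviour.
        java.lang.Object cred = AccessController.doPrivileged((PrivilegedAction<java.lang.Object>) () ->
                getCred(securityContext.subject.getPrivateCredentials(securityContext.authcls), securityContext.authcls));
        try {
            CompoundSecMech mech = Lookups.getSecurityMechanismSelector().getClientConnectionContext().getMechanism();
            return createAuthToken(cred, securityContext.authcls, orb, mech);
        } catch (Exception e) {
            // Keep the cause: without it a failing GSSUP build is undiagnosable from the log.
            throw new SecurityException("Error while constructing an authentication token.", e);
        }
    }

    /**
     * Builds the identity token for the context's identity credential, or an "absent" token
     * when the context has no {@code identcls}.
     *
     * @throws SecurityException wrapping any failure during token construction
     */
    private IdentityToken buildIdentityToken(SecurityContext securityContext, ORB orb) {
        if (securityContext.identcls == null) {
            LOG.log(Level.FINE, "Constructing an Absent Identity Token");
            IdentityToken absent = new IdentityToken();
            absent.absent(true);
            return absent;
        }
        try {
            java.lang.Object cred = getCred(securityContext.subject.getPublicCredentials(securityContext.identcls), securityContext.identcls);
            return createIdToken(cred, securityContext.identcls, orb);
        } catch (Exception e) {
            throw new SecurityException("Error while constructing an identity token.", e);
        }
    }

    /**
     * Wraps the tokens in an EstablishContext message and adds it to the request's service
     * context list.
     *
     * @throws SecurityException wrapping CDR encoding failures or a failure to add the context
     *         (replace is {@code false}, so an already-present SAS context is not overwritten)
     */
    private void addEstablishContext(ClientRequestInfo clientRequestInfo, ORB orb, byte[] authToken, IdentityToken identityToken) {
        LOG.log(Level.FINE, "Creating an EstablishContext message");
        // client_context_id 0 (stateless context, presumably); no authorization elements are sent.
        EstablishContext establishContext = new EstablishContext(0L, new AuthorizationElement[0], identityToken, authToken);
        SASContextBody body = new SASContextBody();
        body.establish_msg(establishContext);
        Any any = orb.create_any();
        SASContextBodyHelper.insert(any, body);
        try {
            ServiceContext serviceContext = new ServiceContext();
            serviceContext.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
            serviceContext.context_data = this.codec.encode_value(any);
            LOG.log(Level.FINE, "Adding EstablishContext message to service context list");
            clientRequestInfo.add_request_service_context(serviceContext, false);
            LOG.log(Level.FINE, "Added EstablishContext message to service context list");
        } catch (Exception e) {
            throw new SecurityException("CDR Encoding error for a SAS context element.", e);
        }
    }

    /**
     * Attaches the SAS EstablishContext message to the outgoing request when a security
     * context exists for the effective target; otherwise sends the request untouched.
     *
     * @param clientRequestInfo the request being sent
     * @throws SecurityException if a credential or token cannot be built or encoded
     * @throws RuntimeException  wrapping InvalidIdentityTokenException / InvalidMechanismException
     *         raised while resolving the security context
     */
    @Override // org.omg.PortableInterceptor.ClientRequestInterceptorOperations
    public void send_request(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        ConnectionExecutionContext.removeClientThreadID();
        LOG.log(Level.FINE, "++++ Entered {0} send_request()", this.prname);
        ORB orb = this.orbHelper.getORB();
        try {
            SecurityContext securityContext = this.secContextUtil.getSecurityContext(clientRequestInfo.effective_target());
            if (securityContext == null) {
                LOG.log(Level.FINE, "Security context is null (nothing to add to service context)");
                return;
            }
            byte[] authToken = buildAuthToken(securityContext, orb);
            IdentityToken identityToken = buildIdentityToken(securityContext, orb);
            addEstablishContext(clientRequestInfo, orb, authToken, identityToken);
        } catch (InvalidIdentityTokenException e) {
            throw new RuntimeException(e);
        } catch (InvalidMechanismException e) {
            throw new RuntimeException(e);
        }
    }

    /** No-op: polling is not part of the SAS exchange. */
    @Override // org.omg.PortableInterceptor.ClientRequestInterceptorOperations
    public void send_poll(ClientRequestInfo clientRequestInfo) {
    }

    /**
     * Reports the outcome of a request to {@link SecurityContextUtil#receivedReply}.
     *
     * @param status one of the STATUS_* codes produced by {@link #mapreplyStatus}
     * @param target the request's effective target
     */
    private void setreplyStatus(int status, org.omg.CORBA.Object target) {
        LOG.log(Level.FINE, "Status to be set: {0}", Integer.valueOf(status));
        SecurityContextUtil.receivedReply(status, target);
        LOG.log(Level.FINE, "Invoked receivedReply()");
    }

    /**
     * Maps a PortableInterceptor reply status onto the coarser pass / fail / retry codes.
     *
     * @param replyStatus value of {@code ClientRequestInfo.reply_status()}
     * @return STATUS_PASSED for SUCCESSFUL and USER_EXCEPTION, STATUS_FAILED for SYSTEM_EXCEPTION,
     *         STATUS_RETRY for LOCATION_FORWARD and TRANSPORT_RETRY; any other value is passed through unchanged
     */
    private int mapreplyStatus(int replyStatus) {
        LOG.log(Level.FINE, "Reply status to be mapped = {0}", Integer.valueOf(replyStatus));
        int mapped;
        switch (replyStatus) {
            case REPLY_SUCCESSFUL:
            case REPLY_USER_EXCEPTION:
                // A user exception means the call reached the target; security-wise it passed.
                mapped = STATUS_PASSED;
                break;
            case REPLY_SYSTEM_EXCEPTION:
                mapped = STATUS_FAILED;
                break;
            case REPLY_LOCATION_FORWARD:
            case REPLY_TRANSPORT_RETRY:
                mapped = STATUS_RETRY;
                break;
            default:
                mapped = replyStatus;
                break;
        }
        LOG.log(Level.FINE, "Mapped reply status = {0}", Integer.valueOf(mapped));
        return mapped;
    }

    /** Handles a reply without a SAS element: recorded as a passed reply for the target. */
    private void handle_null_service_context(ClientRequestInfo clientRequestInfo) {
        LOG.log(Level.FINE, "No SAS context element found in service context list");
        setreplyStatus(STATUS_PASSED, clientRequestInfo.effective_target());
    }

    /**
     * Decodes the SAS element of the reply, checks it is a CompleteEstablishContext or
     * ContextError message, and reports the mapped reply status.
     *
     * <p>A missing SAS element (null or BAD_PARAM) is treated as a passed reply. Every other
     * failure — including a rejected message type — is logged at SEVERE and otherwise ignored.
     *
     * @param clientRequestInfo the reply being received
     */
    @Override // org.omg.PortableInterceptor.ClientRequestInterceptorOperations
    public void receive_reply(ClientRequestInfo clientRequestInfo) {
        LOG.log(Level.FINE, "Entered {0} receive_reply", this.prname);
        try {
            ServiceContext serviceContext = clientRequestInfo.get_reply_service_context(SECURITY_ATTRIBUTE_SERVICE_ID);
            if (serviceContext == null) {
                handle_null_service_context(clientRequestInfo);
                return;
            }
            short discriminator;
            try {
                Any any = this.codec.decode_value(serviceContext.context_data, SASContextBodyHelper.type());
                discriminator = SASContextBodyHelper.extract(any).discriminator();
            } catch (Exception e) {
                throw new SecurityException("CDR Decoding error for SAS context element.", e);
            }
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Received " + SvcContextUtils.getMsgname(discriminator) + " message");
            }
            LOG.log(Level.FINE, "Verifying the SAS protocol reply message");
            if (discriminator != MSG_COMPLETE_ESTABLISH_CONTEXT && discriminator != MSG_CONTEXT_ERROR) {
                throw new SecurityException("Reply message not one of CompleteEstablishContext or ContextError: " + discriminator);
            }
            setreplyStatus(mapreplyStatus(clientRequestInfo.reply_status()), clientRequestInfo.effective_target());
        } catch (BAD_PARAM e) {
            // The ORB raises BAD_PARAM when no service context with this id is present.
            handle_null_service_context(clientRequestInfo);
        } catch (Exception e) {
            // NOTE(review): this catch-all also absorbs the message-type rejection above, so an
            // unexpected SAS reply is logged but does not fail the request and receivedReply() is
            // never invoked for it. Behaviour kept; consider letting SecurityException propagate.
            LOG.log(Level.SEVERE, "Could not get the service context for id=15", e);
        }
    }

    /** Logs entry only; exceptions replies carry no SAS processing on the client side here. */
    @Override // org.omg.PortableInterceptor.ClientRequestInterceptorOperations
    public void receive_exception(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        LOG.log(Level.FINE, "Entered {0} receive_exception", this.prname);
    }

    /** No-op. */
    @Override // org.omg.PortableInterceptor.ClientRequestInterceptorOperations
    public void receive_other(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
    }

    /** No-op: the interceptor holds no resources to release. */
    @Override // org.omg.PortableInterceptor.InterceptorOperations
    public void destroy() {
    }

    /** @return the ORB helper this interceptor was resolved with */
    protected GlassFishORBHelper getORBHelper() {
        return this.orbHelper;
    }
}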
