package weblogic.iiop.csi;

import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import javax.security.auth.login.LoginException;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.MARSHAL;
import weblogic.corba.cos.security.GSSUtil;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.iiop.EndPoint;
import weblogic.iiop.IIOPInputStream;
import weblogic.iiop.IIOPLogger;
import weblogic.iiop.IIOPOutputStream;
import weblogic.iiop.ReplyMessage;
import weblogic.iiop.RequestMessage;
import weblogic.iiop.ServiceContext;
import weblogic.iiop.ServiceContextList;
import weblogic.kernel.Kernel;
import weblogic.protocol.configuration.ChannelHelper;
import weblogic.security.SimpleCallbackHandler;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.UserInfo;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.auth.login.PasswordCredential;
import weblogic.security.service.CredentialManager;
import weblogic.security.service.InvalidParameterException;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RemoteResource;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.CredentialMapperV2;
import weblogic.utils.Debug;
import weblogic.utils.DebugCategory;

/* loaded from: input_file:weblogic/iiop/csi/SASServiceContext.class */
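/**
 * CSIv2 Security Attribute Service (SAS) service context (service context id 15).
 *
 * <p>One instance carries exactly one SAS message, identified by {@link #getMsgType()}:
 * EstablishContext (0, client to target), CompleteEstablishContext (1, target to client),
 * ContextError (4, target to client) or MessageInContext (5, client to target, stateful
 * contexts only). The class serves both roles: the client-side constructors build an
 * outgoing message, {@link #handleSASRequest} interprets an incoming one on the target,
 * and {@link #handleSASReply} interprets the target's answer on the client.
 *
 * <p>On the target side the result of processing is the {@link AuthenticatedSubject}
 * returned by {@link #getSubject()}: the result of GSSUP username/password authentication,
 * of an identity assertion (anonymous, principal name, X.509 chain or distinguished name)
 * run on behalf of the authenticated/connection subject, or the subject cached for a
 * previously established stateful context. A {@code null} subject means nothing was
 * established (the debug message says "use connection subject"; the caller decides).
 *
 * <p>Security notes grounded in this class:
 * <ul>
 *   <li>A GSSUP token carries a cleartext password. The raw token is retained inside the
 *       {@link EstablishContext} cached per stateful context, and the decoded password is
 *       attached to the subject as a {@link PasswordCredential}. Both live as long as the
 *       context does. Nothing here checks that the transport is protected; that is left to
 *       the {@link CompoundSecMechList} negotiation done elsewhere.</li>
 *   <li>When a client re-sends EstablishContext for a known stateful context id, the cached
 *       token is compared in constant time and the cached subject is reused only if the
 *       evidence matches.</li>
 *   <li>Administrators authenticating over a non-admin channel are rejected while the local
 *       admin channel is enabled, and no subject is left on the context in that case.</li>
 *   <li>Unknown message types and identity token types are rejected (MARSHAL / ContextError).</li>
 * </ul>
 *
 * <p>Not thread-safe: an instance belongs to a single request or reply.
 */
public class SASServiceContext extends ServiceContext {
    /** Service context id of the CSIv2 SecurityAttributeService. */
    private static final int SAS_CONTEXT_ID = 15;

    // CSIv2 MsgType values handled here.
    private static final short MT_ESTABLISH_CONTEXT = 0;
    private static final short MT_COMPLETE_ESTABLISH_CONTEXT = 1;
    private static final short MT_CONTEXT_ERROR = 4;
    private static final short MT_MESSAGE_IN_CONTEXT = 5;

    // CSIv2 IdentityTokenType values handled here.
    private static final int ITT_ABSENT = 0;
    private static final int ITT_ANONYMOUS = 1;
    private static final int ITT_PRINCIPAL_NAME = 2;
    private static final int ITT_X509_CERT_CHAIN = 4;
    private static final int ITT_DISTINGUISHED_NAME = 8;

    // CSIv2 ContextError major_status values.
    private static final int ERR_INVALID_EVIDENCE = 1;
    private static final int ERR_INVALID_MECHANISM = 2;
    private static final int ERR_CONFLICTING_EVIDENCE = 3;
    private static final int ERR_NO_CONTEXT = 4;
    /** minor_status sent with every ContextError; this class never varies it. */
    private static final int ERR_MINOR_STATUS = 1;

    /** GIOP reply status used for the NO_PERMISSION system-exception reply on a context error. */
    private static final int REPLY_SYSTEM_EXCEPTION = 2;

    private short ctxMsgType;
    private ContextBody ctxBody;
    /** Subject established on the target side; null until a request has been handled. */
    private AuthenticatedSubject subject;

    private static final DebugCategory debugSecurity = Debug.getCategory("weblogic.iiop.security");
    private static final DebugLogger debugIIOPSecurity = DebugLogger.getDebugLogger("DebugIIOPSecurity");
    /** Kernel identity used for all privileged security-service lookups in this class. */
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());

    /** Creates an empty context; the body is expected to be filled by reading it from the wire. */
    public SASServiceContext() {
        super(SAS_CONTEXT_ID);
    }

    /**
     * Creates a context from an already built body.
     *
     * @param msgType CSIv2 MsgType of {@code body}
     * @param body    message body
     * @param subject subject associated with the message (may be null)
     */
    public SASServiceContext(short msgType, ContextBody body, AuthenticatedSubject subject) {
        super(SAS_CONTEXT_ID);
        this.ctxMsgType = msgType;
        this.ctxBody = body;
        this.subject = subject;
        if (isDebugEnabled()) {
            log("created " + this);
        }
    }

    /**
     * Client side: builds the EstablishContext message to send to a target described by
     * {@code mechList}.
     *
     * <p>If the target accepts GSSUP and a password credential is available for the caller
     * (own credential or one produced by the credential mapper), a GSSUP token carrying the
     * cleartext username/password is sent and the identity token is ITTAbsent. Otherwise, if
     * the target accepts identity assertion, an ITTAnonymous token is sent for a null,
     * anonymous or kernel subject, and an ITTPrincipalName token ("user@target" when the
     * target name is known) for any other subject. A stateful target gets a fresh non-zero
     * client context id; a stateless one gets 0.
     *
     * @param mechList target's compound security mechanism list
     * @param subject  caller's subject (may be null)
     * @param endPoint connection to the target
     */
    public SASServiceContext(CompoundSecMechList mechList, AuthenticatedSubject subject, EndPoint endPoint) {
        super(SAS_CONTEXT_ID);
        this.ctxMsgType = MT_ESTABLISH_CONTEXT;
        // A non-zero client_context_id asks the target to keep the context; 0 means stateless.
        long clientContextId = mechList.isGSSUPTargetStateful() ? endPoint.getNextClientContextId() : 0L;
        PasswordCredential credential = getPasswordCredential(subject, endPoint);
        boolean hasGSSUP = mechList.hasGSSUP();
        boolean hasGSSUPIdentity = mechList.hasGSSUPIdentity();
        String targetName = hasGSSUP ? GSSUtil.extractGSSUPGSSNTExportedName(mechList.getGSSUPTarget()) : null;
        if (isDebugEnabled()) {
            // Log only the credential's username: a credential object's toString() may expose the password.
            log("create sasservice target: " + targetName + " hasGSSUP: " + hasGSSUP + " hasIdentity: " + hasGSSUPIdentity + " pc: " + (credential != null ? credential.getUsername() : null));
        }
        byte[] authToken = null;
        IdentityToken identityToken = null;
        if (hasGSSUP && credential != null) {
            // The GSSUP token carries the cleartext password; transport protection is assumed
            // to have been negotiated from the mechanism list elsewhere.
            authToken = new GSSUPImpl(credential.getUsername(), targetName, credential.getPassword(), targetName).getBytes();
            identityToken = new IdentityToken(ITT_ABSENT, true, null);
        } else if (hasGSSUPIdentity) {
            if (subject == null || SubjectUtils.isUserAnonymous(subject) || SecurityServiceManager.isKernelIdentity(subject)) {
                identityToken = new IdentityToken(ITT_ANONYMOUS, true, null);
            } else {
                String username = SubjectUtils.getUsername(subject);
                String scopedName = targetName != null ? username + "@" + targetName : username;
                identityToken = new IdentityToken(ITT_PRINCIPAL_NAME, true, GSSUtil.createGSSUPGSSNTExportedName(scopedName));
            }
        }
        this.ctxBody = new EstablishContext(clientContextId, authToken, identityToken);
        if (isDebugEnabled()) {
            log("created " + this);
        }
    }

    /**
     * Client side: builds a MessageInContext message referring to an already established
     * stateful context. The context is not discarded.
     *
     * @param clientContextId id of the established context
     */
    public SASServiceContext(long clientContextId) {
        super(SAS_CONTEXT_ID);
        this.ctxMsgType = MT_MESSAGE_IN_CONTEXT;
        this.ctxBody = new MessageInContext(clientContextId, false);
        if (isDebugEnabled()) {
            log("created " + this);
        }
    }

    /**
     * Reads an encapsulated SAS context from the wire.
     *
     * @param in input stream positioned at the encapsulation
     * @throws MARSHAL if the message type is not one this class handles
     */
    public SASServiceContext(IIOPInputStream in) {
        super(SAS_CONTEXT_ID);
        readEncapsulatedContext(in);
    }

    /**
     * Decodes the message type and body. Only EstablishContext, CompleteEstablishContext,
     * ContextError and MessageInContext are accepted; anything else fails closed with MARSHAL.
     */
    @Override // weblogic.iiop.ServiceContext
    protected void readEncapsulation(IIOPInputStream in) {
        short msgType = in.read_short();
        switch (msgType) {
            case MT_ESTABLISH_CONTEXT:
                this.ctxBody = new EstablishContext(in);
                break;
            case MT_COMPLETE_ESTABLISH_CONTEXT:
                this.ctxBody = new CompleteEstablishContext(in);
                break;
            case MT_CONTEXT_ERROR:
                this.ctxBody = new ContextError(in);
                break;
            case MT_MESSAGE_IN_CONTEXT:
                this.ctxBody = new MessageInContext(in);
                break;
            default:
                throw new MARSHAL("Unsupported CSI MsgType.");
        }
        this.ctxMsgType = msgType;
        if (isDebugEnabled()) {
            log("read " + this);
        }
    }

    /** @return the CSIv2 MsgType of the carried message */
    public short getMsgType() {
        return this.ctxMsgType;
    }

    /** @return the carried message body */
    public ContextBody getBody() {
        return this.ctxBody;
    }

    @Override // weblogic.iiop.ServiceContext
    public void write(IIOPOutputStream out) {
        writeEncapsulatedContext(out);
    }

    /** Writes the message type followed by the body. */
    @Override // weblogic.iiop.ServiceContext
    public void writeEncapsulation(IIOPOutputStream out) {
        if (isDebugEnabled()) {
            log("writing " + this);
        }
        out.write_short(this.ctxMsgType);
        this.ctxBody.write(out);
    }

    /**
     * Client side: applies the target's answer to the endpoint's client-context table.
     * CompleteEstablishContext with context_stateful set records the context id for reuse;
     * without it, or on ContextError, the id is forgotten.
     *
     * @param endPoint connection the reply arrived on
     * @throws MARSHAL for any message type other than CompleteEstablishContext or ContextError
     */
    public void handleSASReply(EndPoint endPoint) {
        if (isDebugEnabled()) {
            log("handle SAS Reply " + this);
        }
        switch (this.ctxMsgType) {
            case MT_COMPLETE_ESTABLISH_CONTEXT: {
                CompleteEstablishContext complete = (CompleteEstablishContext) this.ctxBody;
                long contextId = complete.getClientContextId();
                if (complete.getContextStateful()) {
                    endPoint.establishSASClientContext(contextId);
                    if (isDebugEnabled()) {
                        IIOPLogger.logDebugSecurity("stateful CSIv2 session established.");
                    }
                } else {
                    endPoint.removeSASClientContext(contextId);
                    if (isDebugEnabled()) {
                        IIOPLogger.logDebugSecurity("stateful CSIv2 session reset.");
                    }
                }
                return;
            }
            case MT_CONTEXT_ERROR: {
                ContextError error = (ContextError) this.ctxBody;
                endPoint.removeSASClientContext(error.getClientContextId());
                if (isDebugEnabled()) {
                    IIOPLogger.logDebugSecurity("received ContextError(" + error.getMajorStatus() + ", " + error.getMinorStatus() + ") for context " + error.getClientContextId());
                }
                return;
            }
            default:
                throw new MARSHAL("Unsupported Reply CSI MsgType.");
        }
    }

    /**
     * Target side: processes an incoming EstablishContext or MessageInContext and resolves
     * the subject for the request (see {@link #getSubject()}).
     *
     * @param requestMessage the request the context arrived with
     * @param endPoint       connection the request arrived on
     * @return true if the request was rejected and a NO_PERMISSION reply carrying a
     *         ContextError has already been sent (the caller presumably must not dispatch
     *         the request); false if processing should continue
     * @throws MARSHAL for any other message type, or if the error reply cannot be sent
     */
    public boolean handleSASRequest(RequestMessage requestMessage, EndPoint endPoint) {
        if (isDebugEnabled()) {
            log("handle SAS Request ");
        }
        ContextError error;
        switch (this.ctxMsgType) {
            case MT_ESTABLISH_CONTEXT:
                error = handleEstablishContext(endPoint);
                break;
            case MT_MESSAGE_IN_CONTEXT:
                error = handleMessageInContext(endPoint);
                break;
            default:
                throw new MARSHAL("Unsupported Request CSI MsgType.");
        }
        if (error == null) {
            return false;
        }
        if (isDebugEnabled()) {
            IIOPLogger.logDebugSecurity("CSIv2 context error.");
        }
        sendContextErrorReply(error, requestMessage, endPoint);
        return true;
    }

    /**
     * Resolves a MessageInContext against the endpoint's cached stateful contexts.
     *
     * @return a ContextError(no context) if the id is unknown, else null after adopting the
     *         cached subject (and dropping the context when discard_context is set)
     */
    private ContextError handleMessageInContext(EndPoint endPoint) {
        MessageInContext mic = (MessageInContext) this.ctxBody;
        long contextId = mic.getClientContextId();
        SecurityContext cached = endPoint.getSecurityContext(contextId);
        if (cached == null) {
            return new ContextError(contextId, ERR_NO_CONTEXT, ERR_MINOR_STATUS, null);
        }
        this.subject = cached.getSubject();
        if (mic.getDiscardContext()) {
            endPoint.removeSecurityContext(contextId);
        }
        return null;
    }

    /**
     * Sends a GIOP system-exception reply (CORBA::NO_PERMISSION, minor 0, COMPLETED_NO)
     * whose service context list carries {@code error}.
     *
     * @throws MARSHAL (with the RemoteException as cause) if the reply cannot be sent
     */
    private static void sendContextErrorReply(ContextError error, RequestMessage requestMessage, EndPoint endPoint) {
        SASServiceContext errorContext = new SASServiceContext(MT_CONTEXT_ERROR, (ContextBody) error, (AuthenticatedSubject) null);
        ServiceContextList contexts = new ServiceContextList();
        contexts.addServiceContext(errorContext);
        ReplyMessage reply = new ReplyMessage(endPoint, requestMessage, contexts, REPLY_SYSTEM_EXCEPTION);
        IIOPOutputStream out = reply.getOutputStream();
        reply.write(out);
        out.write_string("IDL:omg.org/CORBA/NO_PERMISSION:1.0");
        out.write_long(0);
        out.write_long(CompletionStatus.COMPLETED_NO.value());
        try {
            endPoint.send(out);
        } catch (RemoteException e) {
            // CORBA system exceptions have no cause constructor; keep the cause for diagnostics.
            MARSHAL marshal = new MARSHAL("Sending reply on SAS failure");
            marshal.initCause(e);
            throw marshal;
        }
    }

    /**
     * @return the subject resolved by {@link #handleSASRequest} (target side) or supplied at
     *         construction; null if nothing was established
     */
    public AuthenticatedSubject getSubject() {
        return this.subject;
    }

    /**
     * Client-side view of this EstablishContext message.
     *
     * @throws ClassCastException if the body is not an EstablishContext
     */
    public ClientSecurityContext getClientContext() {
        return new ClientSecurityContext(((EstablishContext) getBody()).getClientContextId(), this);
    }

    /**
     * Builds the CompleteEstablishContext reply for this EstablishContext message. The
     * context is reported as stateful exactly when the client asked for a non-zero id.
     *
     * @throws ClassCastException if the body is not an EstablishContext
     */
    public SASServiceContext getCompleteEstablishContext() {
        if (isDebugEnabled()) {
            log("getCompleteEstablishContexst");
        }
        EstablishContext establish = (EstablishContext) this.ctxBody;
        long contextId = establish.getClientContextId();
        boolean stateful = contextId != 0;
        return new SASServiceContext(MT_COMPLETE_ESTABLISH_CONTEXT, (ContextBody) new CompleteEstablishContext(contextId, stateful, null), this.subject);
    }

    /**
     * Target side: processes an EstablishContext message.
     *
     * <p>Order of evaluation:
     * <ol>
     *   <li>A non-zero id that is already cached on the endpoint is a re-establish; the
     *       presented evidence must match the cached one and the cached subject is reused.</li>
     *   <li>A GSSUP authentication token, if present, is decoded and authenticated.</li>
     *   <li>An identity token, if present, is asserted on behalf of the subject from step 2
     *       (or the current subject when there was no token).</li>
     *   <li>A non-zero id is cached on the endpoint with the resulting subject (anonymous
     *       if none was established).</li>
     * </ol>
     *
     * @return a ContextError to send back, or null on success
     */
    private ContextError handleEstablishContext(final EndPoint endPoint) {
        if (isDebugEnabled()) {
            log("handleEstablishContext");
        }
        EstablishContext establish = (EstablishContext) this.ctxBody;
        long contextId = establish.getClientContextId();
        byte[] authToken = establish.getClientAuthenticationToken();
        IdentityToken identityToken = establish.getIdentityToken();

        if (contextId != 0) {
            SecurityContext cached = endPoint.getSecurityContext(contextId);
            if (cached != null) {
                return resumeStatefulContext(cached, contextId, authToken, identityToken);
            }
        }
        if (authToken != null) {
            ContextError error = authenticateClient(authToken, contextId, endPoint);
            if (error != null) {
                return error;
            }
        }
        if (identityToken != null) {
            ContextError error = assertIdentity(identityToken, contextId, endPoint);
            if (error != null) {
                return error;
            }
        }
        if (contextId != 0) {
            if (this.subject == null) {
                this.subject = SubjectUtils.getAnonymousSubject();
            }
            // The cached EstablishContext keeps the raw GSSUP token (cleartext password) for
            // later comparison; it lives as long as the context is cached on the endpoint.
            endPoint.putSecurityContext(contextId, new SecurityContext(contextId, establish, this.subject));
        }
        return null;
    }

    /**
     * Re-establish of a stateful context the endpoint already knows. The cached subject is
     * reused only if the presented identity token (when present) equals the cached one and
     * the presented authentication token (when present) equals the cached one.
     *
     * @return ContextError(conflicting evidence) on mismatch, else null
     */
    private ContextError resumeStatefulContext(SecurityContext cached, long contextId, byte[] authToken, IdentityToken identityToken) {
        EstablishContext original = cached.getEstablishContext();
        // NOTE(review): relies on IdentityToken overriding equals(); with identity equality every
        // re-establish carrying an identity token would be rejected here — confirm.
        if (identityToken != null && !identityToken.equals(original.getIdentityToken())) {
            if (isDebugEnabled()) {
                IIOPLogger.logDebugSecurity("Invalid CSIv2 context token");
            }
            return new ContextError(contextId, ERR_CONFLICTING_EVIDENCE, ERR_MINOR_STATUS, null);
        }
        // Constant-time compare: the token embeds the password, so an early-exit byte compare
        // would leak how many leading bytes of the cached token a guess shares.
        if (authToken != null && !constantTimeEquals(authToken, original.getClientAuthenticationToken())) {
            if (isDebugEnabled()) {
                IIOPLogger.logDebugSecurity("Invalid CSIv2 auth token");
            }
            return new ContextError(contextId, ERR_CONFLICTING_EVIDENCE, ERR_MINOR_STATUS, null);
        }
        this.subject = cached.getSubject();
        return null;
    }

    /**
     * Decodes a GSSUP token and authenticates the embedded username/password against the
     * default realm. On success {@link #subject} is set and the cleartext credential is
     * attached to it as a private {@link PasswordCredential}.
     *
     * @return ContextError(invalid evidence) on login failure or when an administrator logs
     *         in over a non-admin channel while the local admin channel is enabled;
     *         ContextError(invalid mechanism) if the token cannot be decoded; else null
     */
    private ContextError authenticateClient(byte[] authToken, long contextId, EndPoint endPoint) {
        try {
            GSSUPImpl gssup = new GSSUPImpl(authToken);
            String username = gssup.getUserName();
            if (isDebugEnabled()) {
                log("Handle establish username: " + username);
            }
            PrincipalAuthenticator authenticator = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(kernelId, SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.AUTHENTICATION);
            AuthenticatedSubject authenticated = authenticator.authenticate(new SimpleCallbackHandler(username, gssup.getPassword()), endPoint.getConnection().getContextHandler());
            // The cleartext password is kept on the subject (presumably so it can be forwarded
            // on outbound calls; see getPasswordCredential) for the lifetime of the subject.
            authenticated.getPrivateCredentials(kernelId).add(new PasswordCredential(username, gssup.getPassword()));
            if (ChannelHelper.isLocalAdminChannelEnabled() && SubjectUtils.isUserAnAdministrator(authenticated) && !ChannelHelper.isAdminChannel(endPoint.getServerChannel())) {
                // Fail closed: the rejected administrator subject is never published via getSubject().
                return new ContextError(contextId, ERR_INVALID_EVIDENCE, ERR_MINOR_STATUS, null);
            }
            this.subject = authenticated;
            if (isDebugEnabled()) {
                log("Created subject for username: " + username + " subject: " + this.subject);
            }
            return null;
        } catch (LoginException e) {
            if (isDebugEnabled()) {
                IIOPLogger.logDebugSecurity("CSIv2 login error: " + e.getMessage());
            }
            return new ContextError(contextId, ERR_INVALID_EVIDENCE, ERR_MINOR_STATUS, null);
        } catch (GSSUPDecodeException e) {
            if (isDebugEnabled()) {
                IIOPLogger.logDebugSecurity("Error decoding CSIv2 GSS token: " + e.getMessage());
            }
            return new ContextError(contextId, ERR_INVALID_MECHANISM, ERR_MINOR_STATUS, null);
        }
    }

    /**
     * Performs the identity assertion carried by {@code identityToken}, running as the
     * subject returned by {@link #getAssertAsSubject()} (the authenticating subject, or the
     * current subject when there was no authentication token).
     *
     * <p>Failure handling differs by type: a failed ITTAnonymous assertion is not an error,
     * it just clears the subject; a failed principal-name / certificate-chain / DN assertion
     * is reported as ContextError(invalid mechanism); an unsupported token type is
     * ContextError(invalid evidence).
     *
     * @return a ContextError to send back, or null on success
     */
    private ContextError assertIdentity(final IdentityToken identityToken, long contextId, final EndPoint endPoint) {
        final PrincipalAuthenticator authenticator = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(kernelId, SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.AUTHENTICATION);
        AuthenticatedSubject assertAs = getAssertAsSubject();
        switch (identityToken.getIdentityType()) {
            case ITT_ABSENT:
                return null;

            case ITT_ANONYMOUS:
                try {
                    this.subject = (AuthenticatedSubject) SecurityServiceManager.runAs(kernelId, assertAs, new PrivilegedExceptionAction() {
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws LoginException {
                            return authenticator.assertIdentity("CSI.ITTAnonymous", Boolean.valueOf(identityToken.getAnonymous()), endPoint.getConnection().getContextHandler());
                        }
                    });
                } catch (PrivilegedActionException e) {
                    // Deliberately not an error: the caller falls back to the connection subject.
                    if (isDebugEnabled()) {
                        log("failed identity assertion - use connection subject " + e.getException());
                    }
                    this.subject = null;
                }
                return null;

            case ITT_PRINCIPAL_NAME: {
                String principalName = GSSUtil.extractGSSUPGSSNTExportedName(identityToken.getPrincipalName());
                if (principalName == null) {
                    if (isDebugEnabled()) {
                        IIOPLogger.logDebugSecurity("Unsupported CSIv2 mechanism");
                    }
                    return new ContextError(contextId, ERR_INVALID_MECHANISM, ERR_MINOR_STATUS, null);
                }
                int at = principalName.indexOf('@');
                if (at >= 0) {
                    // Clients may scope the name as "user@target" (see the client-side constructor);
                    // only the user part is asserted. NOTE(review): the suffix is discarded and the
                    // assertion always goes to the default realm — the original code re-resolved
                    // the same default-realm authenticator here, which was a no-op.
                    principalName = principalName.substring(0, at);
                }
                if (isDebugEnabled()) {
                    log("Assert identity: " + principalName);
                }
                final String assertedName = principalName;
                try {
                    this.subject = (AuthenticatedSubject) SecurityServiceManager.runAs(kernelId, assertAs, new PrivilegedExceptionAction() {
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws LoginException {
                            return authenticator.assertIdentity("CSI.PrincipalName", assertedName, endPoint.getConnection().getContextHandler());
                        }
                    });
                } catch (PrivilegedActionException e) {
                    if (isDebugEnabled()) {
                        log("failed identity assertion prin " + e.getException());
                    }
                    return new ContextError(contextId, ERR_INVALID_MECHANISM, ERR_MINOR_STATUS, null);
                }
                return null;
            }

            case ITT_X509_CERT_CHAIN: {
                final X509Certificate[] chain = GSSUtil.getX509CertChain(identityToken.getCertChain());
                if (chain == null) {
                    if (isDebugEnabled()) {
                        IIOPLogger.logDebugSecurity("CSIv2 certification chain not found");
                    }
                    return new ContextError(contextId, ERR_INVALID_EVIDENCE, ERR_MINOR_STATUS, null);
                }
                if (isDebugEnabled()) {
                    log("Assert identity chain: " + Arrays.toString(chain));
                }
                try {
                    this.subject = (AuthenticatedSubject) SecurityServiceManager.runAs(kernelId, assertAs, new PrivilegedExceptionAction() {
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws LoginException {
                            return authenticator.assertIdentity("CSI.X509CertChain", chain, endPoint.getConnection().getContextHandler());
                        }
                    });
                } catch (PrivilegedActionException e) {
                    if (isDebugEnabled()) {
                        log("failed identity assertion cert chain " + e.getException());
                    }
                    return new ContextError(contextId, ERR_INVALID_MECHANISM, ERR_MINOR_STATUS, null);
                }
                return null;
            }

            case ITT_DISTINGUISHED_NAME: {
                final byte[] distinguishedName = identityToken.getDistinguishedName();
                if (distinguishedName == null) {
                    if (isDebugEnabled()) {
                        IIOPLogger.logDebugSecurity("CSIv2 distinguished name not found");
                    }
                    return new ContextError(contextId, ERR_INVALID_MECHANISM, ERR_MINOR_STATUS, null);
                }
                if (isDebugEnabled()) {
                    log("Assert identity distinguished: " + distinguishedName.length + " encoded bytes");
                }
                try {
                    this.subject = (AuthenticatedSubject) SecurityServiceManager.runAs(kernelId, assertAs, new PrivilegedExceptionAction() {
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws LoginException {
                            return authenticator.assertIdentity("CSI.DistinguishedName", distinguishedName, endPoint.getConnection().getContextHandler());
                        }
                    });
                } catch (PrivilegedActionException e) {
                    if (isDebugEnabled()) {
                        log("failed identity assertion dist name " + e.getException());
                    }
                    return new ContextError(contextId, ERR_INVALID_MECHANISM, ERR_MINOR_STATUS, null);
                }
                return null;
            }

            default:
                if (isDebugEnabled()) {
                    IIOPLogger.logDebugSecurity("Unsupported CSIv2 mechanism");
                }
                return new ContextError(contextId, ERR_INVALID_EVIDENCE, ERR_MINOR_STATUS, null);
        }
    }

    /**
     * Client side: finds the password credential to put into a GSSUP token for {@code subject}.
     *
     * <p>Returns null for a null or anonymous subject. Otherwise the subject's own first
     * {@link PasswordCredential} is the default. On a server, for a subject without any
     * {@link UserInfo} principal, the credential mapper is consulted for a password mapped to
     * the remote endpoint's protocol/address/port, and a mapped credential wins over the
     * default.
     */
    private static PasswordCredential getPasswordCredential(AuthenticatedSubject subject, EndPoint endPoint) {
        if (subject == null || SubjectUtils.isUserAnonymous(subject)) {
            return null;
        }
        Iterator ownCredentials = subject.getPrivateCredentials(kernelId, PasswordCredential.class).iterator();
        PasswordCredential ownCredential = ownCredentials.hasNext() ? (PasswordCredential) ownCredentials.next() : null;
        if (!Kernel.isServer() || !subject.getPrincipals(UserInfo.class).isEmpty()) {
            return ownCredential;
        }
        CredentialManager credentialManager = (CredentialManager) SecurityServiceManager.getSecurityService(kernelId, SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.CREDENTIALMANAGER);
        if (credentialManager == null) {
            return ownCredential;
        }
        RemoteResource target = new RemoteResource(
                endPoint.getConnection().getRemoteChannel().getProtocolPrefix(),
                endPoint.getConnection().getRemoteChannel().getPublicAddress(),
                Integer.toString(endPoint.getConnection().getRemoteChannel().getPublicPort()),
                null, null);
        Object[] mapped = credentialManager.getCredentials(kernelId, subject, target, endPoint.getConnection().getContextHandler(), CredentialMapperV2.PASSWORD_TYPE);
        if (mapped != null) {
            for (Object candidate : mapped) {
                if (candidate instanceof PasswordCredential) {
                    PasswordCredential mappedCredential = (PasswordCredential) candidate;
                    if (isDebugEnabled()) {
                        // Log the mapped username only; never the credential object itself.
                        log("Mapped subject: " + subject + " to " + mappedCredential.getUsername());
                    }
                    return mappedCredential;
                }
            }
        }
        if (isDebugEnabled()) {
            log("No credential mapping for: " + subject + ",  will use defaults: " + (ownCredential != null ? ownCredential.getUsername() : null));
        }
        return ownCredential;
    }

    /**
     * Length-and-content comparison of two secret byte strings without an early exit on the
     * first differing byte. Null-safe: two nulls are equal, one null is not.
     */
    private static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == b) {
            return true;
        }
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a, b);
    }

    /** True if either IIOP security debug switch is on. */
    private static boolean isDebugEnabled() {
        return debugIIOPSecurity.isDebugEnabled() || debugSecurity.isEnabled();
    }

    @Override // weblogic.iiop.ServiceContext
    public String toString() {
        return "SASServiceContext Context (msgType = " + ((int) this.ctxMsgType) + ", body = " + this.ctxBody + ", subject = " + this.subject + ")";
    }

    private static void log(String message) {
        IIOPLogger.logDebugSecurity("<SASServiceContext>: " + message);
    }

    /**
     * Subject on whose behalf an identity assertion is run: the subject authenticated by the
     * GSSUP token if there was one, the current subject otherwise. The kernel identity is
     * never allowed to vouch for an asserted identity; it is downgraded to anonymous.
     */
    private AuthenticatedSubject getAssertAsSubject() {
        if (this.subject == null) {
            return SecurityServiceManager.getCurrentSubject(kernelId);
        }
        return this.subject.equals(kernelId) ? SubjectUtils.getAnonymousSubject() : this.subject;
    }
}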
