package org.apache.yoko.orb.csi;

import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500Principal;
import org.apache.yoko.orb.OB.GIOPConnection;
import org.apache.yoko.orb.csi.CSIInterceptorBase;
import org.apache.yoko.orb.csi.gssup.GSSUPPolicy;
import org.apache.yoko.orb.csi.gssup.SecGSSUPPolicy;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.INV_POLICY;
import org.omg.CORBA.MARSHAL;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.OctetSeqHelper;
import org.omg.CORBA.UserException;
import org.omg.CSI.CompleteEstablishContext;
import org.omg.CSI.ContextError;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.SASContextBody;
import org.omg.GSSUP.InitialContextToken;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ForwardRequest;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.PortableInterceptor.ServerRequestInterceptor;
import org.omg.Security.DelegationDirective;
import org.omg.Security.RequiresSupports;
import org.omg.SecurityLevel2.DelegationDirectivePolicy;

/* loaded from: input_file:org/apache/yoko/orb/csi/CSIServerRequestInterceptor.class */
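/**
 * Server-side portable interceptor that processes the CSIv2 Security Attribute Service (SAS)
 * context carried on incoming requests.
 *
 * <p>For non-local calls it reads the target's GSSUP and delegation-directive policies, extracts
 * the SAS service context, and, for an EstablishContext message, authenticates the caller
 * (GSSUP username/password) or accepts an asserted identity (principal name, anonymous,
 * distinguished name). The resulting {@link Subject} is handed to {@code SecurityContext} and a
 * CompleteEstablishContext or ContextError reply context is attached.
 *
 * <p>Only stateless contexts are handled: a non-zero {@code client_context_id} and
 * MessageInContext messages are rejected with {@link NO_PERMISSION}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Credentials decoded from the GSSUP token must never reach the log; only the name and
 *       realm are logged.</li>
 *   <li>Every failure while authenticating must end in an exception, otherwise the request
 *       continues down the interceptor chain without an authenticated subject.</li>
 * </ul>
 */
public class CSIServerRequestInterceptor extends CSIInterceptorBase implements ServerRequestInterceptor {
    private static final Logger log = Logger.getLogger(CSIServerRequestInterceptor.class.getName());

    /**
     * Creates the interceptor.
     *
     * <p>The decompiler reports that this constructor was package-private in the compiled class
     * and was widened to {@code public} in this listing.
     *
     * @param codec codec passed to {@link CSIInterceptorBase}; read back as {@code this.codec}
     *              when identity-token payloads are decoded
     */
    public CSIServerRequestInterceptor(Codec codec) {
        super(codec);
    }

    /**
     * Inspects the SAS service context of an incoming request and establishes the caller's
     * security context.
     *
     * @param serverRequestInfo the request being dispatched
     * @throws NO_PERMISSION if GSSUP authentication is required but no usable EstablishContext
     *                       message is present, if the message type is one a server must not
     *                       receive, or if a stateful (MessageInContext) message arrives
     * @throws ForwardRequest declared by the interceptor contract; not thrown by the code here
     */
    public void receive_request_service_contexts(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        log.fine("receive_request_service_contexts " + serverRequestInfo.operation());
        if (CSIInterceptorBase.CallStatus.peekIsLocal()) {
            // Local calls skip SAS processing entirely.
            log.fine("local call");
            return;
        }

        boolean supportsGssup = false;
        boolean requiresGssup = false;
        String gssupDomain = null;
        try {
            GSSUPPolicy gssupPolicy = (GSSUPPolicy) serverRequestInfo.get_server_policy(SecGSSUPPolicy.value);
            if (gssupPolicy == null) {
                log.fine("null GSSUPPolicy");
            } else {
                supportsGssup = true;
                requiresGssup = gssupPolicy.mode() == RequiresSupports.SecRequires;
                gssupDomain = gssupPolicy.domain();
            }
        } catch (INV_POLICY e) {
            log.log(Level.FINE, "no GSSUPPolicy", e);
        }

        boolean supportsDelegation = false;
        try {
            // 38 is the policy type used here for the delegation-directive policy. The cast is
            // required because get_server_policy returns the generic CORBA Policy type.
            DelegationDirectivePolicy delegationPolicy =
                    (DelegationDirectivePolicy) serverRequestInfo.get_server_policy(38);
            supportsDelegation = delegationPolicy != null
                    && delegationPolicy.delegation_directive() == DelegationDirective.Delegate;
        } catch (INV_POLICY e) {
            // An absent policy simply means identity assertion is not enabled for this target.
            log.log(Level.FINE, "no DelegationDirectivePolicy", e);
        }

        if (log.isLoggable(Level.FINE)) {
            log.fine("support gssup authorization: " + supportsGssup);
            log.fine("require gssup authorization: " + requiresGssup);
            log.fine("support gssup identity: " + supportsDelegation);
        }

        ServiceContext serviceContext;
        try {
            // 15 is the service-context id this interceptor reads the SAS message from.
            serviceContext = serverRequestInfo.get_request_service_context(15);
        } catch (BAD_PARAM e) {
            // BAD_PARAM is how the ORB reports "no such service context on this request".
            serviceContext = null;
        }
        log.fine("Received request service context: " + serviceContext);

        if (serviceContext == null) {
            if (requiresGssup) {
                throw new NO_PERMISSION("GSSUP authorization required (missing SAS EstablishContext message)");
            }
            return;
        }

        SASContextBody sasBody = decodeSASContextBody(serviceContext);
        int messageType = sasBody.discriminator();
        log.fine("received request of type " + messageType);
        switch (messageType) {
            case 0: // MTEstablishContext
                log.fine("MTEstablishContext");
                acceptContext(serverRequestInfo, sasBody.establish_msg(),
                        supportsGssup, requiresGssup, supportsDelegation, gssupDomain);
                return;
            case 1: // MTCompleteEstablishContext: a reply message, never valid on a request
            case 4: // MTContextError: a reply message, never valid on a request
                log.severe("Unexpected message of type " + messageType);
                throw new NO_PERMISSION("unexpected SAS message");
            case 5: // MTMessageInContext (the decompiler mislabelled this constant as GIOPConnection.State.Closed)
                log.fine("MTMessageInContext");
                throw new NO_PERMISSION("Stateful SAS not supported");
            default:
                // Unknown message types carry no credentials. They used to be ignored
                // unconditionally, which let a request bypass a "requires" policy merely by
                // sending a SAS context with an unrecognised discriminator.
                if (requiresGssup) {
                    log.severe("Unexpected message of type " + messageType);
                    throw new NO_PERMISSION("GSSUP authorization required");
                }
                return;
        }
    }

    /** No-op: all request-side work happens in {@link #receive_request_service_contexts}. */
    public void receive_request(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
    }

    /**
     * Reply hook. The visible code only queries the local-call status and does nothing with the
     * answer; reply service contexts are attached earlier, while the request is accepted.
     */
    public void send_reply(ServerRequestInfo serverRequestInfo) {
        if (CSIInterceptorBase.CallStatus.peekIsLocal()) {
            // Intentionally empty; kept so the call to peekIsLocal() is preserved.
        }
    }

    /** Delegates to {@link #send_reply}. */
    public void send_exception(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        send_reply(serverRequestInfo);
    }

    /** Delegates to {@link #send_reply}. */
    public void send_other(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        send_reply(serverRequestInfo);
    }

    /** @return the fixed interceptor name, {@code "CSI Server Interceptor"} */
    public String name() {
        return "CSI Server Interceptor";
    }

    /**
     * Processes a SAS EstablishContext message and installs the resulting subject.
     *
     * <p>Paths, in order:
     * <ol>
     *   <li>GSSUP username/password login, when GSSUP is supported, the identity token is absent
     *       (discriminator 0) and a client authentication token is present.</li>
     *   <li>Rejection, when GSSUP is required and path 1 was not taken.</li>
     *   <li>Principal-name identity assertion (discriminator 2), when delegation is supported.</li>
     *   <li>Anonymous identity (discriminator 1).</li>
     *   <li>Distinguished-name identity assertion (discriminator 8).</li>
     * </ol>
     *
     * <p>NOTE(review): paths 3 to 5 install an identity without checking any client credentials
     * in the code visible here, and paths 4 and 5 are not gated on the delegation policy. When
     * GSSUP is merely supported (not required), trust in the asserting peer therefore has to come
     * from elsewhere, for example a mutually authenticated transport. Confirm that deployment
     * assumption.
     *
     * @param serverRequestInfo request the reply service context is attached to
     * @param establishContext  decoded EstablishContext message
     * @param z                 whether the target supports GSSUP authentication
     * @param z2                whether the target requires GSSUP authentication
     * @param z3                whether the target's delegation directive permits identity assertion
     * @param str               domain configured on the GSSUP policy, or {@code null}
     * @throws NO_PERMISSION on stateful contexts, wrong domain, failed login, missing required
     *                       credentials, or an unsupported identity token
     * @throws MARSHAL       if an identity token payload cannot be decoded
     */
    void acceptContext(ServerRequestInfo serverRequestInfo, EstablishContext establishContext, boolean z, boolean z2, boolean z3, String str) {
        final boolean supportsGssup = z;
        final boolean requiresGssup = z2;
        final boolean supportsDelegation = z3;
        final String expectedDomain = str;

        if (establishContext.client_context_id != 0) {
            log.severe("Stateful security contexts not supported");
            throw new NO_PERMISSION("Stateful security contexts not supported");
        }
        log.fine("accepting context...");

        int identityTokenType = establishContext.identity_token.discriminator();

        if (supportsGssup && identityTokenType == 0 && establishContext.client_authentication_token.length > 0) {
            InitialContextToken gssupToken = decodeGSSUPToken(establishContext.client_authentication_token);
            String scopedName = utf8decode(gssupToken.username);

            // The GSSUP user name is "name@realm"; the realm starts at the LAST '@'.
            String name;
            String realm;
            int at = scopedName.lastIndexOf('@');
            if (at == -1) {
                name = scopedName;
                realm = "default";
            } else {
                name = scopedName.substring(0, at);
                realm = scopedName.substring(at + 1);
            }

            // Note: with a null configured domain this comparison always fails, unlike the
            // principal-name path below, which treats null as "any domain".
            if (!realm.equals(expectedDomain)) {
                returnContextError(serverRequestInfo, 1, 1);
                throw new NO_PERMISSION("bad domain: \"" + realm + "\"");
            }

            String password = utf8decode(gssupToken.password);
            // Never log the password: log files are readable by a wider audience than the
            // credential store and are routinely shipped to central collectors.
            log.fine("GSSUP initial context token name=" + name + "; realm=" + realm);
            try {
                SecurityContext.setAuthenticatedSubject(SecurityContext.login(name, realm, password));
                log.fine("Login succeeded");
                returnCompleteEstablishContext(serverRequestInfo);
                return;
            } catch (LoginException e) {
                log.log(Level.SEVERE, "Login failed", e);
                returnContextError(serverRequestInfo, 1, 1);
                throw new NO_PERMISSION("login failed");
            } catch (Exception e) {
                // Fail closed. Previously this branch only logged and returned, so any
                // unexpected error during login let the request proceed as if it had been
                // accepted. If building the error reply fails too, that exception propagates
                // and the request is still rejected.
                log.log(Level.SEVERE, "Exception occured: ", e);
                returnContextError(serverRequestInfo, 1, 1);
                NO_PERMISSION denied = new NO_PERMISSION("login failed");
                denied.initCause(e);
                throw denied;
            }
        }

        if (requiresGssup) {
            returnContextError(serverRequestInfo, 1, 1);
            throw new NO_PERMISSION("GSSUP authorization required");
        }

        if (supportsDelegation && identityTokenType == 2) {
            log.fine("accepting ITTPrincipalName");
            try {
                byte[] encodedName = OctetSeqHelper.extract(
                        this.codec.decode_value(establishContext.identity_token.principal_name(), OctetSeqHelper.type()));
                String principalName = decodeGSSExportedName(encodedName);
                log.fine("establish ITTPrincipalName " + principalName);

                // Here the realm starts at the FIRST '@' (the GSSUP path above uses the last).
                String name;
                String realm;
                int at = principalName.indexOf('@');
                if (at == -1) {
                    name = principalName;
                    realm = "default";
                } else {
                    name = principalName.substring(0, at);
                    realm = principalName.substring(at + 1);
                }

                if (expectedDomain != null && !realm.equals(expectedDomain)) {
                    returnContextError(serverRequestInfo, 1, 1);
                    log.warning("request designates wrong domain: " + principalName);
                    throw new NO_PERMISSION("bad domain");
                }
                SecurityContext.setAuthenticatedSubject(SecurityContext.delegate(name, realm));
                returnCompleteEstablishContext(serverRequestInfo);
                return;
            } catch (UserException e) {
                MARSHAL marshal = new MARSHAL("cannot decode security descriptor", 0, CompletionStatus.COMPLETED_NO);
                marshal.initCause(e);
                throw marshal;
            }
        }

        if (identityTokenType == 1) {
            log.fine("accepting ITTAnonymous");
            try {
                SecurityContext.setAuthenticatedSubject(SecurityContext.anonymousLogin());
            } catch (LoginException e) {
                // NOTE(review): the success reply below is still sent when the anonymous login
                // fails, so no subject is installed by this call. Confirm this is intended.
                log.log(Level.WARNING, "Anonymous login failed", e);
            }
            returnCompleteEstablishContext(serverRequestInfo);
            return;
        }

        if (identityTokenType != 8) {
            returnContextError(serverRequestInfo, 2, 1);
            throw new NO_PERMISSION("Unsupported IdentityToken");
        }

        log.fine("accepting ITTDistinguishedName");
        byte[] encodedDn;
        try {
            encodedDn = OctetSeqHelper.extract(
                    this.codec.decode_value(establishContext.identity_token.dn(), OctetSeqHelper.type()));
        } catch (UserException e) {
            // The payload is being decoded here; the previous message said "encode".
            MARSHAL marshal = new MARSHAL("cannot decode security descriptor", 0, CompletionStatus.COMPLETED_NO);
            marshal.initCause(e);
            throw marshal;
        }
        try {
            Subject subject = new Subject();
            subject.getPrincipals().add(new X500Principal(encodedDn));
            SecurityContext.setAuthenticatedSubject(subject);
            returnCompleteEstablishContext(serverRequestInfo);
        } catch (IllegalArgumentException e) {
            // X500Principal rejects byte sequences that are not a valid encoded name.
            log.log(Level.FINE, "cannot decode X500 name", e);
            returnContextError(serverRequestInfo, 1, 1);
            throw new NO_PERMISSION("cannot decode X500 name");
        }
    }

    /**
     * Attaches a stateless CompleteEstablishContext reply (context id 0, not stateful, empty final
     * token) to the request, replacing any SAS reply context already present.
     *
     * @param serverRequestInfo request whose reply receives the service context
     */
    void returnCompleteEstablishContext(ServerRequestInfo serverRequestInfo) {
        CompleteEstablishContext complete = new CompleteEstablishContext();
        complete.client_context_id = 0L;
        complete.context_stateful = false;
        complete.final_context_token = EMPTY_BARR;

        SASContextBody body = new SASContextBody();
        body.complete_msg(complete);
        addReplyContext(serverRequestInfo, body);
    }

    /**
     * Attaches a ContextError reply with the given status pair and an empty error token,
     * replacing any SAS reply context already present.
     *
     * @param serverRequestInfo request whose reply receives the service context
     * @param i                 major status; callers in this class pass 1 or 2
     * @param i2                minor status; callers in this class pass 1
     */
    void returnContextError(ServerRequestInfo serverRequestInfo, int i, int i2) {
        ContextError error = new ContextError();
        error.client_context_id = 0L;
        error.major_status = i;
        error.minor_status = i2;
        error.error_token = EMPTY_BARR;

        SASContextBody body = new SASContextBody();
        body.error_msg(error);
        addReplyContext(serverRequestInfo, body);
    }

    /** Encodes {@code body} and adds it to the reply with {@code replace = true}. */
    private void addReplyContext(ServerRequestInfo serverRequestInfo, SASContextBody body) {
        log.fine("Adding SASContextBody, discriminator = " + ((int) body.discriminator()));
        serverRequestInfo.add_reply_service_context(encodeSASContextBody(body), true);
    }

    /** No resources to release. */
    public void destroy() {
    }
}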
