package com.apusic.security;

import com.apusic.client.ClientContainer;
import com.apusic.corba.RequestInfoHook;
import com.apusic.invocation.Invocation;
import com.apusic.invocation.InvocationContext;
import com.apusic.logging.Logger;
import com.apusic.security.auth.login.PasswordCredential;
import com.apusic.security.util.DerOutputStream;
import com.apusic.security.util.DerValue;
import java.io.IOException;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.portable.ObjectImpl;
import org.omg.CSI.AuthorizationElement;
import org.omg.CSI.CompleteEstablishContext;
import org.omg.CSI.ContextError;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.GSS_NT_ExportedNameHelper;
import org.omg.CSI.IdentityToken;
import org.omg.CSI.SASContextBody;
import org.omg.CSI.SASContextBodyHelper;
import org.omg.CSI.X501DistinguishedNameHelper;
import org.omg.CSI.X509CertificateChainHelper;
import org.omg.CSIIOP.AS_ContextSec;
import org.omg.CSIIOP.CompoundSecMech;
import org.omg.CSIIOP.CompoundSecMechListHelper;
import org.omg.CSIIOP.SAS_ContextSec;
import org.omg.GSSUP.InitialContextToken;
import org.omg.GSSUP.InitialContextTokenHelper;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ClientRequestInterceptor;
import org.omg.PortableInterceptor.ForwardRequest;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.PortableInterceptor.ServerRequestInterceptor;

/* loaded from: input_file:com/apusic/security/RequestInterceptor.class */
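/**
 * Portable interceptor that carries the caller's security identity across IIOP requests.
 *
 * <p>On the client side ({@link #send_request}) it attaches up to two request service contexts:
 * the proprietary {@link #SECURITY_SERVICE_CONTEXT} holding the caller's {@link AccessToken},
 * and the CSIv2 {@link #SECURITY_ATTRIBUTE_SERVICE_CONTEXT} holding an {@code EstablishContext}
 * message with a GSSUP username/password token and/or an asserted identity. On the server side
 * ({@link #receive_request_service_contexts}) it decodes those contexts, authenticates the GSSUP
 * token, impersonates the resulting identity for the duration of the request, and reverts it on
 * every reply path ({@link #send_reply}, {@link #send_exception}, {@link #send_other}).
 */
public class RequestInterceptor extends LocalObject implements ClientRequestInterceptor, ServerRequestInterceptor {
    /** Id of the standard CSIv2 SecurityAttributeService context that carries SAS messages. */
    static final int SECURITY_ATTRIBUTE_SERVICE_CONTEXT = 15;
    /** Id of the proprietary service context that carries an encoded {@link AccessToken}. */
    static final int SECURITY_SERVICE_CONTEXT = 99;
    /** ContextError major status: the GSSUP credential was rejected by authentication. */
    static final int INVALID_EVIDENCE = 1;
    /** ContextError major status: no GSSUP password credential could be taken from the token. */
    static final int INVALID_MECHANISM = 2;
    /** ContextError major status value; not raised by this interceptor. */
    static final int CONFLICT_EVIDENCE = 3;
    /** ContextError major status value; not raised by this interceptor. */
    static final int NO_CONTEXT = 4;

    /** Minor status sent with every ContextError reply. */
    private static final int CONTEXT_ERROR_MINOR_STATUS = 1;
    /** Tagged component id of the CSIv2 mechanism list ({@code org.omg.CSIIOP.TAG_CSI_SEC_MECH_LIST}). */
    private static final int TAG_CSI_SEC_MECH_LIST = 33;
    /** AssociationOptions bit {@code EstablishTrustInClient}. */
    private static final int ESTABLISH_TRUST_IN_CLIENT = 64;
    /** AssociationOptions bit {@code IdentityAssertion}. */
    private static final int IDENTITY_ASSERTION = 1024;
    /** IdentityTokenType bit {@code ITTAnonymous}. */
    private static final int ITT_ANONYMOUS = 1;
    /** IdentityTokenType bit {@code ITTPrincipalName}; also the IdentityToken union discriminator. */
    private static final int ITT_PRINCIPAL_NAME = 2;
    /** IdentityTokenType bit {@code ITTX509CertChain}. */
    private static final int ITT_X509_CERT_CHAIN = 4;
    /** IdentityTokenType bit {@code ITTDistinguishedName}. */
    private static final int ITT_DISTINGUISHED_NAME = 8;
    /** SASContextBody discriminator of an EstablishContext message ({@code MTEstablishContext}). */
    private static final int MT_ESTABLISH_CONTEXT = 0;
    /** Charset used for every GSSUP name and password on the wire. */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private final SecurityController controller;
    private final Codec codec;
    private final Logger log = Logger.getLogger("security.RequestInterceptor");
    private final RequestInfoHook rihook = RequestInfoHook.getInstance();

    /**
     * Creates the interceptor.
     *
     * @param securityController controller used to read the caller's token/credential and to impersonate
     * @param codec              CDR codec used to encode and decode every service context payload
     */
    public RequestInterceptor(SecurityController securityController, Codec codec) {
        this.controller = securityController;
        this.codec = codec;
    }

    /** {@inheritDoc} The interceptor is named after its class. */
    @Override
    public String name() {
        return getClass().getName();
    }

    /** {@inheritDoc} Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Client side: attaches the access-token context and, for remote targets, a SAS EstablishContext.
     *
     * @param clientRequestInfo the outgoing request
     */
    @Override
    public void send_request(ClientRequestInfo clientRequestInfo) {
        sendSecurityContext(clientRequestInfo);
        sendSASContext(clientRequestInfo);
    }

    /** {@inheritDoc} No-op. */
    @Override
    public void send_poll(ClientRequestInfo clientRequestInfo) {
    }

    /** {@inheritDoc} No-op; the reply's SAS context is not inspected. */
    @Override
    public void receive_reply(ClientRequestInfo clientRequestInfo) {
    }

    /** {@inheritDoc} No-op. */
    @Override
    public void receive_exception(ClientRequestInfo clientRequestInfo) {
    }

    /** {@inheritDoc} No-op. */
    @Override
    public void receive_other(ClientRequestInfo clientRequestInfo) {
    }

    /**
     * Adds the proprietary {@link #SECURITY_SERVICE_CONTEXT} holding the caller's {@link AccessToken}.
     * A colocated target gets an empty payload, which the server side treats as "reuse the
     * in-process SecurityContext". Nothing is sent when the caller has no token.
     */
    private void sendSecurityContext(ClientRequestInfo clientRequestInfo) {
        AccessToken accessToken = (AccessToken) this.controller.getAccessToken();
        if (accessToken == null) {
            return;
        }
        ObjectImpl target = clientRequestInfo.effective_target();
        ServiceContext context = new ServiceContext();
        context.context_id = SECURITY_SERVICE_CONTEXT;
        context.context_data = target._is_local() ? new byte[0] : accessToken.getEncoded();
        clientRequestInfo.add_request_service_context(context, true);
    }

    /**
     * Adds the CSIv2 EstablishContext message for a remote target, choosing between a GSSUP
     * password token and an identity assertion:
     * <ul>
     *   <li>Inside the server (not an application client): a password token if the target
     *       <em>requires</em> client authentication, otherwise an identity assertion, otherwise a
     *       password token if the target merely <em>supports</em> it and TLS client auth occurred.</li>
     *   <li>Application client: nothing when TLS client auth already occurred, otherwise a
     *       password token if the target supports it.</li>
     * </ul>
     * Colocated calls send no SAS message; the calling thread id is recorded instead.
     *
     * @throws INTERNAL if the SAS message cannot be encoded or attached
     */
    private void sendSASContext(ClientRequestInfo clientRequestInfo) {
        if (clientRequestInfo.effective_target()._is_local()) {
            // Colocated call: let receiveSASContext recognise this thread and reuse the current context.
            SecurityContext.setClientThreadID(Long.valueOf(Thread.currentThread().getId()));
            return;
        }
        CompoundSecMech[] mechanisms = getSecurityMechanisms(clientRequestInfo);
        if (mechanisms == null || mechanisms.length == 0) {
            return; // target advertises no CSIv2 mechanism
        }
        boolean tlsClientAuthOccurred = isClientAuthOccurred(clientRequestInfo);
        byte[] authToken;
        IdentityToken identityToken = null;
        if (isAppClient()) {
            if (tlsClientAuthOccurred) {
                return; // the TLS client certificate already authenticates the application client
            }
            authToken = createClientAuthenticationToken(mechanisms, false);
        } else {
            authToken = createClientAuthenticationToken(mechanisms, true);
            if (authToken == null) {
                identityToken = createIdentityToken(mechanisms);
            }
            if (authToken == null && identityToken == null && tlsClientAuthOccurred) {
                authToken = createClientAuthenticationToken(mechanisms, false);
            }
        }
        if (authToken == null && identityToken == null) {
            return; // nothing to establish
        }
        if (authToken == null) {
            authToken = new byte[0];
        }
        if (identityToken == null) {
            identityToken = new IdentityToken();
            identityToken.absent(true);
        }
        EstablishContext establish =
                new EstablishContext(0L, new AuthorizationElement[0], identityToken, authToken);
        SASContextBody body = new SASContextBody();
        body.establish_msg(establish);
        try {
            clientRequestInfo.add_request_service_context(createServiceContext(body), false);
        } catch (Exception e) {
            throw internalError(e);
        }
    }

    /**
     * Reads the target's CSIv2 mechanism list from its TAG_CSI_SEC_MECH_LIST component.
     *
     * @return the advertised mechanisms, or {@code null} when the component is absent or undecodable
     */
    private CompoundSecMech[] getSecurityMechanisms(ClientRequestInfo clientRequestInfo) {
        try {
            byte[] componentData = clientRequestInfo.get_effective_component(TAG_CSI_SEC_MECH_LIST).component_data;
            Any decoded = this.codec.decode_value(componentData, CompoundSecMechListHelper.type());
            return CompoundSecMechListHelper.extract(decoded).mechanism_list;
        } catch (Exception e) {
            return null; // no mechanism list: caller treats the target as having no CSIv2 policy
        }
    }

    /** @return whether the request travels over TLS and this side presented a client certificate. */
    private boolean isClientAuthOccurred(ClientRequestInfo clientRequestInfo) {
        Socket socket = this.rihook.getSocket(clientRequestInfo);
        if (!(socket instanceof SSLSocket)) {
            return false;
        }
        return ((SSLSocket) socket).getSession().getLocalCertificates() != null;
    }

    /** @return {@code true} when running outside any invocation or inside the application client container. */
    private boolean isAppClient() {
        Invocation current = InvocationContext.currentInvocation();
        return current == null || current instanceof ClientContainer;
    }

    /**
     * Builds a GSSUP client authentication token from the caller's {@link PasswordCredential}.
     *
     * @param mechanisms   the target's mechanisms, scanned in order
     * @param requiredOnly when {@code true} only mechanisms whose {@code target_requires} has
     *                     EstablishTrustInClient qualify; otherwise {@code target_supports} is consulted
     * @return the GSS-framed token, or {@code null} when no mechanism qualifies, the caller has no
     *         password credential, or encoding fails
     */
    private byte[] createClientAuthenticationToken(CompoundSecMech[] mechanisms, boolean requiredOnly) {
        for (CompoundSecMech mechanism : mechanisms) {
            AS_ContextSec asContext = mechanism.as_context_mech;
            int options = requiredOnly ? asContext.target_requires : asContext.target_supports;
            if ((options & ESTABLISH_TRUST_IN_CLIENT) == 0) {
                continue;
            }
            if (!GSSUtil.getOID(asContext.client_authentication_mech).equals(GSSUtil.GSSUP_MECH_OID)) {
                continue;
            }
            Object credential = Security.getSubjectCredential(PasswordCredential.class);
            if (credential == null) {
                credential = this.controller.getCredential();
                if (!(credential instanceof PasswordCredential)) {
                    return null;
                }
            }
            try {
                PasswordCredential password = (PasswordCredential) credential;
                // Encode the password straight from char[]; avoid an immutable String copy of the secret.
                InitialContextToken token = new InitialContextToken(
                        password.getUserName().getBytes(UTF8),
                        toUtf8Bytes(password.getPassword()),
                        asContext.target_name);
                Any any = this.controller.orb().create_any();
                InitialContextTokenHelper.insert(any, token);
                return GSSUtil.getGSSToken(GSSUtil.GSSUP_MECH_OID, this.codec.encode_value(any));
            } catch (Exception e) {
                return null;
            }
        }
        return null;
    }

    /**
     * Builds an identity assertion for the first mechanism whose SAS layer supports
     * IdentityAssertion, preferring principal name, then X.509 chain, then distinguished name;
     * an anonymous caller yields an anonymous token when the target accepts one.
     *
     * @return the token, or {@code null} when no supported identity type can be produced
     */
    private IdentityToken createIdentityToken(CompoundSecMech[] mechanisms) {
        SecurityContext securityContext = this.controller.getSecurityContext();
        for (CompoundSecMech mechanism : mechanisms) {
            SAS_ContextSec sasContext = mechanism.sas_context_mech;
            if (((sasContext.target_requires | sasContext.target_supports) & IDENTITY_ASSERTION) == 0) {
                continue;
            }
            int identityTypes = sasContext.supported_identity_types;
            Principal currentUser = Security.getCurrentUser();
            if (currentUser.equals(Security.ANONYMOUS)) {
                if ((identityTypes & ITT_ANONYMOUS) != 0) {
                    IdentityToken anonymous = new IdentityToken();
                    anonymous.anonymouse(true);
                    return anonymous;
                }
                continue;
            }
            if ((identityTypes & ITT_PRINCIPAL_NAME) != 0 && currentUser instanceof PrincipalImpl) {
                return createPrincipalNameIdToken(currentUser.getName());
            }
            if ((identityTypes & ITT_X509_CERT_CHAIN) != 0) {
                Object credential = Security.getSubjectCredential(CertPath.class);
                if (credential == null && securityContext != null) {
                    credential = securityContext.getCredential();
                }
                if (credential instanceof CertPath) {
                    return createX509CertChainIdToken((CertPath) credential);
                }
            }
            if ((identityTypes & ITT_DISTINGUISHED_NAME) != 0) {
                Object principal = Security.getSubjectPrincipal(X500Principal.class);
                if (principal == null && securityContext != null) {
                    principal = securityContext.getUserPrincipal();
                }
                if (principal instanceof X500Principal) {
                    return createDistinguishedNameIdToken((X500Principal) principal);
                }
            }
        }
        return null;
    }

    /**
     * Builds an ITTPrincipalName identity token from a user name, GSSUP-escaping {@code \} and
     * {@code @} in the name before exporting it.
     *
     * @return the token, or {@code null} when export or encoding fails
     */
    private IdentityToken createPrincipalNameIdToken(String userName) {
        try {
            byte[] exportedName = GSSUtil.exportName(GSSUtil.GSSUP_MECH_OID, escapeGssupName(userName).getBytes(UTF8));
            Any any = this.controller.orb().create_any();
            GSS_NT_ExportedNameHelper.insert(any, exportedName);
            IdentityToken token = new IdentityToken();
            token.principal_name(this.codec.encode_value(any));
            return token;
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Builds an ITTX509CertChain identity token: the chain's certificates are DER-encoded into one
     * SEQUENCE and wrapped in the X509CertificateChain value type.
     *
     * @return the token, or {@code null} when the chain holds a non-X.509 certificate or encoding fails
     */
    private IdentityToken createX509CertChainIdToken(CertPath certPath) {
        DerOutputStream der = new DerOutputStream();
        try {
            List<? extends Certificate> chain = certPath.getCertificates();
            DerValue[] encodedChain = new DerValue[chain.size()];
            int index = 0;
            for (Certificate certificate : chain) {
                // Only X.509 chains can be asserted; any other certificate type fails the cast and yields null.
                encodedChain[index++] = new DerValue(((X509Certificate) certificate).getEncoded());
            }
            der.putSequence(encodedChain);
            Any any = this.controller.orb().create_any();
            X509CertificateChainHelper.insert(any, der.toByteArray());
            IdentityToken token = new IdentityToken();
            token.certificate_chain(this.codec.encode_value(any));
            return token;
        } catch (Exception e) {
            return null;
        } finally {
            closeQuietly(der);
        }
    }

    /**
     * Builds an ITTDistinguishedName identity token from the DER encoding of an X.500 name.
     *
     * @return the token, or {@code null} when encoding fails
     */
    private IdentityToken createDistinguishedNameIdToken(X500Principal principal) {
        try {
            Any any = this.controller.orb().create_any();
            X501DistinguishedNameHelper.insert(any, principal.getEncoded());
            IdentityToken token = new IdentityToken();
            token.dn(this.codec.encode_value(any));
            return token;
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Server side: reconstructs the caller's security context from the incoming service contexts
     * and impersonates it for the rest of the request (reverted in the reply interception points).
     * A request without any usable context is impersonated as nobody.
     *
     * @throws SecurityException  if the SAS message is malformed
     * @throws INTERNAL           if the access token cannot be decoded
     */
    @Override
    public void receive_request_service_contexts(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
        SecurityContext caller = receiveSASContext(serverRequestInfo, receiveSecurityContext(serverRequestInfo));
        if (caller != null) {
            this.controller.impersonate(caller.getAccessToken(), caller.getCredential());
        } else {
            this.controller.impersonate(null, null);
        }
    }

    /** {@inheritDoc} No-op; all work happens in {@link #receive_request_service_contexts}. */
    @Override
    public void receive_request(ServerRequestInfo serverRequestInfo) {
    }

    /** {@inheritDoc} Drops the impersonated identity and the colocated-caller thread marker. */
    @Override
    public void send_reply(ServerRequestInfo serverRequestInfo) {
        revertCaller();
    }

    /** {@inheritDoc} Drops the impersonated identity and the colocated-caller thread marker. */
    @Override
    public void send_exception(ServerRequestInfo serverRequestInfo) {
        revertCaller();
    }

    /** {@inheritDoc} Drops the impersonated identity and the colocated-caller thread marker. */
    @Override
    public void send_other(ServerRequestInfo serverRequestInfo) {
        revertCaller();
    }

    /** Shared reply-path cleanup: undo the impersonation and forget the colocated-caller thread id. */
    private void revertCaller() {
        this.controller.revertToSelf();
        SecurityContext.removeClientThreadID();
    }

    /**
     * Decodes the proprietary {@link #SECURITY_SERVICE_CONTEXT}.
     *
     * @return a context holding the decoded {@link AccessToken}; the controller's current
     *         SecurityContext when the payload is empty (the colocated-call marker written by
     *         {@link #sendSecurityContext}); {@code null} when the context is absent
     * @throws INTERNAL if the payload is present but cannot be decoded
     */
    private SecurityContext receiveSecurityContext(ServerRequestInfo serverRequestInfo) {
        ServiceContext context;
        try {
            context = serverRequestInfo.get_request_service_context(SECURITY_SERVICE_CONTEXT);
        } catch (BAD_PARAM absent) {
            return null;
        }
        if (context.context_data.length == 0) {
            // NOTE(review): an empty payload is taken as "in-process caller" and inherits whatever
            // SecurityContext the controller currently holds, without checking that the request
            // really is colocated; confirm a remote peer cannot reach this branch.
            return this.controller.getSecurityContext();
        }
        try {
            return new SecurityContext(AccessToken.decode(context.context_data), null);
        } catch (Exception e) {
            throw internalError(e);
        }
    }

    /**
     * Processes the incoming CSIv2 SAS context and merges it with the access token received in
     * {@link #receiveSecurityContext}.
     * <ul>
     *   <li>No SAS context and the request comes from the thread recorded by the colocated
     *       client: the current SecurityContext is returned as is.</li>
     *   <li>EstablishContext with a GSSUP token: the password is authenticated locally; failure
     *       answers with a ContextError and raises NO_PERMISSION (rewrapped, see below).</li>
     *   <li>EstablishContext with an identity assertion and no access token yet: the asserted
     *       principal name is impersonated via {@link #getIdentity}.</li>
     *   <li>No SAS context: a TLS peer certificate, if any, is used to log the caller on.</li>
     * </ul>
     *
     * @param securityContext the context decoded from the access-token service context, or {@code null}
     * @return the merged context, never {@code null}
     * @throws SecurityException if the SAS message is not an EstablishContext or cannot be processed
     */
    private SecurityContext receiveSASContext(ServerRequestInfo serverRequestInfo, SecurityContext securityContext) {
        AccessToken accessToken = null;
        Object credential = null;
        if (securityContext != null) {
            accessToken = (AccessToken) securityContext.getAccessToken();
            credential = securityContext.getCredential();
        }
        ServiceContext sasContext = null;
        try {
            sasContext = serverRequestInfo.get_request_service_context(SECURITY_ATTRIBUTE_SERVICE_CONTEXT);
        } catch (BAD_PARAM absent) {
            // no SAS message on this request; handled below
        }
        if (sasContext == null) {
            Long clientThread = SecurityContext.readClientThreadID();
            if (clientThread != null && clientThread.longValue() == Thread.currentThread().getId()) {
                return SecurityContext.getCurrent(); // colocated call from this very thread
            }
            SecurityContext transport = getTransportSecurityContext(serverRequestInfo);
            if (transport != null) {
                if (accessToken == null) {
                    accessToken = (AccessToken) transport.getAccessToken();
                }
                credential = transport.getCredential();
            }
            return new SecurityContext(accessToken, credential);
        }
        try {
            Any decoded = this.codec.decode_value(sasContext.context_data, SASContextBodyHelper.type());
            SASContextBody body = SASContextBodyHelper.extract(decoded);
            if (body.discriminator() != MT_ESTABLISH_CONTEXT) {
                throw new SecurityException("Received an invalid SAS message.");
            }
            EstablishContext establish = body.establish_msg();
            if (establish.client_authentication_token.length != 0) {
                PasswordCredential password = getPasswordCredential(establish.client_authentication_token);
                if (password == null) {
                    addContextError(serverRequestInfo, INVALID_MECHANISM);
                    throw new NO_PERMISSION();
                }
                try {
                    ServerAuthenticator authenticator = new ServerAuthenticator(
                            ((SecurityControllerImpl) Security.getSecurityController()).factory(), this.log);
                    SecurityContext authenticated = new SecurityContext(
                            authenticator.localPasswordAuthenticate(password.getUserName().toCharArray(), password),
                            password);
                    if (accessToken == null) {
                        accessToken = (AccessToken) authenticated.getAccessToken();
                    }
                    credential = authenticated.getCredential();
                } catch (AuthenticationException e) {
                    addContextError(serverRequestInfo, INVALID_EVIDENCE);
                    throw new NO_PERMISSION();
                }
            }
            IdentityToken identityToken = establish.identity_token;
            if (identityToken != null && identityToken.discriminator() != 0 && accessToken == null) {
                // NOTE(review): the assertion is honoured solely because no access token arrived;
                // whether the asserting caller is trusted is left to controller.getImpersonateToken — confirm.
                SecurityContext asserted = getIdentity(identityToken);
                if (asserted != null) {
                    accessToken = (AccessToken) asserted.getAccessToken();
                    credential = asserted.getCredential();
                }
            }
            SASContextBody reply = new SASContextBody();
            reply.complete_msg(new CompleteEstablishContext(0L, false, new byte[0]));
            serverRequestInfo.add_reply_service_context(createServiceContext(reply), false);
        } catch (Exception e) {
            // NOTE(review): this also rewraps the NO_PERMISSION raised above (and the INTERNAL from
            // createServiceContext) into a plain SecurityException; kept for compatibility with callers.
            throw new SecurityException("Received an invalid SAS message.", e);
        }
        return new SecurityContext(accessToken, credential);
    }

    /**
     * Decodes a GSSUP InitialContextToken into a {@link PasswordCredential}.
     *
     * <p>The realm is taken from the token's {@code target_name} when present; otherwise from the
     * part of the user name after the first {@code @}, which is then stripped from the user name.
     * An empty realm becomes {@code null}. Note that GSSUP escaping of {@code @} inside the user
     * name is not honoured by this split.
     *
     * @throws SecurityException if the token cannot be unwrapped or decoded
     */
    private PasswordCredential getPasswordCredential(byte[] gssupToken) {
        try {
            byte[] mechToken = GSSUtil.getMechToken(GSSUtil.GSSUP_MECH_OID, gssupToken);
            Any decoded = this.codec.decode_value(mechToken, InitialContextTokenHelper.type());
            InitialContextToken token = InitialContextTokenHelper.extract(decoded);
            String userName = new String(token.username, UTF8);
            // Decode the password straight into char[]; avoid an immutable String copy of the secret.
            char[] password = toChars(token.password);
            String realm = null;
            byte[] targetName = token.target_name;
            if (targetName != null && targetName.length > 0) {
                realm = new String(GSSUtil.importName(GSSUtil.GSSUP_MECH_OID, targetName), UTF8);
            }
            int at = userName.indexOf('@');
            if (at != -1) {
                // Take the suffix before truncating, otherwise the substring is out of range.
                String suffix = userName.substring(at + 1);
                userName = userName.substring(0, at);
                if (realm == null || realm.isEmpty()) {
                    realm = suffix;
                }
            }
            if (realm != null && realm.isEmpty()) {
                realm = null;
            }
            return new PasswordCredential(userName, password, realm);
        } catch (Exception e) {
            throw new SecurityException("Invalid GSSUP token", e);
        }
    }

    /**
     * Resolves an ITTPrincipalName identity assertion to an impersonation context.
     * Other identity token types are not supported and yield {@code null}.
     *
     * @return the context holding the impersonation token, or {@code null} when the token type is
     *         unsupported or the name cannot be decoded
     */
    private SecurityContext getIdentity(IdentityToken identityToken) {
        if (identityToken.discriminator() != ITT_PRINCIPAL_NAME) {
            return null;
        }
        try {
            Any decoded = this.codec.decode_value(identityToken.principal_name(), GSS_NT_ExportedNameHelper.type());
            byte[] exportedName = GSS_NT_ExportedNameHelper.extract(decoded);
            String userName = new String(GSSUtil.importName(GSSUtil.GSSUP_MECH_OID, exportedName), UTF8);
            return new SecurityContext(this.controller.getImpersonateToken(unescapeGssupName(userName)), null);
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Logs the caller on from the TLS peer certificate chain, when the request arrived over an
     * SSL socket whose peer was authenticated.
     *
     * @return the resulting context, or {@code null} when there is no authenticated peer or logon fails
     */
    private SecurityContext getTransportSecurityContext(ServerRequestInfo serverRequestInfo) {
        try {
            Socket socket = this.rihook.getSocket(serverRequestInfo);
            if (!(socket instanceof SSLSocket)) {
                return null;
            }
            // getPeerCertificates throws SSLPeerUnverifiedException for an unauthenticated peer: handled as null.
            Certificate[] peerCertificates = ((SSLSocket) socket).getSession().getPeerCertificates();
            if (peerCertificates == null) {
                return null;
            }
            return this.controller.logonUser(null, peerCertificates);
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Attaches a ContextError reply to the request.
     *
     * @param majorStatus one of the ContextError major status constants of this class
     */
    private void addContextError(ServerRequestInfo serverRequestInfo, int majorStatus) {
        ContextError error = new ContextError(0L, majorStatus, CONTEXT_ERROR_MINOR_STATUS, new byte[0]);
        SASContextBody body = new SASContextBody();
        body.error_msg(error);
        serverRequestInfo.add_reply_service_context(createServiceContext(body), false);
    }

    /**
     * Encodes a SAS message into a {@link #SECURITY_ATTRIBUTE_SERVICE_CONTEXT} service context.
     *
     * @throws INTERNAL if encoding fails
     */
    private ServiceContext createServiceContext(SASContextBody body) {
        ServiceContext context = new ServiceContext();
        context.context_id = SECURITY_ATTRIBUTE_SERVICE_CONTEXT;
        try {
            Any any = this.controller.orb().create_any();
            SASContextBodyHelper.insert(any, body);
            context.context_data = this.codec.encode_value(any);
            return context;
        } catch (Exception e) {
            throw internalError(e);
        }
    }

    /** Escapes {@code \} and {@code @} with a backslash, as GSSUP requires for scoped user names. */
    private static String escapeGssupName(String name) {
        if (name.indexOf('\\') == -1 && name.indexOf('@') == -1) {
            return name;
        }
        StringBuilder escaped = new StringBuilder(name.length() + 2);
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '\\' || c == '@') {
                escaped.append('\\');
            }
            escaped.append(c);
        }
        return escaped.toString();
    }

    /** Reverses {@link #escapeGssupName}; a lone trailing backslash is kept verbatim. */
    private static String unescapeGssupName(String name) {
        if (name.indexOf('\\') == -1) {
            return name;
        }
        StringBuilder plain = new StringBuilder(name.length());
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '\\' && i < name.length() - 1) {
                c = name.charAt(++i);
            }
            plain.append(c);
        }
        return plain.toString();
    }

    /** UTF-8 encodes a secret held in {@code char[]} without creating a String copy; scrubs the scratch buffer. */
    private static byte[] toUtf8Bytes(char[] chars) {
        ByteBuffer encoded = UTF8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);
        }
        return bytes;
    }

    /** UTF-8 decodes a secret into {@code char[]} without creating a String copy; scrubs the scratch buffer. */
    private static char[] toChars(byte[] bytes) {
        CharBuffer decoded = UTF8.decode(ByteBuffer.wrap(bytes));
        char[] chars = new char[decoded.remaining()];
        decoded.get(chars);
        if (decoded.hasArray()) {
            Arrays.fill(decoded.array(), '\0');
        }
        return chars;
    }

    /** Builds an INTERNAL system exception that keeps the underlying failure as its cause. */
    private static INTERNAL internalError(Throwable cause) {
        INTERNAL error = new INTERNAL();
        error.initCause(cause);
        return error;
    }

    /** Closes the DER encoder; it is byte-array backed ({@code toByteArray}), so a failed close loses nothing. */
    private static void closeQuietly(DerOutputStream out) {
        try {
            out.close();
        } catch (IOException ignored) {
            // nothing to recover: the encoded bytes were already copied out
        }
    }
}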
