package org.wildfly.iiop.openjdk.csiv2;

import com.sun.corba.se.impl.interceptors.ClientRequestInfoImpl;
import com.sun.corba.se.impl.transport.SocketOrChannelContactInfoImpl;
import com.sun.corba.se.spi.transport.CorbaConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.msc.service.ServiceContainer;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.ORB;
import org.omg.CSI.AuthorizationElement;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.GSS_NT_ExportedNameHelper;
import org.omg.CSI.IdentityToken;
import org.omg.CSI.SASContextBody;
import org.omg.CSI.SASContextBodyHelper;
import org.omg.CSIIOP.CompoundSecMech;
import org.omg.GSSUP.InitialContextToken;
import org.omg.IOP.Codec;
import org.omg.IOP.CodecPackage.FormatMismatch;
import org.omg.IOP.CodecPackage.InvalidTypeForEncoding;
import org.omg.IOP.CodecPackage.TypeMismatch;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ClientRequestInterceptor;
import org.omg.PortableInterceptor.ForwardRequest;
import org.wildfly.iiop.openjdk.logging.IIOPLogger;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.AuthenticationContextConfigurationClient;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.auth.principal.AnonymousPrincipal;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:org/wildfly/iiop/openjdk/csiv2/ElytronSASClientInterceptor.class */
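/**
 * Client-side CSIv2 Security Attribute Service (SAS) interceptor backed by Elytron.
 * <p>
 * On {@link #send_request} it looks up the target's matching {@link CompoundSecMech}; when the target
 * supports identity assertion and/or requires trust establishment it attaches a SAS
 * {@link EstablishContext} service context carrying an {@link IdentityToken} (the caller's principal,
 * or the anonymous token) and/or a GSSUP {@link InitialContextToken} (username/password obtained from
 * the Elytron {@link AuthenticationContext}). On {@link #receive_reply} it decodes the SAS reply and
 * raises an error when the server answered with a context error.
 * <p>
 * The {@link AuthenticationContext} used is, in order: the one configured via
 * {@link #setAuthenticationContextName}, otherwise a context forwarding the current non-anonymous
 * {@link SecurityIdentity}, otherwise the captured current context.
 */
public class ElytronSASClientInterceptor extends LocalObject implements ClientRequestInterceptor {

    /** IOP service context id of the SAS protocol (mirrors {@code org.omg.IOP.SecurityAttributeService.value}). */
    private static final int SAS_CONTEXT_ID = 15;
    /** {@code target_supports} / {@code target_requires} bit for {@code org.omg.CSIIOP.IdentityAssertion}. */
    private static final int IDENTITY_ASSERTION = 1024;
    /** Association option bit for {@code org.omg.CSIIOP.EstablishTrustInClient}. */
    private static final short ESTABLISH_TRUST_IN_CLIENT = 64;
    /** Identity token type bit for {@code org.omg.CSI.ITTAnonymous}. */
    private static final int ITT_ANONYMOUS = 1;
    /** {@link SASContextBody} discriminator for {@code org.omg.CSI.MTContextError}. */
    private static final int MT_CONTEXT_ERROR = 4;

    private static final String AUTHENTICATION_CONTEXT_CAPABILITY = "org.wildfly.security.authentication-context";
    private static final RuntimeCapability<Void> AUTHENTICATION_CONTEXT_RUNTIME_CAPABILITY =
            RuntimeCapability.Builder.of(AUTHENTICATION_CONTEXT_CAPABILITY, true, AuthenticationContext.class).build();
    private static final AuthenticationContextConfigurationClient AUTH_CONFIG_CLIENT =
            (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);

    /** Sentinel meaning "no identity token"; compared by reference in {@link #send_request}. */
    private static final IdentityToken ABSENT_IDENTITY_TOKEN = absentIdentityToken();
    /** Sentinel meaning "no client authentication token"; compared by reference in {@link #send_request}. */
    private static final byte[] NO_AUTHENTICATION_TOKEN = new byte[0];
    private static final AuthorizationElement[] NO_AUTHORIZATION_TOKEN = new AuthorizationElement[0];

    // Written by setAuthenticationContextName (subsystem start) and read by the constructor (ORB
    // initialisation); volatile so the constructor sees the latest value whichever thread set it.
    private static volatile String authenticationContextName;

    private final Codec codec;
    /** Configured authentication context, or {@code null} when no name was set before construction. */
    private final AuthenticationContext authContext;

    /**
     * Configures the name of the Elytron authentication context this interceptor should use.
     * Must be called before the interceptor is constructed to have any effect.
     *
     * @param str the authentication-context capability name, or {@code null} to use the current context
     */
    public static void setAuthenticationContextName(String str) {
        authenticationContextName = str;
    }

    /**
     * Creates the interceptor.
     *
     * @param codec the codec used to encode/decode SAS service contexts
     */
    public ElytronSASClientInterceptor(Codec codec) {
        this.codec = codec;
        // read the static once so a concurrent setter call cannot flip the branch half-way
        String contextName = authenticationContextName;
        if (contextName != null) {
            ServiceContainer container = currentServiceContainer();
            this.authContext = (AuthenticationContext) container
                    .getRequiredService(AUTHENTICATION_CONTEXT_RUNTIME_CAPABILITY.getCapabilityServiceName(contextName))
                    .getValue();
        } else {
            this.authContext = null;
        }
    }

    /**
     * Adds a SAS {@code EstablishContext} service context to the outgoing request when the target's
     * security mechanism asks for identity assertion or client trust establishment.
     *
     * @param clientRequestInfo the outgoing request
     * @throws ForwardRequest never thrown by this implementation (declared by the interface)
     */
    @Override
    public void send_request(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        try {
            CompoundSecMech mech = CSIv2Util.getMatchingSecurityMech(clientRequestInfo, this.codec, ESTABLISH_TRUST_IN_CLIENT, (short) 0);
            if (mech == null) {
                return;
            }
            URI uri = getURI(clientRequestInfo);
            if (uri == null) {
                return;
            }
            SecurityDomain domain = SecurityDomain.getCurrent();
            SecurityIdentity identity = domain != null ? domain.getCurrentSecurityIdentity() : null;
            AuthenticationContext authenticationContext = resolveAuthenticationContext(domain, identity);

            IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
            byte[] authenticationToken = NO_AUTHENTICATION_TOKEN;
            if ((mech.sas_context_mech.target_supports & IDENTITY_ASSERTION) != 0) {
                Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(
                        AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authenticationContext, -1, (String) null, (String) null));
                if (principal != null && principal != AnonymousPrincipal.getInstance()) {
                    identityToken = principalNameIdentityToken(principal.getName());
                } else if ((mech.sas_context_mech.supported_identity_types & ITT_ANONYMOUS) != 0) {
                    identityToken = new IdentityToken();
                    identityToken.anonymous(true);
                }
                if ((mech.as_context_mech.target_requires & ESTABLISH_TRUST_IN_CLIENT) != 0) {
                    authenticationToken = createInitialContextToken(uri, mech);
                }
            } else if ((mech.as_context_mech.target_supports & ESTABLISH_TRUST_IN_CLIENT) != 0) {
                authenticationToken = createInitialContextToken(uri, mech);
            }

            if (identityToken != ABSENT_IDENTITY_TOKEN || authenticationToken != NO_AUTHENTICATION_TOKEN) {
                // client_context_id 0: stateless SAS context
                EstablishContext establishContext = new EstablishContext(0L, NO_AUTHORIZATION_TOKEN, identityToken, authenticationToken);
                SASContextBody body = new SASContextBody();
                body.establish_msg(establishContext);
                Any any = ORB.init().create_any();
                SASContextBodyHelper.insert(any, body);
                clientRequestInfo.add_request_service_context(new ServiceContext(SAS_CONTEXT_ID, this.codec.encode_value(any)), true);
            }
        } catch (Exception e) {
            throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
        }
    }

    @Override
    public void send_poll(ClientRequestInfo clientRequestInfo) {
    }

    /**
     * Validates the SAS reply: a {@code ContextError} message is turned into an exception. A reply
     * without a SAS service context is accepted silently.
     *
     * @param clientRequestInfo the reply being processed
     */
    @Override
    public void receive_reply(ClientRequestInfo clientRequestInfo) {
        try {
            SASContextBody body = decodeSASReply(clientRequestInfo);
            IIOPLogger.ROOT_LOGGER.tracef("receive_reply: got SAS reply, type %d", body.discriminator());
            if (body.discriminator() == MT_CONTEXT_ERROR) {
                throw IIOPLogger.ROOT_LOGGER.unexpectedContextErrorInSASReply(0, CompletionStatus.COMPLETED_YES);
            }
        } catch (FormatMismatch | TypeMismatch e) {
            throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_YES);
        } catch (BAD_PARAM ignored) {
            // get_reply_service_context raises BAD_PARAM when the reply carries no SAS context: nothing to check
        }
    }

    /**
     * Traces the SAS reply attached to an exception reply, if any.
     *
     * @param clientRequestInfo the exception reply being processed
     * @throws ForwardRequest never thrown by this implementation (declared by the interface)
     */
    @Override
    public void receive_exception(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        try {
            IIOPLogger.ROOT_LOGGER.tracef("receive_exception: got SAS reply, type %d", decodeSASReply(clientRequestInfo).discriminator());
        } catch (FormatMismatch | TypeMismatch e) {
            throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_MAYBE);
        } catch (BAD_PARAM ignored) {
            // no SAS service context on this reply
        }
    }

    @Override
    public void receive_other(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
    }

    @Override
    public String name() {
        return "ElytronSASClientInterceptor";
    }

    @Override
    public void destroy() {
    }

    /** Builds the shared "absent" identity token used as a sentinel. */
    private static IdentityToken absentIdentityToken() {
        IdentityToken token = new IdentityToken();
        token.absent(true);
        return token;
    }

    /**
     * Chooses the authentication context for an outgoing request.
     *
     * @param domain   the current security domain, may be {@code null}
     * @param identity the current security identity of {@code domain}, may be {@code null}
     * @return the configured context if one was set; otherwise a context forwarding the established
     *         identity, or the captured current context when the identity is absent or anonymous
     */
    private AuthenticationContext resolveAuthenticationContext(SecurityDomain domain, SecurityIdentity identity) {
        if (this.authContext != null) {
            return this.authContext;
        }
        if (identity == null || identity.isAnonymous()) {
            return AuthenticationContext.captureCurrent();
        }
        // a non-anonymous identity is established on the current domain: forward it rather than re-authenticate
        return AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty().useForwardedIdentity(domain));
    }

    /**
     * Encodes a principal name as a GSS exported name inside an {@code ITTPrincipalName} identity token.
     *
     * @param principalName the caller's principal name; gets {@code @default} appended when it carries no realm
     * @return the identity token
     * @throws InvalidTypeForEncoding if the codec rejects the exported-name {@link Any}
     */
    private IdentityToken principalNameIdentityToken(String principalName) throws InvalidTypeForEncoding {
        String name = principalName.indexOf('@') < 0 ? principalName + "@default" : principalName;
        byte[] exportedName = CSIv2Util.encodeGssExportedName(name.getBytes(StandardCharsets.UTF_8));
        Any any = ORB.init().create_any();
        GSS_NT_ExportedNameHelper.insert(any, exportedName);
        IdentityToken token = new IdentityToken();
        token.principal_name(this.codec.encode_value(any));
        return token;
    }

    /**
     * Decodes the SAS service context of the current reply.
     *
     * @param clientRequestInfo the reply being processed
     * @return the decoded {@link SASContextBody}
     * @throws FormatMismatch if the context data is not a valid encoding
     * @throws TypeMismatch   if the context data does not decode to a {@link SASContextBody}
     * @throws BAD_PARAM      (from {@code get_reply_service_context}) if the reply has no SAS context
     */
    private SASContextBody decodeSASReply(ClientRequestInfo clientRequestInfo) throws FormatMismatch, TypeMismatch {
        ServiceContext sasContext = clientRequestInfo.get_reply_service_context(SAS_CONTEXT_ID);
        return SASContextBodyHelper.extract(this.codec.decode_value(sasContext.context_data, SASContextBodyHelper.type()));
    }

    private ServiceContainer currentServiceContainer() {
        if (WildFlySecurityManager.isChecking()) {
            return (ServiceContainer) AccessController.doPrivileged(CurrentServiceContainer.GET_ACTION);
        }
        return CurrentServiceContainer.getServiceContainer();
    }

    /**
     * Derives an {@code iiop://host:port} URI describing the connection of the outgoing request; this URI
     * is what the Elytron authentication-context match rules are evaluated against.
     *
     * @param clientRequestInfo the outgoing request
     * @return the URI, or {@code null} when the request carries no usable connection
     * @throws URISyntaxException if the host/port cannot form a valid URI
     */
    private URI getURI(ClientRequestInfo clientRequestInfo) throws URISyntaxException {
        if (!(clientRequestInfo instanceof ClientRequestInfoImpl)) {
            return null;
        }
        CorbaConnection connection = ((ClientRequestInfoImpl) clientRequestInfo).connection();
        if (connection == null) {
            return null;
        }
        StringBuilder uri = new StringBuilder("iiop:");
        // the decompiled form declared the concrete type before the instanceof; keep it general so the check is real
        Object contactInfo = connection.getContactInfo();
        if (contactInfo instanceof SocketOrChannelContactInfoImpl) {
            SocketOrChannelContactInfoImpl socketInfo = (SocketOrChannelContactInfoImpl) contactInfo;
            String host = socketInfo.getHost();
            if (host != null) {
                uri.append("//").append(host);
            }
            int port = socketInfo.getPort();
            if (port > 0) {
                uri.append(':').append(port);
            }
        }
        return new URI(uri.toString());
    }

    /**
     * Builds the GSSUP {@link InitialContextToken} (username/password) for the target, asking the
     * Elytron callback handler of the matching authentication configuration for the credentials.
     *
     * @param uri  the target connection URI used to select the authentication configuration
     * @param mech the target's security mechanism; its {@code as_context_mech.target_name} is the target realm
     * @return the encoded token, or {@link #NO_AUTHENTICATION_TOKEN} when no (non-anonymous) user name is
     *         available or the handler does not support name/password callbacks
     * @throws Exception if the callback handler or the token encoding fails
     */
    private byte[] createInitialContextToken(URI uri, CompoundSecMech mech) throws Exception {
        AuthenticationContext context = this.authContext == null ? AuthenticationContext.captureCurrent() : this.authContext;
        CallbackHandler handler = AUTH_CONFIG_CLIENT.getCallbackHandler(
                AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, context, -1, (String) null, (String) null));
        NameCallback nameCallback = new NameCallback("Username: ");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[]{nameCallback, passwordCallback});
            String userName = nameCallback.getName();
            if (userName == null || userName.equals(AnonymousPrincipal.getInstance().getName())) {
                return NO_AUTHENTICATION_TOKEN;
            }
            byte[] targetName = mech.as_context_mech.target_name;
            if (userName.indexOf('@') < 0) {
                // no realm in the user name: qualify it with the target's realm taken from its GSS exported name
                userName = userName + "@" + new String(CSIv2Util.decodeGssExportedName(targetName), StandardCharsets.UTF_8);
            }
            char[] password = passwordCallback.getPassword();
            // NOTE(review): the password transits through an immutable String here; the char[] itself is
            // cleared in the finally block, the String copy cannot be.
            byte[] passwordBytes = password == null ? new byte[0] : new String(password).getBytes(StandardCharsets.UTF_8);
            return CSIv2Util.encodeInitialContextToken(
                    new InitialContextToken(userName.getBytes(StandardCharsets.UTF_8), passwordBytes, targetName), this.codec);
        } catch (UnsupportedCallbackException e) {
            // the handler cannot supply a name/password pair: send the request without a client authentication token
            return NO_AUTHENTICATION_TOKEN;
        } finally {
            // do not leave the cleartext password reachable from the callback object
            passwordCallback.clearPassword();
        }
    }
}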
