package com.ibm.ISecurityLocalObjectBaseL13Impl;

import com.ibm.CORBA.iiop.ExtendedORBInitInfo;
import com.ibm.CORBA.iiop.ORB;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.ClientSessionKey;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SecurityExecutionEnvironment;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SessionEntry;
import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.ISecurityUtilityImpl.SecurityMinorCodes;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.util.PlatformHelperFactory;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.Object;
import org.omg.CSI.ContextError;
import org.omg.CSI.IdentityToken;
import org.omg.CSI.SASContextBody;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ForwardRequest;
import org.omg.PortableInterceptor.ORBInitInfo;
import org.omg.PortableInterceptor.RequestInfo;

/* loaded from: input_file:com.ibm.ws.admin.client_7.0.0.jar:com/ibm/ISecurityLocalObjectBaseL13Impl/CSIClientRIForCFW.class */
public class CSIClientRIForCFW extends CSIClientRIBase {
    // Trace component for this class, registered under the "SASRas" trace group.
    private static final TraceComponent tc = Tr.register(CSIClientRIForCFW.class, "SASRas", "com.ibm.ISecurityL13SupportImpl.sec");
    // Delegate interceptor created by pre_init when running in a client JVM; stays null otherwise,
    // and post_init uses that null/non-null state to decide who handles post-initialisation.
    private CSIClientRI clientRI = null;
    // NOTE(review): this field is not read anywhere in the class as shown. The methods below obtain
    // the manager through CSICredentialsManager.getInstance(), and the anonymous action inside
    // send_request declares its own credsMgr that shadows this one. Confirm whether it is still needed.
    private CSICredentialsManager credsMgr = new CSICredentialsManager();

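    /**
     * Registers the CSIv2 client request interceptor during ORB pre-initialisation.
     *
     * <p>Nothing is registered unless the {@code com.ibm.CORBA.securityEnabled} property is true.
     * In a client JVM the work is delegated to a plain {@link CSIClientRI}; otherwise this
     * instance registers itself through {@code ExtendedORBInitInfo.add_client_request_interceptor}.
     *
     * @param oRBInitInfo ORB initialisation handle; on the non-client path it is cast to
     *     {@code ExtendedORBInitInfo}, so a different implementation ends up in the catch block
     * @throws INTERNAL if registration fails for any reason; the original exception is attached
     *     as the cause and also recorded through FFDC
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase, com.ibm.ISecurityLocalObjectBaseL13Impl.CSIORBInit
    public void pre_init(ORBInitInfo oRBInitInfo) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "pre_init", oRBInitInfo);
        }
        if (SecurityObjectLocator.getCSIv2Config().getBoolean("com.ibm.CORBA.securityEnabled")) {
            try {
                if (PlatformHelperFactory.getPlatformHelper().isClientJvm()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Registering simple client request interceptor");
                    }
                    this.clientRI = new CSIClientRI();
                    this.clientRI.pre_init(oRBInitInfo);
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Registering client request interceptor for CFW");
                    }
                    super.pre_init(oRBInitInfo);
                    ((ExtendedORBInitInfo) oRBInitInfo).add_client_request_interceptor(this, false);
                }
            } catch (Exception e) {
                Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIForCFW.pre_init", "108", this);
                if (tc.isDebugEnabled()) {
                    // Fully qualified: the file imports org.omg.CORBA.Object, which would otherwise
                    // be the element type here and cannot hold an Exception.
                    Tr.debug(tc, "An exception has been thrown registering the interceptor.", new java.lang.Object[]{e});
                }
                // initCause() is declared to return Throwable, so the result cannot be thrown
                // directly from a method without a throws clause; keep the typed reference instead.
                INTERNAL failure = new INTERNAL();
                failure.initCause(e);
                throw failure;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "pre_init");
        }
    }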

    /**
     * Completes ORB initialisation for whichever interceptor pre_init selected.
     *
     * <p>When pre_init created a {@link CSIClientRI} delegate, the call is forwarded to it;
     * otherwise the superclass implementation runs.
     *
     * @param oRBInitInfo ORB initialisation handle passed through unchanged
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase, com.ibm.ISecurityLocalObjectBaseL13Impl.CSIORBInit
    public void post_init(ORBInitInfo oRBInitInfo) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "post_init", oRBInitInfo);
        }
        if (this.clientRI == null) {
            // No delegate was installed, so this instance is the registered interceptor.
            super.post_init(oRBInitInfo);
        } else {
            this.clientRI.post_init(oRBInitInfo);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "post_init");
        }
    }

    /**
     * Client-side send interception point. Works in two passes, selected by whether a
     * SessionEntry is present in the ContextManager slot keyed by CSIV2_ZOS_PRIVATE_CTX_ID.
     *
     * <p>First pass (no SessionEntry): builds a SecurityExecutionEnvironment ("seed") from the
     * invocation subject and attaches it as the CSIV2_SEED_CTX_ID service context.
     *
     * <p>Second pass (SessionEntry present): takes the effective policy from the SessionEntry,
     * resolves the subject to send, builds the identity token and security context, and attaches
     * the serialized SessionEntry as the CSIV2_ZOS_PRIVATE_CTX_ID service context.
     *
     * <p>Both passes return early, without adding any security context, when the policy reports
     * naming reads as unprotected and namingReadUnprotected(...) returns true for this request.
     *
     * <p>NOTE(review): receive_other in this class fills the same ContextManager slot with a
     * SessionEntry built from a reply service context, and the second pass takes its policy and
     * session key from that entry. Confirm that this private context can only originate from the
     * local filter and not from the remote peer.
     *
     * @param clientRequestInfo the outgoing request being intercepted
     * @throws ForwardRequest declared by the interception point; not thrown directly in this body
     * @throws NO_PERMISSION if the seed or the security service context cannot be created
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase
    public void send_request(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        ServiceContext serviceContext;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "send_request", clientRequestInfo);
        }
        if (tc.isDebugEnabled()) {
            entry(clientRequestInfo);
        }
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        // Read the pending SessionEntry and clear the slot straight away so that it is consumed
        // by exactly one request.
        SessionEntry sessionEntry = (SessionEntry) contextManagerFactory.get(Integer.toString(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID));
        contextManagerFactory.put(Integer.toString(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID), null);
        if (sessionEntry == null) {
            // ---- First pass: no session yet, send a seed. ----
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session entry not found from filter, generating SEED (first pass).");
                }
                CSIv2EffectivePerformPolicy effectivePolicyFromClientRequestInfo = getEffectivePolicyFromClientRequestInfo(clientRequestInfo);
                if (effectivePolicyFromClientRequestInfo != null) {
                    boolean z = false;
                    if (effectivePolicyFromClientRequestInfo.isNamingReadUnprotected()) {
                        z = namingReadUnprotected(clientRequestInfo, effectivePolicyFromClientRequestInfo);
                    }
                    if (z) {
                        // Unprotected naming read: the request leaves with no seed attached.
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "Naming Read is unprotected and this is a naming method, so returning without creating SEED.");
                            return;
                        }
                        return;
                    }
                }
                Subject invocationSubject = CSICredentialsManager.getInstance().getInvocationSubject();
                if (cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundMappingEnabled")) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "*** To unwrap innocation subject ***");
                    }
                    invocationSubject = unwrapSubject(invocationSubject);
                }
                SecurityExecutionEnvironment securityExecutionEnvironment = new SecurityExecutionEnvironment(invocationSubject);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Seed created, adding as private service context to flow to filter.");
                }
                ServiceContext serviceContext2 = new ServiceContext(SecurityMinorCodes.CSIV2_SEED_CTX_ID, securityExecutionEnvironment.getBytes());
                // A freshly constructed object is never null, so this check always passes.
                if (serviceContext2 != null) {
                    clientRequestInfo.add_request_service_context(serviceContext2, true);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "send_request(seed)");
                    return;
                }
                return;
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception trying to create private service context.", new Object[]{e});
                }
                // NO_PERMISSION is passed through untouched; everything else is converted to it.
                // NOTE(review): the replacement carries e.toString() in its message but does not
                // attach e as the cause, and unlike the second pass nothing is logged to FFDC here.
                if (!(e instanceof NO_PERMISSION)) {
                    throw new NO_PERMISSION("Cannot create seed service context due to exception: \n" + e.toString());
                }
                throw e;
            }
        }
        // ---- Second pass: a SessionEntry was handed back, establish the security context. ----
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Session entry found from filter (second pass).");
        }
        try {
            final CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy = sessionEntry.get_effective_policy();
            if (cSIv2EffectivePerformPolicy != null) {
                boolean z2 = false;
                if (cSIv2EffectivePerformPolicy.isNamingReadUnprotected()) {
                    z2 = namingReadUnprotected(clientRequestInfo, cSIv2EffectivePerformPolicy);
                }
                if (z2) {
                    // Unprotected naming read: the request leaves without any authentication data.
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "Naming read is unprotected and this is a naming method, so returning without authenticating.");
                        return;
                    }
                    return;
                }
                if (cSIv2EffectivePerformPolicy.performClientAuthentication() || cSIv2EffectivePerformPolicy.performIdentityAssertion()) {
                    long j = sessionEntry.get_client_context_id();
                    ClientSessionKey clientSessionKey = sessionEntry.get_client_session_key();
                    this.sessionMgr.update_client_session(clientSessionKey, sessionEntry);
                    String str = clientSessionKey.get_connection_key();
                    final String realmOrReturnSecurityName = RealmSecurityName.getRealmOrReturnSecurityName(cSIv2EffectivePerformPolicy.getTargetSecurityName(), cSIv2EffectivePerformPolicy.getPerformClientAuthMechOID(), cSIv2EffectivePerformPolicy.getTargetAuthMechOID());
                    // Remember the policy under the request id; the receive_* points look it up
                    // and clear it again.
                    this.myVault.put_effective_policy(clientRequestInfo.request_id(), cSIv2EffectivePerformPolicy);
                    // Identity assertion sends the invocation subject; plain client authentication
                    // asks the credentials manager for a client subject inside a privileged block.
                    Subject invocationSubject2 = cSIv2EffectivePerformPolicy.performIdentityAssertion() ? CSICredentialsManager.getInstance().getInvocationSubject() : (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIForCFW.1
                        // Shadows the outer credsMgr field; this one is the shared instance.
                        CSICredentialsManager credsMgr = CSICredentialsManager.getInstance();

                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            return this.credsMgr.getClientSubject(realmOrReturnSecurityName, cSIv2EffectivePerformPolicy);
                        }
                    });
                    if (invocationSubject2 == null) {
                        // No subject available: fall back to the unauthenticated subject rather
                        // than failing the request.
                        invocationSubject2 = contextManagerFactory.createUnauthenticatedSubject();
                    } else if (cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundMappingEnabled")) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "*** To unwrap innocation subject ***");
                        }
                        invocationSubject2 = unwrapSubject(invocationSubject2);
                    }
                    if (sessionEntry.get_renegotiate_to_stateless()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Request is renegotiated to stateless, session returned from filter.");
                        }
                        // Context id 0 is what the stateful check further down treats as "no session".
                        j = 0;
                    }
                    cSIv2EffectivePerformPolicy.setStatefulContextID(j);
                    cSIv2EffectivePerformPolicy.setClientSessionKey(clientSessionKey);
                    if (cSIv2EffectivePerformPolicy.performAuthorizationToken() || cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundLoginEnabled")) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Calling JAAS login to map or create opaque authorization token.");
                        }
                        invocationSubject2 = mapOutboundOrCreateOAT(invocationSubject2, cSIv2EffectivePerformPolicy);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Determining which SecurityContext to use (GSSUP or LTPA).");
                    }
                    SecurityContextImpl determineSecurityContextType = determineSecurityContextType(invocationSubject2, cSIv2EffectivePerformPolicy, str, this.sessionMgr, sessionEntry);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Setting the contents of the identity token.");
                    }
                    IdentityToken identityToken = new IdentityToken();
                    setIdentityToken(identityToken, invocationSubject2, cSIv2EffectivePerformPolicy, this.sessionMgr, sessionEntry);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Setting the contents of the client authentication token and EstablishContext message.");
                    }
                    setSecurityContext(clientRequestInfo, determineSecurityContextType, identityToken, invocationSubject2, cSIv2EffectivePerformPolicy, this.sessionMgr, sessionEntry, realmOrReturnSecurityName);
                    this.csiUtil.setUnauthenticatedToNullIfNeeded();
                    // sessionEntry was already dereferenced above, so the null tests below cannot fail.
                    // NOTE(review): 6 is an unnamed session-state constant; its meaning is not
                    // visible in this file.
                    if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && j != 0) {
                        sessionEntry.set_session_state(6);
                    }
                    if (sessionEntry != null && (serviceContext = new ServiceContext(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID, sessionEntry.getBytes())) != null) {
                        clientRequestInfo.add_request_service_context(serviceContext, true);
                    }
                }
            // NOTE(review): this else pairs with the null check on the policy, so the message below
            // is traced when the SessionEntry carries no policy at all. When a policy exists but
            // neither client authentication nor identity assertion is set, nothing is traced.
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Neither client auth or identity assertion is being performed.  Returning without sending EstablishContext.");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "*** SENDING REQUEST ***");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "send_request(establish_context)");
            }
        } catch (Exception e2) {
            Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIForCFW.send_request", "310", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception trying to create service context.", new Object[]{e2});
            }
            // Any failure on the second pass is reported as NO_PERMISSION, so the request is refused
            // rather than sent without its security context.
            // NOTE(review): only e2.getMessage() survives; the cause is not attached, and a
            // NO_PERMISSION raised inside the try block is re-wrapped as well.
            throw new NO_PERMISSION("Cannot create service context.  Message: " + e2.getMessage());
        }
    }

    /**
     * Client-side interception point for a normal reply.
     *
     * <p>Local requests are handed to receive_reply_local. For remote requests the effective
     * policy stored by send_request is fetched and cleared, special naming/CORBA methods are
     * skipped, the SAS message in the reply (if any) is read, and the security context is
     * continued through csi_continue_security_context.
     *
     * @param clientRequestInfo the request whose reply is being intercepted
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase
    public void receive_reply(ClientRequestInfo clientRequestInfo) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "receive_reply");
        }
        if (tc.isDebugEnabled()) {
            entry(clientRequestInfo);
        }
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        if (is_local_client_request(clientRequestInfo)) {
            receive_reply_local(clientRequestInfo);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "receive_reply");
                return;
            }
            return;
        }
        // Fetch and immediately clear the policy so the vault does not keep an entry per request id.
        CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy = this.myVault.get_effective_policy(clientRequestInfo.request_id());
        this.myVault.clear_effective_policy(clientRequestInfo.request_id());
        if (cSIv2EffectivePerformPolicy == null) {
            // No policy was stored for this request id, so there is nothing to process.
            // The traced value is always "true" on this branch.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Effective policy is null? " + (cSIv2EffectivePerformPolicy == null));
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "receive_reply");
                return;
            }
            return;
        }
        String name = clientRequestInfo.effective_target() != null ? clientRequestInfo.effective_target().getClass().getName() : "<unknown>";
        // Special naming methods, and ORB special methods when CORBA authentication is not
        // required, bypass the reply-side security processing entirely.
        if (SecurityConnectionInterceptor.isSpecialNamingMethod(clientRequestInfo.operation(), name) || SecurityConnectionInterceptor.isSpecialSSLRequiredNamingMethod(clientRequestInfo.operation(), name) || (ORB.isSpecialMethod(clientRequestInfo.operation()) && !this.csiUtil.isCORBAAuthRequired())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Special naming method or other corba special method. Return from interceptor.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "receive_reply");
                return;
            }
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "*** RECEIVING REPLY ***");
        }
        SASContextBody sASContextBody = null;
        ServiceContext serviceContext = this.csiUtil.get_sc_from_reply((RequestInfo) clientRequestInfo);
        if (serviceContext != null) {
            sASContextBody = this.csiUtil.get_message_from_sc(serviceContext);
        }
        // Discriminator 1 is the value of MTCompleteEstablishContext in org.omg.CSI: the target
        // accepted the context, so the authentication retry counter is reset when retries are enabled.
        if (sASContextBody != null && sASContextBody.discriminator() == 1 && cSIv2Config.getBoolean("com.ibm.CORBA.authenticationRetryEnabled")) {
            this.csiUtil.getCurrent().clear_retry_count();
        }
        // NOTE(review): && binds tighter than ||, so identity assertion alone satisfies this
        // condition even when the reply carried no service context. receive_exception in this class
        // groups both perform* checks under the serviceContext != null test instead. Confirm which
        // grouping is intended. The policy null test is redundant here because of the early return above.
        if ((serviceContext != null && cSIv2EffectivePerformPolicy != null && cSIv2EffectivePerformPolicy.performClientAuthentication()) || cSIv2EffectivePerformPolicy.performIdentityAssertion()) {
            SecurityContextImpl securityContextImpl = new com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl(this.myVault, "");
            securityContextImpl.csi_continue_security_context(clientRequestInfo, securityContextImpl);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "*** MESSAGE COMPLETED ***");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "receive_reply");
        }
    }

    /**
     * Hook invoked by receive_reply when is_local_client_request reports a local request.
     * Intentionally a no-op in this class: replies to local requests get no CSIv2 processing here.
     *
     * @param clientRequestInfo the local request whose reply was received
     */
    public void receive_reply_local(ClientRequestInfo clientRequestInfo) {
    }

    /**
     * Client-side interception point for a reply that carries an exception.
     *
     * <p>Local requests are handed to receive_exception_local. For remote requests the stored
     * effective policy is fetched and cleared, the SAS message in the reply (if any) is examined,
     * and the security context is continued when the policy performs client authentication or
     * identity assertion.
     *
     * @param clientRequestInfo the request whose exceptional reply is being intercepted
     * @throws ForwardRequest declared by the interception point; may come from the calls made here
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase
    public void receive_exception(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "receive_exception");
        }
        if (tc.isDebugEnabled()) {
            entry(clientRequestInfo);
        }
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        if (is_local_client_request(clientRequestInfo)) {
            receive_exception_local(clientRequestInfo);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "receive_exception");
                return;
            }
            return;
        }
        // Diagnostic only: the server's detailed message is read and traced when debug is on.
        // NOTE(review): the message text comes from the remote side and is written to trace as
        // received; confirm the trace sink tolerates arbitrary content.
        if (tc.isDebugEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "*** RECEIVING EXCEPTION ***");
            }
            String read_detailed_message = this.csiUtil.read_detailed_message(clientRequestInfo);
            if (read_detailed_message != null && !read_detailed_message.equals("") && tc.isDebugEnabled()) {
                Tr.debug(tc, "The following exception was received from the server: " + read_detailed_message);
            }
        }
        // Fetch and immediately clear the policy so the vault does not keep an entry per request id.
        CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy = this.myVault.get_effective_policy(clientRequestInfo.request_id());
        this.myVault.clear_effective_policy(clientRequestInfo.request_id());
        SASContextBody sASContextBody = null;
        ServiceContext serviceContext = this.csiUtil.get_sc_from_reply((RequestInfo) clientRequestInfo);
        if (serviceContext != null) {
            sASContextBody = this.csiUtil.get_message_from_sc(serviceContext);
        }
        // Discriminators 1 and 4 are the values of MTCompleteEstablishContext and MTContextError
        // in org.omg.CSI.
        if (sASContextBody == null || sASContextBody.discriminator() != 1) {
            if (sASContextBody != null && sASContextBody.discriminator() == 4) {
                ContextError error_msg = sASContextBody.error_msg();
                if (error_msg != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Client context ID: " + error_msg.client_context_id);
                    }
                    // NOTE(review): error_token is taken from the reply's ContextError, i.e. it is
                    // supplied by the remote target. deserializeRootException is not shown here;
                    // confirm it restricts which classes it will deserialize. Its result is not
                    // used in this method.
                    this.csiUtil.deserializeRootException(error_msg.error_token);
                }
                // reply_status() 1 is SYSTEM_EXCEPTION in org.omg.PortableInterceptor; only then is
                // the session manager asked to retry the request.
                if (clientRequestInfo.reply_status() == 1) {
                    this.sessionMgr.retry(clientRequestInfo);
                }
            }
        } else if (cSIv2Config.getBoolean("com.ibm.CORBA.authenticationRetryEnabled")) {
            // The target completed the context despite the exception: reset the retry counter.
            this.csiUtil.getCurrent().clear_retry_count();
        }
        if (serviceContext != null && cSIv2EffectivePerformPolicy != null && (cSIv2EffectivePerformPolicy.performClientAuthentication() || cSIv2EffectivePerformPolicy.performIdentityAssertion())) {
            SecurityContextImpl securityContextImpl = new com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl(this.myVault, "");
            securityContextImpl.csi_continue_security_context(clientRequestInfo, securityContextImpl);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "*** MESSAGE COMPLETED ***");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "receive_exception");
        }
    }

    /**
     * Hook invoked by receive_exception when is_local_client_request reports a local request.
     * Intentionally a no-op in this class.
     *
     * @param clientRequestInfo the local request whose exceptional reply was received
     * @throws ForwardRequest never thrown by this empty implementation
     */
    public void receive_exception_local(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
    }

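    /**
     * Client-side interception point for replies that are neither a normal result nor an exception.
     *
     * <p>The stored effective policy for the request is cleared. For remote requests, a
     * CSIV2_ZOS_PRIVATE_CTX_ID service context found in the reply is turned into a SessionEntry
     * and placed in the ContextManager slot that send_request reads on its next pass.
     *
     * <p>NOTE(review): the SessionEntry is rebuilt from bytes carried in the reply, and
     * send_request later takes its effective policy and session key from it. Confirm that this
     * private context can only be produced by the local filter and not by the remote peer.
     *
     * @param clientRequestInfo the request whose reply is being intercepted
     * @throws ForwardRequest declared by the interception point; may come from receive_other_local
     * @throws INTERNAL if the private service context cannot be turned into a SessionEntry; the
     *     original exception is attached as the cause
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase
    public void receive_other(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "receive_other");
        }
        if (tc.isDebugEnabled()) {
            entry(clientRequestInfo);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "*** RECEIVE OTHER ***");
        }
        // The looked-up policy is not used; the call is kept in case the vault lookup has side
        // effects. The clear is what matters: it drops the per-request entry.
        this.myVault.get_effective_policy(clientRequestInfo.request_id());
        this.myVault.clear_effective_policy(clientRequestInfo.request_id());
        if (is_local_client_request(clientRequestInfo)) {
            receive_other_local(clientRequestInfo);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "receive_other");
                return;
            }
            return;
        }
        // The class name is computed and discarded; kept so the calls made stay the same.
        if (clientRequestInfo.effective_target() != null) {
            clientRequestInfo.effective_target().getClass().getName();
        }
        ServiceContext serviceContext = null;
        try {
            serviceContext = clientRequestInfo.get_reply_service_context(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID);
        } catch (BAD_PARAM e) {
            // BAD_PARAM is how a missing service context is reported here; it is not an error.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find SessionEntry service context", e);
            }
        }
        if (serviceContext != null) {
            try {
                SessionEntry sessionEntry = new SessionEntry(serviceContext.context_data);
                if (tc.isDebugEnabled()) {
                    // NOTE(review): the whole SessionEntry is written to trace; confirm its string
                    // form does not expose session keys or tokens.
                    Tr.debug(tc, "SessionEntry from private service context", sessionEntry);
                }
                // A freshly constructed object is never null, so the entry is stored unconditionally.
                ContextManagerFactory.getInstance().put(Integer.toString(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID), sessionEntry);
            } catch (Exception e2) {
                if (tc.isDebugEnabled()) {
                    // Fully qualified: the file imports org.omg.CORBA.Object, which would otherwise
                    // be the element type here and cannot hold an Exception.
                    Tr.debug(tc, "Found private context, but could not create session entry.", new java.lang.Object[]{e2});
                }
                // Attach the cause, as pre_init does, so the failure stays diagnosable.
                INTERNAL failure = new INTERNAL("Error creating SessionEntry from bytes.  Message: " + e2.getMessage());
                failure.initCause(e2);
                throw failure;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "receive_other");
        }
    }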

    /**
     * Hook invoked by receive_other when is_local_client_request reports a local request.
     * Intentionally a no-op in this class.
     *
     * @param clientRequestInfo the local request whose reply was received
     * @throws ForwardRequest never thrown by this empty implementation
     */
    public void receive_other_local(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
    }

    /**
     * Writes a one-line debug trace describing the request: its id, the class of the effective
     * target when there is one, and the operation name. Does nothing when debug trace is off.
     *
     * @param clientRequestInfo the request to describe
     */
    public void entry(ClientRequestInfo clientRequestInfo) {
        if (!tc.isDebugEnabled()) {
            return;
        }
        StringBuilder summary = new StringBuilder(100);
        summary.append("Request_id: ");
        summary.append(clientRequestInfo.request_id());
        summary.append(", ");
        Object target = clientRequestInfo.effective_target();
        if (target != null) {
            summary.append("class: ");
            summary.append(target.getClass().getName());
            summary.append(", ");
        }
        summary.append("operation: ");
        summary.append(clientRequestInfo.operation());
        // Trace state is checked again right before emitting, as the original did.
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, summary.toString());
        }
    }
}
