package com.google.gerrit.sshd;

import com.google.common.base.Preconditions;
import com.google.gerrit.common.FileUtil;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.PeerDaemonUser;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.config.SitePaths;
import com.google.inject.Inject;
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import org.apache.commons.codec.binary.Base64;
import org.apache.lucene.analysis.fa.PersianAnalyzer;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
import org.apache.sshd.server.session.ServerSession;
import org.eclipse.jgit.lib.Config;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/google/gerrit/sshd/DatabasePubKeyAuth.class */
public class DatabasePubKeyAuth implements PublickeyAuthenticator {
    private static final Logger log = LoggerFactory.getLogger(DatabasePubKeyAuth.class);
    private final SshKeyCacheImpl sshKeyCache;
    private final SshLog sshLog;
    private final IdentifiedUser.GenericFactory userFactory;
    private final PeerDaemonUser.Factory peerFactory;
    private final Config config;
    private final SshScope sshScope;
    private final Set<PublicKey> myHostKeys;
    private volatile PeerKeyCache peerKeyCache;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/gerrit/sshd/DatabasePubKeyAuth$PeerKeyCache.class */
    public static class PeerKeyCache {
        private final Path path;
        private final long modified;
        final Set<PublicKey> keys;

        PeerKeyCache(Path path) {
            this.path = path;
            this.modified = FileUtil.lastModified(path);
            this.keys = read(path);
        }

        private static Set<PublicKey> read(Path path) {
            try {
                BufferedReader newBufferedReader = Files.newBufferedReader(path, StandardCharsets.UTF_8);
                Throwable th = null;
                try {
                    HashSet hashSet = new HashSet();
                    while (true) {
                        String readLine = newBufferedReader.readLine();
                        if (readLine == null) {
                            break;
                        }
                        String trim = readLine.trim();
                        if (!trim.startsWith(PersianAnalyzer.STOPWORDS_COMMENT) && !trim.isEmpty()) {
                            try {
                                hashSet.add(new ByteArrayBuffer(Base64.decodeBase64(trim.getBytes(StandardCharsets.ISO_8859_1))).getRawPublicKey());
                            } catch (RuntimeException | SshException e) {
                                logBadKey(path, trim, e);
                            }
                        }
                    }
                    Set<PublicKey> unmodifiableSet = Collections.unmodifiableSet(hashSet);
                    if (newBufferedReader != null) {
                        if (0 != 0) {
                            try {
                                newBufferedReader.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newBufferedReader.close();
                        }
                    }
                    return unmodifiableSet;
                } finally {
                }
            } catch (NoSuchFileException e2) {
                return Collections.emptySet();
            } catch (IOException e3) {
                DatabasePubKeyAuth.log.error("Cannot read " + path, (Throwable) e3);
                return Collections.emptySet();
            }
        }

        private static void logBadKey(Path path, String str, Exception exc) {
            DatabasePubKeyAuth.log.warn("Invalid key in " + path + ":\n  " + str, (Throwable) exc);
        }

        boolean isCurrent() {
            return this.modified == FileUtil.lastModified(this.path);
        }

        PeerKeyCache reload() {
            return new PeerKeyCache(this.path);
        }
    }

    @Inject
    DatabasePubKeyAuth(SshKeyCacheImpl sshKeyCacheImpl, SshLog sshLog, IdentifiedUser.GenericFactory genericFactory, PeerDaemonUser.Factory factory, SitePaths sitePaths, KeyPairProvider keyPairProvider, @GerritServerConfig Config config, SshScope sshScope) {
        this.sshKeyCache = sshKeyCacheImpl;
        this.sshLog = sshLog;
        this.userFactory = genericFactory;
        this.peerFactory = factory;
        this.config = config;
        this.sshScope = sshScope;
        this.myHostKeys = myHostKeys(keyPairProvider);
        this.peerKeyCache = new PeerKeyCache(sitePaths.peer_keys);
    }

    private static Set<PublicKey> myHostKeys(KeyPairProvider keyPairProvider) {
        HashSet hashSet = new HashSet(2);
        addPublicKey(hashSet, keyPairProvider, KeyPairProvider.SSH_RSA);
        addPublicKey(hashSet, keyPairProvider, KeyPairProvider.SSH_DSS);
        return hashSet;
    }

    private static void addPublicKey(Collection<PublicKey> collection, KeyPairProvider keyPairProvider, String str) {
        KeyPair loadKey = keyPairProvider.loadKey(str);
        if (loadKey == null || loadKey.getPublic() == null) {
            return;
        }
        collection.add(loadKey.getPublic());
    }

    @Override // org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator
    public boolean authenticate(String str, PublicKey publicKey, ServerSession serverSession) {
        SshSession sshSession = (SshSession) serverSession.getAttribute(SshSession.KEY);
        Preconditions.checkState(sshSession.getUser() == null);
        if ("Gerrit Code Review".equals(str)) {
            if (this.myHostKeys.contains(publicKey) || getPeerKeys().contains(publicKey)) {
                return SshUtil.success(str, serverSession, this.sshScope, this.sshLog, sshSession, this.peerFactory.create(sshSession.getRemoteAddress()));
            }
            sshSession.authenticationError(str, "no-matching-key");
            return false;
        }
        if (this.config.getBoolean("auth", "userNameToLowerCase", false)) {
            str = str.toLowerCase(Locale.US);
        }
        Iterable<SshKeyCacheEntry> iterable = this.sshKeyCache.get(str);
        SshKeyCacheEntry find = find(iterable, publicKey);
        if (find == null) {
            sshSession.authenticationError(str, iterable == SshKeyCacheImpl.NO_SUCH_USER ? "user-not-found" : iterable == SshKeyCacheImpl.NO_KEYS ? "key-list-empty" : "no-matching-key");
            return false;
        }
        Iterator<SshKeyCacheEntry> it = iterable.iterator();
        while (it.hasNext()) {
            if (!find.getAccount().equals(it.next().getAccount())) {
                sshSession.authenticationError(str, "keys-cross-accounts");
                return false;
            }
        }
        IdentifiedUser createUser = SshUtil.createUser(sshSession, this.userFactory, find.getAccount());
        if (createUser.getAccount().isActive()) {
            return SshUtil.success(str, serverSession, this.sshScope, this.sshLog, sshSession, createUser);
        }
        sshSession.authenticationError(str, "inactive-account");
        return false;
    }

    private Set<PublicKey> getPeerKeys() {
        PeerKeyCache peerKeyCache = this.peerKeyCache;
        if (!peerKeyCache.isCurrent()) {
            peerKeyCache = peerKeyCache.reload();
            this.peerKeyCache = peerKeyCache;
        }
        return peerKeyCache.keys;
    }

    private SshKeyCacheEntry find(Iterable<SshKeyCacheEntry> iterable, PublicKey publicKey) {
        for (SshKeyCacheEntry sshKeyCacheEntry : iterable) {
            if (sshKeyCacheEntry.match(publicKey)) {
                return sshKeyCacheEntry;
            }
        }
        return null;
    }
}
