package de.rcenvironment.core.embedded.ssh.internal;

import de.rcenvironment.core.configuration.bootstrap.RuntimeDetection;
import de.rcenvironment.core.embedded.ssh.api.SshAccount;
import de.rcenvironment.core.embedded.ssh.api.TemporarySshAccount;
import de.rcenvironment.core.embedded.ssh.api.TemporarySshAccountControl;
import de.rcenvironment.core.utils.common.StringUtils;
import de.rcenvironment.core.utils.common.TempFileServiceAccess;
import de.rcenvironment.core.utils.common.exception.OperationFailureException;
import java.io.IOException;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.List;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.regex.PatternSyntaxException;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.sshd.common.session.Session;
import org.apache.sshd.server.auth.password.PasswordAuthenticator;
import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
import org.apache.sshd.server.session.ServerSession;
import org.mindrot.jbcrypt.BCrypt;

/* loaded from: input_file:de/rcenvironment/core/embedded/ssh/internal/SshAuthenticationManager.class */
public class SshAuthenticationManager implements PasswordAuthenticator, TemporarySshAccountControl, PublickeyAuthenticator {
    private static final String REFUSAL_REASON_UNDEFINED = "<undefined>";
    private static final String REFUSAL_REASON_EMPTY_LOGIN_NAME = "empty login name";
    private static final String REFUSAL_REASON_INVALID_ACCOUNT = "invalid account";
    private static final String REFUSAL_REASON_EMPTY_PASSWORD = "empty password";
    private static final String REFUSAL_REASON_WRONG_PASSWORD = "wrong password";
    private static final String REFUSAL_REASON_NO_MATCHING_KEY = "no matching key";
    private static final String EVENT_LOG_VALUE_AUTH_METHOD_PASSWORD = "password";
    private static final String EVENT_LOG_VALUE_AUTH_METHOD_PUBLIC_KEY = "publickey";
    private final SshConfiguration configuration;
    private final IncomingSessionTracker<Session> sessionTracker;
    private final int numAllowedLoginAttempts;
    private List<TemporarySshAccount> temporaryAccounts;
    private final Log log = LogFactory.getLog(getClass());

    public SshAuthenticationManager(SshConfiguration sshConfiguration, IncomingSessionTracker<Session> incomingSessionTracker, int i) {
        this.configuration = sshConfiguration;
        this.sessionTracker = incomingSessionTracker;
        this.numAllowedLoginAttempts = i;
    }

    public boolean authenticate(String str, String str2, ServerSession serverSession) {
        boolean z = false;
        String str3 = REFUSAL_REASON_UNDEFINED;
        if (str2 == null || str2.isEmpty()) {
            str3 = REFUSAL_REASON_EMPTY_PASSWORD;
        } else if (str == null || str.isEmpty()) {
            str3 = REFUSAL_REASON_EMPTY_LOGIN_NAME;
        } else if (str.startsWith(SshConstants.TEMP_USER_PREFIX)) {
            str3 = "unsupported temp user";
        } else {
            SshAccount accountByName = this.configuration.getAccountByName(str, false);
            if (accountByName == null) {
                str3 = REFUSAL_REASON_INVALID_ACCOUNT;
            } else if (checkPassword(accountByName, str2)) {
                z = true;
            } else {
                str3 = REFUSAL_REASON_WRONG_PASSWORD;
            }
        }
        registerAuthResult(serverSession, str, EVENT_LOG_VALUE_AUTH_METHOD_PASSWORD, z, str3);
        if (!z && serverSession != null && this.sessionTracker != null) {
            closeConnectionIfAuthAttemptsExceeded(serverSession);
        }
        return z;
    }

    public boolean authenticate(String str, PublicKey publicKey, ServerSession serverSession) {
        boolean z = false;
        String str2 = REFUSAL_REASON_UNDEFINED;
        if (str == null || str.isEmpty()) {
            str2 = REFUSAL_REASON_EMPTY_LOGIN_NAME;
        } else {
            SshAccount accountByName = this.configuration.getAccountByName(str, false);
            if (accountByName != null) {
                PublicKey publicKeyObj = accountByName.getPublicKeyObj();
                if (publicKeyObj != null) {
                    z = Arrays.equals(publicKey.getEncoded(), publicKeyObj.getEncoded());
                }
                if (!z) {
                    str2 = REFUSAL_REASON_NO_MATCHING_KEY;
                }
            } else {
                str2 = REFUSAL_REASON_INVALID_ACCOUNT;
            }
        }
        if (serverSession != null) {
            registerAuthResult(serverSession, str, EVENT_LOG_VALUE_AUTH_METHOD_PUBLIC_KEY, z, str2);
        } else if (!RuntimeDetection.isTestEnvironment()) {
            throw new IllegalStateException("SSH session is null while apparently not in a test context");
        }
        if (!z && serverSession != null && this.sessionTracker != null) {
            closeConnectionIfAuthAttemptsExceeded(serverSession);
        }
        return z;
    }

    private void registerAuthResult(ServerSession serverSession, String str, String str2, boolean z, String str3) {
        if (serverSession == null || this.sessionTracker == null) {
            if (!RuntimeDetection.isTestEnvironment()) {
                throw new IllegalStateException("SSH session or session tracker null (" + serverSession + "/" + this.sessionTracker + ") while apparently outside of a test context");
            }
            return;
        }
        try {
            if (z) {
                this.sessionTracker.forSession(serverSession).registerAuthenticationSuccess(str, str2);
            } else {
                this.sessionTracker.forSession(serverSession).registerAuthenticationFailure(str, str2, str3);
            }
        } catch (OperationFailureException e) {
            this.log.warn("Failed to log authentication result (success=" + z + "): " + e.getMessage());
        }
    }

    private void closeConnectionIfAuthAttemptsExceeded(ServerSession serverSession) {
        String obj = serverSession.toString();
        try {
            int authenticationFailureCount = this.sessionTracker.forSession(serverSession).getAuthenticationFailureCount();
            if (authenticationFailureCount >= this.numAllowedLoginAttempts) {
                this.log.debug("Closing incoming SSH connection " + obj + " after " + authenticationFailureCount + " failed authentication attempts");
                try {
                    serverSession.close();
                } catch (IOException e) {
                    this.log.error("Failed to close", e);
                }
            }
        } catch (OperationFailureException unused) {
            this.log.warn("Failed to query incoming SSH session " + obj + " for its login failure count; this is possible, but unusual in normal operation");
        }
    }

    public boolean isAllowedToExecuteConsoleCommand(String str, String str2) {
        boolean z = false;
        SshAccountRole roleForUser = getRoleForUser(str);
        if (roleForUser != null) {
            try {
                boolean matches = str2.matches(roleForUser.getAllowedCommandRegEx());
                boolean matches2 = str2.matches(roleForUser.getDisallowedCommandRegEx());
                if (matches && !matches2) {
                    z = true;
                }
            } catch (PatternSyntaxException unused) {
                this.log.error("Could not verify if user " + str + " is allowed to execute command " + str2 + ". Probable cause: The allowed commands pattern is invalid.");
            }
        }
        return z;
    }

    public boolean isAllowedToUseScpDestination(String str, String str2) {
        boolean z = false;
        TemporarySshAccount temporaryAccountByName = getTemporaryAccountByName(str);
        if (temporaryAccountByName != null) {
            z = (str2 == null || !str2.startsWith(temporaryAccountByName.getVirtualScpRootPath()) || str2.contains("../") || str2.contains("..\\")) ? false : true;
        }
        return z;
    }

    public boolean isAllowedToOpenShell(String str) {
        return getRoleForUser(str).isAllowedToOpenShell();
    }

    public boolean isAllowedToUseUplink(String str) {
        return getRoleForUser(str).isAllowedToUseUplink();
    }

    @Deprecated
    public boolean isTemporaryAccountName(String str) {
        return getTemporaryAccountByName(str) != null;
    }

    private SshAccountRole getRoleForUser(String str) {
        SshAccount accountByName = this.configuration.getAccountByName(str, true);
        SshAccountRole sshAccountRole = null;
        if (accountByName != null) {
            sshAccountRole = this.configuration.getRoleByName(accountByName.getRole());
        }
        return sshAccountRole;
    }

    public SshAccount getAccountByLoginName(String str, boolean z) {
        return this.configuration.getAccountByName(str, z);
    }

    public SortedMap<String, SshAccount> getStaticAccountsByLoginName() {
        TreeMap treeMap = new TreeMap();
        for (SshAccountImpl sshAccountImpl : this.configuration.getStaticAccounts()) {
            treeMap.put(sshAccountImpl.getLoginName(), sshAccountImpl);
        }
        return treeMap;
    }

    @Deprecated
    public TemporarySshAccount getTemporaryAccountByName(String str) {
        TemporarySshAccount temporarySshAccount = null;
        if (this.temporaryAccounts != null) {
            for (TemporarySshAccount temporarySshAccount2 : this.temporaryAccounts) {
                if (temporarySshAccount2.getLoginName().equals(str)) {
                    temporarySshAccount = temporarySshAccount2;
                }
            }
        }
        return temporarySshAccount;
    }

    @Deprecated
    public List<TemporarySshAccount> getTemporaryAccounts() {
        return this.temporaryAccounts;
    }

    @Deprecated
    public void setTemporaryAccounts(List<TemporarySshAccount> list) {
        this.temporaryAccounts = list;
    }

    @Override // de.rcenvironment.core.embedded.ssh.api.TemporarySshAccountControl
    @Deprecated
    public TemporarySshAccount createTemporarySshAccount() {
        if (this.temporaryAccounts == null) {
            this.temporaryAccounts = new CopyOnWriteArrayList();
        }
        TemporarySshAccountImpl temporarySshAccountImpl = new TemporarySshAccountImpl();
        String randomAlphanumeric = RandomStringUtils.randomAlphanumeric(6);
        String str = SshConstants.TEMP_USER_PREFIX + randomAlphanumeric;
        temporarySshAccountImpl.setLoginName(str);
        temporarySshAccountImpl.setPassword(RandomStringUtils.randomAlphanumeric(6));
        temporarySshAccountImpl.setVirtualScpRootPath("/temp/" + str);
        try {
            temporarySshAccountImpl.setLocalScpRootPath(TempFileServiceAccess.getInstance().createManagedTempDir("temp-scp-" + randomAlphanumeric));
            this.log.debug(StringUtils.format("Created temporary SCP account '%s' with virtual SCP path '%s' mapped to local path '%s'", new Object[]{temporarySshAccountImpl.getLoginName(), temporarySshAccountImpl.getVirtualScpRootPath(), temporarySshAccountImpl.getLocalScpRootPath().getAbsolutePath()}));
            this.temporaryAccounts.add(temporarySshAccountImpl);
            return temporarySshAccountImpl;
        } catch (IOException e) {
            throw new RuntimeException("Failed to create temporary SCP directory", e);
        }
    }

    @Override // de.rcenvironment.core.embedded.ssh.api.TemporarySshAccountControl
    @Deprecated
    public void discardTemporarySshAccount(String str) {
        for (int i = 0; i < this.temporaryAccounts.size(); i++) {
            if (this.temporaryAccounts.get(i).getLoginName().equals(str)) {
                this.temporaryAccounts.remove(i);
            }
        }
    }

    private boolean checkPassword(SshAccount sshAccount, String str) {
        if (sshAccount.getPasswordHash() != null) {
            boolean checkpw = BCrypt.checkpw(str, sshAccount.getPasswordHash());
            this.log.debug(StringUtils.format("Used password hash to check login attempt for user \"%s\" - accepted = %s", new Object[]{sshAccount.getLoginName(), Boolean.valueOf(checkpw)}));
            return checkpw;
        }
        if (sshAccount.getPassword() == null) {
            this.log.error("Consistency error: SSH login attempt with a password for user \"" + sshAccount.getLoginName() + "\", but the local account has neither a clear-text nor a hashed password");
            return false;
        }
        boolean equals = sshAccount.getPassword().equals(str);
        this.log.warn(StringUtils.format("Used clear-text password to check login attempt for user \"%s\" - accepted = %s", new Object[]{sshAccount.getLoginName(), Boolean.valueOf(equals)}));
        return equals;
    }
}
