package com.atlassian.bitbucket.internal.mirroring.mirror.scm.ssh;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.mirror.InternalUpstreamServer;
import com.atlassian.bitbucket.internal.mirroring.mirror.InternalUpstreamService;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorDescriptionUtils;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirroringConfig;
import com.atlassian.bitbucket.internal.mirroring.mirror.ModuleHelper;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationFailureException;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthorisationException;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.UpstreamAuthenticatorFactory;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.CloudAuthenticatedSshUser;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.RepositoryMappingDao;
import com.atlassian.bitbucket.mirroring.mirror.IntegrationState;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServer;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServerType;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.scm.ssh.SshScmRequest;
import com.atlassian.bitbucket.scm.ssh.SshScmRequestContext;
import com.atlassian.bitbucket.scm.ssh.SshScmRequestHandler;
import com.atlassian.bitbucket.scm.ssh.SshScmRequestHandlerModuleDescriptor;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.plugin.PluginAccessor;
import java.io.IOException;
import java.io.OutputStream;
import java.security.PublicKey;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-6.0.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/scm/ssh/CloudAuthenticatingSshScmRequestHandler.class */
public class CloudAuthenticatingSshScmRequestHandler implements SshScmRequestHandler {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CloudAuthenticatingSshScmRequestHandler.class);
    private final AuthenticationContext authenticationContext;
    private final UpstreamAuthenticatorFactory authenticatorFactory;
    private final MirroringConfig config;
    private final I18nService i18nService;
    private final InternalUpstreamService upstreamService;
    private final PluginAccessor pluginAccessor;
    private final SecurityService securityService;
    private final RepositoryMappingDao repositoryMapping;

    CloudAuthenticatingSshScmRequestHandler(AuthenticationContext authenticationContext, UpstreamAuthenticatorFactory upstreamAuthenticatorFactory, MirroringConfig mirroringConfig, I18nService i18nService, InternalUpstreamService internalUpstreamService, PluginAccessor pluginAccessor, SecurityService securityService, RepositoryMappingDao repositoryMappingDao) {
        this.authenticationContext = authenticationContext;
        this.authenticatorFactory = upstreamAuthenticatorFactory;
        this.config = mirroringConfig;
        this.i18nService = i18nService;
        this.upstreamService = internalUpstreamService;
        this.pluginAccessor = pluginAccessor;
        this.securityService = securityService;
        this.repositoryMapping = repositoryMappingDao;
    }

    @Override // com.atlassian.bitbucket.scm.ssh.SshScmRequestHandler
    @Nonnull
    public Optional<SshScmRequest> create(@Nonnull SshScmRequestContext sshScmRequestContext) {
        String command = ((SshScmRequestContext) Objects.requireNonNull(sshScmRequestContext)).getCommand();
        if (!this.upstreamService.isMirror()) {
            log.error("Delegated SSH authentication attempted for command {} but this is not a mirror", command);
            return Optional.empty();
        }
        InternalUpstreamServer internalUpstreamServer = this.upstreamService.get();
        if (internalUpstreamServer == null) {
            log.error("Delegated SSH authentication attempted for command {} but there is no upstream server registered", command);
            return Optional.empty();
        }
        String describe = MirrorDescriptionUtils.describe(internalUpstreamServer);
        if (!isSupported(internalUpstreamServer)) {
            log.debug("{}: not proceeding with SSH auth delegation. Upstream server is not supported", describe);
            return Optional.empty();
        }
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        if (!(currentUser instanceof CloudAuthenticatedSshUser)) {
            Logger logger = log;
            Object[] objArr = new Object[3];
            objArr[0] = describe;
            objArr[1] = CloudAuthenticatedSshUser.class;
            objArr[2] = currentUser == null ? null : currentUser.getClass();
            logger.debug("{}: not proceeding with SSH auth delegation. Unexpected user type. (Expected: {}, but was: {})", objArr);
            return Optional.empty();
        }
        log.trace("{}: creating delegate SCM request for command {}", describe, command);
        Optional<SshScmRequest> optional = (Optional) this.securityService.withPermission(Permission.REPO_READ, "Create SshScmRequest for delegated auth").call(() -> {
            return getHandler(command).flatMap(sshScmRequestHandler -> {
                return sshScmRequestHandler.create(sshScmRequestContext);
            });
        });
        if (optional.isPresent()) {
            Repository repository = (Repository) this.securityService.withPermission(Permission.REPO_READ, "Repo info for delegated auth").call(() -> {
                return ((SshScmRequest) optional.get()).getRepository();
            });
            PublicKey publicKey = ((CloudAuthenticatedSshUser) CloudAuthenticatedSshUser.class.cast(currentUser)).getPublicKey();
            String externalSlugByLocalId = this.repositoryMapping.getExternalSlugByLocalId(repository.getId());
            if (externalSlugByLocalId == null) {
                log.error("{}: unable to find mapping for local repository {}", describe, repository);
                return Optional.empty();
            }
            log.trace("{}: performing delegated SSH authentication using {}", describe, externalSlugByLocalId);
            try {
                this.authenticatorFactory.createForCloud(internalUpstreamServer).checkRepositoryReadAccess(repository, externalSlugByLocalId, publicKey);
                log.trace("{}: delegated authorisation against repository {} successful for public key {} - user has read privileges on the upstream repository", describe, repository, publicKey);
                this.securityService.withPermission(Permission.REPO_READ, repository, "Successful auth delegation").withPermission(Permission.LICENSED_USER).applyToRequest();
            } catch (DelegatedAuthenticationFailureException e) {
                log.debug("{}: delegated authorisation failed against repository {} for public key {} - key not recognised on upstream", describe, repository, publicKey);
                throw new DelegatedAuthorisationException(this.i18nService.createKeyedMessage("bitbucket.mirroring.operation.not.permitted", new Object[0]), e);
            } catch (DelegatedAuthorisationException e2) {
                log.debug("{}: delegated authorisation failed against repository {} for public key {} - user lacks privileges on upstream", describe, repository, publicKey);
                try {
                    OutputStream stderr = sshScmRequestContext.getStderr();
                    stderr.write("Permission denied (publickey).".getBytes());
                    stderr.write(10);
                    stderr.flush();
                } catch (IOException e3) {
                    log.error("{}: Failed to write authorization failure to client.", describe, e3);
                }
                return Optional.of(new NoOpSshScmRequest(sshScmRequestContext.getExitCodeCallback(), repository));
            }
        } else {
            log.warn("{}: command not recognized. Denying execution and not performing delegated SSH authentication. (Command: {})", command);
        }
        return optional;
    }

    @Override // com.atlassian.bitbucket.scm.ssh.SshScmRequestHandler
    public boolean supports(@Nonnull String str) {
        Objects.requireNonNull(str, "command");
        if (isSupported(this.upstreamService.get())) {
            return ModuleHelper.getSortedModulesAfter(this.pluginAccessor, SshScmRequestHandlerModuleDescriptor.class, this).anyMatch(sshScmRequestHandler -> {
                return sshScmRequestHandler.supports(str);
            });
        }
        return false;
    }

    private Optional<SshScmRequestHandler> getHandler(String str) {
        return ModuleHelper.getSortedModulesAfter(this.pluginAccessor, SshScmRequestHandlerModuleDescriptor.class, this).filter(sshScmRequestHandler -> {
            return sshScmRequestHandler.supports(str);
        }).findFirst();
    }

    private boolean isSupported(UpstreamServer upstreamServer) {
        return upstreamServer != null && upstreamServer.getType() == UpstreamServerType.BITBUCKET_CLOUD && (upstreamServer.getState() == IntegrationState.INSTALLED || (upstreamServer.getState() == IntegrationState.UNKNOWN && this.config.isAuthCachingEnabled()));
    }
}
