package com.atlassian.bitbucket.internal.mirroring.upstream.ssh;

import com.atlassian.bitbucket.AuthorisationException;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.MirroringConstants;
import com.atlassian.bitbucket.internal.mirroring.upstream.InternalMirrorService;
import com.atlassian.bitbucket.internal.mirroring.upstream.UpstreamConstants;
import com.atlassian.bitbucket.mirroring.upstream.MirrorServer;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.bitbucket.server.FeatureManager;
import com.atlassian.bitbucket.server.StandardFeature;
import com.atlassian.bitbucket.ssh.command.SshCommand;
import com.atlassian.bitbucket.ssh.command.SshCommandContext;
import com.atlassian.bitbucket.ssh.command.SshCommandFactory;
import com.atlassian.bitbucket.ssh.command.SshCommandFactoryModuleDescriptor;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.EscalatedSecurityContext;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.util.ModuleDescriptorUtils;
import com.atlassian.plugin.PluginAccessor;
import io.atlassian.fugue.Pair;
import java.io.IOException;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-upstream-6.0.0.jar:com/atlassian/bitbucket/internal/mirroring/upstream/ssh/ProxiedSshCommandFactory.class */
public class ProxiedSshCommandFactory implements SshCommandFactory {
    private static final Pattern PROXY_COMMAND_PATTERN = Pattern.compile("proxy\\s(\\d+)\\s((\\S+)(?:\\s+\\S+.*|$))");
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ProxiedSshCommandFactory.class);
    private final AuthenticationContext authenticationContext;
    private final I18nService i18nService;
    private final FeatureManager featureManager;
    private final InternalMirrorService mirrorService;
    private final PluginAccessor pluginAccessor;
    private final ApplicationPropertiesService propertiesService;
    private final SecurityService securityService;
    private final UserService userService;

    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-upstream-6.0.0.jar:com/atlassian/bitbucket/internal/mirroring/upstream/ssh/ProxiedSshCommandFactory$RunAsCommand.class */
    private static class RunAsCommand implements SshCommand {
        private final SshCommand delegate;
        private final EscalatedSecurityContext securityContext;

        private RunAsCommand(SshCommand sshCommand, EscalatedSecurityContext escalatedSecurityContext) {
            this.delegate = sshCommand;
            this.securityContext = escalatedSecurityContext;
        }

        @Override // com.atlassian.bitbucket.ssh.command.SshCommand
        public void cancel() {
            this.securityContext.call(() -> {
                this.delegate.cancel();
                return null;
            });
        }

        @Override // com.atlassian.bitbucket.ssh.command.SshCommand
        public int run() throws IOException {
            EscalatedSecurityContext escalatedSecurityContext = this.securityContext;
            SshCommand sshCommand = this.delegate;
            sshCommand.getClass();
            return ((Integer) escalatedSecurityContext.call(sshCommand::run)).intValue();
        }
    }

    public ProxiedSshCommandFactory(@Nonnull AuthenticationContext authenticationContext, @Nonnull FeatureManager featureManager, @Nonnull InternalMirrorService internalMirrorService, @Nonnull I18nService i18nService, @Nonnull PluginAccessor pluginAccessor, @Nonnull ApplicationPropertiesService applicationPropertiesService, @Nonnull SecurityService securityService, @Nonnull UserService userService) {
        this.authenticationContext = authenticationContext;
        this.featureManager = featureManager;
        this.mirrorService = internalMirrorService;
        this.i18nService = i18nService;
        this.pluginAccessor = pluginAccessor;
        this.propertiesService = applicationPropertiesService;
        this.securityService = securityService;
        this.userService = userService;
    }

    @Override // com.atlassian.bitbucket.ssh.command.SshCommandFactory
    @Nonnull
    public Optional<SshCommand> create(@Nonnull SshCommandContext sshCommandContext) {
        String command = sshCommandContext.getCommand();
        return parseProxyCommand(command).flatMap(pair -> {
            log.debug("Proxied SSH command received: \"{}\"", command);
            Matcher matcher = (Matcher) pair.left();
            SshCommandFactory sshCommandFactory = (SshCommandFactory) pair.right();
            int parseInt = Integer.parseInt(matcher.group(1));
            String group = matcher.group(2);
            MirrorServer forUser = this.mirrorService.getForUser(this.authenticationContext.getCurrentUser());
            if (forUser == null || !forUser.isEnabled()) {
                String name = this.authenticationContext.getCurrentUser() == null ? "<anonymous>" : this.authenticationContext.getCurrentUser().getName();
                log.warn("Invalid attempt by user \"{}\" to proxy user with id {} for SSH command \"{}\" - user \"{}\" does not correspond to a service user for an active mirror", name, Integer.valueOf(parseInt), command, name);
                throw new AuthorisationException(this.i18nService.createKeyedMessage("bitbucket.mirroring.authentication.ssh.proxy.permission.denied", new Object[0]));
            }
            ApplicationUser userById = this.userService.getUserById(parseInt);
            if (userById == null) {
                log.warn("Invalid attempt by mirror {} to proxy user with id {} for SSH command \"{}\" - this user is inactive or does not exist", describe(forUser), Integer.valueOf(parseInt), group);
                return Optional.empty();
            }
            String name2 = userById.getName();
            EscalatedSecurityContext impersonating = this.securityService.impersonating(userById, String.format("Creating/running SSH command proxied by mirror %s for user \"%s\": \"%s\"", describe(forUser), name2, group));
            SshCommand sshCommand = (SshCommand) impersonating.call(() -> {
                return sshCommandFactory.create(new SshCommandContext.Builder(group, sshCommandContext.getStdin(), sshCommandContext.getStdout(), sshCommandContext.getStderr()).build()).orElse(null);
            });
            if (sshCommand == null) {
                log.error("Error while allowing mirror {} to proxy user \"{}\" for SSH command \"{}\" - failed to create SSH command", describe(forUser), name2, group);
                return Optional.empty();
            }
            log.debug("Executing SSH command proxied by mirror {} for user \"{}\": \"{}\"", describe(forUser), name2, group);
            return Optional.of(new RunAsCommand(sshCommand, impersonating));
        });
    }

    @Override // com.atlassian.bitbucket.ssh.command.SshCommandFactory
    public boolean supports(@Nonnull String str) {
        return parseProxyCommand(str).isPresent();
    }

    private String describe(@Nonnull MirrorServer mirrorServer) {
        return "[" + mirrorServer.getBaseUrl() + "]#" + mirrorServer.getId();
    }

    private Optional<SshCommandFactory> getSupportingModuleFor(String str) {
        return ModuleDescriptorUtils.toSortedModules(this.pluginAccessor.getEnabledModuleDescriptorsByClass(SshCommandFactoryModuleDescriptor.class)).filter(sshCommandFactory -> {
            return sshCommandFactory.supports(str);
        }).findFirst();
    }

    private boolean isSupportedSshProxyCommand(String str) {
        return MirroringConstants.SUPPORTED_SSH_PROXY_COMMANDS.contains(str.toLowerCase(Locale.ROOT));
    }

    private Optional<Pair<Matcher, SshCommandFactory>> parseProxyCommand(@Nonnull String str) {
        if (!this.featureManager.isEnabled(StandardFeature.SMART_MIRRORS)) {
            log.debug("Mirroring has been disabled on this server. Unable to process proxy command \"{}\"", str);
            return Optional.empty();
        }
        if (!this.propertiesService.getPluginProperty(UpstreamConstants.PROPERTY_SSH_PROXYING_ENABLED, true)) {
            log.info("Accepting proxied write commands over SSH has been disabled on this upstream. Unable to process proxy command \"{}\"", str);
            return Optional.empty();
        }
        Matcher matcher = PROXY_COMMAND_PATTERN.matcher(str);
        if (!matcher.matches()) {
            return Optional.empty();
        }
        String group = matcher.group(2);
        if (!isSupportedSshProxyCommand(matcher.group(3))) {
            log.warn("Proxying of SSH command is unsupported: \"{}\"", group);
            return Optional.empty();
        }
        Optional<SshCommandFactory> supportingModuleFor = getSupportingModuleFor(group);
        if (supportingModuleFor.isPresent()) {
            return Optional.of(Pair.pair(matcher, supportingModuleFor.get()));
        }
        log.warn("No module found to support proxied SSH command: \"{}\"", group);
        return Optional.empty();
    }
}
