package com.atlassian.bitbucket.internal.mirroring.mirror.ssh;

import com.atlassian.bitbucket.AuthorisationException;
import com.atlassian.bitbucket.Product;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.MirroringConstants;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorDescriptionUtils;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorPushAnalyticsEvent;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirroringConfig;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.ServerSyncCredentials;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentialsManager;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.AoProjectMapping;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.AoRepositoryMapping;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.ProjectMappingDao;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.RepositoryMappingDao;
import com.atlassian.bitbucket.internal.mirroring.user.ApplicationUserWithPermissions;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServer;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServerType;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamService;
import com.atlassian.bitbucket.repository.NoSuchRepositoryException;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.RepositoryMovedException;
import com.atlassian.bitbucket.repository.RepositoryService;
import com.atlassian.bitbucket.scm.http.RepositoryUrlFragment;
import com.atlassian.bitbucket.ssh.SimpleSshKeyFingerprint;
import com.atlassian.bitbucket.ssh.SshKeyFingerprint;
import com.atlassian.bitbucket.ssh.command.SshCommand;
import com.atlassian.bitbucket.ssh.command.SshCommandContext;
import com.atlassian.bitbucket.ssh.command.SshCommandFactory;
import com.atlassian.bitbucket.ssh.util.KeyUtils;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.event.api.EventPublisher;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.net.URI;
import java.security.PublicKey;
import java.time.Duration;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.channel.ChannelExec;
import org.apache.sshd.client.channel.ClientChannelEvent;
import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
import org.apache.sshd.client.config.keys.ClientIdentityLoader;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.common.FactoryManager;
import org.apache.sshd.common.PropertyResolverUtils;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-6.0.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/ssh/ProxySshCommandFactory.class */
public class ProxySshCommandFactory implements SshCommandFactory {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ProxySshCommandFactory.class);
    private static final Pattern QUOTED_REPO = Pattern.compile("'([^']+)'");
    private final AuthenticationContext authenticationContext;
    private final EventPublisher eventPublisher;
    private final I18nService i18nService;
    private final MirroringConfig mirroringConfig;
    private final ProjectMappingDao projectMappingDao;
    private final RepositoryMappingDao repositoryMappingDao;
    private final RepositoryService repositoryService;
    private final UpstreamSshSettingService upstreamSshSettingService;
    private final SyncCredentialsManager syncCredentialsManager;
    private final UpstreamService upstreamService;

    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-6.0.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/ssh/ProxySshCommandFactory$ProxySshCommand.class */
    private class ProxySshCommand implements SshCommand {
        private static final int FAILURE_CODE = -1;
        private final String command;
        private final SshCommandContext context;
        private final ApplicationUser currentUser;
        private final UpstreamServer upstreamServer;
        private volatile ChannelExec channel;

        ProxySshCommand(@Nonnull SshCommandContext sshCommandContext, @Nonnull ApplicationUser applicationUser, @Nonnull UpstreamServer upstreamServer) {
            this.context = sshCommandContext;
            this.currentUser = applicationUser;
            this.upstreamServer = upstreamServer;
            this.command = sshCommandContext.getCommand();
        }

        @Override // com.atlassian.bitbucket.ssh.command.SshCommand
        public void cancel() {
            ChannelExec channelExec = this.channel;
            if (channelExec == null) {
                ProxySshCommandFactory.log.trace("Command \"{}\" was either not yet started or has already finished executing on upstream {} for user {}", this.command, MirrorDescriptionUtils.describe(this.upstreamServer), Integer.valueOf(this.currentUser.getId()));
                return;
            }
            ProxySshCommandFactory.log.debug("Cancelling command \"{}\" executing on upstream {} for user {}", this.command, MirrorDescriptionUtils.describe(this.upstreamServer), Integer.valueOf(this.currentUser.getId()));
            channelExec.close(true);
            this.channel = null;
        }

        @Override // com.atlassian.bitbucket.ssh.command.SshCommand
        public int run() throws IOException {
            ProxySshCommandFactory.log.debug("Running proxy command \"{}\"", this.command);
            ProxiedCommand translateToProxiedCommand = translateToProxiedCommand(this.command);
            if (isRepoWriteCommand(translateToProxiedCommand)) {
                ProxySshCommandFactory.this.eventPublisher.publish(new MirrorPushAnalyticsEvent(this, translateToProxiedCommand.getRepository()));
            }
            UpstreamSshSettings orElse = ProxySshCommandFactory.this.upstreamSshSettingService.getSshSettings(this.upstreamServer).orElse(null);
            if (orElse == null) {
                ProxySshCommandFactory.log.error("The upstream server {} does not expose its SSH configuration via REST which is required to proxy the command {}. Please consult your administrator about upgrading the upstream server to the version of the product this mirror is running", MirrorDescriptionUtils.describe(this.upstreamServer), this.command);
                return -1;
            }
            if (!orElse.isEnabled()) {
                ProxySshCommandFactory.log.info("The upstream {} has disabled SCM operations over SSH. The proxied command {} will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), this.command);
                return -1;
            }
            ServerSyncCredentials orRegisterUpstreamSshCreds = getOrRegisterUpstreamSshCreds();
            if (orRegisterUpstreamSshCreds == null) {
                return -1;
            }
            for (int i = 1; i <= 2; i++) {
                try {
                    SshClient buildSshClient = buildSshClient(orRegisterUpstreamSshCreds, orElse);
                    Throwable th = null;
                    try {
                        ClientSession buildSshSession = buildSshSession(buildSshClient, orElse, this.upstreamServer);
                        Throwable th2 = null;
                        if (buildSshSession == null) {
                            try {
                                try {
                                    ProxySshCommandFactory.log.error("Could not build ssh session to {} for command {} ", MirrorDescriptionUtils.describe(this.upstreamServer), this.command);
                                    if (buildSshSession != null) {
                                        if (0 != 0) {
                                            try {
                                                buildSshSession.close();
                                            } catch (Throwable th3) {
                                                th2.addSuppressed(th3);
                                            }
                                        } else {
                                            buildSshSession.close();
                                        }
                                    }
                                    return -1;
                                } finally {
                                }
                            } finally {
                            }
                        }
                        try {
                            this.channel = execute(buildSshSession, translateToProxiedCommand.toProxyCommand(this.currentUser));
                            Integer num = (Integer) Optional.ofNullable(this.channel.getExitStatus()).orElse(-1);
                            ProxySshCommandFactory.log.trace("Command \"{}\" completed with code {}", this.command, num);
                            int intValue = num.intValue();
                            ChannelExec channelExec = this.channel;
                            if (channelExec != null) {
                                channelExec.close(true);
                                this.channel = null;
                            }
                            if (buildSshSession != null) {
                                if (0 != 0) {
                                    try {
                                        buildSshSession.close();
                                    } catch (Throwable th4) {
                                        th2.addSuppressed(th4);
                                    }
                                } else {
                                    buildSshSession.close();
                                }
                            }
                            if (buildSshClient != null) {
                                if (0 != 0) {
                                    try {
                                        buildSshClient.close();
                                    } catch (Throwable th5) {
                                        th.addSuppressed(th5);
                                    }
                                } else {
                                    buildSshClient.close();
                                }
                            }
                            return intValue;
                        } finally {
                        }
                    } finally {
                        if (buildSshClient != null) {
                            if (0 != 0) {
                                try {
                                    buildSshClient.close();
                                } catch (Throwable th6) {
                                    th.addSuppressed(th6);
                                }
                            } else {
                                buildSshClient.close();
                            }
                        }
                    }
                } catch (SshException e) {
                    if (!isAuthenticationException(e)) {
                        throw e;
                    }
                    if (i != 1) {
                        ProxySshCommandFactory.log.error("Failure connecting and authenticating with the upstream {} via SSH. The proxied command will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), e);
                        return -1;
                    }
                    orRegisterUpstreamSshCreds = refreshSshCreds(orRegisterUpstreamSshCreds);
                    if (orRegisterUpstreamSshCreds == null) {
                        return -1;
                    }
                }
            }
            return -1;
        }

        private boolean isRepoWriteCommand(ProxiedCommand proxiedCommand) {
            return MirroringConstants.SUPPORTED_SSH_PROXY_SCM_WRITE_COMMANDS.contains(proxiedCommand.getFirstPart()) && proxiedCommand.getRepository() != null;
        }

        private SshClient buildSshClient(ServerSyncCredentials serverSyncCredentials, UpstreamSshSettings upstreamSshSettings) {
            try {
                SshClient upDefaultClient = SshClient.setUpDefaultClient();
                upDefaultClient.addPublicKeyIdentity(ClientIdentityLoader.DEFAULT.loadClientIdentity(serverSyncCredentials.getKeyFile().toAbsolutePath().toString(), FilePasswordProvider.EMPTY));
                if (!ProxySshCommandFactory.this.mirroringConfig.isSshProxyConfigParsed()) {
                    upDefaultClient.setHostConfigEntryResolver(HostConfigEntryResolver.EMPTY);
                }
                upDefaultClient.setServerKeyVerifier((clientSession, socketAddress, publicKey) -> {
                    return isMatchingFingerprint(upstreamSshSettings.getFingerprint(), publicKey);
                });
                PropertyResolverUtils.updateProperty(upDefaultClient, FactoryManager.IDLE_TIMEOUT, ProxySshCommandFactory.this.mirroringConfig.getSshProxyUpstreamIdleTimeout().toMillis());
                upDefaultClient.start();
                return upDefaultClient;
            } catch (Exception e) {
                ProxySshCommandFactory.log.error("Exception encountered constructing an SSH client for proxying SSH commands to upstream server {}. The proxied command will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), e);
                return null;
            }
        }

        @Nullable
        private ClientSession buildSshSession(SshClient sshClient, UpstreamSshSettings upstreamSshSettings, UpstreamServer upstreamServer) throws SshException {
            if (sshClient == null || upstreamSshSettings == null) {
                return null;
            }
            ClientSession clientSession = null;
            try {
                clientSession = connectSshSession(sshClient, upstreamSshSettings.getBaseUrl());
                clientSession.auth().verify(ProxySshCommandFactory.this.mirroringConfig.getSshProxyUpstreamAuthTimeout().toMillis());
                return clientSession;
            } catch (Exception e) {
                if (clientSession != null) {
                    try {
                        clientSession.close();
                    } catch (Exception e2) {
                    }
                }
                if (isAuthenticationException(e)) {
                    throw ((SshException) e);
                }
                ProxySshCommandFactory.log.error("Failure connecting and authenticating with the upstream {} via SSH. The proxied command will be rejected", MirrorDescriptionUtils.describe(upstreamServer), e);
                return null;
            }
        }

        private ClientSession connectSshSession(SshClient sshClient, String str) throws IOException {
            try {
                URI create = URI.create(str);
                String host = create.getHost();
                int port = create.getPort() == -1 ? 22 : create.getPort();
                Duration sshProxyUpstreamConnectionTimeout = ProxySshCommandFactory.this.mirroringConfig.getSshProxyUpstreamConnectionTimeout();
                if (host.contains("[") && host.contains("]")) {
                    host = host.replace("[", "").replace("]", "");
                }
                return sshClient.connect("git", host, port).verify(sshProxyUpstreamConnectionTimeout.toMillis()).getSession();
            } catch (Exception e) {
                ProxySshCommandFactory.log.error("Error connecting via SSH to upstream server {}. The proxied command will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), e);
                throw e;
            }
        }

        private ServerSyncCredentials getOrRegisterUpstreamSshCreds() {
            try {
                return ProxySshCommandFactory.this.syncCredentialsManager.getServerCredentials(this.upstreamServer.getId()).claim();
            } catch (RuntimeException e) {
                ProxySshCommandFactory.log.warn("Could not find valid local SSH credentials for upstream server {} and registration of new credentials failed. This SSH push command {} will not be proxied to the upstream and will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), this.command, e);
                return null;
            }
        }

        private boolean isAuthenticationException(Exception exc) {
            String message = exc.getMessage();
            return (exc instanceof SshException) && message != null && message.contains("authentication");
        }

        private ServerSyncCredentials refreshSshCreds(ServerSyncCredentials serverSyncCredentials) {
            try {
                return (ServerSyncCredentials) ProxySshCommandFactory.this.syncCredentialsManager.refresh(serverSyncCredentials).claim();
            } catch (RuntimeException e) {
                ProxySshCommandFactory.log.warn("Failed to refresh SSH credentials with upstream server {}. This SSH push command {} will not be proxied to the upstream and will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), this.command, e);
                return null;
            }
        }

        private ProxiedCommand translateToProxiedCommand(String str) {
            String[] split = str.trim().split("\\s+");
            Repository repository = null;
            if (split.length > 1) {
                Matcher matcher = ProxySshCommandFactory.QUOTED_REPO.matcher(split[1]);
                String group = matcher.matches() ? matcher.group(1) : split[1];
                RepositoryUrlFragment fromNamespacedPathInfo = RepositoryUrlFragment.fromNamespacedPathInfo(group);
                if (fromNamespacedPathInfo == null) {
                    ProxySshCommandFactory.log.debug("Unable to determine repository from reference \"{}\"", group);
                    throw throwInvalidRepositoryUrl(split[1]);
                }
                try {
                    repository = ProxySshCommandFactory.this.repositoryService.getBySlug(fromNamespacedPathInfo.getProjectNamespace(), fromNamespacedPathInfo.getProjectKey(), fromNamespacedPathInfo.getRepositorySlug());
                } catch (AuthorisationException e) {
                    ProxySshCommandFactory.log.debug("Repository for reference {} found but current user is not authorised to read it", fromNamespacedPathInfo);
                    throw e;
                } catch (RepositoryMovedException e2) {
                    repository = e2.getRepository();
                }
                if (repository == null) {
                    ProxySshCommandFactory.log.debug("Repository for reference {} not found", fromNamespacedPathInfo);
                    throw throwNoSuchRepository();
                }
                AoRepositoryMapping byLocalId = ProxySshCommandFactory.this.repositoryMappingDao.getByLocalId(repository.getId());
                if (byLocalId == null) {
                    ProxySshCommandFactory.log.debug("No upstream repository mapping for {}", repository);
                    throw throwNoSuchRepository();
                }
                AoProjectMapping byLocalId2 = ProxySshCommandFactory.this.projectMappingDao.getByLocalId(Integer.valueOf(repository.getProject().getId()));
                if (byLocalId2 == null) {
                    ProxySshCommandFactory.log.debug("No upstream project mapping for {}", repository.getProject());
                    throw throwNoSuchRepository();
                }
                split[1] = String.format(str.startsWith("git-lfs-") ? "%s/%s" : "'/%s/%s'", byLocalId2.getExternalKey(), byLocalId.getExternalSlug());
            }
            return new ProxiedCommand(split, repository);
        }

        private boolean isMatchingFingerprint(SshKeyFingerprint sshKeyFingerprint, PublicKey publicKey) {
            SimpleSshKeyFingerprint simpleSshKeyFingerprint = new SimpleSshKeyFingerprint(publicKey.getAlgorithm(), KeyUtils.calculateFingerprint(publicKey));
            if (simpleSshKeyFingerprint.equals(sshKeyFingerprint)) {
                ProxySshCommandFactory.log.trace("Upstream SSH fingerprint matches what was expected: {}", simpleSshKeyFingerprint);
                return true;
            }
            ProxySshCommandFactory.log.warn("The SSH fingerprint of upstream server {} does not match what was expected. Expected: {}, was: {}. This proxy command will be rejected", MirrorDescriptionUtils.describe(this.upstreamServer), sshKeyFingerprint, simpleSshKeyFingerprint);
            return false;
        }

        private ChannelExec execute(ClientSession clientSession, String str) throws IOException {
            Duration sshProxyUpstreamChannelTimeout = ProxySshCommandFactory.this.mirroringConfig.getSshProxyUpstreamChannelTimeout();
            Duration sshProxyUpstreamExecutionTimeout = ProxySshCommandFactory.this.mirroringConfig.getSshProxyUpstreamExecutionTimeout();
            ChannelExec createExecChannel = clientSession.createExecChannel(str);
            createExecChannel.setIn(this.context.getStdin());
            createExecChannel.setOut(this.context.getStdout());
            createExecChannel.setErr(this.context.getStderr());
            Map<String, String> environment = this.context.getEnvironment();
            createExecChannel.getClass();
            environment.forEach(createExecChannel::setEnv);
            createExecChannel.open().verify(sshProxyUpstreamChannelTimeout.toMillis());
            createExecChannel.waitFor(Sets.immutableEnumSet(ClientChannelEvent.CLOSED, new ClientChannelEvent[0]), sshProxyUpstreamExecutionTimeout.toMillis());
            return createExecChannel;
        }

        private NoSuchRepositoryException throwInvalidRepositoryUrl(@Nonnull String str) {
            throw new NoSuchRepositoryException(ProxySshCommandFactory.this.i18nService.createKeyedMessage("bitbucket.mirroring.scm.request.ssh.url.invalid.message", Product.NAME, str), null);
        }

        private NoSuchRepositoryException throwNoSuchRepository() {
            throw new NoSuchRepositoryException(ProxySshCommandFactory.this.i18nService.createKeyedMessage("bitbucket.mirroring.scm.request.not.available.detail", new Object[0]), null);
        }
    }

    public ProxySshCommandFactory(@Nonnull AuthenticationContext authenticationContext, @Nonnull EventPublisher eventPublisher, @Nonnull I18nService i18nService, @Nonnull MirroringConfig mirroringConfig, @Nonnull ProjectMappingDao projectMappingDao, @Nonnull RepositoryMappingDao repositoryMappingDao, @Nonnull RepositoryService repositoryService, @Nonnull UpstreamSshSettingService upstreamSshSettingService, @Nonnull SyncCredentialsManager syncCredentialsManager, @Nonnull UpstreamService upstreamService) {
        this.authenticationContext = authenticationContext;
        this.eventPublisher = eventPublisher;
        this.i18nService = i18nService;
        this.mirroringConfig = mirroringConfig;
        this.projectMappingDao = projectMappingDao;
        this.repositoryMappingDao = repositoryMappingDao;
        this.repositoryService = repositoryService;
        this.upstreamSshSettingService = upstreamSshSettingService;
        this.syncCredentialsManager = syncCredentialsManager;
        this.upstreamService = upstreamService;
    }

    @Override // com.atlassian.bitbucket.ssh.command.SshCommandFactory
    @Nonnull
    public Optional<SshCommand> create(@Nonnull SshCommandContext sshCommandContext) {
        return !supports(sshCommandContext.getCommand()) ? Optional.empty() : Optional.of(new ProxySshCommand(sshCommandContext, this.authenticationContext.getCurrentUser(), this.upstreamService.get()));
    }

    @Override // com.atlassian.bitbucket.ssh.command.SshCommandFactory
    public boolean supports(@Nonnull String str) {
        UpstreamServer upstreamServer = this.upstreamService.get();
        return this.mirroringConfig.isSshProxyEnabled() && isBitbucketServerMirror(upstreamServer) && isSupportedSshProxyCommand(str) && isCurrentUsersAuthDelegated() && isUpstreamSshStateKnownAndEnabled(upstreamServer);
    }

    private boolean isBitbucketServerMirror(UpstreamServer upstreamServer) {
        return upstreamServer != null && upstreamServer.getType() == UpstreamServerType.BITBUCKET_SERVER;
    }

    private boolean isCurrentUsersAuthDelegated() {
        return this.authenticationContext.getCurrentUser() instanceof ApplicationUserWithPermissions;
    }

    private boolean isSupportedSshProxyCommand(@Nonnull String str) {
        String[] split = str.toLowerCase(Locale.ROOT).split("\\s+");
        if (split.length > 0) {
            Stream<String> stream = MirroringConstants.SUPPORTED_SSH_PROXY_COMMANDS.stream();
            String str2 = split[0];
            str2.getClass();
            if (stream.anyMatch((v1) -> {
                return r1.equals(v1);
            })) {
                return true;
            }
        }
        return false;
    }

    private boolean isUpstreamSshStateKnownAndEnabled(UpstreamServer upstreamServer) {
        Optional<UpstreamSshSettings> sshSettings = this.upstreamSshSettingService.getSshSettings(upstreamServer);
        if (!sshSettings.isPresent()) {
            log.debug("The upstream server {} does not expose its SSH configuration via REST which is required to proxy this command. Please consult your administrator about upgrading the upstream server to the version of the product this mirror is running", MirrorDescriptionUtils.describe(upstreamServer));
            return false;
        }
        boolean isEnabled = sshSettings.get().isEnabled();
        if (!isEnabled) {
            log.debug("The upstream server {} has disabled SSH which is required to proxy this command. Please consult your administrator to enable this", MirrorDescriptionUtils.describe(upstreamServer));
        }
        return isEnabled;
    }
}
