package io.jenkins.cli.shaded.org.apache.sshd.server.auth.gss;

import io.jenkins.cli.shaded.org.apache.sshd.common.SshConstants;
import io.jenkins.cli.shaded.org.apache.sshd.common.SshException;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.NumberUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.Buffer;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import io.jenkins.cli.shaded.org.apache.sshd.server.auth.AbstractUserAuth;
import io.jenkins.cli.shaded.org.apache.sshd.server.session.ServerSession;
import io.jenkins.cli.shaded.org.ietf.jgss.GSSContext;
import io.jenkins.cli.shaded.org.ietf.jgss.GSSCredential;
import io.jenkins.cli.shaded.org.ietf.jgss.GSSException;
import io.jenkins.cli.shaded.org.ietf.jgss.GSSManager;
import io.jenkins.cli.shaded.org.ietf.jgss.MessageProp;
import io.jenkins.cli.shaded.org.ietf.jgss.Oid;
import java.util.Objects;

/* loaded from: input_file:WEB-INF/lib/cli-2.308-rc31436.16854fef0e01.jar:io/jenkins/cli/shaded/org/apache/sshd/server/auth/gss/UserAuthGSS.class */
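/**
 * Server-side handler for the SSH {@code gssapi-with-mic} user authentication method.
 *
 * <p>The exchange runs in three phases, all driven through {@link #doAuth(Buffer, boolean)}:
 * <ol>
 *   <li>the initial request, where the client offers a list of mechanism OIDs and the server
 *       selects Kerberos 5;</li>
 *   <li>one or more token round trips until the GSS context is established;</li>
 *   <li>verification of the MIC the client computes over the session id and the
 *       authentication request fields.</li>
 * </ol>
 *
 * <p>This class never compares the GSS source name with the requested username itself. That
 * decision is delegated to {@code GSSAuthenticator.validateInitialUser} and
 * {@code GSSAuthenticator.validateIdentity}, so the configured authenticator must enforce the
 * mapping between principal and account.
 */
public class UserAuthGSS extends AbstractUserAuth {
    public static final String NAME = "gssapi-with-mic";
    public static final Oid KRB5_MECH = createOID("1.2.840.113554.1.2.2");
    public static final Oid KRB5_NT_PRINCIPAL = createOID("1.2.840.113554.1.2.2.1");

    /** Upper bound on the client-supplied OID count; larger values are treated as malformed. */
    private static final int MAX_OID_COUNT = 32768;

    private GSSContext context;
    private String identity;

    public UserAuthGSS() {
        super(NAME);
    }

    /**
     * Processes one message of the GSS-API authentication exchange.
     *
     * @param buffer the incoming packet payload, positioned at the method-specific data
     * @param z      {@code true} for the initial authentication request, {@code false} for a
     *               follow-up message of an exchange already in progress
     * @return {@code Boolean.TRUE} on success, {@code Boolean.FALSE} on failure, or {@code null}
     *         when a reply was sent and another client message is expected
     * @throws Exception if the packet is malformed, arrives without a GSS context in place, or
     *                   the GSS layer or packet writer fails
     */
    @Override
    protected Boolean doAuth(Buffer buffer, boolean z) throws Exception {
        ServerSession session = getServerSession();
        GSSAuthenticator authenticator =
                Objects.requireNonNull(session.getGSSAuthenticator(), "No GSSAuthenticator configured");
        String username = getUsername();
        boolean debugEnabled = this.log.isDebugEnabled();

        if (z) {
            return handleInitialRequest(buffer, session, authenticator, username, debugEnabled);
        }

        int cmd = buffer.getUByte();
        // Fail closed with a protocol error if a follow-up message arrives while no context
        // exists (never created, or already released by destroy()); without this guard the
        // context dereferences below would surface as a NullPointerException.
        if (this.context == null) {
            throw new SshException(
                    SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
                    "No GSS context available for message: " + SshConstants.getCommandMessageName(cmd));
        }

        boolean tokenMessage = cmd == SshConstants.SSH_MSG_USERAUTH_INFO_RESPONSE;
        boolean micMessage = cmd == SshConstants.SSH_MSG_USERAUTH_GSSAPI_MIC;
        // A MIC is only meaningful once the context is established.
        if (!tokenMessage && !(micMessage && this.context.isEstablished())) {
            throw new SshException(
                    SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
                    "Packet not supported by user authentication method: " + SshConstants.getCommandMessageName(cmd));
        }
        if (debugEnabled) {
            this.log.debug("doAuth({}@{}) In krb5.next: msg = {}", username, session, SshConstants.getCommandMessageName(cmd));
        }

        if (!this.context.isEstablished()) {
            return acceptToken(buffer, session, authenticator, username, debugEnabled);
        }
        if (!micMessage) {
            // Context is complete, so another token message is not acceptable.
            return Boolean.FALSE;
        }
        return verifyMic(buffer, session, username, debugEnabled);
    }

    /** Parses the offered mechanism OIDs and starts a Kerberos 5 context if one is offered. */
    private Boolean handleInitialRequest(
            Buffer buffer, ServerSession session, GSSAuthenticator authenticator, String username, boolean debugEnabled)
            throws Exception {
        int oidCount = buffer.getInt();
        // The count comes straight from the client; bound it before looping on it.
        if (oidCount < 0 || oidCount > MAX_OID_COUNT) {
            this.log.error("doAuth({}@{}) Illogical OID entries count: {}", username, session, oidCount);
            throw new IndexOutOfBoundsException("Illogical OID entries count: " + oidCount);
        }

        boolean traceEnabled = this.log.isTraceEnabled();
        for (int index = 1; index <= oidCount; index++) {
            Oid offered = new Oid(buffer.getBytes());
            if (!offered.equals(KRB5_MECH)) {
                if (traceEnabled) {
                    this.log.trace("doAuth({}@{}) skip OID {}/{}: {}", username, session, index, oidCount, offered);
                }
                continue;
            }

            if (debugEnabled) {
                this.log.debug("doAuth({}@{}) found Kerberos 5 after {}/{} OID(s)", username, session, index, oidCount);
            }
            if (!authenticator.validateInitialUser(session, username)) {
                return Boolean.FALSE;
            }
            GSSManager manager = authenticator.getGSSManager();
            GSSCredential credential = authenticator.getGSSCredential(manager);
            if (credential == null) {
                return Boolean.FALSE;
            }

            this.context = manager.createContext(credential);
            // Echo the selected mechanism back to the client and wait for its first token.
            sendBytes(session, SshConstants.SSH_MSG_USERAUTH_INFO_REQUEST, offered.getDER());
            return null;
        }
        // No offered mechanism matched Kerberos 5.
        return Boolean.FALSE;
    }

    /** Feeds one client token into the GSS context and replies with the server token, if any. */
    private Boolean acceptToken(
            Buffer buffer, ServerSession session, GSSAuthenticator authenticator, String username, boolean debugEnabled)
            throws Exception {
        byte[] clientToken = buffer.getBytes();
        byte[] serverToken = this.context.acceptSecContext(clientToken, 0, clientToken.length);
        boolean established = this.context.isEstablished();

        if (established && this.identity == null) {
            this.identity = this.context.getSrcName().toString();
            if (debugEnabled) {
                this.log.debug("doAuth({}@{}) GSS identity is {}", username, session, this.identity);
            }
            // The authenticator decides whether this principal is acceptable for the session.
            if (!authenticator.validateIdentity(session, this.identity)) {
                return Boolean.FALSE;
            }
        }

        if (NumberUtils.length(serverToken) <= 0) {
            // NOTE(review): when the context completes without a reply token this returns TRUE
            // right away, so the request is accepted without a MIC message ever being checked.
            // Confirm against RFC 4462 that this is intended for "gssapi-with-mic" before
            // relying on the MIC binding as a security control.
            return Boolean.valueOf(established);
        }
        sendBytes(session, SshConstants.SSH_MSG_USERAUTH_INFO_RESPONSE, serverToken);
        return null;
    }

    /**
     * Verifies the client MIC over session id, request type, username, service and method name,
     * which ties the established GSS context to this SSH session and this authentication request.
     */
    private Boolean verifyMic(Buffer buffer, ServerSession session, String username, boolean debugEnabled)
            throws Exception {
        ByteArrayBuffer signed = new ByteArrayBuffer();
        signed.putBytes(ValidateUtils.checkNotNullAndNotEmpty(session.getSessionId(), "No current session ID"));
        signed.putByte(SshConstants.SSH_MSG_USERAUTH_REQUEST);
        signed.putString(getUsername());
        signed.putString(getService());
        signed.putString(getName());
        byte[] message = signed.getCompactData();
        byte[] mic = buffer.getBytes();

        try {
            this.context.verifyMIC(mic, 0, mic.length, message, 0, message.length, new MessageProp(false));
        } catch (GSSException e) {
            // A bad MIC is an authentication failure, not a transport error.
            if (debugEnabled) {
                this.log.debug("doAuth({}@{}) GSS verification {} error: {}", username, session, e.getClass().getSimpleName(), e.getMessage());
            }
            return Boolean.FALSE;
        }
        if (debugEnabled) {
            this.log.debug("doAuth({}@{}) MIC verified", getUsername(), session);
        }
        return Boolean.TRUE;
    }

    /** Writes a single length-prefixed byte string as the payload of the given message type. */
    private static void sendBytes(ServerSession session, byte cmd, byte[] payload) throws Exception {
        Buffer reply = session.createBuffer(cmd, payload.length + Integer.SIZE);
        reply.putBytes(payload);
        session.writePacket(reply);
    }

    /**
     * Releases the GSS context, if any. Disposal errors are logged at debug level only, and the
     * reference is always cleared so the context cannot be reused afterwards.
     */
    @Override
    public void destroy() {
        if (this.context == null) {
            return;
        }
        try {
            this.context.dispose();
        } catch (GSSException e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Failed ({}) to dispose of context: {}", e.getClass().getSimpleName(), e.getMessage());
            }
        } finally {
            this.context = null;
        }
    }

    /**
     * Builds an {@link Oid} from its dotted-decimal form.
     *
     * @param str the OID in dotted-decimal notation
     * @return the parsed OID, or {@code null} if the string is rejected by the GSS layer
     */
    public static Oid createOID(String str) {
        try {
            return new Oid(str);
        } catch (GSSException e) {
            // Deliberate best effort: callers receive null instead of an exception.
            // NOTE(review): a null KRB5_MECH would presumably never equal an offered OID, so
            // authentication would always fail rather than succeed - confirm.
            return null;
        }
    }
}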
