package hudson.security;

import hudson.Extension;
import hudson.Functions;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.os.PosixAPI;
import hudson.util.FormValidation;
import java.io.File;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Logger;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.jruby.ext.posix.FileStat;
import org.jruby.ext.posix.Group;
import org.jruby.ext.posix.POSIX;
import org.jruby.ext.posix.Passwd;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.jvnet.libpam.impl.CLibrary;
import org.kohsuke.stapler.DataBoundConstructor;
import org.springframework.dao.DataAccessException;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-1.424.5.jar:hudson/security/PAMSecurityRealm.class */
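/**
 * Security realm that authenticates users through PAM and derives their
 * authorities from Unix group membership.
 *
 * <p>Every Unix group the user belongs to becomes a {@link GrantedAuthority}
 * (see {@link #toAuthorities(UnixUser)}), so group membership on the host
 * translates directly into authorization decisions made against those
 * authority names.
 */
public class PAMSecurityRealm extends AbstractPasswordBasedSecurityRealm {
    /** PAM service name handed to {@code new PAM(...)}; defaults to {@code "sshd"} when not configured. */
    public final String serviceName;
    private static final Logger LOGGER = Logger.getLogger(PAMSecurityRealm.class.getName());

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-1.424.5.jar:hudson/security/PAMSecurityRealm$DescriptorImpl.class */
    /** Descriptor for this realm, including a self-test of the {@code /etc/shadow} read permission. */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        /** POSIX group-read permission bit (octal 0040, decimal 32). */
        private static final int GROUP_READ_BIT = 0040;

        private static final String SHADOW_PATH = "/etc/shadow";

        @Override // hudson.model.Descriptor
        public String getDisplayName() {
            return Messages.PAMSecurityRealm_DisplayName();
        }

        /**
         * Reports whether the current process can read {@code /etc/shadow} and,
         * if it cannot, which user or group change would make it readable.
         *
         * <p>NOTE(review): no permission check is visible in this method, and the
         * error messages contain the effective user name of the process and the
         * owner/group of {@code /etc/shadow}. Confirm that access to this
         * endpoint is limited to administrators by the framework or caller.
         *
         * @return {@code ok} when the file is absent or readable, otherwise an
         *         error describing the missing permission
         */
        public FormValidation doTest() {
            File shadow = new File(SHADOW_PATH);
            // An absent shadow file is treated as success, same as a readable one.
            if (!shadow.exists() || shadow.canRead()) {
                return FormValidation.ok(Messages.PAMSecurityRealm_Success());
            }
            PAMSecurityRealm.LOGGER.fine("/etc/shadow exists but not readable");
            POSIX posix = PosixAPI.get();
            FileStat stat = posix.stat(SHADOW_PATH);
            if (stat == null) {
                return FormValidation.error(Messages.PAMSecurityRealm_ReadPermission());
            }

            // Describe the account this process runs as (effective uid).
            Passwd self = posix.getpwuid(posix.geteuid());
            String currentUser = self != null
                    ? Messages.PAMSecurityRealm_User(self.getLoginName())
                    : Messages.PAMSecurityRealm_CurrentUser();

            // Fall back to the numeric gid when the group has no name entry.
            Group owningGroup = posix.getgrgid(stat.gid());
            String groupName = owningGroup != null ? owningGroup.getName() : String.valueOf(stat.gid());

            // Group-readable already: joining the owning group is sufficient.
            if ((stat.mode() & GROUP_READ_BIT) != 0) {
                return FormValidation.error(Messages.PAMSecurityRealm_BelongToGroup(currentUser, groupName));
            }

            // Not group-readable: suggest running as the owner, or group membership plus chmod.
            Passwd owner = posix.getpwuid(stat.uid());
            String ownerName = owner != null
                    ? owner.getLoginName()
                    : Messages.PAMSecurityRealm_Uid(Integer.valueOf(stat.uid()));
            return FormValidation.error(
                    Messages.PAMSecurityRealm_RunAsUserOrBelongToGroupAndChmod(ownerName, currentUser, groupName));
        }
    }

    /**
     * Creates the realm for the given PAM service.
     *
     * <p>NOTE(review): the parameter name {@code str} looks decompiler-assigned;
     * data-bound constructors are matched by parameter name, so confirm the
     * original name before recompiling this class.
     *
     * @param str PAM service name; {@code null}, empty or blank selects {@code "sshd"}
     */
    @DataBoundConstructor
    public PAMSecurityRealm(String str) {
        String fixEmptyAndTrim = Util.fixEmptyAndTrim(str);
        this.serviceName = fixEmptyAndTrim == null ? "sshd" : fixEmptyAndTrim;
    }

    /**
     * Authenticates against the configured PAM service and builds the user's authorities.
     *
     * <p>The returned object carries an empty password string and has all four
     * account-state flags set to {@code true}.
     *
     * @param str user name passed to PAM
     * @param str2 credential passed to PAM as the second argument
     * @return user details whose authorities are the user's Unix groups plus the authenticated marker
     * @throws AuthenticationException a {@link BadCredentialsException} wrapping any {@link PAMException};
     *         its message is the PAM error text, so callers should not echo it to unauthenticated clients
     */
    @Override // hudson.security.AbstractPasswordBasedSecurityRealm
    protected UserDetails authenticate(String str, String str2) throws AuthenticationException {
        try {
            UnixUser authenticated = new PAM(this.serviceName).authenticate(str, str2);
            return new User(str, "", true, true, true, true, toAuthorities(authenticated));
        } catch (PAMException e) {
            throw new BadCredentialsException(e.getMessage(), (Throwable) e);
        }
    }

    /**
     * Looks up a Unix user by name without authenticating them.
     *
     * <p>This performs an account and group lookup only; the result is not
     * evidence that any credential was verified. The exception messages
     * include the requested name.
     *
     * @param str Unix user name
     * @return user details with authorities derived from the user's groups
     * @throws UsernameNotFoundException if the user does not exist or its information cannot be loaded
     */
    @Override // hudson.security.AbstractPasswordBasedSecurityRealm, hudson.security.SecurityRealm, org.acegisecurity.userdetails.UserDetailsService
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException, DataAccessException {
        if (!UnixUser.exists(str)) {
            throw new UsernameNotFoundException("No such Unix user: " + str);
        }
        try {
            return new User(str, "", true, true, true, true, toAuthorities(new UnixUser(str)));
        } catch (PAMException e) {
            throw new UsernameNotFoundException("Failed to load information about Unix user " + str, (Throwable) e);
        }
    }

    /**
     * Maps each Unix group of the user to an authority and appends {@code AUTHENTICATED_AUTHORITY}.
     *
     * @param unixUser user whose groups are converted
     * @return one authority per group, in the set's iteration order, followed by the authenticated marker
     */
    private static GrantedAuthority[] toAuthorities(UnixUser unixUser) {
        Set<String> groups = unixUser.getGroups();
        // One slot per group plus one for the authenticated marker.
        GrantedAuthority[] authorities = new GrantedAuthority[groups.size() + 1];
        int next = 0;
        for (String group : groups) {
            authorities[next++] = new GrantedAuthorityImpl(group);
        }
        authorities[next] = AUTHENTICATED_AUTHORITY;
        return authorities;
    }

    /**
     * Resolves a Unix group by name through libc's {@code getgrnam}.
     *
     * @param str group name
     * @return group details whose name is the requested string as given
     * @throws UsernameNotFoundException if {@code getgrnam} returns no entry
     */
    @Override // hudson.security.AbstractPasswordBasedSecurityRealm, hudson.security.SecurityRealm
    public GroupDetails loadGroupByGroupname(final String str) throws UsernameNotFoundException, DataAccessException {
        if (CLibrary.libc.getgrnam(str) == null) {
            throw new UsernameNotFoundException(str);
        }
        return new GroupDetails() { // from class: hudson.security.PAMSecurityRealm.1
            @Override // hudson.security.GroupDetails
            public String getName() {
                return str;
            }
        };
    }

    /**
     * Extension factory for the descriptor.
     *
     * @return a new descriptor, or {@code null} on Windows so the realm is not registered there
     */
    @Extension
    public static DescriptorImpl install() {
        return Functions.isWindows() ? null : new DescriptorImpl();
    }
}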
