package org.jenkinsci.main.modules.sshd;

import java.security.PublicKey;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
import org.apache.sshd.server.session.ServerSession;
import org.jenkinsci.main.modules.cli.auth.ssh.PublicKeySignatureWriter;
import org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl;

/* loaded from: input_file:WEB-INF/lib/sshd-2.3.jar:org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl.class */
/**
 * Decides whether an SSH public-key login is accepted for a Jenkins account.
 *
 * <p>A login is accepted only when both checks pass, in this order:
 * <ol>
 *   <li>the named Jenkins user exists, carries a {@link UserPropertyImpl}, and that property
 *       reports the offered key as authorized;</li>
 *   <li>{@code user.impersonate()} returns an {@link Authentication} instead of throwing
 *       {@link UsernameNotFoundException}, so an account whose key is still stored but which
 *       the security realm no longer knows is rejected.</li>
 * </ol>
 *
 * <p>No signature is verified in this class; it only answers "is this key registered for this
 * account". Every outcome is reported to {@link SecurityListener}, so failed attempts are visible
 * to whatever listeners are installed.
 */
class PublicKeyAuthenticatorImpl implements PublickeyAuthenticator {
    private static final Logger LOGGER = Logger.getLogger(PublicKeyAuthenticatorImpl.class.getName());

    /** Renders the offered key into the string form that is compared against the stored keys. */
    private final PublicKeySignatureWriter signatureWriter = new PublicKeySignatureWriter();

    /* loaded from: input_file:WEB-INF/lib/sshd-2.3.jar:org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl$SSHUserDetails.class */
    /**
     * User details handed to {@link SecurityListener#fireAuthenticated} after a successful login.
     * The password is the empty string, all four account-status flags are {@code true}, and the
     * authorities are taken from the realm-issued {@link Authentication}.
     */
    private static class SSHUserDetails extends User {
        private SSHUserDetails(@Nonnull String username, @Nonnull Authentication realmAuthentication) {
            super(username, "", true, true, true, true, realmAuthentication.getAuthorities());
        }
    }

    /**
     * Entry point called for a public-key authentication request.
     *
     * @param str the username supplied by the connecting client (untrusted)
     * @param publicKey the key offered by the client
     * @param serverSession the SSH session; not consulted by this implementation
     * @return {@code true} only if the key is registered for the user and the security realm
     *     still recognises that user
     */
    @Override // org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator
    public boolean authenticate(String str, PublicKey publicKey, ServerSession serverSession) {
        final hudson.model.User keyOwner = retrieveOnlyKeyValidatedUser(str, publicKey);
        // The realm check runs only after the key check has passed.
        final Authentication realmAuthentication =
                keyOwner != null ? verifyUserUsingSecurityRealm(keyOwner) : null;

        if (realmAuthentication != null) {
            // NOTE(review): the details carry the name as typed by the client, not keyOwner.getId();
            // confirm listeners do not depend on a canonical id here.
            SecurityListener.fireAuthenticated(new SSHUserDetails(str, realmAuthentication));
            return true;
        }

        // Both rejection causes (key check, realm check) are reported the same way.
        SecurityListener.fireFailedToAuthenticate(str);
        return false;
    }

    /**
     * Looks up the Jenkins user and checks the offered key against that user's registered keys.
     * This establishes only that the key is authorized for the account; whether the account is
     * still valid in the security realm is checked separately by the caller.
     *
     * @return the user when the key is authorized for it, otherwise {@code null}
     */
    @CheckForNull
    private hudson.model.User retrieveOnlyKeyValidatedUser(String username, PublicKey offeredKey) {
        // The username is client-supplied and is logged as received (FINE level only).
        LOGGER.log(Level.FINE, "Authentication attempted from {0} with {1}", new Object[]{username, offeredKey});

        // Second argument false: presumably "do not create a missing user" - confirm against hudson.model.User.
        final hudson.model.User candidate = hudson.model.User.getById(username, false);
        if (candidate == null) {
            LOGGER.log(Level.FINE, "No such user exists: {0}", username);
            return null;
        }

        final UserPropertyImpl registeredKeys = (UserPropertyImpl) candidate.getProperty(UserPropertyImpl.class);
        if (registeredKeys == null) {
            LOGGER.log(Level.FINE, "No SSH key registered for user: {0}", username);
            return null;
        }

        final String offeredKeyText = signatureWriter.asString(offeredKey);
        if (!registeredKeys.isAuthorizedKey(offeredKeyText)) {
            LOGGER.log(Level.FINE, "Key signature did not match for the user: {0} : {1}", new Object[]{username, offeredKeyText});
            return null;
        }
        return candidate;
    }

    /**
     * Asks Jenkins for an {@link Authentication} for the user via {@code impersonate()}.
     * Only {@link UsernameNotFoundException} is turned into a rejection; any other exception
     * thrown by {@code impersonate()} propagates to the caller.
     *
     * @return the authentication, or {@code null} when the user is not found
     */
    @CheckForNull
    private Authentication verifyUserUsingSecurityRealm(@Nonnull hudson.model.User user) {
        final Authentication realmAuthentication;
        try {
            realmAuthentication = user.impersonate();
        } catch (UsernameNotFoundException notFound) {
            LOGGER.log(Level.FINE, user.getId() + " is not a real user according to SecurityRealm", notFound);
            return null;
        }
        return realmAuthentication;
    }
}
