package org.jenkinsci.main.modules.sshd;

import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.model.Descriptor;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import jenkins.model.GlobalConfiguration;
import jenkins.model.GlobalConfigurationCategory;
import jenkins.util.ServerTcpPort;
import jenkins.util.SystemProperties;
import jenkins.util.Timer;
import net.jcip.annotations.GuardedBy;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.cipher.BuiltinCiphers;
import org.apache.sshd.common.cipher.Cipher;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.keyprovider.AbstractKeyPairProvider;
import org.apache.sshd.common.mac.Mac;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.shell.ShellFactory;
import org.jenkinsci.main.modules.instance_identity.InstanceIdentity;
import org.kohsuke.stapler.StaplerRequest;

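/**
 * Global configuration entry that owns the embedded Apache MINA SSH server.
 *
 * <p>The configured port is persisted through {@link #load()} / {@link #save()}. A negative
 * port (the default is {@code -1}) means the server is not started. The page appears under
 * the Security configuration category.
 *
 * <p>Security-relevant settings applied in {@link #start()}:
 * <ul>
 *   <li>ciphers are an allowlist ({@link #ENABLED_CIPHERS}, AES in CTR mode only);</li>
 *   <li>key exchanges and MACs are a <em>denylist</em> applied to MINA's defaults, so any
 *       algorithm MINA offers that is not named in the list stays enabled;</li>
 *   <li>no shell factory is installed, only a command factory;</li>
 *   <li>the host key is the Jenkins instance identity key pair.</li>
 * </ul>
 *
 * <p>Access to {@link #sshd} is guarded by the instance monitor.
 */
@Extension
/* loaded from: input_file:WEB-INF/lib/sshd.jar:org/jenkinsci/main/modules/sshd/SSHD.class */
public class SSHD extends GlobalConfiguration {

    /** Running server, or {@code null} when stopped or never started. */
    @GuardedBy("this")
    private transient SshServer sshd;

    /** Configured port; any negative value disables the server. */
    private volatile int port = -1;

    /** Suffix of the system property (prefixed with this class name) holding the idle timeout. */
    public static final String IDLE_TIMEOUT_KEY = "idle-timeout";

    /** Allowlist of ciphers offered to clients; unsupported built-ins are dropped at start-up. */
    private static final List<NamedFactory<Cipher>> ENABLED_CIPHERS = Arrays.asList(BuiltinCiphers.aes128ctr, BuiltinCiphers.aes192ctr, BuiltinCiphers.aes256ctr);

    /**
     * Comma-separated key-exchange names removed from MINA's defaults. Overridable with the
     * system property {@code org.jenkinsci.main.modules.sshd.SSHD.excludedKeyExchanges}.
     * NOTE: a blank value turns the filter off completely and re-enables every default.
     */
    private static final String EXCLUDED_KEY_EXCHANGES = SystemProperties.getString(SSHD.class.getName() + ".excludedKeyExchanges", "diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1");

    /**
     * Comma-separated MAC names removed from MINA's defaults. Overridable with the system
     * property {@code org.jenkinsci.main.modules.sshd.SSHD.excludedMacs}.
     * NOTE: a blank value turns the filter off completely and re-enables every default.
     */
    private static final String EXCLUDED_MACS = SystemProperties.getString(SSHD.class.getName() + ".excludedMacs", "hmac-md5, hmac-md5-96, hmac-sha1-96");

    private static final Logger LOGGER = Logger.getLogger(SSHD.class.getName());

    // Held in a static field so the logger (and the level set in the static initializer below)
    // is strongly referenced; java.util.logging only keeps weak references to loggers.
    private static final Logger MINA_LOGGER = Logger.getLogger("org.apache.sshd");

    /**
     * Places this configuration under the Security category.
     *
     * @return the Security configuration category
     */
    @Override
    @NonNull
    public GlobalConfigurationCategory getCategory() {
        return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
    }

    /** Creates the configuration and loads the persisted port, if any. */
    public SSHD() {
        load();
    }

    /**
     * Returns the configured port.
     *
     * @return the configured port; negative when the server is disabled
     */
    public int getPort() {
        return this.port;
    }

    /**
     * Returns the port the server is actually bound to.
     *
     * @return {@code -1} when the configured port is {@code -1}; otherwise the running server's
     *     port, or the configured port when no server is running
     */
    public synchronized int getActualPort() {
        if (this.port == -1) {
            return -1;
        }
        return this.sshd != null ? this.sshd.getPort() : this.port;
    }

    /**
     * Changes the configured port. When the value differs from the current one, a restart is
     * scheduled on the shared timer and the new value is persisted.
     *
     * @param i the new port; a negative value disables the server
     */
    public void setPort(int i) {
        if (this.port != i) {
            this.port = i;
            // Restart asynchronously so the caller is not blocked by the server shutting down.
            Runnable restartTask = this::restart;
            Timer.get().submit(restartTask);
            save();
        }
    }

    /**
     * Returns the subset of {@link #ENABLED_CIPHERS} usable on this JVM.
     *
     * <p>Built-in ciphers that report themselves as unsupported are skipped and logged at
     * {@code FINE}; any other factory is passed through unchanged.
     *
     * @return a new mutable list of cipher factories to offer
     */
    @NonNull
    static List<NamedFactory<Cipher>> getActivatedCiphers() {
        List<NamedFactory<Cipher>> activated = new ArrayList<>(ENABLED_CIPHERS.size());
        for (NamedFactory<Cipher> factory : ENABLED_CIPHERS) {
            if (factory instanceof BuiltinCiphers && !((BuiltinCiphers) factory).isSupported()) {
                LOGGER.log(Level.FINE, "Discovered unsupported built-in Cipher: {0}. It will not be enabled", factory);
                continue;
            }
            activated.add(factory);
        }
        return activated;
    }

    /**
     * Stops any running server and starts a new one on the configured port. Does nothing when
     * the configured port is negative.
     *
     * @throws IOException if the server cannot be stopped or started
     * @throws InterruptedException if the calling thread is interrupted
     */
    public synchronized void start() throws IOException, InterruptedException {
        int i = this.port;
        if (i < 0) {
            return;
        }
        LOGGER.fine("starting SSHD");
        stop();
        this.sshd = SshServer.setUpDefaultServer();
        // UserAuthNamedFactory is the only user-auth factory installed, so it alone decides
        // which authentication methods are offered (its behaviour is defined elsewhere).
        this.sshd.setUserAuthFactories(Arrays.asList(new UserAuthNamedFactory()));
        this.sshd.setCipherFactories(getActivatedCiphers());
        this.sshd.setKeyExchangeFactories(filterKeyExchanges(this.sshd.getKeyExchangeFactories()));
        this.sshd.setMacFactories(filterMacs(this.sshd.getMacFactories()));
        this.sshd.setPort(i);
        // The SSH host key is the Jenkins instance identity key pair, looked up per request.
        this.sshd.setKeyPairProvider(new AbstractKeyPairProvider() {
            @Override
            public Iterable<KeyPair> loadKeys(SessionContext sessionContext) throws IOException, GeneralSecurityException {
                InstanceIdentity instanceIdentity = InstanceIdentity.get();
                return Collections.singletonList(new KeyPair(instanceIdentity.getPublic(), instanceIdentity.getPrivate()));
            }
        });
        // No shell factory: sessions can only run commands through CommandFactoryImpl.
        this.sshd.setShellFactory((ShellFactory) null);
        this.sshd.setCommandFactory(new CommandFactoryImpl());
        this.sshd.setPublickeyAuthenticator(new PublicKeyAuthenticatorImpl());
        IdleTimeout.fromSystemProperty(SSHD.class.getName() + "." + IDLE_TIMEOUT_KEY).apply(this.sshd);
        this.sshd.start();
        LOGGER.info("Started SSHD at port " + this.sshd.getPort());
    }

    /**
     * Splits a comma-separated algorithm list into trimmed, non-blank names.
     *
     * @param commaSeparated the raw list, e.g. the value of a system property
     * @return the names in their original order
     */
    private static List<String> parseExcludedNames(String commaSeparated) {
        return Arrays.stream(commaSeparated.split(","))
                .filter(StringUtils::isNotBlank)
                .map(String::trim)
                .collect(Collectors.toList());
    }

    /**
     * Removes the MACs named in {@link #EXCLUDED_MACS} from the given list.
     *
     * @param list the MAC factories to filter
     * @return {@code list} itself when the exclusion list is blank; otherwise a new list
     *     without the excluded names
     */
    private List<NamedFactory<Mac>> filterMacs(List<NamedFactory<Mac>> list) {
        if (StringUtils.isBlank(EXCLUDED_MACS)) {
            return list;
        }
        List<String> excluded = parseExcludedNames(EXCLUDED_MACS);
        List<NamedFactory<Mac>> kept = new ArrayList<>();
        for (NamedFactory<Mac> namedFactory : list) {
            String name = namedFactory.getName();
            // Names are compared exactly, so a misspelt entry silently excludes nothing.
            if (excluded.contains(name)) {
                LOGGER.log(Level.CONFIG, "Excluding " + name);
            } else {
                LOGGER.log(Level.FINE, "Not excluding " + name);
                kept.add(namedFactory);
            }
        }
        return kept;
    }

    /**
     * Removes the key exchanges named in {@link #EXCLUDED_KEY_EXCHANGES} from the given list.
     *
     * @param list the key-exchange factories to filter
     * @return {@code list} itself when the exclusion list is blank; otherwise a new list
     *     without the excluded names
     */
    private List<KeyExchangeFactory> filterKeyExchanges(List<KeyExchangeFactory> list) {
        if (StringUtils.isBlank(EXCLUDED_KEY_EXCHANGES)) {
            return list;
        }
        List<String> excluded = parseExcludedNames(EXCLUDED_KEY_EXCHANGES);
        List<KeyExchangeFactory> kept = new ArrayList<>();
        for (KeyExchangeFactory keyExchangeFactory : list) {
            String name = keyExchangeFactory.getName();
            // Names are compared exactly, so a misspelt entry silently excludes nothing.
            if (excluded.contains(name)) {
                LOGGER.log(Level.CONFIG, "Excluding " + name);
            } else {
                LOGGER.log(Level.FINE, "Not excluding " + name);
                kept.add(keyExchangeFactory);
            }
        }
        return kept;
    }

    /**
     * Stops the running server, if any, and starts it again with the current configuration.
     * Failures are logged at {@code SEVERE} rather than propagated, because this runs on a
     * timer thread with no caller to report to.
     */
    public synchronized void restart() {
        try {
            if (this.sshd != null) {
                this.sshd.stop(false);
                this.sshd = null;
            }
            start();
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the executor that owns this thread.
            Thread.currentThread().interrupt();
            LOGGER.log(Level.SEVERE, "Failed to restart SSHD", e);
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Failed to restart SSHD", e);
        }
    }

    /**
     * Stops the running server, if any, using MINA's immediate shutdown.
     *
     * @throws IOException if the server fails to stop
     * @throws InterruptedException if the calling thread is interrupted
     */
    public synchronized void stop() throws IOException, InterruptedException {
        if (this.sshd != null) {
            this.sshd.stop(true);
            this.sshd = null;
        }
    }

    /**
     * Applies a submitted configuration form by reading its {@code port} object.
     *
     * @param staplerRequest the current request (unused)
     * @param jSONObject the submitted form data
     * @return always {@code true}
     * @throws Descriptor.FormException declared by the overridden method
     */
    @Override
    public boolean configure(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
        setPort(new ServerTcpPort(jSONObject.getJSONObject("port")).getPort());
        return true;
    }

    /**
     * Looks up the singleton instance of this extension.
     *
     * @return the registered {@code SSHD} instance
     */
    public static SSHD get() {
        return ExtensionList.lookupSingleton(SSHD.class);
    }

    /**
     * Starts the server once jobs are loaded. Marked non-fatal, so a failure here does not
     * abort Jenkins start-up.
     *
     * @throws IOException if the server cannot be started
     * @throws InterruptedException if the calling thread is interrupted
     */
    @Initializer(after = InitMilestone.JOB_LOADED, fatal = false)
    public static void init() throws IOException, InterruptedException {
        get().start();
    }

    static {
        // Quieten MINA's own logging unless an administrator has already chosen a level.
        if (MINA_LOGGER.getLevel() == null) {
            MINA_LOGGER.setLevel(Level.WARNING);
        }
    }
}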
