package org.apache.karaf.shell.ssh;

import java.security.Principal;
import java.security.PublicKey;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import org.apache.karaf.jaas.boot.principal.ClientPrincipal;
import org.apache.karaf.jaas.modules.publickey.PublickeyCallback;
import org.apache.sshd.common.AttributeStore;
import org.apache.sshd.server.auth.password.PasswordAuthenticator;
import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
import org.apache.sshd.server.session.ServerSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/karaf/shell/ssh/KarafJaasAuthenticator.class */
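/**
 * JAAS-backed authenticator for the Karaf SSH server, handling both password and
 * public-key logins.
 *
 * <p>Every login runs a {@link LoginContext} against the configured realm with a
 * {@link Subject} that already carries a {@link ClientPrincipal} holding the SSH
 * client address. After the JAAS login succeeds the subject must also pass the role
 * check ({@link #assertRolePresent(Subject)}); only then is it stored on the session
 * under {@link #SUBJECT_ATTRIBUTE_KEY}. Any exception on the way denies access.
 */
public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyAuthenticator {

    /** Session attribute under which the authenticated {@link Subject} is published on success. */
    public static final AttributeStore.AttributeKey<Subject> SUBJECT_ATTRIBUTE_KEY = new AttributeStore.AttributeKey<>();

    private static final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);

    /** JAAS realm (login configuration name) used for every login. */
    private final String realm;
    /** Role name a subject must hold; {@code null} or empty means any principal of a role class suffices. */
    private final String role;
    /** Principal classes that count as roles; a subject without any such principal is rejected. */
    private final Class<?>[] roleClasses;

    /**
     * Creates an authenticator.
     *
     * @param realm       JAAS realm name handed to {@link LoginContext}
     * @param role        required role name, or {@code null}/empty to only require that some role
     *                    principal exists
     * @param roleClasses principal classes treated as roles; {@code null} is treated as empty, which
     *                    makes every login fail the role check
     */
    public KarafJaasAuthenticator(String realm, String role, Class<?>[] roleClasses) {
        this.realm = realm;
        this.role = role;
        // Defensive copy so callers cannot later change which principal classes count as roles.
        // A null array is normalised to empty: the role check then fails with an explicit
        // FailedLoginException instead of a NullPointerException (either way access is denied).
        this.roleClasses = roleClasses == null ? new Class<?>[0] : roleClasses.clone();
    }

    /**
     * Password authentication: supplies the user name and password to the JAAS login modules.
     *
     * @param username name presented by the SSH client
     * @param password clear-text password presented by the SSH client
     * @param session  SSH session being authenticated
     * @return {@code true} if the JAAS login succeeded and the role check passed, {@code false} otherwise
     */
    @Override
    public boolean authenticate(String username, String password, ServerSession session) {
        return doLogin(session, callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                } else {
                    // A login module asking for anything else cannot be satisfied here; the login fails.
                    throw new UnsupportedCallbackException(callback);
                }
            }
        });
    }

    /**
     * Public-key authentication: supplies the user name and the offered key to the JAAS login
     * modules through a {@link PublickeyCallback}.
     *
     * <p>NOTE(review): this method only decides whether the offered key is acceptable for the
     * user; proof that the client holds the matching private key is expected to come from the
     * SSH layer — confirm against the SSHD version in use.
     *
     * @param username  name presented by the SSH client
     * @param publicKey public key offered by the SSH client
     * @param session   SSH session being authenticated
     * @return {@code true} if the JAAS login succeeded and the role check passed, {@code false} otherwise
     */
    @Override
    public boolean authenticate(String username, PublicKey publicKey, ServerSession session) {
        return doLogin(session, callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(username);
                } else if (callback instanceof PublickeyCallback) {
                    ((PublickeyCallback) callback).setPublicKey(publicKey);
                } else {
                    // A login module asking for anything else cannot be satisfied here; the login fails.
                    throw new UnsupportedCallbackException(callback);
                }
            }
        });
    }

    /**
     * Runs the JAAS login followed by the role check and, on success, publishes the subject on
     * the session.
     *
     * @param session         SSH session; its client address is recorded in a {@link ClientPrincipal}
     * @param callbackHandler supplies the credentials to the login modules
     * @return {@code true} on success; {@code false} on any failure (fail closed)
     */
    private boolean doLogin(ServerSession session, CallbackHandler callbackHandler) {
        try {
            Subject subject = new Subject();
            // Attach the remote endpoint so the subject carries the origin of this login.
            subject.getPrincipals().add(new ClientPrincipal("ssh", session.getClientAddress().toString()));
            new LoginContext(this.realm, subject, callbackHandler).login();
            assertRolePresent(subject);
            // Publish only a subject that passed both the JAAS login and the role check.
            session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
            return true;
        } catch (Exception e) {
            // Deliberately broad: JAAS failures, a missing role and unexpected runtime errors all deny access.
            // NOTE(review): failed attempts are only visible at DEBUG level here; visibility of repeated
            // failures relies on logging elsewhere — confirm.
            LOGGER.debug("User authentication failed with {}", e.getMessage(), e);
            return false;
        }
    }

    /**
     * Verifies that the subject carries a role.
     *
     * <p>A principal counts as a role when it is an instance of one of the configured
     * {@code roleClasses}; at least one such principal must exist. When a {@code role} name is
     * configured (non-null, non-empty) and at least one role class is configured, one of those
     * principals must additionally have exactly that name.
     *
     * @param subject the subject populated by the JAAS login
     * @throws FailedLoginException if no role principal is present, or the required role is missing
     */
    private void assertRolePresent(Subject subject) throws FailedLoginException {
        // With no specific role (or no role classes) configured, any role principal is sufficient.
        boolean requiredRoleFound = this.role == null || this.role.isEmpty() || this.roleClasses.length == 0;
        int rolePrincipals = 0;
        for (Principal principal : subject.getPrincipals()) {
            for (Class<?> roleClass : this.roleClasses) {
                if (!roleClass.isInstance(principal)) {
                    continue;
                }
                rolePrincipals++;
                // Once the required role has been seen it stays satisfied.
                if (!requiredRoleFound) {
                    requiredRoleFound = this.role.equals(principal.getName());
                }
            }
        }
        if (rolePrincipals == 0) {
            throw new FailedLoginException("User doesn't have role defined");
        }
        if (!requiredRoleFound) {
            throw new FailedLoginException("User doesn't have the required role " + this.role);
        }
    }
}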
