package org.eclipse.jgit.internal.signing.ssh;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.StreamCorruptedException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.security.PublicKey;
import java.text.MessageFormat;
import java.time.Instant;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.temporal.ChronoField;
import java.time.temporal.TemporalAccessor;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.apache.lucene.geo.SimpleWKTShapeParser;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.config.keys.PublicKeyEntry;
import org.apache.sshd.common.util.io.ModifiableFileWatcher;
import org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile;
import org.eclipse.jgit.internal.transport.sshd.SshdText;
import org.eclipse.jgit.signing.ssh.VerificationException;
import org.eclipse.jgit.util.StringUtils;
import org.eclipse.jgit.util.SystemReader;

/* loaded from: input_file:org/eclipse/jgit/internal/signing/ssh/AllowedSigners.class */
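/**
 * In-memory view of an SSH "allowed signers" file that is re-read when the
 * watched file changes.
 *
 * <p>Each non-comment line is parsed into an {@link AllowedEntry}; entries are
 * indexed by the textual form of their public key ("type base64"). Lookups via
 * {@link #isAllowed} filter by key, signer name, signature namespace and, when
 * a timestamp is supplied, the entry's validity window.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 * <li>An entry whose validity window excludes the supplied timestamp is never
 * returned as a match.</li>
 * <li>If no timestamp is supplied ({@code null}), validity windows are not
 * checked at all.</li>
 * <li>A file that fails to parse is rejected as a whole, and the failure is
 * re-reported on every subsequent lookup until the file is fixed.</li>
 * </ul>
 */
final class AllowedSigners extends ModifiableFileWatcher {
    private static final String CERT_AUTHORITY = "cert-authority";
    private static final String NAMESPACES = "namespaces=";
    private static final String VALID_AFTER = "valid-after=";
    private static final String VALID_BEFORE = "valid-before=";

    // NOTE(review): this listing takes its list separator from an unrelated
    // geo-parsing class. That looks like a decompiler substituting a constant
    // for a plain string literal; confirm the value and replace it with a
    // local literal so this parser does not depend on that library.
    private static final String LIST_SEPARATOR = SimpleWKTShapeParser.COMMA;

    // Accepts YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS (digits only); the
    // optional trailing 'Z' is handled separately in parseDate.
    private static final DateTimeFormatter SSH_DATE_FORMAT = new DateTimeFormatterBuilder()
            .appendValue(ChronoField.YEAR, 4)
            .appendValue(ChronoField.MONTH_OF_YEAR, 2)
            .appendValue(ChronoField.DAY_OF_MONTH, 2)
            .optionalStart()
            .appendValue(ChronoField.HOUR_OF_DAY, 2)
            .appendValue(ChronoField.MINUTE_OF_HOUR, 2)
            .optionalStart()
            .appendValue(ChronoField.SECOND_OF_MINUTE, 2)
            .toFormatter(Locale.ROOT);

    private static final Predicate<AllowedEntry> CERTIFICATES = AllowedEntry::isCA;
    private static final Predicate<AllowedEntry> PLAIN_KEYS = Predicate.not(CERTIFICATES);

    // Only read and replaced inside the synchronized refresh() method.
    private State state;

    /**
     * One parsed line of the allowed-signers file.
     *
     * <p>{@code equals}/{@code hashCode} are overridden because the default
     * record implementations would compare the array components by reference.
     * The accessors return the internal arrays without copying.
     *
     * @param identities  identity patterns from the first field of the line
     * @param isCA        whether the line carried the {@code cert-authority} option
     * @param namespaces  namespace patterns, or {@code null} if the line had no
     *                    {@code namespaces=} option
     * @param validAfter  start of the validity window, or {@code null}
     * @param validBefore end of the validity window, or {@code null}
     * @param key         public key as "type base64" text
     */
    public record AllowedEntry(String[] identities, boolean isCA, String[] namespaces,
            Instant validAfter, Instant validBefore, String key) {

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof AllowedEntry other)) {
                return false;
            }
            return isCA == other.isCA
                    && Arrays.equals(identities, other.identities)
                    && Arrays.equals(namespaces, other.namespaces)
                    && Objects.equals(validAfter, other.validAfter)
                    && Objects.equals(validBefore, other.validBefore)
                    && Objects.equals(key, other.key);
        }

        @Override
        public int hashCode() {
            int hash = Boolean.hashCode(isCA);
            hash = hash * 31 + Arrays.hashCode(identities);
            hash = hash * 31 + Arrays.hashCode(namespaces);
            return hash * 31 + Objects.hash(validAfter, validBefore, key);
        }
    }

    /**
     * Result of {@link #dequote}: the extracted value and the index in the
     * line at which parsing should continue.
     *
     * @param value the option value with quoting removed
     * @param after index of the first character after the value
     */
    public record Dequoted(String value, int after) {
    }

    /**
     * Immutable snapshot holder for the parsed file.
     *
     * @param entries parsed entries, keyed by the textual public key
     */
    private record State(Map<String, List<AllowedEntry>> entries) {
    }

    /**
     * Creates a watcher for the given allowed-signers file. The file is not
     * read until the first lookup.
     *
     * @param path location of the allowed-signers file
     */
    public AllowedSigners(Path path) {
        super(path);
        this.state = new State(new HashMap<>());
    }

    /**
     * Determines whether a key is allowed to sign in the given namespace.
     *
     * <p>For a plain key, entries without {@code cert-authority} are searched
     * for the key itself. For an {@link OpenSshCertificate}, entries with
     * {@code cert-authority} are searched for the certificate's CA key, and the
     * certificate's principals are then checked against the requested name or
     * the entry's identity patterns. This method does not itself validate the
     * certificate (signature, validity period); NOTE(review): presumably the
     * caller does that, confirm.
     *
     * @param publicKey key (or certificate) that produced the signature
     * @param str       signature namespace, matched against an entry's
     *                  {@code namespaces=} patterns
     * @param str2      signer name to match against the identity patterns; may be
     *                  {@code null} or empty to accept any identity
     * @param instant   time to check validity windows against; if {@code null},
     *                  validity windows are not enforced
     * @return {@code null} if no entry matches; otherwise the requested name,
     *         or a comma-separated list of the entry's identities (plain key)
     *         or of the matching certificate principals. NOTE(review): in the
     *         certificate case with no requested name this can be an empty
     *         string when no principal matches; callers should not treat every
     *         non-null result as a successful match.
     * @throws IOException           if the allowed-signers file cannot be read or parsed
     * @throws VerificationException if candidate entries exist for the key but
     *                               all are excluded by namespace or validity
     *                               window, or if the certificate's principals
     *                               do not cover the requested name
     */
    public String isAllowed(PublicKey publicKey, String str, String str2, Instant instant)
            throws IOException, VerificationException {
        final String namespace = str;
        final String name = str2;
        State current = refresh();

        if (!(publicKey instanceof OpenSshCertificate)) {
            AllowedEntry entry = find(current, publicKey, namespace, name, instant, PLAIN_KEYS);
            return entry == null ? null : signerName(name, entry);
        }

        OpenSshCertificate certificate = (OpenSshCertificate) publicKey;
        PublicKey caKey = certificate.getCaPubKey();
        AllowedEntry caEntry = find(current, caKey, namespace, name, instant, CERTIFICATES);
        if (caEntry == null) {
            return null;
        }

        Collection<String> principals = certificate.getPrincipals();
        if (principals.isEmpty()) {
            // A certificate without principals is rejected rather than being
            // treated as valid for every identity.
            throw new VerificationException(false,
                    MessageFormat.format(SshdText.get().signCertificateWithoutPrincipals,
                            KeyUtils.getFingerPrint(caKey), signerName(name, caEntry)));
        }
        if (!StringUtils.isEmptyOrNull(name)) {
            // Exact, case-sensitive membership test; no pattern matching here.
            if (principals.contains(name)) {
                return name;
            }
            throw new VerificationException(false,
                    MessageFormat.format(SshdText.get().signCertificateNotForName,
                            KeyUtils.getFingerPrint(caKey), name));
        }

        // No name requested: report the principals covered by the entry's
        // identity patterns, in the order the certificate lists them.
        LinkedHashSet<String> matching = new LinkedHashSet<>();
        List<String> patterns = Arrays.asList(caEntry.identities());
        for (String principal : principals) {
            if (OpenSshConfigFile.patternMatch(patterns, principal)) {
                matching.add(principal);
            }
        }
        return String.join(LIST_SEPARATOR, matching);
    }

    /** Returns the requested name if given, else the entry's identities joined by commas. */
    private static String signerName(String name, AllowedEntry entry) {
        if (!StringUtils.isEmptyOrNull(name)) {
            return name;
        }
        return String.join(LIST_SEPARATOR, entry.identities());
    }

    /**
     * Finds the first entry for {@code key} that passes the filter and matches
     * name, namespace and validity window.
     *
     * <p>Entries rejected because of namespace or validity window are skipped;
     * the first such rejection is remembered and thrown only if no entry
     * matches at all. The boolean passed to {@link VerificationException} is
     * {@code true} for validity-window failures and {@code false} for namespace
     * failures; its meaning is defined by that class (not visible here).
     *
     * @return the matching entry, or {@code null} if the key has no candidate
     *         entries or none passed the filter and name checks
     * @throws VerificationException if candidates existed but were all excluded
     *                               by namespace or validity window
     */
    private AllowedEntry find(State current, PublicKey key, String namespace, String name,
            Instant time, Predicate<AllowedEntry> filter) throws VerificationException {
        // The index is keyed by the textual key form produced in parsePublicKey,
        // so the lookup depends on PublicKeyEntry.toString yielding the same text.
        List<AllowedEntry> candidates = current.entries().get(PublicKeyEntry.toString(key));
        if (candidates == null) {
            return null;
        }
        VerificationException firstFailure = null;
        for (AllowedEntry entry : candidates) {
            if (!filter.test(entry)) {
                continue;
            }
            if (name != null
                    && !OpenSshConfigFile.patternMatch(Arrays.asList(entry.identities()), name)) {
                continue;
            }
            if (entry.namespaces() != null
                    && !OpenSshConfigFile.patternMatch(Arrays.asList(entry.namespaces()), namespace)) {
                if (firstFailure == null) {
                    firstFailure = new VerificationException(false,
                            MessageFormat.format(SshdText.get().signWrongNamespace,
                                    KeyUtils.getFingerPrint(key), namespace));
                }
                continue;
            }
            if (time != null) {
                boolean notYetValid = entry.validAfter() != null
                        && time.isBefore(entry.validAfter());
                boolean noLongerValid = entry.validBefore() != null
                        && time.isAfter(entry.validBefore());
                if (notYetValid || noLongerValid) {
                    // NOTE(review): both cases use the "too early" message, as
                    // in the listing; use a dedicated "expired" message for
                    // noLongerValid if the message bundle has one.
                    if (firstFailure == null) {
                        firstFailure = new VerificationException(true,
                                MessageFormat.format(SshdText.get().signKeyTooEarly,
                                        KeyUtils.getFingerPrint(key)));
                    }
                    // An entry outside its validity window must not be
                    // returned as a match: skip it and try the next one.
                    continue;
                }
            }
            return entry;
        }
        if (firstFailure != null) {
            throw firstFailure;
        }
        return null;
    }

    /**
     * Returns the current snapshot, re-reading the file first if the watcher
     * reports a change. A missing file yields an empty snapshot.
     *
     * @throws IOException if the file exists but cannot be read or parsed
     */
    private synchronized State refresh() throws IOException {
        if (checkReloadRequired()) {
            updateReloadAttributes();
            try {
                this.state = reload(getPath());
            } catch (NoSuchFileException e) {
                // File disappeared between the check and the read.
                resetReloadAttributes();
                this.state = new State(new HashMap<>());
            } catch (IOException | RuntimeException e) {
                // The change attributes were already recorded above. Without
                // this reset the next call would see "no change" and silently
                // keep serving the previous signer set although the file on
                // disk is unreadable; forget the attributes so the failure is
                // reported again until the file is fixed.
                resetReloadAttributes();
                throw e;
            }
        }
        return this.state;
    }

    /**
     * Reads and parses the whole file. Any malformed line fails the entire
     * load; no partial result is returned.
     *
     * @throws IOException on read errors, or wrapping the parse error together
     *                     with file, 1-based line number and line content
     */
    private static State reload(Path path) throws IOException {
        Map<String, List<AllowedEntry>> entries = new HashMap<>();
        try (BufferedReader reader = Files.newBufferedReader(path, StandardCharsets.UTF_8)) {
            int lineNumber = 1;
            String raw;
            while ((raw = reader.readLine()) != null) {
                String line = raw.strip();
                try {
                    AllowedEntry entry = parseLine(line);
                    if (entry != null) {
                        entries.computeIfAbsent(entry.key(), k -> new ArrayList<>()).add(entry);
                    }
                } catch (IOException | RuntimeException e) {
                    throw new IOException(
                            MessageFormat.format(SshdText.get().signAllowedSignersFormatError,
                                    path, Integer.toString(lineNumber), line),
                            e);
                }
                lineNumber++;
            }
        }
        return new State(entries);
    }

    /** Case-insensitively tests whether {@code keyword} occurs in {@code line} at {@code offset}. */
    private static boolean matches(String line, String keyword, int offset) {
        return line.regionMatches(true, offset, keyword, 0, keyword.length());
    }

    /**
     * Parses one line: {@code identities [options] keytype base64-key}.
     *
     * @param str the line, expected to be stripped of surrounding whitespace
     *            already (as {@code reload} does)
     * @return the parsed entry, or {@code null} for an empty or {@code #} comment line
     * @throws IOException              ({@link StreamCorruptedException}) if the line is malformed
     * @throws IllegalArgumentException (or another runtime exception from date
     *                                  parsing) for an unterminated quote or an
     *                                  invalid date
     */
    static AllowedEntry parseLine(String str) throws IOException {
        final String line = str;
        if (StringUtils.isEmptyOrNull(line) || line.charAt(0) == '#') {
            return null;
        }
        int length = line.length();

        // A line starting with an option keyword has no identities field.
        boolean startsWithCertAuthority = matches(line, CERT_AUTHORITY, 0)
                && CERT_AUTHORITY.length() < length
                && Character.isWhitespace(line.charAt(CERT_AUTHORITY.length()));
        if (startsWithCertAuthority || matches(line, NAMESPACES, 0)
                || matches(line, VALID_AFTER, 0) || matches(line, VALID_BEFORE, 0)) {
            throw new StreamCorruptedException(SshdText.get().signAllowedSignersNoIdentities);
        }

        int identitiesEnd = 0;
        while (identitiesEnd < length && !Character.isWhitespace(line.charAt(identitiesEnd))) {
            identitiesEnd++;
        }
        if (identitiesEnd >= length) {
            throw new StreamCorruptedException(SshdText.get().signAllowedSignersLineFormat);
        }
        String identityField = line.substring(0, identitiesEnd);
        // String.split drops trailing empty strings, so only leading or inner
        // empty identities are detected by the check below.
        String[] identities = identityField.split(LIST_SEPARATOR);
        if (Arrays.stream(identities).anyMatch(String::isEmpty)) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signAllowedSignersEmptyIdentity, identityField));
        }

        int pos = identitiesEnd + 1;
        boolean isCA = false;
        List<String> namespaces = null;
        Instant validAfter = null;
        Instant validBefore = null;
        while (pos < length) {
            // NOTE(review): isSpaceChar does not cover tabs, unlike the
            // isWhitespace checks elsewhere in this parser. A tab before an
            // option ends option parsing and the rest goes to parsePublicKey.
            if (Character.isSpaceChar(line.charAt(pos))) {
                pos++;
            } else if (matches(line, CERT_AUTHORITY, pos)) {
                int end = pos + CERT_AUTHORITY.length();
                isCA = true;
                // Bounds check first: the keyword may be the last thing on
                // the line, which is a format error, not an index error.
                if (end >= length || !Character.isWhitespace(line.charAt(end))) {
                    throw new StreamCorruptedException(
                            SshdText.get().signAllowedSignersCertAuthorityError);
                }
                pos = end + 1;
            } else if (matches(line, NAMESPACES, pos)) {
                if (namespaces != null) {
                    throw new StreamCorruptedException(MessageFormat.format(
                            SshdText.get().signAllowedSignersMultiple, NAMESPACES));
                }
                Dequoted value = dequote(line, pos + NAMESPACES.length());
                pos = value.after();
                String[] parts = value.value().split(LIST_SEPARATOR);
                namespaces = new ArrayList<>(parts.length);
                for (String part : parts) {
                    String namespace = part.strip();
                    if (!namespace.isEmpty()) {
                        namespaces.add(namespace);
                    }
                }
                // An explicit but empty namespace list is an error; it is not
                // treated like an absent option (which means "any namespace").
                if (namespaces.isEmpty()) {
                    throw new StreamCorruptedException(
                            SshdText.get().signAllowedSignersEmptyNamespaces);
                }
            } else if (matches(line, VALID_AFTER, pos)) {
                if (validAfter != null) {
                    throw new StreamCorruptedException(MessageFormat.format(
                            SshdText.get().signAllowedSignersMultiple, VALID_AFTER));
                }
                Dequoted value = dequote(line, pos + VALID_AFTER.length());
                pos = value.after();
                validAfter = parseDate(value.value());
            } else if (matches(line, VALID_BEFORE, pos)) {
                if (validBefore != null) {
                    throw new StreamCorruptedException(MessageFormat.format(
                            SshdText.get().signAllowedSignersMultiple, VALID_BEFORE));
                }
                Dequoted value = dequote(line, pos + VALID_BEFORE.length());
                pos = value.after();
                validBefore = parseDate(value.value());
            } else {
                // Not an option: the public key starts here.
                break;
            }
        }
        String[] namespaceArray = namespaces == null ? null : namespaces.toArray(new String[0]);
        return new AllowedEntry(identities, isCA, namespaceArray, validAfter, validBefore,
                parsePublicKey(line, pos));
    }

    /**
     * Extracts "keytype base64-key" from the line, starting at index {@code i}.
     * Anything after the key data (such as a comment) is ignored.
     *
     * <p>The key data is only checked for the {@code "AAAA"} prefix; it is not
     * decoded or otherwise validated here.
     *
     * @param str the full line
     * @param i   index at which to start looking for the key type
     * @return the key type and key data separated by a single space
     * @throws StreamCorruptedException if key type or key data are missing, or
     *                                  the key data does not start with "AAAA"
     */
    public static String parsePublicKey(String str, int i) throws StreamCorruptedException {
        int length = str.length();
        int pos = i;
        while (pos < length && Character.isWhitespace(str.charAt(pos))) {
            pos++;
        }
        if (pos >= length) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signAllowedSignersPublicKeyParsing, str.substring(i)));
        }

        int typeStart = pos;
        while (pos < length && !Character.isWhitespace(str.charAt(pos))) {
            pos++;
        }
        if (pos >= length) {
            // Key type runs to the end of the line: no key data follows.
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signAllowedSignersPublicKeyParsing, str.substring(typeStart)));
        }
        int typeEnd = pos;

        pos = typeEnd + 1;
        while (pos < length && Character.isWhitespace(str.charAt(pos))) {
            pos++;
        }
        int dataStart = pos;
        while (pos < length && !Character.isWhitespace(str.charAt(pos))) {
            pos++;
        }
        if (pos == dataStart) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signAllowedSignersPublicKeyParsing, str.substring(typeStart)));
        }

        String keyType = str.substring(typeStart, typeEnd);
        String keyData = str.substring(dataStart, pos);
        if (!keyData.startsWith("AAAA")) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signAllowedSignersPublicKeyParsing, str.substring(typeStart)));
        }
        return keyType + " " + keyData;
    }

    /**
     * Parses a {@code valid-after}/{@code valid-before} timestamp of the form
     * YYYYMMDD[HHMM[SS]][Z].
     *
     * <p>With a trailing upper-case {@code Z} the value is interpreted as UTC;
     * otherwise it is interpreted in the time zone reported by
     * {@link SystemReader}, so the same file can yield different instants on
     * hosts in different zones. A date without a time means start of day.
     *
     * @param str the timestamp text
     * @return the corresponding instant
     * @throws IllegalArgumentException if the text is shorter than 8 characters
     * @throws java.time.format.DateTimeParseException if the text does not
     *                                  match the expected format
     */
    static Instant parseDate(String str) {
        int length = str.length();
        if (length < 8) {
            throw new IllegalArgumentException(MessageFormat.format(
                    SshdText.get().signAllowedSignersInvalidDate, str));
        }
        boolean utc = str.charAt(length - 1) == 'Z';
        String text = utc ? str.substring(0, length - 1) : str;

        TemporalAccessor parsed = SSH_DATE_FORMAT.parseBest(text, LocalDateTime::from,
                LocalDate::from);
        LocalDateTime local;
        if (parsed instanceof LocalDateTime dateTime) {
            local = dateTime;
        } else {
            local = ((LocalDate) parsed).atStartOfDay();
        }
        if (utc) {
            return local.atOffset(ZoneOffset.UTC).toInstant();
        }
        return local.atZone(SystemReader.getInstance().getTimeZoneId()).toInstant();
    }

    /**
     * Extracts an option value starting at index {@code i}.
     *
     * <p>An unquoted value runs up to the next whitespace. A value starting
     * with a double quote runs to the next unescaped double quote; {@code \"}
     * yields a literal quote, and a backslash before any other character is
     * kept as-is.
     *
     * @param str the full line
     * @param i   index of the first character of the value
     * @return the value and the index at which to continue parsing; if
     *         {@code i} is at or beyond the end of the line, an empty value,
     *         which the callers in this class then reject as an empty
     *         namespace list or invalid date
     * @throws IllegalArgumentException if a quoted value is not terminated
     */
    static Dequoted dequote(String str, int i) {
        int length = str.length();
        if (i >= length) {
            // Option keyword at the very end of the line: report an empty
            // value instead of failing with an index error.
            return new Dequoted("", i);
        }
        if (str.charAt(i) != '"') {
            int end = i;
            while (end < length && !Character.isWhitespace(str.charAt(end))) {
                end++;
            }
            return new Dequoted(str.substring(i, end), end);
        }

        boolean escaped = false;
        int pos = i + 1;
        StringBuilder value = new StringBuilder();
        while (pos < length) {
            char ch = str.charAt(pos);
            if (ch == '"') {
                if (!escaped) {
                    break; // closing quote
                }
                value.append(ch);
                escaped = false;
            } else if (ch == '\\') {
                escaped = true;
            } else {
                if (escaped) {
                    // Backslash did not escape a quote: keep it literally.
                    value.append('\\');
                }
                value.append(ch);
                escaped = false;
            }
            pos++;
        }
        if (pos >= length) {
            throw new IllegalArgumentException(SshdText.get().signAllowedSignersUnterminatedQuote);
        }
        return new Dequoted(value.toString(), pos + 1);
    }
}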
