package com.google.gerrit.sshd;

import com.google.common.base.Throwables;
import com.google.common.util.concurrent.Atomics;
import com.google.gerrit.entities.Account;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.DynamicOptions;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.PeerDaemonUser;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.BaseCommand;
import com.google.gerrit.sshd.SshScope;
import com.google.inject.Inject;
import java.io.IOException;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.sshd.server.Environment;
import org.apache.sshd.server.channel.ChannelSession;
import org.apache.sshd.server.command.Command;
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.Option;

/* loaded from: input_file:com/google/gerrit/sshd/SuExec.class */
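/**
 * SSH command that runs another command under a different account.
 *
 * <p>The target account is given with {@code --as}; the remaining arguments form the command
 * that is dispatched inside a new sub-context of the calling SSH scope.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>{@link #checkCanRunAs()} runs before the command line is parsed, so a caller that is not
 *       allowed to impersonate never reaches option handling.
 *   <li>A {@link PeerDaemonUser} caller skips both the {@code auth.enableRunAs} switch and the
 *       {@link GlobalPermission#RUN_AS} check.
 *   <li>{@code --from} replaces the remote address of the new session with a caller-supplied
 *       value. NOTE(review): if that address feeds audit logs or address-based decisions
 *       downstream, it is only as trustworthy as the caller - confirm against the consumers.
 * </ul>
 */
public final class SuExec extends BaseCommand {
    private final SshScope sshScope;
    private final DispatchCommandProvider dispatcher;
    private final PermissionBackend permissionBackend;
    // Snapshot of AuthConfig.isRunAsEnabled() taken at construction time.
    private final boolean enableRunAs;
    // Not final: newSession() clears it when the caller is a PeerDaemonUser.
    private CurrentUser caller;
    private final SshSession session;
    private final IdentifiedUser.GenericFactory userFactory;
    private final SshScope.Context callingContext;

    // Account to impersonate; mandatory.
    @Option(name = "--as", required = true)
    private Account.Id accountId;

    // Optional override for the remote address of the impersonated session.
    @Option(name = "--from")
    private SocketAddress peerAddress;

    // The command to execute, one element per argument.
    @Argument(index = 0, multiValued = true, metaVar = "COMMAND")
    private List<String> args = new ArrayList<>();
    // Holds the dispatched command so destroy() can tear it down exactly once.
    private final AtomicReference<Command> atomicCmd = Atomics.newReference();

    @Inject
    SuExec(SshScope sshScope, @CommandName("") DispatchCommandProvider dispatchCommandProvider, PermissionBackend permissionBackend, CurrentUser currentUser, SshSession sshSession, IdentifiedUser.GenericFactory genericFactory, SshScope.Context context, AuthConfig authConfig) {
        this.sshScope = sshScope;
        this.dispatcher = dispatchCommandProvider;
        this.permissionBackend = permissionBackend;
        this.caller = currentUser;
        this.session = sshSession;
        this.userFactory = genericFactory;
        this.callingContext = context;
        this.enableRunAs = authConfig.isRunAsEnabled();
    }

    /**
     * Authorizes the caller, parses the command line and starts the wrapped command in a new
     * sub-context that carries the impersonated session.
     *
     * <p>An {@link BaseCommand.UnloggedFailure} is reported on the error stream (newline
     * terminated) and the command exits with status 1.
     *
     * @param channelSession channel the command runs on
     * @param environment SSH environment handed on to the wrapped command
     * @throws IOException if writing the failure message fails
     */
    public void start(ChannelSession channelSession, Environment environment) throws IOException {
        try {
            DynamicOptions dynamicOptions = new DynamicOptions(this.injector, this.dynamicBeans);
            try {
                // Authorization must stay ahead of parsing: no caller-supplied option is
                // interpreted for a caller that may not impersonate.
                checkCanRunAs();
                parseCommandLine(dynamicOptions);
                // set() hands back a context that is put back once the wrapped command started.
                SshScope.Context previous = this.sshScope.set(this.callingContext.subContext(newSession(), join(this.args)));
                try {
                    // NOTE(review): m11get() looks like a decompiler-generated name for the
                    // provider's accessor - confirm against DispatchCommandProvider.
                    DispatchCommand cmd = this.dispatcher.m11get();
                    cmd.setArguments(this.args.toArray(new String[0]));
                    provideStateTo(cmd);
                    this.atomicCmd.set(cmd);
                    cmd.start(channelSession, environment);
                } finally {
                    // Restore the scope on every path so the impersonated context does not
                    // outlive this call on the current thread.
                    this.sshScope.set(previous);
                }
            } finally {
                // Close on every path; previously a failed permission check or parse error
                // skipped close() and leaked the DynamicOptions instance.
                dynamicOptions.close();
            }
        } catch (BaseCommand.UnloggedFailure e) {
            String message = e.getMessage();
            if (!message.endsWith("\n")) {
                message = message + "\n";
            }
            this.err.write(message.getBytes(StandardCharsets.UTF_8));
            this.err.flush();
            onExit(1);
        }
    }

    /**
     * Decides whether the caller may impersonate another account.
     *
     * <p>A {@link PeerDaemonUser} is accepted unconditionally. Any other caller needs
     * {@code auth.enableRunAs} to be on and must hold {@link GlobalPermission#RUN_AS}.
     *
     * @throws BaseCommand.UnloggedFailure if impersonation is disabled, denied, or the
     *     permission backend fails
     */
    private void checkCanRunAs() throws BaseCommand.UnloggedFailure {
        if (this.caller instanceof PeerDaemonUser) {
            return;
        }
        if (!this.enableRunAs) {
            throw die("suexec disabled by auth.enableRunAs = false");
        }
        try {
            this.permissionBackend.user(this.caller).check(GlobalPermission.RUN_AS);
        } catch (AuthException e) {
            throw die("suexec not permitted", e);
        } catch (PermissionBackendException e2) {
            // Backend failure is reported as "not available", i.e. the request is refused
            // rather than allowed when the permission cannot be evaluated.
            throw die("suexec not available", e2);
        }
    }

    /**
     * Builds the session for the impersonated account.
     *
     * <p>The remote address is {@code --from} when given, otherwise the address of the calling
     * session. For a {@link PeerDaemonUser} caller the {@code caller} field is cleared, so
     * {@code null} is passed as the last argument of {@code runAs}.
     * NOTE(review): presumably that argument is the real user recorded for the impersonation -
     * confirm against IdentifiedUser.GenericFactory.
     *
     * @return a session derived from the calling one, bound to the {@code --as} account
     */
    private SshSession newSession() {
        SocketAddress remoteAddress = this.peerAddress == null ? this.session.getRemoteAddress() : this.peerAddress;
        if (this.caller instanceof PeerDaemonUser) {
            this.caller = null;
        }
        return new SshSession(this.session, remoteAddress, this.userFactory.runAs(remoteAddress, this.accountId, this.caller));
    }

    /**
     * Concatenates the arguments with single spaces.
     *
     * <p>A separator is written only once the buffer is non-empty, so leading empty arguments
     * contribute nothing; this differs from {@code String.join} and is kept as is.
     *
     * @param list arguments to concatenate
     * @return the joined command line
     */
    private static String join(List<String> list) {
        StringBuilder sb = new StringBuilder();
        for (String str : list) {
            if (sb.length() > 0) {
                sb.append(" ");
            }
            sb.append(str);
        }
        return sb.toString();
    }

    /**
     * Destroys the wrapped command, if one was started and has not been destroyed yet.
     *
     * @param channelSession channel the command ran on
     */
    @Override // com.google.gerrit.sshd.BaseCommand
    public void destroy(ChannelSession channelSession) {
        // getAndSet(null) makes the teardown one-shot even if destroy() is called repeatedly.
        Command andSet = this.atomicCmd.getAndSet(null);
        if (andSet != null) {
            try {
                andSet.destroy(channelSession);
            } catch (Exception e) {
                Throwables.throwIfUnchecked(e);
                throw new RuntimeException(e);
            }
        }
    }
}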
