package com.aoindustries.aoserv.daemon.net.ssh;

import com.aoindustries.aoserv.client.AOServConnector;
import com.aoindustries.aoserv.client.distribution.OperatingSystemVersion;
import com.aoindustries.aoserv.client.linux.Server;
import com.aoindustries.aoserv.client.net.AppProtocol;
import com.aoindustries.aoserv.client.net.Bind;
import com.aoindustries.aoserv.daemon.AOServDaemon;
import com.aoindustries.aoserv.daemon.AOServDaemonConfiguration;
import com.aoindustries.aoserv.daemon.unix.linux.PackageManager;
import com.aoindustries.aoserv.daemon.util.BuilderThread;
import com.aoindustries.aoserv.daemon.util.DaemonFileUtils;
import com.aoindustries.encoding.ChainWriter;
import com.aoindustries.io.unix.UnixFile;
import com.aoindustries.net.InetAddress;
import com.aoindustries.net.Protocol;
import com.aoindustries.selinux.SEManagePort;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.ProtocolFamily;
import java.net.StandardProtocolFamily;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;

/* loaded from: input_file:com/aoindustries/aoserv/daemon/net/ssh/SshdManager.class */
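/**
 * Generates {@code /etc/ssh/sshd_config} from the SSH {@link Bind}s configured for this
 * host and keeps the {@code sshd} service in step with it: the package is installed and
 * the service enabled when at least one bind exists, the service is disabled and stopped
 * when none remain, and it is reloaded/restarted whenever the generated file, the service
 * enablement or the SELinux port labelling changed.
 *
 * <p>The generated file is written atomically as root:root mode 0600. Non-default ports are
 * labelled {@code ssh_port_t} on CentOS 7 so that sshd may bind them under SELinux.
 *
 * <p>SECURITY NOTE(review): the generated configuration keeps password authentication
 * enabled (and, on CentOS 5, {@code PermitRootLogin yes}) on every configured bind. The only
 * brute-force mitigation expressed in this file is {@code MaxStartups}; anything stronger
 * (key-only root, fail2ban, firewalling of non-admin binds) has to come from elsewhere.
 * Those settings are left as-is here because existing operators may depend on them.
 *
 * <p>Rebuilds run on the {@link BuilderThread} after {@link #start()} registers this manager
 * as a listener on the net.Bind table and on package changes.
 */
public final class SshdManager extends BuilderThread {

    private static final Logger logger = Logger.getLogger(SshdManager.class.getName());

    /** Port sshd listens on by default; omitted from ListenAddress lines that use it. */
    private static final int DEFAULT_PORT = 22;

    /**
     * sshd {@code MaxStartups start:rate:full} (see sshd_config(5)): once 60 unauthenticated
     * connections are pending, new ones are refused with probability 30%, rising linearly to
     * 100% at 100 pending connections.
     */
    private static final String MAX_STARTUPS = "60:30:100";

    /** SELinux port type sshd is permitted to bind; every configured SSH port is labelled with it. */
    private static final String SELINUX_TYPE = "ssh_port_t";

    /** Path of the generated sshd configuration. */
    private static final String SSHD_CONFIG_PATH = "/etc/ssh/sshd_config";

    /** Mode of the generated configuration: readable and writable by root only. */
    private static final long SSHD_CONFIG_MODE = 0600;

    /** Pause between {@code stop} and {@code start} when a CentOS 5 {@code reload} fails. */
    private static final long RESTART_DELAY_MILLIS = 1000L;

    /**
     * {@link OperatingSystemVersion} primary keys this manager can configure. The values
     * were inlined by the compiler; they presumably correspond to the CentOS 5 and CentOS 7
     * constants of {@code OperatingSystemVersion} — confirm against the client library.
     */
    private static final int OSV_CENTOS_5 = 67;
    private static final int OSV_CENTOS_7 = 70;

    /** The running manager, or {@code null} until {@link #start()} creates it. */
    private static SshdManager sshdManager;

    /** Serializes rebuilds so two listener callbacks cannot race on sshd_config and service control. */
    private static final Object rebuildLock = new Object();

    private SshdManager() {
    }

    /**
     * Renders one {@code ListenAddress} argument: bare dotted-quad for IPv4, bracketed
     * literal for IPv6, with {@code :port} appended only when the port is not the default.
     *
     * @throws AssertionError if the address belongs to neither IPv4 nor IPv6
     */
    private static String formatListenAddress(InetAddress address, int port) {
        ProtocolFamily family = address.getProtocolFamily();
        String host;
        if (StandardProtocolFamily.INET.equals(family)) {
            host = address.toString();
        } else if (StandardProtocolFamily.INET6.equals(family)) {
            // sshd requires IPv6 literals in brackets so the port separator is unambiguous.
            host = "[" + address + "]";
        } else {
            throw new AssertionError("Unexpected family: " + family);
        }
        return (port == DEFAULT_PORT) ? host : host + ':' + port;
    }

    /**
     * Writes one {@code ListenAddress} line per bind. With no binds, sshd's wildcard
     * defaults are written commented out so the generated file still documents them.
     */
    private static void writeListenAddresses(Collection<? extends Bind> binds, ChainWriter out)
            throws SQLException, IOException {
        if (binds.isEmpty()) {
            out.print("#ListenAddress 0.0.0.0\n#ListenAddress ::\n");
            return;
        }
        for (Bind bind : binds) {
            String listen = formatListenAddress(bind.getIpAddress().getInetAddress(), bind.getPort().getPort());
            out.print("ListenAddress ").print(listen).print('\n');
        }
    }

    /**
     * Returns the umask as exactly-three-digit octal (e.g. {@code 022}) for sftp-server's
     * {@code -u} option.
     *
     * @param umask value in the range 0000..0777 inclusive
     * @throws IllegalArgumentException if the value is negative or exceeds 0777
     */
    private static String getSftpUmaskString(long umask) {
        if (umask < 0) {
            throw new IllegalArgumentException("sftpUmask < 0000 : " + Long.toOctalString(umask));
        }
        if (umask > 0777) {
            throw new IllegalArgumentException("sftpUmask > 0777 : " + Long.toOctalString(umask));
        }
        return String.format("%03o", umask);
    }

    /**
     * Appends {@code -u NNN} to the sftp Subsystem line when the server has an sftp umask
     * configured (anything other than -1).
     *
     * <p>NOTE(review): sftp-server's {@code -u} option only exists in newer OpenSSH releases;
     * confirm the CentOS 5 sftp-server accepts it before setting a umask there, otherwise
     * every sftp session would fail at subsystem startup.
     */
    private static void writeSftpUmaskOption(Server server, ChainWriter out) throws SQLException, IOException {
        long sftpUmask = server.getSftpUmask();
        if (sftpUmask != -1) {
            out.print(" -u ").print(getSftpUmaskString(sftpUmask));
        }
    }

    /**
     * Writes the CentOS 5 sshd_config.
     *
     * <p>SECURITY NOTE(review): {@code PermitRootLogin yes} together with
     * {@code PasswordAuthentication yes} allows root password logins from every configured
     * bind; {@code X11Forwarding yes} and the client-supplied {@code SCREEN_SESSION}
     * environment variable are likewise accepted. Left unchanged here — see class notes.
     */
    private static void writeConfigFileCentOS5(Server server, Collection<? extends Bind> binds, ChainWriter out)
            throws SQLException, IOException {
        out.print(
            "#\n"
            + "# This configuration file is automatically generated by\n"
            + "# " + SshdManager.class.getName() + "\n"
            + "#\n"
            + "Port " + DEFAULT_PORT + "\n"
            + "Protocol 2\n"
        );
        writeListenAddresses(binds, out);
        out.print(
            "AcceptEnv SCREEN_SESSION\n"
            + "SyslogFacility AUTHPRIV\n"
            + "PermitRootLogin yes\n"
            + "PasswordAuthentication yes\n"
            + "ChallengeResponseAuthentication no\n"
            + "GSSAPIAuthentication yes\n"
            + "GSSAPICleanupCredentials yes\n"
            + "UsePAM yes\n"
            + "AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES\n"
            + "AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT\n"
            + "AcceptEnv LC_IDENTIFICATION LC_ALL\n"
            + "MaxStartups " + MAX_STARTUPS + "\n"
            + "X11Forwarding yes\n"
            + "UsePrivilegeSeparation yes\n"
            + "Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE"
        );
        writeSftpUmaskOption(server, out);
        out.print('\n');
    }

    /**
     * Chooses the {@code AddressFamily} value for a non-empty set of binds: {@code inet},
     * {@code inet6}, or {@code any} when both families are present.
     *
     * @throws AssertionError on an unexpected family, or if the collection is empty
     */
    private static String addressFamilyFor(Collection<? extends Bind> binds) throws SQLException, IOException {
        boolean hasIpv4 = false;
        boolean hasIpv6 = false;
        for (Bind bind : binds) {
            ProtocolFamily family = bind.getIpAddress().getInetAddress().getProtocolFamily();
            if (StandardProtocolFamily.INET.equals(family)) {
                hasIpv4 = true;
            } else if (StandardProtocolFamily.INET6.equals(family)) {
                hasIpv6 = true;
            } else {
                throw new AssertionError("Unexpected family: " + family);
            }
            if (hasIpv4 && hasIpv6) {
                break; // answer cannot change any more
            }
        }
        if (hasIpv4 && hasIpv6) {
            return "any";
        }
        if (hasIpv4) {
            return "inet";
        }
        if (hasIpv6) {
            return "inet6";
        }
        throw new AssertionError();
    }

    /**
     * Writes the CentOS 7 sshd_config, which mirrors the stock RHEL 7 file with the
     * listen addresses, address family, authorized_keys location, logging facility,
     * password/GSSAPI settings, MaxStartups and sftp subsystem set explicitly.
     *
     * <p>SECURITY NOTE(review): {@code PermitRootLogin} is left commented, so the effective
     * value is whatever this OpenSSH build compiles in; setting it explicitly would make the
     * policy visible and version-independent. {@code GSSAPICleanupCredentials no} differs
     * from the CentOS 5 file and leaves delegated Kerberos credential caches on disk after
     * logout. {@code PasswordAuthentication yes} and {@code X11Forwarding yes} are explicit.
     * Left unchanged here — see class notes.
     */
    private static void writeConfigFileCentOS7(Server server, Collection<? extends Bind> binds, ChainWriter out)
            throws SQLException, IOException {
        out.print(
            "#\n"
            + "# This configuration file is automatically generated by\n"
            + "# " + SshdManager.class.getName() + "\n"
            + "#\n"
            + "\n"
            + "#\t$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $\n"
            + "\n"
            + "# This is the sshd server system-wide configuration file.  See\n"
            + "# sshd_config(5) for more information.\n"
            + "\n"
            + "# This sshd was compiled with PATH=/usr/local/bin:/usr/bin\n"
            + "\n"
            + "# The strategy used for options in the default sshd_config shipped with\n"
            + "# OpenSSH is to specify options with their default value where\n"
            + "# possible, but leave them commented.  Uncommented options override the\n"
            + "# default value.\n"
            + "\n"
            + "# If you want to change the port on a SELinux system, you have to tell\n"
            + "# SELinux about this change.\n"
            + "# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\n"
            + "#\n"
            + "Port " + DEFAULT_PORT + "\n"
        );
        if (binds.isEmpty()) {
            out.print("#AddressFamily any\n");
        } else {
            out.print("AddressFamily ").print(addressFamilyFor(binds)).print('\n');
        }
        writeListenAddresses(binds, out);
        out.print(
            "\n"
            + "HostKey /etc/ssh/ssh_host_rsa_key\n"
            + "#HostKey /etc/ssh/ssh_host_dsa_key\n"
            + "HostKey /etc/ssh/ssh_host_ecdsa_key\n"
            + "HostKey /etc/ssh/ssh_host_ed25519_key\n"
            + "\n"
            + "# Ciphers and keying\n"
            + "#RekeyLimit default none\n"
            + "\n"
            + "# Logging\n"
            + "#SyslogFacility AUTH\n"
            + "SyslogFacility AUTHPRIV\n"
            + "#LogLevel INFO\n"
            + "\n"
            + "# Authentication:\n"
            + "\n"
            + "#LoginGraceTime 2m\n"
            + "#PermitRootLogin yes\n"
            + "#StrictModes yes\n"
            + "#MaxAuthTries 6\n"
            + "#MaxSessions 10\n"
            + "\n"
            + "#PubkeyAuthentication yes\n"
            + "\n"
            + "# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2\n"
            + "# but this is overridden so installations will only check .ssh/authorized_keys\n"
            + "AuthorizedKeysFile\t.ssh/authorized_keys\n"
            + "\n"
            + "#AuthorizedPrincipalsFile none\n"
            + "\n"
            + "#AuthorizedKeysCommand none\n"
            + "#AuthorizedKeysCommandUser nobody\n"
            + "\n"
            + "# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts\n"
            + "#HostbasedAuthentication no\n"
            + "# Change to yes if you don't trust ~/.ssh/known_hosts for\n"
            + "# HostbasedAuthentication\n"
            + "#IgnoreUserKnownHosts no\n"
            + "# Don't read the user's ~/.rhosts and ~/.shosts files\n"
            + "#IgnoreRhosts yes\n"
            + "\n"
            + "# To disable tunneled clear text passwords, change to no here!\n"
            + "#PasswordAuthentication yes\n"
            + "#PermitEmptyPasswords no\n"
            + "PasswordAuthentication yes\n"
            + "\n"
            + "# Change to no to disable s/key passwords\n"
            + "#ChallengeResponseAuthentication yes\n"
            + "ChallengeResponseAuthentication no\n"
            + "\n"
            + "# Kerberos options\n"
            + "#KerberosAuthentication no\n"
            + "#KerberosOrLocalPasswd yes\n"
            + "#KerberosTicketCleanup yes\n"
            + "#KerberosGetAFSToken no\n"
            + "#KerberosUseKuserok yes\n"
            + "\n"
            + "# GSSAPI options\n"
            + "GSSAPIAuthentication yes\n"
            + "GSSAPICleanupCredentials no\n"
            + "#GSSAPIStrictAcceptorCheck yes\n"
            + "#GSSAPIKeyExchange no\n"
            + "#GSSAPIEnablek5users no\n"
            + "\n"
            + "# Set this to 'yes' to enable PAM authentication, account processing,\n"
            + "# and session processing. If this is enabled, PAM authentication will\n"
            + "# be allowed through the ChallengeResponseAuthentication and\n"
            + "# PasswordAuthentication.  Depending on your PAM configuration,\n"
            + "# PAM authentication via ChallengeResponseAuthentication may bypass\n"
            + "# the setting of \"PermitRootLogin without-password\".\n"
            + "# If you just want the PAM account and session checks to run without\n"
            + "# PAM authentication, then enable this but set PasswordAuthentication\n"
            + "# and ChallengeResponseAuthentication to 'no'.\n"
            + "# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several\n"
            + "# problems.\n"
            + "UsePAM yes\n"
            + "\n"
            + "#AllowAgentForwarding yes\n"
            + "#AllowTcpForwarding yes\n"
            + "#GatewayPorts no\n"
            + "X11Forwarding yes\n"
            + "#X11DisplayOffset 10\n"
            + "#X11UseLocalhost yes\n"
            + "#PermitTTY yes\n"
            + "#PrintMotd yes\n"
            + "#PrintLastLog yes\n"
            + "#TCPKeepAlive yes\n"
            + "#UseLogin no\n"
            + "#UsePrivilegeSeparation sandbox\n"
            + "#PermitUserEnvironment no\n"
            + "#Compression delayed\n"
            + "#ClientAliveInterval 0\n"
            + "#ClientAliveCountMax 3\n"
            + "#ShowPatchLevel no\n"
            + "#UseDNS yes\n"
            + "#PidFile /var/run/sshd.pid\n"
            + "MaxStartups " + MAX_STARTUPS + "\n"
            + "#PermitTunnel no\n"
            + "#ChrootDirectory none\n"
            + "#VersionAddendum none\n"
            + "\n"
            + "# no default banner path\n"
            + "#Banner none\n"
            + "\n"
            + "# Accept locale-related environment variables\n"
            + "AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES\n"
            + "AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT\n"
            + "AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE\n"
            + "AcceptEnv XMODIFIERS\n"
            + "\n"
            + "# Accept variable for auto-screen\n"
            + "AcceptEnv SCREEN_SESSION\n"
            + "\n"
            + "# override default of no subsystems\n"
            + "Subsystem\tsftp\t/usr/libexec/openssh/sftp-server -l VERBOSE"
        );
        writeSftpUmaskOption(server, out);
        out.print(
            "\n"
            + "\n"
            + "# Example of overriding settings on a per-user basis\n"
            + "#Match User anoncvs\n"
            + "#\tX11Forwarding no\n"
            + "#\tAllowTcpForwarding no\n"
            + "#\tPermitTTY no\n"
            + "#\tForceCommand cvs server\n"
        );
    }

    /** Error for an OS version this manager does not handle. */
    private static AssertionError unsupportedOs(OperatingSystemVersion osv) {
        return new AssertionError("Unsupported OperatingSystemVersion: " + osv);
    }

    /**
     * Collects the SSH binds sshd itself must serve on this host: binds carrying a TCP
     * redirect are skipped (presumably served by the redirect target instead — confirm).
     *
     * @throws SQLException if the SSH AppProtocol row is missing
     * @throws IOException  if a bind is not TCP; sshd cannot serve it
     */
    private static List<Bind> findSshdBinds(Server thisServer, AOServConnector connector)
            throws SQLException, IOException {
        AppProtocol ssh = connector.getNet().getAppProtocol().get("SSH");
        if (ssh == null) {
            throw new SQLException("AppProtocol not found: SSH");
        }
        List<Bind> binds = new ArrayList<>();
        for (Bind bind : thisServer.getHost().getNetBinds(ssh)) {
            if (bind.getNetTcpRedirect() != null) {
                continue;
            }
            Protocol protocol = bind.getPort().getProtocol();
            if (protocol != Protocol.TCP) {
                throw new IOException("Unsupported protocol for SSH: " + protocol);
            }
            binds.add(bind);
        }
        return binds;
    }

    /**
     * True when any bind uses a specific (non-loopback, non-wildcard) address. Such binds
     * presumably need the interface to be up before sshd starts, which is what the
     * after-network-online package arranges on CentOS 7 — confirm.
     */
    private static boolean hasSpecificAddressBind(Collection<? extends Bind> binds) throws SQLException, IOException {
        for (Bind bind : binds) {
            InetAddress address = bind.getIpAddress().getInetAddress();
            if (!address.isLoopback() && !address.isUnspecified()) {
                return true;
            }
        }
        return false;
    }

    /** Renders the sshd_config for the given OS into a byte array. */
    private static byte[] buildConfig(int osvPkey, OperatingSystemVersion osv, Server server,
            Collection<? extends Bind> binds) throws SQLException, IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ChainWriter out = new ChainWriter(bytes)) {
            if (osvPkey == OSV_CENTOS_5) {
                writeConfigFileCentOS5(server, binds, out);
            } else if (osvPkey == OSV_CENTOS_7) {
                writeConfigFileCentOS7(server, binds, out);
            } else {
                throw unsupportedOs(osv);
            }
        }
        // Only valid after close(): the writer is flushed into the stream by the try-with-resources.
        return bytes.toByteArray();
    }

    /** Marks sshd to start at boot. Arguments are passed as a vector, not through a shell. */
    private static void enableService(int osvPkey, OperatingSystemVersion osv) throws IOException {
        if (osvPkey == OSV_CENTOS_5) {
            AOServDaemon.exec("/sbin/chkconfig", "sshd", "on");
        } else if (osvPkey == OSV_CENTOS_7) {
            AOServDaemon.exec("/usr/bin/systemctl", "enable", "sshd.service");
        } else {
            throw unsupportedOs(osv);
        }
    }

    /** Disables sshd at boot and stops it now; used when no SSH binds remain. */
    private static void disableAndStopService(int osvPkey, OperatingSystemVersion osv) throws IOException {
        if (osvPkey == OSV_CENTOS_5) {
            AOServDaemon.exec("/sbin/chkconfig", "sshd", "off");
            AOServDaemon.exec("/etc/rc.d/init.d/sshd", "stop");
        } else if (osvPkey == OSV_CENTOS_7) {
            AOServDaemon.exec("/usr/bin/systemctl", "disable", "sshd.service");
            AOServDaemon.exec("/usr/bin/systemctl", "stop", "sshd.service");
        } else {
            throw unsupportedOs(osv);
        }
    }

    /**
     * Makes the running sshd pick up the new configuration. CentOS 5 tries a reload first
     * and falls back to stop/pause/start (a short window with no listener) if that fails;
     * CentOS 7 re-enables and restarts the unit.
     */
    private static void applyConfig(int osvPkey, OperatingSystemVersion osv) throws IOException {
        if (osvPkey == OSV_CENTOS_5) {
            try {
                AOServDaemon.exec("/etc/rc.d/init.d/sshd", "reload");
            } catch (IOException reloadFailure) {
                logger.log(Level.SEVERE, "sshd reload failed, falling back to stop/start", reloadFailure);
                try {
                    AOServDaemon.exec("/etc/rc.d/init.d/sshd", "stop");
                } catch (IOException stopFailure) {
                    // Best effort: still attempt the start below.
                    logger.log(Level.SEVERE, "sshd stop failed", stopFailure);
                }
                try {
                    Thread.sleep(RESTART_DELAY_MILLIS);
                } catch (InterruptedException interrupted) {
                    Thread.currentThread().interrupt(); // preserve the interrupt for the BuilderThread
                    logger.log(Level.WARNING, "interrupted while waiting to restart sshd", interrupted);
                }
                AOServDaemon.exec("/etc/rc.d/init.d/sshd", "start");
            }
        } else if (osvPkey == OSV_CENTOS_7) {
            AOServDaemon.exec("/usr/bin/systemctl", "enable", "sshd.service");
            AOServDaemon.exec("/usr/bin/systemctl", "restart", "sshd.service");
        } else {
            throw unsupportedOs(osv);
        }
    }

    /**
     * Performs one full reconciliation: package state, sshd_config contents, SELinux port
     * labels and service state.
     *
     * @return {@code true} on success; {@code false} if anything failed (the failure is
     *         logged at SEVERE and the caller is expected to retry later)
     */
    @Override // com.aoindustries.aoserv.daemon.util.BuilderThread
    protected boolean doRebuild() {
        try {
            Server thisServer = AOServDaemon.getThisServer();
            OperatingSystemVersion osv = thisServer.getHost().getOperatingSystemVersion();
            int osvPkey = osv.getPkey();
            AOServConnector connector = AOServDaemon.getConnector();
            synchronized (rebuildLock) {
                // Files (re)written during this rebuild whose SELinux labels must be restored.
                Set<UnixFile> restorecon = new LinkedHashSet<>();
                try {
                    List<Bind> binds = findSshdBinds(thisServer, connector);
                    boolean hasSpecificAddress = hasSpecificAddressBind(binds);
                    // Set whenever something changed that the running sshd has not seen yet.
                    AtomicBoolean needsReload = new AtomicBoolean(false);

                    if (!binds.isEmpty()) {
                        // The callback runs only when the package was actually installed just now.
                        PackageManager.installPackage(PackageManager.PackageName.OPENSSH_SERVER, () -> {
                            try {
                                enableService(osvPkey, osv);
                                needsReload.set(true);
                            } catch (IOException e) {
                                throw new UncheckedIOException(e);
                            }
                        });
                        if (hasSpecificAddress && osvPkey == OSV_CENTOS_7) {
                            PackageManager.installPackage(PackageManager.PackageName.SSHD_AFTER_NETWORK_ONLINE);
                        }
                    }

                    boolean sshdInstalled =
                        PackageManager.getInstalledPackage(PackageManager.PackageName.OPENSSH_SERVER) != null;
                    if (!binds.isEmpty() && !sshdInstalled) {
                        throw new AssertionError(PackageManager.PackageName.OPENSSH_SERVER + " not installed");
                    }

                    if (sshdInstalled) {
                        // Written root:root 0600 via rename so a partially written file is never live.
                        byte[] config = buildConfig(osvPkey, osv, thisServer, binds);
                        if (DaemonFileUtils.atomicWrite(
                            new UnixFile(SSHD_CONFIG_PATH), config, SSHD_CONFIG_MODE, 0, 0, null, restorecon
                        )) {
                            needsReload.set(true);
                        }
                    }
                    DaemonFileUtils.restorecon(restorecon);
                    restorecon.clear();

                    if (osvPkey != OSV_CENTOS_5) {
                        if (osvPkey != OSV_CENTOS_7) {
                            throw unsupportedOs(osv);
                        }
                        // semanage lives in this package; label every configured port so an
                        // enforcing policy lets sshd bind the non-default ones.
                        PackageManager.installPackage(PackageManager.PackageName.POLICYCOREUTILS_PYTHON);
                        if (SEManagePort.configure(
                            binds.stream().map(Bind::getPort).collect(Collectors.toCollection(TreeSet::new)),
                            SELINUX_TYPE
                        )) {
                            needsReload.set(true);
                        }
                    }

                    if (sshdInstalled) {
                        if (binds.isEmpty()) {
                            disableAndStopService(osvPkey, osv);
                        } else if (needsReload.get()) {
                            applyConfig(osvPkey, osv);
                        }
                    }

                    if (!hasSpecificAddress && osvPkey == OSV_CENTOS_7
                        && AOServDaemonConfiguration.isPackageManagerUninstallEnabled()) {
                        PackageManager.removePackage(PackageManager.PackageName.SSHD_AFTER_NETWORK_ONLINE);
                    }
                } finally {
                    // Also runs on failure so a file written before the error is not left mislabelled.
                    DaemonFileUtils.restorecon(restorecon);
                }
            }
            return true;
        } catch (ThreadDeath td) {
            throw td;
        } catch (Throwable t) {
            // Boundary of the builder thread: report and let the scheduler retry.
            logger.log(Level.SEVERE, "sshd configuration rebuild failed", t);
            return false;
        }
    }

    /**
     * Creates the singleton manager and registers it as a listener on the net.Bind table and
     * on package changes, if the manager is enabled in the daemon configuration and the OS
     * version is one this manager supports. Idempotent: a second call is a no-op.
     */
    public static void start() throws IOException, SQLException {
        OperatingSystemVersion osv = AOServDaemon.getThisServer().getHost().getOperatingSystemVersion();
        int osvPkey = osv.getPkey();
        synchronized (System.out) {
            // These OS versions are skipped silently; presumably ones where sshd is managed
            // elsewhere or not at all — confirm against the OperatingSystemVersion table.
            if (osvPkey == 63 || osvPkey == 64 || osvPkey == 69) {
                return;
            }
            if (!AOServDaemonConfiguration.isManagerEnabled(SshdManager.class) || sshdManager != null) {
                return;
            }
            System.out.print("Starting SshdManager: ");
            if (osvPkey == OSV_CENTOS_5 || osvPkey == OSV_CENTOS_7) {
                AOServConnector connector = AOServDaemon.getConnector();
                sshdManager = new SshdManager();
                connector.getNet().getBind().addTableListener(sshdManager, 0L);
                PackageManager.addPackageListener(sshdManager);
                System.out.println("Done");
            } else {
                System.out.println("Unsupported OperatingSystemVersion: " + osv);
            }
        }
    }

    @Override // com.aoindustries.aoserv.daemon.util.BuilderThread
    public String getProcessTimerDescription() {
        return "Rebuild SSH Configuration";
    }
}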
