package org.springframework.integration.sftp.session;

import java.io.IOException;
import java.net.SocketAddress;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.TreeSet;
import java.util.function.Supplier;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.sshd.client.config.hosts.KnownHostEntry;
import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier;
import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.common.config.keys.AuthorizedKeyEntry;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.net.SshdSocketAddress;
import org.springframework.core.io.Resource;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-integration-sftp-6.3.7.jar:org/springframework/integration/sftp/session/ResourceKnownHostsServerKeyVerifier.class */
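/**
 * A {@link ServerKeyVerifier} that accepts a server key only when it is listed for the
 * target host in a known-hosts file supplied as a Spring {@link Resource}.
 *
 * <p>The entries are read lazily on the first verification and memoized via
 * {@link GenericUtils#memoizeLock(Supplier)}. If the resource cannot be read or parsed,
 * the supplier yields an empty collection and every server key is rejected (fail closed).
 * NOTE(review): because the supplier is memoized, that empty result is presumably cached
 * too, so a transient read failure would keep rejecting connections until this verifier
 * is re-created; confirm against the {@code memoizeLock} contract.
 */
public class ResourceKnownHostsServerKeyVerifier implements ServerKeyVerifier {
    private static final Log logger = LogFactory.getLog(ResourceKnownHostsServerKeyVerifier.class);
    private final Supplier<Collection<KnownHostsServerKeyVerifier.HostEntryPair>> keysSupplier;

    /**
     * Creates a verifier backed by the given known-hosts resource.
     *
     * @param resource the known-hosts content; must not be {@code null}
     */
    public ResourceKnownHostsServerKeyVerifier(Resource resource) {
        Assert.notNull(resource, "'knownHostsResource' must not be null");
        this.keysSupplier = GenericUtils.memoizeLock(getKnownHostSupplier(resource));
    }

    /**
     * Decides whether the key presented by the server is trusted for the host being contacted.
     *
     * <p>The key is accepted only if at least one known-hosts entry for the host carries the
     * same key and no entry for the host marks that key as {@code revoked}. A revoked entry
     * takes precedence over any other entry listing the same key, so a stale duplicate line
     * cannot re-enable a key that was explicitly revoked.
     *
     * @param clientSession the session being established
     * @param socketAddress the remote address of the server
     * @param publicKey the host key presented by the server
     * @return {@code true} if the key is listed for the host and not revoked, otherwise {@code false}
     */
    @Override
    public boolean verifyServerKey(ClientSession clientSession, SocketAddress socketAddress, PublicKey publicKey) {
        List<KnownHostsServerKeyVerifier.HostEntryPair> hostMatches =
                findKnownHostEntries(clientSession, socketAddress, this.keysSupplier.get());
        if (hostMatches.isEmpty()) {
            // Unknown host (or no usable known-hosts data): never trust on first use.
            return false;
        }
        String keyType = KeyUtils.getKeyType(publicKey);
        if (keyType == null) {
            // NOTE(review): assumes getKeyType may return null for a key type it does not
            // recognise; reject explicitly rather than fail with a NullPointerException below.
            return false;
        }
        boolean trusted = false;
        for (KnownHostsServerKeyVerifier.HostEntryPair candidate : hostMatches) {
            KnownHostEntry hostEntry = candidate.getHostEntry();
            if (!keyType.equals(hostEntry.getKeyEntry().getKeyType())) {
                continue;
            }
            if (!KeyUtils.compareKeys(candidate.getServerKey(), publicKey)) {
                continue;
            }
            if ("revoked".equals(hostEntry.getMarker())) {
                // Revocation wins over any other entry that lists the same key.
                logger.warn("Rejecting " + keyType + " server key for " + socketAddress
                        + ": the key is marked as revoked in the known hosts");
                return false;
            }
            trusted = true;
        }
        return trusted;
    }

    /**
     * Builds the supplier that reads and parses the known-hosts resource on demand.
     * Any failure is logged and mapped to an empty collection, which makes the verifier
     * reject every key.
     */
    private static Supplier<Collection<KnownHostsServerKeyVerifier.HostEntryPair>> getKnownHostSupplier(Resource resource) {
        return () -> {
            try {
                // The 'true' flag is the okToClose argument: the reader closes the stream.
                List<KnownHostEntry> entries = KnownHostEntry.readKnownHostEntries(resource.getInputStream(), true);
                List<KnownHostsServerKeyVerifier.HostEntryPair> pairs = new ArrayList<>(entries.size());
                for (KnownHostEntry entry : entries) {
                    pairs.add(new KnownHostsServerKeyVerifier.HostEntryPair(entry, resolveHostKey(entry)));
                }
                return pairs;
            } catch (Exception e) {
                logger.warn("Known hosts cannot be loaded from the: " + resource, e);
                return Collections.emptyList();
            }
        };
    }

    /**
     * Resolves the public key stored in a known-hosts entry.
     *
     * @throws IllegalArgumentException if the entry carries no key
     */
    private static PublicKey resolveHostKey(KnownHostEntry knownHostEntry) throws IOException, GeneralSecurityException {
        AuthorizedKeyEntry keyEntry = knownHostEntry.getKeyEntry();
        Assert.notNull(keyEntry, () -> "No key extracted from " + knownHostEntry);
        // NOTE(review): with the IGNORING resolver an unsupported key type presumably resolves
        // to null instead of failing the whole load; such an entry can then never match.
        return keyEntry.resolvePublicKey(null, PublicKeyEntryResolver.IGNORING);
    }

    /**
     * Selects the known-hosts entries whose host pattern matches one of the network
     * identities of the server being contacted.
     *
     * @return the matching entries, or an empty list when nothing matches
     */
    private static List<KnownHostsServerKeyVerifier.HostEntryPair> findKnownHostEntries(ClientSession clientSession, SocketAddress socketAddress, Collection<KnownHostsServerKeyVerifier.HostEntryPair> collection) {
        if (GenericUtils.isEmpty((Collection<?>) collection)) {
            return Collections.emptyList();
        }
        Collection<SshdSocketAddress> identities = resolveHostNetworkIdentities(clientSession, socketAddress);
        if (GenericUtils.isEmpty((Collection<?>) identities)) {
            return Collections.emptyList();
        }
        List<KnownHostsServerKeyVerifier.HostEntryPair> matches = new ArrayList<>();
        for (KnownHostsServerKeyVerifier.HostEntryPair pair : collection) {
            KnownHostEntry hostEntry = pair.getHostEntry();
            // A bounded for-each: the scan ends when the identities are exhausted, so an
            // entry that matches none of them is skipped instead of spinning forever.
            for (SshdSocketAddress identity : identities) {
                if (hostEntry.isHostMatch(identity.getHostName(), identity.getPort())) {
                    matches.add(pair);
                    break;
                }
            }
        }
        return matches;
    }

    /**
     * Collects the addresses under which the server may be listed: the remote socket
     * address and the address the session was asked to connect to. The sorted set
     * de-duplicates them by host and port.
     */
    private static Collection<SshdSocketAddress> resolveHostNetworkIdentities(ClientSession clientSession, SocketAddress socketAddress) {
        Collection<SshdSocketAddress> candidates = new TreeSet<>(SshdSocketAddress.BY_HOST_AND_PORT);
        candidates.add(SshdSocketAddress.toSshdSocketAddress(socketAddress));
        candidates.add(SshdSocketAddress.toSshdSocketAddress(clientSession.getConnectAddress()));
        return candidates;
    }
}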
