package com.adobe.granite.jetty.ssl.internal;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreService;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.felix.http.jetty.ConnectorFactory;
import org.apache.sling.adapter.Adaption;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.osgi.service.metatype.annotations.Option;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

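/**
 * Jetty {@link ConnectorFactory} that creates an HTTPS {@link ServerConnector} whose key and
 * trust material is taken from the Granite {@link KeyStoreService} of a configured repository
 * user (the "keystore user").
 *
 * <p>Configuration is read once in {@link #activate}; every value is looked up in the component
 * configuration first and in the framework properties of the same name second. The keystore
 * password may be stored in its {@link CryptoSupport}-protected form and is unprotected on
 * activation.
 *
 * <p>The component requires a configuration ({@link ConfigurationPolicy#REQUIRE}). The extra
 * {@code Adaption} reference named {@code "ignore"} is never read; presumably it only delays
 * activation until {@code ResourceResolver} can be adapted to a {@code UserManager}, which the
 * key store lookup needs — confirm against the {@link KeyStoreService} implementation.
 */
@Designate(ocd = GraniteSslConnectorFactory.Config.class)
@Component(service = {ConnectorFactory.class}, configurationPolicy = ConfigurationPolicy.REQUIRE, reference = {@Reference(service = Adaption.class, name = "ignore", target = "(&(adaptables=org.apache.sling.api.resource.ResourceResolver)(adapters=org.apache.jackrabbit.api.security.user.UserManager))")}, property = {"service.vendor=Adobe"})
public class GraniteSslConnectorFactory implements ConnectorFactory {
    private static final Logger LOG = LoggerFactory.getLogger(GraniteSslConnectorFactory.class);

    /** Service-user mapping subservice name used to impersonate the keystore user. */
    private static final String AUTHENTICATION_SERVICE = "authentication-service";
    private static final int DEFAULT_PORT = 8443;
    private static final String PROP_PORT = "com.adobe.granite.jetty.ssl.port";
    private static final String PROP_KEYSTORE_USER = "com.adobe.granite.jetty.ssl.keystore.user";
    private static final String PROP_KEYSTORE_PASSWORD = "com.adobe.granite.jetty.ssl.keystore.password";
    private static final String PROP_EXCLUDED_SUITES = "com.adobe.granite.jetty.ssl.ciphersuites.excluded";
    private static final String PROP_INCLUDED_SUITES = "com.adobe.granite.jetty.ssl.ciphersuites.included";
    private static final String NONE_CLIENT_CERT = "none";
    private static final String WANTS_CLIENT_CERT = "wants";
    private static final String NEEDS_CLIENT_CERT = "needs";
    private static final String PROP_CLIENT_CERT = "com.adobe.granite.jetty.ssl.client.certificate";

    /** Authentication-info key under which an existing JCR session is handed to the resolver factory. */
    private static final String AUTH_INFO_SESSION = "user.jcr.session";

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private KeyStoreService keyStoreService;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ResourceResolverFactory resourceResolverFactory;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private SlingRepository slingRepository;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private CryptoSupport cryptoSupport;

    // Values resolved in activate(); see the PROP_* constants for their property names.
    private int port;
    private String keyStoreUser;
    // Clear-text keystore password after unprotection; used only to init the KeyManagerFactory.
    private String keyStorePassword;
    private String[] excludeCiphers;
    private String[] includeCiphers;
    // One of NONE_CLIENT_CERT / WANTS_CLIENT_CERT / NEEDS_CLIENT_CERT; other values behave like "none".
    private String clientCert;

    /**
     * Metatype definition of the connector configuration. Method names map to the
     * {@code com.adobe.granite.jetty.ssl.*} property names used in {@link #activate}.
     */
    @ObjectClassDefinition(description = "Factory for the SSL Connector", name = "Adobe Granite SSL Connector Factory")
    public @interface Config {
        @AttributeDefinition(name = "HTTPS Port", description = "Port to listen on for HTTPS requests. Defaults to 8443.")
        int com_adobe_granite_jetty_ssl_port() default DEFAULT_PORT;

        @AttributeDefinition(name = "Keystore User", description = "The userID of the Keystore user")
        String com_adobe_granite_jetty_ssl_keystore_user();

        @AttributeDefinition(name = "Keystore Password", description = "Password to access the Keystore.", type = AttributeType.PASSWORD)
        String com_adobe_granite_jetty_ssl_keystore_password();

        @AttributeDefinition(name = "Excluded cipher suites", description = "List of cipher suites that should be excluded. Default is none.")
        String[] com_adobe_granite_jetty_ssl_ciphersuites_excluded();

        @AttributeDefinition(name = "Included cipher suites", description = "List of cipher suites that should be included. Default is none.")
        String[] com_adobe_granite_jetty_ssl_ciphersuites_included();

        @AttributeDefinition(name = "Client Certificate", description = "Requirement for the Client to provide a valid certificate. Defaults to none.", options = {@Option(label = "No Client Certificate", value = GraniteSslConnectorFactory.NONE_CLIENT_CERT), @Option(label = "Client Certificate Wanted", value = GraniteSslConnectorFactory.WANTS_CLIENT_CERT), @Option(label = "Client Certificate Needed", value = GraniteSslConnectorFactory.NEEDS_CLIENT_CERT)})
        String com_adobe_granite_jetty_ssl_client_certificate() default NONE_CLIENT_CERT;
    }

    /**
     * Reads the connector configuration into the fields of this component.
     *
     * @param bundleContext framework context consulted for properties missing from {@code map}
     * @param map component configuration properties
     * @throws CryptoException if the keystore password is protected and cannot be unprotected
     */
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) throws CryptoException {
        this.port = PropertiesUtil.toInteger(getProperty(bundleContext, map, PROP_PORT), DEFAULT_PORT);
        this.keyStoreUser = PropertiesUtil.toString(getProperty(bundleContext, map, PROP_KEYSTORE_USER), "");
        String password = PropertiesUtil.toString(getProperty(bundleContext, map, PROP_KEYSTORE_PASSWORD), "");
        // The configured value may be the CryptoSupport-protected form; store the clear text
        // because KeyManagerFactory needs it in createConnector().
        this.keyStorePassword = this.cryptoSupport.isProtected(password)
                ? this.cryptoSupport.unprotect(password)
                : password;
        this.excludeCiphers = getArrayProperty(PropertiesUtil.toStringArray(getProperty(bundleContext, map, PROP_EXCLUDED_SUITES), (String[]) null));
        this.includeCiphers = getArrayProperty(PropertiesUtil.toStringArray(getProperty(bundleContext, map, PROP_INCLUDED_SUITES), (String[]) null));
        this.clientCert = PropertiesUtil.toString(getProperty(bundleContext, map, PROP_CLIENT_CERT), NONE_CLIENT_CERT);
    }

    /**
     * Creates the HTTPS connector for {@code server}.
     *
     * <p>Key and trust managers are initialised from the key store and trust store of the
     * configured keystore user, obtained through a service session that is closed again before
     * this method returns (also on failure). Cipher-suite include/exclude lists and the client
     * certificate requirement are applied to the Jetty {@link SslContextFactory}.
     *
     * @param server the Jetty server the connector belongs to
     * @return a configured, not yet started, {@link ServerConnector} listening on the configured port
     * @throws RuntimeException if the session, the key stores or the SSL context cannot be set up;
     *         the original exception is kept as the cause
     */
    @Override
    public Connector createConnector(Server server) {
        LOG.debug("createConnector: creating connection using keyStore for user {}", this.keyStoreUser);
        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
        if (this.excludeCiphers != null && this.excludeCiphers.length > 0) {
            sslContextFactory.setExcludeCipherSuites(this.excludeCiphers);
        }
        if (this.includeCiphers != null && this.includeCiphers.length > 0) {
            sslContextFactory.setIncludeCipherSuites(this.includeCiphers);
        }
        if (NEEDS_CLIENT_CERT.equals(this.clientCert)) {
            sslContextFactory.setNeedClientAuth(true);
        } else if (WANTS_CLIENT_CERT.equals(this.clientCert)) {
            sslContextFactory.setWantClientAuth(true);
        }
        // Any other value, including NONE_CLIENT_CERT, leaves client authentication disabled.

        Session session = null;
        ResourceResolver resourceResolver = null;
        try {
            session = getSession();
            resourceResolver = getResourceResolver(session);

            KeyStore keyStore = this.keyStoreService.getKeyStore(resourceResolver);
            if (keyStore == null) {
                // Without a key store the connector would start but be unable to complete any
                // handshake; fail early with a message that names the misconfigured user.
                throw new IllegalStateException("No keystore found for keystore user " + this.keyStoreUser);
            }
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SslContextFactory.DEFAULT_KEYMANAGERFACTORY_ALGORITHM);
            keyManagerFactory.init(keyStore, this.keyStorePassword.toCharArray());

            KeyStore trustStore = this.keyStoreService.getTrustStore(resourceResolver);
            if (trustStore == null) {
                // TrustManagerFactory.init(null) falls back to the JDK's default trust material,
                // which matters when client certificates are wanted/needed: make that visible.
                LOG.warn("createConnector: no trust store found for keystore user {}, using JDK default trust material", this.keyStoreUser);
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SslContextFactory.DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM);
            trustManagerFactory.init(trustStore);

            // Protocol and cipher selection stays with Jetty's SslContextFactory, which applies
            // its include/exclude lists on top of the context handed in here.
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
            sslContextFactory.setSslContext(sslContext);
        } catch (Exception e) {
            throw new RuntimeException("Exception while creating connector", e);
        } finally {
            // Release the resolver first, then the session it wraps; the logout runs even if
            // closing the resolver throws.
            try {
                if (resourceResolver != null) {
                    resourceResolver.close();
                }
            } finally {
                if (session != null) {
                    session.logout();
                }
            }
        }

        ServerConnector serverConnector = new ServerConnector(server, sslContextFactory, new ConnectionFactory[]{getHTTPConnectionFactory(server)});
        serverConnector.setPort(this.port);
        return serverConnector;
    }

    /**
     * Finds the {@link HttpConnectionFactory} of the server's existing plain {@link ServerConnector}
     * so the HTTPS connector shares its HTTP configuration.
     *
     * <p>If no such connector exists (or it carries no {@link HttpConnectionFactory}) a default
     * factory is returned instead; a {@code null} connection factory cannot be used by
     * {@link ServerConnector}, which is what the previous implementation handed it in that case.
     *
     * <p>NOTE(review): whether requests on the HTTPS connector report {@code isSecure()} and the
     * {@code https} scheme depends on the shared {@code HttpConfiguration} carrying a
     * {@code SecureRequestCustomizer}; that is configured by the Felix Jetty service, not here —
     * confirm.
     *
     * @param server the server whose connectors are inspected
     * @return the shared factory of the last matching connector, or a new default factory
     */
    private HttpConnectionFactory getHTTPConnectionFactory(Server server) {
        HttpConnectionFactory found = null;
        for (Connector connector : server.getConnectors()) {
            // Exact class match: subclasses of ServerConnector are deliberately not considered.
            if (connector.getClass().equals(ServerConnector.class)) {
                HttpConnectionFactory candidate = connector.getConnectionFactory(HttpConnectionFactory.class);
                if (candidate != null) {
                    found = candidate;
                }
            }
        }
        if (found == null) {
            LOG.warn("getHTTPConnectionFactory: no ServerConnector with an HttpConnectionFactory found, using default HTTP configuration for the SSL connector");
            found = new HttpConnectionFactory();
        }
        return found;
    }

    /**
     * Opens a resource resolver on top of an already authenticated JCR session.
     *
     * @param session the session of the keystore user
     * @return a resolver wrapping {@code session}; the caller closes it
     * @throws LoginException if the resolver factory refuses the session
     */
    private ResourceResolver getResourceResolver(Session session) throws LoginException {
        Map<String, Object> authenticationInfo = new HashMap<String, Object>();
        authenticationInfo.put(AUTH_INFO_SESSION, session);
        return this.resourceResolverFactory.getResourceResolver(authenticationInfo);
    }

    /**
     * Impersonates the configured keystore user from the {@value #AUTHENTICATION_SERVICE}
     * service user in the default workspace.
     *
     * @return a session for the keystore user; the caller logs it out
     * @throws javax.jcr.LoginException if impersonation is not permitted
     * @throws RepositoryException on other repository errors
     */
    private Session getSession() throws javax.jcr.LoginException, RepositoryException {
        // Empty password: the caller is identified by the service user, not by credentials.
        return this.slingRepository.impersonateFromService(AUTHENTICATION_SERVICE, new SimpleCredentials(this.keyStoreUser, new char[0]), (String) null);
    }

    /**
     * Looks up a property in the component configuration, falling back to the framework
     * property of the same name.
     *
     * @param bundleContext framework context used for the fallback
     * @param map component configuration
     * @param name property name
     * @return the configured value, the framework property, or {@code null} if neither is set
     */
    private Object getProperty(BundleContext bundleContext, Map<String, Object> map, String name) {
        Object value = map.get(name);
        return value != null ? value : bundleContext.getProperty(name);
    }

    /**
     * Drops blank entries from a configured string array and trims the remaining ones.
     *
     * @param values configured values, possibly {@code null} or empty
     * @return {@code values} itself when {@code null} or empty, otherwise a new array of the
     *         trimmed non-blank entries
     */
    private String[] getArrayProperty(String[] values) {
        if (values == null || values.length == 0) {
            return values;
        }
        List<String> kept = new ArrayList<String>(values.length);
        for (String value : values) {
            // Null elements and whitespace-only entries are ignored; trimming keeps stray
            // spaces in the configuration from defeating the cipher-suite match.
            if (value != null && !value.trim().isEmpty()) {
                kept.add(value.trim());
            }
        }
        return kept.toArray(new String[kept.size()]);
    }
}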
