package com.adobe.granite.repository.hc.impl;

import java.io.IOException;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.hc.api.HealthCheck;
import org.apache.sling.hc.api.Result;
import org.apache.sling.hc.util.FormattingResultLog;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

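/**
 * Health check that reports well-known default credentials which are still usable.
 *
 * <p>Two things are checked on every {@link #execute()}:
 * <ul>
 *   <li>repository accounts: for each configured {@code user:password} pair whose user exists,
 *       a real repository login is attempted; a successful login is reported as a warning;</li>
 *   <li>OSGi web console: the stored {@code username}/{@code password} of every
 *       {@code OsgiManager} configuration is compared with the configured console logins.</li>
 * </ul>
 *
 * <p>The configured pairs are credentials. They are never written to the component log or to
 * the health check result in clear text; only the user id is reported.
 */
@Designate(ocd = DefaultLoginsHealthCheck.HealthCheckConfiguration.class)
@Component(service = {HealthCheck.class}, property = {"hc.name=Default Login Accounts", "hc.mbean.name=defaultLogins"})
/* loaded from: input_file:com/adobe/granite/repository/hc/impl/DefaultLoginsHealthCheck.class */
public class DefaultLoginsHealthCheck implements HealthCheck {
    private final Logger log = LoggerFactory.getLogger(getClass());
    private static final String DEFAULT_ADMIN_LOGIN = "admin:admin";
    private static final String DEFAULT_AUTHOR_LOGIN = "author:author";
    private static final String DEFAULT_OSGI_CONSOLE_LOGIN = "admin:admin";
    private static final String OSGI_MANAGER_SERVICE_PID = "org.apache.felix.webconsole.internal.servlet.OsgiManager";
    private static final String OSGI_MANAGER_CONFIG_URL = "/system/console/configMgr/" + OSGI_MANAGER_SERVICE_PID;
    private static final String SERVICE_NAME = "user-reader-service";

    // NOTE(review): looks like the unsalted SHA-256 (Base64) under which the web console stores
    // the default password; confirm. Only this exact stored form is recognised as "default".
    static final String DEFAULT_HASHED_PASSWORD = "{sha-256}jGl25bVBBBW96Qi9Te4V37Fnqchz/Eu4qB9vKrRIqRg=";

    // Raw "user:password" strings from the component configuration. Treat as secrets.
    private List<String> accountLogins;
    private List<String> consoleLogins;

    @Reference
    private SlingRepository repository;

    @Reference
    private ConfigurationAdmin configurationAdmin;

    @ObjectClassDefinition(name = "Adobe Granite Repository Default Login Health Check")
    /* loaded from: input_file:com/adobe/granite/repository/hc/impl/DefaultLoginsHealthCheck$HealthCheckConfiguration.class */
    public @interface HealthCheckConfiguration {
        @AttributeDefinition(name = "Health Check Tags", description = "Health Check Tags")
        String[] hc_tags() default {"login", "security", "production"};

        @AttributeDefinition(name = "Logins", description = "The logins to check")
        String[] account_logins() default {"admin:admin", "author:author"};

        @AttributeDefinition(name = "Console Logins", description = "The logins for the console to check")
        String[] console_logins() default {"admin:admin"};
    }

    /**
     * Reads the configured logins when the component starts.
     *
     * @param healthCheckConfiguration the component configuration
     */
    @Activate
    public void activate(HealthCheckConfiguration healthCheckConfiguration) {
        initializeConfigs(healthCheckConfiguration);
        // The configured entries carry passwords, so only the redacted form reaches the log.
        this.log.info("Activated, accountLogins={}, consoleLogins={}",
                redactAll(this.accountLogins), redactAll(this.consoleLogins));
    }

    /**
     * Re-reads the configured logins after a configuration change.
     *
     * @param healthCheckConfiguration the updated component configuration
     */
    @Modified
    public void modified(HealthCheckConfiguration healthCheckConfiguration) {
        initializeConfigs(healthCheckConfiguration);
    }

    private void initializeConfigs(HealthCheckConfiguration healthCheckConfiguration) {
        this.accountLogins = Arrays.asList(healthCheckConfiguration.account_logins());
        this.consoleLogins = Arrays.asList(healthCheckConfiguration.console_logins());
    }

    /**
     * Runs both checks and returns everything they logged as the health check result.
     *
     * @return the result built from the messages recorded by the two checks
     */
    @Override
    public Result execute() {
        FormattingResultLog resultLog = new FormattingResultLog();
        checkSystemLoginAccounts(resultLog);
        checkConsoleAdminPassword(resultLog);
        return new Result(resultLog);
    }

    /**
     * Attempts a repository login for every configured account pair whose user exists.
     *
     * @param resultLog receives one message per checked pair plus a summary
     * @return {@code true} only if at least one pair was checked and no login succeeded;
     *         {@code false} also when the repository could not be queried
     */
    private boolean checkSystemLoginAccounts(FormattingResultLog resultLog) {
        int checked = 0;
        int succeeded = 0;
        for (Map.Entry<String, String> entry : getLoginEntries(this.accountLogins, resultLog)) {
            checked++;
            String userId = entry.getKey();
            Session serviceSession = null;
            try {
                serviceSession = this.repository.loginService(SERVICE_NAME, (String) null);
                boolean userExists =
                        ((JackrabbitSession) serviceSession).getUserManager().getAuthorizable(userId) != null;
                if (!userExists) {
                    resultLog.debug("The user with id {} does not exist.", userId);
                    continue;
                }
                if (defaultLoginSucceeds(userId, entry.getValue(), resultLog)) {
                    succeeded++;
                }
            } catch (RepositoryException e) {
                // Covers lookup failures and any login failure that is not an authentication
                // rejection: the check could not be carried out, which is not a pass.
                this.log.debug("Default login check aborted", e);
                resultLog.warn("Could not verify users and could not test system account logins.");
                return false;
            } finally {
                if (serviceSession != null) {
                    serviceSession.logout();
                }
            }
        }
        if (checked == 0) {
            resultLog.warn("No login checks were performed. Configured account logins: {}.",
                    redactAll(this.accountLogins));
        } else if (succeeded != 0) {
            resultLog.debug("It is strongly recommended to change the default admin accounts for CQ.");
            resultLog.debug("[You can change the admin account passwords via the User Admin.](/libs/granite/security/content/useradmin.html)");
            resultLog.debug("[Check the 'Changing the CQ Admin Password' section in the security guidelines.](https://www.adobe.com/go/aem6_4_docs_security_adminpass_en)");
        }
        return checked != 0 && succeeded == 0;
    }

    /**
     * Tries one credential pair against the repository and always closes the session it opens.
     *
     * @param userId    the account to test
     * @param password  the default password to test; never written to the result
     * @param resultLog receives the outcome for this pair
     * @return {@code true} if the login was accepted
     * @throws RepositoryException if the login failed for a reason other than rejected
     *         credentials, so that the caller reports the check as not performed
     */
    private boolean defaultLoginSucceeds(String userId, String password, FormattingResultLog resultLog)
            throws RepositoryException {
        Session session = null;
        try {
            session = this.repository.login(new SimpleCredentials(userId, password.toCharArray()));
            if (session == null) {
                resultLog.debug("Login as [{}] didn't throw an Exception but returned null Session.", userId);
                return false;
            }
            resultLog.warn("Login as [{}] with the configured default password succeeded, was expected to fail.",
                    userId);
            return true;
        } catch (javax.jcr.LoginException e) {
            // Only a rejected login counts as the expected outcome.
            resultLog.debug("Login as [{}] failed, as expected.", userId);
            return false;
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /**
     * Compares the stored OSGi web console credentials with the configured console logins.
     *
     * @param resultLog receives the findings
     * @return {@code true} only if at least one console login was configured and none of them
     *         matched a stored configuration; {@code false} also when no {@code OsgiManager}
     *         configuration exists or the configurations could not be listed
     */
    private boolean checkConsoleAdminPassword(FormattingResultLog resultLog) {
        final Configuration[] configurations;
        try {
            configurations = this.configurationAdmin.listConfigurations(
                    "(service.pid=" + OSGI_MANAGER_SERVICE_PID + ")");
        } catch (IOException | InvalidSyntaxException e) {
            this.log.debug("Listing the OSGI console configuration failed", e);
            resultLog.warn("Could not get OSGI Management Bundle configuration and could not test OSGI console logins.");
            return false;
        }
        if (configurations == null || configurations.length == 0) {
            // No stored configuration at all: the console was never reconfigured.
            resultLog.warn("The default OSGI console credentials were not changed. It is strongly recommended to change them.");
            resultLog.warn("[You can change the OSGI admin password via the configuration of the Apache Felix OSGI Management Console.]({})",
                    OSGI_MANAGER_CONFIG_URL);
            resultLog.debug("[Check the 'Changing the OSGI Web Console Admin Password' section in the security guideline.](https://www.adobe.com/go/aem6_4_docs_security_osgipass_en)");
            return false;
        }

        List<Map.Entry<String, String>> entries = getLoginEntries(this.consoleLogins, resultLog);
        boolean defaultInUse = false;
        for (Configuration configuration : configurations) {
            Dictionary<String, ?> properties = configuration.getProperties();
            // NOTE(review): a configuration without these properties compares as "" and is
            // reported as changed; presumably the console then falls back to its built-in
            // defaults, which would make that a false negative. Verify against the console.
            String storedUser = PropertiesUtil.toString(properties.get("username"), "");
            String storedPassword = PropertiesUtil.toString(properties.get("password"), "");
            for (Map.Entry<String, String> entry : entries) {
                // The stored value is matched against the known default hash and against the
                // configured password itself, in case it is stored unhashed (assumption: the
                // console accepts a clear-text value; confirm).
                boolean defaultPassword = storedPassword.equals(DEFAULT_HASHED_PASSWORD)
                        || storedPassword.equals(entry.getValue());
                if (storedUser.equals(entry.getKey()) && defaultPassword) {
                    resultLog.warn("The default admin password for the OSGI console was not changed. It is strongly recommended to change the default admin credentials for the OSGI console.");
                    defaultInUse = true;
                } else {
                    resultLog.debug("The OSGI console admin password was changed, as expected.");
                }
            }
        }
        if (entries.isEmpty()) {
            resultLog.debug("No login checks were performed for the OSGI console.");
        } else if (defaultInUse) {
            resultLog.warn("[You can change the OSGI admin password via the configuration of the Apache Felix OSGI Management Console.]({})",
                    OSGI_MANAGER_CONFIG_URL);
            resultLog.debug("[Check the 'Changing the OSGI Web Console Admin Password' section in the security guideline.](https://www.adobe.com/go/aem6_4_docs_security_osgipass_en)");
        }
        return !entries.isEmpty() && !defaultInUse;
    }

    /**
     * Parses {@code user:password} strings into (user, password) pairs.
     *
     * <p>The string is split at the first colon only, so a password may itself contain colons.
     * Both parts are trimmed. An entry without a colon, or with an empty user or password, is
     * reported in redacted form and skipped.
     *
     * @param list      the configured entries; {@code null} is treated as empty
     * @param resultLog receives a warning for each malformed entry
     * @return the well-formed pairs, in configuration order
     */
    private List<Map.Entry<String, String>> getLoginEntries(List<String> list, FormattingResultLog resultLog) {
        List<Map.Entry<String, String>> entries = new ArrayList<>();
        if (list == null) {
            return entries;
        }
        for (String login : list) {
            int separator = login == null ? -1 : login.indexOf(':');
            String userId = separator < 0 ? "" : login.substring(0, separator).trim();
            String password = separator < 0 ? "" : login.substring(separator + 1).trim();
            if (userId.isEmpty() || password.isEmpty()) {
                resultLog.warn("Expected login in the form username:password, got {}.", redact(login));
            } else {
                entries.add(new AbstractMap.SimpleEntry<>(userId, password));
            }
        }
        return entries;
    }

    /** Returns the entry with everything after the first colon replaced by a marker. */
    private static String redact(String login) {
        if (login == null) {
            return "null";
        }
        int separator = login.indexOf(':');
        return separator < 0 ? login : login.substring(0, separator) + ":<redacted>";
    }

    /** Redacts every entry of the list; {@code null} yields an empty list. */
    private static List<String> redactAll(List<String> logins) {
        List<String> redacted = new ArrayList<>();
        if (logins != null) {
            for (String login : logins) {
                redacted.add(redact(login));
            }
        }
        return redacted;
    }
}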
