package com.adobe.granite.security.user.ui.internal.servlets;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
import com.adobe.granite.keystore.KeyStoreService;
import com.adobe.granite.security.user.SSLConfigurationService;
import com.adobe.granite.ui.components.HtmlResponse;
import com.adobe.granite.xss.XSSAPI;
import com.day.cq.i18n.I18n;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.Dictionary;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Objects;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.osgi.services.HttpClientBuilderFactory;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.discovery.DiscoveryService;
import org.apache.sling.hc.api.HealthCheck;
import org.apache.sling.hc.api.Result;
import org.apache.sling.hc.util.FormattingResultLog;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

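/**
 * Admin-only servlet, service and health check for the HTTPS listener of the instance.
 *
 * <p>Registered at {@link #SERVLET_PATH}:
 * <ul>
 *   <li>{@code GET} reports whether the SSL connector configuration and the {@code ssl-service}
 *       key store entry exist and whether the configured HTTPS port answers a HEAD request.</li>
 *   <li>{@code POST} takes an unencrypted PKCS#8 (DER) RSA private key plus one or more X.509
 *       certificates (the JDK X.509 factory accepts DER and PEM), stores them under the
 *       {@code ssl-service} user's key store, writes the Granite SSL connector configuration
 *       (with the key store password protected via {@link CryptoSupport}) and turns off the
 *       Felix HTTP HTTPS listener so only the Granite connector serves TLS.</li>
 * </ul>
 * Every request path first passes {@link #checkAuthorized(ResourceResolver)}, which requires the
 * session user to be an administrator; the health check uses the {@code sslService} service user
 * instead.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Passwords arrive as request parameters and are therefore already {@code String}s inside the
 *       request; the {@code char[]} wiping done here is best-effort and does not remove those copies.</li>
 *   <li>The post-setup self-probe deliberately trusts self-signed certificates and skips hostname
 *       verification (see {@link #validateConnectivity}); it only ever targets the host taken from the
 *       connector configuration or the local discovery endpoint, which administrators control.</li>
 *   <li>Exception messages are echoed back to the (administrative) caller; {@link HtmlResponse} is
 *       given the {@link XSSAPI} for encoding.</li>
 * </ul>
 */
@Designate(ocd = SSLHealthCheckConfiguration.class)
@Component(immediate = true, service = {Servlet.class, SSLConfigurationService.class, HealthCheck.class}, property = {"sling.servlet.paths=/libs/granite/security/post/sslSetup.html", "sling.servlet.methods=GET", "sling.servlet.methods=POST", "hc.name=SSL Configuration", "hc.mbean.name=sslConfig"})
public class SSLConfigurationServlet extends SlingAllMethodsServlet implements SSLConfigurationService, HealthCheck {
    public static final String SERVLET_PATH = "/libs/granite/security/post/sslSetup.html";
    public static final String PARAM_KEYSTORE_PASSWORD = "keystorePassword";
    public static final String PARAM_KEYSTORE_PASSWORD_CONFIRM = "keystorePasswordConfirm";
    public static final String PARAM_TRUSTSTORE_PASSWORD = "truststorePassword";
    public static final String PARAM_TRUSTSTORE_PASSWORD_CONFIRM = "truststorePasswordConfirm";
    public static final String PARAM_HTTPS_PORT = "httpsPort";
    public static final String PARAM_PRIVATE_KEY_FILE = "privatekeyFile";
    public static final String PARAM_CERTIFICATE_FILE = "certificateFile";
    public static final String PARAM_HTTPS_HOSTNAME = "httpsHostname";
    public static final String SSL_CONFIG_VERIFICATION_FAILED = "SSL configuration verification failed";
    public static final String UNAUTHORIZED_ACCESS_TO_SSL_CONFIG = "Unauthorized access to SSL configuration";
    public static final String SSL_CONFIG_VERIFIED = "SSL configuration verified";
    static final String SSL_CONNECTOR_FACTORY_CONFIGURATION_PID = "com.adobe.granite.jetty.ssl.internal.GraniteSslConnectorFactory";
    static final String SSL_CONNECTOR_FACTORY_PARAM_HTTPS_PORT = "com.adobe.granite.jetty.ssl.port";
    static final String SSL_CONNECTOR_FACTORY_PARAM_HTTPS_HOSTNAME = "com.adobe.granite.jetty.ssl.hostname";
    static final String SSL_CONNECTOR_FACTORY_PARAM_KEYSTORE_USER = "com.adobe.granite.jetty.ssl.keystore.user";
    static final String SSL_CONNECTOR_FACTORY_PARAM_KEYSTORE_PASSWORD = "com.adobe.granite.jetty.ssl.keystore.password";
    static final String SSL_CONNECTOR_FACTORY_PARAM_CIPHERS_INCLUDED = "com.adobe.granite.jetty.ssl.ciphersuites.included";
    static final String SSL_CONNECTOR_FACTORY_PARAM_CIPHERS_EXCLUDED = "com.adobe.granite.jetty.ssl.ciphersuites.excluded";
    private static final String HTTP_SERVICE_CONFIGURATION_PID = "org.apache.felix.http";
    private static final String HTTP_SERVICE_PARAM_HTTPS_ENABLE = "org.apache.felix.https.enable";
    private static final String SERVICE_PID = "service.pid";
    /** Bundle location passed to ConfigurationAdmin; "?" means the configuration is not bound to one bundle. */
    static final String BUNDLE_LOCATION = "?";
    private static final String SERVICE_USER_MAPPING_NAME = "sslService";
    private static final int SSL_CONNECTOR_FACTORY_HTTPS_PORT_MIN = 1;
    private static final int SSL_CONNECTOR_FACTORY_HTTPS_PORT_MAX = 65535;
    /** Connect and socket timeout (ms) for the HTTPS self-probe. */
    private static final int SSL_CONNECT_TIMEOUT = 10000;
    /** System user whose key store holds the server key; also the connector's configured key store user. */
    private static final String KEYSTORE_USER = "ssl-service";
    /** Alias of the private-key entry inside that key store. */
    private static final String KEYSTORE_ALIAS = "ssl-service";
    /**
     * Pause between writing the connector configuration and probing the port. Presumably gives
     * ConfigurationAdmin time to push the update to the connector factory — the exact value is
     * empirical, not derived from any documented guarantee.
     */
    private static final long CONFIG_PROPAGATION_DELAY_MS = 250L;

    @Reference
    private SlingRepository repository = null;

    @Reference
    private ResourceResolverFactory resolverFactory = null;

    @Reference
    private KeyStoreService keyStoreService = null;

    @Reference
    private ConfigurationAdmin configurationAdmin = null;

    @Reference
    private DiscoveryService discoveryService = null;

    @Reference
    private HttpClientBuilderFactory builderFactory = null;

    @Reference
    private XSSAPI xssapi = null;

    @Reference
    private CryptoSupport cryptoSupport = null;

    private static final Logger log = LoggerFactory.getLogger(SSLConfigurationServlet.class);

    /**
     * Cipher suites written to the connector's include list.
     *
     * <p>NOTE(review): the list mixes forward-secret ECDHE suites with legacy static-RSA ({@code TLS_RSA_*})
     * and CBC/SHA-1 suites and contains no TLS 1.3 suites. Four of these entries end in {@code _SHA} and are
     * also matched by the first exclude pattern below; if the connector applies excludes after includes
     * (Jetty's documented behaviour) those four are never offered — confirm against the connector factory
     * before treating this list as the effective policy.
     */
    private static final String[] SSL_CONNECTOR_FACTORY_INCLUDED_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"};
    /** Cipher suite names / regexes written to the connector's exclude list (MD5, SHA-1, DES, RC4, export). */
    private static final String[] SSL_CONNECTOR_FACTORY_EXCLUDED_CIPHERS = {"^.*_RSA_.*_(MD5|SHA|SHA1)$", "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "^.*_RC4_.*", "^.*_DES_.*"};

    /** Metatype for the health-check side of this component; only the tags are configurable. */
    @ObjectClassDefinition(name = "SSL Configuration Health Check")
    public @interface SSLHealthCheckConfiguration {
        @AttributeDefinition(name = "Health Check Tags", description = "Health Check Tags")
        String[] hc_tags() default {"security", "production", "ssl"};
    }

    /**
     * DS activation hook. The configuration only carries {@code hc.tags}, which the health-check
     * framework reads from the component properties itself, so nothing is done here.
     */
    @Activate
    protected void activate(SSLHealthCheckConfiguration configuration) {
    }

    /**
     * Health check: reports OK when the connector is configured, the key store entry exists and the HTTPS
     * port answers; WARN when only part of that holds; HEALTH_CHECK_ERROR when the OSGi configuration or the
     * service user session cannot be obtained.
     *
     * <p>The probe runs in strict mode (no self-signed trust), so a self-signed server certificate yields a WARN.
     * {@link #getHost()} may throw {@link IllegalArgumentException} when no endpoint is known; that propagates
     * to the health-check framework unchanged.
     *
     * @return the aggregated health-check result
     */
    public Result execute() {
        FormattingResultLog resultLog = new FormattingResultLog();
        ResourceResolver serviceResolver = null;
        try {
            serviceResolver = this.resolverFactory.getServiceResourceResolver(Collections.singletonMap("sling.service.subservice", SERVICE_USER_MAPPING_NAME));
            if (validateConfiguration(serviceResolver)) {
                try {
                    if (validateConnectivity(false, getHost(), getHttpsPort())) {
                        resultLog.info("A valid SSL configuration was found.");
                    } else {
                        resultLog.warn("SSL was configured, but we failed to connect to the HTTPS port. Check the error.log.");
                    }
                } catch (IOException e) {
                    resultLog.warn("SSL was configured, but we failed connecting to the HTTPS port (strict SSL mode, your certificate may be self-signed). ERROR: {}", e.getMessage());
                }
            } else {
                resultLog.warn("SSL has not yet been configured. Please use the SSL Wizard under Operations to configure an HTTPS listener.");
            }
        } catch (IOException e) {
            resultLog.healthCheckError("Unable to access OSGi SSL configuration: {}", e.getMessage());
        } catch (LoginException e) {
            resultLog.healthCheckError("Failed obtaining SSL service user session to check configuration: {}", e.getMessage());
        } finally {
            // Always release the service session, including when validateConfiguration() throws.
            if (serviceResolver != null && serviceResolver.isLive()) {
                serviceResolver.close();
            }
        }
        return new Result(resultLog);
    }

    /**
     * Service-API entry point: is HTTPS configured and reachable?
     *
     * @param resourceResolver resolver of the calling user; must adapt to an administrative {@link User}
     * @return {@code true} when configuration, key store entry and connectivity all check out; {@code false}
     *         otherwise, including when reading the OSGi configuration fails (logged)
     * @throws SecurityException if the calling user is not an administrator
     */
    public boolean isSSLConfigured(ResourceResolver resourceResolver) throws SecurityException {
        checkAuthorized(resourceResolver);
        try {
            return internalIsSSLConfigured(resourceResolver);
        } catch (IOException e) {
            log.error("Error checking SSL configuration status: ", e);
            return false;
        }
    }

    /**
     * Reports the current SSL status as an {@link HtmlResponse} (200 when verified, 500 otherwise).
     * Any failure, including authorization failure, is rendered as an error page carrying the exception message.
     */
    protected void doGet(@Nonnull SlingHttpServletRequest request, @Nonnull SlingHttpServletResponse response) throws ServletException, IOException {
        I18n i18n = new I18n(request);
        HtmlResponse status;
        try {
            ResourceResolver resolver = request.getResourceResolver();
            checkAuthorized(resolver);
            boolean configured = internalIsSSLConfigured(resolver);
            String title;
            String description;
            if (configured) {
                title = SSL_CONFIG_VERIFIED;
                description = i18n.get("The SSL configuration appears to be valid and is listening on port {0}", "", new Object[]{String.valueOf(getHttpsPort())});
            } else {
                title = SSL_CONFIG_VERIFICATION_FAILED;
                description = i18n.get("The SSL configuration appears to be invalid. Check the error log.");
            }
            status = createStatusResponse(this.xssapi, i18n, request.getLocale(), configured, i18n.get(title), description, "/");
        } catch (Exception e) {
            log.error("Error while checking SSL configuration: ", e);
            status = failureResponse(i18n, request.getLocale(), e, "Please translate the various exceptions that may be thrown");
        }
        status.send(response, true);
    }

    /**
     * Performs the SSL setup: validates parameters, creates trust/key stores, stores key and certificate
     * chain, writes the connector configuration, probes the port and disables the Felix HTTPS listener.
     *
     * <p>The results of the post-setup {@link #validateConfiguration} / {@link #validateConnectivity} calls are
     * not surfaced: as in the original flow, the success page is shown once the configuration has been written,
     * and a failed probe only appears in the log. Password buffers are wiped in {@code finally} so they are
     * cleared on error paths too (best-effort, see class notes).
     */
    protected void doPost(@Nonnull SlingHttpServletRequest request, @Nonnull SlingHttpServletResponse response) throws ServletException, IOException {
        I18n i18n = new I18n(request);
        HtmlResponse status;
        char[] keyStorePassword = null;
        char[] keyStorePasswordConfirm = null;
        char[] trustStorePassword = null;
        char[] trustStorePasswordConfirm = null;
        try {
            ResourceResolver resolver = request.getResourceResolver();
            checkAuthorized(resolver);
            RequestParameter privateKeyParam = request.getRequestParameter(PARAM_PRIVATE_KEY_FILE);
            RequestParameter[] certificateParams = request.getRequestParameters(PARAM_CERTIFICATE_FILE);
            keyStorePassword = getPasswordValue(request, PARAM_KEYSTORE_PASSWORD);
            keyStorePasswordConfirm = getPasswordValue(request, PARAM_KEYSTORE_PASSWORD_CONFIRM);
            trustStorePassword = getPasswordValue(request, PARAM_TRUSTSTORE_PASSWORD);
            trustStorePasswordConfirm = getPasswordValue(request, PARAM_TRUSTSTORE_PASSWORD_CONFIRM);
            String hostname = getParamValue(request, PARAM_HTTPS_HOSTNAME);
            int httpsPort = NumberUtils.toInt(getParamValue(request, PARAM_HTTPS_PORT));
            validateParameters(privateKeyParam, certificateParams, keyStorePassword, keyStorePasswordConfirm, trustStorePassword, trustStorePasswordConfirm, hostname, httpsPort);
            createTrustStoreAndKeyStore(resolver, keyStorePassword, trustStorePassword, i18n);
            storeKeyAndCertificate(resolver, privateKeyParam, certificateParams, i18n);
            configureSSLConnectorFactory(hostname, httpsPort, keyStorePassword);
            Thread.sleep(CONFIG_PROPAGATION_DELAY_MS);
            validateConfiguration(resolver);
            validateConnectivity(true, getHost(), httpsPort);
            ensureFelixHttpsDisabled();
            status = createStatusResponse(this.xssapi, i18n, request.getLocale(), true, i18n.get("SSL successfully configured"), i18n.get("HTTPS has been configured on port {0}. The private key and certificate were stored in the key store of the user {1}. Please take note of the key store password you provided. You will need it for any subsequent updating of the private key or certificate.", "", new Object[]{String.valueOf(httpsPort), KEYSTORE_USER}), "/");
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the container can still observe it.
            Thread.currentThread().interrupt();
            log.error("Error while configuring SSL: ", e);
            status = failureResponse(i18n, request.getLocale(), e, "Please translate the various IllegalArgumentExceptions that may be thrown");
        } catch (Exception e) {
            log.error("Error while configuring SSL: ", e);
            status = failureResponse(i18n, request.getLocale(), e, "Please translate the various IllegalArgumentExceptions that may be thrown");
        } finally {
            wipe(keyStorePassword);
            wipe(keyStorePasswordConfirm);
            wipe(trustStorePassword);
            wipe(trustStorePasswordConfirm);
        }
        status.send(response, true);
    }

    /** Builds the 500 error page that echoes the exception message (translated via the given hint). */
    @Nonnull
    private HtmlResponse failureResponse(@Nonnull I18n i18n, @Nonnull Locale locale, @Nonnull Exception e, @Nonnull String translationHint) {
        return createStatusResponse(this.xssapi, i18n, locale, false, i18n.get("{0}", translationHint, new Object[]{e.getMessage()}), "", "");
    }

    /** Zeroes a password buffer; tolerates {@code null}. */
    private static void wipe(@Nullable char[] secret) {
        if (secret != null) {
            Arrays.fill(secret, (char) 0);
        }
    }

    /**
     * Rejects incomplete or inconsistent setup parameters before anything is written.
     *
     * @throws IllegalArgumentException with a user-facing message when the key or any certificate upload is
     *         missing or is a plain form field, a password is empty or its confirmation differs, the hostname
     *         parameter is absent, or the port is outside 1..65535
     */
    private void validateParameters(@Nullable RequestParameter privateKeyParam, @Nullable RequestParameter[] certificateParams, @Nullable char[] keyStorePassword, @Nullable char[] keyStorePasswordConfirm, @Nullable char[] trustStorePassword, @Nullable char[] trustStorePasswordConfirm, @Nullable String hostname, int httpsPort) {
        if (privateKeyParam == null || privateKeyParam.isFormField() || ArrayUtils.isEmpty(certificateParams)) {
            throw new IllegalArgumentException("Private key or certificate empty or not a file");
        }
        for (RequestParameter certificateParam : certificateParams) {
            if (certificateParam == null || certificateParam.isFormField()) {
                throw new IllegalArgumentException("Private key or certificate empty or not a file");
            }
        }
        if (ArrayUtils.isEmpty(keyStorePassword)) {
            throw new IllegalArgumentException("Empty key store password");
        }
        if (ArrayUtils.isEmpty(trustStorePassword)) {
            throw new IllegalArgumentException("Empty trust store password");
        }
        // Plain comparison is fine here: both values come from the same request, nothing stored is compared.
        if (!Arrays.equals(keyStorePassword, keyStorePasswordConfirm)) {
            throw new IllegalArgumentException("Key store password confirmation does not match");
        }
        if (!Arrays.equals(trustStorePassword, trustStorePasswordConfirm)) {
            throw new IllegalArgumentException("Trust store password confirmation does not match");
        }
        // A null hostname would otherwise fail with an NPE from Hashtable.put() after the key store was written.
        if (hostname == null) {
            throw new IllegalArgumentException("HTTPS hostname missing");
        }
        if (httpsPort < SSL_CONNECTOR_FACTORY_HTTPS_PORT_MIN || httpsPort > SSL_CONNECTOR_FACTORY_HTTPS_PORT_MAX) {
            throw new IllegalArgumentException("HTTPS TCP Port empty or out of range");
        }
        log.info("Configuring SSL with validated parameters: keystore={}, httpsPort={}", KEYSTORE_USER, Integer.valueOf(httpsPort));
    }

    /**
     * Creates the global trust store if absent and the {@code ssl-service} key store.
     *
     * <p>The trust store password is only used when the trust store does not exist yet; for an existing trust
     * store it is neither used nor verified. Per the original handling, {@code createKeyStore} signals
     * "exists with a different password" as {@link SecurityException}.
     *
     * @throws IllegalArgumentException (translated) when the key store exists and the password does not match
     */
    private void createTrustStoreAndKeyStore(@Nonnull ResourceResolver resolver, @Nonnull char[] keyStorePassword, @Nonnull char[] trustStorePassword, @Nonnull I18n i18n) {
        try {
            if (!this.keyStoreService.trustStoreExists(resolver)) {
                this.keyStoreService.createTrustStore(resolver, trustStorePassword);
            }
            this.keyStoreService.createKeyStore(resolver, KEYSTORE_USER, keyStorePassword);
            log.debug("Key store for user [{}] successfully accessed", KEYSTORE_USER);
        } catch (SecurityException e) {
            log.error("Key store for user [{}] already exists, but wrong password provided.", KEYSTORE_USER);
            throw new IllegalArgumentException(i18n.get("Invalid password for existing key store"), e);
        }
    }

    /**
     * Parses the uploaded key and certificates and stores them as one private-key entry.
     *
     * <p>The key must be an unencrypted PKCS#8 DER RSA key; certificates are parsed by the JDK X.509 factory
     * in upload order, the first one being treated as the leaf (as {@code KeyStore} expects). Before storing,
     * the leaf certificate's RSA modulus is compared with the private key's so a mismatched pair is rejected
     * here instead of surfacing as handshake failures later; the check is skipped if the key object is not an
     * {@link RSAPrivateKey} (provider-specific key types).
     *
     * @throws IllegalArgumentException (translated) for an unparseable key, an unparseable certificate, or a
     *         certificate that does not belong to the key
     */
    private void storeKeyAndCertificate(@Nonnull ResourceResolver resolver, @Nonnull RequestParameter privateKeyParam, @Nonnull RequestParameter[] certificateParams, @Nonnull I18n i18n) throws NoSuchAlgorithmException, InvalidKeySpecException, CertificateException, IOException {
        PrivateKey privateKey;
        try (InputStream keyStream = privateKeyParam.getInputStream()) {
            privateKey = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(IOUtils.toByteArray(keyStream)));
        } catch (InvalidKeySpecException e) {
            log.error("The provided file [{}] is not a valid key, DER format expected.", privateKeyParam.getFileName(), e);
            throw new IllegalArgumentException(i18n.get("The provided file is not a valid key, DER format expected"), e);
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = new X509Certificate[certificateParams.length];
        for (int index = 0; index < certificateParams.length; index++) {
            RequestParameter certificateParam = certificateParams[index];
            try (InputStream certificateStream = certificateParam.getInputStream()) {
                chain[index] = (X509Certificate) certificateFactory.generateCertificate(certificateStream);
            } catch (CertificateException e) {
                // Log the offending certificate upload, not the key upload.
                log.error("The provided file [{}] is not a valid certificate.", certificateParam.getFileName(), e);
                throw new IllegalArgumentException(i18n.get("The provided file is not a valid certificate"), e);
            }
        }
        if (privateKey instanceof RSAPrivateKey) {
            PublicKey leafPublicKey = chain[0].getPublicKey();
            boolean matches = leafPublicKey instanceof RSAPublicKey
                    && ((RSAPublicKey) leafPublicKey).getModulus().equals(((RSAPrivateKey) privateKey).getModulus());
            if (!matches) {
                log.error("The provided certificate [{}] does not match the provided private key [{}].", certificateParams[0].getFileName(), privateKeyParam.getFileName());
                throw new IllegalArgumentException(i18n.get("The provided certificate does not match the provided private key"));
            }
        }
        this.keyStoreService.addKeyStoreKeyEntry(resolver, KEYSTORE_USER, KEYSTORE_ALIAS, privateKey, chain);
        log.info("Stored key and certificate in keystore for user [{}], under alias [{}].", KEYSTORE_USER, KEYSTORE_ALIAS);
    }

    /**
     * Writes the Granite SSL connector factory configuration: port, hostname, key store user, the key store
     * password protected with {@link CryptoSupport#protect(String)}, and the cipher include/exclude lists.
     * Existing properties of the configuration are kept and only these keys are overwritten.
     *
     * <p>The password has to pass through a {@code String} for {@code protect()}; that copy cannot be wiped.
     * The password itself is never logged.
     *
     * @param hostname hostname/interface for the listener; must not be {@code null}
     * @param httpsPort TCP port for the listener
     * @param keyStorePassword password of the {@code ssl-service} key store
     * @throws NullPointerException if {@code hostname} is {@code null}
     * @throws IOException if ConfigurationAdmin cannot read or persist the configuration
     * @throws CryptoException if the password cannot be protected
     */
    void configureSSLConnectorFactory(String hostname, int httpsPort, @Nonnull char[] keyStorePassword) throws IOException, CryptoException {
        Objects.requireNonNull(hostname, "hostname");
        Configuration configuration = this.configurationAdmin.getConfiguration(SSL_CONNECTOR_FACTORY_CONFIGURATION_PID, BUNDLE_LOCATION);
        Dictionary<String, Object> properties = configuration.getProperties();
        if (properties == null) {
            properties = new Hashtable<>();
        }
        properties.put(SSL_CONNECTOR_FACTORY_PARAM_HTTPS_PORT, Integer.valueOf(httpsPort));
        properties.put(SSL_CONNECTOR_FACTORY_PARAM_HTTPS_HOSTNAME, hostname);
        properties.put(SSL_CONNECTOR_FACTORY_PARAM_KEYSTORE_USER, KEYSTORE_USER);
        properties.put(SSL_CONNECTOR_FACTORY_PARAM_KEYSTORE_PASSWORD, this.cryptoSupport.protect(new String(keyStorePassword)));
        properties.put(SSL_CONNECTOR_FACTORY_PARAM_CIPHERS_INCLUDED, SSL_CONNECTOR_FACTORY_INCLUDED_CIPHERS);
        properties.put(SSL_CONNECTOR_FACTORY_PARAM_CIPHERS_EXCLUDED, SSL_CONNECTOR_FACTORY_EXCLUDED_CIPHERS);
        configuration.update(properties);
        log.info("Configured SSL Connector with keystore={}, httpsHostname={}, httpsPort={}, includedCiphers={}, excludedCiphers={}", new Object[]{KEYSTORE_USER, hostname, String.valueOf(httpsPort), StringUtils.join(SSL_CONNECTOR_FACTORY_INCLUDED_CIPHERS, ","), StringUtils.join(SSL_CONNECTOR_FACTORY_EXCLUDED_CIPHERS, ",")});
    }

    /**
     * Sets {@code org.apache.felix.https.enable=false} on the Felix HTTP service configuration, if one exists,
     * so the two HTTPS listeners do not compete. Does nothing when no such configuration is found.
     *
     * @throws IOException if the configuration cannot be listed or updated
     * @throws InvalidSyntaxException if the filter built by {@link #getConfigurationFilter} is rejected
     */
    private void ensureFelixHttpsDisabled() throws IOException, InvalidSyntaxException {
        Configuration[] configurations = this.configurationAdmin.listConfigurations(getConfigurationFilter(HTTP_SERVICE_CONFIGURATION_PID, BUNDLE_LOCATION));
        if (configurations == null || configurations.length == 0 || configurations[0] == null) {
            return;
        }
        Configuration configuration = configurations[0];
        Dictionary<String, Object> properties = configuration.getProperties();
        if (properties == null) {
            return;
        }
        properties.put(HTTP_SERVICE_PARAM_HTTPS_ENABLE, Boolean.FALSE);
        configuration.update(properties);
        log.info("Disabled the Apache Felix Jetty Based HTTPS Service in favor of Granite's SSL connector.");
    }

    /**
     * Checks the persisted side of the setup: the connector configuration has properties AND the
     * {@code ssl-service} key store holds a private-key entry with a non-empty chain under the alias.
     * All key store access problems are logged at debug level and count as "not configured".
     *
     * @throws IOException if the connector configuration cannot be read
     */
    private boolean validateConfiguration(ResourceResolver resolver) throws IOException {
        boolean connectorConfigured = this.configurationAdmin.getConfiguration(SSL_CONNECTOR_FACTORY_CONFIGURATION_PID, BUNDLE_LOCATION).getProperties() != null;
        boolean keyEntryPresent = false;
        try {
            Object entry = this.keyStoreService.getKeyStoreEntry(resolver, KEYSTORE_USER, KEYSTORE_ALIAS);
            if (entry == null) {
                log.debug("The key store for user {} was user alias {} was found, but did not contain any certificate.", KEYSTORE_USER, KEYSTORE_ALIAS);
            } else if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                log.debug("The key store entry  under alias {} for user {} is not of correct type: ", KEYSTORE_ALIAS, KEYSTORE_USER);
            } else if (((KeyStore.PrivateKeyEntry) entry).getCertificateChain().length > 0) {
                keyEntryPresent = true;
                log.debug("The key store for user {} was found and contains an entry under alias {}", KEYSTORE_USER, KEYSTORE_ALIAS);
            } else {
                log.debug("The key store for user {} was user alias {} was found, but did not contain any certificate.", KEYSTORE_USER, KEYSTORE_ALIAS);
            }
        } catch (KeyStoreNotInitialisedException e) {
            log.debug("The key store for user {} is not initialized (may not exist): ", KEYSTORE_USER, e);
        } catch (SecurityException e) {
            log.debug("The key store for user {} could not be accessed: ", KEYSTORE_USER, e);
        }
        return keyEntryPresent && connectorConfigured;
    }

    /**
     * Sends {@code HEAD https://host:port/} and treats any status below 400, or 401, as "listener is up"
     * (401 means the port answers but demands authentication).
     *
     * <p>With {@code trustSelfSigned} the client accepts self-signed certificates and disables hostname
     * verification ({@code ALLOW_ALL_HOSTNAME_VERIFIER}). That is intentional for the self-probe of a freshly
     * installed, possibly self-signed certificate, and must not be reused for connections to anything but
     * this instance. Certificate/trust-setup failures are logged and reported as {@code false}; transport
     * errors propagate as {@link IOException}. Client and response are closed on every path.
     *
     * @param trustSelfSigned accept self-signed certificates and skip hostname verification
     * @param host host to probe (from the connector configuration or local discovery endpoint)
     * @param port HTTPS port to probe
     * @return whether the port answered with an acceptable status
     * @throws IOException on connection or socket failures (strict-mode TLS failures included)
     */
    private boolean validateConnectivity(boolean trustSelfSigned, String host, int port) throws IOException {
        String url = String.format("https://%s:%s/", host, Integer.valueOf(port));
        HttpHead head = new HttpHead(url);
        RequestConfig.Builder requestConfig = RequestConfig.custom();
        requestConfig.setConnectTimeout(SSL_CONNECT_TIMEOUT);
        requestConfig.setSocketTimeout(SSL_CONNECT_TIMEOUT);
        HttpClientBuilder builder = this.builderFactory.newBuilder();
        builder.setDefaultRequestConfig(requestConfig.build());
        CloseableHttpClient client = null;
        CloseableHttpResponse httpResponse = null;
        try {
            if (trustSelfSigned) {
                builder.setSSLSocketFactory(new SSLConnectionSocketFactory(
                        SSLContexts.custom().loadTrustMaterial((KeyStore) null, new TrustSelfSignedStrategy()).build(),
                        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER));
            }
            client = builder.build();
            httpResponse = client.execute(head);
            int statusCode = httpResponse.getStatusLine().getStatusCode();
            return statusCode < 400 || statusCode == 401;
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException | SSLPeerUnverifiedException e) {
            log.error("Connection to URL {} successful, but SSL certificate is invalid: ", url, e);
            return false;
        } finally {
            if (httpResponse != null) {
                try {
                    httpResponse.close();
                } catch (IOException e) {
                    log.error("Error while closing request/response via {}: ", url, e);
                }
            }
            if (client != null) {
                client.close();
            }
        }
    }

    /**
     * Requires the resolver's user to be an administrator.
     *
     * @throws SecurityException if the resolver does not adapt to a {@link User} (e.g. anonymous or a
     *         non-user session) or the user is not an admin
     */
    private void checkAuthorized(@Nonnull ResourceResolver resolver) throws SecurityException {
        User user = resolver.adaptTo(User.class);
        if (user == null || !user.isAdmin()) {
            throw new SecurityException(UNAUTHORIZED_ACCESS_TO_SSL_CONFIG);
        }
    }

    /**
     * Persisted configuration present AND the configured port answers (self-signed accepted).
     * The probe is skipped when the configuration check already failed.
     */
    private boolean internalIsSSLConfigured(@Nonnull ResourceResolver resolver) throws IOException {
        return validateConfiguration(resolver) && validateConnectivity(true, getHost(), getHttpsPort());
    }

    /** Maps a success flag to HTTP 200 / 500 and delegates to the status-code overload. */
    @Nonnull
    private static HtmlResponse createStatusResponse(@Nonnull XSSAPI xssapi, @Nonnull I18n i18n, @Nonnull Locale locale, boolean success, @Nonnull String statusMessage, @Nullable String description, @Nullable String redirectPath) {
        return createStatusResponse(xssapi, i18n, locale, success ? 200 : 500, statusMessage, description, redirectPath);
    }

    /**
     * Builds the Granite {@link HtmlResponse}: status + message, "OK"/"Error" title by status class, an optional
     * description and an optional "Done" redirect link. Output encoding is delegated to the supplied XSSAPI.
     */
    @Nonnull
    private static HtmlResponse createStatusResponse(@Nonnull XSSAPI xssapi, @Nonnull I18n i18n, @Nonnull Locale locale, int statusCode, @Nonnull String statusMessage, @Nullable String description, @Nullable String redirectPath) {
        HtmlResponse htmlResponse = new HtmlResponse(xssapi, i18n, locale);
        htmlResponse.setStatus(statusCode, statusMessage);
        htmlResponse.setTitle(statusCode < 400 ? i18n.get("OK") : i18n.get("Error"));
        if (StringUtils.isNotBlank(description)) {
            htmlResponse.setDescription(description);
        }
        if (StringUtils.isNotBlank(redirectPath)) {
            htmlResponse.addRedirectLink(redirectPath, i18n.get("Done"));
        }
        return htmlResponse;
    }

    /** String value of a request parameter, or {@code null} when the parameter is absent. */
    @CheckForNull
    private static String getParamValue(SlingHttpServletRequest request, String name) {
        RequestParameter parameter = request.getRequestParameter(name);
        return parameter != null ? parameter.getString() : null;
    }

    /**
     * Password parameter as a fresh {@code char[]} (empty array when absent). Note the value still exists as a
     * {@code String} inside the request; wiping the array removes only this copy.
     */
    @Nonnull
    private static char[] getPasswordValue(SlingHttpServletRequest request, String name) {
        String value = getParamValue(request, name);
        return value != null ? value.toCharArray() : new char[0];
    }

    /**
     * Host to probe: the connector's configured hostname if non-empty, otherwise the host of the first local
     * endpoint advertised by the discovery topology.
     *
     * @throws IllegalArgumentException when neither source yields a host
     */
    @Nonnull
    private String getHost() {
        try {
            Configuration configuration = this.configurationAdmin.getConfiguration(SSL_CONNECTOR_FACTORY_CONFIGURATION_PID, BUNDLE_LOCATION);
            Dictionary<String, Object> properties = configuration != null ? configuration.getProperties() : null;
            Object configuredHost = properties != null ? properties.get(SSL_CONNECTOR_FACTORY_PARAM_HTTPS_HOSTNAME) : null;
            if (configuredHost != null && !configuredHost.toString().isEmpty()) {
                return configuredHost.toString();
            }
        } catch (IOException e) {
            log.warn("Could not access OSGi SSL configuration to read hostname: {}", e.getMessage());
        }
        String[] endpoints = StringUtils.split(this.discoveryService.getTopology().getLocalInstance().getProperty("org.apache.sling.instance.endpoints"), ",");
        if (endpoints != null && endpoints.length > 0) {
            return URI.create(endpoints[0]).getHost();
        }
        throw new IllegalArgumentException("No known local endpoint");
    }

    /**
     * Configured HTTPS port, or -1 when the connector configuration has no properties or no port. The value is
     * written as an {@link Integer} by {@link #configureSSLConnectorFactory}; a string-typed value (e.g. from a
     * hand-written config file) is parsed, yielding -1 if unparseable.
     *
     * @throws IOException if the configuration cannot be read
     */
    private int getHttpsPort() throws IOException {
        Dictionary<String, Object> properties = this.configurationAdmin.getConfiguration(SSL_CONNECTOR_FACTORY_CONFIGURATION_PID, BUNDLE_LOCATION).getProperties();
        Object port = properties != null ? properties.get(SSL_CONNECTOR_FACTORY_PARAM_HTTPS_PORT) : null;
        if (port instanceof Integer) {
            return ((Integer) port).intValue();
        }
        if (port != null) {
            return NumberUtils.toInt(port.toString(), -1);
        }
        return -1;
    }

    /**
     * Builds an OSGi filter for {@code ConfigurationAdmin.listConfigurations}: {@code (service.pid=PID)},
     * AND-ed with {@code extraClause} verbatim when both are non-blank.
     *
     * <p>NOTE(review): the second argument is appended as-is. {@link #ensureFelixHttpsDisabled()} passes
     * {@link #BUNDLE_LOCATION} ({@code "?"}), producing {@code (&(service.pid=org.apache.felix.http)?)}; a bare
     * {@code ?} is not a parenthesised component in the OSGi filter grammar, so the framework may reject it with
     * {@link InvalidSyntaxException} (which {@code doPost} would then report as a failure after the
     * configuration was already written). Confirm against the target framework; if the intent was to match the
     * bundle location, the clause would need to be something like {@code (service.bundleLocation=?)}.
     */
    private String getConfigurationFilter(String pid, String extraClause) {
        boolean both = isNotBlank(pid) && isNotBlank(extraClause);
        StringBuilder filter = new StringBuilder();
        if (both) {
            filter.append("(&");
        }
        if (isNotBlank(pid)) {
            filter.append('(').append(SERVICE_PID).append('=').append(pid).append(')');
        }
        if (isNotBlank(extraClause)) {
            filter.append(extraClause);
        }
        if (both) {
            filter.append(')');
        }
        return filter.toString();
    }

    /** {@code true} when the string is non-null and not only whitespace (per {@link String#trim()}). */
    private boolean isNotBlank(String value) {
        return value != null && !value.trim().isEmpty();
    }
}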
