package com.hazelcast.security.impl;

import com.hazelcast.config.Config;
import com.hazelcast.config.ConfigAccessor;
import com.hazelcast.config.EncryptionAtRestConfig;
import com.hazelcast.config.HotRestartPersistenceConfig;
import com.hazelcast.config.JavaKeyStoreSecureStoreConfig;
import com.hazelcast.config.SSLConfig;
import com.hazelcast.config.SecureStoreConfig;
import com.hazelcast.config.SecurityConfig;
import com.hazelcast.config.SymmetricEncryptionConfig;
import com.hazelcast.config.security.RealmConfig;
import com.hazelcast.config.security.UsernamePasswordIdentityConfig;
import com.hazelcast.internal.nio.ClassLoaderUtil;
import com.hazelcast.internal.util.ExceptionUtil;
import com.hazelcast.logging.ILogger;
import com.hazelcast.security.SecretStrengthPolicy;
import com.hazelcast.security.WeakSecretException;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;

/* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/security/impl/WeakSecretsConfigChecker.class */
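/**
 * Scans a member {@link Config} for configured secrets (realm identity passwords, symmetric
 * encryption password and salt, the Hot Restart encryption keystore password and any
 * password-like SSL property) and validates each one against the configured
 * {@link SecretStrengthPolicy}.
 *
 * <p>The policy class is looked up from the system property
 * {@code SecurityConstants.SECRET_STRENGTH_POLICY_CLASS}, falling back to
 * {@code SecurityConstants.DEFAULT_SECRET_STRENGTH_POLICY_CLASS}.
 *
 * <p>The report produced by {@link #evaluate()} maps a human-readable label of the secret's
 * location to the set of detected {@link WeakSecretError}s. The secret values themselves are
 * never placed in the report or in the logged banner; only labels and weakness categories are.
 *
 * <p>Instances are immutable after construction and hold no mutable state; the thread-safety of
 * {@link #evaluate()} therefore depends only on the supplied {@link Config} and policy.
 */
public class WeakSecretsConfigChecker {
    private static final String LINE_SEP = System.lineSeparator();
    // Banner text is user-visible log output; keep byte-identical to the established format.
    private static final String BANNER_HEADER =
            "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SECURITY WARNING @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";
    private static final String BANNER_FOOTER =
            "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";

    private final Config config;
    private final SecretStrengthPolicy policy;

    /**
     * Creates a checker for the given configuration and instantiates the secret strength policy
     * named by the {@code SecurityConstants.SECRET_STRENGTH_POLICY_CLASS} system property (or the
     * default policy class when the property is unset).
     *
     * @param config the member configuration to inspect, must not be {@code null}
     * @throws NullPointerException if {@code config} is {@code null}
     * @throws RuntimeException if the policy class cannot be loaded or instantiated; the original
     *                          failure is propagated via {@link ExceptionUtil#rethrow(Throwable)}
     */
    public WeakSecretsConfigChecker(Config config) {
        this.config = Objects.requireNonNull(config, "config");
        String policyClassName = System.getProperty(
                SecurityConstants.SECRET_STRENGTH_POLICY_CLASS,
                SecurityConstants.DEFAULT_SECRET_STRENGTH_POLICY_CLASS);
        SecretStrengthPolicy loadedPolicy;
        try {
            loadedPolicy = (SecretStrengthPolicy) ClassLoaderUtil.newInstance(
                    WeakSecretsConfigChecker.class.getClassLoader(), policyClassName);
        } catch (Exception e) {
            // A misconfigured policy must fail the member start rather than silently skip checks.
            throw ExceptionUtil.rethrow(e);
        }
        this.policy = loadedPolicy;
    }

    /**
     * Runs {@link #evaluate()} and, if any weak secret was found, logs a warning banner listing
     * every affected location. When {@link WeakSecretException#ENFORCED} is set, a
     * {@link WeakSecretException} is thrown afterwards so that start-up is aborted.
     *
     * @param logger the logger used for the warning banner
     * @throws WeakSecretException if weak secrets were found and enforcement is enabled
     */
    public void evaluateAndReport(ILogger logger) {
        Map<String, EnumSet<WeakSecretError>> report = evaluate();
        if (report.isEmpty()) {
            return;
        }
        logger.warning(constructBanner(report));
        if (WeakSecretException.ENFORCED) {
            throw new WeakSecretException("Weak secrets found in configuration, check output above for more details.");
        }
    }

    /**
     * Inspects every enabled secret-bearing section of the configuration.
     *
     * @return a mutable map from a label describing where the secret is configured to the
     *         non-empty set of weaknesses found for it; empty when no weak secret was found.
     *         Secrets that pass the policy produce no entry.
     */
    public Map<String, EnumSet<WeakSecretError>> evaluate() {
        Map<String, EnumSet<WeakSecretError>> report = new HashMap<>();

        SecurityConfig securityConfig = config.getSecurityConfig();
        if (securityConfig != null && securityConfig.isEnabled()) {
            checkRealmsPasswords(report, securityConfig.getRealmConfigs());
        }

        // Symmetric encryption and SSL both live on the active member network config; resolve it once.
        SymmetricEncryptionConfig symmetricEncryptionConfig =
                ConfigAccessor.getActiveMemberNetworkConfig(config).getSymmetricEncryptionConfig();
        if (symmetricEncryptionConfig != null && symmetricEncryptionConfig.isEnabled()) {
            checkSymmetricEncryptionPasswords(report, symmetricEncryptionConfig);
        }

        HotRestartPersistenceConfig hotRestartConfig = config.getHotRestartPersistenceConfig();
        if (hotRestartConfig != null && hotRestartConfig.isEnabled()) {
            checkHotRestartPasswords(report, hotRestartConfig);
        }

        SSLConfig sslConfig = ConfigAccessor.getActiveMemberNetworkConfig(config).getSSLConfig();
        if (sslConfig != null && sslConfig.isEnabled()
                && sslConfig.getProperties() != null && !sslConfig.getProperties().isEmpty()) {
            checkSSLConfigPasswords(report, sslConfig);
        }
        return report;
    }

    /**
     * Validates {@code secret} and records it under {@code label} only when the policy reports at
     * least one weakness. Centralising this keeps every check consistent: an entry in the report
     * always means "weak", never "checked".
     */
    private void addIfWeak(Map<String, EnumSet<WeakSecretError>> report, String label, String secret) {
        EnumSet<WeakSecretError> weaknesses = getWeaknesses(secret);
        if (!weaknesses.isEmpty()) {
            report.put(label, weaknesses);
        }
    }

    /**
     * Checks every SSL property whose key contains "password" (case-insensitive, US locale).
     * Uses {@link Properties#stringPropertyNames()} so non-String keys cannot cause a
     * ClassCastException; this also includes keys inherited from the Properties defaults.
     */
    private void checkSSLConfigPasswords(Map<String, EnumSet<WeakSecretError>> report, SSLConfig sslConfig) {
        Properties properties = sslConfig.getProperties();
        for (String key : properties.stringPropertyNames()) {
            if (key.toLowerCase(Locale.US).contains("password")) {
                addIfWeak(report, "SSLConfig property[" + key + "]", properties.getProperty(key));
            }
        }
    }

    /** Checks the Hot Restart encryption-at-rest secrets collected by {@link #getHotRestartSecrets}. */
    private void checkHotRestartPasswords(Map<String, EnumSet<WeakSecretError>> report,
                                          HotRestartPersistenceConfig hotRestartConfig) {
        for (Map.Entry<String, String> secret : getHotRestartSecrets(hotRestartConfig).entrySet()) {
            addIfWeak(report, secret.getKey(), secret.getValue());
        }
    }

    /** Checks both the symmetric encryption password and its salt. */
    private void checkSymmetricEncryptionPasswords(Map<String, EnumSet<WeakSecretError>> report,
                                                   SymmetricEncryptionConfig symmetricEncryptionConfig) {
        addIfWeak(report, "Symmetric Encryption Password", symmetricEncryptionConfig.getPassword());
        addIfWeak(report, "Symmetric Encryption Salt", symmetricEncryptionConfig.getSalt());
    }

    /**
     * Collects the Hot Restart secrets that are subject to the strength policy.
     *
     * <p>The returned map holds actual secret values keyed by their report label; it is an
     * internal intermediate and must never be logged or exposed.
     *
     * @return label to secret value, currently at most the Java KeyStore password of an enabled
     *         encryption-at-rest configuration; empty otherwise
     */
    private static Map<String, String> getHotRestartSecrets(HotRestartPersistenceConfig hotRestartConfig) {
        Map<String, String> secrets = new HashMap<>();
        if (!hotRestartConfig.isEnabled()) {
            return secrets;
        }
        EncryptionAtRestConfig encryptionAtRestConfig = hotRestartConfig.getEncryptionAtRestConfig();
        if (encryptionAtRestConfig == null || !encryptionAtRestConfig.isEnabled()) {
            return secrets;
        }
        SecureStoreConfig secureStoreConfig = encryptionAtRestConfig.getSecureStoreConfig();
        if (secureStoreConfig instanceof JavaKeyStoreSecureStoreConfig) {
            String password = ((JavaKeyStoreSecureStoreConfig) secureStoreConfig).getPassword();
            if (password != null) {
                secrets.put("Hot Restart Encryption Java KeyStore password", password);
            }
        }
        return secrets;
    }

    /**
     * Checks the username/password identity of every security realm that has one.
     *
     * <p>Fix: the previous implementation recorded a realm only when its weakness set was
     * <em>empty</em>, i.e. it reported strong passwords and silently dropped weak ones. Realms are
     * now handled like every other check: only weak passwords are reported.
     */
    private void checkRealmsPasswords(Map<String, EnumSet<WeakSecretError>> report,
                                      Map<String, RealmConfig> realmConfigs) {
        if (realmConfigs == null) {
            return;
        }
        for (Map.Entry<String, RealmConfig> realm : realmConfigs.entrySet()) {
            RealmConfig realmConfig = realm.getValue();
            if (realmConfig == null) {
                continue;
            }
            UsernamePasswordIdentityConfig identity = realmConfig.getUsernamePasswordIdentityConfig();
            if (identity != null) {
                addIfWeak(report, "Identity password in Security realm " + realm.getKey(), identity.getPassword());
            }
        }
    }

    /**
     * Runs the policy against a single secret.
     *
     * @return the weaknesses reported by the policy, or an empty set when the secret is accepted.
     *         The label argument passed to the policy is {@code null}, as the label is attached
     *         to the report entry instead.
     */
    private EnumSet<WeakSecretError> getWeaknesses(String secret) {
        try {
            policy.validate(null, secret);
            return EnumSet.noneOf(WeakSecretError.class);
        } catch (WeakSecretException e) {
            return e.getWeaknesses();
        }
    }

    /**
     * Formats the report as a multi-line warning banner. Each entry is rendered via
     * {@link WeakSecretException#formatMessage}, which receives only the label and the
     * weakness set, so no secret value reaches the log.
     */
    private String constructBanner(Map<String, EnumSet<WeakSecretError>> report) {
        StringBuilder banner = new StringBuilder();
        banner.append(LINE_SEP).append(BANNER_HEADER).append(LINE_SEP);
        for (Map.Entry<String, EnumSet<WeakSecretError>> entry : report.entrySet()) {
            banner.append(WeakSecretException.formatMessage(entry.getKey(), entry.getValue()))
                    .append(LINE_SEP)
                    .append(LINE_SEP);
        }
        banner.append(BANNER_FOOTER);
        return banner.toString();
    }
}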
