package com.cloudera.enterprise;

import com.cloudera.cmf.Environment;
import com.google.common.base.Preconditions;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.commons.lang.StringUtils;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/cloudera/enterprise/TLSUtil.class */
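/**
 * Helpers for wiring a TLS-only Jetty connector and for hardening the cipher-suite
 * and protocol selection of an {@link SslContextFactory}.
 *
 * <p>Parameter names below are descriptive replacements for the decompiled
 * {@code str}/{@code str2} names; positions and types are unchanged, so callers
 * are unaffected.
 */
public class TLSUtil {
    /**
     * Default cipher allow-list, colon separated, in JSSE naming. Every entry uses ECDHE key
     * exchange (forward secrecy), with AES-GCM preferred over AES-CBC/SHA-2. No RSA key
     * exchange, no RC4/3DES/NULL/anon suites.
     */
    public static final String JAVA_MODERN2018 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
    private static final String[] JAVA_MODERN2018_ARRAY = JAVA_MODERN2018.split(":");
    private static final Logger LOG = LoggerFactory.getLogger(TLSUtil.class);

    /** Pseudo cipher suite advertised by a JSSE that implements RFC 5746 secure renegotiation. */
    private static final String SECURE_RENEGOTIATION_SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    /**
     * Adds an HTTPS connector on {@code securePort} to {@code server} and wraps
     * {@code servletContextHandler} in a security handler that requires a confidential
     * (TLS) transport for every path.
     *
     * @param securePort            port for the new TLS connector; also advertised as the
     *                              secure port on the plain connector's configuration
     * @param keyStorePath          path of the server key store
     * @param keyStorePassword      key store password; a String because the Jetty API takes
     *                              one, so it remains in the heap until collected
     * @param keyStoreType          key store type; blank means {@link KeyStore#getDefaultType()}
     * @param server                Jetty server to attach the connector and handler to
     * @param plainConnector        existing connector whose idle timeout is copied and which
     *                              receives an {@link HttpConnectionFactory} pointing at
     *                              {@code securePort}; this method does not add it to the server
     * @param servletContextHandler application handler to protect
     * @param tlsProtocols          comma-separated protocol names (e.g. {@code TLSv1.2}) to
     *                              enable; null/empty leaves Jetty's protocol selection alone
     * @param requestHeaderSize     maximum request header size for the TLS connector
     * @throws NullPointerException if {@code server}, {@code plainConnector} or
     *                              {@code servletContextHandler} is null
     */
    public static void setupTLSConnection(int securePort, String keyStorePath, String keyStorePassword,
            String keyStoreType, Server server, ServerConnector plainConnector,
            ServletContextHandler servletContextHandler, String tlsProtocols, int requestHeaderSize) {
        Preconditions.checkNotNull(server, "server");
        Preconditions.checkNotNull(plainConnector, "serverConnector");
        Preconditions.checkNotNull(servletContextHandler, "servletContextHandler");

        // Base HTTP configuration shared by both connectors. securePort/scheme are what Jetty
        // uses to send non-TLS requests hitting the CONFIDENTIAL constraint below to HTTPS.
        // NOTE(review): the boolean passed to SecureRequestCustomizer is the SNI host-check
        // flag in Jetty 9.3+; false disables that check -- confirm this is intended.
        HttpConfiguration baseConfig = new HttpConfiguration();
        baseConfig.addCustomizer(new SecureRequestCustomizer(false));
        baseConfig.setSecurePort(securePort);
        baseConfig.setSecureScheme("https");
        // Don't advertise the server stack in response headers.
        baseConfig.setSendXPoweredBy(false);
        baseConfig.setSendServerVersion(false);
        plainConnector.addConnectionFactory(new HttpConnectionFactory(baseConfig));

        // TLS-side configuration: same as base plus the caller's header-size limit. The copy
        // constructor already carries the base customizers; the extra add mirrors the
        // original wiring and is harmless.
        HttpConfiguration httpsConfig = new HttpConfiguration(baseConfig);
        httpsConfig.setRequestHeaderSize(requestHeaderSize);
        httpsConfig.addCustomizer(new SecureRequestCustomizer(false));

        String effectiveKeyStoreType =
                StringUtils.isBlank(keyStoreType) ? KeyStore.getDefaultType() : keyStoreType;
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(keyStorePath);
        sslContextFactory.setKeyStorePassword(keyStorePassword);
        sslContextFactory.setKeyStoreType(effectiveKeyStoreType);

        // Only permit renegotiation when the JDK implements the RFC 5746 secure variant.
        // The "denied" branch sets the flag explicitly rather than relying on Jetty's default,
        // which is what the original log message already promised.
        if (canPerformSecureRenegotiations()) {
            LOG.info("Cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV found. Allowing SSL/TLS renegotiations.");
            sslContextFactory.setRenegotiationAllowed(true);
        } else {
            LOG.info("Cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV not found and SSL renegotiate denied warnings may occur in the logs");
            sslContextFactory.setRenegotiationAllowed(false);
        }
        disableInsecureCiphers(sslContextFactory);
        if (StringUtils.isNotEmpty(tlsProtocols)) {
            setSupportedTlsVersions(sslContextFactory, tlsProtocols);
        }

        ConnectionFactory sslConnectionFactory =
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.toString());
        ServerConnector tlsConnector = new ServerConnector(server,
                new ConnectionFactory[] {sslConnectionFactory, new HttpConnectionFactory(httpsConfig)});
        tlsConnector.setPort(securePort);
        tlsConnector.setIdleTimeout(plainConnector.getIdleTimeout());
        server.addConnector(tlsConnector);

        // Data constraint only (no authentication): every path must arrive over a
        // confidential transport. Name "NONE" + role "*" are the original literal values.
        Constraint confidential = new Constraint(Constraint.NONE, Constraint.ANY_ROLE);
        confidential.setDataConstraint(Constraint.DC_CONFIDENTIAL);
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(confidential);
        mapping.setPathSpec("/*");
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        securityHandler.setConstraintMappings(new ConstraintMapping[] {mapping});
        securityHandler.setHandler(servletContextHandler);
        server.setHandler(securityHandler);
    }

    /**
     * Returns true when the default JSSE provider lists the RFC 5746 SCSV among its supported
     * cipher suites, i.e. it can perform secure renegotiation. Any failure to obtain the
     * default context is logged and treated as "not supported".
     */
    private static boolean canPerformSecureRenegotiations() {
        try {
            String[] supported = SSLContext.getDefault().getSocketFactory().getSupportedCipherSuites();
            return Arrays.asList(supported).contains(SECURE_RENEGOTIATION_SCSV);
        } catch (NoSuchAlgorithmException e) {
            LOG.error("Could not determine if current JDK can perform secure SSL/TLS renegotiation. Defaulting to no-renegotiations.", e);
            return false;
        }
    }

    /**
     * Restricts {@code sslContextFactory} to an explicit cipher allow-list: the
     * {@link #JAVA_MODERN2018} set, or the colon-separated list from
     * {@link Environment#getOverrideTlsCiphers()} when one is configured.
     *
     * <p>Jetty's built-in exclusion patterns are cleared first, so the include list is the
     * sole selector and an operator override is honoured verbatim -- including any weak suite
     * the operator chooses to list. Entries are trimmed and blank entries dropped; an override
     * that yields no names at all falls back to the default list with a warning instead of
     * leaving the connector with no usable suites.
     *
     * @param sslContextFactory factory to configure; must not be null
     */
    public static void disableInsecureCiphers(SslContextFactory sslContextFactory) {
        Preconditions.checkNotNull(sslContextFactory);
        sslContextFactory.setExcludeCipherSuites(new String[0]);
        String overrideTlsCiphers = Environment.getOverrideTlsCiphers();
        if (overrideTlsCiphers == null) {
            sslContextFactory.setIncludeCipherSuites(JAVA_MODERN2018_ARRAY);
            return;
        }
        String[] suites = splitNonBlank(overrideTlsCiphers, ":");
        if (suites.length == 0) {
            LOG.warn("TLS cipher override is set but contains no cipher suite names; using the default list");
            sslContextFactory.setIncludeCipherSuites(JAVA_MODERN2018_ARRAY);
            return;
        }
        LOG.info("Set TLS ciphers to: {}", overrideTlsCiphers);
        sslContextFactory.setIncludeCipherSuites(suites);
    }

    /**
     * Sets the protocols Jetty will enable on {@code sslContextFactory} from a comma-separated
     * list of JSSE protocol names (e.g. {@code "TLSv1.2,TLSv1.3"}). Entries are trimmed and
     * blanks ignored, so {@code "TLSv1.2, TLSv1.3"} works as expected.
     *
     * @param sslContextFactory factory to configure; must not be null
     * @param str               comma-separated protocol names; must not be null
     * @throws IllegalStateException if {@code str} contains no protocol name
     */
    public static void setSupportedTlsVersions(SslContextFactory sslContextFactory, String str) {
        Preconditions.checkNotNull(sslContextFactory);
        Preconditions.checkNotNull(str);
        String[] protocols = splitNonBlank(str, ",");
        // The original check could never fail (split() never returns an empty array); this one
        // rejects a list that would otherwise enable the empty-string "protocol".
        Preconditions.checkState(protocols.length > 0, "no TLS protocol names in '%s'", str);
        sslContextFactory.setIncludeProtocols(protocols);
    }

    /**
     * Splits {@code value} on {@code delimiter}, trims each piece and drops empty pieces.
     * {@code delimiter} is used as a regex; callers pass "," or ":", neither of which is a
     * metacharacter.
     */
    private static String[] splitNonBlank(String value, String delimiter) {
        List<String> parts = new ArrayList<>();
        for (String piece : value.split(delimiter)) {
            String trimmed = piece.trim();
            if (!trimmed.isEmpty()) {
                parts.add(trimmed);
            }
        }
        return parts.toArray(new String[0]);
    }
}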
