package org.apereo.cas.shell.commands.util;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Objects;
import java.util.function.Supplier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.shell.standard.ShellCommandGroup;
import org.springframework.shell.standard.ShellComponent;
import org.springframework.shell.standard.ShellMethod;
import org.springframework.shell.standard.ShellOption;

@ShellCommandGroup("Utilities")
@ShellComponent
/* loaded from: input_file:org/apereo/cas/shell/commands/util/ValidateEndpointCommand.class */
public class ValidateEndpointCommand {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(ValidateEndpointCommand.class);

    private static X509TrustManager[] getSystemTrustManagers() throws Exception {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        LOGGER.info("Detected Truststore: [{}]", trustManagerFactory.getProvider().getName());
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        ArrayList arrayList = new ArrayList(trustManagers.length);
        for (TrustManager trustManager : trustManagers) {
            if (trustManager instanceof X509TrustManager) {
                X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
                LOGGER.info("Trusted issuers found: [{}]", Integer.valueOf(x509TrustManager.getAcceptedIssuers().length));
                arrayList.add(x509TrustManager);
            }
        }
        return (X509TrustManager[]) arrayList.toArray(i -> {
            return new X509TrustManager[i];
        });
    }

    private static URLConnection createConnection(String str, String str2) throws Exception {
        URL url = new URL(str);
        boolean isNotBlank = StringUtils.isNotBlank(str2);
        Supplier supplier = Unchecked.supplier(() -> {
            URL url2 = new URL(str2);
            LOGGER.info("Using proxy address [{}]", str2);
            return url.openConnection(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(url2.getHost(), url2.getPort())));
        });
        Objects.requireNonNull(url);
        return (URLConnection) FunctionUtils.doIf(isNotBlank, supplier, Unchecked.supplier(url::openConnection)).get();
    }

    private static String consolidateExceptionMessages(Throwable th) {
        StringBuilder sb = new StringBuilder();
        Throwable th2 = th;
        while (true) {
            Throwable th3 = th2;
            if (th3 == null) {
                return sb.toString();
            }
            sb.append("  Caused by: ").append(th3).append(System.getProperty("line.separator"));
            th2 = th3.getCause();
        }
    }

    private static void testBadTlsConnection(String str, String str2) {
        try {
            URLConnection createConnection = createConnection(str, str2);
            if (!(createConnection instanceof HttpsURLConnection)) {
                LOGGER.info("Not an TLS connection.");
                return;
            }
            HttpsURLConnection httpsURLConnection = (HttpsURLConnection) createConnection;
            httpsURLConnection.setSSLSocketFactory(getTheAllTrustingSSLContext().getSocketFactory());
            InputStreamReader inputStreamReader = new InputStreamReader(httpsURLConnection.getInputStream(), StandardCharsets.UTF_8);
            try {
                tlsConnectionReport(httpsURLConnection);
                inputStreamReader.close();
            } finally {
            }
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
        }
    }

    private static void tlsConnectionReport(HttpsURLConnection httpsURLConnection) throws Exception {
        X509TrustManager[] systemTrustManagers = getSystemTrustManagers();
        try {
            Certificate[] serverCertificates = httpsURLConnection.getServerCertificates();
            X509Certificate[] x509CertificateArr = (X509Certificate[]) Arrays.copyOf(serverCertificates, serverCertificates.length, X509Certificate[].class);
            LOGGER.info("Server provided certs: ");
            for (X509Certificate x509Certificate : x509CertificateArr) {
                String str = (String) FunctionUtils.doAndHandle(obj -> {
                    x509Certificate.checkValidity();
                    return "valid";
                }, th -> {
                    return "invalid: " + th.getMessage();
                }).apply(x509Certificate);
                LOGGER.info("\tsubject: [{}]", x509Certificate.getSubjectDN().getName());
                LOGGER.info("\tissuer: [{}]", x509Certificate.getIssuerDN().getName());
                LOGGER.info("\texpiration: [{}] - [{}] [{}]", new Object[]{x509Certificate.getNotBefore(), x509Certificate.getNotAfter(), str});
                LOGGER.info("\ttrust anchor [{}]", checkTrustedCertStatus(x509Certificate, systemTrustManagers));
                LOGGER.info("---");
            }
        } catch (SSLPeerUnverifiedException e) {
            LoggingUtils.error(LOGGER, e);
            throw new RuntimeException(e);
        }
    }

    private static String checkTrustedCertStatus(X509Certificate x509Certificate, X509TrustManager[] x509TrustManagerArr) {
        for (X509TrustManager x509TrustManager : x509TrustManagerArr) {
            for (X509Certificate x509Certificate2 : x509TrustManager.getAcceptedIssuers()) {
                try {
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                    return "Matches found: " + x509Certificate2.getIssuerDN().getName();
                } catch (Exception e) {
                    LOGGER.trace("[{}]: [{}]", x509Certificate2.getIssuerDN().getName(), e.getMessage());
                }
            }
        }
        return "Not matched in trust store (which is expected of the host certificate that is part of a chain)";
    }

    private static SSLContext getTheAllTrustingSSLContext() {
        return (SSLContext) FunctionUtils.doUnchecked(() -> {
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(null, new TrustManager[]{new X509TrustManager() { // from class: org.apereo.cas.shell.commands.util.ValidateEndpointCommand.1
                @Override // javax.net.ssl.X509TrustManager
                public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
                }

                @Override // javax.net.ssl.X509TrustManager
                public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
                }

                @Override // javax.net.ssl.X509TrustManager
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
            }}, null);
            return sSLContext;
        });
    }

    @ShellMethod(key = {"validate-endpoint"}, value = "Test connections to an endpoint to verify connectivity, SSL, etc")
    public boolean validateEndpoint(@ShellOption(value = {"url", "--url"}, help = "Endpoint URL to test") String str, @ShellOption(value = {"proxy", "--proxy"}, help = "Proxy address to use when testing the endpoint url", defaultValue = "") String str2, @ShellOption(value = {"timeout", "--timeout"}, help = "Timeout to use in milliseconds when testing the url", defaultValue = "5000") int i) throws Exception {
        try {
            LOGGER.info("Trying to connect to [{}]", str);
            URLConnection createConnection = createConnection(str, str2);
            LOGGER.info("Setting connection timeout to [{}]", Integer.valueOf(i));
            createConnection.setConnectTimeout(i);
            InputStreamReader inputStreamReader = new InputStreamReader(createConnection.getInputStream(), StandardCharsets.UTF_8);
            try {
                BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
                try {
                    bufferedReader.readLine();
                    if (createConnection instanceof HttpURLConnection) {
                        LOGGER.info("Response status code received: [{}]", Integer.valueOf(((HttpURLConnection) createConnection).getResponseCode()));
                    }
                    LOGGER.info("Successfully connected to url [{}]", str);
                    bufferedReader.close();
                    inputStreamReader.close();
                    return true;
                } catch (Throwable th) {
                    try {
                        bufferedReader.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            LOGGER.info("Could not connect to the host address [{}]", str);
            LOGGER.info("The error is: [{}]", e.getMessage());
            LOGGER.info("Here are the details:");
            LOGGER.error(consolidateExceptionMessages(e));
            testBadTlsConnection(str, str2);
            return false;
        }
    }
}
