package com.hazelcast.instance.impl;

import com.hazelcast.config.AdvancedNetworkConfig;
import com.hazelcast.config.AuditlogConfig;
import com.hazelcast.config.Config;
import com.hazelcast.config.EncryptionAtRestConfig;
import com.hazelcast.config.EndpointConfig;
import com.hazelcast.config.PersistenceConfig;
import com.hazelcast.config.SSLConfig;
import com.hazelcast.config.SecurityConfig;
import com.hazelcast.config.security.RealmConfig;
import com.hazelcast.instance.EndpointQualifier;
import com.hazelcast.logging.ILogger;
import com.hazelcast.logging.LoggingService;
import com.hazelcast.spi.properties.ClusterProperty;
import com.hazelcast.spi.properties.HazelcastProperties;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import org.hsqldb.Tokens;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/hazelcast-5.3.6.jar:com/hazelcast/instance/impl/NodeSecurityBanner.class */
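/**
 * Builds and logs a checklist of security recommendations together with their status in the
 * current member configuration.
 *
 * <p>The banner is advisory only: every check reads a configuration flag and appends one line to
 * the report; nothing here changes or enforces a setting. A checked line therefore means "the flag
 * is set", not "the protection is verified to be effective". In particular:
 * <ul>
 *   <li>the TLS checks only look at {@code SSLConfig.isEnabled()}; mutual authentication, protocol
 *       versions and cipher suites are not inspected;</li>
 *   <li>the Management Center check only requires a non-empty trusted-interfaces set; the entries
 *       themselves are not validated;</li>
 *   <li>the cluster-name check only rejects the literal name {@code "dev"}.</li>
 * </ul>
 */
public class NodeSecurityBanner {
    /** Logger category used for the banner, so it can be enabled or silenced independently. */
    protected static final String SECURITY_BANNER_CATEGORY = "com.hazelcast.system.security";
    private final Config config;
    private final HazelcastProperties properties;
    private final boolean multicastUsed;
    private final ILogger securityLogger;
    private final boolean showEmoji;

    /**
     * Creates the banner printer.
     *
     * @param config the member configuration that the checks are evaluated against
     * @param hazelcastProperties the properties read for the emoji switch, the recommendations
     *     switch and the bind-any setting
     * @param z whether the multicast discovery/join method is in use (stored as
     *     {@code multicastUsed}; the parameter name is a decompiler artifact)
     * @param loggingService source of the logger for {@link #SECURITY_BANNER_CATEGORY}
     */
    public NodeSecurityBanner(Config config, HazelcastProperties hazelcastProperties, boolean z, LoggingService loggingService) {
        this.config = config;
        this.properties = hazelcastProperties;
        this.multicastUsed = z;
        this.securityLogger = loggingService.getLogger(SECURITY_BANNER_CATEGORY);
        this.showEmoji = hazelcastProperties.getBoolean(ClusterProperty.LOG_EMOJI_ENABLED);
    }

    /**
     * Logs the security checklist, or a one-line hint on how to enable it.
     *
     * <p>The checklist is written at INFO when the {@code SECURITY_RECOMMENDATIONS} property
     * resolves to a non-null string (only presence is tested here, not the value) and INFO is
     * enabled, and at FINE when only FINE logging is enabled. Otherwise a hint is logged at INFO.
     */
    public void printSecurityInfo() {
        boolean recommendationsRequested =
                this.properties.getString(ClusterProperty.SECURITY_RECOMMENDATIONS) != null;
        boolean canPrintAtInfo = recommendationsRequested && this.securityLogger.isInfoEnabled();
        if (canPrintAtInfo || this.securityLogger.isFineEnabled()) {
            printSecurityFeaturesInfo(this.config, recommendationsRequested ? Level.INFO : Level.FINE);
        } else {
            this.securityLogger.info(String.format("Enable DEBUG/FINE log level for log category %s  or use -D%s system property to see %ssecurity recommendations and the status of current config.", SECURITY_BANNER_CATEGORY, ClusterProperty.SECURITY_RECOMMENDATIONS.getName(), getLockEmo()));
        }
    }

    /**
     * Evaluates every recommendation against {@code config} and logs the report as one message.
     *
     * @param config the configuration to inspect
     * @param level the level at which the assembled report is logged
     */
    private void printSecurityFeaturesInfo(Config config, Level level) {
        StringBuilder report = new StringBuilder("\n").append(getLockEmo()).append("Security recommendations and their status:");
        addSecurityFeatureCheck(report, "Use a custom cluster name", !"dev".equals(config.getClusterName()));
        addSecurityFeatureCheck(report, "Disable member multicast discovery/join method", !this.multicastUsed);
        AdvancedNetworkConfig advancedNetworkConfig = config.getAdvancedNetworkConfig();
        addSecurityFeatureCheck(report, "Use advanced networking, separate client and member sockets", advancedNetworkConfig.isEnabled());
        boolean bindAny = this.properties.getBoolean(ClusterProperty.SOCKET_SERVER_BIND_ANY);
        // The decompiled listing used org.hsqldb.Tokens.T_CLOSEBRACKET for the closing parenthesis;
        // a plain literal keeps the banner independent of an unrelated library being on the
        // classpath (assumes that constant is ")" - confirm against the original source).
        addSecurityFeatureCheck(report, "Bind Server sockets to a single network interface (disable " + ClusterProperty.SOCKET_SERVER_BIND_ANY.getName() + ")", !bindAny);
        Set<String> trustedInterfaces = config.getManagementCenterConfig().getTrustedInterfaces();
        // Only "is anything configured" is tested; overly broad entries still pass this check.
        addSecurityFeatureCheck(report, "Allow Management Center operations only from specified remote addresses (use management-center/trusted-interfaces configuration)", trustedInterfaces != null && !trustedInterfaces.isEmpty());

        // TLS lines are collected separately and appended after the authentication lines below.
        StringBuilder tlsLines = new StringBuilder();
        // Starts true and is AND-ed with every endpoint: with advanced networking enabled and no
        // endpoint configs returned, this stays true without any TLS line having been checked.
        boolean tlsEverywhere = true;
        if (advancedNetworkConfig.isEnabled()) {
            for (Map.Entry<EndpointQualifier, EndpointConfig> entry : advancedNetworkConfig.getEndpointConfigs().entrySet()) {
                // Non-short-circuit on purpose: every endpoint must get its own report line.
                tlsEverywhere &= addAdvNetworkTlsInfo(tlsLines, entry.getKey(), entry.getValue().getSSLConfig());
            }
        } else {
            SSLConfig sslConfig = config.getNetworkConfig().getSSLConfig();
            tlsEverywhere = addSecurityFeatureCheck(tlsLines, "Use TLS communication protection (Enterprise)", sslConfig != null && sslConfig.isEnabled());
        }

        if (config.getJetConfig().isEnabled()) {
            // Passes when TLS is enabled on all reported endpoints OR bind-any is disabled.
            addSecurityFeatureCheck(report, "Use Jet in trusted environments only (single network interface and/or TLS enabled)", tlsEverywhere || !bindAny);
            if (config.getJetConfig().isResourceUploadEnabled()) {
                addSecurityFeatureInfo(report, "Jet resource upload is enabled. Any uploaded code can be executed within Hazelcast. Use this in trusted environments only.");
            }
        }
        if (config.getUserCodeDeploymentConfig().isEnabled()) {
            addSecurityFeatureInfo(report, "User code deployment is enabled. Any uploaded code can be executed within Hazelcast. Use this in trusted environments only.");
        }
        addSecurityFeatureCheck(report, "Disable scripting in the Management Center", !config.getManagementCenterConfig().isScriptingEnabled());
        addSecurityFeatureCheck(report, "Disable console in the Management Center", !config.getManagementCenterConfig().isConsoleEnabled());

        SecurityConfig securityConfig = config.getSecurityConfig();
        boolean securityEnabled = securityConfig != null && securityConfig.isEnabled();
        addSecurityFeatureCheck(report, "Enable Security (Enterprise)", securityEnabled);
        if (securityEnabled) {
            // Realm checks are only reported when security itself is switched on.
            checkAuthnConfigured(report, securityConfig, "member-authentication", securityConfig.getMemberRealm());
            checkAuthnConfigured(report, securityConfig, "client-authentication", securityConfig.getClientRealm());
        }
        report.append(tlsLines);

        PersistenceConfig persistenceConfig = config.getPersistenceConfig();
        if (persistenceConfig != null && persistenceConfig.isEnabled()) {
            // Encryption-at-rest is only relevant (and only reported) when persistence is enabled.
            EncryptionAtRestConfig encryptionAtRestConfig = persistenceConfig.getEncryptionAtRestConfig();
            addSecurityFeatureCheck(report, "Enable encryption-at-rest in the Persistence config (Enterprise)", encryptionAtRestConfig != null && encryptionAtRestConfig.isEnabled());
        }
        AuditlogConfig auditlogConfig = config.getAuditlogConfig();
        addSecurityFeatureCheck(report, "Enable auditlog (Enterprise)", auditlogConfig != null && auditlogConfig.isEnabled());
        report.append("\nCheck the hazelcast-security-hardened.xml/yaml example config file to find why and how to configure these security related settings.\n");
        this.securityLogger.log(level, report.toString());
    }

    /**
     * Reports whether the realm referenced by {@code realmName} exists and has authentication
     * configured.
     *
     * @param sb report being assembled
     * @param securityConfig security configuration used to look up the realm
     * @param settingName configuration element name shown in the report line
     * @param realmName name of the realm to look up
     */
    private void checkAuthnConfigured(StringBuilder sb, SecurityConfig securityConfig, String settingName, String realmName) {
        RealmConfig realmConfig = securityConfig.getRealmConfig(realmName);
        addSecurityFeatureCheck(sb, "Configure " + settingName + " explicitly (Enterprise)", realmConfig != null && realmConfig.isAuthenticationConfigured());
    }

    /**
     * Adds the TLS status line for one advanced-network endpoint.
     *
     * @return {@code true} when the endpoint has a non-null, enabled {@code SSLConfig}
     */
    private boolean addAdvNetworkTlsInfo(StringBuilder sb, EndpointQualifier endpointQualifier, SSLConfig sslConfig) {
        return addSecurityFeatureCheck(sb, "Use TLS in the " + endpointQualifier.toMetricsPrefixString() + " endpoint (Enterprise)", sslConfig != null && sslConfig.isEnabled());
    }

    /**
     * Appends one checklist line, prefixed with the check or warning marker.
     *
     * @param sb report being assembled
     * @param description text of the recommendation
     * @param satisfied whether the current configuration follows the recommendation
     * @return {@code satisfied}, so callers can aggregate results
     */
    private boolean addSecurityFeatureCheck(StringBuilder sb, String description, boolean satisfied) {
        sb.append("\n  ").append(satisfied ? getCheckEmo() : getWarningEmo()).append(description);
        return satisfied;
    }

    /** Appends one informational line (no pass/fail status) to the report. */
    private void addSecurityFeatureInfo(StringBuilder sb, String message) {
        sb.append("\n  ").append(getInfoEmo()).append(message);
    }

    /**
     * Returns the marker placed in front of the banner title.
     *
     * <p>The decompiled listing held two replacement characters here; the lock emoji (U+1F512) is
     * restored as a surrogate-pair escape so the literal survives re-encoding of the source file.
     * NOTE(review): confirm the code point against the original Hazelcast source.
     */
    private String getLockEmo() {
        return this.showEmoji ? "\uD83D\uDD12 " : "";
    }

    /** Returns the marker for informational lines. */
    private String getInfoEmo() {
        return this.showEmoji ? "ℹ️ " : "(i) ";
    }

    /** Returns the marker for recommendations that are not followed. */
    private String getWarningEmo() {
        return this.showEmoji ? "⚠️ " : "[ ] ";
    }

    /** Returns the marker for recommendations that are followed. */
    private String getCheckEmo() {
        return this.showEmoji ? "✅ " : "[X] ";
    }
}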
