package pro.gravit.launchserver.command.service;

import java.io.File;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.SwitchBootstraps;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import pro.gravit.launcher.base.LauncherConfig;
import pro.gravit.launchserver.LaunchServer;
import pro.gravit.launchserver.auth.protect.AdvancedProtectHandler;
import pro.gravit.launchserver.auth.protect.NoProtectHandler;
import pro.gravit.launchserver.auth.protect.ProtectHandler;
import pro.gravit.launchserver.auth.protect.StdProtectHandler;
import pro.gravit.launchserver.command.Command;
import pro.gravit.launchserver.components.ProGuardComponent;
import pro.gravit.launchserver.config.LaunchServerConfig;
import pro.gravit.launchserver.helper.SignHelper;
import pro.gravit.utils.helper.IOHelper;
import pro.gravit.utils.helper.JVMHelper;

/* loaded from: input_file:pro/gravit/launchserver/command/service/SecurityCheckCommand.class */
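/**
 * Console command that audits the LaunchServer configuration and, on Linux, the
 * process credentials and file permissions, then logs one line per finding.
 *
 * <p>Each finding goes through {@link #printCheckResult}: {@code true} is logged at
 * INFO with an "OK" suffix, {@code false} at ERROR, and {@code null} at WARN
 * (a recommendation rather than a failure). The command only reports; it never
 * changes configuration or permissions.
 */
public class SecurityCheckCommand extends Command {
    private static final Logger logger = LogManager.getLogger();

    public SecurityCheckCommand(LaunchServer launchServer) {
        super(launchServer);
    }

    /**
     * Logs a single check result.
     *
     * @param checkName configuration key or area the finding belongs to
     * @param message   human-readable detail (may be empty for a passing check)
     * @param result    {@code true} = passed (INFO), {@code false} = failed (ERROR),
     *                  {@code null} = advisory (WARN)
     */
    public static void printCheckResult(String checkName, String message, Boolean result) {
        if (result == null) {
            logger.warn("[%s] %s".formatted(checkName, message));
        } else if (result) {
            logger.info("[%s] %s OK".formatted(checkName, message));
        } else {
            logger.error("[%s] %s".formatted(checkName, message));
        }
    }

    public String getArgsDescription() {
        return "[]";
    }

    public String getUsageDescription() {
        return "check configuration";
    }

    /**
     * Runs every check in order and logs "Check completed" at the end.
     *
     * @param args ignored; the command takes no arguments
     */
    public void invoke(String... args) {
        LaunchServerConfig config = this.server.config;
        // Kept from the original: iterates the auth providers without inspecting them.
        config.auth.forEach((name, pair) -> {
        });
        checkProtectHandler(config.protectHandler);
        checkNettyTransport(config);
        checkSignature(config);
        checkLauncherHardening(config);
        checkEnvironment(config);
        if (JVMHelper.OS_TYPE == JVMHelper.OS.LINUX) {
            try {
                checkLinuxProcessAndFiles();
            } catch (IOException e) {
                logger.error(e);
            }
        }
        logger.info("Check completed");
    }

    /** Reports which protect handler is configured; a null or unrecognised handler is advisory. */
    private static void checkProtectHandler(ProtectHandler protectHandler) {
        // Case order matches the original type switch (No, Advanced, Std).
        switch (protectHandler) {
            case NoProtectHandler none ->
                    printCheckResult("protectHandler", "protectHandler none", false);
            case AdvancedProtectHandler advanced -> {
                printCheckResult("protectHandler", "", true);
                if (advanced.enableHardwareFeature) {
                    printCheckResult("protectHandler.hardwareId", "", true);
                } else {
                    printCheckResult("protectHandler.hardwareId", "you can improve security by using hwid provider", null);
                }
            }
            case StdProtectHandler std ->
                    printCheckResult("protectHandler", "you can improve security by using advanced", null);
            case null, default ->
                    printCheckResult("protectHandler", "unknown protectHandler", null);
        }
    }

    /**
     * Checks that the websocket endpoint and the download URLs use TLS.
     *
     * <p>Only the exact lower-case prefixes are recognised; any other scheme or
     * casing produces no finding at all, so a silent result is not a pass.
     */
    private static void checkNettyTransport(LaunchServerConfig config) {
        if (config.netty.address.startsWith("ws://")) {
            if (config.netty.ipForwarding) {
                // Advisory: with ipForwarding on, the client address comes from forwarded data.
                printCheckResult("netty.ipForwarding", "ipForwarding may be used to spoofing ip", null);
            }
            printCheckResult("netty.address", "websocket connection not secure", false);
        } else if (config.netty.address.startsWith("wss://")) {
            if (!config.netty.ipForwarding) {
                printCheckResult("netty.ipForwarding", "ipForwarding not enabled. authLimiter may be get incorrect ip", null);
            }
            printCheckResult("netty.address", "", true);
        }
        checkHttpUrl("netty.launcherUrl", config.netty.launcherURL, "launcher jar download connection not secure");
        checkHttpUrl("netty.launcherExeUrl", config.netty.launcherEXEURL, "launcher exe download connection not secure");
        checkHttpUrl("netty.downloadUrl", config.netty.downloadURL, "assets/clients download connection not secure");
    }

    /** Fails the check for an {@code http://} URL and passes it for {@code https://}. */
    private static void checkHttpUrl(String checkName, String url, String insecureMessage) {
        if (url.startsWith("http://")) {
            printCheckResult(checkName, insecureMessage, false);
        } else if (url.startsWith("https://")) {
            printCheckResult(checkName, "", true);
        }
    }

    /**
     * Validates the code-signing certificate chain when signing is enabled.
     *
     * <p>Checks: the chain exists for the configured alias, every certificate is
     * currently within its validity period, the chain has more than one element,
     * and the end certificate is not itself a CA. Chain signatures and trust
     * anchors are not verified here.
     */
    private static void checkSignature(LaunchServerConfig config) {
        if (!config.sign.enabled) {
            printCheckResult("sign", "it is recommended to use a signature", null);
            return;
        }
        boolean failed = false;
        try {
            var chain = SignHelper.getStore(new File(config.sign.keyStore).toPath(), config.sign.keyStorePass, config.sign.keyStoreType)
                    .getCertificateChain(config.sign.keyAlias);
            if (chain == null || chain.length == 0) {
                // Previously this surfaced as an exception from the stream below; report it explicitly.
                printCheckResult("sign", "certificate chain not found for key alias", false);
                failed = true;
            } else {
                List<X509Certificate> certificates = Arrays.stream(chain)
                        .map(certificate -> (X509Certificate) certificate)
                        .toList();
                X509Certificate endCertificate = certificates.getFirst();
                endCertificate.checkValidity();
                if (certificates.size() == 1) {
                    printCheckResult("sign", "certificate chain contains <2 element(recommend 2 and more)", false);
                    failed = true;
                }
                // getBasicConstraints() returns -1 for a non-CA certificate and the path length
                // (Integer.MAX_VALUE when unlimited) for a CA. The earlier "& 1" test therefore
                // flagged ordinary end-entity certificates and missed a CA with pathLen 0.
                if (endCertificate.getBasicConstraints() >= 0) {
                    printCheckResult("sign", "end certificate - CA", false);
                    failed = true;
                }
                for (X509Certificate certificate : certificates.subList(1, certificates.size())) {
                    certificate.checkValidity();
                }
            }
        } catch (Throwable th) {
            // Best-effort diagnostic: any failure (keystore load, expired certificate,
            // non-X.509 entry) is logged and counted as a failed check.
            logger.error("Sign check failed", th);
            failed = true;
        }
        if (!failed) {
            printCheckResult("sign", "", true);
        }
    }

    /** Reports whether ProGuard and line-number stripping are enabled for the launcher build. */
    private static void checkLauncherHardening(LaunchServerConfig config) {
        boolean proGuardEnabled = config.components.values().stream()
                .anyMatch(component -> component instanceof ProGuardComponent);
        if (proGuardEnabled) {
            printCheckResult("launcher.enabledProGuard", "", true);
        } else {
            printCheckResult("launcher.enabledProGuard", "proguard not enabled", false);
        }
        if (config.launcher.stripLineNumbers) {
            printCheckResult("launcher.stripLineNumbers", "", true);
        } else {
            printCheckResult("launcher.stripLineNumbers", "stripLineNumbers not enabled", false);
        }
    }

    /** Reports the configured launcher environment; only PROD passes, STD is advisory. */
    private static void checkEnvironment(LaunchServerConfig config) {
        switch (config.env) {
            case DEV -> printCheckResult("env", "found env DEV", false);
            case DEBUG -> printCheckResult("env", "found env DEBUG", false);
            case STD -> printCheckResult("env", "you can improve security by using env PROD", null);
            case PROD -> printCheckResult("env", "", true);
        }
    }

    /**
     * Linux-only checks: process running as root / root group, and permissions on the
     * server jar, the keys directory and the two JSON configuration files.
     *
     * @throws IOException if /proc/self/status or a file's permissions cannot be read
     */
    private void checkLinuxProcessAndFiles() throws IOException {
        String status = new String(IOHelper.read(Paths.get("/proc/self/status")));
        for (String line : status.split("\n")) {
            String[] keyValue = line.split(":", 2);
            if (keyValue.length < 2) {
                continue; // no "key: value" shape, nothing to inspect
            }
            String key = keyValue[0].trim();
            if (key.equalsIgnoreCase("Uid") && hasRootId(keyValue[1])) {
                logger.error("The process is started as root! It is not recommended");
            }
            if (key.equalsIgnoreCase("Gid") && hasRootId(keyValue[1])) {
                logger.error("The process is started as root group! It is not recommended");
            }
        }
        if (checkOtherWriteAccess(IOHelper.getCodeSource(LaunchServer.class))) {
            logger.warn("Write access to LaunchServer.jar. Please use 'chmod 755 LaunchServer.jar'");
        }
        // NOTE(review): only the directory entry itself is inspected, not the files inside it,
        // and only the "others" bits; group access is not reported by any of these checks.
        warnIfExposedToOthers(this.server.dir.resolve(LaunchServer.LaunchServerDirectories.KEY_NAME),
                "Write or read access to .keys directory. Please use 'chmod -R 700 .keys'");
        warnIfExposedToOthers(this.server.dir.resolve("LaunchServerConfig.json"),
                "Write or read access to LaunchServerConfig.json. Please use 'chmod 600 LaunchServerConfig.json'");
        warnIfExposedToOthers(this.server.dir.resolve("LaunchServerRuntimeConfig.json"),
                "Write or read access to LaunchServerRuntimeConfig.json. Please use 'chmod 600 LaunchServerRuntimeConfig.json'");
    }

    /**
     * Returns whether the real or effective ID in a /proc/self/status Uid/Gid value is 0.
     *
     * <p>The value holds the real, effective, saved and filesystem IDs separated by
     * whitespace (tabs on Linux), so it is split on any whitespace run. The earlier code
     * split on a single space and compared the first field twice; checking the real and
     * effective IDs is presumably what was intended.
     */
    private static boolean hasRootId(String ids) {
        String[] fields = ids.trim().split("\\s+");
        try {
            int inspected = Math.min(fields.length, 2);
            for (int i = 0; i < inspected; i++) {
                if (Integer.parseInt(fields[i]) == 0) {
                    return true;
                }
            }
        } catch (NumberFormatException e) {
            // Do not abort the whole audit over an unexpected status format.
            logger.warn("Unable to parse process credentials from /proc/self/status", e);
        }
        return false;
    }

    /** Logs {@code message} at WARN when {@code path} exists and is readable or writable by others. */
    private void warnIfExposedToOthers(Path path, String message) throws IOException {
        if (Files.exists(path) && checkOtherReadOrWriteAccess(path)) {
            logger.warn(message);
        }
    }

    /**
     * Returns whether the POSIX "others" class has write permission on {@code path}.
     *
     * @throws IOException if the permissions cannot be read
     */
    public boolean checkOtherWriteAccess(Path path) throws IOException {
        return Files.getPosixFilePermissions(path).contains(PosixFilePermission.OTHERS_WRITE);
    }

    /**
     * Returns whether the POSIX "others" class has read or write permission on {@code path}.
     *
     * @throws IOException if the permissions cannot be read
     */
    public boolean checkOtherReadOrWriteAccess(Path path) throws IOException {
        Set<PosixFilePermission> permissions = Files.getPosixFilePermissions(path);
        return permissions.contains(PosixFilePermission.OTHERS_WRITE) || permissions.contains(PosixFilePermission.OTHERS_READ);
    }
}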
