package com.netflix.spinnaker.kork.tomcat;

import com.netflix.spinnaker.kork.tomcat.x509.BlocklistingSSLImplementation;
import com.netflix.spinnaker.kork.tomcat.x509.SslExtensionConfigurationProperties;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanUtils;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.Ssl;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

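/**
 * Applies the TLS, URI-parsing and header-validation settings from
 * {@link TomcatConfigurationProperties} and {@link SslExtensionConfigurationProperties} to an
 * embedded Tomcat {@link Connector}.
 *
 * <p>Security-relevant behaviour lives here: the cipher suite and TLS protocol allow-lists, the
 * CRL file, the SSL implementation class, and the relaxations of Tomcat's request-line and header
 * validation. A wrong or empty value in the backing properties weakens the listener, so review
 * configuration changes with the same care as changes to this class.
 */
@Component
class DefaultTomcatConnectorCustomizer implements TomcatConnectorCustomizer {
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final TomcatConfigurationProperties tomcatConfigurationProperties;
    private final SslExtensionConfigurationProperties sslExtensionConfigurationProperties;

    /**
     * @param tomcatConfigurationProperties cipher suites, TLS versions, relaxed URI characters and
     *     the rejectIllegalHeader switch
     * @param sslExtensionConfigurationProperties source of the CRL file path
     */
    public DefaultTomcatConnectorCustomizer(TomcatConfigurationProperties tomcatConfigurationProperties, SslExtensionConfigurationProperties sslExtensionConfigurationProperties) {
        this.tomcatConfigurationProperties = tomcatConfigurationProperties;
        this.sslExtensionConfigurationProperties = sslExtensionConfigurationProperties;
    }

    /**
     * Applies TLS settings, then relaxed URI characters, then the illegal-header policy.
     *
     * @param connector the connector being configured
     * @throws RuntimeException if TLS is enabled and the connector does not have exactly one
     *     SSL host config
     * @throws ClassCastException if rejectIllegalHeader is configured and the connector's
     *     protocol handler is not an {@link AbstractHttp11Protocol}
     */
    @Override
    public void customize(Connector connector) {
        applySSLSettings(connector);
        applyRelaxedURIProperties(connector);
        Boolean rejectIllegalHeader = this.tomcatConfigurationProperties.getRejectIllegalHeader();
        if (rejectIllegalHeader != null) {
            // setRejectIllegalHeader is declared on AbstractHttp11Protocol, not on the
            // ProtocolHandler interface, so the handler is cast. A non-HTTP/1.1 connector fails
            // here with ClassCastException instead of silently keeping Tomcat's default.
            // With the value false Tomcat ignores a malformed header instead of answering 400;
            // keep it true unless a client is known to need the lenient behaviour.
            ((AbstractHttp11Protocol<?>) connector.getProtocolHandler()).setRejectIllegalHeader(rejectIllegalHeader);
        }
    }

    /**
     * Builds a copy of the factory's SSL settings that requires a client certificate.
     *
     * <p>The copy has client auth forced to {@code NEED} and its cipher list replaced by the
     * configured cipher suites; every other property is copied from the factory unchanged.
     *
     * @param tomcatServletWebServerFactory factory whose {@code getSsl()} is the template;
     *     {@code BeanUtils.copyProperties} rejects a null source, so SSL must be configured
     * @return a new {@link Ssl}; the factory's own instance is not modified
     */
    public Ssl copySslConfigurationWithClientAuth(TomcatServletWebServerFactory tomcatServletWebServerFactory) {
        Ssl ssl = new Ssl();
        BeanUtils.copyProperties(tomcatServletWebServerFactory.getSsl(), ssl);
        ssl.setClientAuth(Ssl.ClientAuth.NEED);
        // A zero-length array lets toArray allocate the right size itself.
        ssl.setCiphers(this.tomcatConfigurationProperties.getCipherSuites().toArray(new String[0]));
        return ssl;
    }

    /**
     * Pins the TLS parameters of an SSL-enabled JSSE connector; any other connector is left alone.
     *
     * @param connector the connector being configured
     * @throws RuntimeException if the connector does not have exactly one SSL host config
     */
    void applySSLSettings(Connector connector) {
        // Held as Object so the narrowing to the JSSE protocol type is an explicit, checked cast.
        Object handler = connector.getProtocolHandler();
        if (!(handler instanceof AbstractHttp11JsseProtocol)) {
            return;
        }
        AbstractHttp11JsseProtocol<?> jsseHandler = (AbstractHttp11JsseProtocol<?>) handler;
        if (!jsseHandler.isSSLEnabled()) {
            return;
        }
        SSLHostConfig[] sslHostConfigs = connector.findSslHostConfigs();
        if (sslHostConfigs.length != 1) {
            // Fail startup: only element 0 is configured below, so any additional host config
            // would otherwise keep its own cipher, protocol and CRL settings.
            throw new RuntimeException(String.format("Ssl configs: found %d, expected 1.", sslHostConfigs.length));
        }
        // Project class from the x509 package; by its name it adds certificate blocklisting to
        // the handshake (NOTE(review): behaviour is not visible from this file, confirm there).
        jsseHandler.setSslImplementationName(BlocklistingSSLImplementation.class.getName());
        SSLHostConfig sslHostConfig = sslHostConfigs[0];
        // The server's cipher order wins over the client's preference.
        sslHostConfig.setHonorCipherOrder(true);
        // NOTE(review): an empty cipher-suite or TLS-version list joins to "" here; confirm how
        // Tomcat treats an empty value, or validate the properties where they are bound.
        sslHostConfig.setCiphers(String.join(",", this.tomcatConfigurationProperties.getCipherSuites()));
        sslHostConfig.setProtocols(String.join(",", this.tomcatConfigurationProperties.getTlsVersions()));
        // Passed through unchanged, including when unset; presumably no CRL is consulted in
        // that case, so revocation then rests on the SSL implementation set above (confirm).
        sslHostConfig.setCertificateRevocationListFile(this.sslExtensionConfigurationProperties.getCrlFile());
    }

    /**
     * Allows extra, normally rejected characters in request paths and query strings when they
     * are configured.
     *
     * <p>Each setting is applied on its own. The decompiled listing wrote the path characters a
     * second time when query characters were configured, so the query setting never reached
     * Tomcat; the query characters are now passed to {@code setRelaxedQueryChars}.
     *
     * <p>Every character added here is one Tomcat no longer rejects at the request line, so it
     * reaches application routing and any downstream parser; keep both lists as small as the
     * clients require.
     *
     * @param connector the connector being configured
     */
    void applyRelaxedURIProperties(Connector connector) {
        String relaxedPathChars = this.tomcatConfigurationProperties.getRelaxedPathCharacters();
        String relaxedQueryChars = this.tomcatConfigurationProperties.getRelaxedQueryCharacters();
        boolean hasPathChars = StringUtils.hasLength(relaxedPathChars);
        boolean hasQueryChars = StringUtils.hasLength(relaxedQueryChars);
        if (!hasPathChars && !hasQueryChars) {
            return;
        }
        Object handler = connector.getProtocolHandler();
        if (!(handler instanceof AbstractHttp11Protocol)) {
            // The previous message carried an un-interpolated "$connector..." placeholder; log
            // the actual handler class so the skipped connector can be identified.
            this.log.warn("Can't apply relaxedPath/Query config to connector of type {}", connector.getProtocolHandlerClassName());
            return;
        }
        AbstractHttp11Protocol<?> http11Handler = (AbstractHttp11Protocol<?>) handler;
        if (hasPathChars) {
            http11Handler.setRelaxedPathChars(relaxedPathChars);
        }
        if (hasQueryChars) {
            http11Handler.setRelaxedQueryChars(relaxedQueryChars);
        }
    }
}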
