package com.cisco.argento.vulnerabilities;

import com.cisco.argento.management.AgentPolicy;
import com.cisco.argento.utils.HandlerUtils;
import com.cisco.argento.utils.ServletUtils;
import com.cisco.mtagent.tenant.MTAgentTenantAPI;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.management.ManagementFactory;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import org.picocontainer.Characteristics;

/* loaded from: input_file:oss-agent-mtagent-extension-deployment.jar:argentoDynamicService/argento-security-extension/tenants/argento/lib/argento-tenant.jar:com/cisco/argento/vulnerabilities/VulnerabilityAssessmentCheckRuntime.class */
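/**
 * Collects runtime-configuration findings about the JVM this agent runs in
 * (privileged OS user, attach/agent/boot-classpath hooks, remote JMX, the
 * commons-collections deserialization "unsafe" switch, default TLS settings,
 * classes with a custom {@code readObject}) plus servlet security-header stats.
 *
 * Everything here is a heuristic based on what the JVM itself reports
 * ({@code RuntimeMXBean} input arguments, system properties, loaded classes,
 * the default {@link SSLServerSocketFactory}); it does not inspect the
 * application's own TLS configuration or the OS user's real privileges.
 * Findings are reported as a flat {@code String -> String} map whose boolean
 * entries hold the literal strings {@code "true"} / {@code "false"}.
 *
 * Not thread-safe: the TLS protocol/cipher lists are cached in plain fields.
 */
public class VulnerabilityAssessmentCheckRuntime {
    private static final String VULNERABILITY_PREFIX = "vulnerability.";
    private static final String SECURITY_HEADER_PREFIX = "secheader.";
    private static final String PRIVILEGED_USER_VULNERABILITY = "vulnerability.PrivilegedUser";
    private static final String DYNAMIC_ATTACH_VULNERABILITY = "vulnerability.DynamicAttachEnabled";
    private static final String BOOT_CLASSPATH_VULNERABILITY = "vulnerability.BootClasspathAltered";
    private static final String NATIVE_AGENT_VULNERABILITY = "vulnerability.NativeAgentAttached";
    private static final String REMOTE_JMX_VULNERABILITY = "vulnerability.RemoteJMXEnabled";
    private static final String BYPASSING_SERIALIZATION_PATCH_VULNERABILITY = "vulnerability.BypassSerializationPatch";
    private static final String JAVA_AGENT_VULNERABILITY = "vulnerability.JavaAgentAttached";
    private static final String INSECURE_SSL_PROTOCOL_VULNERABILITY = "vulnerability.InsecureSSLProtocol";
    private static final String INSECURE_SSL_CIPHER_VULNERABILITY = "vulnerability.InsecureSSLCipher";
    private static final String INSECURE_SERIALIZATION_VULNERABILITY = "vulnerability.InsecureSerialization";

    /** Boolean findings are rendered as these literal strings. */
    private static final String TRUE = "true";
    private static final String FALSE = "false";

    /**
     * JVM input argument that turns on the JMX management agent. The previous
     * check looked for "-com.sun.management.jmxremote", which is not how the
     * JVM records the flag (it appears as "-Dcom.sun.management.jmxremote" or
     * "-Dcom.sun.management.jmxremote.port=..."), so the finding was always false.
     */
    private static final String JMX_REMOTE_OPTION = "-Dcom.sun.management.jmxremote";
    /** System property that actually opens a remote JMX listener. */
    private static final String JMX_REMOTE_PORT_PROPERTY = "com.sun.management.jmxremote.port";

    /** Substring of a -javaagent argument that identifies our own agent jar (presumably; confirm against the deployment). */
    private static final String OWN_AGENT_JAR_MARKER = "JAVAAGENT.JAR";

    private final HandlerUtils handlerUtils;
    private final ServletUtils servletUtils;
    private final MTAgentTenantAPI mtAgentTenantAPI;
    /** Enabled cipher suites of the default SSLServerSocket, computed lazily; also the "already computed" marker. */
    private String[] ciphers;
    /** Enabled protocols of the default SSLServerSocket, computed lazily. */
    private String[] protocols;

    public VulnerabilityAssessmentCheckRuntime(MTAgentTenantAPI mTAgentTenantAPI, HandlerUtils handlerUtils, ServletUtils servletUtils) {
        this.mtAgentTenantAPI = mTAgentTenantAPI;
        this.handlerUtils = handlerUtils;
        this.servletUtils = servletUtils;
    }

    /**
     * Builds the runtime-configuration finding map.
     *
     * @return a fresh map from finding key to value: "true"/"false" for the
     *         boolean checks, a comma-separated list of blocklisted TLS
     *         protocols / ciphers (possibly empty) when the default TLS settings
     *         could be read, one numbered {@code vulnerability.InsecureSerialization.N}
     *         entry per Serializable class with a custom readObject (only when the
     *         policy enables active serialization checks), and whatever
     *         {@link ServletUtils#loadSecurityHeaderStats} adds under "secheader.".
     */
    public Map<String, String> getRuntimeConfigurationVulnerabilityMap() {
        Map<String, String> findings = new HashMap<String, String>();

        findings.put(PRIVILEGED_USER_VULNERABILITY, asFlag(isPrivilegedUser()));
        findings.put(DYNAMIC_ATTACH_VULNERABILITY, asFlag(isDynamicAttachEnabled()));
        // -Xbootclasspath, -Xbootclasspath/a: and -Xbootclasspath/p: all share this prefix.
        findings.put(BOOT_CLASSPATH_VULNERABILITY, asFlag(hasOption("-Xbootclasspath")));
        findings.put(NATIVE_AGENT_VULNERABILITY, asFlag(hasOption("-agentlib:") || hasOption("-agentpath:")));
        findings.put(REMOTE_JMX_VULNERABILITY, asFlag(isRemoteJmxEnabled()));
        // parseBoolean is null-safe and is exactly "true".equalsIgnoreCase(value).
        findings.put(BYPASSING_SERIALIZATION_PATCH_VULNERABILITY,
                asFlag(Boolean.parseBoolean(System.getProperty("org.apache.commons.collections.enableUnsafeSerialization"))));
        findings.put(JAVA_AGENT_VULNERABILITY, asFlag(hasJavaAgent()));

        checkSSLSettings();
        // Only report when the defaults could actually be read; an absent key means
        // "could not check", an empty value means "checked, nothing blocklisted".
        if (this.protocols != null) {
            StringBuilder weakProtocols = new StringBuilder();
            for (String protocol : this.protocols) {
                if (AgentPolicy.getPolicy().getSslProtocolBlocklistHash().get(protocol) != null) {
                    appendCsv(weakProtocols, protocol);
                }
            }
            findings.put(INSECURE_SSL_PROTOCOL_VULNERABILITY, weakProtocols.toString());
        }
        if (this.ciphers != null) {
            StringBuilder weakCiphers = new StringBuilder();
            for (String cipher : this.ciphers) {
                if (AgentPolicy.getPolicy().getSslCipherBlocklistHash().get(cipher) != null) {
                    appendCsv(weakCiphers, cipher);
                }
            }
            findings.put(INSECURE_SSL_CIPHER_VULNERABILITY, weakCiphers.toString());
        }

        if (AgentPolicy.getPolicy().isActiveSerialization()) {
            checkSerializationReadObjectOverrideInLoadedClasses(findings);
        }
        checkSecurityHeaders(findings);
        return findings;
    }

    /** Renders a boolean finding as the literal "true" / "false" string used in the map. */
    private static String asFlag(boolean value) {
        return value ? TRUE : FALSE;
    }

    /** Appends {@code item} to {@code sb}, comma-separated from any earlier item. */
    private static void appendCsv(StringBuilder sb, String item) {
        if (sb.length() > 0) {
            sb.append(",");
        }
        sb.append(item);
    }

    /**
     * True when the JVM's OS user is literally "root" or "administrator"
     * (case-insensitive). Only a name match: a uid-0 account with another
     * name, or a group-granted admin, is not detected.
     */
    private boolean isPrivilegedUser() {
        String user = System.getProperty("user.name");
        return user != null && (user.equalsIgnoreCase("root") || user.equalsIgnoreCase("administrator"));
    }

    /**
     * True when the dynamic attach mechanism appears to be available.
     * HotSpot-style JVMs: enabled unless -XX:+DisableAttachMechanism is set.
     * IBM JVMs: enabled when com.ibm.tools.attach.enable is set to anything but "no".
     * NOTE(review): an absent IBM property is treated as "not enabled" here,
     * matching the earlier behaviour; confirm against the J9 default for the
     * platforms in use.
     */
    private boolean isDynamicAttachEnabled() {
        String vendor = System.getProperty("java.vendor", "");
        if (vendor.startsWith("IBM")) {
            String attachSetting = System.getProperty("com.ibm.tools.attach.enable");
            return attachSetting != null && !attachSetting.equalsIgnoreCase("no");
        }
        return !hasOption("-XX:+DisableAttachMechanism");
    }

    /**
     * True when the JMX management agent is configured, either via a
     * -Dcom.sun.management.jmxremote* input argument or because the
     * jmxremote.port property is present (which is what opens a listener).
     */
    private boolean isRemoteJmxEnabled() {
        return hasOption(JMX_REMOTE_OPTION) || System.getProperty(JMX_REMOTE_PORT_PROPERTY) != null;
    }

    /**
     * Adds one numbered finding per loaded {@link Serializable} class that
     * declares its own {@code readObject(ObjectInputStream)} and is not on the
     * policy's ignore list. This is an inventory of deserialization surface
     * (custom readObject code is what gadget chains run), not proof that any
     * of these classes is exploitable.
     *
     * @param map finding map to add {@code vulnerability.InsecureSerialization.N} entries to
     */
    private void checkSerializationReadObjectOverrideInLoadedClasses(Map<String, String> map) {
        MTAgentTenantAPI.TenantPolicyMatchObjectWrapper[] ignoreList = AgentPolicy.getPolicy().getIgnoreSerializedClasses();
        int hits = 0;
        for (Class<?> cls : this.mtAgentTenantAPI.getInstrumentationHandle().getAllLoadedClasses()) {
            if (this.mtAgentTenantAPI.doesMatchObjectWrappers(true, ignoreList, cls.getName())) {
                continue;
            }
            // ObjectInputStream only ever invokes readObject on Serializable classes;
            // anything else with a method of that name is noise.
            if (!Serializable.class.isAssignableFrom(cls)) {
                continue;
            }
            try {
                cls.getDeclaredMethod("readObject", ObjectInputStream.class);
            } catch (NoSuchMethodException e) {
                continue;
            } catch (Throwable t) {
                // Reflecting over an arbitrary loaded class can fail with linkage or
                // security errors; such classes are skipped rather than aborting the scan.
                continue;
            }
            hits++;
            map.put(INSECURE_SERIALIZATION_VULNERABILITY + "." + hits,
                    cls.getName() + "(loaded from " + this.mtAgentTenantAPI.getJarLocationFromClass(cls)
                            + ") contains custom readObject(ObjectInputStream ois) method...");
        }
    }

    /** Delegates to ServletUtils to add the "secheader." statistics to {@code map}. */
    private void checkSecurityHeaders(Map<String, String> map) {
        this.servletUtils.loadSecurityHeaderStats(SECURITY_HEADER_PREFIX, map);
    }

    /**
     * Human-readable dump of the default SSLServerSocket's enabled protocols
     * and cipher suites (empty string if they could not be determined).
     */
    public String showSSLSettings() {
        checkSSLSettings();
        StringBuilder out = new StringBuilder();
        if (this.protocols != null) {
            out.append("Protocols==>\n");
            for (String protocol : this.protocols) {
                out.append("\n" + protocol);
            }
        }
        if (this.ciphers != null) {
            out.append("\n\nCiphers==>\n");
            for (String cipher : this.ciphers) {
                out.append("\n" + cipher);
            }
        }
        return out.toString();
    }

    /**
     * Lazily reads the enabled protocols and cipher suites of an unbound
     * server socket from the JVM's default {@link SSLServerSocketFactory}.
     * No port is opened. These are the JVM defaults (jdk.tls.* / java.security);
     * an application that builds its own SSLContext or uses a native TLS stack
     * may negotiate something different, so treat the result as indicative.
     * Failures are logged and leave both fields null so the next call retries.
     */
    private void checkSSLSettings() {
        if (this.ciphers != null) {
            return;
        }
        SSLServerSocket socket = null;
        try {
            socket = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket();
            String[] enabledProtocols = socket.getEnabledProtocols();
            String[] enabledCiphers = socket.getEnabledCipherSuites();
            this.protocols = enabledProtocols;
            // Assigned last because it doubles as the "already computed" marker above.
            this.ciphers = enabledCiphers;
        } catch (Exception e) {
            this.mtAgentTenantAPI.log("Could not check SSL protocol and ciphers, error: " + e);
        } finally {
            // The original leaked the socket when getEnabled*() threw; always close it.
            if (socket != null) {
                try {
                    socket.close();
                } catch (IOException ignored) {
                    // nothing was bound; a close failure here carries no information
                }
            }
        }
    }

    /**
     * True when any JVM input argument (command line, JAVA_TOOL_OPTIONS, ...)
     * starts with {@code prefix}, compared case-insensitively and after trimming.
     * Options set programmatically after startup are not visible here.
     */
    private boolean hasOption(String prefix) {
        for (String argument : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            String candidate = argument.trim();
            if (candidate.regionMatches(true, 0, prefix, 0, prefix.length())) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when a -javaagent argument other than our own agent jar is present.
     * Agents loaded later via dynamic attach do not appear in the input
     * arguments and are therefore not detected.
     */
    private boolean hasJavaAgent() {
        for (String argument : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            String candidate = argument.trim();
            if (candidate.startsWith("-javaagent")
                    && !candidate.toUpperCase(Locale.ROOT).contains(OWN_AGENT_JAR_MARKER)) {
                return true;
            }
        }
        return false;
    }
}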
