package org.sonatype.nexus.crypto.secrets.internal;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreType;
import com.fasterxml.jackson.core.Base64Variant;
import com.fasterxml.jackson.core.Base64Variants;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.sonatype.nexus.db.migrator.config.CipherConfig;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Optional;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.common.db.DatabaseCheck;
import org.sonatype.nexus.crypto.LegacyCipherFactory;
import org.sonatype.nexus.crypto.internal.PbeCipherFactory;
import org.sonatype.nexus.crypto.internal.error.CipherException;
import org.sonatype.nexus.crypto.secrets.EncryptedSecret;
import org.sonatype.nexus.crypto.secrets.Secret;
import org.sonatype.nexus.crypto.secrets.SecretData;
import org.sonatype.nexus.crypto.secrets.SecretsFactory;
import org.sonatype.nexus.crypto.secrets.SecretsService;
import org.sonatype.nexus.crypto.secrets.SecretsStore;
import org.sonatype.nexus.crypto.secrets.internal.EncryptionKeyList;

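/**
 * Encrypts, resolves and removes {@link Secret} handles.
 *
 * <p>Two token formats are understood:
 * <ul>
 *   <li>tokens starting with {@code "_"} carry the numeric id of a row in the {@link SecretsStore};
 *       the ciphertext lives in that row, optionally tagged with the id of the key that produced it;</li>
 *   <li>every other token is a legacy token: the Base64 form of the legacy cipher's output, so the
 *       token itself is the ciphertext and nothing is stored.</li>
 * </ul>
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The cipher password, salt and IV are injected with built-in defaults ({@code changeme},
 *       {@code changeme}, {@code 0123456789ABCDEF}). The legacy cipher is created from all three and
 *       the fallback key from the password, so on an unconfigured installation both are derived from
 *       values anyone can read here.</li>
 *   <li>The fallback key is used whenever {@link EncryptionKeySource#getActiveKey()} is empty, and for
 *       stored records that carry no key id.</li>
 *   <li>The legacy cipher is created once with a fixed salt and IV; presumably every legacy
 *       encryption reuses them - confirm in {@link LegacyCipherFactory}.</li>
 *   <li>Intermediate plaintext buffers allocated by this class are overwritten on a best-effort basis;
 *       the {@code char[]} handed to or returned from this class remains the caller's to clear.</li>
 * </ul>
 */
@Singleton
@Named
public class SecretsServiceImpl extends ComponentSupport implements SecretsFactory, SecretsService {
    private static final Base64Variant BASE_64 = Base64Variants.getDefaultVariant();
    private static final String UNDERSCORE = "_";
    private static final String UNDERSCORE_ID = "_%d";
    private static final String MINIMUM_VERSION = "1.0";

    /** Built-in default of {@code nexus.mybatis.cipher.password}; only used to detect an unconfigured install. */
    private static final String DEFAULT_CIPHER_PASSWORD = "changeme";

    @Deprecated
    private final LegacyCipherFactory.PbeCipher legacyCipher;
    private final PbeCipherFactory cipherFactory;
    private final SecretsStore secretsStore;
    private final EncryptionKeySource encryptionKeySource;
    private final DatabaseCheck databaseCheck;
    // Key with a null id, built from the configured cipher password; used when no active key exists.
    private final EncryptionKeyList.SecretEncryptionKey defaultKey;

    /**
     * Handle that holds only a token and decrypts on demand through the enclosing service.
     *
     * <p>{@code @JsonIgnoreType} and {@code @JsonIgnore} keep Jackson from writing the handle or its
     * token into serialized output.
     */
    @JsonIgnoreType
    private class SecretImpl implements Secret {

        @JsonIgnore
        private final String tokenId;

        private SecretImpl(String str) {
            this.tokenId = str;
        }

        @Override // org.sonatype.nexus.crypto.secrets.Secret
        public String getId() {
            return this.tokenId;
        }

        /**
         * Resolves the token to plaintext.
         *
         * @return the decrypted characters; the caller owns the array and should overwrite it after use
         * @throws CipherException if the stored record or its key cannot be found
         */
        @Override // org.sonatype.nexus.crypto.secrets.Secret
        public char[] decrypt() throws CipherException {
            return SecretsServiceImpl.this.decrypt(this.tokenId);
        }
    }

    /**
     * Wires the collaborators and derives the legacy cipher and the fallback key.
     *
     * @param legacyCipherFactory factory for the deprecated cipher, must not be null
     * @param pbeCipherFactory factory for the current cipher, must not be null
     * @param secretsStore persistence for encrypted secrets, must not be null
     * @param encryptionKeySource provider of the active and historical keys, must not be null
     * @param databaseCheck schema version probe, must not be null
     * @param str value of {@code nexus.mybatis.cipher.password} (default {@code changeme})
     * @param str2 value of {@code nexus.mybatis.cipher.salt} (default {@code changeme})
     * @param str3 value of {@code nexus.mybatis.cipher.iv} (default {@code 0123456789ABCDEF})
     */
    @Inject
    public SecretsServiceImpl(LegacyCipherFactory legacyCipherFactory, PbeCipherFactory pbeCipherFactory, SecretsStore secretsStore, EncryptionKeySource encryptionKeySource, DatabaseCheck databaseCheck, @Named("${nexus.mybatis.cipher.password:-changeme}") String str, @Named("${nexus.mybatis.cipher.salt:-changeme}") String str2, @Named("${nexus.mybatis.cipher.iv:-0123456789ABCDEF}") String str3) {
        this.legacyCipher = ((LegacyCipherFactory) Preconditions.checkNotNull(legacyCipherFactory)).create(str, str2, str3);
        this.cipherFactory = (PbeCipherFactory) Preconditions.checkNotNull(pbeCipherFactory);
        this.secretsStore = (SecretsStore) Preconditions.checkNotNull(secretsStore);
        this.encryptionKeySource = (EncryptionKeySource) Preconditions.checkNotNull(encryptionKeySource);
        this.databaseCheck = (DatabaseCheck) Preconditions.checkNotNull(databaseCheck);
        this.defaultKey = new EncryptionKeyList.SecretEncryptionKey(null, str);
        if (DEFAULT_CIPHER_PASSWORD.equals(str)) {
            // Surface the unconfigured state once at start-up; the value itself is never logged.
            this.log.warn("nexus.mybatis.cipher.password is left at its built-in default; legacy tokens and secrets stored without an active encryption key are protected only by that publicly known value");
        }
    }

    /** Test-only constructor that applies the built-in default password, salt and IV. */
    @VisibleForTesting
    SecretsServiceImpl(LegacyCipherFactory legacyCipherFactory, PbeCipherFactory pbeCipherFactory, SecretsStore secretsStore, EncryptionKeySource encryptionKeySource, DatabaseCheck databaseCheck) throws CipherException {
        this(legacyCipherFactory, pbeCipherFactory, secretsStore, encryptionKeySource, databaseCheck, "changeme", "changeme", CipherConfig.DEFAULT_CIPHER_IV);
    }

    /**
     * Wraps an existing token in a {@link Secret} handle without touching the store.
     *
     * @param str the token; it is not validated here
     */
    @Override // org.sonatype.nexus.crypto.secrets.SecretsFactory
    public Secret from(String str) {
        return new SecretImpl(str);
    }

    /**
     * Encrypts {@code cArr} and returns a handle to the result.
     *
     * <p>When the database is older than version {@code 1.0} the legacy cipher is used and the
     * returned token is the ciphertext itself. Otherwise the value is encrypted with the active key
     * (or the fallback key when none is active), stored, and the token is {@code "_"} followed by the
     * store id.
     *
     * @param str passed unchanged as the first argument of {@link SecretsStore#create}
     * @param cArr the plaintext; not modified or cleared by this method
     * @param str2 passed unchanged as the last argument of {@link SecretsStore#create}
     * @throws CipherException if encryption fails
     */
    @Override // org.sonatype.nexus.crypto.secrets.SecretsService
    public Secret encrypt(String str, char[] cArr, String str2) throws CipherException {
        if (!this.databaseCheck.isAtLeast(MINIMUM_VERSION)) {
            return new SecretImpl(encryptLegacy(cArr));
        }
        Optional<EncryptionKeyList.SecretEncryptionKey> activeKey = this.encryptionKeySource.getActiveKey();
        // A null key id on the stored record is what later routes decryption to the fallback key.
        String keyId = null;
        if (activeKey.isPresent()) {
            keyId = activeKey.get().getId();
        }
        int secretId = this.secretsStore.create(str, keyId, doEncrypt(cArr, activeKey), str2);
        return new SecretImpl(String.format(UNDERSCORE_ID, secretId));
    }

    /**
     * Deletes the stored record behind {@code secret}; legacy tokens have no record and are skipped.
     *
     * @param secret the handle to remove, must not be null
     */
    @Override // org.sonatype.nexus.crypto.secrets.SecretsService
    public void remove(Secret secret) {
        Preconditions.checkNotNull(secret);
        if (isLegacyToken(secret.getId())) {
            this.log.debug("legacy tokens are not stored, deletion not needed.");
        } else {
            this.secretsStore.delete(parseToken(secret.getId()));
        }
    }

    /**
     * Encrypts with the given key, or with the fallback key when {@code optional} is empty, and
     * returns the PHC string form of the result.
     */
    private String doEncrypt(char[] cArr, Optional<EncryptionKeyList.SecretEncryptionKey> optional) throws CipherException {
        EncryptionKeyList.SecretEncryptionKey key = optional.isPresent() ? optional.get() : this.defaultKey;
        byte[] plaintext = toBytes(cArr);
        try {
            return this.cipherFactory.create(key).encrypt(plaintext).toPhcString();
        } finally {
            // The byte copy was allocated here, so it can be cleared once the ciphertext exists.
            Arrays.fill(plaintext, (byte) 0);
        }
    }

    /**
     * Resolves a token to plaintext.
     *
     * <p>Restored to {@code private}: only {@link SecretImpl} calls it, and the wider modifier was a
     * decompiler adjustment rather than part of the class's API.
     *
     * <p>A null token reaches {@link String#startsWith(String)} in {@code isLegacyToken} and throws
     * {@link NullPointerException} before the null guard in {@code decryptLegacy} can apply.
     *
     * @throws CipherException if no record exists for the token, or the record names a key id that
     *     the key source does not know
     */
    private char[] decrypt(String token) throws CipherException {
        if (isLegacyToken(token)) {
            return decryptLegacy(token);
        }
        Optional<SecretData> stored = this.secretsStore.read(parseToken(token));
        if (!stored.isPresent()) {
            throw new CipherException("Unable to find secret for the specified token");
        }
        SecretData secretData = stored.get();
        Optional<EncryptionKeyList.SecretEncryptionKey> recordedKey =
                Optional.ofNullable(secretData.getKeyId()).flatMap(this.encryptionKeySource::getKey);
        // NOTE(review): the byte[] returned by the cipher still holds plaintext after toChars();
        // clear it here once the cipher is confirmed to hand back a fresh array on every call.
        if (recordedKey.isPresent()) {
            return toChars(this.cipherFactory.create(recordedKey.get()).decrypt(EncryptedSecret.parse(secretData.getSecret())));
        }
        if (secretData.getKeyId() == null) {
            // Record was written without an active key, i.e. with the fallback key.
            return toChars(this.cipherFactory.create(this.defaultKey).decrypt(EncryptedSecret.parse(secretData.getSecret())));
        }
        // The record names a key that is no longer available; never fall back to another key silently.
        this.log.warn("key id '{}' present in record but not found in existing secrets, secret id : {}", secretData.getKeyId(), secretData.getId());
        throw new CipherException(String.format("unable to find secret key with id '%s'.", secretData.getKeyId()));
    }

    /** Encrypts with the legacy cipher and Base64-encodes the result; null in, null out. */
    @Deprecated
    private String encryptLegacy(char[] cArr) {
        if (cArr == null) {
            return null;
        }
        byte[] plaintext = toBytes(cArr);
        try {
            return BASE_64.encode(this.legacyCipher.encrypt(plaintext));
        } finally {
            Arrays.fill(plaintext, (byte) 0);
        }
    }

    /** Base64-decodes a legacy token and decrypts it with the legacy cipher; null in, null out. */
    @Deprecated
    private char[] decryptLegacy(String str) {
        if (str == null) {
            return null;
        }
        return toChars(this.legacyCipher.decrypt(BASE_64.decode(str)));
    }

    /**
     * Extracts the numeric store id from a {@code "_<id>"} token.
     *
     * @throws IllegalArgumentException if the token lacks the prefix, or (as
     *     {@link NumberFormatException}) if the remainder is not an integer
     */
    private int parseToken(String token) {
        Preconditions.checkArgument(token.startsWith(UNDERSCORE), "Unexpected token");
        return Integer.parseInt(token.substring(UNDERSCORE.length()));
    }

    /** Returns true when the token does not start with {@code "_"}; throws on a null token. */
    private static boolean isLegacyToken(String token) {
        return !token.startsWith(UNDERSCORE);
    }

    /** UTF-8 encodes {@code chars} into a new array and clears the encoder's intermediate buffer. */
    private static byte[] toBytes(char[] chars) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[encoded.limit()];
        encoded.get(bytes);
        if (encoded.hasArray()) {
            // Best effort: the encoder's backing array would otherwise keep a copy of the plaintext.
            Arrays.fill(encoded.array(), (byte) 0);
        }
        return bytes;
    }

    /** UTF-8 decodes {@code bytes} into a new array and clears the decoder's intermediate buffer. */
    private static char[] toChars(byte[] bytes) {
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] chars = new char[decoded.limit()];
        decoded.get(chars);
        if (decoded.hasArray()) {
            // Best effort: the decoder's backing array would otherwise keep a copy of the plaintext.
            Arrays.fill(decoded.array(), '\0');
        }
        return chars;
    }
}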
