package io.helidon.config.encryption;

import io.helidon.common.pki.Keys;
import io.helidon.config.Config;
import io.helidon.config.ConfigItem;
import io.helidon.config.MissingValueException;
import io.helidon.config.spi.ConfigFilter;
import java.lang.System;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.HashSet;
import java.util.function.Function;

/* loaded from: input_file:io/helidon/config/encryption/EncryptionFilter.class */
public final class EncryptionFilter implements ConfigFilter {
    static final String PREFIX_GCM = "${GCM=";
    static final String PREFIX_RSA = "${RSA-P=";
    private static final System.Logger LOGGER = System.getLogger(EncryptionFilter.class.getName());
    private static final String PREFIX_ALIAS = "${ALIAS=";
    private static final String PREFIX_CLEAR = "${CLEAR=";
    private final PrivateKey privateKey;
    private final char[] masterPassword;
    private final boolean requireEncryption;
    private final ConfigFilter clearFilter;
    private final ConfigFilter rsaFilter;
    private final ConfigFilter aesFilter;
    private final ConfigFilter aliasFilter;

    /* loaded from: input_file:io/helidon/config/encryption/EncryptionFilter$Builder.class */
    public static class Builder {
        private char[] masterPassword;
        private Keys privateKeyConfig;
        private boolean fromConfig = false;
        private boolean requireEncryption = true;

        private Builder fromConfig() {
            this.fromConfig = true;
            return this;
        }

        public Builder masterPassword(char[] cArr) {
            this.masterPassword = Arrays.copyOf(cArr, cArr.length);
            return this;
        }

        public Builder privateKey(Keys keys) {
            this.privateKeyConfig = keys;
            return this;
        }

        public Builder requireEncryption(boolean z) {
            this.requireEncryption = z;
            return this;
        }

        public Function<Config, ConfigFilter> buildProvider() {
            return config -> {
                return new EncryptionFilter(this, config);
            };
        }
    }

    private EncryptionFilter(Builder builder, Config config) {
        if (builder.fromConfig) {
            this.requireEncryption = ((Boolean) EncryptionUtil.getEnv(ConfigProperties.REQUIRE_ENCRYPTION_ENV_VARIABLE).map(Boolean::parseBoolean).or(() -> {
                return config.get(ConfigProperties.REQUIRE_ENCRYPTION_CONFIG_KEY).asBoolean().asOptional();
            }).orElse(true)).booleanValue();
            this.masterPassword = EncryptionUtil.resolveMasterPassword(this.requireEncryption, config).orElse(null);
            this.privateKey = EncryptionUtil.resolvePrivateKey(config.get("security.config.rsa")).orElse(null);
        } else {
            this.requireEncryption = builder.requireEncryption;
            this.privateKey = (PrivateKey) builder.privateKeyConfig.privateKey().orElseThrow(() -> {
                return new ConfigEncryptionException("Private key configuration is invalid");
            });
            this.masterPassword = builder.masterPassword;
        }
        if (null != this.privateKey && !(this.privateKey instanceof RSAPrivateKey)) {
            throw new ConfigEncryptionException("Private key must be an RSA private key, but is: " + this.privateKey.getClass().getName());
        }
        ConfigFilter configFilter = (key, str) -> {
            return str;
        };
        this.aesFilter = null == this.masterPassword ? configFilter : (key2, str2) -> {
            return decryptAes(this.masterPassword, str2);
        };
        this.rsaFilter = null == this.privateKey ? configFilter : (key3, str3) -> {
            return decryptRsa(this.privateKey, str3);
        };
        this.clearFilter = this::clearText;
        this.aliasFilter = (key4, str4) -> {
            return aliased(str4, config);
        };
    }

    private static String removePlaceholder(String str, String str2) {
        return str2.substring(str.length(), str2.length() - 1);
    }

    public static Function<Config, ConfigFilter> fromConfig() {
        return builder().fromConfig().buildProvider();
    }

    public static Builder builder() {
        return new Builder();
    }

    public String apply(Config.Key key, String str) {
        return maybeDecode(key, str);
    }

    public ConfigItem apply(Config.Key key, ConfigItem configItem) {
        String apply = apply(key, configItem.item());
        return apply.equals(configItem.item()) ? configItem : ConfigItem.builder().cacheItem(false).item(apply).build();
    }

    private String maybeDecode(Config.Key key, String str) {
        HashSet hashSet = new HashSet();
        do {
            hashSet.add(str);
            if (!str.startsWith("${") && !str.endsWith("}")) {
                return str;
            }
            str = this.aesFilter.apply(key, this.rsaFilter.apply(key, this.clearFilter.apply(key, this.aliasFilter.apply(key, str))));
        } while (!hashSet.contains(str));
        return str;
    }

    private String clearText(Config.Key key, String str) {
        if (!str.startsWith(PREFIX_CLEAR)) {
            return str;
        }
        if (this.requireEncryption) {
            throw new ConfigEncryptionException("Key \"" + String.valueOf(key) + "\" is a clear text password, yet encryption is required");
        }
        return removePlaceholder(PREFIX_CLEAR, str);
    }

    private String aliased(String str, Config config) {
        if (!str.startsWith(PREFIX_ALIAS)) {
            return str;
        }
        String removePlaceholder = removePlaceholder(PREFIX_ALIAS, str);
        return (String) config.get(removePlaceholder).asString().orElseThrow(MissingValueException.createSupplier(Config.Key.create(removePlaceholder)));
    }

    private String decryptRsa(PrivateKey privateKey, String str) {
        if (!str.startsWith(PREFIX_RSA)) {
            return str;
        }
        try {
            return EncryptionUtil.decryptRsa(privateKey, removePlaceholder(PREFIX_RSA, str));
        } catch (ConfigEncryptionException e) {
            LOGGER.log(System.Logger.Level.TRACE, () -> {
                return "Failed to decrypt " + str;
            }, e);
            return str;
        }
    }

    private String decryptAes(char[] cArr, String str) {
        if (!str.startsWith(PREFIX_GCM)) {
            return str;
        }
        try {
            return EncryptionUtil.decryptAes(cArr, str.substring(PREFIX_GCM.length(), str.length() - 1));
        } catch (ConfigEncryptionException e) {
            LOGGER.log(System.Logger.Level.TRACE, () -> {
                return "Failed to decrypt " + str;
            }, e);
            return str;
        }
    }
}
