package org.openmetadata.service.secrets;

import com.google.common.annotations.VisibleForTesting;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import javax.ws.rs.core.Response;
import org.openmetadata.annotations.PasswordField;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.auth.BasicAuthMechanism;
import org.openmetadata.schema.entity.automations.Workflow;
import org.openmetadata.schema.entity.services.ServiceType;
import org.openmetadata.schema.entity.services.ingestionPipelines.IngestionPipeline;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.security.client.OpenMetadataJWTClientConfig;
import org.openmetadata.schema.security.secrets.Parameters;
import org.openmetadata.schema.security.secrets.SecretsManagerProvider;
import org.openmetadata.schema.services.connections.metadata.OpenMetadataConnection;
import org.openmetadata.service.Entity;
import org.openmetadata.service.exception.InvalidServiceConnectionException;
import org.openmetadata.service.exception.SecretsManagerException;
import org.openmetadata.service.fernet.Fernet;
import org.openmetadata.service.search.models.IndexMapping;
import org.openmetadata.service.secrets.converter.ClassConverterFactory;
import org.openmetadata.service.security.auth.BotTokenCache;
import org.openmetadata.service.util.AuthenticationMechanismBuilder;
import org.openmetadata.service.util.IngestionPipelineBuilder;
import org.openmetadata.service.util.ReflectionUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/secrets/SecretsManager.class */
public abstract class SecretsManager {
    private final SecretsConfig secretsConfig;
    private final SecretsManagerProvider secretsManagerProvider;
    private static final Logger LOG = LoggerFactory.getLogger(SecretsManager.class);
    private static final Set<Class<?>> DO_NOT_ENCRYPT_CLASSES = Set.of(OpenMetadataJWTClientConfig.class, BasicAuthMechanism.class);
    private Fernet fernet = Fernet.getInstance();
    private final SecretsIdConfig secretsIdConfig = builSecretsIdConfig();

    /* loaded from: input_file:org/openmetadata/service/secrets/SecretsManager$SecretsConfig.class */
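    /**
     * Naming and tagging settings shared by every secrets-manager backend.
     *
     * <p>Restored to a record declaration. The decompiled form spelled out the
     * compiler-generated constructor, accessors and {@code ObjectMethods} bootstrap calls,
     * and it cannot be compiled because a class may not extend {@code java.lang.Record}
     * directly. The canonical constructor, the four accessors and the generated
     * {@code equals}/{@code hashCode}/{@code toString} are unchanged.
     *
     * <p>NOTE(review): the generated {@code toString()} prints all four components,
     * including {@code parameters}. Whether provider parameters can carry credentials is
     * not visible from this file; confirm before passing this record to a logger.
     *
     * @param clusterName appended to every top-level secret id by {@code buildSecretId}
     * @param prefix optional leading segment; skipped by {@code buildSecretId} when null or empty
     * @param tags entries of the form {@code key:value}, parsed by {@code getTags}
     * @param parameters provider-specific settings; not read anywhere in this class
     */
    public record SecretsConfig(String clusterName, String prefix, List<String> tags, Parameters parameters) {}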

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/openmetadata/service/secrets/SecretsManager$SecretsIdConfig.class */
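    /**
     * Rules used by {@code buildSecretId} to assemble and sanitise a secret id.
     *
     * <p>Restored to a record declaration. The decompiled form spelled out the
     * compiler-generated members and cannot be compiled because a class may not extend
     * {@code java.lang.Record} directly. Constructor, accessors and the generated
     * {@code equals}/{@code hashCode}/{@code toString} are unchanged.
     *
     * <p>{@code Pattern} does not override {@code equals}, so two configs compare equal
     * only when they share the same {@code Pattern} instance.
     *
     * @param separator string placed between id segments
     * @param needsStartingSeparator when {@code TRUE}, a separator is also written before
     *     the prefix and before the cluster name
     * @param cleanSecretReplacer replacement passed to {@code Matcher.replaceAll} for every
     *     match of {@code secretIdPattern}; {@code $} and {@code \} keep their regex
     *     replacement meaning
     * @param secretIdPattern matches the characters that are not allowed in an id segment
     */
    public record SecretsIdConfig(String separator, Boolean needsStartingSeparator, String cleanSecretReplacer, Pattern secretIdPattern) {}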

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Stores the provider identity and the shared naming settings.
     *
     * <p>Instance field initialisers run before this body, so {@code builSecretsIdConfig()}
     * has already been invoked when these assignments happen. An override of that method
     * therefore sees {@code secretsConfig} and {@code secretsManagerProvider} still unset.
     *
     * @param secretsManagerProvider provider value returned by {@code getSecretsManagerProvider}
     * @param secretsConfig prefix, cluster name, tags and parameters used when building ids
     */
    public SecretsManager(SecretsManagerProvider secretsManagerProvider, SecretsConfig secretsConfig) {
        this.secretsConfig = secretsConfig;
        this.secretsManagerProvider = secretsManagerProvider;
    }

    /**
     * Builds the default id rules: {@code "/"} as separator, a leading separator, and every
     * character outside {@code A-Z a-z 0-9 / _ -} replaced by
     * {@code IndexMapping.indexNameSeparator}.
     *
     * <p>Called from a field initialiser, i.e. during construction; overrides must not
     * depend on state assigned in the constructor body.
     *
     * @return the id rules used by {@code buildSecretId}
     */
    protected SecretsIdConfig builSecretsIdConfig() {
        Pattern disallowedCharacters = Pattern.compile("[^A-Za-z0-9/_\\-]");
        return new SecretsIdConfig("/", Boolean.TRUE, IndexMapping.indexNameSeparator, disallowedCharacters);
    }

    /**
     * Converts a raw connection config through {@code SecretsUtil.convert} and encrypts its
     * {@code @PasswordField} values in place, always with the store flag set.
     *
     * @param obj raw connection config
     * @param str connection type label; passed to {@code SecretsUtil.convert} and used in error messages
     * @param str2 name segment of the secret id; also passed to {@code SecretsUtil.convert}
     * @param serviceType its {@code value()} is the first segment of the secret id
     * @return the converted object with password fields encrypted
     * @throws InvalidServiceConnectionException on any failure; the original exception is
     *     not attached as cause, only its message is handed to
     *     {@code SecretsUtil.buildExceptionMessageConnection}
     */
    public Object encryptServiceConnectionConfig(Object obj, String str, String str2, ServiceType serviceType) {
        try {
            Object typedConfig = SecretsUtil.convert(obj, str, str2, serviceType);
            String secretId = buildSecretId(true, serviceType.value(), str2);
            return encryptPasswordFields(typedConfig, secretId, true);
        } catch (Exception e) {
            String detail = SecretsUtil.buildExceptionMessageConnection(e.getMessage(), str, true);
            if (detail == null) {
                // No specific diagnosis available: fall back to the generic Fernet hint.
                throw InvalidServiceConnectionException.byMessage(str, String.format("Failed to encrypt connection instance of %s. Did the Fernet Key change?", str));
            }
            throw new InvalidServiceConnectionException(detail);
        }
    }

    /**
     * Converts a raw connection config through {@code SecretsUtil.convert} (with a null
     * connection name) and decrypts its {@code @PasswordField} values in place.
     *
     * <p>The returned object holds plaintext secrets; callers decide where it may travel.
     *
     * @param obj raw connection config
     * @param str connection type label; passed to {@code SecretsUtil.convert} and used in error messages
     * @param serviceType passed to {@code SecretsUtil.convert}
     * @return the converted object with Fernet-tokenized password fields decrypted
     * @throws InvalidServiceConnectionException on any failure; the original exception is
     *     not attached as cause
     */
    public Object decryptServiceConnectionConfig(Object obj, String str, ServiceType serviceType) {
        try {
            Object typedConfig = SecretsUtil.convert(obj, str, null, serviceType);
            return decryptPasswordFields(typedConfig);
        } catch (Exception e) {
            String detail = SecretsUtil.buildExceptionMessageConnection(e.getMessage(), str, false);
            if (detail == null) {
                // No specific diagnosis available: fall back to the generic Fernet hint.
                throw InvalidServiceConnectionException.byMessage(str, String.format("Failed to decrypt connection instance of %s. Did the Fernet Key change?", str));
            }
            throw new InvalidServiceConnectionException(detail);
        }
    }

    /**
     * Encrypts the password fields of a bot's authentication mechanism in place.
     * A null mechanism is ignored.
     *
     * <p>Objects whose class is listed in {@code DO_NOT_ENCRYPT_CLASSES} are returned
     * untouched by {@code encryptPasswordFields}, at whatever nesting level they occur.
     *
     * @param str bot name; last segment of the secret id and part of the error message
     * @param authenticationMechanism mechanism to mutate, may be null
     * @throws SecretsManagerException with {@code BAD_REQUEST} on any failure; the
     *     underlying exception is discarded
     */
    public void encryptAuthenticationMechanism(String str, AuthenticationMechanism authenticationMechanism) {
        if (authenticationMechanism == null) {
            return;
        }
        AuthenticationMechanismBuilder.addDefinedConfig(authenticationMechanism);
        try {
            String secretId = buildSecretId(true, Entity.BOT, str);
            encryptPasswordFields(authenticationMechanism, secretId, true);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to encrypt user bot instance [%s]", str));
        }
    }

    /**
     * Decrypts the password fields of a bot's authentication mechanism in place.
     * A null mechanism is ignored. After a successful call the object holds plaintext
     * secrets.
     *
     * @param str bot name, used only in the error message
     * @param authenticationMechanism mechanism to mutate, may be null
     * @throws SecretsManagerException with {@code BAD_REQUEST} on any failure; the
     *     underlying exception is discarded
     */
    public void decryptAuthenticationMechanism(String str, AuthenticationMechanism authenticationMechanism) {
        if (authenticationMechanism == null) {
            return;
        }
        AuthenticationMechanismBuilder.addDefinedConfig(authenticationMechanism);
        try {
            decryptPasswordFields(authenticationMechanism);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to decrypt user bot instance [%s]", str));
        }
    }

    /**
     * Encrypts an ingestion pipeline in place.
     *
     * <p>The server connection is encrypted separately under its own secret id, detached
     * while the rest of the pipeline is processed, and re-attached afterwards. If the
     * pipeline encryption fails, the argument is left with a null server connection.
     *
     * @param ingestionPipeline pipeline to mutate; its name is the last secret-id segment
     * @throws SecretsManagerException with {@code BAD_REQUEST} when the pipeline fields
     *     cannot be encrypted; the underlying exception is discarded
     */
    public void encryptIngestionPipeline(IngestionPipeline ingestionPipeline) {
        OpenMetadataConnection encryptedServerConnection =
                encryptOpenMetadataConnection(ingestionPipeline.getOpenMetadataServerConnection(), true);
        // Detach so the reflective walk below does not process the connection a second time.
        ingestionPipeline.setOpenMetadataServerConnection((OpenMetadataConnection) null);
        IngestionPipelineBuilder.addDefinedConfig(ingestionPipeline);
        try {
            String secretId = buildSecretId(true, Entity.PIPELINE, ingestionPipeline.getName());
            encryptPasswordFields(ingestionPipeline, secretId, true);
            ingestionPipeline.setOpenMetadataServerConnection(encryptedServerConnection);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to encrypt ingestion pipeline instance [%s]", ingestionPipeline.getName()));
        }
    }

    /**
     * Decrypts an ingestion pipeline in place.
     *
     * <p>The server connection is decrypted separately, detached while the rest of the
     * pipeline is processed, and re-attached afterwards. If the pipeline decryption fails,
     * the argument is left with a null server connection. After a successful call the
     * pipeline holds plaintext secrets.
     *
     * @param ingestionPipeline pipeline to mutate
     * @throws SecretsManagerException with {@code BAD_REQUEST} when the pipeline fields
     *     cannot be decrypted; the underlying exception is discarded
     */
    public void decryptIngestionPipeline(IngestionPipeline ingestionPipeline) {
        OpenMetadataConnection decryptedServerConnection =
                decryptOpenMetadataConnection(ingestionPipeline.getOpenMetadataServerConnection());
        // Detach so the reflective walk below does not process the connection a second time.
        ingestionPipeline.setOpenMetadataServerConnection((OpenMetadataConnection) null);
        IngestionPipelineBuilder.addDefinedConfig(ingestionPipeline);
        try {
            decryptPasswordFields(ingestionPipeline);
            ingestionPipeline.setOpenMetadataServerConnection(decryptedServerConnection);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to decrypt ingestion pipeline instance [%s]", ingestionPipeline.getName()));
        }
    }

    /**
     * Returns an encrypted version of a workflow.
     *
     * <p>Unlike the ingestion-pipeline variant, the password fields are encrypted on the
     * object produced by the {@code Workflow} class converter, and that object is what is
     * returned. Whether the converter copies or reuses the argument is not visible here.
     *
     * @param workflow source workflow; its name is the last secret-id segment
     * @return the converted workflow with encrypted password fields and an encrypted
     *     server connection
     * @throws SecretsManagerException with {@code BAD_REQUEST} when the workflow fields
     *     cannot be encrypted; the underlying exception is discarded
     */
    public Workflow encryptWorkflow(Workflow workflow) {
        OpenMetadataConnection encryptedServerConnection =
                encryptOpenMetadataConnection(workflow.getOpenMetadataServerConnection(), true);
        Workflow converted = (Workflow) ClassConverterFactory.getConverter(Workflow.class).convert(workflow);
        // Detach so the reflective walk below does not process the connection a second time.
        converted.setOpenMetadataServerConnection((OpenMetadataConnection) null);
        try {
            String secretId = buildSecretId(true, Entity.WORKFLOW, workflow.getName());
            encryptPasswordFields(converted, secretId, true);
            converted.setOpenMetadataServerConnection(encryptedServerConnection);
            return converted;
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to encrypt workflow instance [%s]", workflow.getName()));
        }
    }

    /**
     * Returns a decrypted version of a workflow.
     *
     * <p>The password fields are decrypted on the object produced by the {@code Workflow}
     * class converter, and that object is what is returned; it holds plaintext secrets.
     *
     * @param workflow source workflow
     * @return the converted workflow with decrypted password fields and a decrypted
     *     server connection
     * @throws SecretsManagerException with {@code BAD_REQUEST} when the workflow fields
     *     cannot be decrypted; the underlying exception is discarded
     */
    public Workflow decryptWorkflow(Workflow workflow) {
        OpenMetadataConnection decryptedServerConnection =
                decryptOpenMetadataConnection(workflow.getOpenMetadataServerConnection());
        Workflow converted = (Workflow) ClassConverterFactory.getConverter(Workflow.class).convert(workflow);
        // Detach so the reflective walk below does not process the connection a second time.
        converted.setOpenMetadataServerConnection((OpenMetadataConnection) null);
        try {
            decryptPasswordFields(converted);
            converted.setOpenMetadataServerConnection(decryptedServerConnection);
            return converted;
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to decrypt workflow instance [%s]", workflow.getName()));
        }
    }

    /**
     * Encrypts the password fields of a server connection under the fixed id segment
     * {@code "serverconnection"}.
     *
     * @param openMetadataConnection connection to process; null yields null
     * @param z store flag forwarded to {@code encryptPasswordFields}; when false, values
     *     that are not already Fernet tokens are written back without Fernet encryption
     * @return the object produced by the {@code OpenMetadataConnection} class converter,
     *     with its password fields processed, or null
     * @throws SecretsManagerException with {@code BAD_REQUEST} on failure; the underlying
     *     exception is discarded
     */
    public OpenMetadataConnection encryptOpenMetadataConnection(OpenMetadataConnection openMetadataConnection, boolean z) {
        if (openMetadataConnection == null) {
            return null;
        }
        OpenMetadataConnection converted =
                (OpenMetadataConnection) ClassConverterFactory.getConverter(OpenMetadataConnection.class).convert(openMetadataConnection);
        try {
            String secretId = buildSecretId(true, "serverconnection");
            encryptPasswordFields(converted, secretId, z);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, "Failed to encrypt OpenMetadataConnection instance.");
        }
        return converted;
    }

    /**
     * Decrypts the password fields of a server connection.
     *
     * @param openMetadataConnection connection to process; null yields null
     * @return the object produced by the {@code OpenMetadataConnection} class converter,
     *     holding plaintext secrets, or null
     * @throws SecretsManagerException with {@code BAD_REQUEST} on failure; the underlying
     *     exception is discarded
     */
    public OpenMetadataConnection decryptOpenMetadataConnection(OpenMetadataConnection openMetadataConnection) {
        if (openMetadataConnection == null) {
            return null;
        }
        OpenMetadataConnection converted =
                (OpenMetadataConnection) ClassConverterFactory.getConverter(OpenMetadataConnection.class).convert(openMetadataConnection);
        try {
            decryptPasswordFields(converted);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, "Failed to decrypt OpenMetadataConnection instance.");
        }
        return converted;
    }

    /**
     * Walks the public getters of {@code obj} and protects every {@code @PasswordField}
     * value, recursing into nested OpenMetadata objects.
     *
     * <p>For each annotated, non-null value: it is first passed through
     * {@code fernet.decryptIfApplies}, then handed to the backend via {@code storeValue};
     * the result is written back as-is when it is already a Fernet token or when
     * {@code z} is false, and Fernet-encrypted otherwise.
     *
     * @param obj object to mutate; returned untouched when its class is in
     *     {@code DO_NOT_ENCRYPT_CLASSES}
     * @param str secret id of {@code obj}; nested objects get this id plus the lowercased
     *     getter name without its {@code get}
     * @param z store flag passed to {@code storeValue}; also gates the Fernet encryption
     * @return {@code obj}
     * @throws SecretsManagerException wrapping the message (not the cause) of any failure,
     *     including a null {@code obj} or a non-String password field
     */
    private Object encryptPasswordFields(Object obj, String str, boolean z) {
        try {
            if (DO_NOT_ENCRYPT_CLASSES.contains(obj.getClass())) {
                return obj;
            }
            for (var getter : obj.getClass().getMethods()) {
                if (!ReflectionUtil.isGetMethodOfObject(getter)) {
                    continue;
                }
                Object current = ReflectionUtil.getObjectFromMethod(getter, obj);
                String fieldName = getter.getName().replaceFirst("get", BotTokenCache.EMPTY_STRING);
                if (Boolean.TRUE.equals(CommonUtil.isOpenMetadataObject(current))) {
                    String nestedId = buildSecretId(false, str, fieldName.toLowerCase(Locale.ROOT));
                    encryptPasswordFields(current, nestedId, z);
                    continue;
                }
                if (current == null || getter.getAnnotation(PasswordField.class) == null) {
                    continue;
                }
                String plainValue = this.fernet.decryptIfApplies((String) current);
                String storedValue = storeValue(fieldName, plainValue, str, z);
                String valueToSet = storedValue;
                if (!Fernet.isTokenized(storedValue) && z) {
                    valueToSet = this.fernet.encrypt(storedValue);
                }
                ReflectionUtil.setValueInMethod(obj, valueToSet, ReflectionUtil.getToSetMethod(obj, current, fieldName));
            }
            return obj;
        } catch (Exception e) {
            throw new SecretsManagerException(String.format("Error trying to encrypt object with secret ID [%s] due to [%s]", str, e.getMessage()));
        }
    }

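    /**
     * Walks the public getters of {@code obj} and replaces every Fernet-tokenized
     * {@code @PasswordField} value with its plaintext, recursing into nested OpenMetadata
     * objects. Values that are not Fernet tokens are written back unchanged.
     *
     * <p>There is no {@code DO_NOT_ENCRYPT_CLASSES} check on this path, unlike
     * {@code encryptPasswordFields}.
     *
     * <p>The error message names only the class of {@code obj}. The object is mutated
     * field by field, so when a later field fails it may already hold decrypted secrets;
     * printing {@code obj.toString()} into an exception message that callers forward
     * (see {@code decryptServiceConnectionConfig}) could expose them. A null {@code obj}
     * is reported as {@code null} instead of raising a second exception inside the handler.
     *
     * @param obj object to mutate
     * @return {@code obj}
     * @throws SecretsManagerException wrapping the message (not the cause) of any failure
     */
    private Object decryptPasswordFields(Object obj) {
        try {
            for (var getter : obj.getClass().getMethods()) {
                if (!ReflectionUtil.isGetMethodOfObject(getter)) {
                    continue;
                }
                Object current = ReflectionUtil.getObjectFromMethod(getter, obj);
                String fieldName = getter.getName().replaceFirst("get", BotTokenCache.EMPTY_STRING);
                if (Boolean.TRUE.equals(CommonUtil.isOpenMetadataObject(current))) {
                    decryptPasswordFields(current);
                    continue;
                }
                if (current == null || getter.getAnnotation(PasswordField.class) == null) {
                    continue;
                }
                String storedValue = (String) current;
                String valueToSet = Fernet.isTokenized(storedValue) ? this.fernet.decrypt(storedValue) : storedValue;
                ReflectionUtil.setValueInMethod(obj, valueToSet, ReflectionUtil.getToSetMethod(obj, current, fieldName));
            }
            return obj;
        } catch (Exception e) {
            // Identify the object by type only; its string form may contain plaintext secrets.
            String objectType = obj == null ? "null" : obj.getClass().getName();
            throw new SecretsManagerException(String.format("Error trying to decrypt object [%s] due to [%s]", objectType, e.getMessage()));
        }
    }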

    /**
     * Backend hook invoked by {@code encryptPasswordFields} for every non-null
     * {@code @PasswordField} value.
     *
     * @param str getter name with its {@code get} removed (original casing)
     * @param str2 field value after {@code fernet.decryptIfApplies}
     * @param str3 secret id of the object that owns the field
     * @param z store flag supplied by the caller of {@code encryptPasswordFields}
     * @return the string written back into the field; the caller Fernet-encrypts it only
     *     when it is not already a Fernet token and {@code z} is true
     */
    protected abstract String storeValue(String str, String str2, String str3, boolean z);

    /* JADX INFO: Access modifiers changed from: protected */
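    /**
     * Builds a lowercased secret id from the configured prefix, the cluster name and the
     * given segments.
     *
     * <p>With {@code z} true the id starts with the optional prefix and the cluster name,
     * followed by every segment. With {@code z} false the first segment is taken as the
     * already-built parent id and the remaining segments are appended to it. Every segment
     * has the characters matched by {@code secretIdPattern} replaced; the prefix and the
     * cluster name are not sanitised.
     *
     * <p>Changes from the decompiled version:
     * <ul>
     *   <li>Lowercasing uses {@code Locale.ROOT}, as the other call sites in this class do,
     *       so ids do not depend on the JVM's default locale.</li>
     *   <li>The id is assembled directly instead of through {@code String.format}; a
     *       {@code %} in the configured prefix or cluster name is now kept literally
     *       rather than being interpreted as a format specifier.</li>
     *   <li>Null segments are rejected before sanitising. Previously the matcher raised a
     *       {@code NullPointerException} first and the intended check was unreachable.</li>
     * </ul>
     *
     * <p>NOTE(review): when {@code needsStartingSeparator} is not TRUE, prefix and cluster
     * name are concatenated without a separator. This is kept as found; confirm it is intended.
     *
     * @param z true to start from prefix and cluster name, false to extend a parent id
     * @param strArr id segments; with {@code z} false the first one is the parent id
     * @return the assembled id in lower case
     * @throws SecretsManagerException if a segment is null, or if {@code z} is false and no
     *     parent id is supplied
     */
    public String buildSecretId(boolean z, String... strArr) {
        if (strArr == null) {
            throw new SecretsManagerException("Cannot build a secret id with null values.");
        }
        if (!z && strArr.length == 0) {
            throw new SecretsManagerException("Cannot build a nested secret id without a parent id.");
        }
        String separator = this.secretsIdConfig.separator();
        boolean leadingSeparator = Boolean.TRUE.equals(this.secretsIdConfig.needsStartingSeparator());
        StringBuilder sb = new StringBuilder();
        int firstAppended = 0;
        if (z) {
            String prefix = this.secretsConfig.prefix();
            if (prefix != null && !prefix.isEmpty()) {
                if (leadingSeparator) {
                    sb.append(separator);
                }
                sb.append(prefix);
            }
            if (leadingSeparator) {
                sb.append(separator);
            }
            sb.append(this.secretsConfig.clusterName());
        } else {
            // The parent id opens the result and gets no separator in front of it.
            sb.append(cleanSecretIdSegment(strArr[0]));
            firstAppended = 1;
        }
        for (int i = firstAppended; i < strArr.length; i++) {
            sb.append(separator).append(cleanSecretIdSegment(strArr[i]));
        }
        return sb.toString().toLowerCase(Locale.ROOT);
    }

    /** Rejects a null segment, then replaces every character matched by {@code secretIdPattern}. */
    private String cleanSecretIdSegment(String segment) {
        if (segment == null) {
            throw new SecretsManagerException("Cannot build a secret id with null values.");
        }
        return this.secretsIdConfig.secretIdPattern().matcher(segment).replaceAll(this.secretsIdConfig.cleanSecretReplacer());
    }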

    /**
     * Replaces the {@code Fernet} instance used to encrypt and decrypt password fields.
     * Package-private and marked {@code @VisibleForTesting}.
     *
     * @param fernet instance to use from now on
     */
    @VisibleForTesting
    void setFernet(Fernet fernet) {
        this.fernet = fernet;
    }

    /**
     * Backend hook invoked by {@code deleteSecrets} for every non-null
     * {@code @PasswordField} value.
     *
     * @param str secret id built from the owning object's id and the lowercased getter
     *     name without its {@code get}
     */
    protected abstract void deleteSecretInternal(String str);

    /**
     * Converts a raw connection config through {@code SecretsUtil.convert} and asks the
     * backend to delete the secret behind each of its {@code @PasswordField} values.
     *
     * @param obj raw connection config
     * @param str connection type label; passed to {@code SecretsUtil.convert} and used in error messages
     * @param str2 name segment of the secret id; also passed to {@code SecretsUtil.convert}
     * @param serviceType its {@code value()} is the first segment of the secret id
     * @throws InvalidServiceConnectionException on any failure; the original exception is
     *     not attached as cause
     */
    public void deleteSecretsFromServiceConnectionConfig(Object obj, String str, String str2, ServiceType serviceType) {
        try {
            Object typedConfig = SecretsUtil.convert(obj, str, str2, serviceType);
            String secretId = buildSecretId(true, serviceType.value(), str2);
            deleteSecrets(typedConfig, secretId);
        } catch (Exception e) {
            // NOTE(review): the flag passed here is the same one the encrypt path uses — confirm intended.
            String detail = SecretsUtil.buildExceptionMessageConnection(e.getMessage(), str, true);
            if (detail != null) {
                throw new InvalidServiceConnectionException(detail);
            }
            throw InvalidServiceConnectionException.byMessage(str, String.format("Failed to delete secrets from connection instance of %s", str));
        }
    }

    /**
     * Asks the backend to delete the secrets behind a workflow's {@code @PasswordField}
     * values. The server connection is detached from the converted workflow first, so
     * its secrets are not touched.
     *
     * @param workflow workflow whose name is the last secret-id segment
     * @throws SecretsManagerException with {@code BAD_REQUEST} on failure; the underlying
     *     exception is discarded
     */
    public void deleteSecretsFromWorkflow(Workflow workflow) {
        Workflow converted = (Workflow) ClassConverterFactory.getConverter(Workflow.class).convert(workflow);
        converted.setOpenMetadataServerConnection((OpenMetadataConnection) null);
        try {
            String secretId = buildSecretId(true, Entity.WORKFLOW, workflow.getName());
            deleteSecrets(converted, secretId);
        } catch (Exception e) {
            throw new SecretsManagerException(Response.Status.BAD_REQUEST, String.format("Failed to delete secrets from workflow instance [%s]", workflow.getName()));
        }
    }

    /**
     * Walks the public getters of {@code obj} and calls {@code deleteSecretInternal} for
     * every non-null {@code @PasswordField} value, recursing into nested OpenMetadata
     * objects. Objects whose class is in {@code DO_NOT_ENCRYPT_CLASSES} are skipped.
     *
     * <p>Failures are not wrapped here; they propagate to the caller as thrown.
     *
     * @param obj object to inspect; not modified by this method
     * @param str secret id of {@code obj}
     */
    private void deleteSecrets(Object obj, String str) {
        if (DO_NOT_ENCRYPT_CLASSES.contains(obj.getClass())) {
            return;
        }
        for (var getter : obj.getClass().getMethods()) {
            if (!ReflectionUtil.isGetMethodOfObject(getter)) {
                continue;
            }
            Object current = ReflectionUtil.getObjectFromMethod(getter, obj);
            String fieldName = getter.getName().replaceFirst("get", BotTokenCache.EMPTY_STRING);
            if (Boolean.TRUE.equals(CommonUtil.isOpenMetadataObject(current))) {
                deleteSecrets(current, buildSecretId(false, str, fieldName.toLowerCase(Locale.ROOT)));
                continue;
            }
            if (current == null || getter.getAnnotation(PasswordField.class) == null) {
                continue;
            }
            deleteSecretInternal(buildSecretId(false, str, fieldName.toLowerCase(Locale.ROOT)));
        }
    }

    /**
     * Parses the configured {@code key:value} tag strings into a map.
     *
     * <p>Only the first two colon-separated parts are used, so {@code a:b:c} maps
     * {@code a} to {@code b}. An entry that cannot be parsed (null, no colon, empty value)
     * is logged at error level and skipped. A later entry with the same key overwrites an
     * earlier one.
     *
     * @param secretsConfig config whose {@code tags} list is read; the list must not be null
     * @return a new mutable map of the tags that could be parsed
     */
    public static Map<String, String> getTags(SecretsConfig secretsConfig) {
        Map<String, String> parsedTags = new HashMap<>();
        for (String tag : secretsConfig.tags) {
            try {
                String[] parts = tag.split(":");
                parsedTags.put(parts[0], parts[1]);
            } catch (Exception e) {
                LOG.error(String.format("The SecretsConfig could not extract tag from [%s] due to [%s]", tag, e.getMessage()));
            }
        }
        return parsedTags;
    }

    /**
     * Returns the naming and tagging settings given to the constructor.
     *
     * @return the {@code SecretsConfig} held by this manager
     */
    public SecretsConfig getSecretsConfig() {
        return secretsConfig;
    }

    /**
     * Returns the provider value given to the constructor.
     *
     * @return the {@code SecretsManagerProvider} held by this manager
     */
    public SecretsManagerProvider getSecretsManagerProvider() {
        return secretsManagerProvider;
    }

    /**
     * Returns the id rules produced by {@code builSecretsIdConfig()} during construction.
     *
     * @return the {@code SecretsIdConfig} used by {@code buildSecretId}
     */
    public SecretsIdConfig getSecretsIdConfig() {
        return secretsIdConfig;
    }
}
