package com.schibsted.security.strongbox.sdk.internal.impl;

import com.schibsted.security.strongbox.sdk.SecretsGroup;
import com.schibsted.security.strongbox.sdk.exceptions.AlreadyExistsException;
import com.schibsted.security.strongbox.sdk.exceptions.DoesNotExistException;
import com.schibsted.security.strongbox.sdk.exceptions.PotentiallyMaliciousDataException;
import com.schibsted.security.strongbox.sdk.exceptions.StateCorruptionException;
import com.schibsted.security.strongbox.sdk.internal.converter.FormattedTimestamp;
import com.schibsted.security.strongbox.sdk.internal.encryption.BestEffortShredder;
import com.schibsted.security.strongbox.sdk.internal.encryption.DefaultEncryptionContext;
import com.schibsted.security.strongbox.sdk.internal.encryption.EncryptionPayload;
import com.schibsted.security.strongbox.sdk.internal.encryption.Encryptor;
import com.schibsted.security.strongbox.sdk.internal.kv4j.generated.Config;
import com.schibsted.security.strongbox.sdk.internal.kv4j.generated.Store;
import com.schibsted.security.strongbox.sdk.internal.kv4j.generic.frontend.KVStream;
import com.schibsted.security.strongbox.sdk.internal.srn.SecretSRN;
import com.schibsted.security.strongbox.sdk.types.NewSecretEntry;
import com.schibsted.security.strongbox.sdk.types.RawSecretEntry;
import com.schibsted.security.strongbox.sdk.types.SRN;
import com.schibsted.security.strongbox.sdk.types.SecretEntry;
import com.schibsted.security.strongbox.sdk.types.SecretIdentifier;
import com.schibsted.security.strongbox.sdk.types.SecretMetadata;
import com.schibsted.security.strongbox.sdk.types.SecretsGroupIdentifier;
import com.schibsted.security.strongbox.sdk.types.State;
import com.schibsted.security.strongbox.sdk.types.UserAlias;
import java.time.ZonedDateTime;
import java.time.chrono.ChronoZonedDateTime;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.locks.ReadWriteLock;

/* loaded from: input_file:com/schibsted/security/strongbox/sdk/internal/impl/DefaultSecretsGroup.class */
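/**
 * Default {@link SecretsGroup} implementation: a versioned collection of secrets whose payloads
 * are encrypted with an {@link Encryptor} before they are handed to the backing {@link Store}.
 *
 * <p>Every mutation (create, addVersion, update, delete, close) runs under the write side of the
 * supplied {@link ReadWriteLock}; the read-only accessors (stream, identifiers) take no lock here.
 *
 * <p>The encryption context binds group, secret name, version, state and validity window to the
 * ciphertext (see {@link #createEntry} / {@link #decryptEvenIfNotActive}). Plaintext buffers are
 * shredded best-effort as soon as they are no longer needed, including on exception paths, so a
 * failed encrypt/decrypt/update does not leave secret material lying around on the heap longer
 * than necessary.
 */
public class DefaultSecretsGroup implements SecretsGroup {
    private final Store store;
    private final Encryptor encryptor;
    private final SecretsGroupIdentifier groupIdentifier;
    private final String account;
    private final ReadWriteLock readWriteLock;

    /**
     * @param str the account this group belongs to (only used when building SRNs)
     * @param secretsGroupIdentifier identifier of this group; part of every encryption context
     * @param store backing store holding the encrypted entries
     * @param encryptor encryptor/decryptor applied to the secret payloads
     * @param readWriteLock lock whose write side serializes mutations of this group
     */
    public DefaultSecretsGroup(String str, SecretsGroupIdentifier secretsGroupIdentifier, Store store, Encryptor encryptor, ReadWriteLock readWriteLock) {
        this.store = store;
        this.encryptor = encryptor;
        this.groupIdentifier = secretsGroupIdentifier;
        this.account = str;
        this.readWriteLock = readWriteLock;
    }

    /** Builds the SRN of a secret in this group from the account, group and secret identifier. */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public SRN srn(SecretIdentifier secretIdentifier) {
        return new SecretSRN(this.account, this.groupIdentifier, secretIdentifier);
    }

    /**
     * Creates a brand-new secret at version 1.
     *
     * @return the encrypted entry that was written to the store
     * @throws AlreadyExistsException if a secret with the same name already exists
     */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public RawSecretEntry create(NewSecretEntry newSecretEntry) {
        this.readWriteLock.writeLock().lock();
        try {
            // A new secret always starts at version 1; the store rejects a duplicate name.
            RawSecretEntry entry = createEntry(newSecretEntry, 1L);
            this.store.create(entry);
            return entry;
        } catch (AlreadyExistsException e) {
            throw new AlreadyExistsException(String.format("A secret named '%s' already exists", newSecretEntry.secretIdentifier.name), e);
        } finally {
            this.readWriteLock.writeLock().unlock();
        }
    }

    /**
     * Adds a new version of an existing secret, numbered one above the latest stored version.
     *
     * @return the encrypted entry that was written to the store
     * @throws DoesNotExistException if no secret with that name exists yet
     */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public RawSecretEntry addVersion(NewSecretEntry newSecretEntry) {
        this.readWriteLock.writeLock().lock();
        try {
            // Last entry for this name in store order — presumably the highest version; verify
            // against the store's ordering guarantees if that assumption is ever in doubt.
            Optional<RawSecretEntry> latest = this.store.stream()
                    .filter(Config.name.eq(newSecretEntry.secretIdentifier))
                    .reverse()
                    .findFirst();
            if (!latest.isPresent()) {
                throw new DoesNotExistException(String.format("Secret with name '%s' does not exist", newSecretEntry.secretIdentifier.name));
            }
            RawSecretEntry entry = createEntry(newSecretEntry, latest.get().version.longValue() + 1);
            this.store.create(entry);
            latest.get().bestEffortShred();
            return entry;
        } finally {
            this.readWriteLock.writeLock().unlock();
        }
    }

    /** Encrypts a new entry whose created and modified timestamps are both "now". */
    private RawSecretEntry createEntry(NewSecretEntry newSecretEntry, long j) {
        ZonedDateTime now = FormattedTimestamp.now();
        return createEntry(newSecretEntry, j, now, now, newSecretEntry.createdBy);
    }

    /**
     * Serializes and encrypts the secret payload for version {@code j}.
     *
     * <p>The encryption context carries the group, name, version, state and validity window, so
     * the ciphertext cannot be decrypted under different metadata. The serialized plaintext is
     * shredded whether or not encryption succeeds.
     *
     * @param j version number to bind into the context
     * @param zonedDateTime creation timestamp stored in the payload
     * @param zonedDateTime2 modification timestamp stored in the payload
     * @param optional alias of the user recorded as last modifier
     * @throws StateCorruptionException if the encryptor handed back the plaintext buffer itself
     */
    private RawSecretEntry createEntry(NewSecretEntry newSecretEntry, long j, ZonedDateTime zonedDateTime, ZonedDateTime zonedDateTime2, Optional<UserAlias> optional) {
        DefaultEncryptionContext context = new DefaultEncryptionContext(this.groupIdentifier, newSecretEntry.secretIdentifier, j, newSecretEntry.state, newSecretEntry.notBefore, newSecretEntry.notAfter);
        byte[] plaintext = new EncryptionPayload(newSecretEntry.secretValue, newSecretEntry.userData, zonedDateTime, newSecretEntry.createdBy, zonedDateTime2, optional, newSecretEntry.comment).toByteArray();
        byte[] ciphertext = null;
        try {
            ciphertext = this.encryptor.encrypt(plaintext, context);
            if (plaintext == ciphertext) {
                throw new StateCorruptionException("Internal error (file a bug): clearing the plaintext would corrupt the ciphertext!");
            }
        } finally {
            // Shred on every path except the one where plaintext and ciphertext alias the same
            // buffer — wiping it there would destroy the ciphertext rather than protect the secret.
            if (plaintext != ciphertext) {
                BestEffortShredder.shred(plaintext);
            }
        }
        return new RawSecretEntry(newSecretEntry.secretIdentifier, j, newSecretEntry.state, newSecretEntry.notBefore, newSecretEntry.notAfter, ciphertext);
    }

    /**
     * Decrypts an entry and returns it only if it is currently active: state ENABLED and "now"
     * inside its optional notBefore/notAfter window.
     *
     * @throws IllegalArgumentException if the entry is not active; the decrypted material is
     *     shredded before the exception is raised
     */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public SecretEntry decrypt(RawSecretEntry rawSecretEntry, SecretIdentifier secretIdentifier, long j) {
        SecretEntry entry = decryptEvenIfNotActive(rawSecretEntry, secretIdentifier, j);
        if (isActiveAt(entry, FormattedTimestamp.now())) {
            return entry;
        }
        // Do not leave a plaintext secret behind on the rejection path.
        entry.bestEffortShred();
        throw new IllegalArgumentException("The secret must be active to be decrypted with this method");
    }

    /**
     * True when the entry is ENABLED and {@code now} lies within its validity window
     * (notBefore <= now <= notAfter, with absent bounds treated as unbounded).
     */
    private static boolean isActiveAt(SecretEntry entry, ZonedDateTime now) {
        if (entry.state != State.ENABLED) {
            return false;
        }
        boolean expired = entry.notAfter.isPresent()
                && entry.notAfter.get().compareTo((ChronoZonedDateTime<?>) now) < 0;
        boolean notYetValid = entry.notBefore.isPresent()
                && entry.notBefore.get().compareTo((ChronoZonedDateTime<?>) now) > 0;
        return !expired && !notYetValid;
    }

    /**
     * Decrypts an entry regardless of its state or validity window.
     *
     * <p>The caller-supplied identifier and version are checked against the raw entry's own
     * metadata before any decryption happens, so a swapped or relabelled entry fails fast with
     * {@link PotentiallyMaliciousDataException} instead of being fed to the encryptor. The
     * decrypted buffer is shredded whether or not parsing succeeds.
     *
     * @param secretIdentifier the identifier the caller expects this entry to have
     * @param j the version the caller expects this entry to have
     * @throws PotentiallyMaliciousDataException if the raw entry's metadata does not match
     */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public SecretEntry decryptEvenIfNotActive(RawSecretEntry rawSecretEntry, SecretIdentifier secretIdentifier, long j) {
        DefaultEncryptionContext context = new DefaultEncryptionContext(this.groupIdentifier, secretIdentifier, j, rawSecretEntry.state, rawSecretEntry.notBefore, rawSecretEntry.notAfter);
        verifyNotTamperedWithOrThrow(rawSecretEntry, context);
        byte[] plaintext = this.encryptor.decrypt(rawSecretEntry.encryptedPayload, context);
        try {
            EncryptionPayload payload = EncryptionPayload.fromByteArray(plaintext);
            return new SecretEntry(payload, rawSecretEntry);
        } finally {
            BestEffortShredder.shred(plaintext);
        }
    }

    /**
     * Rejects a raw entry whose name or version differs from the ones the caller asked for (and
     * hence from the ones bound into the encryption context).
     */
    private void verifyNotTamperedWithOrThrow(RawSecretEntry rawSecretEntry, DefaultEncryptionContext defaultEncryptionContext) {
        boolean sameName = rawSecretEntry.secretIdentifier.equals(defaultEncryptionContext.secretIdentifier);
        boolean sameVersion = rawSecretEntry.version.equals(defaultEncryptionContext.secretVersion);
        if (!sameName || !sameVersion) {
            throw new PotentiallyMaliciousDataException("The metadata in the raw entry does not match the encrypted data!");
        }
    }

    /**
     * Rewrites one version of a secret with updated metadata (state, comment, user data,
     * modifier). The secret value, creator and validity window are carried over unchanged; the
     * version number is kept and only the modified timestamp moves to "now".
     *
     * @return the re-encrypted entry that replaced the old one in the store
     * @throws DoesNotExistException if that name/version pair is not stored
     */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public RawSecretEntry update(SecretMetadata secretMetadata) {
        this.readWriteLock.writeLock().lock();
        Optional<RawSecretEntry> existing = Optional.empty();
        SecretEntry current = null;
        NewSecretEntry replacement = null;
        try {
            existing = stream()
                    .filter(Config.name.eq(secretMetadata.secretIdentifier).AND(Config.version.eq(Long.valueOf(secretMetadata.version))))
                    .findFirst();
            if (!existing.isPresent()) {
                throw new DoesNotExistException(String.format("Secret with name=%s,version=%s does not exist", secretMetadata.secretIdentifier.name, Long.valueOf(secretMetadata.version)));
            }
            current = decryptEvenIfNotActive(existing.get(), secretMetadata.secretIdentifier, secretMetadata.version);
            // Absent metadata fields fall back to what is currently stored.
            replacement = new NewSecretEntry(
                    secretMetadata.secretIdentifier,
                    current.secretValue,
                    secretMetadata.state.orElse(current.state),
                    current.createdBy,
                    current.notBefore,
                    current.notAfter,
                    secretMetadata.comment.orElse(current.comment),
                    secretMetadata.userData.orElse(current.userData));
            RawSecretEntry updated = createEntry(replacement, current.version, current.created, FormattedTimestamp.now(), secretMetadata.modifiedBy);
            this.store.update(updated, existing.get());
            return updated;
        } finally {
            // Shred the decrypted material even if encryption or the store update failed.
            if (replacement != null) {
                replacement.bestEffortShred();
            }
            if (current != null) {
                current.bestEffortShred();
            }
            existing.ifPresent(RawSecretEntry::bestEffortShred);
            this.readWriteLock.writeLock().unlock();
        }
    }

    /** Streams the encrypted entries of this group straight from the store (no lock taken). */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public KVStream<RawSecretEntry> stream() {
        return this.store.stream();
    }

    /**
     * Deletes a secret (all of its versions, as far as the store's delete goes) from the store.
     * Runs under the write lock like every other mutation of this group.
     */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public void delete(SecretIdentifier secretIdentifier) {
        this.readWriteLock.writeLock().lock();
        try {
            this.store.delete(secretIdentifier);
        } finally {
            this.readWriteLock.writeLock().unlock();
        }
    }

    /** Identifiers of all secrets in this group, as reported by the store (no lock taken). */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup
    public Set<SecretIdentifier> identifiers() {
        return this.store.keySet();
    }

    /** Closes the backing store; taken under the write lock so no mutation is in flight. */
    @Override // com.schibsted.security.strongbox.sdk.SecretsGroup, java.lang.AutoCloseable
    public void close() {
        this.readWriteLock.writeLock().lock();
        try {
            this.store.close();
        } finally {
            this.readWriteLock.writeLock().unlock();
        }
    }
}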
