package org.wso2.carbon.securevault.azure.repository;

import com.azure.core.exception.ResourceNotFoundException;
import com.azure.security.keyvault.secrets.SecretClient;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.securevault.azure.commons.ConfigUtils;
import org.wso2.carbon.securevault.azure.commons.Constants;
import org.wso2.carbon.securevault.azure.exception.AzureSecretRepositoryException;
import org.wso2.securevault.CipherFactory;
import org.wso2.securevault.CipherOperationMode;
import org.wso2.securevault.DecryptionProvider;
import org.wso2.securevault.EncodingType;
import org.wso2.securevault.definition.CipherInformation;
import org.wso2.securevault.keystore.IdentityKeyStoreWrapper;
import org.wso2.securevault.keystore.TrustKeyStoreWrapper;
import org.wso2.securevault.secret.SecretRepository;

/* loaded from: input_file:org/wso2/carbon/securevault/azure/repository/AzureSecretRepository.class */
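/**
 * {@link SecretRepository} backed by Azure Key Vault.
 *
 * <p>Secrets are addressed by a reference of the form {@code secretName} or
 * {@code secretName<VERSION_DELIMITER>secretVersion}. When {@code encryptionEnabled} is set in
 * the repository configuration, the value stored in the vault is treated as Base64 ciphertext
 * and is decrypted with the server's identity keystore before it is returned.
 *
 * <p>Failure semantics worth knowing: {@link #init} cannot report an initialization failure
 * (it only logs it), and {@link #getSecret} returns an empty string on every retrieval
 * failure. Callers that treat an empty string as "no secret configured" must be aware that
 * the same value also covers misconfiguration, a missing secret and transport errors.
 */
public class AzureSecretRepository implements SecretRepository {

    private static final Log log = LogFactory.getLog(AzureSecretRepository.class);

    /** Config key for the asymmetric algorithm used to decrypt vault values. */
    private static final String ALGORITHM = "algorithm";
    private static final String DEFAULT_ALGORITHM = "RSA";
    /** Config key that switches on decryption of values read from the vault. */
    private static final String CONFIG_ENCRYPTION_ENABLED = "encryptionEnabled";
    /** Azure Key Vault secret names: alphanumerics and dashes only. */
    private static final String SECRET_NAME_REGEX = "^[a-zA-Z0-9-]*$";
    private static final Pattern SECRET_NAME_PATTERN = Pattern.compile(SECRET_NAME_REGEX);
    /** Versions are allow-listed with the same character set as names before reaching the SDK. */
    private static final Pattern SECRET_VERSION_PATTERN = SECRET_NAME_PATTERN;

    private boolean encryptionEnabled;
    private DecryptionProvider baseCipher;
    private SecretRepository parentRepository;
    private IdentityKeyStoreWrapper identityKeyStoreWrapper;
    private TrustKeyStoreWrapper trustKeyStoreWrapper;
    private ConfigUtils configUtils;
    private SecretClient secretClient;

    /** Parsed form of a secret reference: a vault secret name plus an optional version. */
    public static class SecretReference {
        private final String secretName;
        private final String secretVersion;

        public SecretReference(String str) {
            this(str, null);
        }

        public SecretReference(String str, String str2) {
            this.secretName = str;
            this.secretVersion = str2;
        }
    }

    public AzureSecretRepository(IdentityKeyStoreWrapper identityKeyStoreWrapper, TrustKeyStoreWrapper trustKeyStoreWrapper) {
        this.identityKeyStoreWrapper = identityKeyStoreWrapper;
        this.trustKeyStoreWrapper = trustKeyStoreWrapper;
    }

    public AzureSecretRepository() {
    }

    /**
     * Initializes the repository from the secure vault configuration.
     *
     * @param properties the secure vault properties
     * @param str        name of the calling secret callback handler; when it equals
     *                   {@link Constants#AZURE_SECRET_CALLBACK_HANDLER} only the vault client is
     *                   set up and decryption stays disabled
     */
    public void init(Properties properties, String str) {
        try {
            if (!Constants.AZURE_SECRET_CALLBACK_HANDLER.equals(str)) {
                this.configUtils = ConfigUtils.getInstance();
                String enabled = this.configUtils.getAzureSecretRepositoryConfig(properties, CONFIG_ENCRYPTION_ENABLED);
                this.encryptionEnabled = Boolean.parseBoolean(enabled);
                if (this.encryptionEnabled) {
                    initDecryptionProvider(properties);
                }
            }
            this.secretClient = SecretClientFactory.getSecretClient(properties);
        } catch (AzureSecretRepositoryException e) {
            // SecretRepository.init() offers no way to propagate failure. The repository is left
            // without a client, so every later lookup logs an error and yields "".
            log.error("Failed to initialize secret repository.", e);
        }
    }

    /**
     * Resolves a secret reference to its plaintext value.
     *
     * @param str secret reference ({@code name} or {@code name<delimiter>version})
     * @return the secret value, decrypted when {@code encryptionEnabled} is set; an empty string
     *         if the reference is empty or malformed, the client is not initialized, the secret
     *         does not exist, or decryption is enabled but no decryption provider is available
     */
    @SuppressFBWarnings({"CRLF_INJECTION_LOGS"})
    public String getSecret(String str) {
        String value = "";
        try {
            value = retrieveSecretFromVault(str);
        } catch (AzureSecretRepositoryException e) {
            log.error("Secret retrieval failed.", e);
        }
        if (StringUtils.isEmpty(value)) {
            // The reference is caller-supplied; strip CR/LF so it cannot forge log lines.
            String reference = StringUtils.isEmpty(str) ? "empty reference" : "reference '" + str + "'";
            log.error("Failed to retrieve secret with " + sanitize(reference) + ". Value set to empty String.");
            return value;
        }
        if (log.isDebugEnabled()) {
            log.debug("Secret with reference '" + sanitize(str) + "' was successfully retrieved from Azure Key Vault.");
        }
        if (!this.encryptionEnabled) {
            return value;
        }
        if (this.baseCipher == null) {
            // encryptionEnabled is recorded before initDecryptionProvider() can fail; never hand
            // out the raw vault value (still ciphertext) in that half-initialized state.
            log.error("Encryption is enabled but the decryption provider is not initialized. Value set to empty String.");
            return "";
        }
        byte[] plaintext = this.baseCipher.decrypt(value.trim().getBytes(StandardCharsets.UTF_8));
        if (log.isDebugEnabled()) {
            log.debug("Retrieved secret was successfully decrypted.");
        }
        return new String(plaintext, StandardCharsets.UTF_8);
    }

    /**
     * Returns the value exactly as stored in the vault, without decrypting it.
     *
     * @param str secret reference ({@code name} or {@code name<delimiter>version})
     * @return the raw vault value, or an empty string if retrieval fails
     * @throws UnsupportedOperationException if {@code encryptionEnabled} is not set
     */
    @SuppressFBWarnings({"CRLF_INJECTION_LOGS"})
    public String getEncryptedData(String str) {
        if (!this.encryptionEnabled) {
            throw new UnsupportedOperationException("Encryption has not been enabled.");
        }
        try {
            return retrieveSecretFromVault(str);
        } catch (AzureSecretRepositoryException e) {
            // A null reference is rejected by parseSecretReference() and lands here, so the
            // reference must be null-guarded before sanitizing. The cause is kept, as in getSecret().
            log.error("Retrieval of encrypted data of secret with reference '" + sanitize(StringUtils.defaultString(str)) + "' from Azure Key Vault failed. Returning empty String.", e);
            return "";
        }
    }

    public void setParent(SecretRepository secretRepository) {
        this.parentRepository = secretRepository;
    }

    public SecretRepository getParent() {
        return this.parentRepository;
    }

    /**
     * Builds the {@link DecryptionProvider} that unwraps vault values with the identity keystore.
     *
     * @param properties the secure vault properties (read for the optional {@code algorithm} key)
     * @throws AzureSecretRepositoryException if no identity keystore has been supplied
     */
    private void initDecryptionProvider(Properties properties) throws AzureSecretRepositoryException {
        if (this.identityKeyStoreWrapper == null) {
            throw new AzureSecretRepositoryException("Failed to initialize decryption provider. Keystore has not been initialized.");
        }
        String algorithm = this.configUtils.getAzureSecretRepositoryConfig(properties, ALGORITHM);
        if (StringUtils.isEmpty(algorithm)) {
            if (log.isDebugEnabled()) {
                log.debug("No algorithm configured. Using default value: RSA");
            }
            algorithm = DEFAULT_ALGORITHM;
        }
        // NOTE(review): the algorithm string is taken verbatim from configuration; whoever can
        // edit that file chooses the cipher transformation used to unwrap secrets.
        CipherInformation cipherInformation = new CipherInformation();
        cipherInformation.setAlgorithm(algorithm);
        cipherInformation.setCipherOperationMode(CipherOperationMode.DECRYPT);
        // Vault values are read as Base64-encoded ciphertext.
        cipherInformation.setInType(EncodingType.BASE64);
        this.baseCipher = CipherFactory.createCipher(cipherInformation, this.identityKeyStoreWrapper);
    }

    /**
     * Fetches a secret from the vault.
     *
     * @param str secret reference ({@code name} or {@code name<delimiter>version})
     * @return the stored value, or an empty string when no client has been initialized
     * @throws AzureSecretRepositoryException if the reference is malformed, the name or version
     *         contains characters outside {@code [A-Za-z0-9-]}, or the secret does not exist
     */
    @SuppressFBWarnings({"CRLF_INJECTION_LOGS"})
    private String retrieveSecretFromVault(String str) throws AzureSecretRepositoryException {
        if (this.secretClient == null) {
            return "";
        }
        SecretReference reference = parseSecretReference(str);
        if (!SECRET_NAME_PATTERN.matcher(reference.secretName).matches()) {
            throw new AzureSecretRepositoryException("Invalid secret name: " + sanitize(reference.secretName) + ". Azure Key Vault secret names can only contain alphanumeric characters and dashes.");
        }
        boolean hasVersion = StringUtils.isNotEmpty(reference.secretVersion);
        if (hasVersion && !SECRET_VERSION_PATTERN.matcher(reference.secretVersion).matches()) {
            // The version is handed to the SDK alongside the name and presumably ends up in the
            // request path; apply the same allow-list as for the name instead of relying on
            // the SDK's encoding.
            throw new AzureSecretRepositoryException("Invalid secret version: " + sanitize(reference.secretVersion) + ". Azure Key Vault secret versions can only contain alphanumeric characters and dashes.");
        }
        if (log.isDebugEnabled()) {
            if (hasVersion) {
                log.debug("Secret version '" + sanitize(reference.secretVersion) + "' found for secret '" + sanitize(reference.secretName) + "'. Retrieving specified version of secret.");
            } else {
                log.debug("Secret version not found for secret '" + sanitize(str) + "'. Retrieving latest version of secret.");
            }
        }
        try {
            // A null version is passed through unchanged; the SDK resolves it to the latest version.
            return this.secretClient.getSecret(reference.secretName, reference.secretVersion).getValue();
        } catch (ResourceNotFoundException e) {
            throw new AzureSecretRepositoryException("Secret not found in Key Vault.", e);
        }
    }

    /**
     * Splits a reference into its name and optional version.
     *
     * @param str secret reference ({@code name} or {@code name<delimiter>version})
     * @return the parsed reference; the version is {@code null} when no delimiter is present
     * @throws AzureSecretRepositoryException if the reference is empty, contains more than one
     *         delimiter, or has an empty name in front of the delimiter
     */
    @SuppressFBWarnings({"CRLF_INJECTION_LOGS"})
    private SecretReference parseSecretReference(String str) throws AzureSecretRepositoryException {
        if (StringUtils.isEmpty(str)) {
            throw new AzureSecretRepositoryException("Secret alias cannot be empty.");
        }
        if (!str.contains(Constants.VERSION_DELIMITER)) {
            return new SecretReference(str);
        }
        if (StringUtils.countMatches(str, Constants.VERSION_DELIMITER) != 1) {
            throw new AzureSecretRepositoryException("Syntax error in secret reference '" + sanitize(str) + "'. Secret reference should be in the format 'secretName" + Constants.VERSION_DELIMITER + "secretVersion'. Note that there should be only one " + Constants.VERSION_DELIMITER + Constants.DOT);
        }
        // Split literally with indexOf: String.split() interprets its argument as a regex, which
        // silently misbehaves if VERSION_DELIMITER ever contains a regex metacharacter.
        int at = str.indexOf(Constants.VERSION_DELIMITER);
        String name = str.substring(0, at);
        String version = str.substring(at + Constants.VERSION_DELIMITER.length());
        if (StringUtils.isEmpty(name)) {
            throw new AzureSecretRepositoryException("Secret name cannot be empty.");
        }
        return new SecretReference(name, version);
    }

    /**
     * Supplies the keystores used for decryption after construction with the no-arg constructor.
     */
    public void setKeyStores(IdentityKeyStoreWrapper identityKeyStoreWrapper, TrustKeyStoreWrapper trustKeyStoreWrapper) {
        this.identityKeyStoreWrapper = identityKeyStoreWrapper;
        this.trustKeyStoreWrapper = trustKeyStoreWrapper;
    }

    /** Strips CR/LF from caller-supplied text before it is written to the log (log-forging defence). */
    private static String sanitize(String text) {
        return text.replaceAll(Constants.CRLF_SANITATION_REGEX, "");
    }
}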
