package org.interledger.connector.crypto.cli.shell.commands;

import ch.qos.logback.core.rolling.helper.DateTokenConverter;
import com.google.api.gax.core.CredentialsProvider;
import com.google.auth.Credentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.ServiceOptions;
import com.google.cloud.kms.v1.stub.KeyManagementServiceStubSettings;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.SecretKey;
import org.interledger.connector.core.ConfigConstants;
import org.interledger.crypto.CryptoConfigConstants;
import org.interledger.crypto.EncryptedSecret;
import org.interledger.crypto.EncryptionAlgorithm;
import org.interledger.crypto.EncryptionException;
import org.interledger.crypto.JavaKeystoreLoader;
import org.interledger.crypto.KeyMetadata;
import org.interledger.crypto.KeyStoreType;
import org.interledger.crypto.impl.GcpEncryptionService;
import org.interledger.crypto.impl.JksEncryptionService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;
import org.springframework.shell.Availability;
import org.springframework.shell.standard.ShellCommandGroup;
import org.springframework.shell.standard.ShellComponent;
import org.springframework.shell.standard.ShellMethod;
import org.springframework.shell.standard.ShellMethodAvailability;
import org.springframework.util.StringUtils;

@ShellCommandGroup("Encryption Commands")
@ShellComponent
/* loaded from: input_file:BOOT-INF/classes/org/interledger/connector/crypto/cli/shell/commands/EncryptionCommands.class */
public class EncryptionCommands {
    private static final String GCP_CONFIGURATION = "GCP Configuration";
    private static final String JKS_CONFIGURATION = "JKS Configuration";
    private static final String UNSET = "[unset]";
    private String gcpProjectId;
    private final Logger blankLineLogger = LoggerFactory.getLogger("blank.line.logger");
    private KeyStoreType keyStoreType = KeyStoreType.JKS;
    private String jksFileName = "crypto.p12";
    private String jksPassword = "password";
    private String secret0KeyAlias = CryptoConfigConstants.INTERLEDGER_CONNECTOR_KEYSTORE_JKS_SECRET0_ALIAS_DEFAULT;
    private String secret0KeyPassword = "password";
    private Optional<String> gcpKeyringLocationId = Optional.of("global");
    private Optional<String> keyringIdentifier = Optional.of(ConfigConstants.CONNECTOR);
    private EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.GOOGLE_SYMMETRIC;
    private Optional<String> encryptionKeyIdentifier = Optional.of(CryptoConfigConstants.INTERLEDGER_CONNECTOR_KEYSTORE_JKS_SECRET0_ALIAS_DEFAULT);
    private String encryptionKeyVersion = CustomBooleanEditor.VALUE_1;
    private CredentialsProvider credentialsProvider = KeyManagementServiceStubSettings.defaultCredentialsProviderBuilder().build();

    public EncryptionCommands() {
        lookForGcpCredentials();
        if (this.gcpProjectId != null) {
            this.blankLineLogger.info("Using GCP as the default keystore platform");
            setKeystorePlatform(KeyStoreType.GCP.name());
        } else {
            this.blankLineLogger.info("Using JKS as the default keystore platform");
            setKeystorePlatform(KeyStoreType.JKS.name());
        }
    }

    private void lookForGcpCredentials() {
        if (Files.exists(Paths.get(System.getenv(ServiceOptions.CREDENTIAL_ENV_NAME), new String[0]), new LinkOption[0])) {
            try {
                Credentials credentials = this.credentialsProvider.getCredentials();
                if (credentials instanceof ServiceAccountCredentials) {
                    this.gcpProjectId = ((ServiceAccountCredentials) credentials).getProjectId();
                } else {
                    this.gcpProjectId = ServiceOptions.getDefaultProjectId();
                }
            } catch (Exception e) {
                this.blankLineLogger.warn("Failed to load GCP credentials. Cause: " + e.getMessage());
            }
        }
    }

    @ShellMethod(value = "Encrypt a plaintext value", key = {"e", "encrypt"})
    String encrypt(String str) throws Exception {
        return encryptHelper(str.getBytes());
    }

    @ShellMethod(value = "Encrypt a plaintext value encoded that is Base64-encoded", key = {"eb64", "encrypt-base64"})
    String encryptB64(String str) throws Exception {
        return encryptHelper(Base64.getDecoder().decode(str));
    }

    private String encryptHelper(byte[] bArr) throws Exception {
        Objects.requireNonNull(bArr);
        if (bArr.length == 0) {
            throw new RuntimeException("Secret must not be empty!");
        }
        if (this.keyStoreType.equals(KeyStoreType.GCP)) {
            return "Encoded Encrypted Secret: " + new GcpEncryptionService(this.gcpProjectId, this.gcpKeyringLocationId.get(), this.credentialsProvider).encrypt(KeyMetadata.builder().keyIdentifier(this.encryptionKeyIdentifier.get()).keyVersion(this.encryptionKeyVersion).keyringIdentifier(this.keyringIdentifier.get()).platformIdentifier(this.keyStoreType.getKeystoreId()).build(), this.encryptionAlgorithm, bArr).encodedValue();
        }
        if (!this.keyStoreType.equals(KeyStoreType.JKS)) {
            throw new RuntimeException("Please select a valid Keystore Platform! Unsupported Platform: " + this.keyStoreType);
        }
        return "Encoded Encrypted Secret: " + new JksEncryptionService(loadSecretKeyFromJavaKeystore(JavaKeystoreLoader.loadFromClasspath(this.jksFileName, this.jksPassword.toCharArray()))).encrypt(KeyMetadata.builder().platformIdentifier(this.keyStoreType.getKeystoreId()).keyringIdentifier(this.jksFileName).keyIdentifier(this.secret0KeyAlias).keyVersion(CustomBooleanEditor.VALUE_1).build(), this.encryptionAlgorithm, bArr).encodedValue();
    }

    @ShellMethod(value = "Decrypt an encrypted value", key = {DateTokenConverter.CONVERTER_KEY, "decrypt"})
    String decrypt(String str) throws Exception {
        if (str.length() <= 0) {
            throw new RuntimeException("cipherMessageB64 must not be empty!");
        }
        if (this.keyStoreType.equals(KeyStoreType.GCP)) {
            return "PlainText: " + new String(new GcpEncryptionService(this.gcpProjectId, this.gcpKeyringLocationId.get(), this.credentialsProvider).decrypt(EncryptedSecret.fromEncodedValue(str)));
        }
        if (!this.keyStoreType.equals(KeyStoreType.JKS)) {
            throw new RuntimeException("Please select a valid Keystore Platform! Unsupported Platform: " + this.keyStoreType);
        }
        return "PlainText: " + new String(new JksEncryptionService(loadSecretKeyFromJavaKeystore(JavaKeystoreLoader.loadFromClasspath(this.jksFileName, this.jksPassword.toCharArray()))).decrypt(EncryptedSecret.fromEncodedValue(str)));
    }

    @ShellMethod(value = "Set the keystore platform (defaults to Google KMS)", key = {"pid", "keystore-platform-id"})
    public String setKeystorePlatform(String str) {
        this.keyStoreType = KeyStoreType.valueOf(str.toUpperCase());
        if (KeyStoreType.GCP.equals(this.keyStoreType)) {
            this.encryptionAlgorithm = EncryptionAlgorithm.GOOGLE_SYMMETRIC;
        } else if (KeyStoreType.JKS.equals(this.keyStoreType)) {
            this.encryptionAlgorithm = EncryptionAlgorithm.AES_GCM;
        }
        return String.format("Keystore Platform set to: `%s`", str);
    }

    @ShellMethod(value = "Show current values", key = {"cv", "current-values"})
    public void showCurrentValues() {
        if (KeyStoreType.GCP.equals(this.keyStoreType)) {
            this.blankLineLogger.info("Keystore Type         : " + this.keyStoreType);
            this.blankLineLogger.info("GCP Project Id        : " + this.gcpProjectId);
            this.blankLineLogger.info("Keyring Location      : " + this.gcpKeyringLocationId.orElse(UNSET));
            this.blankLineLogger.info("Keyring Id            : " + this.keyringIdentifier.orElse(UNSET));
            this.blankLineLogger.info("Encryption Algorithm  : " + this.encryptionAlgorithm);
            this.blankLineLogger.info("Encryption Key Id     : " + this.encryptionKeyIdentifier.orElse(UNSET));
            this.blankLineLogger.info("Encryption Key Version: " + this.encryptionKeyVersion);
            return;
        }
        if (KeyStoreType.JKS.equals(this.keyStoreType)) {
            this.blankLineLogger.info("Keystore Type    : " + this.keyStoreType);
            this.blankLineLogger.info("JKS File         : " + this.jksFileName);
            this.blankLineLogger.info("JKS File Password: ********");
            this.blankLineLogger.info("Secret0 Alias    : " + this.secret0KeyAlias);
            this.blankLineLogger.info("Secret0 Password : ********");
        }
    }

    @ShellMethodAvailability({"e", "encrypt"})
    Availability availabilityCheck() {
        if (KeyStoreType.GCP.equals(this.keyStoreType)) {
            if (!this.gcpKeyringLocationId.isPresent()) {
                return Availability.unavailable("You must specify the GCP Keyring Location Id!");
            }
            if (!this.keyringIdentifier.isPresent()) {
                return Availability.unavailable("You must specify the keyring identifier!");
            }
            if (StringUtils.isEmpty(this.encryptionKeyIdentifier)) {
                return Availability.unavailable("You must specify the encryption key identifier!");
            }
            if (StringUtils.isEmpty(this.encryptionKeyVersion)) {
                return Availability.unavailable("You must specify the encryption key version!");
            }
            if (!this.encryptionAlgorithm.equals(EncryptionAlgorithm.GOOGLE_SYMMETRIC)) {
                return Availability.unavailable("GCP currently only supports " + EncryptionAlgorithm.GOOGLE_SYMMETRIC);
            }
        } else if (KeyStoreType.JKS.equals(this.keyStoreType)) {
            if (StringUtils.isEmpty(this.jksFileName)) {
                return Availability.unavailable("You must specify the JKS filename!");
            }
            if (this.jksPassword == null) {
                return Availability.unavailable("You must specify the JKS password!");
            }
            if (StringUtils.isEmpty(this.secret0KeyAlias)) {
                return Availability.unavailable("You must specify the Secret0 Key alias!");
            }
            if (this.secret0KeyPassword == null) {
                return Availability.unavailable("You must specify the Secret0 Key password!");
            }
            if (!this.encryptionAlgorithm.equals(EncryptionAlgorithm.AES_GCM)) {
                return Availability.unavailable("JKS currently only supports " + EncryptionAlgorithm.AES_GCM);
            }
        }
        return Availability.available();
    }

    @ShellMethod(value = "Set the JKS Filename", key = {"jksfn", "jks-filename"}, group = JKS_CONFIGURATION)
    public String setJksFileName(String str) {
        this.jksFileName = str;
        return String.format("JKS Filename set to: `%s`", str);
    }

    public Availability setJksFileNameAvailability() {
        return jksAvailability();
    }

    @ShellMethod(value = "Set the JKS Password", key = {"jkspw", "jks-password"}, group = JKS_CONFIGURATION)
    public String setJksPassword(String str) {
        this.jksPassword = str;
        this.secret0KeyPassword = str;
        return String.format("JKS Password set to: `%s`", "********");
    }

    public Availability setJksPasswordAvailability() {
        return jksAvailability();
    }

    @ShellMethod(value = "Set the JKS Secret0 Alias", key = {"jkss0a", "jks-secret0-alias"}, group = JKS_CONFIGURATION)
    public String setSecret0KeyAlias(String str) {
        this.secret0KeyAlias = str;
        return String.format("JKS secret0KeyAlias set to: `%s`", str);
    }

    public Availability setSecret0KeyAliasAvailability() {
        return jksAvailability();
    }

    @ShellMethod(value = "Set the JKS Secret0 Password", key = {"jkss0pw", "jks-secret0-password"}, group = JKS_CONFIGURATION)
    public String setSecret0KeyPassword(String str) {
        this.secret0KeyAlias = str;
        return String.format("JKS secret0KeyPassword set to: `%s`", str);
    }

    public Availability setSecret0KeyAvailability() {
        return jksAvailability();
    }

    public Availability setGcpProjectIdAvailability() {
        return gcpAvailability();
    }

    @ShellMethod(value = "Set the GCP Location Id", key = {"gcplid", "gcp-location-id"}, group = GCP_CONFIGURATION)
    public String setGcpLocationId(String str) {
        this.gcpKeyringLocationId = Optional.ofNullable(str);
        return String.format("GCP LocationId set to: `%s`", this.gcpKeyringLocationId.orElse(UNSET));
    }

    public Availability setGcpLocationIdAvailability() {
        return gcpAvailability();
    }

    @ShellMethod(value = "Set the Keyring platform", key = {"krid", "keyring-id"}, group = GCP_CONFIGURATION)
    public String setKeyringIdentifier(String str) {
        this.keyringIdentifier = Optional.ofNullable(str);
        return String.format("Keyring Identifier set to: `%s`", this.keyringIdentifier.orElse(UNSET));
    }

    public Availability setKeyringIdentifierAvailability() {
        return gcpAvailability();
    }

    @ShellMethod(value = "Set the Encryption Algorithm", key = {"ea", "encryption-alg"}, group = GCP_CONFIGURATION)
    public String setEncryptionAlgorithm(String str) {
        this.encryptionAlgorithm = EncryptionAlgorithm.valueOf(str);
        return String.format("Encryption algorithm set to: `%s`", this.encryptionAlgorithm);
    }

    public Availability setEncryptionAlgorithmAvailability() {
        return gcpAvailability();
    }

    @ShellMethod(value = "Set the Key Identifier to use for encryption", key = {"ekid", "encryption-key-id"}, group = GCP_CONFIGURATION)
    public String setEncryptionKeyIdentifier(String str) {
        this.encryptionKeyIdentifier = Optional.ofNullable(str);
        return String.format("Encryption Key Identifier set to: `%s`", this.encryptionKeyIdentifier.orElse(UNSET));
    }

    public Availability setEncryptionKeyIdentifierAvailability() {
        return gcpAvailability();
    }

    @ShellMethod(value = "Set the Key version to use for encryption", key = {"ekv", "encryption-key-version"}, group = GCP_CONFIGURATION)
    public String setEncryptionKeyVersion(String str) {
        this.encryptionKeyVersion = (String) Objects.requireNonNull(str);
        return String.format("Encryption Key Version set to: `%s`", this.encryptionKeyVersion);
    }

    public Availability setEncryptionKeyVersionAvailability() {
        return gcpAvailability();
    }

    private Availability jksAvailability() {
        return KeyStoreType.JKS.equals(this.keyStoreType) ? Availability.available() : Availability.unavailable("Only available for JKS Keystores!");
    }

    private Availability gcpAvailability() {
        return KeyStoreType.GCP.equals(this.keyStoreType) ? Availability.available() : Availability.unavailable("Only available for GCP KMS Keystore!");
    }

    private SecretKey loadSecretKeyFromJavaKeystore(KeyStore keyStore) throws Exception {
        Objects.requireNonNull(keyStore);
        if (keyStore.isKeyEntry(this.secret0KeyAlias)) {
            return (SecretKey) keyStore.getKey(this.secret0KeyAlias, this.secret0KeyPassword.toCharArray());
        }
        throw new EncryptionException("No KeyEntry found for secret0Alias: " + this.secret0KeyAlias);
    }
}
