package app.ztash.secretsmanager.core;

import app.ztash.secretsmanager.utils.SecretsManagerException;
import app.ztash.secretsmanager.utils.SecretsManagerUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import lombok.Generated;
import org.jetbrains.annotations.NotNull;
import org.microcrafts.openziti.ldap.ZitiApp;
import org.microcrafts.openziti.ldap.ZitiLdapConnectionConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:app/ztash/secretsmanager/core/SecretsManagerInitializer.class */
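/**
 * Bootstraps a {@link SecretsManagerContext} from either an existing key store or a
 * signed access token.
 *
 * <p>On first use the access token (supplied inline, or read from the file
 * {@code tokenFilePath/tokenFileName}) is verified as an HS256 JWS, its claims are used to
 * enroll with the secret repository, and the resulting credentials are written to a
 * password-protected key store inside {@code tokenFilePath}. Later calls find that key
 * store and read the credentials back instead of enrolling again.
 *
 * <p>Not thread-safe: two concurrent first-time calls on the same directory would both try
 * to create the key store file.
 */
public class SecretsManagerInitializer {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(SecretsManagerInitializer.class);

    // Key store aliases under which the three access parameters are persisted.
    private static final String ALIAS_ACCESS_KEY_ID = "secret-access-key-id";
    private static final String ALIAS_ACCESS_KEY = "secret-access-key";
    private static final String ALIAS_ACCESS_IDENTITY = "secret-access-identity";

    // Claim names expected in the verified access token.
    private static final String CLAIM_ACCESS_KEY_ID = "zecretAccessKeyId";
    private static final String CLAIM_ACCESS_KEY = "zecretAccessKey";
    private static final String CLAIM_ACCESS_TOKEN = "zecretAccessToken";

    // Secret-key factory algorithm used to wrap each value as a key store entry.
    private static final String PBE_ALGORITHM = "PBE";

    /**
     * Base64-encoded HS256 key used to verify the access token's signature.
     *
     * <p>NOTE(review): this verification key is a compile-time constant inside the class
     * file, so a token's signature only proves that its issuer knew this same embedded value;
     * the secret is effectively shared with every copy of the client. Loading it from
     * configuration, or moving to an asymmetric JWS algorithm so that no signing secret has
     * to ship with the client, would be the mitigation. It is kept verbatim here because
     * changing it would invalidate every token already issued against it.
     */
    private static final String TOKEN_VERIFICATION_KEY_B64 =
            "KkYtSmFOZFJnVWtYcDJzNXY4eS9CP0QoRytLYlBlU2hWbVlxM3Q2dzl6JEMmRilIQE1jUWZUalduWnI0dTd4IQ==";

    // Directory that holds the token file and the key store file.
    private final String tokenFilePath;
    // Name of the token file inside tokenFilePath; null when the token was given inline.
    private final String tokenFileName;
    // Password for the key store file and for each of its entries.
    private final String keyStorePass;
    // Access token given inline; null when it is to be read from tokenFileName.
    private final String token;

    /**
     * Creates an initializer that reads the access token from a file.
     *
     * @param tokenFilePath directory holding the token file and the key store
     * @param tokenFileName name of the token file inside {@code tokenFilePath}
     * @param keyStorePass password protecting the key store and its entries
     */
    public SecretsManagerInitializer(String tokenFilePath, String tokenFileName, String keyStorePass) {
        this.tokenFilePath = tokenFilePath;
        this.tokenFileName = tokenFileName;
        this.keyStorePass = keyStorePass;
        this.token = null;
    }

    /**
     * Creates an initializer that uses an access token supplied directly.
     *
     * @param tokenFilePath directory holding the key store
     * @param token the compact JWS access token
     * @param keyStorePass password protecting the key store and its entries
     * @param inlineToken distinguishes this overload from the file-based one; its value is not used
     */
    public SecretsManagerInitializer(String tokenFilePath, String token, String keyStorePass, boolean inlineToken) {
        this.tokenFilePath = tokenFilePath;
        this.token = token;
        this.keyStorePass = keyStorePass;
        this.tokenFileName = null;
    }

    /**
     * Builds the secrets-manager context, creating the key store on first use.
     *
     * @return a context carrying the repository credentials, the enrolled service context
     *     and the LDAP connection configuration
     * @throws SecretsManagerException when the context cannot be assembled from the credentials
     * @throws IllegalArgumentException when the token directory, token file or key store is
     *     missing, unreadable or malformed
     */
    public SecretsManagerContext getContext() throws SecretsManagerException {
        validateTokenFilePath(this.tokenFilePath);
        KeyStore keyStore = initKeyStore();
        File keyStoreFile = new File(this.tokenFilePath + File.separator + SecretsManagerUtil.getKeyFileName());
        SecretRepositoryCredentials creds;
        if (keyStoreFile.exists()) {
            log.info("Reading zecrets access parameters from existing key store");
            creds = getSecretAccessCreds(keyStore, keyStoreFile);
        } else {
            log.info("Creating new key store to store and read zecrets access parameters");
            creds = setSecretAccessCreds(keyStore, keyStoreFile, getClaims(resolveToken()));
        }
        try {
            return SecretsManagerContext.builder()
                    .secretRepositoryCredentials(creds)
                    .secretRepoServiceContext(new ZitiApp.CredentialBuilder()
                            .fromKey(creds.getSecretAccessIdentity())
                            .build()
                            .getContext())
                    .secretRepoConnectionConfig(new ZitiLdapConnectionConfig.Builder()
                            .service(SecretsManagerUtil.secretRepoService())
                            .bindDn(SecretsManagerUtil.secretRepoConnectDn(creds))
                            .bindPass(creds.getSecretAccessKey())
                            .build())
                    .build();
        } catch (Exception e) {
            // The cause is logged rather than chained because SecretsManagerException's
            // constructors are outside this file — confirm whether a (String, Throwable)
            // overload exists and chain it if so.
            log.error("Unable to initialize zecrets manager", e);
            throw new SecretsManagerException("Unable to initialize zecrets manager; Reason: ztash context initialization failed");
        }
    }

    /** Returns the inline token when one was supplied, otherwise reads it from the token file. */
    private String resolveToken() {
        if (this.token != null) {
            return this.token;
        }
        return validateGetToken(new File(this.tokenFilePath + File.separator + this.tokenFileName));
    }

    /**
     * Creates an empty, not-yet-loaded key store of the configured type.
     *
     * @throws IllegalArgumentException when the JCA has no provider for that type
     */
    @NotNull
    private KeyStore initKeyStore() {
        String keyStoreType = SecretsManagerUtil.getKeyFileType();
        try {
            return KeyStore.getInstance(keyStoreType);
        } catch (KeyStoreException e) {
            // Report the type actually requested instead of a hard-coded "PKCS12".
            throw new IllegalArgumentException(String.format("Keystore format : %s not supported", keyStoreType), e);
        }
    }

    /**
     * Enrolls with the repository using the token's claims and persists the resulting
     * credentials into a freshly created key store at {@code file}.
     *
     * @param keyStore an instantiated but unloaded key store
     * @param file where the key store is written
     * @param claims verified claims of the access token
     * @return the credentials that were stored
     * @throws IllegalArgumentException when a claim is missing or the key store cannot be built or written
     */
    private SecretRepositoryCredentials setSecretAccessCreds(KeyStore keyStore, File file, Claims claims) {
        try {
            String accessKeyId = requireClaim(claims, CLAIM_ACCESS_KEY_ID);
            String accessKey = requireClaim(claims, CLAIM_ACCESS_KEY);
            String accessToken = requireClaim(claims, CLAIM_ACCESS_TOKEN);
            String identity = ZitiApp.enroll(new ByteArrayInputStream(accessToken.getBytes(StandardCharsets.UTF_8)));
            // load(null) initialises an empty in-memory store before entries are added.
            keyStore.load(null);
            SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
            putSecretEntry(keyStore, factory, ALIAS_ACCESS_KEY_ID, accessKeyId);
            putSecretEntry(keyStore, factory, ALIAS_ACCESS_KEY, accessKey);
            putSecretEntry(keyStore, factory, ALIAS_ACCESS_IDENTITY, identity);
            // try-with-resources: the original left the output stream open.
            try (FileOutputStream out = new FileOutputStream(file)) {
                keyStore.store(out, this.keyStorePass.toCharArray());
            }
            return SecretRepositoryCredentials.builder()
                    .secretAccessKeyId(accessKeyId)
                    .secretAccessKey(accessKey)
                    .secretAccessIdentity(identity)
                    .build();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
            throw new IllegalArgumentException(String.format("Keystore : %s loading (or) entries reading error", file), e);
        }
    }

    /**
     * Reads a string claim, failing with a descriptive error instead of a later NPE.
     * The claim value itself is deliberately not included in the message.
     */
    private static String requireClaim(Claims claims, String name) {
        String value = claims.get(name, String.class);
        if (value == null) {
            throw new IllegalArgumentException(String.format("Access token is missing claim : %s", name));
        }
        return value;
    }

    /** Stores {@code value} under {@code alias} as a password-protected PBE secret-key entry. */
    private void putSecretEntry(KeyStore keyStore, SecretKeyFactory factory, String alias, String value)
            throws InvalidKeySpecException, KeyStoreException {
        char[] chars = value.toCharArray();
        try {
            keyStore.setEntry(alias,
                    new KeyStore.SecretKeyEntry(factory.generateSecret(new PBEKeySpec(chars))),
                    new KeyStore.PasswordProtection(this.keyStorePass.toCharArray()));
        } finally {
            // PBEKeySpec copies the array, so the local copy can be wiped once stored.
            Arrays.fill(chars, '\0');
        }
    }

    /**
     * Loads the key store at {@code file} and reads the three credential entries back.
     *
     * @param keyStore an instantiated but unloaded key store
     * @param file the existing key store file
     * @return the stored credentials
     * @throws IllegalArgumentException when the file cannot be loaded with the configured
     *     password or an expected entry is missing
     */
    private SecretRepositoryCredentials getSecretAccessCreds(KeyStore keyStore, File file) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
            // try-with-resources: the original left the input stream open.
            try (FileInputStream in = new FileInputStream(file)) {
                keyStore.load(in, this.keyStorePass.toCharArray());
            }
            return SecretRepositoryCredentials.builder()
                    .secretAccessKeyId(readSecretEntry(keyStore, factory, ALIAS_ACCESS_KEY_ID))
                    .secretAccessKey(readSecretEntry(keyStore, factory, ALIAS_ACCESS_KEY))
                    .secretAccessIdentity(readSecretEntry(keyStore, factory, ALIAS_ACCESS_IDENTITY))
                    .build();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | InvalidKeySpecException e) {
            throw new IllegalArgumentException(String.format("Keystore : %s loading (or) entries reading error", file), e);
        }
    }

    /**
     * Reads the PBE secret-key entry stored under {@code alias} back into a string.
     *
     * @throws UnrecoverableEntryException when the alias is absent or holds a different entry
     *     type (the original cast would have failed with a bare NPE/ClassCastException)
     */
    private String readSecretEntry(KeyStore keyStore, SecretKeyFactory factory, String alias)
            throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException, InvalidKeySpecException {
        KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(this.keyStorePass.toCharArray()));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new UnrecoverableEntryException(
                    String.format("Keystore entry : %s is missing or is not a secret-key entry", alias));
        }
        PBEKeySpec spec = (PBEKeySpec) factory.getKeySpec(((KeyStore.SecretKeyEntry) entry).getSecretKey(), PBEKeySpec.class);
        char[] chars = spec.getPassword();
        try {
            return new String(chars);
        } finally {
            // Wipe both the returned copy and the spec's own buffer.
            Arrays.fill(chars, '\0');
            spec.clearPassword();
        }
    }

    /**
     * Verifies {@code token} as a JWS signed with the embedded HS256 key and returns its claims.
     * A token whose signature does not verify is rejected by the parser with an unchecked
     * jjwt exception, which propagates to the caller.
     */
    private Claims getClaims(String token) {
        SecretKeySpec verificationKey = new SecretKeySpec(
                Base64.getDecoder().decode(TOKEN_VERIFICATION_KEY_B64),
                SignatureAlgorithm.HS256.getJcaName());
        return Jwts.parserBuilder()
                .setSigningKey(verificationKey)
                .build()
                .parseClaimsJws(token)
                .getBody();
    }

    /**
     * Reads the access token from {@code file} after checking it exists and is readable.
     *
     * <p>NOTE(review): the file content is passed on verbatim, so a trailing newline would
     * become part of the compact JWS — confirm the writer of this file does not add one.
     *
     * @throws IllegalArgumentException when the file is missing, unreadable or cannot be read
     */
    private String validateGetToken(File file) {
        if (!file.exists()) {
            throw new IllegalArgumentException(String.format("Token file : %s does not exist", file));
        }
        if (!file.canRead()) {
            throw new IllegalArgumentException(String.format("Token file : %s should have read permission", file));
        }
        try {
            return Files.readString(file.toPath());
        } catch (IOException e) {
            throw new IllegalArgumentException(String.format("Token file : %s could not be read", file), e);
        }
    }

    /**
     * Checks that {@code path} names an existing, writable directory; write access is
     * needed because the key store file is created inside it.
     *
     * @throws IllegalArgumentException when the check fails
     */
    private void validateTokenFilePath(String path) {
        if (path == null) {
            throw new IllegalArgumentException("Token file path must not be null");
        }
        File dir = new File(path);
        if (!dir.exists()) {
            throw new IllegalArgumentException(String.format("Token file path : %s does not exist", path));
        }
        if (!dir.isDirectory()) {
            throw new IllegalArgumentException(String.format("Token file path : %s is not a directory", path));
        }
        if (!dir.canWrite()) {
            throw new IllegalArgumentException(String.format("Token file path : %s should have write permission", path));
        }
    }
}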
