package internal.org.springframework.content.fragments;

import java.io.IOException;
import java.io.InputStream;
import java.util.Collection;
import java.util.List;
import java.util.function.BiFunction;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import lombok.Generated;
import org.springframework.content.commons.io.RangeableResource;
import org.springframework.content.commons.mappingcontext.ContentProperty;
import org.springframework.content.commons.mappingcontext.MappingContext;
import org.springframework.content.commons.property.PropertyPath;
import org.springframework.content.commons.store.GetResourceParams;
import org.springframework.content.commons.store.StoreAccessException;
import org.springframework.content.encryption.engine.ContentEncryptionEngine;
import org.springframework.content.encryption.keys.DataEncryptionKeyAccessor;
import org.springframework.content.encryption.keys.DataEncryptionKeyWrapper;
import org.springframework.content.encryption.keys.StoredDataEncryptionKey;
import org.springframework.core.io.Resource;
import org.springframework.util.Assert;

/* loaded from: input_file:internal/org/springframework/content/fragments/ContentCryptoService.class */
class ContentCryptoService<S, DEK extends StoredDataEncryptionKey> {
    private final MappingContext mappingContext;
    private final DataEncryptionKeyAccessor<S, DEK> dataEncryptionKeyAccessor;
    private final List<DataEncryptionKeyWrapper<DEK>> dataEncryptionKeyWrappers;
    private final ContentEncryptionEngine encryptionEngine;
    private static final Pattern RANGE_PATTERN = Pattern.compile("\\Abytes=(?<firstPos>[0-9]*)-(?<lastPos>[0-9]*)\\Z");

    public S encrypt(S s, PropertyPath propertyPath, InputStream inputStream, BiFunction<S, InputStream, S> biFunction) {
        Assert.notNull(s, "entity not set");
        Assert.notNull(propertyPath, "propertyPath not set");
        Assert.notNull(inputStream, "plainText not set");
        ContentProperty resolveContentPropertyRequired = resolveContentPropertyRequired(s, propertyPath);
        ContentEncryptionEngine.EncryptionParameters createNewParameters = this.encryptionEngine.createNewParameters();
        List list = this.dataEncryptionKeyWrappers.stream().map(dataEncryptionKeyWrapper -> {
            return dataEncryptionKeyWrapper.wrapEncryptionKey(createNewParameters);
        }).toList();
        return this.dataEncryptionKeyAccessor.setKeys(biFunction.apply(s, this.encryptionEngine.encrypt(inputStream, createNewParameters)), resolveContentPropertyRequired, list);
    }

    public Resource decrypt(S s, PropertyPath propertyPath, GetResourceParams getResourceParams, Supplier<Resource> supplier) {
        Assert.notNull(s, "entity not set");
        Assert.notNull(propertyPath, "propertyPath not set");
        Collection<DEK> findKeys = this.dataEncryptionKeyAccessor.findKeys(s, resolveContentPropertyRequired(s, propertyPath));
        Resource resource = supplier.get();
        if (findKeys == null) {
            return resource;
        }
        ContentEncryptionEngine.EncryptionParameters decryptEncryptionParameters = decryptEncryptionParameters(findKeys);
        if (decryptEncryptionParameters == null) {
            throw new StoreAccessException(String.format("Content property %s can not be decrypted".formatted(propertyPath.getName()), new Object[0]));
        }
        ContentEncryptionEngine.InputStreamRequestParameters full = ContentEncryptionEngine.InputStreamRequestParameters.full();
        if (getResourceParams != null) {
            try {
                full = parseRangePattern(getResourceParams.getRange(), resource);
            } catch (IOException e) {
                throw new StoreAccessException(String.format("Content property %s can not be accessed".formatted(propertyPath.getName()), new Object[0]), e);
            }
        }
        ContentEncryptionEngine.InputStreamRequestParameters inputStreamRequestParameters = full;
        return new DecryptedResource(() -> {
            return this.encryptionEngine.decrypt(inputStreamRequestParameters2 -> {
                if (resource instanceof RangeableResource) {
                    ((RangeableResource) resource).setRange(constructRangePattern(inputStreamRequestParameters2));
                }
                try {
                    return resource.getInputStream();
                } catch (IOException e2) {
                    throw new StoreAccessException(String.format("Content property %s can not be accessed".formatted(propertyPath.getName()), new Object[0]), e2);
                }
            }, decryptEncryptionParameters, inputStreamRequestParameters);
        }, resource);
    }

    public S clearKeys(S s, PropertyPath propertyPath) {
        return this.dataEncryptionKeyAccessor.clearKeys(s, resolveContentPropertyRequired(s, propertyPath));
    }

    private ContentProperty resolveContentPropertyRequired(S s, PropertyPath propertyPath) {
        ContentProperty contentProperty = this.mappingContext.getContentProperty(s.getClass(), propertyPath.getName());
        if (contentProperty == null) {
            throw new StoreAccessException(String.format("Content property %s does not exist", propertyPath.getName()));
        }
        return contentProperty;
    }

    private ContentEncryptionEngine.EncryptionParameters decryptEncryptionParameters(Collection<DEK> collection) {
        for (DataEncryptionKeyWrapper<DEK> dataEncryptionKeyWrapper : this.dataEncryptionKeyWrappers) {
            for (DEK dek : collection) {
                if (dataEncryptionKeyWrapper.supports(dek)) {
                    return dataEncryptionKeyWrapper.unwrapEncryptionKey(dek);
                }
            }
        }
        return null;
    }

    private static ContentEncryptionEngine.InputStreamRequestParameters parseRangePattern(String str, Resource resource) throws IOException {
        if (str == null || str.isEmpty()) {
            return ContentEncryptionEngine.InputStreamRequestParameters.full();
        }
        Matcher matcher = RANGE_PATTERN.matcher(str);
        if (!matcher.matches()) {
            throw new StoreAccessException(String.format("Range request '%s' is not supported. Only a single byte-range is supported".formatted(str), new Object[0]));
        }
        String group = matcher.group("firstPos");
        String group2 = matcher.group("lastPos");
        if (group.isEmpty() && group2.isEmpty()) {
            return ContentEncryptionEngine.InputStreamRequestParameters.full();
        }
        if (group.isEmpty()) {
            return ContentEncryptionEngine.InputStreamRequestParameters.startingFrom(resource.contentLength() - Long.parseUnsignedLong(group2));
        }
        return new ContentEncryptionEngine.InputStreamRequestParameters(Long.parseUnsignedLong(group), group2.isEmpty() ? null : Long.valueOf(Long.parseUnsignedLong(group2)));
    }

    private static String constructRangePattern(ContentEncryptionEngine.InputStreamRequestParameters inputStreamRequestParameters) {
        long startByteOffset = inputStreamRequestParameters.getStartByteOffset();
        return "bytes=" + startByteOffset + "-" + startByteOffset;
    }

    @Generated
    public ContentCryptoService(MappingContext mappingContext, DataEncryptionKeyAccessor<S, DEK> dataEncryptionKeyAccessor, List<DataEncryptionKeyWrapper<DEK>> list, ContentEncryptionEngine contentEncryptionEngine) {
        this.mappingContext = mappingContext;
        this.dataEncryptionKeyAccessor = dataEncryptionKeyAccessor;
        this.dataEncryptionKeyWrappers = list;
        this.encryptionEngine = contentEncryptionEngine;
    }
}
