package org.apache.nifi.processors.cipher;

import com.exceptionfactory.jagged.DecryptingChannelFactory;
import com.exceptionfactory.jagged.RecipientStanzaReader;
import com.exceptionfactory.jagged.framework.armor.ArmoredDecryptingChannelFactory;
import com.exceptionfactory.jagged.framework.stream.StandardDecryptingChannelFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.nio.channels.ReadableByteChannel;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.nifi.annotation.behavior.InputRequirement;
import org.apache.nifi.annotation.behavior.SupportsBatching;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.SeeAlso;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnScheduled;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.DescribedValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.resource.ResourceCardinality;
import org.apache.nifi.components.resource.ResourceReference;
import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.VerifiableProcessor;
import org.apache.nifi.processors.cipher.age.AgeKeyIndicator;
import org.apache.nifi.processors.cipher.age.AgeKeyReader;
import org.apache.nifi.processors.cipher.age.AgeKeyValidator;
import org.apache.nifi.processors.cipher.age.AgePrivateKeyReader;
import org.apache.nifi.processors.cipher.age.AgeProviderResolver;
import org.apache.nifi.processors.cipher.age.KeySource;
import org.apache.nifi.processors.cipher.io.ChannelStreamCallback;
import org.apache.nifi.stream.io.StreamUtils;

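/**
 * NiFi processor that decrypts FlowFile content encoded according to the age-encryption.org/v1
 * specification, using one or more X25519 private key identities.
 *
 * <p>Private key identities are read when the processor is scheduled and the resulting recipient
 * stanza readers are kept in memory for use by every {@code onTrigger} invocation until the next
 * scheduling. The content encoding (binary or ASCII armored) is selected per FlowFile by comparing
 * the leading bytes of the content with the binary version indicator.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>{@code Private Key Identities} is declared sensitive. {@code Private Key Identity Resources}
 *       is not, because it holds file or URL locations rather than key material; protecting the
 *       referenced files and endpoints is outside this class.</li>
 *   <li>Any failure while decrypting, including a failure raised by the decrypting channel, routes
 *       the FlowFile to the {@code failure} relationship.</li>
 * </ul>
 */
@CapabilityDescription("Decrypt content using the age-encryption.org/v1 specification. "
        + "Detects binary or ASCII armored content encoding using the initial file header bytes. "
        + "The age standard uses ChaCha20-Poly1305 for authenticated encryption of the payload. "
        + "The age-keygen command supports generating X25519 key pairs for encryption and decryption operations.")
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@SupportsBatching
@Tags({"age", "age-encryption.org", "encryption", "ChaCha20-Poly1305", "X25519"})
@SeeAlso({EncryptContentAge.class})
public class DecryptContentAge extends AbstractProcessor implements VerifiableProcessor {

    static final Relationship SUCCESS = new Relationship.Builder()
            .name("success")
            .description("Decryption Completed")
            .build();

    static final Relationship FAILURE = new Relationship.Builder()
            .name("failure")
            .description("Decryption Failed")
            .build();

    static final PropertyDescriptor PRIVATE_KEY_SOURCE = new PropertyDescriptor.Builder()
            .name("Private Key Source")
            .displayName("Private Key Source")
            .description("Source of information determines the loading strategy for X25519 Private Key Identities")
            .required(true)
            .defaultValue(KeySource.PROPERTIES.getValue())
            .allowableValues(KeySource.class)
            .build();

    // Key material supplied directly in the property value, so the property is marked sensitive.
    static final PropertyDescriptor PRIVATE_KEY_IDENTITIES = new PropertyDescriptor.Builder()
            .name("Private Key Identities")
            .displayName("Private Key Identities")
            .description("One or more X25519 Private Key Identities, separated with newlines, encoded according to the age specification, starting with AGE-SECRET-KEY-1")
            .required(true)
            .sensitive(true)
            .addValidator(new AgeKeyValidator(AgeKeyIndicator.PRIVATE_KEY))
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.TEXT)
            .dependsOn(PRIVATE_KEY_SOURCE, KeySource.PROPERTIES)
            .build();

    // Locations of key material (files or URLs); not marked sensitive.
    // NOTE(review): a URL resource means private keys are fetched from a remote endpoint. How that
    // fetch is authenticated and protected in transit is not visible here; confirm deployments
    // restrict this to trusted locations and that key files have restrictive permissions.
    static final PropertyDescriptor PRIVATE_KEY_IDENTITY_RESOURCES = new PropertyDescriptor.Builder()
            .name("Private Key Identity Resources")
            .displayName("Private Key Identity Resources")
            .description("One or more files or URLs containing X25519 Private Key Identities, separated with newlines, encoded according to the age specification, starting with AGE-SECRET-KEY-1")
            .required(true)
            .addValidator(new AgeKeyValidator(AgeKeyIndicator.PRIVATE_KEY))
            .identifiesExternalResource(ResourceCardinality.MULTIPLE, ResourceType.FILE, ResourceType.URL)
            .dependsOn(PRIVATE_KEY_SOURCE, KeySource.RESOURCES)
            .build();

    private static final Set<Relationship> RELATIONSHIPS = new LinkedHashSet<>(Arrays.asList(SUCCESS, FAILURE));

    private static final List<PropertyDescriptor> DESCRIPTORS = Arrays.asList(
            PRIVATE_KEY_SOURCE,
            PRIVATE_KEY_IDENTITIES,
            PRIVATE_KEY_IDENTITY_RESOURCES
    );

    private static final AgeKeyReader<RecipientStanzaReader> PRIVATE_KEY_READER = new AgePrivateKeyReader();

    private static final Provider CIPHER_PROVIDER = AgeProviderResolver.getCipherProvider();

    // 65552 = 65536 + 16; presumably one 64 KiB age payload chunk plus its Poly1305 tag - TODO confirm.
    private static final int BUFFER_CAPACITY = 65552;

    private static final String KEY_VERIFICATION_STEP = "Verify Private Key Identities";

    private static final String NOT_FOUND_EXPLANATION = "Private Key Identities not found";

    private static final String VERSION_INDICATOR = "age-encryption.org";

    private static final byte[] BINARY_VERSION_INDICATOR = VERSION_INDICATOR.getBytes(StandardCharsets.US_ASCII);

    // Number of leading content bytes inspected to choose between binary and armored decoding.
    private static final int INPUT_BUFFER_SIZE = BINARY_VERSION_INDICATOR.length;

    // Replaced as a whole in onScheduled; volatile so onTrigger threads observe the new list.
    private volatile List<RecipientStanzaReader> configuredRecipientStanzaReaders = Collections.emptyList();

    /**
     * Returns the relationships supported by this processor.
     *
     * @return set containing the success and failure relationships
     */
    public Set<Relationship> getRelationships() {
        return RELATIONSHIPS;
    }

    /**
     * Returns the property descriptors supported by this processor.
     *
     * @return list of the key source, key identities and key identity resources descriptors
     */
    public final List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return DESCRIPTORS;
    }

    /**
     * Verifies that at least one private key identity can be read from the configured source.
     *
     * @param processContext context providing the configured property values
     * @param componentLog logger receiving the verification outcome
     * @param map FlowFile attributes supplied for verification; not used by this step
     * @return single-element list describing the outcome of the key verification step
     */
    public List<ConfigVerificationResult> verify(final ProcessContext processContext, final ComponentLog componentLog, final Map<String, String> map) {
        final List<ConfigVerificationResult> results = new ArrayList<>();
        final ConfigVerificationResult.Builder verificationBuilder = new ConfigVerificationResult.Builder()
                .verificationStepName(KEY_VERIFICATION_STEP);

        try {
            final List<RecipientStanzaReader> recipientStanzaReaders = getRecipientStanzaReaders(processContext);
            if (recipientStanzaReaders.isEmpty()) {
                componentLog.warn(NOT_FOUND_EXPLANATION);
                verificationBuilder.outcome(ConfigVerificationResult.Outcome.FAILED).explanation(NOT_FOUND_EXPLANATION);
            } else {
                // Only the number of identities is reported, never the identities themselves.
                final String explanation = String.format("Private Key Identities found: %d", recipientStanzaReaders.size());
                componentLog.info(explanation);
                verificationBuilder.outcome(ConfigVerificationResult.Outcome.SUCCESSFUL).explanation(explanation);
            }
        } catch (final Exception e) {
            // NOTE(review): the exception text is placed in the verification result and the log.
            // Confirm that exceptions from the key reader never include key material.
            final String explanation = String.format("%s: %s", NOT_FOUND_EXPLANATION, e);
            componentLog.warn(NOT_FOUND_EXPLANATION, e);
            verificationBuilder.outcome(ConfigVerificationResult.Outcome.FAILED).explanation(explanation);
        }

        results.add(verificationBuilder.build());
        return results;
    }

    /**
     * Loads the configured private key identities when the processor is scheduled.
     *
     * @param processContext context providing the configured property values
     * @throws IOException when the key resources cannot be read or contain no identities
     */
    @OnScheduled
    public void onScheduled(final ProcessContext processContext) throws IOException {
        this.configuredRecipientStanzaReaders = getRecipientStanzaReaders(processContext);
    }

    /**
     * Decrypts the content of the next FlowFile and routes it to success, or to failure when
     * decryption throws.
     *
     * @param processContext context for the current invocation
     * @param processSession session used to read, write and transfer the FlowFile
     */
    public void onTrigger(final ProcessContext processContext, final ProcessSession processSession) {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }

        try {
            flowFile = processSession.write(flowFile, new DecryptingStreamCallback(this.configuredRecipientStanzaReaders));
            processSession.transfer(flowFile, SUCCESS);
        } catch (final Exception e) {
            // NOTE(review): this path assumes the session discards output written before the
            // callback failed, so no unauthenticated partial plaintext is kept - confirm against
            // ProcessSession.write.
            getLogger().error("Decryption Failed {}", flowFile, e);
            processSession.transfer(flowFile, FAILURE);
        }
    }

    /**
     * Reads recipient stanza readers from the property value or from the configured resources,
     * depending on the selected key source.
     *
     * @param propertyContext context providing the configured property values
     * @return non-empty list of recipient stanza readers
     * @throws IOException when a resource cannot be read or no identities are found
     */
    private List<RecipientStanzaReader> getRecipientStanzaReaders(final PropertyContext propertyContext) throws IOException {
        final KeySource keySource = KeySource.valueOf(propertyContext.getProperty(PRIVATE_KEY_SOURCE).getValue());

        final List<ResourceReference> resources = new ArrayList<>();
        if (KeySource.PROPERTIES == keySource) {
            resources.add(propertyContext.getProperty(PRIVATE_KEY_IDENTITIES).asResource());
        } else {
            resources.addAll(propertyContext.getProperty(PRIVATE_KEY_IDENTITY_RESOURCES).asResources().asList());
        }

        final List<RecipientStanzaReader> recipientStanzaReaders = new ArrayList<>();
        for (final ResourceReference resource : resources) {
            // try-with-resources closes each key stream even when parsing fails.
            try (InputStream inputStream = resource.read()) {
                recipientStanzaReaders.addAll(PRIVATE_KEY_READER.read(inputStream));
            }
        }

        // Fail closed: never schedule or verify successfully without at least one identity.
        if (recipientStanzaReaders.isEmpty()) {
            throw new IOException(NOT_FOUND_EXPLANATION);
        }

        return recipientStanzaReaders;
    }

    /**
     * Stream callback that wraps the FlowFile input in a decrypting channel after detecting
     * whether the content is binary or ASCII armored.
     */
    private static class DecryptingStreamCallback extends ChannelStreamCallback {
        private final List<RecipientStanzaReader> recipientStanzaReaders;

        private DecryptingStreamCallback(final List<RecipientStanzaReader> recipientStanzaReaders) {
            super(BUFFER_CAPACITY);
            this.recipientStanzaReaders = recipientStanzaReaders;
        }

        /**
         * Builds the decrypting channel for the input stream.
         *
         * @param inputStream encrypted FlowFile content
         * @return channel producing decrypted bytes
         * @throws IOException when the header cannot be read or channel initialization fails
         */
        @Override
        public ReadableByteChannel getReadableChannel(final InputStream inputStream) throws IOException {
            // Pushback capacity equals the number of bytes peeked, so the header can be returned in full.
            final PushbackInputStream pushbackInputStream = new PushbackInputStream(inputStream, INPUT_BUFFER_SIZE);
            final byte[] versionIndicator = getVersionIndicator(pushbackInputStream);

            try {
                final DecryptingChannelFactory channelFactory = getDecryptingChannelFactory(versionIndicator);
                final ReadableByteChannel encryptedChannel = super.getReadableChannel(pushbackInputStream);
                return channelFactory.newDecryptingChannel(encryptedChannel, this.recipientStanzaReaders);
            } catch (final GeneralSecurityException e) {
                // Cause is preserved so the security failure remains visible to the caller's log.
                throw new IOException("Channel initialization failed", e);
            }
        }

        /**
         * Peeks at the leading bytes of the stream and pushes them back so the decrypting channel
         * still sees the complete content.
         */
        private byte[] getVersionIndicator(final PushbackInputStream pushbackInputStream) throws IOException {
            final byte[] versionIndicator = new byte[INPUT_BUFFER_SIZE];
            // NOTE(review): presumably fillBuffer fails on content shorter than the buffer, which
            // would route such FlowFiles to failure - confirm against StreamUtils.
            StreamUtils.fillBuffer(pushbackInputStream, versionIndicator);
            pushbackInputStream.unread(versionIndicator);
            return versionIndicator;
        }

        /**
         * Selects the binary factory when the header matches the binary version indicator and the
         * armored factory for every other input.
         */
        private DecryptingChannelFactory getDecryptingChannelFactory(final byte[] versionIndicator) {
            // Content that is neither format still reaches the armored factory, which is then
            // responsible for rejecting it.
            if (Arrays.equals(BINARY_VERSION_INDICATOR, versionIndicator)) {
                return new StandardDecryptingChannelFactory(CIPHER_PROVIDER);
            }
            return new ArmoredDecryptingChannelFactory(CIPHER_PROVIDER);
        }
    }
}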
