package org.kiwiproject.ansible.vault;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.kiwiproject.base.KiwiPreconditions;
import org.kiwiproject.base.KiwiStrings;
import org.kiwiproject.base.process.ProcessHelper;
import org.kiwiproject.base.process.Processes;
import org.kiwiproject.io.KiwiIO;
import org.kiwiproject.logging.LazyLogParameterSupplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/kiwiproject/ansible/vault/VaultEncryptionHelper.class */
public class VaultEncryptionHelper {
    private static final String ENCRYPTED_FILE_PATH_CANNOT_BE_NULL = "encryptedFilePath cannot be null";
    private static final int DEFAULT_TIMEOUT = 10;
    private final ProcessHelper processHelper;
    private final VaultConfiguration configuration;

    @Generated
    private static final Logger LOG = LoggerFactory.getLogger(VaultEncryptionHelper.class);
    private static final String LINE_SEPARATOR = System.lineSeparator();
    private static final TimeUnit DEFAULT_TIMEOUT_UNIT = TimeUnit.SECONDS;

    public VaultEncryptionHelper(VaultConfiguration vaultConfiguration) {
        this(vaultConfiguration, new ProcessHelper());
    }

    @VisibleForTesting
    VaultEncryptionHelper(VaultConfiguration vaultConfiguration, ProcessHelper processHelper) {
        KiwiPreconditions.checkArgumentNotNull(vaultConfiguration, "configuration is required");
        KiwiPreconditions.checkArgumentNotNull(processHelper, "processHelper is required");
        this.configuration = validateAndCopyVaultConfiguration(vaultConfiguration);
        this.processHelper = processHelper;
    }

    private static VaultConfiguration validateAndCopyVaultConfiguration(VaultConfiguration vaultConfiguration) {
        ArrayList arrayList = new ArrayList();
        addErrorIfBlankOrInvalid(arrayList, vaultConfiguration.getVaultPasswordFilePath(), "vaultPasswordFilePath", "vault password file");
        addErrorIfBlankOrInvalid(arrayList, vaultConfiguration.getAnsibleVaultPath(), "ansibleVaultPath", "ansible-vault executable");
        if (arrayList.isEmpty()) {
            return vaultConfiguration.copyOf();
        }
        throw new IllegalArgumentException(String.join(", ", arrayList));
    }

    private static void addErrorIfBlankOrInvalid(List<String> list, String str, String str2, String str3) {
        if (StringUtils.isBlank(str)) {
            list.add(str2 + " is required");
        } else if (isNotExistingPath(str)) {
            list.add(str3 + " does not exist: " + str);
        }
    }

    public static Optional<String> whichAnsibleVault() {
        return whichAnsibleVaultAsPath().map((v0) -> {
            return v0.toString();
        });
    }

    public static Optional<Path> whichAnsibleVaultAsPath() {
        return Processes.whichAsPath("ansible-vault");
    }

    public Path encryptFile(Path path) {
        KiwiPreconditions.checkArgumentNotNull(path, "plainTextFilePath cannot be null");
        return encryptFile(path.toString());
    }

    public Path encryptFile(String str) {
        return executeVaultCommandWithoutOutput(VaultEncryptCommand.from(this.configuration, str), str);
    }

    public Path encryptFile(Path path, String str) {
        KiwiPreconditions.checkArgumentNotNull(path, "plainTextFilePath cannot be null");
        return encryptFile(path.toString(), str);
    }

    public Path encryptFile(String str, String str2) {
        return executeVaultCommandWithoutOutput(VaultEncryptCommand.from(this.configuration, str2, str), str);
    }

    public Path decryptFile(Path path) {
        KiwiPreconditions.checkArgumentNotNull(path, ENCRYPTED_FILE_PATH_CANNOT_BE_NULL);
        return decryptFile(path.toString());
    }

    public Path decryptFile(String str) {
        return executeVaultCommandWithoutOutput(VaultDecryptCommand.from(this.configuration, str), str);
    }

    public Path decryptFile(Path path, Path path2) {
        KiwiPreconditions.checkArgumentNotNull(path, ENCRYPTED_FILE_PATH_CANNOT_BE_NULL);
        KiwiPreconditions.checkArgumentNotNull(path2, "outputFilePath cannot be null");
        return decryptFile(path.toString(), path2.toString());
    }

    public Path decryptFile(String str, String str2) {
        KiwiPreconditions.checkArgumentNotBlank(str, "encryptedFilePath cannot be blank");
        KiwiPreconditions.checkArgumentNotBlank(str2, "outputFilePath cannot be blank");
        Preconditions.checkArgument(!str2.equalsIgnoreCase(str), "outputFilePath must be different than encryptedFilePath (case-insensitive)");
        executeVaultCommandWithoutOutput(VaultDecryptCommand.from(this.configuration, str, str2), str);
        return Path.of(str2, new String[0]);
    }

    public String viewFile(Path path) {
        KiwiPreconditions.checkArgumentNotNull(path, ENCRYPTED_FILE_PATH_CANNOT_BE_NULL);
        return viewFile(path.toString());
    }

    public String viewFile(String str) {
        return executeVaultCommandReturningStdout(VaultViewCommand.from(this.configuration, str));
    }

    public Path rekeyFile(Path path, Path path2) {
        KiwiPreconditions.checkArgumentNotNull(path, ENCRYPTED_FILE_PATH_CANNOT_BE_NULL);
        KiwiPreconditions.checkArgumentNotNull(path2, "newVaultPasswordFilePath cannot be null");
        return rekeyFile(path.toString(), path2.toString());
    }

    public Path rekeyFile(String str, String str2) {
        KiwiPreconditions.checkArgumentNotBlank(str, "encryptedFilePath cannot be blank");
        KiwiPreconditions.checkArgumentNotBlank(str2, "newVaultPasswordFilePath cannot be blank");
        Preconditions.checkArgument(!str2.equalsIgnoreCase(this.configuration.getVaultPasswordFilePath()), "newVaultPasswordFilePath file must be different than configuration.vaultPasswordFilePath (case-insensitive)");
        return executeVaultCommandWithoutOutput(VaultRekeyCommand.from(this.configuration, str, str2), str);
    }

    private Path executeVaultCommandWithoutOutput(OsCommand osCommand, String str) {
        executeVaultCommand(osCommand);
        return Path.of(str, new String[0]);
    }

    public String encryptString(String str, String str2) {
        return executeVaultCommandReturningStdout(VaultEncryptStringCommand.from(this.configuration, str, str2));
    }

    public String encryptString(String str, String str2, String str3) {
        return executeVaultCommandReturningStdout(VaultEncryptStringCommand.from(this.configuration, str, str2, str3));
    }

    public String decryptString(String str) {
        KiwiPreconditions.checkArgumentNotBlank(this.configuration.getTempDirectory(), "configuration.tempDirectory is required for decryptString");
        VaultEncryptedVariable vaultEncryptedVariable = new VaultEncryptedVariable(str);
        Path generateRandomFilePath = vaultEncryptedVariable.generateRandomFilePath(this.configuration.getTempDirectory());
        try {
            try {
                createTempDirectoryIfNecessary(Path.of(this.configuration.getTempDirectory(), new String[0]));
                writeEncryptStringContentToTempFile(vaultEncryptedVariable, generateRandomFilePath);
                String executeVaultCommandReturningStdout = executeVaultCommandReturningStdout(VaultDecryptCommand.toStdoutFrom(this.configuration, generateRandomFilePath.toString()));
                deleteFileQuietly(generateRandomFilePath);
                return executeVaultCommandReturningStdout;
            } catch (Exception e) {
                LOG.error("Error decrypting", e);
                throw e;
            }
        } catch (Throwable th) {
            deleteFileQuietly(generateRandomFilePath);
            throw th;
        }
    }

    private static boolean isNotExistingPath(String str) {
        return !isExistingPath(str);
    }

    private static boolean isExistingPath(String str) {
        return Files.exists(Path.of(str, new String[0]), new LinkOption[0]);
    }

    private static void createTempDirectoryIfNecessary(Path path) {
        try {
            Files.createDirectories(path, new FileAttribute[0]);
        } catch (IOException e) {
            String format = KiwiStrings.format("Error creating temporary directory: {}", path);
            LOG.error(format);
            throw new UncheckedIOException(format, e);
        }
    }

    private void writeEncryptStringContentToTempFile(VaultEncryptedVariable vaultEncryptedVariable, Path path) {
        try {
            LOG.trace("Payload to write ----{}{}{}----- End payload ----", new Object[]{LINE_SEPARATOR, vaultEncryptedVariable.getEncryptedFileContent(), LINE_SEPARATOR});
            Files.write(path, vaultEncryptedVariable.getEncryptedFileBytes(), new OpenOption[0]);
            LOG.debug("Wrote temporary file containing encrypt_string content: {}", path);
        } catch (IOException e) {
            LOG.error("Error writing temp file: {}", path, e);
            throw new UncheckedIOException("Error copying to temp file", e);
        }
    }

    private void deleteFileQuietly(Path path) {
        try {
            LOG.debug("Delete path: {}", path);
            Files.delete(path);
        } catch (IOException e) {
            LOG.error("Could not delete path: {}", path, e);
        }
    }

    private String executeVaultCommandReturningStdout(OsCommand osCommand) {
        return KiwiIO.readInputStreamOf(executeVaultCommand(osCommand));
    }

    private Process executeVaultCommand(OsCommand osCommand) {
        Logger logger = LOG;
        Objects.requireNonNull(osCommand);
        logger.debug("Ansible command: {}", LazyLogParameterSupplier.lazy(osCommand::getCommandParts));
        Process launch = this.processHelper.launch(osCommand.getCommandParts());
        Integer orElseThrow = this.processHelper.waitForExit(launch, 10L, DEFAULT_TIMEOUT_UNIT).orElseThrow(() -> {
            return new VaultEncryptionException("ansible-vault did not exit before timeout");
        });
        LOG.debug("ansible-vault exit code: {}", orElseThrow);
        if (orElseThrow.intValue() == 0) {
            return launch;
        }
        String readErrorStreamOf = KiwiIO.readErrorStreamOf(launch);
        String trim = StringUtils.isBlank(readErrorStreamOf) ? "[no stderr]" : readErrorStreamOf.trim();
        LOG.debug("Error output: [{}]", trim);
        throw new VaultEncryptionException(KiwiStrings.f("ansible-vault returned non-zero exit code {}. Stderr: {}", orElseThrow, trim));
    }
}
