package io.helidon.config.encryption;

import io.helidon.config.mp.spi.MpConfigFilter;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.HashSet;
import java.util.NoSuchElementException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.eclipse.microprofile.config.Config;

/* loaded from: input_file:io/helidon/config/encryption/MpEncryptionFilter.class */
public final class MpEncryptionFilter implements MpConfigFilter {
    private static final String PREFIX_LEGACY_AES = "${AES=";
    private static final String PREFIX_LEGACY_RSA = "${RSA=";
    static final String PREFIX_GCM = "${GCM=";
    static final String PREFIX_RSA = "${RSA-P=";
    private static final Logger LOGGER = Logger.getLogger(MpEncryptionFilter.class.getName());
    private static final String PREFIX_ALIAS = "${ALIAS=";
    private static final String PREFIX_CLEAR = "${CLEAR=";
    private PrivateKey privateKey;
    private char[] masterPassword;
    private boolean requireEncryption;
    private MpConfigFilter clearFilter;
    private MpConfigFilter rsaFilter;
    private MpConfigFilter aesFilter;
    private MpConfigFilter aliasFilter;

    @Deprecated
    public MpEncryptionFilter() {
    }

    @Override // io.helidon.config.mp.spi.MpConfigFilter
    public void init(Config config) {
        this.requireEncryption = ((Boolean) EncryptionUtil.getEnv(ConfigProperties.REQUIRE_ENCRYPTION_ENV_VARIABLE).map(Boolean::parseBoolean).or(() -> {
            return config.getOptionalValue(ConfigProperties.REQUIRE_ENCRYPTION_CONFIG_KEY, Boolean.class);
        }).orElse(true)).booleanValue();
        this.masterPassword = EncryptionUtil.resolveMasterPassword(this.requireEncryption, config).orElse(null);
        this.privateKey = EncryptionUtil.resolvePrivateKey(config).orElse(null);
        if (null != this.privateKey && !(this.privateKey instanceof RSAPrivateKey)) {
            throw new ConfigEncryptionException("Private key must be an RSA private key, but is: " + this.privateKey.getClass().getName());
        }
        MpConfigFilter mpConfigFilter = (str, str2) -> {
            return str2;
        };
        this.aesFilter = null == this.masterPassword ? mpConfigFilter : (str3, str4) -> {
            return decryptAes(this.masterPassword, str4);
        };
        this.rsaFilter = null == this.privateKey ? mpConfigFilter : (str5, str6) -> {
            return decryptRsa(this.privateKey, str6);
        };
        this.clearFilter = this::clearText;
        this.aliasFilter = (str7, str8) -> {
            return aliased(str8, config);
        };
    }

    @Override // io.helidon.config.mp.spi.MpConfigFilter
    public String apply(String str, String str2) {
        return maybeDecode(str, str2);
    }

    private static String removePlaceholder(String str, String str2) {
        return str2.substring(str.length(), str2.length() - 1);
    }

    private String maybeDecode(String str, String str2) {
        HashSet hashSet = new HashSet();
        do {
            hashSet.add(str2);
            if (!str2.startsWith("${") && !str2.endsWith("}")) {
                return str2;
            }
            str2 = this.aesFilter.apply(str, this.rsaFilter.apply(str, this.clearFilter.apply(str, this.aliasFilter.apply(str, str2))));
        } while (!hashSet.contains(str2));
        return str2;
    }

    private String clearText(String str, String str2) {
        if (!str2.startsWith(PREFIX_CLEAR)) {
            return str2;
        }
        if (this.requireEncryption) {
            throw new ConfigEncryptionException("Key \"" + str + "\" is a clear text password, yet encryption is required");
        }
        return removePlaceholder(PREFIX_CLEAR, str2);
    }

    private String aliased(String str, Config config) {
        return str.startsWith(PREFIX_ALIAS) ? (String) config.getOptionalValue(removePlaceholder(PREFIX_ALIAS, str), String.class).orElseThrow(() -> {
            return new NoSuchElementException("Aliased key not found. Value: " + str);
        }) : str;
    }

    private String decryptRsa(PrivateKey privateKey, String str) {
        if (str.startsWith(PREFIX_LEGACY_RSA)) {
            LOGGER.log(Level.WARNING, () -> {
                return "You are using legacy RSA encryption. Please re-encrypt the value with RSA-P.";
            });
            try {
                return EncryptionUtil.decryptRsaLegacy(privateKey, removePlaceholder(PREFIX_LEGACY_RSA, str));
            } catch (ConfigEncryptionException e) {
                LOGGER.log(Level.FINEST, e, () -> {
                    return "Failed to decrypt " + str;
                });
                return str;
            }
        }
        if (!str.startsWith(PREFIX_RSA)) {
            return str;
        }
        try {
            return EncryptionUtil.decryptRsa(privateKey, removePlaceholder(PREFIX_RSA, str));
        } catch (ConfigEncryptionException e2) {
            LOGGER.log(Level.FINEST, e2, () -> {
                return "Failed to decrypt " + str;
            });
            return str;
        }
    }

    private String decryptAes(char[] cArr, String str) {
        if (str.startsWith(PREFIX_LEGACY_AES)) {
            LOGGER.log(Level.WARNING, () -> {
                return "You are using legacy AES encryption. Please re-encrypt the value with GCM.";
            });
            try {
                return EncryptionUtil.decryptAesLegacy(cArr, str.substring(PREFIX_LEGACY_AES.length(), str.length() - 1));
            } catch (ConfigEncryptionException e) {
                LOGGER.log(Level.FINEST, e, () -> {
                    return "Failed to decrypt " + str;
                });
                return str;
            }
        }
        if (!str.startsWith(PREFIX_GCM)) {
            return str;
        }
        try {
            return EncryptionUtil.decryptAes(cArr, str.substring(PREFIX_GCM.length(), str.length() - 1));
        } catch (ConfigEncryptionException e2) {
            LOGGER.log(Level.FINEST, e2, () -> {
                return "Failed to decrypt " + str;
            });
            return str;
        }
    }
}
