package org.simplify4u.plugins;

import io.vavr.control.Try;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.time.Duration;
import java.util.LinkedList;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.ArtifactUtils;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
import org.simplify4u.plugins.ArtifactResolver;
import org.simplify4u.plugins.ValidationChecksum;
import org.simplify4u.plugins.keyserver.PGPKeyNotFound;
import org.simplify4u.plugins.keysmap.KeysMap;
import org.simplify4u.plugins.skipfilters.CompositeSkipper;
import org.simplify4u.plugins.skipfilters.ProvidedDependencySkipper;
import org.simplify4u.plugins.skipfilters.ReactorDependencySkipper;
import org.simplify4u.plugins.skipfilters.ScopeSkipper;
import org.simplify4u.plugins.skipfilters.SkipFilter;
import org.simplify4u.plugins.skipfilters.SnapshotDependencySkipper;
import org.simplify4u.plugins.skipfilters.SystemDependencySkipper;
import org.simplify4u.plugins.utils.PGPKeyId;
import org.simplify4u.plugins.utils.PGPSignatureException;
import org.simplify4u.plugins.utils.PublicKeyUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

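/**
 * Maven goal {@code check}: resolves the current project's artifacts, resolves their detached
 * PGP signatures and verifies each signature against a public key, consulting the injected
 * {@link KeysMap} to decide which keys (or which missing/broken signatures) are acceptable.
 *
 * <p>Security-relevant defaults visible in this class: snapshots, plugins, plugin dependencies,
 * provided/system/reactor dependencies are all skipped unless explicitly enabled;
 * a weak hash algorithm only produces a warning unless {@code failWeakSignature} is set; and an
 * unsigned artifact passes with a warning when the keys map is empty.
 */
@Mojo(name = PGPVerifyMojo.MOJO_NAME, requiresProject = true, requiresDependencyResolution = ResolutionScope.TEST, defaultPhase = LifecyclePhase.VALIDATE, threadSafe = true)
public class PGPVerifyMojo extends AbstractPGPMojo {
    private static final Logger LOGGER = LoggerFactory.getLogger(PGPVerifyMojo.class);
    public static final String MOJO_NAME = "check";
    private static final String PGP_VERIFICATION_RESULT_FORMAT = "{} PGP Signature {}\n       {} UserIds: {}";

    /** Policy map consulted for allowed keys and for tolerated missing/broken signatures. */
    @Inject
    protected KeysMap keysMap;

    /** Scope handed to {@link ScopeSkipper} when building the dependency filter. */
    @Parameter(property = "pgpverify.scope", defaultValue = "test")
    private String scope;

    /** When true, signatures are resolved with {@code SignatureRequirement.REQUIRED}; otherwise {@code NONE}. */
    @Parameter(property = "pgpverify.failNoSignature", defaultValue = "false")
    private boolean failNoSignature;

    /** Deprecated; in this class it only triggers a deprecation warning. */
    @Parameter(property = "pgpverify.strictNoSignature", defaultValue = "false")
    @Deprecated
    private boolean strictNoSignature;

    // NOTE(review): the property prefix here is spelled "pgpgverify", unlike every other parameter
    // in this class ("pgpverify"). A user setting -Dpgpverify.failWeakSignature=true will not bind
    // to this field, so weak signatures would keep producing warnings only. The name is left as is
    // because changing it would break existing configurations; confirm and document or migrate.
    /** When true, a weak hash algorithm in a signature fails the build instead of logging a warning. */
    @Parameter(property = "pgpgverify.failWeakSignature", defaultValue = "false")
    private boolean failWeakSignature;

    /** Passed to {@link ArtifactResolver.Configuration}. */
    @Parameter(property = "pgpverify.verifyPomFiles", defaultValue = "true")
    private boolean verifyPomFiles;

    /** When false, a {@link SnapshotDependencySkipper} is added to both dependency and plugin filters. */
    @Parameter(property = "pgpverify.verifySnapshots", defaultValue = "false")
    private boolean verifySnapshots;

    /** Passed to {@link ArtifactResolver.Configuration}. */
    @Parameter(property = "pgpverify.verifyPlugins", defaultValue = "false")
    private boolean verifyPlugins;

    /** Passed to {@link ArtifactResolver.Configuration}. */
    @Parameter(property = "pgpverify.verifyPluginDependencies", defaultValue = "false")
    private boolean verifyPluginDependencies;

    /** Passed to {@link ArtifactResolver.Configuration}. */
    @Parameter(property = "pgpverify.verifyAtypical", defaultValue = "false")
    private boolean verifyAtypical;

    /** When false, a {@link ProvidedDependencySkipper} is added to the dependency filter. */
    @Parameter(property = "pgpverify.verifyProvidedDependencies", defaultValue = "false")
    private boolean verifyProvidedDependencies;

    /** When false, a {@link SystemDependencySkipper} is added to the dependency filter. */
    @Parameter(property = "pgpverify.verifySystemDependencies", defaultValue = "false")
    private boolean verifySystemDependencies;

    /** When false, a {@link ReactorDependencySkipper} is added to the dependency filter. */
    @Parameter(property = "pgpverify.verifyReactorDependencies", defaultValue = "false")
    private boolean verifyReactorDependencies;

    /** Passed to {@code ValidationChecksum.Builder#disabled}. */
    @Parameter(property = "pgpverify.disableChecksum", defaultValue = "false")
    private boolean disableChecksum;

    /** Location handed to {@link KeysMap#load}. */
    @Parameter(property = "pgpverify.keysMapLocation", defaultValue = "")
    private String keysMapLocation;

    @Override
    protected String getMojoName() {
        return MOJO_NAME;
    }

    /**
     * Runs the verification: load the keys map, resolve artifacts and signatures, verify them,
     * and record a checksum of the verified artifact set on success.
     *
     * @throws MojoExecutionException if the keys map cannot be loaded or any artifact fails verification
     * @throws MojoFailureException if a signature cannot be processed or is weak with {@code failWeakSignature} set
     */
    @Override
    public void executeConfiguredMojo() throws MojoExecutionException, MojoFailureException {
        initKeysMap();
        checkDeprecated();
        File buildDirectory = new File(this.session.getCurrentProject().getBuild().getDirectory());
        SkipFilter dependencyFilter = prepareDependencyFilters();
        SkipFilter pluginFilter = preparePluginFilters();

        long resolveStart = System.nanoTime();
        Set<Artifact> artifacts = this.artifactResolver.resolveProjectArtifacts(
                this.session.getCurrentProject(),
                new ArtifactResolver.Configuration(dependencyFilter, pluginFilter, this.verifyPomFiles,
                        this.verifyPlugins, this.verifyPluginDependencies, this.verifyAtypical));
        LOGGER.info("Resolved {} artifact(s) in {}", artifacts.size(), Duration.ofNanos(System.nanoTime() - resolveStart));

        // A positive checkValidation() skips signature verification for this run entirely.
        // NOTE(review): the checksum destination is the project build directory, so the result of a
        // previous run is trusted from there — confirm against ValidationChecksum what is stored and
        // consider disableChecksum for builds where that directory is not trusted.
        ValidationChecksum checksum = new ValidationChecksum.Builder()
                .destination(buildDirectory)
                .artifacts(artifacts)
                .disabled(this.disableChecksum)
                .build();
        if (checksum.checkValidation()) {
            logWithQuiet("Artifacts were already validated in a previous run. Execution finished early as the checksum for the collection of artifacts has not changed.");
            return;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Discovered project artifacts: {}", artifacts);
        }

        long signatureStart = System.nanoTime();
        Map<Artifact, Artifact> signatures = this.artifactResolver.resolveSignatures(artifacts, determineSignaturePolicy());
        LOGGER.info("Resolved {} signature(s) in {}", signatures.size(), Duration.ofNanos(System.nanoTime() - signatureStart));

        long verifyStart = System.nanoTime();
        try {
            verifyArtifactSignatures(signatures);
        } finally {
            // Timing is reported whether verification succeeded or threw.
            LOGGER.info("Finished {} artifact(s) validation in {}", signatures.size(), Duration.ofNanos(System.nanoTime() - verifyStart));
        }
        // Only reached when every artifact verified; a failed run never records a checksum.
        checksum.saveChecksum();
    }

    /** Warns when the deprecated {@code strictNoSignature} parameter is set. */
    private void checkDeprecated() {
        if (this.strictNoSignature) {
            LOGGER.warn("strictNoSignature is deprecated - this requirement can be expressed through the keysmap");
        }
    }

    /**
     * Loads the keys map from {@code keysMapLocation}.
     *
     * @throws MojoExecutionException wrapping whatever {@link KeysMap#load} threw
     */
    private void initKeysMap() throws MojoExecutionException {
        Try.run(() -> this.keysMap.load(this.keysMapLocation))
                .getOrElseThrow(cause -> new MojoExecutionException(cause.getMessage(), cause));
    }

    /** Maps {@code failNoSignature} onto the resolver's signature requirement. */
    private ArtifactResolver.SignatureRequirement determineSignaturePolicy() {
        if (this.failNoSignature) {
            return ArtifactResolver.SignatureRequirement.REQUIRED;
        }
        return ArtifactResolver.SignatureRequirement.NONE;
    }

    /** Builds the filter deciding which project dependencies are excluded from verification. */
    private SkipFilter prepareDependencyFilters() {
        LinkedList<SkipFilter> filters = new LinkedList<>();
        filters.add(new ScopeSkipper(this.scope));
        if (!this.verifySnapshots) {
            filters.add(new SnapshotDependencySkipper());
        }
        if (!this.verifyProvidedDependencies) {
            filters.add(new ProvidedDependencySkipper());
        }
        if (!this.verifySystemDependencies) {
            filters.add(new SystemDependencySkipper());
        }
        if (!this.verifyReactorDependencies) {
            filters.add(new ReactorDependencySkipper(this.session));
        }
        return new CompositeSkipper(filters);
    }

    /** Builds the filter deciding which plugin artifacts are excluded from verification. */
    private SkipFilter preparePluginFilters() {
        LinkedList<SkipFilter> filters = new LinkedList<>();
        if (!this.verifySnapshots) {
            filters.add(new SnapshotDependencySkipper());
        }
        return new CompositeSkipper(filters);
    }

    /**
     * Verifies every artifact/signature pair and fails if any of them did not verify.
     *
     * @param map artifact to signature artifact; a {@code null} value means no signature was resolved
     * @throws MojoExecutionException if at least one artifact failed verification
     * @throws MojoFailureException propagated from {@link #verifyPGPSignature}
     */
    private void verifyArtifactSignatures(Map<Artifact, Artifact> map) throws MojoFailureException, MojoExecutionException {
        boolean allValid = true;
        for (Map.Entry<Artifact, Artifact> entry : map.entrySet()) {
            // Non-short-circuit '&=' on purpose: keep checking after the first failure so that
            // every offending artifact is logged in a single run.
            allValid &= verifyPGPSignature(entry.getKey(), entry.getValue());
        }
        if (!allValid) {
            throw new MojoExecutionException("PGP signature error");
        }
    }

    /**
     * Verifies one artifact against its detached signature.
     *
     * @param artifact the artifact whose file content is checked
     * @param artifact2 the signature artifact, or {@code null} when none was resolved
     * @return {@code true} if the signature verifies with a key the keys map allows, or if the
     *         keys map explicitly tolerates the missing key / broken signature for this artifact
     * @throws MojoFailureException if the signature cannot be read or processed, or is weak while
     *         {@code failWeakSignature} is set
     */
    private boolean verifyPGPSignature(Artifact artifact, Artifact artifact2) throws MojoFailureException {
        if (artifact2 == null) {
            return verifySignatureUnavailable(artifact);
        }
        File artifactFile = artifact.getFile();
        File signatureFile = artifact2.getFile();
        LOGGER.debug("Artifact file: {}", artifactFile);
        LOGGER.debug("Artifact sign: {}", signatureFile);

        // Declared outside the try so the key-not-found handler can name the key it looked up;
        // it stays null only if the failure happened before the key id was read.
        PGPKeyId keyId = null;
        try {
            PGPSignature signature;
            try (FileInputStream signatureStream = new FileInputStream(signatureFile)) {
                signature = this.pgpSignatureUtils.loadSignature(signatureStream);
            }
            verifyWeakSignature(signature);
            keyId = this.pgpSignatureUtils.retrieveKeyId(signature);
            PGPPublicKeyRing keyRing = this.pgpKeysCache.getKeyRing(keyId);
            PGPPublicKey publicKey = keyId.getKeyFromRing(keyRing);

            // The key must be authorised for this artifact before the signature itself is checked.
            if (!this.keysMap.isValidKey(artifact, publicKey, keyRing)) {
                LOGGER.error("Not allowed artifact {} and keyID:\n\t{}\n\t{}",
                        artifact.getId(),
                        String.format("%s = %s", ArtifactUtils.key(artifact), PublicKeyUtils.fingerprintForMaster(publicKey, keyRing)),
                        this.pgpKeysCache.getUrlForShowKey(keyId));
                return false;
            }
            signature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
            this.pgpSignatureUtils.readFileContentInto(signature, artifactFile);
            LOGGER.debug("signature.KeyAlgorithm: {} signature.hashAlgorithm: {}", signature.getKeyAlgorithm(), signature.getHashAlgorithm());
            return verifySignatureStatus(signature.verify(), artifact, publicKey, keyRing);
        // The two keys-map-aware handlers come first so they stay reachable whatever the
        // exception hierarchy of PGPKeyNotFound / PGPSignatureException is.
        } catch (PGPKeyNotFound e) {
            if (!this.keysMap.isKeyMissing(artifact)) {
                LOGGER.error("PGP key {} not found on keyserver for artifact {}", this.pgpKeysCache.getUrlForShowKey(keyId), artifact.getId());
                return false;
            }
            logWithQuiet("{} PGP key not found on keyserver, consistent with keys map.", artifact::getId);
            return true;
        } catch (PGPSignatureException e) {
            if (!this.keysMap.isBrokenSignature(artifact)) {
                LOGGER.error("Failed to process signature '{}' for artifact {} - {}", signatureFile, artifact.getId(), e.getMessage());
                return false;
            }
            logWithQuiet("{} PGP Signature is broken, consistent with keys map.", artifact::getId);
            return true;
        } catch (IOException | PGPException e) {
            throw new MojoFailureException("Failed to process signature '" + signatureFile + "' for artifact " + artifact.getId(), e);
        }
    }

    /**
     * Reports a weak hash algorithm in a signature.
     *
     * @throws MojoFailureException if the algorithm is weak and {@code failWeakSignature} is set;
     *         otherwise a weak algorithm is only logged as a warning
     */
    private void verifyWeakSignature(PGPSignature pGPSignature) throws MojoFailureException {
        String weakAlgorithm = this.pgpSignatureUtils.checkWeakHashAlgorithm(pGPSignature);
        if (weakAlgorithm == null) {
            return;
        }
        String message = "Weak signature algorithm used: " + weakAlgorithm;
        if (this.failWeakSignature) {
            LOGGER.error(message);
            throw new MojoFailureException(message);
        }
        LOGGER.warn(message);
    }

    /**
     * Decides whether an artifact without a resolved signature is acceptable.
     *
     * @return {@code true} when the keys map is empty (warning only) or explicitly lists the
     *         artifact as unsigned; {@code false} otherwise
     */
    private boolean verifySignatureUnavailable(Artifact artifact) {
        if (this.keysMap.isEmpty()) {
            // With no keys map configured an unsigned artifact is tolerated with a warning.
            LOGGER.warn("No signature for {}", artifact.getId());
            return true;
        }
        if (this.keysMap.isNoSignature(artifact)) {
            logWithQuiet("{} PGP Signature unavailable, consistent with keys map.", artifact::getId);
            return true;
        }
        if (this.keysMap.isWithKey(artifact)) {
            LOGGER.error("Unsigned artifact is listed with key in keys map: {}", artifact.getId());
        } else {
            LOGGER.error("Unsigned artifact not listed in keys map: {}", artifact.getId());
        }
        return false;
    }

    /**
     * Logs and returns the outcome of a cryptographic signature check.
     *
     * @param z result of {@code PGPSignature.verify()}
     * @return {@code true} if the signature verified, or if it did not but the keys map marks the
     *         artifact's signature as known-broken; {@code false} otherwise
     */
    private boolean verifySignatureStatus(boolean z, Artifact artifact, PGPPublicKey pGPPublicKey, PGPPublicKeyRing pGPPublicKeyRing) {
        if (z) {
            logWithQuiet(PGP_VERIFICATION_RESULT_FORMAT,
                    artifact::getId,
                    () -> "OK",
                    () -> PublicKeyUtils.keyIdDescription(pGPPublicKey, pGPPublicKeyRing),
                    () -> PublicKeyUtils.getUserIDs(pGPPublicKey, pGPPublicKeyRing));
            return true;
        }
        if (this.keysMap.isBrokenSignature(artifact)) {
            logWithQuiet("{} PGP Signature is broken, consistent with keys map.", artifact::getId);
            return true;
        }
        // Guarded so the key description and user ids are only computed when they will be logged.
        if (LOGGER.isErrorEnabled()) {
            LOGGER.error(PGP_VERIFICATION_RESULT_FORMAT,
                    artifact.getId(),
                    "INVALID",
                    PublicKeyUtils.keyIdDescription(pGPPublicKey, pGPPublicKeyRing),
                    PublicKeyUtils.getUserIDs(pGPPublicKey, pGPPublicKeyRing));
        }
        return false;
    }
}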
