package org.simplify4u.plugins;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.ArtifactUtils;
import org.apache.maven.artifact.repository.ArtifactRepository;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject;
import org.apache.maven.repository.RepositorySystem;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
import org.codehaus.plexus.resource.loader.ResourceNotFoundException;
import org.simplify4u.plugins.ArtifactResolver;
import org.simplify4u.plugins.skipfilters.CompositeSkipper;
import org.simplify4u.plugins.skipfilters.ProvidedDependencySkipper;
import org.simplify4u.plugins.skipfilters.ReactorDependencySkipper;
import org.simplify4u.plugins.skipfilters.ScopeSkipper;
import org.simplify4u.plugins.skipfilters.SkipFilter;
import org.simplify4u.plugins.skipfilters.SnapshotDependencySkipper;
import org.simplify4u.plugins.skipfilters.SystemDependencySkipper;

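/**
 * Maven goal {@code check}: verifies the PGP signatures of the artifacts resolved for the project.
 *
 * <p>For each resolved artifact/signature pair the goal reads the detached signature, fetches the
 * signing key through {@link PGPKeysCache}, asks {@link KeysMap} whether that key is allowed for
 * the artifact, and only then verifies the signature over the artifact file. The build fails when
 * any artifact does not pass.
 *
 * <p>NOTE(review): {@code keysMapLocation} defaults to an empty string. What
 * {@code KeysMap.isValidKey} returns for an empty map is not visible in this file; if it accepts
 * any key, a passing check only shows that some key obtainable from the keyserver signed the
 * file, not that an expected publisher did. Confirm against {@code KeysMap}.
 */
@Mojo(name = "check", requiresProject = true, requiresDependencyResolution = ResolutionScope.TEST, defaultPhase = LifecyclePhase.VALIDATE, threadSafe = true)
/* loaded from: input_file:org/simplify4u/plugins/PGPVerifyMojo.class */
public class PGPVerifyMojo extends AbstractMojo {
    private static final String PGP_VERIFICATION_RESULT_FORMAT = "%s PGP Signature %s\n       KeyId: %s UserIds: %s";

    /**
     * OpenPGP hash algorithm ids reported as weak, mapped to the name used in the log message.
     *
     * <p>NOTE(review): ids 2 (SHA1) and 3 (RIPEMD160) are not listed, so signatures using them
     * pass without a warning. Confirm that this is the intended policy.
     */
    private static final Map<Integer, String> WEAK_HASH_ALGORITHMS = ImmutableMap.<Integer, String>builder()
            .put(1, "MD5")
            .put(4, "DOUBLE_SHA")
            .put(5, "MD2")
            .put(6, "TIGER_192")
            .put(7, "HAVAL_5_160")
            .put(11, "SHA224")
            .build();

    @Parameter(property = "project", readonly = true, required = true)
    private MavenProject project;

    @Parameter(defaultValue = "${session}", readonly = true)
    private MavenSession session;

    @Component
    private RepositorySystem repositorySystem;

    @Component
    private KeysMap keysMap;

    @Parameter(defaultValue = "${localRepository}", readonly = true, required = true)
    private ArtifactRepository localRepository;

    @Parameter(defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true)
    private List<ArtifactRepository> remoteRepositories;

    // Directory handed to PGPKeysCache together with the keyserver address.
    @Parameter(property = "pgpverify.keycache", defaultValue = "${settings.localRepository}/pgpkeys-cache", required = true)
    private File pgpKeysCachePath;

    @Parameter(property = "pgpverify.scope", defaultValue = "test")
    private String scope;

    // NOTE(review): confirm that this default keyserver pool is still operational; if it is not,
    // key lookup cannot succeed until pgpverify.keyserver is set explicitly.
    @Parameter(property = "pgpverify.keyserver", defaultValue = "hkps://hkps.pool.sks-keyservers.net", required = true)
    private String pgpKeyServer;

    @Parameter(property = "pgpverify.failNoSignature", defaultValue = "false")
    private boolean failNoSignature;

    @Parameter(property = "pgpverify.strictNoSignature", defaultValue = "false")
    private boolean strictNoSignature;

    // NOTE(review): the property is spelled "pgpgverify" (extra "g"), unlike every other property
    // of this goal. Setting -Dpgpverify.failWeakSignature=true therefore has no effect and weak
    // signatures are only warned about. The name is kept as-is because renaming it would break
    // builds that already use the misspelled property.
    @Parameter(property = "pgpgverify.failWeakSignature", defaultValue = "false")
    private boolean failWeakSignature;

    @Parameter(property = "pgpverify.verifyPomFiles", defaultValue = "true")
    private boolean verifyPomFiles;

    @Parameter(property = "pgpverify.verifySnapshots", defaultValue = "false")
    private boolean verifySnapshots;

    @Parameter(property = "pgpverify.verifyPlugins", defaultValue = "false")
    private boolean verifyPlugins;

    @Parameter(property = "pgpverify.verifyProvidedDependencies", defaultValue = "false")
    private boolean verifyProvidedDependencies;

    @Parameter(property = "pgpverify.verifySystemDependencies", defaultValue = "false")
    private boolean verifySystemDependencies;

    @Parameter(property = "pgpverify.verifyReactorDependencies", defaultValue = "false")
    private boolean verifyReactorDependencies;

    @Parameter(property = "pgpverify.keysMapLocation", defaultValue = "")
    private String keysMapLocation;

    @Parameter(property = "pgpverify.skip", defaultValue = "false")
    private boolean skip;

    @Parameter(property = "pgpverify.quiet", defaultValue = "false")
    private boolean quiet;
    private PGPKeysCache pgpKeysCache;

    /**
     * Runs the goal: builds the skip filters, prepares the key cache and keys map, resolves the
     * project artifacts with their signatures, and verifies every pair.
     *
     * @throws MojoExecutionException if the keys map cannot be loaded or any artifact fails the check
     * @throws MojoFailureException if the key cache cannot be created or a signature cannot be processed
     */
    @Override
    public void execute() throws MojoExecutionException, MojoFailureException {
        if (this.skip) {
            getLog().info("Skipping pgpverify:check");
            return;
        }
        SkipFilter skipFilter = prepareSkipFilters();
        prepareForKeys();
        ArtifactResolver resolver = new ArtifactResolver(getLog(), this.repositorySystem, this.localRepository, this.remoteRepositories);
        verifyArtifactSignatures(resolver.resolveSignatures(
                resolver.resolveProjectArtifacts(this.project, skipFilter, this.verifyPomFiles, this.verifyPlugins),
                determineSignaturePolicy()));
    }

    /**
     * Maps the two "no signature" flags to a resolver policy; {@code failNoSignature} takes
     * precedence over {@code strictNoSignature}, and with both unset the policy is {@code NONE}.
     */
    private ArtifactResolver.SignatureRequirement determineSignaturePolicy() {
        if (this.failNoSignature) {
            return ArtifactResolver.SignatureRequirement.REQUIRED;
        }
        if (this.strictNoSignature) {
            return ArtifactResolver.SignatureRequirement.STRICT;
        }
        return ArtifactResolver.SignatureRequirement.NONE;
    }

    /**
     * Builds the composite filter that decides which dependencies are left out of verification.
     * The scope filter is always present; each other filter is added unless the matching
     * {@code verify*} flag is enabled. With the defaults, all of them are added.
     */
    private SkipFilter prepareSkipFilters() {
        List<SkipFilter> filters = new LinkedList<>();
        filters.add(new ScopeSkipper(this.scope));
        if (!this.verifySnapshots) {
            filters.add(new SnapshotDependencySkipper());
        }
        if (!this.verifyProvidedDependencies) {
            filters.add(new ProvidedDependencySkipper());
        }
        if (!this.verifySystemDependencies) {
            filters.add(new SystemDependencySkipper());
        }
        if (!this.verifyReactorDependencies) {
            filters.add(new ReactorDependencySkipper(this.project, this.session));
        }
        return new CompositeSkipper(filters);
    }

    /**
     * Creates the key cache and loads the keys map from {@code keysMapLocation}.
     *
     * @throws MojoFailureException if the key cache cannot be created
     * @throws MojoExecutionException if the keys map cannot be found or read
     */
    private void prepareForKeys() throws MojoFailureException, MojoExecutionException {
        initCache();
        try {
            this.keysMap.load(this.keysMapLocation);
        } catch (ResourceNotFoundException | IOException e) {
            throw new MojoExecutionException("load keys map", e);
        }
    }

    /**
     * Creates the {@link PGPKeysCache} for the configured cache directory and keyserver.
     *
     * @throws MojoFailureException wrapping any I/O, URI or TLS/keystore setup error
     */
    private void initCache() throws MojoFailureException {
        try {
            this.pgpKeysCache = new PGPKeysCache(getLog(), this.pgpKeysCachePath, this.pgpKeyServer);
        } catch (IOException | URISyntaxException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new MojoFailureException(e.getMessage(), e);
        }
    }

    /**
     * Verifies every artifact/signature pair and fails the build if any of them is rejected.
     *
     * @param artifactToSignature artifact mapped to its signature artifact; a {@code null} value
     *     is handled as "no signature available"
     * @throws MojoFailureException if a signature file cannot be processed
     * @throws MojoExecutionException if at least one artifact did not pass
     */
    private void verifyArtifactSignatures(Map<Artifact, Artifact> artifactToSignature) throws MojoFailureException, MojoExecutionException {
        boolean allValid = true;
        for (Map.Entry<Artifact, Artifact> entry : artifactToSignature.entrySet()) {
            // Verify first, then combine: folding the call into "allValid && verify(...)" would
            // short-circuit after the first rejection and leave the remaining artifacts unchecked
            // and unreported.
            boolean valid = verifyPGPSignature(entry.getKey(), entry.getValue());
            allValid = allValid && valid;
        }
        if (!allValid) {
            throw new MojoExecutionException("PGP signature error");
        }
    }

    /**
     * Verifies one artifact against its detached signature.
     *
     * @param artifact the artifact whose file content is checked
     * @param signatureArtifact the signature artifact, or {@code null} when none was resolved
     * @return {@code true} if the artifact passes; {@code false} if the key is not allowed for the
     *     artifact, the signature does not verify, or an unsigned artifact is not listed as such
     * @throws MojoFailureException if the signature file is not a signature list, if a weak hash
     *     algorithm is used while {@code failWeakSignature} is set, or on I/O and PGP errors
     */
    private boolean verifyPGPSignature(Artifact artifact, Artifact signatureArtifact) throws MojoFailureException {
        if (signatureArtifact == null) {
            return verifySignatureUnavailable(artifact);
        }
        File artifactFile = artifact.getFile();
        File signatureFile = signatureArtifact.getFile();
        getLog().debug("Artifact file: " + artifactFile);
        getLog().debug("Artifact sign: " + signatureFile);
        try {
            PGPSignature signature = readFirstSignature(signatureFile);

            Integer hashAlgorithm = Integer.valueOf(signature.getHashAlgorithm());
            if (WEAK_HASH_ALGORITHMS.containsKey(hashAlgorithm)) {
                String weakMessage = "Weak signature algorithm used: " + WEAK_HASH_ALGORITHMS.get(hashAlgorithm);
                if (this.failWeakSignature) {
                    getLog().error(weakMessage);
                    throw new MojoFailureException(weakMessage);
                }
                getLog().warn(weakMessage);
            }

            PGPPublicKey key = this.pgpKeysCache.getKey(signature.getKeyID());
            // The allow-list decision is made before the cryptographic check: a key that is not
            // permitted for this artifact is rejected even if its signature would verify.
            if (!this.keysMap.isValidKey(artifact, key)) {
                getLog().error(String.format("Not allowed artifact %s and keyID:%n\t%s%n\t%s%n", artifact.getId(), String.format("%s = %s", ArtifactUtils.key(artifact), PublicKeyUtils.fingerprint(key)), this.pgpKeysCache.getUrlForShowKey(key.getKeyID())));
                return false;
            }

            signature.init(new BcPGPContentVerifierBuilderProvider(), key);
            PGPSignatures.readFileContentInto(signature, artifactFile);
            if (!signature.verify()) {
                getLog().warn(String.format(PGP_VERIFICATION_RESULT_FORMAT, artifact.getId(), "ERROR", PublicKeyUtils.fingerprint(key), Lists.newArrayList(key.getUserIDs())));
                getLog().warn(artifactFile.toString());
                getLog().warn(signatureFile.toString());
                return false;
            }
            logResult(String.format(PGP_VERIFICATION_RESULT_FORMAT, artifact.getId(), "OK", PublicKeyUtils.fingerprint(key), Lists.newArrayList(key.getUserIDs())));
            return true;
        } catch (IOException | PGPException e) {
            throw new MojoFailureException(e.getMessage(), e);
        }
    }

    /**
     * Reads the first signature from a detached signature file and closes the file afterwards.
     *
     * <p>Only the first signature of the list is returned; further signatures in the same file
     * are not examined.
     *
     * @throws MojoFailureException if the first object in the file is missing, is not a
     *     signature list, or is an empty list
     * @throws IOException if the file cannot be read
     */
    private PGPSignature readFirstSignature(File signatureFile) throws MojoFailureException, IOException {
        // try-with-resources: the stream was previously left open for the garbage collector.
        try (FileInputStream signatureInput = new FileInputStream(signatureFile)) {
            Object parsed = new PGPObjectFactory(PGPUtil.getDecoderStream(signatureInput), new BcKeyFingerprintCalculator()).nextObject();
            // instanceof also covers null; anything that is not a signature list is reported as
            // an invalid file instead of surfacing as a ClassCastException.
            if (!(parsed instanceof PGPSignatureList)) {
                throw new MojoFailureException("Invalid signature file: " + signatureFile);
            }
            PGPSignatureList signatures = (PGPSignatureList) parsed;
            if (signatures.isEmpty()) {
                throw new MojoFailureException("Invalid signature file: " + signatureFile);
            }
            return signatures.get(0);
        }
    }

    /**
     * Decides the outcome for an artifact that has no signature: it passes only when the keys map
     * explicitly lists the artifact as having no key.
     */
    private boolean verifySignatureUnavailable(Artifact artifact) {
        if (!this.keysMap.isNoKey(artifact)) {
            getLog().error("Unsigned artifact not listed in keys map: " + artifact.getId());
            return false;
        }
        logResult(String.format("%s PGP Signature unavailable, consistent with keys map.", artifact.getId()));
        return true;
    }

    /** Logs a positive result at debug level when {@code quiet} is set, otherwise at info level. */
    private void logResult(String message) {
        if (this.quiet) {
            getLog().debug(message);
        } else {
            getLog().info(message);
        }
    }
}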
