package com.floragunn.searchguard.configuration.variables;

import com.floragunn.codova.documents.DocReader;
import com.floragunn.codova.documents.DocWriter;
import com.floragunn.codova.documents.DocumentParseException;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.google.common.io.BaseEncoding;
import com.google.common.io.Files;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/searchguard/configuration/variables/EncryptionKeys.class */
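/**
 * Holds the AES keys used to encrypt and decrypt configuration variables.
 *
 * <p>Keys are read from the node settings group {@code searchguard.config_vars.encryption_keys.<id>}.
 * A built-in {@code default} entry is always registered first.
 *
 * <p>Security notes for reviewers (all visible in this class):
 * <ul>
 *   <li>The built-in default key is a constant compiled into the class, so it is the same for every
 *       installation. Data encrypted with it is obfuscated rather than protected; operators should
 *       configure and activate their own key.</li>
 *   <li>If a configured key fails to load, the failure is only logged and recorded in the component
 *       state. If that key was the one marked active, encryption falls back to the built-in default.</li>
 *   <li>CBC ciphers provide confidentiality only. A cipher name containing {@code /GCM/} selects
 *       authenticated encryption.</li>
 * </ul>
 */
public class EncryptionKeys implements ComponentStateProvider {
    private static final Logger log = LogManager.getLogger(EncryptionKeys.class);
    public static final Setting<?> ENCRYPTION_KEYS_SETTING = Setting.groupSetting("searchguard.config_vars.encryption_keys.", Setting.Property.NodeScope);

    /** Length of the random IV/nonce generated for each encryption, in bytes. */
    private static final int IV_LENGTH_BYTES = 16;

    /** Authentication tag length passed to {@link GCMParameterSpec}, in bits. */
    private static final int GCM_TAG_LENGTH_BITS = 128;

    // SECURITY: hard-coded key material. Anyone with access to this class file knows this key, so it
    // must not be relied on for confidentiality. It is kept unchanged because existing data that
    // references key id "default" can only be decrypted with exactly this value.
    private static final Entry DEFAULT_ENTRY = new Entry("default", "AES/CBC/PKCS5Padding", new SecretKeySpec(BaseEncoding.base64().decode("v9hGHVFiTgj+eAhjJrDgAEy5GUoTBUwXkAKEpfCL6dQ="), "AES"), false);

    private final Map<String, Entry> entries;
    private final Entry active;
    private final ComponentState componentState = new ComponentState(1000, (String) null, "encryption_keys", EncryptionKeys.class);

    /**
     * One named key together with the cipher transformation it is used with.
     *
     * <p>Decompiler note: JADX widened this class from package-private.
     */
    public static class Entry {
        final String id;
        final SecretKeySpec secretKeySpec;
        final String cipher;
        final boolean gcm;
        final boolean active;

        /**
         * @param str the key id
         * @param str2 the JCA cipher transformation, e.g. {@code AES/CBC/PKCS5Padding}
         * @param secretKeySpec the key material
         * @param z whether this key is marked as the active (encrypting) key
         */
        Entry(String str, String str2, SecretKeySpec secretKeySpec, boolean z) {
            this.id = str;
            this.cipher = str2;
            this.secretKeySpec = secretKeySpec;
            // The match is case-sensitive: only a transformation spelled with "/GCM/" gets GCM parameters.
            this.gcm = str2.contains("/GCM/");
            this.active = z;
        }

        /**
         * Reads a Base64-encoded AES key from a file.
         *
         * @param str the key id
         * @param str2 the cipher transformation
         * @param file file containing the Base64 text of the key
         * @param z whether the key is active
         * @throws IOException if the file cannot be read
         */
        static Entry fromFile(String str, String str2, File file, boolean z) throws IOException {
            // Key files usually end with a newline; strip surrounding whitespace so that the
            // Base64 decoder does not reject an otherwise valid key.
            String encodedKey = Files.asCharSource(file, Charset.defaultCharset()).read().trim();
            return new Entry(str, str2, new SecretKeySpec(BaseEncoding.base64().decode(encodedKey), "AES"), z);
        }

        /**
         * Builds an entry from one settings group. Recognized settings: {@code cipher}, {@code active},
         * and either {@code key_file} (path to a Base64 key file) or {@code key} (inline Base64 key).
         *
         * @param str the key id (the name of the settings group)
         * @param settings the settings of that group
         * @throws IOException if a key file cannot be read
         * @throws RuntimeException if neither {@code key_file} nor {@code key} is set
         */
        static Entry fromSettings(String str, Settings settings) throws IOException {
            // NOTE(review): this default differs from the built-in entry (PKCS5Padding). With NoPadding
            // the JCA rejects any plaintext whose length is not a multiple of the AES block size, and
            // CBC adds no integrity protection. It is left unchanged here because stored values only
            // record the key id, not the cipher; consider configuring AES/GCM/NoPadding explicitly.
            String transformation = settings.get("cipher", "AES/CBC/NoPadding");
            boolean isActive = settings.getAsBoolean("active", false).booleanValue();
            if (settings.hasValue("key_file")) {
                // Fix: the path was previously read from the unrelated setting "file", so every
                // key_file configuration failed to load and the key was never registered.
                return fromFile(str, transformation, new File(settings.get("key_file")), isActive);
            }
            if (settings.hasValue("key")) {
                return new Entry(str, transformation, new SecretKeySpec(BaseEncoding.base64().decode(settings.get("key")), "AES"), isActive);
            }
            throw new RuntimeException("Encryption key must be specified as key_file or key");
        }
    }

    /**
     * Loads all configured keys and selects the active one.
     *
     * @param settings node settings containing the {@code searchguard.config_vars.encryption_keys.} group
     */
    public EncryptionKeys(Settings settings) {
        this.entries = createEntryMap(settings, this.componentState);
        this.active = getActive(this.entries);
        this.componentState.updateStateFromParts();
        this.componentState.setMessage("active: " + this.active.id);
        if (this.active == DEFAULT_ENTRY) {
            // Make the fallback visible: it also happens when the intended active key failed to load.
            log.warn("No configured encryption key is active; config variables will be encrypted with the built-in default key, "
                    + "which is identical across all installations. Configure and activate a key under {}", ENCRYPTION_KEYS_SETTING.getKey());
        }
    }

    /**
     * Serializes {@code obj} to JSON and encrypts it with the active key.
     *
     * <p>Decompiler note: JADX widened this method from package-private.
     *
     * @param obj the value to encrypt
     * @return a map with {@code value} (Base64 ciphertext), {@code key} (key id) and {@code iv} (hex IV)
     * @throws EncryptionException if no active key exists or the cipher operation fails
     */
    public Map<String, Object> getEncryptedData(Object obj) throws EncryptionException {
        byte[] plaintext = DocWriter.json().writeAsBytes(obj);
        try {
            Entry key = this.active;
            if (key == null) {
                throw new EncryptionException("Could not find active encryption key");
            }
            Cipher cipher = Cipher.getInstance(key.cipher);
            // A fresh random IV per message; it is stored next to the ciphertext.
            byte[] iv = new byte[IV_LENGTH_BYTES];
            new SecureRandom().nextBytes(iv);
            if (key.gcm) {
                cipher.init(Cipher.ENCRYPT_MODE, key.secretKeySpec, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv));
            } else {
                cipher.init(Cipher.ENCRYPT_MODE, key.secretKeySpec, new IvParameterSpec(iv));
            }
            return ImmutableMap.ofNonNull("value", BaseEncoding.base64().encode(cipher.doFinal(plaintext)), "key", key.id, "iv", BaseEncoding.base16().encode(iv));
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new EncryptionException(e);
        } finally {
            // Do not leave the serialized plaintext in memory longer than needed.
            Arrays.fill(plaintext, (byte) 0);
        }
    }

    /**
     * Decrypts a document that carries the encrypted fields under the key {@code encrypted}.
     *
     * <p>Decompiler note: JADX widened this method from package-private.
     *
     * @param map document containing an {@code encrypted} object with {@code value}, {@code key} and {@code iv}
     * @return the decrypted value, parsed from JSON
     * @throws EncryptionException if the {@code encrypted} object is missing or decryption fails
     * @throws DocumentParseException if the decrypted bytes are not valid JSON
     */
    public Object getDecryptedData(Map<String, Object> map) throws EncryptionException, DocumentParseException {
        Object encrypted = map.get("encrypted");
        if (!(encrypted instanceof Map)) {
            // Previously this surfaced as a NullPointerException or ClassCastException.
            throw new EncryptionException("Document does not contain an 'encrypted' object");
        }
        Map<?, ?> fields = (Map<?, ?>) encrypted;
        return getDecryptedData((String) fields.get("value"), (String) fields.get("key"), (String) fields.get("iv"));
    }

    /**
     * Decrypts the encrypted value stored in a {@link ConfigVar}.
     *
     * <p>Decompiler note: JADX widened this method from package-private.
     *
     * @param configVar the variable whose encrypted value, key id and IV are read
     * @return the decrypted value, parsed from JSON
     * @throws DocumentParseException if the decrypted bytes are not valid JSON
     * @throws EncryptionException if the key is unknown or decryption fails
     */
    public Object getDecryptedData(ConfigVar configVar) throws DocumentParseException, EncryptionException {
        return getDecryptedData(configVar.getEncValue(), configVar.getEncKey(), configVar.getEncIv());
    }

    /**
     * Decrypts a value with the key registered under the given id.
     *
     * @param str Base64-encoded ciphertext
     * @param str2 id of the key that was used for encryption
     * @param str3 hex-encoded IV that was used for encryption
     * @return the decrypted value, parsed from JSON
     * @throws EncryptionException if an input is missing, the key id is unknown, or decryption fails
     *     (for GCM ciphers this includes a failed authentication tag check)
     * @throws DocumentParseException if the decrypted bytes are not valid JSON
     */
    Object getDecryptedData(String str, String str2, String str3) throws EncryptionException, DocumentParseException {
        if (str == null) {
            throw new EncryptionException("Encrypted value is missing");
        }
        byte[] ciphertext = BaseEncoding.base64().decode(str);
        try {
            Entry key = this.entries.get(str2);
            if (key == null) {
                throw new EncryptionException("Unknown encryption key: " + str2);
            }
            if (str3 == null) {
                // Previously a missing IV surfaced as a NullPointerException from the hex decoder.
                throw new EncryptionException("Initialization vector is missing for encryption key: " + str2);
            }
            byte[] iv = BaseEncoding.base16().decode(str3);
            Cipher cipher = Cipher.getInstance(key.cipher);
            if (key.gcm) {
                cipher.init(Cipher.DECRYPT_MODE, key.secretKeySpec, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv));
            } else {
                cipher.init(Cipher.DECRYPT_MODE, key.secretKeySpec, new IvParameterSpec(iv));
            }
            byte[] plaintext = cipher.doFinal(ciphertext);
            try {
                return DocReader.json().read(plaintext);
            } finally {
                // Wipe the decrypted bytes once they have been parsed.
                Arrays.fill(plaintext, (byte) 0);
            }
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new EncryptionException(e);
        }
    }

    /**
     * Builds the id-to-key map: the built-in default first, then every configured group.
     * A configured group named {@code default} replaces the built-in entry.
     *
     * @param settings node settings
     * @param componentState receives one {@code encryption_key} part per configured key
     * @return an unmodifiable map of all keys that loaded successfully
     */
    private static Map<String, Entry> createEntryMap(Settings settings, ComponentState componentState) {
        Map<String, Settings> groups = settings.getGroups(ENCRYPTION_KEYS_SETTING.getKey());
        Map<String, Entry> result = new HashMap<>();
        result.put(DEFAULT_ENTRY.id, DEFAULT_ENTRY);
        for (Map.Entry<String, Settings> group : groups.entrySet()) {
            String id = group.getKey();
            try {
                result.put(id, Entry.fromSettings(id, group.getValue()));
                componentState.getOrCreatePart("encryption_key", id).setInitialized();
            } catch (Exception e) {
                // Deliberately best-effort: a broken key must not prevent the other keys from loading.
                // The key is then absent from the map; if it was meant to be active, getActive()
                // falls back to the default entry.
                componentState.getOrCreatePart("encryption_key", id).setFailed(e);
                log.error("Error while creating encryption key {}", id, e);
            }
        }
        return Collections.unmodifiableMap(result);
    }

    /**
     * Returns the first entry marked active, or the entry with id {@code default} if none is.
     *
     * <p>The map is a {@link HashMap}, so if several keys are marked active, which one is chosen
     * is not defined by configuration order.
     */
    private static Entry getActive(Map<String, Entry> map) {
        for (Entry candidate : map.values()) {
            if (candidate.active) {
                return candidate;
            }
        }
        return map.get("default");
    }

    /**
     * NOTE(review): this returns {@code null} although the class maintains a {@code componentState}
     * field that the constructor populates. It is left as is because callers are not visible here;
     * confirm whether returning {@code null} is intentional.
     */
    public ComponentState getComponentState() {
        return null;
    }
}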
