package org.squashtest.tm.service.internal.servers;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.annotation.PostConstruct;
import jakarta.inject.Inject;
import jakarta.persistence.EntityManager;
import jakarta.persistence.NoResultException;
import jakarta.persistence.PersistenceContext;
import jakarta.persistence.Query;
import jakarta.transaction.Transactional;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.squashtest.tm.core.foundation.logger.Logger;
import org.squashtest.tm.core.foundation.logger.LoggerFactory;
import org.squashtest.tm.domain.project.GenericProject;
import org.squashtest.tm.domain.servers.AuthenticationProtocol;
import org.squashtest.tm.domain.servers.BasicAuthenticationCredentials;
import org.squashtest.tm.domain.servers.Credentials;
import org.squashtest.tm.domain.servers.StoredCredentials;
import org.squashtest.tm.domain.users.User;
import org.squashtest.tm.security.UserContextHolder;
import org.squashtest.tm.service.feature.FeatureManager;
import org.squashtest.tm.service.internal.repository.UserDao;
import org.squashtest.tm.service.internal.servers.Crypto;
import org.squashtest.tm.service.internal.servers.StoredContentHandlers;
import org.squashtest.tm.service.security.Authorizations;
import org.squashtest.tm.service.security.PermissionEvaluationService;
import org.squashtest.tm.service.servers.EncryptionKeyChangedException;
import org.squashtest.tm.service.servers.ManageableCredentials;
import org.squashtest.tm.service.servers.MissingEncryptionKeyException;
import org.squashtest.tm.service.servers.ServerAuthConfiguration;
import org.squashtest.tm.service.servers.StoredCredentialsManager;

@Transactional
@Service
/* loaded from: input_file:WEB-INF/lib/tm.service-10.0.0.RELEASE.jar:org/squashtest/tm/service/internal/servers/StoredCredentialsManagerImpl.class */
public class StoredCredentialsManagerImpl implements StoredCredentialsManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(StoredCredentialsManagerImpl.class);
    private static final String OR_CURRENT_USER_OWNS_CREDENTIALS = " or authentication.name == #username";
    private static final String DELETE_ALL_USER_CREDENTIALS = "StoredCredentials.deleteAllUserCredentialsByUserId";
    private static final String DELETE_ALL_STORED_CREDENTIALS_FOR_SERVERS = "StoredCredentials.deleteAllStoredCredentialsForServers";
    private static final String DELETE_ALL_PROJECT_CREDENTIALS = "StoredCredentials.deleteAllProjectCredentialsByProjectId";
    private static final String JACKSON_TYPE_ID_ATTR = "@class";
    private static final String REFUSED_TO_STORE_CREDENTIALS_OF_TYPE = "Refused to store credentials of type '";
    private static final String BUSINESS_RULES_FORBID = "' : business rules forbid ";

    @PersistenceContext
    private EntityManager em;

    @Inject
    private FeatureManager features;

    @Inject
    private UserDao userDao;

    @Inject
    private PermissionEvaluationService permissionService;
    private ObjectMapper objectMapper;

    @Value("${squash.crypto.secret}")
    private char[] secret = new char[0];
    private boolean caseInsensitive = false;

    @JsonTypeInfo(include = JsonTypeInfo.As.PROPERTY, use = JsonTypeInfo.Id.CLASS)
    @JsonInclude
    /* loaded from: input_file:WEB-INF/lib/tm.service-10.0.0.RELEASE.jar:org/squashtest/tm/service/internal/servers/StoredCredentialsManagerImpl$InternalCredentialsMixin.class */
    interface InternalCredentialsMixin {
        @JsonIgnore
        AuthenticationProtocol getImplementedProtocol();
    }

    @JsonTypeInfo(include = JsonTypeInfo.As.PROPERTY, use = JsonTypeInfo.Id.CLASS)
    @JsonInclude
    /* loaded from: input_file:WEB-INF/lib/tm.service-10.0.0.RELEASE.jar:org/squashtest/tm/service/internal/servers/StoredCredentialsManagerImpl$InternalManageableCredentialsMixin.class */
    interface InternalManageableCredentialsMixin {
        @JsonIgnore
        AuthenticationProtocol getImplementedProtocol();
    }

    @JsonTypeInfo(include = JsonTypeInfo.As.PROPERTY, use = JsonTypeInfo.Id.CLASS)
    @JsonInclude
    /* loaded from: input_file:WEB-INF/lib/tm.service-10.0.0.RELEASE.jar:org/squashtest/tm/service/internal/servers/StoredCredentialsManagerImpl$InternalServerAuthConfigurationMixin.class */
    interface InternalServerAuthConfigurationMixin {
        @JsonIgnore
        AuthenticationProtocol getImplementedProtocol();
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public boolean isSecretConfigured() {
        if (this.secret.length == 0 || this.secret[0] == 0) {
            return false;
        }
        for (int i = 0; i < this.secret.length; i++) {
            char c = this.secret[i];
            if (c != ' ' && c != '\t') {
                return true;
            }
        }
        return false;
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public char[] getSecret() {
        return this.secret;
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize("hasRole('ROLE_ADMIN') or authentication.name == #username")
    public void storeUserCredentials(long j, String str, ManageableCredentials manageableCredentials) {
        checkUserLevelStorageAllowed(manageableCredentials);
        storeContent(buildUserCredentialsHandler(j, str), manageableCredentials);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public void storeCurrentUserCredentials(long j, ManageableCredentials manageableCredentials) {
        checkUserLevelStorageAllowed(manageableCredentials);
        storeContent(buildUserCredentialsHandler(j, UserContextHolder.getUsername()), manageableCredentials);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize("hasRole('ROLE_ADMIN') or authentication.name == #username")
    public ManageableCredentials findUserCredentials(long j, String str) {
        return unsecuredFindUserCredentials(j, str);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public ManageableCredentials findCurrentUserCredentials(long j) {
        return unsecuredFindUserCredentials(j, UserContextHolder.getUsername());
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public ManageableCredentials unsecuredFindUserCredentials(long j, String str) {
        return (ManageableCredentials) unsecuredFindContent(buildUserCredentialsHandler(j, str));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize("hasRole('ROLE_ADMIN') or authentication.name == #username")
    public void deleteUserCredentials(long j, String str) {
        deleteContent(buildUserCredentialsHandler(j, str));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public void deleteAllUserCredentials(long j) {
        deleteAllUserCredentialsById(j);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public void storeAppLevelCredentials(long j, ManageableCredentials manageableCredentials) {
        this.permissionService.checkAtLeastOneProjectManagementPermissionOrAdmin();
        checkAppLevelStorageAllowed(manageableCredentials);
        storeContent(buildAppLevelHandler(j), manageableCredentials);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public ManageableCredentials findAppLevelCredentials(long j) {
        return unsecuredFindAppLevelCredentials(j);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public ManageableCredentials unsecuredFindAppLevelCredentials(long j) {
        return (ManageableCredentials) unsecuredFindContent(buildAppLevelHandler(j));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public void deleteAppLevelCredentials(long j) {
        deleteContent(buildAppLevelHandler(j));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public void deleteAllServerCredentials(List<Long> list) {
        if (list.isEmpty()) {
            return;
        }
        LOGGER.info("Deleting all credentials for server #{}", list);
        Query createNamedQuery = this.em.createNamedQuery(DELETE_ALL_STORED_CREDENTIALS_FOR_SERVERS);
        createNamedQuery.setParameter("serverIds", list);
        createNamedQuery.executeUpdate();
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public void storeServerAuthConfiguration(long j, ServerAuthConfiguration serverAuthConfiguration) {
        storeContent(buildAuthConfigurationHandler(j), serverAuthConfiguration);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public ServerAuthConfiguration findServerAuthConfiguration(long j) {
        return unsecuredFindServerAuthConfiguration(j);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public ServerAuthConfiguration unsecuredFindServerAuthConfiguration(long j) {
        return (ServerAuthConfiguration) unsecuredFindContent(buildAuthConfigurationHandler(j));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public void deleteServerAuthConfiguration(long j) {
        deleteContent(buildAuthConfigurationHandler(j));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.MANAGE_PROJECT_OR_ROLE_ADMIN)
    public void storeProjectCredentials(long j, long j2, ManageableCredentials manageableCredentials) {
        checkProjectLevelStorageAllowed(manageableCredentials);
        storeContent(buildProjectHandler(j, j2), manageableCredentials);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public ManageableCredentials findProjectCredentials(long j, long j2) {
        return (ManageableCredentials) unsecuredFindContent(buildProjectHandler(j, j2));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.MANAGE_PROJECT_OR_ROLE_ADMIN)
    public void deleteProjectCredentials(long j, long j2) {
        deleteContent(buildProjectHandler(j, j2));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.MANAGE_PROJECT_OR_ROLE_ADMIN)
    public void deleteAllProjectCredentials(long j) {
        LOGGER.info("Deleting all project credentials for project #{}", Long.valueOf(j));
        Query createNamedQuery = this.em.createNamedQuery(DELETE_ALL_PROJECT_CREDENTIALS);
        createNamedQuery.setParameter("projectId", Long.valueOf(j));
        createNamedQuery.executeUpdate();
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public void storeReportingCacheCredentials(long j, ManageableCredentials manageableCredentials) {
        storeContent(buildReportingCacheHandler(j), manageableCredentials);
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    public ManageableCredentials findReportingCacheCredentials(long j) {
        return (ManageableCredentials) unsecuredFindContent(buildReportingCacheHandler(j));
    }

    @Override // org.squashtest.tm.service.servers.StoredCredentialsManager
    @PreAuthorize(Authorizations.HAS_ROLE_ADMIN)
    public void deleteReportingCacheCredentials(long j) {
        deleteContent(buildReportingCacheHandler(j));
    }

    private void checkAppLevelStorageAllowed(ManageableCredentials manageableCredentials) {
        if (!manageableCredentials.allowsAppLevelStorage()) {
            throw new IllegalArgumentException("Refused to store credentials of type '" + String.valueOf(manageableCredentials.getImplementedProtocol()) + "' : business rules forbid to store such credentials as application-level credentials");
        }
    }

    private void checkUserLevelStorageAllowed(ManageableCredentials manageableCredentials) {
        if (!manageableCredentials.allowsUserLevelStorage()) {
            throw new IllegalArgumentException("Refused to store credentials of type '" + String.valueOf(manageableCredentials.getImplementedProtocol()) + "' : business rules forbid to store such credentials for human users");
        }
    }

    private void checkProjectLevelStorageAllowed(ManageableCredentials manageableCredentials) {
        if (!manageableCredentials.allowsProjectLevelStorage()) {
            throw new IllegalArgumentException("Refused to store credentials of type '" + String.valueOf(manageableCredentials.getImplementedProtocol()) + "' : business rules forbid to store such credentials as project-level credentials");
        }
    }

    StoredContentHandlers.UserCredentialsHandler buildUserCredentialsHandler(long j, String str) {
        return new StoredContentHandlers.UserCredentialsHandler(j, str, () -> {
            return loadUserOrNull(str);
        });
    }

    StoredContentHandlers.AuthConfigurationHandler buildAuthConfigurationHandler(long j) {
        return new StoredContentHandlers.AuthConfigurationHandler(j);
    }

    StoredContentHandlers.AppLevelHandler buildAppLevelHandler(long j) {
        return new StoredContentHandlers.AppLevelHandler(j);
    }

    StoredContentHandlers.ProjectHandler buildProjectHandler(long j, long j2) {
        return new StoredContentHandlers.ProjectHandler(j, j2, () -> {
            return (GenericProject) this.em.find(GenericProject.class, Long.valueOf(j2));
        });
    }

    StoredContentHandlers.ReportingCacheHandler buildReportingCacheHandler(long j) {
        return new StoredContentHandlers.ReportingCacheHandler(j);
    }

    private <TYPE> void storeContent(StoredContentHandlers.StoredContentHandler<TYPE> storedContentHandler, Object obj) {
        if (!isSecretConfigured()) {
            throw new MissingEncryptionKeyException();
        }
        try {
            Crypto.EncryptionOutcome encryptedForm = toEncryptedForm(obj);
            try {
                loadStoredContent(storedContentHandler).setEncryptedCredentials(encryptedForm.getEncryptedText());
            } catch (NoResultException unused) {
                this.em.persist(storedContentHandler.buildNewStoredCredentials(this.em, encryptedForm));
            }
        } catch (IOException | GeneralSecurityException e) {
            LOGGER.error("Could encrypt the content because the JRE doesn't support the specified encryption algorithms.", new Object[0]);
            throw new RuntimeException(e);
        }
    }

    private <TYPE> TYPE unsecuredFindContent(StoredContentHandlers.StoredContentHandler<TYPE> storedContentHandler) {
        if (!isSecretConfigured()) {
            throw new MissingEncryptionKeyException();
        }
        LOGGER.debug("loading stored content for content handler '{}'", storedContentHandler);
        Crypto crypto = new Crypto(Arrays.copyOf(this.secret, this.secret.length));
        StoredCredentials storedCredentials = null;
        String str = null;
        try {
            try {
                try {
                    Class<TYPE> deserializationClass = storedContentHandler.getDeserializationClass();
                    storedCredentials = loadStoredContent(storedContentHandler);
                    str = crypto.decrypt(storedCredentials.getEncryptedCredentials());
                    TYPE type = (TYPE) this.objectMapper.readValue(str, deserializationClass);
                    crypto.dispose();
                    return type;
                } catch (Exception e) {
                    if (str == null) {
                        LOGGER.debug("The decryption failed for unknown reasons.", new Object[0]);
                        throw new RuntimeException(e);
                    }
                    TYPE type2 = (TYPE) fallbackOrDie(storedCredentials, str);
                    crypto.dispose();
                    return type2;
                }
            } catch (NoResultException unused) {
                LOGGER.debug("Content not found.", new Object[0]);
                crypto.dispose();
                return null;
            } catch (UnsupportedEncodingException | GeneralSecurityException e2) {
                LOGGER.error("Decryption failed probably because the encryption key changed. Less likely, is also can be that JRE doesn't support the specified encryption algorithms.", new Object[0]);
                throw new EncryptionKeyChangedException(e2);
            }
        } catch (Throwable th) {
            crypto.dispose();
            throw th;
        }
    }

    private <TYPE> TYPE fallbackOrDie(StoredCredentials storedCredentials, String str) {
        LOGGER.debug("The data format is wrong. Perhaps an instance of BasicAuthenticationCredentials, which cannot now be stored directly, needs migration ?", new Object[0]);
        try {
            return (TYPE) migrateToNewFormat(str, storedCredentials);
        } catch (IOException | ClassCastException e) {
            LOGGER.error("something has gone definitely wrong.", new Object[0]);
            LOGGER.error(e.getMessage(), e);
            throw investigateDeserializationError(str, e);
        } catch (GeneralSecurityException e2) {
            LOGGER.error("encryption exception while trying to migrate and restore old credentials ! Was the secret key changed ?", new Object[0]);
            throw new EncryptionKeyChangedException(e2);
        }
    }

    private <TYPE> void deleteContent(StoredContentHandlers.StoredContentHandler<TYPE> storedContentHandler) {
        try {
            this.em.remove(loadStoredContent(storedContentHandler));
        } catch (NoResultException unused) {
        }
    }

    private Crypto.EncryptionOutcome toEncryptedForm(Object obj) throws IOException, GeneralSecurityException {
        Crypto crypto = new Crypto(Arrays.copyOf(this.secret, this.secret.length));
        try {
            try {
                return crypto.encrypt(this.objectMapper.writeValueAsString(obj));
            } catch (JsonProcessingException e) {
                LOGGER.error("an error occured while storing the credentials due to serialization error ", e);
                throw new RuntimeException(e);
            }
        } finally {
            crypto.dispose();
        }
    }

    private StoredCredentials loadStoredContent(StoredContentHandlers.StoredContentHandler<?> storedContentHandler) {
        return (StoredCredentials) storedContentHandler.getLocateQuery(this.em).getSingleResult();
    }

    private User loadUserOrNull(String str) {
        User user = null;
        if (str != null) {
            user = this.caseInsensitive ? this.userDao.findUserByLoginIgnoreCase(str) : this.userDao.findUserByLogin(str);
        }
        return user;
    }

    private void deleteAllUserCredentialsById(long j) {
        LOGGER.info("Deleting all user credentials for user #{}", Long.valueOf(j));
        Query createNamedQuery = this.em.createNamedQuery(DELETE_ALL_USER_CREDENTIALS);
        createNamedQuery.setParameter("userId", Long.valueOf(j));
        createNamedQuery.executeUpdate();
    }

    private RuntimeException investigateDeserializationError(String str, Throwable th) {
        try {
            return new RuntimeException("missing implementation for ManageableCredentials type '" + ((String) ((Map) this.objectMapper.readValue(str, new TypeReference<Map<String, ?>>() { // from class: org.squashtest.tm.service.internal.servers.StoredCredentialsManagerImpl.1
            })).get(JACKSON_TYPE_ID_ATTR)) + "', or that type does not implement '" + ManageableCredentials.class.getName() + "'", th);
        } catch (IOException e) {
            return new EncryptionKeyChangedException(e);
        }
    }

    @PostConstruct
    void initialize() {
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.addMixIn(Credentials.class, InternalCredentialsMixin.class);
        objectMapper.addMixIn(ManageableCredentials.class, InternalManageableCredentialsMixin.class);
        objectMapper.addMixIn(ServerAuthConfiguration.class, InternalServerAuthConfigurationMixin.class);
        this.objectMapper = objectMapper;
        this.caseInsensitive = this.features.isEnabled(FeatureManager.Feature.CASE_INSENSITIVE_LOGIN);
    }

    private ManageableCredentials migrateToNewFormat(String str, StoredCredentials storedCredentials) throws IOException, GeneralSecurityException {
        LOGGER.debug("attempting migration of the deprecated stored credentials", new Object[0]);
        ManageableCredentials tryAsBasicAuth = tryAsBasicAuth(str);
        storedCredentials.setEncryptedCredentials(toEncryptedForm(tryAsBasicAuth).getEncryptedText());
        LOGGER.debug("migration completed", new Object[0]);
        return tryAsBasicAuth;
    }

    private ManageableCredentials tryAsBasicAuth(String str) throws IOException {
        BasicAuthenticationCredentials basicAuthenticationCredentials = (BasicAuthenticationCredentials) this.objectMapper.readValue(str, BasicAuthenticationCredentials.class);
        return new ManageableBasicAuthCredentials(basicAuthenticationCredentials.getUsername(), basicAuthenticationCredentials.getPassword());
    }
}
