package com.atlassian.bamboo.crypto.instance;

import com.atlassian.bamboo.bandana.BandanaAccessVerifier;
import com.atlassian.bamboo.bandana.PlanAwareBandanaContext;
import com.atlassian.bamboo.fileserver.SystemDirectory;
import com.atlassian.bamboo.security.acegi.acls.HibernateMutableAclServiceImpl;
import com.atlassian.bamboo.utils.BambooFiles;
import com.atlassian.bandana.BandanaManager;
import com.atlassian.security.random.DefaultSecureRandomService;
import com.atlassian.security.random.SecureRandomService;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.log4j.Logger;
import org.bouncycastle.crypto.BlockCipher;
import org.bouncycastle.pqc.math.linearalgebra.ByteUtils;
import org.jetbrains.annotations.Contract;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/atlassian/bamboo/crypto/instance/InstanceSecretStorage.class */
class InstanceSecretStorage {
    private final BandanaManager bandanaManager;
    static final int KEY_LENGTH_BITS = 256;
    private static final Logger log = Logger.getLogger(InstanceSecretStorage.class);
    private static final String PROPERTY_INSTANCE_CIPHER_KEY = BandanaAccessVerifier.createRestrictedKey("instance.cipher.key");
    private static final String PROPERTY_INSTANCE_CIPHER_IV = BandanaAccessVerifier.createRestrictedKey("instance.cipher.iv");
    private final SecureRandomService secureRandomService = DefaultSecureRandomService.getInstance();
    private final Map<Integer, Pair<byte[], byte[]>> keysAndIvs = new HashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    public InstanceSecretStorage(BandanaManager bandanaManager) {
        this.bandanaManager = bandanaManager;
    }

    private Pair<byte[], byte[]> readKeyAndIv(int i) {
        byte[] keyFromDb = getKeyFromDb(i);
        byte[] keyFromFs = getKeyFromFs(i);
        byte[] ivFromDb = getIvFromDb(i);
        if (keyFromDb == null && keyFromFs == null && ivFromDb == null) {
            return null;
        }
        if (isDataComplete(keyFromDb, keyFromFs, ivFromDb)) {
            return Pair.of(restoreKey(keyFromDb, keyFromFs), ivFromDb);
        }
        throw new IllegalArgumentException("Unable to read cipher data for " + i);
    }

    private static boolean isDataComplete(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        if (bArr != null && bArr2 != null && bArr3 != null) {
            return true;
        }
        if (bArr == null) {
            log.fatal("Database part of instance key is unavailable");
        }
        if (bArr2 == null) {
            log.fatal("Filesystem part of instance key is unavailable");
        }
        if (bArr3 != null) {
            return false;
        }
        log.fatal("Cipher initialisation vector is unavailable");
        return false;
    }

    @NotNull
    public Pair<byte[], byte[]> getKeyAndIv(BlockCipher blockCipher, int i, boolean z) {
        return getCipherData(i, z, blockCipher.getBlockSize());
    }

    @NotNull
    private Pair<byte[], byte[]> getCipherData(int i, boolean z, int i2) {
        Pair<byte[], byte[]> orCreateCipherData;
        if (z) {
            orCreateCipherData = getCipherData(i);
            Preconditions.checkArgument(orCreateCipherData != null, "Unknown cipher data id " + i);
        } else {
            orCreateCipherData = getOrCreateCipherData(i2, i);
        }
        return orCreateCipherData;
    }

    @NotNull
    private synchronized Pair<byte[], byte[]> getOrCreateCipherData(int i, int i2) {
        Pair<byte[], byte[]> cipherData = getCipherData(i2);
        if (cipherData == null) {
            cipherData = readKeyAndIv(i2);
            if (cipherData == null) {
                generateCipherData(i, i2);
                cipherData = readKeyAndIv(i2);
            }
            Preconditions.checkState(cipherData != null, "Expected crypto data to be available, but it was not.");
            this.keysAndIvs.put(Integer.valueOf(i2), cipherData);
        }
        return cipherData;
    }

    private synchronized Pair<byte[], byte[]> getCipherData(int i) {
        return this.keysAndIvs.get(Integer.valueOf(i));
    }

    private void generateCipherData(int i, int i2) {
        log.info("Initialising instance cryptography for cipher data id " + i2 + "...");
        log.info("Generating instance cipher key...");
        byte[] newByteArrayForKey = newByteArrayForKey();
        this.secureRandomService.nextBytes(newByteArrayForKey);
        storeKeyInDbAndFs(newByteArrayForKey, i2);
        storeIv(i, i2);
        log.info("Instance cryptography initialised.");
    }

    private void storeIv(int i, int i2) {
        log.info("Generating instance initialisation vector...");
        byte[] bArr = new byte[i];
        this.secureRandomService.nextBytes(bArr);
        setValueByteArray(this.bandanaManager, getInstanceCipherIvPropertyName(i2), bArr);
    }

    @Nullable
    private byte[] getKeyFromFs(int i) {
        Path keyFile = getKeyFile(i);
        if (!Files.exists(keyFile, new LinkOption[0])) {
            return null;
        }
        try {
            return Files.readAllBytes(keyFile);
        } catch (IOException e) {
            throw Throwables.propagate(e);
        }
    }

    @Nullable
    private byte[] getKeyFromDb(int i) {
        return getValueByteArray(this.bandanaManager, getInstanceCipherKeyPropertyName(i));
    }

    @Nullable
    private byte[] getIvFromDb(int i) {
        return getValueByteArray(this.bandanaManager, getInstanceCipherIvPropertyName(i));
    }

    private void storeKeyInDbAndFs(byte[] bArr, int i) {
        Path createKeyFile = createKeyFile(i);
        log.info("Securely storing instance key...");
        byte[] newByteArrayForKey = newByteArrayForKey();
        this.secureRandomService.nextBytes(newByteArrayForKey);
        try {
            Files.write(createKeyFile, ByteUtils.xor(newByteArrayForKey, bArr), new OpenOption[0]);
            setValueByteArray(this.bandanaManager, getInstanceCipherKeyPropertyName(i), newByteArrayForKey);
        } catch (IOException e) {
            throw Throwables.propagate(e);
        }
    }

    private Path createKeyFile(int i) {
        Path keyFile = getKeyFile(i);
        try {
            Path parent = keyFile.getParent();
            Files.createDirectories(parent, new FileAttribute[0]);
            BambooFiles.setAccessibleOnlyByOwner(parent);
            Files.write(keyFile, new byte[0], new OpenOption[0]);
            BambooFiles.setAccessibleOnlyByOwner(keyFile);
            return keyFile;
        } catch (IOException e) {
            throw Throwables.propagate(e);
        }
    }

    private Path getKeyFile(int i) {
        return getInstanceCipherDirectory().resolve("cipher.key_" + i);
    }

    @VisibleForTesting
    protected Path getInstanceCipherDirectory() {
        return Paths.get(SystemDirectory.getConfigDirectory().getAbsolutePath(), new String[0]).resolve("cipher");
    }

    private static byte[] newByteArrayForKey() {
        return new byte[32];
    }

    private byte[] restoreKey(byte[] bArr, byte[] bArr2) {
        return ByteUtils.xor(bArr, bArr2);
    }

    @Contract("null -> null; !null -> !null")
    private static byte[] stringToBytes(String str) {
        if (str == null) {
            return null;
        }
        return Base64.getDecoder().decode(str);
    }

    @NotNull
    private static String bytesToString(@NotNull byte[] bArr) {
        return Base64.getEncoder().encodeToString(bArr);
    }

    private static void setValueByteArray(BandanaManager bandanaManager, String str, byte[] bArr) {
        bandanaManager.setValue(PlanAwareBandanaContext.GLOBAL_CONTEXT, str, bytesToString(bArr));
    }

    @Nullable
    private static byte[] getValueByteArray(BandanaManager bandanaManager, @NotNull String str) {
        return stringToBytes((String) bandanaManager.getValue(PlanAwareBandanaContext.GLOBAL_CONTEXT, str));
    }

    @VisibleForTesting
    static String getInstanceCipherKeyPropertyName(int i) {
        return PROPERTY_INSTANCE_CIPHER_KEY + HibernateMutableAclServiceImpl.BAMBOO_PERMISSION_FORM_SEPARATOR + i;
    }

    @VisibleForTesting
    static String getInstanceCipherIvPropertyName(int i) {
        return PROPERTY_INSTANCE_CIPHER_IV + HibernateMutableAclServiceImpl.BAMBOO_PERMISSION_FORM_SEPARATOR + i;
    }
}
