package com.atlassian.bitbucket.internal.mirroring.mirror.auth;

import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorDescriptionUtils;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorKeyUploadFailedException;
import com.atlassian.bitbucket.internal.mirroring.mirror.client.InternalUpstreamClientFactory;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.AoUpstreamServer;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.UpstreamServerDao;
import com.atlassian.bitbucket.internal.mirroring.mirror.ssh.MirrorKeyStorageException;
import com.atlassian.bitbucket.internal.mirroring.mirror.ssh.SshKeyStore;
import com.atlassian.bitbucket.mirroring.mirror.NoSuchUpstreamException;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServer;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServerType;
import com.atlassian.bitbucket.scm.mirror.MirrorSyncCommandParameters;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.fugue.Pair;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.atlassian.util.concurrent.Promise;
import com.atlassian.util.concurrent.Promises;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import java.net.URI;
import java.nio.file.Path;
import java.util.Optional;
import java.util.concurrent.ConcurrentMap;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/DefaultSyncCredentialsManager.class */
public class DefaultSyncCredentialsManager implements SyncCredentialsManager {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultSyncCredentialsManager.class);
    private static final int NO_VERSION = -1;
    private final ConcurrentMap<String, Pair<Integer, Promise<DefaultCloudSyncCredentials>>> cloudCredentials = Maps.newConcurrentMap();
    private final ConcurrentMap<String, Pair<Integer, Promise<DefaultServerSyncCredentials>>> serverCredentials = Maps.newConcurrentMap();
    private final I18nService i18nService;
    private final ApplicationPropertiesService propertiesService;
    private final SshKeyStore sshKeyStore;
    private final TransactionTemplate transactionTemplate;
    private final InternalUpstreamClientFactory upstreamClientFactory;
    private final UpstreamServerDao upstreamServerDao;

    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/DefaultSyncCredentialsManager$BaseSyncCredentials.class */
    private abstract class BaseSyncCredentials implements SyncCredentials {
        protected final int version;
        protected final UpstreamServer upstream;

        private BaseSyncCredentials(@Nonnull UpstreamServer upstreamServer, int i) {
            this.version = i;
            this.upstream = upstreamServer;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public UpstreamServer getUpstream() {
            return this.upstream;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public int getVersion() {
            return this.version;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @FunctionalInterface
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/DefaultSyncCredentialsManager$CredentialsProvider.class */
    public interface CredentialsProvider<C extends SyncCredentials> {
        @Nonnull
        Promise<C> get(int i, boolean z, @Nonnull UpstreamServer upstreamServer);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/DefaultSyncCredentialsManager$DefaultCloudSyncCredentials.class */
    public class DefaultCloudSyncCredentials extends BaseSyncCredentials implements CloudSyncCredentials {
        private final OAuthAccessToken accessToken;

        private DefaultCloudSyncCredentials(@Nonnull OAuthAccessToken oAuthAccessToken, @Nonnull UpstreamServer upstreamServer, int i) {
            super(upstreamServer, i);
            this.accessToken = oAuthAccessToken;
            Preconditions.checkArgument(upstreamServer.getType() == UpstreamServerType.BITBUCKET_CLOUD, "Must be a cloud upstream");
        }

        @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentials
        @Nonnull
        public MirrorSyncCommandParameters.Builder configure(@Nonnull MirrorSyncCommandParameters.Builder builder) {
            return builder.username("x-token-auth").password(this.accessToken.getValue());
        }

        @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.CloudSyncCredentials
        @Nonnull
        public OAuthAccessToken getAccessToken() {
            return this.accessToken;
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).add("accessToken", this.accessToken).add("upstream", this.upstream).add("version", this.version).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/DefaultSyncCredentialsManager$DefaultServerSyncCredentials.class */
    public class DefaultServerSyncCredentials extends BaseSyncCredentials implements ServerSyncCredentials {
        private final Path keyFile;
        private final UpstreamServer upstream;

        private DefaultServerSyncCredentials(@Nonnull Path path, @Nonnull UpstreamServer upstreamServer, int i) {
            super(upstreamServer, i);
            this.keyFile = path;
            this.upstream = upstreamServer;
        }

        @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentials
        @Nonnull
        public MirrorSyncCommandParameters.Builder configure(@Nonnull MirrorSyncCommandParameters.Builder builder) {
            return builder.privateKey(this.keyFile);
        }

        @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.ServerSyncCredentials
        @Nonnull
        public Path getKeyFile() {
            return this.keyFile;
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).add("keyFile", this.keyFile).add("upstream", this.upstream).add("version", this.version).toString();
        }
    }

    @Autowired
    public DefaultSyncCredentialsManager(I18nService i18nService, ApplicationPropertiesService applicationPropertiesService, SshKeyStore sshKeyStore, TransactionTemplate transactionTemplate, InternalUpstreamClientFactory internalUpstreamClientFactory, UpstreamServerDao upstreamServerDao) {
        this.i18nService = i18nService;
        this.propertiesService = applicationPropertiesService;
        this.sshKeyStore = sshKeyStore;
        this.transactionTemplate = transactionTemplate;
        this.upstreamClientFactory = internalUpstreamClientFactory;
        this.upstreamServerDao = upstreamServerDao;
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentialsManager
    @Nonnull
    public Promise<CloudSyncCredentials> getCloudCredentials(@Nonnull String str) {
        AoUpstreamServer upstreamOrFail = getUpstreamOrFail(str);
        if (upstreamOrFail.getType() != UpstreamServerType.BITBUCKET_CLOUD) {
            throw throwUpstreamUnsupported(upstreamOrFail);
        }
        return computeCredentials(-1, upstreamOrFail);
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentialsManager
    @Nonnull
    public Promise<SyncCredentials> getCredentials(@Nonnull String str) {
        return computeCredentials(-1, getUpstreamOrFail(str));
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentialsManager
    @Nonnull
    public Promise<ServerSyncCredentials> getServerCredentials(@Nonnull String str) {
        AoUpstreamServer upstreamOrFail = getUpstreamOrFail(str);
        if (upstreamOrFail.getType() != UpstreamServerType.BITBUCKET_SERVER) {
            throw throwUpstreamUnsupported(upstreamOrFail);
        }
        return computeCredentials(-1, upstreamOrFail);
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.auth.SyncCredentialsManager
    @Nonnull
    public Promise<SyncCredentials> refresh(@Nonnull SyncCredentials syncCredentials) {
        return computeCredentials(((BaseSyncCredentials) syncCredentials).getVersion(), ((BaseSyncCredentials) syncCredentials).getUpstream());
    }

    @Nonnull
    private <C extends SyncCredentials> Promise<C> computeCredentials(int i, @Nonnull UpstreamServer upstreamServer) {
        switch (upstreamServer.getType()) {
            case BITBUCKET_CLOUD:
                return computeCredentialsFor(this.cloudCredentials, i, this::getCloudCredentials, upstreamServer);
            case BITBUCKET_SERVER:
                return computeCredentialsFor(this.serverCredentials, i, this::getServerCredentials, upstreamServer);
            default:
                throw throwUpstreamUnsupported(upstreamServer);
        }
    }

    private <C extends SyncCredentials> Promise<C> computeCredentialsFor(@Nonnull ConcurrentMap<String, Pair<Integer, Promise<C>>> concurrentMap, int i, @Nonnull CredentialsProvider<C> credentialsProvider, @Nonnull UpstreamServer upstreamServer) {
        return concurrentMap.compute(upstreamServer.getId(), (str, pair) -> {
            boolean z = pair == null;
            boolean z2 = i != -1;
            boolean z3 = (z || ((Promise) pair.right()).isDone()) ? false : true;
            boolean z4 = (z || z3 || !isError((Promise) pair.right())) ? false : true;
            boolean z5 = !z && ((Integer) pair.left()).intValue() > i;
            Preconditions.checkState(!z || i == -1, "Unexpected state: computation does not exist in the map but a refresh has been requested");
            if (z3 || (z5 && !z4)) {
                if (log.isTraceEnabled()) {
                    log.trace("Using existing credentials computation for {} because: {}", MirrorDescriptionUtils.describe(upstreamServer), z3 ? "it is still ongoing" : "the caller has stale credentials");
                }
                return pair;
            }
            boolean z6 = z2 || z4;
            if (log.isTraceEnabled()) {
                log.trace("Computing credentials for {} because: {}. {}", MirrorDescriptionUtils.describe(upstreamServer), z ? "this is the first computation for that upstream since the application started" : z2 ? "the caller has asked for a refresh of the credentials" : "the last computation resulted in an error");
            }
            return Pair.pair(Integer.valueOf(i + 1), credentialsProvider.get(i + 1, z6, upstreamServer));
        }).right();
    }

    private static Throwable detailsIfDebug(Throwable th) {
        if (log.isDebugEnabled()) {
            return th;
        }
        return null;
    }

    private <C> boolean isError(Promise<C> promise) {
        if (!promise.isDone()) {
            return false;
        }
        try {
            promise.claim();
            return false;
        } catch (Throwable th) {
            return true;
        }
    }

    private Promise<Path> createAndRegisterSshKeyFor(UpstreamServer upstreamServer) {
        Pair<Path, String> generateKeyPair = this.sshKeyStore.generateKeyPair(upstreamServer.getId(), getLabel());
        return this.upstreamClientFactory.createForServer(upstreamServer).uploadSshKey(generateKeyPair.right()).map(r3 -> {
            return (Path) generateKeyPair.left();
        }).done(path -> {
            log.info("The SSH key for this mirror was uploaded to {}", MirrorDescriptionUtils.describe(upstreamServer));
        }).fail(th -> {
            if (th instanceof MirrorKeyUploadFailedException) {
                log.error("Uploading the SSH key for {} failed. Upstream fetches will not proceed until this is corrected.", MirrorDescriptionUtils.describe(upstreamServer), detailsIfDebug(th));
            } else if (th instanceof MirrorKeyStorageException) {
                log.error("Storing the SSH key for {} failed. Upstream fetches will not proceed.", MirrorDescriptionUtils.describe(upstreamServer), detailsIfDebug(th));
            } else {
                log.error("An unexpected error was encountered while uploading and storing the SSH key for {}. Synchronization will not proceed.", MirrorDescriptionUtils.describe(upstreamServer), detailsIfDebug(th));
            }
        });
    }

    private boolean deleteSshKeyFor(@Nonnull UpstreamServer upstreamServer) {
        deleteUpstreamSshKeys(upstreamServer);
        return this.sshKeyStore.delete(upstreamServer.getId());
    }

    private void deleteUpstreamSshKeys(UpstreamServer upstreamServer) {
        try {
            this.upstreamClientFactory.createForServer(upstreamServer).deleteSshKeys();
        } catch (RuntimeException e) {
            log.info("Failed to delete SSH key with upstream {}: '{}'", upstreamServer.getBaseUrl(), e.getMessage(), detailsIfDebug(e));
        }
    }

    @Nonnull
    private Promise<DefaultCloudSyncCredentials> getCloudCredentials(int i, boolean z, UpstreamServer upstreamServer) {
        return this.upstreamClientFactory.createForCloud(upstreamServer).getAccessToken().map(oAuthAccessToken -> {
            return new DefaultCloudSyncCredentials(oAuthAccessToken, upstreamServer, i);
        });
    }

    private String getLabel() {
        URI baseUrl = this.propertiesService.getBaseUrl();
        return baseUrl != null ? "mirror " + baseUrl.toASCIIString() : "mirror " + this.propertiesService.getDisplayName() + "(" + this.propertiesService.getServerId() + ")";
    }

    @Nonnull
    private Promise<DefaultServerSyncCredentials> getServerCredentials(int i, boolean z, UpstreamServer upstreamServer) {
        if (!z) {
            Optional<Path> privateKey = this.sshKeyStore.getPrivateKey(upstreamServer.getId());
            if (privateKey.isPresent()) {
                log.trace("{}: SSH key found at {}", MirrorDescriptionUtils.describe(upstreamServer), privateKey.get().toAbsolutePath());
                return Promises.promise(new DefaultServerSyncCredentials(privateKey.get(), upstreamServer, i));
            }
        }
        if (z) {
            deleteSshKeyFor(upstreamServer);
        }
        log.info("Generating and configuring an SSH key for {}", MirrorDescriptionUtils.describe(upstreamServer));
        return createAndRegisterSshKeyFor(upstreamServer).map(path -> {
            return new DefaultServerSyncCredentials(path, upstreamServer, i);
        });
    }

    private AoUpstreamServer getUpstreamOrFail(@Nonnull String str) {
        return (AoUpstreamServer) this.transactionTemplate.execute(() -> {
            AoUpstreamServer byId = this.upstreamServerDao.getById(str);
            if (byId == null) {
                throw new NoSuchUpstreamException(this.i18nService.createKeyedMessage("bitbucket.mirroring.no.such.upstream.server", str));
            }
            return byId;
        });
    }

    private IllegalArgumentException throwUpstreamUnsupported(@Nonnull UpstreamServer upstreamServer) {
        return new IllegalArgumentException("Upstream " + upstreamServer.getId() + " of type " + upstreamServer.getType() + " is not supported");
    }
}
