package com.atlassian.bitbucket.internal.gpg.bc;

import com.atlassian.bitbucket.internal.gpg.GpgConstants;
import com.atlassian.bitbucket.internal.gpg.GpgSignatureVerifier;
import com.atlassian.bitbucket.internal.gpg.PublicKeySupplier;
import com.atlassian.bitbucket.internal.gpg.SignatureState;
import com.atlassian.bitbucket.scm.FeatureUnsupportedScmException;
import com.atlassian.bitbucket.scm.ScmExtendedCommandFactory;
import com.atlassian.bitbucket.scm.signed.InteractiveSignedObjectIdSource;
import com.atlassian.bitbucket.scm.signed.SignableObjectType;
import com.atlassian.bitbucket.scm.signed.SignedObjectCallback;
import com.atlassian.bitbucket.scm.signed.SignedObjectIdSource;
import com.atlassian.bitbucket.scm.signed.SignedObjectsContext;
import com.atlassian.bitbucket.scm.signed.SignedObjectsParameters;
import com.atlassian.bitbucket.scm.signed.SignedObjectsSummary;
import com.atlassian.bitbucket.scm.signed.StandardSignableObjectType;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.sun.jersey.client.impl.CopyOnWriteHashMap;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-gpg-6.0.0.jar:com/atlassian/bitbucket/internal/gpg/bc/DefaultGpgSignatureVerifier.class */
public class DefaultGpgSignatureVerifier implements GpgSignatureVerifier {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultGpgSignatureVerifier.class);
    private final ScmExtendedCommandFactory commandFactory;
    private final LoadingCache<Long, List<PGPPublicKey>> keysCache;
    private final PGPContentVerifierBuilderProvider verifierBuilderProvider;
    private Future<Void> future;
    private VerifyingSignedObjectCallback callback;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-gpg-6.0.0.jar:com/atlassian/bitbucket/internal/gpg/bc/DefaultGpgSignatureVerifier$ObjectVerificationTask.class */
    public class ObjectVerificationTask extends CompletableFuture<SignatureState> {
        private final SignableObjectType type;

        private ObjectVerificationTask(SignableObjectType signableObjectType) {
            this.type = signableObjectType;
        }

        void onMissing() {
            complete(SignatureState.CANNOT_BE_CHECKED);
        }

        void onSigned(@Nonnull SignableObjectType signableObjectType, @Nonnull String str, @Nonnull String str2) {
            if (this.type == StandardSignableObjectType.TAG && signableObjectType != this.type) {
                complete(SignatureState.SIGNATURE_NOT_FOUND);
                return;
            }
            Optional<PGPSignature> parseSignature = SignatureUtil.parseSignature(str.getBytes(StandardCharsets.UTF_8));
            if (!parseSignature.isPresent()) {
                complete(SignatureState.CANNOT_BE_CHECKED);
                return;
            }
            PGPSignature pGPSignature = parseSignature.get();
            List publicKeys = DefaultGpgSignatureVerifier.this.getPublicKeys(pGPSignature.getKeyID());
            if (publicKeys.isEmpty()) {
                complete(SignatureState.PUBLIC_KEY_NOT_FOUND);
                return;
            }
            SignatureState signatureState = SignatureState.CANNOT_BE_CHECKED;
            Iterator it = publicKeys.iterator();
            while (it.hasNext()) {
                signatureState = verifySignature(str2.getBytes(StandardCharsets.UTF_8), pGPSignature, (PGPPublicKey) it.next());
                if (signatureState == SignatureState.GOOD || signatureState == SignatureState.GOOD_BUT_UNKNOWN_VALIDITY || signatureState == SignatureState.GOOD_BUT_KEY_HAS_EXPIRED) {
                    complete(signatureState);
                    return;
                }
            }
            complete(signatureState);
        }

        void onUnsigned(SignableObjectType signableObjectType) {
            complete(SignatureState.SIGNATURE_NOT_FOUND);
        }

        private Date getExpireDate(PGPPublicKey pGPPublicKey) {
            long validSeconds = pGPPublicKey.getValidSeconds();
            if (validSeconds == 0) {
                return null;
            }
            return new Date(pGPPublicKey.getCreationTime().getTime() + (1000 * validSeconds));
        }

        private SignatureState verifySignature(byte[] bArr, PGPSignature pGPSignature, PGPPublicKey pGPPublicKey) {
            try {
                pGPSignature.init(DefaultGpgSignatureVerifier.this.verifierBuilderProvider, pGPPublicKey);
                pGPSignature.update(bArr);
                try {
                    if (!pGPSignature.verify()) {
                        return SignatureState.BAD;
                    }
                    if (pGPPublicKey.hasRevocation()) {
                        return SignatureState.GOOD_BUT_MADE_WITH_REVOKED_KEY;
                    }
                    Date expireDate = getExpireDate(pGPPublicKey);
                    return (expireDate == null || expireDate.getTime() >= System.currentTimeMillis()) ? SignatureState.GOOD : pGPSignature.getCreationTime().before(expireDate) ? SignatureState.GOOD_BUT_KEY_HAS_EXPIRED : SignatureState.GOOD_BUT_MADE_BY_EXPIRED_KEY;
                } catch (PGPException e) {
                    return SignatureState.CANNOT_BE_CHECKED;
                }
            } catch (PGPException e2) {
                return SignatureState.CANNOT_BE_CHECKED;
            }
        }
    }

    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-gpg-6.0.0.jar:com/atlassian/bitbucket/internal/gpg/bc/DefaultGpgSignatureVerifier$VerifyingSignedObjectCallback.class */
    private class VerifyingSignedObjectCallback implements SignedObjectCallback {
        private final Map<String, ObjectVerificationTask> tasks = new CopyOnWriteHashMap();
        private final InteractiveSignedObjectIdSource objectIdProvider = new InteractiveSignedObjectIdSource();

        VerifyingSignedObjectCallback() {
        }

        void complete() {
            this.objectIdProvider.complete();
        }

        SignedObjectIdSource getObjectIdSource() {
            return this.objectIdProvider;
        }

        SignatureState verify(@Nonnull SignableObjectType signableObjectType, @Nonnull String str) {
            ObjectVerificationTask objectVerificationTask = new ObjectVerificationTask(signableObjectType);
            this.tasks.put(str, objectVerificationTask);
            this.objectIdProvider.add(str);
            try {
                return objectVerificationTask.get(5L, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return SignatureState.CANNOT_BE_CHECKED;
            } catch (ExecutionException e2) {
                DefaultGpgSignatureVerifier.log.warn("Failed to retrieve signature details for {}", str, e2);
                return SignatureState.CANNOT_BE_CHECKED;
            } catch (TimeoutException e3) {
                DefaultGpgSignatureVerifier.log.warn("Timed out waiting for signature details for {}", str);
                return SignatureState.CANNOT_BE_CHECKED;
            }
        }

        @Override // com.atlassian.bitbucket.scm.signed.SignedObjectCallback
        public void onEnd(@Nonnull SignedObjectsSummary signedObjectsSummary) {
            if (this.tasks.isEmpty()) {
                return;
            }
            DefaultGpgSignatureVerifier.log.debug("Never got a response for the following requested objects: [{}]", StringUtils.join(this.tasks.keySet(), ", "));
        }

        @Override // com.atlassian.bitbucket.scm.signed.SignedObjectCallback
        public void onMissing(@Nonnull String str) {
            ObjectVerificationTask remove = this.tasks.remove(str);
            if (remove != null) {
                remove.onMissing();
            } else {
                DefaultGpgSignatureVerifier.log.warn("Ignoring unexpected signed object {}", str);
            }
        }

        @Override // com.atlassian.bitbucket.scm.signed.SignedObjectCallback
        public void onSigned(@Nonnull SignableObjectType signableObjectType, @Nonnull String str, @Nonnull String str2, @Nonnull String str3) {
            ObjectVerificationTask remove = this.tasks.remove(str);
            if (remove != null) {
                remove.onSigned(signableObjectType, str2, str3);
            } else {
                DefaultGpgSignatureVerifier.log.warn("Ignoring unexpected signed object {}", str);
            }
        }

        @Override // com.atlassian.bitbucket.scm.signed.SignedObjectCallback
        public void onStart(@Nonnull SignedObjectsContext signedObjectsContext) {
        }

        @Override // com.atlassian.bitbucket.scm.signed.SignedObjectCallback
        public void onUnsigned(SignableObjectType signableObjectType, @Nonnull String str) {
            ObjectVerificationTask remove = this.tasks.remove(str);
            if (remove != null) {
                remove.onUnsigned(signableObjectType);
            } else {
                DefaultGpgSignatureVerifier.log.warn("Ignoring unexpected signed object {}", str);
            }
        }
    }

    public DefaultGpgSignatureVerifier(ScmExtendedCommandFactory scmExtendedCommandFactory, ApplicationPropertiesService applicationPropertiesService, final PublicKeySupplier publicKeySupplier, PGPContentVerifierBuilderProvider pGPContentVerifierBuilderProvider) {
        this.commandFactory = scmExtendedCommandFactory;
        this.verifierBuilderProvider = pGPContentVerifierBuilderProvider;
        this.keysCache = CacheBuilder.newBuilder().maximumSize(applicationPropertiesService.getPluginProperty(GpgConstants.PROP_KEY_CACHE_SIZE, 250)).build(new CacheLoader<Long, List<PGPPublicKey>>() { // from class: com.atlassian.bitbucket.internal.gpg.bc.DefaultGpgSignatureVerifier.1
            @Override // com.google.common.cache.CacheLoader
            public List<PGPPublicKey> load(@Nonnull Long l) throws Exception {
                return publicKeySupplier.getPublicKey(l.longValue());
            }
        });
    }

    @Override // com.atlassian.bitbucket.internal.gpg.GpgSignatureVerifier
    public void onEnd() {
        if (this.callback != null) {
            this.callback.complete();
            try {
                this.future.get(1L, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                this.future.cancel(true);
            } catch (ExecutionException e2) {
                log.warn("Process failed", (Throwable) e2);
            } catch (TimeoutException e3) {
                log.debug("signedObjects command did not finish; canceling");
                this.future.cancel(true);
            }
            this.callback = null;
        }
    }

    @Override // com.atlassian.bitbucket.internal.gpg.GpgSignatureVerifier
    public void onStart() {
        this.callback = new VerifyingSignedObjectCallback();
        try {
            this.future = this.commandFactory.signedObjects(new SignedObjectsParameters.Builder().objectIdSource(this.callback.getObjectIdSource()).build(), this.callback).asynchronous().start();
        } catch (FeatureUnsupportedScmException e) {
            this.callback = null;
        }
    }

    @Override // com.atlassian.bitbucket.internal.gpg.GpgSignatureVerifier
    @Nonnull
    public SignatureState verify(@Nonnull SignableObjectType signableObjectType, @Nonnull String str) {
        return this.callback.verify(signableObjectType, str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public List<PGPPublicKey> getPublicKeys(long j) {
        try {
            return this.keysCache.get(Long.valueOf(j));
        } catch (ExecutionException e) {
            log.warn("Could not load GPG keys for key {}", Long.toHexString(j), e);
            return Collections.emptyList();
        }
    }
}
