package org.wildfly.extension.elytron.expression;

import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.jboss.as.controller.ExpressionResolver;
import org.jboss.as.controller.ExpressionResolverExtension;
import org.jboss.as.controller.OperationClientException;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.capability.CapabilityServiceSupport;
import org.wildfly.common.Assert;
import org.wildfly.common.function.ExceptionBiConsumer;
import org.wildfly.common.function.ExceptionFunction;
import org.wildfly.extension.elytron.ElytronDescriptionConstants;
import org.wildfly.extension.elytron._private.ElytronSubsystemMessages;
import org.wildfly.security.credential.SecretKeyCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.encryption.CipherUtil;

/* loaded from: input_file:org/wildfly/extension/elytron/expression/ElytronExpressionResolver.class */
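/**
 * Resolves and creates encrypted expressions of the form {@code ${prefix::resolver:token}} or
 * {@code ${prefix::token}}.
 *
 * <p>The token is encrypted and decrypted with a {@link SecretKeyCredential} that is looked up by
 * alias in a credential store. Which store and alias to use is taken from the named
 * {@link ResolverConfiguration}; an expression without a resolver name falls back to the default
 * resolver.
 *
 * <p>Configuration is applied lazily by the configurator passed to the constructor, the first time
 * an operation needs this resolver (see {@link #ensureInitialised(String, OperationContext)}).
 */
public class ElytronExpressionResolver implements ExpressionResolverExtension {
    private static final String CREDENTIAL_STORE_API_CAPABILITY = "org.wildfly.security.credential-store-api";

    /** Expression the current thread is initialising this resolver for; used to detect cycles. */
    private final ThreadLocal<String> initialisingFor = new ThreadLocal<>();
    /** Callback that applies prefix, default resolver and resolver configurations to this instance. */
    private final ExceptionBiConsumer<ElytronExpressionResolver, OperationContext, OperationFailedException> configurator;

    private volatile boolean initialised = false;
    /** Failure raised by the configurator on a previous attempt; once set, initialisation is not retried. */
    private volatile OperationFailedException firstFailure = null;
    private volatile String prefix;
    /** {@link #prefix} followed by {@code "::"}. */
    private volatile String completePrefix;
    private volatile String defaultResolver;
    private volatile Map<String, ResolverConfiguration> resolverConfigurations;

    /* loaded from: input_file:org/wildfly/extension/elytron/expression/ElytronExpressionResolver$ResolverConfiguration.class */
    /** Names the credential store and the alias of the secret key that one resolver uses. */
    public static class ResolverConfiguration {
        private final String credentialStore;
        private final String alias;

        /**
         * @param credentialStore name of the credential store, must not be {@code null}
         * @param alias alias of the secret key inside that store, must not be {@code null}
         */
        public ResolverConfiguration(String credentialStore, String alias) {
            this.credentialStore = Assert.checkNotNullParam("credentialStore", credentialStore);
            this.alias = Assert.checkNotNullParam(ElytronDescriptionConstants.ALIAS, alias);
        }

        public String getCredentialStore() {
            return this.credentialStore;
        }

        public String getAlias() {
            return this.alias;
        }
    }

    /**
     * @param configurator callback invoked once, under the instance lock, to configure this resolver
     */
    public ElytronExpressionResolver(ExceptionBiConsumer<ElytronExpressionResolver, OperationContext, OperationFailedException> configurator) {
        this.configurator = configurator;
    }

    /**
     * Runs the configurator if it has not run yet.
     *
     * @param operationContext the current management operation
     * @throws OperationFailedException if configuration fails now or failed on an earlier attempt
     */
    public void initialize(OperationContext operationContext) throws OperationFailedException {
        ensureInitialised(null, operationContext);
    }

    /**
     * Decrypts an expression in the context of a management operation.
     *
     * @param expression the complete expression, including the leading {@code ${} and trailing {@code }}
     * @param operationContext the current management operation
     * @return the decrypted value, or {@code null} when the expression does not carry this resolver's prefix
     */
    public String resolveExpression(String expression, OperationContext operationContext) {
        Assert.checkNotNullParam(ElytronDescriptionConstants.EXPRESSION, expression);
        Assert.checkNotNullParam("context", operationContext);
        return resolveExpressionInternal(expression, operationContext, null);
    }

    /**
     * Decrypts an expression for a deployment, where no {@link OperationContext} is available.
     *
     * <p>Initialisation cannot be triggered from here: if the resolver has not been initialised by a
     * management operation first, {@link #ensureInitialised(String, OperationContext)} rejects the call.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public String resolveDeploymentExpression(String expression, CapabilityServiceSupport capabilityServiceSupport) {
        return resolveExpressionInternal(expression, null, capabilityServiceSupport);
    }

    /**
     * Shared decryption path. Exactly one of {@code operationContext} and
     * {@code capabilityServiceSupport} is expected to be non-null.
     *
     * @return the decrypted value, or {@code null} when the expression is too short or does not start
     *         with the configured prefix
     * @throws IllegalStateException wrapping any {@link OperationFailedException} raised on the way
     */
    private String resolveExpressionInternal(String fullExpression, OperationContext operationContext, CapabilityServiceSupport capabilityServiceSupport) {
        assert operationContext == null || capabilityServiceSupport == null;
        assert operationContext != null || capabilityServiceSupport != null;

        if (fullExpression.length() <= 3) {
            return null;
        }
        // Drop the two leading characters and the final one, i.e. the "${" and "}" wrapper.
        String expression = fullExpression.substring(2, fullExpression.length() - 1);
        try {
            ensureInitialised(fullExpression, operationContext);
            String expectedPrefix = this.completePrefix;
            if (!expression.startsWith(expectedPrefix)) {
                return null;
            }
            // A ':' after the prefix separates an explicit resolver name from the token.
            int delimiter = expression.indexOf(':', expectedPrefix.length());
            String resolverName = delimiter > 0 ? expression.substring(expectedPrefix.length(), delimiter) : this.defaultResolver;
            if (resolverName == null) {
                throw ElytronSubsystemMessages.ROOT_LOGGER.expressionResolutionWithoutResolver(fullExpression);
            }
            ResolverConfiguration resolverConfiguration = this.resolverConfigurations.get(resolverName);
            if (resolverConfiguration == null) {
                throw ElytronSubsystemMessages.ROOT_LOGGER.invalidResolver(fullExpression);
            }
            // Only the still-encrypted expression, the store name and the alias are traced;
            // neither the key nor the decrypted value is logged.
            ElytronSubsystemMessages.ROOT_LOGGER.tracef("Attempting to decrypt expression '%s' using credential store '%s' and alias '%s'.", fullExpression, resolverConfiguration.getCredentialStore(), resolverConfiguration.getAlias());
            String token = expression.substring(expression.lastIndexOf(':') + 1);
            try {
                SecretKeyCredential credential = resolveCredentialStore(resolverConfiguration.getCredentialStore(), operationContext, capabilityServiceSupport).retrieve(resolverConfiguration.getAlias(), SecretKeyCredential.class);
                if (credential == null) {
                    // createExpression() performs the same check; without it a missing alias
                    // surfaces as a bare NullPointerException instead of a diagnosable error.
                    throw ElytronSubsystemMessages.ROOT_LOGGER.credentialDoesNotExist(resolverConfiguration.getAlias(), SecretKeyCredential.class.getSimpleName());
                }
                try {
                    return CipherUtil.decrypt(token, credential.getSecretKey());
                } catch (GeneralSecurityException e) {
                    throw ElytronSubsystemMessages.ROOT_LOGGER.unableToDecryptExpression(fullExpression, e);
                }
            } catch (CredentialStoreException e) {
                // Store access failures are reported separately from decryption failures,
                // mirroring createExpression().
                throw ElytronSubsystemMessages.ROOT_LOGGER.unableToLoadCredential(e);
            }
        } catch (OperationFailedException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Encrypts a clear text value and wraps it in an expression this resolver can later decrypt.
     *
     * @param resolver name of the resolver to use, or {@code null} for the default resolver
     * @param clearText the value to encrypt
     * @param operationContext the current management operation
     * @return {@code ${prefix::token}} when {@code resolver} is {@code null}, otherwise
     *         {@code ${prefix::resolver:token}}
     * @throws OperationFailedException if initialisation fails or the credential cannot be loaded
     */
    public String createExpression(String resolver, String clearText, OperationContext operationContext) throws OperationFailedException {
        ensureInitialised(null, operationContext);
        String resolverName = resolver != null ? resolver : this.defaultResolver;
        if (resolverName == null) {
            throw ElytronSubsystemMessages.ROOT_LOGGER.noResolverSpecifiedAndNoDefault();
        }
        ResolverConfiguration resolverConfiguration = this.resolverConfigurations.get(resolverName);
        if (resolverConfiguration == null) {
            throw ElytronSubsystemMessages.ROOT_LOGGER.noResolverWithSpecifiedName(resolverName);
        }
        try {
            SecretKeyCredential credential = resolveCredentialStore(resolverConfiguration.getCredentialStore(), operationContext, null).retrieve(resolverConfiguration.getAlias(), SecretKeyCredential.class);
            if (credential == null) {
                throw ElytronSubsystemMessages.ROOT_LOGGER.credentialDoesNotExist(resolverConfiguration.getAlias(), SecretKeyCredential.class.getSimpleName());
            }
            try {
                String token = CipherUtil.encrypt(clearText, credential.getSecretKey());
                if (resolver == null) {
                    return String.format("${%s::%s}", this.prefix, token);
                }
                return String.format("${%s::%s:%s}", this.prefix, resolverName, token);
            } catch (GeneralSecurityException e) {
                throw ElytronSubsystemMessages.ROOT_LOGGER.unableToEncryptClearText(e);
            }
        } catch (CredentialStoreException e) {
            throw new OperationFailedException(ElytronSubsystemMessages.ROOT_LOGGER.unableToLoadCredential(e));
        }
    }

    /** Sets the expression prefix and derives the {@code prefix + "::"} form used for matching. */
    public ElytronExpressionResolver setPrefix(String prefix) {
        this.prefix = prefix;
        this.completePrefix = prefix + "::";
        return this;
    }

    /** Sets the resolver used for expressions that do not name one; may be {@code null}. */
    public ElytronExpressionResolver setDefaultResolver(String defaultResolver) {
        this.defaultResolver = defaultResolver;
        return this;
    }

    /**
     * Sets the resolver name to configuration mapping.
     *
     * <p>The map is copied before it is wrapped: an unmodifiable view alone would still reflect
     * later changes made through the caller's reference, and this mapping decides which store and
     * key are used for decryption.
     */
    public ElytronExpressionResolver setResolverConfigurations(Map<String, ResolverConfiguration> resolverConfigurations) {
        this.resolverConfigurations = Collections.unmodifiableMap(new HashMap<>(resolverConfigurations));
        return this;
    }

    /**
     * Runs the configurator exactly once, using a volatile flag re-checked under the instance lock.
     *
     * @param initialisingFor the expression that triggered initialisation, or {@code null} when it was
     *        not triggered by resolving an expression
     * @param operationContext the current management operation; {@code null} is rejected when
     *        initialisation is still required
     * @throws OperationFailedException if the configurator fails; the failure is remembered and
     *         reported again on every later call
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void ensureInitialised(String initialisingFor, OperationContext operationContext) throws OperationFailedException {
        if (this.initialised) {
            return;
        }
        if (this.firstFailure != null) {
            throw ElytronSubsystemMessages.ROOT_LOGGER.expressionResolverInitialisationAlreadyFailed(this.firstFailure);
        }
        if (initialisingFor != null) {
            // A value already recorded for this thread means the configurator itself tried to
            // resolve an expression through this resolver.
            String existing = this.initialisingFor.get();
            if (existing != null) {
                // Report both participants; the decompiled listing passed the existing one twice.
                throw ElytronSubsystemMessages.ROOT_LOGGER.cycleDetectedInitialisingExpressionResolver(existing, initialisingFor);
            }
        }
        synchronized (this) {
            if (!this.initialised) {
                this.initialisingFor.set(initialisingFor);
                try {
                    if (operationContext == null) {
                        throw ElytronSubsystemMessages.ROOT_LOGGER.illegalNonManagementInitialization(getClass());
                    }
                    this.configurator.accept(this, operationContext);
                    this.initialised = true;
                } catch (OperationFailedException e) {
                    this.firstFailure = e;
                    throw e;
                } finally {
                    // Always clear the marker so a failed attempt cannot be mistaken for a cycle.
                    this.initialisingFor.set(null);
                }
            }
        }
    }

    /**
     * Looks up the credential store behind the runtime API of the credential-store capability.
     *
     * @param credentialStoreName dynamic name of the credential store capability
     * @param operationContext the current management operation, or {@code null} for deployments
     * @param capabilityServiceSupport used for the lookup when {@code operationContext} is {@code null}
     * @return the credential store returned by the capability's runtime API
     */
    @SuppressWarnings("unchecked") // the capability API is registered as a raw ExceptionFunction
    private CredentialStore resolveCredentialStore(String credentialStoreName, OperationContext operationContext, CapabilityServiceSupport capabilityServiceSupport) {
        try {
            ExceptionFunction<OperationContext, CredentialStore, OperationFailedException> credentialStoreApi;
            if (operationContext != null) {
                try {
                    credentialStoreApi = operationContext.getCapabilityRuntimeAPI(CREDENTIAL_STORE_API_CAPABILITY, credentialStoreName, ExceptionFunction.class);
                } catch (IllegalStateException e) {
                    if (operationContext.getCurrentStage() == OperationContext.Stage.MODEL) {
                        throw ElytronSubsystemMessages.ROOT_LOGGER.modelStageResolutionNotSupported(e);
                    }
                    throw e;
                }
            } else {
                Assert.checkNotNullParam("serviceSupport", capabilityServiceSupport);
                credentialStoreApi = capabilityServiceSupport.getCapabilityRuntimeAPI(CREDENTIAL_STORE_API_CAPABILITY, credentialStoreName, ExceptionFunction.class);
            }
            return credentialStoreApi.apply(operationContext);
        } catch (ExpressionResolver.ExpressionResolutionServerException | ExpressionResolver.ExpressionResolutionUserException e) {
            // Already a resolution error: pass it through unchanged. This clause has to come
            // before the RuntimeException clause below, which would otherwise re-wrap it
            // (both types are presumably unchecked, as this method declares no throws clause).
            throw e;
        } catch (OperationFailedException | CapabilityServiceSupport.NoSuchCapabilityException | RuntimeException e) {
            if (e instanceof OperationClientException) {
                throw ElytronSubsystemMessages.ROOT_LOGGER.unableToInitializeCredentialStore(credentialStoreName, e.getLocalizedMessage(), e);
            }
            throw ElytronSubsystemMessages.ROOT_LOGGER.unableToResolveCredentialStore(credentialStoreName, e.getLocalizedMessage(), e);
        }
    }
}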
