package org.springframework.cloud.config.server.encryption;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.cloud.context.encrypt.KeyFormatException;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.RsaKeyHolder;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping(path = {"${spring.cloud.config.server.prefix:}"})
@RestController
/* loaded from: input_file:org/springframework/cloud/config/server/encryption/EncryptionController.class */
public class EncryptionController {
    private static Log logger = LogFactory.getLog(EncryptionController.class);
    private volatile TextEncryptorLocator encryptorLocator;
    private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
    private String defaultApplicationName = "application";
    private String defaultProfile = "default";

    public EncryptionController(TextEncryptorLocator textEncryptorLocator) {
        this.encryptorLocator = textEncryptorLocator;
    }

    public void setDefaultApplicationName(String str) {
        this.defaultApplicationName = str;
    }

    public void setDefaultProfile(String str) {
        this.defaultProfile = str;
    }

    @GetMapping({"/key"})
    public String getPublicKey() {
        return getPublicKey(this.defaultApplicationName, this.defaultProfile);
    }

    @GetMapping({"/key/{name}/{profiles}"})
    public String getPublicKey(@PathVariable String str, @PathVariable String str2) {
        RsaKeyHolder encryptor = getEncryptor(str, str2, "");
        if (encryptor instanceof RsaKeyHolder) {
            return encryptor.getPublicKey();
        }
        throw new KeyNotAvailableException();
    }

    @GetMapping({"encrypt/status"})
    public Map<String, Object> status() {
        validateEncryptionWeakness(getEncryptor(this.defaultApplicationName, this.defaultProfile, ""));
        return Collections.singletonMap("status", "OK");
    }

    @PostMapping({"encrypt"})
    public String encrypt(@RequestBody String str, @RequestHeader("Content-Type") MediaType mediaType) {
        return encrypt(this.defaultApplicationName, this.defaultProfile, str, mediaType);
    }

    @PostMapping({"/encrypt/{name}/{profiles}"})
    public String encrypt(@PathVariable String str, @PathVariable String str2, @RequestBody String str3, @RequestHeader("Content-Type") MediaType mediaType) {
        String stripFormData = stripFormData(str3, mediaType, false);
        TextEncryptor encryptor = getEncryptor(str, str2, stripFormData);
        validateEncryptionWeakness(encryptor);
        String addPrefix = this.helper.addPrefix(this.helper.getEncryptorKeys(str, str2, stripFormData), encryptor.encrypt(this.helper.stripPrefix(stripFormData)));
        if (logger.isInfoEnabled()) {
            logger.info("Encrypted data");
        }
        return addPrefix;
    }

    @PostMapping({"decrypt"})
    public String decrypt(@RequestBody String str, @RequestHeader("Content-Type") MediaType mediaType) {
        return decrypt(this.defaultApplicationName, this.defaultProfile, str, mediaType);
    }

    @PostMapping({"/decrypt/{name}/{profiles}"})
    public String decrypt(@PathVariable String str, @PathVariable String str2, @RequestBody String str3, @RequestHeader("Content-Type") MediaType mediaType) {
        try {
            TextEncryptor encryptor = getEncryptor(str, str2, str3);
            checkDecryptionPossible(encryptor);
            validateEncryptionWeakness(encryptor);
            String decrypt = encryptor.decrypt(stripFormData(this.helper.stripPrefix(str3), mediaType, true));
            if (logger.isInfoEnabled()) {
                logger.info("Decrypted cipher data");
            }
            return decrypt;
        } catch (IllegalArgumentException | IllegalStateException e) {
            if (logger.isErrorEnabled()) {
                logger.error("Cannot decrypt key:" + str + ", value:" + str3 + ", Please verify if encrypt.key is set correctly", e);
            }
            throw new InvalidCipherException();
        }
    }

    private TextEncryptor getEncryptor(String str, String str2, String str3) {
        if (this.encryptorLocator == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Text encryptorLocator is null.");
            }
            throw new KeyNotInstalledException();
        }
        TextEncryptor locate = this.encryptorLocator.locate(this.helper.getEncryptorKeys(str, str2, str3));
        if (locate != null) {
            return locate;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("TextEncryptor is null.");
        }
        throw new KeyNotInstalledException();
    }

    private void validateEncryptionWeakness(TextEncryptor textEncryptor) {
        if (textEncryptor.encrypt("FOO").equals("FOO")) {
            throw new EncryptionTooWeakException();
        }
    }

    private void checkDecryptionPossible(TextEncryptor textEncryptor) {
        if ((textEncryptor instanceof RsaSecretEncryptor) && !((RsaSecretEncryptor) textEncryptor).canDecrypt()) {
            throw new DecryptionNotSupportedException();
        }
    }

    private String stripFormData(String str, MediaType mediaType, boolean z) {
        if (str.endsWith("=") && !mediaType.equals(MediaType.TEXT_PLAIN)) {
            try {
                str = URLDecoder.decode(str, "UTF-8");
                if (z) {
                    str = str.replace(" ", "+");
                }
            } catch (UnsupportedEncodingException e) {
            }
            String substring = str.substring(0, str.length() - 1);
            if (z) {
                if (str.endsWith("=") && str.length() / 2 != (str.length() + 1) / 2) {
                    try {
                        Hex.decode(substring);
                        return substring;
                    } catch (IllegalArgumentException e2) {
                        try {
                            Base64.getDecoder().decode(substring.getBytes());
                            return substring;
                        } catch (IllegalArgumentException e3) {
                        }
                    }
                }
                return str;
            }
            str = substring;
        }
        return str;
    }

    @ExceptionHandler({KeyFormatException.class})
    public ResponseEntity<Map<String, Object>> keyFormat() {
        HashMap hashMap = new HashMap();
        hashMap.put("status", "BAD_REQUEST");
        hashMap.put("description", "Key data not in correct format (PEM or jks keystore)");
        return new ResponseEntity<>(hashMap, HttpStatus.BAD_REQUEST);
    }

    @ExceptionHandler({KeyNotAvailableException.class})
    public ResponseEntity<Map<String, Object>> keyUnavailable() {
        HashMap hashMap = new HashMap();
        hashMap.put("status", "NOT_FOUND");
        hashMap.put("description", "No public key available");
        return new ResponseEntity<>(hashMap, HttpStatus.NOT_FOUND);
    }

    @ExceptionHandler({DecryptionNotSupportedException.class})
    public ResponseEntity<Map<String, Object>> decryptionDisabled() {
        HashMap hashMap = new HashMap();
        hashMap.put("status", "BAD_REQUEST");
        hashMap.put("description", "Server-side decryption is not supported");
        return new ResponseEntity<>(hashMap, HttpStatus.BAD_REQUEST);
    }

    @ExceptionHandler({KeyNotInstalledException.class})
    public ResponseEntity<Map<String, Object>> notInstalled() {
        HashMap hashMap = new HashMap();
        hashMap.put("status", "NO_KEY");
        hashMap.put("description", "No key was installed for encryption service");
        return new ResponseEntity<>(hashMap, HttpStatus.NOT_FOUND);
    }

    @ExceptionHandler({EncryptionTooWeakException.class})
    public ResponseEntity<Map<String, Object>> encryptionTooWeak() {
        HashMap hashMap = new HashMap();
        hashMap.put("status", "INVALID");
        hashMap.put("description", "The encryption algorithm is not strong enough");
        return new ResponseEntity<>(hashMap, HttpStatus.NOT_FOUND);
    }

    @ExceptionHandler({InvalidCipherException.class})
    public ResponseEntity<Map<String, Object>> invalidCipher() {
        HashMap hashMap = new HashMap();
        hashMap.put("status", "INVALID");
        hashMap.put("description", "Text not encrypted with this key");
        return new ResponseEntity<>(hashMap, HttpStatus.BAD_REQUEST);
    }
}
