package com.appiancorp.connectedsystems.migration.http;

import com.appiancorp.common.config.FatalConfigurationException;
import com.appiancorp.common.crypto.KeyStoreConfig;
import com.appiancorp.connectedsystems.ConnectedSystem;
import com.appiancorp.core.API;
import com.appiancorp.core.crypto.Cryptographer;
import com.appiancorp.core.crypto.KeyAlias;
import com.appiancorp.core.data.Dictionary;
import com.appiancorp.core.expr.fn.ref.Devariant;
import com.appiancorp.core.expr.portable.Type;
import com.appiancorp.core.expr.portable.Value;
import com.appiancorp.integration.http.HttpParameterConstants;
import com.appiancorp.migration.Migration;
import com.appiancorp.suiteapi.common.exceptions.AppianException;
import com.appiancorp.suiteapi.common.exceptions.ErrorCode;
import com.appiancorp.suiteapi.content.Content;
import com.appiancorp.suiteapi.type.TypedValue;
import com.appiancorp.type.AppianTypeLong;
import com.google.common.base.Supplier;
import org.bouncycastle.crypto.InvalidCipherTextException;

/* loaded from: input_file:com/appiancorp/connectedsystems/migration/http/EncryptUnencryptedPrivateKeyForGsaConnectedSystem.class */
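/**
 * Migration that makes sure the {@code privateKey} entry of a "Google Service Account"
 * connected system is stored as {@code ENCRYPTED_TEXT}.
 *
 * <p>A stored value counts as already encrypted when it can be processed by either the
 * {@link KeyAlias#ENCRYPTED_TEXT_FIELD} or the {@link KeyAlias#INTERNAL_ENCRYPTION_KEY}
 * cryptographer (see {@link #isEncrypted}). Only values that neither cryptographer recognises
 * are encrypted, and always with the {@code INTERNAL_ENCRYPTION_KEY} cryptographer.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A value that decrypts under the older {@code ENCRYPTED_TEXT_FIELD} key is left as-is;
 *       this migration does not re-wrap it under {@code INTERNAL_ENCRYPTION_KEY}.</li>
 *   <li>The "is it encrypted?" decision is a trial decryption, not a format check, so the
 *       classification depends on which exception the cryptographer throws.</li>
 * </ul>
 */
public class EncryptUnencryptedPrivateKeyForGsaConnectedSystem implements Migration {
    public static final String MIGRATION_NAME = "EncryptUnencryptedPrivateKeyForGsaConnectedSystem";
    private static final String GSA_AUTH_TYPE = "Google Service Account";
    private static final String PRIVATE_KEY_FIELD = "privateKey";

    private final Supplier<KeyStoreConfig> keyStoreConfigSupplier;
    private final Cryptographer oldCryptographer;
    private final Cryptographer newCryptographer;

    /**
     * Resolves both cryptographers once, at construction time.
     *
     * @param supplier source of the key store configuration; queried twice, once per key alias
     */
    public EncryptUnencryptedPrivateKeyForGsaConnectedSystem(Supplier<KeyStoreConfig> supplier) {
        this.keyStoreConfigSupplier = supplier;
        this.oldCryptographer = supplier.get().getCryptographer(KeyAlias.ENCRYPTED_TEXT_FIELD);
        this.newCryptographer = supplier.get().getCryptographer(KeyAlias.INTERNAL_ENCRYPTION_KEY);
    }

    /**
     * Encrypts the service-account private key of the given connected system when needed.
     * Connected systems whose auth type is not "Google Service Account" are left untouched.
     *
     * @param content the object to migrate; must be a {@link ConnectedSystem}
     * @throws IllegalArgumentException if {@code content} is not a connected system, or a
     *     Google Service Account connected system has no auth details
     * @throws FatalConfigurationException if encrypting the private key fails
     */
    @Override // com.appiancorp.migration.Migration
    public void migrate(Content content) {
        if (!(content instanceof ConnectedSystem)) {
            throw new IllegalArgumentException("Object must be a connected system");
        }
        ConnectedSystem connectedSystem = (ConnectedSystem) content;
        Dictionary sharedConfig =
            (Dictionary) API.typedValueToValue(connectedSystem.getSharedConfigParameters()).getValue();
        if (!isGSA(sharedConfig.getValue(HttpParameterConstants.AUTH_TYPE_KEY))) {
            return;
        }
        Dictionary migrated = encryptSecretKey(sharedConfig, content.getUuid());
        connectedSystem.setSharedConfigParameters(toTypedValue(migrated));
    }

    /** Returns the fixed name of this migration, {@link #MIGRATION_NAME}. */
    @Override // com.appiancorp.migration.Migration
    public String getName() {
        return MIGRATION_NAME;
    }

    /** Wraps a core dictionary back into the {@link TypedValue} form the connected system stores. */
    private TypedValue toTypedValue(Dictionary dictionary) {
        return new TypedValue(AppianTypeLong.DICTIONARY, API.coreToJava(AppianTypeLong.DICTIONARY, dictionary));
    }

    /**
     * Tells whether the auth-type value names a Google Service Account.
     * A missing auth-type value is treated as "not GSA" instead of failing with a
     * NullPointerException part-way through the migration.
     */
    private boolean isGSA(Value value) {
        return value != null && GSA_AUTH_TYPE.equals(value.getValue());
    }

    /**
     * Returns the shared configuration with the private key stored as {@code ENCRYPTED_TEXT}.
     *
     * @param dictionary the connected system's shared configuration
     * @param str UUID of the connected system, used only to identify it in the error raised
     *     when encryption fails
     * @return {@code dictionary} unchanged when no private key is present, otherwise an updated
     *     dictionary whose auth details carry the (possibly newly encrypted) key
     */
    private Dictionary encryptSecretKey(Dictionary dictionary, String str) {
        Dictionary authDetails = (Dictionary) dictionary.getAtKey(HttpParameterConstants.AUTH_DETAILS_KEY);
        if (authDetails == null) {
            throw new IllegalArgumentException("Google Service Account Connected System must have non-null auth details");
        }
        Value storedKey = Devariant.devariant(authDetails.getValue(PRIVATE_KEY_FIELD));
        if (storedKey == null || storedKey.isNull()) {
            // Nothing to protect: no private key has been configured.
            return dictionary;
        }
        String currentKey = (String) storedKey.getValue();
        String protectedKey = currentKey;
        if (isNotEncrypted(currentKey)) {
            try {
                protectedKey = this.newCryptographer.encrypt(currentKey);
            } catch (Exception e) {
                // The error carries only the connected system UUID, never key material.
                // NOTE(review): the underlying exception is discarded; attach it as the cause if
                // these exception types offer a cause-taking constructor, so that a failed key
                // migration can be diagnosed.
                throw new FatalConfigurationException(
                    new AppianException(ErrorCode.CONNECTED_SYSTEM_FATAL_MIGRATION_ERROR, new Object[]{str}));
            }
        }
        // The value is tagged ENCRYPTED_TEXT in every case, including when it was classified as
        // already encrypted and therefore stored back unchanged.
        Dictionary updatedAuthDetails =
            authDetails.set(PRIVATE_KEY_FIELD, Type.ENCRYPTED_TEXT.valueOf(protectedKey));
        return dictionary.set(HttpParameterConstants.AUTH_DETAILS_KEY, Type.DICTIONARY.valueOf(updatedAuthDetails));
    }

    /** True when neither the old nor the new cryptographer recognises the value as ciphertext. */
    private boolean isNotEncrypted(String str) {
        return !isEncrypted(str, this.oldCryptographer) && !isEncrypted(str, this.newCryptographer);
    }

    /**
     * Classifies a value by trial decryption with the given cryptographer. The decrypted text
     * is discarded; only success or the kind of failure matters.
     *
     * @return {@code true} if decryption succeeds or fails with
     *     {@link InvalidCipherTextException}; {@code false} on any other failure
     */
    private boolean isEncrypted(String str, Cryptographer cryptographer) {
        try {
            cryptographer.decrypt(str);
            return true;
        } catch (InvalidCipherTextException e) {
            // The narrow handler must precede the broad one: listed after catch (Exception) it
            // is unreachable and javac rejects the class.
            // NOTE(review): this treats "the cipher rejected the text" as "already encrypted",
            // so such a value is stored back unchanged and still tagged ENCRYPTED_TEXT. Confirm
            // against the original source that a plaintext key can never take this path.
            return true;
        } catch (Exception e) {
            // Any other failure is taken to mean the value is plaintext.
            return false;
        }
    }
}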
