package com.atlassian.jira.security.secrets;

import com.atlassian.jira.cluster.ClusterNodeProperties;
import com.atlassian.jira.config.properties.ApplicationProperties;
import com.atlassian.jira.config.util.JiraHome;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.secrets.api.SecretDao;
import com.atlassian.secrets.api.SecretService;
import com.atlassian.secrets.api.SecretServiceException;
import com.atlassian.secrets.service.SecretServiceFactory;
import com.atlassian.secrets.service.SecretServiceParams;
import com.google.common.base.Strings;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/security/secrets/DefaultInternalJiraSecretsStorage.class */
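/**
 * {@link InternalJiraSecretsStorage} implementation that delegates to a {@link SecretService}
 * obtained from {@link SecretServiceFactory}.
 *
 * <p>The service is configured in the constructor, either from an explicit secrets config file
 * named by the {@value #SECRETS_CONFIG_FILE_APP_PROPERTY} application property, or from the Jira
 * home directory when that property is not set.
 *
 * <p>Of the operations here, only {@link #delete(String)} performs a permission check.
 * NOTE(review): {@link #put(String, String)} and {@link #get(String)} carry no check in this
 * class, so access control for them presumably sits with callers. Confirm.
 */
public class DefaultInternalJiraSecretsStorage implements InternalJiraSecretsStorage {
    /** Application property holding the path of an optional secrets config file. */
    public static final String SECRETS_CONFIG_FILE_APP_PROPERTY = "jira.secret.config.file";
    /** Application property holding the name of the current {@link SecretMigrationState}. */
    public static final String JIRA_SECRET_STORAGE_MIGRATION_STATE = "jira.secret.storage.migration.state";
    private static final Logger log = LoggerFactory.getLogger(DefaultInternalJiraSecretsStorage.class);
    private final ApplicationProperties applicationProperties;
    private final ClusterNodeProperties clusterNodeProperties;
    private final SecretDao jiraSecretDao;
    private final GlobalPermissionManager globalPermissionManager;
    private final JiraAuthenticationContext authenticationContext;
    private final SecretService secretService;

    /**
     * Wires the collaborators and builds the underlying {@link SecretService}.
     *
     * <p>When {@value #SECRETS_CONFIG_FILE_APP_PROPERTY} is set, the path is made absolute,
     * normalized, validated against the shared home directory, and that same normalized path is
     * handed to the secret service. Otherwise the Jira home directory is used.
     *
     * @throws IllegalArgumentException if a configured config file path does not lie under the
     *     shared home directory
     */
    public DefaultInternalJiraSecretsStorage(ApplicationProperties applicationProperties, ClusterNodeProperties clusterNodeProperties, JiraHome jiraHome, SecretDao secretDao, GlobalPermissionManager globalPermissionManager, JiraAuthenticationContext jiraAuthenticationContext) {
        this.applicationProperties = applicationProperties;
        this.clusterNodeProperties = clusterNodeProperties;
        this.globalPermissionManager = globalPermissionManager;
        this.authenticationContext = jiraAuthenticationContext;
        this.jiraSecretDao = secretDao;
        SecretServiceParams.SecretServiceParamsBuilder paramsBuilder = new SecretServiceParams.SecretServiceParamsBuilder().setSecretDao(secretDao);
        String configuredFile = applicationProperties.getString(SECRETS_CONFIG_FILE_APP_PROPERTY);
        if (configuredFile != null) {
            // Normalize once, then validate and use the very same Path. Validating a normalized
            // copy while passing on the raw path would let the two diverge when the raw path
            // contains ".." segments that traverse a symbolic link.
            Path configFile = Paths.get(configuredFile).toAbsolutePath().normalize();
            validateConfigFilePath(configFile);
            paramsBuilder.setSecretsConfigFile(configFile);
        } else {
            paramsBuilder.setHomeDirectory(jiraHome.getHome().toPath());
        }
        this.secretService = SecretServiceFactory.getSecretService(paramsBuilder.build());
    }

    /**
     * Stores {@code str2} under the identifier {@code str}.
     *
     * <p>A {@code null} value is ignored silently: nothing is written and any existing entry is
     * left untouched.
     *
     * @param str identifier of the secret
     * @param str2 secret value, or {@code null} to do nothing
     */
    @Override
    public void put(String str, String str2) {
        if (str2 == null) {
            return;
        }
        this.secretService.put(str, str2);
    }

    /**
     * Looks up the secret stored under {@code str}.
     *
     * <p>A {@link SecretServiceException} is reported only at DEBUG level and mapped to an empty
     * result, so callers cannot tell a failed unseal from an absent secret. Only the identifier
     * is logged, never the secret value.
     *
     * @param str identifier of the secret
     * @return the value returned by the secret service, or empty if the lookup failed
     */
    @Override
    public Optional<String> get(String str) {
        try {
            return this.secretService.get(str);
        } catch (SecretServiceException e) {
            // Parameterized form renders the same message as the original concatenation; the
            // trailing Throwable is still logged with its stack trace.
            log.debug("Error while unsealing secret {} : ", str, e);
            return Optional.empty();
        }
    }

    /**
     * Removes the secret stored under {@code str}.
     *
     * <p>The check is made against the user currently held by the authentication context.
     *
     * @param str identifier of the secret
     * @throws SecurityException if that user lacks the {@code SYSTEM_ADMIN} global permission
     */
    @Override
    public void delete(String str) {
        boolean isSystemAdmin = this.globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, this.authenticationContext.getLoggedInUser());
        if (!isSystemAdmin) {
            throw new SecurityException("Only system administrators can remove secrets");
        }
        this.secretService.delete(str);
    }

    /**
     * Reads the migration state from the {@value #JIRA_SECRET_STORAGE_MIGRATION_STATE} property.
     *
     * @return {@link SecretMigrationState#NOT_MIGRATED} when the property is null or empty,
     *     otherwise the constant named by the property
     * @throws IllegalArgumentException if the stored value names no {@link SecretMigrationState}
     *     constant (raised by {@code valueOf})
     */
    @Override
    public SecretMigrationState getMigrationState() {
        String storedState = this.applicationProperties.getString(JIRA_SECRET_STORAGE_MIGRATION_STATE);
        if (Strings.isNullOrEmpty(storedState)) {
            return SecretMigrationState.NOT_MIGRATED;
        }
        return SecretMigrationState.valueOf(storedState);
    }

    /**
     * Rejects a config file path that is not absolute or does not lie under the shared home.
     *
     * <p>The containment test is purely lexical: both sides are normalized, but symbolic links
     * are not resolved, so a link inside the shared home that points elsewhere still passes.
     *
     * @param path candidate config file path
     * @throws IllegalArgumentException if either condition fails
     */
    private void validateConfigFilePath(Path path) {
        if (!path.isAbsolute()) {
            throw new IllegalArgumentException("Config file path must be absolute");
        }
        // NOTE(review): if getSharedHome() can return null (for example on a node without a
        // shared home), Paths.get throws a NullPointerException here. Confirm.
        Path sharedHome = Paths.get(this.clusterNodeProperties.getSharedHome()).toAbsolutePath().normalize();
        if (!path.normalize().startsWith(sharedHome)) {
            throw new IllegalArgumentException("Config file must be located in the shared home directory.");
        }
    }
}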
