package com.atlassian.jira.upgrade.tasks;

import com.atlassian.annotations.VisibleForTesting;
import com.atlassian.beehive.ClusterLock;
import com.atlassian.beehive.ClusterLockService;
import com.atlassian.crowd.crypto.Algorithm;
import com.atlassian.crowd.crypto.DbConfigPasswordCipherEncryptor;
import com.atlassian.crowd.crypto.SaltingEncryptor;
import com.atlassian.crowd.embedded.api.Encryptor;
import com.atlassian.crowd.manager.property.EncryptionSettings;
import com.atlassian.db.config.password.DefaultCipherProvider;
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.properties.ApplicationPropertiesImpl;
import com.atlassian.jira.config.util.FileStores;
import com.atlassian.jira.database.DbConnection;
import com.atlassian.jira.database.QueryDslAccessor;
import com.atlassian.jira.model.querydsl.QDirectoryAttribute;
import com.atlassian.jira.model.querydsl.QOSPropertyEntry;
import com.atlassian.jira.model.querydsl.QOSPropertyString;
import com.atlassian.upgrade.api.UpgradeContext;
import com.atlassian.upgrade.spi.UpgradeTask;
import com.querydsl.core.types.Path;
import com.querydsl.core.types.dsl.NumberPath;
import com.querydsl.core.types.dsl.StringPath;
import java.io.File;
import java.util.ConcurrentModificationException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.UnaryOperator;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/upgrade/tasks/UpgradeTask_Build814001.class */
public class UpgradeTask_Build814001 implements UpgradeTask {
    public static final String CROWD_ENCRYPTION_ENCRYPTOR_DEFAULT = "crowd.encryption.encryptor.default";
    public static final String CROWD_ENCRYPTION_ENCRYPTOR_KEY_PATH = "crowd.encryption.encryptor.AES.keyPath";
    private static final String ENCRYPTION_KEY = "AES";
    private static final String ENCRYPTION_ALGORITHM = "AES/CBC/PKCS5Padding";
    private static final String KEYS_DIRECTORY = "keys";
    private static final String ENCRYPTION_TYPE_PREFIX = "{AES_CBC_PKCS5Padding}";
    private static final String JIRA_MAIN_PROPERTIES_TYPE = "jira.properties";
    public static final int BUILD_NUMBER = 814001;
    private final QueryDslAccessor queryDslAccessor;
    private final ClusterLockService clusterLockService;
    private final String keysDirectory;

    @VisibleForTesting
    UpgradeTaskEncryptionSettings encryptionSettings;
    private static final Logger LOGGER = LoggerFactory.getLogger(UpgradeTask_Build814001.class);
    private static final String DEFAULT_ENCRYPTION_TYPE = Algorithm.AES.getKey();
    private static final List<String> PASSWORD_ATTRIBUTES = List.of("ldap.password", "application.password", "AZURE_AD_WEBAPP_CLIENT_SECRET", "crowd.server.http.proxy.password");

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/atlassian/jira/upgrade/tasks/UpgradeTask_Build814001$UpgradeTaskEncryptionSettings.class */
    public static class UpgradeTaskEncryptionSettings implements EncryptionSettings {
        Map<String, String> encryptionKeys = new HashMap();
        final String encryptionKey;
        final String keysDirectory;

        UpgradeTaskEncryptionSettings(String str, String str2) {
            this.encryptionKey = str;
            this.keysDirectory = str2;
        }

        public Optional<String> getDefaultEncryptor() {
            return Optional.ofNullable(this.encryptionKey);
        }

        public void setDefaultEncryptor(String str) {
        }

        public void setEncryptionKeyPath(String str, String str2) {
            this.encryptionKeys.put(str, str2);
        }

        public Optional<String> getEncryptionKeyPath(String str) {
            return Optional.ofNullable(this.encryptionKeys.get(str));
        }

        public String getKeyFilesDirectoryPath() {
            return this.keysDirectory;
        }
    }

    public UpgradeTask_Build814001(QueryDslAccessor queryDslAccessor, ClusterLockService clusterLockService, FileStores fileStores) {
        this.queryDslAccessor = queryDslAccessor;
        this.clusterLockService = clusterLockService;
        this.keysDirectory = fileStores.getHomeFilesystemPath().path(new String[]{KEYS_DIRECTORY}).asJavaPath().toString();
        this.encryptionSettings = new UpgradeTaskEncryptionSettings(ENCRYPTION_KEY, this.keysDirectory);
    }

    public int getBuildNumber() {
        return BUILD_NUMBER;
    }

    @Nonnull
    public String getShortDescription() {
        return "Encrypt AD/LDAP servers passwords.";
    }

    public void runUpgrade(UpgradeContext upgradeContext) {
        ClusterLock lockForName = this.clusterLockService.getLockForName(UpgradeTask_Build814001.class.getName());
        if (!lockForName.tryLock()) {
            LOGGER.warn(String.format("Unable to acquire %s lock. Failing the upgrade task.", UpgradeTask_Build814001.class.getName()));
            throw new ConcurrentModificationException(String.format("%d upgrade task has failed. Unable to acquire %s lock", Integer.valueOf(BUILD_NUMBER), lockForName));
        }
        try {
            if (isEncryptionAlreadyConfigured().booleanValue()) {
                LOGGER.info("Encryption already enabled. Skipping upgrade task");
            } else {
                encryptPasswordsAndSaveConfiguration();
            }
        } finally {
            lockForName.unlock();
        }
    }

    private Boolean isEncryptionAlreadyConfigured() {
        return (Boolean) this.queryDslAccessor.executeQuery(dbConnection -> {
            return Boolean.valueOf(dbConnection.newSqlQuery().select(QOSPropertyEntry.O_S_PROPERTY_ENTRY.id).from(QOSPropertyEntry.O_S_PROPERTY_ENTRY).join(QOSPropertyString.O_S_PROPERTY_STRING).on(QOSPropertyString.O_S_PROPERTY_STRING.id.eq(QOSPropertyEntry.O_S_PROPERTY_ENTRY.id)).where(QOSPropertyEntry.O_S_PROPERTY_ENTRY.entityName.eq("jira.properties").and(QOSPropertyEntry.O_S_PROPERTY_ENTRY.propertyKey.eq("crowd.encryption.encryptor.default")).and(QOSPropertyString.O_S_PROPERTY_STRING.value.isNotNull())).fetchCount() > 0);
        });
    }

    private void encryptPasswordsAndSaveConfiguration() {
        LOGGER.info("Enabling encryption");
        createKeysDirectory(this.keysDirectory);
        Encryptor andPrepareEncryptor = getAndPrepareEncryptor(this.encryptionSettings);
        UnaryOperator unaryOperator = str -> {
            return "{AES_CBC_PKCS5Padding}" + andPrepareEncryptor.encrypt(str);
        };
        this.queryDslAccessor.execute(dbConnection -> {
            encryptPasswords(unaryOperator, dbConnection);
            createApplicationProperty(dbConnection, "crowd.encryption.encryptor.default", DEFAULT_ENCRYPTION_TYPE);
            createApplicationProperty(dbConnection, CROWD_ENCRYPTION_ENCRYPTOR_KEY_PATH, this.encryptionSettings.getEncryptionKeyPath(ENCRYPTION_KEY).get());
        });
        ComponentAccessor.getComponentSafely(ApplicationPropertiesImpl.class).ifPresent((v0) -> {
            v0.refresh();
        });
    }

    private void createKeysDirectory(String str) {
        File file = new File(str);
        if (!file.exists() && !file.mkdirs()) {
            throw new RuntimeException("Migration failed. Could not create directory for encryption keys.");
        }
    }

    @Nonnull
    private Encryptor getAndPrepareEncryptor(EncryptionSettings encryptionSettings) {
        SaltingEncryptor saltingEncryptor = new SaltingEncryptor(new DbConfigPasswordCipherEncryptor(ENCRYPTION_ALGORITHM, ENCRYPTION_KEY, encryptionSettings, new DefaultCipherProvider()));
        saltingEncryptor.changeEncryptionKey();
        return saltingEncryptor;
    }

    private void encryptPasswords(UnaryOperator<String> unaryOperator, DbConnection dbConnection) {
        dbConnection.newSqlQuery().select(QDirectoryAttribute.DIRECTORY_ATTRIBUTE).from(QDirectoryAttribute.DIRECTORY_ATTRIBUTE).where(QDirectoryAttribute.DIRECTORY_ATTRIBUTE.name.in(PASSWORD_ATTRIBUTES)).fetch().forEach(directoryAttributeDTO -> {
            if (directoryAttributeDTO.getValue() == null || !isNotAlreadyEncrypted(directoryAttributeDTO.getValue())) {
                return;
            }
            dbConnection.update(QDirectoryAttribute.DIRECTORY_ATTRIBUTE).set(QDirectoryAttribute.DIRECTORY_ATTRIBUTE.value, (String) unaryOperator.apply(directoryAttributeDTO.getValue())).where(QDirectoryAttribute.DIRECTORY_ATTRIBUTE.directoryId.eq(directoryAttributeDTO.getDirectoryId()).and(QDirectoryAttribute.DIRECTORY_ATTRIBUTE.name.eq(directoryAttributeDTO.getName()))).execute();
        });
    }

    private boolean isNotAlreadyEncrypted(String str) {
        return !str.startsWith(ENCRYPTION_TYPE_PREFIX);
    }

    private void createApplicationProperty(DbConnection dbConnection, String str, String str2) {
        Long l = (Long) dbConnection.newSqlQuery().select(QOSPropertyEntry.O_S_PROPERTY_ENTRY.id).from(QOSPropertyEntry.O_S_PROPERTY_ENTRY).join(QOSPropertyString.O_S_PROPERTY_STRING).on(QOSPropertyString.O_S_PROPERTY_STRING.id.eq(QOSPropertyEntry.O_S_PROPERTY_ENTRY.id)).where(QOSPropertyEntry.O_S_PROPERTY_ENTRY.entityName.eq("jira.properties").and(QOSPropertyEntry.O_S_PROPERTY_ENTRY.propertyKey.eq(str))).fetchFirst();
        if (l == null) {
            l = dbConnection.insert(QOSPropertyEntry.O_S_PROPERTY_ENTRY).set((Path<StringPath>) QOSPropertyEntry.O_S_PROPERTY_ENTRY.entityName, (StringPath) "jira.properties").set((Path<NumberPath<Long>>) QOSPropertyEntry.O_S_PROPERTY_ENTRY.entityId, (NumberPath<Long>) 1L).set((Path<StringPath>) QOSPropertyEntry.O_S_PROPERTY_ENTRY.propertyKey, (StringPath) str).set((Path<NumberPath<Integer>>) QOSPropertyEntry.O_S_PROPERTY_ENTRY.type, (NumberPath<Integer>) 5).executeWithId();
        }
        if (dbConnection.update(QOSPropertyString.O_S_PROPERTY_STRING).set(QOSPropertyString.O_S_PROPERTY_STRING.value, str2).where(QOSPropertyString.O_S_PROPERTY_STRING.id.eq(l)).execute() == 0) {
            dbConnection.insert(QOSPropertyString.O_S_PROPERTY_STRING).set((Path<StringPath>) QOSPropertyString.O_S_PROPERTY_STRING.value, (StringPath) str2).set((Path<NumberPath<Long>>) QOSPropertyString.O_S_PROPERTY_STRING.id, (NumberPath<Long>) l).execute();
        }
    }
}
