package com.atlassian.jira.plugins.webhooks.spi;

import com.atlassian.jira.plugins.webhooks.ao.CustomFields;
import com.atlassian.plugin.spring.scanner.annotation.export.ExportAsService;
import com.atlassian.webhooks.WebhookInvocation;
import com.atlassian.webhooks.WebhookRequestEnricher;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.annotation.Nonnull;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@ExportAsService
@Component
/* loaded from: input_file:com/atlassian/jira/plugins/webhooks/spi/JiraWebhookBodySigner.class */
public class JiraWebhookBodySigner implements WebhookRequestEnricher {
    private static final String HEADER_NAME = "X-Hub-Signature";
    private static final Logger LOG = LoggerFactory.getLogger(JiraWebhookBodySigner.class);
    private static final String ALGORITHM = "sha256";
    private static final String ALGORITHM_HMAC_NAME = "Hmac" + ALGORITHM.toUpperCase();
    private static final String ALGORITHM_DIGEST_PREFIX = ALGORITHM.toLowerCase() + "=";

    public void enrich(@Nonnull WebhookInvocation webhookInvocation) {
        String str = (String) webhookInvocation.getWebhook().getConfiguration().get(CustomFields.SECRET);
        if (StringUtils.isNotEmpty(str)) {
            signBody(webhookInvocation, str);
        } else if (str != null) {
            LOG.warn("Secret provided to webhook signature provider is an empty string and will be ignored for invocation [{}]", webhookInvocation.getId());
        }
    }

    public int getWeight() {
        return 1000;
    }

    private void signBody(@Nonnull WebhookInvocation webhookInvocation, String str) {
        byte[] body = webhookInvocation.getRequestBuilder().getBody();
        try {
            Mac mac = Mac.getInstance(ALGORITHM_HMAC_NAME);
            mac.init(new SecretKeySpec(str.getBytes(StandardCharsets.UTF_8), ALGORITHM_HMAC_NAME));
            webhookInvocation.getRequestBuilder().header(HEADER_NAME, ALGORITHM_DIGEST_PREFIX + Hex.encodeHexString(mac.doFinal(body)));
        } catch (InvalidKeyException e) {
            LOG.warn("Secret provided to webhook signature is invalid and will be ignored for invocation [{}]", webhookInvocation.getId());
        } catch (NoSuchAlgorithmException e2) {
            LOG.error("Unable to initialize the signing algorithm [{}]. Webhooks will not be signed", ALGORITHM);
        }
    }
}
