package org.simplify4u.plugins;

import io.vavr.control.Try;
import java.beans.ConstructorProperties;
import java.io.File;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;
import lombok.Generated;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.ArtifactUtils;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.simplify4u.plugins.ValidationChecksum;
import org.simplify4u.plugins.keysmap.KeysMap;
import org.simplify4u.plugins.keysmap.KeysMapLocationConfig;
import org.simplify4u.plugins.pgp.PublicKeyUtils;
import org.simplify4u.plugins.pgp.ReportsUtils;
import org.simplify4u.plugins.pgp.SignatureCheckResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

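/**
 * Maven goal {@code check}: verifies the PGP signature of every resolved artifact and fails the
 * build when at least one verification result is flagged as an error.
 *
 * <p>Trust decisions visible in this class:
 * <ul>
 *   <li>The injected {@link KeysMap} is the only source of trust. It decides which key may sign an
 *       artifact ({@code isValidKey}) and may also declare an artifact as expected to be unsigned
 *       ({@code isNoSignature}), to carry a broken signature ({@code isBrokenSignature}) or to have
 *       no key on the key server ({@code isKeyMissing}). Each of those entries turns a failed check
 *       into an accepted one, so they deserve the same review as a key pin.</li>
 *   <li>With an empty keys map the goal only warns: per the warning logged in {@link #setupMojo()},
 *       a valid signature made by any key is accepted, and unsigned artifacts are accepted by
 *       {@code verifySignatureUnavailable}.</li>
 *   <li>Statuses not handled explicitly are treated as errors (fail closed).</li>
 * </ul>
 */
@Mojo(name = CheckMojo.MOJO_NAME, requiresDependencyResolution = ResolutionScope.TEST, defaultPhase = LifecyclePhase.VALIDATE, threadSafe = true)
public class CheckMojo extends AbstractVerifyMojo<VerificationResult> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CheckMojo.class);

    /** Goal name used in the {@code @Mojo} annotation and returned by {@link #getMojoName()}. */
    public static final String MOJO_NAME = "check";

    /** Log pattern: artifact id, verdict, key description, user ids. */
    private static final String PGP_VERIFICATION_RESULT_FORMAT = "{} PGP Signature {}\n       {} UserIds: {}";

    @Inject
    private KeysMap keysMap;

    @Inject
    private ReportsUtils reportsUtils;

    /**
     * @deprecated superseded by keys map entries; see the warning logged in
     *     {@link #checkDeprecated()}.
     */
    @Parameter(property = "pgpverify.failNoSignature")
    @Deprecated
    private Boolean failNoSignature;

    /**
     * @deprecated superseded by keys map entries; see the warning logged in
     *     {@link #checkDeprecated()}.
     */
    @Parameter(property = "pgpverify.strictNoSignature")
    @Deprecated
    private Boolean strictNoSignature;

    // When true, a signature made with a weak hash algorithm fails the build; otherwise it is
    // only logged as a warning (see verifyWeakSignature).
    //
    // NOTE(review): the property prefix here is "pgpgverify", while every other parameter in this
    // class uses "pgpverify". As written, the user property pgpverify.failWeakSignature is not
    // bound to this field, so setting it leaves weak hash algorithms at warning level. The string
    // is left untouched because renaming it changes the user-facing property name; confirm the
    // intended name against the plugin documentation before changing it.
    @Parameter(property = "pgpgverify.failWeakSignature", defaultValue = "false")
    private boolean failWeakSignature;

    // Passed to ValidationChecksum.Builder#disabled in shouldProcess.
    @Parameter(property = "pgpverify.disableChecksum", defaultValue = "false")
    private boolean disableChecksum;

    // Locations of keys map files; each one is loaded into keysMap by setupMojo().
    @Parameter(property = "pgpverify.keysMapLocation", alias = "keysMapLocations")
    private List<KeysMapLocationConfig> keysMapLocation = new ArrayList<>();

    @Parameter(property = "pgpverify.reportFile", defaultValue = "${project.build.directory}/pgpverify-report.json")
    private File reportFile;

    @Parameter(property = "pgpverify.reportWrite", defaultValue = "false")
    private boolean reportWrite;

    /**
     * Outcome of verifying one artifact: the raw check result plus the decision whether it counts
     * as a build error after the keys map has been consulted.
     */
    public static class VerificationResult {
        // true when this artifact must fail the build
        boolean error;
        // result returned by signatureUtils.checkSignature for the artifact
        SignatureCheckResult result;

        /** Fluent builder for {@link VerificationResult}. */
        @Generated
        public static class VerificationResultBuilder {

            @Generated
            private boolean error;

            @Generated
            private SignatureCheckResult result;

            @Generated
            VerificationResultBuilder() {
            }

            /**
             * Sets the error flag.
             *
             * @param z whether the artifact counts as a verification error
             * @return this builder
             */
            @Generated
            public VerificationResultBuilder error(boolean z) {
                this.error = z;
                return this;
            }

            /**
             * Sets the underlying signature check result.
             *
             * @param signatureCheckResult result of the signature check
             * @return this builder
             */
            @Generated
            public VerificationResultBuilder result(SignatureCheckResult signatureCheckResult) {
                this.result = signatureCheckResult;
                return this;
            }

            /**
             * @return a new {@link VerificationResult} holding the values set so far
             */
            @Generated
            public VerificationResult build() {
                return new VerificationResult(this.error, this.result);
            }

            @Generated
            @Override
            public String toString() {
                return "CheckMojo.VerificationResult.VerificationResultBuilder(error=" + this.error + ", result=" + this.result + ")";
            }
        }

        @Generated
        @ConstructorProperties({"error", "result"})
        VerificationResult(boolean z, SignatureCheckResult signatureCheckResult) {
            this.error = z;
            this.result = signatureCheckResult;
        }

        /**
         * @return a fresh builder with {@code error == false} and {@code result == null}
         */
        @Generated
        public static VerificationResultBuilder builder() {
            return new VerificationResultBuilder();
        }
    }

    @Override // org.simplify4u.plugins.AbstractPGPMojo
    protected String getMojoName() {
        return MOJO_NAME;
    }

    /**
     * Warns about the deprecated {@code strictNoSignature} / {@code failNoSignature} options and,
     * for backward compatibility, loads the bundled {@code /any-valid-signatures.list} keys map
     * when {@code failNoSignature} is true and the keys map is still empty.
     *
     * @throws PGPMojoException if loading the compatibility keys map fails
     */
    @Override // org.simplify4u.plugins.AbstractPGPMojo
    public void checkDeprecated() {
        super.checkDeprecated();
        if (this.strictNoSignature != null) {
            LOGGER.warn("strictNoSignature is deprecated - this requirement can be expressed through the keysMap");
        }
        if (this.failNoSignature != null) {
            LOGGER.warn("failNoSignature is deprecated - this requirement can be expressed through the keysMap");
        }
        boolean legacyFailNoSignature = Boolean.TRUE.equals(this.failNoSignature);
        if (legacyFailNoSignature && this.keysMap.isEmpty()) {
            LOGGER.warn("failNoSignature is true and keysMap is empty we add `* = any` to keysMap for backward compatibility");
            KeysMapLocationConfig anyValidSignatures = new KeysMapLocationConfig();
            anyValidSignatures.set("/any-valid-signatures.list");
            Try.run(() -> this.keysMap.load(anyValidSignatures))
                    .getOrElseThrow(th -> new PGPMojoException(th.getMessage(), th));
        }
    }

    /**
     * Loads every configured keys map location and warns when no trust reference is available.
     *
     * @throws MojoFailureException propagated from the superclass setup
     * @throws PGPMojoException if a configured keys map location cannot be loaded
     */
    @Override // org.simplify4u.plugins.AbstractPGPMojo
    public void setupMojo() throws MojoFailureException {
        super.setupMojo();
        LOGGER.debug("keysMapLocation={}", this.keysMapLocation);
        // The loop body in this listing was empty, so configured keys maps were never read and the
        // goal silently ran in "accept any key" mode. Load each location the same way
        // checkDeprecated() loads the compatibility list, and fail the build if one cannot be read
        // rather than continuing without the pinned keys.
        for (KeysMapLocationConfig location : this.keysMapLocation) {
            Try.run(() -> this.keysMap.load(location))
                    .getOrElseThrow(th -> new PGPMojoException(th.getMessage(), th));
        }
        if (this.keysMap.isEmpty()) {
            LOGGER.warn("No keysmap specified in configuration or keysmap contains no entries. PGPVerify will only check artifacts against their signature. File corruption will be detected. However, without a keysmap as a reference for trust, valid signatures of any public key will be accepted.");
        }
    }

    /**
     * Runs the verification unless the checksum over the artifact collection matches the one saved
     * by a previous run.
     *
     * <p>When {@code checkValidation()} returns true the {@code runnable} is skipped entirely, so
     * no signature is checked in that run. The checksum is only saved after {@code runnable.run()}
     * returns normally.
     *
     * @param set artifacts that would be verified
     * @param runnable the actual verification work
     */
    @Override // org.simplify4u.plugins.AbstractVerifyMojo
    protected void shouldProcess(Set<Artifact> set, Runnable runnable) {
        // NOTE(review): the saved checksum is kept under the project build directory; how
        // ValidationChecksum computes and protects it is not visible here. Anything able to write
        // to that directory is presumably able to influence this short-circuit - confirm, and
        // consider pgpverify.disableChecksum on build agents that reuse workspaces.
        File buildDirectory = new File(this.session.getCurrentProject().getBuild().getDirectory());
        ValidationChecksum validationChecksum = new ValidationChecksum.Builder()
                .destination(buildDirectory)
                .artifacts(set)
                .disabled(this.disableChecksum)
                .build();
        if (validationChecksum.checkValidation()) {
            logInfoWithQuiet("Artifacts were already validated in a previous run. Execution finished early as the checksum for the collection of artifacts has not changed.");
            return;
        }
        runnable.run();
        validationChecksum.saveChecksum();
    }

    /**
     * Checks one artifact against its signature and maps the check status to an error flag.
     *
     * <p>A failed check is downgraded to "no error" only when the keys map explicitly expects that
     * failure for the artifact. A valid signature is an error unless the keys map allows the
     * signing key for the artifact. Any status without an explicit case is an error.
     *
     * @param artifact the artifact being verified
     * @param artifact2 second argument handed to {@code checkSignature}; presumably the signature
     *     artifact - confirm against {@code AbstractVerifyMojo}
     * @return the check result together with the error decision
     * @throws PGPMojoException if the artifact is not resolved, the check itself failed, or a weak
     *     hash algorithm is used while {@code failWeakSignature} is set
     */
    @Override // org.simplify4u.plugins.AbstractVerifyMojo
    public VerificationResult processArtifactSignature(Artifact artifact, Artifact artifact2) {
        SignatureCheckResult checkSignature = this.signatureUtils.checkSignature(artifact, artifact2, this.pgpKeysCache);
        VerificationResult.VerificationResultBuilder result = VerificationResult.builder().result(checkSignature);
        switch (checkSignature.getStatus()) {
            case ARTIFACT_NOT_RESOLVED:
                throw new PGPMojoException("Artifact not resolved: %s", artifact.getId());
            case ERROR:
                throw new PGPMojoException("Failed to process signature for artifact %s", artifact.getId(), checkSignature.getErrorCause());
            case SIGNATURE_ERROR:
                if (this.keysMap.isBrokenSignature(artifact)) {
                    // Accepted without any cryptographic verification because the keys map says so.
                    logInfoWithQuiet("{} PGP Signature is broken, consistent with keys map.", artifact::getId);
                    result.error(false);
                } else {
                    LOGGER.error("Failed to process signature for artifact {} - {}", artifact.getId(), checkSignature.getErrorMessage());
                    result.error(true);
                }
                break;
            case SIGNATURE_NOT_RESOLVED:
                result.error(!verifySignatureUnavailable(artifact));
                break;
            case SIGNATURE_VALID:
                // May throw before the key is checked against the keys map.
                verifyWeakSignature(checkSignature.getSignature().getHashAlgorithm());
                if (this.keysMap.isValidKey(artifact, checkSignature.getKey())) {
                    LOGGER.debug("signature.KeyAlgorithm: {} signature.hashAlgorithm: {}", checkSignature.getKey().getAlgorithm(), checkSignature.getSignature().getHashAlgorithm());
                    // User ids are read from the key itself and are informational only; the trust
                    // decision above is made by the keys map.
                    logInfoWithQuiet(PGP_VERIFICATION_RESULT_FORMAT,
                            artifact::getId,
                            () -> "OK",
                            () -> PublicKeyUtils.keyIdDescription(checkSignature.getKey()),
                            () -> checkSignature.getKey().getUids());
                    result.error(false);
                } else {
                    // Cryptographically valid, but signed by a key the keys map does not allow.
                    String suggestedEntry = String.format("%s = %s", ArtifactUtils.key(artifact), PublicKeyUtils.fingerprintForMaster(checkSignature.getKey()));
                    LOGGER.error("Not allowed artifact {} and keyID:\n\t{}\n\t{}", artifact.getId(), suggestedEntry, checkSignature.getKeyShowUrl());
                    result.error(true);
                }
                break;
            case SIGNATURE_INVALID:
                if (this.keysMap.isBrokenSignature(artifact)) {
                    // Accepted although the signature does not verify, because the keys map says so.
                    logInfoWithQuiet("{} PGP Signature is broken, consistent with keys map.", artifact::getId);
                    result.error(false);
                } else {
                    if (LOGGER.isErrorEnabled()) {
                        LOGGER.error(PGP_VERIFICATION_RESULT_FORMAT, artifact.getId(), "INVALID", PublicKeyUtils.keyIdDescription(checkSignature.getKey()), checkSignature.getKey().getUids());
                    }
                    result.error(true);
                }
                break;
            case KEY_NOT_FOUND:
                if (this.keysMap.isKeyMissing(artifact)) {
                    logInfoWithQuiet("{} PGP key not found on keyserver, consistent with keys map.", artifact::getId);
                    result.error(false);
                } else {
                    LOGGER.error("PGP key {} not found on keyserver for artifact {}", checkSignature.getKeyShowUrl(), artifact.getId());
                    result.error(true);
                }
                break;
            default:
                // Unknown status: fail closed.
                result.error(true);
                break;
        }
        return result.build();
    }

    /**
     * Optionally writes the JSON report, then fails the build if any result is an error.
     *
     * <p>The report is written before the error check, so it is produced for failing runs too.
     *
     * @param collection results of all processed artifacts
     * @throws PGPMojoException if the report cannot be written or any result is flagged as error
     */
    @Override // org.simplify4u.plugins.AbstractVerifyMojo
    protected void processVerificationResult(Collection<VerificationResult> collection) {
        if (this.reportWrite) {
            Try.run(() -> {
                List<SignatureCheckResult> checkResults = collection.stream()
                        .map(verificationResult -> verificationResult.result)
                        .collect(Collectors.toList());
                this.reportsUtils.writeReportAsJson(this.reportFile, checkResults);
            }).getOrElseThrow(th -> new PGPMojoException(th.getMessage(), th));
        }
        boolean anyError = collection.stream().anyMatch(verificationResult -> verificationResult.error);
        if (anyError) {
            throw new PGPMojoException("Signature errors");
        }
    }

    /**
     * Reports a weak hash algorithm: build failure when {@code failWeakSignature} is set, warning
     * otherwise.
     *
     * @param i hash algorithm identifier taken from the signature
     * @throws PGPMojoException if the algorithm is weak and {@code failWeakSignature} is true
     */
    private void verifyWeakSignature(int i) {
        // checkWeakHashAlgorithm returns null when there is nothing to report.
        String weakAlgorithmName = this.signatureUtils.checkWeakHashAlgorithm(i);
        if (weakAlgorithmName == null) {
            return;
        }
        String message = "Weak signature algorithm used: " + weakAlgorithmName;
        if (this.failWeakSignature) {
            LOGGER.error(message);
            throw new PGPMojoException(message);
        }
        LOGGER.warn(message);
    }

    /**
     * Decides whether a missing signature is acceptable for the artifact.
     *
     * @param artifact artifact for which no signature could be resolved
     * @return {@code true} if the artifact may pass without a signature: either the keys map is
     *     empty (warning only) or the keys map marks the artifact as unsigned; {@code false}
     *     otherwise
     */
    private boolean verifySignatureUnavailable(Artifact artifact) {
        if (this.keysMap.isEmpty()) {
            // No trust reference configured: unsigned artifacts pass with a warning only.
            LOGGER.warn("No signature for {}", artifact.getId());
            return true;
        }
        if (this.keysMap.isNoSignature(artifact)) {
            logInfoWithQuiet("{} PGP Signature unavailable, consistent with keys map.", artifact::getId);
            return true;
        }
        if (this.keysMap.isWithKey(artifact)) {
            // The keys map expects a signing key, so a missing signature is a hard failure.
            LOGGER.error("Unsigned artifact is listed with key in keys map: {}", artifact.getId());
        } else {
            LOGGER.error("Unsigned artifact not listed in keys map: {}", artifact.getId());
        }
        return false;
    }
}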
