package com.atlassian.stash.internal.plugin.hooks.verifycommitsignature;

import com.atlassian.bitbucket.commit.Commit;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureState;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureVerificationPublicKey;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureVerificationResult;
import com.atlassian.bitbucket.idx.CommitIndex;
import com.atlassian.bitbucket.idx.CommitIndexer;
import com.atlassian.bitbucket.idx.IndexingContext;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.scm.signed.StandardSignableObjectType;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.bitbucket.server.FeatureManager;
import com.atlassian.bitbucket.server.StandardFeature;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.stash.internal.plugin.hooks.verifycommitsignature.SignatureVerificationHelper;
import com.google.common.annotations.VisibleForTesting;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/stash/internal/plugin/hooks/verifycommitsignature/SignedCommitIndexer.class */
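/**
 * Commit indexer that verifies commit signatures in batches and stores the outcome as
 * commit index properties (the {@code IDX_PROP_SIGNATURE_*} keys below).
 *
 * <p>Security notes for consumers of these properties:
 * <ul>
 *   <li>Nothing but {@link #IDX_PROP_SIGNATURE_TYPE} is guaranteed to be absent or present on its
 *       own terms: no property is written when no provider returns a result, or when the state is
 *       {@code SIGNATURE_NOT_FOUND} or {@code ERROR}. A missing {@code signature_state} therefore
 *       does not distinguish "unsigned" from "verification failed" or "batch aborted".</li>
 *   <li>The only state gate before owner, fingerprint and X509 metadata are stored is the
 *       {@code SIGNATURE_NOT_FOUND}/{@code ERROR} check, so these properties can also exist for
 *       states that are not verified. Readers must check {@link #IDX_PROP_SIGNATURE_STATE} before
 *       relying on them.</li>
 *   <li>NOTE(review): the metadata values (issuer/signer CN, O, OU, ...) presumably originate from
 *       the signature's certificate and so may be signer-controlled text; confirm, and escape them
 *       wherever they are rendered.</li>
 * </ul>
 */
public class SignedCommitIndexer implements CommitIndexer {
    /** Key under which the pending commit batch is kept in the {@link IndexingContext}. */
    public static final String COMMITS = "commits";
    public static final String IDX_PROP_SIGNATURE_FINGERPRINT = "signature_fingerprint";
    public static final String IDX_PROP_SIGNATURE_IS_SYSTEM_SIGNED = "signature_is_system_signed";
    public static final String IDX_PROP_SIGNATURE_OWNER = "signature_owner";
    public static final String IDX_PROP_SIGNATURE_STATE = "signature_state";
    public static final String IDX_PROP_SIGNATURE_TYPE = "signature_type";
    public static final String IDX_PROP_SIGNATURE_X509_ISSUER_CN = "signature_x509_issuer_cn";
    public static final String IDX_PROP_SIGNATURE_X509_ISSUER_O = "signature_x509_issuer_o";
    public static final String IDX_PROP_SIGNATURE_X509_ISSUER_OU = "signature_x509_issuer_ou";
    public static final String IDX_PROP_SIGNATURE_X509_ISSUER_SKI = "signature_x509_issuer_ski";
    public static final String IDX_PROP_SIGNATURE_X509_SIGNER_CN = "signature_x509_signer_cn";
    public static final String IDX_PROP_SIGNATURE_X509_SIGNER_O = "signature_x509_signer_o";
    public static final String IDX_PROP_SIGNATURE_X509_SIGNER_SHA1 = "signature_x509_signer_sha1";
    public static final String IDX_PROP_SIGNATURE_X509_SIGNER_SKI = "signature_x509_signer_ski";
    static final String ID = "com.atlassian.bitbucket.SignedCommitsIndexer";
    private static final Logger log = LoggerFactory.getLogger(SignedCommitIndexer.class);
    private final int batchSize;
    private final CommitIndex commitIndex;
    private final FeatureManager featureManager;
    private final SignatureVerificationHelper signatureVerificationHelper;

    /**
     * Minimal snapshot of a commit (id and committer timestamp) held while a batch accumulates,
     * so the full {@link Commit} object does not have to be retained.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public static class SimpleCommitDetails {
        private final String commitId;
        private final Date committerTimestamp;

        SimpleCommitDetails(Commit commit) {
            this.commitId = commit.getId();
            this.committerTimestamp = commit.getCommitterTimestamp();
        }

        public String getCommitId() {
            return this.commitId;
        }

        public Date getCommitterTimestamp() {
            return this.committerTimestamp;
        }
    }

    /**
     * Creates the indexer.
     *
     * @param commitIndex index the signature properties are written to
     * @param featureManager used to check whether signature display is enabled
     * @param applicationPropertiesService source of the {@code plugin.signed-commit.batch-size}
     *        plugin property (default 300)
     * @param signatureVerificationHelper performs the actual signature verification
     */
    public SignedCommitIndexer(CommitIndex commitIndex, FeatureManager featureManager, ApplicationPropertiesService applicationPropertiesService, SignatureVerificationHelper signatureVerificationHelper) {
        this.commitIndex = commitIndex;
        this.featureManager = featureManager;
        this.signatureVerificationHelper = signatureVerificationHelper;
        // A configured value <= 0 is not rejected here; it makes every added commit its own batch.
        this.batchSize = applicationPropertiesService.getPluginProperty("plugin.signed-commit.batch-size", 300);
    }

    @Nonnull
    @Override
    public String getId() {
        return ID;
    }

    /**
     * Enabled whenever the {@code COMMIT_SHOW_SIGNATURES} feature is on; the repository argument
     * is not consulted.
     */
    @Override
    public boolean isEnabledForRepository(@Nonnull Repository repository) {
        return this.featureManager.isEnabled(StandardFeature.COMMIT_SHOW_SIGNATURES);
    }

    /** Verifies whatever is left in the batch once indexing has finished. */
    @Override
    public void onAfterIndexing(@Nonnull IndexingContext indexingContext) {
        List<SimpleCommitDetails> pending = requireCommitList(indexingContext);
        if (pending.isEmpty()) {
            return;
        }
        verifyAndSaveSignatureProperties(indexingContext, pending);
        log.debug("Finished indexing signed commits of {}", indexingContext.getRepository().getName());
    }

    /** Installs an empty batch list in the context before indexing starts. */
    @Override
    public void onBeforeIndexing(@Nonnull IndexingContext indexingContext) {
        indexingContext.put(COMMITS, new ArrayList<SimpleCommitDetails>());
        log.debug("Start indexing signed commits of {}", indexingContext.getRepository().getName());
    }

    /**
     * Queues the commit and flushes the batch once it reaches the configured size.
     *
     * <p>The batch is cleared after the flush even if verification failed part-way, so commits
     * that were not processed are not retried by this class.
     */
    @Override
    public void onCommitAdded(@Nonnull Commit commit, @Nonnull IndexingContext indexingContext) {
        List<SimpleCommitDetails> pending = requireCommitList(indexingContext);
        pending.add(new SimpleCommitDetails(commit));
        if (pending.size() >= this.batchSize) {
            log.debug("Reached batch size limit of {} for {} and starting verification process", this.batchSize, indexingContext.getRepository());
            verifyAndSaveSignatureProperties(indexingContext, pending);
            pending.clear();
        }
    }

    /** No-op: signature properties of removed commits are not touched here. */
    @Override
    public void onCommitRemoved(@Nonnull Commit commit, @Nonnull IndexingContext indexingContext) {
    }

    /**
     * Returns the batch list stored by {@link #onBeforeIndexing(IndexingContext)}.
     *
     * @throws IllegalStateException if the context holds no list under {@link #COMMITS}
     */
    private static List<SimpleCommitDetails> requireCommitList(IndexingContext indexingContext) {
        // Only this class writes the COMMITS entry, and always as a List<SimpleCommitDetails>.
        @SuppressWarnings("unchecked")
        List<SimpleCommitDetails> pending = (List<SimpleCommitDetails>) indexingContext.get(COMMITS);
        if (pending == null) {
            throw new IllegalStateException("Unable to get commit list from context");
        }
        return pending;
    }

    /** Copies one metadata entry into the commit index, skipping blank or missing values. */
    private void addMetadataProperty(Map<String, String> metadata, String metadataKey, String commitId, String indexProperty) {
        String value = metadata.get(metadataKey);
        if (StringUtils.isNotBlank(value)) {
            this.commitIndex.addProperty(commitId, indexProperty, value);
        }
    }

    /** Stores the X509 issuer and signer metadata entries that are present for the commit. */
    private void includeX509SignatureMetadataProperties(Map<String, String> metadata, String commitId) {
        addMetadataProperty(metadata, "x509_issuer_ski", commitId, IDX_PROP_SIGNATURE_X509_ISSUER_SKI);
        addMetadataProperty(metadata, "x509_issuer_cn", commitId, IDX_PROP_SIGNATURE_X509_ISSUER_CN);
        addMetadataProperty(metadata, "x509_issuer_ou", commitId, IDX_PROP_SIGNATURE_X509_ISSUER_OU);
        addMetadataProperty(metadata, "x509_issuer_o", commitId, IDX_PROP_SIGNATURE_X509_ISSUER_O);
        addMetadataProperty(metadata, "x509_signer_ski", commitId, IDX_PROP_SIGNATURE_X509_SIGNER_SKI);
        addMetadataProperty(metadata, "x509_signer_cn", commitId, IDX_PROP_SIGNATURE_X509_SIGNER_CN);
        addMetadataProperty(metadata, "x509_signer_o", commitId, IDX_PROP_SIGNATURE_X509_SIGNER_O);
        addMetadataProperty(metadata, "x509_signer_sha1", commitId, IDX_PROP_SIGNATURE_X509_SIGNER_SHA1);
    }

    /**
     * Verifies every commit of the batch and writes the resulting signature properties.
     *
     * <p>Any {@link RuntimeException} is logged and swallowed so indexing continues. It aborts
     * the rest of the batch: commits after the failing one get no signature properties.
     */
    private void verifyAndSaveSignatureProperties(IndexingContext indexingContext, List<SimpleCommitDetails> list) {
        Repository repository = indexingContext.getRepository();
        // try-with-resources releases the call control even when a commit in the batch throws;
        // the decompiled form closed it on the success path only.
        try (SignatureVerificationHelper.SignedObjectsCallControl runSignedObjects = this.signatureVerificationHelper.runSignedObjects(repository)) {
            for (SimpleCommitDetails details : list) {
                indexSignature(runSignedObjects, repository, details);
            }
        } catch (RuntimeException e) {
            log.warn("Could not successfully verify and save commit signature properties", e);
        }
    }

    /** Verifies a single commit and stores its signature properties, if there are any to store. */
    private void indexSignature(SignatureVerificationHelper.SignedObjectsCallControl runSignedObjects, Repository repository, SimpleCommitDetails details) {
        String commitId = details.getCommitId();
        Optional<SignatureVerificationResult> verify = runSignedObjects.verify(StandardSignableObjectType.COMMIT, commitId, details.getCommitterTimestamp());
        if (!verify.isPresent()) {
            log.debug("[{}] Commit {} could not get its signature verified via any provider", repository, commitId);
            return;
        }
        SignatureVerificationResult result = verify.get();
        SignatureState signatureState = result.getSignatureState();
        log.trace("[{}] Commit {} verified as {} by commit indexer.", repository, commitId, signatureState);
        // Only these two states are filtered out; every other state, verified or not, is indexed.
        if (signatureState.equals(SignatureState.SIGNATURE_NOT_FOUND) || signatureState.equals(SignatureState.ERROR)) {
            return;
        }
        String signatureType = result.getSignatureType();
        // NOTE(review): a false return from addProperty stops processing of this commit;
        // presumably it means the property was not added (e.g. already indexed) - confirm.
        if (StringUtils.isNotBlank(signatureType) && !this.commitIndex.addProperty(commitId, IDX_PROP_SIGNATURE_TYPE, signatureType)) {
            return;
        }
        SignatureVerificationPublicKey verificationPublicKey = result.getVerificationPublicKey();
        if (signatureState.isVerified() && verificationPublicKey == null) {
            // signature_type may already have been written above; state, owner and fingerprint
            // are deliberately withheld for a "verified" result that names no key.
            log.debug("[{}] Commit {} is verified but does not have a public key. signature details not saved.", repository, commitId);
            return;
        }
        ApplicationUser owner = result.getOwner();
        if (owner != null) {
            this.commitIndex.addProperty(commitId, IDX_PROP_SIGNATURE_OWNER, owner.getName());
        }
        if (verificationPublicKey != null) {
            this.commitIndex.addProperty(commitId, IDX_PROP_SIGNATURE_FINGERPRINT, verificationPublicKey.getFingerprint());
        }
        this.commitIndex.addProperty(commitId, IDX_PROP_SIGNATURE_STATE, String.valueOf(signatureState.getCode()));
        Map<String, String> signatureMetadata = result.getSignatureMetadata();
        if (signatureMetadata.isEmpty()) {
            return;
        }
        if ("X509".equals(signatureType)) {
            includeX509SignatureMetadataProperties(signatureMetadata, commitId);
        }
        addMetadataProperty(signatureMetadata, "is_system_signed", commitId, IDX_PROP_SIGNATURE_IS_SYSTEM_SIGNED);
    }
}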
