package com.atlassian.secrets.service.aws;

import com.atlassian.secrets.api.SealedSecret;
import com.atlassian.secrets.api.SecretServiceBackend;
import com.atlassian.secrets.api.SecretServiceException;
import com.atlassian.secrets.api.SecretServiceType;
import com.atlassian.secrets.aws.DefaultSecretsManagerClientFactory;
import com.atlassian.secrets.aws.SecretsManagerClientFactory;
import com.atlassian.secrets.service.IdentifierBasedSecret;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.CreateSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.PutSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.PutSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
import software.amazon.awssdk.services.secretsmanager.model.RestoreSecretRequest;

/* loaded from: input_file:com/atlassian/secrets/service/aws/AWSSecretBackend.class */
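/**
 * {@link SecretServiceBackend} that keeps secret values in AWS Secrets Manager.
 *
 * <p>Callers only ever receive the secret's identifier (wrapped in an
 * {@link IdentifierBasedSecret}); the value itself stays in AWS and is not written to the log by
 * this class — failure paths log only the exception message.
 *
 * <p>AWS secret names are the identifier, optionally namespaced with the configured prefix as
 * {@code prefix/identifier}. {@link #delete(String)} passes {@code forceDeleteWithoutRecovery=true}
 * by default, i.e. deletion is immediate and irreversible, unless the
 * {@value #AWS_FORCE_DELETE_SECRET_SYSTEM_PROP_KEY} system property is set to {@code false}, in
 * which case AWS's recovery window applies and a later {@link #seal(String, String)} restores
 * the secret.
 *
 * <p>Thread-safety and client lifecycle depend on the injected
 * {@link SecretsManagerClientFactory}: every operation obtains a client from it and never
 * closes it.
 */
public class AWSSecretBackend implements SecretServiceBackend {
    /**
     * System property that decides whether deletes skip AWS's recovery window.
     * Defaults to {@code true} (no recovery possible) when unset.
     */
    public static final String AWS_FORCE_DELETE_SECRET_SYSTEM_PROP_KEY = "secret.service.aws.force.delete.secret";
    private static final Logger log = LoggerFactory.getLogger(AWSSecretBackend.class);
    // Description attached to every secret this backend creates; visible in the AWS console.
    private static final String CREATED_SECRET_DESCRIPTION = "Atlassian Data Center Managed Secret";
    private final String backendId;
    private final AWSSecretBackendConfig config;
    private final SecretsManagerClientFactory clientFactory;

    /**
     * Creates a backend that builds its Secrets Manager clients with the
     * {@link DefaultSecretsManagerClientFactory}.
     *
     * @param str                    id of this backend, recorded in every {@link IdentifierBasedSecret} it returns
     * @param aWSSecretBackendConfig region, optional endpoint override and optional secret-name prefix
     */
    public AWSSecretBackend(String str, AWSSecretBackendConfig aWSSecretBackendConfig) {
        this(str, aWSSecretBackendConfig, new DefaultSecretsManagerClientFactory());
    }

    /**
     * Creates a backend with an explicit client factory (mainly for tests and alternative
     * credential setups).
     *
     * @param str                         id of this backend, recorded in every {@link IdentifierBasedSecret} it returns
     * @param aWSSecretBackendConfig      region, optional endpoint override and optional secret-name prefix
     * @param secretsManagerClientFactory source of {@link SecretsManagerClient} instances
     */
    public AWSSecretBackend(String str, AWSSecretBackendConfig aWSSecretBackendConfig, SecretsManagerClientFactory secretsManagerClientFactory) {
        this.backendId = str;
        this.config = aWSSecretBackendConfig;
        this.clientFactory = secretsManagerClientFactory;
    }

    /**
     * Stores {@code str2} under the AWS secret derived from {@code str}, creating the secret on
     * first use and updating it afterwards.
     *
     * @param str  secret identifier; must not be blank
     * @param str2 the secret value to store (never logged here)
     * @return an {@link IdentifierBasedSecret} carrying {@code str} and this backend's id
     * @throws IllegalArgumentException if {@code str} is blank
     * @throws SecretServiceException   wrapping any AWS SDK failure
     */
    public SealedSecret seal(String str, String str2) throws SecretServiceException {
        Assert.hasText(str, "Secret identifier must not be empty.");
        try {
            SecretsManagerClient client = getClient();
            String secretName = getSecretName(str);
            try {
                PutSecretValueResponse updated = client.putSecretValue(
                        PutSecretValueRequest.builder().secretId(secretName).secretString(str2).build());
                // Cancels a pending (non-forced) deletion so the value just written is reachable.
                // NOTE(review): AWS may reject PutSecretValue on a secret already scheduled for
                // deletion; if so that surfaces as the wrapped exception below rather than as a
                // restore — confirm against the SDK before relying on the recovery-window path.
                client.restoreSecret(RestoreSecretRequest.builder().secretId(secretName).build());
                log.debug("Updated AWS secret: {}", updated.name());
            } catch (ResourceNotFoundException notFound) {
                // First write for this identifier: the secret does not exist yet, so create it.
                String createdName = client.createSecret(CreateSecretRequest.builder()
                        .name(secretName)
                        .secretString(str2)
                        .description(CREATED_SECRET_DESCRIPTION)
                        .build()).name();
                log.debug("Created AWS secret: {}", createdName);
            }
            return new IdentifierBasedSecret(str, this.backendId);
        } catch (RuntimeException e) {
            // Log the message only; never add the request or str2 to this line.
            log.error("Problem when saving a secret value into AWS Secret Manager: {}", e.getMessage());
            throw new SecretServiceException("Problem when saving a secret value into AWS Secret Manager", e);
        }
    }

    /**
     * Fetches the current value of the secret that {@code sealedSecret} identifies.
     *
     * @param sealedSecret must be an {@link IdentifierBasedSecret} produced by this backend
     * @return the stored secret string
     * @throws SecretServiceException if {@code sealedSecret} is not identifier-based, or on any
     *                                AWS SDK failure (including a missing secret)
     */
    public String unseal(SealedSecret sealedSecret) throws SecretServiceException {
        if (!(sealedSecret instanceof IdentifierBasedSecret)) {
            throw new SecretServiceException("Expecting secret identifier but encrypted secret was passed in");
        }
        try {
            IdentifierBasedSecret identifierBasedSecret = (IdentifierBasedSecret) sealedSecret;
            GetSecretValueRequest request = GetSecretValueRequest.builder()
                    .secretId(getSecretName(identifierBasedSecret.getIdentifier()))
                    .build();
            String secretString = getClient().getSecretValue(request).secretString();
            // Only the identifier is logged, never the retrieved value.
            log.debug("Retrieved AWS secret: {}", identifierBasedSecret.getIdentifier());
            return secretString;
        } catch (Exception e) {
            log.error("Problem when getting the secret value from AWS Secret Manager: {}", e.getMessage());
            throw new SecretServiceException("Problem when getting the secret value from AWS Secret Manager", e);
        }
    }

    /**
     * Deletes the AWS secret derived from {@code str}. A secret that no longer exists is
     * treated as already deleted and only logged at INFO.
     *
     * <p>With the default of {@value #AWS_FORCE_DELETE_SECRET_SYSTEM_PROP_KEY}{@code =true} the
     * deletion is immediate and cannot be undone; set the property to {@code false} to keep
     * AWS's recovery window.
     *
     * @param str secret identifier
     * @throws SecretServiceException wrapping any AWS SDK failure other than "not found"
     */
    public void delete(String str) throws SecretServiceException {
        // NOTE(review): unlike seal(), the identifier is not validated here; a null or blank
        // value reaches the AWS request and is reported through the catch blocks below.
        try {
            log.debug("Deleting the secret with the identifier of {} in AWS.", str);
            boolean forceDelete = getBooleanValueFor(AWS_FORCE_DELETE_SECRET_SYSTEM_PROP_KEY, true);
            getClient().deleteSecret(DeleteSecretRequest.builder()
                    .secretId(getSecretName(str))
                    .forceDeleteWithoutRecovery(forceDelete)
                    .build());
            log.debug("Deleted AWS secret: {}", str);
        } catch (ResourceNotFoundException e) {
            // Deleting a missing secret is not an error for callers.
            log.info("Cannot find the secret value associated with the provided secret identifier");
        } catch (Exception e2) {
            log.error("Problem when deleting the secret value from AWS Secret Manager: {}", e2.getMessage());
            throw new SecretServiceException("Problem when deleting the secret value from AWS Secret Manager", e2);
        }
    }

    /** @return always {@link SecretServiceType#AWS} */
    public SecretServiceType getType() {
        return SecretServiceType.AWS;
    }

    /**
     * Obtains a client from the factory, honouring the endpoint override when one is configured.
     * The returned client is not closed by this class.
     */
    private SecretsManagerClient getClient() {
        String endpointOverride = this.config.getEndpointOverride();
        if (endpointOverride != null) {
            return this.clientFactory.getClient(this.config.getRegion(), endpointOverride);
        }
        return this.clientFactory.getClient(this.config.getRegion());
    }

    /**
     * Maps a secret identifier to its AWS secret name: {@code prefix/identifier} when a prefix
     * is configured, otherwise the identifier unchanged. The identifier is not checked against
     * AWS naming rules here; AWS rejects invalid names at request time.
     */
    private String getSecretName(String identifier) {
        String prefix = this.config.getSecretNamePrefix();
        if (prefix != null) {
            return String.format("%s/%s", prefix, identifier);
        }
        return identifier;
    }

    /**
     * Reads a boolean system property, returning {@code defaultValue} when it is unset.
     * Any value other than (case-insensitive) {@code "true"} parses as {@code false}.
     */
    private static boolean getBooleanValueFor(String propertyKey, boolean defaultValue) {
        String property = System.getProperty(propertyKey);
        if (property == null) {
            return defaultValue;
        }
        return Boolean.parseBoolean(property);
    }
}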
