package com.tokera.ate.io.repo;

import com.tokera.ate.common.LoggerHook;
import com.tokera.ate.common.MapTools;
import com.tokera.ate.dao.kafka.MessageSerializer;
import com.tokera.ate.delegates.AteDelegate;
import com.tokera.ate.dto.msg.MessageDataDigestDto;
import com.tokera.ate.dto.msg.MessageDataDto;
import com.tokera.ate.dto.msg.MessageDataHeaderDto;
import com.tokera.ate.dto.msg.MessagePublicKeyDto;
import com.tokera.ate.enumerations.EnquireDomainKeyHandling;
import com.tokera.ate.io.api.IPartitionKey;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Function;
import org.bouncycastle.util.Arrays;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/tokera/ate/io/repo/TrustValidatorBuilder.class */
public final class TrustValidatorBuilder {
    private LoggerHook LOG;
    private Map<UUID, MessageDataDto> savedDatas;
    private final AteDelegate d = AteDelegate.get();
    private Consumer<Failure> onFailure = null;
    private Function<UUID, DataContainer> onGetData = null;
    private Function<UUID, MessageDataHeaderDto> onGetRootOfTrust = null;
    private Function<String, MessagePublicKeyDto> onGetPublicKey = null;

    /* loaded from: input_file:com/tokera/ate/io/repo/TrustValidatorBuilder$Failure.class */
    public static final class Failure {
        public final LoggerHook LOG;
        public final MessageDataHeaderDto header;
        public final String why;

        protected Failure(LoggerHook loggerHook, MessageDataHeaderDto messageDataHeaderDto, String str) {
            this.LOG = loggerHook;
            this.header = messageDataHeaderDto;
            this.why = str;
        }
    }

    /* loaded from: input_file:com/tokera/ate/io/repo/TrustValidatorBuilder$ValidatorBasic.class */
    public class ValidatorBasic {
        protected final AteDelegate d;
        protected final UUID id;
        protected final IPartitionKey partitionKey;
        protected final UUID parentId;
        protected final MessageDataDto existing;
        protected final DataContainer container;
        protected final MessageDataDto data;
        protected final MessageDataHeaderDto header;
        protected final MessageDataDigestDto digest;
        protected final String entityType;
        private MessageDataDto _parent;
        private boolean validatedParent;
        private boolean validatedIsntReparenting;
        private boolean validatedVersion;

        protected ValidatorBasic(IPartitionKey iPartitionKey, MessageDataDto messageDataDto) {
            this.d = AteDelegate.get();
            this._parent = null;
            this.validatedParent = false;
            this.validatedIsntReparenting = false;
            this.validatedVersion = false;
            MessageDataHeaderDto header = messageDataDto.getHeader();
            MessageDataDigestDto digest = messageDataDto.getDigest();
            if (header == null || digest == null) {
                throw new RuntimeException("Header or digest is invalid for this data object.");
            }
            this.id = header.getIdOrThrow();
            this.partitionKey = iPartitionKey;
            this.parentId = header.getParentId();
            this.data = messageDataDto;
            this.header = header;
            this.digest = messageDataDto.getDigest();
            this.entityType = header.getPayloadClazzOrThrow();
            this.container = TrustValidatorBuilder.this.getData(this.id);
            if (TrustValidatorBuilder.this.savedDatas == null || !TrustValidatorBuilder.this.savedDatas.containsKey(this.id)) {
                this.existing = this.container != null ? this.container.getLastDataOrNull() : null;
            } else {
                this.existing = (MessageDataDto) TrustValidatorBuilder.this.savedDatas.get(this.id);
            }
        }

        protected ValidatorBasic(ValidatorBasic validatorBasic) {
            this.d = AteDelegate.get();
            this._parent = null;
            this.validatedParent = false;
            this.validatedIsntReparenting = false;
            this.validatedVersion = false;
            this.id = validatorBasic.id;
            this.partitionKey = validatorBasic.partitionKey;
            this.parentId = validatorBasic.parentId;
            this.data = validatorBasic.data;
            this.header = validatorBasic.header;
            this.digest = validatorBasic.digest;
            this.existing = validatorBasic.existing;
            this.entityType = validatorBasic.entityType;
            this.container = validatorBasic.container;
            this.validatedParent = validatorBasic.validatedParent;
            this.validatedIsntReparenting = validatorBasic.validatedIsntReparenting;
            this.validatedVersion = validatorBasic.validatedVersion;
        }

        @Deprecated
        public boolean validatePreviousVersion() {
            MessageDataDto lastDataOrNull;
            if (this.validatedVersion) {
                return true;
            }
            if (this.header.getPreviousVersion() != null && this.container != null && !this.container.isEmpty() && !this.container.hasVersion(this.header.getPreviousVersion())) {
                fail("referenced previous version does not exist");
                return false;
            }
            if (this.header.getMerges() != null) {
                Iterator<UUID> it = this.header.getMerges().iterator();
                while (it.hasNext()) {
                    UUID next = it.next();
                    if (this.container != null && !this.container.isEmpty() && !this.container.hasVersion(next)) {
                        fail("referenced previous version of merge does not exist");
                        return false;
                    }
                }
            }
            if (this.header.getPreviousVersion() != null || ((this.header.getMerges() != null && this.header.getMerges().size() > 0) || this.container == null || this.container.isEmpty() || (lastDataOrNull = this.container.getLastDataOrNull()) == null || !lastDataOrNull.hasPayload())) {
                this.validatedVersion = true;
                return true;
            }
            fail("existing record exists but is not referenced");
            return false;
        }

        public boolean validateParent() {
            if (this.validatedParent) {
                return true;
            }
            UUID parentId = this.header.getParentId();
            MessageDataDto messageDataDto = null;
            if (this.d.daoParents.getAllowedParentsSimple().containsKey(this.entityType)) {
                if (parentId == null) {
                    fail("must have parent for this entity type");
                    return false;
                }
                messageDataDto = TrustValidatorBuilder.this.savedDatas != null ? (MessageDataDto) MapTools.getOrNull(TrustValidatorBuilder.this.savedDatas, parentId) : null;
                if (messageDataDto == null) {
                    DataContainer data = TrustValidatorBuilder.this.getData(parentId);
                    messageDataDto = data != null ? data.getLastDataOrNull() : null;
                }
                if (messageDataDto == null) {
                    fail("parent is missing in chain of trust");
                    return false;
                }
                if (!this.d.daoParents.getAllowedParentsSimple().containsEntry(this.entityType, messageDataDto.getHeader().getPayloadClazzOrThrow())) {
                    fail("parent type not allowed [see PermitParentType]");
                    return false;
                }
            } else {
                if (!this.d.daoParents.getAllowedParentFreeSimple().contains(this.entityType)) {
                    fail("parent policy not defined for this entity type");
                    return false;
                }
                if (parentId != null) {
                    fail("parent not allowed for this entity type");
                    return false;
                }
            }
            this._parent = messageDataDto;
            this.validatedParent = true;
            return true;
        }

        public boolean validateIsntReparenting() {
            if (this.validatedIsntReparenting) {
                return true;
            }
            if (this.existing != null) {
                UUID parentId = this.existing.getHeader().getParentId();
                if (parentId != null && !parentId.equals(this.header.getParentId())) {
                    fail("parent has changed [was=" + parentId + ", now=" + this.header.getParentId() + "]");
                    return false;
                }
                if (!this.existing.getHeader().getInheritWrite() && this.existing.getHeader().getAllowWrite().isEmpty()) {
                    fail("record is immutable");
                    return false;
                }
            }
            this.validatedIsntReparenting = true;
            return true;
        }

        public boolean validateAll() {
            return validateParent() && validateIsntReparenting();
        }

        public ValidatorWithParentState upgradeWithParentChecks() {
            if (validateAll()) {
                return new ValidatorWithParentState(this, this._parent);
            }
            throw new RuntimeException("Attempted to upgrade validator but its in a failed state");
        }

        protected void fail(String str) {
            TrustValidatorBuilder.this.failure(this.header, str);
        }
    }

    /* loaded from: input_file:com/tokera/ate/io/repo/TrustValidatorBuilder$ValidatorWithLeafState.class */
    public class ValidatorWithLeafState extends ValidatorWithParentState {
        protected final MessageDataDto leaf;
        protected final MessagePublicKeyDto digestPublicKey;
        protected final boolean roleFound;
        private boolean validatedSignature;

        protected ValidatorWithLeafState(ValidatorWithParentState validatorWithParentState, MessageDataDto messageDataDto, MessagePublicKeyDto messagePublicKeyDto, boolean z) {
            super(validatorWithParentState);
            this.validatedSignature = false;
            this.leaf = messageDataDto;
            this.digestPublicKey = messagePublicKeyDto;
            this.roleFound = z;
        }

        protected ValidatorWithLeafState(ValidatorWithLeafState validatorWithLeafState) {
            super(validatorWithLeafState);
            this.validatedSignature = false;
            this.leaf = validatorWithLeafState.leaf;
            this.digestPublicKey = validatorWithLeafState.digestPublicKey;
            this.roleFound = validatorWithLeafState.roleFound;
            this.validatedSignature = validatorWithLeafState.validatedSignature;
        }

        public boolean validateSignature() {
            if (this.validatedSignature) {
                return true;
            }
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            MessageSerializer.writeBytes(byteArrayOutputStream, this.header.createFlatBuffer());
            if (this.data.hasPayload()) {
                try {
                    byte[] payloadBytes = this.data.getPayloadBytes();
                    if (payloadBytes == null) {
                        fail("message data has payload but it did not appear to be attached");
                        return false;
                    }
                    byteArrayOutputStream.write(payloadBytes);
                } catch (IOException e) {
                    this.d.debugLogging.logTrustValidationException(e);
                    String message = e.getMessage();
                    if (message == null) {
                        message = e.toString();
                    }
                    fail(message.toLowerCase());
                    return false;
                }
            }
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            byte[] hashSha = this.d.encryptor.hashSha(this.digest.getSeedBytesOrThrow(), byteArray);
            if (!Arrays.areEqual(this.digest.getDigestBytesOrThrow(), hashSha)) {
                fail("digest differential");
                return false;
            }
            byte[] signatureBytes = this.digest.getSignatureBytes();
            if (hashSha.length <= 4) {
                fail("digest of payload bytes invalid");
                return false;
            }
            if (signatureBytes.length <= 4) {
                fail("signature bytes invalid");
                return false;
            }
            if (this.d.encryptor.verify(this.digestPublicKey, hashSha, signatureBytes)) {
                this.validatedSignature = true;
                return true;
            }
            fail("signature verification failed");
            return false;
        }

        @Override // com.tokera.ate.io.repo.TrustValidatorBuilder.ValidatorWithParentState, com.tokera.ate.io.repo.TrustValidatorBuilder.ValidatorBasic
        public boolean validateAll() {
            return super.validateAll() && validateSignature();
        }
    }

    /* loaded from: input_file:com/tokera/ate/io/repo/TrustValidatorBuilder$ValidatorWithParentState.class */
    public class ValidatorWithParentState extends ValidatorBasic {
        protected final MessageDataDto parent;
        private MessageDataDto _leaf;
        private MessagePublicKeyDto _digestPublicKey;
        private boolean _roleFound;
        private boolean validatedLeaf;

        protected ValidatorWithParentState(ValidatorBasic validatorBasic, MessageDataDto messageDataDto) {
            super(validatorBasic);
            this.validatedLeaf = false;
            this.parent = messageDataDto;
        }

        protected ValidatorWithParentState(ValidatorWithParentState validatorWithParentState) {
            super(validatorWithParentState);
            this.validatedLeaf = false;
            this.parent = validatorWithParentState.parent;
            this.validatedLeaf = validatorWithParentState.validatedLeaf;
        }

        public boolean validateLeaf() {
            MessageDataHeaderDto rootOfTrust;
            if (this.validatedLeaf) {
                return true;
            }
            MessagePublicKeyDto messagePublicKeyDto = null;
            MessageDataDto messageDataDto = this.existing;
            if (messageDataDto == null) {
                messageDataDto = this.parent;
            }
            if (messageDataDto == null) {
                String orDefault = this.d.daoParents.getAllowedImplicitAuthoritySimple().getOrDefault(this.entityType, null);
                if (orDefault == null && this.d.daoParents.getAllowedDynamicImplicitAuthoritySimple().containsKey(this.entityType)) {
                    orDefault = this.header.getImplicitAuthority().stream().findFirst().orElse(null);
                    if (orDefault == null) {
                        fail("record missing implicit authority");
                        return false;
                    }
                }
                if (this.d.daoParents.getAllowedParentFreeSimple().contains(this.entityType) && this.d.daoParents.getAllowedParentClaimableSimple().contains(this.entityType)) {
                    messagePublicKeyDto = new MessagePublicKeyDto(this.d.encryptor.getTrustOfPublicWrite().key());
                    this.d.debugLogging.logClaimed(this.partitionKey, this.id, this.entityType);
                } else {
                    if (!this.d.daoParents.getAllowedParentFreeSimple().contains(this.entityType) || orDefault == null) {
                        fail("record has no leaf to attach to");
                        return false;
                    }
                    try {
                        MessagePublicKeyDto enquireDomainKey = this.d.implicitSecurity.enquireDomainKey(orDefault, EnquireDomainKeyHandling.SilentIgnore, this.partitionKey, TrustValidatorBuilder.this.onGetPublicKey);
                        if (enquireDomainKey == null) {
                            fail("dns or log record for implicit authority missing [" + orDefault + "]");
                            return false;
                        }
                        if (this.d.bootstrapConfig.isExtraValidation() && !this.d.validationUtil.validateOrLog(enquireDomainKey, TrustValidatorBuilder.this.LOG)) {
                            fail("implicit trust returns a public key that failed validation");
                            return false;
                        }
                        messagePublicKeyDto = enquireDomainKey;
                        this.d.debugLogging.logRooted(this.partitionKey, this.id, this.entityType, orDefault);
                    } catch (Throwable th) {
                        this.d.debugLogging.logTrustValidationException(th);
                        fail(th.getMessage());
                        return false;
                    }
                }
            }
            ArrayList arrayList = new ArrayList();
            boolean z = false;
            while (messageDataDto != null) {
                MessageDataHeaderDto header = messageDataDto.getHeader();
                for (String str : header.getAllowWrite()) {
                    arrayList.add(str);
                    if (str.equals(this.digest.getPublicKeyHash())) {
                        z = true;
                        MessagePublicKeyDto publicKey = TrustValidatorBuilder.this.getPublicKey(str);
                        if (publicKey != null) {
                            messagePublicKeyDto = publicKey;
                        }
                        if (messagePublicKeyDto != null) {
                            break;
                        }
                    }
                }
                if (!header.getInheritWrite()) {
                    break;
                }
                UUID parentId = header.getParentId();
                if (parentId == null) {
                    messageDataDto = null;
                } else if (TrustValidatorBuilder.this.savedDatas == null || !TrustValidatorBuilder.this.savedDatas.containsKey(parentId)) {
                    DataContainer data = TrustValidatorBuilder.this.getData(parentId);
                    messageDataDto = data != null ? data.getLastDataOrNull() : null;
                } else {
                    messageDataDto = (MessageDataDto) TrustValidatorBuilder.this.savedDatas.get(parentId);
                }
            }
            if (messagePublicKeyDto == null && (rootOfTrust = TrustValidatorBuilder.this.getRootOfTrust(this.id)) != null) {
                for (String str2 : rootOfTrust.getAllowWrite()) {
                    arrayList.add(str2);
                    if (str2.equals(this.digest.getPublicKeyHash())) {
                        z = true;
                        MessagePublicKeyDto publicKey2 = TrustValidatorBuilder.this.getPublicKey(str2);
                        if (publicKey2 != null) {
                            messagePublicKeyDto = publicKey2;
                        }
                        if (messagePublicKeyDto != null) {
                            break;
                        }
                    }
                }
            }
            if (messagePublicKeyDto == null) {
                noDigest(arrayList);
                return false;
            }
            this._digestPublicKey = messagePublicKeyDto;
            this._leaf = messageDataDto;
            this._roleFound = z;
            this.validatedLeaf = true;
            return true;
        }

        private void noDigest(List<String> list) {
            if (this._roleFound) {
                fail("entity has write roles but public key is missing");
                return;
            }
            String str = "clazz=" + this.entityType + ", id=" + this.id;
            String str2 = this.parent != null ? "clazz=" + this.parent.getHeader().getPayloadClazzOrThrow() + ", id=" + this.parentId : "null";
            String str3 = this.existing != null ? !this.existing.hasPayload() ? "tombstoned" : "payload=" + this.existing.getPayloadBytes().length + " bytes" : "new";
            StringBuilder sb = new StringBuilder();
            sb.append("entity has no right to attach to its parent");
            sb.append("\n [leaf: ").append(str3).append("]");
            sb.append("\n [entity: ").append(str).append("]");
            sb.append("\n [parent: ").append(str2).append("]");
            for (String str4 : list) {
                sb.append("\n [needs: hash=").append(str4);
                MessagePublicKeyDto publicKey = TrustValidatorBuilder.this.getPublicKey(str4);
                if (publicKey == null) {
                    sb.append(", missing");
                } else if (publicKey.getAlias() != null) {
                    sb.append(", alias=").append(publicKey.getAlias());
                }
                sb.append("]");
            }
            if (list.size() <= 0) {
                if (this.existing != null) {
                    sb.append("\n [needs: impossible as record is missed write roles.]");
                } else if (this.parent != null) {
                    sb.append("\n [needs: impossible as no existing record exists and its parent is immutable.]");
                } else {
                    sb.append("\n [needs: impossible as no existing record exists and its orphaned.]");
                }
            }
            if (this.digest != null) {
                sb.append("\n [digest: hash=").append(this.digest.getPublicKeyHash());
                MessagePublicKeyDto publicKey2 = TrustValidatorBuilder.this.getPublicKey(this.digest.getPublicKeyHash());
                if (publicKey2 == null) {
                    sb.append(", missing");
                } else if (publicKey2.getAlias() != null) {
                    sb.append(", alias=").append(publicKey2.getAlias());
                }
                sb.append("]");
            }
            sb.append("\n from ");
            fail(sb.toString());
        }

        @Override // com.tokera.ate.io.repo.TrustValidatorBuilder.ValidatorBasic
        public boolean validateAll() {
            return super.validateAll() && validateLeaf();
        }

        public ValidatorWithLeafState upgradeWithLeafState() {
            if (validateAll()) {
                return new ValidatorWithLeafState(this, this._leaf, this._digestPublicKey, this._roleFound);
            }
            throw new RuntimeException("Attempted to upgrade validator but its in a failed state");
        }
    }

    public TrustValidatorBuilder withLogger(LoggerHook loggerHook) {
        this.LOG = loggerHook;
        return this;
    }

    public TrustValidatorBuilder withSavedDatas(Map<UUID, MessageDataDto> map) {
        this.savedDatas = map;
        return this;
    }

    public TrustValidatorBuilder withFailureCallback(Consumer<Failure> consumer) {
        this.onFailure = consumer;
        return this;
    }

    public TrustValidatorBuilder withGetDataCallback(Function<UUID, DataContainer> function) {
        this.onGetData = function;
        return this;
    }

    public TrustValidatorBuilder withGetRootOfTrust(Function<UUID, MessageDataHeaderDto> function) {
        this.onGetRootOfTrust = function;
        return this;
    }

    public TrustValidatorBuilder withGetPublicKeyCallback(Function<String, MessagePublicKeyDto> function) {
        this.onGetPublicKey = function;
        return this;
    }

    public ValidatorBasic build(IPartitionKey iPartitionKey, MessageDataDto messageDataDto) {
        return new ValidatorBasic(iPartitionKey, messageDataDto);
    }

    public boolean validate(IPartitionKey iPartitionKey, MessageDataDto messageDataDto) {
        ValidatorBasic build = build(iPartitionKey, messageDataDto);
        try {
            if (!build.validateAll()) {
                return false;
            }
            ValidatorWithParentState upgradeWithParentChecks = build.upgradeWithParentChecks();
            if (upgradeWithParentChecks.validateAll()) {
                return upgradeWithParentChecks.upgradeWithLeafState().validateAll();
            }
            return false;
        } catch (Throwable th) {
            this.d.debugLogging.logTrustValidationException(th);
            failure(build.header, th.getMessage());
            return false;
        }
    }

    protected DataContainer getData(UUID uuid) {
        if (this.onGetData != null) {
            return this.onGetData.apply(uuid);
        }
        throw new RuntimeException("ValidatorBasic attempted to load a data but no callback was supplied to load one.");
    }

    protected MessageDataHeaderDto getRootOfTrust(UUID uuid) {
        if (this.onGetRootOfTrust != null) {
            return this.onGetRootOfTrust.apply(uuid);
        }
        throw new RuntimeException("ValidatorBasic attempted to load the root of trust but no callback was supplied to load one.");
    }

    protected MessagePublicKeyDto getPublicKey(String str) {
        if (this.onGetPublicKey != null) {
            return this.onGetPublicKey.apply(str);
        }
        throw new RuntimeException("ValidatorBasic attempted to load a public key but no callback was supplied to load one.");
    }

    protected void failure(MessageDataHeaderDto messageDataHeaderDto, String str) {
        Failure failure = new Failure(this.LOG, messageDataHeaderDto, str);
        if (this.onFailure != null) {
            this.onFailure.accept(failure);
        } else {
            this.d.genericLogger.warn(str);
        }
    }
}
