package com.google.cloud.broker.encryption.backends;

import com.google.api.client.googleapis.util.Utils;
import com.google.api.services.cloudkms.v1.CloudKMS;
import com.google.api.services.cloudkms.v1.model.DecryptRequest;
import com.google.api.services.cloudkms.v1.model.DecryptResponse;
import com.google.api.services.cloudkms.v1.model.EncryptRequest;
import com.google.api.services.cloudkms.v1.model.EncryptResponse;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.cloud.WriteChannel;
import com.google.cloud.broker.oauth.GoogleCredentialsFactory;
import com.google.cloud.broker.settings.AppSettings;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.JsonKeysetWriter;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetReader;
import com.google.crypto.tink.KeysetWriter;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.proto.EncryptedKeyset;
import com.google.crypto.tink.proto.KeyTemplate;
import com.google.crypto.tink.proto.Keyset;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.channels.Channels;
import java.nio.channels.WritableByteChannel;
import java.security.GeneralSecurityException;
import java.util.Objects;

/* loaded from: input_file:com/google/cloud/broker/encryption/backends/CloudKMSBackend.class */
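/**
 * Envelope-encryption backend.
 *
 * <p>Data is encrypted locally with a Tink AES-256-GCM data-encryption keyset (the DEK). The DEK
 * itself is stored in Cloud Storage in wrapped form only: Tink encrypts the keyset with a key-encryption
 * key (the KEK) that lives in Cloud KMS and is never exported. Cloud KMS therefore only ever sees the
 * small keyset, never the payloads passed to {@link #encrypt(byte[])} and {@link #decrypt(byte[])}.
 *
 * <p>Configuration comes from {@link AppSettings}: {@code encryption.cloud-kms.kek-uri} names the KMS
 * key and {@code encryption.cloud-kms.dek-uri} the {@code gs://} location of the wrapped keyset.
 */
public class CloudKMSBackend extends AbstractEncryptionBackend {

    /** KEK URI value that selects an ephemeral, in-process key instead of Cloud KMS (test use). */
    private static final String MEMORY = "memory";
    private static final String KEK_URI_SETTING = "encryption.cloud-kms.kek-uri";
    private static final String DEK_URI_SETTING = "encryption.cloud-kms.dek-uri";
    private static final String STORAGE_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write";
    private static final String KMS_SCOPE = "https://www.googleapis.com/auth/cloudkms";

    /** Template for every newly generated DEK; assigned exactly once by the static initializer. */
    private static final KeyTemplate KEY_TEMPLATE;

    static {
        try {
            // Tink cannot hand out AEAD primitives until the AEAD key managers are registered.
            AeadConfig.register();
            KEY_TEMPLATE = AeadKeyTemplates.AES256_GCM;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Failed to register Tink Aead", e);
        }
    }

    /** The DEK primitive: unwrapped from Cloud Storage + KMS, or generated in memory. */
    private final Aead aead;

    /**
     * Persists the wrapped (KMS-encrypted) DEK keyset as a single Cloud Storage object.
     *
     * <p>Only the encrypted keyset form is supported. The cleartext {@link Keyset} methods throw
     * {@link UnsupportedOperationException}, so an unwrapped DEK can never reach Cloud Storage
     * through this class.
     */
    public static class CloudStorageKeysetManager implements KeysetWriter, KeysetReader {
        private final BlobId dekBlob;
        private final Storage storageClient;

        /**
         * @param dekUri  {@code gs://bucket/object} style URI of the wrapped keyset
         * @param storage client used for every read and write
         * @throws RuntimeException         if {@code dekUri} is not a syntactically valid URI
         * @throws IllegalArgumentException if the URI names no bucket or no object
         */
        CloudStorageKeysetManager(String dekUri, Storage storage) {
            URI parsed;
            try {
                parsed = new URI(dekUri);
            } catch (URISyntaxException e) {
                throw new RuntimeException(e);
            }
            String bucket = parsed.getAuthority();
            String path = parsed.getPath();
            // URI.getPath() keeps the leading '/'; BlobId wants the bare object name, so the path
            // must hold at least one character beyond the slash (otherwise substring(1) fails later).
            if (bucket == null || path == null || path.length() < 2) {
                throw new IllegalArgumentException(
                        "DEK URI must name a bucket and an object, got: " + dekUri);
            }
            this.dekBlob = BlobId.of(bucket, path.substring(1));
            this.storageClient = Objects.requireNonNull(storage, "storage");
        }

        /** Cleartext keysets are never read; see the class comment. */
        public Keyset read() throws IOException {
            throw new UnsupportedOperationException("only encrypted keysets are supported");
        }

        /**
         * Downloads the whole object and parses it as a Tink JSON {@link EncryptedKeyset}.
         *
         * @throws IOException if the download or the JSON parsing fails
         */
        public EncryptedKeyset readEncrypted() throws IOException {
            byte[] json = storageClient.readAllBytes(dekBlob);
            return JsonKeysetReader.withBytes(json).readEncrypted();
        }

        /** Cleartext keysets are never written; see the class comment. */
        public void write(Keyset keyset) throws IOException {
            throw new UnsupportedOperationException("only encrypted keysets are supported");
        }

        /**
         * Replaces the object with the JSON encoding of {@code encryptedKeyset}.
         *
         * <p>The stream and the upload channel are both closed by try-with-resources (stream first,
         * then channel), so a failure while serializing no longer leaks an open upload.
         *
         * @throws IOException if serializing or uploading fails
         */
        public void write(EncryptedKeyset encryptedKeyset) throws IOException {
            BlobInfo target = BlobInfo.newBuilder(dekBlob).build();
            try (WriteChannel channel = storageClient.writer(target);
                 OutputStream out = Channels.newOutputStream(channel)) {
                JsonKeysetWriter.withOutputStream(out).write(encryptedKeyset);
            }
        }
    }

    /**
     * Tink {@link Aead} whose encrypt/decrypt calls are executed by a Cloud KMS key (the KEK).
     *
     * <p>Within this backend it is used exclusively as the master key that wraps and unwraps the
     * DEK keyset; payload bytes never pass through it.
     */
    public static final class GcpKmsAead implements Aead {
        private final CloudKMS kmsClient;
        private final String kekUri;

        /**
         * @param kmsClient authenticated Cloud KMS client
         * @param kekUri    full resource name of the KMS crypto key
         * @throws GeneralSecurityException declared for API compatibility; this constructor does not throw it
         */
        GcpKmsAead(CloudKMS kmsClient, String kekUri) throws GeneralSecurityException {
            this.kmsClient = Objects.requireNonNull(kmsClient, "kmsClient");
            this.kekUri = Objects.requireNonNull(kekUri, "kekUri");
        }

        /**
         * Encrypts with KMS; {@code associatedData} is sent as the additional authenticated data.
         *
         * @throws GeneralSecurityException wrapping any transport or API failure
         */
        public byte[] encrypt(byte[] plaintext, byte[] associatedData) throws GeneralSecurityException {
            try {
                EncryptRequest request = new EncryptRequest()
                        .encodePlaintext(plaintext)
                        .encodeAdditionalAuthenticatedData(associatedData);
                EncryptResponse response = kmsClient.projects().locations().keyRings().cryptoKeys()
                        .encrypt(kekUri, request)
                        .execute();
                return response.decodeCiphertext();
            } catch (IOException e) {
                throw new GeneralSecurityException("encryption failed", e);
            }
        }

        /**
         * Decrypts with KMS; {@code associatedData} must match what was supplied at encryption time.
         *
         * @throws GeneralSecurityException wrapping any transport or API failure
         */
        public byte[] decrypt(byte[] ciphertext, byte[] associatedData) throws GeneralSecurityException {
            try {
                DecryptRequest request = new DecryptRequest()
                        .encodeCiphertext(ciphertext)
                        .encodeAdditionalAuthenticatedData(associatedData);
                DecryptResponse response = kmsClient.projects().locations().keyRings().cryptoKeys()
                        .decrypt(kekUri, request)
                        .execute();
                return response.decodePlaintext();
            } catch (IOException e) {
                throw new GeneralSecurityException("decryption failed", e);
            }
        }
    }

    /**
     * Builds the backend from application settings.
     *
     * <p>If the KEK URI equals {@code "memory"} (case-insensitive) a fresh DEK is generated in
     * process and never persisted: anything encrypted with it is unrecoverable after a restart, so
     * that mode is only suitable for local testing. Otherwise the wrapped keyset at the DEK URI is
     * downloaded and unwrapped with the KMS key.
     *
     * @throws RuntimeException if the keyset cannot be generated or loaded
     */
    public CloudKMSBackend() {
        AppSettings settings = AppSettings.getInstance();
        String kekUri = settings.getString(KEK_URI_SETTING);
        String dekUri = settings.getString(DEK_URI_SETTING);
        // Constant on the left so a missing setting falls through to the KMS path (and its
        // explicit error) instead of a bare NullPointerException here.
        if (MEMORY.equalsIgnoreCase(kekUri)) {
            try {
                this.aead = KeysetHandle.generateNew(KEY_TEMPLATE).getPrimitive(Aead.class);
            } catch (GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
        } else {
            try {
                this.aead = readKeyset(dekUri, kekUri, getStorageClient(), getKMSClient())
                        .getPrimitive(Aead.class);
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Failed to initialize encryption backend", e);
            }
        }
    }

    /**
     * Decrypts {@code ciphertext} with the DEK. No associated data is bound, matching {@link #encrypt}.
     *
     * @throws RuntimeException wrapping the {@link GeneralSecurityException} Tink raises when the
     *                          ciphertext cannot be authenticated and decrypted
     */
    public byte[] decrypt(byte[] ciphertext) {
        try {
            return aead.decrypt(ciphertext, null);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Encrypts {@code plaintext} with the DEK. No associated data is bound.
     *
     * @throws RuntimeException wrapping any {@link GeneralSecurityException} from Tink
     */
    public byte[] encrypt(byte[] plaintext) {
        try {
            return aead.encrypt(plaintext, null);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /** Cloud Storage client scoped to object read/write only, using the broker's own credentials. */
    private static Storage getStorageClient() {
        // The boolean argument is passed through unchanged; its meaning is defined by GoogleCredentialsFactory.
        return StorageOptions.newBuilder()
                .setCredentials(
                        GoogleCredentialsFactory.createCredentialsDetails(false, new String[] {STORAGE_SCOPE})
                                .getCredentials())
                .build()
                .getService();
    }

    /** Cloud KMS client scoped to the KMS API only, using the broker's own credentials. */
    private static CloudKMS getKMSClient() {
        // The boolean argument is passed through unchanged; its meaning is defined by GoogleCredentialsFactory.
        return new CloudKMS.Builder(
                        Utils.getDefaultTransport(),
                        Utils.getDefaultJsonFactory(),
                        new HttpCredentialsAdapter(
                                GoogleCredentialsFactory.createCredentialsDetails(false, new String[] {KMS_SCOPE})
                                        .getCredentials()))
                .build();
    }

    /**
     * Downloads the wrapped keyset at {@code dekUri} and unwraps it with the KMS key at {@code kekUri}.
     *
     * @throws RuntimeException if the download, the KMS call or the keyset parsing fails
     */
    private static KeysetHandle readKeyset(String dekUri, String kekUri, Storage storage, CloudKMS kms) {
        try {
            return KeysetHandle.read(new CloudStorageKeysetManager(dekUri, storage), new GcpKmsAead(kms, kekUri));
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException("Failed to read Keyset `" + dekUri + "` with KMS key `" + kekUri + "`", e);
        }
    }

    /**
     * Generates a new AES-256-GCM DEK keyset, wraps it with the KMS key at {@code kekUri} and stores
     * it at {@code dekUri} using freshly built Storage and KMS clients.
     *
     * <p>Any object already at {@code dekUri} is overwritten without a precondition check. Data
     * encrypted under the previous DEK cannot be decrypted afterwards, so callers rotating keys must
     * make sure that is intended.
     *
     * @return the handle of the newly generated keyset
     * @throws RuntimeException if generation, wrapping or the upload fails
     */
    public static KeysetHandle generateAndWrite(String dekUri, String kekUri) {
        return generateAndWrite(KEY_TEMPLATE, dekUri, kekUri, getStorageClient(), getKMSClient());
    }

    /** Same as {@link #generateAndWrite(String, String)} with the template and clients injected. */
    private static KeysetHandle generateAndWrite(
            KeyTemplate keyTemplate, String dekUri, String kekUri, Storage storage, CloudKMS kms) {
        try {
            GcpKmsAead kek = new GcpKmsAead(kms, kekUri);
            CloudStorageKeysetManager store = new CloudStorageKeysetManager(dekUri, storage);
            KeysetHandle handle = KeysetHandle.generateNew(keyTemplate);
            // write(writer, masterKey) encrypts the keyset with the KEK before it reaches the writer.
            handle.write(store, kek);
            return handle;
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException("Failed to write Keyset `" + dekUri + "` with KMS key `" + kekUri + "`", e);
        }
    }
}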
