package com.google.cloud.storage.it;

import com.google.api.gax.paging.Page;
import com.google.auth.Credentials;
import com.google.cloud.WriteChannel;
import com.google.cloud.kms.v1.CreateCryptoKeyRequest;
import com.google.cloud.kms.v1.CreateKeyRingRequest;
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.GetCryptoKeyRequest;
import com.google.cloud.kms.v1.GetKeyRingRequest;
import com.google.cloud.kms.v1.KeyManagementServiceGrpc;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.LocationName;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.CopyWriter;
import com.google.cloud.storage.DataGeneration;
import com.google.cloud.storage.ServiceAccount;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageException;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.TransportCompatibility;
import com.google.cloud.storage.it.runner.StorageITRunner;
import com.google.cloud.storage.it.runner.annotations.Backend;
import com.google.cloud.storage.it.runner.annotations.CrossRun;
import com.google.cloud.storage.it.runner.annotations.Inject;
import com.google.cloud.storage.it.runner.registry.Generator;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterators;
import com.google.common.io.BaseEncoding;
import com.google.common.truth.Truth;
import com.google.iam.v1.Binding;
import com.google.iam.v1.IAMPolicyGrpc;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import io.grpc.ClientInterceptor;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.Metadata;
import io.grpc.Status;
import io.grpc.StatusRuntimeException;
import io.grpc.auth.MoreCallCredentials;
import io.grpc.stub.MetadataUtils;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Iterator;
import java.util.Random;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;

@CrossRun(transports = {TransportCompatibility.Transport.HTTP, TransportCompatibility.Transport.GRPC}, backends = {Backend.PROD})
@RunWith(StorageITRunner.class)
/* loaded from: input_file:com/google/cloud/storage/it/ITKmsTest.class */
public class ITKmsTest {
    private static final long seed = -7071346537822433445L;
    private String kmsKeyOneResourcePath;
    private String kmsKeyTwoResourcePath;
    private static final String KMS_KEY_RING_NAME = "gcs_test_kms_key_ring";
    private static final String KMS_KEY_RING_LOCATION = "us";
    private static final String KMS_KEY_ONE_NAME = "gcs_kms_key_one";
    private static final String KMS_KEY_TWO_NAME = "gcs_kms_key_two";
    private ManagedChannel kmsChannel;
    private static final String BLOB_STRING_CONTENT = "Hello Google Cloud Storage!";
    private static final String CONTENT_TYPE = "text/plain";

    @Inject
    public Storage storage;

    @Inject
    public BucketInfo bucket;

    @Inject
    public Generator generator;
    private static Metadata.Key<String> requestParamsKey = Metadata.Key.of("x-goog-request-params", Metadata.ASCII_STRING_MARSHALLER);
    private static final Logger log = Logger.getLogger(ITKmsTest.class.getName());
    private static final byte[] BLOB_BYTE_CONTENT = {13, 14, 10, 13};
    private static final String BASE64_KEY = "JVzfVl8NLD9FjedFuStegjRfES5ll5zc59CIXw572OA=";
    private static final Key KEY = new SecretKeySpec(BaseEncoding.base64().decode(BASE64_KEY), "AES256");

    @Rule
    public final DataGeneration dataGeneration = new DataGeneration(new Random(seed));
    private Metadata requestParamsHeader = new Metadata();

    @Before
    public void setup() {
        StorageOptions options = this.storage.getOptions();
        String projectId = options.getProjectId();
        Credentials credentials = options.getCredentials();
        this.kmsChannel = ManagedChannelBuilder.forTarget("cloudkms.googleapis.com:443").build();
        KeyManagementServiceGrpc.KeyManagementServiceBlockingStub keyManagementServiceBlockingStub = (KeyManagementServiceGrpc.KeyManagementServiceBlockingStub) KeyManagementServiceGrpc.newBlockingStub(this.kmsChannel).withCallCredentials(MoreCallCredentials.from(credentials));
        IAMPolicyGrpc.IAMPolicyBlockingStub iAMPolicyBlockingStub = (IAMPolicyGrpc.IAMPolicyBlockingStub) IAMPolicyGrpc.newBlockingStub(this.kmsChannel).withCallCredentials(MoreCallCredentials.from(credentials));
        ensureKmsKeyRingExistsForTests(keyManagementServiceBlockingStub, projectId, KMS_KEY_RING_LOCATION, KMS_KEY_RING_NAME);
        ensureKmsKeyRingIamPermissionsForTests(iAMPolicyBlockingStub, projectId, KMS_KEY_RING_LOCATION, KMS_KEY_RING_NAME);
        this.kmsKeyOneResourcePath = ensureKmsKeyExistsForTests(keyManagementServiceBlockingStub, projectId, KMS_KEY_RING_LOCATION, KMS_KEY_RING_NAME, KMS_KEY_ONE_NAME);
        this.kmsKeyTwoResourcePath = ensureKmsKeyExistsForTests(keyManagementServiceBlockingStub, projectId, KMS_KEY_RING_LOCATION, KMS_KEY_RING_NAME, KMS_KEY_TWO_NAME);
    }

    @After
    public void after() {
        if (this.kmsChannel != null) {
            try {
                this.kmsChannel.shutdownNow();
            } catch (Exception e) {
                log.log(Level.WARNING, "Error while trying to shutdown kms channel", (Throwable) e);
            }
            this.kmsChannel = null;
        }
    }

    private String ensureKmsKeyRingExistsForTests(KeyManagementServiceGrpc.KeyManagementServiceBlockingStub keyManagementServiceBlockingStub, String str, String str2, String str3) throws StatusRuntimeException {
        String keyRingName = KeyRingName.of(str, str2, str3).toString();
        try {
            GetKeyRingRequest build = GetKeyRingRequest.newBuilder().setName(keyRingName).build();
            this.requestParamsHeader.put(requestParamsKey, "name=" + keyRingName);
            keyManagementServiceBlockingStub.withInterceptors(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.requestParamsHeader)}).getKeyRing(build);
        } catch (StatusRuntimeException e) {
            if (e.getStatus().getCode() != Status.Code.NOT_FOUND) {
                throw e;
            }
            String locationName = LocationName.of(str, str2).toString();
            CreateKeyRingRequest build2 = CreateKeyRingRequest.newBuilder().setParent(locationName).setKeyRingId(str3).build();
            this.requestParamsHeader.put(requestParamsKey, "parent=" + locationName);
            keyManagementServiceBlockingStub.withInterceptors(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.requestParamsHeader)}).createKeyRing(build2);
        }
        return keyRingName;
    }

    private void ensureKmsKeyRingIamPermissionsForTests(IAMPolicyGrpc.IAMPolicyBlockingStub iAMPolicyBlockingStub, String str, String str2, String str3) throws StatusRuntimeException {
        ServiceAccount serviceAccount = this.storage.getServiceAccount(str);
        String keyRingName = KeyRingName.of(str, str2, str3).toString();
        SetIamPolicyRequest build = SetIamPolicyRequest.newBuilder().setResource(keyRingName).setPolicy(Policy.newBuilder().addBindings(Binding.newBuilder().setRole("roles/cloudkms.cryptoKeyEncrypterDecrypter").addMembers("serviceAccount:" + serviceAccount.getEmail()).build()).build()).build();
        this.requestParamsHeader.put(requestParamsKey, "parent=" + keyRingName);
        try {
            iAMPolicyBlockingStub.withInterceptors(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.requestParamsHeader)}).setIamPolicy(build);
        } catch (StatusRuntimeException e) {
            if (log.isLoggable(Level.WARNING)) {
                log.log(Level.WARNING, "Unable to set IAM policy: {0}", e.getMessage());
            }
        }
    }

    private String ensureKmsKeyExistsForTests(KeyManagementServiceGrpc.KeyManagementServiceBlockingStub keyManagementServiceBlockingStub, String str, String str2, String str3, String str4) throws StatusRuntimeException {
        String cryptoKeyName = CryptoKeyName.of(str, str2, str3, str4).toString();
        try {
            this.requestParamsHeader.put(requestParamsKey, "name=" + cryptoKeyName);
            keyManagementServiceBlockingStub.withInterceptors(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.requestParamsHeader)}).getCryptoKey(GetCryptoKeyRequest.newBuilder().setName(cryptoKeyName).build());
        } catch (StatusRuntimeException e) {
            if (e.getStatus().getCode() != Status.Code.NOT_FOUND) {
                throw e;
            }
            String keyRingName = KeyRingName.of(str, str2, str3).toString();
            CreateCryptoKeyRequest build = CreateCryptoKeyRequest.newBuilder().setCryptoKeyId(str4).setParent(keyRingName).setCryptoKey(CryptoKey.newBuilder().setPurpose(CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT).build()).build();
            this.requestParamsHeader.put(requestParamsKey, "parent=" + keyRingName);
            keyManagementServiceBlockingStub.withInterceptors(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.requestParamsHeader)}).createCryptoKey(build);
        }
        return cryptoKeyName;
    }

    @Test
    public void testClearBucketDefaultKmsKeyName() {
        String randomBucketName = this.generator.randomBucketName();
        Bucket create = this.storage.create(BucketInfo.newBuilder(randomBucketName).setDefaultKmsKeyName(this.kmsKeyOneResourcePath).setLocation(KMS_KEY_RING_LOCATION).build(), new Storage.BucketTargetOption[0]);
        try {
            Assert.assertEquals(this.kmsKeyOneResourcePath, create.getDefaultKmsKeyName());
            Assert.assertNull(create.toBuilder().setDefaultKmsKeyName((String) null).build().update(new Storage.BucketTargetOption[0]).getDefaultKmsKeyName());
            BucketCleaner.doCleanup(randomBucketName, this.storage);
        } catch (Throwable th) {
            BucketCleaner.doCleanup(randomBucketName, this.storage);
            throw th;
        }
    }

    @Test
    public void testUpdateBucketDefaultKmsKeyName() {
        String randomBucketName = this.generator.randomBucketName();
        Bucket create = this.storage.create(BucketInfo.newBuilder(randomBucketName).setDefaultKmsKeyName(this.kmsKeyOneResourcePath).setLocation(KMS_KEY_RING_LOCATION).build(), new Storage.BucketTargetOption[0]);
        try {
            Assert.assertEquals(this.kmsKeyOneResourcePath, create.getDefaultKmsKeyName());
            Assert.assertEquals(this.kmsKeyTwoResourcePath, create.toBuilder().setDefaultKmsKeyName(this.kmsKeyTwoResourcePath).build().update(new Storage.BucketTargetOption[0]).getDefaultKmsKeyName());
            BucketCleaner.doCleanup(randomBucketName, this.storage);
        } catch (Throwable th) {
            BucketCleaner.doCleanup(randomBucketName, this.storage);
            throw th;
        }
    }

    @Test
    public void testCreateBlobWithKmsKeyName() {
        String name = this.bucket.getName();
        BlobInfo build = BlobInfo.newBuilder(name, "test-create-with-kms-key-name-blob").build();
        Blob create = this.storage.create(build, BLOB_BYTE_CONTENT, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)});
        Assert.assertNotNull(create);
        Assert.assertEquals(build.getBucket(), create.getBucket());
        Assert.assertEquals(build.getName(), create.getName());
        Assert.assertNotNull(create.getKmsKeyName());
        Assert.assertTrue(create.getKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
        Assert.assertArrayEquals(BLOB_BYTE_CONTENT, this.storage.readAllBytes(name, "test-create-with-kms-key-name-blob", new Storage.BlobSourceOption[0]));
    }

    @Test(expected = StorageException.class)
    public void testCreateBlobWithKmsKeyNameAndCustomerSuppliedKeyFails() {
        this.storage.create(BlobInfo.newBuilder(this.bucket, "test-create-with-kms-key-name-blob").build(), BLOB_BYTE_CONTENT, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.encryptionKey(KEY), Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)});
    }

    @Test
    public void testCreateBlobWithDefaultKmsKeyName() {
        String randomBucketName = this.generator.randomBucketName();
        Bucket create = this.storage.create(BucketInfo.newBuilder(randomBucketName).setDefaultKmsKeyName(this.kmsKeyOneResourcePath).setLocation(KMS_KEY_RING_LOCATION).build(), new Storage.BucketTargetOption[0]);
        Assert.assertEquals(create.getDefaultKmsKeyName(), this.kmsKeyOneResourcePath);
        try {
            BlobInfo build = BlobInfo.newBuilder(create, "test-create-with-default-kms-key-name-blob").build();
            Blob create2 = this.storage.create(build, BLOB_BYTE_CONTENT, new Storage.BlobTargetOption[0]);
            Assert.assertNotNull(create2);
            Assert.assertEquals(build.getBucket(), create2.getBucket());
            Assert.assertEquals(build.getName(), create2.getName());
            Assert.assertNotNull(create2.getKmsKeyName());
            Assert.assertTrue(create2.getKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
            Assert.assertArrayEquals(BLOB_BYTE_CONTENT, this.storage.readAllBytes(randomBucketName, "test-create-with-default-kms-key-name-blob", new Storage.BlobSourceOption[0]));
            BucketCleaner.doCleanup(randomBucketName, this.storage);
        } catch (Throwable th) {
            BucketCleaner.doCleanup(randomBucketName, this.storage);
            throw th;
        }
    }

    @Test
    public void testGetBlobKmsKeyNameField() {
        BlobInfo build = BlobInfo.newBuilder(this.bucket, "test-get-selected-kms-key-name-field-blob").setContentType(CONTENT_TYPE).build();
        Assert.assertNotNull(this.storage.create(build, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)}));
        Blob blob = this.storage.get(build.getBlobId(), new Storage.BlobGetOption[]{Storage.BlobGetOption.fields(new Storage.BlobField[]{Storage.BlobField.KMS_KEY_NAME})});
        Assert.assertEquals(build.getBlobId(), blob.getBlobId());
        Assert.assertTrue(blob.getKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
        Assert.assertNull(blob.getContentType());
    }

    @Test(timeout = 5000)
    public void testListBlobsKmsKeySelectedFields() throws InterruptedException {
        Page page;
        String[] strArr = {"test-list-blobs-selected-field-kms-key-name-blob1", "test-list-blobs-selected-field-kms-key-name-blob2"};
        BlobInfo build = BlobInfo.newBuilder(this.bucket, strArr[0]).setContentType(CONTENT_TYPE).build();
        BlobInfo build2 = BlobInfo.newBuilder(this.bucket, strArr[1]).setContentType(CONTENT_TYPE).build();
        Blob create = this.storage.create(build, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)});
        Blob create2 = this.storage.create(build2, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)});
        Assert.assertNotNull(create);
        Assert.assertNotNull(create2);
        Page list = this.storage.list(this.bucket.getName(), new Storage.BlobListOption[]{Storage.BlobListOption.prefix("test-list-blobs-selected-field-kms-key-name-blob"), Storage.BlobListOption.fields(new Storage.BlobField[]{Storage.BlobField.KMS_KEY_NAME})});
        while (true) {
            page = list;
            if (Iterators.size(page.iterateAll().iterator()) == 2) {
                break;
            }
            Thread.sleep(500L);
            list = this.storage.list(this.bucket.getName(), new Storage.BlobListOption[]{Storage.BlobListOption.prefix("test-list-blobs-selected-field-kms-key-name-blob"), Storage.BlobListOption.fields(new Storage.BlobField[]{Storage.BlobField.KMS_KEY_NAME})});
        }
        ImmutableSet of = ImmutableSet.of(strArr[0], strArr[1]);
        for (Blob blob : page.iterateAll()) {
            Assert.assertEquals(this.bucket.getName(), blob.getBucket());
            Assert.assertTrue(of.contains(blob.getName()));
            Assert.assertTrue(blob.getKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
            Assert.assertNull(blob.getContentType());
        }
    }

    @Test
    @CrossRun.Exclude(transports = {TransportCompatibility.Transport.GRPC})
    public void testRotateFromCustomerEncryptionToKmsKey() {
        BlobId of = BlobId.of(this.bucket.getName(), "test-copy-blob-encryption-key-source");
        ImmutableMap of2 = ImmutableMap.of("k", "v");
        Assert.assertNotNull(this.storage.create(BlobInfo.newBuilder(of).build(), BLOB_BYTE_CONTENT, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.encryptionKey(KEY)}));
        CopyWriter copy = this.storage.copy(Storage.CopyRequest.newBuilder().setSource(of).setSourceOptions(new Storage.BlobSourceOption[]{Storage.BlobSourceOption.decryptionKey(BASE64_KEY)}).setTarget(BlobInfo.newBuilder(this.bucket, "test-copy-blob-kms-key-target").setContentType(CONTENT_TYPE).setMetadata(of2).build(), new Storage.BlobTargetOption[]{Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)}).build());
        Assert.assertEquals(this.bucket.getName(), copy.getResult().getBucket());
        Assert.assertEquals("test-copy-blob-kms-key-target", copy.getResult().getName());
        Assert.assertEquals(CONTENT_TYPE, copy.getResult().getContentType());
        Assert.assertNotNull(copy.getResult().getKmsKeyName());
        Assert.assertTrue(copy.getResult().getKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
        Assert.assertArrayEquals(BLOB_BYTE_CONTENT, copy.getResult().getContent(new Blob.BlobSourceOption[0]));
        Assert.assertEquals(of2, copy.getResult().getMetadata());
        Assert.assertTrue(copy.isDone());
        Assert.assertTrue(this.storage.delete(this.bucket.getName(), "test-copy-blob-kms-key-target", new Storage.BlobSourceOption[0]));
    }

    @Test(expected = StorageException.class)
    public void testRotateFromCustomerEncryptionToKmsKeyWithCustomerEncryption() {
        BlobId of = BlobId.of(this.bucket.getName(), "test-copy-blob-encryption-key-source");
        ImmutableMap of2 = ImmutableMap.of("k", "v");
        Assert.assertNotNull(this.storage.create(BlobInfo.newBuilder(of).build(), BLOB_BYTE_CONTENT, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.encryptionKey(KEY)}));
        this.storage.copy(Storage.CopyRequest.newBuilder().setSource(of).setSourceOptions(new Storage.BlobSourceOption[]{Storage.BlobSourceOption.decryptionKey(BASE64_KEY)}).setTarget(BlobInfo.newBuilder(this.bucket, "test-copy-blob-kms-key-target").setContentType(CONTENT_TYPE).setMetadata(of2).build(), new Storage.BlobTargetOption[]{Storage.BlobTargetOption.encryptionKey(KEY), Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)}).build());
    }

    @Test
    public void testListBucketDefaultKmsKeyName() throws InterruptedException {
        String randomBucketName = this.generator.randomBucketName();
        Bucket create = this.storage.create(BucketInfo.newBuilder(randomBucketName).setDefaultKmsKeyName(this.kmsKeyOneResourcePath).setLocation(KMS_KEY_RING_LOCATION).build(), new Storage.BucketTargetOption[0]);
        Assert.assertNotNull(create);
        Assert.assertTrue(create.getDefaultKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
        try {
            Iterator it = this.storage.list(new Storage.BucketListOption[]{Storage.BucketListOption.prefix(randomBucketName), Storage.BucketListOption.fields(new Storage.BucketField[]{Storage.BucketField.ENCRYPTION})}).iterateAll().iterator();
            while (!it.hasNext()) {
                Thread.sleep(500L);
                it = this.storage.list(new Storage.BucketListOption[]{Storage.BucketListOption.prefix(randomBucketName), Storage.BucketListOption.fields(new Storage.BucketField[]{Storage.BucketField.ENCRYPTION})}).iterateAll().iterator();
            }
            while (it.hasNext()) {
                Bucket bucket = (Bucket) it.next();
                Assert.assertTrue(bucket.getName().startsWith(randomBucketName));
                Assert.assertNotNull(bucket.getDefaultKmsKeyName());
                Assert.assertTrue(bucket.getDefaultKmsKeyName().startsWith(this.kmsKeyOneResourcePath));
            }
        } finally {
            BucketCleaner.doCleanup(randomBucketName, this.storage);
        }
    }

    @Test
    public void testWriterWithKmsKeyName() throws IOException {
        Blob create = this.storage.create(BlobInfo.newBuilder(this.bucket, "test-empty-blob").build(), new Storage.BlobTargetOption[]{Storage.BlobTargetOption.kmsKeyName(this.kmsKeyOneResourcePath)});
        byte[] bytes = BLOB_STRING_CONTENT.getBytes(StandardCharsets.UTF_8);
        WriteChannel writer = create.writer(new Storage.BlobWriteOption[0]);
        Throwable th = null;
        try {
            try {
                int write = writer.write(ByteBuffer.wrap(bytes, 0, bytes.length));
                if (writer != null) {
                    if (0 != 0) {
                        try {
                            writer.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        writer.close();
                    }
                }
                Truth.assertThat(Integer.valueOf(write)).isEqualTo(Integer.valueOf(bytes.length));
                Truth.assertThat(create.getKmsKeyName()).isNotNull();
                Truth.assertThat(Boolean.valueOf(this.storage.delete(this.bucket.getName(), "test-empty-blob", new Storage.BlobSourceOption[0]))).isTrue();
            } finally {
            }
        } catch (Throwable th3) {
            if (writer != null) {
                if (th != null) {
                    try {
                        writer.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    writer.close();
                }
            }
            throw th3;
        }
    }
}
