package io.confluent.kafka.schemaregistry.encryption.azure;

import com.azure.core.credential.TokenCredential;
import com.azure.core.http.HttpPipeline;
import com.azure.core.http.HttpPipelineBuilder;
import com.azure.core.http.policy.ExponentialBackoff;
import com.azure.core.http.policy.HttpPipelinePolicy;
import com.azure.core.http.policy.RetryPolicy;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.EncryptionAlgorithm;
import com.azure.security.keyvault.keys.implementation.KeyVaultCredentialPolicy;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.subtle.Validators;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.util.Locale;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/azure/AzureKmsClient.class */
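/**
 * Tink {@link KmsClient} backed by Azure Key Vault.
 *
 * <p>Key URIs handled by this client start with {@link #PREFIX}; the remainder of the URI is
 * passed as-is to {@link CryptographyClientBuilder#keyIdentifier(String)}. The resulting
 * {@link Aead} wraps and unwraps data with the configured {@link EncryptionAlgorithm}.
 *
 * <p>Configuration methods ({@code withCredentialsProvider}, {@code withCryptographyClient})
 * mutate this instance and are not synchronized; configure the client before sharing it.
 */
public final class AzureKmsClient implements KmsClient {
    /** URI scheme every key URI handled by this client must start with (compared case-insensitively). */
    public static final String PREFIX = "azure-kms://";

    /** Wrapping algorithm used when the caller does not choose one explicitly. */
    private static final EncryptionAlgorithm DEFAULT_ENCRYPTION_ALGORITHM = EncryptionAlgorithm.RSA_OAEP_256;

    // Retry schedule for Key Vault calls: RETRY_MAX_ATTEMPTS retries with exponential backoff
    // starting at RETRY_BASE_DELAY and capped at RETRY_MAX_DELAY. Same values previously inlined.
    private static final int RETRY_MAX_ATTEMPTS = 5;
    private static final Duration RETRY_BASE_DELAY = Duration.ofSeconds(1L);
    private static final Duration RETRY_MAX_DELAY = Duration.ofSeconds(16L);

    /** Key URI this client is bound to, or {@code null} when it accepts any URI carrying {@link #PREFIX}. */
    private final String keyUri;
    /** Algorithm handed to the {@code AzureKmsAead} built by {@link #getAead(String)}. */
    private final EncryptionAlgorithm algorithm;
    /** Credential for Key Vault; {@code null} means "build a DefaultAzureCredential on demand". */
    private TokenCredential provider;
    /** Optional caller-supplied client; when set, {@link #getAead(String)} does not build one. */
    private CryptographyClient cryptographyClient;

    /** Creates a client bound to no particular key: it accepts any URI starting with {@link #PREFIX}. */
    public AzureKmsClient() {
        this.keyUri = null;
        this.algorithm = DEFAULT_ENCRYPTION_ALGORITHM;
    }

    /**
     * Creates a client bound to a single key URI using {@link #DEFAULT_ENCRYPTION_ALGORITHM}.
     *
     * @param str key URI, must start with {@link #PREFIX}
     * @throws IllegalArgumentException if {@code str} is null, empty or lacks the prefix
     */
    public AzureKmsClient(String str) {
        this(str, DEFAULT_ENCRYPTION_ALGORITHM);
    }

    /**
     * Creates a client bound to a single key URI with an explicit wrapping algorithm.
     *
     * @param str key URI, must start with {@link #PREFIX}
     * @param encryptionAlgorithm Key Vault algorithm used to wrap/unwrap data
     * @throws IllegalArgumentException if {@code str} is null, empty or lacks the prefix, or if
     *     {@code encryptionAlgorithm} is null
     */
    public AzureKmsClient(String str, EncryptionAlgorithm encryptionAlgorithm) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("key URI must not be blank");
        }
        if (encryptionAlgorithm == null) {
            throw new IllegalArgumentException("algorithm must not be null");
        }
        if (!hasPrefix(str)) {
            throw new IllegalArgumentException("key URI must starts with azure-kms://");
        }
        this.keyUri = str;
        this.algorithm = encryptionAlgorithm;
    }

    /**
     * Reports whether this client can serve {@code str}: a bound client only serves its own URI,
     * an unbound one serves any URI carrying {@link #PREFIX}. A null URI is never supported
     * (previously this threw a NullPointerException for unbound clients).
     */
    @Override
    public boolean doesSupport(String str) {
        if (this.keyUri != null) {
            return this.keyUri.equals(str);
        }
        return str != null && hasPrefix(str);
    }

    /** Credential files are not supported; use {@link #withCredentialsProvider(TokenCredential)}. */
    @Override
    public KmsClient withCredentials(String str) throws GeneralSecurityException {
        throw new UnsupportedOperationException("Not supported yet");
    }

    /** Authenticates with the DefaultAzureCredential chain (environment, managed identity, CLI, ...). */
    @Override
    public KmsClient withDefaultCredentials() throws GeneralSecurityException {
        return withCredentialsProvider(new DefaultAzureCredentialBuilder().build());
    }

    /**
     * Uses {@code tokenCredential} for Key Vault calls. Passing {@code null} is accepted and
     * falls back to a DefaultAzureCredential when the pipeline is built.
     */
    public KmsClient withCredentialsProvider(TokenCredential tokenCredential) throws GeneralSecurityException {
        this.provider = tokenCredential;
        return this;
    }

    /**
     * Uses a pre-built {@link CryptographyClient} instead of constructing one in
     * {@link #getAead(String)}. Note: if this client is not bound to a key URI, the injected
     * client is returned for <em>any</em> URI carrying {@link #PREFIX}; bind the key via the
     * constructor when the client must serve exactly one key.
     */
    public KmsClient withCryptographyClient(CryptographyClient cryptographyClient) {
        this.cryptographyClient = cryptographyClient;
        return this;
    }

    /**
     * Returns an {@link Aead} that wraps and unwraps with the Key Vault key named by {@code str}.
     *
     * @param str key URI starting with {@link #PREFIX}
     * @throws GeneralSecurityException if this client is bound to a different URI, or if
     *     {@code str} does not carry the prefix
     */
    @Override
    public Aead getAead(String str) throws GeneralSecurityException {
        if (this.keyUri != null && !this.keyUri.equals(str)) {
            throw new GeneralSecurityException(String.format("this client is bound to %s, cannot load keys bound to %s", this.keyUri, str));
        }
        // Rejects URIs without the prefix and strips it; what remains is the Key Vault key identifier.
        String keyIdentifier = Validators.validateKmsKeyUriAndRemovePrefix(PREFIX, str);
        // Only build an HTTP pipeline (and possibly a DefaultAzureCredential) when no client was
        // injected; the original built both unconditionally and then discarded them.
        CryptographyClient client = this.cryptographyClient != null
                ? this.cryptographyClient
                : buildCryptographyClient(keyIdentifier);
        return new AzureKmsAead(client, this.algorithm);
    }

    /** Case-insensitive check for {@link #PREFIX}; shared by the constructor and doesSupport. */
    private static boolean hasPrefix(String uri) {
        return uri.toLowerCase(Locale.US).startsWith(PREFIX);
    }

    /** The credential set via withCredentialsProvider, or a new DefaultAzureCredential if none was set. */
    private TokenCredential credentialOrDefault() {
        return this.provider != null ? this.provider : new DefaultAzureCredentialBuilder().build();
    }

    /**
     * Builds a {@link CryptographyClient} for {@code keyIdentifier} with an authenticated,
     * retrying HTTP pipeline.
     *
     * <p>{@link KeyVaultCredentialPolicy} comes from the SDK's {@code implementation} package and
     * is therefore not a stable public API; an SDK upgrade may change its constructor.
     */
    private CryptographyClient buildCryptographyClient(String keyIdentifier) {
        HttpPipeline pipeline = new HttpPipelineBuilder()
                .policies(
                        // NOTE(review): the boolean looks like disableChallengeResourceVerification;
                        // it is kept false so the bearer-challenge resource is still validated
                        // against the vault host. Confirm against the pinned SDK version.
                        new KeyVaultCredentialPolicy(credentialOrDefault(), false),
                        new RetryPolicy(new ExponentialBackoff(RETRY_MAX_ATTEMPTS, RETRY_BASE_DELAY, RETRY_MAX_DELAY)))
                .build();
        return new CryptographyClientBuilder()
                .pipeline(pipeline)
                .keyIdentifier(keyIdentifier)
                .buildClient();
    }
}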
