package io.confluent.kafka.schemaregistry.encryption;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.daead.DeterministicAeadConfig;
import com.google.protobuf.ByteString;
import io.confluent.kafka.schemaregistry.client.rest.entities.RuleMode;
import io.confluent.kafka.schemaregistry.rules.FieldRuleExecutor;
import io.confluent.kafka.schemaregistry.rules.FieldTransform;
import io.confluent.kafka.schemaregistry.rules.RuleContext;
import io.confluent.kafka.schemaregistry.rules.RuleException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.header.Header;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor.class */
public abstract class FieldEncryptionExecutor implements FieldRuleExecutor {
    public static final String TYPE = "ENCRYPT";
    public static final String DEFAULT_KMS_KEY_ID = "default.kms.key.id";
    public static final String ENCRYPT_KMS_KEY_ID = "encrypt.kms.key.id";
    private static final String ENCRYPT_PREFIX = "encrypt.";
    public static final String CACHE_EXPIRY_SECS = "cache.expiry.secs";
    public static final String CACHE_SIZE = "cache.size";
    public static final String KEY_DETERMINISTIC = "key.deterministic";
    public static final String VALUE_DETERMINISTIC = "value.deterministic";
    public static final String TEST_CLIENT = "test.client";
    private static final int LENGTH_VERSION = 1;
    private static final int LENGTH_ENCRYPTED_DEK = 4;
    private static final int LENGTH_KEK_ID = 4;
    private static final int LENGTH_DEK_FORMAT = 4;
    private String defaultKekId;
    private Map<String, Cryptor> cryptors;
    private int cacheExpirySecs = 300;
    private int cacheSize = 1000;
    private boolean keyDeterministic = false;
    private boolean valueDeterministic = false;
    private Object testClient;
    private LoadingCache<EncryptKey, Dek> dekEncryptCache;
    private LoadingCache<DecryptKey, Dek> dekDecryptCache;
    private static final byte VERSION = 0;
    public static final byte[] EMPTY_AAD = new byte[VERSION];

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$3, reason: invalid class name */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$3.class */
    public static /* synthetic */ class AnonymousClass3 {
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type;
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode = new int[RuleMode.values().length];

        static {
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[RuleMode.WRITE.ordinal()] = FieldEncryptionExecutor.LENGTH_VERSION;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[RuleMode.READ.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type = new int[RuleContext.Type.values().length];
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[RuleContext.Type.BYTES.ordinal()] = FieldEncryptionExecutor.LENGTH_VERSION;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[RuleContext.Type.STRING.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$DecryptKey.class */
    public static class DecryptKey {
        private final String kekId;
        private final byte[] encryptedDek;

        public DecryptKey(String str, byte[] bArr) {
            this.kekId = str;
            this.encryptedDek = bArr;
        }

        public String getKekId() {
            return this.kekId;
        }

        public byte[] getEncryptedDek() {
            return this.encryptedDek;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            DecryptKey decryptKey = (DecryptKey) obj;
            return Objects.equals(this.kekId, decryptKey.kekId) && Arrays.equals(this.encryptedDek, decryptKey.encryptedDek);
        }

        public int hashCode() {
            return (31 * Objects.hash(this.kekId)) + Arrays.hashCode(this.encryptedDek);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$Dek.class */
    public static class Dek {
        private final byte[] rawDek;
        private final byte[] encryptedDek;

        public Dek(byte[] bArr, byte[] bArr2) {
            this.rawDek = bArr;
            this.encryptedDek = bArr2;
        }

        public byte[] getRawDek() {
            return this.rawDek;
        }

        public byte[] getEncryptedDek() {
            return this.encryptedDek;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            Dek dek = (Dek) obj;
            return Arrays.equals(this.rawDek, dek.rawDek) && Arrays.equals(this.encryptedDek, dek.encryptedDek);
        }

        public int hashCode() {
            return (31 * Arrays.hashCode(this.rawDek)) + Arrays.hashCode(this.encryptedDek);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$EncryptKey.class */
    public static class EncryptKey {
        private final String kekId;
        private final String dekFormat;

        public EncryptKey(String str, String str2) {
            this.kekId = str;
            this.dekFormat = str2;
        }

        public String getKekId() {
            return this.kekId;
        }

        public String getDekFormat() {
            return this.dekFormat;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            EncryptKey encryptKey = (EncryptKey) obj;
            return Objects.equals(this.kekId, encryptKey.kekId) && Objects.equals(this.dekFormat, encryptKey.dekFormat);
        }

        public int hashCode() {
            return Objects.hash(this.kekId, this.dekFormat);
        }
    }

    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$FieldEncryptionExecutorTransform.class */
    class FieldEncryptionExecutorTransform implements FieldTransform {
        private RuleContext ctx;
        private String kekId;
        private Cryptor cryptor;
        private Dek dek;
        private boolean skip = false;
        private int count = FieldEncryptionExecutor.VERSION;

        FieldEncryptionExecutorTransform() {
        }

        public void init(RuleContext ruleContext) throws RuleException {
            try {
                this.ctx = ruleContext;
                Header lastHeader = ruleContext.headers().lastHeader(FieldEncryptionExecutor.getHeaderName(ruleContext));
                switch (AnonymousClass3.$SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[ruleContext.ruleMode().ordinal()]) {
                    case FieldEncryptionExecutor.LENGTH_VERSION /* 1 */:
                        if (lastHeader == null) {
                            this.kekId = getKekId(ruleContext);
                            this.cryptor = FieldEncryptionExecutor.this.getCryptor(ruleContext.isKey());
                            this.dek = getDekForEncrypt(this.kekId, this.cryptor.getDekFormat());
                            break;
                        } else {
                            this.skip = true;
                            return;
                        }
                    case 2:
                        if (lastHeader != null) {
                            setStateFromHeader(lastHeader.value());
                            break;
                        } else {
                            this.skip = true;
                            return;
                        }
                    default:
                        throw new IllegalArgumentException("Unsupported rule mode " + ruleContext.ruleMode());
                }
            } catch (GeneralSecurityException e) {
                throw new RuleException(e);
            }
        }

        protected String getKekId(RuleContext ruleContext) {
            String parameter = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KMS_KEY_ID);
            String str = parameter != null ? FieldEncryptionExecutor.this.getKeyUrlPrefix() + parameter : FieldEncryptionExecutor.this.defaultKekId;
            if (str == null) {
                throw new IllegalArgumentException("No key id found");
            }
            return str;
        }

        protected Dek getDekForEncrypt(String str, String str2) {
            try {
                return (Dek) FieldEncryptionExecutor.this.dekEncryptCache.get(new EncryptKey(str, str2));
            } catch (ExecutionException e) {
                throw new RuntimeException(e);
            }
        }

        protected Dek getDekForDecrypt(String str, byte[] bArr) {
            try {
                return (Dek) FieldEncryptionExecutor.this.dekDecryptCache.get(new DecryptKey(str, bArr));
            } catch (ExecutionException e) {
                throw new RuntimeException(e);
            }
        }

        private void setStateFromHeader(byte[] bArr) throws GeneralSecurityException {
            int length = bArr.length;
            ByteBuffer wrap = ByteBuffer.wrap(bArr);
            wrap.get();
            int i = length - 1;
            int i2 = wrap.getInt();
            int i3 = i - 4;
            if (i2 <= 0 || i2 > i3) {
                throw new GeneralSecurityException("invalid ciphertext");
            }
            byte[] bArr2 = new byte[i2];
            wrap.get(bArr2, FieldEncryptionExecutor.VERSION, i2);
            int i4 = i3 - i2;
            int i5 = wrap.getInt();
            int i6 = i4 - 4;
            if (i5 <= 0 || i5 > i6) {
                throw new GeneralSecurityException("invalid ciphertext");
            }
            byte[] bArr3 = new byte[i5];
            wrap.get(bArr3, FieldEncryptionExecutor.VERSION, i5);
            int i7 = i6 - i5;
            int i8 = wrap.getInt();
            int i9 = i7 - 4;
            if (i8 <= 0 || i8 > i9) {
                throw new GeneralSecurityException("invalid ciphertext");
            }
            byte[] bArr4 = new byte[i8];
            wrap.get(bArr4, FieldEncryptionExecutor.VERSION, i8);
            if (i9 - i8 != 0) {
                throw new GeneralSecurityException("invalid ciphertext");
            }
            this.kekId = new String(bArr2, StandardCharsets.UTF_8);
            this.cryptor = FieldEncryptionExecutor.this.getCryptor(new String(bArr3, StandardCharsets.UTF_8));
            this.dek = getDekForDecrypt(this.kekId, bArr4);
        }

        public Object transform(RuleContext ruleContext, RuleContext.FieldContext fieldContext, Object obj) throws RuleException {
            try {
                if (this.skip) {
                    return obj;
                }
                switch (AnonymousClass3.$SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[ruleContext.ruleMode().ordinal()]) {
                    case FieldEncryptionExecutor.LENGTH_VERSION /* 1 */:
                        byte[] bytes = FieldEncryptionExecutor.toBytes(fieldContext, obj);
                        if (bytes == null) {
                            return obj;
                        }
                        byte[] encrypt = this.cryptor.encrypt(this.dek.getRawDek(), bytes, FieldEncryptionExecutor.EMPTY_AAD);
                        this.count += FieldEncryptionExecutor.LENGTH_VERSION;
                        if (fieldContext.getType() == RuleContext.Type.STRING) {
                            encrypt = Base64.getEncoder().encode(encrypt);
                        }
                        return FieldEncryptionExecutor.toObject(fieldContext, encrypt);
                    case 2:
                        byte[] bytes2 = FieldEncryptionExecutor.toBytes(fieldContext, obj);
                        if (fieldContext.getType() == RuleContext.Type.STRING) {
                            bytes2 = Base64.getDecoder().decode(bytes2);
                        }
                        byte[] decrypt = this.cryptor.decrypt(this.dek.getRawDek(), bytes2, FieldEncryptionExecutor.EMPTY_AAD);
                        this.count += FieldEncryptionExecutor.LENGTH_VERSION;
                        Object object = FieldEncryptionExecutor.toObject(fieldContext, decrypt);
                        return object != null ? object : obj;
                    default:
                        throw new IllegalArgumentException("Unsupported rule mode " + ruleContext.ruleMode());
                }
            } catch (GeneralSecurityException e) {
                throw new RuleException(e);
            }
        }

        public void close() {
            if (this.skip) {
                return;
            }
            String headerName = FieldEncryptionExecutor.getHeaderName(this.ctx);
            switch (AnonymousClass3.$SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[this.ctx.ruleMode().ordinal()]) {
                case FieldEncryptionExecutor.LENGTH_VERSION /* 1 */:
                    if (this.count > 0) {
                        this.ctx.headers().add(headerName, buildMetadata(this.cryptor.getDekFormat(), this.dek.getEncryptedDek()));
                        return;
                    }
                    return;
                case 2:
                    this.ctx.headers().remove(headerName);
                    return;
                default:
                    throw new IllegalArgumentException("Unsupported rule mode " + this.ctx.ruleMode());
            }
        }

        private byte[] buildMetadata(String str, byte[] bArr) {
            byte[] bytes = this.kekId.getBytes(StandardCharsets.UTF_8);
            byte[] bytes2 = str.getBytes(StandardCharsets.UTF_8);
            return ByteBuffer.allocate(5 + bytes.length + 4 + bytes2.length + 4 + bArr.length).put((byte) 0).putInt(bytes.length).put(bytes).putInt(bytes2.length).put(bytes2).putInt(bArr.length).put(bArr).array();
        }
    }

    public abstract String getKeyUrlPrefix();

    public void configure(Map<String, ?> map) {
        String str = (String) map.get(DEFAULT_KMS_KEY_ID);
        this.defaultKekId = str != null ? getKeyUrlPrefix() + str : null;
        Object obj = map.get(CACHE_EXPIRY_SECS);
        if (obj != null) {
            try {
                this.cacheExpirySecs = Integer.parseInt(obj.toString());
            } catch (NumberFormatException e) {
                throw new ConfigException("Cannot parse cache.expiry.secs");
            }
        }
        Object obj2 = map.get(CACHE_SIZE);
        if (obj2 != null) {
            try {
                this.cacheSize = Integer.parseInt(obj2.toString());
            } catch (NumberFormatException e2) {
                throw new ConfigException("Cannot parse cache.size");
            }
        }
        Object obj3 = map.get(KEY_DETERMINISTIC);
        if (obj3 != null) {
            this.keyDeterministic = Boolean.parseBoolean(obj3.toString());
        }
        Object obj4 = map.get(VALUE_DETERMINISTIC);
        if (obj4 != null) {
            this.valueDeterministic = Boolean.parseBoolean(obj4.toString());
        }
        this.testClient = map.get(TEST_CLIENT);
        this.dekEncryptCache = CacheBuilder.newBuilder().expireAfterWrite(Duration.ofSeconds(this.cacheExpirySecs)).maximumSize(this.cacheSize).build(new CacheLoader<EncryptKey, Dek>() { // from class: io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.1
            public Dek load(EncryptKey encryptKey) throws Exception {
                String kekId = encryptKey.getKekId();
                byte[] generateKey = FieldEncryptionExecutor.this.getCryptor(encryptKey.getDekFormat()).generateKey();
                return new Dek(generateKey, FieldEncryptionExecutor.this.getKmsClient(kekId).getAead(kekId).encrypt(generateKey, FieldEncryptionExecutor.EMPTY_AAD));
            }
        });
        this.dekDecryptCache = CacheBuilder.newBuilder().maximumSize(this.cacheSize).build(new CacheLoader<DecryptKey, Dek>() { // from class: io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.2
            public Dek load(DecryptKey decryptKey) throws Exception {
                String kekId = decryptKey.getKekId();
                byte[] encryptedDek = decryptKey.getEncryptedDek();
                return new Dek(FieldEncryptionExecutor.this.getKmsClient(kekId).getAead(kekId).decrypt(encryptedDek, FieldEncryptionExecutor.EMPTY_AAD), encryptedDek);
            }
        });
        this.cryptors = new HashMap();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public KmsClient getKmsClient(String str) throws GeneralSecurityException {
        try {
            return KmsClients.get(str);
        } catch (GeneralSecurityException e) {
            return registerKmsClient(Optional.of(str));
        }
    }

    public abstract KmsClient registerKmsClient(Optional<String> optional) throws GeneralSecurityException;

    private static String getKeyFormat(boolean z) {
        return z ? Cryptor.DETERMINISTIC_KEY_FORMAT : Cryptor.RANDOM_KEY_FORMAT;
    }

    public String getDefaultKekId() {
        return this.defaultKekId;
    }

    public Object getTestClient() {
        return this.testClient;
    }

    public String type() {
        return TYPE;
    }

    public FieldTransform newTransform(RuleContext ruleContext) throws RuleException {
        FieldEncryptionExecutorTransform fieldEncryptionExecutorTransform = new FieldEncryptionExecutorTransform();
        fieldEncryptionExecutorTransform.init(ruleContext);
        return fieldEncryptionExecutorTransform;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Cryptor getCryptor(boolean z) {
        return getCryptor(z ? getKeyFormat(this.keyDeterministic) : getKeyFormat(this.valueDeterministic));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Cryptor getCryptor(String str) {
        return this.cryptors.computeIfAbsent(str, str2 -> {
            try {
                return new Cryptor(str);
            } catch (GeneralSecurityException e) {
                throw new IllegalArgumentException("Invalid format " + str, e);
            }
        });
    }

    public void setCryptor(String str, Cryptor cryptor) {
        this.cryptors.put(str, cryptor);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] toBytes(RuleContext.FieldContext fieldContext, Object obj) {
        switch (AnonymousClass3.$SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[fieldContext.getType().ordinal()]) {
            case LENGTH_VERSION /* 1 */:
                if (obj instanceof ByteBuffer) {
                    return ((ByteBuffer) obj).array();
                }
                if (obj instanceof ByteString) {
                    return ((ByteString) obj).toByteArray();
                }
                if (obj instanceof byte[]) {
                    return (byte[]) obj;
                }
                throw new IllegalArgumentException("Unrecognized bytes object of type: " + obj.getClass().getName());
            case 2:
                return obj.toString().getBytes(StandardCharsets.UTF_8);
            default:
                return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Object toObject(RuleContext.FieldContext fieldContext, byte[] bArr) {
        switch (AnonymousClass3.$SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[fieldContext.getType().ordinal()]) {
            case LENGTH_VERSION /* 1 */:
                return bArr;
            case 2:
                return new String(bArr, StandardCharsets.UTF_8);
            default:
                return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getHeaderName(RuleContext ruleContext) {
        return getEncryptPrefix(ruleContext) + (ruleContext.isKey() ? "key" : "value");
    }

    private static String getEncryptPrefix(RuleContext ruleContext) {
        return ENCRYPT_PREFIX + ruleContext.rule().getName() + ".";
    }

    static {
        try {
            AeadConfig.register();
            DeterministicAeadConfig.register();
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }
}
