package io.confluent.kafka.schemaregistry.encryption;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.proto.AesGcmKey;
import com.google.crypto.tink.proto.AesSivKey;
import com.google.protobuf.ByteString;
import io.confluent.dekregistry.client.CachedDekRegistryClient;
import io.confluent.dekregistry.client.DekRegistryClient;
import io.confluent.dekregistry.client.DekRegistryClientFactory;
import io.confluent.dekregistry.client.rest.entities.Dek;
import io.confluent.dekregistry.client.rest.entities.Kek;
import io.confluent.kafka.schemaregistry.client.rest.entities.RuleMode;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
import io.confluent.kafka.schemaregistry.encryption.tink.Cryptor;
import io.confluent.kafka.schemaregistry.encryption.tink.DekFormat;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriverManager;
import io.confluent.kafka.schemaregistry.rules.FieldRuleExecutor;
import io.confluent.kafka.schemaregistry.rules.FieldTransform;
import io.confluent.kafka.schemaregistry.rules.RuleClientException;
import io.confluent.kafka.schemaregistry.rules.RuleContext;
import io.confluent.kafka.schemaregistry.rules.RuleException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.time.Clock;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.kafka.common.config.ConfigException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor.class */
public class FieldEncryptionExecutor extends FieldRuleExecutor {
    public static final String TYPE = "ENCRYPT";
    public static final String ENCRYPT_KEK_NAME = "encrypt.kek.name";
    public static final String ENCRYPT_KMS_KEY_ID = "encrypt.kms.key.id";
    public static final String ENCRYPT_KMS_TYPE = "encrypt.kms.type";
    public static final String ENCRYPT_DEK_ALGORITHM = "encrypt.dek.algorithm";
    public static final String ENCRYPT_DEK_EXPIRY_DAYS = "encrypt.dek.expiry.days";
    public static final String KMS_TYPE_SUFFIX = "://";
    public static final String CACHE_EXPIRY_SECS = "cache.expiry.secs";
    public static final String CACHE_SIZE = "cache.size";
    public static final String CLOCK = "clock";
    protected static final int LATEST_VERSION = -1;
    protected static final int MILLIS_IN_DAY = 86400000;
    protected static final int VERSION_SIZE = 4;
    private Map<DekFormat, Cryptor> cryptors;
    private Map<String, ?> configs;
    private int cacheExpirySecs = LATEST_VERSION;
    private int cacheSize = 10000;
    private Clock clock = Clock.systemUTC();
    private DekRegistryClient client;
    private static final Logger log = LoggerFactory.getLogger(FieldEncryptionExecutor.class);
    protected static final byte MAGIC_BYTE = 0;
    public static final byte[] EMPTY_AAD = new byte[MAGIC_BYTE];

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$1, reason: invalid class name */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$encryption$tink$DekFormat;
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type;
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode = new int[RuleMode.values().length];

        static {
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[RuleMode.WRITE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[RuleMode.READ.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type = new int[RuleContext.Type.values().length];
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[RuleContext.Type.BYTES.ordinal()] = 1;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[RuleContext.Type.STRING.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
            $SwitchMap$io$confluent$kafka$schemaregistry$encryption$tink$DekFormat = new int[DekFormat.values().length];
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$encryption$tink$DekFormat[DekFormat.AES128_GCM.ordinal()] = 1;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$encryption$tink$DekFormat[DekFormat.AES256_GCM.ordinal()] = 2;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$encryption$tink$DekFormat[DekFormat.AES256_SIV.ordinal()] = 3;
            } catch (NoSuchFieldError e7) {
            }
        }
    }

    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$FieldEncryptionExecutorTransform.class */
    public class FieldEncryptionExecutorTransform implements FieldTransform {
        private Cryptor cryptor;
        private String kekName;
        private Kek kek;
        private int dekExpiryDays;

        public FieldEncryptionExecutorTransform() {
        }

        public void init(RuleContext ruleContext) throws RuleException {
            this.cryptor = FieldEncryptionExecutor.this.getCryptor(ruleContext);
            this.kekName = getKekName(ruleContext);
            this.kek = getOrCreateKek(ruleContext);
            this.dekExpiryDays = getDekExpiryDays(ruleContext);
        }

        public boolean isDekRotated() {
            return this.dekExpiryDays > 0;
        }

        protected String getKekName(RuleContext ruleContext) throws RuleException {
            String parameter = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KEK_NAME);
            if (parameter == null) {
                throw new RuleException("No kek name found");
            }
            int length = parameter.length();
            if (length == 0) {
                throw new RuleException("Empty kek name");
            }
            char charAt = parameter.charAt(FieldEncryptionExecutor.MAGIC_BYTE);
            if (!Character.isLetter(charAt) && charAt != '_') {
                throw new RuleException("Illegal initial character in kek name: " + parameter);
            }
            for (int i = 1; i < length; i++) {
                char charAt2 = parameter.charAt(i);
                if (!Character.isLetterOrDigit(charAt2) && charAt2 != '_' && charAt2 != '-') {
                    throw new RuleException("Illegal character in kek name: " + parameter);
                }
            }
            return parameter;
        }

        protected Kek getOrCreateKek(RuleContext ruleContext) throws RuleException {
            boolean z = ruleContext.ruleMode() == RuleMode.READ;
            CachedDekRegistryClient.KekId kekId = new CachedDekRegistryClient.KekId(this.kekName, z);
            String parameter = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KMS_TYPE);
            String parameter2 = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KMS_KEY_ID);
            Kek retrieveKekFromRegistry = retrieveKekFromRegistry(kekId);
            if (retrieveKekFromRegistry == null) {
                if (z) {
                    throw new RuleException("No kek found for " + this.kekName + " during consume");
                }
                if (parameter == null || parameter.isEmpty()) {
                    throw new RuleException("No kms type found for " + this.kekName + " during produce");
                }
                if (parameter2 == null || parameter2.isEmpty()) {
                    throw new RuleException("No kms key id found for " + this.kekName + " during produce");
                }
                retrieveKekFromRegistry = storeKekToRegistry(kekId, parameter, parameter2, false);
                if (retrieveKekFromRegistry == null) {
                    retrieveKekFromRegistry = retrieveKekFromRegistry(kekId);
                }
                if (retrieveKekFromRegistry == null) {
                    throw new RuleException("No kek found for " + this.kekName + " during produce");
                }
            }
            if (parameter != null && !parameter.isEmpty() && !parameter.equals(retrieveKekFromRegistry.getKmsType())) {
                throw new RuleException("Found " + this.kekName + " with kms type '" + retrieveKekFromRegistry.getKmsType() + "' which differs from rule kms type '" + parameter + "'");
            }
            if (parameter2 == null || parameter2.isEmpty() || parameter2.equals(retrieveKekFromRegistry.getKmsKeyId())) {
                return retrieveKekFromRegistry;
            }
            throw new RuleException("Found " + this.kekName + " with kms key id '" + retrieveKekFromRegistry.getKmsKeyId() + "' which differs from rule kms key id '" + parameter2 + "'");
        }

        private int getDekExpiryDays(RuleContext ruleContext) throws RuleException {
            String parameter = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_DEK_EXPIRY_DAYS);
            if (parameter == null || parameter.isEmpty()) {
                return FieldEncryptionExecutor.MAGIC_BYTE;
            }
            try {
                int parseInt = Integer.parseInt(parameter);
                if (parseInt < 0) {
                    throw new RuleException("Invalid value for encrypt.dek.expiry.days: " + parameter);
                }
                return parseInt;
            } catch (NumberFormatException e) {
                throw new RuleException("Invalid value for encrypt.dek.expiry.days: " + parameter);
            }
        }

        private Kek retrieveKekFromRegistry(CachedDekRegistryClient.KekId kekId) throws RuleException {
            try {
                return FieldEncryptionExecutor.this.client.getKek(kekId.getName(), kekId.isLookupDeleted());
            } catch (IOException e) {
                throw new RuleClientException("Could not get kek " + kekId.getName(), e);
            } catch (RestClientException e2) {
                if (e2.getStatus() == 404) {
                    return null;
                }
                throw new RuleClientException("Could not get kek " + kekId.getName(), e2);
            }
        }

        private Kek storeKekToRegistry(CachedDekRegistryClient.KekId kekId, String str, String str2, boolean z) throws RuleException {
            try {
                Kek createKek = FieldEncryptionExecutor.this.client.createKek(kekId.getName(), str, str2, (Map) null, (String) null, z);
                FieldEncryptionExecutor.log.info("Registered kek " + kekId.getName());
                return createKek;
            } catch (IOException e) {
                throw new RuleClientException("Could not register kek " + kekId.getName(), e);
            } catch (RestClientException e2) {
                if (e2.getStatus() == 409) {
                    return null;
                }
                throw new RuleClientException("Could not register kek " + kekId.getName(), e2);
            }
        }

        public Dek getOrCreateDek(RuleContext ruleContext, Integer num) throws RuleException, GeneralSecurityException {
            boolean z = ruleContext.ruleMode() == RuleMode.READ;
            CachedDekRegistryClient.DekId dekId = new CachedDekRegistryClient.DekId(this.kekName, ruleContext.subject(), num, this.cryptor.getDekFormat(), z);
            Aead aead = FieldEncryptionExecutor.MAGIC_BYTE;
            Dek retrieveDekFromRegistry = retrieveDekFromRegistry(dekId);
            boolean isExpired = isExpired(ruleContext, retrieveDekFromRegistry);
            if (isExpired) {
                FieldEncryptionExecutor.log.info("Dek with ts " + retrieveDekFromRegistry.getTimestamp() + " expired after " + this.dekExpiryDays + " day(s)");
            }
            if (retrieveDekFromRegistry == null || isExpired) {
                if (z) {
                    throw new RuleException("No dek found for " + this.kekName + " during consume");
                }
                byte[] bArr = FieldEncryptionExecutor.MAGIC_BYTE;
                if (!this.kek.isShared()) {
                    aead = FieldEncryptionExecutor.getAead(FieldEncryptionExecutor.this.configs, this.kek);
                    bArr = aead.encrypt(FieldEncryptionExecutor.this.generateKey(dekId.getDekFormat()), FieldEncryptionExecutor.EMPTY_AAD);
                }
                Integer valueOf = isExpired ? Integer.valueOf(retrieveDekFromRegistry.getVersion() + 1) : null;
                try {
                    retrieveDekFromRegistry = createDek(dekId, valueOf, bArr);
                } catch (RuleException e) {
                    if (retrieveDekFromRegistry == null) {
                        throw e;
                    }
                    FieldEncryptionExecutor.log.warn("Failed to create dek for " + this.kekName + ", subject " + ruleContext.subject() + ", version " + valueOf + ", using existing dek");
                }
            }
            if (retrieveDekFromRegistry.getKeyMaterialBytes() == null) {
                if (aead == null) {
                    aead = FieldEncryptionExecutor.getAead(FieldEncryptionExecutor.this.configs, this.kek);
                }
                retrieveDekFromRegistry.setKeyMaterial(aead.decrypt(retrieveDekFromRegistry.getEncryptedKeyMaterialBytes(), FieldEncryptionExecutor.EMPTY_AAD));
            }
            return retrieveDekFromRegistry;
        }

        private Dek createDek(CachedDekRegistryClient.DekId dekId, Integer num, byte[] bArr) throws RuleException {
            Dek storeDekToRegistry = storeDekToRegistry(new CachedDekRegistryClient.DekId(dekId.getKekName(), dekId.getSubject(), num, dekId.getDekFormat(), dekId.isLookupDeleted()), bArr);
            if (storeDekToRegistry == null) {
                storeDekToRegistry = retrieveDekFromRegistry(dekId);
            }
            if (storeDekToRegistry == null) {
                throw new RuleException("No dek found for " + dekId.getKekName() + " during produce");
            }
            return storeDekToRegistry;
        }

        private boolean isExpired(RuleContext ruleContext, Dek dek) {
            return ruleContext.ruleMode() != RuleMode.READ && this.dekExpiryDays > 0 && dek != null && (FieldEncryptionExecutor.this.clock.millis() - dek.getTimestamp().longValue()) / 86400000 >= ((long) this.dekExpiryDays);
        }

        private Dek retrieveDekFromRegistry(CachedDekRegistryClient.DekId dekId) throws RuleException {
            try {
                Dek dekVersion = dekId.getVersion() != null ? FieldEncryptionExecutor.this.client.getDekVersion(dekId.getKekName(), dekId.getSubject(), dekId.getVersion().intValue(), dekId.getDekFormat(), dekId.isLookupDeleted()) : FieldEncryptionExecutor.this.client.getDek(dekId.getKekName(), dekId.getSubject(), dekId.getDekFormat(), dekId.isLookupDeleted());
                if (dekVersion != null) {
                    if (dekVersion.getEncryptedKeyMaterial() != null) {
                        return dekVersion;
                    }
                }
                return null;
            } catch (RestClientException e) {
                if (e.getStatus() == 404) {
                    return null;
                }
                throw new RuleClientException("Could not get dek for kek " + dekId.getKekName() + ", subject " + dekId.getSubject(), e);
            } catch (IOException e2) {
                throw new RuleClientException("Could not get dek for kek " + dekId.getKekName() + ", subject " + dekId.getSubject(), e2);
            }
        }

        private Dek storeDekToRegistry(CachedDekRegistryClient.DekId dekId, byte[] bArr) throws RuleException {
            String str;
            if (bArr != null) {
                try {
                    str = (String) FieldEncryptionExecutor.toObject(RuleContext.Type.STRING, Base64.getEncoder().encode(bArr));
                } catch (IOException e) {
                    throw new RuleClientException("Could not register dek for kek " + dekId.getKekName() + ", subject " + dekId.getSubject(), e);
                } catch (RestClientException e2) {
                    if (e2.getStatus() == 409) {
                        return null;
                    }
                    throw new RuleClientException("Could not register dek for kek " + dekId.getKekName() + ", subject " + dekId.getSubject(), e2);
                }
            } else {
                str = null;
            }
            String str2 = str;
            Dek createDek = dekId.getVersion() != null ? FieldEncryptionExecutor.this.client.createDek(dekId.getKekName(), dekId.getSubject(), dekId.getVersion().intValue(), dekId.getDekFormat(), str2) : FieldEncryptionExecutor.this.client.createDek(dekId.getKekName(), dekId.getSubject(), dekId.getDekFormat(), str2);
            FieldEncryptionExecutor.log.info("Registered dek for kek " + dekId.getKekName() + ", subject " + dekId.getSubject());
            return createDek;
        }

        public Object transform(RuleContext ruleContext, RuleContext.FieldContext fieldContext, Object obj) throws RuleException {
            if (obj == null) {
                return null;
            }
            try {
                switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[ruleContext.ruleMode().ordinal()]) {
                    case 1:
                        byte[] bytes = FieldEncryptionExecutor.toBytes(fieldContext.getType(), obj);
                        if (bytes == null) {
                            throw new RuleException("Type '" + fieldContext.getType() + "' not supported for encryption");
                        }
                        Dek orCreateDek = getOrCreateDek(ruleContext, isDekRotated() ? Integer.valueOf(FieldEncryptionExecutor.LATEST_VERSION) : null);
                        byte[] encrypt = this.cryptor.encrypt(orCreateDek.getKeyMaterialBytes(), bytes, FieldEncryptionExecutor.EMPTY_AAD);
                        if (isDekRotated()) {
                            encrypt = prefixVersion(orCreateDek.getVersion(), encrypt);
                        }
                        if (fieldContext.getType() == RuleContext.Type.STRING) {
                            encrypt = Base64.getEncoder().encode(encrypt);
                        }
                        return FieldEncryptionExecutor.toObject(fieldContext.getType(), encrypt);
                    case 2:
                        byte[] bytes2 = FieldEncryptionExecutor.toBytes(fieldContext.getType(), obj);
                        if (bytes2 == null) {
                            return obj;
                        }
                        if (fieldContext.getType() == RuleContext.Type.STRING) {
                            bytes2 = Base64.getDecoder().decode(bytes2);
                        }
                        Integer num = FieldEncryptionExecutor.MAGIC_BYTE;
                        if (isDekRotated()) {
                            Map.Entry<Integer, byte[]> extractVersion = extractVersion(bytes2);
                            num = extractVersion.getKey();
                            bytes2 = extractVersion.getValue();
                        }
                        return FieldEncryptionExecutor.toObject(fieldContext.getType(), this.cryptor.decrypt(getOrCreateDek(ruleContext, num).getKeyMaterialBytes(), bytes2, FieldEncryptionExecutor.EMPTY_AAD));
                    default:
                        throw new IllegalArgumentException("Unsupported rule mode " + ruleContext.ruleMode());
                }
            } catch (Exception e) {
                throw new RuleException(e);
            }
        }

        private byte[] prefixVersion(int i, byte[] bArr) {
            byte[] bArr2 = new byte[bArr.length + 1 + FieldEncryptionExecutor.VERSION_SIZE];
            ByteBuffer wrap = ByteBuffer.wrap(bArr2);
            wrap.put((byte) 0);
            wrap.putInt(i);
            wrap.put(bArr);
            return bArr2;
        }

        private Map.Entry<Integer, byte[]> extractVersion(byte[] bArr) throws RuleException {
            ByteBuffer wrap = ByteBuffer.wrap(bArr);
            if (wrap.get() != 0) {
                throw new RuleException("Unknown magic byte!");
            }
            int i = wrap.getInt();
            int length = (bArr.length - 1) - FieldEncryptionExecutor.VERSION_SIZE;
            byte[] bArr2 = new byte[length];
            wrap.get(bArr2, FieldEncryptionExecutor.MAGIC_BYTE, length);
            return new AbstractMap.SimpleEntry(Integer.valueOf(i), bArr2);
        }

        public void close() {
        }
    }

    public boolean addOriginalConfigs() {
        return true;
    }

    public void configure(Map<String, ?> map) {
        super.configure(map);
        this.configs = map;
        Object obj = map.get(CACHE_EXPIRY_SECS);
        if (obj != null) {
            try {
                this.cacheExpirySecs = Integer.parseInt(obj.toString());
            } catch (NumberFormatException e) {
                throw new ConfigException("Cannot parse cache.expiry.secs");
            }
        }
        Object obj2 = map.get(CACHE_SIZE);
        if (obj2 != null) {
            try {
                this.cacheSize = Integer.parseInt(obj2.toString());
            } catch (NumberFormatException e2) {
                throw new ConfigException("Cannot parse cache.size");
            }
        }
        Object obj3 = map.get(CLOCK);
        if (obj3 instanceof Clock) {
            this.clock = (Clock) obj3;
        }
        Object obj4 = map.get("schema.registry.url");
        if (obj4 == null) {
            throw new ConfigException("Missing schema registry url!");
        }
        this.client = DekRegistryClientFactory.newClient(Arrays.asList(obj4.toString().split("\\s*,\\s*")), this.cacheSize, this.cacheExpirySecs, map, Collections.emptyMap());
        this.cryptors = new ConcurrentHashMap();
    }

    public String type() {
        return TYPE;
    }

    /* renamed from: newTransform, reason: merged with bridge method [inline-methods] */
    public FieldEncryptionExecutorTransform m1newTransform(RuleContext ruleContext) throws RuleException {
        FieldEncryptionExecutorTransform fieldEncryptionExecutorTransform = new FieldEncryptionExecutorTransform();
        fieldEncryptionExecutorTransform.init(ruleContext);
        return fieldEncryptionExecutorTransform;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Cryptor getCryptor(RuleContext ruleContext) {
        String parameter = ruleContext.getParameter(ENCRYPT_DEK_ALGORITHM);
        return getCryptor((parameter == null || parameter.isEmpty()) ? DekFormat.AES256_GCM : DekFormat.valueOf(parameter));
    }

    private Cryptor getCryptor(DekFormat dekFormat) {
        return this.cryptors.computeIfAbsent(dekFormat, dekFormat2 -> {
            try {
                return new Cryptor(dekFormat);
            } catch (GeneralSecurityException e) {
                throw new IllegalArgumentException("Invalid format " + dekFormat, e);
            }
        });
    }

    public Map<DekFormat, Cryptor> getCryptors() {
        return this.cryptors;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public byte[] generateKey(DekFormat dekFormat) throws GeneralSecurityException {
        byte[] generateDek = generateDek(dekFormat);
        if (generateDek == null) {
            return getCryptor(dekFormat).generateKey();
        }
        switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$encryption$tink$DekFormat[dekFormat.ordinal()]) {
            case 1:
            case 2:
                return AesGcmKey.newBuilder().setKeyValue(ByteString.copyFrom(generateDek)).build().toByteArray();
            case 3:
                return AesSivKey.newBuilder().setKeyValue(ByteString.copyFrom(generateDek)).build().toByteArray();
            default:
                throw new IllegalArgumentException("Invalid format " + dekFormat);
        }
    }

    protected byte[] generateDek(DekFormat dekFormat) throws GeneralSecurityException {
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] toBytes(RuleContext.Type type, Object obj) {
        switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[type.ordinal()]) {
            case 1:
                if (obj instanceof ByteBuffer) {
                    return ((ByteBuffer) obj).array();
                }
                if (obj instanceof ByteString) {
                    return ((ByteString) obj).toByteArray();
                }
                if (obj instanceof byte[]) {
                    return (byte[]) obj;
                }
                throw new IllegalArgumentException("Unrecognized bytes object of type: " + obj.getClass().getName());
            case 2:
                return obj.toString().getBytes(StandardCharsets.UTF_8);
            default:
                return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Object toObject(RuleContext.Type type, byte[] bArr) {
        switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[type.ordinal()]) {
            case 1:
                return bArr;
            case 2:
                return new String(bArr, StandardCharsets.UTF_8);
            default:
                return null;
        }
    }

    public void close() throws RuleException {
        if (this.client != null) {
            try {
                this.client.close();
            } catch (IOException e) {
                throw new RuleException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Aead getAead(Map<String, ?> map, Kek kek) throws GeneralSecurityException, RuleException {
        String str = kek.getKmsType() + KMS_TYPE_SUFFIX + kek.getKmsKeyId();
        KmsClient kmsClient = getKmsClient(map, str);
        if (kmsClient == null) {
            throw new RuleException("No kms client found for " + str);
        }
        return kmsClient.getAead(str);
    }

    private static KmsClient getKmsClient(Map<String, ?> map, String str) throws GeneralSecurityException {
        try {
            return KmsDriverManager.getDriver(str).getKmsClient(str);
        } catch (GeneralSecurityException e) {
            return KmsDriverManager.getDriver(str).registerKmsClient(map, Optional.of(str));
        }
    }
}
