package io.confluent.kafka.schemaregistry.encryption;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.protobuf.ByteString;
import io.confluent.dekregistry.client.CachedDekRegistryClient;
import io.confluent.dekregistry.client.DekRegistryClient;
import io.confluent.dekregistry.client.DekRegistryClientFactory;
import io.confluent.dekregistry.client.rest.entities.Dek;
import io.confluent.dekregistry.client.rest.entities.Kek;
import io.confluent.kafka.schemaregistry.client.rest.entities.RuleMode;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
import io.confluent.kafka.schemaregistry.encryption.tink.Cryptor;
import io.confluent.kafka.schemaregistry.encryption.tink.DekFormat;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriverManager;
import io.confluent.kafka.schemaregistry.rules.FieldRuleExecutor;
import io.confluent.kafka.schemaregistry.rules.FieldTransform;
import io.confluent.kafka.schemaregistry.rules.RuleContext;
import io.confluent.kafka.schemaregistry.rules.RuleException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.kafka.common.config.ConfigException;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor.class */
public class FieldEncryptionExecutor implements FieldRuleExecutor {
    public static final String TYPE = "ENCRYPT";
    public static final String ENCRYPT_KEK_NAME = "encrypt.kek.name";
    public static final String ENCRYPT_KMS_KEY_ID = "encrypt.kms.key.id";
    public static final String ENCRYPT_KMS_TYPE = "encrypt.kms.type";
    public static final String ENCRYPT_DEK_ALGORITHM = "encrypt.dek.algorithm";
    public static final String KMS_TYPE_SUFFIX = "://";
    public static final byte[] EMPTY_AAD = new byte[0];
    public static final String CACHE_EXPIRY_SECS = "cache.expiry.secs";
    public static final String CACHE_SIZE = "cache.size";
    private Map<DekFormat, Cryptor> cryptors;
    private Map<String, ?> configs;
    private int cacheExpirySecs = -1;
    private int cacheSize = 10000;
    private DekRegistryClient client;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$1, reason: invalid class name */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type;
        static final /* synthetic */ int[] $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode = new int[RuleMode.values().length];

        static {
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[RuleMode.WRITE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[RuleMode.READ.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type = new int[RuleContext.Type.values().length];
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[RuleContext.Type.BYTES.ordinal()] = 1;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[RuleContext.Type.STRING.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$DekInfo.class */
    public static class DekInfo {
        private byte[] rawDek;
        private final byte[] encryptedDek;

        public DekInfo(byte[] bArr, byte[] bArr2) {
            this.rawDek = bArr;
            this.encryptedDek = bArr2;
        }

        public byte[] getRawDek() {
            return this.rawDek;
        }

        public void setRawDek(byte[] bArr) {
            this.rawDek = bArr;
        }

        public byte[] getEncryptedDek() {
            return this.encryptedDek;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            DekInfo dekInfo = (DekInfo) obj;
            return Arrays.equals(this.rawDek, dekInfo.rawDek) && Arrays.equals(this.encryptedDek, dekInfo.encryptedDek);
        }

        public int hashCode() {
            return (31 * Arrays.hashCode(this.rawDek)) + Arrays.hashCode(this.encryptedDek);
        }
    }

    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$FieldEncryptionExecutorTransform.class */
    class FieldEncryptionExecutorTransform implements FieldTransform {
        private Cryptor cryptor;
        private String kekName;
        private KekInfo kek;

        FieldEncryptionExecutorTransform() {
        }

        public void init(RuleContext ruleContext) throws RuleException {
            this.cryptor = FieldEncryptionExecutor.this.getCryptor(ruleContext);
            this.kekName = getKekName(ruleContext);
            this.kek = getKek(ruleContext, this.kekName);
        }

        protected String getKekName(RuleContext ruleContext) throws RuleException {
            String parameter = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KEK_NAME);
            if (parameter == null) {
                throw new RuleException("No kek name found");
            }
            int length = parameter.length();
            if (length == 0) {
                throw new RuleException("Empty kek name");
            }
            char charAt = parameter.charAt(0);
            if (!Character.isLetter(charAt) && charAt != '_') {
                throw new RuleException("Illegal initial character in kek name: " + parameter);
            }
            for (int i = 1; i < length; i++) {
                char charAt2 = parameter.charAt(i);
                if (!Character.isLetterOrDigit(charAt2) && charAt2 != '_' && charAt2 != '-') {
                    throw new RuleException("Illegal character in kek name: " + parameter);
                }
            }
            return parameter;
        }

        protected KekInfo getKek(RuleContext ruleContext, String str) throws RuleException {
            CachedDekRegistryClient.KekId kekId = new CachedDekRegistryClient.KekId(str, ruleContext.ruleMode() == RuleMode.READ);
            String parameter = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KMS_TYPE);
            String parameter2 = ruleContext.getParameter(FieldEncryptionExecutor.ENCRYPT_KMS_KEY_ID);
            KekInfo retrieveKekFromRegistry = retrieveKekFromRegistry(ruleContext, kekId);
            if (retrieveKekFromRegistry == null) {
                if (ruleContext.ruleMode() == RuleMode.READ) {
                    throw new RuleException("No kek found for " + str + " during consume");
                }
                if (parameter == null) {
                    throw new RuleException("No kms type found for " + str + " during produce");
                }
                if (parameter2 == null) {
                    throw new RuleException("No kms key id found for " + str + " during produce");
                }
                retrieveKekFromRegistry = storeKekToRegistry(ruleContext, kekId, new KekInfo(parameter, parameter2, false));
                if (retrieveKekFromRegistry == null) {
                    retrieveKekFromRegistry = retrieveKekFromRegistry(ruleContext, kekId);
                }
                if (retrieveKekFromRegistry == null) {
                    throw new RuleException("No kek found for " + str + " during produce");
                }
            }
            if (parameter != null && !parameter.equals(retrieveKekFromRegistry.getKmsType())) {
                throw new RuleException("Found " + str + " with different kms type: " + retrieveKekFromRegistry.getKmsType());
            }
            if (parameter2 == null || parameter2.equals(retrieveKekFromRegistry.getKmsKeyId())) {
                return retrieveKekFromRegistry;
            }
            throw new RuleException("Found " + str + " with different kms key id: " + retrieveKekFromRegistry.getKmsKeyId());
        }

        private KekInfo retrieveKekFromRegistry(RuleContext ruleContext, CachedDekRegistryClient.KekId kekId) throws RuleException {
            try {
                Kek kek = FieldEncryptionExecutor.this.client.getKek(kekId.getName(), kekId.isLookupDeleted());
                if (kek == null) {
                    return null;
                }
                return new KekInfo(kek.getKmsType(), kek.getKmsKeyId(), kek.isShared());
            } catch (RestClientException e) {
                if (e.getStatus() == 404) {
                    return null;
                }
                throw new RuleException("Could not get kek", e);
            } catch (IOException e2) {
                throw new RuleException("Could not get kek", e2);
            }
        }

        private KekInfo storeKekToRegistry(RuleContext ruleContext, CachedDekRegistryClient.KekId kekId, KekInfo kekInfo) throws RuleException {
            try {
                Kek createKek = FieldEncryptionExecutor.this.client.createKek(kekId.getName(), kekInfo.getKmsType(), kekInfo.getKmsKeyId(), (Map) null, (String) null, kekInfo.isShared());
                return new KekInfo(createKek.getKmsType(), createKek.getKmsKeyId(), createKek.isShared());
            } catch (RestClientException e) {
                if (e.getStatus() == 409) {
                    return null;
                }
                throw new RuleException("Could not store kek", e);
            } catch (IOException e2) {
                throw new RuleException("Could not store kek", e2);
            }
        }

        protected DekInfo getDek(RuleContext ruleContext, String str, KekInfo kekInfo) throws RuleException, GeneralSecurityException {
            CachedDekRegistryClient.DekId dekId = new CachedDekRegistryClient.DekId(str, ruleContext.subject(), this.cryptor.getDekFormat(), ruleContext.ruleMode() == RuleMode.READ);
            Aead aead = null;
            DekInfo retrieveDekFromRegistry = retrieveDekFromRegistry(ruleContext, dekId);
            if (retrieveDekFromRegistry == null) {
                if (ruleContext.ruleMode() == RuleMode.READ) {
                    throw new RuleException("No dek found for " + str + " during consume");
                }
                if (!kekInfo.isShared()) {
                    aead = FieldEncryptionExecutor.getAead(FieldEncryptionExecutor.this.configs, kekInfo);
                    byte[] generateKey = FieldEncryptionExecutor.this.getCryptor(dekId.getDekFormat()).generateKey();
                    retrieveDekFromRegistry = new DekInfo(generateKey, aead.encrypt(generateKey, FieldEncryptionExecutor.EMPTY_AAD));
                }
                retrieveDekFromRegistry = storeDekToRegistry(ruleContext, dekId, retrieveDekFromRegistry);
                if (retrieveDekFromRegistry == null) {
                    retrieveDekFromRegistry = retrieveDekFromRegistry(ruleContext, dekId);
                }
                if (retrieveDekFromRegistry == null) {
                    throw new RuleException("No dek found for " + str + " during produce");
                }
            }
            if (retrieveDekFromRegistry.getRawDek() == null) {
                if (aead == null) {
                    aead = FieldEncryptionExecutor.getAead(FieldEncryptionExecutor.this.configs, kekInfo);
                }
                retrieveDekFromRegistry.setRawDek(aead.decrypt(retrieveDekFromRegistry.getEncryptedDek(), FieldEncryptionExecutor.EMPTY_AAD));
            }
            return retrieveDekFromRegistry;
        }

        private DekInfo retrieveDekFromRegistry(RuleContext ruleContext, CachedDekRegistryClient.DekId dekId) throws RuleException {
            try {
                Dek dek = FieldEncryptionExecutor.this.client.getDek(dekId.getKekName(), dekId.getSubject(), dekId.getDekFormat(), dekId.isLookupDeleted());
                if (dek == null) {
                    return null;
                }
                byte[] decode = dek.getKeyMaterial() != null ? Base64.getDecoder().decode(FieldEncryptionExecutor.toBytes(RuleContext.Type.STRING, dek.getKeyMaterial())) : null;
                byte[] decode2 = dek.getEncryptedKeyMaterial() != null ? Base64.getDecoder().decode(FieldEncryptionExecutor.toBytes(RuleContext.Type.STRING, dek.getEncryptedKeyMaterial())) : null;
                if (decode2 != null) {
                    return new DekInfo(decode, decode2);
                }
                return null;
            } catch (IOException e) {
                throw new RuleException("Could not get dek", e);
            } catch (RestClientException e2) {
                if (e2.getStatus() == 404) {
                    return null;
                }
                throw new RuleException("Could not get dek", e2);
            }
        }

        /* JADX WARN: Removed duplicated region for block: B:23:0x007b  */
        /* JADX WARN: Removed duplicated region for block: B:24:0x005c  */
        /* JADX WARN: Removed duplicated region for block: B:6:0x0048 A[Catch: RestClientException -> 0x008a, IOException -> 0x00a5, TryCatch #2 {IOException -> 0x00a5, RestClientException -> 0x008a, blocks: (B:26:0x0004, B:28:0x000b, B:4:0x0022, B:6:0x0048, B:7:0x005d, B:9:0x0067, B:10:0x007c), top: B:25:0x0004 }] */
        /* JADX WARN: Removed duplicated region for block: B:9:0x0067 A[Catch: RestClientException -> 0x008a, IOException -> 0x00a5, TryCatch #2 {IOException -> 0x00a5, RestClientException -> 0x008a, blocks: (B:26:0x0004, B:28:0x000b, B:4:0x0022, B:6:0x0048, B:7:0x005d, B:9:0x0067, B:10:0x007c), top: B:25:0x0004 }] */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        private io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.DekInfo storeDekToRegistry(io.confluent.kafka.schemaregistry.rules.RuleContext r7, io.confluent.dekregistry.client.CachedDekRegistryClient.DekId r8, io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.DekInfo r9) throws io.confluent.kafka.schemaregistry.rules.RuleException {
            /*
                r6 = this;
                r0 = r9
                if (r0 == 0) goto L21
                r0 = r9
                byte[] r0 = r0.getEncryptedDek()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                if (r0 == 0) goto L21
                io.confluent.kafka.schemaregistry.rules.RuleContext$Type r0 = io.confluent.kafka.schemaregistry.rules.RuleContext.Type.STRING     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                java.util.Base64$Encoder r1 = java.util.Base64.getEncoder()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r2 = r9
                byte[] r2 = r2.getEncryptedDek()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                byte[] r1 = r1.encode(r2)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                java.lang.Object r0 = io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.access$600(r0, r1)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                java.lang.String r0 = (java.lang.String) r0     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                goto L22
            L21:
                r0 = 0
            L22:
                r10 = r0
                r0 = r6
                io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor r0 = io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.this     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                io.confluent.dekregistry.client.DekRegistryClient r0 = io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.access$100(r0)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r1 = r8
                java.lang.String r1 = r1.getKekName()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r2 = r8
                java.lang.String r2 = r2.getSubject()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r3 = r8
                io.confluent.kafka.schemaregistry.encryption.tink.DekFormat r3 = r3.getDekFormat()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r4 = r10
                io.confluent.dekregistry.client.rest.entities.Dek r0 = r0.createDek(r1, r2, r3, r4)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r11 = r0
                r0 = r11
                java.lang.String r0 = r0.getKeyMaterial()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                if (r0 == 0) goto L5c
                java.util.Base64$Decoder r0 = java.util.Base64.getDecoder()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                io.confluent.kafka.schemaregistry.rules.RuleContext$Type r1 = io.confluent.kafka.schemaregistry.rules.RuleContext.Type.STRING     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r2 = r11
                java.lang.String r2 = r2.getKeyMaterial()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                byte[] r1 = io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.access$500(r1, r2)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                byte[] r0 = r0.decode(r1)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                goto L5d
            L5c:
                r0 = 0
            L5d:
                r12 = r0
                r0 = r11
                java.lang.String r0 = r0.getEncryptedKeyMaterial()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                if (r0 == 0) goto L7b
                java.util.Base64$Decoder r0 = java.util.Base64.getDecoder()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                io.confluent.kafka.schemaregistry.rules.RuleContext$Type r1 = io.confluent.kafka.schemaregistry.rules.RuleContext.Type.STRING     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r2 = r11
                java.lang.String r2 = r2.getEncryptedKeyMaterial()     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                byte[] r1 = io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.access$500(r1, r2)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                byte[] r0 = r0.decode(r1)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                goto L7c
            L7b:
                r0 = 0
            L7c:
                r13 = r0
                io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$DekInfo r0 = new io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$DekInfo     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                r1 = r0
                r2 = r12
                r3 = r13
                r1.<init>(r2, r3)     // Catch: io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException -> L8a java.io.IOException -> La5
                return r0
            L8a:
                r10 = move-exception
                r0 = r10
                int r0 = r0.getStatus()
                r1 = 409(0x199, float:5.73E-43)
                if (r0 != r1) goto L99
                r0 = 0
                return r0
            L99:
                io.confluent.kafka.schemaregistry.rules.RuleException r0 = new io.confluent.kafka.schemaregistry.rules.RuleException
                r1 = r0
                java.lang.String r2 = "Could not store dek"
                r3 = r10
                r1.<init>(r2, r3)
                throw r0
            La5:
                r10 = move-exception
                io.confluent.kafka.schemaregistry.rules.RuleException r0 = new io.confluent.kafka.schemaregistry.rules.RuleException
                r1 = r0
                java.lang.String r2 = "Could not store dek"
                r3 = r10
                r1.<init>(r2, r3)
                throw r0
            */
            throw new UnsupportedOperationException("Method not decompiled: io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor.FieldEncryptionExecutorTransform.storeDekToRegistry(io.confluent.kafka.schemaregistry.rules.RuleContext, io.confluent.dekregistry.client.CachedDekRegistryClient$DekId, io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$DekInfo):io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor$DekInfo");
        }

        public Object transform(RuleContext ruleContext, RuleContext.FieldContext fieldContext, Object obj) throws RuleException {
            try {
                DekInfo dek = getDek(ruleContext, this.kekName, this.kek);
                switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$client$rest$entities$RuleMode[ruleContext.ruleMode().ordinal()]) {
                    case 1:
                        byte[] bytes = FieldEncryptionExecutor.toBytes(fieldContext.getType(), obj);
                        if (bytes == null) {
                            return obj;
                        }
                        byte[] encrypt = this.cryptor.encrypt(dek.getRawDek(), bytes, FieldEncryptionExecutor.EMPTY_AAD);
                        if (fieldContext.getType() == RuleContext.Type.STRING) {
                            encrypt = Base64.getEncoder().encode(encrypt);
                        }
                        return FieldEncryptionExecutor.toObject(fieldContext.getType(), encrypt);
                    case 2:
                        byte[] bytes2 = FieldEncryptionExecutor.toBytes(fieldContext.getType(), obj);
                        if (fieldContext.getType() == RuleContext.Type.STRING) {
                            bytes2 = Base64.getDecoder().decode(bytes2);
                        }
                        Object object = FieldEncryptionExecutor.toObject(fieldContext.getType(), this.cryptor.decrypt(dek.getRawDek(), bytes2, FieldEncryptionExecutor.EMPTY_AAD));
                        return object != null ? object : obj;
                    default:
                        throw new IllegalArgumentException("Unsupported rule mode " + ruleContext.ruleMode());
                }
            } catch (Exception e) {
                throw new RuleException(e);
            }
        }

        public void close() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/FieldEncryptionExecutor$KekInfo.class */
    public static class KekInfo {
        private final String kmsType;
        private final String kmsKeyId;
        private final boolean shared;

        public KekInfo(String str, String str2, boolean z) {
            this.kmsType = str;
            this.kmsKeyId = str2;
            this.shared = z;
        }

        public String getKmsType() {
            return this.kmsType;
        }

        public String getKmsKeyId() {
            return this.kmsKeyId;
        }

        public boolean isShared() {
            return this.shared;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            KekInfo kekInfo = (KekInfo) obj;
            return this.shared == kekInfo.shared && Objects.equals(this.kmsType, kekInfo.kmsType) && Objects.equals(this.kmsKeyId, kekInfo.kmsKeyId);
        }

        public int hashCode() {
            return Objects.hash(this.kmsType, this.kmsKeyId, Boolean.valueOf(this.shared));
        }
    }

    public boolean addOriginalConfigs() {
        return true;
    }

    public void configure(Map<String, ?> map) {
        this.configs = map;
        Object obj = map.get(CACHE_EXPIRY_SECS);
        if (obj != null) {
            try {
                this.cacheExpirySecs = Integer.parseInt(obj.toString());
            } catch (NumberFormatException e) {
                throw new ConfigException("Cannot parse cache.expiry.secs");
            }
        }
        Object obj2 = map.get(CACHE_SIZE);
        if (obj2 != null) {
            try {
                this.cacheSize = Integer.parseInt(obj2.toString());
            } catch (NumberFormatException e2) {
                throw new ConfigException("Cannot parse cache.size");
            }
        }
        Object obj3 = map.get("schema.registry.url");
        if (obj3 == null) {
            throw new ConfigException("Missing schema registry url!");
        }
        this.client = DekRegistryClientFactory.newClient(Arrays.asList(obj3.toString().split("\\s*,\\s*")), this.cacheSize, this.cacheExpirySecs, map, Collections.emptyMap());
        this.cryptors = new ConcurrentHashMap();
    }

    public String type() {
        return TYPE;
    }

    public FieldTransform newTransform(RuleContext ruleContext) throws RuleException {
        FieldEncryptionExecutorTransform fieldEncryptionExecutorTransform = new FieldEncryptionExecutorTransform();
        fieldEncryptionExecutorTransform.init(ruleContext);
        return fieldEncryptionExecutorTransform;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Cryptor getCryptor(RuleContext ruleContext) {
        String parameter = ruleContext.getParameter(ENCRYPT_DEK_ALGORITHM);
        return getCryptor(parameter != null ? DekFormat.valueOf(parameter) : DekFormat.AES256_GCM);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Cryptor getCryptor(DekFormat dekFormat) {
        return this.cryptors.computeIfAbsent(dekFormat, dekFormat2 -> {
            try {
                return new Cryptor(dekFormat);
            } catch (GeneralSecurityException e) {
                throw new IllegalArgumentException("Invalid format " + dekFormat, e);
            }
        });
    }

    public Map<DekFormat, Cryptor> getCryptors() {
        return this.cryptors;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] toBytes(RuleContext.Type type, Object obj) {
        switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[type.ordinal()]) {
            case 1:
                if (obj instanceof ByteBuffer) {
                    return ((ByteBuffer) obj).array();
                }
                if (obj instanceof ByteString) {
                    return ((ByteString) obj).toByteArray();
                }
                if (obj instanceof byte[]) {
                    return (byte[]) obj;
                }
                throw new IllegalArgumentException("Unrecognized bytes object of type: " + obj.getClass().getName());
            case 2:
                return obj.toString().getBytes(StandardCharsets.UTF_8);
            default:
                return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Object toObject(RuleContext.Type type, byte[] bArr) {
        switch (AnonymousClass1.$SwitchMap$io$confluent$kafka$schemaregistry$rules$RuleContext$Type[type.ordinal()]) {
            case 1:
                return bArr;
            case 2:
                return new String(bArr, StandardCharsets.UTF_8);
            default:
                return null;
        }
    }

    public void close() throws RuleException {
        if (this.client != null) {
            try {
                this.client.close();
            } catch (IOException e) {
                throw new RuleException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Aead getAead(Map<String, ?> map, KekInfo kekInfo) throws GeneralSecurityException, RuleException {
        String str = kekInfo.getKmsType() + KMS_TYPE_SUFFIX + kekInfo.getKmsKeyId();
        KmsClient kmsClient = getKmsClient(map, str);
        if (kmsClient == null) {
            throw new RuleException("No kms client found for " + str);
        }
        return kmsClient.getAead(str);
    }

    private static KmsClient getKmsClient(Map<String, ?> map, String str) throws GeneralSecurityException {
        try {
            return KmsDriverManager.getDriver(str).getKmsClient(str);
        } catch (GeneralSecurityException e) {
            return KmsDriverManager.getDriver(str).registerKmsClient(map, Optional.of(str));
        }
    }
}
