package io.confluent.kafka.schemaregistry.encryption.local;

import com.google.crypto.tink.KmsClient;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/local/LocalKmsDriver.class */
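/**
 * {@link KmsDriver} for the "local" KMS, which builds a {@link LocalKmsClient} from a
 * secret supplied through configuration or the process environment.
 *
 * <p>The secret is looked up under the {@link #SECRET} config key first and the
 * {@link #LOCAL_SECRET} environment variable second. Old secrets are looked up the same
 * way under {@link #OLD_SECRETS} and {@link #LOCAL_OLD_SECRETS}.
 *
 * <p>NOTE(review): the secret is held as a plain {@code String} in the config map or the
 * environment, so whatever dumps configs or environments (debug logging, crash reports,
 * process listings) can expose it. This class never puts the secret into an exception
 * message; keep it that way.
 */
public class LocalKmsDriver implements KmsDriver {
    /** Config key holding the current secret. */
    public static final String SECRET = "secret";
    /** Config key holding a comma-separated list of previous secrets. */
    public static final String OLD_SECRETS = "old.secrets";
    /** Environment variable consulted when {@link #SECRET} is not configured. */
    public static final String LOCAL_SECRET = "LOCAL_SECRET";
    /** Environment variable consulted when {@link #OLD_SECRETS} is not configured. */
    public static final String LOCAL_OLD_SECRETS = "LOCAL_OLD_SECRETS";

    /**
     * Returns the key URL prefix this driver is responsible for.
     *
     * @return {@link LocalKmsClient#PREFIX}
     */
    public String getKeyUrlPrefix() {
        return LocalKmsClient.PREFIX;
    }

    /**
     * Resolves the current secret from the config map, falling back to the
     * {@link #LOCAL_SECRET} environment variable.
     *
     * @param configs driver configuration; the value under {@link #SECRET} must be a String
     * @return the non-blank secret
     * @throws GeneralSecurityException if no secret is configured, or if it is empty or
     *     only whitespace
     */
    private String getSecret(Map<String, ?> configs) throws GeneralSecurityException {
        String secret = (String) configs.get(SECRET);
        if (secret == null) {
            secret = System.getenv(LOCAL_SECRET);
        }
        if (secret == null) {
            throw new GeneralSecurityException("cannot load secret");
        }
        // An empty or whitespace-only value (e.g. an unset template variable rendered as "")
        // would otherwise be handed to LocalKmsClient as if it were real secret material.
        // Fail closed instead. The message deliberately omits the value.
        if (secret.trim().isEmpty()) {
            throw new GeneralSecurityException("cannot load secret: value is empty");
        }
        return secret;
    }

    /**
     * Resolves the list of previous secrets from the config map, falling back to the
     * {@link #LOCAL_OLD_SECRETS} environment variable.
     *
     * @param configs driver configuration; the value under {@link #OLD_SECRETS} must be a
     *     String
     * @return the comma-separated entries in order, or an empty list when nothing is set
     */
    private List<String> getOldSecrets(Map<String, ?> configs) {
        String joined = (String) configs.get(OLD_SECRETS);
        if (joined == null) {
            joined = System.getenv(LOCAL_OLD_SECRETS);
        }
        if (joined == null) {
            return Collections.emptyList();
        }
        // NOTE(review): entries are passed through exactly as split. Whitespace around a
        // comma is kept, and "" or "a,,b" yields an empty entry. Confirm how LocalKmsClient
        // treats an empty old secret before relying on this list being well-formed.
        return Arrays.asList(joined.split(","));
    }

    /**
     * Creates a {@link LocalKmsClient} for the given key URL.
     *
     * @param map driver configuration, read for the secret and the old secrets
     * @param optional key URL to bind the client to; {@link LocalKmsClient#PREFIX} is used
     *     when absent
     * @return a new client built from the URL, the current secret and the old secrets
     * @throws GeneralSecurityException if the secret is missing or blank, or if
     *     {@link LocalKmsClient} rejects its arguments
     */
    public KmsClient newKmsClient(Map<String, ?> map, Optional<String> optional) throws GeneralSecurityException {
        String keyUrl = optional.orElse(LocalKmsClient.PREFIX);
        return new LocalKmsClient(keyUrl, getSecret(map), getOldSecrets(map));
    }
}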
