package org.apache.beam.it.gcp.kms;

import com.google.api.gax.core.CredentialsProvider;
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.DecryptResponse;
import com.google.cloud.kms.v1.EncryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.LocationName;
import com.google.protobuf.ByteString;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.stream.StreamSupport;
import org.apache.beam.it.common.ResourceManager;
import org.apache.beam.vendor.guava.v32_1_2_jre.com.google.common.annotations.VisibleForTesting;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/beam/it/gcp/kms/KMSResourceManager.class */
public class KMSResourceManager implements ResourceManager {
    private static final Logger LOG = LoggerFactory.getLogger(KMSResourceManager.class);
    private static final String DEFAULT_KMS_REGION = "us-central1";
    private final String projectId;
    private final String region;
    private final KMSClientFactory clientFactory;
    private KeyRing keyRing;

    /* loaded from: input_file:org/apache/beam/it/gcp/kms/KMSResourceManager$Builder.class */
    public static final class Builder {
        private final String projectId;
        private CredentialsProvider credentialsProvider;
        private String region;

        private Builder(String str, CredentialsProvider credentialsProvider) {
            this.projectId = str;
            this.region = KMSResourceManager.DEFAULT_KMS_REGION;
            this.credentialsProvider = credentialsProvider;
        }

        public Builder setCredentialsProvider(CredentialsProvider credentialsProvider) {
            this.credentialsProvider = credentialsProvider;
            return this;
        }

        public Builder setRegion(String str) {
            this.region = str;
            return this;
        }

        public KMSResourceManager build() {
            return new KMSResourceManager(this);
        }
    }

    private KMSResourceManager(Builder builder) {
        this(new KMSClientFactory(builder.credentialsProvider), builder);
    }

    @VisibleForTesting
    KMSResourceManager(KMSClientFactory kMSClientFactory, Builder builder) {
        this.clientFactory = kMSClientFactory;
        this.projectId = builder.projectId;
        this.region = builder.region;
        this.keyRing = null;
    }

    public static Builder builder(String str, CredentialsProvider credentialsProvider) {
        return new Builder(str, credentialsProvider);
    }

    private void maybeCreateKeyRing(String str) {
        KeyManagementServiceClient kMSClient = this.clientFactory.getKMSClient();
        try {
            LocationName of = LocationName.of(this.projectId, this.region);
            KeyRing build = KeyRing.newBuilder().build();
            LOG.info("Checking if keyring {} already exists in KMS.", str);
            String keyRingName = KeyRingName.of(this.projectId, this.region, str).toString();
            Optional findFirst = StreamSupport.stream(kMSClient.listKeyRings(of).iterateAll().spliterator(), false).filter(keyRing -> {
                return keyRing.getName().equals(keyRingName);
            }).findFirst();
            if (findFirst.isPresent()) {
                LOG.info("Keyring {} already exists. Retrieving the keyring from KMS.", str);
                this.keyRing = (KeyRing) findFirst.get();
                LOG.info("Retrieved keyring {}.", this.keyRing.getName());
            } else {
                LOG.info("Keyring {} does not exist. Creating the keyring in KMS.", str);
                this.keyRing = kMSClient.createKeyRing(of, str, build);
                LOG.info("Created keyring {}.", this.keyRing.getName());
            }
            if (kMSClient != null) {
                kMSClient.close();
            }
        } catch (Throwable th) {
            if (kMSClient != null) {
                try {
                    kMSClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public synchronized CryptoKey getOrCreateCryptoKey(String str, String str2) {
        CryptoKey cryptoKey;
        if (this.keyRing == null) {
            maybeCreateKeyRing(str);
        }
        KeyManagementServiceClient kMSClient = this.clientFactory.getKMSClient();
        try {
            CryptoKey build = CryptoKey.newBuilder().setPurpose(CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT).setVersionTemplate(CryptoKeyVersionTemplate.newBuilder().setAlgorithm(CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)).build();
            LOG.info("Checking if symmetric key {} already exists in KMS.", str2);
            String cryptoKeyName = CryptoKeyName.of(this.projectId, this.region, str, str2).toString();
            Optional findFirst = StreamSupport.stream(kMSClient.listCryptoKeys(this.keyRing.getName()).iterateAll().spliterator(), false).filter(cryptoKey2 -> {
                return cryptoKey2.getName().equals(cryptoKeyName);
            }).findFirst();
            if (findFirst.isPresent()) {
                LOG.info("Symmetric key {} already exists. Retrieving the key from KMS.", str2);
                cryptoKey = (CryptoKey) findFirst.get();
                LOG.info("Retrieved symmetric key {}.", cryptoKey.getName());
            } else {
                LOG.info("Symmetric key {} does not exist. Creating the key in KMS.", str2);
                cryptoKey = kMSClient.createCryptoKey(this.keyRing.getName(), str2, build);
                LOG.info("Created symmetric key {}.", cryptoKey.getName());
            }
            CryptoKey cryptoKey3 = cryptoKey;
            if (kMSClient != null) {
                kMSClient.close();
            }
            return cryptoKey3;
        } catch (Throwable th) {
            if (kMSClient != null) {
                try {
                    kMSClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public synchronized String encrypt(String str, String str2, String str3) {
        CryptoKeyName of = CryptoKeyName.of(this.projectId, this.region, str, str2);
        LOG.info("Encrypting given message using key {}.", of.toString());
        KeyManagementServiceClient kMSClient = this.clientFactory.getKMSClient();
        try {
            EncryptResponse encrypt = kMSClient.encrypt(of, ByteString.copyFromUtf8(str3));
            LOG.info("Successfully encrypted message.");
            String str4 = new String(Base64.getEncoder().encode(encrypt.getCiphertext().toByteArray()), StandardCharsets.UTF_8);
            if (kMSClient != null) {
                kMSClient.close();
            }
            return str4;
        } catch (Throwable th) {
            if (kMSClient != null) {
                try {
                    kMSClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public synchronized String decrypt(String str, String str2, String str3) {
        CryptoKeyName of = CryptoKeyName.of(this.projectId, this.region, str, str2);
        LOG.info("Decrypting given ciphertext using key {}.", of.toString());
        KeyManagementServiceClient kMSClient = this.clientFactory.getKMSClient();
        try {
            DecryptResponse decrypt = kMSClient.decrypt(of, ByteString.copyFrom(Base64.getDecoder().decode(str3.getBytes(StandardCharsets.UTF_8))));
            LOG.info("Successfully decrypted ciphertext.");
            String stringUtf8 = decrypt.getPlaintext().toStringUtf8();
            if (kMSClient != null) {
                kMSClient.close();
            }
            return stringUtf8;
        } catch (Throwable th) {
            if (kMSClient != null) {
                try {
                    kMSClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void cleanupAll() {
        LOG.info("Not cleaning up KMS keys.");
    }
}
