package kafka.tier.store;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.ReadChannel;
import com.google.cloud.WriteChannel;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageException;
import com.google.cloud.storage.StorageOptions;
import com.google.common.collect.Lists;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsAeadKeyManager;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import io.confluent.kafka.storage.checksum.E2EChecksumProtectedFileType;
import io.confluent.kafka.storage.checksum.E2EChecksumStore;
import io.confluent.kafka.storage.utils.E2EChecksumUtils;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.FileChannel;
import java.nio.channels.ReadableByteChannel;
import java.nio.file.StandardOpenOption;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.OptionalInt;
import kafka.tier.exceptions.E2EChecksumInvalidException;
import kafka.tier.exceptions.TierObjectStoreFatalException;
import kafka.tier.exceptions.TierObjectStoreRetriableException;
import kafka.tier.store.TierObjectStore;
import kafka.tier.store.encryption.EncryptionKeyManager;
import kafka.tier.store.encryption.KeyContext;
import kafka.tier.store.encryption.KeySha;
import kafka.utils.CoreUtils;
import kafka.utils.Throttler;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.utils.Crc32C;
import org.apache.kafka.common.utils.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:kafka/tier/store/GcsTierObjectStore.class */
public class GcsTierObjectStore implements TierObjectStore {
    private static final Logger log = LoggerFactory.getLogger(GcsTierObjectStore.class);
    private static final int UNKNOWN_END_RANGE_CHUNK_SIZE = 1000000;
    private final Optional<String> clusterIdOpt;
    private final Optional<Integer> brokerIdOpt;
    private final String bucket;
    private final String prefix;
    private final int writeChunkSize;
    private final Storage storage;
    private final EncryptionKeyManager encryptionKeyManager;
    private final Optional<E2EChecksumStore> checksumStoreOpt;
    private static final int DEFAULT_GCS_DELETE_BATCH_SIZE = 500;
    private static final int ERROR_CODE_INVALID_REQ = 400;
    private static final String CRC32C_MISMATCH_STR = "calculated CRC32C";
    public static final String CRC32C_METADATA_KEY = "crc32c";

    /* loaded from: input_file:kafka/tier/store/GcsTierObjectStore$EncryptionKeyManagerHook.class */
    private class EncryptionKeyManagerHook implements EncryptionKeyManager.WellKnownKeypathHook {
        private EncryptionKeyManagerHook() {
        }

        @Override // kafka.tier.store.encryption.EncryptionKeyManager.WellKnownKeypathHook
        public void writeWellKnownPathMetadata(Map<String, String> map) {
            String lastActiveKeyPath = GcsTierObjectStore.this.lastActiveKeyPath();
            GcsTierObjectStore.log.info("Uploading newly generated key to path {}", lastActiveKeyPath);
            GcsTierObjectStore.this.storage.create(BlobInfo.newBuilder(BlobId.of(GcsTierObjectStore.this.bucket, lastActiveKeyPath)).setMetadata(map).build(), new Storage.BlobTargetOption[0]);
        }

        @Override // kafka.tier.store.encryption.EncryptionKeyManager.WellKnownKeypathHook
        public Map<String, String> fetchWellKnownPathMetadata() {
            String lastActiveKeyPath = GcsTierObjectStore.this.lastActiveKeyPath();
            GcsTierObjectStore.log.info("Downloading previously generated key from path {}", lastActiveKeyPath);
            Blob blob = GcsTierObjectStore.this.storage.get(BlobId.of(GcsTierObjectStore.this.bucket, lastActiveKeyPath), new Storage.BlobGetOption[]{Storage.BlobGetOption.fields(new Storage.BlobField[]{Storage.BlobField.METADATA})});
            return blob != null ? blob.getMetadata() : new HashMap();
        }
    }

    /* loaded from: input_file:kafka/tier/store/GcsTierObjectStore$GcsTierObjectStoreResponse.class */
    private static class GcsTierObjectStoreResponse implements TierObjectStoreResponse {
        private final InputStream inputStream;

        GcsTierObjectStoreResponse(ReadChannel readChannel, long j, OptionalInt optionalInt) throws IOException {
            int orElse = optionalInt.orElse(GcsTierObjectStore.UNKNOWN_END_RANGE_CHUNK_SIZE);
            readChannel.seek(j);
            readChannel.setChunkSize(orElse);
            this.inputStream = Channels.newInputStream((ReadableByteChannel) readChannel);
        }

        @Override // kafka.tier.store.TierObjectStoreResponse, java.lang.AutoCloseable
        public void close() throws IOException {
            this.inputStream.close();
        }

        @Override // kafka.tier.store.TierObjectStoreResponse
        public InputStream getInputStream() {
            return this.inputStream;
        }
    }

    public GcsTierObjectStore(Time time, GcsTierObjectStoreConfig gcsTierObjectStoreConfig, Optional<E2EChecksumStore> optional) {
        this(storage(gcsTierObjectStoreConfig), encryptionKeyManager(gcsTierObjectStoreConfig, time, null), gcsTierObjectStoreConfig, optional);
    }

    public GcsTierObjectStore(Time time, Metrics metrics, GcsTierObjectStoreConfig gcsTierObjectStoreConfig, Optional<E2EChecksumStore> optional) {
        this(storage(gcsTierObjectStoreConfig), encryptionKeyManager(gcsTierObjectStoreConfig, time, metrics), gcsTierObjectStoreConfig, optional);
    }

    GcsTierObjectStore(Storage storage, EncryptionKeyManager encryptionKeyManager, GcsTierObjectStoreConfig gcsTierObjectStoreConfig, Optional<E2EChecksumStore> optional) {
        this.clusterIdOpt = gcsTierObjectStoreConfig.clusterIdOpt;
        this.brokerIdOpt = gcsTierObjectStoreConfig.brokerIdOpt;
        this.storage = storage;
        this.bucket = gcsTierObjectStoreConfig.gcsBucket;
        this.prefix = gcsTierObjectStoreConfig.gcsPrefix;
        this.writeChunkSize = gcsTierObjectStoreConfig.gcsWriteChunkSize.intValue();
        expectBucket(this.bucket, gcsTierObjectStoreConfig.gcsRegion);
        this.encryptionKeyManager = encryptionKeyManager;
        if (this.encryptionKeyManager != null) {
            this.encryptionKeyManager.bindHook(new EncryptionKeyManagerHook());
        }
        this.checksumStoreOpt = optional;
    }

    @Override // kafka.tier.store.TierObjectStore
    public TierObjectStore.Backend getBackend() {
        return TierObjectStore.Backend.GCS;
    }

    @Override // kafka.tier.store.TierObjectStore
    public BucketHealthResult checkBucketHealth() {
        try {
            ByteBuffer timeHealthPayload = TierObjectStoreUtils.timeHealthPayload();
            TierObjectStore.HealthMetadata healthMetadata = new TierObjectStore.HealthMetadata(this.clusterIdOpt, this.brokerIdOpt);
            String path = healthMetadata.toPath(this.prefix, TierObjectStore.FileType.HEALTH_CHECK);
            putBuf(path, healthMetadata.objectMetadata(this.clusterIdOpt, this.brokerIdOpt), timeHealthPayload);
            InputStream inputStream = getObject(healthMetadata, TierObjectStore.FileType.HEALTH_CHECK).getInputStream();
            Throwable th = null;
            while (true) {
                try {
                    try {
                        int read = inputStream.read();
                        if (read <= 0) {
                            break;
                        }
                        log.trace("Bucket probe read {} bytes", Integer.valueOf(read));
                    } finally {
                    }
                } finally {
                }
            }
            if (inputStream != null) {
                if (0 != 0) {
                    try {
                        inputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    inputStream.close();
                }
            }
            if (this.storage.delete(BlobId.of(this.bucket, path))) {
                return BucketHealthResult.HEALTHY;
            }
            throw new Exception("Error deleting health key " + path);
        } catch (Exception e) {
            log.error("Bucket health checker returned unclassified error", e);
            return BucketHealthResult.UNCLASSIFIED;
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public Map<String, List<VersionInformation>> listObject(String str, boolean z) {
        HashMap hashMap = new HashMap();
        try {
            for (Blob blob : this.storage.list(this.bucket, new Storage.BlobListOption[]{Storage.BlobListOption.prefix(str), Storage.BlobListOption.versions(z)}).iterateAll()) {
                hashMap.putIfAbsent(blob.getName(), new ArrayList());
                ((List) hashMap.get(blob.getName())).add(new VersionInformation(blob.getGeneration().toString()));
            }
            if (log.isDebugEnabled()) {
                StringBuilder sb = new StringBuilder();
                hashMap.forEach((str2, list) -> {
                    sb.append("[").append(str2).append("->").append(Arrays.toString(list.toArray())).append("] ");
                });
                log.debug("TierObjectStore listObjects versions: " + z + " prefix: " + str + " " + ((Object) sb));
            }
            return hashMap;
        } catch (StorageException e) {
            log.info("Google storage client returned exception while listing " + str + " " + e);
            throw new TierObjectStoreRetriableException(e.getMessage(), e);
        } catch (Exception e2) {
            log.info("Unknown exception while listing " + str + " " + e2);
            throw new TierObjectStoreFatalException(e2.getMessage(), e2);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public TierObjectStoreResponse getObject(TierObjectStore.ObjectStoreMetadata objectStoreMetadata, TierObjectStore.FileType fileType, Integer num, Integer num2, VersionInformation versionInformation) {
        String keyPath = keyPath(objectStoreMetadata, fileType);
        BlobId of = versionInformation != null ? BlobId.of(this.bucket, keyPath, Long.valueOf(Long.parseLong(versionInformation.getVersionId()))) : BlobId.of(this.bucket, keyPath);
        if (num != null && num2 != null && num.intValue() > num2.intValue()) {
            throw new IllegalStateException("Invalid range of byteOffsetStart and byteOffsetEnd");
        }
        if (num == null && num2 != null) {
            throw new IllegalStateException("Cannot specify a byteOffsetEnd without specifying a byteOffsetStart");
        }
        try {
            return new GcsTierObjectStoreResponse(getReader(objectStoreMetadata, fileType, of), num == null ? 0L : num.longValue(), num2 == null ? OptionalInt.empty() : OptionalInt.of(num2.intValue() - num.intValue()));
        } catch (Exception e) {
            throw new TierObjectStoreFatalException(String.format("Unknown exception when fetching object, blobId: %s metadata: %s type: %s range %s-%s", of, objectStoreMetadata, fileType, num, num2), e);
        } catch (StorageException e2) {
            throw new TierObjectStoreRetriableException(String.format("Failed to fetch object, blobId: %s metadata: %s type: %s range %s-%s", of, objectStoreMetadata, fileType, num, num2), e2);
        } catch (TierObjectStoreRetriableException e3) {
            throw e3;
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:62:0x00fc, code lost:
    
        throw new kafka.tier.exceptions.TierObjectStoreRetriableException("Encountered an exception when fetching snapshot from object store.", r10);
     */
    @Override // kafka.tier.store.TierObjectStore
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public java.nio.ByteBuffer getSnapshot(kafka.tier.store.TierObjectStore.ObjectStoreMetadata r6, kafka.tier.store.TierObjectStore.FileType r7, int r8) {
        /*
            Method dump skipped, instructions count: 256
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: kafka.tier.store.GcsTierObjectStore.getSnapshot(kafka.tier.store.TierObjectStore$ObjectStoreMetadata, kafka.tier.store.TierObjectStore$FileType, int):java.nio.ByteBuffer");
    }

    private ReadChannel getReader(TierObjectStore.ObjectStoreMetadata objectStoreMetadata, TierObjectStore.FileType fileType, BlobId blobId) {
        if (objectStoreMetadata.opaqueData().isEmpty() || !fileType.equals(TierObjectStore.FileType.SEGMENT)) {
            return this.storage.reader(blobId, new Storage.BlobSourceOption[0]);
        }
        return this.storage.reader(blobId, new Storage.BlobSourceOption[]{Storage.BlobSourceOption.decryptionKey(getKeyContext(objectStoreMetadata.opaqueData(), blobId).cleartextDataKey.base64Encoded())});
    }

    KeyContext getKeyContext(TierObjectStore.OpaqueData opaqueData, BlobId blobId) {
        if (this.encryptionKeyManager == null) {
            throw new TierObjectStoreFatalException("EncryptionKeyManager is not configured");
        }
        KeySha fromRawBytes = KeySha.fromRawBytes(opaqueData.intoByteArray());
        KeyContext keyContext = this.encryptionKeyManager.keyContext(fromRawBytes);
        if (keyContext == null) {
            log.info("EncryptionKeyManager cache miss while downloading object with KeySha {}, fetching object metadata for cache hydration", fromRawBytes);
            KeySha registerKeyFromObjectMetadata = this.encryptionKeyManager.registerKeyFromObjectMetadata(this.storage.get(blobId, new Storage.BlobGetOption[]{Storage.BlobGetOption.fields(new Storage.BlobField[]{Storage.BlobField.METADATA})}).getMetadata());
            if (!registerKeyFromObjectMetadata.equals(fromRawBytes)) {
                throw new TierObjectStoreFatalException(String.format("KeySha of key material restored from object metadata %s does not match KeySha provided via OpaqueData %s", registerKeyFromObjectMetadata, fromRawBytes));
            }
            keyContext = this.encryptionKeyManager.keyContext(fromRawBytes);
        }
        return keyContext;
    }

    @Override // kafka.tier.store.TierObjectStore
    public TierObjectStore.OpaqueData prepPutSegment() throws TierObjectStoreRetriableException, IOException {
        return this.encryptionKeyManager != null ? TierObjectStore.OpaqueData.fromByteArray(this.encryptionKeyManager.activeKeySha().toRawBytes()) : TierObjectStore.OpaqueData.ZEROED;
    }

    @Override // kafka.tier.store.TierObjectStore
    public void putSegment(TierObjectStore.ObjectMetadata objectMetadata, File file, File file2, File file3, Optional<File> optional, Optional<ByteBuffer> optional2, Optional<ByteBuffer> optional3, Optional<Throttler> optional4) {
        Map<String, String> objectMetadata2 = objectMetadata.objectMetadata(this.clusterIdOpt, this.brokerIdOpt);
        try {
            try {
                putSegmentFile(objectMetadata2, objectMetadata, file, optional4);
                putFileUnencrypted(keyPath(objectMetadata, TierObjectStore.FileType.OFFSET_INDEX), objectMetadata2, file2, E2EChecksumProtectedFileType.OFFSET_INDEX, optional4);
                putFileUnencrypted(keyPath(objectMetadata, TierObjectStore.FileType.TIMESTAMP_INDEX), objectMetadata2, file3, E2EChecksumProtectedFileType.TIMESTAMP_INDEX, optional4);
                if (optional.isPresent()) {
                    putFileUnencrypted(keyPath(objectMetadata, TierObjectStore.FileType.PRODUCER_STATE), objectMetadata2, optional.get(), E2EChecksumProtectedFileType.PRODUCER_STATE, optional4);
                }
                if (optional2.isPresent()) {
                    putBuf(keyPath(objectMetadata, TierObjectStore.FileType.TRANSACTION_INDEX), objectMetadata2, optional2.get());
                }
                if (optional3.isPresent()) {
                    putBuf(keyPath(objectMetadata, TierObjectStore.FileType.EPOCH_STATE), objectMetadata2, optional3.get());
                }
            } catch (Exception e) {
                throw new TierObjectStoreFatalException("Unknown exception when uploading segment: " + objectMetadata, e);
            } catch (StorageException e2) {
                log.warn("Deleting partially uploaded files due to failed to upload segment: " + objectMetadata, e2);
                deleteObjects(objectsForSegment(objectMetadata));
                if (e2.getCode() != ERROR_CODE_INVALID_REQ || !e2.getMessage().contains(CRC32C_MISMATCH_STR)) {
                    throw new TierObjectStoreRetriableException("Failed to upload segment: " + objectMetadata, e2);
                }
                throw new E2EChecksumInvalidException(objectMetadata, e2);
            }
        } finally {
            this.checksumStoreOpt.ifPresent(e2EChecksumStore -> {
                TierObjectStoreUtils.postPutSegmentCleanup(e2EChecksumStore, file, file2, file3);
            });
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public void putInMemorySegment(TierObjectStore.ObjectMetadata objectMetadata, File file, File file2, File file3, Optional<ByteBuffer> optional, Optional<ByteBuffer> optional2, Optional<ByteBuffer> optional3) {
        Map<String, String> objectMetadata2 = objectMetadata.objectMetadata(this.clusterIdOpt, this.brokerIdOpt);
        try {
            try {
                putSegmentFile(objectMetadata2, objectMetadata, file, Optional.empty());
                putFileUnencrypted(keyPath(objectMetadata, TierObjectStore.FileType.OFFSET_INDEX), objectMetadata2, file2, E2EChecksumProtectedFileType.OFFSET_INDEX, Optional.empty());
                putFileUnencrypted(keyPath(objectMetadata, TierObjectStore.FileType.TIMESTAMP_INDEX), objectMetadata2, file3, E2EChecksumProtectedFileType.TIMESTAMP_INDEX, Optional.empty());
                if (optional.isPresent()) {
                    putBuf(keyPath(objectMetadata, TierObjectStore.FileType.PRODUCER_STATE), objectMetadata2, optional.get());
                }
                if (optional2.isPresent()) {
                    putBuf(keyPath(objectMetadata, TierObjectStore.FileType.TRANSACTION_INDEX), objectMetadata2, optional2.get());
                }
                if (optional3.isPresent()) {
                    putBuf(keyPath(objectMetadata, TierObjectStore.FileType.EPOCH_STATE), objectMetadata2, optional3.get());
                }
            } catch (Exception e) {
                throw new TierObjectStoreFatalException("Unknown exception when uploading segment: " + objectMetadata, e);
            } catch (StorageException e2) {
                log.warn("Deleting partially uploaded files due to failed to upload segment: " + objectMetadata, e2);
                deleteObjects(objectsForSegment(objectMetadata));
                if (e2.getCode() != ERROR_CODE_INVALID_REQ || !e2.getMessage().contains(CRC32C_MISMATCH_STR)) {
                    throw new TierObjectStoreRetriableException("Failed to upload segment: " + objectMetadata, e2);
                }
                throw new E2EChecksumInvalidException(objectMetadata, e2);
            }
        } finally {
            this.checksumStoreOpt.ifPresent(e2EChecksumStore -> {
                TierObjectStoreUtils.postPutSegmentCleanup(e2EChecksumStore, file, file2, file3);
            });
        }
    }

    private void putSegmentFile(Map<String, String> map, TierObjectStore.ObjectMetadata objectMetadata, File file, Optional<Throttler> optional) throws IOException {
        if (this.encryptionKeyManager != null) {
            putFileEncrypted(keyPath(objectMetadata, TierObjectStore.FileType.SEGMENT), map, file, objectMetadata.opaqueData(), E2EChecksumProtectedFileType.SEGMENT, optional);
        } else {
            if (!objectMetadata.opaqueData().isEmpty()) {
                throw new TierObjectStoreFatalException(String.format("Attempted to upload a segment with OpaqueData %s, but encryption is not configured", objectMetadata.opaqueData()));
            }
            putFileUnencrypted(keyPath(objectMetadata, TierObjectStore.FileType.SEGMENT), map, file, E2EChecksumProtectedFileType.SEGMENT, optional);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public void putObject(final TierObjectStore.ObjectStoreMetadata objectStoreMetadata, File file, final TierObjectStore.FileType fileType) {
        try {
            putFileUnencrypted(keyPath(objectStoreMetadata, fileType), objectStoreMetadata.objectMetadata(this.clusterIdOpt, this.brokerIdOpt), file, fileType.toE2EChecksumProtectedFileType(), Optional.empty());
        } catch (StorageException e) {
            log.warn("Deleting partially uploaded files due to failed to upload segment: " + objectStoreMetadata, e);
            deleteObjects(new ArrayList<BlobId>() { // from class: kafka.tier.store.GcsTierObjectStore.1
                {
                    add(BlobId.of(GcsTierObjectStore.this.bucket, GcsTierObjectStore.this.keyPath(objectStoreMetadata, fileType)));
                }
            });
            throw new TierObjectStoreRetriableException(String.format("Failed to upload object %s, file %s, type %s", objectStoreMetadata, file, fileType), e);
        } catch (Exception e2) {
            throw new TierObjectStoreFatalException(String.format("Failed to upload object %s, file %s, type %s", objectStoreMetadata, file, fileType), e2);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public void putBuffer(final TierObjectStore.ObjectStoreMetadata objectStoreMetadata, ByteBuffer byteBuffer, final TierObjectStore.FileType fileType) {
        try {
            putBuf(keyPath(objectStoreMetadata, fileType), objectStoreMetadata.objectMetadata(this.clusterIdOpt, this.brokerIdOpt), byteBuffer);
        } catch (Exception e) {
            throw new TierObjectStoreFatalException(String.format("Failed to upload object %s, buffer %s, type %s", objectStoreMetadata, byteBuffer, fileType), e);
        } catch (StorageException e2) {
            log.warn("Deleting partially uploaded files due to failed to upload segment: " + objectStoreMetadata, e2);
            deleteObjects(new ArrayList<BlobId>() { // from class: kafka.tier.store.GcsTierObjectStore.2
                {
                    add(BlobId.of(GcsTierObjectStore.this.bucket, GcsTierObjectStore.this.keyPath(objectStoreMetadata, fileType)));
                }
            });
            throw new TierObjectStoreRetriableException(String.format("Failed to upload object %s, buffer %s, type %s", objectStoreMetadata, byteBuffer, fileType), e2);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public void restoreObjectByCopy(TierObjectStore.ObjectMetadata objectMetadata, String str, VersionInformation versionInformation) {
        String versionId = versionInformation.getVersionId();
        try {
            Storage.CopyRequest.Builder newBuilder = Storage.CopyRequest.newBuilder();
            BlobId of = BlobId.of(this.bucket, str, Long.valueOf(Long.parseLong(versionId)));
            BlobId of2 = BlobId.of(this.bucket, str);
            if (this.encryptionKeyManager == null || !str.endsWith(TierObjectStore.FileType.SEGMENT.suffix()) || objectMetadata.opaqueData().isEmpty()) {
                log.debug("Restore unencrypted object by copying the last live version {} to gs://{}/{}", new Object[]{versionId, this.bucket, str});
                newBuilder.setSource(of).setTarget(of2);
            } else {
                KeyContext keyContext = getKeyContext(objectMetadata.opaqueData(), of);
                if (keyContext == null) {
                    throw new TierObjectStoreFatalException(String.format("No valid KeyContext for copying object '%s'", str));
                }
                String base64Encoded = keyContext.cleartextDataKey.base64Encoded();
                log.debug("Restore encrypted object by copying the last live version {} to gs://{}/{}", new Object[]{versionId, this.bucket, str});
                newBuilder.setSource(of).setSourceOptions(new Storage.BlobSourceOption[]{Storage.BlobSourceOption.decryptionKey(base64Encoded)}).setTarget(of2, new Storage.BlobTargetOption[]{Storage.BlobTargetOption.encryptionKey(base64Encoded)});
            }
            this.storage.copy(newBuilder.build());
        } catch (Exception e) {
            throw new TierObjectStoreFatalException(String.format("Unknown exception when restoring object %s (version: %s)", str, versionId), e);
        } catch (StorageException e2) {
            throw new TierObjectStoreRetriableException(String.format("Failed to restore object %s (version: %s)", str, versionId), e2);
        }
    }

    private List<BlobId> objectsForSegment(TierObjectStore.ObjectMetadata objectMetadata) {
        ArrayList arrayList = new ArrayList();
        for (TierObjectStore.FileType fileType : getFileTypesPerSegment()) {
            switch (fileType) {
                case TRANSACTION_INDEX:
                    if (objectMetadata.hasAbortedTxns()) {
                        arrayList.add(BlobId.of(this.bucket, keyPath(objectMetadata, fileType)));
                        break;
                    } else {
                        break;
                    }
                case EPOCH_STATE:
                    if (objectMetadata.hasEpochState()) {
                        arrayList.add(BlobId.of(this.bucket, keyPath(objectMetadata, fileType)));
                        break;
                    } else {
                        break;
                    }
                case PRODUCER_STATE:
                    if (objectMetadata.hasProducerState()) {
                        arrayList.add(BlobId.of(this.bucket, keyPath(objectMetadata, fileType)));
                        break;
                    } else {
                        break;
                    }
                default:
                    arrayList.add(BlobId.of(this.bucket, keyPath(objectMetadata, fileType)));
                    break;
            }
        }
        return arrayList;
    }

    @Override // kafka.tier.store.TierObjectStore
    public void deleteSegment(TierObjectStore.ObjectMetadata objectMetadata) {
        Blob blob;
        List<BlobId> objectsForSegment = objectsForSegment(objectMetadata);
        log.debug("Deleting " + objectsForSegment);
        ArrayList arrayList = new ArrayList();
        try {
            List delete = this.storage.delete(objectsForSegment);
            log.debug("Deletion result " + delete);
            for (int i = 0; i < delete.size(); i++) {
                if (!((Boolean) delete.get(i)).booleanValue() && (blob = this.storage.get(objectsForSegment.get(i))) != null) {
                    log.warn("Found object " + blob.getBlobId() + " that was expected to be deleted of " + objectMetadata);
                    arrayList.add(blob.getBlobId());
                }
            }
            if (!arrayList.isEmpty()) {
                throw new TierObjectStoreRetriableException("Deletion failed for " + objectMetadata + ". Blobs still exist in object storage with blob ids: " + arrayList);
            }
        } catch (Exception e) {
            throw new TierObjectStoreFatalException("Unknown exception when deleting segment: " + objectMetadata, e);
        } catch (StorageException e2) {
            throw new TierObjectStoreRetriableException("Failed to delete segment: " + objectMetadata, e2);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public void deleteVersions(List<TierObjectStore.KeyAndVersion> list) {
        ArrayList arrayList = new ArrayList();
        for (TierObjectStore.KeyAndVersion keyAndVersion : list) {
            BlobId of = keyAndVersion.versionId() == null ? BlobId.of(this.bucket, keyAndVersion.key()) : BlobId.of(this.bucket, keyAndVersion.key(), Long.valueOf(Long.parseLong(keyAndVersion.versionId())));
            arrayList.add(of);
            log.debug("TierObjectStore sending delete request for " + of.getName());
            if (arrayList.size() >= DEFAULT_GCS_DELETE_BATCH_SIZE) {
                deleteObjects(arrayList);
                arrayList.clear();
            }
        }
        if (arrayList.isEmpty()) {
            return;
        }
        deleteObjects(arrayList);
    }

    private void deleteObjects(List<BlobId> list) {
        log.info("TierObjectStore sending batch delete request for " + list.size() + " objects");
        try {
            Iterator it = this.storage.delete(list).iterator();
            Iterator<BlobId> it2 = list.iterator();
            while (it.hasNext() && it2.hasNext()) {
                BlobId next = it2.next();
                if (((Boolean) it.next()).booleanValue()) {
                    log.info("Deleted blob " + next.toString());
                } else {
                    log.warn("Unable to delete blob " + next.toString() + ". Could be deletion failure or that blob is not found");
                }
            }
        } catch (StorageException e) {
            log.error("StorageException while deleting versioned objects of size: " + list.size(), e);
            throw new TierObjectStoreRetriableException("StorageException while deleting versioned objects. " + e);
        } catch (Exception e2) {
            log.error("Fatal exception while deleting versioned objects of size: " + list.size(), e2);
            throw new TierObjectStoreFatalException("Fatal exception while deleting versioned objects." + e2);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public TierObjectAttribute objectExists(TierObjectStore.ObjectStoreMetadata objectStoreMetadata, TierObjectStore.FileType fileType) throws TierObjectStoreRetriableException {
        TierObjectAttribute tierObjectAttribute = new TierObjectAttribute(false);
        try {
            Blob blob = this.storage.get(this.bucket, keyPath(objectStoreMetadata, fileType), new Storage.BlobGetOption[0]);
            if (blob != null) {
                tierObjectAttribute.exist = true;
                tierObjectAttribute.size = blob.getSize().longValue();
            }
            return tierObjectAttribute;
        } catch (Exception e) {
            throw new TierObjectStoreFatalException("Unknown exception when checking object existence: " + objectStoreMetadata + " type: " + fileType, e);
        } catch (StorageException e2) {
            throw new TierObjectStoreRetriableException("Failed to check object existence: " + objectStoreMetadata + " type: " + fileType, e2);
        }
    }

    @Override // kafka.tier.store.TierObjectStore
    public void close() {
        if (this.encryptionKeyManager != null) {
            this.encryptionKeyManager.close();
        }
    }

    private void putFileUnencrypted(String str, Map<String, String> map, File file, E2EChecksumProtectedFileType e2EChecksumProtectedFileType, Optional<Throttler> optional) throws IOException {
        BlobId of = BlobId.of(this.bucket, str);
        Optional empty = Optional.empty();
        if (this.checksumStoreOpt.isPresent() && this.checksumStoreOpt.get().checksumProtectionEnabled(e2EChecksumProtectedFileType)) {
            empty = E2EChecksumUtils.getBase64CrcFromStore(this.checksumStoreOpt.get(), file, map);
        }
        if (!empty.isPresent()) {
            BlobInfo build = BlobInfo.newBuilder(of).setMetadata(map).build();
            log.debug("Uploading object to gs://{}/{}, with throttling: {}", new Object[]{this.bucket, str, Boolean.valueOf(optional.isPresent())});
            doFileWrite(file, this.storage.writer(build, new Storage.BlobWriteOption[]{Storage.BlobWriteOption.doesNotExist()}), optional);
        } else {
            String str2 = (String) empty.get();
            map.put(CRC32C_METADATA_KEY, str2);
            BlobInfo build2 = BlobInfo.newBuilder(of).setMetadata(map).setCrc32c(str2).build();
            log.debug("Uploading object to gs://{}/{} with crc {}, with throttling: {}", new Object[]{this.bucket, str, str2, Boolean.valueOf(optional.isPresent())});
            doFileWrite(file, this.storage.writer(build2, new Storage.BlobWriteOption[]{Storage.BlobWriteOption.doesNotExist(), Storage.BlobWriteOption.crc32cMatch()}), optional);
            map.remove(CRC32C_METADATA_KEY);
        }
    }

    private void putFileEncrypted(String str, Map<String, String> map, File file, TierObjectStore.OpaqueData opaqueData, E2EChecksumProtectedFileType e2EChecksumProtectedFileType, Optional<Throttler> optional) throws IOException {
        if (opaqueData == null || opaqueData.isEmpty()) {
            throw new TierObjectStoreFatalException("Encryption was enabled but no valid OpaqueData object was provided");
        }
        KeySha fromRawBytes = KeySha.fromRawBytes(opaqueData.intoByteArray());
        KeyContext keyContext = this.encryptionKeyManager.keyContext(fromRawBytes);
        if (keyContext == null) {
            throw new TierObjectStoreFatalException(String.format("No valid KeyContext for KeySha '%s'", fromRawBytes));
        }
        map.putAll(keyContext.metadata);
        Storage.BlobWriteOption encryptionKey = Storage.BlobWriteOption.encryptionKey(keyContext.cleartextDataKey.base64Encoded());
        BlobId of = BlobId.of(this.bucket, str);
        Optional empty = Optional.empty();
        if (this.checksumStoreOpt.isPresent() && this.checksumStoreOpt.get().checksumProtectionEnabled(e2EChecksumProtectedFileType)) {
            empty = E2EChecksumUtils.getBase64CrcFromStore(this.checksumStoreOpt.get(), file, map);
        }
        if (!empty.isPresent()) {
            BlobInfo build = BlobInfo.newBuilder(of).setMetadata(map).build();
            log.debug("Uploading encrypted object to gs://{}/{} with KeySha {}, with throttling: {}", new Object[]{this.bucket, str, keyContext.keySha, Boolean.valueOf(optional.isPresent())});
            doFileWrite(file, this.storage.writer(build, new Storage.BlobWriteOption[]{encryptionKey, Storage.BlobWriteOption.doesNotExist()}), optional);
        } else {
            String str2 = (String) empty.get();
            map.put(CRC32C_METADATA_KEY, str2);
            BlobInfo build2 = BlobInfo.newBuilder(of).setMetadata(map).setCrc32c(str2).build();
            log.debug("Uploading encrypted object to gs://{}/{} with KeySha {} , crc {}, with throttling: {}", new Object[]{this.bucket, str, keyContext.keySha, str2, Boolean.valueOf(optional.isPresent())});
            doFileWrite(file, this.storage.writer(build2, new Storage.BlobWriteOption[]{encryptionKey, Storage.BlobWriteOption.doesNotExist(), Storage.BlobWriteOption.crc32cMatch()}), optional);
            map.remove(CRC32C_METADATA_KEY);
        }
    }

    /* JADX WARN: Finally extract failed */
    private void doFileWrite(File file, WriteChannel writeChannel, Optional<Throttler> optional) throws IOException {
        Throwable th = null;
        try {
            FileChannel open = FileChannel.open(file.toPath(), StandardOpenOption.READ);
            Throwable th2 = null;
            try {
                if (this.writeChunkSize > 0) {
                    writeChannel.setChunkSize(this.writeChunkSize);
                }
                long j = 0;
                long length = file.length();
                while (j < length) {
                    long transferTo = open.transferTo(j, length, writeChannel);
                    optional.ifPresent(throttler -> {
                        if (transferTo > 0) {
                            throttler.maybeThrottle(transferTo);
                        }
                    });
                    j += transferTo;
                }
                if (open != null) {
                    if (0 != 0) {
                        try {
                            open.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                    } else {
                        open.close();
                    }
                }
                if (writeChannel != null) {
                    if (0 == 0) {
                        writeChannel.close();
                        return;
                    }
                    try {
                        writeChannel.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                }
            } catch (Throwable th5) {
                if (open != null) {
                    if (0 != 0) {
                        try {
                            open.close();
                        } catch (Throwable th6) {
                            th2.addSuppressed(th6);
                        }
                    } else {
                        open.close();
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (writeChannel != null) {
                if (0 != 0) {
                    try {
                        writeChannel.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    writeChannel.close();
                }
            }
            throw th7;
        }
    }

    public static String crc32c(ByteBuffer byteBuffer) {
        long compute = Crc32C.compute(byteBuffer, 0, byteBuffer.remaining());
        ByteBuffer allocate = ByteBuffer.allocate(8);
        allocate.putLong(0, compute);
        byte[] bArr = new byte[4];
        allocate.position(4);
        allocate.get(bArr);
        return CoreUtils.toBase64(bArr);
    }

    public void putBuf(String str, Map<String, String> map, ByteBuffer byteBuffer) throws IOException {
        ByteBuffer duplicate = byteBuffer.duplicate();
        BlobInfo build = BlobInfo.newBuilder(BlobId.of(this.bucket, str)).setMetadata(map).setCrc32c(crc32c(byteBuffer)).build();
        log.debug("Uploading object {}", str);
        WriteChannel writer = this.storage.writer(build, new Storage.BlobWriteOption[]{Storage.BlobWriteOption.crc32cMatch()});
        Throwable th = null;
        try {
            try {
                if (this.writeChunkSize > 0) {
                    writer.setChunkSize(this.writeChunkSize);
                }
                while (duplicate.hasRemaining()) {
                    writer.write(duplicate);
                }
                if (writer != null) {
                    if (0 == 0) {
                        writer.close();
                        return;
                    }
                    try {
                        writer.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (writer != null) {
                if (th != null) {
                    try {
                        writer.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    writer.close();
                }
            }
            throw th4;
        }
    }

    private static EncryptionKeyManager encryptionKeyManager(GcsTierObjectStoreConfig gcsTierObjectStoreConfig, Time time, Metrics metrics) {
        if (gcsTierObjectStoreConfig.gcsSseCustomerEncryptionKey == null || gcsTierObjectStoreConfig.gcsSseCustomerEncryptionKey.isEmpty()) {
            return null;
        }
        String str = gcsTierObjectStoreConfig.gcsSseCustomerEncryptionKey;
        if (!str.startsWith("gcp-kms://")) {
            str = "gcp-kms://" + str;
        }
        log.info(String.format("Configuring EncryptionKeyManager using KMS key '%s'", str));
        try {
            GcpKmsClient.register(Optional.of(str), gcsTierObjectStoreConfig.gcsCredFilePath);
            AeadConfig.register();
            return new EncryptionKeyManager(time, metrics, (Aead) KeysetHandle.generateNew(KmsAeadKeyManager.createKeyTemplate(str)).getPrimitive(Aead.class), gcsTierObjectStoreConfig.encryptionKeyManagerKeyRotationInterval);
        } catch (GeneralSecurityException e) {
            throw new TierObjectStoreFatalException("Could not construct master key AEAD", e);
        }
    }

    private static Storage storage(GcsTierObjectStoreConfig gcsTierObjectStoreConfig) {
        if (!gcsTierObjectStoreConfig.gcsCredFilePath.isPresent()) {
            return StorageOptions.getDefaultInstance().getService();
        }
        try {
            return StorageOptions.newBuilder().setCredentials(GoogleCredentials.fromStream(new FileInputStream(gcsTierObjectStoreConfig.gcsCredFilePath.get())).createScoped(Lists.newArrayList(new String[]{"https://www.googleapis.com/auth/cloud-platform"}))).build().getService();
        } catch (IOException e) {
            throw new TierObjectStoreFatalException("Error in opening GCS credentials file", e);
        }
    }

    private void expectBucket(String str, String str2) throws TierObjectStoreFatalException {
        try {
            Bucket bucket = this.storage.get(str, new Storage.BucketGetOption[]{Storage.BucketGetOption.fields(new Storage.BucketField[]{Storage.BucketField.LOCATION})});
            if (bucket == null) {
                throw new TierObjectStoreFatalException("Configured bucket " + str + " does not exist or could not be found");
            }
            String location = bucket.getLocation();
            if (str2.equalsIgnoreCase(location)) {
                return;
            }
            log.warn("Bucket region {} does not match expected region {}", location, str2);
        } catch (StorageException e) {
            throw new TierObjectStoreFatalException("Unable to access bucket " + str, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String lastActiveKeyPath() {
        return this.prefix + TierObjectStore.DataTypePathPrefix.LAST_ACTIVE_ENCRYPTION_KEY.prefix() + "last-active-key";
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String keyPath(TierObjectStore.ObjectStoreMetadata objectStoreMetadata, TierObjectStore.FileType fileType) {
        return objectStoreMetadata.toPath(this.prefix, fileType);
    }
}
