package de.otto.kafka.messaging.e2ee.vault;

import de.otto.kafka.messaging.e2ee.EncryptionKeyProvider;
import io.github.jopenlibs.vault.json.Json;
import io.github.jopenlibs.vault.json.JsonArray;
import io.github.jopenlibs.vault.json.JsonObject;
import io.github.jopenlibs.vault.json.JsonValue;
import io.github.jopenlibs.vault.json.WriterConfig;
import java.time.Clock;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Predicate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/otto/kafka/messaging/e2ee/vault/CachedEncryptionKeyProvider.class */
public final class CachedEncryptionKeyProvider implements EncryptionKeyProvider {
    private static final DateTimeFormatter DTF = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mmX");
    private static final Logger log = LoggerFactory.getLogger(CachedEncryptionKeyProvider.class);
    private static final String NAME_ENTRIES = "entries";
    private static final String NAME_TOPIC = "topic";
    private static final String NAME_VERSION = "version";
    private static final String NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME = "encryptionKeyAttributeName";
    private static final String NAME_ENCODED_KEY = "encodedKey";
    private static final String NAME_EXPIRE_AT = "expireAt";
    private final ReentrantLock lock;
    private final EncryptionKeyProvider realEncryptionKeyProvider;
    private final SecondLevelCacheStorage cacheStorage;
    private final Clock clock;
    private final Duration cachingDuration;

    public CachedEncryptionKeyProvider(EncryptionKeyProvider encryptionKeyProvider, SecondLevelCacheStorage secondLevelCacheStorage, Duration duration) {
        this(encryptionKeyProvider, secondLevelCacheStorage, Clock.systemDefaultZone(), duration);
    }

    public CachedEncryptionKeyProvider(EncryptionKeyProvider encryptionKeyProvider, SecondLevelCacheStorage secondLevelCacheStorage, Clock clock, Duration duration) {
        this.lock = new ReentrantLock();
        this.realEncryptionKeyProvider = (EncryptionKeyProvider) Objects.requireNonNull(encryptionKeyProvider, "realEncryptionKeyProvider is required");
        this.cacheStorage = (SecondLevelCacheStorage) Objects.requireNonNull(secondLevelCacheStorage, "cacheStorage is required");
        this.clock = (Clock) Objects.requireNonNull(clock, "clock is required");
        this.cachingDuration = (Duration) Objects.requireNonNull(duration, "cachingDuration is required");
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public EncryptionKeyProvider.KeyVersion retrieveKeyForEncryption(String str) {
        EncryptionKeyProvider.KeyVersion keyVersion;
        this.lock.lock();
        try {
            List<JsonObject> loadCacheEntries = loadCacheEntries();
            Object obj = null;
            JsonObject findAtMostOneEntry = findAtMostOneEntry(loadCacheEntries, jsonObject -> {
                return (!Objects.equals(str, jsonObject.getString(NAME_TOPIC)) || jsonObject.getString(NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME) == null || jsonObject.getString(NAME_EXPIRE_AT) == null) ? false : true;
            }, sortByVersion());
            if (findAtMostOneEntry != null) {
                obj = new EncryptionKeyProvider.KeyVersion(findAtMostOneEntry.getInt(NAME_VERSION).intValue(), findAtMostOneEntry.getString(NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME), findAtMostOneEntry.getString(NAME_ENCODED_KEY));
                if (OffsetDateTime.now(this.clock).isBefore(OffsetDateTime.parse(findAtMostOneEntry.getString(NAME_EXPIRE_AT), DTF).plus(Math.round(Math.random() * 120000.0d), (TemporalUnit) ChronoUnit.MILLIS))) {
                    log.debug("use cached key version for topic {}", str);
                    this.lock.unlock();
                    return obj;
                }
            }
            String retrieveNewExpiredAtTimestamp = retrieveNewExpiredAtTimestamp();
            try {
                keyVersion = this.realEncryptionKeyProvider.retrieveKeyForEncryption(str);
            } catch (Exception e) {
                if (findAtMostOneEntry == null) {
                    throw e;
                }
                log.warn("Retrieval of Vault EncryptionKey failed. Use cached EncryptionKey instead.", e);
                findAtMostOneEntry.set(NAME_EXPIRE_AT, Json.value(retrieveNewExpiredAtTimestamp));
                keyVersion = obj;
            }
            if (keyVersion == null) {
                return null;
            }
            if (findAtMostOneEntry == null || !keyVersion.equals(obj)) {
                JsonObject jsonObject2 = new JsonObject();
                jsonObject2.add(NAME_TOPIC, Json.value(str));
                jsonObject2.add(NAME_VERSION, Json.value(keyVersion.version()));
                jsonObject2.add(NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME, Json.value((String) Objects.requireNonNull(keyVersion.encryptionKeyAttributeName())));
                jsonObject2.add(NAME_ENCODED_KEY, Json.value(keyVersion.encodedKey()));
                jsonObject2.add(NAME_EXPIRE_AT, Json.value(retrieveNewExpiredAtTimestamp));
                loadCacheEntries.add(jsonObject2);
            } else {
                log.debug("update cached key version for topic {} with new expiry date {}", str, retrieveNewExpiredAtTimestamp);
                findAtMostOneEntry.set(NAME_EXPIRE_AT, Json.value(retrieveNewExpiredAtTimestamp));
            }
            JsonArray jsonArray = new JsonArray();
            Iterator<JsonObject> it = loadCacheEntries.iterator();
            while (it.hasNext()) {
                jsonArray.add(it.next());
            }
            JsonObject jsonObject3 = new JsonObject();
            jsonObject3.add(NAME_ENTRIES, jsonArray);
            try {
                this.cacheStorage.storeEntry(jsonObject3.toString(WriterConfig.MINIMAL));
            } catch (Exception e2) {
                if (log.isDebugEnabled()) {
                    log.debug(e2.getMessage(), e2);
                } else {
                    log.warn("Failed to store 2nd-level cache value. Error: {}", e2.getMessage());
                }
            }
            EncryptionKeyProvider.KeyVersion keyVersion2 = keyVersion;
            this.lock.unlock();
            return keyVersion2;
        } finally {
            this.lock.unlock();
        }
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public String retrieveKeyForDecryption(String str, int i) {
        this.lock.lock();
        try {
            List<JsonObject> loadCacheEntries = loadCacheEntries();
            JsonObject findAtMostOneEntry = findAtMostOneEntry(loadCacheEntries, jsonObject -> {
                return Objects.equals(str, jsonObject.getString(NAME_TOPIC)) && i == jsonObject.getInt(NAME_VERSION).intValue() && jsonObject.getString(NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME) == null;
            }, noSortOrder());
            if (findAtMostOneEntry != null) {
                String string = findAtMostOneEntry.getString(NAME_ENCODED_KEY);
                this.lock.unlock();
                return string;
            }
            String retrieveKeyForDecryption = this.realEncryptionKeyProvider.retrieveKeyForDecryption(str, i);
            JsonObject jsonObject2 = new JsonObject();
            jsonObject2.add(NAME_TOPIC, Json.value(str));
            jsonObject2.add(NAME_VERSION, Json.value(i));
            jsonObject2.add(NAME_ENCODED_KEY, Json.value(retrieveKeyForDecryption));
            loadCacheEntries.add(jsonObject2);
            JsonArray jsonArray = new JsonArray();
            Iterator<JsonObject> it = loadCacheEntries.iterator();
            while (it.hasNext()) {
                jsonArray.add(it.next());
            }
            JsonObject jsonObject3 = new JsonObject();
            jsonObject3.add(NAME_ENTRIES, jsonArray);
            try {
                this.cacheStorage.storeEntry(jsonObject3.toString(WriterConfig.MINIMAL));
            } catch (Exception e) {
                if (log.isDebugEnabled()) {
                    log.debug(e.getMessage(), e);
                } else {
                    log.warn("Failed to store 2nd-level cache value. Error: {}", e.getMessage());
                }
            }
            return retrieveKeyForDecryption;
        } finally {
            this.lock.unlock();
        }
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public String retrieveKeyForDecryption(String str, int i, String str2) {
        this.lock.lock();
        try {
            List<JsonObject> loadCacheEntries = loadCacheEntries();
            JsonObject findAtMostOneEntry = findAtMostOneEntry(loadCacheEntries, jsonObject -> {
                return Objects.equals(str, jsonObject.getString(NAME_TOPIC)) && i == jsonObject.getInt(NAME_VERSION).intValue() && Objects.equals(str2, jsonObject.getString(NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME));
            }, noSortOrder());
            if (findAtMostOneEntry != null) {
                String string = findAtMostOneEntry.getString(NAME_ENCODED_KEY);
                this.lock.unlock();
                return string;
            }
            String retrieveKeyForDecryption = this.realEncryptionKeyProvider.retrieveKeyForDecryption(str, i, str2);
            JsonObject jsonObject2 = new JsonObject();
            jsonObject2.add(NAME_TOPIC, Json.value(str));
            jsonObject2.add(NAME_VERSION, Json.value(i));
            jsonObject2.add(NAME_ENCRYPTION_KEY_ATTRIBUTE_NAME, Json.value((String) Objects.requireNonNull(str2)));
            jsonObject2.add(NAME_ENCODED_KEY, Json.value(retrieveKeyForDecryption));
            loadCacheEntries.add(jsonObject2);
            JsonArray jsonArray = new JsonArray();
            Iterator<JsonObject> it = loadCacheEntries.iterator();
            while (it.hasNext()) {
                jsonArray.add(it.next());
            }
            JsonObject jsonObject3 = new JsonObject();
            jsonObject3.add(NAME_ENTRIES, jsonArray);
            this.cacheStorage.storeEntry(jsonObject3.toString(WriterConfig.MINIMAL));
            this.lock.unlock();
            return retrieveKeyForDecryption;
        } catch (Throwable th) {
            this.lock.unlock();
            throw th;
        }
    }

    private String retrieveNewExpiredAtTimestamp() {
        return OffsetDateTime.now(this.clock).withOffsetSameInstant(ZoneOffset.UTC).plus((TemporalAmount) this.cachingDuration).format(DTF);
    }

    private List<JsonObject> loadCacheEntries() {
        String str = null;
        try {
            str = this.cacheStorage.retrieveEntry();
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage(), e);
            } else {
                log.warn("Failed to load 2nd-level cache value. Error: {}", e.getMessage());
            }
        }
        if (str == null || str.isEmpty()) {
            return new ArrayList();
        }
        JsonObject asObject = Json.parse(str).asObject();
        if (asObject.get(NAME_ENTRIES) == null) {
            return new ArrayList();
        }
        JsonArray asArray = asObject.get(NAME_ENTRIES).asArray();
        ArrayList arrayList = new ArrayList();
        Iterator it = asArray.values().iterator();
        while (it.hasNext()) {
            arrayList.add(((JsonValue) it.next()).asObject());
        }
        return arrayList;
    }

    private Comparator<JsonObject> sortByVersion() {
        return Comparator.comparingInt(jsonObject -> {
            return jsonObject.getInt(NAME_VERSION).intValue();
        });
    }

    private Comparator<JsonObject> noSortOrder() {
        return Comparator.comparingInt(jsonObject -> {
            return 0;
        });
    }

    private JsonObject findAtMostOneEntry(List<JsonObject> list, Predicate<JsonObject> predicate, Comparator<JsonObject> comparator) {
        JsonObject jsonObject = null;
        ArrayList arrayList = new ArrayList();
        for (JsonObject jsonObject2 : list) {
            if (predicate.test(jsonObject2)) {
                int compare = jsonObject != null ? comparator.compare(jsonObject, jsonObject2) : -1;
                if (compare < 0) {
                    arrayList.clear();
                    arrayList.add(jsonObject2);
                    jsonObject = jsonObject2;
                } else if (compare == 0) {
                    arrayList.add(jsonObject2);
                }
            }
        }
        if (arrayList.size() > 1) {
            throw new VaultRuntimeException("None deterministic encryption key. May clear your 2nd-Level-Cache to resolve the issue.");
        }
        return jsonObject;
    }
}
