package io.kroxylicious.kms.provider.aws.kms;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import edu.umd.cs.findbugs.annotations.NonNull;
import io.kroxylicious.kms.provider.aws.kms.model.DecryptRequest;
import io.kroxylicious.kms.provider.aws.kms.model.DecryptResponse;
import io.kroxylicious.kms.provider.aws.kms.model.DescribeKeyRequest;
import io.kroxylicious.kms.provider.aws.kms.model.DescribeKeyResponse;
import io.kroxylicious.kms.provider.aws.kms.model.ErrorResponse;
import io.kroxylicious.kms.provider.aws.kms.model.GenerateDataKeyRequest;
import io.kroxylicious.kms.provider.aws.kms.model.GenerateDataKeyResponse;
import io.kroxylicious.kms.service.DekPair;
import io.kroxylicious.kms.service.DestroyableRawSecretKey;
import io.kroxylicious.kms.service.Kms;
import io.kroxylicious.kms.service.KmsException;
import io.kroxylicious.kms.service.Serde;
import io.kroxylicious.kms.service.UnknownAliasException;
import io.kroxylicious.kms.service.UnknownKeyException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLContext;

/* loaded from: input_file:io/kroxylicious/kms/provider/aws/kms/AwsKms.class */
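public class AwsKms implements Kms<String, AwsKmsEdek> {
    static final String APPLICATION_X_AMZ_JSON_1_1 = "application/x-amz-json-1.1";
    private static final String AES_KEY_ALGO = "AES";
    // Values of the X-Amz-Target header; the KMS operation is selected by this header,
    // every request is POSTed to the same endpoint URL.
    private static final String TRENT_SERVICE_DESCRIBE_KEY = "TrentService.DescribeKey";
    private static final String TRENT_SERVICE_GENERATE_DATA_KEY = "TrentService.GenerateDataKey";
    private static final String TRENT_SERVICE_DECRYPT = "TrentService.Decrypt";
    static final String CONTENT_TYPE_HEADER = "Content-Type";
    static final String X_AMZ_TARGET_HEADER = "X-Amz-Target";
    /** Prefix prepended to an alias name when it is sent to DescribeKey. */
    public static final String ALIAS_PREFIX = "alias/";
    // Credentials and region handed to the V4 signing request builder for every request.
    // They are held as immutable Strings for the lifetime of this instance and cannot be zeroed.
    private final String accessKey;
    private final String secretKey;
    private final String region;
    // Used only as the HTTP connect timeout; this class sets no per-request timeout.
    private final Duration timeout;
    private final HttpClient client;
    private final URI awsUrl;
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    private static final TypeReference<DescribeKeyResponse> DESCRIBE_KEY_RESPONSE_TYPE_REF = new TypeReference<>() {
    };
    private static final TypeReference<GenerateDataKeyResponse> GENERATE_DATA_KEY_RESPONSE_TYPE_REF = new TypeReference<>() {
    };
    private static final TypeReference<DecryptResponse> DECRYPT_RESPONSE_TYPE_REF = new TypeReference<>() {
    };
    private static final TypeReference<ErrorResponse> ERROR_RESPONSE_TYPE_REF = new TypeReference<>() {
    };

    /**
     * Creates a KMS client that sends signed requests to the endpoint at {@code uri}.
     * (Decompiler note: the original access modifier was package-private.)
     *
     * @param uri        KMS endpoint every request is POSTed to
     * @param str        AWS access key
     * @param str2       AWS secret key
     * @param str3       AWS region used when signing requests
     * @param duration   HTTP connect timeout
     * @param sSLContext SSL context for the HTTP client, or {@code null} to use the client default
     * @throws NullPointerException if any argument other than {@code sSLContext} is {@code null}
     */
    public AwsKms(URI uri, String str, String str2, String str3, Duration duration, SSLContext sSLContext) {
        this.awsUrl = Objects.requireNonNull(uri, "uri");
        this.accessKey = Objects.requireNonNull(str, "accessKey");
        this.secretKey = Objects.requireNonNull(str2, "secretKey");
        this.region = Objects.requireNonNull(str3, "region");
        // Checked here so a missing timeout fails with a named argument instead of inside HttpClient.Builder.
        this.timeout = Objects.requireNonNull(duration, "timeout");
        this.client = createClient(sSLContext);
    }

    /**
     * Builds the HTTP client used for all requests.
     *
     * @param sSLContext SSL context to install, or {@code null} to keep the builder default
     * @return a client following redirects with the {@code NORMAL} policy and bounded by {@link #timeout} for connects
     */
    private HttpClient createClient(SSLContext sSLContext) {
        HttpClient.Builder builder = HttpClient.newBuilder();
        if (sSLContext != null) {
            builder.sslContext(sSLContext);
        }
        return builder.followRedirects(HttpClient.Redirect.NORMAL)
                .connectTimeout(this.timeout)
                .build();
    }

    /**
     * Asks KMS to generate an AES-256 data key under the key {@code str}.
     *
     * @param str KMS key reference the data key is generated under
     * @return a stage yielding the encrypted data key (as an {@link AwsKmsEdek}) together with the
     *         plaintext key, which is wrapped in a {@link DestroyableRawSecretKey} that takes ownership of the bytes;
     *         fails with {@link UnknownKeyException} when KMS reports the key as not found
     */
    @NonNull
    public CompletionStage<DekPair<AwsKmsEdek>> generateDekPair(@NonNull String str) {
        var request = createRequest(new GenerateDataKeyRequest(str, "AES_256"), TRENT_SERVICE_GENERATE_DATA_KEY);
        return sendAsync(str, request, GENERATE_DATA_KEY_RESPONSE_TYPE_REF, UnknownKeyException::new)
                .thenApply(response -> new DekPair<>(
                        new AwsKmsEdek(str, response.ciphertextBlob()),
                        DestroyableRawSecretKey.takeOwnershipOf(response.plaintext(), AES_KEY_ALGO)));
    }

    /**
     * Asks KMS to decrypt an encrypted data key.
     *
     * @param awsKmsEdek the encrypted data key and the key reference it was generated under
     * @return a stage yielding the plaintext key wrapped in a {@link DestroyableRawSecretKey};
     *         fails with {@link UnknownKeyException} when KMS reports the key as not found
     */
    @NonNull
    public CompletionStage<SecretKey> decryptEdek(@NonNull AwsKmsEdek awsKmsEdek) {
        var request = createRequest(new DecryptRequest(awsKmsEdek.kekRef(), awsKmsEdek.edek()), TRENT_SERVICE_DECRYPT);
        return sendAsync(awsKmsEdek.kekRef(), request, DECRYPT_RESPONSE_TYPE_REF, UnknownKeyException::new)
                .thenApply(response -> DestroyableRawSecretKey.takeOwnershipOf(response.plaintext(), AES_KEY_ALGO));
    }

    /**
     * Resolves a KMS alias to the id of the key it points at via DescribeKey.
     * (Decompiler note: this method was named {@code resolveAlias} in the original; the decompiled name is kept.)
     *
     * @param str alias name without the {@value #ALIAS_PREFIX} prefix; the prefix is added here
     * @return a future yielding the key id from the response's key metadata;
     *         fails with {@link UnknownAliasException} when KMS reports the alias as not found
     */
    @NonNull
    /* renamed from: resolveAlias, reason: merged with bridge method [inline-methods] */
    public CompletableFuture<String> m1resolveAlias(@NonNull String str) {
        var request = createRequest(new DescribeKeyRequest(ALIAS_PREFIX + str), TRENT_SERVICE_DESCRIBE_KEY);
        return sendAsync(str, request, DESCRIBE_KEY_RESPONSE_TYPE_REF, UnknownAliasException::new)
                .thenApply(response -> response.keyMetadata().keyId());
    }

    /**
     * Sends a request and decodes the JSON body of a 2xx response.
     *
     * @param str           key or alias reference, used only in error messages
     * @param httpRequest   signed request to send
     * @param typeReference target type for the response body
     * @param function      builds the exception raised when KMS reports a not-found error
     * @param <T>           decoded response type
     * @return a future yielding the decoded body; fails with the {@link KmsException} produced by
     *         {@link #checkResponseStatus} on a non-2xx status, or {@link UncheckedIOException} if the body is not valid JSON
     */
    private <T> CompletableFuture<T> sendAsync(@NonNull String str, HttpRequest httpRequest, TypeReference<T> typeReference, Function<String, KmsException> function) {
        return this.client.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofByteArray())
                .thenApply(response -> checkResponseStatus(str, response, function))
                .thenApply(HttpResponse::body)
                .thenApply(body -> decodeJson(typeReference, body));
    }

    /**
     * Decodes a JSON document into {@code T}.
     * (Decompiler note: the original access modifier was private.)
     *
     * @param typeReference target type
     * @param bArr          JSON bytes
     * @param <T>           decoded type
     * @return the decoded value
     * @throws UncheckedIOException wrapping any {@link IOException} raised by Jackson
     */
    public static <T> T decodeJson(TypeReference<T> typeReference, byte[] bArr) {
        try {
            return OBJECT_MAPPER.readValue(bArr, typeReference);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Passes a 2xx response through and turns any other status into an exception.
     * (Decompiler note: the original access modifier was private.)
     *
     * @param str          key or alias reference, included in the exception message
     * @param httpResponse the response to check
     * @param function     builds the exception for a not-found error; receives the message text
     * @return {@code httpResponse} unchanged when its status is in [200, 300)
     * @throws KmsException the result of {@code function} when the body decodes as an {@link ErrorResponse}
     *                      reporting not-found, otherwise a plain {@link KmsException} carrying the status code
     *                      and the decoded error (or {@code null} if the body could not be decoded)
     */
    @NonNull
    public static HttpResponse<byte[]> checkResponseStatus(@NonNull String str, @NonNull HttpResponse<byte[]> httpResponse, @NonNull Function<String, KmsException> function) {
        int statusCode = httpResponse.statusCode();
        if (statusCode >= 200 && statusCode < 300) {
            return httpResponse;
        }
        ErrorResponse errorResponse;
        try {
            errorResponse = decodeJson(ERROR_RESPONSE_TYPE_REF, httpResponse.body());
        } catch (UncheckedIOException e) {
            // Body is not a parseable AWS error document; report the status code alone.
            errorResponse = null;
        }
        if (errorResponse != null && errorResponse.isNotFound()) {
            throw function.apply("key '%s' is not found (AWS error: %s).".formatted(str, errorResponse));
        }
        throw new KmsException("Operation failed, key %s, HTTP status code %d, AWS error: %s".formatted(str, statusCode, errorResponse));
    }

    /**
     * @return the shared serde for {@link AwsKmsEdek}
     */
    @NonNull
    public Serde<AwsKmsEdek> edekSerde() {
        return AwsKmsEdekSerde.instance();
    }

    /**
     * @return the KMS endpoint passed to the constructor
     */
    @NonNull
    private URI getAwsUrl() {
        return this.awsUrl;
    }

    /**
     * Builds a signed POST request carrying {@code obj} as the JSON body.
     *
     * @param obj request model serialised to JSON
     * @param str value of the X-Amz-Target header selecting the KMS operation
     * @return the signed request
     * @throws UncheckedIOException if {@code obj} cannot be serialised
     */
    private HttpRequest createRequest(Object obj, String str) {
        // Signed at build time against the current clock, using the credentials held by this instance.
        return AwsV4SigningHttpRequestBuilder.newBuilder(this.accessKey, this.secretKey, this.region, "kms", Instant.now())
                .uri(getAwsUrl())
                .header(CONTENT_TYPE_HEADER, APPLICATION_X_AMZ_JSON_1_1)
                .header(X_AMZ_TARGET_HEADER, str)
                .POST(HttpRequest.BodyPublishers.ofByteArray(getBody(obj).getBytes(StandardCharsets.UTF_8)))
                .build();
    }

    /**
     * Serialises a request model to its JSON text.
     *
     * @param obj request model
     * @return JSON text
     * @throws UncheckedIOException wrapping the {@link JsonProcessingException} if serialisation fails
     */
    private String getBody(Object obj) {
        try {
            return OBJECT_MAPPER.writeValueAsString(obj);
        } catch (JsonProcessingException e) {
            throw new UncheckedIOException("Failed to create request body", e);
        }
    }
}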
