package io.confluent.kafka.secretregistry.storage;

import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import io.confluent.kafka.secretregistry.client.rest.RestService;
import io.confluent.kafka.secretregistry.client.rest.entities.Secret;
import io.confluent.kafka.secretregistry.client.rest.entities.requests.RegisterSecretRequest;
import io.confluent.kafka.secretregistry.client.rest.exceptions.RestClientException;
import io.confluent.kafka.secretregistry.client.rest.utils.UrlList;
import io.confluent.kafka.secretregistry.crypto.SecretTransformer;
import io.confluent.kafka.secretregistry.exceptions.IdGenerationException;
import io.confluent.kafka.secretregistry.exceptions.SecretRegistryException;
import io.confluent.kafka.secretregistry.exceptions.SecretRegistryInitializationException;
import io.confluent.kafka.secretregistry.exceptions.SecretRegistryRequestForwardingException;
import io.confluent.kafka.secretregistry.exceptions.SecretRegistryStoreException;
import io.confluent.kafka.secretregistry.exceptions.SecretRegistryTimeoutException;
import io.confluent.kafka.secretregistry.exceptions.UnknownMasterException;
import io.confluent.kafka.secretregistry.masterelector.kafka.KafkaGroupMasterElector;
import io.confluent.kafka.secretregistry.rest.SecretRegistryConfig;
import io.confluent.kafka.secretregistry.rest.SslFactory;
import io.confluent.kafka.secretregistry.rest.VersionId;
import io.confluent.kafka.secretregistry.rest.exceptions.Errors;
import io.confluent.kafka.secretregistry.storage.exceptions.StoreException;
import io.confluent.kafka.secretregistry.storage.exceptions.StoreInitializationException;
import io.confluent.kafka.secretregistry.storage.exceptions.StoreTimeoutException;
import io.confluent.kafka.secretregistry.storage.serialization.SecretRegistrySerializer;
import io.confluent.kafka.secretregistry.storage.serialization.Serializer;
import io.confluent.rest.Application;
import io.confluent.rest.RestConfig;
import io.confluent.rest.exceptions.RestException;
import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.kafka.common.MetricName;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.metrics.JmxReporter;
import org.apache.kafka.common.metrics.MetricConfig;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.metrics.MetricsReporter;
import org.apache.kafka.common.metrics.Sensor;
import org.apache.kafka.common.metrics.stats.Value;
import org.apache.kafka.common.utils.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/secretregistry/storage/KafkaSecretRegistry.class */
public class KafkaSecretRegistry implements SecretRegistry, MasterAwareSecretRegistry {
    public static final int MIN_VERSION = 1;
    public static final int MAX_VERSION = Integer.MAX_VALUE;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) KafkaSecretRegistry.class);
    private static final Pattern LISTENER_PATTERN = Pattern.compile("^(.*)://\\[?([0-9a-zA-Z\\-%._:]*)\\]?:(-?[0-9]+)");
    private final SecretRegistryConfig config;
    private final LookupCache<SecretRegistryKey, SecretRegistryValue> lookupCache;
    final KafkaStore<SecretRegistryKey, SecretRegistryValue> kafkaStore;
    private final Serializer<SecretRegistryKey, SecretRegistryValue> serializer;
    private final int kafkaStoreTimeoutMs;
    private final int initTimeout;
    private final boolean isEligibleForMasterElector;
    private SecretTransformer secretTransformer;
    private SecretRegistryIdentity myIdentity;
    private SecretRegistryIdentity masterIdentity;
    private RestService masterRestService;
    private SslFactory sslFactory;
    private Metrics metrics;
    private Sensor masterNodeSensor;
    private final Object masterLock = new Object();
    private MasterElector masterElector = null;

    public KafkaSecretRegistry(SecretRegistryConfig secretRegistryConfig) throws SecretRegistryException {
        if (secretRegistryConfig == null) {
            throw new SecretRegistryException("Schema registry configuration is null");
        }
        this.config = secretRegistryConfig;
        this.isEligibleForMasterElector = secretRegistryConfig.getBoolean(SecretRegistryConfig.MASTER_ELIGIBILITY).booleanValue();
        this.kafkaStoreTimeoutMs = secretRegistryConfig.getInt(SecretRegistryConfig.KAFKASTORE_TIMEOUT_CONFIG).intValue();
        this.initTimeout = secretRegistryConfig.getInt(SecretRegistryConfig.KAFKASTORE_INIT_TIMEOUT_CONFIG).intValue();
        this.serializer = new SecretRegistrySerializer();
        this.lookupCache = lookupCache();
        this.kafkaStore = kafkaStore(secretRegistryConfig);
        this.secretTransformer = SecretTransformer.getSecretTransformer(secretRegistryConfig.masterEncryptionKey());
    }

    protected KafkaStore<SecretRegistryKey, SecretRegistryValue> kafkaStore(SecretRegistryConfig secretRegistryConfig) throws SecretRegistryException {
        return new KafkaStore<>(secretRegistryConfig, groupId(secretRegistryConfig), new KafkaStoreMessageHandler(this, this.lookupCache), this.serializer, this.lookupCache, new NoopKey());
    }

    protected static String groupId(SecretRegistryConfig secretRegistryConfig) {
        return secretRegistryConfig.getString(SecretRegistryConfig.KAFKASTORE_GROUP_ID_CONFIG).isEmpty() ? String.format("secret-registry-%s", secretRegistryConfig.getString("host.name")) : secretRegistryConfig.getString(SecretRegistryConfig.KAFKASTORE_GROUP_ID_CONFIG);
    }

    protected LookupCache<SecretRegistryKey, SecretRegistryValue> lookupCache() {
        return new InMemoryCache();
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public SecretRegistryConfig config() {
        return this.config;
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public void initStore() throws SecretRegistryException {
        try {
            this.kafkaStore.init();
            maybeRotateKeys();
        } catch (StoreException | StoreInitializationException e) {
            throw new SecretRegistryInitializationException("Error initializing kafka store while initializing secret registry", e);
        }
    }

    private void maybeRotateKeys() throws StoreException {
        String masterEncryptionOldKey = this.config.masterEncryptionOldKey();
        if (masterEncryptionOldKey != null) {
            log.info("Rotating master key");
            SecretTransformer secretTransformer = SecretTransformer.getSecretTransformer(masterEncryptionOldKey);
            Iterator<SecretRegistryKey> allKeys = this.kafkaStore.getAllKeys();
            while (allKeys.hasNext()) {
                try {
                    SecretRegistryKey next = allKeys.next();
                    SecretRegistryValue secretRegistryValue = this.kafkaStore.get(next);
                    if (secretRegistryValue instanceof SecretValue) {
                        this.kafkaStore.put(next, this.secretTransformer.transform(secretTransformer.transform((SecretValue) secretRegistryValue)));
                    }
                } catch (Exception e) {
                    log.info("Could not rotate, ignoring old master key");
                }
            }
            log.info("Done rotating master key");
        }
    }

    public static UriInfo getUriInfoForIdentity(String str, Integer num, List<String> list, String str2) throws SecretRegistryException {
        if (str == null) {
            try {
                str = InetAddress.getLocalHost().getHostAddress();
            } catch (Exception e) {
                throw new SecretRegistryException("Could not obtain URI info", e);
            }
        }
        if (num == null) {
            num = Integer.valueOf(SecretRegistryConfig.SECRETREGISTRY_PORT_DEFAULT);
        }
        if (list == null) {
            return new UriInfo(str2, str, num.intValue());
        }
        for (UriInfo uriInfo : parseListeners(list, str, num, Arrays.asList("http", "https"), "http")) {
            if (str2.equalsIgnoreCase(uriInfo.scheme())) {
                return uriInfo;
            }
        }
        throw new SecretRegistryException("No listener configured with requested scheme " + str2);
    }

    public static List<UriInfo> parseListeners(List<String> list, String str, Integer num, List<String> list2, String str2) {
        if (list.isEmpty() || list.get(0).isEmpty()) {
            log.warn("DEPRECATION warning: `listeners` configuration is not configured. Falling back to the deprecated `port` configuration.");
            list = new ArrayList(1);
            list.add(str2 + "://" + str + QualifiedSubject.CONTEXT_DELIMITER + num);
        }
        ArrayList arrayList = new ArrayList(list.size());
        for (String str3 : list) {
            Matcher matcher = LISTENER_PATTERN.matcher(str3);
            if (!matcher.matches()) {
                throw new ConfigException("Listener doesn't have the right format (protocol://hostname:port).");
            }
            String lowerCase = matcher.group(1).toLowerCase(Locale.ENGLISH);
            String group = matcher.group(2);
            if (group == null || group.isEmpty() || group.equals("0.0.0.0")) {
                group = str;
            }
            int parseInt = Integer.parseInt(matcher.group(3));
            if (list2.contains(lowerCase)) {
                arrayList.add(new UriInfo(lowerCase, group, parseInt));
            } else {
                log.warn("Found a listener with an unsupported scheme (supported: {}). Ignoring listener '{}'", list2, str3);
            }
        }
        if (arrayList.isEmpty()) {
            throw new ConfigException("No listeners are configured. Must have at least one listener.");
        }
        return arrayList;
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public void initRest(SslFactory sslFactory, UriInfo uriInfo) throws SecretRegistryException {
        try {
            log.info("Initializing REST with URI {}", uriInfo);
            this.sslFactory = sslFactory;
            this.myIdentity = new SecretRegistryIdentity(uriInfo.host(), Integer.valueOf(uriInfo.port()), Boolean.valueOf(this.isEligibleForMasterElector), uriInfo.scheme());
            MetricConfig timeWindow = new MetricConfig().samples(this.config.getInt("metrics.num.samples").intValue()).timeWindow(this.config.getLong("metrics.sample.window.ms").longValue(), TimeUnit.MILLISECONDS);
            List configuredInstances = this.config.getConfiguredInstances("metric.reporters", MetricsReporter.class);
            configuredInstances.add(new JmxReporter("kafka.secret.registry"));
            this.metrics = new Metrics(timeWindow, configuredInstances, Time.SYSTEM);
            this.masterNodeSensor = this.metrics.sensor("master-slave-role");
            this.masterNodeSensor.add(new MetricName("master-slave-role", "master-slave-role", "1.0 indicates the node is the active master in the cluster and is the node where all register secret requests are served.", Application.parseListToMap(this.config.getList(RestConfig.METRICS_TAGS_CONFIG))), new Value());
            log.info("Joining secret registry with Kafka-based coordination");
            this.masterElector = new KafkaGroupMasterElector(this.config, this.myIdentity, this);
            this.masterElector.init();
        } catch (SecretRegistryStoreException e) {
            throw new SecretRegistryInitializationException("Error electing master while initializing secret registry", e);
        } catch (SecretRegistryTimeoutException e2) {
            throw new SecretRegistryInitializationException(e2);
        }
    }

    public boolean isMaster() {
        synchronized (this.masterLock) {
            return this.masterIdentity != null && this.masterIdentity.equals(this.myIdentity);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.MasterAwareSecretRegistry
    public void setMaster(SecretRegistryIdentity secretRegistryIdentity) throws SecretRegistryTimeoutException, SecretRegistryStoreException, IdGenerationException {
        log.debug("Setting the master to " + secretRegistryIdentity);
        if (secretRegistryIdentity != null && !secretRegistryIdentity.getMasterEligibility()) {
            throw new IllegalStateException("Tried to set an ineligible node to master: " + secretRegistryIdentity);
        }
        synchronized (this.masterLock) {
            SecretRegistryIdentity secretRegistryIdentity2 = this.masterIdentity;
            this.masterIdentity = secretRegistryIdentity;
            if (this.masterIdentity == null) {
                this.masterRestService = null;
            } else {
                this.masterRestService = new RestService(this.masterIdentity.getUrl());
                if (this.sslFactory != null && this.sslFactory.sslContext() != null) {
                    this.masterRestService.setSslSocketFactory(this.sslFactory.sslContext().getSocketFactory());
                }
            }
            if (this.masterIdentity != null && !this.masterIdentity.equals(secretRegistryIdentity2) && isMaster()) {
                this.kafkaStore.markLastWrittenOffsetInvalid();
                try {
                    this.kafkaStore.waitUntilKafkaReaderReachesLastOffset(this.initTimeout);
                } catch (StoreException e) {
                    throw new SecretRegistryStoreException("Exception getting latest offset ", e);
                }
            }
            this.masterNodeSensor.record(isMaster() ? 1.0d : ConfluentConfigs.IP_CONNECTION_CREATION_RATE_THROTTLE_ENABLE_THRESHOLD_DEFAULT);
        }
    }

    public SecretRegistryIdentity myIdentity() {
        return this.myIdentity;
    }

    public SecretRegistryIdentity masterIdentity() {
        SecretRegistryIdentity secretRegistryIdentity;
        synchronized (this.masterLock) {
            secretRegistryIdentity = this.masterIdentity;
        }
        return secretRegistryIdentity;
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public int register(Secret secret) throws SecretRegistryException {
        log.info("Registering secret '{}:{}'", secret.getPath(), secret.getKey());
        try {
            this.kafkaStore.waitUntilKafkaReaderReachesLastOffset(this.kafkaStoreTimeoutMs);
            Iterator<Secret> it = getAllVersions(secret.getPath(), secret.getKey()).iterator();
            int i = 1;
            while (it.hasNext()) {
                i = it.next().getVersion().intValue() + 1;
            }
            secret.setVersion(Integer.valueOf(i));
            this.kafkaStore.put(new SecretKey(secret.getPath(), secret.getKey(), secret.getVersion().intValue()), this.secretTransformer.transform(secret));
            return i;
        } catch (StoreTimeoutException e) {
            throw new SecretRegistryTimeoutException("Write to the Kafka store timed out while", e);
        } catch (StoreException e2) {
            throw new SecretRegistryStoreException("Error while registering the secret in the backend Kafka store", e2);
        }
    }

    public int registerOrForward(Secret secret, Map<String, String> map) throws SecretRegistryException {
        synchronized (this.masterLock) {
            if (isMaster()) {
                return register(secret);
            }
            if (this.masterIdentity == null) {
                throw new UnknownMasterException("Register secret request failed since master is unknown");
            }
            return forwardRegisterRequestToMaster(secret, map);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public void deleteVersion(String str, String str2, int i) throws SecretRegistryException {
        log.info("Deleting secret '{}:{}' version {}", str, str2, Integer.valueOf(i));
        try {
            this.kafkaStore.waitUntilKafkaReaderReachesLastOffset(this.kafkaStoreTimeoutMs);
            this.kafkaStore.delete(new SecretKey(str, str2, i));
        } catch (StoreTimeoutException e) {
            throw new SecretRegistryTimeoutException("Write to the Kafka store timed out while", e);
        } catch (StoreException e2) {
            throw new SecretRegistryStoreException("Error while deleting the secret in the backend Kafka store", e2);
        }
    }

    public void deleteVersionOrForward(Map<String, String> map, String str, String str2, int i) throws SecretRegistryException {
        synchronized (this.masterLock) {
            if (isMaster()) {
                deleteVersion(str, str2, i);
            } else {
                if (this.masterIdentity == null) {
                    throw new UnknownMasterException("Register secret request failed since master is unknown");
                }
                forwardDeleteVersionRequestToMaster(map, str, str2, Integer.valueOf(i));
            }
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public List<Integer> deleteKey(String str, String str2) throws SecretRegistryException {
        log.info("Deleting key '{}:{}'", str, str2);
        try {
            ArrayList arrayList = new ArrayList();
            this.kafkaStore.waitUntilKafkaReaderReachesLastOffset(this.kafkaStoreTimeoutMs);
            for (Secret secret : getAllVersions(str, str2)) {
                deleteVersion(secret.getPath(), secret.getKey(), secret.getVersion().intValue());
                arrayList.add(secret.getVersion());
            }
            return arrayList;
        } catch (StoreTimeoutException e) {
            throw new SecretRegistryTimeoutException("Write to the Kafka store timed out while", e);
        } catch (StoreException e2) {
            throw new SecretRegistryStoreException("Error while deleting the key in the backend Kafka store", e2);
        }
    }

    public List<Integer> deleteKeyOrForward(Map<String, String> map, String str, String str2) throws SecretRegistryException {
        synchronized (this.masterLock) {
            if (isMaster()) {
                return deleteKey(str, str2);
            }
            if (this.masterIdentity == null) {
                throw new UnknownMasterException("Register secret request failed since master is unknown");
            }
            return forwardDeleteKeyRequestToMaster(map, str, str2);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public Set<String> deletePath(String str) throws SecretRegistryException {
        log.info("Deleting path '{}'", str);
        try {
            HashSet hashSet = new HashSet();
            this.kafkaStore.waitUntilKafkaReaderReachesLastOffset(this.kafkaStoreTimeoutMs);
            Iterator<SecretRegistryValue> all = this.kafkaStore.getAll(new SecretKey(str, SecretKey.MIN_KEY, 1), new SecretKey(str, SecretKey.MAX_KEY, Integer.MAX_VALUE));
            while (all.hasNext()) {
                Secret transform = this.secretTransformer.transform((SecretValue) all.next());
                deleteVersion(transform.getPath(), transform.getKey(), transform.getVersion().intValue());
                hashSet.add(transform.getKey());
            }
            return hashSet;
        } catch (StoreTimeoutException e) {
            throw new SecretRegistryTimeoutException("Write to the Kafka store timed out while", e);
        } catch (StoreException e2) {
            throw new SecretRegistryStoreException("Error while deleting the path in the backend Kafka store", e2);
        }
    }

    public Set<String> deletePathOrForward(Map<String, String> map, String str) throws SecretRegistryException {
        synchronized (this.masterLock) {
            if (isMaster()) {
                return deletePath(str);
            }
            if (this.masterIdentity == null) {
                throw new UnknownMasterException("Register secret request failed since master is unknown");
            }
            return forwardDeletePathRequestToMaster(map, str);
        }
    }

    private int forwardRegisterRequestToMaster(Secret secret, Map<String, String> map) throws SecretRegistryRequestForwardingException {
        UrlList baseUrls = this.masterRestService.getBaseUrls();
        RegisterSecretRequest registerSecretRequest = new RegisterSecretRequest();
        registerSecretRequest.setSecret(secret.getSecret());
        log.debug(String.format("Forwarding registering secret request %s to %s", registerSecretRequest, baseUrls));
        try {
            return this.masterRestService.registerSecret(map, registerSecretRequest, secret.getPath(), secret.getKey());
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SecretRegistryRequestForwardingException(String.format("Unexpected error while forwarding the registering secret request %s to %s", registerSecretRequest, baseUrls), e2);
        }
    }

    private int forwardDeleteVersionRequestToMaster(Map<String, String> map, String str, String str2, Integer num) throws SecretRegistryRequestForwardingException {
        UrlList baseUrls = this.masterRestService.getBaseUrls();
        log.debug(String.format("Forwarding deleteSecretVersion secret version request %s-%s-%s to %s", str, str2, num, baseUrls));
        try {
            return this.masterRestService.deleteVersion(map, str, str2, String.valueOf(num));
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SecretRegistryRequestForwardingException(String.format("Unexpected error while forwarding deleteSecretVersion secret version request %s-%s-%s to %s", str, str2, num, baseUrls), e2);
        }
    }

    private List<Integer> forwardDeleteKeyRequestToMaster(Map<String, String> map, String str, String str2) throws SecretRegistryRequestForwardingException {
        UrlList baseUrls = this.masterRestService.getBaseUrls();
        log.debug(String.format("Forwarding delete key request for %s-%s to %s", str, str2, baseUrls));
        try {
            return this.masterRestService.deleteKey(map, str, str2);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SecretRegistryRequestForwardingException(String.format("Unexpected error while forwarding delete key request %s-%s to %s", str, str2, baseUrls), e2);
        }
    }

    private Set<String> forwardDeletePathRequestToMaster(Map<String, String> map, String str) throws SecretRegistryRequestForwardingException {
        UrlList baseUrls = this.masterRestService.getBaseUrls();
        log.debug(String.format("Forwarding delete path request for %s to %s", str, baseUrls));
        try {
            return this.masterRestService.deletePath(map, str);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SecretRegistryRequestForwardingException(String.format("Unexpected error while forwarding delete path request %s to %s", str, baseUrls), e2);
        }
    }

    public Secret validateAndGetSecret(String str, String str2, VersionId versionId) throws SecretRegistryException {
        Secret secret = get(str, str2, versionId.getVersionId());
        if (secret != null) {
            return secret;
        }
        if (!listPaths().contains(str)) {
            throw Errors.pathNotFoundException();
        }
        if (listKeys(str).contains(str2)) {
            throw Errors.versionNotFoundException();
        }
        throw Errors.keyNotFoundException();
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public Secret get(String str, String str2, int i) throws SecretRegistryException {
        log.info("Getting secret '{}:{}' version {}", str, str2, Integer.valueOf(i));
        if (new VersionId(i).isLatest()) {
            return getLatestVersion(str, str2);
        }
        try {
            return this.secretTransformer.transform((SecretValue) this.kafkaStore.get(new SecretKey(str, str2, i)));
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error while retrieving secret from the backend Kafka store", e);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public Set<String> listPaths() throws SecretRegistryException {
        log.info("Listing all paths");
        try {
            return extractUniquePaths(this.kafkaStore.getAllKeys());
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error from the backend Kafka store", e);
        }
    }

    private Set<String> extractUniquePaths(Iterator<SecretRegistryKey> it) throws StoreException {
        HashSet hashSet = new HashSet();
        while (it.hasNext()) {
            SecretRegistryKey next = it.next();
            if (next instanceof SecretKey) {
                SecretKey secretKey = (SecretKey) next;
                hashSet.add(secretKey.getPath());
            }
        }
        return hashSet;
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public Set<String> listKeys(String str) throws SecretRegistryException {
        log.info("Listing keys for '{}'", str);
        try {
            return extractUniqueKeys(this.kafkaStore.getAll(new SecretKey(str, SecretKey.MIN_KEY, 1), new SecretKey(str, SecretKey.MAX_KEY, Integer.MAX_VALUE)));
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error from the backend Kafka store", e);
        }
    }

    private Set<String> extractUniqueKeys(Iterator<SecretRegistryValue> it) {
        HashSet hashSet = new HashSet();
        while (it.hasNext()) {
            SecretRegistryValue next = it.next();
            if (next instanceof SecretValue) {
                hashSet.add(((SecretValue) next).getKey());
            }
        }
        return hashSet;
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public List<Integer> listVersions(String str, String str2) throws SecretRegistryException {
        log.info("Listing versions for '{}:{}'", str, str2);
        try {
            return extractUniqueVersions(this.kafkaStore.getAll(new SecretKey(str, str2, 1), new SecretKey(str, str2, Integer.MAX_VALUE)));
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error from the backend Kafka store", e);
        }
    }

    private List<Integer> extractUniqueVersions(Iterator<SecretRegistryValue> it) {
        ArrayList arrayList = new ArrayList();
        while (it.hasNext()) {
            SecretRegistryValue next = it.next();
            if (next instanceof SecretValue) {
                arrayList.add(((SecretValue) next).getVersion());
            }
        }
        return arrayList;
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public List<Secret> getAllLatest(String str) throws SecretRegistryException {
        log.info("Getting latest for '{}'", str);
        try {
            ArrayList arrayList = new ArrayList(latestKeys(str, this.kafkaStore.getAll(new SecretKey(str, SecretKey.MIN_KEY, 1), new SecretKey(str, SecretKey.MAX_KEY, Integer.MAX_VALUE))).values());
            Collections.sort(arrayList);
            return arrayList;
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error from the backend Kafka store", e);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public List<Secret> getAllVersions(String str, String str2) throws SecretRegistryException {
        log.info("Getting versions for '{}:{}'", str, str2);
        try {
            return sortSecrets(this.kafkaStore.getAll(new SecretKey(str, str2, 1), new SecretKey(str, str2, Integer.MAX_VALUE)));
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error from the backend Kafka store", e);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public Secret getLatestVersion(String str, String str2) throws SecretRegistryException {
        try {
            List<Secret> sortSecrets = sortSecrets(this.kafkaStore.getAll(new SecretKey(str, str2, 1), new SecretKey(str, str2, Integer.MAX_VALUE)));
            Secret secret = null;
            if (sortSecrets.size() > 0) {
                secret = sortSecrets.get(sortSecrets.size() - 1);
            }
            return secret;
        } catch (StoreException e) {
            throw new SecretRegistryStoreException("Error from the backend Kafka store", e);
        }
    }

    @Override // io.confluent.kafka.secretregistry.storage.SecretRegistry
    public void close() {
        log.info("Shutting down secret registry");
        this.kafkaStore.close();
        if (this.masterElector != null) {
            this.masterElector.close();
        }
    }

    KafkaStore<SecretRegistryKey, SecretRegistryValue> getKafkaStore() {
        return this.kafkaStore;
    }

    private List<Secret> sortSecrets(Iterator<SecretRegistryValue> it) {
        ArrayList arrayList = new ArrayList();
        while (it.hasNext()) {
            arrayList.add(this.secretTransformer.transform((SecretValue) it.next()));
        }
        Collections.sort(arrayList);
        return arrayList;
    }

    private Map<String, Secret> latestKeys(String str, Iterator<SecretRegistryValue> it) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        while (it.hasNext()) {
            Secret transform = this.secretTransformer.transform((SecretValue) it.next());
            String key = transform.getKey();
            int intValue = transform.getVersion().intValue();
            if (intValue == ((Integer) hashMap2.merge(key, Integer.valueOf(intValue), (v0, v1) -> {
                return Math.max(v0, v1);
            })).intValue()) {
                hashMap.put(key, transform);
            }
        }
        return hashMap;
    }
}
