package io.confluent.kafka.schemaregistry.storage.encoder;

import com.google.common.annotations.VisibleForTesting;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplate;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.Registry;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.proto.AesGcmKey;
import com.google.crypto.tink.subtle.Hkdf;
import com.google.protobuf.ByteString;
import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryStoreException;
import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry;
import io.confluent.kafka.schemaregistry.storage.MD5;
import io.confluent.kafka.schemaregistry.storage.Metadata;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.kafka.schemaregistry.storage.SchemaValue;
import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import io.kcache.Cache;
import io.kcache.CacheUpdateHandler;
import io.kcache.KafkaCache;
import io.kcache.KafkaCacheConfig;
import io.kcache.exceptions.CacheInitializationException;
import io.kcache.utils.Caches;
import io.kcache.utils.InMemoryCache;
import java.io.Closeable;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.AbstractMap;
import java.util.Base64;
import java.util.Properties;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.serialization.Serde;
import org.apache.kafka.common.serialization.Serdes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/storage/encoder/MetadataEncoderService.class */
public class MetadataEncoderService implements Closeable {
    private static final String AES_GCM_KEY = "type.googleapis.com/google.crypto.tink.AesGcmKey";
    private static final String KEY_TEMPLATE_NAME = "AES128_GCM";
    private final KafkaSchemaRegistry schemaRegistry;
    private KeyTemplate keyTemplate;
    Cache<String, KeysetWrapper> encoders;
    private final AtomicBoolean initialized = new AtomicBoolean();
    private final CountDownLatch initLatch = new CountDownLatch(1);
    private static final Logger log = LoggerFactory.getLogger(MetadataEncoderService.class);
    private static final byte[] EMPTY_AAD = new byte[0];

    public MetadataEncoderService(SchemaRegistry schemaRegistry) {
        this.encoders = null;
        try {
            this.schemaRegistry = (KafkaSchemaRegistry) schemaRegistry;
            SchemaRegistryConfig config = schemaRegistry.config();
            if (encoderSecret(config) == null) {
                log.warn("No value specified for {}, sensitive metadata will not be encoded", SchemaRegistryConfig.METADATA_ENCODER_SECRET_CONFIG);
                return;
            }
            String string = config.getString(SchemaRegistryConfig.METADATA_ENCODER_TOPIC_CONFIG);
            this.keyTemplate = KeyTemplates.get(KEY_TEMPLATE_NAME);
            this.encoders = createCache(new Serdes.StringSerde(), new KeysetWrapperSerde(config), string, null);
        } catch (Exception e) {
            throw new IllegalArgumentException("Could not instantiate MetadataEncoderService", e);
        }
    }

    @VisibleForTesting
    protected MetadataEncoderService(SchemaRegistry schemaRegistry, Cache<String, KeysetWrapper> cache) {
        this.encoders = null;
        try {
            this.schemaRegistry = (KafkaSchemaRegistry) schemaRegistry;
            if (encoderSecret(schemaRegistry.config()) == null) {
                log.warn("No value specified for {}, sensitive metadata will not be encoded", SchemaRegistryConfig.METADATA_ENCODER_SECRET_CONFIG);
            } else {
                this.keyTemplate = KeyTemplates.get(KEY_TEMPLATE_NAME);
                this.encoders = cache;
            }
        } catch (Exception e) {
            throw new IllegalArgumentException("Could not instantiate MetadataEncoderService", e);
        }
    }

    public KafkaSchemaRegistry getSchemaRegistry() {
        return this.schemaRegistry;
    }

    @VisibleForTesting
    public Cache<String, KeysetWrapper> getEncoders() {
        return this.encoders;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static Aead getPrimitive(String str) throws GeneralSecurityException {
        if (str == null) {
            throw new IllegalArgumentException("Secret is null");
        }
        return (Aead) Registry.getPrimitive(AES_GCM_KEY, AesGcmKey.newBuilder().setVersion(0).setKeyValue(ByteString.copyFrom(Hkdf.computeHkdf("HmacSha256", str.getBytes(StandardCharsets.UTF_8), (byte[]) null, (byte[]) null, 16))).build().toByteString(), Aead.class);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String encoderSecret(SchemaRegistryConfig schemaRegistryConfig) {
        Password password = schemaRegistryConfig.getPassword(SchemaRegistryConfig.METADATA_ENCODER_SECRET_CONFIG);
        return password != null ? password.value() : System.getenv("METADATA_ENCODER_SECRET");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String encoderOldSecret(SchemaRegistryConfig schemaRegistryConfig) {
        Password password = schemaRegistryConfig.getPassword(SchemaRegistryConfig.METADATA_ENCODER_OLD_SECRET_CONFIG);
        return password != null ? password.value() : System.getenv("METADATA_ENCODER_OLD_SECRET");
    }

    protected <K, V> Cache<K, V> createCache(Serde<K> serde, Serde<V> serde2, String str, CacheUpdateHandler<K, V> cacheUpdateHandler) throws CacheInitializationException {
        Cache<K, V> concurrentCache = Caches.concurrentCache(new KafkaCache(new KafkaCacheConfig(getKafkaCacheProperties(str)), serde, serde2, cacheUpdateHandler, new InMemoryCache()));
        getSchemaRegistry().addLeaderChangeListener(bool -> {
            if (bool.booleanValue()) {
                concurrentCache.reset();
                concurrentCache.sync();
            }
        });
        return concurrentCache;
    }

    private Properties getKafkaCacheProperties(String str) {
        Properties properties = new Properties();
        properties.putAll(this.schemaRegistry.config().originalProperties());
        Set<String> stringPropertyNames = properties.stringPropertyNames();
        for (String str2 : stringPropertyNames) {
            if (str2.startsWith("kafkastore.")) {
                String replace = str2.replace("kafkastore", "kafkacache");
                if (!stringPropertyNames.contains(replace)) {
                    properties.put(replace, properties.get(str2));
                }
            }
        }
        properties.put("kafkacache.topic", str);
        return properties;
    }

    public void init() {
        if (this.encoders == null || this.initialized.get()) {
            return;
        }
        this.encoders.init();
        maybeRotateSecrets();
        if (!this.initialized.compareAndSet(false, true)) {
            throw new IllegalStateException("Metadata encoder service was already initialized");
        }
        this.initLatch.countDown();
    }

    private void maybeRotateSecrets() {
        if (encoderOldSecret(this.schemaRegistry.config()) != null) {
            log.info("Rotating encoder secret");
            for (String str : this.encoders.keySet()) {
                KeysetWrapper keysetWrapper = (KeysetWrapper) this.encoders.get(str);
                if (keysetWrapper.isRotationNeeded()) {
                    try {
                        KeysetHandle keysetHandle = KeysetManager.withKeysetHandle(keysetWrapper.getKeysetHandle()).add(this.keyTemplate).getKeysetHandle();
                        this.encoders.put(str, new KeysetWrapper(KeysetManager.withKeysetHandle(keysetHandle).setPrimary(keysetHandle.getAt(keysetHandle.size()).getId()).getKeysetHandle(), false));
                    } catch (GeneralSecurityException e) {
                        log.error("Could not rotate key for {}", str, e);
                    }
                }
            }
            log.info("Done rotating encoder secret");
        }
    }

    public void waitForInit() throws InterruptedException {
        this.initLatch.await();
    }

    @VisibleForTesting
    public KeysetHandle getEncoder(String str) {
        if (this.encoders == null) {
            return null;
        }
        KeysetWrapper keysetWrapper = (KeysetWrapper) this.encoders.get(str);
        if (keysetWrapper == null) {
            this.encoders.sync();
            keysetWrapper = (KeysetWrapper) this.encoders.get(str);
        }
        if (keysetWrapper != null) {
            return keysetWrapper.getKeysetHandle();
        }
        return null;
    }

    public void encodeMetadata(SchemaValue schemaValue) throws SchemaRegistryStoreException {
        if (!this.initialized.get() || schemaValue == null || isEncoded(schemaValue)) {
            return;
        }
        try {
            transformMetadata(schemaValue, true, (aead, str) -> {
                try {
                    return Base64.getEncoder().encodeToString(aead.encrypt(str.getBytes(StandardCharsets.UTF_8), EMPTY_AAD));
                } catch (GeneralSecurityException e) {
                    throw new IllegalStateException("Could not encrypt sensitive metadata", e);
                }
            });
        } catch (IllegalStateException e) {
            throw new SchemaRegistryStoreException("Could not encrypt metadata for schema id " + schemaValue.getId(), e);
        }
    }

    private boolean isEncoded(SchemaValue schemaValue) {
        if (schemaValue == null || schemaValue.getMetadata() == null || schemaValue.getMetadata().getProperties() == null) {
            return false;
        }
        return schemaValue.getMetadata().getProperties().containsKey(SchemaValue.ENCODED_PROPERTY);
    }

    public void decodeMetadata(SchemaValue schemaValue) throws SchemaRegistryStoreException {
        if (this.initialized.get() && schemaValue != null && isEncoded(schemaValue)) {
            try {
                transformMetadata(schemaValue, false, (aead, str) -> {
                    try {
                        return new String(aead.decrypt(Base64.getDecoder().decode(str), EMPTY_AAD), StandardCharsets.UTF_8);
                    } catch (GeneralSecurityException e) {
                        throw new IllegalStateException("Could not decrypt sensitive metadata", e);
                    }
                });
            } catch (IllegalStateException e) {
                throw new SchemaRegistryStoreException("Could not decrypt metadata for schema id " + schemaValue.getId(), e);
            }
        }
    }

    private void transformMetadata(SchemaValue schemaValue, boolean z, BiFunction<Aead, String, String> biFunction) throws SchemaRegistryStoreException {
        Metadata metadata = schemaValue.getMetadata();
        if (metadata == null || metadata.getProperties() == null || metadata.getProperties().isEmpty() || metadata.getSensitive() == null || metadata.getSensitive().isEmpty()) {
            return;
        }
        try {
            String tenant = QualifiedSubject.create(this.schemaRegistry.tenant(), schemaValue.getSubject()).getTenant();
            KeysetHandle orCreateEncoder = z ? getOrCreateEncoder(tenant) : getEncoder(tenant);
            if (orCreateEncoder == null) {
                throw new SchemaRegistryStoreException("Could not get encoder for tenant " + tenant);
            }
            Aead aead = (Aead) orCreateEncoder.getPrimitive(Aead.class);
            SortedMap sortedMap = (SortedMap) metadata.getProperties().entrySet().stream().map(entry -> {
                return new AbstractMap.SimpleEntry((String) entry.getKey(), metadata.getSensitive().contains(entry.getKey()) ? (String) biFunction.apply(aead, (String) entry.getValue()) : (String) entry.getValue());
            }).collect(Collectors.toMap((v0) -> {
                return v0.getKey();
            }, (v0) -> {
                return v0.getValue();
            }, (str, str2) -> {
                return str2;
            }, TreeMap::new));
            if (z) {
                schemaValue.setMd5Bytes(MD5.ofSchema(schemaValue.toSchemaEntity()).bytes());
                sortedMap.put(SchemaValue.ENCODED_PROPERTY, "true");
            } else {
                sortedMap.remove(SchemaValue.ENCODED_PROPERTY);
            }
            schemaValue.setMetadata(new Metadata(metadata.getTags(), sortedMap, metadata.getSensitive()));
        } catch (GeneralSecurityException e) {
            throw new SchemaRegistryStoreException("Could not transform schema id " + schemaValue.getId(), e);
        }
    }

    private KeysetHandle getOrCreateEncoder(String str) {
        this.encoders.sync();
        return ((KeysetWrapper) this.encoders.computeIfAbsent(str, str2 -> {
            try {
                return new KeysetWrapper(KeysetHandle.generateNew(this.keyTemplate), false);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException("Could not create key template");
            }
        })).getKeysetHandle();
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        log.info("Shutting down MetadataEncoderService");
        if (this.encoders != null) {
            try {
                this.encoders.close();
            } catch (IOException e) {
            }
        }
    }

    static {
        try {
            AeadConfig.register();
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }
}
