package io.confluent.kafka.schemaregistry.encryption.hcvault;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.LogicalResponse;
import com.google.common.collect.ImmutableMap;
import com.google.crypto.tink.Aead;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/hcvault/HcVaultKmsAead.class */
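/**
 * {@link Aead} implementation that delegates encryption and decryption to a HashiCorp Vault
 * endpoint through the supplied {@link Vault} client.
 *
 * <p>The endpoint paths are derived once, in the constructor, from the key URI: the leading
 * slash of the URI path is dropped and the second path segment is replaced by {@code encrypt}
 * or {@code decrypt}. A URI whose mount point spans more than one path segment therefore does
 * not produce the intended endpoint.
 *
 * <p>NOTE(review): the associated data is sent as the request's {@code context} field. In
 * Vault's transit engine that field is the key-derivation input, so whether it is actually
 * bound to the ciphertext appears to depend on how the key is configured. Confirm this before
 * relying on associated data for integrity.
 */
public class HcVaultKmsAead implements Aead {
    /** Matches optional leading slashes, a leading token, a slash, and the remainder. */
    private static final Pattern KEY_URI_PATTERN = Pattern.compile("^/*([a-zA-Z0-9.:]+)/(.*)$");

    private static final String ENCRYPT_OPERATION = "encrypt";
    private static final String DECRYPT_OPERATION = "decrypt";

    private final Vault vault;
    private final String encryptPath;
    private final String decryptPath;

    /**
     * Creates an AEAD bound to one Vault key.
     *
     * @param vault client used for every encrypt and decrypt request
     * @param keyUri key URI whose path has at least two segments
     * @throws GeneralSecurityException if {@code keyUri} is null, is not a valid URI, or has a
     *     path with fewer than two segments
     */
    public HcVaultKmsAead(Vault vault, String keyUri) throws GeneralSecurityException {
        this.vault = vault;
        this.encryptPath = operationPath(keyUri, ENCRYPT_OPERATION);
        this.decryptPath = operationPath(keyUri, DECRYPT_OPERATION);
    }

    /**
     * Builds the endpoint path for {@code operation} from the key URI.
     *
     * <p>Every malformed input is reported as a {@link GeneralSecurityException}. Without these
     * checks an opaque URI, an empty path, or a one-segment path would surface as an unchecked
     * {@code NullPointerException} or index exception from the constructor.
     */
    private static String operationPath(String keyUri, String operation)
            throws GeneralSecurityException {
        if (keyUri == null) {
            throw new GeneralSecurityException("malformed keyUri");
        }
        final String path;
        try {
            path = new URI(keyUri).getPath();
        } catch (URISyntaxException e) {
            throw new GeneralSecurityException("could not process uri " + keyUri, e);
        }
        // getPath() is null for opaque URIs and empty when the URI carries no path.
        if (path == null || path.isEmpty()) {
            throw new GeneralSecurityException("could not process uri " + keyUri);
        }
        String[] segments = path.substring(1).split("/");
        if (segments.length < 2) {
            throw new GeneralSecurityException("could not process uri " + keyUri);
        }
        segments[1] = operation;
        return String.join("/", segments);
    }

    /**
     * Returns the part of {@code keyUri} after the first slash that follows the leading token.
     * Not called from within this class.
     *
     * @throws GeneralSecurityException if {@code keyUri} does not match the expected shape
     */
    private String extractKey(String keyUri) throws GeneralSecurityException {
        Matcher matcher = KEY_URI_PATTERN.matcher(keyUri);
        if (matcher.find()) {
            return matcher.group(2);
        }
        throw new GeneralSecurityException("malformed keyUri");
    }

    /**
     * Encrypts {@code plaintext} by writing it, Base64-encoded, to the encrypt endpoint.
     *
     * @param plaintext bytes to encrypt
     * @param associatedData sent Base64-encoded as {@code context}; null is sent as an empty string
     * @return the UTF-8 bytes of the {@code ciphertext} string returned by Vault
     * @throws GeneralSecurityException if the request fails, the response carries an
     *     {@code errors} entry, or it carries no {@code ciphertext}
     */
    @Override
    public byte[] encrypt(byte[] plaintext, byte[] associatedData) throws GeneralSecurityException {
        try {
            LogicalResponse response = this.vault.logical().write(
                    this.encryptPath,
                    ImmutableMap.of(
                            "plaintext", Base64.getEncoder().encodeToString(plaintext),
                            "context", encodeContext(associatedData)));
            Map<?, ?> data = response.getData();
            if (((String) data.get("errors")) != null) {
                throw new GeneralSecurityException("failed to encrypt");
            }
            String ciphertext = (String) data.get("ciphertext");
            if (ciphertext == null) {
                // NOTE(review): the raw response body ends up in the exception message and so in
                // any log that records it; confirm the body cannot carry sensitive material.
                throw new GeneralSecurityException("encryption failed: "
                        + new String(response.getRestResponse().getBody(), StandardCharsets.UTF_8));
            }
            return ciphertext.getBytes(StandardCharsets.UTF_8);
        } catch (VaultException e) {
            throw new GeneralSecurityException("encryption failed", e);
        }
    }

    /**
     * Decrypts a ciphertext produced by {@link #encrypt(byte[], byte[])}.
     *
     * @param ciphertext UTF-8 bytes of the ciphertext string, as returned by {@code encrypt}
     * @param associatedData sent Base64-encoded as {@code context}; null is sent as an empty string
     * @return the Base64-decoded {@code plaintext} field of the response
     * @throws GeneralSecurityException if the request fails, the response carries an
     *     {@code errors} entry, it carries no {@code plaintext}, or the plaintext is not valid
     *     Base64
     */
    @Override
    public byte[] decrypt(byte[] ciphertext, byte[] associatedData) throws GeneralSecurityException {
        try {
            LogicalResponse response = this.vault.logical().write(
                    this.decryptPath,
                    ImmutableMap.of(
                            "ciphertext", new String(ciphertext, StandardCharsets.UTF_8),
                            "context", encodeContext(associatedData)));
            Map<?, ?> data = response.getData();
            if (((String) data.get("errors")) != null) {
                throw new GeneralSecurityException("failed to decrypt");
            }
            String encodedPlaintext = (String) data.get("plaintext");
            if (encodedPlaintext == null) {
                // The response body is left out of this message on purpose of keeping it short;
                // do not add it, since a decrypt response is where plaintext would appear.
                throw new GeneralSecurityException("decryption failed");
            }
            try {
                return Base64.getDecoder().decode(encodedPlaintext);
            } catch (IllegalArgumentException e) {
                // Malformed Base64 must reach the caller as the checked failure type that
                // decrypt declares, not as an unchecked exception.
                throw new GeneralSecurityException("decryption failed", e);
            }
        } catch (VaultException e) {
            throw new GeneralSecurityException("decryption failed", e);
        }
    }

    /** Base64-encodes the associated data for the {@code context} field; null becomes "". */
    private static String encodeContext(byte[] associatedData) {
        return associatedData == null ? "" : Base64.getEncoder().encodeToString(associatedData);
    }
}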
