package io.confluent.kafka.schemaregistry.encryption.hcvault;

import com.bettercloud.vault.Vault;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/hcvault/HcVaultKmsDriver.class */
/**
 * {@link KmsDriver} implementation that builds an {@link HcVaultKmsClient} and registers it
 * with Tink's {@link KmsClients}.
 *
 * <p>The Vault token is read from the driver configuration under {@link #TOKEN_ID}. That value
 * is a credential, so callers should keep the configuration map out of logs and error output.
 */
public class HcVaultKmsDriver implements KmsDriver {
    /** Configuration key under which the Vault token is looked up. */
    public static final String TOKEN_ID = "token.id";

    /**
     * Returns the key URL prefix handled by this driver.
     *
     * @return {@code HcVaultKmsClient.PREFIX}
     */
    public String getKeyUrlPrefix() {
        return HcVaultKmsClient.PREFIX;
    }

    /**
     * Looks up the Vault token in the supplied configuration.
     *
     * @param configs driver configuration
     * @return the value stored under {@link #TOKEN_ID}, or {@code null} when the key is absent
     * @throws ClassCastException if the stored value is not a {@code String}
     */
    private String getToken(Map<String, ?> configs) {
        Object rawToken = configs.get(TOKEN_ID);
        return (String) rawToken;
    }

    /**
     * Creates and registers a KMS client from the driver configuration.
     *
     * <p>If {@code getTestClient(map)} supplies a {@link Vault}, the configured token is not read
     * at all and the client is set up through the default-credentials path with that instance
     * injected. Otherwise the token stored under {@link #TOKEN_ID} is used when present.
     *
     * <p>NOTE(review): {@code getTestClient} is defined outside this class; confirm it can only be
     * populated by test code, because a supplied instance replaces the token lookup.
     *
     * @param map driver configuration
     * @param optional value forwarded to {@link #registerWithHcVaultKms} as its first argument
     * @return the registered client
     * @throws GeneralSecurityException declared for the underlying client setup
     */
    public KmsClient registerKmsClient(Map<String, ?> map, Optional<String> optional) throws GeneralSecurityException {
        Vault injectedVault = (Vault) getTestClient(map);
        Optional<String> token;
        if (injectedVault == null) {
            // Only touch the configured token when no Vault instance was injected.
            token = Optional.ofNullable(getToken(map));
        } else {
            token = Optional.empty();
        }
        return registerWithHcVaultKms(optional, token, injectedVault);
    }

    /**
     * Builds an {@link HcVaultKmsClient}, configures its credentials and adds it to
     * {@link KmsClients}.
     *
     * <p>NOTE(review): {@code KmsClients} is a static registry, so every call adds one more
     * credential-bearing client for the lifetime of the process; confirm callers do not
     * re-register per request.
     *
     * @param optional constructor argument for the client when present (presumably the key URI;
     *     verify against {@code HcVaultKmsClient}); the no-argument constructor is used otherwise
     * @param optional2 credentials passed to {@code withCredentials}; when empty,
     *     {@code withDefaultCredentials} is called instead
     * @param vault instance handed to {@code withVault}, or {@code null} to skip that step
     * @return the client that was added to {@link KmsClients}
     * @throws GeneralSecurityException declared for the credential and registration calls
     */
    public static KmsClient registerWithHcVaultKms(Optional<String> optional, Optional<String> optional2, Vault vault) throws GeneralSecurityException {
        HcVaultKmsClient client;
        if (optional.isPresent()) {
            client = new HcVaultKmsClient(optional.get());
        } else {
            client = new HcVaultKmsClient();
        }

        if (!optional2.isPresent()) {
            client.withDefaultCredentials();
        } else {
            client.withCredentials(optional2.get());
        }

        // The injected Vault is applied after the credentials step, as in the original ordering.
        if (vault != null) {
            client.withVault(vault);
        }

        KmsClients.add(client);
        return client;
    }
}
