package io.confluent.kafka.schemaregistry.encryption.azure;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/azure/AzureKmsDriver.class */
/**
 * {@link KmsDriver} implementation that builds an {@link AzureKmsClient} for Azure Key Vault
 * and adds it to Tink's {@link KmsClients} registry.
 *
 * <p>Credentials are taken from the driver configuration when all three of
 * {@link #TENANT_ID}, {@link #CLIENT_ID} and {@link #CLIENT_SECRET} are present; otherwise the
 * Azure SDK default credential chain is used.
 */
public class AzureKmsDriver implements KmsDriver {
    /** Configuration key for the Azure AD tenant of the service principal. */
    public static final String TENANT_ID = "tenant.id";
    /** Configuration key for the service principal's client (application) id. */
    public static final String CLIENT_ID = "client.id";
    /**
     * Configuration key for the service principal's client secret. The value stored under this
     * key is a credential: keep the configuration map out of logs and exception messages.
     */
    public static final String CLIENT_SECRET = "client.secret";

    /**
     * Returns the key URL prefix this driver is responsible for.
     *
     * @return {@code AzureKmsClient.PREFIX}
     */
    public String getKeyUrlPrefix() {
        return AzureKmsClient.PREFIX;
    }

    /**
     * Chooses the Azure credential for the given driver configuration.
     *
     * @param configs driver configuration; the three credential entries are cast to
     *     {@code String}, so a value of any other type fails with {@link ClassCastException}
     * @return a client-secret credential when tenant id, client id and client secret are all
     *     set, otherwise the SDK default credential
     */
    private TokenCredential getCredentials(Map<String, ?> configs) {
        String tenantId = (String) configs.get(TENANT_ID);
        String clientId = (String) configs.get(CLIENT_ID);
        String clientSecret = (String) configs.get(CLIENT_SECRET);

        // NOTE(review): a partially filled configuration (for example a misspelled
        // "client.secret" key) is not reported. The driver falls back to the default
        // credential chain, so the identity used against Key Vault is whatever the runtime
        // environment supplies rather than the configured service principal. Operators should
        // confirm which identity is in effect, e.g. from Key Vault audit logs.
        if (tenantId == null || clientId == null || clientSecret == null) {
            return new DefaultAzureCredentialBuilder().build();
        }

        return new ClientSecretCredentialBuilder()
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
    }

    /**
     * Builds and registers an Azure KMS client from the driver configuration.
     *
     * @param map driver configuration (credential entries and, possibly, a test client)
     * @param optional key URL to bind the client to, if any
     * @return the registered client
     * @throws GeneralSecurityException propagated from {@link #registerWithAzureKms}
     */
    public KmsClient registerKmsClient(Map<String, ?> map, Optional<String> optional) throws GeneralSecurityException {
        // NOTE(review): getTestClient is defined outside this file. When it yields a client,
        // the credential lookup below is skipped entirely and that client is used for
        // cryptographic operations; confirm the hook cannot be populated from production
        // configuration.
        CryptographyClient testClient = (CryptographyClient) getTestClient(map);

        Optional<TokenCredential> credentials;
        if (testClient != null) {
            credentials = Optional.empty();
        } else {
            credentials = Optional.of(getCredentials(map));
        }
        return registerWithAzureKms(optional, credentials, testClient);
    }

    /**
     * Creates an {@link AzureKmsClient}, configures its credentials and optional cryptography
     * client, and adds it to {@link KmsClients}.
     *
     * @param optional key URL passed to the client constructor when present; otherwise the
     *     no-argument constructor is used
     * @param optional2 credential to install; when empty the client's default credentials
     *     are requested instead
     * @param cryptographyClient pre-built cryptography client to install, or {@code null}
     * @return the client that was added to {@link KmsClients}
     * @throws GeneralSecurityException declared by this method; presumably raised by the
     *     client's construction or credential setup, whose code is outside this file
     */
    public static KmsClient registerWithAzureKms(Optional<String> optional, Optional<TokenCredential> optional2, CryptographyClient cryptographyClient) throws GeneralSecurityException {
        AzureKmsClient client;
        if (optional.isPresent()) {
            client = new AzureKmsClient(optional.get());
        } else {
            client = new AzureKmsClient();
        }

        if (!optional2.isPresent()) {
            client.withDefaultCredentials();
        } else {
            client.withCredentialsProvider(optional2.get());
        }

        if (cryptographyClient != null) {
            client.withCryptographyClient(cryptographyClient);
        }

        // Every call adds another entry to the KmsClients registry; nothing here removes or
        // replaces an earlier client registered for the same key URL.
        KmsClients.add(client);
        return client;
    }
}
