package org.apache.iceberg.encryption;

import java.nio.ByteBuffer;
import java.security.SecureRandom;
import org.apache.iceberg.io.InputFile;
import org.apache.iceberg.io.OutputFile;
import org.apache.iceberg.io.SeekableInputStream;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.collect.Iterables;
import org.apache.iceberg.util.ByteBuffers;

/* loaded from: input_file:org/apache/iceberg/encryption/StandardEncryptionManager.class */
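/**
 * {@link EncryptionManager} that gives every output file its own randomly generated data key and
 * AAD prefix, and delegates key wrapping to a {@link KeyManagementClient} under a table key id.
 *
 * <p>Security-relevant properties visible in this class:
 *
 * <ul>
 *   <li>Data keys and AAD prefixes come from {@link SecureRandom}; the data key length is
 *       restricted to 16, 24 or 32 bytes by the constructor.
 *   <li>{@code kmsClient} is {@code transient}: an instance restored from Java serialization has
 *       no KMS client, so {@link #wrapKey} and {@link #unwrapKey} fail with
 *       {@link IllegalStateException} instead of silently skipping the KMS.
 *   <li>Plaintext data keys are cached in the per-file wrapper objects for their lifetime; they
 *       must not be logged or persisted unwrapped.
 * </ul>
 *
 * <p>NOTE(review): none of the lazy initialisation in the nested file wrappers is synchronized;
 * they look intended for single-threaded use per file - confirm against callers.
 */
public class StandardEncryptionManager implements EncryptionManager {
    /** Length in bytes of the random AAD prefix generated for each output file. */
    private static final int AAD_PREFIX_LENGTH = 16;

    // Not serialized: a deserialized manager can still read/write files but cannot wrap or unwrap keys.
    private final transient KeyManagementClient kmsClient;
    private final String tableKeyId;
    private final int dataKeyLength;
    // Created on first use; transient, so it is re-created lazily after deserialization.
    private volatile transient SecureRandom lazyRNG = null;

    /**
     * Decrypting view over an {@link EncryptedInputFile}. Key metadata is parsed and the decrypting
     * file is built only on first use.
     *
     * <p>The decompiler reports that the access modifiers of this class were widened from private.
     */
    public static class StandardDecryptedInputFile implements NativeEncryptionInputFile {
        private final EncryptedInputFile encryptedInputFile;
        private StandardKeyMetadata lazyKeyMetadata;
        private AesGcmInputFile lazyDecryptedInputFile;

        private StandardDecryptedInputFile(EncryptedInputFile encryptedInputFile) {
            this.lazyKeyMetadata = null;
            this.lazyDecryptedInputFile = null;
            this.encryptedInputFile = encryptedInputFile;
        }

        /** Returns the underlying, still-encrypted file. */
        @Override
        public InputFile encryptedInputFile() {
            return this.encryptedInputFile.encryptedInputFile();
        }

        /**
         * Returns the key metadata of the wrapped file, converted once through
         * {@code StandardKeyMetadata.castOrParse} and cached afterwards.
         */
        @Override
        public StandardKeyMetadata keyMetadata() {
            if (null == this.lazyKeyMetadata) {
                this.lazyKeyMetadata = StandardKeyMetadata.castOrParse(this.encryptedInputFile.keyMetadata());
            }
            return this.lazyKeyMetadata;
        }

        /**
         * Builds (once) the decrypting file from the encrypted file, the data key and the AAD prefix.
         */
        private AesGcmInputFile decrypted() {
            if (null == this.lazyDecryptedInputFile) {
                // Read the metadata once so the key and the AAD prefix always come from the same object.
                StandardKeyMetadata metadata = keyMetadata();
                this.lazyDecryptedInputFile =
                        new AesGcmInputFile(
                                this.encryptedInputFile.encryptedInputFile(),
                                ByteBuffers.toByteArray(metadata.encryptionKey()),
                                ByteBuffers.toByteArray(metadata.aadPrefix()));
            }
            return this.lazyDecryptedInputFile;
        }

        // The four InputFile methods below all go through decrypted(), so each of them needs
        // usable key metadata even when it only reports the location or existence of the file.

        @Override
        public long getLength() {
            return decrypted().getLength();
        }

        @Override
        public SeekableInputStream newStream() {
            return decrypted().newStream();
        }

        @Override
        public String location() {
            return decrypted().location();
        }

        @Override
        public boolean exists() {
            return decrypted().exists();
        }
    }

    /**
     * Encrypting view over a plain {@link OutputFile}. The data key and AAD prefix are generated on
     * the first call to {@link #keyMetadata()} and reused for the lifetime of this object.
     *
     * <p>The decompiler reports that the access modifiers of this class were widened from private.
     */
    public class StandardEncryptedOutputFile implements NativeEncryptionOutputFile {
        private final OutputFile plainOutputFile;
        private final int dataKeyLength;
        private StandardKeyMetadata lazyKeyMetadata = null;
        private OutputFile lazyEncryptingOutputFile = null;

        StandardEncryptedOutputFile(OutputFile outputFile, int i) {
            this.plainOutputFile = outputFile;
            this.dataKeyLength = i;
        }

        /**
         * Returns this file's key metadata, generating a random data key of {@code dataKeyLength}
         * bytes and a random AAD prefix on first use.
         *
         * <p>The returned metadata holds the plaintext data key.
         */
        @Override
        public StandardKeyMetadata keyMetadata() {
            if (null == this.lazyKeyMetadata) {
                SecureRandom rng = StandardEncryptionManager.this.workerRNG();
                byte[] dataKey = new byte[this.dataKeyLength];
                rng.nextBytes(dataKey);
                byte[] aadPrefix = new byte[AAD_PREFIX_LENGTH];
                rng.nextBytes(aadPrefix);
                this.lazyKeyMetadata = new StandardKeyMetadata(dataKey, aadPrefix);
            }
            return this.lazyKeyMetadata;
        }

        /** Returns the output file that encrypts on write, built once from this file's key metadata. */
        @Override
        public OutputFile encryptingOutputFile() {
            if (null == this.lazyEncryptingOutputFile) {
                // Read the metadata once so the key and the AAD prefix always come from the same object.
                StandardKeyMetadata metadata = keyMetadata();
                this.lazyEncryptingOutputFile =
                        new AesGcmOutputFile(
                                this.plainOutputFile,
                                ByteBuffers.toByteArray(metadata.encryptionKey()),
                                ByteBuffers.toByteArray(metadata.aadPrefix()));
            }
            return this.lazyEncryptingOutputFile;
        }

        /** Returns the unencrypted output file; writes through it bypass encryption. */
        @Override
        public OutputFile plainOutputFile() {
            return this.plainOutputFile;
        }
    }

    /**
     * Creates a manager for one table key.
     *
     * @param str id of the table key passed to the KMS client when wrapping and unwrapping
     * @param i data key length in bytes; must be 16, 24 or 32
     * @param keyManagementClient KMS client used by {@link #wrapKey} and {@link #unwrapKey}
     * @throws NullPointerException if the key id or the KMS client is null
     * @throws IllegalArgumentException if the data key length is not 16, 24 or 32
     */
    public StandardEncryptionManager(String str, int i, KeyManagementClient keyManagementClient) {
        Preconditions.checkNotNull(str, "Invalid encryption key ID: null");
        Preconditions.checkArgument(i == 16 || i == 24 || i == 32, "Invalid data key length: %s (must be 16, 24, or 32)", i);
        Preconditions.checkNotNull(keyManagementClient, "Invalid KMS client: null");
        this.tableKeyId = str;
        this.kmsClient = keyManagementClient;
        this.dataKeyLength = i;
    }

    /** Wraps {@code outputFile} so that its key material is generated lazily on first use. */
    @Override
    public NativeEncryptionOutputFile encrypt(OutputFile outputFile) {
        return new StandardEncryptedOutputFile(outputFile, this.dataKeyLength);
    }

    /**
     * Returns a decrypting view of {@code encryptedInputFile}. An argument that already is a
     * {@link NativeEncryptionInputFile} is returned unchanged rather than wrapped again.
     */
    @Override
    public NativeEncryptionInputFile decrypt(EncryptedInputFile encryptedInputFile) {
        if (encryptedInputFile instanceof NativeEncryptionInputFile) {
            return (NativeEncryptionInputFile) encryptedInputFile;
        }
        return new StandardDecryptedInputFile(encryptedInputFile);
    }

    /**
     * Returns a lazy view that applies {@link #decrypt(EncryptedInputFile)} to each element as the
     * result is iterated; nothing is wrapped until then.
     */
    @Override
    public Iterable<InputFile> decrypt(Iterable<EncryptedInputFile> iterable) {
        return Iterables.transform(iterable, this::decrypt);
    }

    /**
     * Returns the shared {@link SecureRandom}, creating it on first use.
     *
     * <p>Initialisation is unsynchronized: concurrent first calls may each create an instance and
     * the last write wins, which is harmless because every instance is an equally valid source.
     * The decompiler reports that this method was private in the original class.
     */
    public SecureRandom workerRNG() {
        // Single volatile read; the field is never reset to null once assigned.
        SecureRandom rng = this.lazyRNG;
        if (rng == null) {
            rng = new SecureRandom();
            this.lazyRNG = rng;
        }
        return rng;
    }

    /**
     * Wraps {@code byteBuffer} with the table key through the KMS client.
     *
     * @throws IllegalStateException if this instance has no KMS client (it was deserialized)
     */
    public ByteBuffer wrapKey(ByteBuffer byteBuffer) {
        if (this.kmsClient == null) {
            throw new IllegalStateException("Cannot wrap key after serialization (missing KMS client)");
        }
        return this.kmsClient.wrapKey(byteBuffer, this.tableKeyId);
    }

    /**
     * Unwraps {@code byteBuffer} with the table key through the KMS client.
     *
     * @throws IllegalStateException if this instance has no KMS client (it was deserialized)
     */
    public ByteBuffer unwrapKey(ByteBuffer byteBuffer) {
        if (this.kmsClient == null) {
            // The original message said "wrap" here, which misdirects anyone triaging the failure.
            throw new IllegalStateException("Cannot unwrap key after serialization (missing KMS client)");
        }
        return this.kmsClient.unwrapKey(byteBuffer, this.tableKeyId);
    }
}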
