package org.apache.hadoop.crypto.key;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.AliasListEntry;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DescribeKeyRequest;
import com.amazonaws.services.kms.model.DescribeKeyResult;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.kms.model.KeyMetadata;
import com.amazonaws.services.kms.model.ListAliasesRequest;
import com.amazonaws.services.kms.model.ListAliasesResult;
import java.nio.ByteBuffer;
import java.security.Key;
import java.util.Iterator;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/crypto/key/RangerAWSKMSProvider.class */
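public class RangerAWSKMSProvider implements RangerKMSMKI {
    private static final Logger logger = LoggerFactory.getLogger(RangerAWSKMSProvider.class);
    /**
     * Configuration key naming the KMS master key. The alias comparison in
     * {@link #generateMasterKey(String)} shows an alias name is accepted here;
     * a key ID, key ARN or alias ARN is accepted as well.
     */
    static final String AWSKMS_MASTER_KEY_ID = "ranger.kms.awskms.masterkey.id";
    /** Static AWS access key; only used together with {@link #AWS_CLIENT_SECRETKEY}. */
    static final String AWS_CLIENT_ACCESSKEY = "ranger.kms.aws.client.accesskey";
    /** Static AWS secret key; only used together with {@link #AWS_CLIENT_ACCESSKEY}. */
    static final String AWS_CLIENT_SECRETKEY = "ranger.kms.aws.client.secretkey";
    /** AWS region the KMS client is built for; optional. */
    static final String AWS_CLIENT_REGION = "ranger.kms.aws.client.region";

    /** Key identifier read from {@link #AWSKMS_MASTER_KEY_ID}; never changes after construction. */
    private final String masterKeyId;
    /** Metadata of the verified master key; {@code null} until {@link #generateMasterKey(String)} succeeds. */
    private KeyMetadata masterKeyMetadata;
    /** KMS client used for every describe/list/encrypt/decrypt call. */
    private final AWSKMS keyVaultClient;

    /**
     * Creates a provider around an already-built KMS client (e.g. for tests).
     *
     * @param configuration source of {@link #AWSKMS_MASTER_KEY_ID}
     * @param awskms        KMS client to use; may be {@code null}, which
     *                      {@link #generateMasterKey(String)} reports as an error
     */
    protected RangerAWSKMSProvider(Configuration configuration, AWSKMS awskms) {
        this.masterKeyId = configuration.get(AWSKMS_MASTER_KEY_ID);
        this.keyVaultClient = awskms;
    }

    /**
     * Creates a provider with a KMS client built from the given configuration.
     *
     * @param configuration Ranger KMS configuration holding the AWS settings
     * @throws Exception if the KMS client cannot be built
     */
    public RangerAWSKMSProvider(Configuration configuration) throws Exception {
        this(configuration, createKMSClient(configuration));
    }

    /**
     * Builds a KMS client from configuration.
     *
     * <p>Static credentials are only installed when both the access key and the
     * secret key are present; otherwise the builder is left with its default
     * credential lookup (presumably the SDK's default provider chain, e.g. an
     * instance/role credential — confirm against the SDK version in use).
     *
     * @param configuration source of the access key, secret key and region
     * @return a ready-to-use KMS client
     * @throws Exception if the client cannot be built
     */
    public static AWSKMS createKMSClient(Configuration configuration) throws Exception {
        String accessKey = configuration.get(AWS_CLIENT_ACCESSKEY);
        String secretKey = configuration.get(AWS_CLIENT_SECRETKEY);
        String region = configuration.get(AWS_CLIENT_REGION);
        AWSKMSClientBuilder builder = AWSKMSClientBuilder.standard();
        boolean hasAccessKey = StringUtils.isNotEmpty(accessKey);
        boolean hasSecretKey = StringUtils.isNotEmpty(secretKey);
        if (hasAccessKey && hasSecretKey) {
            builder.withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey)));
        } else if (hasAccessKey || hasSecretKey) {
            // Half a static credential pair is almost certainly a misconfiguration; say so
            // instead of silently falling back to ambient credentials. Values are not logged.
            logger.warn("Only one of {} and {} is set; ignoring both and using the default AWS credential lookup.",
                    AWS_CLIENT_ACCESSKEY, AWS_CLIENT_SECRETKEY);
        }
        if (StringUtils.isNotEmpty(region)) {
            builder.withRegion(region);
        }
        return builder.build();
    }

    /**
     * Verifies that the configured master key exists in KMS and refers to the
     * key it describes. Nothing is generated: AWS KMS key material never leaves
     * KMS, so this only resolves and validates {@link #masterKeyId}.
     *
     * @param str unused here; other implementations of RangerKMSMKI presumably
     *            take a password — confirm against the interface
     * @return {@code true} when the master key was found and validated
     * @throws Exception if the client or key id is missing, DescribeKey returns
     *                   nothing, or the described key is not the configured one
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public boolean generateMasterKey(String str) throws Exception {
        if (this.keyVaultClient == null) {
            throw new Exception("Key Vault Client is null. Please check the aws related configuration.");
        }
        if (StringUtils.isEmpty(this.masterKeyId)) {
            throw new Exception("Master key id is not configured. Please set " + AWSKMS_MASTER_KEY_ID + ".");
        }
        DescribeKeyRequest describeKeyRequest = new DescribeKeyRequest();
        describeKeyRequest.setKeyId(this.masterKeyId);
        DescribeKeyResult describeKey = this.keyVaultClient.describeKey(describeKeyRequest);
        // Check the metadata here: the original dereferenced it before its null check.
        if (describeKey == null || describeKey.getKeyMetadata() == null) {
            throw new Exception("Fetch KeyMetadata by describeKey failed");
        }
        KeyMetadata metadata = describeKey.getKeyMetadata();
        if (!isConfiguredMasterKey(metadata)) {
            throw new Exception("KeyMetadata do not match masterKeyId");
        }
        this.masterKeyMetadata = metadata;
        logger.info("AWS Master key exist with KeyId: {} with Arn: {} with Description : {}",
                this.masterKeyId, metadata.getArn(), metadata.getDescription());
        return true;
    }

    /**
     * Decides whether the key DescribeKey resolved is the configured master key.
     * Accepts a direct match on key ID or key ARN; otherwise walks every alias of
     * the key (following pagination) looking for one whose name or ARN equals the
     * configured id and whose target is this key.
     *
     * @param metadata metadata returned by DescribeKey, never {@code null}
     * @return {@code true} if the configured id denotes this key
     */
    private boolean isConfiguredMasterKey(KeyMetadata metadata) {
        String keyId = metadata.getKeyId();
        if (this.masterKeyId.equals(keyId) || this.masterKeyId.equals(metadata.getArn())) {
            return true;
        }
        ListAliasesRequest listAliasesRequest = new ListAliasesRequest();
        listAliasesRequest.setKeyId(keyId);
        String marker = null;
        do {
            listAliasesRequest.setMarker(marker);
            ListAliasesResult listAliases = this.keyVaultClient.listAliases(listAliasesRequest);
            if (listAliases == null || listAliases.getAliases() == null) {
                return false;
            }
            for (AliasListEntry alias : listAliases.getAliases()) {
                logger.info("keyalias: {}", alias);
                // masterKeyId is on the left so a null alias name/ARN cannot NPE.
                boolean nameMatches = this.masterKeyId.equals(alias.getAliasName())
                        || this.masterKeyId.equals(alias.getAliasArn());
                if (nameMatches && keyId.equals(alias.getTargetKeyId())) {
                    return true;
                }
            }
            marker = Boolean.TRUE.equals(listAliases.getTruncated()) ? listAliases.getNextMarker() : null;
        } while (marker != null);
        return false;
    }

    /**
     * Wraps a zone key under the master key with KMS Encrypt.
     *
     * <p>NOTE(review): no encryption context is supplied, so the ciphertext is not
     * bound to this use; adding one would be incompatible with zone keys already
     * stored without it.
     *
     * @param key zone key whose encoded form is sent to KMS
     * @return the KMS ciphertext blob as a byte array
     * @throws Exception if the key has no encoding or KMS rejects the request
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public byte[] encryptZoneKey(Key key) throws Exception {
        byte[] plaintext = key.getEncoded();
        if (plaintext == null) {
            // Key.getEncoded() returns null for keys without an encoding; ByteBuffer.wrap would NPE.
            throw new Exception("Zone key does not support encoding and cannot be encrypted with AWS KMS");
        }
        EncryptRequest encryptRequest = new EncryptRequest();
        encryptRequest.setKeyId(this.masterKeyId);
        encryptRequest.setPlaintext(ByteBuffer.wrap(plaintext));
        return toByteArray(this.keyVaultClient.encrypt(encryptRequest).getCiphertextBlob());
    }

    /**
     * Unwraps a zone key with KMS Decrypt.
     *
     * <p>NOTE(review): no KeyId is set on the request, so KMS decrypts under
     * whichever key produced the blob rather than only the configured master key.
     * Pinning the request to {@link #masterKeyId} would reject foreign ciphertexts
     * but also anything encrypted before a master key change — decide deliberately.
     *
     * @param bArr ciphertext blob previously returned by {@link #encryptZoneKey(Key)}
     * @return the decrypted zone key bytes
     * @throws Exception if the blob is {@code null} or KMS rejects the request
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public byte[] decryptZoneKey(byte[] bArr) throws Exception {
        if (bArr == null) {
            throw new Exception("Encrypted zone key is null");
        }
        DecryptRequest decryptRequest = new DecryptRequest();
        decryptRequest.setCiphertextBlob(ByteBuffer.wrap(bArr));
        return toByteArray(this.keyVaultClient.decrypt(decryptRequest).getPlaintext());
    }

    /**
     * Copies the remaining bytes of a buffer into a fresh array.
     *
     * @param buffer buffer positioned at the start of the payload
     * @return the remaining bytes
     */
    private static byte[] toByteArray(ByteBuffer buffer) {
        byte[] out = new byte[buffer.remaining()];
        buffer.get(out);
        return out;
    }

    /**
     * Not supported for AWS KMS: the master key material never leaves KMS.
     *
     * @param str unused
     * @return always {@code null}; callers presumably treat null as "not available" —
     *         confirm against RangerKMSMKI
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public String getMasterKey(String str) {
        return null;
    }
}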
