package org.apache.hadoop.crypto.key.kms.server;

import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.server.KMSACLsType;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
import org.apache.hadoop.thirdparty.com.google.common.base.Preconditions;
import org.apache.hadoop.thirdparty.com.google.common.base.Stopwatch;
import org.apache.hadoop.util.KMSUtil;
import org.apache.ranger.kms.metrics.KMSMetricWrapper;
import org.apache.ranger.kms.metrics.KMSMetrics;
import org.apache.ranger.kms.metrics.collector.KMSMetricsCollector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@Path("/v1")
/* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/KMS.class */
public class KMS {
    static final Logger LOG = LoggerFactory.getLogger(KMS.class);
    private static final String KEY_NAME_VALIDATION = "[a-z,A-Z,0-9](?!.*--)(?!.*__)(?!.*-_)(?!.*_-)[\\w\\-\\_]*";
    private static final int MAX_NUM_PER_BATCH = 10000;
    private static final String GENERATE_DEK_PATH_CONST = "_dek";
    private final KeyProviderCryptoExtension provider = KMSWebApp.getKeyProvider();
    private final KMSAudit kmsAudit = KMSWebApp.getKMSAudit();
    private KMSMetricsCollector kmsMetricsCollector = KMSMetricWrapper.getInstance(KMSWebApp.isMetricCollectionThreadSafe()).getKmsMetricsCollector();

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/KMS$KMSOp.class */
    public enum KMSOp {
        CREATE_KEY,
        DELETE_KEY,
        ROLL_NEW_VERSION,
        INVALIDATE_CACHE,
        GET_KEYS,
        GET_KEYS_METADATA,
        GET_KEY_VERSIONS,
        GET_METADATA,
        GET_KEY_VERSION,
        GET_CURRENT_KEY,
        GENERATE_EEK,
        DECRYPT_EEK,
        REENCRYPT_EEK,
        REENCRYPT_EEK_BATCH
    }

    @Path("keys")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public Response createKey(Map map, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> createKey()");
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.KEY_CREATE_COUNT, KMSMetrics.KMSMetric.KEY_CREATE_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    String str = (String) map.get("name");
                    KMSUtil.checkNotEmpty(str, "name");
                    validateKeyName(str);
                    assertAccess(KMSACLsType.Type.CREATE, userGroupInformation, KMSOp.CREATE_KEY, str, httpServletRequest.getRemoteAddr());
                    String str2 = (String) map.get("cipher");
                    String str3 = (String) map.get("material");
                    int intValue = map.containsKey("length") ? ((Integer) map.get("length")).intValue() : 0;
                    String str4 = (String) map.get("description");
                    LOG.debug("Creating key: name={}, cipher={}, keyLength={}, description={}", new Object[]{str, str2, Integer.valueOf(intValue), str4});
                    Map map2 = (Map) map.get("attributes");
                    if (str3 != null) {
                        assertAccess(KMSACLsType.Type.SET_KEY_MATERIAL, userGroupInformation, KMSOp.CREATE_KEY, str, httpServletRequest.getRemoteAddr());
                    }
                    KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.getConfiguration());
                    if (str2 != null) {
                        options.setCipher(str2);
                    }
                    if (intValue != 0) {
                        options.setBitLength(intValue);
                    }
                    options.setDescription(str4);
                    options.setAttributes(map2);
                    KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(() -> {
                        KeyProvider.KeyVersion createKey = str3 != null ? this.provider.createKey(str, Base64.decodeBase64(str3), options) : this.provider.createKey(str, options);
                        this.provider.flush();
                        return createKey;
                    });
                    this.kmsAudit.ok(userGroupInformation, KMSOp.CREATE_KEY, str, "UserProvidedMaterial:" + (str3 != null) + " Description:" + str4);
                    if (!KMSWebApp.getACLs().hasAccess(KMSACLsType.Type.GET, userGroupInformation, httpServletRequest.getRemoteAddr())) {
                        keyVersion = removeKeyMaterial(keyVersion);
                    }
                    Map json = KMSUtil.toJSON(keyVersion);
                    String url = KMSMDCFilter.getURL();
                    Response build = Response.created(getKeyURI("/v1", str)).type("application/json").header("Location", getKeyURI(url.substring(0, url.lastIndexOf("keys")), str)).entity(json).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== createKey()");
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in createKey.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== createKey()");
            throw th3;
        }
    }

    @Path("key/{name:.*}")
    @DELETE
    public Response deleteKey(@PathParam("name") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> deleteKey({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.DELETE_KEY_COUNT, KMSMetrics.KMSMetric.DELETE_KEY_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    assertAccess(KMSACLsType.Type.DELETE, userGroupInformation, KMSOp.DELETE_KEY, str, httpServletRequest.getRemoteAddr());
                    KMSUtil.checkNotEmpty(str, "name");
                    userGroupInformation.doAs(() -> {
                        this.provider.deleteKey(str);
                        this.provider.flush();
                        return null;
                    });
                    this.kmsAudit.ok(userGroupInformation, KMSOp.DELETE_KEY, str, "");
                    Response build = Response.ok().build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== deleteKey({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in deleteKey.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== deleteKey({})", str);
            throw th3;
        }
    }

    @Path("key/{name:.*}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public Response rolloverKey(@PathParam("name") String str, Map map, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> rolloverKey({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.ROLL_NEW_VERSION_COUNT, KMSMetrics.KMSMetric.ROLL_NEW_VERSION_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    assertAccess(KMSACLsType.Type.ROLLOVER, userGroupInformation, KMSOp.ROLL_NEW_VERSION, str, httpServletRequest.getRemoteAddr());
                    KMSUtil.checkNotEmpty(str, "name");
                    String str2 = (String) map.get("material");
                    if (str2 != null) {
                        assertAccess(KMSACLsType.Type.SET_KEY_MATERIAL, userGroupInformation, KMSOp.ROLL_NEW_VERSION, str, httpServletRequest.getRemoteAddr());
                    }
                    KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(() -> {
                        KeyProvider.KeyVersion rollNewVersion = str2 != null ? this.provider.rollNewVersion(str, Base64.decodeBase64(str2)) : this.provider.rollNewVersion(str);
                        this.provider.flush();
                        return rollNewVersion;
                    });
                    this.kmsAudit.ok(userGroupInformation, KMSOp.ROLL_NEW_VERSION, str, "UserProvidedMaterial:" + (str2 != null) + " NewVersion:" + keyVersion.getVersionName());
                    if (!KMSWebApp.getACLs().hasAccess(KMSACLsType.Type.GET, userGroupInformation, httpServletRequest.getRemoteAddr())) {
                        keyVersion = removeKeyMaterial(keyVersion);
                    }
                    Response build = Response.ok().type("application/json").entity(KMSUtil.toJSON(keyVersion)).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== rolloverKey({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in rolloverKey.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== rolloverKey({})", str);
            throw th3;
        }
    }

    @POST
    @Path("key/{name:.*}/_invalidatecache")
    public Response invalidateCache(@PathParam("name") String str) throws Exception {
        LOG.debug("==> invalidateCache({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.INVALIDATE_CACHE_COUNT, KMSMetrics.KMSMetric.INVALIDATE_CACHE_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    KMSUtil.checkNotEmpty(str, "name");
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    assertAccess(KMSACLsType.Type.ROLLOVER, userGroupInformation, KMSOp.INVALIDATE_CACHE, str);
                    userGroupInformation.doAs(() -> {
                        this.provider.invalidateCache(str);
                        this.provider.flush();
                        return null;
                    });
                    this.kmsAudit.ok(userGroupInformation, KMSOp.INVALIDATE_CACHE, str, "");
                    Response build = Response.ok().build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== invalidateCache({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in invalidateCache for key name {}.", str, e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== invalidateCache({})", str);
            throw th3;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("keys/metadata")
    public Response getKeysMetadata(@QueryParam("key") List<String> list, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getKeysMetadata()");
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.GET_KEYS_METADATA_COUNT, KMSMetrics.KMSMetric.GET_KEYS_METADATA_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    String[] strArr = (String[]) list.toArray(new String[0]);
                    assertAccess(KMSACLsType.Type.GET_METADATA, userGroupInformation, KMSOp.GET_KEYS_METADATA, httpServletRequest.getRemoteAddr());
                    List json = KMSServerJSONUtils.toJSON(strArr, (KeyProvider.Metadata[]) userGroupInformation.doAs(() -> {
                        return this.provider.getKeysMetadata(strArr);
                    }));
                    this.kmsMetricsCollector.updateMetric(KMSMetrics.KMSMetric.GET_KEYS_METADATA_KEYNAMES_COUNT, strArr.length);
                    this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEYS_METADATA, "");
                    Response build = Response.ok().type("application/json").entity(json).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== getKeysMetadata()");
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in getKeysMetadata.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== getKeysMetadata()");
            throw th3;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("keys/names")
    public Response getKeyNames(@Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getKeyNames()");
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.GET_KEYS_COUNT, KMSMetrics.KMSMetric.GET_KEYS_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    assertAccess(KMSACLsType.Type.GET_KEYS, userGroupInformation, KMSOp.GET_KEYS, httpServletRequest.getRemoteAddr());
                    KeyProviderCryptoExtension keyProviderCryptoExtension = this.provider;
                    Objects.requireNonNull(keyProviderCryptoExtension);
                    List list = (List) userGroupInformation.doAs(keyProviderCryptoExtension::getKeys);
                    this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEYS, "");
                    Response build = Response.ok().type("application/json").entity(list).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== getKeyNames()");
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in getkeyNames.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== getKeyNames()");
            throw th3;
        }
    }

    @GET
    @Path("key/{name:.*}")
    public Response getKey(@PathParam("name") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getKey({})", str);
        try {
            try {
                Response metadata = getMetadata(str, httpServletRequest);
                LOG.debug("<== getKey({})", str);
                return metadata;
            } catch (Exception e) {
                LOG.error("Exception in getKey.", e);
                throw e;
            }
        } catch (Throwable th) {
            LOG.debug("<== getKey({})", str);
            throw th;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_metadata")
    public Response getMetadata(@PathParam("name") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getMetadata({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.GET_METADATA_COUNT, KMSMetrics.KMSMetric.GET_METADATA_ELAPSED_TIME);
                try {
                    KMSWebApp.getAdminCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    KMSUtil.checkNotEmpty(str, "name");
                    assertAccess(KMSACLsType.Type.GET_METADATA, userGroupInformation, KMSOp.GET_METADATA, str, httpServletRequest.getRemoteAddr());
                    Map json = KMSServerJSONUtils.toJSON(str, (KeyProvider.Metadata) userGroupInformation.doAs(() -> {
                        return this.provider.getMetadata(str);
                    }));
                    this.kmsAudit.ok(userGroupInformation, KMSOp.GET_METADATA, str, "");
                    Response build = Response.ok().type("application/json").entity(json).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== getMetadata({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in getMetadata.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== getMetadata({})", str);
            throw th3;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_currentversion")
    public Response getCurrentVersion(@PathParam("name") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getCurrentVersion({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.GET_CURRENT_KEY_COUNT, KMSMetrics.KMSMetric.GET_CURRENT_KEY_ELAPSED_TIME);
                try {
                    KMSWebApp.getKeyCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    KMSUtil.checkNotEmpty(str, "name");
                    assertAccess(KMSACLsType.Type.GET, userGroupInformation, KMSOp.GET_CURRENT_KEY, str, httpServletRequest.getRemoteAddr());
                    Map json = KMSUtil.toJSON((KeyProvider.KeyVersion) userGroupInformation.doAs(() -> {
                        return this.provider.getCurrentKey(str);
                    }));
                    this.kmsAudit.ok(userGroupInformation, KMSOp.GET_CURRENT_KEY, str, "");
                    Response build = Response.ok().type("application/json").entity(json).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== getCurrentVersion({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in getCurrentVersion.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== getCurrentVersion({})", str);
            throw th3;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("keyversion/{versionName:.*}")
    public Response getKeyVersion(@PathParam("versionName") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getKeyVersion({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.GET_KEY_VERSION_COUNT, KMSMetrics.KMSMetric.GET_KEY_VERSION_ELAPSED_TIME);
                try {
                    KMSWebApp.getKeyCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    KMSUtil.checkNotEmpty(str, "versionName");
                    assertAccess(KMSACLsType.Type.GET, userGroupInformation, KMSOp.GET_KEY_VERSION, httpServletRequest.getRemoteAddr());
                    KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(() -> {
                        return this.provider.getKeyVersion(str);
                    });
                    if (keyVersion != null) {
                        this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
                    }
                    Response build = Response.ok().type("application/json").entity(KMSUtil.toJSON(keyVersion)).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== getKeyVersion({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Throwable th3) {
                LOG.debug("<== getKeyVersion({})", str);
                throw th3;
            }
        } catch (Exception e) {
            LOG.error("Exception in getKeyVersion.", e);
            throw e;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_dek")
    public Response generateDataKey(@PathParam("name") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> generateDataKey(name={}", str);
        try {
            try {
                UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                KMSUtil.checkNotEmpty(str, "name");
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.EEK_GENERATE_COUNT, KMSMetrics.KMSMetric.EEK_GENERATE_ELAPSED_TIME);
                try {
                    assertAccess(KMSACLsType.Type.GENERATE_EEK, userGroupInformation, KMSOp.GENERATE_EEK, str, httpServletRequest.getRemoteAddr());
                    KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion = (KeyProviderCryptoExtension.EncryptedKeyVersion) userGroupInformation.doAs(() -> {
                        return this.provider.generateEncryptedKey(str);
                    });
                    this.kmsAudit.ok(userGroupInformation, KMSOp.GENERATE_EEK, str, "generateDataKey execution");
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.EEK_DECRYPT_COUNT, KMSMetrics.KMSMetric.EEK_DECRYPT_ELAPSED_TIME);
                    try {
                        assertAccess(KMSACLsType.Type.DECRYPT_EEK, userGroupInformation, KMSOp.DECRYPT_EEK, str, httpServletRequest.getRemoteAddr());
                        KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(() -> {
                            return this.provider.decryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(encryptedKeyVersion.getEncryptionKeyName(), encryptedKeyVersion.getEncryptionKeyVersionName(), encryptedKeyVersion.getEncryptedKeyIv(), "EEK", encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
                        });
                        this.kmsAudit.ok(userGroupInformation, KMSOp.DECRYPT_EEK, str, "generateDataKey execution");
                        if (createAPIMetric != null) {
                            createAPIMetric.close();
                        }
                        HashMap hashMap = new HashMap();
                        hashMap.put("edek", KMSUtil.toJSON(encryptedKeyVersion));
                        hashMap.put("dek", KMSUtil.toJSON(keyVersion));
                        Response build = Response.ok().type("application/json").entity(hashMap).build();
                        LOG.debug("<== generateDataKey(name={}", str);
                        return build;
                    } finally {
                    }
                } finally {
                }
            } catch (Exception e) {
                LOG.error("Exception in generateDataKey:", e);
                throw new IOException(e);
            }
        } catch (Throwable th) {
            LOG.debug("<== generateDataKey(name={}", str);
            throw th;
        }
    }

    /* JADX WARN: Finally extract failed */
    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_eek")
    public Response generateEncryptedKeys(@PathParam("name") String str, @QueryParam("eek_op") String str2, @QueryParam("num_keys") @DefaultValue("1") int i, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> generateEncryptedKeys(name={}, eekOp={}, numKeys={})", new Object[]{str, str2, Integer.valueOf(i)});
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.EEK_GENERATE_COUNT, KMSMetrics.KMSMetric.EEK_GENERATE_ELAPSED_TIME);
                try {
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    KMSUtil.checkNotEmpty(str, "name");
                    KMSUtil.checkNotNull(str2, "eekOp");
                    if (!str2.equals("generate")) {
                        StringBuilder sb = new StringBuilder("IllegalArgumentException Wrong ");
                        sb.append("eek_op").append(" value, it must be ").append("generate").append(" or ").append("decrypt");
                        LOG.error(sb.toString());
                        throw new IllegalArgumentException(sb.toString());
                    }
                    LinkedList linkedList = new LinkedList();
                    try {
                        assertAccess(KMSACLsType.Type.GENERATE_EEK, userGroupInformation, KMSOp.GENERATE_EEK, str, httpServletRequest.getRemoteAddr());
                        userGroupInformation.doAs(() -> {
                            for (int i2 = 0; i2 < i; i2++) {
                                linkedList.add(this.provider.generateEncryptedKey(str));
                            }
                            return null;
                        });
                        this.kmsAudit.ok(userGroupInformation, KMSOp.GENERATE_EEK, str, "");
                        ArrayList arrayList = new ArrayList();
                        Iterator it = linkedList.iterator();
                        while (it.hasNext()) {
                            arrayList.add(KMSUtil.toJSON((KeyProviderCryptoExtension.EncryptedKeyVersion) it.next()));
                        }
                        KMSWebApp.getGenerateEEKCallsMeter().mark();
                        Response build = Response.ok().type("application/json").entity(arrayList).build();
                        if (createAPIMetric != null) {
                            createAPIMetric.close();
                        }
                        LOG.debug("<== generateEncryptedKeys(name={}, eekOp={}, numKeys={})", new Object[]{str, str2, Integer.valueOf(i)});
                        return build;
                    } catch (Exception e) {
                        LOG.error("Exception in generateEncryptedKeys:", e);
                        throw new IOException(e);
                    }
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e2) {
                LOG.error("Exception in generateEncryptedKeys.", e2);
                throw e2;
            }
        } catch (Throwable th3) {
            LOG.debug("<== generateEncryptedKeys(name={}, eekOp={}, numKeys={})", new Object[]{str, str2, Integer.valueOf(i)});
            throw th3;
        }
    }

    @Path("key/{name:.*}/_reencryptbatch")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public Response reencryptEncryptedKeys(@PathParam("name") String str, List<Map> list) throws Exception {
        LOG.debug("==> reencryptEncryptedKeys(name={}, count={})", str, Integer.valueOf(list != null ? list.size() : 0));
        Stopwatch createStarted = Stopwatch.createStarted();
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.REENCRYPT_EEK_BATCH_COUNT, KMSMetrics.KMSMetric.REENCRYPT_EEK_BATCH_ELAPSED_TIME);
                try {
                    KMSWebApp.getReencryptEEKBatchCallsMeter().mark();
                    KMSUtil.checkNotEmpty(str, "name");
                    KMSUtil.checkNotNull(list, "jsonPayload");
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    if (list.size() > MAX_NUM_PER_BATCH) {
                        LOG.warn("Payload size {} too big for reencryptEncryptedKeys from user {}.", Integer.valueOf(list.size()), userGroupInformation);
                    }
                    assertAccess(KMSACLsType.Type.GENERATE_EEK, userGroupInformation, KMSOp.REENCRYPT_EEK_BATCH, str);
                    List parseJSONEncKeyVersions = KMSUtil.parseJSONEncKeyVersions(str, list);
                    Preconditions.checkArgument(parseJSONEncKeyVersions.size() == list.size(), "EncryptedKey size mismatch after parsing from json");
                    Iterator it = parseJSONEncKeyVersions.iterator();
                    while (it.hasNext()) {
                        Preconditions.checkArgument(str.equals(((KeyProviderCryptoExtension.EncryptedKeyVersion) it.next()).getEncryptionKeyName()), "All EncryptedKeys must be under the given key name " + str);
                    }
                    userGroupInformation.doAs(() -> {
                        this.provider.reencryptEncryptedKeys(parseJSONEncKeyVersions);
                        return null;
                    });
                    ArrayList arrayList = new ArrayList(parseJSONEncKeyVersions.size());
                    Iterator it2 = parseJSONEncKeyVersions.iterator();
                    while (it2.hasNext()) {
                        arrayList.add(KMSUtil.toJSON((KeyProviderCryptoExtension.EncryptedKeyVersion) it2.next()));
                    }
                    this.kmsMetricsCollector.updateMetric(KMSMetrics.KMSMetric.REENCRYPT_EEK_BATCH_KEYS_COUNT, parseJSONEncKeyVersions.size());
                    this.kmsAudit.ok(userGroupInformation, KMSOp.REENCRYPT_EEK_BATCH, str, "reencrypted " + parseJSONEncKeyVersions.size() + " keys");
                    LOG.debug("reencryptEncryptedKeys {} keys for key {} took {}", new Object[]{Integer.valueOf(list.size()), str, createStarted.stop()});
                    Response build = Response.ok().type("application/json").entity(arrayList).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== reencryptEncryptedKeys(name={}, count={})", str, Integer.valueOf(list != null ? list.size() : 0));
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in reencryptEncryptedKeys.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== reencryptEncryptedKeys(name={}, count={})", str, Integer.valueOf(list != null ? list.size() : 0));
            throw th3;
        }
    }

    /* JADX WARN: Finally extract failed */
    @POST
    @Produces({"application/json"})
    @Path("keyversion/{versionName:.*}/_eek")
    public Response handleEncryptedKeyOp(@PathParam("versionName") String str, @QueryParam("eek_op") String str2, Map map, @Context HttpServletRequest httpServletRequest) throws Exception {
        Map json;
        LOG.debug("==> handleEncryptedKeyOp(versionName={}, eekOp={})", str, str2);
        try {
            try {
                KMSMetricsCollector.APIMetric captureElapsedTime = this.kmsMetricsCollector.captureElapsedTime();
                try {
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    KMSUtil.checkNotEmpty(str, "versionName");
                    KMSUtil.checkNotNull(str2, "eekOp");
                    String str3 = (String) map.get("name");
                    String str4 = (String) map.get("iv");
                    String str5 = (String) map.get("material");
                    KMSUtil.checkNotNull(str4, "iv");
                    byte[] decodeBase64 = Base64.decodeBase64(str4);
                    KMSUtil.checkNotNull(str5, "material");
                    byte[] decodeBase642 = Base64.decodeBase64(str5);
                    if (str2.equals("decrypt")) {
                        KMSWebApp.getDecryptEEKCallsMeter().mark();
                        captureElapsedTime.setMetrics(KMSMetrics.KMSMetric.EEK_DECRYPT_COUNT, KMSMetrics.KMSMetric.EEK_DECRYPT_ELAPSED_TIME);
                        assertAccess(KMSACLsType.Type.DECRYPT_EEK, userGroupInformation, KMSOp.DECRYPT_EEK, str3, httpServletRequest.getRemoteAddr());
                        json = KMSUtil.toJSON((KeyProvider.KeyVersion) userGroupInformation.doAs(() -> {
                            return this.provider.decryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(str3, str, decodeBase64, "EEK", decodeBase642));
                        }));
                        this.kmsAudit.ok(userGroupInformation, KMSOp.DECRYPT_EEK, str3, "");
                    } else {
                        if (!str2.equals("reencrypt")) {
                            StringBuilder sb = new StringBuilder("IllegalArgumentException Wrong ");
                            sb.append("eek_op").append(" value, it must be ").append("generate").append(" or ").append("decrypt");
                            LOG.error(sb.toString());
                            throw new IllegalArgumentException(sb.toString());
                        }
                        KMSWebApp.getReencryptEEKCallsMeter().mark();
                        captureElapsedTime.setMetrics(KMSMetrics.KMSMetric.EEK_REENCRYPT_COUNT, KMSMetrics.KMSMetric.EEK_REENCRYPT_ELAPSED_TIME);
                        assertAccess(KMSACLsType.Type.GENERATE_EEK, userGroupInformation, KMSOp.REENCRYPT_EEK, str3);
                        json = KMSUtil.toJSON((KeyProviderCryptoExtension.EncryptedKeyVersion) userGroupInformation.doAs(() -> {
                            return this.provider.reencryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(str3, str, decodeBase64, "EEK", decodeBase642));
                        }));
                        this.kmsAudit.ok(userGroupInformation, KMSOp.REENCRYPT_EEK, str3, "");
                    }
                    Response build = Response.ok().type("application/json").entity(json).build();
                    if (captureElapsedTime != null) {
                        captureElapsedTime.close();
                    }
                    LOG.debug("<== handleEncryptedKeyOp(versionName={}, eekOp={})", str, str2);
                    return build;
                } catch (Throwable th) {
                    if (captureElapsedTime != null) {
                        try {
                            captureElapsedTime.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in handleEncryptedKeyOp.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== handleEncryptedKeyOp(versionName={}, eekOp={})", str, str2);
            throw th3;
        }
    }

    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_versions")
    public Response getKeyVersions(@PathParam("name") String str, @Context HttpServletRequest httpServletRequest) throws Exception {
        LOG.debug("==> getKeyVersions({})", str);
        try {
            try {
                KMSMetricsCollector.APIMetric createAPIMetric = this.kmsMetricsCollector.createAPIMetric(KMSMetrics.KMSMetric.GET_KEY_VERSIONS_COUNT, KMSMetrics.KMSMetric.GET_KEY_VERSIONS_ELAPSED_TIME);
                try {
                    KMSWebApp.getKeyCallsMeter().mark();
                    UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                    KMSUtil.checkNotEmpty(str, "name");
                    assertAccess(KMSACLsType.Type.GET, userGroupInformation, KMSOp.GET_KEY_VERSIONS, str, httpServletRequest.getRemoteAddr());
                    List json = KMSServerJSONUtils.toJSON((List) userGroupInformation.doAs(() -> {
                        return this.provider.getKeyVersions(str);
                    }));
                    this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEY_VERSIONS, str, "");
                    Response build = Response.ok().type("application/json").entity(json).build();
                    if (createAPIMetric != null) {
                        createAPIMetric.close();
                    }
                    LOG.debug("<== getKeyVersions({})", str);
                    return build;
                } catch (Throwable th) {
                    if (createAPIMetric != null) {
                        try {
                            createAPIMetric.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                LOG.error("Exception in getKeyVersions.", e);
                throw e;
            }
        } catch (Throwable th3) {
            LOG.debug("<== getKeyVersions({})", str);
            throw th3;
        }
    }

    private void assertAccess(KMSACLsType.Type type, UserGroupInformation userGroupInformation, KMSOp kMSOp, String str) throws AccessControlException {
        KMSWebApp.getACLs().assertAccess(type, userGroupInformation, kMSOp, null, str);
    }

    private void assertAccess(KMSACLsType.Type type, UserGroupInformation userGroupInformation, KMSOp kMSOp, String str, String str2) throws AccessControlException {
        KMSWebApp.getACLs().assertAccess(type, userGroupInformation, kMSOp, str, str2);
    }

    private void validateKeyName(String str) {
        if (!Pattern.compile(KEY_NAME_VALIDATION).matcher(str).matches()) {
            throw new IllegalArgumentException("Key Name : " + str + ", should start with alpha/numeric letters and can have special characters - (hyphen) or _ (underscore)");
        }
    }

    private static KeyProvider.KeyVersion removeKeyMaterial(KeyProvider.KeyVersion keyVersion) {
        return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(), keyVersion.getVersionName(), (byte[]) null);
    }

    private static URI getKeyURI(String str, String str2) {
        return UriBuilder.fromPath("{a}/{b}/{c}").build(new Object[]{str, "key", str2});
    }
}
