package org.apache.seatunnel.shade.connector.file.org.apache.parquet.crypto.keytools;

import java.io.IOException;
import java.util.Base64;
import java.util.concurrent.ConcurrentMap;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.seatunnel.shade.connector.file.org.apache.parquet.crypto.DecryptionKeyRetriever;
import org.apache.seatunnel.shade.connector.file.org.apache.parquet.crypto.ParquetCryptoRuntimeException;
import org.apache.seatunnel.shade.connector.file.org.apache.parquet.crypto.keytools.KeyToolkit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/seatunnel/shade/connector/file/org/apache/parquet/crypto/keytools/FileKeyUnwrapper.class */
public class FileKeyUnwrapper implements DecryptionKeyRetriever {
    private static final Logger LOG = LoggerFactory.getLogger(FileKeyUnwrapper.class);
    private final ConcurrentMap<String, byte[]> kekPerKekID;
    private KeyToolkit.KmsClientAndDetails kmsClientAndDetails;
    private FileKeyMaterialStore keyMaterialStore;
    private boolean checkedKeyMaterialInternalStorage;
    private final Configuration hadoopConfiguration;
    private final Path parquetFilePath;
    private final String accessToken;
    private final long cacheEntryLifetime;

    /* JADX INFO: Access modifiers changed from: package-private */
    public FileKeyUnwrapper(Configuration configuration, Path path) {
        this.kmsClientAndDetails = null;
        this.keyMaterialStore = null;
        this.checkedKeyMaterialInternalStorage = false;
        this.hadoopConfiguration = configuration;
        this.parquetFilePath = path;
        this.cacheEntryLifetime = 1000 * configuration.getLong(KeyToolkit.CACHE_LIFETIME_PROPERTY_NAME, 600L);
        this.accessToken = configuration.getTrimmed(KeyToolkit.KEY_ACCESS_TOKEN_PROPERTY_NAME, "DEFAULT");
        KeyToolkit.KMS_CLIENT_CACHE_PER_TOKEN.checkCacheForExpiredTokens(this.cacheEntryLifetime);
        KeyToolkit.KEK_READ_CACHE_PER_TOKEN.checkCacheForExpiredTokens(this.cacheEntryLifetime);
        this.kekPerKekID = KeyToolkit.KEK_READ_CACHE_PER_TOKEN.getOrCreateInternalCache(this.accessToken, this.cacheEntryLifetime);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Creating file key unwrapper. KeyMaterialStore: {}; token snippet: {}", this.keyMaterialStore, KeyToolkit.formatTokenForLog(this.accessToken));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FileKeyUnwrapper(Configuration configuration, Path path, FileKeyMaterialStore fileKeyMaterialStore) {
        this(configuration, path);
        this.keyMaterialStore = fileKeyMaterialStore;
        this.checkedKeyMaterialInternalStorage = true;
    }

    @Override // org.apache.seatunnel.shade.connector.file.org.apache.parquet.crypto.DecryptionKeyRetriever
    public byte[] getKey(byte[] bArr) {
        KeyMaterial parse;
        KeyMetadata parse2 = KeyMetadata.parse(bArr);
        if (!this.checkedKeyMaterialInternalStorage) {
            if (!parse2.keyMaterialStoredInternally()) {
                try {
                    this.keyMaterialStore = new HadoopFSKeyMaterialStore(this.parquetFilePath.getFileSystem(this.hadoopConfiguration));
                    this.keyMaterialStore.initialize(this.parquetFilePath, this.hadoopConfiguration, false);
                } catch (IOException e) {
                    throw new ParquetCryptoRuntimeException("Failed to open key material store", e);
                }
            }
            this.checkedKeyMaterialInternalStorage = true;
        }
        if (parse2.keyMaterialStoredInternally()) {
            parse = parse2.getKeyMaterial();
        } else {
            String keyReference = parse2.getKeyReference();
            String keyMaterial = this.keyMaterialStore.getKeyMaterial(keyReference);
            if (null == keyMaterial) {
                throw new ParquetCryptoRuntimeException("Null key material for keyIDinFile: " + keyReference);
            }
            parse = KeyMaterial.parse(keyMaterial);
        }
        return getDEKandMasterID(parse).getDataKey();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public KeyToolkit.KeyWithMasterID getDEKandMasterID(KeyMaterial keyMaterial) {
        byte[] decryptKeyLocally;
        if (null == this.kmsClientAndDetails) {
            this.kmsClientAndDetails = getKmsClientFromConfigOrKeyMaterial(keyMaterial);
        }
        boolean isDoubleWrapped = keyMaterial.isDoubleWrapped();
        String masterKeyID = keyMaterial.getMasterKeyID();
        String wrappedDEK = keyMaterial.getWrappedDEK();
        KmsClient kmsClient = this.kmsClientAndDetails.getKmsClient();
        if (isDoubleWrapped) {
            String kekID = keyMaterial.getKekID();
            String wrappedKEK = keyMaterial.getWrappedKEK();
            byte[] computeIfAbsent = this.kekPerKekID.computeIfAbsent(kekID, str -> {
                return kmsClient.unwrapKey(wrappedKEK, masterKeyID);
            });
            if (null == computeIfAbsent) {
                throw new ParquetCryptoRuntimeException("Null KEK, after unwrapping in KMS with master key " + masterKeyID);
            }
            decryptKeyLocally = KeyToolkit.decryptKeyLocally(wrappedDEK, computeIfAbsent, Base64.getDecoder().decode(kekID));
        } else {
            decryptKeyLocally = kmsClient.unwrapKey(wrappedDEK, masterKeyID);
        }
        return new KeyToolkit.KeyWithMasterID(decryptKeyLocally, masterKeyID);
    }

    KeyToolkit.KmsClientAndDetails getKmsClientFromConfigOrKeyMaterial(KeyMaterial keyMaterial) {
        String trimmed = this.hadoopConfiguration.getTrimmed(KeyToolkit.KMS_INSTANCE_ID_PROPERTY_NAME);
        if (KeyToolkit.stringIsEmpty(trimmed)) {
            trimmed = keyMaterial.getKmsInstanceID();
            if (null == trimmed) {
                throw new ParquetCryptoRuntimeException("KMS instance ID is missing both in properties and file key material");
            }
        }
        String trimmed2 = this.hadoopConfiguration.getTrimmed(KeyToolkit.KMS_INSTANCE_URL_PROPERTY_NAME);
        if (KeyToolkit.stringIsEmpty(trimmed2)) {
            trimmed2 = keyMaterial.getKmsInstanceURL();
            if (null == trimmed2) {
                throw new ParquetCryptoRuntimeException("KMS instance URL is missing both in properties and file key material");
            }
        }
        KmsClient kmsClient = KeyToolkit.getKmsClient(trimmed, trimmed2, this.hadoopConfiguration, this.accessToken, this.cacheEntryLifetime);
        if (null == kmsClient) {
            throw new ParquetCryptoRuntimeException("KMSClient was not successfully created for reading encrypted data.");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("File unwrapper - KmsClient: {}; InstanceId: {}; InstanceURL: {}", new Object[]{kmsClient, trimmed, trimmed2});
        }
        return new KeyToolkit.KmsClientAndDetails(kmsClient, trimmed, trimmed2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public KeyToolkit.KmsClientAndDetails getKmsClientAndDetails() {
        return this.kmsClientAndDetails;
    }
}
