package com.netflix.spinnaker.kork.secrets.engines;

import com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException;
import com.amazonaws.services.secretsmanager.model.DescribeSecretRequest;
import com.amazonaws.services.secretsmanager.model.DescribeSecretResult;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.netflix.spinnaker.kork.secrets.EncryptedSecret;
import com.netflix.spinnaker.kork.secrets.InvalidSecretFormatException;
import com.netflix.spinnaker.kork.secrets.SecretEngine;
import com.netflix.spinnaker.kork.secrets.SecretException;
import com.netflix.spinnaker.kork.secrets.StandardSecretParameter;
import com.netflix.spinnaker.kork.secrets.user.UserSecret;
import com.netflix.spinnaker.kork.secrets.user.UserSecretMetadata;
import com.netflix.spinnaker.kork.secrets.user.UserSecretMetadataField;
import com.netflix.spinnaker.kork.secrets.user.UserSecretReference;
import com.netflix.spinnaker.kork.secrets.user.UserSecretSerde;
import com.netflix.spinnaker.kork.secrets.user.UserSecretSerdeFactory;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.NonNull;
import org.springframework.stereotype.Component;

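/**
 * {@link SecretEngine} that resolves secret references against AWS Secrets Manager.
 *
 * <p>A reference must carry the secret name ({@code s}) and region ({@code r}) parameters. It may
 * carry a key parameter, in which case the secret string is parsed as a JSON object of string
 * values and only the value stored under that key is returned.
 *
 * <p>Parsed JSON secrets are kept in an in-memory cache until {@link #clearCache()} is called, so
 * plaintext secret values stay on the heap for that long.
 *
 * <p>NOTE(review): the cache is a plain {@link HashMap} and this class is a {@code @Component};
 * if {@code decrypt} can be called from several threads at once, the map needs external
 * synchronization or a concurrent implementation. Confirm against the callers.
 */
@Component
public class SecretsManagerSecretEngine implements SecretEngine {
    protected static final String SECRET_NAME = "s";
    protected static final String SECRET_REGION = "r";
    protected static final String SECRET_KEY = StandardSecretParameter.KEY.getParameterName();
    private static final String IDENTIFIER = "secrets-manager";

    // Parsed JSON secrets, keyed by region and secret name (see getSecretString).
    private final Map<String, Map<String, String>> cache = new HashMap<>();
    private final ObjectMapper mapper;
    private final UserSecretSerdeFactory userSecretSerdeFactory;
    private final SecretsManagerClientProvider clientProvider;

    public SecretsManagerSecretEngine(ObjectMapper objectMapper, UserSecretSerdeFactory userSecretSerdeFactory, SecretsManagerClientProvider secretsManagerClientProvider) {
        this.mapper = objectMapper;
        this.userSecretSerdeFactory = userSecretSerdeFactory;
        this.clientProvider = secretsManagerClientProvider;
    }

    /** Returns the engine identifier, {@code "secrets-manager"}. */
    public String identifier() {
        return IDENTIFIER;
    }

    /**
     * Fetches the plaintext for an encrypted secret reference.
     *
     * <p>For an encrypted file the whole secret is returned: the binary payload when present,
     * otherwise the UTF-8 bytes of the secret string. Otherwise the secret string is returned, or
     * the value under the key parameter when one is given.
     *
     * <p>This method does not call {@link #validate(EncryptedSecret)} itself.
     *
     * @param encryptedSecret the parsed secret reference
     * @return the secret bytes
     * @throws SecretException if the AWS call fails, the JSON cannot be parsed, or the key is absent
     */
    public byte[] decrypt(EncryptedSecret encryptedSecret) {
        if (!encryptedSecret.isEncryptedFile()) {
            return getSecretString(encryptedSecret.getParams());
        }
        return secretBytes(getSecretValue(encryptedSecret.getParams()));
    }

    /**
     * Resolves a user secret: reads its metadata from the secret's {@code spinnaker:}-prefixed
     * tags, then deserializes the secret payload with the serde selected for that metadata.
     *
     * <p>The type tag is required. The encoding tag defaults to {@code "json"}, and the roles tag
     * is split on commas with the surrounding whitespace removed.
     *
     * @param userSecretReference the user secret reference; must not be null
     * @return the deserialized user secret
     * @throws InvalidSecretFormatException if a required parameter or the type tag is missing
     * @throws SecretException if an AWS Secrets Manager call fails
     */
    @NonNull
    public UserSecret decrypt(@NonNull UserSecretReference userSecretReference) {
        if (userSecretReference == null) {
            throw new NullPointerException("reference is marked non-null but is null");
        }
        validate(userSecretReference);
        Map<String, String> parameters = userSecretReference.getParameters();

        // Only tags in the "spinnaker:" namespace are treated as secret metadata.
        Map<String, String> tags = getSecretDescription(parameters).getTags().stream()
                .filter(tag -> tag.getKey().startsWith("spinnaker:"))
                .collect(Collectors.toMap(tag -> tag.getKey(), tag -> tag.getValue()));

        String type = tags.get(UserSecretMetadataField.TYPE.getTagKey());
        if (type == null) {
            throw new InvalidSecretFormatException("No " + UserSecretMetadataField.TYPE.getTagKey() + " tag found for " + userSecretReference);
        }
        String encoding = tags.getOrDefault(UserSecretMetadataField.ENCODING.getTagKey(), "json");
        // A missing roles tag yields an empty list rather than null.
        List<String> roles = Optional.ofNullable(tags.get(UserSecretMetadataField.ROLES.getTagKey()))
                .stream()
                .flatMap(csv -> Stream.of(csv.split("\\s*,\\s*")))
                .collect(Collectors.toList());

        UserSecretMetadata metadata = UserSecretMetadata.builder().type(type).encoding(encoding).roles(roles).build();
        UserSecretSerde serde = this.userSecretSerdeFactory.serdeFor(metadata);
        return serde.deserialize(secretBytes(getSecretValue(parameters)), metadata);
    }

    /**
     * Checks that the reference names a secret and a region, and that an encrypted file does not
     * also specify a key.
     *
     * @throws InvalidSecretFormatException if a check fails
     */
    public void validate(EncryptedSecret encryptedSecret) {
        Set<String> keySet = encryptedSecret.getParams().keySet();
        if (!keySet.contains(SECRET_NAME)) {
            throw new InvalidSecretFormatException("Secret name parameter is missing (s=...)");
        }
        if (!keySet.contains(SECRET_REGION)) {
            throw new InvalidSecretFormatException("Secret region parameter is missing (r=...)");
        }
        if (encryptedSecret.isEncryptedFile() && keySet.contains(SECRET_KEY)) {
            throw new InvalidSecretFormatException("Encrypted file should not specify key");
        }
    }

    /**
     * Checks that the user secret reference names a secret and a region.
     *
     * @throws InvalidSecretFormatException if either parameter is missing
     */
    public void validate(@NonNull UserSecretReference userSecretReference) {
        if (userSecretReference == null) {
            throw new NullPointerException("reference is marked non-null but is null");
        }
        Set<String> keySet = userSecretReference.getParameters().keySet();
        if (!keySet.contains(SECRET_NAME)) {
            throw new InvalidSecretFormatException("Secret name parameter is missing (s=...)");
        }
        if (!keySet.contains(SECRET_REGION)) {
            throw new InvalidSecretFormatException("Secret region parameter is missing (r=...)");
        }
    }

    /** Drops every cached, parsed secret. */
    public void clearCache() {
        this.cache.clear();
    }

    /**
     * Calls DescribeSecret for the secret named in the parameters.
     *
     * @throws SecretException wrapping any {@link AWSSecretsManagerException}
     */
    protected DescribeSecretResult getSecretDescription(Map<String, String> map) {
        String region = map.get(SECRET_REGION);
        String name = map.get(SECRET_NAME);
        try {
            return this.clientProvider.getClientForSecretParameters(map).describeSecret(new DescribeSecretRequest().withSecretId(name));
        } catch (AWSSecretsManagerException e) {
            throw new SecretException(String.format("An error occurred when using AWS Secrets Manager to describe secret: [secretName: %s, secretRegion: %s]", name, region), e);
        }
    }

    /**
     * Calls GetSecretValue for the secret named in the parameters.
     *
     * @throws SecretException wrapping any {@link AWSSecretsManagerException}
     */
    protected GetSecretValueResult getSecretValue(Map<String, String> map) {
        String region = map.get(SECRET_REGION);
        String name = map.get(SECRET_NAME);
        try {
            return this.clientProvider.getClientForSecretParameters(map).getSecretValue(new GetSecretValueRequest().withSecretId(name));
        } catch (AWSSecretsManagerException e) {
            throw new SecretException(String.format("An error occurred when using AWS Secrets Manager to fetch: [secretName: %s, secretRegion: %s]", name, region), e);
        }
    }

    /**
     * Returns the secret string, or the value under the key parameter when one is given.
     *
     * <p>Keyed lookups parse the secret string as a JSON object of strings and cache the result.
     */
    private byte[] getSecretString(Map<String, String> map) {
        String key = map.get(SECRET_KEY);
        if (key == null) {
            return getSecretValue(map).getSecretString().getBytes(StandardCharsets.UTF_8);
        }

        // The cache entry is keyed by region AND name. Keying by name alone would let a secret
        // fetched from one region satisfy a later reference to a same-named secret in another.
        // NOTE(review): if the client provider selects the client from further parameters, those
        // belong in this key as well. Confirm against SecretsManagerClientProvider.
        String cacheKey = map.get(SECRET_REGION) + "\n" + map.get(SECRET_NAME);
        Map<String, String> entries = this.cache.computeIfAbsent(cacheKey, ignored -> {
            try {
                return this.mapper.readerForMapOf(String.class).readValue(getSecretValue(map).getSecretString());
            } catch (JsonProcessingException | IllegalArgumentException e) {
                // NOTE(review): depending on mapper configuration, a Jackson parse error may carry
                // an excerpt of its input, which here is the secret payload. Confirm this cause is
                // never logged verbatim.
                throw new SecretException(String.format("Failed to parse secret when using AWS Secrets Manager to fetch: %s", map), e);
            }
        });

        // computeIfAbsent returns null when the loader produced null; report that as a missing key.
        String value = entries == null ? null : entries.get(key);
        if (value == null) {
            throw new SecretException(String.format("Specified key not found in AWS Secrets Manager: %s", map));
        }
        return value.getBytes(StandardCharsets.UTF_8);
    }

    /** Returns the binary payload when present, otherwise the UTF-8 bytes of the secret string. */
    private static byte[] secretBytes(GetSecretValueResult secretValue) {
        ByteBuffer secretBinary = secretValue.getSecretBinary();
        return secretBinary != null ? toByteArray(secretBinary) : secretValue.getSecretString().getBytes(StandardCharsets.UTF_8);
    }

    /** Copies the buffer's remaining bytes into a new array, advancing the buffer's position. */
    private static byte[] toByteArray(ByteBuffer byteBuffer) {
        byte[] bytes = new byte[byteBuffer.remaining()];
        byteBuffer.get(bytes);
        return bytes;
    }
}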
