package me.lamouri;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.dynamodbv2.model.ComparisonOperator;
import com.amazonaws.services.dynamodbv2.model.Condition;
import com.amazonaws.services.dynamodbv2.model.GetItemRequest;
import com.amazonaws.services.dynamodbv2.model.GetItemResult;
import com.amazonaws.services.dynamodbv2.model.PutItemRequest;
import com.amazonaws.services.dynamodbv2.model.QueryRequest;
import com.amazonaws.services.dynamodbv2.model.QueryResult;
import com.amazonaws.services.dynamodbv2.model.ScanRequest;
import com.amazonaws.services.dynamodbv2.model.ScanResult;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.NoSuchElementException;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:me/lamouri/JCredStash.class */
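/**
 * Client for a credstash-style secret store: secrets live in a DynamoDB table and are
 * protected with a per-secret data key issued by AWS KMS.
 *
 * <p>As visible in this class, each write asks KMS for a 64-byte data key. The first
 * 32 bytes are handed to {@link CredStashCrypto#encrypt} as the encryption key and the
 * remaining bytes to {@link CredStashCrypto#digest} as the HMAC key. Only the
 * KMS-wrapped key, the ciphertext and the HMAC are stored. On read the HMAC over the
 * ciphertext is verified <em>before</em> the ciphertext is decrypted.
 *
 * <p>Security-relevant properties a reviewer should keep in mind:
 * <ul>
 *   <li>The KMS encryption context passed on write must be passed unchanged on read;
 *       KMS rejects the unwrap otherwise.</li>
 *   <li>HMAC comparison is constant-time ({@link java.security.MessageDigest#isEqual}).</li>
 *   <li>Secret text is encoded and decoded as UTF-8 rather than the platform charset.</li>
 *   <li>Local copies of plaintext key material are zeroed after use. The buffer returned
 *       by the KMS SDK and the returned secret {@code String} cannot be wiped here.</li>
 *   <li>Exception messages contain the secret <em>name</em>, never its value.</li>
 * </ul>
 *
 * <p>No thread-safety guarantee is made beyond whatever the injected AWS clients and
 * {@link CredStashCrypto} implementation provide.
 */
public class JCredStash {
    /** Length in bytes of the encryption-key half of the KMS data key. */
    private static final int ENCRYPTION_KEY_BYTES = 32;

    /** Total data key length requested from KMS (encryption key + HMAC key). */
    private static final int DATA_KEY_BYTES = 64;

    protected AmazonDynamoDB amazonDynamoDBClient;
    protected AWSKMS awskmsClient;
    protected CredStashCrypto cryptoImpl;

    /**
     * Lazily paginated iterator over the {@code name}/{@code version} pairs of a table,
     * optionally restricted to names starting with a prefix.
     *
     * <p>Only {@code name} and {@code version} are projected, so the yielded
     * {@link StoredSecret} objects carry no key, contents or HMAC attributes.
     */
    public class ListItemIterator implements Iterator<StoredSecret> {
        protected final ScanRequest scanRequest;
        protected ScanResult scanResult = null;
        protected Iterator<Map<String, AttributeValue>> scanIterator = null;

        /**
         * @param tableName    DynamoDB table to scan
         * @param secretPrefix if non-null, only names beginning with this prefix are returned;
         *                     it is bound as an expression attribute value, not concatenated
         *                     into the filter expression
         */
        public ListItemIterator(String tableName, String secretPrefix) {
            // "name" is a DynamoDB reserved word, hence the #N placeholder.
            this.scanRequest = new ScanRequest(tableName).withProjectionExpression("#N, version");
            this.scanRequest.addExpressionAttributeNamesEntry("#N", "name");
            if (secretPrefix != null) {
                this.scanRequest.addExpressionAttributeValuesEntry(":secretPrefix", new AttributeValue(secretPrefix));
                this.scanRequest.setFilterExpression("begins_with(#N, :secretPrefix)");
            }
            nextPage();
        }

        /**
         * Fetches the next scan page, resuming from the previous page's last evaluated key.
         *
         * <p>A page may legitimately contain zero items while more pages remain: DynamoDB
         * applies the filter expression after reading the page. The result is therefore
         * kept even when empty so that {@link #hasNext()} can continue paging instead of
         * silently truncating the listing.
         */
        protected void nextPage() {
            Map<String, AttributeValue> startKey =
                    this.scanResult == null ? null : this.scanResult.getLastEvaluatedKey();
            this.scanResult = JCredStash.this.amazonDynamoDBClient.scan(
                    this.scanRequest.withExclusiveStartKey(startKey));
            this.scanIterator =
                    this.scanResult.getItems() == null ? null : this.scanResult.getItems().iterator();
        }

        /**
         * @return {@code true} if another item is available, fetching further pages as needed
         */
        @Override
        public boolean hasNext() {
            // Loop (not recurse) across pages; skip pages that the filter left empty.
            while (this.scanIterator == null || !this.scanIterator.hasNext()) {
                if (this.scanResult == null) {
                    return false;
                }
                Map<String, AttributeValue> lastKey = this.scanResult.getLastEvaluatedKey();
                if (lastKey == null || lastKey.isEmpty()) {
                    return false;
                }
                nextPage();
            }
            return true;
        }

        /**
         * @return the next listed item wrapped as a {@link StoredSecret}
         * @throws NoSuchElementException if the scan is exhausted
         */
        @Override
        public StoredSecret next() {
            if (hasNext()) {
                return new StoredSecret(this.scanIterator.next());
            }
            throw new NoSuchElementException();
        }
    }

    /**
     * Typed view over one DynamoDB item. Accessors throw {@link NullPointerException}
     * when the underlying item lacks the requested attribute (for example items produced
     * by {@link ListItemIterator}, which only carry {@code name} and {@code version}).
     */
    public static class StoredSecret {
        protected Map<String, AttributeValue> item;

        /** Decodes a Base64 string attribute; throws {@link IllegalArgumentException} on malformed input. */
        protected static byte[] base64AttributeValueToBytes(AttributeValue attributeValue) {
            return Base64.getDecoder().decode(attributeValue.getS());
        }

        /** Decodes a hex string attribute; malformed input surfaces as a {@link RuntimeException}. */
        protected static byte[] hexAttributeValueToBytes(AttributeValue attributeValue) {
            try {
                return Hex.decodeHex(attributeValue.getS().toCharArray());
            } catch (DecoderException e) {
                throw new RuntimeException(e);
            }
        }

        /** @param item raw DynamoDB attribute map; stored by reference, not copied */
        public StoredSecret(Map<String, AttributeValue> item) {
            this.item = item;
        }

        /** @return the KMS-wrapped data key (ciphertext blob), Base64-decoded */
        public byte[] getKey() {
            return base64AttributeValueToBytes(this.item.get("key"));
        }

        /** @return the encrypted secret, Base64-decoded */
        public byte[] getContents() {
            return base64AttributeValueToBytes(this.item.get("contents"));
        }

        /** @return the stored HMAC over the encrypted contents, hex-decoded */
        public byte[] getHmac() {
            return hexAttributeValueToBytes(this.item.get("hmac"));
        }

        /** @return the version string of this item */
        public String getVersion() {
            return this.item.get("version").getS();
        }

        /** @return the secret name of this item */
        public String getName() {
            return this.item.get("name").getS();
        }
    }

    /** Creates a client using the SDK's default credential and region resolution. */
    public JCredStash() {
        this.amazonDynamoDBClient = AmazonDynamoDBClientBuilder.defaultClient();
        this.awskmsClient = AWSKMSClientBuilder.defaultClient();
        this.cryptoImpl = new CredStashBouncyCastleCrypto();
    }

    /** Creates a client pinned to {@code regions} with default credentials. */
    public JCredStash(Regions regions) {
        this.amazonDynamoDBClient = AmazonDynamoDBClientBuilder.standard().withRegion(regions).build();
        this.awskmsClient = AWSKMSClientBuilder.standard().withRegion(regions).build();
        this.cryptoImpl = new CredStashBouncyCastleCrypto();
    }

    /** Creates a client using {@code aWSCredentialsProvider} and the default region. */
    public JCredStash(AWSCredentialsProvider aWSCredentialsProvider) {
        this.amazonDynamoDBClient =
                AmazonDynamoDBClientBuilder.standard().withCredentials(aWSCredentialsProvider).build();
        this.awskmsClient = AWSKMSClientBuilder.standard().withCredentials(aWSCredentialsProvider).build();
        this.cryptoImpl = new CredStashBouncyCastleCrypto();
    }

    /** Creates a client using explicit credentials and region. */
    public JCredStash(AWSCredentialsProvider aWSCredentialsProvider, Regions regions) {
        this.amazonDynamoDBClient = AmazonDynamoDBClientBuilder.standard()
                .withCredentials(aWSCredentialsProvider)
                .withRegion(regions)
                .build();
        this.awskmsClient = AWSKMSClientBuilder.standard()
                .withCredentials(aWSCredentialsProvider)
                .withRegion(regions)
                .build();
        this.cryptoImpl = new CredStashBouncyCastleCrypto();
    }

    /** Creates a client around pre-built AWS clients (useful for tests and custom endpoints). */
    public JCredStash(AmazonDynamoDB amazonDynamoDB, AWSKMS awskms) {
        this.amazonDynamoDBClient = amazonDynamoDB;
        this.awskmsClient = awskms;
        this.cryptoImpl = new CredStashBouncyCastleCrypto();
    }

    /**
     * Builds a strongly consistent query returning at most one item for {@code secretName},
     * sorted descending on the range key so that the first hit is the highest version.
     */
    protected QueryRequest basicQueryRequest(String tableName, String secretName) {
        Condition nameEquals = new Condition()
                .withComparisonOperator(ComparisonOperator.EQ)
                .withAttributeValueList(new AttributeValue(secretName));
        return new QueryRequest(tableName)
                .withLimit(1)
                .withScanIndexForward(false)
                .withConsistentRead(true)
                .addKeyConditionsEntry("name", nameEquals);
    }

    /**
     * @return the highest stored version string for {@code secretName}, or {@code null}
     *         if the secret does not exist
     */
    public String getHighestVersion(String tableName, String secretName) {
        QueryResult result = this.amazonDynamoDBClient.query(
                basicQueryRequest(tableName, secretName).withProjectionExpression("version"));
        if (result.getCount().intValue() == 0) {
            return null;
        }
        return new StoredSecret(result.getItems().get(0)).getVersion();
    }

    /**
     * Reads one exact version of a secret with a consistent read.
     *
     * @return the stored item, or {@code null} if no such name/version exists
     */
    protected StoredSecret readVersionedDynamoItem(String tableName, String secretName, String version) {
        Map<String, AttributeValue> key = new HashMap<>();
        key.put("name", new AttributeValue(secretName));
        key.put("version", new AttributeValue(version));
        GetItemResult result = this.amazonDynamoDBClient.getItem(new GetItemRequest(tableName, key, true));
        // GetItem reports "not found" through a null item map on a non-null result; without
        // this check a missing version would surface later as a NullPointerException.
        if (result == null || result.getItem() == null) {
            return null;
        }
        return new StoredSecret(result.getItem());
    }

    /**
     * @return the highest-version item for {@code secretName}, or {@code null} if none exists
     */
    protected StoredSecret readHighestVersionDynamoItem(String tableName, String secretName) {
        QueryResult result = this.amazonDynamoDBClient.query(basicQueryRequest(tableName, secretName));
        if (result.getCount().intValue() == 0) {
            return null;
        }
        return new StoredSecret(result.getItems().get(0));
    }

    /** @return an iterator over name/version pairs, optionally filtered by {@code secretPrefix} */
    protected Iterator<StoredSecret> listDynamoItem(String tableName, String secretPrefix) {
        return new ListItemIterator(tableName, secretPrefix);
    }

    /**
     * Decrypts the latest version of every secret whose name starts with {@code secretPrefix}.
     *
     * <p>The same encryption {@code context} is used for every secret; a secret written
     * under a different context makes the whole call fail when KMS rejects the unwrap.
     *
     * @param tableName    DynamoDB table holding the secrets
     * @param secretPrefix name prefix filter, or {@code null} for all secrets
     * @param context      KMS encryption context used when the secrets were written
     * @return map of secret name to plaintext value
     */
    public Map<String, String> getAllSecrets(String tableName, String secretPrefix, Map<String, String> context) {
        Iterator<StoredSecret> listing = listDynamoItem(tableName, secretPrefix);
        Map<String, String> latestVersions = new HashMap<>();
        while (listing.hasNext()) {
            StoredSecret entry = listing.next();
            String name = entry.getName();
            String version = entry.getVersion();
            // Versions are zero-padded to a fixed width, so lexicographic order is numeric order.
            if (!latestVersions.containsKey(name) || latestVersions.get(name).compareTo(version) < 0) {
                latestVersions.put(name, version);
            }
        }
        Map<String, String> secrets = new HashMap<>();
        for (Map.Entry<String, String> latest : latestVersions.entrySet()) {
            secrets.put(latest.getKey(), getSecret(tableName, latest.getKey(), context, latest.getValue()));
        }
        return secrets;
    }

    /**
     * Unwraps a stored data key through KMS.
     *
     * @param wrappedKey KMS ciphertext blob of the data key
     * @param context    encryption context; must equal the one supplied on write
     * @return the plaintext data key as returned by the SDK
     */
    protected ByteBuffer decryptKeyWithKMS(byte[] wrappedKey, Map<String, String> context) {
        DecryptRequest request = new DecryptRequest()
                .withCiphertextBlob(ByteBuffer.wrap(wrappedKey))
                .withEncryptionContext(context);
        return this.awskmsClient.decrypt(request).getPlaintext();
    }

    /** Returns the latest version of {@code secretName}; see {@link #getSecret(String, String, Map, String)}. */
    public String getSecret(String tableName, String secretName, Map<String, String> context) {
        return getSecret(tableName, secretName, context, null);
    }

    /**
     * Reads and decrypts a secret.
     *
     * @param tableName  DynamoDB table holding the secret
     * @param secretName name of the secret
     * @param context    KMS encryption context used when the secret was written
     * @param version    exact version to read, or {@code null} for the highest version
     * @return the plaintext secret
     * @throws RuntimeException if the secret (or the requested version) does not exist, or
     *                          if the stored HMAC does not match the stored ciphertext
     */
    public String getSecret(String tableName, String secretName, Map<String, String> context, String version) {
        StoredSecret stored = version == null
                ? readHighestVersionDynamoItem(tableName, secretName)
                : readVersionedDynamoItem(tableName, secretName, version);
        if (stored == null) {
            throw new RuntimeException("Secret " + secretName + " could not be found");
        }
        return getSecret(stored, context);
    }

    /**
     * Verifies and decrypts an already-fetched item.
     *
     * @throws RuntimeException if the HMAC check fails; the ciphertext is never decrypted
     *                          in that case
     */
    protected String getSecret(StoredSecret storedSecret, Map<String, String> context) {
        ByteBuffer plaintextKey = decryptKeyWithKMS(storedSecret.getKey(), context);
        byte[] encryptionKey = new byte[ENCRYPTION_KEY_BYTES];
        plaintextKey.get(encryptionKey);
        byte[] hmacKey = new byte[plaintextKey.remaining()];
        plaintextKey.get(hmacKey);
        try {
            byte[] contents = storedSecret.getContents();
            byte[] expectedHmac = this.cryptoImpl.digest(hmacKey, contents);
            // Constant-time comparison: Arrays.equals returns at the first differing byte,
            // which leaks how much of a forged HMAC was correct through timing.
            if (!java.security.MessageDigest.isEqual(expectedHmac, storedSecret.getHmac())) {
                throw new RuntimeException("HMAC integrity check failed");
            }
            // Decode explicitly as UTF-8 so the result does not depend on the JVM default charset.
            return new String(this.cryptoImpl.decrypt(encryptionKey, contents),
                    java.nio.charset.StandardCharsets.UTF_8);
        } finally {
            // Best-effort hygiene: wipe our own copies of the key halves. The SDK-owned
            // ByteBuffer is left untouched because callers or test doubles may share it.
            Arrays.fill(encryptionKey, (byte) 0);
            Arrays.fill(hmacKey, (byte) 0);
        }
    }

    /**
     * Stores {@code secret} as the next version after the current highest one (or as
     * version 1 if the secret is new).
     *
     * <p>The version is computed from a prior read, so two concurrent writers can pick the
     * same number; the conditional put in the six-argument overload makes the loser fail
     * rather than overwrite.
     *
     * @throws NumberFormatException if the stored highest version is not a decimal integer
     * @throws ArithmeticException   if incrementing the version would overflow {@code int}
     */
    public void putSecret(String tableName, String secretName, String secret, String kmsKeyId,
            Map<String, String> context) {
        String nextVersion = getHighestVersion(tableName, secretName);
        if (nextVersion != null) {
            // addExact: fail loudly instead of wrapping to a negative version number.
            nextVersion = padVersion(Math.addExact(Integer.parseInt(nextVersion), 1));
        }
        putSecret(tableName, secretName, secret, kmsKeyId, context, nextVersion);
    }

    /**
     * Encrypts {@code secret} under a fresh KMS data key and stores it.
     *
     * @param tableName  DynamoDB table to write to
     * @param secretName name of the secret
     * @param secret     plaintext value; encoded as UTF-8 before encryption
     * @param kmsKeyId   KMS key used to generate and wrap the data key
     * @param context    KMS encryption context; required again on read
     * @param version    version string to store, or {@code null} for version 1
     */
    public void putSecret(String tableName, String secretName, String secret, String kmsKeyId,
            Map<String, String> context, String version) {
        String effectiveVersion = version == null ? padVersion(1) : version;

        GenerateDataKeyResult dataKey = this.awskmsClient.generateDataKey(new GenerateDataKeyRequest()
                .withKeyId(kmsKeyId)
                .withEncryptionContext(context)
                .withNumberOfBytes(DATA_KEY_BYTES));
        ByteBuffer plaintextKey = dataKey.getPlaintext();
        ByteBuffer wrappedKeyBuffer = dataKey.getCiphertextBlob();

        byte[] encryptionKey = new byte[ENCRYPTION_KEY_BYTES];
        plaintextKey.get(encryptionKey);
        byte[] hmacKey = new byte[plaintextKey.remaining()];
        plaintextKey.get(hmacKey);
        byte[] wrappedKey = new byte[wrappedKeyBuffer.remaining()];
        wrappedKeyBuffer.get(wrappedKey);

        byte[] ciphertext;
        byte[] hmac;
        try {
            // Encrypt-then-MAC: the HMAC covers the ciphertext, matching the check on read.
            ciphertext = this.cryptoImpl.encrypt(encryptionKey,
                    secret.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            hmac = this.cryptoImpl.digest(hmacKey, ciphertext);
        } finally {
            // Wipe our own copies of the plaintext key halves; only the wrapped key is persisted.
            Arrays.fill(encryptionKey, (byte) 0);
            Arrays.fill(hmacKey, (byte) 0);
        }

        Map<String, AttributeValue> item = new HashMap<>();
        item.put("name", new AttributeValue(secretName));
        item.put("version", new AttributeValue(effectiveVersion));
        item.put("key", new AttributeValue(Base64.getEncoder().encodeToString(wrappedKey)));
        item.put("contents", new AttributeValue(Base64.getEncoder().encodeToString(ciphertext)));
        item.put("hmac", new AttributeValue(Hex.encodeHexString(hmac)));

        Map<String, String> attributeNames = new HashMap<>();
        attributeNames.put("#N", "name");
        // Conditional put: refuse to replace an existing name/version item, so a stored
        // secret version is write-once and concurrent writers cannot clobber each other.
        this.amazonDynamoDBClient.putItem(new PutItemRequest(tableName, item)
                .withConditionExpression("attribute_not_exists(#N)")
                .withExpressionAttributeNames(attributeNames));
    }

    /**
     * Formats a version number as a fixed-width, zero-padded 19-digit string.
     * {@link java.util.Locale#ROOT} keeps the digits ASCII regardless of the JVM default
     * locale, which the lexicographic version ordering relies on.
     */
    private String padVersion(int version) {
        return String.format(java.util.Locale.ROOT, "%019d", version);
    }
}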
