package org.apache.parquet.crypto.keytools.samples;

import java.io.IOException;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import okhttp3.ConnectionSpec;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import org.apache.hadoop.conf.Configuration;
import org.apache.parquet.crypto.KeyAccessDeniedException;
import org.apache.parquet.crypto.ParquetCryptoRuntimeException;
import org.apache.parquet.crypto.keytools.KmsClient;
import org.codehaus.jackson.map.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/parquet/crypto/keytools/samples/VaultClient.class */
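/**
 * Sample {@link KmsClient} that wraps and unwraps keys by POSTing JSON to the
 * {@code encrypt/} and {@code decrypt/} endpoints of a Vault transit engine.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The access token is sent in the {@code X-Vault-Token} header of every request and is
 *       re-read from the Hadoop configuration before each wrap/unwrap call.</li>
 *   <li>The master key identifier becomes the last path segment of the request URL, so it is
 *       validated before use (see {@link #checkKeyIdentifier(String)}).</li>
 *   <li>Response bodies of successful calls are never copied into exception messages, because
 *       the {@code decrypt/} response carries plaintext key material.</li>
 * </ul>
 */
public class VaultClient implements KmsClient {
    private static final Logger LOG = LoggerFactory.getLogger(VaultClient.class);
    private static final MediaType JSON_MEDIA_TYPE = MediaType.get("application/json; charset=utf-8");
    private static final ObjectMapper objectMapper = new ObjectMapper();

    private static final String DEFAULT_TRANSIT_ENGINE = "/v1/transit/";
    private static final String transitWrapEndpoint = "encrypt/";
    private static final String transitUnwrapEndpoint = "decrypt/";
    private static final String tokenHeader = "X-Vault-Token";
    /** Placeholder value that callers pass when a setting was not supplied. */
    private static final String DEFAULT_VALUE = "DEFAULT";
    /** Hadoop property the token is re-read from before every request. */
    private static final String KEY_ACCESS_TOKEN_PROPERTY = "parquet.encryption.key.access.token";
    /** URL delimiters and the escape character; none may appear in a key identifier. */
    private static final String KEY_ID_FORBIDDEN_CHARS = "/\\?#%";

    private String kmsToken;
    private Configuration hadoopConfiguration;
    private String endPointPrefix;

    // Only TLS connection specs are listed (no ConnectionSpec.CLEARTEXT), so the token should never
    // travel over plain http.
    // NOTE(review): COMPATIBLE_TLS admits older protocol versions and cipher suites than MODERN_TLS;
    // drop it if every Vault endpoint in use supports modern TLS.
    // NOTE(review): the builder leaves redirect handling at its default - confirm whether redirects
    // should be followed at all while the X-Vault-Token header is attached.
    private final OkHttpClient httpClient = new OkHttpClient.Builder()
            .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS))
            .build();

    /**
     * Stores the configuration and token and derives the transit-engine URL prefix.
     *
     * @param configuration Hadoop configuration the token is later refreshed from
     * @param kmsInstanceID transit engine mount path below {@code /v1/}; {@code null} or
     *     {@code "DEFAULT"} selects {@code /v1/transit/}
     * @param kmsInstanceURL base URL of the Vault server
     * @param accessToken Vault token; must be non-empty and not {@code "DEFAULT"}
     * @throws ParquetCryptoRuntimeException if the token or the URL is missing
     */
    @Override
    public void initialize(Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken)
            throws KeyAccessDeniedException {
        this.hadoopConfiguration = configuration;
        checkToken(accessToken);
        this.kmsToken = accessToken;
        // Constant-first equals: a null URL is reported as "not provided" instead of an NPE.
        if (kmsInstanceURL == null || DEFAULT_VALUE.equals(kmsInstanceURL)) {
            throw new ParquetCryptoRuntimeException("Vault URL not provided");
        }

        // The engine path already starts with '/', so trailing slashes are stripped from the base
        // URL; the previous concatenation always produced "//v1/..." in the request path.
        String baseUrl = kmsInstanceURL;
        while (baseUrl.endsWith("/")) {
            baseUrl = baseUrl.substring(0, baseUrl.length() - 1);
        }

        String transitEngine = DEFAULT_TRANSIT_ENGINE;
        if (kmsInstanceID != null && !DEFAULT_VALUE.equals(kmsInstanceID)) {
            transitEngine = "/v1/" + kmsInstanceID;
            if (!transitEngine.endsWith("/")) {
                transitEngine = transitEngine + "/";
            }
        }
        this.endPointPrefix = baseUrl + transitEngine;
    }

    /**
     * Encrypts (wraps) key bytes with the named master key.
     *
     * @param keyBytes raw key to wrap; sent Base64-encoded as {@code plaintext}
     * @param masterKeyIdentifier name of the transit key, appended to the endpoint URL
     * @return the {@code ciphertext} value of the Vault response
     */
    @Override
    public String wrapKey(byte[] keyBytes, String masterKeyIdentifier) throws KeyAccessDeniedException {
        refreshToken();
        Map<String, String> payload = new HashMap<>(1);
        payload.put("plaintext", Base64.getEncoder().encodeToString(keyBytes));
        String response = getContentFromTransitEngine(
                this.endPointPrefix + transitWrapEndpoint, buildPayload(payload), masterKeyIdentifier);
        return parseReturn(response, "ciphertext");
    }

    /**
     * Decrypts (unwraps) a wrapped key with the named master key.
     *
     * @param wrappedKey value previously returned by {@link #wrapKey(byte[], String)}
     * @param masterKeyIdentifier name of the transit key, appended to the endpoint URL
     * @return the Base64-decoded {@code plaintext} value of the Vault response
     */
    @Override
    public byte[] unwrapKey(String wrappedKey, String masterKeyIdentifier) throws KeyAccessDeniedException {
        refreshToken();
        Map<String, String> payload = new HashMap<>(1);
        payload.put("ciphertext", wrappedKey);
        String response = getContentFromTransitEngine(
                this.endPointPrefix + transitUnwrapEndpoint, buildPayload(payload), masterKeyIdentifier);
        return Base64.getDecoder().decode(parseReturn(response, "plaintext"));
    }

    /** Serialises the request fields to a JSON object string. */
    private String buildPayload(Map<String, String> paramMap) {
        try {
            return objectMapper.writeValueAsString(paramMap);
        } catch (IOException e) {
            throw new ParquetCryptoRuntimeException("Failed to build payload", e);
        }
    }

    /**
     * Rejects a missing token. Only {@code null}, the empty string or the {@code "DEFAULT"}
     * placeholder reach the message, so no real token value is disclosed by it.
     */
    private void checkToken(String token) {
        if (null == token || token.isEmpty() || DEFAULT_VALUE.equals(token)) {
            throw new ParquetCryptoRuntimeException("Wrong Vault token : " + token);
        }
    }

    /** Re-reads the token from the Hadoop configuration so a rotated token is picked up. */
    private void refreshToken() {
        this.kmsToken = this.hadoopConfiguration.getTrimmed(KEY_ACCESS_TOKEN_PROPERTY);
        checkToken(this.kmsToken);
    }

    /**
     * Rejects key identifiers that would alter the request URL instead of naming a key.
     *
     * <p>The identifier is concatenated onto the endpoint URL unescaped, and the request carries
     * the Vault token, so it must stay a single literal path segment. Control characters are
     * refused as well because the identifier is written to the log.
     * NOTE(review): presumably identifiers can originate from file key metadata - verify against
     * the callers, and tighten this to an allowlist if the deployment's key naming permits.
     */
    private static void checkKeyIdentifier(String masterKeyIdentifier) {
        boolean invalid = masterKeyIdentifier == null
                || masterKeyIdentifier.isEmpty()
                || ".".equals(masterKeyIdentifier)
                || "..".equals(masterKeyIdentifier);
        for (int i = 0; !invalid && i < masterKeyIdentifier.length(); i++) {
            char c = masterKeyIdentifier.charAt(i);
            invalid = Character.isISOControl(c) || KEY_ID_FORBIDDEN_CHARS.indexOf(c) >= 0;
        }
        if (invalid) {
            // The raw value is deliberately left out of the message.
            throw new ParquetCryptoRuntimeException("Invalid master key identifier");
        }
    }

    /** Builds the authenticated POST request for one key and returns the response body. */
    private String getContentFromTransitEngine(String endPoint, String jPayload, String masterKeyIdentifier) {
        // Validate before logging and before the value reaches the URL.
        checkKeyIdentifier(masterKeyIdentifier);
        LOG.info("masterKeyIdentifier: {}", masterKeyIdentifier);
        Request request = new Request.Builder()
                .url(endPoint + masterKeyIdentifier)
                .header(tokenHeader, this.kmsToken)
                .post(RequestBody.create(JSON_MEDIA_TYPE, jPayload))
                .build();
        return executeAndGetResponse(endPoint, request);
    }

    /**
     * Executes the request and returns the body of a successful response.
     *
     * @throws KeyAccessDeniedException on HTTP 401 or 403
     * @throws ParquetCryptoRuntimeException on any other failure
     */
    private String executeAndGetResponse(String endPoint, Request request) {
        // try-with-resources closes the response on every path; the previous finally block read a
        // variable that was never assigned.
        try (Response response = this.httpClient.newCall(request).execute()) {
            String responseBody = response.body().string();
            if (response.isSuccessful()) {
                return responseBody;
            }
            if (401 == response.code() || 403 == response.code()) {
                throw new KeyAccessDeniedException(responseBody);
            }
            throw new IOException("Vault call [" + endPoint + "] didn't succeed: " + responseBody);
        } catch (IOException e) {
            // The request URL already contains the endpoint; appending it again garbled the message.
            throw new ParquetCryptoRuntimeException("Vault call [" + request.url() + "] didn't succeed", e);
        }
    }

    /**
     * Extracts the text value of {@code searchKey} from a Vault JSON response.
     *
     * @throws ParquetCryptoRuntimeException if the response is not JSON or has no such text field
     */
    private static String parseReturn(String response, String searchKey) {
        try {
            // findPath yields a "missing" node rather than null, so an absent field ends in the
            // explicit error below instead of a NullPointerException.
            String matched = objectMapper.readTree(response).findPath(searchKey).getTextValue();
            if (null == matched) {
                // The response body is not appended: a decrypt response holds key material.
                throw new ParquetCryptoRuntimeException("Failed to match vault response. " + searchKey + " not found.");
            }
            return matched;
        } catch (IOException e) {
            throw new ParquetCryptoRuntimeException("Failed to parse vault response. " + searchKey + " not found.", e);
        }
    }
}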
