package io.cdap.plugin.gcp.gcs.source;

import com.google.common.io.ByteStreams;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.StreamingAead;
import com.google.crypto.tink.config.TinkConfig;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import io.cdap.plugin.gcp.crypto.Decryptor;
import io.cdap.plugin.gcp.crypto.FSInputSeekableByteChannel;
import java.io.IOException;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Map;
import javax.annotation.Nullable;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataInputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.json.JSONObject;

/* loaded from: input_file:io/cdap/plugin/gcp/gcs/source/TinkDecryptor.class */
public class TinkDecryptor implements Decryptor, Configurable {
    private static final String METADATA_SUFFIX = "io.cdap.crypto.metadata.suffix";
    private static final String KMS = "kms";
    private static final String KEYSET = "keyset";
    private static final String AAD = "aad";
    private Configuration configuration;
    private String metadataSuffix;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/cdap/plugin/gcp/gcs/source/TinkDecryptor$DecryptInfo.class */
    public static final class DecryptInfo {
        private final KeysetHandle keysetHandle;
        private final byte[] aad;

        private DecryptInfo(KeysetHandle keysetHandle, byte[] bArr) {
            this.keysetHandle = keysetHandle;
            this.aad = bArr;
        }

        KeysetHandle getKeysetHandle() {
            return this.keysetHandle;
        }

        byte[] getAad() {
            return this.aad;
        }
    }

    public static Map<String, String> configure(String str, Map<String, String> map) {
        map.put(METADATA_SUFFIX, str);
        return map;
    }

    public TinkDecryptor() throws GeneralSecurityException {
        TinkConfig.register();
    }

    @Override // io.cdap.plugin.gcp.crypto.Decryptor
    public SeekableByteChannel open(FileSystem fileSystem, Path path, int i) throws IOException {
        DecryptInfo decryptInfo = getDecryptInfo(fileSystem, path);
        if (decryptInfo == null) {
            throw new IllegalArgumentException("Missing encryption metadata for file '" + path + "'. Expected metadata path is '" + new Path(path.getParent(), path.getName() + this.metadataSuffix) + "'");
        }
        try {
            return ((StreamingAead) decryptInfo.getKeysetHandle().getPrimitive(StreamingAead.class)).newSeekableDecryptingChannel(new FSInputSeekableByteChannel(fileSystem, path, i), decryptInfo.getAad());
        } catch (IOException e) {
            throw e;
        } catch (Exception e2) {
            throw new IOException(e2);
        }
    }

    @Override // org.apache.hadoop.conf.Configurable
    public void setConf(Configuration configuration) {
        this.configuration = configuration;
        this.metadataSuffix = configuration.get(METADATA_SUFFIX);
        if (this.metadataSuffix == null) {
            throw new IllegalArgumentException("Missing configuration 'io.cdap.crypto.metadata.suffix'");
        }
    }

    @Override // org.apache.hadoop.conf.Configurable
    public Configuration getConf() {
        return this.configuration;
    }

    @Nullable
    private DecryptInfo getDecryptInfo(FileSystem fileSystem, Path path) throws IOException {
        Path path2 = new Path(path.getParent(), path.getName() + this.metadataSuffix);
        if (!fileSystem.exists(path2)) {
            return null;
        }
        FSDataInputStream open = fileSystem.open(path2);
        Throwable th = null;
        try {
            try {
                JSONObject jSONObject = new JSONObject(new String(ByteStreams.toByteArray(open), StandardCharsets.UTF_8));
                if (open != null) {
                    if (0 != 0) {
                        try {
                            open.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        open.close();
                    }
                }
                try {
                    String string = jSONObject.getString("kms");
                    KmsClients.add(new GcpKmsClient(string).withDefaultCredentials());
                    return new DecryptInfo(KeysetHandle.read(JsonKeysetReader.withJsonObject(jSONObject.getJSONObject(KEYSET)), KmsClients.get(string).getAead(string)), Base64.getDecoder().decode(jSONObject.getString(AAD)));
                } catch (IOException e) {
                    throw e;
                } catch (Exception e2) {
                    throw new IOException(e2);
                }
            } finally {
            }
        } catch (Throwable th3) {
            if (open != null) {
                if (th != null) {
                    try {
                        open.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    open.close();
                }
            }
            throw th3;
        }
    }
}
