package com.amazonaws.encryptionsdk.kms;

import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.DataKey;
import com.amazonaws.encryptionsdk.EncryptedDataKey;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.MasterKeyRequest;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.exception.NoSuchMasterKeyException;
import com.amazonaws.encryptionsdk.exception.UnsupportedProviderException;
import com.amazonaws.encryptionsdk.internal.AwsKmsCmkArnInfo;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.handlers.RequestHandler2;
import com.amazonaws.regions.DefaultAwsRegionProviderChain;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

/* loaded from: input_file:com/amazonaws/encryptionsdk/kms/AwsKmsMrkAwareMasterKeyProvider.class */
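/**
 * Master key provider for AWS KMS that is aware of multi-region keys (MRKs).
 *
 * <p>An instance is fixed to one of two modes when it is built:
 *
 * <ul>
 *   <li><b>Strict</b> ({@link Builder#buildStrict(List)}): the provider is configured with an
 *       explicit list of key identifiers. Those keys are offered for encryption, and a key named
 *       in a message is accepted for decryption only when it matches one of the configured
 *       identifiers. The master key is then created from the <em>configured</em> identifier, not
 *       from the string found in the message.
 *   <li><b>Discovery</b> ({@link Builder#buildDiscovery()}): no keys are configured, nothing is
 *       offered for encryption, and decryption is attempted with whatever key ARN the message
 *       names, limited only by the optional {@link DiscoveryFilter}.
 * </ul>
 *
 * <p>Security note: the provider information of an encrypted data key is read from the message
 * being decrypted and must be treated as untrusted input. In discovery mode with no filter, the
 * partition/account check in {@link #getMasterKey(String, String)} is skipped entirely, so any
 * well-formed key ARN in the message is used. Prefer strict mode, or discovery mode with a
 * {@link DiscoveryFilter}, when the set of acceptable keys is known.
 */
public final class AwsKmsMrkAwareMasterKeyProvider extends MasterKeyProvider<AwsKmsMrkAwareMasterKey> {
    private static final String PROVIDER_NAME = "aws-kms";
    private final List<String> keyIds_;
    private final List<String> grantTokens_;
    private final boolean isDiscovery_;
    private final DiscoveryFilter discoveryFilter_;
    private final String discoveryMrkRegion_;
    private final KmsMasterKeyProvider.RegionalClientSupplier regionalClientSupplier_;
    private final String defaultRegion_;

    /**
     * Mutable builder for {@link AwsKmsMrkAwareMasterKeyProvider}.
     *
     * <p>KMS clients come either from a caller-supplied factory
     * ({@link #withCustomClientFactory}) or from a template {@link AWSKMSClientBuilder}
     * ({@link #withCredentials}, {@link #withClientBuilder}); the two are mutually exclusive and
     * mixing them throws {@link IllegalStateException}.
     */
    public static class Builder implements Cloneable {
        // Region from the SDK default chain, or null when the chain cannot resolve one.
        private String defaultRegion_ = getSdkDefaultRegion();
        private Optional<KmsMasterKeyProvider.RegionalClientSupplier> regionalClientSupplier_ = Optional.empty();
        private AWSKMSClientBuilder templateBuilder_ = null;
        private DiscoveryFilter discoveryFilter_ = null;
        // Captured once from the SDK default; a later withDefaultRegion() call does not update it.
        private String discoveryMrkRegion_ = this.defaultRegion_;

        Builder() {
        }

        /**
         * Returns a copy of this builder whose template client builder is itself a copy, so
         * later changes to either builder do not affect the other.
         *
         * <p>Decompiler note: this method is {@code clone()} in the compiled class; the
         * decompiler renamed it because it was merged with its bridge method.
         */
        public Builder m23clone() {
            try {
                final Builder copy = (Builder) super.clone();
                if (this.templateBuilder_ != null) {
                    copy.templateBuilder_ = cloneClientBuilder(this.templateBuilder_);
                }
                return copy;
            } catch (CloneNotSupportedException e) {
                // Builder implements Cloneable, so Object.clone() cannot reject it.
                throw new Error("Impossible: CloneNotSupportedException", e);
            }
        }

        /**
         * Sets the region returned by {@code extractRegion} for key identifiers that do not
         * parse as ARNs.
         *
         * @param defaultRegion region name; may be null, in which case strict mode rejects
         *     non-ARN identifiers
         * @return this builder
         */
        public Builder withDefaultRegion(String defaultRegion) {
            this.defaultRegion_ = defaultRegion;
            return this;
        }

        /**
         * Sets the region in which multi-region keys are contacted in discovery mode.
         *
         * @param discoveryMrkRegion region name; when null, {@link #buildDiscovery()} falls back
         *     to the default region
         * @return this builder
         */
        public Builder withDiscoveryMrkRegion(String discoveryMrkRegion) {
            this.discoveryMrkRegion_ = discoveryMrkRegion;
            return this;
        }

        /**
         * Supplies the per-region KMS clients directly instead of deriving them from a template
         * builder.
         *
         * @param regionalClientSupplier factory mapping a region name to a client; must not be
         *     null
         * @return this builder
         * @throws IllegalStateException if credentials or a client builder were already set
         */
        public Builder withCustomClientFactory(KmsMasterKeyProvider.RegionalClientSupplier regionalClientSupplier) {
            if (this.templateBuilder_ != null) {
                throw clientSupplierComboException();
            }
            this.regionalClientSupplier_ = Optional.of(regionalClientSupplier);
            return this;
        }

        /** Builds the exception thrown when both client-configuration styles are combined. */
        private RuntimeException clientSupplierComboException() {
            return new IllegalStateException("withCustomClientFactory cannot be used in conjunction with withCredentials or withClientBuilder");
        }

        /**
         * Sets the credentials provider on the template client builder, creating a standard
         * template first if none exists yet.
         *
         * @param credentialsProvider credentials source for every generated KMS client
         * @return this builder
         * @throws IllegalStateException if a custom client factory was already set
         */
        public Builder withCredentials(AWSCredentialsProvider credentialsProvider) {
            if (this.regionalClientSupplier_.isPresent()) {
                throw clientSupplierComboException();
            }
            if (this.templateBuilder_ == null) {
                this.templateBuilder_ = AWSKMSClientBuilder.standard();
            }
            this.templateBuilder_.setCredentials(credentialsProvider);
            return this;
        }

        /**
         * Convenience overload that wraps fixed credentials in a static provider.
         *
         * @param credentials credentials used by every generated KMS client
         * @return this builder
         * @throws IllegalStateException if a custom client factory was already set
         */
        public Builder withCredentials(AWSCredentials credentials) {
            final AWSCredentialsProvider staticProvider = new AWSStaticCredentialsProvider(credentials);
            return withCredentials(staticProvider);
        }

        /**
         * Uses a copy of the given client builder as the template for per-region KMS clients.
         *
         * @param clientBuilder template to copy; must not carry an endpoint configuration
         * @return this builder
         * @throws IllegalStateException if a custom client factory was already set
         * @throws IllegalArgumentException if the template has an endpoint configured
         */
        public Builder withClientBuilder(AWSKMSClientBuilder clientBuilder) {
            if (this.regionalClientSupplier_.isPresent()) {
                throw clientSupplierComboException();
            }
            this.templateBuilder_ = cloneClientBuilder(clientBuilder);
            return this;
        }

        /**
         * Builds a provider in discovery mode using whatever discovery filter is currently set
         * on this builder (none by default).
         *
         * <p>Security note: with no filter, the provider does not restrict the partition or
         * account of the key ARNs it reads from a message.
         *
         * @return a discovery-mode provider
         * @throws IllegalArgumentException if neither a discovery MRK region nor a default
         *     region is available
         */
        public AwsKmsMrkAwareMasterKeyProvider buildDiscovery() {
            final String mrkRegion =
                    this.discoveryMrkRegion_ == null ? this.defaultRegion_ : this.discoveryMrkRegion_;
            return new AwsKmsMrkAwareMasterKeyProvider(
                    resolveClientSupplier(),
                    this.defaultRegion_,
                    Collections.emptyList(),
                    Collections.emptyList(),
                    true,
                    this.discoveryFilter_,
                    mrkRegion);
        }

        /**
         * Builds a provider in discovery mode restricted by the given filter. The filter is
         * stored on this builder, so it also applies to later {@link #buildDiscovery()} calls.
         *
         * @param discoveryFilter partition/account restriction applied to key ARNs from messages
         * @return a discovery-mode provider
         */
        public AwsKmsMrkAwareMasterKeyProvider buildDiscovery(DiscoveryFilter discoveryFilter) {
            this.discoveryFilter_ = discoveryFilter;
            return buildDiscovery();
        }

        /**
         * Builds a provider in strict mode for exactly the given key identifiers.
         *
         * @param keyIds non-empty list of key identifiers, none of them null or empty
         * @return a strict-mode provider
         * @throws IllegalArgumentException if the list is null or empty, contains a null or
         *     empty entry, or names the same multi-region key more than once
         * @throws AwsCryptoException if a non-ARN identifier is given and no default region is
         *     set
         */
        public AwsKmsMrkAwareMasterKeyProvider buildStrict(List<String> keyIds) {
            // Reject null here: copying a null list would raise a NullPointerException before
            // the constructor's own null check could produce this message.
            if (keyIds == null) {
                throw new IllegalArgumentException("Strict mode must be configured with a non-empty list of keyIds.");
            }
            return new AwsKmsMrkAwareMasterKeyProvider(
                    resolveClientSupplier(),
                    this.defaultRegion_,
                    new ArrayList<>(keyIds),
                    Collections.emptyList(),
                    false,
                    null,
                    null);
        }

        /**
         * Varargs form of {@link #buildStrict(List)}.
         *
         * @param keyIds key identifiers
         * @return a strict-mode provider
         * @throws IllegalArgumentException under the same conditions as the list overload,
         *     including a null array
         */
        public AwsKmsMrkAwareMasterKeyProvider buildStrict(String... keyIds) {
            final List<String> keyIdList = keyIds == null ? null : Arrays.asList(keyIds);
            return buildStrict(keyIdList);
        }

        /**
         * Returns the caller's client factory when one was set, otherwise a caching factory
         * derived from the template builder. The default factory is only created when needed.
         */
        private KmsMasterKeyProvider.RegionalClientSupplier resolveClientSupplier() {
            return this.regionalClientSupplier_.orElseGet(
                    () -> clientFactory(new ConcurrentHashMap<>(), this.templateBuilder_));
        }

        /**
         * Creates a client factory that reuses clients already present in {@code clientsCache}
         * and otherwise builds a new client for the requested region.
         *
         * <p>A new client is not put in the cache here; it is handed to a
         * {@code SuccessfulRequestCacher} that is also registered as a request handler on that
         * client. Presumably the cacher stores the client after a successful request — confirm
         * against {@code KmsMasterKeyProvider.SuccessfulRequestCacher}.
         *
         * @param clientsCache region name to client map shared by the returned factory
         * @param builder template builder, or null to start from the SDK standard builder
         * @return factory mapping a region name to a KMS client
         * @throws IllegalArgumentException if the template has an endpoint configured
         */
        static KmsMasterKeyProvider.RegionalClientSupplier clientFactory(ConcurrentHashMap<String, AWSKMS> clientsCache, AWSKMSClientBuilder builder) {
            // Snapshot the template so later changes by the caller cannot alter new clients.
            final AWSKMSClientBuilder template =
                    builder != null ? cloneClientBuilder(builder) : AWSKMSClientBuilder.standard();
            return region -> {
                // ConcurrentHashMap holds no null values, so one lookup replaces containsKey + get.
                final AWSKMS cached = clientsCache.get(region);
                if (cached != null) {
                    return cached;
                }
                final KmsMasterKeyProvider.SuccessfulRequestCacher cacher =
                        new KmsMasterKeyProvider.SuccessfulRequestCacher(clientsCache, region);
                final List<RequestHandler2> handlers = new ArrayList<>();
                if (template.getRequestHandlers() != null) {
                    handlers.addAll(template.getRequestHandlers());
                }
                handlers.add(cacher);
                final AWSKMS client = cloneClientBuilder(template)
                        .withRegion(region)
                        .withRequestHandlers(handlers.toArray(new RequestHandler2[0]))
                        .build();
                return cacher.setClient(client);
            };
        }

        /**
         * Copies client configuration, credentials, metrics collector and request handlers from
         * the given builder into a fresh one.
         *
         * @param builder builder to copy
         * @return an independent builder carrying the same settings
         * @throws IllegalArgumentException if the builder has an endpoint configured; such
         *     setups must go through {@link #withCustomClientFactory} instead
         */
        static AWSKMSClientBuilder cloneClientBuilder(AWSKMSClientBuilder builder) {
            if (builder.getEndpoint() != null) {
                throw new IllegalArgumentException("Setting endpoint configuration is not compatible with passing a builder to the KmsMasterKeyProvider. Use withCustomClientFactory instead.");
            }
            final AWSKMSClientBuilder copy = AWSKMSClient.builder();
            copy.setClientConfiguration(builder.getClientConfiguration());
            copy.setCredentials(builder.getCredentials());
            // Always null at this point because of the guard above; kept for parity.
            copy.setEndpointConfiguration(builder.getEndpoint());
            copy.setMetricsCollector(builder.getMetricsCollector());
            if (builder.getRequestHandlers() != null) {
                copy.setRequestHandlers(builder.getRequestHandlers().toArray(new RequestHandler2[0]));
            }
            return copy;
        }

        /** Returns the SDK default-chain region, or null when the chain cannot resolve one. */
        private static String getSdkDefaultRegion() {
            try {
                return new DefaultAwsRegionProviderChain().getRegion();
            } catch (SdkClientException e) {
                // No region configured in the environment; callers handle a null default.
                return null;
            }
        }
    }

    /**
     * Returns a new builder.
     *
     * @return a builder with the SDK default region pre-populated when one is available
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Validates the mode-specific configuration and stores it.
     *
     * @param supplier factory for per-region KMS clients
     * @param defaultRegion region for non-ARN identifiers; may be null
     * @param keyIds configured key identifiers (must be empty in discovery mode)
     * @param grantTokens grant tokens applied to every master key this provider creates
     * @param isDiscovery true for discovery mode, false for strict mode
     * @param discoveryFilter optional partition/account restriction; discovery mode only
     * @param discoveryMrkRegion region for multi-region keys in discovery mode
     * @throws IllegalArgumentException if the arguments are inconsistent with the mode
     * @throws AwsCryptoException if strict mode has a non-ARN identifier and no default region
     */
    private AwsKmsMrkAwareMasterKeyProvider(KmsMasterKeyProvider.RegionalClientSupplier supplier, String defaultRegion, List<String> keyIds, List<String> grantTokens, boolean isDiscovery, DiscoveryFilter discoveryFilter, String discoveryMrkRegion) {
        if (!isDiscovery && (keyIds == null || keyIds.isEmpty())) {
            throw new IllegalArgumentException("Strict mode must be configured with a non-empty list of keyIds.");
        }
        if (!isDiscovery && (keyIds.contains(null) || keyIds.contains(""))) {
            throw new IllegalArgumentException("Strict mode cannot be configured with a null key identifier.");
        }
        assertMrksAreUnique(keyIds);
        // An identifier that does not parse as an ARN has no region of its own, so it can only
        // be resolved when a default region exists.
        if (!isDiscovery
                && defaultRegion == null
                && keyIds.stream()
                        .map(keyId -> AwsKmsCmkArnInfo.parseInfoFromKeyArn(keyId))
                        .anyMatch(Objects::isNull)) {
            throw new AwsCryptoException("Can't use non-ARN key identifiers or aliases when no default region is set");
        }
        if (!isDiscovery && discoveryFilter != null) {
            throw new IllegalArgumentException("Strict mode cannot be configured with a discovery filter.");
        }
        if (isDiscovery && !keyIds.isEmpty()) {
            throw new IllegalArgumentException("Discovery mode can not be configured with keys.");
        }
        if (isDiscovery && discoveryMrkRegion == null) {
            throw new IllegalArgumentException("Discovery MRK region can not be null.");
        }
        this.regionalClientSupplier_ = supplier;
        this.defaultRegion_ = defaultRegion;
        // Defensive, read-only copy so the configured key set cannot change after validation.
        this.keyIds_ = Collections.unmodifiableList(new ArrayList<>(keyIds));
        this.isDiscovery_ = isDiscovery;
        this.discoveryFilter_ = discoveryFilter;
        this.discoveryMrkRegion_ = discoveryMrkRegion;
        this.grantTokens_ = grantTokens;
    }

    /**
     * Rejects a configuration that names the same multi-region key more than once.
     *
     * <p>Identifiers are grouped by {@link #getResourceForResourceTypeKey(String)}; a group with
     * more than one member whose grouping key is an MRK is reported as a duplicate.
     *
     * @param keyIds configured key identifiers
     * @throws IllegalArgumentException listing the offending identifiers
     */
    static void assertMrksAreUnique(List<String> keyIds) {
        final List<String> duplicateMrks = keyIds.stream()
                .collect(Collectors.groupingBy(AwsKmsMrkAwareMasterKeyProvider::getResourceForResourceTypeKey))
                .entrySet()
                .stream()
                .filter(group -> group.getValue().size() > 1)
                .filter(group -> AwsKmsCmkArnInfo.isMRK(group.getKey()))
                .flatMap(group -> group.getValue().stream())
                .collect(Collectors.toList());
        if (duplicateMrks.size() > 1) {
            throw new IllegalArgumentException("Duplicate multi-region keys are not allowed:\n" + String.join(", ", duplicateMrks));
        }
    }

    /**
     * Returns the value used to group identifiers in {@link #assertMrksAreUnique(List)}.
     *
     * @param identifier key identifier
     * @return the ARN's resource part when the identifier parses as an ARN of resource type
     *     {@code key}; otherwise the identifier unchanged
     */
    static String getResourceForResourceTypeKey(String identifier) {
        final AwsKmsCmkArnInfo arnInfo = AwsKmsCmkArnInfo.parseInfoFromKeyArn(identifier);
        if (arnInfo != null && arnInfo.getResourceType().equals("key")) {
            return arnInfo.getResource();
        }
        return identifier;
    }

    /** Returns the provider id handled by this provider, {@code "aws-kms"}. */
    @Override
    public String getDefaultProviderId() {
        return PROVIDER_NAME;
    }

    /**
     * Returns the master key to use for the requested key identifier.
     *
     * <p>In strict mode the requested identifier must match a configured one, and the master key
     * is created from the configured identifier. In discovery mode the requested identifier must
     * parse as an ARN and, when a discovery filter is set, its partition and account must be
     * allowed by it; the master key is created from that ARN rendered with the selected region.
     *
     * @param providerId provider id named by the caller or the message
     * @param requestedKeyArn key identifier named by the caller or the message; untrusted when
     *     it originates from a message
     * @return a master key carrying this provider's grant tokens
     * @throws UnsupportedProviderException if this provider does not handle {@code providerId}
     * @throws NoSuchMasterKeyException if the key is not acceptable in the current mode
     */
    @Override
    public AwsKmsMrkAwareMasterKey getMasterKey(String providerId, String requestedKeyArn) throws UnsupportedProviderException, NoSuchMasterKeyException {
        if (!canProvide(providerId)) {
            throw new UnsupportedProviderException();
        }
        // Always empty in discovery mode, because no key ids are configured there.
        final Optional<String> matchedArn = this.keyIds_.stream()
                .filter(configured -> AwsKmsCmkArnInfo.awsKmsArnMatchForDecrypt(configured, requestedKeyArn))
                .findFirst();
        if (!this.isDiscovery_ && !matchedArn.isPresent()) {
            throw new NoSuchMasterKeyException("Key must be in supplied list of keyIds.");
        }
        final AwsKmsCmkArnInfo requestedKeyArnInfo = AwsKmsCmkArnInfo.parseInfoFromKeyArn(requestedKeyArn);
        if (this.isDiscovery_ && requestedKeyArnInfo == null) {
            throw new NoSuchMasterKeyException("Cannot use AWS KMS identifiers when in discovery mode.");
        }
        // The filter is the only restriction on which keys discovery mode will contact.
        if (this.isDiscovery_
                && this.discoveryFilter_ != null
                && !this.discoveryFilter_.allowsPartitionAndAccount(requestedKeyArnInfo.getPartition(), requestedKeyArnInfo.getAccountId())) {
            throw new NoSuchMasterKeyException("Cannot use key in partition " + requestedKeyArnInfo.getPartition() + " with account id " + requestedKeyArnInfo.getAccountId() + " with configured discovery filter.");
        }
        final String region = extractRegion(this.defaultRegion_, this.discoveryMrkRegion_, matchedArn, requestedKeyArnInfo, this.isDiscovery_);
        final AwsKmsMrkAwareMasterKey masterKey = AwsKmsMrkAwareMasterKey.getInstance(
                this.regionalClientSupplier_.getClient(region),
                // Strict mode uses the configured identifier rather than the requested string.
                this.isDiscovery_ ? requestedKeyArnInfo.toString(region) : matchedArn.get(),
                this);
        masterKey.setGrantTokens(this.grantTokens_);
        return masterKey;
    }

    /**
     * Chooses the region whose KMS client should be used for a requested key.
     *
     * @param defaultRegion region for identifiers that are not ARNs
     * @param discoveryMrkRegion region for multi-region keys in discovery mode
     * @param matchedArn configured identifier that matched the request; read only for a
     *     multi-region key in strict mode, where it must be present and an ARN
     * @param requestedKeyArnInfo parsed form of the requested identifier, or null if it is not
     *     an ARN
     * @param isDiscovery true when the provider is in discovery mode
     * @return {@code defaultRegion} for a non-ARN; the ARN's own region for a key that is not
     *     a multi-region key; otherwise {@code discoveryMrkRegion} in discovery mode or the
     *     configured ARN's region in strict mode
     */
    static String extractRegion(String defaultRegion, String discoveryMrkRegion, Optional<String> matchedArn, AwsKmsCmkArnInfo requestedKeyArnInfo, boolean isDiscovery) {
        if (requestedKeyArnInfo == null) {
            return defaultRegion;
        }
        final boolean isMultiRegionKey = AwsKmsCmkArnInfo.isMRK(requestedKeyArnInfo.getResource())
                && requestedKeyArnInfo.getResourceType().equals("key");
        if (!isMultiRegionKey) {
            return requestedKeyArnInfo.getRegion();
        }
        if (isDiscovery) {
            return discoveryMrkRegion;
        }
        // Strict mode: the region comes from the configured ARN, not from the requested one.
        return AwsKmsCmkArnInfo.parseInfoFromKeyArn(matchedArn.get()).getRegion();
    }

    /**
     * Returns one master key per configured key identifier, or an empty list in discovery mode,
     * which never encrypts.
     *
     * @param masterKeyRequest not read by this implementation
     * @return master keys to encrypt under
     */
    @Override
    public List<AwsKmsMrkAwareMasterKey> getMasterKeysForEncryption(MasterKeyRequest masterKeyRequest) {
        if (this.isDiscovery_) {
            return Collections.emptyList();
        }
        final List<AwsKmsMrkAwareMasterKey> masterKeys = new ArrayList<>(this.keyIds_.size());
        for (final String keyId : this.keyIds_) {
            masterKeys.add(getMasterKey(keyId));
        }
        return masterKeys;
    }

    /**
     * Tries each encrypted data key in order and returns the first one that decrypts.
     *
     * <p>Data keys from other providers are skipped. The provider information of each remaining
     * data key is decoded as UTF-8 and must parse as an ARN of resource type {@code key}.
     * Failures for individual data keys are collected rather than thrown, so that a later data
     * key can still succeed.
     *
     * <p>NOTE(review): malformed provider information raises {@link IllegalStateException} from
     * inside the stream and ends the whole attempt; it is not collected with the other failures.
     *
     * @param cryptoAlgorithm algorithm suite of the message
     * @param collection encrypted data keys read from the message; untrusted input
     * @param map encryption context passed through to the master key
     * @return the first successfully decrypted data key
     * @throws AwsCryptoException if no data key could be decrypted (declared by the overridden
     *     method; the thrown value comes from {@code buildCannotDecryptDksException})
     * @throws IllegalStateException if a data key for this provider carries provider
     *     information that is not a key ARN
     */
    @Override
    public DataKey<AwsKmsMrkAwareMasterKey> decryptDataKey(CryptoAlgorithm cryptoAlgorithm, Collection<? extends EncryptedDataKey> collection, Map<String, String> map) throws AwsCryptoException {
        final List<Exception> failures = new ArrayList<>();
        return collection.stream()
                .filter(encryptedDataKey -> {
                    if (!canProvide(encryptedDataKey.getProviderId())) {
                        return false;
                    }
                    final String keyArn = new String(encryptedDataKey.getProviderInformation(), StandardCharsets.UTF_8);
                    final AwsKmsCmkArnInfo arnInfo = AwsKmsCmkArnInfo.parseInfoFromKeyArn(keyArn);
                    if (arnInfo == null || !"key".equals(arnInfo.getResourceType())) {
                        throw new IllegalStateException("Invalid provider info in message.");
                    }
                    return true;
                })
                .map(encryptedDataKey -> {
                    try {
                        final String keyArn = new String(encryptedDataKey.getProviderInformation(), StandardCharsets.UTF_8);
                        return getMasterKey(encryptedDataKey.getProviderId(), keyArn)
                                .decryptDataKey(cryptoAlgorithm, Collections.singletonList(encryptedDataKey), map);
                    } catch (Exception e) {
                        // Deliberately broad: any failure for one data key is recorded and the
                        // search moves on to the next one.
                        failures.add(e);
                        return null;
                    }
                })
                .filter(Objects::nonNull)
                .findFirst()
                .orElseThrow(() -> buildCannotDecryptDksException(failures));
    }

    /**
     * Returns a mutable copy of the grant tokens applied to master keys from this provider.
     *
     * @return a new list; changes to it do not affect this provider
     */
    public List<String> getGrantTokens() {
        return new ArrayList<>(this.grantTokens_);
    }

    /**
     * Returns a new provider with the same configuration and the given grant tokens; this
     * instance is left unchanged.
     *
     * @param list grant tokens; copied, must not be null
     * @return a provider that applies the given grant tokens
     */
    public AwsKmsMrkAwareMasterKeyProvider withGrantTokens(List<String> list) {
        final List<String> grantTokens = Collections.unmodifiableList(new ArrayList<>(list));
        return new AwsKmsMrkAwareMasterKeyProvider(
                this.regionalClientSupplier_,
                this.defaultRegion_,
                this.keyIds_,
                grantTokens,
                this.isDiscovery_,
                this.discoveryFilter_,
                this.discoveryMrkRegion_);
    }

    /**
     * Varargs form of {@link #withGrantTokens(List)}.
     *
     * @param strArr grant tokens
     * @return a provider that applies the given grant tokens
     */
    public AwsKmsMrkAwareMasterKeyProvider withGrantTokens(String... strArr) {
        return withGrantTokens(Arrays.asList(strArr));
    }
}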
