package com.schibsted.security.strongbox.sdk.internal.encryption;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.CancelKeyDeletionRequest;
import com.amazonaws.services.kms.model.CreateAliasRequest;
import com.amazonaws.services.kms.model.CreateKeyRequest;
import com.amazonaws.services.kms.model.DescribeKeyRequest;
import com.amazonaws.services.kms.model.EnableKeyRequest;
import com.amazonaws.services.kms.model.EnableKeyRotationRequest;
import com.amazonaws.services.kms.model.GenerateRandomRequest;
import com.amazonaws.services.kms.model.KMSInvalidStateException;
import com.amazonaws.services.kms.model.KeyMetadata;
import com.amazonaws.services.kms.model.NotFoundException;
import com.amazonaws.services.kms.model.ScheduleKeyDeletionRequest;
import com.schibsted.security.strongbox.sdk.exceptions.AlreadyExistsException;
import com.schibsted.security.strongbox.sdk.exceptions.DoesNotExistException;
import com.schibsted.security.strongbox.sdk.exceptions.UnexpectedStateException;
import com.schibsted.security.strongbox.sdk.internal.ClientConfigurationHelper;
import com.schibsted.security.strongbox.sdk.internal.RegionLocalResourceName;
import com.schibsted.security.strongbox.sdk.internal.access.IAMPolicyManager;
import com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource;
import com.schibsted.security.strongbox.sdk.internal.kv4j.generated.Config;
import com.schibsted.security.strongbox.sdk.types.ClientConfiguration;
import com.schibsted.security.strongbox.sdk.types.SecretsGroupIdentifier;
import java.nio.ByteBuffer;
import java.util.Date;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/schibsted/security/strongbox/sdk/internal/encryption/KMSManager.class */
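/**
 * Manages the KMS customer master key (CMK) that backs one Strongbox secrets group.
 *
 * <p>The key is never addressed by key id directly: every lookup goes through the alias
 * {@code alias/<RegionLocalResourceName>} derived from the group, so the alias is the
 * identity of this resource. The alias ARN is built from the group's region and the
 * account id resolved via {@link IAMPolicyManager#getAccount}.
 *
 * <p>KMS key state changes (create, enable, cancel deletion, schedule deletion) are
 * eventually consistent, so the mutating operations poll {@code DescribeKey} until the
 * expected {@link KMSKeyState} is observed or the retry budget ({@value #MAX_RETRIES}
 * polls, {@value #SLEEP_TIME} ms apart) is exhausted.
 *
 * <p>No locking is done here; two concurrent {@link #create(boolean)} calls for the same
 * group can both pass the existence check and race on key/alias creation.
 */
public class KMSManager implements ManagedResource {
    private static final Logger log = LoggerFactory.getLogger(KMSManager.class);
    /** Pause between DescribeKey polls while waiting for a state transition, in milliseconds. */
    private static final int SLEEP_TIME = 100;
    /** Maximum number of DescribeKey polls before a state transition is reported as timed out. */
    private static final int MAX_RETRIES = 30;
    private static final String ALIAS_PREFIX = "alias/";
    private static final String KEY_DESCRIPTION = "This key is automatically managed by Strongbox";

    private final AWSKMS kms;
    /** Alias name, including the {@code alias/} prefix, under which the group's key is registered. */
    private final String aliasKeyName;
    private final SecretsGroupIdentifier group;
    private final AWSCredentialsProvider awsCredentials;
    private final ClientConfiguration clientConfiguration;

    /**
     * @param awskms KMS client to use; expected to be pinned to the group's region
     *               (see {@link #fromCredentials})
     * @param aWSCredentialsProvider credentials used when resolving the account id for the alias ARN
     * @param clientConfiguration client configuration forwarded to {@link IAMPolicyManager#getAccount}
     * @param secretsGroupIdentifier group whose key this manager owns
     */
    public KMSManager(AWSKMS awskms, AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration, SecretsGroupIdentifier secretsGroupIdentifier) {
        this.kms = awskms;
        this.awsCredentials = aWSCredentialsProvider;
        this.clientConfiguration = clientConfiguration;
        this.group = secretsGroupIdentifier;
        this.aliasKeyName = ALIAS_PREFIX + new RegionLocalResourceName(secretsGroupIdentifier).toString();
    }

    /**
     * Builds a manager with a KMS client pinned to the group's region.
     *
     * @throws RuntimeException whatever {@link ClientConfigurationHelper#transformAndVerifyOrThrow}
     *         raises for an invalid client configuration
     */
    public static KMSManager fromCredentials(AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration, SecretsGroupIdentifier secretsGroupIdentifier) {
        AWSKMS client = AWSKMSClientBuilder.standard()
                .withCredentials(aWSCredentialsProvider)
                .withClientConfiguration(ClientConfigurationHelper.transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(secretsGroupIdentifier.region.getName())
                .build();
        return new KMSManager(client, aWSCredentialsProvider, clientConfiguration, secretsGroupIdentifier);
    }

    /**
     * Creates the group's key, or brings an existing key back to the {@code Enabled} state.
     *
     * <p>When no key is registered under the alias, a new CMK is created, the alias is
     * attached and automatic rotation is enabled. When a key already exists:
     * <ul>
     *   <li>{@code override == false}: {@link AlreadyExistsException} is thrown;</li>
     *   <li>{@code Disabled}: the key is enabled;</li>
     *   <li>{@code PendingDeletion}: deletion is cancelled and the key is then enabled;</li>
     *   <li>any other state (including {@code Enabled}): {@link AlreadyExistsException}
     *       is thrown even with {@code override} set.</li>
     * </ul>
     *
     * @param override whether an existing disabled / pending-deletion key may be revived
     * @return the ARN of the key, once it has been observed in the {@code Enabled} state
     * @throws AlreadyExistsException as described above
     * @throws UnexpectedStateException if the key does not reach {@code Enabled} within the
     *         polling budget
     */
    public String create(boolean override) {
        Optional<KeyMetadata> existing = describeKey();
        String arn;
        if (!existing.isPresent()) {
            arn = createKeyWithAlias();
        } else {
            if (!override) {
                throw new AlreadyExistsException(String.format("KMS key already exists for group=%s,region=%s, and override not set", this.group.name, this.group.region.getName()));
            }
            arn = existing.get().getArn();
            reviveExistingKey(arn, KMSKeyState.fromString(existing.get().getKeyState()));
        }
        waitForKeyState(KMSKeyState.ENABLED);
        return arn;
    }

    /**
     * Creates a fresh CMK, attaches the group alias and enables automatic rotation.
     *
     * <p>The request sets no key policy, so KMS applies its default policy to the new key.
     * There is no compensating cleanup: if {@code createAlias} or {@code enableKeyRotation}
     * fails, the just-created key is left behind without an alias and will not be found by
     * {@link #describeKey()} on the next attempt.
     *
     * @return the ARN of the new key
     */
    private String createKeyWithAlias() {
        CreateKeyRequest createKey = new CreateKeyRequest();
        createKey.setDescription(KEY_DESCRIPTION);
        String arn = this.kms.createKey(createKey).getKeyMetadata().getArn();

        CreateAliasRequest createAlias = new CreateAliasRequest();
        createAlias.setAliasName(this.aliasKeyName);
        createAlias.setTargetKeyId(arn);
        this.kms.createAlias(createAlias);

        EnableKeyRotationRequest enableRotation = new EnableKeyRotationRequest();
        enableRotation.setKeyId(arn);
        this.kms.enableKeyRotation(enableRotation);
        return arn;
    }

    /**
     * Brings an existing key in a non-usable state back towards {@code Enabled}.
     *
     * @param arn ARN of the existing key
     * @param state the key's current state as reported by DescribeKey
     * @throws AlreadyExistsException if the key is in any state other than
     *         {@code PendingDeletion} or {@code Disabled}
     */
    private void reviveExistingKey(String arn, KMSKeyState state) {
        switch (state) {
            case PENDING_DELETION:
                CancelKeyDeletionRequest cancelDeletion = new CancelKeyDeletionRequest();
                cancelDeletion.withKeyId(arn);
                this.kms.cancelKeyDeletion(cancelDeletion);
                // Fall through on purpose: cancelling deletion does not re-enable the key,
                // so it still has to go through EnableKey.
            case DISABLED:
                EnableKeyRequest enableKey = new EnableKeyRequest();
                enableKey.withKeyId(arn);
                this.kms.enableKey(enableKey);
                break;
            default:
                throw new AlreadyExistsException(String.format("KMS key already exists for group=%s,region=%s", this.group.name, this.group.region.getName()));
        }
    }

    /** Equivalent to {@code create(false)}: fails if a key already exists for the group. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public String create() {
        return create(false);
    }

    /**
     * Polls DescribeKey until the key reports {@code expected}, sleeping {@link #SLEEP_TIME} ms
     * between polls, for at most {@link #MAX_RETRIES} polls.
     *
     * <p>A missing key (alias not yet resolvable) counts as "not there yet" and is retried.
     * Any KMS error other than NotFound propagates from {@link #describeKey()} immediately.
     *
     * @throws UnexpectedStateException if the state is not reached before the budget runs out,
     *         or if the waiting thread is interrupted (the interrupt flag is restored first)
     */
    private void waitForKeyState(KMSKeyState expected) {
        String observed = "Unknown";
        for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
            Optional<KeyMetadata> metadata = describeKey();
            if (metadata.isPresent()) {
                observed = metadata.get().getKeyState();
                if (KMSKeyState.fromString(observed) == expected) {
                    return;
                }
            }
            log.info("Waiting for key to reach state:'{}'", expected.name());
            try {
                Thread.sleep(SLEEP_TIME);
            } catch (InterruptedException e) {
                // Re-assert the interrupt so callers further up the stack still see it;
                // swallowing it here would make cancellation invisible to them.
                Thread.currentThread().interrupt();
                throw new UnexpectedStateException(this.aliasKeyName, observed, expected.name(), "Error occurred while waiting for KMS key to update", e);
            }
        }
        throw new UnexpectedStateException(this.aliasKeyName, observed, expected.name(), "KMS key did not reach expected state before timeout");
    }

    /**
     * Returns {@code numberOfBytes} random bytes produced by KMS ({@code GenerateRandom}).
     *
     * <p>The bytes are copied out of the SDK's buffer by its readable range rather than via
     * {@code ByteBuffer.array()}, so a buffer with an array offset or an unused tail cannot
     * leak extra bytes into the result, and a direct buffer does not throw.
     *
     * @param numberOfBytes number of bytes requested; passed to KMS as-is
     */
    public byte[] generateRandom(Integer numberOfBytes) {
        GenerateRandomRequest request = new GenerateRandomRequest();
        request.withNumberOfBytes(numberOfBytes);
        ByteBuffer plaintext = this.kms.generateRandom(request).getPlaintext();
        byte[] random = new byte[plaintext.remaining()];
        plaintext.duplicate().get(random);
        return random;
    }

    /**
     * Schedules the key for deletion and waits until KMS reports {@code PendingDeletion}.
     *
     * <p>Once the {@link #pendingDeletionWindowInDays()} window elapses the key material is
     * destroyed and anything encrypted under it becomes unrecoverable; {@link #create(boolean)}
     * with {@code override} can cancel the deletion while the window is still open.
     *
     * @throws DoesNotExistException if no key is registered under the alias
     * @throws UnexpectedStateException if KMS refuses the request because of the key's state,
     *         or the key does not reach {@code PendingDeletion} within the polling budget
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public void delete() {
        deleteAndGetSchedule();
        waitForKeyState(KMSKeyState.PENDING_DELETION);
    }

    /**
     * IAM policy statement granting full control of this key.
     *
     * <p>{@code kms:*} on the key resource covers every KMS action on it, including
     * scheduling deletion, disabling the key and rewriting its key policy — this is an
     * administrative grant, not merely encrypt/decrypt.
     *
     * @throws DoesNotExistException if the key cannot be resolved (from {@link #getArn()})
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public Optional<String> awsAdminPolicy() {
        return Optional.of("    {\n        \"Sid\": \"KMS\",\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"kms:*\"\n        ],\n        \"Resource\": \"" + getArn() + "\"\n    }");
    }

    /**
     * IAM policy statement for readers of this group's secrets.
     *
     * <p>Only {@code kms:Decrypt} and {@code kms:DescribeKey} are granted; holders can
     * unwrap existing ciphertext but cannot produce new ciphertext or data keys under it.
     *
     * @throws DoesNotExistException if the key cannot be resolved (from {@link #getArn()})
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public Optional<String> awsReadOnlyPolicy() {
        return Optional.of("    {\n        \"Sid\": \"KMS\",\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"kms:Decrypt\",\n            \"kms:DescribeKey\"\n        ],\n        \"Resource\": \"" + getArn() + "\"\n    }");
    }

    /**
     * Resolves the key ARN behind the group alias.
     *
     * @throws DoesNotExistException if no key is registered under the alias
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public String getArn() {
        return describeKey()
                .map(KeyMetadata::getArn)
                .orElseThrow(() -> new DoesNotExistException(String.format("Failed to find KMS key with alias '%s'", getAliasArn())));
    }

    /** Equivalent to {@code exists(false)}: true if any key, in any state, is behind the alias. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public boolean exists() {
        return exists(false);
    }

    /**
     * Reports whether a key is registered under the group alias.
     *
     * @param requireUsable when true, a key that is {@code PendingDeletion} or {@code Disabled}
     *                      is reported as not existing; other states count as existing
     */
    public boolean exists(boolean requireUsable) {
        Optional<KeyMetadata> existing = describeKey();
        if (!existing.isPresent()) {
            return false;
        }
        if (!requireUsable) {
            return true;
        }
        switch (KMSKeyState.fromString(existing.get().getKeyState())) {
            case PENDING_DELETION:
            case DISABLED:
                return false;
            default:
                return true;
        }
    }

    /**
     * Builds the alias ARN {@code arn:aws:kms:<region>:<account>:alias/<name>}.
     *
     * <p>The {@code aws} partition is hard-coded, so this will not resolve in other
     * partitions (e.g. {@code aws-cn}, {@code aws-us-gov}). The account id is looked up via
     * {@link IAMPolicyManager#getAccount} on every call, and every {@link #describeKey()}
     * goes through here.
     */
    public String getAliasArn() {
        String account = IAMPolicyManager.getAccount(this.awsCredentials, this.clientConfiguration);
        return String.format("arn:aws:kms:%s:%s:%s", this.group.region.getName(), account, this.aliasKeyName);
    }

    /**
     * Looks up the key behind the group alias.
     *
     * @return the key metadata, or empty if KMS reports the alias as not found; any other
     *         KMS error (access denied, throttling, ...) propagates unchanged
     */
    private Optional<KeyMetadata> describeKey() {
        DescribeKeyRequest request = new DescribeKeyRequest();
        request.withKeyId(getAliasArn());
        try {
            return Optional.of(this.kms.describeKey(request).getKeyMetadata());
        } catch (NotFoundException e) {
            return Optional.empty();
        }
    }

    /** Pending-deletion window passed to ScheduleKeyDeletion; 7 days is the smallest KMS accepts. */
    public int pendingDeletionWindowInDays() {
        return 7;
    }

    /**
     * Issues ScheduleKeyDeletion for the key and returns the date KMS will delete it.
     *
     * @throws DoesNotExistException if no key is registered under the alias
     * @throws UnexpectedStateException if KMS rejects the request because of the key's
     *         current state (e.g. it is already pending deletion)
     */
    private Date deleteAndGetSchedule() {
        String arn = getArn();
        try {
            ScheduleKeyDeletionRequest request = new ScheduleKeyDeletionRequest();
            request.withKeyId(arn).withPendingWindowInDays(Integer.valueOf(pendingDeletionWindowInDays()));
            return this.kms.scheduleKeyDeletion(request).getDeletionDate();
        } catch (KMSInvalidStateException e) {
            throw new UnexpectedStateException(arn, KMSKeyState.ENABLED.toString(), KMSKeyState.PENDING_DELETION.toString(), "Unable to delete KMS keys", e);
        }
    }
}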
