package com.google.crypto.tink.integration.awskms;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.PropertiesFileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.google.auto.service.AutoService;
import com.google.common.base.Splitter;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import javax.annotation.Nullable;

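/**
 * {@link KmsClient} implementation for AWS KMS key URIs of the form {@code aws-kms://<key ARN>}.
 *
 * <p>A client created with the no-argument constructor accepts every URI that carries the
 * {@link #PREFIX}; a client created with a key URI is bound to that one URI and rejects all
 * others (see {@link #doesSupport} and {@link #getAead}).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The prefix check is case-insensitive, but the bound-URI comparison is an exact,
 *       case-sensitive {@code equals}. Callers should pass the URI in one canonical spelling.
 *   <li>The configuration fields are plain mutable fields written by the {@code with*} methods;
 *       no synchronization is visible in this class, so finish configuring a client before
 *       sharing it between threads.
 *   <li>{@link #withCredentials(String)} reads credentials from a properties file. Such a file
 *       should be readable only by the service account. Where the platform offers role-based
 *       credentials, {@link #withDefaultCredentials()} avoids keeping long-lived keys on disk.
 * </ul>
 */
@AutoService({KmsClient.class})
public final class AwsKmsClient implements KmsClient {
    /** URI scheme prefix that identifies AWS KMS keys. */
    public static final String PREFIX = "aws-kms://";

    // Pre-built KMS client; when non-null, getAead uses it instead of building a regional client.
    @Nullable
    private AWSKMS awsKms;

    // Key URI this client is bound to, or null when the client serves any aws-kms:// URI.
    @Nullable
    private String keyUri;

    // Credentials source handed to the client builder in getAead; null until a with* method sets it.
    @Nullable
    private AWSCredentialsProvider provider;

    /** Creates a client that is not bound to a key URI. */
    public AwsKmsClient() {
    }

    /**
     * Creates a client bound to a single key URI.
     *
     * @param str the key URI; must start with {@link #PREFIX} (compared case-insensitively)
     * @throws IllegalArgumentException if {@code str} does not start with the prefix
     * @throws NullPointerException if {@code str} is null
     */
    public AwsKmsClient(String str) {
        boolean hasPrefix = str.toLowerCase(Locale.US).startsWith(PREFIX);
        if (!hasPrefix) {
            throw new IllegalArgumentException("key URI must starts with aws-kms://");
        }
        // The URI is stored exactly as given; later comparisons against it are case-sensitive.
        this.keyUri = str;
    }

    /**
     * Reports whether this client can serve the given key URI.
     *
     * @param str the key URI to test
     * @return for a bound client, whether {@code str} equals the bound URI exactly; for an unbound
     *     client, whether {@code str} starts with {@link #PREFIX} (case-insensitive)
     * @throws NullPointerException if the client is unbound and {@code str} is null
     */
    @Override
    public boolean doesSupport(String str) {
        if (this.keyUri != null) {
            // Bound client: only the exact URI it was created with is accepted.
            return this.keyUri.equals(str);
        }
        return str.toLowerCase(Locale.US).startsWith(PREFIX);
    }

    /**
     * Selects the credentials source: a properties file at the given path, or the default provider
     * chain when the path is null.
     *
     * <p>This method only stores the provider. NOTE(review): the SDK presumably reads the file
     * when credentials are first requested, so a missing or unreadable file may surface later
     * than this call; confirm against the SDK version in use.
     *
     * @param str path of the credentials properties file, or null for the default chain
     * @return this client
     * @throws GeneralSecurityException if the SDK raises an {@link AmazonServiceException}
     */
    @Override
    @CanIgnoreReturnValue
    public KmsClient withCredentials(String str) throws GeneralSecurityException {
        try {
            if (str == null) {
                return withDefaultCredentials();
            }
            return withCredentialsProvider(new PropertiesFileCredentialsProvider(str));
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("cannot load credentials", e);
        }
    }

    /**
     * Selects the SDK's default credentials provider chain as the credentials source.
     *
     * @return this client
     * @throws GeneralSecurityException if the SDK raises an {@link AmazonServiceException}
     */
    @Override
    @CanIgnoreReturnValue
    public KmsClient withDefaultCredentials() throws GeneralSecurityException {
        try {
            return withCredentialsProvider(new DefaultAWSCredentialsProviderChain());
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("cannot load default credentials", e);
        }
    }

    /**
     * Stores the given provider as the credentials source for clients built by {@link #getAead}.
     *
     * <p>The body performs no validation and does not throw; the {@code throws} clause is kept for
     * callers compiled against it.
     *
     * @param aWSCredentialsProvider the provider to use
     * @return this client
     */
    @CanIgnoreReturnValue
    public KmsClient withCredentialsProvider(AWSCredentialsProvider aWSCredentialsProvider) throws GeneralSecurityException {
        this.provider = aWSCredentialsProvider;
        return this;
    }

    /**
     * Injects a pre-built KMS client (package-private).
     *
     * <p>When a non-null client is set, {@link #getAead} uses it as-is and does not build a client
     * for the region named in the key URI.
     *
     * @param awskms the client to use, or null to build one per {@code getAead} call
     * @return this client
     */
    @CanIgnoreReturnValue
    KmsClient withAwsKms(@Nullable AWSKMS awskms) {
        this.awsKms = awskms;
        return this;
    }

    /**
     * Strips the expected prefix from a key URI.
     *
     * @param str the expected prefix (note the argument order: prefix first)
     * @param str2 the key URI
     * @return {@code str2} without its first {@code str.length()} characters
     * @throws IllegalArgumentException if the lower-cased URI does not start with the prefix
     */
    private static String removePrefix(String str, String str2) {
        if (!str2.toLowerCase(Locale.US).startsWith(str)) {
            throw new IllegalArgumentException(String.format("key URI must start with %s", str));
        }
        return str2.substring(str.length());
    }

    /**
     * Returns an {@link Aead} backed by the KMS key named in the URI.
     *
     * <p>The part after the prefix is split on {@code ':'} and must have at least four tokens; the
     * token at index 3 is taken as the region name. Only the token count is checked here: the
     * first three tokens are not inspected, and the whole remainder is passed to
     * {@code AwsKmsAead} as the key identifier.
     *
     * @param str the key URI
     * @return an AEAD primitive bound to the key
     * @throws GeneralSecurityException if this client is bound to a different URI, or the SDK
     *     raises an {@link AmazonServiceException}
     * @throws IllegalArgumentException if the URI lacks the prefix or has fewer than four tokens;
     *     this is not translated, because the catch below handles only
     *     {@code AmazonServiceException}
     */
    @Override
    public Aead getAead(String str) throws GeneralSecurityException {
        if (this.keyUri != null && !this.keyUri.equals(str)) {
            throw new GeneralSecurityException(String.format("this client is bound to %s, cannot load keys bound to %s", this.keyUri, str));
        }
        try {
            String keyId = removePrefix(PREFIX, str);
            List<String> tokens = Splitter.on(':').splitToList(keyId);
            if (tokens.size() < 4) {
                throw new IllegalArgumentException("invalid key URI");
            }
            String regionName = tokens.get(3);
            AWSKMS client = this.awsKms;
            if (client == null) {
                // NOTE(review): provider is null when no with*Credentials method was called;
                // what the builder does with a null provider is SDK behaviour - confirm.
                // NOTE(review): Regions.fromName presumably rejects unknown region names with an
                // unchecked exception that the catch below does not translate - confirm.
                client = AWSKMSClientBuilder.standard()
                        .withCredentials(this.provider)
                        .withRegion(Regions.fromName(regionName))
                        .build();
            }
            return new AwsKmsAead(client, keyId);
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("cannot load credentials from provider", e);
        }
    }

    /**
     * Builds a client and adds it to {@link KmsClients}, without an injected KMS client.
     *
     * @param optional key URI to bind the client to; when empty the client is unbound
     * @param optional2 path of a credentials properties file; when empty the default chain is used
     * @throws GeneralSecurityException if selecting the credentials source fails
     * @deprecated marked deprecated in this listing; the intended replacement is not shown here.
     */
    @Deprecated
    public static void register(Optional<String> optional, Optional<String> optional2) throws GeneralSecurityException {
        registerWithAwsKms(optional, optional2, null);
    }

    /**
     * Builds a client, configures its credentials and optional pre-built KMS client, and adds it to
     * {@link KmsClients}.
     *
     * <p>With an empty key URI the added client is unbound, so it answers {@code doesSupport} with
     * true for every {@code aws-kms://} URI; pass a key URI to restrict it to one key.
     * NOTE(review): {@code KmsClients} looks like a process-wide registry, so the client and its
     * credentials source would then be reachable by any code that looks up a matching URI -
     * confirm.
     *
     * @param optional key URI to bind the client to; when empty the client is unbound
     * @param optional2 path of a credentials properties file; when empty the default chain is used
     * @param awskms pre-built KMS client to inject, or null
     * @throws GeneralSecurityException if selecting the credentials source fails
     * @throws IllegalArgumentException if a key URI is present but lacks the prefix
     */
    static void registerWithAwsKms(Optional<String> optional, Optional<String> optional2, @Nullable AWSKMS awskms) throws GeneralSecurityException {
        AwsKmsClient client = optional.map(AwsKmsClient::new).orElseGet(AwsKmsClient::new);
        if (optional2.isPresent()) {
            client.withCredentials(optional2.get());
        } else {
            client.withDefaultCredentials();
        }
        client.withAwsKms(awskms);
        KmsClients.add(client);
    }
}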
