package software.amazon.cryptography.dbencryptionsdk.dynamodb.enhancedclient;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import software.amazon.awssdk.enhanced.dynamodb.AttributeConverter;
import software.amazon.awssdk.enhanced.dynamodb.TableMetadata;
import software.amazon.awssdk.enhanced.dynamodb.TableSchema;
import software.amazon.cryptography.dbencryptionsdk.dynamodb.DynamoDbEncryptionInterceptor;
import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.DynamoDbEncryptionException;
import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.DynamoDbTableEncryptionConfig;
import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.DynamoDbTablesEncryptionConfig;
import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.CryptoAction;

/* loaded from: input_file:software/amazon/cryptography/dbencryptionsdk/dynamodb/enhancedclient/DynamoDbEnhancedClientEncryption.class */
public class DynamoDbEnhancedClientEncryption {
    public static DynamoDbEncryptionInterceptor CreateDynamoDbEncryptionInterceptor(CreateDynamoDbEncryptionInterceptorInput createDynamoDbEncryptionInterceptorInput) {
        HashMap hashMap = new HashMap();
        createDynamoDbEncryptionInterceptorInput.tableEncryptionConfigs().forEach((str, dynamoDbEnhancedTableEncryptionConfig) -> {
        });
        return DynamoDbEncryptionInterceptor.builder().config(DynamoDbTablesEncryptionConfig.builder().tableEncryptionConfigs(hashMap).build()).build();
    }

    private static Set<String> attributeNamesUsedInIndices(TableMetadata tableMetadata) {
        HashSet hashSet = new HashSet();
        Stream map = tableMetadata.indices().stream().map((v0) -> {
            return v0.partitionKey();
        }).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).map((v0) -> {
            return v0.name();
        });
        hashSet.getClass();
        map.forEach((v1) -> {
            r1.add(v1);
        });
        Stream map2 = tableMetadata.indices().stream().map((v0) -> {
            return v0.sortKey();
        }).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).map((v0) -> {
            return v0.name();
        });
        hashSet.getClass();
        map2.forEach((v1) -> {
            r1.add(v1);
        });
        return hashSet;
    }

    private static Set<String> attributeNamesUsedInPrimaryKey(TableMetadata tableMetadata) {
        HashSet hashSet = new HashSet();
        Stream stream = tableMetadata.primaryKeys().stream();
        hashSet.getClass();
        stream.forEach((v1) -> {
            r1.add(v1);
        });
        return hashSet;
    }

    private static void throwUsageError(String str, String str2, String str3, String str4) {
        throw DynamoDbEncryptionException.builder().message(String.format("Attribute %s of table %s is used as both %s and %s.", str2, str, str3, str4)).build();
    }

    private static void validateAttributeUsage(String str, String str2, String str3, Optional<Set<String>> optional, Optional<Set<String>> optional2, Optional<Set<String>> optional3) {
        if (optional.isPresent() && optional.get().contains(str2)) {
            throwUsageError(str, str2, str3, "@DynamoDbEncryptionSignOnly");
        }
        if (optional2.isPresent() && optional2.get().contains(str2)) {
            throwUsageError(str, str2, str3, "@DynamoDbEncryptionSignAndIncludeInEncryptionContext");
        }
        if (optional3.isPresent() && optional3.get().contains(str2)) {
            throwUsageError(str, str2, str3, "@DynamoDbEncryptionDoNothing");
        }
    }

    private static Map<String, CryptoAction> getActionsFromSchema(String str, TableSchema<?> tableSchema) {
        Set<String> signOnlyAttributes = getSignOnlyAttributes(tableSchema);
        Set<String> signAndIncludeInEncryptionContextAttributes = getSignAndIncludeInEncryptionContextAttributes(tableSchema);
        Set<String> doNothingAttributes = getDoNothingAttributes(tableSchema);
        Set<String> attributeNamesUsedInIndices = attributeNamesUsedInIndices(tableSchema.tableMetadata());
        Set<String> attributeNamesUsedInPrimaryKey = attributeNamesUsedInPrimaryKey(tableSchema.tableMetadata());
        List<String> attributeNames = tableSchema.attributeNames();
        HashMap hashMap = new HashMap();
        StringBuilder sb = new StringBuilder();
        sb.append(str).append(".");
        for (String str2 : attributeNames) {
            if (attributeNamesUsedInPrimaryKey.contains(str2)) {
                if (signAndIncludeInEncryptionContextAttributes.isEmpty()) {
                    validateAttributeUsage(str, str2, "a primary key", Optional.empty(), Optional.of(signAndIncludeInEncryptionContextAttributes), Optional.of(doNothingAttributes));
                    hashMap.put(str2, CryptoAction.SIGN_ONLY);
                } else {
                    validateAttributeUsage(str, str2, "a primary key", Optional.of(signOnlyAttributes), Optional.empty(), Optional.of(doNothingAttributes));
                    hashMap.put(str2, CryptoAction.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT);
                }
            } else if (signOnlyAttributes.contains(str2)) {
                validateAttributeUsage(str, str2, "@DynamoDbEncryptionSignOnly", Optional.empty(), Optional.of(signAndIncludeInEncryptionContextAttributes), Optional.of(doNothingAttributes));
                hashMap.put(str2, CryptoAction.SIGN_ONLY);
            } else if (signAndIncludeInEncryptionContextAttributes.contains(str2)) {
                validateAttributeUsage(str, str2, "@DynamoDbEncryptionSignAndIncludeInEncryptionContext", Optional.of(signOnlyAttributes), Optional.empty(), Optional.of(doNothingAttributes));
                hashMap.put(str2, CryptoAction.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT);
            } else if (attributeNamesUsedInIndices.contains(str2)) {
                validateAttributeUsage(str, str2, "an index key", Optional.empty(), Optional.of(signAndIncludeInEncryptionContextAttributes), Optional.of(doNothingAttributes));
                hashMap.put(str2, CryptoAction.SIGN_ONLY);
            } else if (doNothingAttributes.contains(str2)) {
                validateAttributeUsage(str, str2, "@DynamoDbEncryptionDoNothing", Optional.of(signOnlyAttributes), Optional.of(signAndIncludeInEncryptionContextAttributes), Optional.empty());
                hashMap.put(str2, CryptoAction.DO_NOTHING);
            } else {
                hashMap.put(str2, CryptoAction.ENCRYPT_AND_SIGN);
            }
            scanForIgnoredEncryptionTags(tableSchema, str2, sb);
        }
        return hashMap;
    }

    private static Map<String, CryptoAction> mergeActions(List<Map<String, CryptoAction>> list) {
        if (list.size() == 1) {
            return list.get(0);
        }
        HashSet hashSet = new HashSet();
        Iterator<Map<String, CryptoAction>> it = list.iterator();
        while (it.hasNext()) {
            hashSet.addAll(it.next().keySet());
        }
        HashMap hashMap = new HashMap();
        Iterator it2 = hashSet.iterator();
        while (it2.hasNext()) {
            String str = (String) it2.next();
            Optional empty = Optional.empty();
            Iterator<Map<String, CryptoAction>> it3 = list.iterator();
            while (it3.hasNext()) {
                CryptoAction cryptoAction = it3.next().get(str);
                if (cryptoAction != null) {
                    if (!empty.isPresent()) {
                        empty = Optional.of(cryptoAction);
                    } else if (!((CryptoAction) empty.get()).equals(cryptoAction)) {
                        throw DynamoDbEncryptionException.builder().message(String.format("Attribute %s set to %s in one table and %s in another.", str, empty.get(), cryptoAction)).build();
                    }
                }
            }
            hashMap.put(str, empty.get());
        }
        return hashMap;
    }

    private static String getPartitionKeyName(List<TableSchema<?>> list) {
        String primaryPartitionKey = list.get(0).tableMetadata().primaryPartitionKey();
        Iterator<TableSchema<?>> it = list.iterator();
        while (it.hasNext()) {
            String primaryPartitionKey2 = it.next().tableMetadata().primaryPartitionKey();
            if (!primaryPartitionKey.equals(primaryPartitionKey2)) {
                throw DynamoDbEncryptionException.builder().message(String.format("Primary Key set to %s in one table and %s in another.", primaryPartitionKey, primaryPartitionKey2)).build();
            }
        }
        return primaryPartitionKey;
    }

    private static Optional<String> getSortKeyName(List<TableSchema<?>> list) {
        Optional<String> primarySortKey = list.get(0).tableMetadata().primarySortKey();
        Iterator<TableSchema<?>> it = list.iterator();
        while (it.hasNext()) {
            Optional primarySortKey2 = it.next().tableMetadata().primarySortKey();
            if (!primarySortKey.equals(primarySortKey2)) {
                throw DynamoDbEncryptionException.builder().message(String.format("Primary Key set to %s in one table and %s in another.", primarySortKey, primarySortKey2)).build();
            }
        }
        return primarySortKey;
    }

    private static DynamoDbTableEncryptionConfig getTableConfig(DynamoDbEnhancedTableEncryptionConfig dynamoDbEnhancedTableEncryptionConfig, String str) {
        ArrayList arrayList = new ArrayList();
        Iterator<TableSchema<?>> it = dynamoDbEnhancedTableEncryptionConfig.schemaOnEncrypt().iterator();
        while (it.hasNext()) {
            arrayList.add(getActionsFromSchema(str, it.next()));
        }
        Map<String, CryptoAction> mergeActions = mergeActions(arrayList);
        DynamoDbTableEncryptionConfig.Builder partitionKeyName = DynamoDbTableEncryptionConfig.builder().partitionKeyName(getPartitionKeyName(dynamoDbEnhancedTableEncryptionConfig.schemaOnEncrypt()));
        Optional<String> sortKeyName = getSortKeyName(dynamoDbEnhancedTableEncryptionConfig.schemaOnEncrypt());
        if (sortKeyName.isPresent()) {
            partitionKeyName = partitionKeyName.sortKeyName(sortKeyName.get());
        }
        if (!Objects.isNull(dynamoDbEnhancedTableEncryptionConfig.keyring())) {
            partitionKeyName = partitionKeyName.keyring(dynamoDbEnhancedTableEncryptionConfig.keyring());
        }
        if (!Objects.isNull(dynamoDbEnhancedTableEncryptionConfig.cmm())) {
            partitionKeyName = partitionKeyName.cmm(dynamoDbEnhancedTableEncryptionConfig.cmm());
        }
        if (!Objects.isNull(dynamoDbEnhancedTableEncryptionConfig.logicalTableName())) {
            partitionKeyName = partitionKeyName.logicalTableName(dynamoDbEnhancedTableEncryptionConfig.logicalTableName());
        }
        if (!Objects.isNull(dynamoDbEnhancedTableEncryptionConfig.plaintextOverride())) {
            partitionKeyName = partitionKeyName.plaintextOverride(dynamoDbEnhancedTableEncryptionConfig.plaintextOverride());
        }
        return partitionKeyName.allowedUnsignedAttributePrefix(dynamoDbEnhancedTableEncryptionConfig.allowedUnsignedAttributePrefix()).allowedUnsignedAttributes(dynamoDbEnhancedTableEncryptionConfig.allowedUnsignedAttributes()).attributeActionsOnEncrypt(mergeActions).legacyOverride(dynamoDbEnhancedTableEncryptionConfig.legacyOverride()).build();
    }

    private static Set<String> getSignOnlyAttributes(TableSchema<?> tableSchema) {
        return (Set) tableSchema.tableMetadata().customMetadataObject(SignOnlyTag.CUSTOM_DDB_ENCRYPTION_SIGN_ONLY_PREFIX, Set.class).orElseGet(HashSet::new);
    }

    private static Set<String> getSignAndIncludeInEncryptionContextAttributes(TableSchema<?> tableSchema) {
        return (Set) tableSchema.tableMetadata().customMetadataObject(SignAndIncludeInEncryptionContextTag.CUSTOM_DDB_ENCRYPTION_SIGN_AND_INCLUDE_PREFIX, Set.class).orElseGet(HashSet::new);
    }

    private static Set<String> getDoNothingAttributes(TableSchema<?> tableSchema) {
        return (Set) tableSchema.tableMetadata().customMetadataObject(DoNothingTag.CUSTOM_DDB_ENCRYPTION_DO_NOTHING_PREFIX, Set.class).orElseGet(HashSet::new);
    }

    private static void scanForIgnoredEncryptionTags(TableSchema<?> tableSchema, String str, StringBuilder sb) {
        AttributeConverter converterForAttribute = tableSchema.converterForAttribute(str);
        StringBuilder append = new StringBuilder(sb).append(str).append(".");
        if (Objects.nonNull(converterForAttribute) && Objects.nonNull(converterForAttribute.type()) && converterForAttribute.type().tableSchema().isPresent()) {
            TableSchema tableSchema2 = (TableSchema) converterForAttribute.type().tableSchema().get();
            Set<String> signOnlyAttributes = getSignOnlyAttributes(tableSchema2);
            if (signOnlyAttributes.size() > 0) {
                throw DynamoDbEncryptionException.builder().message(String.format("Detected DynamoDbEncryption Tag %s on a nested attribute with Path %s. This is NOT Supported at this time!", SignOnlyTag.CUSTOM_DDB_ENCRYPTION_SIGN_ONLY_PREFIX, append.append(signOnlyAttributes.toArray()[0]))).build();
            }
            Set<String> signAndIncludeInEncryptionContextAttributes = getSignAndIncludeInEncryptionContextAttributes(tableSchema2);
            if (signAndIncludeInEncryptionContextAttributes.size() > 0) {
                throw DynamoDbEncryptionException.builder().message(String.format("Detected DynamoDbEncryption Tag %s on a nested attribute with Path %s. This is NOT Supported at this time!", SignAndIncludeInEncryptionContextTag.CUSTOM_DDB_ENCRYPTION_SIGN_AND_INCLUDE_PREFIX, append.append(signAndIncludeInEncryptionContextAttributes.toArray()[0]))).build();
            }
            Set<String> doNothingAttributes = getDoNothingAttributes(tableSchema2);
            if (doNothingAttributes.size() > 0) {
                throw DynamoDbEncryptionException.builder().message(String.format("Detected DynamoDbEncryption Tag %s on a nested attribute with Path %s. This is NOT Supported at this time!", DoNothingTag.CUSTOM_DDB_ENCRYPTION_DO_NOTHING_PREFIX, append.append(doNothingAttributes.toArray()[0]))).build();
            }
            Iterator it = tableSchema2.attributeNames().iterator();
            while (it.hasNext()) {
                scanForIgnoredEncryptionTags(tableSchema2, (String) it.next(), append);
            }
        }
    }
}
