package com.azure.storage.blob.specialized.cryptography;

import com.azure.core.cryptography.AsyncKeyEncryptionKey;
import com.azure.core.cryptography.AsyncKeyEncryptionKeyResolver;
import com.azure.core.http.HttpHeaders;
import com.azure.core.http.HttpMethod;
import com.azure.core.http.HttpPipelineCallContext;
import com.azure.core.http.HttpPipelineNextPolicy;
import com.azure.core.http.HttpResponse;
import com.azure.core.http.policy.HttpPipelinePolicy;
import com.azure.core.util.DateTimeRfc1123;
import com.azure.core.util.FluxUtil;
import com.azure.core.util.logging.ClientLogger;
import com.azure.storage.blob.BlobAsyncClient;
import com.azure.storage.blob.models.BlobProperties;
import com.azure.storage.blob.models.BlobRange;
import com.azure.storage.blob.models.BlobRequestConditions;
import com.azure.storage.common.ParallelTransferOptions;
import com.azure.storage.common.implementation.BufferStagingArea;
import com.azure.storage.common.implementation.UploadUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicLong;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import reactor.core.Exceptions;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/azure/storage/blob/specialized/cryptography/BlobDecryptionPolicy.class */
public class BlobDecryptionPolicy implements HttpPipelinePolicy {
    private static final ClientLogger LOGGER = new ClientLogger(BlobDecryptionPolicy.class);
    private final AsyncKeyEncryptionKeyResolver keyResolver;
    private final AsyncKeyEncryptionKey keyWrapper;
    private final boolean requiresEncryption;
    private final BlobAsyncClient blobClient;

    /* loaded from: input_file:com/azure/storage/blob/specialized/cryptography/BlobDecryptionPolicy$DecryptedResponse.class */
    static class DecryptedResponse extends HttpResponse {
        private final Flux<ByteBuffer> plainTextBody;
        private final HttpHeaders httpHeaders;
        private final int statusCode;

        DecryptedResponse(HttpResponse httpResponse, Flux<ByteBuffer> flux) {
            super(httpResponse.getRequest());
            this.plainTextBody = flux;
            this.httpHeaders = httpResponse.getHeaders();
            this.statusCode = httpResponse.getStatusCode();
        }

        public int getStatusCode() {
            return this.statusCode;
        }

        public String getHeaderValue(String str) {
            return this.httpHeaders.getValue(str);
        }

        public HttpHeaders getHeaders() {
            return this.httpHeaders;
        }

        public Flux<ByteBuffer> getBody() {
            return this.plainTextBody;
        }

        public Mono<byte[]> getBodyAsByteArray() {
            return FluxUtil.collectBytesInByteBufferStream(this.plainTextBody);
        }

        public Mono<String> getBodyAsString() {
            return FluxUtil.collectBytesInByteBufferStream(this.plainTextBody).map(String::new);
        }

        public Mono<String> getBodyAsString(Charset charset) {
            return FluxUtil.collectBytesInByteBufferStream(this.plainTextBody).map(bArr -> {
                return new String(bArr, charset);
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public BlobDecryptionPolicy(AsyncKeyEncryptionKey asyncKeyEncryptionKey, AsyncKeyEncryptionKeyResolver asyncKeyEncryptionKeyResolver, boolean z, BlobAsyncClient blobAsyncClient) {
        this.keyWrapper = asyncKeyEncryptionKey;
        this.keyResolver = asyncKeyEncryptionKeyResolver;
        this.requiresEncryption = z;
        this.blobClient = blobAsyncClient;
    }

    public Mono<HttpResponse> process(HttpPipelineCallContext httpPipelineCallContext, HttpPipelineNextPolicy httpPipelineNextPolicy) {
        HttpHeaders headers = httpPipelineCallContext.getHttpRequest().getHeaders();
        String value = headers.getValue("x-ms-range");
        if (value == null) {
            return httpPipelineNextPolicy.process().flatMap(httpResponse -> {
                if (httpResponse.getRequest().getHttpMethod() != HttpMethod.GET || httpResponse.getBody() == null) {
                    return Mono.just(httpResponse);
                }
                HttpHeaders headers2 = httpResponse.getHeaders();
                EncryptionData andValidateEncryptionData = EncryptionData.getAndValidateEncryptionData(httpResponse.getHeaderValue("x-ms-meta-encryptiondata"), this.requiresEncryption);
                if (andValidateEncryptionData == null) {
                    return Mono.just(httpResponse);
                }
                EncryptedBlobRange encryptedBlobRange = new EncryptedBlobRange(new BlobRange(0L), andValidateEncryptionData);
                encryptedBlobRange.setAdjustedDownloadCount(Long.parseLong(headers2.getValue("Content-Length")));
                return Mono.just(new DecryptedResponse(httpResponse, decryptBlob(httpResponse.getBody(), encryptedBlobRange, andValidateEncryptionData.getEncryptionAgent().getProtocol().equals("1.0") && encryptedBlobRange.toBlobRange().getOffset() + encryptedBlobRange.toBlobRange().getCount().longValue() > blobSize(headers2).longValue() - 16, andValidateEncryptionData, httpResponse.getRequest().getUrl().toString())));
            });
        }
        return this.blobClient.getPropertiesWithResponse(extractRequestConditionsFromRequest(headers)).flatMap(response -> {
            EncryptionData andValidateEncryptionData = EncryptionData.getAndValidateEncryptionData((String) ((BlobProperties) response.getValue()).getMetadata().get("encryptiondata"), this.requiresEncryption);
            headers.set("ETag", ((BlobProperties) response.getValue()).getETag());
            if (andValidateEncryptionData == null) {
                return httpPipelineNextPolicy.process();
            }
            EncryptedBlobRange encryptedBlobRangeFromHeader = EncryptedBlobRange.getEncryptedBlobRangeFromHeader(value, andValidateEncryptionData);
            if (httpPipelineCallContext.getHttpRequest().getHeaders().getValue("x-ms-range") != null) {
                headers.set("x-ms-range", encryptedBlobRangeFromHeader.toBlobRange().toString());
            }
            return httpPipelineNextPolicy.process().map(httpResponse2 -> {
                if (httpResponse2.getRequest().getHttpMethod() != HttpMethod.GET || httpResponse2.getBody() == null) {
                    return httpResponse2;
                }
                HttpHeaders headers2 = httpResponse2.getHeaders();
                if (httpResponse2.getHeaderValue("x-ms-meta-encryptiondata") == null) {
                    return httpResponse2;
                }
                encryptedBlobRangeFromHeader.setAdjustedDownloadCount(Long.parseLong(headers2.getValue("Content-Length")));
                return new DecryptedResponse(httpResponse2, decryptBlob(httpResponse2.getBody(), encryptedBlobRangeFromHeader, andValidateEncryptionData.getEncryptionAgent().getProtocol().equals("1.0") && encryptedBlobRangeFromHeader.toBlobRange().getOffset() + encryptedBlobRangeFromHeader.toBlobRange().getCount().longValue() > blobSize(headers2).longValue() - 16, andValidateEncryptionData, httpResponse2.getRequest().getUrl().toString()));
            });
        });
    }

    private BlobRequestConditions extractRequestConditionsFromRequest(HttpHeaders httpHeaders) {
        return new BlobRequestConditions().setLeaseId(httpHeaders.getValue("x-ms-lease-id")).setIfUnmodifiedSince(httpHeaders.getValue("If-Unmodified-Since") == null ? null : new DateTimeRfc1123(httpHeaders.getValue("If-Unmodified-Since")).getDateTime()).setIfNoneMatch(httpHeaders.getValue("If-None-Match")).setIfMatch(httpHeaders.getValue("If-Match")).setIfModifiedSince(httpHeaders.getValue("If-Modified-Since") == null ? null : new DateTimeRfc1123(httpHeaders.getValue("If-Modified-Since")).getDateTime());
    }

    Flux<ByteBuffer> decryptBlob(Flux<ByteBuffer> flux, EncryptedBlobRange encryptedBlobRange, boolean z, EncryptionData encryptionData, String str) {
        AtomicLong atomicLong = new AtomicLong(0L);
        return trimData(encryptedBlobRange, new AtomicLong(0L), encryptionData == null ? flux : getKeyEncryptionKey(encryptionData).flatMapMany(bArr -> {
            String protocol = encryptionData.getEncryptionAgent().getProtocol();
            boolean z2 = -1;
            switch (protocol.hashCode()) {
                case 48563:
                    if (protocol.equals("1.0")) {
                        z2 = false;
                        break;
                    }
                    break;
                case 49524:
                    if (protocol.equals("2.0")) {
                        z2 = true;
                        break;
                    }
                    break;
            }
            switch (z2) {
                case false:
                    return decryptV1(flux, encryptedBlobRange, z, encryptionData, str, atomicLong, bArr);
                case true:
                    return decryptV2(flux, encryptionData, bArr);
                default:
                    throw LOGGER.logExceptionAsError(new IllegalStateException("Encryption protocol not recognized: " + encryptionData.getEncryptionAgent().getProtocol()));
            }
        }));
    }

    private Flux<ByteBuffer> trimData(EncryptedBlobRange encryptedBlobRange, AtomicLong atomicLong, Flux<ByteBuffer> flux) {
        return flux.map(byteBuffer -> {
            int limit = byteBuffer.limit();
            if (atomicLong.longValue() <= encryptedBlobRange.getAmountPlaintextToSkip()) {
                byteBuffer.position(Math.min(encryptedBlobRange.getAmountPlaintextToSkip() - ((int) atomicLong.longValue()), byteBuffer.limit()));
            }
            long amountPlaintextToSkip = encryptedBlobRange.getOriginalRange().getCount() == null ? Long.MAX_VALUE : encryptedBlobRange.getAmountPlaintextToSkip() + encryptedBlobRange.getOriginalRange().getCount().longValue();
            if (limit + atomicLong.longValue() > amountPlaintextToSkip) {
                byteBuffer.limit(atomicLong.longValue() <= amountPlaintextToSkip ? limit - ((int) ((limit + atomicLong.longValue()) - amountPlaintextToSkip)) : byteBuffer.position());
            } else if (limit + atomicLong.longValue() > encryptedBlobRange.getAmountPlaintextToSkip()) {
                byteBuffer.limit(limit);
            } else {
                byteBuffer.limit(byteBuffer.position());
            }
            atomicLong.addAndGet(limit);
            return byteBuffer;
        });
    }

    private Flux<ByteBuffer> decryptV2(Flux<ByteBuffer> flux, EncryptionData encryptionData, byte[] bArr) {
        int dataLength = encryptionData.getEncryptedRegionInfo().getDataLength();
        int nonceLength = encryptionData.getEncryptedRegionInfo().getNonceLength();
        BufferStagingArea bufferStagingArea = new BufferStagingArea(dataLength + 16 + nonceLength, dataLength + 16 + nonceLength);
        Flux chunkSource = UploadUtils.chunkSource(flux, new ParallelTransferOptions().setBlockSizeLong(Long.valueOf(dataLength + 16 + nonceLength)));
        Objects.requireNonNull(bufferStagingArea);
        Flux flatMapSequential = chunkSource.flatMapSequential(bufferStagingArea::write);
        Objects.requireNonNull(bufferStagingArea);
        return flatMapSequential.concatWith(Flux.defer(bufferStagingArea::flush)).flatMapSequential(bufferAggregator -> {
            try {
                Cipher cipher = getCipher(bArr, encryptionData, bufferAggregator.getFirstNBytes(nonceLength), false);
                ByteBuffer allocate = ByteBuffer.allocate(dataLength);
                return bufferAggregator.asFlux().map(byteBuffer -> {
                    try {
                        cipher.update(byteBuffer, allocate);
                        return allocate;
                    } catch (ShortBufferException e) {
                        throw LOGGER.logExceptionAsError(Exceptions.propagate(e));
                    }
                }).then(Mono.fromCallable(() -> {
                    cipher.doFinal(ByteBuffer.allocate(0), allocate);
                    allocate.flip();
                    return allocate;
                })).flux();
            } catch (InvalidKeyException e) {
                return Mono.error(LOGGER.logExceptionAsError(Exceptions.propagate(e)));
            }
        });
    }

    private Flux<ByteBuffer> decryptV1(Flux<ByteBuffer> flux, EncryptedBlobRange encryptedBlobRange, boolean z, EncryptionData encryptionData, String str, AtomicLong atomicLong, byte[] bArr) {
        LOGGER.warning("Downloaded data found to be encrypted with v1 encryption, which is no longer secure. Uri: " + str);
        try {
            Cipher cipher = getCipher(bArr, encryptionData, encryptedBlobRange.getOffsetAdjustment() <= 16 ? encryptionData.getContentEncryptionIV() : new byte[16], z);
            return flux.map(byteBuffer -> {
                ByteBuffer allocate = ByteBuffer.allocate(cipher.getOutputSize(byteBuffer.remaining()));
                int remaining = byteBuffer.remaining();
                try {
                    if (atomicLong.longValue() + remaining >= encryptedBlobRange.getAdjustedDownloadCount().longValue()) {
                        cipher.doFinal(byteBuffer, allocate);
                    } else {
                        cipher.update(byteBuffer, allocate);
                    }
                    atomicLong.addAndGet(remaining);
                    allocate.flip();
                    return allocate;
                } catch (GeneralSecurityException e) {
                    throw LOGGER.logExceptionAsError(Exceptions.propagate(e));
                }
            });
        } catch (InvalidKeyException e) {
            throw LOGGER.logExceptionAsError(Exceptions.propagate(e));
        }
    }

    private Mono<byte[]> getKeyEncryptionKey(EncryptionData encryptionData) {
        return (this.keyResolver != null ? this.keyResolver.buildAsyncKeyEncryptionKey(encryptionData.getWrappedContentKey().getKeyId()).onErrorResume(NullPointerException.class, nullPointerException -> {
            throw LOGGER.logExceptionAsError(Exceptions.propagate(nullPointerException));
        }) : this.keyWrapper.getKeyId().flatMap(str -> {
            if (encryptionData.getWrappedContentKey().getKeyId().equals(str)) {
                return Mono.just(this.keyWrapper);
            }
            throw LOGGER.logExceptionAsError(Exceptions.propagate(new IllegalArgumentException("Key mismatch. The key id stored on the service does not match the specified key.")));
        })).flatMap(asyncKeyEncryptionKey -> {
            return asyncKeyEncryptionKey.unwrapKey(encryptionData.getWrappedContentKey().getAlgorithm(), encryptionData.getWrappedContentKey().getEncryptedKey());
        }).flatMap(bArr -> {
            String protocol = encryptionData.getEncryptionAgent().getProtocol();
            boolean z = -1;
            switch (protocol.hashCode()) {
                case 48563:
                    if (protocol.equals("1.0")) {
                        z = true;
                        break;
                    }
                    break;
                case 49524:
                    if (protocol.equals("2.0")) {
                        z = false;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
                    byte[] bArr = new byte[3];
                    try {
                        byteArrayInputStream.read(bArr);
                        if (ByteBuffer.wrap("2.0".getBytes(StandardCharsets.UTF_8)).compareTo(ByteBuffer.wrap(bArr)) != 0) {
                            return Mono.error(LOGGER.logExceptionAsError(new IllegalStateException("Padded wrapped key did not match protocol version")));
                        }
                        for (int i = 0; i < 5; i++) {
                            byteArrayInputStream.read();
                        }
                        if (byteArrayInputStream.available() != 32) {
                            return Mono.error(LOGGER.logExceptionAsError(new IllegalStateException("Wrapped key bytes were incorrect length")));
                        }
                        byte[] bArr2 = new byte[32];
                        byteArrayInputStream.read(bArr2);
                        return Mono.just(bArr2);
                    } catch (IOException e) {
                        return Mono.error(LOGGER.logThrowableAsError(e));
                    }
                case true:
                    return Mono.just(bArr);
                default:
                    return Mono.error(LOGGER.logExceptionAsError(new IllegalStateException("Invalid protocol version: " + encryptionData.getEncryptionAgent().getProtocol())));
            }
        });
    }

    private Cipher getCipher(byte[] bArr, EncryptionData encryptionData, byte[] bArr2, boolean z) throws InvalidKeyException {
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, 0, bArr.length, "AES");
        try {
            switch (encryptionData.getEncryptionAgent().getAlgorithm()) {
                case AES_CBC_256:
                    Cipher cipher = z ? Cipher.getInstance("AES/CBC/PKCS5Padding") : Cipher.getInstance("AES/CBC/NoPadding");
                    cipher.init(2, secretKeySpec, new IvParameterSpec(bArr2));
                    return cipher;
                case AES_GCM_256:
                    Cipher cipher2 = Cipher.getInstance("AES/GCM/NoPadding");
                    cipher2.init(2, secretKeySpec, new GCMParameterSpec(128, bArr2));
                    return cipher2;
                default:
                    throw LOGGER.logExceptionAsError(new IllegalArgumentException("Invalid Encryption Algorithm found on the resource. This version of the client library does not support the specified encryption algorithm: " + encryptionData.getEncryptionAgent().getAlgorithm()));
            }
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw LOGGER.logExceptionAsError(Exceptions.propagate(e));
        }
    }

    private Long blobSize(HttpHeaders httpHeaders) {
        return httpHeaders.getValue("Content-Range") != null ? Long.valueOf(httpHeaders.getValue("Content-Range").split("/")[1]) : Long.valueOf(httpHeaders.getValue("Content-Length"));
    }
}
