package org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.keytools;

import java.io.IOException;
import java.util.Base64;
import java.util.Set;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.hadoop.conf.Configuration;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.hadoop.fs.FileStatus;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.hadoop.fs.FileSystem;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.hadoop.fs.Path;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.AesGcmDecryptor;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.AesGcmEncryptor;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.AesMode;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.KeyAccessDeniedException;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.ModuleCipherFactory;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.crypto.ParquetCryptoRuntimeException;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.hadoop.BadConfigurationException;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.hadoop.util.ConfigurationUtil;
import org.apache.flink.shaded.net.snowflake.ingest.internal.apache.parquet.hadoop.util.HiddenFileFilter;

/* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit.class */
public class KeyToolkit {
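    /** Configuration key naming the {@link KmsClient} implementation class; read by {@code createAndInitKmsClient}. */
    public static final String KMS_CLIENT_CLASS_PROPERTY_NAME = "parquet.encryption.kms.client.class";

    // The keys from here down to KEK_LENGTH_PROPERTY_NAME are, except where stated, only declared
    // in this class and not read by it; the descriptions are inferred from the key strings.

    /** Configuration key for the KMS instance identifier. */
    public static final String KMS_INSTANCE_ID_PROPERTY_NAME = "parquet.encryption.kms.instance.id";
    /** Configuration key for the KMS instance URL. */
    public static final String KMS_INSTANCE_URL_PROPERTY_NAME = "parquet.encryption.kms.instance.url";
    /**
     * Configuration key for the KMS access token.
     * NOTE(review): the value stored under this key is a credential, so a configuration that
     * carries it should be treated as sensitive (see {@code formatTokenForLog} for log output).
     */
    public static final String KEY_ACCESS_TOKEN_PROPERTY_NAME = "parquet.encryption.key.access.token";
    /** Configuration key for the double-wrapping switch (presumably DEK wrapped by KEK, KEK wrapped by master key). */
    public static final String DOUBLE_WRAPPING_PROPERTY_NAME = "parquet.encryption.double.wrapping";
    /** Configuration key for the cache entry lifetime, in seconds. */
    public static final String CACHE_LIFETIME_PROPERTY_NAME = "parquet.encryption.cache.lifetime.seconds";
    /** Configuration key for storing key material inside the data file; read by {@code rotateMasterKeys}. */
    public static final String KEY_MATERIAL_INTERNAL_PROPERTY_NAME = "parquet.encryption.key.material.store.internally";
    /** Configuration key for the data-key length, in bits. */
    public static final String DATA_KEY_LENGTH_PROPERTY_NAME = "parquet.encryption.data.key.length.bits";
    /** Configuration key for the key-encryption-key length, in bits. */
    public static final String KEK_LENGTH_PROPERTY_NAME = "parquet.encryption.kek.length.bits";

    // Defaults paired by name with the keys above. They are applied by code outside this class.
    public static final boolean DOUBLE_WRAPPING_DEFAULT = true;
    public static final long CACHE_LIFETIME_DEFAULT_SECONDS = 600;
    // NOTE(review): rotateMasterKeys reads the matching property with a default of false, not this
    // constant, so an unset property is treated differently there.
    public static final boolean KEY_MATERIAL_INTERNAL_DEFAULT = true;
    // 128-bit keys by default; a deployment that requires longer keys presumably has to set the
    // two *.length.bits properties explicitly. TODO confirm against the code that reads them.
    public static final int DATA_KEY_LENGTH_DEFAULT = 128;
    public static final int KEK_LENGTH_DEFAULT = 128;

    /** One hour in milliseconds; rotateMasterKeys clears the KEK write cache at most once per such interval. */
    private static final int CACHE_CLEAN_PERIOD_FOR_KEY_ROTATION = 3600000;
    /** Wall-clock time (epoch millis) of the last rotation-driven cache clear; guarded by the lock below. */
    private static long lastCacheCleanForKeyRotationTime = 0;
    // Declared final: a monitor object that could be reassigned would let two threads synchronize
    // on different instances and enter the guarded section together.
    private static final Object lastCacheCleanForKeyRotationTimeLock = new Object();

    // JVM-wide caches, organised per access token. They keep KMS clients and key-encryption keys
    // in process memory until they expire or are removed via removeCacheEntriesForToken /
    // removeCacheEntriesForAllTokens.
    static final TwoLevelCacheWithExpiration<KmsClient> KMS_CLIENT_CACHE_PER_TOKEN = KmsClientCache.INSTANCE.getCache();
    static final TwoLevelCacheWithExpiration<KeyEncryptionKey> KEK_WRITE_CACHE_PER_TOKEN = KEKWriteCache.INSTANCE.getCache();
    // Holds raw byte arrays (presumably unwrapped KEK bytes - confirm against the unwrapper).
    static final TwoLevelCacheWithExpiration<byte[]> KEK_READ_CACHE_PER_TOKEN = KEKReadCache.INSTANCE.getCache();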

    /* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit$KEKReadCache.class */
    /**
     * Enum-based singleton owning the cache of byte arrays exposed as
     * {@code KEK_READ_CACHE_PER_TOKEN}. The single constant guarantees one cache per class loader.
     */
    private enum KEKReadCache {
        INSTANCE;

        // Created once, when the enum constant is initialised.
        private final TwoLevelCacheWithExpiration<byte[]> cache = new TwoLevelCacheWithExpiration<>();

        /** Returns the one shared cache instance (the live object, not a copy). */
        public TwoLevelCacheWithExpiration<byte[]> getCache() {
            return cache;
        }
    }

    /* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit$KEKWriteCache.class */
    /**
     * Enum-based singleton owning the cache of {@link KeyEncryptionKey} objects exposed as
     * {@code KEK_WRITE_CACHE_PER_TOKEN}. The single constant guarantees one cache per class loader.
     */
    private enum KEKWriteCache {
        INSTANCE;

        // Created once, when the enum constant is initialised.
        private final TwoLevelCacheWithExpiration<KeyEncryptionKey> cache = new TwoLevelCacheWithExpiration<>();

        /** Returns the one shared cache instance (the live object, not a copy). */
        public TwoLevelCacheWithExpiration<KeyEncryptionKey> getCache() {
            return cache;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit$KeyEncryptionKey.class */
    /**
     * Holder for one key-encryption key (KEK): its raw bytes, its identifier, and its wrapped
     * form as an encoded string.
     *
     * <p>Security note: the byte arrays are stored and returned by reference, without defensive
     * copies. Anything that receives {@link #getBytes()} holds the live key material and can
     * modify it, so callers should neither mutate nor log the returned array.
     *
     * <p>The decompiler reports that the constructor and accessors were package-private in the
     * original class; they appear as public here.
     */
    public static class KeyEncryptionKey {
        private final byte[] kekBytes;
        private final byte[] kekID;
        private final String encodedWrappedKEK;
        // Base64 text of kekID, filled in on first request. The field is neither volatile nor
        // guarded, so two threads may both compute it; both would store an equal string.
        private String encodedKekID;

        /**
         * @param bArr raw KEK bytes (kept by reference)
         * @param bArr2 KEK identifier bytes (kept by reference)
         * @param str the wrapped KEK in encoded (string) form
         */
        public KeyEncryptionKey(byte[] bArr, byte[] bArr2, String str) {
            kekBytes = bArr;
            kekID = bArr2;
            encodedWrappedKEK = str;
        }

        /** Returns the raw KEK bytes: the same array instance passed to the constructor. */
        public byte[] getBytes() {
            return kekBytes;
        }

        /** Returns the KEK identifier bytes: the same array instance passed to the constructor. */
        public byte[] getID() {
            return kekID;
        }

        /** Returns the Base64 (standard alphabet) encoding of the KEK identifier, computing it once. */
        public String getEncodedID() {
            String encoded = encodedKekID;
            if (encoded != null) {
                return encoded;
            }
            encoded = Base64.getEncoder().encodeToString(kekID);
            encodedKekID = encoded;
            return encoded;
        }

        /** Returns the wrapped KEK string given at construction. */
        public String getEncodedWrappedKEK() {
            return encodedWrappedKEK;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit$KeyWithMasterID.class */
    /**
     * Pairs key bytes (returned by {@link #getDataKey()}) with the identifier of the master key
     * they are associated with.
     *
     * <p>Security note: the key array is stored and returned by reference, with no defensive
     * copy, so every holder of the returned array shares the live key material.
     */
    public static class KeyWithMasterID {
        private final String masterID;
        private final byte[] keyBytes;

        /**
         * @param bArr data key bytes (kept by reference)
         * @param str master key identifier
         */
        public KeyWithMasterID(byte[] bArr, String str) {
            keyBytes = bArr;
            masterID = str;
        }

        /** Returns the data key: the same array instance passed to the constructor. */
        public byte[] getDataKey() {
            return keyBytes;
        }

        /** Returns the master key identifier given at construction. */
        String getMasterID() {
            return masterID;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit$KmsClientAndDetails.class */
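    /**
     * Immutable bundle of a {@link KmsClient} together with the identifier and URL of the KMS
     * instance it was created for.
     *
     * <p>The fields are assigned once in the constructor and never reassigned, so they are
     * declared {@code final}. That makes the bundle safe to hand between threads and rules out
     * an accidental swap of the client or its endpoint details after construction.
     */
    public static class KmsClientAndDetails {
        private final KmsClient kmsClient;
        private final String kmsInstanceID;
        private final String kmsInstanceURL;

        /**
         * @param kmsClient the client to carry
         * @param str KMS instance identifier
         * @param str2 KMS instance URL
         */
        public KmsClientAndDetails(KmsClient kmsClient, String str, String str2) {
            this.kmsClient = kmsClient;
            this.kmsInstanceID = str;
            this.kmsInstanceURL = str2;
        }

        /** Returns the carried KMS client. */
        public KmsClient getKmsClient() {
            return this.kmsClient;
        }

        /** Returns the KMS instance identifier given at construction. */
        public String getKmsInstanceID() {
            return this.kmsInstanceID;
        }

        /** Returns the KMS instance URL given at construction. */
        public String getKmsInstanceURL() {
            return this.kmsInstanceURL;
        }
    }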

    /* loaded from: input_file:org/apache/flink/shaded/net/snowflake/ingest/internal/apache/parquet/crypto/keytools/KeyToolkit$KmsClientCache.class */
    /**
     * Enum-based singleton owning the cache of {@link KmsClient} objects exposed as
     * {@code KMS_CLIENT_CACHE_PER_TOKEN}. The single constant guarantees one cache per class loader.
     */
    private enum KmsClientCache {
        INSTANCE;

        // Created once, when the enum constant is initialised.
        private final TwoLevelCacheWithExpiration<KmsClient> cache = new TwoLevelCacheWithExpiration<>();

        /** Returns the one shared cache instance (the live object, not a copy). */
        public TwoLevelCacheWithExpiration<KmsClient> getCache() {
            return cache;
        }
    }

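    /**
     * Rotates master keys for every non-hidden entry of a folder: each key in the entry's
     * external key material store is unwrapped and then wrapped again into a temporary store,
     * which finally replaces the original store.
     *
     * <p>Per entry the replacement is three separate steps (save temporary material, remove the
     * original, move the temporary material into place). NOTE(review): nothing in this method
     * makes the sequence atomic, so a failure between the steps presumably leaves the temporary
     * material as the only copy; confirm how {@code HadoopFSKeyMaterialStore} recovers.
     *
     * @param str path of the folder holding the files whose key material is rotated
     * @param configuration Hadoop configuration used for the file system, KMS client and stores
     * @throws UnsupportedOperationException if the configuration says key material is stored internally
     * @throws ParquetCryptoRuntimeException if the path is missing, is not a directory, or lists no entries
     * @throws IOException on file system failure
     */
    public static void rotateMasterKeys(String str, Configuration configuration) throws IOException, ParquetCryptoRuntimeException, KeyAccessDeniedException, UnsupportedOperationException {
        // NOTE(review): the fallback here is false although KEY_MATERIAL_INTERNAL_DEFAULT is true,
        // so with the property unset rotation goes ahead. Confirm this asymmetry is intended.
        if (configuration.getBoolean(KEY_MATERIAL_INTERNAL_PROPERTY_NAME, false)) {
            throw new UnsupportedOperationException("Key rotation is not supported for internal key material");
        }

        // Drop cached write-side KEKs at most once per period, so that re-wrapping does not keep
        // reusing KEKs cached before the rotation. The timestamp is shared, hence the lock.
        long now = System.currentTimeMillis();
        synchronized (lastCacheCleanForKeyRotationTimeLock) {
            if (now - lastCacheCleanForKeyRotationTime > CACHE_CLEAN_PERIOD_FOR_KEY_ROTATION) {
                KEK_WRITE_CACHE_PER_TOKEN.clear();
                lastCacheCleanForKeyRotationTime = now;
            }
        }

        Path folder = new Path(str);
        FileSystem fs = folder.getFileSystem(configuration);
        if (!fs.exists(folder) || !fs.isDirectory(folder)) {
            throw new ParquetCryptoRuntimeException("Couldn't rotate keys - folder doesn't exist or is not a directory: " + str);
        }

        // Only the hidden-file filter is applied; entries are not checked to be Parquet files.
        FileStatus[] entries = fs.listStatus(folder, HiddenFileFilter.INSTANCE);
        if (entries.length == 0) {
            throw new ParquetCryptoRuntimeException("Couldn't rotate keys - no parquet files in folder " + str);
        }

        final String footerKeyId = "footerKey";
        for (FileStatus entry : entries) {
            Path file = entry.getPath();

            // Current key material (third argument false) and a temporary store (true) that
            // receives the re-wrapped material.
            HadoopFSKeyMaterialStore currentStore = new HadoopFSKeyMaterialStore(fs);
            currentStore.initialize(file, configuration, false);
            HadoopFSKeyMaterialStore tempStore = new HadoopFSKeyMaterialStore(fs);
            tempStore.initialize(file, configuration, true);

            Set<String> keyIds = currentStore.getKeyIDSet();
            FileKeyUnwrapper unwrapper = new FileKeyUnwrapper(configuration, file, currentStore);

            // The footer key goes first, flagged true in the wrapper call; the wrapper reuses
            // the KMS client details resolved while unwrapping it.
            KeyWithMasterID footerKey = unwrapper.getDEKandMasterID(KeyMaterial.parse(currentStore.getKeyMaterial(footerKeyId)));
            FileKeyWrapper wrapper = new FileKeyWrapper(configuration, tempStore, unwrapper.getKmsClientAndDetails());
            wrapper.getEncryptionKeyMetadata(footerKey.getDataKey(), footerKey.getMasterID(), true, footerKeyId);

            // Every remaining key ID is re-wrapped with the flag set to false.
            keyIds.remove(footerKeyId);
            for (String keyId : keyIds) {
                KeyWithMasterID key = unwrapper.getDEKandMasterID(KeyMaterial.parse(currentStore.getKeyMaterial(keyId)));
                wrapper.getEncryptionKeyMetadata(key.getDataKey(), key.getMasterID(), false, keyId);
            }

            // Persist the new material before removing the old, then move it into place.
            tempStore.saveMaterial();
            currentStore.removeMaterial();
            tempStore.moveMaterialTo(currentStore);
        }
    }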

    /**
     * Removes the entries stored under one access token from all three static caches
     * (KMS clients, write-side KEKs, read-side KEKs), in that order.
     *
     * <p>This only asks each cache to remove the entries; whether cached key bytes are
     * overwritten is not visible from this class.
     *
     * @param str the access token whose cache entries are removed
     */
    public static void removeCacheEntriesForToken(String str) {
        TwoLevelCacheWithExpiration<?>[] caches = {
            KMS_CLIENT_CACHE_PER_TOKEN, KEK_WRITE_CACHE_PER_TOKEN, KEK_READ_CACHE_PER_TOKEN
        };
        for (TwoLevelCacheWithExpiration<?> cache : caches) {
            cache.removeCacheEntriesForToken(str);
        }
    }

    /**
     * Clears all three static caches (KMS clients, write-side KEKs, read-side KEKs), in that
     * order, for every access token.
     */
    public static void removeCacheEntriesForAllTokens() {
        TwoLevelCacheWithExpiration<?>[] caches = {
            KMS_CLIENT_CACHE_PER_TOKEN, KEK_WRITE_CACHE_PER_TOKEN, KEK_READ_CACHE_PER_TOKEN
        };
        for (TwoLevelCacheWithExpiration<?> cache : caches) {
            cache.clear();
        }
    }

    /**
     * Encrypts key bytes with AES-GCM and returns the result as Base64 text.
     *
     * <p>How the nonce is chosen and how the output is laid out is decided inside
     * {@code AesGcmEncryptor} and cannot be seen here.
     *
     * @param bArr the key bytes to protect (the plaintext)
     * @param bArr2 the AES key used for encryption
     * @param bArr3 passed as the last argument of {@code encrypt}; presumably the additional
     *     authenticated data, which {@code decryptKeyLocally} would then need unchanged (TODO confirm)
     * @return Base64 (standard alphabet) encoding of the encryptor's output
     */
    public static String encryptKeyLocally(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        AesGcmEncryptor gcmEncryptor = (AesGcmEncryptor) ModuleCipherFactory.getEncryptor(AesMode.GCM, bArr2);
        byte[] wrappedKey = gcmEncryptor.encrypt(false, bArr, bArr3);
        return Base64.getEncoder().encodeToString(wrappedKey);
    }

    /**
     * Reverses {@code encryptKeyLocally}: Base64-decodes the text and decrypts it with AES-GCM.
     *
     * <p>Malformed Base64 makes the decoder throw {@link IllegalArgumentException}. How a failed
     * authentication check is reported is decided inside {@code AesGcmDecryptor} (not visible here).
     *
     * @param str Base64 text holding the encrypted key
     * @param bArr the AES key used for decryption
     * @param bArr2 passed as the last argument of {@code decrypt}; presumably the additional
     *     authenticated data used at encryption time (TODO confirm)
     * @return the decrypted key bytes
     */
    public static byte[] decryptKeyLocally(String str, byte[] bArr, byte[] bArr2) {
        byte[] wrappedKey = Base64.getDecoder().decode(str);
        AesGcmDecryptor gcmDecryptor = (AesGcmDecryptor) ModuleCipherFactory.getDecryptor(AesMode.GCM, bArr);
        int offset = 0;
        return gcmDecryptor.decrypt(wrappedKey, offset, wrappedKey.length, bArr2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the cached {@link KmsClient} for an access token and KMS instance ID, creating and
     * initialising one on first use.
     *
     * <p>NOTE(review): the cache is keyed by access token and then by instance ID only. The
     * instance URL is used solely when a client is created, so a later call with the same token
     * and ID but a different URL gets the client built for the first URL.
     *
     * @param str KMS instance ID (inner cache key)
     * @param str2 KMS instance URL (used only when creating a client)
     * @param configuration Hadoop configuration handed to the new client
     * @param str3 access token (outer cache key)
     * @param j forwarded to {@code getOrCreateInternalCache}; presumably the cache entry lifetime (TODO confirm units)
     */
    public static KmsClient getKmsClient(String str, String str2, Configuration configuration, String str3, long j) {
        return KMS_CLIENT_CACHE_PER_TOKEN
            .getOrCreateInternalCache(str3, j)
            .computeIfAbsent(str, ignoredKey -> createAndInitKmsClient(configuration, str, str2, str3));
    }

    /* JADX INFO: Access modifiers changed from: private */
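    /**
     * Loads the {@link KmsClient} implementation named in the configuration, instantiates it
     * through its no-argument constructor and initialises it.
     *
     * <p>Security note: the implementation class comes from configuration and receives the
     * access token in {@code initialize}. Whoever can set
     * {@code parquet.encryption.kms.client.class} therefore chooses the code that handles the
     * token, so that property should only be settable by trusted parties.
     * {@code KmsClient.class} is passed to {@code getClassFromConfig}, presumably as the required
     * supertype (TODO confirm).
     *
     * @param configuration Hadoop configuration holding the client class name
     * @param str KMS instance ID
     * @param str2 KMS instance URL
     * @param str3 access token
     * @return the initialised client
     * @throws ParquetCryptoRuntimeException if no class is configured or it cannot be instantiated
     */
    public static KmsClient createAndInitKmsClient(Configuration configuration, String str, String str2, String str3) {
        // Declared outside the try block so the catch clause can name the class that failed.
        // The message previously always ended in "null", which hid the misconfigured class.
        Class<?> kmsClientClass = null;
        try {
            kmsClientClass = ConfigurationUtil.getClassFromConfig(configuration, KMS_CLIENT_CLASS_PROPERTY_NAME, KmsClient.class);
            if (null == kmsClientClass) {
                throw new ParquetCryptoRuntimeException("Unspecified parquet.encryption.kms.client.class");
            }
            KmsClient kmsClient = (KmsClient) kmsClientClass.newInstance();
            kmsClient.initialize(configuration, str, str2, str3);
            return kmsClient;
        } catch (IllegalAccessException | InstantiationException | BadConfigurationException e) {
            // Only the class is reported; the access token is deliberately kept out of the message.
            throw new ParquetCryptoRuntimeException("Could not instantiate KmsClient class: " + kmsClientClass, e);
        }
    }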

    /* JADX INFO: Access modifiers changed from: package-private */
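    /**
     * Produces a short, log-safe snippet of an access token: its last five characters.
     *
     * <p>A token of five characters or fewer used to be returned unchanged, which put the whole
     * credential into the log. Such tokens are now replaced by a fixed mask, and {@code null}
     * yields the text {@code "null"} instead of a {@link NullPointerException}. An empty token
     * is returned as is, since there is nothing to disclose.
     *
     * <p>For a token only slightly longer than five characters the snippet still reveals most
     * of it, so logs carrying snippets should be handled as sensitive.
     *
     * @param str the access token, may be {@code null}
     * @return the last five characters, {@code "*****"} for a non-empty token of at most five
     *     characters, {@code ""} for an empty token, or {@code "null"} for {@code null}
     */
    public static String formatTokenForLog(String str) {
        final int snippetLength = 5;
        if (str == null) {
            return "null";
        }
        if (str.isEmpty()) {
            return str;
        }
        if (str.length() <= snippetLength) {
            // Never echo a short token in full.
            return "*****";
        }
        return str.substring(str.length() - snippetLength);
    }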

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether a string is {@code null} or has length zero. Whitespace-only strings count
     * as non-empty.
     *
     * @param str the string to test, may be {@code null}
     * @return {@code true} for {@code null} or {@code ""}, otherwise {@code false}
     */
    public static boolean stringIsEmpty(String str) {
        if (str == null) {
            return true;
        }
        return str.length() == 0;
    }
}
