package software.amazon.cloudformation.encryption;

import com.amazonaws.PredefinedClientConfigurations;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CommitmentPolicy;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.fasterxml.jackson.core.type.TypeReference;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.DecoderException;
import software.amazon.awssdk.core.SdkSystemSetting;
import software.amazon.cloudformation.exceptions.EncryptionException;
import software.amazon.cloudformation.proxy.Credentials;
import software.amazon.cloudformation.resource.Serializer;

/* loaded from: input_file:software/amazon/cloudformation/encryption/KMSCipher.class */
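/**
 * {@link Cipher} that decrypts a Base64-encoded AWS Encryption SDK message whose plaintext is a
 * serialized {@link Credentials} object.
 *
 * <p>The KMS master key provider is built in strict mode against a single key, so only that key
 * is used for decryption, and the {@link AwsCrypto} client is configured with
 * {@link CommitmentPolicy#ForbidEncryptAllowDecrypt}: this class is a decrypt-only component.
 * KMS calls are made with credentials obtained by assuming a caller-supplied IAM role via STS.
 */
public class KMSCipher implements Cipher {
    // Timeouts and retry budget for the STS client used to assume the KMS access role.
    private static final int STS_CONNECTION_TIMEOUT_MILLIS = 10000;
    private static final int STS_CONNECTION_TTL_MILLIS = 60000;
    private static final int STS_CLIENT_EXECUTION_TIMEOUT_MILLIS = 10000;
    private static final int STS_REQUEST_TIMEOUT_MILLIS = 10000;
    private static final int STS_SOCKET_TIMEOUT_MILLIS = 10000;
    private static final int STS_MAX_ERROR_RETRY = 3;
    // Region for both the STS client and the KMS provider when AWS_REGION is not set.
    private static final String DEFAULT_REGION = "us-east-1";

    private final AwsCrypto cryptoHelper;
    private final MasterKeyProvider<KmsMasterKey> kmsKeyProvider;
    private final Serializer serializer;
    private final TypeReference<Credentials> credentialsTypeReference;

    /**
     * Creates a cipher that decrypts with the given KMS key, calling KMS under credentials
     * obtained by assuming {@code encryptionKeyRole}.
     *
     * @param encryptionKeyArn the KMS key the provider is restricted to (strict mode)
     * @param encryptionKeyRole ARN of the IAM role assumed through STS for KMS access
     */
    public KMSCipher(final String encryptionKeyArn, final String encryptionKeyRole) {
        final String region = SdkSystemSetting.AWS_REGION.getStringValue().orElse(DEFAULT_REGION);
        final AWSSecurityTokenService stsClient = buildStsClient(region);
        // Strict mode: the provider only ever uses the single configured key.
        this.kmsKeyProvider = KmsMasterKeyProvider.builder()
            .withCredentials(getAssumeRoleSessionCredentialProvider(encryptionKeyRole, stsClient))
            .withDefaultRegion(region)
            .buildStrict(encryptionKeyArn);
        // Decrypt-only: encryption through this client is refused by policy.
        this.cryptoHelper = AwsCrypto.builder()
            .withCommitmentPolicy(CommitmentPolicy.ForbidEncryptAllowDecrypt)
            .build();
        this.serializer = new Serializer();
        this.credentialsTypeReference = getCredentialsTypeReference();
    }

    /**
     * Creates a cipher around pre-built crypto and key-provider instances (e.g. for tests).
     *
     * @param awsCrypto the Encryption SDK client used to decrypt
     * @param masterKeyProvider the KMS master key provider used to unwrap data keys
     */
    public KMSCipher(final AwsCrypto awsCrypto, final MasterKeyProvider<KmsMasterKey> masterKeyProvider) {
        this.kmsKeyProvider = masterKeyProvider;
        this.cryptoHelper = awsCrypto;
        this.serializer = new Serializer();
        this.credentialsTypeReference = getCredentialsTypeReference();
    }

    /**
     * Decrypts and deserializes credentials.
     *
     * @param encryptedCredentials Base64 text of an AWS Encryption SDK message whose plaintext is
     *     the UTF-8 serialized {@link Credentials}
     * @return the decrypted credentials, never {@code null}
     * @throws EncryptionException if the input is not valid Base64, cannot be decrypted with the
     *     configured key, cannot be deserialized, or deserializes to {@code null}
     */
    @Override // software.amazon.cloudformation.encryption.Cipher
    public Credentials decryptCredentials(final String encryptedCredentials) {
        try {
            final byte[] plaintext = this.cryptoHelper
                .decryptData(this.kmsKeyProvider, Base64.decode(encryptedCredentials))
                .getResult();
            final Credentials credentials = this.serializer.deserialize(
                new String(plaintext, StandardCharsets.UTF_8), this.credentialsTypeReference);
            if (credentials == null) {
                throw new EncryptionException("Failed to decrypt credentials. Decrypted credentials are 'null'.");
            }
            return credentials;
        } catch (IOException | AwsCryptoException | DecoderException e) {
            // DecoderException: Base64.decode rejects malformed input with an unchecked exception;
            // surface it under the same contract as decryption and deserialization failures.
            throw new EncryptionException("Failed to decrypt credentials.", e);
        }
    }

    /** Builds the STS client with the fixed timeout and retry configuration above. */
    private static AWSSecurityTokenService buildStsClient(final String region) {
        return AWSSecurityTokenServiceClientBuilder.standard()
            .withClientConfiguration(PredefinedClientConfigurations.defaultConfig()
                .withConnectionTimeout(STS_CONNECTION_TIMEOUT_MILLIS)
                .withConnectionTTL(STS_CONNECTION_TTL_MILLIS)
                .withClientExecutionTimeout(STS_CLIENT_EXECUTION_TIMEOUT_MILLIS)
                .withRequestTimeout(STS_REQUEST_TIMEOUT_MILLIS)
                .withSocketTimeout(STS_SOCKET_TIMEOUT_MILLIS)
                .withMaxErrorRetry(STS_MAX_ERROR_RETRY))
            .withRegion(region)
            .build();
    }

    /** Jackson type token for deserializing the decrypted plaintext into {@link Credentials}. */
    private static TypeReference<Credentials> getCredentialsTypeReference() {
        return new TypeReference<Credentials>() {
        };
    }

    /**
     * Builds a refreshing assume-role credentials provider for {@code roleArn}.
     *
     * <p>A fresh random UUID is used as the role session name, so each cipher instance assumes
     * the role under a distinct session.
     *
     * @param roleArn ARN of the IAM role to assume
     * @param stsClient STS client used for the AssumeRole calls
     */
    private static STSAssumeRoleSessionCredentialsProvider
        getAssumeRoleSessionCredentialProvider(final String roleArn, final AWSSecurityTokenService stsClient) {
        return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, UUID.randomUUID().toString())
            .withStsClient(stsClient)
            .build();
    }
}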
