package com.google.crypto.tink.integration.awskmsv2;

import com.google.common.base.Splitter;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.subtle.Validators;
import java.net.URI;
import java.nio.file.FileSystems;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkServiceException;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.profiles.ProfileFile;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClientBuilder;

/* loaded from: input_file:com/google/crypto/tink/integration/awskmsv2/AwsKmsV2Client.class */
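/**
 * Tink {@link KmsClient} that resolves {@code aws-kms://} key URIs to {@link Aead} primitives
 * backed by an AWS SDK v2 KMS client.
 *
 * <p>The {@code with*} methods mutate this instance and return it, so configuration is shared by
 * every {@link Aead} created afterwards. No synchronization is visible in this class.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The KMS endpoint can be redirected both programmatically
 *       ({@link #withKmsEndpointOverride(URI)}) and through the {@code KMS_ENDPOINT_OVERRIDE}
 *       environment variable. Requests built by the returned {@link Aead} go to that endpoint,
 *       so the process environment must be treated as trusted configuration.</li>
 *   <li>{@code keyUri} is only read in the code shown here; nothing visible assigns it, so the
 *       "bound to a single key" checks are inactive unless another code path sets the field.</li>
 * </ul>
 */
public final class AwsKmsV2Client implements KmsClient {
    /** URI scheme prefix accepted by this client. */
    public static final String PREFIX = "aws-kms://";
    /** Name of the environment variable that, when set, overrides the KMS endpoint. */
    private static final String KMS_ENDPOINT_OVERRIDE = "KMS_ENDPOINT_OVERRIDE";
    // Credentials source handed to the SDK client builder; null until one of the
    // withCredentials* methods has been called.
    private AwsCredentialsProvider provider;
    // Optional caller-supplied HTTP client passed through to the SDK builder.
    private SdkHttpClient httpClient;
    // Key URI this client is bound to, or null when unbound (see class Javadoc).
    private String keyUri;
    // Programmatic endpoint override; applied after, and therefore instead of, the env override.
    private URI kmsEndpointOverride;

    /**
     * Reports whether this client can handle the given key URI.
     *
     * @param str key URI to test
     * @return when bound to a key, {@code true} only for exactly that URI; otherwise {@code true}
     *     when {@code str} starts with {@link #PREFIX} (compared case-insensitively)
     */
    @Override // com.google.crypto.tink.KmsClient
    public boolean doesSupport(String str) {
        if (this.keyUri != null) {
            return this.keyUri.equals(str);
        }
        return str.toLowerCase(Locale.US).startsWith(PREFIX);
    }

    /**
     * Configures credentials from an AWS profile file.
     *
     * <p>NOTE(review): a {@code null} path reaches {@code getPath} and fails with an unchecked
     * exception. The {@code KmsClient} interface contract for {@code null} is not visible in this
     * file - confirm whether {@code null} is expected to mean "use default credentials".
     *
     * @param str file-system path of the profile file
     * @return this client
     * @throws GeneralSecurityException declared by the interface; not thrown by the code shown
     */
    @Override // com.google.crypto.tink.KmsClient
    public AwsKmsV2Client withCredentials(String str) throws GeneralSecurityException {
        // mo12755build is a decompiler-generated name; presumably the SDK builders' build() - confirm.
        return withCredentialsProvider(
                ProfileCredentialsProvider.builder()
                        .profileFile(
                                ProfileFile.builder()
                                        .content(FileSystems.getDefault().getPath(str, new String[0]))
                                        .mo12755build())
                        .mo12755build());
    }

    /**
     * Configures the SDK's default credentials provider.
     *
     * <p>NOTE(review): only {@link SdkServiceException} is translated here. If the SDK resolves
     * credentials lazily, failures would surface later from the {@link Aead} instead - confirm.
     *
     * @return this client
     * @throws GeneralSecurityException if creating the default provider raises an
     *     {@link SdkServiceException}
     */
    @Override // com.google.crypto.tink.KmsClient
    public AwsKmsV2Client withDefaultCredentials() throws GeneralSecurityException {
        try {
            return withCredentialsProvider(DefaultCredentialsProvider.create());
        } catch (SdkServiceException e) {
            throw new GeneralSecurityException("Cannot load default credentials", e);
        }
    }

    /**
     * Sets the credentials provider used for every KMS client created afterwards.
     *
     * @param awsCredentialsProvider provider to use; stored as-is without validation
     * @return this client
     * @throws GeneralSecurityException declared for API symmetry; not thrown by the code shown
     */
    public AwsKmsV2Client withCredentialsProvider(AwsCredentialsProvider awsCredentialsProvider) throws GeneralSecurityException {
        this.provider = awsCredentialsProvider;
        return this;
    }

    /**
     * Sets the HTTP client handed to the SDK builder.
     *
     * @param sdkHttpClient HTTP client to use; stored as-is
     * @return this client
     */
    public AwsKmsV2Client withHttpClient(SdkHttpClient sdkHttpClient) {
        this.httpClient = sdkHttpClient;
        return this;
    }

    /**
     * Sets a programmatic KMS endpoint override.
     *
     * <p>When non-null it is applied after the {@code KMS_ENDPOINT_OVERRIDE} environment value and
     * therefore wins over it. The URI is not validated here, so callers decide which endpoint
     * receives the KMS requests.
     *
     * @param uri endpoint to use, or {@code null} for none
     * @return this client
     */
    public AwsKmsV2Client withKmsEndpointOverride(URI uri) {
        this.kmsEndpointOverride = uri;
        return this;
    }

    /**
     * Builds an SDK KMS client for the given region from the configured provider and HTTP client.
     *
     * @param str AWS region identifier taken from the key ARN
     * @return the built SDK client
     */
    private software.amazon.awssdk.services.kms.KmsClient createKmsClient(String str) {
        KmsClientBuilder kmsClientBuilder =
                (KmsClientBuilder) ((KmsClientBuilder) ((KmsClientBuilder) software.amazon.awssdk.services.kms.KmsClient.builder()
                        .credentialsProvider(this.provider))
                        .region(Region.of(str)))
                        .httpClient(this.httpClient);

        // Environment override first. Anyone able to set this variable for the process chooses
        // where KMS requests are sent; a malformed value makes URI.create throw
        // IllegalArgumentException, which is not translated here.
        Optional<URI> environmentOverride =
                Optional.ofNullable(System.getenv().get(KMS_ENDPOINT_OVERRIDE)).map(URI::create);
        environmentOverride.ifPresent(kmsClientBuilder::endpointOverride);

        // Programmatic override second, so it replaces the environment value when both are set.
        Optional<URI> explicitOverride = Optional.ofNullable(this.kmsEndpointOverride);
        explicitOverride.ifPresent(kmsClientBuilder::endpointOverride);

        // mo12755build is a decompiler-generated name; presumably the SDK builder's build() - confirm.
        return kmsClientBuilder.mo12755build();
    }

    /**
     * Returns an {@link Aead} backed by the AWS KMS key named by the URI.
     *
     * <p>The region is read from the fourth colon-separated field of the key ARN. A URI whose ARN
     * has no such field, or an empty one, is rejected with a {@link GeneralSecurityException}
     * instead of surfacing as an unchecked exception from the list lookup or region parsing.
     *
     * @param str key URI starting with {@link #PREFIX}
     * @return an {@link Aead} that uses the referenced key
     * @throws GeneralSecurityException if this client is bound to a different key, the ARN carries
     *     no region, or the SDK raises an {@link SdkServiceException}
     */
    @Override // com.google.crypto.tink.KmsClient
    public Aead getAead(String str) throws GeneralSecurityException {
        if (this.keyUri != null && !this.keyUri.equals(str)) {
            throw new GeneralSecurityException(String.format("This client is bound to %s, cannot load keys bound to %s", this.keyUri, str));
        }
        try {
            String keyArn = Validators.validateKmsKeyUriAndRemovePrefix(PREFIX, str);
            List<String> arnFields = Splitter.on(':').splitToList(keyArn);
            // Field index 3 is used as the region; guard the lookup so malformed input cannot
            // escape as IndexOutOfBoundsException from a method that promises a checked failure.
            if (arnFields.size() <= 3 || arnFields.get(3).isEmpty()) {
                throw new GeneralSecurityException("Invalid AWS KMS key URI: cannot determine the region from the key ARN");
            }
            return new AwsKmsV2Aead(createKmsClient(arnFields.get(3)), keyArn);
        } catch (SdkServiceException e) {
            throw new GeneralSecurityException("Cannot load credentials from provider", e);
        }
    }
}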
