package io.confluent.kafka.schemaregistry.encryption.aws;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.PropertiesCredentials;
import com.amazonaws.services.kms.AWSKMS;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.integration.awskms.AwsKmsClient;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/aws/AwsKmsDriver.class */
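/**
 * {@link KmsDriver} implementation that builds Tink {@link AwsKmsClient} instances for key URLs
 * starting with {@code aws-kms://}.
 *
 * <p>Credentials come either from the two config entries below (static, long-lived keys) or, when
 * they are not both present, from {@link DefaultAWSCredentialsProviderChain}.
 */
public class AwsKmsDriver implements KmsDriver {
    /** Config key holding the AWS access key id used for static credentials. */
    public static final String ACCESS_KEY_ID = "access.key.id";
    /** Config key holding the AWS secret access key; the value is a secret and must not be logged. */
    public static final String SECRET_ACCESS_KEY = "secret.access.key";

    /**
     * Returns the URL prefix this driver is responsible for.
     *
     * @return the literal {@code "aws-kms://"}
     */
    public String getKeyUrlPrefix() {
        return "aws-kms://";
    }

    /**
     * Resolves the credentials provider described by the config map.
     *
     * <p>Static credentials are used only when BOTH {@link #ACCESS_KEY_ID} and
     * {@link #SECRET_ACCESS_KEY} are present. If either is missing (for example a misspelled key),
     * the default provider chain is used without any error, so the client may end up running under
     * whatever ambient identity the chain finds.
     *
     * @param configs driver configuration; the two credential entries are expected to be strings
     * @return a static provider for the configured key pair, or the default provider chain
     * @throws GeneralSecurityException if the credentials cannot be built, including when a
     *     configured value is not a {@code String}
     */
    private AWSCredentialsProvider getCredentials(Map<String, ?> configs) throws GeneralSecurityException {
        try {
            String accessKeyId = (String) configs.get(ACCESS_KEY_ID);
            String secretAccessKey = (String) configs.get(SECRET_ACCESS_KEY);
            if (accessKeyId == null || secretAccessKey == null) {
                return new DefaultAWSCredentialsProviderChain();
            }
            // PropertiesCredentials parses a java.util.Properties document. Building that document
            // by string concatenation lets a backslash, a line terminator or leading whitespace in
            // a configured value be reinterpreted by the parser (altered value, or an extra
            // property line). Properties.store() escapes the values so they round-trip verbatim.
            Properties credentialProps = new Properties();
            credentialProps.setProperty("accessKey", accessKeyId);
            credentialProps.setProperty("secretKey", secretAccessKey);
            ByteArrayOutputStream encoded = new ByteArrayOutputStream();
            credentialProps.store(encoded, null);
            return new AWSStaticCredentialsProvider(
                    new PropertiesCredentials(new ByteArrayInputStream(encoded.toByteArray())));
        } catch (Exception e) {
            // The message stays generic on purpose: it must never carry the credential values.
            throw new GeneralSecurityException("cannot load credentials", e);
        }
    }

    /**
     * Creates a KMS client from the driver configuration.
     *
     * <p>If {@code getTestClient(map)} returns a client, that client is injected and no credentials
     * are read from {@code map}; otherwise credentials are resolved via
     * {@link #getCredentials(Map)}.
     *
     * @param map driver configuration
     * @param optional key URI handed to the {@link AwsKmsClient} constructor when present
     * @return the configured client
     * @throws GeneralSecurityException if the credentials or the client cannot be set up
     */
    public KmsClient newKmsClient(Map<String, ?> map, Optional<String> optional) throws GeneralSecurityException {
        // NOTE(review): getTestClient is not defined in this class; presumably inherited from
        // KmsDriver. Confirm that production configs can never supply a test client.
        AWSKMS testClient = (AWSKMS) getTestClient(map);
        Optional<AWSCredentialsProvider> credentials =
                testClient != null ? Optional.empty() : Optional.of(getCredentials(map));
        return newKmsClientWithAwsKms(optional, credentials, testClient);
    }

    /**
     * Builds an {@link AwsKmsClient} and applies credentials and, optionally, a pre-built
     * {@link AWSKMS} instance.
     *
     * @param optional key URI for the {@link AwsKmsClient} constructor; the no-arg constructor is
     *     used when empty
     * @param optional2 credentials provider to install; when empty,
     *     {@code withDefaultCredentials()} is called instead
     * @param awskms pre-built AWS KMS client to inject, or {@code null} for none
     * @return the configured client
     * @throws GeneralSecurityException if the client rejects the credentials setup
     */
    protected static KmsClient newKmsClientWithAwsKms(Optional<String> optional, Optional<AWSCredentialsProvider> optional2, AWSKMS awskms) throws GeneralSecurityException {
        AwsKmsClient client;
        if (optional.isPresent()) {
            client = new AwsKmsClient(optional.get());
        } else {
            client = new AwsKmsClient();
        }
        if (optional2.isPresent()) {
            client.withCredentialsProvider(optional2.get());
        } else {
            client.withDefaultCredentials();
        }
        if (awskms != null) {
            setAwsKms(client, awskms);
        }
        return client;
    }

    /**
     * Overwrites the private {@code awsKms} field of {@link AwsKmsClient} via reflection.
     *
     * <p>This depends on a private field name of a third-party class, so it can break when the
     * Tink version changes, or when reflective access to that field is denied at runtime.
     *
     * @param client the Tink client to modify
     * @param awsKms the AWS KMS client to install
     * @throws RuntimeException if the field cannot be found or written
     */
    private static void setAwsKms(AwsKmsClient client, AWSKMS awsKms) {
        try {
            Field awsKmsField = AwsKmsClient.class.getDeclaredField("awsKms");
            awsKmsField.setAccessible(true);
            awsKmsField.set(client, awsKms);
        } catch (Exception e) {
            throw new RuntimeException("cannot set awsKms field on AwsKmsClient", e);
        }
    }
}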
