package io.confluent.kafka.schemaregistry.encryption.gcp;

import com.google.api.services.cloudkms.v1.CloudKMS;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/gcp/GcpKmsDriver.class */
/**
 * {@link KmsDriver} for key URIs that start with {@code gcp-kms://}.
 *
 * <p>Credentials are either assembled from the configuration keys declared below or taken
 * from Google application-default credentials. The resulting {@link GcpKmsClient} is added
 * to Tink's {@link KmsClients} registry on every registration call.
 *
 * <p>NOTE(review): this listing appears to be decompiler output (parameter names such as
 * {@code map} and {@code optional} are synthetic), and {@code getTestClient} is not defined
 * here; it is presumably inherited from {@link KmsDriver}. Confirm against the original source.
 */
public class GcpKmsDriver implements KmsDriver {
    /** Config key for the credential type; {@code "service_account"} is used when it is absent. */
    public static final String ACCOUNT_TYPE = "account.type";
    /** Config key for the value written to the {@code client_id} field of the key file. */
    public static final String CLIENT_ID = "client.id";
    /** Config key for the value written to the {@code client_email} field of the key file. */
    public static final String CLIENT_EMAIL = "client.email";
    /** Config key for the value written to the {@code private_key_id} field of the key file. */
    public static final String PRIVATE_KEY_ID = "private.key.id";
    /**
     * Config key for the value written to the {@code private_key} field of the key file.
     * This is secret material: keep the configuration map out of logs and error messages.
     */
    public static final String PRIVATE_KEY = "private.key";

    /**
     * Returns the URI prefix this driver handles.
     *
     * @return the constant {@code "gcp-kms://"}
     */
    public String getKeyUrlPrefix() {
        return "gcp-kms://";
    }

    /**
     * Builds Google credentials from the configuration.
     *
     * <p>An in-memory key file is used only when {@link #CLIENT_ID}, {@link #CLIENT_EMAIL},
     * {@link #PRIVATE_KEY_ID} and {@link #PRIVATE_KEY} are all present. If any one of them is
     * missing the method falls back to application-default credentials without reporting it,
     * so a partially filled or misspelled configuration runs under whatever identity the
     * environment provides rather than the one the operator intended.
     *
     * @param configs driver configuration; the values read here are cast to {@code String}
     * @return credentials parsed from the assembled key file, or the application default
     * @throws GeneralSecurityException if loading or parsing the credentials raises an
     *     {@link IOException}
     */
    private GoogleCredentials getCredentials(Map<String, ?> configs) throws GeneralSecurityException {
        String accountType = (String) configs.get(ACCOUNT_TYPE);
        if (accountType == null) {
            accountType = "service_account";
        }
        String clientId = (String) configs.get(CLIENT_ID);
        String clientEmail = (String) configs.get(CLIENT_EMAIL);
        String privateKeyId = (String) configs.get(PRIVATE_KEY_ID);
        String privateKey = (String) configs.get(PRIVATE_KEY);
        boolean hasExplicitKey =
                clientId != null && clientEmail != null && privateKeyId != null && privateKey != null;

        try {
            if (!hasExplicitKey) {
                return GoogleCredentials.getApplicationDefault();
            }
            // NOTE(review): the values are spliced into JSON text without escaping. A value
            // containing a double quote or backslash changes the structure of the document
            // (extra or overridden fields, or a parse failure), so this is only safe while the
            // configuration comes from a trusted source. Building the document with a JSON
            // library would remove that dependency, but it would also change how escape
            // sequences already present in private.key are interpreted; check existing
            // deployments before altering it.
            // The private key is also copied into a second String here and stays on the heap
            // until it is garbage collected.
            String keyFileJson = "{ \"type\": \"" + accountType
                    + "\", \"client_id\": \"" + clientId
                    + "\", \"client_email\": \"" + clientEmail
                    + "\", \"private_key_id\": \"" + privateKeyId
                    + "\", \"private_key\": \"" + privateKey
                    + "\" }";
            byte[] keyFileBytes = keyFileJson.getBytes(StandardCharsets.UTF_8);
            return GoogleCredentials.fromStream(new ByteArrayInputStream(keyFileBytes));
        } catch (IOException e) {
            throw new GeneralSecurityException("cannot load credentials", e);
        }
    }

    /**
     * Creates and registers a KMS client for the given configuration.
     *
     * <p>When {@code getTestClient} returns a client, credentials are not loaded at all and
     * that client is injected instead.
     * NOTE(review): how {@code getTestClient} derives its result is not visible here; confirm
     * that this hook cannot be activated by configuration in a production deployment, since
     * it replaces the KMS backend.
     *
     * @param map driver configuration
     * @param optional optional value handed to the {@link GcpKmsClient} constructor
     *     (presumably the key URI the client is bound to)
     * @return the registered client
     * @throws GeneralSecurityException if credentials cannot be loaded or applied
     */
    public KmsClient registerKmsClient(Map<String, ?> map, Optional<String> optional) throws GeneralSecurityException {
        CloudKMS testClient = (CloudKMS) getTestClient(map);
        Optional<GoogleCredentials> credentials;
        if (testClient == null) {
            credentials = Optional.ofNullable(getCredentials(map));
        } else {
            credentials = Optional.empty();
        }
        return registerWithCloudKms(optional, credentials, testClient);
    }

    /**
     * Builds a {@link GcpKmsClient}, configures its backend and adds it to {@link KmsClients}.
     *
     * <p>Precedence: a non-null {@code cloudKMS} is injected directly; otherwise the supplied
     * credentials are used; otherwise the client's default credentials are used.
     *
     * @param optional optional argument for the {@link GcpKmsClient} constructor; the no-arg
     *     constructor is used when it is empty
     * @param optional2 credentials to apply when no {@code cloudKMS} is given
     * @param cloudKMS pre-built Cloud KMS service to inject, or {@code null}
     * @return the client that was added to {@link KmsClients}
     * @throws GeneralSecurityException if applying the credentials fails
     */
    public static KmsClient registerWithCloudKms(Optional<String> optional, Optional<GoogleCredentials> optional2, CloudKMS cloudKMS) throws GeneralSecurityException {
        GcpKmsClient client;
        if (optional.isPresent()) {
            client = new GcpKmsClient(optional.get());
        } else {
            client = new GcpKmsClient();
        }

        if (cloudKMS == null) {
            if (optional2.isPresent()) {
                client.withCredentials(optional2.get());
            } else {
                client.withDefaultCredentials();
            }
        } else {
            setCloudKms(client, cloudKMS);
        }

        // Every call adds another client to the registry; nothing here removes earlier ones.
        KmsClients.add(client);
        return client;
    }

    /**
     * Overwrites the private {@code cloudKms} field of the client through reflection.
     *
     * <p>This depends on the field name inside {@link GcpKmsClient}; any failure to find or
     * write the field surfaces as an unchecked {@link RuntimeException}.
     *
     * @param client the client whose backend is replaced
     * @param service the Cloud KMS service to install
     */
    private static void setCloudKms(GcpKmsClient client, CloudKMS service) {
        try {
            Field backendField = GcpKmsClient.class.getDeclaredField("cloudKms");
            // The field is not public, so access checks have to be lifted before writing.
            backendField.setAccessible(true);
            backendField.set(client, service);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
