package io.confluent.kafka.schemaregistry.encryption.hcvault;

import com.google.crypto.tink.KmsClient;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import io.github.jopenlibs.vault.SslConfig;
import io.github.jopenlibs.vault.api.Logical;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/hcvault/HcVaultKmsDriver.class */
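/**
 * {@link KmsDriver} implementation that builds {@link HcVaultKmsClient} instances from a
 * configuration map.
 *
 * <p>Security-relevant configuration: the value under {@link #TOKEN_ID} is handed to
 * {@code HcVaultKmsClient.withCredentials} as the Vault credential, and the value under
 * {@link #SSL_KEYSTORE_PASSWORD} is passed to the keystore loader. Both are secrets, so the
 * configuration map should not be logged or echoed into exception messages.
 *
 * <p>The {@code VAULT_*} constants are not read anywhere in this class. Presumably they name
 * environment variables consulted by {@code HcVaultKmsClient.withDefaultCredentials()};
 * confirm against that class.
 */
public class HcVaultKmsDriver implements KmsDriver {
    // Configuration-map keys read by this driver.
    public static final String TOKEN_ID = "token.id";
    public static final String NAMESPACE = "namespace";
    public static final String SSL_KEYSTORE_LOCATION = "ssl.keystore.location";
    public static final String SSL_KEYSTORE_PASSWORD = "ssl.keystore.password";
    public static final String SSL_TRUSTSTORE_LOCATION = "ssl.truststore.location";

    // Not referenced in this class; see the class comment.
    public static final String VAULT_NAMESPACE = "VAULT_NAMESPACE";
    public static final String VAULT_SSL_KEYSTORE_LOCATION = "VAULT_SSL_KEYSTORE_LOCATION";
    public static final String VAULT_SSL_KEYSTORE_PASSWORD = "VAULT_SSL_KEYSTORE_PASSWORD";
    public static final String VAULT_SSL_TRUSTSTORE_LOCATION = "VAULT_SSL_TRUSTSTORE_LOCATION";

    /**
     * Returns the key URL prefix this driver is responsible for.
     *
     * @return {@code HcVaultKmsClient.PREFIX}
     */
    public String getKeyUrlPrefix() {
        return HcVaultKmsClient.PREFIX;
    }

    /**
     * Builds the TLS configuration from the {@code ssl.*} entries of the configuration map.
     *
     * @param configs driver configuration; the three {@code ssl.*} values are cast to
     *     {@code String}, so a non-String value fails with {@code ClassCastException}
     * @return the TLS configuration, or {@code null} when neither a keystore nor a truststore
     *     location is configured
     * @throws GeneralSecurityException if the Vault library rejects the keystore or truststore
     */
    private SslConfig getSslConfig(Map<String, ?> configs) throws GeneralSecurityException {
        String keystoreLocation = (String) configs.get(SSL_KEYSTORE_LOCATION);
        String keystorePassword = (String) configs.get(SSL_KEYSTORE_PASSWORD);
        String truststoreLocation = (String) configs.get(SSL_TRUSTSTORE_LOCATION);
        return getSslConfig(keystoreLocation, keystorePassword, truststoreLocation);
    }

    /**
     * Builds a Vault {@link SslConfig} from file locations.
     *
     * <p>This body was reconstructed from the bytecode instruction dump the decompiler emitted
     * in place of Java source; the decompiled stub threw {@code UnsupportedOperationException}
     * unconditionally. The decompiler also reported that it changed the access modifier from
     * {@code protected}; the modifier is kept as it appeared in the decompiled listing.
     *
     * @param keystoreLocation path of the client keystore; ignored when {@code null} or empty
     * @param keystorePassword password passed to {@code SslConfig.keyStoreFile} together with
     *     the keystore; it is forwarded as-is, including {@code null} when none is configured
     * @param truststoreLocation path of the truststore; ignored when {@code null} or empty
     * @return the built configuration, or {@code null} when both locations are absent
     * @throws GeneralSecurityException wrapping the {@code VaultException} raised while loading
     *     either store or building the configuration
     */
    public static SslConfig getSslConfig(String keystoreLocation, String keystorePassword, String truststoreLocation) throws GeneralSecurityException {
        try {
            boolean hasKeystore = keystoreLocation != null && !keystoreLocation.isEmpty();
            boolean hasTruststore = truststoreLocation != null && !truststoreLocation.isEmpty();
            if (!hasKeystore && !hasTruststore) {
                // No TLS material configured here. What certificate verification the client
                // then performs is decided by the caller and the Vault library, not by this
                // method.
                return null;
            }
            SslConfig sslConfig = new SslConfig();
            if (hasKeystore) {
                sslConfig = sslConfig.keyStoreFile(new java.io.File(keystoreLocation), keystorePassword);
            }
            if (hasTruststore) {
                sslConfig = sslConfig.trustStoreFile(new java.io.File(truststoreLocation));
            }
            return sslConfig.build();
        } catch (io.github.jopenlibs.vault.VaultException e) {
            // The message deliberately carries no path or password; the cause is preserved.
            throw new GeneralSecurityException("unable to create ssl config", e);
        }
    }

    /** Reads the Vault token from the configuration map; {@code null} when not configured. */
    private String getToken(Map<String, ?> configs) {
        return (String) configs.get(TOKEN_ID);
    }

    /** Reads the Vault namespace from the configuration map; {@code null} when not configured. */
    private String getNamespace(Map<String, ?> configs) {
        return (String) configs.get(NAMESPACE);
    }

    /**
     * Creates a KMS client from the driver configuration.
     *
     * <p>When {@code getTestClient} returns a client, the configured token is deliberately not
     * passed on, so the client built below takes the default-credentials path and is then
     * bound to the supplied {@link Logical} instance.
     *
     * @param configs driver configuration map
     * @param keyUrl optional value forwarded to the {@code HcVaultKmsClient} constructor
     * @return the configured client
     * @throws GeneralSecurityException if the TLS configuration or the client cannot be set up
     */
    public KmsClient newKmsClient(Map<String, ?> configs, Optional<String> keyUrl) throws GeneralSecurityException {
        // getTestClient is not defined in this class; presumably inherited from KmsDriver.
        Logical testClient = (Logical) getTestClient(configs);
        SslConfig sslConfig = getSslConfig(configs);
        Optional<String> token = testClient != null ? Optional.empty() : Optional.ofNullable(getToken(configs));
        Optional<String> namespace = Optional.ofNullable(getNamespace(configs));
        return newKmsClientWithHcVaultKms(keyUrl, sslConfig, token, namespace, testClient);
    }

    /**
     * Instantiates and configures an {@link HcVaultKmsClient}.
     *
     * <p>NOTE(review): {@code sslConfig} and {@code namespace} are only used on the
     * explicit-token path. When no token is present the client falls back to
     * {@code withDefaultCredentials()}, and any keystore, truststore or namespace taken from
     * the configuration map is not applied by this method. Operators who configure
     * {@code ssl.truststore.location} without {@code token.id} should confirm which TLS
     * settings the default-credentials path actually uses.
     *
     * @param keyUrl optional constructor argument for the client
     * @param sslConfig TLS configuration, possibly {@code null}
     * @param token Vault token; empty selects the default-credentials path
     * @param namespace optional Vault namespace, forwarded only together with a token
     * @param vault pre-built Vault client to attach, or {@code null}
     * @return the configured client
     * @throws GeneralSecurityException if the client rejects the supplied settings
     */
    protected static KmsClient newKmsClientWithHcVaultKms(Optional<String> keyUrl, SslConfig sslConfig, Optional<String> token, Optional<String> namespace, Logical vault) throws GeneralSecurityException {
        HcVaultKmsClient client = keyUrl.isPresent() ? new HcVaultKmsClient(keyUrl.get()) : new HcVaultKmsClient();
        if (token.isPresent()) {
            client.withCredentials(sslConfig, token.get(), namespace);
        } else {
            client.withDefaultCredentials();
        }
        if (vault != null) {
            client.withVault(vault);
        }
        return client;
    }
}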
