package io.confluent.kafka.schemaregistry.encryption.hcvault;

import com.google.crypto.tink.KmsClient;
import io.confluent.kafka.schemaregistry.encryption.tink.KmsDriver;
import io.github.jopenlibs.vault.api.Logical;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/hcvault/HcVaultKmsDriver.class */
public class HcVaultKmsDriver implements KmsDriver {
    public static final String TOKEN_ID = "token.id";
    public static final String NAMESPACE = "namespace";

    public String getKeyUrlPrefix() {
        return HcVaultKmsClient.PREFIX;
    }

    private String getToken(Map<String, ?> map) {
        return (String) map.get(TOKEN_ID);
    }

    private String getNamespace(Map<String, ?> map) {
        return (String) map.get(NAMESPACE);
    }

    public KmsClient newKmsClient(Map<String, ?> map, Optional<String> optional) throws GeneralSecurityException {
        Logical logical = (Logical) getTestClient(map);
        return newKmsClientWithHcVaultKms(optional, logical != null ? Optional.empty() : Optional.ofNullable(getToken(map)), Optional.ofNullable(getNamespace(map)), logical);
    }

    protected static KmsClient newKmsClientWithHcVaultKms(Optional<String> optional, Optional<String> optional2, Optional<String> optional3, Logical logical) throws GeneralSecurityException {
        HcVaultKmsClient hcVaultKmsClient = optional.isPresent() ? new HcVaultKmsClient(optional.get()) : new HcVaultKmsClient();
        if (optional2.isPresent()) {
            hcVaultKmsClient.withCredentials(optional2.get(), optional3);
        } else {
            hcVaultKmsClient.withDefaultCredentials();
        }
        if (logical != null) {
            hcVaultKmsClient.withVault(logical);
        }
        return hcVaultKmsClient;
    }
}
