package org.apache.hadoop.crypto.key;

import com.google.api.gax.rpc.AlreadyExistsException;
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.DecryptResponse;
import com.google.cloud.kms.v1.EncryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;
import com.google.protobuf.ByteString;
import java.lang.reflect.Field;
import java.security.Key;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.log4j.Logger;
import org.bouncycastle.crypto.RuntimeCryptoException;

/* loaded from: input_file:org/apache/hadoop/crypto/key/RangerGoogleCloudHSMProvider.class */
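/**
 * Ranger KMS master-key provider backed by Google Cloud KMS with an HSM protection level.
 *
 * <p>The master key is created (or reused) inside Cloud KMS; zone keys are wrapped and
 * unwrapped with {@code encrypt}/{@code decrypt} calls against that key. The master key
 * material itself is never returned to the caller ({@link #getMasterKey(String)} yields
 * {@code null}).
 *
 * <p>Configuration is read from the Ranger KMS {@link Configuration} using the
 * {@code ranger.kms.gcp.*} keys declared below.
 *
 * <p>Not thread-safe during {@link #onInitialization()}; the GCP client it creates is
 * shared by the encrypt/decrypt methods afterwards.
 */
public class RangerGoogleCloudHSMProvider implements RangerKMSMKI {
    private static final Logger logger = Logger.getLogger(RangerGoogleCloudHSMProvider.class);

    /** Configuration key: id of the Cloud KMS key ring holding the master key. */
    protected static final String GCP_KEYRING_ID = "ranger.kms.gcp.keyring.id";
    /** Configuration key: path of the service-account credential JSON file. */
    protected static final String GCP_CRED_JSON_FILE = "ranger.kms.gcp.cred.file";
    /** Configuration key: GCP project id. */
    protected static final String GCP_PROJECT_ID = "ranger.kms.gcp.project.id";
    /** Configuration key: Cloud KMS location id. */
    protected static final String GCP_LOCATION_ID = "ranger.kms.gcp.location.id";
    /** Configuration key: name of the Cloud KMS crypto key used as master key. */
    protected static final String GCP_MASTER_KEY_NAME = "ranger.kms.gcp.masterkey.name";
    /** Environment variable consulted by Google Application Default Credentials. */
    private static final String GCP_CRED_ENV_VARIABLE = "GOOGLE_APPLICATION_CREDENTIALS";

    private final String gcpKeyRingId;
    private final String gcpAppCredFile;
    private final String gcpProjectId;
    private final String gcpLocationId;
    private final String gcpMasterKeyName;
    // Populated by onInitialization(); null until then.
    private KeyManagementServiceClient client = null;
    private KeyRingName keyRingName = null;

    /**
     * Reads the GCP settings from the supplied configuration. Values are only captured here;
     * validation and client creation happen in {@link #onInitialization()}.
     *
     * @param configuration Ranger KMS configuration
     * @throws Exception declared by the provider contract; nothing is thrown here
     */
    public RangerGoogleCloudHSMProvider(Configuration configuration) throws Exception {
        this.gcpKeyRingId = configuration.get(GCP_KEYRING_ID);
        this.gcpAppCredFile = configuration.get(GCP_CRED_JSON_FILE);
        this.gcpLocationId = configuration.get(GCP_LOCATION_ID);
        this.gcpProjectId = configuration.get(GCP_PROJECT_ID);
        this.gcpMasterKeyName = configuration.get(GCP_MASTER_KEY_NAME);
    }

    /**
     * Fails fast when any required GCP property is missing. The credential file must end in
     * {@code .json}; its existence and readability are not checked here and surface later as a
     * client-creation failure.
     *
     * @throws RuntimeCryptoException if a property is empty or the credential path is not a JSON file
     */
    protected void validateGcpProps() {
        if (StringUtils.isEmpty(this.gcpAppCredFile) || !this.gcpAppCredFile.endsWith(".json")) {
            throw new RuntimeCryptoException("Error : Invalid GCP app Credential JSON file, Provided cred file : " + this.gcpAppCredFile);
        }
        if (StringUtils.isEmpty(this.gcpKeyRingId)) {
            throw new RuntimeCryptoException("Error : Please provide GCP app KeyringId, Provided keyring ID : " + this.gcpKeyRingId);
        }
        if (StringUtils.isEmpty(this.gcpLocationId)) {
            throw new RuntimeCryptoException("Error : Please provide the GCP app location Id, Provided location ID :" + this.gcpLocationId);
        }
        if (StringUtils.isEmpty(this.gcpProjectId)) {
            throw new RuntimeCryptoException("Error : Please provide the GCP app project Id, Provided ID : " + this.gcpProjectId);
        }
        if (StringUtils.isEmpty(this.gcpMasterKeyName)) {
            throw new RuntimeCryptoException("Error : Master key name must not be empty, Provided MasterKey Name : " + this.gcpMasterKeyName);
        }
    }

    /**
     * Validates configuration, creates the Cloud KMS client and verifies that the configured
     * key ring exists in the configured project/location.
     *
     * @throws RuntimeCryptoException if validation fails, the client cannot be created, or the
     *     key ring cannot be resolved
     * @throws Exception propagated from the Cloud KMS lookup
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public void onInitialization() throws Exception {
        validateGcpProps();
        if (logger.isDebugEnabled()) {
            logger.debug("==> onInitialization() : {gcpProjectId - " + this.gcpProjectId + ", gcpLocationId - " + this.gcpLocationId + ", gcpKeyRingId - " + this.gcpKeyRingId + ", gcpAppCredFile Path - " + this.gcpAppCredFile + "}");
        }
        String error = null;
        KeyRing keyRing = null;
        this.client = getKeyClient(this.gcpAppCredFile);
        if (this.client == null) {
            error = "Unable to create client object for Google Cloud HSM. Please check the Key HSM Log file OR Verify Google App Credential JSON file.";
        } else {
            this.keyRingName = KeyRingName.of(this.gcpProjectId, this.gcpLocationId, this.gcpKeyRingId);
            if (this.keyRingName == null) {
                error = "Unable to get Key Ring response for Project : " + this.gcpProjectId + " and Location : " + this.gcpLocationId;
            } else {
                keyRing = this.client.getKeyRing(this.keyRingName.toString());
                if (keyRing == null) {
                    error = "Unable to get Key Ring response for Project : " + this.gcpProjectId + " and Location : " + this.gcpLocationId;
                } else if (!keyRing.getName().endsWith(this.gcpKeyRingId)) {
                    // The returned resource name must end with the ring id we asked for.
                    error = "Key Ring with name : " + this.gcpKeyRingId + " does not exist for Project : " + this.gcpProjectId + " and Location : " + this.gcpLocationId;
                }
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("<== onInitialization() : {this.keyRingName - " + this.keyRingName + ", keyRingResponse - " + keyRing + "}");
        }
        if (!StringUtils.isEmpty(error)) {
            throw new RuntimeCryptoException(error);
        }
    }

    /**
     * Creates the Cloud KMS client using Application Default Credentials. If
     * {@code GOOGLE_APPLICATION_CREDENTIALS} is not already set in the environment, the
     * configured credential file path is injected into this process's environment view so
     * that ADC picks it up; an existing value is never overridden.
     *
     * @param credFile path of the credential JSON file
     * @return the client, or {@code null} when creation failed (the cause is logged)
     */
    private KeyManagementServiceClient getKeyClient(String credFile) {
        try {
            if (StringUtils.isEmpty(System.getenv(GCP_CRED_ENV_VARIABLE))) {
                updateEnv(GCP_CRED_ENV_VARIABLE, credFile);
            }
            return KeyManagementServiceClient.create();
        } catch (Exception e) {
            // Best effort: the caller turns a null client into a descriptive initialization error.
            logger.error("Unable to create Google Cloud KMS Client, Error : ", e);
            return null;
        }
    }

    /**
     * Creates the master key in Cloud KMS as an HSM-protected symmetric ENCRYPT_DECRYPT key.
     * An already existing key with the configured name is treated as success.
     *
     * @param str unused; the key name comes from {@code ranger.kms.gcp.masterkey.name}
     * @return {@code true} if the key exists after this call, {@code false} if creation returned nothing
     * @throws RuntimeCryptoException if Cloud KMS rejects the creation for any reason other than the key already existing
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public boolean generateMasterKey(String str) throws Throwable {
        CryptoKey keySpec = CryptoKey.newBuilder()
                .setPurpose(CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT)
                .setVersionTemplate(CryptoKeyVersionTemplate.newBuilder()
                        .setProtectionLevel(ProtectionLevel.HSM)
                        .setAlgorithm(CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION))
                .build();
        try {
            CryptoKey created = this.client.createCryptoKey(this.keyRingName, this.gcpMasterKeyName, keySpec);
            if (created == null) {
                logger.info("Failed to create master key : " + this.gcpMasterKeyName);
                return false;
            }
            logger.info("Master Key Created Successfully On Google Cloud HSM : " + this.gcpMasterKeyName);
            return true;
        } catch (AlreadyExistsException e) {
            logger.info("MasterKey with the name '" + this.gcpMasterKeyName + "' already exist.");
            return true;
        } catch (Exception e) {
            RuntimeCryptoException failure = new RuntimeCryptoException("Failed to create master key with name '" + this.gcpMasterKeyName + "', Error - " + e.getMessage());
            // RuntimeCryptoException has no cause constructor; keep the original stack trace attached.
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Not supported for this provider: the master key stays inside Cloud KMS/HSM.
     *
     * @param str unused
     * @return always {@code null}
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public String getMasterKey(String str) throws Throwable {
        return null;
    }

    /**
     * Wraps a zone key with the Cloud KMS master key.
     *
     * @param key zone key to wrap; must expose an encoded form
     * @return the ciphertext returned by Cloud KMS
     * @throws RuntimeCryptoException if the key has no encoded form or Cloud KMS returned no response
     * @throws Exception propagated from the Cloud KMS call
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public byte[] encryptZoneKey(Key key) throws Exception {
        if (logger.isDebugEnabled()) {
            logger.debug("==> GCP encryptZoneKey()");
        }
        if (key == null || key.getEncoded() == null) {
            throw new RuntimeCryptoException("Error - Zone key has no encoded form, cannot encrypt!");
        }
        CryptoKeyName masterKey = CryptoKeyName.of(this.gcpProjectId, this.gcpLocationId, this.gcpKeyRingId, this.gcpMasterKeyName);
        EncryptResponse response = this.client.encrypt(masterKey, ByteString.copyFrom(key.getEncoded()));
        if (response == null) {
            throw new RuntimeCryptoException("Got null response for encrypt zone key operation, Please reverify/check configs!");
        }
        if (logger.isDebugEnabled()) {
            // Log metadata only; do not dump the response body.
            logger.debug("<== GCP encryptZoneKey() : key - " + response.getName() + ", ciphertext size - " + response.getCiphertext().size());
        }
        return response.getCiphertext().toByteArray();
    }

    /**
     * Unwraps a zone key with the Cloud KMS master key.
     *
     * @param bArr ciphertext previously produced by {@link #encryptZoneKey(Key)}
     * @return the decrypted zone key bytes
     * @throws RuntimeCryptoException if the input is null, Cloud KMS returned no response, or the plaintext is empty
     * @throws Exception propagated from the Cloud KMS call
     */
    @Override // org.apache.hadoop.crypto.key.RangerKMSMKI
    public byte[] decryptZoneKey(byte[] bArr) throws Exception {
        CryptoKeyName masterKey = CryptoKeyName.of(this.gcpProjectId, this.gcpLocationId, this.gcpKeyRingId, this.gcpMasterKeyName);
        if (logger.isDebugEnabled()) {
            logger.debug("==> GCP decryptZoneKey() : CryptoKeyName - { " + masterKey + " }");
        }
        if (bArr == null) {
            throw new RuntimeCryptoException("Error - Null ciphertext supplied for decrypt zone key operation!");
        }
        DecryptResponse response = this.client.decrypt(masterKey, ByteString.copyFrom(bArr));
        if (response == null) {
            throw new RuntimeCryptoException("Got null response for decrypt zone key operation!");
        }
        ByteString plaintext = response.getPlaintext();
        // ByteString.toString() is a debug rendering and is never empty, so emptiness must be
        // checked on the bytes themselves.
        if (plaintext == null || plaintext.isEmpty()) {
            throw new RuntimeCryptoException("Error - Received null or empty decrypted zone key!");
        }
        if (logger.isDebugEnabled()) {
            // Never log the DecryptResponse itself: its text form contains the plaintext zone key.
            logger.debug("<== GCP decryptZoneKey() : plaintext size - " + plaintext.size());
        }
        return plaintext.toByteArray();
    }

    /**
     * Sets an environment variable in this JVM's view of the environment (child processes and
     * the OS environment are unaffected). This reaches into the private backing map of the
     * unmodifiable map returned by {@link System#getenv()} via reflection; on JDK 16+ this
     * typically needs {@code --add-opens java.base/java.util=ALL-UNNAMED}.
     *
     * @param name variable name
     * @param value variable value
     * @throws ReflectiveOperationException if the backing field cannot be accessed
     */
    @SuppressWarnings("unchecked")
    private static void updateEnv(String name, String value) throws ReflectiveOperationException {
        Map<String, String> env = System.getenv();
        // "m" is the wrapped map inside the unmodifiable view.
        Field backing = env.getClass().getDeclaredField("m");
        backing.setAccessible(true);
        ((Map<String, String>) backing.get(env)).put(name, value);
    }
}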
