package com.azure.storage.blob.specialized.cryptography;

import com.azure.core.cryptography.AsyncKeyEncryptionKey;
import com.azure.core.cryptography.AsyncKeyEncryptionKeyResolver;
import com.azure.core.http.HttpHeader;
import com.azure.core.http.HttpHeaders;
import com.azure.core.http.HttpMethod;
import com.azure.core.http.HttpPipelineCallContext;
import com.azure.core.http.HttpPipelineNextPolicy;
import com.azure.core.http.HttpResponse;
import com.azure.core.http.policy.HttpPipelinePolicy;
import com.azure.core.implementation.util.FluxUtil;
import com.azure.core.util.logging.ClientLogger;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicLong;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import reactor.core.Exceptions;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/azure/storage/blob/specialized/cryptography/BlobDecryptionPolicy.class */
public class BlobDecryptionPolicy implements HttpPipelinePolicy {
    private final ClientLogger logger = new ClientLogger(BlobDecryptionPolicy.class);
    private final AsyncKeyEncryptionKeyResolver keyResolver;
    private final AsyncKeyEncryptionKey keyWrapper;

    /* loaded from: input_file:com/azure/storage/blob/specialized/cryptography/BlobDecryptionPolicy$DecryptedResponse.class */
    static class DecryptedResponse extends HttpResponse {
        private final Flux<ByteBuffer> plainTextBody;
        private final HttpHeaders httpHeaders;
        private final int statusCode;

        DecryptedResponse(HttpResponse httpResponse, Flux<ByteBuffer> flux) {
            super(httpResponse.getRequest());
            this.plainTextBody = flux;
            this.httpHeaders = httpResponse.getHeaders();
            this.statusCode = httpResponse.getStatusCode();
        }

        public int getStatusCode() {
            return this.statusCode;
        }

        public String getHeaderValue(String str) {
            return this.httpHeaders.getValue(str);
        }

        public HttpHeaders getHeaders() {
            return this.httpHeaders;
        }

        public Flux<ByteBuffer> getBody() {
            return this.plainTextBody;
        }

        public Mono<byte[]> getBodyAsByteArray() {
            return FluxUtil.collectBytesInByteBufferStream(this.plainTextBody);
        }

        public Mono<String> getBodyAsString() {
            return FluxUtil.collectBytesInByteBufferStream(this.plainTextBody).map(String::new);
        }

        public Mono<String> getBodyAsString(Charset charset) {
            return FluxUtil.collectBytesInByteBufferStream(this.plainTextBody).map(bArr -> {
                return new String(bArr, charset);
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public BlobDecryptionPolicy(AsyncKeyEncryptionKey asyncKeyEncryptionKey, AsyncKeyEncryptionKeyResolver asyncKeyEncryptionKeyResolver) {
        this.keyWrapper = asyncKeyEncryptionKey;
        this.keyResolver = asyncKeyEncryptionKeyResolver;
    }

    public Mono<HttpResponse> process(HttpPipelineCallContext httpPipelineCallContext, HttpPipelineNextPolicy httpPipelineNextPolicy) {
        HttpHeaders headers = httpPipelineCallContext.getHttpRequest().getHeaders();
        EncryptedBlobRange encryptedBlobRangeFromHeader = EncryptedBlobRange.getEncryptedBlobRangeFromHeader(headers.getValue("x-ms-range"));
        if (headers.getValue("x-ms-range") != null) {
            headers.put("x-ms-range", encryptedBlobRangeFromHeader.toBlobRange().toString());
        }
        return httpPipelineNextPolicy.process().flatMap(httpResponse -> {
            if (httpResponse.getRequest().getHttpMethod() != HttpMethod.GET || httpResponse.getBody() == null) {
                return Mono.just(httpResponse);
            }
            HttpHeaders headers2 = httpResponse.getHeaders();
            encryptedBlobRangeFromHeader.setAdjustedDownloadCount(Long.parseLong(headers2.getValue("Content-Length")));
            return Mono.just(new DecryptedResponse(httpResponse, decryptBlob(extractEncryptedDataFromResponse(headers2), httpResponse.getBody(), encryptedBlobRangeFromHeader, encryptedBlobRangeFromHeader.toBlobRange().getOffset() + encryptedBlobRangeFromHeader.toBlobRange().getCount().longValue() > blobSize(headers2).longValue() - 16)));
        });
    }

    Flux<ByteBuffer> decryptBlob(String str, Flux<ByteBuffer> flux, EncryptedBlobRange encryptedBlobRange, boolean z) {
        EncryptionData andValidateEncryptionData = getAndValidateEncryptionData(str);
        AtomicLong atomicLong = new AtomicLong(0L);
        AtomicLong atomicLong2 = new AtomicLong(0L);
        return (andValidateEncryptionData == null ? flux : getKeyEncryptionKey(andValidateEncryptionData).flatMapMany(bArr -> {
            try {
                Cipher cipher = getCipher(bArr, andValidateEncryptionData, encryptedBlobRange.getOffsetAdjustment() <= 16 ? andValidateEncryptionData.getContentEncryptionIV() : new byte[16], z);
                return flux.map(byteBuffer -> {
                    int update;
                    int outputSize = cipher.getOutputSize(byteBuffer.remaining());
                    ByteBuffer allocate = outputSize > byteBuffer.remaining() ? ByteBuffer.allocate(outputSize) : byteBuffer.duplicate();
                    int remaining = byteBuffer.remaining();
                    if (atomicLong.longValue() + remaining >= encryptedBlobRange.getAdjustedDownloadCount().longValue()) {
                        try {
                            update = cipher.doFinal(byteBuffer, allocate);
                        } catch (GeneralSecurityException e) {
                            throw this.logger.logExceptionAsError(Exceptions.propagate(e));
                        }
                    } else {
                        try {
                            update = cipher.update(byteBuffer, allocate);
                        } catch (ShortBufferException e2) {
                            throw this.logger.logExceptionAsError(Exceptions.propagate(e2));
                        }
                    }
                    atomicLong.addAndGet(remaining);
                    allocate.position(0);
                    allocate.limit(update);
                    return allocate;
                });
            } catch (InvalidKeyException e) {
                throw this.logger.logExceptionAsError(Exceptions.propagate(e));
            }
        })).map(byteBuffer -> {
            int limit = byteBuffer.limit();
            if (atomicLong2.longValue() <= encryptedBlobRange.getOffsetAdjustment()) {
                int offsetAdjustment = encryptedBlobRange.getOffsetAdjustment() - ((int) atomicLong2.longValue());
                byteBuffer.position(offsetAdjustment <= byteBuffer.limit() ? offsetAdjustment : byteBuffer.limit());
            }
            long offsetAdjustment2 = encryptedBlobRange.getOriginalRange().getCount() == null ? Long.MAX_VALUE : encryptedBlobRange.getOffsetAdjustment() + encryptedBlobRange.getOriginalRange().getCount().longValue();
            if (limit + atomicLong2.longValue() > offsetAdjustment2) {
                byteBuffer.limit(atomicLong2.longValue() <= offsetAdjustment2 ? limit - ((int) ((limit + atomicLong2.longValue()) - offsetAdjustment2)) : byteBuffer.position());
            } else if (limit + atomicLong2.longValue() > encryptedBlobRange.getOffsetAdjustment()) {
                byteBuffer.limit(limit);
            } else {
                byteBuffer.limit(byteBuffer.position());
            }
            atomicLong2.addAndGet(limit);
            return byteBuffer;
        });
    }

    private EncryptionData getAndValidateEncryptionData(String str) {
        if (str == null) {
            return null;
        }
        try {
            EncryptionData encryptionData = (EncryptionData) new ObjectMapper().readValue(str, EncryptionData.class);
            if (encryptionData == null) {
                return encryptionData;
            }
            Objects.requireNonNull(encryptionData.getContentEncryptionIV(), "contentEncryptionIV in encryptionData cannot be null");
            Objects.requireNonNull(encryptionData.getWrappedContentKey().getEncryptedKey(), "encryptedKey in encryptionData.wrappedContentKey cannot be null");
            if ("1.0".equals(encryptionData.getEncryptionAgent().getProtocol())) {
                return encryptionData;
            }
            throw this.logger.logExceptionAsError(new IllegalArgumentException(String.format(Locale.ROOT, "Invalid Encryption Agent. This version of the client library does not understand the Encryption Agent set on the blob message: %s", encryptionData.getEncryptionAgent())));
        } catch (IOException e) {
            throw this.logger.logExceptionAsError(new RuntimeException(e));
        }
    }

    private Mono<byte[]> getKeyEncryptionKey(EncryptionData encryptionData) {
        Mono just;
        if (this.keyResolver != null) {
            just = this.keyResolver.buildAsyncKeyEncryptionKey(encryptionData.getWrappedContentKey().getKeyId()).onErrorResume(NullPointerException.class, nullPointerException -> {
                throw this.logger.logExceptionAsError(Exceptions.propagate(nullPointerException));
            });
        } else {
            if (!encryptionData.getWrappedContentKey().getKeyId().equals(this.keyWrapper.getKeyId().block())) {
                throw this.logger.logExceptionAsError(new IllegalArgumentException("Key mismatch. The key id stored on the service does not match the specified key."));
            }
            just = Mono.just(this.keyWrapper);
        }
        return just.flatMap(asyncKeyEncryptionKey -> {
            return asyncKeyEncryptionKey.unwrapKey(encryptionData.getWrappedContentKey().getAlgorithm(), encryptionData.getWrappedContentKey().getEncryptedKey());
        });
    }

    private Cipher getCipher(byte[] bArr, EncryptionData encryptionData, byte[] bArr2, boolean z) throws InvalidKeyException {
        try {
            switch (encryptionData.getEncryptionAgent().getAlgorithm()) {
                case AES_CBC_256:
                    Cipher cipher = z ? Cipher.getInstance("AES/CBC/PKCS5Padding") : Cipher.getInstance("AES/CBC/NoPadding");
                    cipher.init(2, new SecretKeySpec(bArr, 0, bArr.length, "AES"), new IvParameterSpec(bArr2));
                    return cipher;
                default:
                    throw this.logger.logExceptionAsError(new IllegalArgumentException("Invalid Encryption Algorithm found on the resource. This version of the client library does not support the specified encryption algorithm."));
            }
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw this.logger.logExceptionAsError(Exceptions.propagate(e));
        }
    }

    private Long blobSize(HttpHeaders httpHeaders) {
        return httpHeaders.getValue("Content-Range") != null ? Long.valueOf(httpHeaders.getValue("Content-Range").split("/")[1]) : Long.valueOf(httpHeaders.getValue("Content-Length"));
    }

    private String extractEncryptedDataFromResponse(HttpHeaders httpHeaders) {
        HashMap hashMap = new HashMap();
        Iterator it = httpHeaders.iterator();
        while (it.hasNext()) {
            HttpHeader httpHeader = (HttpHeader) it.next();
            String name = httpHeader.getName();
            if (name.startsWith("x-ms-meta-")) {
                hashMap.put(name.substring("x-ms-meta-".length()), httpHeader.getValue());
            }
        }
        return (String) hashMap.get("encryptiondata");
    }
}
