package org.apache.nifi.processors.azure;

import com.azure.core.cryptography.AsyncKeyEncryptionKey;
import com.azure.security.keyvault.keys.cryptography.KeyEncryptionKeyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.KeyWrapAlgorithm;
import com.azure.security.keyvault.keys.models.JsonWebKey;
import com.azure.security.keyvault.keys.models.KeyOperation;
import com.azure.storage.blob.BlobClient;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.specialized.cryptography.EncryptedBlobClientBuilder;
import com.azure.storage.blob.specialized.cryptography.EncryptionVersion;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.nifi.components.DescribedValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.azure.storage.utils.ClientSideEncryptionMethod;
import org.apache.nifi.util.StringUtils;

/* loaded from: input_file:org/apache/nifi/processors/azure/ClientSideEncryptionSupport.class */
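/**
 * Mixin for Azure Blob processors that adds optional client-side encryption (CSE).
 *
 * <p>It declares the three CSE properties, validates them, and builds an encrypting
 * {@link BlobClient} whose key-encryption key is a locally held AES key supplied as a
 * hexadecimal string in {@link #CSE_LOCAL_KEY}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The raw key is processor configuration. It is only as well protected as the
 *       framework's handling of properties marked {@code sensitive(true)}.</li>
 *   <li>Key sizes of 384 and 512 bits are accepted although AES key wrap is defined for
 *       128/192/256-bit keys; see {@link #getKeyWrapAlgorithm(byte[])}.</li>
 * </ul>
 */
public interface ClientSideEncryptionSupport {
    /**
     * Operations granted to the locally built key-encryption key: wrap and unwrap only.
     * {@code Arrays.asList} yields a fixed-size list whose elements can still be replaced through
     * {@code set()}, so treat this constant as read-only.
     */
    List<KeyOperation> KEY_OPERATIONS = Arrays.asList(KeyOperation.WRAP_KEY, KeyOperation.UNWRAP_KEY);

    /** Selects the client-side encryption method; defaults to {@code NONE}. */
    PropertyDescriptor CSE_KEY_TYPE = new PropertyDescriptor.Builder()
            .name("Client-Side Encryption Key Type")
            .displayName("Client-Side Encryption Key Type")
            .required(true)
            .allowableValues(ClientSideEncryptionMethod.class)
            .defaultValue(ClientSideEncryptionMethod.NONE.getValue())
            .description("Specifies the key type to use for client-side encryption.")
            .build();

    /**
     * Identifier attached to the key-encryption key; only shown when the key type is {@code LOCAL}.
     * NOTE(review): FlowFile-attribute expression language is declared here, but the methods of this
     * interface read the property with {@code getValue()} and never evaluate it against a FlowFile.
     * Confirm whether an expression is meant to be resolved or is used as a literal ID.
     */
    PropertyDescriptor CSE_KEY_ID = new PropertyDescriptor.Builder()
            .name("Client-Side Encryption Key ID")
            .displayName("Client-Side Encryption Key ID")
            .description("Specifies the ID of the key to use for client-side encryption.")
            .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
            .required(true)
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .dependsOn(CSE_KEY_TYPE, ClientSideEncryptionMethod.LOCAL)
            .build();

    /**
     * Hex-encoded raw AES key used to wrap content-encryption keys. It is marked sensitive and has
     * no expression-language support, so the key cannot be sourced from FlowFile attributes.
     */
    PropertyDescriptor CSE_LOCAL_KEY = new PropertyDescriptor.Builder()
            .name("Client-Side Encryption Local Key")
            .displayName("Client-Side Encryption Local Key")
            .description("When using local client-side encryption, this is the raw key, encoded in hexadecimal")
            .required(true)
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .dependsOn(CSE_KEY_TYPE, ClientSideEncryptionMethod.LOCAL)
            .sensitive(true)
            .build();

    /**
     * Cross-checks the CSE properties: a key ID is required whenever encryption is not {@code NONE},
     * and the local key is validated when the method is {@code LOCAL}.
     *
     * @param validationContext context giving access to the configured property values
     * @return validation problems found; empty when the configuration is acceptable
     */
    default Collection<ValidationResult> validateClientSideEncryptionProperties(ValidationContext validationContext) {
        final List<ValidationResult> problems = new ArrayList<>();
        final ClientSideEncryptionMethod method =
                ClientSideEncryptionMethod.valueOf(validationContext.getProperty(CSE_KEY_TYPE).getValue());
        final String keyId = validationContext.getProperty(CSE_KEY_ID).getValue();
        final String localKeyHex = validationContext.getProperty(CSE_LOCAL_KEY).getValue();

        if (method != ClientSideEncryptionMethod.NONE && StringUtils.isBlank(keyId)) {
            problems.add(new ValidationResult.Builder()
                    .subject(CSE_KEY_ID.getDisplayName())
                    .explanation("Key ID must be set when client-side encryption is enabled")
                    .build());
        }
        if (method == ClientSideEncryptionMethod.LOCAL) {
            problems.addAll(validateLocalKey(localKeyHex));
        }
        return problems;
    }

    /**
     * Validates the hex-encoded local key: it must be present, decode as hexadecimal, and have a
     * length that {@link #getKeyWrapAlgorithm(byte[])} maps to a wrap algorithm.
     *
     * @param str the configured key as a hexadecimal string; may be blank
     * @return validation problems found; empty when the key is acceptable
     */
    default List<ValidationResult> validateLocalKey(String str) {
        final List<ValidationResult> problems = new ArrayList<>();
        if (StringUtils.isBlank(str)) {
            problems.add(new ValidationResult.Builder()
                    .subject(CSE_LOCAL_KEY.getDisplayName())
                    .explanation("Key must be set when client-side encryption is enabled")
                    .build());
            return problems;
        }

        try {
            final byte[] keyBytes = Hex.decodeHex(str);
            if (getKeyWrapAlgorithm(keyBytes).isEmpty()) {
                // Only the bit length is reported, never the key content.
                problems.add(new ValidationResult.Builder()
                        .subject(CSE_LOCAL_KEY.getDisplayName())
                        .explanation(String.format(
                                "Key size in bits must be one of [128, 192, 256, 384, 512] instead of [%d]",
                                keyBytes.length * 8))
                        .build());
            }
        } catch (IllegalArgumentException e) {
            // NOTE(review): this message becomes the validation explanation of a sensitive property
            // verbatim. Confirm that nothing thrown in the try block puts key characters in its message.
            problems.add(new ValidationResult.Builder()
                    .subject(CSE_LOCAL_KEY.getDisplayName())
                    .explanation(e.getMessage())
                    .build());
        } catch (DecoderException e) {
            // A fixed message replaces the decoder's own, so its details are not exposed.
            problems.add(new ValidationResult.Builder()
                    .subject(CSE_LOCAL_KEY.getDisplayName())
                    .explanation("Key must be a valid hexadecimal string")
                    .build());
        }
        return problems;
    }

    /**
     * Reports whether a client-side encryption method other than {@code NONE} is configured.
     *
     * @param propertyContext context giving access to the configured property values
     * @return {@code true} when the key type is anything but {@code NONE}
     */
    default boolean isClientSideEncryptionEnabled(PropertyContext propertyContext) {
        final String configuredType = propertyContext.getProperty(CSE_KEY_TYPE).getValue();
        return ClientSideEncryptionMethod.valueOf(configuredType) != ClientSideEncryptionMethod.NONE;
    }

    /**
     * Builds a blob client that encrypts and decrypts on the client, using the configured local AES
     * key as the key-encryption key.
     *
     * <p>This method does not check the configured key type, and a missing local key fails inside
     * {@code Hex.decodeHex}. Callers are presumably expected to gate on
     * {@link #isClientSideEncryptionEnabled(PropertyContext)} and on successful validation; verify
     * this at the call sites.
     *
     * @param propertyContext context giving access to the configured property values
     * @param blobContainerClient container client from which the plain blob client is obtained
     * @param str name of the blob, passed to {@code getBlobClient}
     * @return a blob client wrapping the plain client with client-side encryption
     * @throws DecoderException if the configured local key is not valid hexadecimal
     * @throws IllegalArgumentException if no key wrap algorithm matches the key length
     */
    default BlobClient getEncryptedBlobClient(PropertyContext propertyContext, BlobContainerClient blobContainerClient, String str) throws DecoderException {
        // The key ID is read without expression evaluation; see the note on CSE_KEY_ID.
        final String keyId = propertyContext.getProperty(CSE_KEY_ID).getValue();
        final String localKeyHex = propertyContext.getProperty(CSE_LOCAL_KEY).getValue();
        final BlobClient plainClient = blobContainerClient.getBlobClient(str);
        final byte[] keyBytes = Hex.decodeHex(localKeyHex);

        // The encryption protocol version is pinned to V2 rather than left to a library default.
        // NOTE(review): per the Azure SDK documentation V2 is the AES-GCM scheme; confirm for the
        // SDK version in use.
        final EncryptedBlobClientBuilder builder = new EncryptedBlobClientBuilder(EncryptionVersion.V2);

        // The key-encryption key is built locally from the raw bytes and limited to wrap/unwrap.
        final AsyncKeyEncryptionKey keyEncryptionKey = (AsyncKeyEncryptionKey) new KeyEncryptionKeyClientBuilder()
                .buildAsyncKeyEncryptionKey(
                        JsonWebKey.fromAes(new SecretKeySpec(keyBytes, "AES"), KEY_OPERATIONS).setId(keyId))
                .block();

        final String wrapAlgorithm = getKeyWrapAlgorithm(keyBytes)
                .orElseThrow(() -> new IllegalArgumentException("Failed to derive key wrap algorithm"));

        return builder
                .key(keyEncryptionKey, wrapAlgorithm)
                .blobClient(plainClient)
                .buildEncryptedBlobClient();
    }

    /**
     * Maps a raw key length to the name of the AES key wrap algorithm to use.
     *
     * <p>16- and 24-byte keys map to A128KW and A192KW. 32-, 48- and 64-byte keys all map to A256KW.
     * NOTE(review): AES key wrap is defined for 128/192/256-bit keys only, and what the SDK does with
     * the bytes beyond the first 32 (truncate or reject) is not visible here. Confirm it. If they are
     * ignored, a 384- or 512-bit key gives no more strength than a 256-bit one.
     *
     * @param bArr decoded key bytes; only the length is inspected
     * @return the wrap algorithm name, or empty when the length is unsupported
     */
    default Optional<String> getKeyWrapAlgorithm(byte[] bArr) {
        final int keyLengthBytes = bArr.length;
        switch (keyLengthBytes) {
            case 16:
                return Optional.of(KeyWrapAlgorithm.A128KW.toString());
            case 24:
                return Optional.of(KeyWrapAlgorithm.A192KW.toString());
            case 32:
            case 48:
            case 64:
                // Longer-than-AES keys fall through to the strongest available wrap algorithm.
                return Optional.of(KeyWrapAlgorithm.A256KW.toString());
            default:
                return Optional.empty();
        }
    }
}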
