package com.jessecoyle;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.AwsRegionProvider;
import com.amazonaws.regions.DefaultAwsRegionProviderChain;
import com.amazonaws.regions.RegionUtils;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.dynamodbv2.model.ComparisonOperator;
import com.amazonaws.services.dynamodbv2.model.Condition;
import com.amazonaws.services.dynamodbv2.model.QueryRequest;
import com.amazonaws.services.dynamodbv2.model.QueryResult;
import com.amazonaws.services.dynamodbv2.model.ScanRequest;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.model.DecryptRequest;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import software.amazon.ion.SystemSymbols;

/* loaded from: input_file:com/jessecoyle/JCredStash.class */
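/**
 * Reads secrets from a credstash-style store.
 *
 * <p>Each secret is an item in a DynamoDB table. The item carries a KMS-wrapped data key, the
 * encrypted contents and an HMAC over those contents. {@link #getSecret} unwraps the data key
 * through KMS, verifies the HMAC and only then decrypts the contents.
 *
 * <p>The instance owns the two AWS clients it is given or creates; {@link #close()} shuts both
 * down.
 */
public class JCredStash implements AutoCloseable {
    private static final String DEFAULT_TABLE = "credential-store";

    /** Number of leading bytes of the unwrapped data key used as the AES key. */
    private static final int AES_KEY_LENGTH = 32;

    private final String tableName;
    private final AmazonDynamoDBClient amazonDynamoDBClient;
    private final AWSKMSClient awskmsClient;
    private final CredStashCrypto credStashCrypto;

    /** Uses the default table, default AWS credential/region chains and the BouncyCastle crypto. */
    public JCredStash() {
        this(new CredStashBouncyCastleCrypto());
    }

    /**
     * @param tableName DynamoDB table holding the secrets
     */
    public JCredStash(String tableName) {
        this(tableName, new CredStashBouncyCastleCrypto());
    }

    /**
     * @param credStashCrypto implementation used for the HMAC and the content decryption
     */
    public JCredStash(CredStashCrypto credStashCrypto) {
        this(DEFAULT_TABLE, credStashCrypto);
    }

    /**
     * @param tableName DynamoDB table holding the secrets
     * @param credStashCrypto implementation used for the HMAC and the content decryption
     */
    public JCredStash(String tableName, CredStashCrypto credStashCrypto) {
        this(tableName, new DefaultAWSCredentialsProviderChain(), new DefaultAwsRegionProviderChain(), credStashCrypto);
    }

    /**
     * Builds the DynamoDB and KMS clients from the given credential and region providers.
     *
     * @param tableName DynamoDB table holding the secrets
     * @param credentialsProvider credentials used by both clients
     * @param regionProvider region used by both clients
     * @param credStashCrypto implementation used for the HMAC and the content decryption
     */
    public JCredStash(String tableName, AWSCredentialsProvider credentialsProvider, AwsRegionProvider regionProvider, CredStashCrypto credStashCrypto) {
        this(tableName, createAmazonDynamoDBClient(credentialsProvider, regionProvider), createAwsKmsClient(credentialsProvider, regionProvider), credStashCrypto);
    }

    /** Creates a KMS client bound to the provider's region. */
    private static AWSKMSClient createAwsKmsClient(AWSCredentialsProvider credentialsProvider, AwsRegionProvider regionProvider) {
        AWSKMSClient client = new AWSKMSClient(credentialsProvider);
        client.setRegion(RegionUtils.getRegion(regionProvider.getRegion()));
        return client;
    }

    /** Creates a DynamoDB client bound to the provider's region. */
    private static AmazonDynamoDBClient createAmazonDynamoDBClient(AWSCredentialsProvider credentialsProvider, AwsRegionProvider regionProvider) {
        AmazonDynamoDBClient client = new AmazonDynamoDBClient(credentialsProvider);
        client.setRegion(RegionUtils.getRegion(regionProvider.getRegion()));
        return client;
    }

    /**
     * Uses caller-supplied clients. They are shut down by {@link #close()}.
     *
     * @param tableName DynamoDB table holding the secrets
     * @param amazonDynamoDBClient client used for the query and scan calls
     * @param awskmsClient client used to unwrap the per-secret data key
     * @param credStashCrypto implementation used for the HMAC and the content decryption
     */
    public JCredStash(String tableName, AmazonDynamoDBClient amazonDynamoDBClient, AWSKMSClient awskmsClient, CredStashCrypto credStashCrypto) {
        this.tableName = tableName;
        this.amazonDynamoDBClient = amazonDynamoDBClient;
        this.awskmsClient = awskmsClient;
        this.credStashCrypto = credStashCrypto;
    }

    /**
     * Fetches one stored item for the given secret name with a strongly consistent query.
     *
     * @throws RuntimeException if the query returns no item
     */
    private StoredSecret readDynamoItem(String table, String secretName) {
        Condition nameEquals = new Condition()
                .withComparisonOperator(ComparisonOperator.EQ)
                .withAttributeValueList(new AttributeValue(secretName));
        // Descending key order with a limit of one returns the item with the highest sort key;
        // presumably that is the newest version (the table's key schema is not visible here).
        // NOTE(review): SystemSymbols.NAME is an Ion library constant used as the attribute name;
        // it looks like a decompiler substitution for a string literal. Confirm against the
        // original source.
        QueryRequest request = new QueryRequest(table)
                .withLimit(1)
                .withScanIndexForward(false)
                .withConsistentRead(true)
                .addKeyConditionsEntry(SystemSymbols.NAME, nameEquals);
        QueryResult result = this.amazonDynamoDBClient.query(request);
        if (result.getCount().intValue() == 0) {
            throw new RuntimeException("Secret " + secretName + " could not be found");
        }
        return new StoredSecret(result.getItems().get(0));
    }

    /**
     * Unwraps a data key through KMS. The encryption context is passed with the request, so it
     * must match the one the key was wrapped under for KMS to accept the call.
     */
    private ByteBuffer decryptKeyWithKMS(byte[] wrappedKey, Map<String, String> encryptionContext) {
        DecryptRequest request = new DecryptRequest()
                .withCiphertextBlob(ByteBuffer.wrap(wrappedKey))
                .withEncryptionContext(encryptionContext);
        return this.awskmsClient.decrypt(request).getPlaintext();
    }

    /**
     * Retrieves and decrypts a secret.
     *
     * <p>The unwrapped data key is split into a 32-byte AES key followed by the HMAC key. The
     * HMAC over the stored contents is verified before any decryption is attempted.
     *
     * @param str name of the secret
     * @param map KMS encryption context the secret was stored with
     * @return the decrypted secret, decoded as UTF-8
     * @throws RuntimeException if the secret does not exist, the unwrapped data key is too short
     *     to hold both keys, or the HMAC does not match
     */
    public String getSecret(String str, Map<String, String> map) {
        StoredSecret stored = readDynamoItem(this.tableName, str);
        ByteBuffer dataKey = decryptKeyWithKMS(stored.getKey(), map);
        // Enforce the expected key layout up front: without this a short key surfaces as a bare
        // BufferUnderflowException, and a key of exactly 32 bytes would leave the HMAC keyless.
        if (dataKey.remaining() <= AES_KEY_LENGTH) {
            throw new RuntimeException("Decrypted data key for secret " + str + " is too short");
        }
        byte[] aesKey = new byte[AES_KEY_LENGTH];
        dataKey.get(aesKey);
        byte[] hmacKey = new byte[dataKey.remaining()];
        dataKey.get(hmacKey);
        try {
            byte[] expectedHmac = this.credStashCrypto.digest(hmacKey, stored.getContents());
            // MessageDigest.isEqual compares in constant time; Arrays.equals stops at the first
            // differing byte, which leaks how much of a candidate MAC was correct.
            if (!MessageDigest.isEqual(expectedHmac, stored.getHmac())) {
                throw new RuntimeException("HMAC integrety check failed");
            }
            // Decode with an explicit charset so the result does not depend on the host's
            // default. UTF-8 is assumed to match what the writer used; confirm.
            return new String(this.credStashCrypto.decrypt(aesKey, stored.getContents()), StandardCharsets.UTF_8);
        } finally {
            // Best-effort scrubbing of the local key copies. The KMS response buffer and the
            // returned String are outside this method's control.
            Arrays.fill(aesKey, (byte) 0);
            Arrays.fill(hmacKey, (byte) 0);
        }
    }

    /**
     * Lists the name and version of the stored credentials.
     *
     * <p>Only the name and version attributes are projected, so no key material or ciphertext is
     * read by this call.
     *
     * @return one entry per item returned by the scan
     */
    public List<CredentialVersion> listSecrets() {
        // "name" is a DynamoDB reserved word, so the projection refers to it through the #N
        // placeholder. A plain map replaces the anonymous HashMap subclass, which captured the
        // enclosing instance.
        Map<String, String> attributeNames = new HashMap<>();
        attributeNames.put("#N", SystemSymbols.NAME);
        ScanRequest request = new ScanRequest(this.tableName)
                .withProjectionExpression("#N, version")
                .withExpressionAttributeNames(attributeNames);
        // NOTE(review): only the items of this single Scan response are used. A paginated result
        // (LastEvaluatedKey) is not followed, so a large table may be listed only partially.
        return this.amazonDynamoDBClient.scan(request).getItems().stream()
                .map(item -> new CredentialVersion(item.get(SystemSymbols.NAME).getS(), item.get("version").getS()))
                .collect(Collectors.toList());
    }

    /**
     * Decrypts every secret whose name matches the wildcard pattern.
     *
     * @param str wildcard pattern, interpreted by {@code WildcardHelper}
     * @param map KMS encryption context applied to every matched secret
     * @return map from secret name to decrypted value
     */
    public Map<String, String> findSecrets(String str, Map<String, String> map) {
        // Collectors.toMap throws IllegalStateException on a duplicate key, so this relies on the
        // helper yielding each name once. Confirm against WildcardHelper.
        return WildcardHelper.credentialNamesMatchingWildcard(listSecrets(), str)
                .collect(Collectors.toMap(name -> name, name -> getSecret(name, map)));
    }

    /** Shuts down both AWS clients; the KMS client is shut down even if the first call throws. */
    @Override // java.lang.AutoCloseable
    public void close() {
        try {
            this.amazonDynamoDBClient.shutdown();
        } finally {
            this.awskmsClient.shutdown();
        }
    }
}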
