package de.zalando.spring.cloud.config.aws.kms;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.util.Assert;

/* loaded from: input_file:de/zalando/spring/cloud/config/aws/kms/KmsTextEncryptor.class */
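/**
 * {@link TextEncryptor} that delegates encryption and decryption to AWS KMS.
 *
 * <p>Plaintext is converted to and from bytes as UTF-8, so the result does not depend on the
 * JVM's default charset. Ciphertext returned by {@link #encrypt(String)} is Base64 encoded.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #decrypt(String)} lets options parsed from the token (key id, encryption
 *       algorithm, output mode, encryption context) take precedence over the values this
 *       instance was configured with. Tokens should therefore only come from a source that is
 *       as trusted as the configuration itself.</li>
 *   <li>For symmetric decryption no key id is set on the request, so the key is whatever KMS
 *       resolves from the ciphertext. If decryption must be limited to one key, enforce that
 *       in the KMS key policy / IAM permissions of the calling principal.</li>
 * </ul>
 */
public class KmsTextEncryptor implements TextEncryptor {
    private static final Base64.Encoder BASE64_ENCODER = Base64.getEncoder();
    private static final String EMPTY_STRING = "";
    /** True when the aws-java-sdk on the classpath ships {@code EncryptionAlgorithmSpec}. */
    private static final boolean IS_ALGORITHM_AVAILABLE;
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final AWSKMS kms;
    private final String kmsKeyId;
    private final String encryptionAlgorithm;

    /**
     * Creates an encryptor bound to a KMS client.
     *
     * @param awskms KMS client used for all requests; must not be null
     * @param str    default KMS key id; may be null here, but {@link #encrypt(String)} and
     *               asymmetric decryption reject a blank key id
     * @param str2   default encryption algorithm name; must not be null
     */
    public KmsTextEncryptor(AWSKMS awskms, String str, String str2) {
        Assert.notNull(awskms, "KMS client must not be null");
        Assert.notNull(str2, "encryptionAlgorithm must not be null");
        this.kms = awskms;
        this.kmsKeyId = str;
        this.encryptionAlgorithm = str2;
        // Warn early if an asymmetric algorithm is configured but the SDK cannot express it.
        checkAlgorithm(str2);
    }

    /**
     * Encrypts the given text with the configured KMS key.
     *
     * @param str plaintext; null or empty yields an empty string without calling KMS
     * @return Base64 encoded ciphertext blob, or an empty string
     * @throws IllegalArgumentException if no key id has been configured
     */
    @Override
    public String encrypt(String str) {
        Assert.hasText(this.kmsKeyId, "kmsKeyId must not be blank");
        if (str == null || str.isEmpty()) {
            return EMPTY_STRING;
        }
        // Explicit UTF-8: the platform default charset would make the encrypted bytes depend
        // on the JVM that produced them.
        EncryptRequest request = new EncryptRequest()
                .withKeyId(this.kmsKeyId)
                .withPlaintext(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
        checkAlgorithm(this.encryptionAlgorithm);
        // With an outdated SDK the algorithm cannot be set; only the warning above is emitted
        // and the request is sent without it.
        if (IS_ALGORITHM_AVAILABLE) {
            request.setEncryptionAlgorithm(this.encryptionAlgorithm);
        }
        return extractString(this.kms.encrypt(request).getCiphertextBlob(), OutputMode.BASE64);
    }

    /**
     * Decrypts a token through KMS.
     *
     * @param str encrypted token as understood by {@code EncryptedToken.parse}; null or empty
     *            yields an empty string without calling KMS
     * @return the decrypted value rendered according to the token's output mode
     * @throws IllegalArgumentException if an asymmetric algorithm is in effect and no key id
     *                                  is available from the token or the configuration
     */
    @Override
    public String decrypt(String str) {
        if (str == null || str.isEmpty()) {
            return EMPTY_STRING;
        }
        EncryptedToken token = EncryptedToken.parse(str);
        DecryptRequest request = new DecryptRequest()
                .withCiphertextBlob(token.getCipherBytes())
                .withEncryptionContext(token.getEncryptionContext());
        KmsTextEncryptorOptions options = token.getOptions();
        // NOTE(review): values embedded in the token override the configured key id and
        // algorithm. Whoever can write tokens can steer which key/algorithm is requested.
        String keyId = (String) Optional.ofNullable(options.getKeyId()).orElse(this.kmsKeyId);
        String algorithm = (String) Optional.ofNullable(options.getEncryptionAlgorithm()).orElse(this.encryptionAlgorithm);
        checkAlgorithm(algorithm);
        if (IS_ALGORITHM_AVAILABLE) {
            request.setEncryptionAlgorithm(algorithm);
            if (isAsymmetricEncryption(algorithm)) {
                Assert.hasText(keyId, "kmsKeyId must not be blank. Asymmetric decryption requires the key to be known");
                request.setKeyId(keyId);
            }
            // Symmetric path: the key id is deliberately not pinned here, so the key is
            // resolved by KMS from the ciphertext.
        }
        return extractString(this.kms.decrypt(request).getPlaintext(), options.getOutputMode());
    }

    /**
     * Reads the remaining bytes of a buffer and renders them as text.
     *
     * @param byteBuffer buffer to drain; its position is advanced to its limit
     * @param outputMode {@code BASE64} for Base64 text, anything else for a UTF-8 string
     * @return the rendered content, or an empty string when nothing remains
     */
    private static String extractString(ByteBuffer byteBuffer, OutputMode outputMode) {
        if (!byteBuffer.hasRemaining()) {
            return EMPTY_STRING;
        }
        byte[] bytes = new byte[byteBuffer.remaining()];
        // Bulk relative get into the start of the destination array. The former call passed
        // byteBuffer.arrayOffset() as the destination offset, which overflows the array for
        // sliced buffers and throws for read-only or direct buffers.
        byteBuffer.get(bytes);
        return outputMode == OutputMode.BASE64
                ? BASE64_ENCODER.encodeToString(bytes)
                : new String(bytes, StandardCharsets.UTF_8);
    }

    /**
     * Logs a warning when an asymmetric algorithm is requested but the SDK on the classpath
     * does not provide the algorithm type. Does not reject the request.
     *
     * @param str encryption algorithm name to check
     */
    private void checkAlgorithm(String str) {
        if (!isAsymmetricEncryption(str) || IS_ALGORITHM_AVAILABLE) {
            return;
        }
        this.log.warn("Asymmetric encryption '{}' has been configured,but the version of aws-java-sdk you are using is outdated and does not support it. Please upgrade to a more recent version.", str);
    }

    /**
     * Treats every algorithm name other than {@code SYMMETRIC_DEFAULT} as asymmetric.
     *
     * @param str algorithm name; must not be null
     */
    private static boolean isAsymmetricEncryption(String str) {
        return !str.equals("SYMMETRIC_DEFAULT");
    }

    static {
        // Feature detection: probe for the SDK class instead of linking against it, so the
        // encryptor still loads with SDK versions that predate it.
        boolean available;
        try {
            Class.forName("com.amazonaws.services.kms.model.EncryptionAlgorithmSpec");
            available = true;
        } catch (Exception ignored) {
            // Class is absent (or not loadable): fall back to requests without an algorithm.
            available = false;
        }
        IS_ALGORITHM_AVAILABLE = available;
    }
}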
