package io.confluent.dekregistry.storage;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.google.common.collect.Multimaps;
import com.google.common.collect.SetMultimap;
import com.google.common.collect.TreeMultimap;
import com.google.crypto.tink.Aead;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import io.confluent.dekregistry.client.rest.entities.CreateDekRequest;
import io.confluent.dekregistry.client.rest.entities.CreateKekRequest;
import io.confluent.dekregistry.client.rest.entities.Dek;
import io.confluent.dekregistry.client.rest.entities.Kek;
import io.confluent.dekregistry.client.rest.entities.KeyType;
import io.confluent.dekregistry.client.rest.entities.UpdateKekRequest;
import io.confluent.dekregistry.metrics.MetricsManager;
import io.confluent.dekregistry.storage.exceptions.AlreadyExistsException;
import io.confluent.dekregistry.storage.exceptions.DekGenerationException;
import io.confluent.dekregistry.storage.exceptions.InvalidKeyException;
import io.confluent.dekregistry.storage.exceptions.KeyNotSoftDeletedException;
import io.confluent.dekregistry.storage.exceptions.KeyReferenceExistsException;
import io.confluent.dekregistry.storage.exceptions.KeySoftDeletedException;
import io.confluent.dekregistry.storage.exceptions.TooManyKeysException;
import io.confluent.dekregistry.storage.serialization.EncryptionKeyIdSerde;
import io.confluent.dekregistry.storage.serialization.EncryptionKeySerde;
import io.confluent.dekregistry.storage.utils.CompositeCacheUpdateHandler;
import io.confluent.dekregistry.web.rest.handlers.EncryptionUpdateRequestHandler;
import io.confluent.kafka.schemaregistry.client.rest.RestService;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
import io.confluent.kafka.schemaregistry.client.rest.utils.UrlList;
import io.confluent.kafka.schemaregistry.encryption.tink.Cryptor;
import io.confluent.kafka.schemaregistry.encryption.tink.DekFormat;
import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException;
import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryRequestForwardingException;
import io.confluent.kafka.schemaregistry.exceptions.UnknownLeaderException;
import io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry;
import io.confluent.kafka.schemaregistry.storage.Mode;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.kafka.schemaregistry.utils.JacksonMapper;
import io.confluent.rest.RestConfigException;
import io.confluent.rest.exceptions.RestException;
import io.kcache.Cache;
import io.kcache.CacheUpdateHandler;
import io.kcache.KafkaCache;
import io.kcache.KafkaCacheConfig;
import io.kcache.KeyValue;
import io.kcache.KeyValueIterator;
import io.kcache.exceptions.CacheInitializationException;
import io.kcache.utils.Caches;
import io.kcache.utils.InMemoryCache;
import java.io.Closeable;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.ws.rs.core.UriBuilder;
import org.apache.kafka.common.serialization.Serde;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:io/confluent/dekregistry/storage/DekRegistry.class */
public class DekRegistry implements Closeable {
    public static final int LATEST_VERSION = -1;
    public static final int MIN_VERSION = 1;
    public static final String X_FORWARD_HEADER = "X-Forward";
    public static final String AWS_KMS = "aws-kms";
    public static final String AZURE_KMS = "azure-kms";
    public static final String GCP_KMS = "gcp-kms";
    private final KafkaSchemaRegistry schemaRegistry;
    private final MetricsManager metricsManager;
    private final DekRegistryConfig config;
    final Cache<EncryptionKeyId, EncryptionKey> keys;
    private final SetMultimap<String, KeyEncryptionKeyId> sharedKeys;
    private final Map<DekFormat, Cryptor> cryptors;
    private final Map<String, Lock> tenantToLock = new ConcurrentHashMap();
    private final AtomicBoolean initialized = new AtomicBoolean();
    private final CountDownLatch initLatch = new CountDownLatch(1);
    private static final Logger log = LoggerFactory.getLogger(DekRegistry.class);
    public static final byte[] EMPTY_AAD = new byte[0];
    private static final TypeReference<Kek> KEK_TYPE = new TypeReference<Kek>() { // from class: io.confluent.dekregistry.storage.DekRegistry.1
    };
    private static final TypeReference<Dek> DEK_TYPE = new TypeReference<Dek>() { // from class: io.confluent.dekregistry.storage.DekRegistry.2
    };
    private static final TypeReference<Void> VOID_TYPE = new TypeReference<Void>() { // from class: io.confluent.dekregistry.storage.DekRegistry.3
    };

    @Inject
    public DekRegistry(SchemaRegistry schemaRegistry, MetricsManager metricsManager) {
        try {
            this.schemaRegistry = (KafkaSchemaRegistry) schemaRegistry;
            this.schemaRegistry.addUpdateRequestHandler(new EncryptionUpdateRequestHandler());
            this.metricsManager = metricsManager;
            this.config = new DekRegistryConfig(schemaRegistry.config().originalProperties());
            this.keys = createCache(new EncryptionKeyIdSerde(), new EncryptionKeySerde(), this.config.topic(), getCacheUpdateHandler(this.config));
            this.sharedKeys = Multimaps.synchronizedSetMultimap(TreeMultimap.create());
            this.cryptors = new ConcurrentHashMap();
        } catch (RestConfigException e) {
            throw new IllegalArgumentException("Could not instantiate DekRegistry", e);
        }
    }

    public KafkaSchemaRegistry getSchemaRegistry() {
        return this.schemaRegistry;
    }

    public MetricsManager getMetricsManager() {
        return this.metricsManager;
    }

    protected <K, V> Cache<K, V> createCache(Serde<K> serde, Serde<V> serde2, String str, CacheUpdateHandler<K, V> cacheUpdateHandler) throws CacheInitializationException {
        Cache<K, V> concurrentCache = Caches.concurrentCache(new KafkaCache(new KafkaCacheConfig(getKafkaCacheProperties(str)), serde, serde2, cacheUpdateHandler, new InMemoryCache()));
        getSchemaRegistry().addLeaderChangeListener(bool -> {
            if (bool.booleanValue()) {
                concurrentCache.reset();
                concurrentCache.sync();
            }
        });
        return concurrentCache;
    }

    private Properties getKafkaCacheProperties(String str) {
        Properties properties = new Properties();
        properties.putAll(this.schemaRegistry.config().originalProperties());
        Set<String> stringPropertyNames = properties.stringPropertyNames();
        for (String str2 : stringPropertyNames) {
            if (str2.startsWith("kafkastore.")) {
                String replace = str2.replace("kafkastore", "kafkacache");
                if (!stringPropertyNames.contains(replace)) {
                    properties.put(replace, properties.get(str2));
                }
            }
        }
        properties.put("kafkacache.topic", str);
        return properties;
    }

    private CacheUpdateHandler<EncryptionKeyId, EncryptionKey> getCacheUpdateHandler(DekRegistryConfig dekRegistryConfig) {
        Map originalsWithPrefix = dekRegistryConfig.originalsWithPrefix("dek.registry.update.handlers.");
        originalsWithPrefix.put(DekCacheUpdateHandler.DEK_REGISTRY, this);
        List configuredInstances = dekRegistryConfig.getConfiguredInstances(DekRegistryConfig.DEK_REGISTRY_UPDATE_HANDLERS_CONFIG, DekCacheUpdateHandler.class, originalsWithPrefix);
        DefaultDekCacheUpdateHandler defaultDekCacheUpdateHandler = new DefaultDekCacheUpdateHandler(this);
        Iterator it = configuredInstances.iterator();
        while (it.hasNext()) {
            log.info("Registering custom cache handler: {}", ((DekCacheUpdateHandler) it.next()).getClass().getName());
        }
        configuredInstances.add(defaultDekCacheUpdateHandler);
        return new CompositeCacheUpdateHandler(configuredInstances);
    }

    public Cache<EncryptionKeyId, EncryptionKey> keys() {
        return this.keys;
    }

    public DekRegistryConfig config() {
        return this.config;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SetMultimap<String, KeyEncryptionKeyId> getSharedKeys() {
        return this.sharedKeys;
    }

    protected Cryptor getCryptor(DekFormat dekFormat) {
        return this.cryptors.computeIfAbsent(dekFormat, dekFormat2 -> {
            try {
                return new Cryptor(dekFormat);
            } catch (GeneralSecurityException e) {
                log.error("Invalid format {}", dekFormat);
                throw new IllegalArgumentException("Invalid format " + dekFormat, e);
            }
        });
    }

    @PostConstruct
    public void init() {
        if (this.initialized.get()) {
            return;
        }
        this.keys.init();
        if (!this.initialized.compareAndSet(false, true)) {
            throw new IllegalStateException("DekRegistry was already initialized");
        }
        this.initLatch.countDown();
    }

    public void waitForInit() throws InterruptedException {
        this.initLatch.await();
    }

    public boolean initialized() {
        return this.initialized.get();
    }

    public boolean isLeader() {
        return this.schemaRegistry.isLeader();
    }

    private boolean isLeader(Map<String, String> map) {
        String str = map.get(X_FORWARD_HEADER);
        return isLeader() && (str == null || Boolean.parseBoolean(str));
    }

    protected Lock lockFor(String str) {
        return this.tenantToLock.computeIfAbsent(str, str2 -> {
            return new ReentrantLock();
        });
    }

    private void lock(String str, Map<String, String> map) {
        String str2 = map.get(X_FORWARD_HEADER);
        if (str2 == null || Boolean.parseBoolean(str2)) {
            lockFor(str).lock();
        }
    }

    private void unlock(String str) {
        if (((ReentrantLock) lockFor(str)).isHeldByCurrentThread()) {
            lockFor(str).unlock();
        }
    }

    public List<String> getKekNames(boolean z) {
        return (List) getKeks(this.schemaRegistry.tenant(), z).stream().map(keyValue -> {
            return ((KeyEncryptionKeyId) keyValue.key).getName();
        }).collect(Collectors.toList());
    }

    protected List<KeyValue<EncryptionKeyId, EncryptionKey>> getKeks(String str, boolean z) {
        ArrayList arrayList = new ArrayList();
        KeyValueIterator range = keys().range(new KeyEncryptionKeyId(str, String.valueOf((char) 0)), true, new KeyEncryptionKeyId(str, String.valueOf((char) 65535)), false);
        while (range.hasNext()) {
            try {
                KeyValue keyValue = (KeyValue) range.next();
                if (!((EncryptionKey) keyValue.value).isDeleted() || z) {
                    arrayList.add(keyValue);
                }
            } catch (Throwable th) {
                if (range != null) {
                    try {
                        range.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        if (range != null) {
            range.close();
        }
        return arrayList;
    }

    public KeyEncryptionKey getKek(String str, boolean z) {
        KeyEncryptionKey keyEncryptionKey = (KeyEncryptionKey) this.keys.get(new KeyEncryptionKeyId(this.schemaRegistry.tenant(), str));
        if (keyEncryptionKey == null) {
            return null;
        }
        if (!keyEncryptionKey.isDeleted() || z) {
            return keyEncryptionKey;
        }
        return null;
    }

    public List<String> getDekSubjects(String str, boolean z) {
        return (List) getDeks(this.schemaRegistry.tenant(), str, z).stream().map(keyValue -> {
            return ((DataEncryptionKeyId) keyValue.key).getSubject();
        }).sorted().distinct().collect(Collectors.toList());
    }

    public List<Integer> getDekVersions(String str, String str2, DekFormat dekFormat, boolean z) {
        return (List) getDeks(this.schemaRegistry.tenant(), str, str2, dekFormat, z).stream().map(keyValue -> {
            return Integer.valueOf(((DataEncryptionKeyId) keyValue.key).getVersion());
        }).collect(Collectors.toList());
    }

    protected List<KeyValue<EncryptionKeyId, EncryptionKey>> getDeks(String str, String str2, boolean z) {
        ArrayList arrayList = new ArrayList();
        KeyValueIterator range = keys().range(new DataEncryptionKeyId(str, str2, String.valueOf((char) 0), DekFormat.AES128_GCM, 1), true, new DataEncryptionKeyId(str, str2, String.valueOf((char) 65535), DekFormat.AES256_SIV, Integer.MAX_VALUE), false);
        while (range.hasNext()) {
            try {
                KeyValue keyValue = (KeyValue) range.next();
                if (!((EncryptionKey) keyValue.value).isDeleted() || z) {
                    arrayList.add(keyValue);
                }
            } catch (Throwable th) {
                if (range != null) {
                    try {
                        range.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        if (range != null) {
            range.close();
        }
        return arrayList;
    }

    protected List<KeyValue<EncryptionKeyId, EncryptionKey>> getDeks(String str, String str2, String str3, DekFormat dekFormat, boolean z) {
        if (dekFormat == null) {
            dekFormat = DekFormat.AES256_GCM;
        }
        ArrayList arrayList = new ArrayList();
        KeyValueIterator range = keys().range(new DataEncryptionKeyId(str, str2, str3, dekFormat, 1), true, new DataEncryptionKeyId(str, str2, str3, dekFormat, Integer.MAX_VALUE), false);
        while (range.hasNext()) {
            try {
                KeyValue keyValue = (KeyValue) range.next();
                if (!((EncryptionKey) keyValue.value).isDeleted() || z) {
                    arrayList.add(keyValue);
                }
            } catch (Throwable th) {
                if (range != null) {
                    try {
                        range.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        if (range != null) {
            range.close();
        }
        return arrayList;
    }

    public DataEncryptionKey getLatestDek(String str, String str2, DekFormat dekFormat, boolean z) throws SchemaRegistryException {
        List<KeyValue<EncryptionKeyId, EncryptionKey>> deks = getDeks(this.schemaRegistry.tenant(), str, str2, dekFormat, z);
        Collections.reverse(deks);
        if (deks.isEmpty()) {
            return null;
        }
        return (DataEncryptionKey) deks.get(0).value;
    }

    public DataEncryptionKey getDek(String str, String str2, int i, DekFormat dekFormat, boolean z) throws SchemaRegistryException {
        if (i == -1) {
            return getLatestDek(str, str2, dekFormat, z);
        }
        String tenant = this.schemaRegistry.tenant();
        if (dekFormat == null) {
            dekFormat = DekFormat.AES256_GCM;
        }
        DataEncryptionKey dataEncryptionKey = (DataEncryptionKey) this.keys.get(new DataEncryptionKeyId(tenant, str, str2, dekFormat, i));
        if (dataEncryptionKey == null) {
            return null;
        }
        if (dataEncryptionKey.isDeleted() && !z) {
            return null;
        }
        KeyEncryptionKey kek = getKek(dataEncryptionKey.getKekName(), true);
        if (kek.isShared()) {
            dataEncryptionKey = generateRawDek(kek, dataEncryptionKey);
        }
        return dataEncryptionKey;
    }

    public Kek createKekOrForward(CreateKekRequest createKekRequest, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                Kek kekEntity = createKek(createKekRequest).toKekEntity();
                unlock(tenant);
                return kekEntity;
            }
            if (this.schemaRegistry.leaderIdentity() == null) {
                throw new UnknownLeaderException("Request failed since leader is unknown");
            }
            Kek forwardCreateKekRequestToLeader = forwardCreateKekRequestToLeader(createKekRequest, map);
            unlock(tenant);
            return forwardCreateKekRequestToLeader;
        } catch (Throwable th) {
            unlock(tenant);
            throw th;
        }
    }

    private Kek forwardCreateKekRequestToLeader(CreateKekRequest createKekRequest, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        String uri = UriBuilder.fromPath("/dek-registry/v1/keks").build(new Object[0]).toString();
        log.debug(String.format("Forwarding create key request to %s", baseUrls));
        try {
            return (Kek) leaderRestService.httpRequest(uri, "POST", toJson(createKekRequest), map, KEK_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the create key request to %s", baseUrls), e2);
        }
    }

    public KeyEncryptionKey createKek(CreateKekRequest createKekRequest) throws SchemaRegistryException {
        this.keys.sync();
        String tenant = this.schemaRegistry.tenant();
        if (this.metricsManager.getKeyCount(tenant, KeyType.KEK) > this.config.maxKeys()) {
            throw new TooManyKeysException(KeyType.KEK.name());
        }
        KeyEncryptionKey keyEncryptionKey = new KeyEncryptionKey(createKekRequest.getName(), normalizeKmsType(createKekRequest.getKmsType()), createKekRequest.getKmsKeyId(), createKekRequest.getKmsProps() != null ? new TreeMap(createKekRequest.getKmsProps()) : Collections.emptySortedMap(), createKekRequest.getDoc(), createKekRequest.isShared(), createKekRequest.isDeleted());
        KeyEncryptionKeyId keyEncryptionKeyId = new KeyEncryptionKeyId(tenant, createKekRequest.getName());
        KeyEncryptionKey keyEncryptionKey2 = (KeyEncryptionKey) this.keys.get(keyEncryptionKeyId);
        if (keyEncryptionKey2 != null && (createKekRequest.isDeleted() == keyEncryptionKey2.isDeleted() || !keyEncryptionKey2.isEquivalent(keyEncryptionKey))) {
            throw new AlreadyExistsException(createKekRequest.getName());
        }
        this.keys.put(keyEncryptionKeyId, keyEncryptionKey);
        return (KeyEncryptionKey) this.keys.get(keyEncryptionKeyId);
    }

    private String normalizeKmsType(String str) {
        String lowerCase = str.toLowerCase(Locale.ROOT);
        return lowerCase.startsWith("aws") ? AWS_KMS : lowerCase.startsWith("azure") ? AZURE_KMS : lowerCase.startsWith("gcp") ? GCP_KMS : str;
    }

    public Dek createDekOrForward(String str, CreateDekRequest createDekRequest, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                Dek dekEntity = createDek(str, createDekRequest).toDekEntity();
                unlock(tenant);
                return dekEntity;
            }
            if (this.schemaRegistry.leaderIdentity() == null) {
                throw new UnknownLeaderException("Request failed since leader is unknown");
            }
            Dek forwardCreateDekRequestToLeader = forwardCreateDekRequestToLeader(str, createDekRequest, map);
            unlock(tenant);
            return forwardCreateDekRequestToLeader;
        } catch (Throwable th) {
            unlock(tenant);
            throw th;
        }
    }

    private Dek forwardCreateDekRequestToLeader(String str, CreateDekRequest createDekRequest, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        String uri = UriBuilder.fromPath("/dek-registry/v1/keks/{name}/deks").build(new Object[]{str}).toString();
        log.debug(String.format("Forwarding create key request to %s", baseUrls));
        try {
            return (Dek) leaderRestService.httpRequest(uri, "POST", toJson(createDekRequest), map, DEK_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the create key request to %s", baseUrls), e2);
        }
    }

    public DataEncryptionKey createDek(String str, CreateDekRequest createDekRequest) throws SchemaRegistryException {
        this.keys.sync();
        String tenant = this.schemaRegistry.tenant();
        if (this.metricsManager.getKeyCount(tenant, KeyType.DEK) > this.config.maxKeys()) {
            throw new TooManyKeysException(KeyType.DEK.name());
        }
        DekFormat algorithm = createDekRequest.getAlgorithm() != null ? createDekRequest.getAlgorithm() : DekFormat.AES256_GCM;
        int intValue = createDekRequest.getVersion() != null ? createDekRequest.getVersion().intValue() : 1;
        DataEncryptionKey dataEncryptionKey = new DataEncryptionKey(str, createDekRequest.getSubject(), algorithm, intValue, createDekRequest.getEncryptedKeyMaterial(), createDekRequest.isDeleted());
        KeyEncryptionKey kek = getKek(dataEncryptionKey.getKekName(), true);
        if (dataEncryptionKey.getEncryptedKeyMaterial() == null) {
            if (!kek.isShared()) {
                throw new InvalidKeyException("encryptedKeyMaterial");
            }
            dataEncryptionKey = generateEncryptedDek(kek, dataEncryptionKey);
        }
        DataEncryptionKeyId dataEncryptionKeyId = new DataEncryptionKeyId(tenant, str, createDekRequest.getSubject(), algorithm, intValue);
        DataEncryptionKey dataEncryptionKey2 = (DataEncryptionKey) this.keys.get(dataEncryptionKeyId);
        if (dataEncryptionKey2 != null && (createDekRequest.isDeleted() == dataEncryptionKey2.isDeleted() || !dataEncryptionKey2.isEquivalent(dataEncryptionKey))) {
            throw new AlreadyExistsException(createDekRequest.getSubject());
        }
        this.keys.put(dataEncryptionKeyId, dataEncryptionKey);
        DataEncryptionKey dataEncryptionKey3 = (DataEncryptionKey) this.keys.get(dataEncryptionKeyId);
        if (kek.isShared() && this.schemaRegistry.getModeInScope(createDekRequest.getSubject()) != Mode.IMPORT) {
            dataEncryptionKey3 = generateRawDek(kek, dataEncryptionKey3);
        }
        return dataEncryptionKey3;
    }

    protected DataEncryptionKey generateEncryptedDek(KeyEncryptionKey keyEncryptionKey, DataEncryptionKey dataEncryptionKey) throws DekGenerationException {
        try {
            dataEncryptionKey = new DataEncryptionKey(dataEncryptionKey.getKekName(), dataEncryptionKey.getSubject(), dataEncryptionKey.getAlgorithm(), dataEncryptionKey.getVersion(), new String(Base64.getEncoder().encode(getAead(keyEncryptionKey).encrypt(getCryptor(dataEncryptionKey.getAlgorithm()).generateKey(), EMPTY_AAD)), StandardCharsets.UTF_8), dataEncryptionKey.isDeleted());
            return dataEncryptionKey;
        } catch (GeneralSecurityException e) {
            log.error("Could not generate encrypted dek for " + dataEncryptionKey.getSubject(), e);
            throw new DekGenerationException("Could not generate encrypted dek for " + dataEncryptionKey.getSubject());
        }
    }

    protected DataEncryptionKey generateRawDek(KeyEncryptionKey keyEncryptionKey, DataEncryptionKey dataEncryptionKey) throws DekGenerationException {
        try {
            String str = new String(Base64.getEncoder().encode(getAead(keyEncryptionKey).decrypt(Base64.getDecoder().decode(dataEncryptionKey.getEncryptedKeyMaterial().getBytes(StandardCharsets.UTF_8)), EMPTY_AAD)), StandardCharsets.UTF_8);
            DataEncryptionKey dataEncryptionKey2 = new DataEncryptionKey(dataEncryptionKey.getKekName(), dataEncryptionKey.getSubject(), dataEncryptionKey.getAlgorithm(), dataEncryptionKey.getVersion(), dataEncryptionKey.getEncryptedKeyMaterial(), dataEncryptionKey.isDeleted());
            dataEncryptionKey2.setKeyMaterial(str);
            dataEncryptionKey2.setTimestamp(dataEncryptionKey.getTimestamp());
            return dataEncryptionKey2;
        } catch (GeneralSecurityException e) {
            log.error("Could not generate raw dek for " + dataEncryptionKey.getSubject(), e);
            throw new DekGenerationException("Could not generate raw dek for " + dataEncryptionKey.getSubject());
        }
    }

    protected Aead getAead(KeyEncryptionKey keyEncryptionKey) throws GeneralSecurityException {
        return keyEncryptionKey.toKekEntity().toAead(this.config.originals());
    }

    public Kek putKekOrForward(String str, UpdateKekRequest updateKekRequest, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                KeyEncryptionKey putKek = putKek(str, updateKekRequest);
                return putKek != null ? putKek.toKekEntity() : null;
            }
            if (this.schemaRegistry.leaderIdentity() == null) {
                throw new UnknownLeaderException("Request failed since leader is unknown");
            }
            Kek forwardPutKekRequestToLeader = forwardPutKekRequestToLeader(str, updateKekRequest, map);
            unlock(tenant);
            return forwardPutKekRequestToLeader;
        } finally {
            unlock(tenant);
        }
    }

    private Kek forwardPutKekRequestToLeader(String str, UpdateKekRequest updateKekRequest, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        String uri = UriBuilder.fromPath("/dek-registry/v1/keks/{name}").build(new Object[]{str}).toString();
        log.debug(String.format("Forwarding put key request to %s", baseUrls));
        try {
            return (Kek) leaderRestService.httpRequest(uri, "PUT", toJson(updateKekRequest), map, KEK_TYPE);
        } catch (IOException e) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the put key request to %s", baseUrls), e);
        } catch (RestClientException e2) {
            throw new RestException(e2.getMessage(), e2.getStatus(), e2.getErrorCode(), e2);
        }
    }

    public KeyEncryptionKey putKek(String str, UpdateKekRequest updateKekRequest) throws SchemaRegistryException {
        this.keys.sync();
        KeyEncryptionKeyId keyEncryptionKeyId = new KeyEncryptionKeyId(this.schemaRegistry.tenant(), str);
        KeyEncryptionKey keyEncryptionKey = (KeyEncryptionKey) this.keys.get(keyEncryptionKeyId);
        if (keyEncryptionKey == null || keyEncryptionKey.isDeleted()) {
            return null;
        }
        KeyEncryptionKey keyEncryptionKey2 = new KeyEncryptionKey(str, keyEncryptionKey.getKmsType(), keyEncryptionKey.getKmsKeyId(), updateKekRequest.getKmsProps() != null ? new TreeMap(updateKekRequest.getKmsProps()) : Collections.emptySortedMap(), updateKekRequest.getDoc() != null ? updateKekRequest.getDoc() : keyEncryptionKey.getDoc(), updateKekRequest.isShared() != null ? updateKekRequest.isShared().booleanValue() : keyEncryptionKey.isShared(), false);
        if (keyEncryptionKey2.isEquivalent(keyEncryptionKey)) {
            return keyEncryptionKey;
        }
        this.keys.put(keyEncryptionKeyId, keyEncryptionKey2);
        return (KeyEncryptionKey) this.keys.get(keyEncryptionKeyId);
    }

    public void deleteKekOrForward(String str, boolean z, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                deleteKek(str, z);
            } else {
                if (this.schemaRegistry.leaderIdentity() == null) {
                    throw new UnknownLeaderException("Request failed since leader is unknown");
                }
                forwardDeleteKekRequestToLeader(str, z, map);
            }
        } finally {
            unlock(tenant);
        }
    }

    private void forwardDeleteKekRequestToLeader(String str, boolean z, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        String uri = UriBuilder.fromPath("/dek-registry/v1/keks/{name}").queryParam("permanent", new Object[]{Boolean.valueOf(z)}).build(new Object[]{str}).toString();
        log.debug(String.format("Forwarding delete key request to %s", baseUrls));
        try {
            leaderRestService.httpRequest(uri, "DELETE", (byte[]) null, map, VOID_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the delete key request to %s", baseUrls), e2);
        }
    }

    public void deleteKek(String str, boolean z) throws SchemaRegistryException {
        this.keys.sync();
        String tenant = this.schemaRegistry.tenant();
        if (!getDeks(tenant, str, z).isEmpty()) {
            throw new KeyReferenceExistsException(str);
        }
        KeyEncryptionKeyId keyEncryptionKeyId = new KeyEncryptionKeyId(tenant, str);
        KeyEncryptionKey keyEncryptionKey = (KeyEncryptionKey) this.keys.get(keyEncryptionKeyId);
        if (keyEncryptionKey == null) {
            return;
        }
        if (z) {
            if (!keyEncryptionKey.isDeleted()) {
                throw new KeyNotSoftDeletedException(str);
            }
            this.keys.remove(keyEncryptionKeyId);
        } else {
            if (keyEncryptionKey.isDeleted()) {
                return;
            }
            this.keys.put(keyEncryptionKeyId, new KeyEncryptionKey(str, keyEncryptionKey.getKmsType(), keyEncryptionKey.getKmsKeyId(), keyEncryptionKey.getKmsProps(), keyEncryptionKey.getDoc(), keyEncryptionKey.isShared(), true));
        }
    }

    public void deleteDekOrForward(String str, String str2, DekFormat dekFormat, boolean z, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                deleteDek(str, str2, dekFormat, z);
            } else {
                if (this.schemaRegistry.leaderIdentity() == null) {
                    throw new UnknownLeaderException("Request failed since leader is unknown");
                }
                forwardDeleteDekRequestToLeader(str, str2, dekFormat, z, map);
            }
        } finally {
            unlock(tenant);
        }
    }

    private void forwardDeleteDekRequestToLeader(String str, String str2, DekFormat dekFormat, boolean z, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        UriBuilder queryParam = UriBuilder.fromPath("/dek-registry/v1/keks/{name}/deks/{subject}").queryParam("permanent", new Object[]{Boolean.valueOf(z)});
        if (dekFormat != null) {
            queryParam = queryParam.queryParam("algorithm", new Object[]{dekFormat.name()});
        }
        String uri = queryParam.build(new Object[]{str, str2}).toString();
        log.debug(String.format("Forwarding delete key request to %s", baseUrls));
        try {
            leaderRestService.httpRequest(uri, "DELETE", (byte[]) null, map, VOID_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the delete key request to %s", baseUrls), e2);
        }
    }

    public void deleteDek(String str, String str2, DekFormat dekFormat, boolean z) throws SchemaRegistryException {
        this.keys.sync();
        List<KeyValue<EncryptionKeyId, EncryptionKey>> deks = getDeks(this.schemaRegistry.tenant(), str, str2, dekFormat, z);
        if (!z) {
            for (KeyValue<EncryptionKeyId, EncryptionKey> keyValue : deks) {
                if (!((EncryptionKey) keyValue.value).isDeleted()) {
                    DataEncryptionKeyId dataEncryptionKeyId = (DataEncryptionKeyId) keyValue.key;
                    DataEncryptionKey dataEncryptionKey = (DataEncryptionKey) keyValue.value;
                    this.keys.put(dataEncryptionKeyId, new DataEncryptionKey(str, dataEncryptionKey.getSubject(), dataEncryptionKey.getAlgorithm(), dataEncryptionKey.getVersion(), dataEncryptionKey.getEncryptedKeyMaterial(), true));
                }
            }
            return;
        }
        for (KeyValue<EncryptionKeyId, EncryptionKey> keyValue2 : deks) {
            if (!((EncryptionKey) keyValue2.value).isDeleted()) {
                throw new KeyNotSoftDeletedException(((DataEncryptionKeyId) keyValue2.key).getSubject());
            }
        }
        Iterator<KeyValue<EncryptionKeyId, EncryptionKey>> it = deks.iterator();
        while (it.hasNext()) {
            this.keys.remove((DataEncryptionKeyId) it.next().key);
        }
    }

    public void deleteDekVersionOrForward(String str, String str2, int i, DekFormat dekFormat, boolean z, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                deleteDekVersion(str, str2, i, dekFormat, z);
            } else {
                if (this.schemaRegistry.leaderIdentity() == null) {
                    throw new UnknownLeaderException("Request failed since leader is unknown");
                }
                forwardDeleteDekVersionRequestToLeader(str, str2, i, dekFormat, z, map);
            }
        } finally {
            unlock(tenant);
        }
    }

    private void forwardDeleteDekVersionRequestToLeader(String str, String str2, int i, DekFormat dekFormat, boolean z, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        UriBuilder queryParam = UriBuilder.fromPath("/dek-registry/v1/keks/{name}/deks/{subject}/versions/{version}").queryParam("permanent", new Object[]{Boolean.valueOf(z)});
        if (dekFormat != null) {
            queryParam = queryParam.queryParam("algorithm", new Object[]{dekFormat.name()});
        }
        String uri = queryParam.build(new Object[]{str, str2, Integer.valueOf(i)}).toString();
        log.debug(String.format("Forwarding delete key version request to %s", baseUrls));
        try {
            leaderRestService.httpRequest(uri, "DELETE", (byte[]) null, map, VOID_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the delete key version request to %s", baseUrls), e2);
        }
    }

    public void deleteDekVersion(String str, String str2, int i, DekFormat dekFormat, boolean z) throws SchemaRegistryException {
        this.keys.sync();
        if (dekFormat == null) {
            dekFormat = DekFormat.AES256_GCM;
        }
        DataEncryptionKeyId dataEncryptionKeyId = new DataEncryptionKeyId(this.schemaRegistry.tenant(), str, str2, dekFormat, i);
        DataEncryptionKey dataEncryptionKey = (DataEncryptionKey) this.keys.get(dataEncryptionKeyId);
        if (dataEncryptionKey == null) {
            return;
        }
        if (z) {
            if (!dataEncryptionKey.isDeleted()) {
                throw new KeyNotSoftDeletedException(str2);
            }
            this.keys.remove(dataEncryptionKeyId);
        } else {
            if (dataEncryptionKey.isDeleted()) {
                return;
            }
            this.keys.put(dataEncryptionKeyId, new DataEncryptionKey(str, dataEncryptionKey.getSubject(), dataEncryptionKey.getAlgorithm(), dataEncryptionKey.getVersion(), dataEncryptionKey.getEncryptedKeyMaterial(), true));
        }
    }

    public void undeleteKekOrForward(String str, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                undeleteKek(str);
            } else {
                if (this.schemaRegistry.leaderIdentity() == null) {
                    throw new UnknownLeaderException("Request failed since leader is unknown");
                }
                forwardUndeleteKekRequestToLeader(str, map);
            }
        } finally {
            unlock(tenant);
        }
    }

    private void forwardUndeleteKekRequestToLeader(String str, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        String uri = UriBuilder.fromPath("/dek-registry/v1/keks/{name}/undelete").build(new Object[]{str}).toString();
        log.debug(String.format("Forwarding undelete key request to %s", baseUrls));
        try {
            leaderRestService.httpRequest(uri, "POST", (byte[]) null, map, VOID_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the undelete key request to %s", baseUrls), e2);
        }
    }

    public void undeleteKek(String str) throws SchemaRegistryException {
        this.keys.sync();
        KeyEncryptionKeyId keyEncryptionKeyId = new KeyEncryptionKeyId(this.schemaRegistry.tenant(), str);
        KeyEncryptionKey keyEncryptionKey = (KeyEncryptionKey) this.keys.get(keyEncryptionKeyId);
        if (keyEncryptionKey != null && keyEncryptionKey.isDeleted()) {
            this.keys.put(keyEncryptionKeyId, new KeyEncryptionKey(str, keyEncryptionKey.getKmsType(), keyEncryptionKey.getKmsKeyId(), keyEncryptionKey.getKmsProps(), keyEncryptionKey.getDoc(), keyEncryptionKey.isShared(), false));
        }
    }

    public void undeleteDekOrForward(String str, String str2, DekFormat dekFormat, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                undeleteDek(str, str2, dekFormat);
            } else {
                if (this.schemaRegistry.leaderIdentity() == null) {
                    throw new UnknownLeaderException("Request failed since leader is unknown");
                }
                forwardUndeleteDekRequestToLeader(str, str2, dekFormat, map);
            }
        } finally {
            unlock(tenant);
        }
    }

    private void forwardUndeleteDekRequestToLeader(String str, String str2, DekFormat dekFormat, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        UriBuilder fromPath = UriBuilder.fromPath("/dek-registry/v1/keks/{name}/deks/{subject}/undelete");
        if (dekFormat != null) {
            fromPath = fromPath.queryParam("algorithm", new Object[]{dekFormat.name()});
        }
        String uri = fromPath.build(new Object[]{str, str2}).toString();
        log.debug(String.format("Forwarding undelete key request to %s", baseUrls));
        try {
            leaderRestService.httpRequest(uri, "POST", (byte[]) null, map, VOID_TYPE);
        } catch (RestClientException e) {
            throw new RestException(e.getMessage(), e.getStatus(), e.getErrorCode(), e);
        } catch (IOException e2) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the undelete key request to %s", baseUrls), e2);
        }
    }

    public void undeleteDek(String str, String str2, DekFormat dekFormat) throws SchemaRegistryException {
        this.keys.sync();
        String tenant = this.schemaRegistry.tenant();
        KeyEncryptionKey keyEncryptionKey = (KeyEncryptionKey) this.keys.get(new KeyEncryptionKeyId(tenant, str));
        if (keyEncryptionKey == null) {
            return;
        }
        if (keyEncryptionKey.isDeleted()) {
            throw new KeySoftDeletedException(str);
        }
        for (KeyValue<EncryptionKeyId, EncryptionKey> keyValue : getDeks(tenant, str, str2, dekFormat, true)) {
            DataEncryptionKeyId dataEncryptionKeyId = (DataEncryptionKeyId) keyValue.key;
            DataEncryptionKey dataEncryptionKey = (DataEncryptionKey) keyValue.value;
            if (dataEncryptionKey.isDeleted()) {
                this.keys.put(dataEncryptionKeyId, new DataEncryptionKey(str, dataEncryptionKey.getSubject(), dataEncryptionKey.getAlgorithm(), dataEncryptionKey.getVersion(), dataEncryptionKey.getEncryptedKeyMaterial(), false));
            }
        }
    }

    public void undeleteDekVersionOrForward(String str, String str2, int i, DekFormat dekFormat, Map<String, String> map) throws SchemaRegistryException {
        String tenant = this.schemaRegistry.tenant();
        lock(tenant, map);
        try {
            if (isLeader(map)) {
                undeleteDekVersion(str, str2, i, dekFormat);
            } else {
                if (this.schemaRegistry.leaderIdentity() == null) {
                    throw new UnknownLeaderException("Request failed since leader is unknown");
                }
                forwardUndeleteDekVersionRequestToLeader(str, str2, i, dekFormat, map);
            }
        } finally {
            unlock(tenant);
        }
    }

    private void forwardUndeleteDekVersionRequestToLeader(String str, String str2, int i, DekFormat dekFormat, Map<String, String> map) throws SchemaRegistryRequestForwardingException {
        RestService leaderRestService = this.schemaRegistry.leaderRestService();
        UrlList baseUrls = leaderRestService.getBaseUrls();
        UriBuilder fromPath = UriBuilder.fromPath("/dek-registry/v1/keks/{name}/deks/{subject}/versions/{version}/undelete");
        if (dekFormat != null) {
            fromPath = fromPath.queryParam("algorithm", new Object[]{dekFormat.name()});
        }
        String uri = fromPath.build(new Object[]{str, str2, Integer.valueOf(i)}).toString();
        log.debug(String.format("Forwarding undelete key version request to %s", baseUrls));
        try {
            leaderRestService.httpRequest(uri, "POST", (byte[]) null, map, VOID_TYPE);
        } catch (IOException e) {
            throw new SchemaRegistryRequestForwardingException(String.format("Unexpected error while forwarding the undelete key version request to %s", baseUrls), e);
        } catch (RestClientException e2) {
            throw new RestException(e2.getMessage(), e2.getStatus(), e2.getErrorCode(), e2);
        }
    }

    public void undeleteDekVersion(String str, String str2, int i, DekFormat dekFormat) throws SchemaRegistryException {
        this.keys.sync();
        if (dekFormat == null) {
            dekFormat = DekFormat.AES256_GCM;
        }
        String tenant = this.schemaRegistry.tenant();
        KeyEncryptionKey keyEncryptionKey = (KeyEncryptionKey) this.keys.get(new KeyEncryptionKeyId(tenant, str));
        if (keyEncryptionKey == null) {
            return;
        }
        if (keyEncryptionKey.isDeleted()) {
            throw new KeySoftDeletedException(str);
        }
        DataEncryptionKeyId dataEncryptionKeyId = new DataEncryptionKeyId(tenant, str, str2, dekFormat, i);
        DataEncryptionKey dataEncryptionKey = (DataEncryptionKey) this.keys.get(dataEncryptionKeyId);
        if (dataEncryptionKey != null && dataEncryptionKey.isDeleted()) {
            this.keys.put(dataEncryptionKeyId, new DataEncryptionKey(str, dataEncryptionKey.getSubject(), dataEncryptionKey.getAlgorithm(), dataEncryptionKey.getVersion(), dataEncryptionKey.getEncryptedKeyMaterial(), false));
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    @PreDestroy
    public void close() throws IOException {
        log.info("Shutting down dek registry");
        if (this.keys != null) {
            this.keys.close();
        }
    }

    private static byte[] toJson(Object obj) throws JsonProcessingException {
        return JacksonMapper.INSTANCE.writeValueAsBytes(obj);
    }
}
