package io.confluent.kafka.schemaregistry.encryption.hcvault;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import io.confluent.kafka.schemaregistry.encryption.FieldEncryptionExecutor;
import io.confluent.kafka.schemaregistry.encryption.FieldEncryptionProperties;
import io.github.jopenlibs.vault.api.Logical;
import io.github.jopenlibs.vault.response.LogicalResponse;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/hcvault/HcVaultFieldEncryptionProperties.class */
public class HcVaultFieldEncryptionProperties extends FieldEncryptionProperties {
    public HcVaultFieldEncryptionProperties(List<String> list) {
        super(list);
    }

    public HcVaultFieldEncryptionProperties(List<String> list, Class<?> cls) {
        super(list, cls);
    }

    public String getKmsType() {
        return "hcvault";
    }

    public String getKmsKeyId() {
        return "http://127.0.0.1:8200/transit/keys/my-key";
    }

    public Map<String, Object> getClientProperties(String str) throws Exception {
        List<String> ruleNames = getRuleNames();
        HashMap hashMap = new HashMap();
        hashMap.put("schema.registry.url", str);
        hashMap.put("auto.register.schemas", "false");
        hashMap.put("use.latest.version", "true");
        hashMap.put("latest.cache.ttl.sec", "60");
        hashMap.put("rule.executors", String.join(",", ruleNames));
        for (String str2 : ruleNames) {
            hashMap.put("rule.executors." + str2 + ".class", getRuleExecutor().getName());
            hashMap.put("rule.executors." + str2 + ".param.token.id", "dev-only-token");
            hashMap.put("rule.executors." + str2 + ".param.test.client", getTestClient());
        }
        return hashMap;
    }

    public Object getTestClient() throws Exception {
        return mockClient(getKmsKeyId());
    }

    static Logical mockClient(String str) throws Exception {
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM")).getPrimitive(Aead.class);
        HashMap hashMap = new HashMap();
        LogicalResponse logicalResponse = (LogicalResponse) Mockito.mock(LogicalResponse.class);
        Mockito.when(logicalResponse.getData()).thenReturn(hashMap);
        Logical logical = (Logical) Mockito.mock(Logical.class);
        Mockito.when(logical.write((String) ArgumentMatchers.any(String.class), (Map) ArgumentMatchers.any(Map.class))).thenAnswer(invocationOnMock -> {
            Map map = (Map) invocationOnMock.getArgument(1);
            if (map.containsKey("plaintext")) {
                hashMap.put("ciphertext", Base64.getEncoder().encodeToString(aead.encrypt(Base64.getDecoder().decode((String) map.get("plaintext")), FieldEncryptionExecutor.EMPTY_AAD)));
            } else {
                hashMap.put("plaintext", Base64.getEncoder().encodeToString(aead.decrypt(Base64.getDecoder().decode((String) map.get("ciphertext")), FieldEncryptionExecutor.EMPTY_AAD)));
            }
            return logicalResponse;
        });
        return logical;
    }
}
