package com.yahoo.athenz.auth.impl.aws;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.services.s3.model.S3ObjectInputStream;
import com.yahoo.athenz.auth.PrivateKeyStore;
import com.yahoo.athenz.auth.ServerPrivateKey;
import com.yahoo.athenz.auth.util.Crypto;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.Locale;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/aws/AwsPrivateKeyStore.class */
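/**
 * {@link PrivateKeyStore} backed by AWS S3, with optional AWS KMS decryption of
 * the stored objects.
 *
 * <p>Server private keys and their key ids are read from an S3 bucket whose name
 * comes from a system property ({@code athenz.aws.zms.bucket_name} or
 * {@code athenz.aws.zts.bucket_name}, chosen by the service name). The object
 * names default to {@code service_private_key} / {@code service_private_key_id}
 * and can be overridden with the {@code athenz.aws.&lt;service&gt;.key_name} and
 * {@code athenz.aws.&lt;service&gt;.key_id_name} properties.
 *
 * <p>When {@code athenz.aws.store_kms_decrypt} is {@code true} (only honoured by
 * the no-argument constructor), every object body read from S3 is treated as a
 * KMS ciphertext blob and decrypted with the KMS client before use; otherwise the
 * body is used as-is. Object bodies are decoded as UTF-8 text and trimmed.
 *
 * <p>Thread-safety: the store holds only immutable configuration plus the SDK
 * clients; AWS SDK v1 clients are safe for concurrent use.
 */
public class AwsPrivateKeyStore implements PrivateKeyStore {
    private static final Logger LOG = LoggerFactory.getLogger(AwsPrivateKeyStore.class);
    private static final String ATHENZ_PROP_AWS_S3_REGION = "athenz.aws.s3.region";
    private static final String ATHENZ_PROP_AWS_KMS_DECRYPT = "athenz.aws.store_kms_decrypt";
    private static final String ATHENZ_PROP_AWS_KMS_REGION = "athenz.aws.store_kms_region";
    private static final String ATHENZ_PROP_ZMS_BUCKET_NAME = "athenz.aws.zms.bucket_name";
    private static final String ATHENZ_PROP_ZMS_KEY_NAME = "athenz.aws.zms.key_name";
    private static final String ATHENZ_PROP_ZMS_KEY_ID_NAME = "athenz.aws.zms.key_id_name";
    private static final String ATHENZ_PROP_ZTS_BUCKET_NAME = "athenz.aws.zts.bucket_name";
    private static final String ATHENZ_PROP_ZTS_KEY_NAME = "athenz.aws.zts.key_name";
    private static final String ATHENZ_PROP_ZTS_KEY_ID_NAME = "athenz.aws.zts.key_id_name";
    private static final String ATHENZ_DEFAULT_KEY_NAME = "service_private_key";
    private static final String ATHENZ_DEFAULT_KEY_ID_NAME = "service_private_key_id";
    private static final String ZMS_SERVICE = "zms";
    private static final String ZTS_SERVICE = "zts";
    /** Buffer size used when draining an S3 object body into memory. */
    private static final int READ_BUFFER_SIZE = 1024;

    private final AmazonS3 s3;
    private final AWSKMS kms;
    /** Whether S3 object bodies must be passed through KMS decrypt before use. */
    private final boolean kmsDecrypt;

    /** Bucket and object names resolved for one service from the system properties. */
    private static final class KeyLocation {
        final String bucketName;
        final String keyName;
        final String keyIdName;

        KeyLocation(String bucketName, String keyName, String keyIdName) {
            this.bucketName = bucketName;
            this.keyName = keyName;
            this.keyIdName = keyIdName;
        }
    }

    /**
     * Builds a store with S3 and KMS clients configured from system properties
     * ({@code athenz.aws.s3.region}, {@code athenz.aws.store_kms_region}) and KMS
     * decryption enabled according to {@code athenz.aws.store_kms_decrypt}
     * (default {@code false}).
     */
    public AwsPrivateKeyStore() {
        this(initAmazonS3(), initAWSKMS(),
                Boolean.parseBoolean(System.getProperty(ATHENZ_PROP_AWS_KMS_DECRYPT, "false")));
    }

    /**
     * Builds a store around caller-supplied clients. KMS decryption is left
     * disabled; the {@code athenz.aws.store_kms_decrypt} property is not consulted.
     *
     * @param amazonS3 client used to fetch key objects
     * @param awskms client used for decryption (unused while decryption is disabled)
     */
    public AwsPrivateKeyStore(AmazonS3 amazonS3, AWSKMS awskms) {
        this(amazonS3, awskms, false);
    }

    private AwsPrivateKeyStore(AmazonS3 amazonS3, AWSKMS awskms, boolean kmsDecrypt) {
        this.s3 = amazonS3;
        this.kms = awskms;
        this.kmsDecrypt = kmsDecrypt;
    }

    /**
     * Creates the KMS client, pinned to {@code athenz.aws.store_kms_region} when
     * that property is set and otherwise using the SDK's default region lookup.
     */
    private static AWSKMS initAWSKMS() {
        String region = System.getProperty(ATHENZ_PROP_AWS_KMS_REGION);
        if (StringUtil.isEmpty(region)) {
            return AWSKMSClientBuilder.defaultClient();
        }
        return AWSKMSClientBuilder.standard().withRegion(region).build();
    }

    /**
     * Creates the S3 client, pinned to {@code athenz.aws.s3.region} when that
     * property is set and otherwise using the SDK's default region lookup.
     */
    private static AmazonS3 initAmazonS3() {
        String region = System.getProperty(ATHENZ_PROP_AWS_S3_REGION);
        if (StringUtil.isEmpty(region)) {
            return AmazonS3ClientBuilder.defaultClient();
        }
        return AmazonS3ClientBuilder.standard().withRegion(region).build();
    }

    /**
     * Resolves the bucket and object names for a service from the system properties.
     *
     * @param service {@code "zms"} or {@code "zts"}
     * @param suffix appended to both object names (e.g. {@code ".rsa"}); may be empty
     * @return the resolved location, or {@code null} (after logging) when the service
     *         is unknown or no bucket name property is set
     */
    private static KeyLocation resolveKeyLocation(String service, String suffix) {
        final String bucketName;
        final String keyName;
        final String keyIdName;
        if (ZMS_SERVICE.equals(service)) {
            bucketName = System.getProperty(ATHENZ_PROP_ZMS_BUCKET_NAME);
            keyName = System.getProperty(ATHENZ_PROP_ZMS_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + suffix;
            keyIdName = System.getProperty(ATHENZ_PROP_ZMS_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + suffix;
        } else if (ZTS_SERVICE.equals(service)) {
            bucketName = System.getProperty(ATHENZ_PROP_ZTS_BUCKET_NAME);
            keyName = System.getProperty(ATHENZ_PROP_ZTS_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + suffix;
            keyIdName = System.getProperty(ATHENZ_PROP_ZTS_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + suffix;
        } else {
            LOG.error("Unknown service specified: {}", service);
            return null;
        }
        if (bucketName == null) {
            LOG.error("No bucket name specified with system property");
            return null;
        }
        return new KeyLocation(bucketName, keyName, keyIdName);
    }

    /**
     * Loads the server private key for the given service and algorithm.
     *
     * <p>The object names are suffixed with {@code "." + algorithm} in lower case,
     * so e.g. the RSA key lives in {@code service_private_key.rsa}. Failures while
     * fetching or parsing the key object are logged and turn into a {@code null}
     * result; a failure while fetching the key id object is not caught here.
     *
     * @param service {@code "zms"} or {@code "zts"}
     * @param serverHostName not used by this store
     * @param serverRegion not used by this store
     * @param algorithm key algorithm name used as the object-name suffix
     * @return the key and its id, or {@code null} if the service is unknown, the
     *         bucket is not configured, or the key cannot be loaded
     */
    public ServerPrivateKey getPrivateKey(String service, String serverHostName, String serverRegion,
            String algorithm) {
        // Locale.ROOT keeps the suffix stable regardless of the JVM default locale.
        String suffix = "." + algorithm.toLowerCase(Locale.ROOT);
        KeyLocation location = resolveKeyLocation(service, suffix);
        if (location == null) {
            return null;
        }
        PrivateKey privateKey = null;
        try {
            privateKey = Crypto.loadPrivateKey(getDecryptedData(location.bucketName, location.keyName));
        } catch (Exception e) {
            LOG.error("unable to load private key", e);
        }
        if (privateKey == null) {
            return null;
        }
        return new ServerPrivateKey(privateKey, getDecryptedData(location.bucketName, location.keyIdName));
    }

    /**
     * Loads the server private key for the given service using the un-suffixed
     * object names, and appends the key id to {@code privateKeyId}.
     *
     * <p>Unlike the four-argument overload, errors raised while parsing the key
     * are not caught here and propagate to the caller.
     *
     * @param service {@code "zms"} or {@code "zts"}
     * @param serverHostName not used by this store
     * @param privateKeyId receives the contents of the key id object
     * @return the private key, or {@code null} if the service is unknown or the
     *         bucket is not configured
     */
    public PrivateKey getPrivateKey(String service, String serverHostName, StringBuilder privateKeyId) {
        KeyLocation location = resolveKeyLocation(service, "");
        if (location == null) {
            return null;
        }
        PrivateKey privateKey = Crypto.loadPrivateKey(getDecryptedData(location.bucketName, location.keyName));
        privateKeyId.append(getDecryptedData(location.bucketName, location.keyIdName));
        return privateKey;
    }

    /**
     * Returns the (optionally KMS-decrypted) contents of an S3 object as text.
     *
     * @param appName S3 bucket name
     * @param keyName S3 object key
     * @return the trimmed object contents, or {@code ""} if it could not be read
     */
    public String getApplicationSecret(String appName, String keyName) {
        return getDecryptedData(appName, keyName);
    }

    /**
     * Fetches an S3 object, decrypts it through KMS when enabled, and returns the
     * result as trimmed UTF-8 text.
     *
     * <p>A missing object or an I/O error while reading the body is logged and
     * yields {@code ""}. Exceptions thrown by the S3 or KMS clients themselves
     * (SDK runtime exceptions) are not caught here. The secret ends up in an
     * immutable {@link String}, which cannot be zeroed after use; this is dictated
     * by the {@code String}-returning interface.
     *
     * @param bucketName S3 bucket name
     * @param keyName S3 object key
     */
    private String getDecryptedData(String bucketName, String keyName) {
        String keyValue = "";
        S3Object s3Object = getS3().getObject(bucketName, keyName);
        LOG.debug("retrieving appName {}, key {}", bucketName, keyName);
        if (s3Object == null) {
            LOG.error("error retrieving key {}, from bucket {}", keyName, bucketName);
            return keyValue;
        }
        // try-with-resources closes the S3 stream on every path, including failures,
        // so the underlying HTTP connection is always released.
        try (S3ObjectInputStream s3InputStream = s3Object.getObjectContent();
             ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
            byte[] buffer = new byte[READ_BUFFER_SIZE];
            int read;
            while ((read = s3InputStream.read(buffer)) != -1) {
                outputStream.write(buffer, 0, read);
            }
            if (kmsDecrypt) {
                keyValue = decryptWithKms(outputStream.toByteArray());
            } else {
                // Explicit charset: the platform default is not guaranteed to be UTF-8.
                keyValue = new String(outputStream.toByteArray(), StandardCharsets.UTF_8);
            }
        } catch (IOException e) {
            LOG.error("error getting application secret.", e);
        }
        return keyValue.trim();
    }

    /**
     * Sends a ciphertext blob to KMS and returns the plaintext decoded as UTF-8.
     *
     * @param ciphertext the raw S3 object body
     */
    private String decryptWithKms(byte[] ciphertext) {
        DecryptRequest request = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(ciphertext));
        ByteBuffer plaintext = getKMS().decrypt(request).getPlaintext();
        // Copy exactly the readable bytes: ByteBuffer.array() exposes the whole backing
        // array, which may be larger than the plaintext or start at a non-zero offset.
        byte[] bytes = new byte[plaintext.remaining()];
        plaintext.duplicate().get(bytes);
        return new String(bytes, StandardCharsets.UTF_8);
    }

    /** Package-private accessor, overridable in tests. */
    AmazonS3 getS3() {
        return this.s3;
    }

    /** Package-private accessor, overridable in tests. */
    AWSKMS getKMS() {
        return this.kms;
    }
}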
