package io.kroxylicious.filter.encryption;

import com.fasterxml.jackson.annotation.JsonProperty;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.kroxylicious.filter.encryption.dek.CipherSpec;
import io.kroxylicious.filter.encryption.dek.DekManager;
import io.kroxylicious.filter.encryption.inband.DecryptionDekCache;
import io.kroxylicious.filter.encryption.inband.EncryptionDekCache;
import io.kroxylicious.filter.encryption.inband.InBandDecryptionManager;
import io.kroxylicious.filter.encryption.inband.InBandEncryptionManager;
import io.kroxylicious.kms.service.Kms;
import io.kroxylicious.kms.service.KmsService;
import io.kroxylicious.proxy.filter.FilterFactory;
import io.kroxylicious.proxy.filter.FilterFactoryContext;
import io.kroxylicious.proxy.plugin.Plugin;
import io.kroxylicious.proxy.plugin.PluginConfigurationException;
import io.kroxylicious.proxy.plugin.PluginImplConfig;
import io.kroxylicious.proxy.plugin.PluginImplName;
import io.micrometer.core.instrument.Metrics;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Plugin(configType = Config.class)
/* loaded from: input_file:io/kroxylicious/filter/encryption/RecordEncryption.class */
public class RecordEncryption<K, E> implements FilterFactory<Config, SharedEncryptionContext<K, E>> {
    static final ScheduledExecutorService RETRY_POOL = Executors.newSingleThreadScheduledExecutor(runnable -> {
        Thread thread = new Thread(runnable, "kmsRetry");
        thread.setDaemon(true);
        return thread;
    });
    private static KmsMetrics kmsMetrics = MicrometerKmsMetrics.create(Metrics.globalRegistry);
    private static final Logger LOGGER = LoggerFactory.getLogger(RecordEncryption.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/kroxylicious/filter/encryption/RecordEncryption$Config.class */
    public static final class Config extends Record {

        @JsonProperty(required = true)
        private final String kms;
        private final Object kmsConfig;

        @JsonProperty(required = true)
        private final String selector;
        private final Object selectorConfig;

        @JsonProperty
        private final Map<String, Object> experimental;

        Config(@JsonProperty(required = true) @PluginImplName(KmsService.class) String str, @PluginImplConfig(implNameProperty = "kms") Object obj, @JsonProperty(required = true) @PluginImplName(KekSelectorService.class) String str2, @PluginImplConfig(implNameProperty = "selector") Object obj2, @JsonProperty Map<String, Object> map) {
            Map<String, Object> of = map == null ? Map.of() : map;
            this.kms = str;
            this.kmsConfig = obj;
            this.selector = str2;
            this.selectorConfig = obj2;
            this.experimental = of;
        }

        KmsCacheConfig kmsCache() {
            return new KmsCacheConfig(getExperimentalInt("decryptedDekCacheSize"), getExperimentalLong("decryptedDekExpireAfterAccessSeconds"), getExperimentalInt("resolvedAliasCacheSize"), getExperimentalLong("resolvedAliasExpireAfterWriteSeconds"), getExperimentalLong("resolvedAliasRefreshAfterWriteSeconds"), getExperimentalLong("notFoundAliasExpireAfterWriteSeconds"));
        }

        @Nullable
        private Integer getExperimentalInt(String str) {
            if (!this.experimental.containsKey(str)) {
                return null;
            }
            Object obj = this.experimental.get(str);
            if (obj instanceof Number) {
                return Integer.valueOf(((Number) obj).intValue());
            }
            return null;
        }

        @Nullable
        private Long getExperimentalLong(String str) {
            if (!this.experimental.containsKey(str)) {
                return null;
            }
            Object obj = this.experimental.get(str);
            if (obj instanceof Number) {
                return Long.valueOf(((Number) obj).longValue());
            }
            return null;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, Config.class), Config.class, "kms;kmsConfig;selector;selectorConfig;experimental", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->kms:Ljava/lang/String;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->kmsConfig:Ljava/lang/Object;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->selector:Ljava/lang/String;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->selectorConfig:Ljava/lang/Object;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->experimental:Ljava/util/Map;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, Config.class), Config.class, "kms;kmsConfig;selector;selectorConfig;experimental", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->kms:Ljava/lang/String;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->kmsConfig:Ljava/lang/Object;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->selector:Ljava/lang/String;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->selectorConfig:Ljava/lang/Object;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->experimental:Ljava/util/Map;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, Config.class, Object.class), Config.class, "kms;kmsConfig;selector;selectorConfig;experimental", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->kms:Ljava/lang/String;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->kmsConfig:Ljava/lang/Object;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->selector:Ljava/lang/String;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->selectorConfig:Ljava/lang/Object;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$Config;->experimental:Ljava/util/Map;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        @JsonProperty(required = true)
        public String kms() {
            return this.kms;
        }

        public Object kmsConfig() {
            return this.kmsConfig;
        }

        @JsonProperty(required = true)
        public String selector() {
            return this.selector;
        }

        public Object selectorConfig() {
            return this.selectorConfig;
        }

        @JsonProperty
        public Map<String, Object> experimental() {
            return this.experimental;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig.class */
    public static final class KmsCacheConfig extends Record {
        private final Integer decryptedDekCacheSize;
        private final Duration decryptedDekExpireAfterAccessDuration;
        private final Integer resolvedAliasCacheSize;
        private final Duration resolvedAliasExpireAfterWriteDuration;
        private final Duration resolvedAliasRefreshAfterWriteDuration;
        private final Duration notFoundAliasExpireAfterWriteDuration;
        private static final KmsCacheConfig DEFAULT_CONFIG = new KmsCacheConfig((Integer) null, (Long) null, (Integer) null, (Long) null, (Long) null, (Long) null);

        KmsCacheConfig(Integer num, Duration duration, Integer num2, Duration duration2, Duration duration3, Duration duration4) {
            Integer num3 = (Integer) Objects.requireNonNullElse(num, 1000);
            Duration duration5 = (Duration) Objects.requireNonNullElse(duration, Duration.ofHours(1L));
            Integer num4 = (Integer) Objects.requireNonNullElse(num2, 1000);
            Duration duration6 = (Duration) Objects.requireNonNullElse(duration2, Duration.ofMinutes(10L));
            Duration duration7 = (Duration) Objects.requireNonNullElse(duration3, Duration.ofMinutes(8L));
            Duration duration8 = (Duration) Objects.requireNonNullElse(duration4, Duration.ofSeconds(30L));
            this.decryptedDekCacheSize = num3;
            this.decryptedDekExpireAfterAccessDuration = duration5;
            this.resolvedAliasCacheSize = num4;
            this.resolvedAliasExpireAfterWriteDuration = duration6;
            this.resolvedAliasRefreshAfterWriteDuration = duration7;
            this.notFoundAliasExpireAfterWriteDuration = duration8;
        }

        KmsCacheConfig(Integer num, Long l, Integer num2, Long l2, Long l3, Long l4) {
            this((Integer) mapNotNull(num, Function.identity()), (Duration) mapNotNull(l, (v0) -> {
                return Duration.ofSeconds(v0);
            }), (Integer) mapNotNull(num2, Function.identity()), (Duration) mapNotNull(l2, (v0) -> {
                return Duration.ofSeconds(v0);
            }), (Duration) mapNotNull(l3, (v0) -> {
                return Duration.ofSeconds(v0);
            }), (Duration) mapNotNull(l4, (v0) -> {
                return Duration.ofSeconds(v0);
            }));
        }

        static <T, Y> Y mapNotNull(T t, Function<T, Y> function) {
            if (t == null) {
                return null;
            }
            return function.apply(t);
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, KmsCacheConfig.class), KmsCacheConfig.class, "decryptedDekCacheSize;decryptedDekExpireAfterAccessDuration;resolvedAliasCacheSize;resolvedAliasExpireAfterWriteDuration;resolvedAliasRefreshAfterWriteDuration;notFoundAliasExpireAfterWriteDuration", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->decryptedDekCacheSize:Ljava/lang/Integer;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->decryptedDekExpireAfterAccessDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasCacheSize:Ljava/lang/Integer;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasExpireAfterWriteDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasRefreshAfterWriteDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->notFoundAliasExpireAfterWriteDuration:Ljava/time/Duration;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, KmsCacheConfig.class), KmsCacheConfig.class, "decryptedDekCacheSize;decryptedDekExpireAfterAccessDuration;resolvedAliasCacheSize;resolvedAliasExpireAfterWriteDuration;resolvedAliasRefreshAfterWriteDuration;notFoundAliasExpireAfterWriteDuration", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->decryptedDekCacheSize:Ljava/lang/Integer;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->decryptedDekExpireAfterAccessDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasCacheSize:Ljava/lang/Integer;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasExpireAfterWriteDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasRefreshAfterWriteDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->notFoundAliasExpireAfterWriteDuration:Ljava/time/Duration;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, KmsCacheConfig.class, Object.class), KmsCacheConfig.class, "decryptedDekCacheSize;decryptedDekExpireAfterAccessDuration;resolvedAliasCacheSize;resolvedAliasExpireAfterWriteDuration;resolvedAliasRefreshAfterWriteDuration;notFoundAliasExpireAfterWriteDuration", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->decryptedDekCacheSize:Ljava/lang/Integer;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->decryptedDekExpireAfterAccessDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasCacheSize:Ljava/lang/Integer;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasExpireAfterWriteDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->resolvedAliasRefreshAfterWriteDuration:Ljava/time/Duration;", "FIELD:Lio/kroxylicious/filter/encryption/RecordEncryption$KmsCacheConfig;->notFoundAliasExpireAfterWriteDuration:Ljava/time/Duration;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public Integer decryptedDekCacheSize() {
            return this.decryptedDekCacheSize;
        }

        public Duration decryptedDekExpireAfterAccessDuration() {
            return this.decryptedDekExpireAfterAccessDuration;
        }

        public Integer resolvedAliasCacheSize() {
            return this.resolvedAliasCacheSize;
        }

        public Duration resolvedAliasExpireAfterWriteDuration() {
            return this.resolvedAliasExpireAfterWriteDuration;
        }

        public Duration resolvedAliasRefreshAfterWriteDuration() {
            return this.resolvedAliasRefreshAfterWriteDuration;
        }

        public Duration notFoundAliasExpireAfterWriteDuration() {
            return this.notFoundAliasExpireAfterWriteDuration;
        }
    }

    private static void checkCipherSuite() {
        checkCipherSuite((v0) -> {
            return v0.newCipher();
        });
    }

    static void checkCipherSuite(Function<CipherSpec, Cipher> function) {
        List list = Arrays.stream(CipherSpec.values()).flatMap(cipherSpec -> {
            try {
                function.apply(cipherSpec);
                return Stream.empty();
            } catch (Exception e) {
                LOGGER.error("A Cipher could not be constructed for CipherSpec {}", cipherSpec, e);
                return Stream.of(cipherSpec);
            }
        }).toList();
        if (!list.isEmpty()) {
            throw new EncryptionConfigurationException("Cipher Suite check failed, one or more ciphers could not be loaded: " + ((String) list.stream().map((v0) -> {
                return v0.name();
            }).collect(Collectors.joining(","))));
        }
    }

    public SharedEncryptionContext<K, E> initialize(FilterFactoryContext filterFactoryContext, Config config) throws PluginConfigurationException {
        checkCipherSuite();
        Kms buildKms = buildKms(filterFactoryContext, config);
        DekManager dekManager = new DekManager(obj -> {
            return buildKms;
        }, null, 5000000L);
        return new SharedEncryptionContext<>(buildKms, config, dekManager, new EncryptionDekCache(dekManager, null, -1), new DecryptionDekCache(dekManager, null, -1));
    }

    @NonNull
    public RecordEncryptionFilter<K> createFilter(FilterFactoryContext filterFactoryContext, SharedEncryptionContext<K, E> sharedEncryptionContext) {
        FilterThreadExecutor filterThreadExecutor = new FilterThreadExecutor(filterFactoryContext.eventLoop());
        return new RecordEncryptionFilter<>(new InBandEncryptionManager(sharedEncryptionContext.dekManager().edekSerde(), 1048576, 8388608, sharedEncryptionContext.encryptionDekCache(), filterThreadExecutor), new InBandDecryptionManager(sharedEncryptionContext.dekManager(), sharedEncryptionContext.decryptionDekCache(), filterThreadExecutor), ((KekSelectorService) filterFactoryContext.pluginInstance(KekSelectorService.class, sharedEncryptionContext.configuration().selector())).buildSelector(sharedEncryptionContext.kms(), sharedEncryptionContext.configuration().selectorConfig()), filterThreadExecutor);
    }

    @NonNull
    private static <K, E> Kms<K, E> buildKms(FilterFactoryContext filterFactoryContext, Config config) {
        return wrapWithCachingKms(config, ResilientKms.wrap(InstrumentedKms.wrap(((KmsService) filterFactoryContext.pluginInstance(KmsService.class, config.kms())).buildKms(config.kmsConfig()), kmsMetrics), RETRY_POOL, new ExponentialJitterBackoffStrategy(Duration.ofMillis(500L), Duration.ofSeconds(5L), 2.0d, ThreadLocalRandom.current()), 3));
    }

    @NonNull
    private static <K, E> Kms<K, E> wrapWithCachingKms(Config config, Kms<K, E> kms) {
        KmsCacheConfig kmsCache = config.kmsCache();
        LOGGER.debug("KMS cache configuration: {}", kmsCache);
        return CachingKms.wrap(kms, kmsCache.decryptedDekCacheSize.intValue(), kmsCache.decryptedDekExpireAfterAccessDuration, kmsCache.resolvedAliasCacheSize.intValue(), kmsCache.resolvedAliasExpireAfterWriteDuration, kmsCache.resolvedAliasRefreshAfterWriteDuration, kmsCache.notFoundAliasExpireAfterWriteDuration);
    }
}
