package kafka.tier.store.encryption;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import kafka.tier.exceptions.TierObjectStoreFatalException;
import kafka.tier.exceptions.TierObjectStoreRetriableException;
import kafka.tier.store.encryption.EncryptionKeyManager;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.util.MockTime;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;

/* loaded from: input_file:kafka/tier/store/encryption/EncryptionKeyManagerTest.class */
class EncryptionKeyManagerTest {
    MockTime time = new MockTime();
    Metrics metrics = new Metrics(this.time);

    /* loaded from: input_file:kafka/tier/store/encryption/EncryptionKeyManagerTest$DelayingAeads.class */
    private final class DelayingAeads implements Aead {
        private final Aead masterKeyAead;

        DelayingAeads(Aead aead) {
            this.masterKeyAead = aead;
        }

        public byte[] encrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
            EncryptionKeyManagerTest.this.time.sleep(100L);
            return this.masterKeyAead.encrypt(bArr, bArr2);
        }

        public byte[] decrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
            EncryptionKeyManagerTest.this.time.sleep(100L);
            return this.masterKeyAead.decrypt(bArr, bArr2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:kafka/tier/store/encryption/EncryptionKeyManagerTest$MockKeypathHook.class */
    public static class MockKeypathHook implements EncryptionKeyManager.WellKnownKeypathHook {
        Map<String, String> current = new HashMap();

        MockKeypathHook() {
        }

        public void writeWellKnownPathMetadata(Map<String, String> map) {
            this.current = map;
        }

        public Map<String, String> fetchWellKnownPathMetadata() {
            return this.current;
        }
    }

    /* loaded from: input_file:kafka/tier/store/encryption/EncryptionKeyManagerTest$MutableBoolean.class */
    private static final class MutableBoolean {
        private boolean value;

        MutableBoolean(boolean z) {
            this.value = z;
        }

        void setValue(boolean z) {
            this.value = z;
        }

        boolean getValue() {
            return this.value;
        }
    }

    /* loaded from: input_file:kafka/tier/store/encryption/EncryptionKeyManagerTest$ThrowingAead.class */
    private static class ThrowingAead implements Aead {
        private final MutableBoolean shouldThrow;
        private final Aead masterKeyAead;

        ThrowingAead(MutableBoolean mutableBoolean, Aead aead) {
            this.shouldThrow = mutableBoolean;
            this.masterKeyAead = aead;
        }

        public byte[] encrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
            if (this.shouldThrow.getValue()) {
                throw new GeneralSecurityException("throw!");
            }
            return this.masterKeyAead.encrypt(bArr, bArr2);
        }

        public byte[] decrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
            if (this.shouldThrow.getValue()) {
                throw new GeneralSecurityException("throw!");
            }
            return this.masterKeyAead.decrypt(bArr, bArr2);
        }
    }

    EncryptionKeyManagerTest() {
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    public void testKeyGenerationOnFirstAccess(boolean z) throws GeneralSecurityException {
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class);
        MockKeypathHook mockKeypathHook = new MockKeypathHook();
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, aead, Duration.ofMinutes(30L));
            if (z) {
                encryptionKeyManager.bindHook(mockKeypathHook);
            }
            KeySha activeKeySha = encryptionKeyManager.activeKeySha();
            Assertions.assertNotNull(activeKeySha);
            Assertions.assertFalse(encryptionKeyManager.keyContext(activeKeySha).cleartextDataKey.base64Encoded().isEmpty());
            if (z) {
                Assertions.assertEquals(encryptionKeyManager.registerKeyFromObjectMetadata(mockKeypathHook.current), activeKeySha);
            }
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testRestoreFromWellKnownKeypath() throws GeneralSecurityException {
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class);
        MockKeypathHook writeOutKey = writeOutKey(this.time, aead);
        KeySha fromBase64Encoded = KeySha.fromBase64Encoded(writeOutKey.current.get("io.confluent/key-sha-256"));
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, aead, Duration.ofMinutes(30L));
            encryptionKeyManager.bindHook(writeOutKey);
            Assertions.assertEquals(fromBase64Encoded, encryptionKeyManager.activeKeySha());
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testRestoreExpiredKeyFromWellKnownKeypath() throws GeneralSecurityException {
        Duration ofMinutes = Duration.ofMinutes(30L);
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class);
        MockKeypathHook writeOutKey = writeOutKey(this.time, aead);
        this.time.sleep(ofMinutes.toMillis() + 1);
        KeySha fromBase64Encoded = KeySha.fromBase64Encoded(writeOutKey.current.get("io.confluent/key-sha-256"));
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, aead, ofMinutes);
            encryptionKeyManager.bindHook(writeOutKey);
            Assertions.assertNotEquals(fromBase64Encoded, encryptionKeyManager.activeKeySha());
            Assertions.assertNotNull(encryptionKeyManager.keyContext(fromBase64Encoded));
            Assertions.assertEquals(KeySha.fromBase64Encoded(writeOutKey.current.get("io.confluent/key-sha-256")), encryptionKeyManager.activeKeySha());
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testKeyRotation() throws GeneralSecurityException {
        Duration ofMinutes = Duration.ofMinutes(30L);
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class);
        MockKeypathHook mockKeypathHook = new MockKeypathHook();
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, aead, ofMinutes);
            encryptionKeyManager.bindHook(mockKeypathHook);
            KeySha activeKeySha = encryptionKeyManager.activeKeySha();
            this.time.sleep(ofMinutes.toMillis() + 1);
            KeySha activeKeySha2 = encryptionKeyManager.activeKeySha();
            Assertions.assertNotEquals(activeKeySha, activeKeySha2);
            Assertions.assertNotEquals(encryptionKeyManager.keyContext(activeKeySha).cleartextDataKey, encryptionKeyManager.keyContext(activeKeySha2).cleartextDataKey);
            Assertions.assertNotNull(encryptionKeyManager.keyContext(activeKeySha));
            Assertions.assertNotNull(encryptionKeyManager.keyContext(activeKeySha2));
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testEncryptKeyThrowingIsRetriableException() throws GeneralSecurityException {
        Duration ofMinutes = Duration.ofMinutes(30L);
        MockKeypathHook mockKeypathHook = new MockKeypathHook();
        KeysetHandle generateNew = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW"));
        MutableBoolean mutableBoolean = new MutableBoolean(false);
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, new ThrowingAead(mutableBoolean, (Aead) generateNew.getPrimitive(Aead.class)), ofMinutes);
            encryptionKeyManager.bindHook(mockKeypathHook);
            mutableBoolean.setValue(true);
            encryptionKeyManager.getClass();
            Assertions.assertThrows(TierObjectStoreRetriableException.class, encryptionKeyManager::activeKeySha);
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testDecryptKeyFromWellKnownPathThrowingIsRetriableException() throws GeneralSecurityException {
        Duration ofMinutes = Duration.ofMinutes(30L);
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class);
        MockKeypathHook writeOutKey = writeOutKey(this.time, aead);
        MutableBoolean mutableBoolean = new MutableBoolean(false);
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, new ThrowingAead(mutableBoolean, aead), ofMinutes);
            encryptionKeyManager.bindHook(writeOutKey);
            mutableBoolean.setValue(true);
            encryptionKeyManager.getClass();
            Assertions.assertThrows(TierObjectStoreRetriableException.class, encryptionKeyManager::activeKeySha);
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testDecryptKeyFromObjectMetadataThrowingIsRetriableException() throws GeneralSecurityException {
        Duration ofMinutes = Duration.ofMinutes(30L);
        Aead aead = (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class);
        MockKeypathHook writeOutKey = writeOutKey(this.time, aead);
        MutableBoolean mutableBoolean = new MutableBoolean(false);
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, new ThrowingAead(mutableBoolean, aead), ofMinutes);
            encryptionKeyManager.bindHook(writeOutKey);
            mutableBoolean.setValue(true);
            Assertions.assertThrows(TierObjectStoreRetriableException.class, () -> {
                encryptionKeyManager.registerKeyFromObjectMetadata(writeOutKey.current);
            });
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    @Test
    public void testMetrics() throws GeneralSecurityException {
        Duration ofSeconds = Duration.ofSeconds(1L);
        MockKeypathHook mockKeypathHook = new MockKeypathHook();
        DelayingAeads delayingAeads = new DelayingAeads((Aead) KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM_RAW")).getPrimitive(Aead.class));
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(this.time, this.metrics, delayingAeads, ofSeconds);
            encryptionKeyManager.bindHook(mockKeypathHook);
            Assertions.assertEquals(0.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.encryptCountMetricName).metricValue());
            Assertions.assertEquals(0.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.decryptCountMetricName).metricValue());
            Assertions.assertEquals(0L, (Long) this.metrics.metric(encryptionKeyManager.metrics.activeKeyAgeMetricName).metricValue());
            Assertions.assertEquals(1000L, (Long) this.metrics.metric(encryptionKeyManager.metrics.maxKeyAgeMetricName).metricValue());
            encryptionKeyManager.activeKeySha();
            this.time.sleep(500L);
            Assertions.assertEquals(500L, (Long) this.metrics.metric(encryptionKeyManager.metrics.activeKeyAgeMetricName).metricValue());
            Assertions.assertEquals(1.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.encryptCountMetricName).metricValue());
            Assertions.assertEquals(0.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.decryptCountMetricName).metricValue());
            this.time.sleep(5000L);
            writeOutKey(this.time, mockKeypathHook, delayingAeads);
            encryptionKeyManager.activeKeySha();
            Assertions.assertEquals(1.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.encryptCountMetricName).metricValue());
            Assertions.assertEquals(1.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.decryptCountMetricName).metricValue());
            Assertions.assertEquals(100L, (Long) this.metrics.metric(encryptionKeyManager.metrics.activeKeyAgeMetricName).metricValue());
            Assertions.assertEquals(200.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.encrypt50PMetricName).metricValue());
            Assertions.assertEquals(100.0d, (Double) this.metrics.metric(encryptionKeyManager.metrics.decrypt50PMetricName).metricValue());
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    private void writeOutKey(Time time, MockKeypathHook mockKeypathHook, Aead aead) {
        EncryptionKeyManager encryptionKeyManager = null;
        try {
            encryptionKeyManager = new EncryptionKeyManager(time, (Metrics) null, aead, Duration.ofDays(0L));
            encryptionKeyManager.bindHook(mockKeypathHook);
            Assertions.assertNotNull(encryptionKeyManager.activeKeySha());
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
        } catch (Throwable th) {
            if (encryptionKeyManager != null) {
                encryptionKeyManager.close();
            }
            throw th;
        }
    }

    private MockKeypathHook writeOutKey(Time time, Aead aead) {
        MockKeypathHook mockKeypathHook = new MockKeypathHook();
        writeOutKey(time, mockKeypathHook, aead);
        return mockKeypathHook;
    }

    static {
        try {
            AeadConfig.register();
        } catch (GeneralSecurityException e) {
            throw new TierObjectStoreFatalException("failed to initialize Tink", e);
        }
    }
}
