package com.alibaba.csp.ahas.shaded.com.alibaba.edas.acm.filter;

import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.DefaultAcsClient;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.auth.BasicSessionCredentials;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.auth.InstanceProfileCredentialsProvider;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.auth.StaticCredentialsProvider;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.exceptions.ClientException;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.http.FormatType;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.http.MethodType;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.http.ProtocolType;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.kms.model.v20160120.DecryptRequest;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.kms.model.v20160120.DecryptResponse;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.kms.model.v20160120.EncryptRequest;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.kms.model.v20160120.EncryptResponse;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.kms.model.v20160120.GenerateDataKeyRequest;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.kms.model.v20160120.GenerateDataKeyResponse;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.com.aliyuncs.profile.DefaultProfile;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.org.json.JSONObject;
import com.alibaba.csp.ahas.shaded.com.alibaba.acm.shaded.org.json.JSONTokener;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.common.Constants;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.exception.DiamondException;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.manager.IConfigFilterChain;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.manager.IConfigRequest;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.manager.IConfigResponse;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.manager.IFilterConfig;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.manager.impl.ConfigRequest;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.manager.impl.ConfigResponse;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.utils.AESUtils;
import com.alibaba.csp.ahas.shaded.com.taobao.diamond.utils.StringUtils;
import com.alibaba.nacos.api.PropertyKeyConst;

/* loaded from: input_file:BOOT-INF/lib/ahas-sentinel-client-1.6.6.jar:com/alibaba/csp/ahas/shaded/com/alibaba/edas/acm/filter/KMSConfigFilter.class */
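/**
 * Config filter that encrypts outgoing and decrypts incoming configuration content through KMS
 * for every config whose dataId starts with {@code Constants.CIPHER_PREFIX}.
 *
 * <p>Two schemes are visible in this class:
 * <ul>
 *   <li>direct KMS Encrypt/Decrypt of the content (default for cipher-prefixed dataIds);</li>
 *   <li>envelope encryption for dataIds starting with {@code Constants.CIPHER_KMS_AES_128_PREFIX}:
 *       KMS issues a data key, the content is encrypted locally with {@code AESUtils}, and the
 *       KMS-encrypted data key travels with the config.</li>
 * </ul>
 *
 * <p>All KMS requests are pinned to HTTPS. Error messages built here carry only dataId and group,
 * never the config content or key material.
 */
public class KMSConfigFilter implements IACMConfigFilter {
    // Built in init(); null before init() and after deploy().
    private DefaultAcsClient kmsClient;
    // Master key id passed to KMS Encrypt / GenerateDataKey.
    private String keyId;
    private int order = 100;

    /**
     * Encrypts the request content before the rest of the chain runs and decrypts the response
     * content afterwards, in both cases only for cipher-prefixed dataIds with non-null content.
     *
     * @throws DiamondException with code 500 when a KMS call fails; a DiamondException raised by
     *         the chain is rethrown unchanged; any other failure is wrapped in a DiamondException
     */
    @Override
    public void doFilter(IConfigRequest iConfigRequest, IConfigResponse iConfigResponse, IConfigFilterChain iConfigFilterChain) throws DiamondException {
        // Kept outside the try so the KMS error message can name the config being processed.
        String dataId = null;
        String group = null;
        try {
            ConfigRequest configRequest = (ConfigRequest) iConfigRequest;
            ConfigResponse configResponse = (ConfigResponse) iConfigResponse;
            if (configRequest != null && configRequest.getDataId().startsWith(Constants.CIPHER_PREFIX)) {
                // Record the identifiers on the publish path too; otherwise an encryption failure
                // is reported as "dataId: null, groupId: null" and cannot be attributed.
                dataId = configRequest.getDataId();
                group = configRequest.getGroup();
                if (configRequest.getContent() != null) {
                    configRequest.setContent(encrypt(this.keyId, configRequest));
                }
            }
            iConfigFilterChain.doFilter(configRequest, configResponse);
            if (configResponse != null && configResponse.getDataId().startsWith(Constants.CIPHER_PREFIX)) {
                dataId = configResponse.getDataId();
                group = configResponse.getGroup();
                if (configResponse.getContent() != null) {
                    configResponse.setContent(decrypt(configResponse));
                }
            }
        } catch (ClientException e) {
            throw new DiamondException(500, String.format("KMS error, dataId: %s, groupId: %s", dataId, group), e);
        } catch (Exception e) {
            // Do not bury a DiamondException from a later filter inside a second one.
            if (e instanceof DiamondException) {
                throw (DiamondException) e;
            }
            throw new DiamondException(e);
        }
    }

    /**
     * Builds a client from a static access key pair.
     *
     * <p>NOTE(review): this path uses long-lived keys read from the filter configuration; the
     * RAM-role and session-credential paths in {@link #init} take precedence when configured.
     */
    private DefaultAcsClient kmsClient(String regionId, String accessKey, String secretKey) {
        return new DefaultAcsClient(DefaultProfile.getProfile(regionId, accessKey, secretKey));
    }

    /** Builds a client whose credentials come from the instance profile of the given RAM role. */
    private DefaultAcsClient kmsClient(String regionId, String ramRoleName) {
        return new DefaultAcsClient(DefaultProfile.getProfile(regionId), new InstanceProfileCredentialsProvider(ramRoleName));
    }

    /**
     * Returns the KMS client, failing with a clear message instead of a bare
     * NullPointerException when the filter is used before init() or after deploy().
     */
    private DefaultAcsClient requireClient() {
        DefaultAcsClient client = this.kmsClient;
        if (client == null) {
            throw new IllegalStateException("KMS client is not initialized");
        }
        return client;
    }

    /**
     * Decrypts the content of a response.
     *
     * <p>For AES-128 envelope dataIds with a non-blank encrypted data key, the data key is
     * decrypted by KMS and the content is decrypted locally. In every other case, including an
     * envelope dataId that arrives without a data key, the content itself is sent to KMS Decrypt.
     */
    private String decrypt(ConfigResponse configResponse) throws Exception {
        if (configResponse.getDataId().startsWith(Constants.CIPHER_KMS_AES_128_PREFIX)) {
            String encryptedDataKey = configResponse.getEncryptedDataKey();
            if (!StringUtils.isBlank(encryptedDataKey)) {
                // NOTE(review): the plaintext data key is a String and cannot be wiped after use.
                return AESUtils.decrypt(configResponse.getContent(), decrypt(encryptedDataKey), "UTF-8");
            }
        }
        return decrypt(configResponse.getContent());
    }

    /** Sends the ciphertext blob to KMS Decrypt over HTTPS and returns the plaintext. */
    private String decrypt(String ciphertextBlob) throws ClientException {
        DecryptRequest decryptRequest = new DecryptRequest();
        decryptRequest.setProtocol(ProtocolType.HTTPS);
        decryptRequest.setAcceptFormat(FormatType.JSON);
        decryptRequest.setMethod(MethodType.POST);
        decryptRequest.setCiphertextBlob(ciphertextBlob);
        return ((DecryptResponse) requireClient().getAcsResponse(decryptRequest)).getPlaintext();
    }

    /**
     * Encrypts the content of a request.
     *
     * <p>For AES-128 envelope dataIds a fresh data key is requested from KMS, its encrypted form
     * is stored on the request, and the content is encrypted locally; otherwise the content is
     * sent to KMS Encrypt.
     */
    private String encrypt(String masterKeyId, ConfigRequest configRequest) throws Exception {
        if (!configRequest.getDataId().startsWith(Constants.CIPHER_KMS_AES_128_PREFIX)) {
            return encrypt(masterKeyId, configRequest.getContent());
        }
        GenerateDataKeyResponse dataKey = generateDataKey(masterKeyId, Constants.KMS_KEY_SPEC_AES_128);
        configRequest.setEncryptedDataKey(dataKey.getCiphertextBlob());
        // NOTE(review): AESUtils is not visible here; confirm its cipher mode gives integrity
        // protection, since the envelope path relies on it entirely for the content.
        return AESUtils.encrypt(configRequest.getContent(), dataKey.getPlaintext(), "UTF-8");
    }

    /** Requests a new data key of the given spec under the given master key, over HTTPS. */
    private GenerateDataKeyResponse generateDataKey(String masterKeyId, String keySpec) throws ClientException {
        GenerateDataKeyRequest generateDataKeyRequest = new GenerateDataKeyRequest();
        generateDataKeyRequest.setProtocol(ProtocolType.HTTPS);
        generateDataKeyRequest.setAcceptFormat(FormatType.JSON);
        generateDataKeyRequest.setMethod(MethodType.POST);
        generateDataKeyRequest.setKeyId(masterKeyId);
        generateDataKeyRequest.setKeySpec(keySpec);
        return (GenerateDataKeyResponse) requireClient().getAcsResponse(generateDataKeyRequest);
    }

    /** Sends the plaintext to KMS Encrypt over HTTPS and returns the ciphertext blob. */
    private String encrypt(String masterKeyId, String plaintext) throws ClientException {
        EncryptRequest encryptRequest = new EncryptRequest();
        encryptRequest.setProtocol(ProtocolType.HTTPS);
        encryptRequest.setAcceptFormat(FormatType.JSON);
        encryptRequest.setMethod(MethodType.POST);
        encryptRequest.setKeyId(masterKeyId);
        encryptRequest.setPlaintext(plaintext);
        return ((EncryptResponse) requireClient().getAcsResponse(encryptRequest)).getCiphertextBlob();
    }

    /**
     * Reads the filter parameters and builds the KMS client.
     *
     * <p>Credential precedence: "securityCredentials" (session credentials as JSON), then the
     * RAM role named by {@code PropertyKeyConst.RAM_ROLE_NAME}, then the static
     * "accessKey"/"secretKey" pair. The optional "order" parameter may be a number or a numeric
     * string.
     *
     * @throws IllegalArgumentException if "order" is present but is not a number or numeric string
     */
    @Override
    public void init(IFilterConfig iFilterConfig) {
        this.keyId = (String) iFilterConfig.getInitParameter("keyId");
        String regionId = (String) iFilterConfig.getInitParameter("regionId");
        String ramRoleName = (String) iFilterConfig.getInitParameter(PropertyKeyConst.RAM_ROLE_NAME);
        String securityCredentials = (String) iFilterConfig.getInitParameter("securityCredentials");
        if (!StringUtils.isBlank(securityCredentials)) {
            initKMSClientBySecurityCredentials(regionId, securityCredentials);
        } else if (StringUtils.isBlank(ramRoleName)) {
            this.kmsClient = kmsClient(regionId, (String) iFilterConfig.getInitParameter("accessKey"), (String) iFilterConfig.getInitParameter("secretKey"));
        } else {
            this.kmsClient = kmsClient(regionId, ramRoleName);
        }
        Object orderParam = iFilterConfig.getInitParameter("order");
        if (orderParam instanceof Number) {
            this.order = ((Number) orderParam).intValue();
        } else if (orderParam instanceof String) {
            // Properties-based configuration delivers the value as text; a blank value keeps the default.
            String text = ((String) orderParam).trim();
            if (!text.isEmpty()) {
                this.order = Integer.parseInt(text);
            }
        } else if (orderParam != null) {
            throw new IllegalArgumentException("order must be a number, got " + orderParam.getClass().getName());
        }
    }

    /**
     * Builds the client from a JSON document holding "AccessKeyId", "AccessKeySecret" and
     * "SecurityToken".
     *
     * <p>The credentials are wrapped in a static provider, so nothing in this class refreshes
     * them once the session token expires.
     */
    private void initKMSClientBySecurityCredentials(String regionId, String securityCredentialsJson) {
        JSONObject credentials = new JSONObject(new JSONTokener(securityCredentialsJson));
        BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                credentials.getString("AccessKeyId"),
                credentials.getString("AccessKeySecret"),
                credentials.getString("SecurityToken"));
        this.kmsClient = new DefaultAcsClient(DefaultProfile.getProfile(regionId), new StaticCredentialsProvider(sessionCredentials));
    }

    /**
     * Drops the reference to the KMS client; later filter calls on cipher-prefixed configs fail
     * until {@link #init} runs again.
     *
     * <p>NOTE(review): the client is only dereferenced here, not closed; confirm whether this SDK
     * version needs an explicit shutdown to release connections.
     */
    @Override
    public void deploy() {
        this.kmsClient = null;
    }

    /** Returns the position of this filter in the chain (100 unless configured in init). */
    @Override
    public int getOrder() {
        return this.order;
    }

    /** Returns the fully qualified class name as the filter name. */
    @Override
    public String getFilterName() {
        return getClass().getName();
    }
}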
