package org.opensearch.repositories.s3;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.http.IdleConnectionReaper;
import com.amazonaws.http.SystemPropertyTlsKeyManagersProvider;
import com.amazonaws.http.conn.ssl.SdkTLSSocketFactory;
import com.amazonaws.internal.SdkSSLContext;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import java.io.Closeable;
import java.io.IOException;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.Socket;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.protocol.HttpContext;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.cluster.metadata.RepositoryMetadata;
import org.opensearch.common.Strings;
import org.opensearch.common.collect.MapBuilder;
import org.opensearch.common.settings.Settings;
import org.opensearch.repositories.s3.ProxySettings;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/opensearch/repositories/s3/S3Service.class */
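/**
 * Builds, caches and releases {@link AmazonS3} clients for S3 snapshot repositories.
 *
 * <p>Clients are cached per resolved {@link S3ClientSettings}. All three maps are immutable
 * snapshots held in {@code volatile} fields: readers look them up without locking, and writers
 * publish a fresh immutable map while holding this instance's monitor.
 *
 * <p>This listing is decompiler output; the decompiler notes state that the class and some of its
 * members were package-private before their access modifiers were widened.
 */
public class S3Service implements Closeable {
    private static final Logger logger = LogManager.getLogger(S3Service.class);

    // Live clients keyed by the fully resolved settings they were built from.
    private volatile Map<S3ClientSettings, AmazonS3Reference> clientsCache = Collections.emptyMap();

    // Named client configurations; starts with a "default" entry built from empty settings.
    private volatile Map<String, S3ClientSettings> staticClientSettings = MapBuilder.<String, S3ClientSettings>newMapBuilder()
        .put("default", S3ClientSettings.getClientSettings(Settings.EMPTY, "default"))
        .immutableMap();

    // Per-repository settings produced by refining a named configuration with repository settings.
    private volatile Map<Settings, S3ClientSettings> derivedClientSettings = Collections.emptyMap();

    /**
     * Credentials provider used when no static key/secret is configured. It delegates to
     * {@link EC2ContainerCredentialsProviderWrapper} and routes every call through
     * {@code SocketAccess} so the lookup runs inside a privileged block.
     */
    public static class PrivilegedInstanceProfileCredentialsProvider implements AWSCredentialsProvider {
        private final AWSCredentialsProvider credentials;

        private PrivilegedInstanceProfileCredentialsProvider() {
            this.credentials = new EC2ContainerCredentialsProviderWrapper();
        }

        /** Returns the delegate's current credentials, fetched inside a privileged block. */
        @Override
        public AWSCredentials getCredentials() {
            return (AWSCredentials) SocketAccess.doPrivileged(this.credentials::getCredentials);
        }

        /** Asks the delegate to refresh its credentials inside a privileged block. */
        @Override
        public void refresh() {
            SocketAccess.doPrivilegedVoid(this.credentials::refresh);
        }
    }

    /**
     * Replaces the named client configurations and drops every cached client and derived setting.
     *
     * @param map the new named client settings; expected to contain a {@code "default"} entry
     */
    public synchronized void refreshAndClearCache(Map<String, S3ClientSettings> map) {
        // Release first so no client built from the old settings (including old credentials)
        // stays reachable through the cache.
        releaseCachedClients();
        this.staticClientSettings = MapBuilder.newMapBuilder(map).immutableMap();
        this.derivedClientSettings = Collections.emptyMap();
        assert this.staticClientSettings.containsKey("default") : "always at least have 'default'";
    }

    /**
     * Returns a reference-counted client for the given repository, building one if needed.
     * The returned reference has been incremented on behalf of the caller.
     *
     * @param repositoryMetadata repository whose settings select and refine the client configuration
     * @return a client reference with one reference taken for the caller
     * @throws IllegalArgumentException if the repository names an unknown client configuration
     */
    public AmazonS3Reference client(RepositoryMetadata repositoryMetadata) {
        S3ClientSettings clientSettings = settings(repositoryMetadata);

        // Fast path without locking: tryIncRef() fails when the cached reference can no longer be used.
        AmazonS3Reference cached = this.clientsCache.get(clientSettings);
        if (cached != null && cached.tryIncRef()) {
            return cached;
        }
        synchronized (this) {
            // Re-check under the lock; another thread may have built the client in the meantime.
            AmazonS3Reference existing = this.clientsCache.get(clientSettings);
            if (existing != null && existing.tryIncRef()) {
                return existing;
            }
            AmazonS3Reference created = new AmazonS3Reference(buildClient(clientSettings));
            // Extra reference for the caller; presumably the cache keeps the initial one - TODO confirm.
            created.incRef();
            this.clientsCache = MapBuilder.newMapBuilder(this.clientsCache).put(clientSettings, created).immutableMap();
            return created;
        }
    }

    /**
     * Resolves the effective client settings for a repository: the named configuration selected by
     * {@code S3Repository.CLIENT_NAME}, refined with the repository's own settings. Results are
     * cached per repository {@link Settings}.
     *
     * @param repositoryMetadata repository whose settings are resolved
     * @return the refined client settings
     * @throws IllegalArgumentException if the selected client name has no configuration
     */
    public S3ClientSettings settings(RepositoryMetadata repositoryMetadata) {
        Settings settings = repositoryMetadata.settings();
        S3ClientSettings derived = this.derivedClientSettings.get(settings);
        if (derived != null) {
            return derived;
        }
        String clientName = (String) S3Repository.CLIENT_NAME.get(settings);
        S3ClientSettings base = this.staticClientSettings.get(clientName);
        if (base == null) {
            // The message lists configuration names only, never credential material.
            throw new IllegalArgumentException("Unknown s3 client name [" + clientName + "]. Existing client configs: " + Strings.collectionToDelimitedString(this.staticClientSettings.keySet(), ","));
        }
        synchronized (this) {
            // Re-check under the lock before publishing a new derived-settings snapshot.
            S3ClientSettings raced = this.derivedClientSettings.get(settings);
            if (raced != null) {
                return raced;
            }
            S3ClientSettings refined = base.refine(settings);
            this.derivedClientSettings = MapBuilder.newMapBuilder(this.derivedClientSettings).put(settings, refined).immutableMap();
            return refined;
        }
    }

    /**
     * Builds a new {@link AmazonS3} client from the given settings.
     *
     * @param s3ClientSettings resolved settings (credentials, endpoint, region, proxy, flags)
     * @return the built client; the final {@code build()} runs inside a privileged block
     */
    AmazonS3 buildClient(S3ClientSettings s3ClientSettings) {
        AmazonS3ClientBuilder builder = AmazonS3ClientBuilder.standard();
        builder.withCredentials(buildCredentials(logger, s3ClientSettings));
        builder.withClientConfiguration(buildConfiguration(s3ClientSettings));

        String endpoint = Strings.hasLength(s3ClientSettings.endpoint) ? s3ClientSettings.endpoint : "s3.amazonaws.com";
        // NOTE(review): an endpoint that already carries a scheme is used verbatim, so an explicit
        // "http://" endpoint is not rewritten from the protocol setting. Operators who require TLS
        // should validate the configured endpoint; whether the SDK then sends signed requests in
        // cleartext is not visible from this file - confirm.
        if (!(endpoint.startsWith("http://") || endpoint.startsWith("https://"))) {
            endpoint = s3ClientSettings.protocol.toString() + "://" + endpoint;
        }
        String region = Strings.hasLength(s3ClientSettings.region) ? s3ClientSettings.region : null;
        // Only endpoint and region are logged; no credential values reach the log here.
        logger.debug("using endpoint [{}] and region [{}]", endpoint, region);
        builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, region));
        if (s3ClientSettings.pathStyleAccess) {
            builder.enablePathStyleAccess();
        }
        if (s3ClientSettings.disableChunkedEncoding) {
            builder.disableChunkedEncoding();
        }
        return (AmazonS3) SocketAccess.doPrivileged(builder::build);
    }

    /**
     * Translates client settings into an SDK {@link ClientConfiguration}: protocol, proxy,
     * signer override, retry policy and socket read timeout.
     *
     * @param s3ClientSettings resolved settings to translate
     * @return a freshly populated client configuration
     */
    static ClientConfiguration buildConfiguration(S3ClientSettings s3ClientSettings) {
        ClientConfiguration clientConfiguration = new ClientConfiguration();
        clientConfiguration.setResponseMetadataCacheSize(0);
        clientConfiguration.setProtocol(s3ClientSettings.protocol);
        if (s3ClientSettings.proxySettings != ProxySettings.NO_PROXY_SETTINGS) {
            if (s3ClientSettings.proxySettings.getType() == ProxySettings.ProxyType.SOCKS) {
                SocketAccess.doPrivilegedVoid(() -> {
                    if (s3ClientSettings.proxySettings.isAuthenticated()) {
                        // NOTE(review): Authenticator.setDefault is JVM-wide. This authenticator
                        // returns the proxy username/password for every authentication request in
                        // the process without checking getRequestingHost()/getRequestingProtocol(),
                        // and a later client with different SOCKS credentials replaces it. Consider
                        // answering only when the requester matches the configured proxy address.
                        Authenticator.setDefault(new Authenticator() {
                            @Override
                            protected PasswordAuthentication getPasswordAuthentication() {
                                // The decompiler emitted "S3ClientSettings.this" here, which does not
                                // compile in this static method; the captured parameter is what is meant.
                                return new PasswordAuthentication(s3ClientSettings.proxySettings.getUsername(), s3ClientSettings.proxySettings.getPassword().toCharArray());
                            }
                        });
                    }
                    clientConfiguration.getApacheHttpClientConfig().setSslSocketFactory(createSocksSslConnectionSocketFactory(s3ClientSettings.proxySettings.getAddress()));
                });
            } else {
                if (s3ClientSettings.proxySettings.getType() != ProxySettings.ProxyType.DIRECT) {
                    clientConfiguration.setProxyProtocol(s3ClientSettings.proxySettings.getType().toProtocol());
                }
                clientConfiguration.setProxyHost(s3ClientSettings.proxySettings.getHostName());
                clientConfiguration.setProxyPort(s3ClientSettings.proxySettings.getPort());
                clientConfiguration.setProxyUsername(s3ClientSettings.proxySettings.getUsername());
                // The proxy password is handed to the SDK as a String and lives as long as this
                // configuration object does.
                clientConfiguration.setProxyPassword(s3ClientSettings.proxySettings.getPassword());
            }
        }
        if (Strings.hasLength(s3ClientSettings.signerOverride)) {
            clientConfiguration.setSignerOverride(s3ClientSettings.signerOverride);
        }
        clientConfiguration.setMaxErrorRetry(s3ClientSettings.maxRetries);
        clientConfiguration.setUseThrottleRetries(s3ClientSettings.throttleRetries);
        clientConfiguration.setSocketTimeout(s3ClientSettings.readTimeoutMillis);
        return clientConfiguration;
    }

    /**
     * Creates a TLS socket factory whose underlying sockets are opened through the given SOCKS proxy.
     * Hostname verification stays enabled via {@link DefaultHostnameVerifier}, and key managers
     * come from {@link SystemPropertyTlsKeyManagersProvider}.
     *
     * @param inetSocketAddress address of the SOCKS proxy
     * @return a socket factory that routes connections through the proxy
     */
    private static SSLConnectionSocketFactory createSocksSslConnectionSocketFactory(final InetSocketAddress inetSocketAddress) {
        return new SdkTLSSocketFactory(SdkSSLContext.getPreferredSSLContext(new SystemPropertyTlsKeyManagersProvider().getKeyManagers(), new SecureRandom()), new DefaultHostnameVerifier()) {
            @Override
            public Socket createSocket(HttpContext httpContext) throws IOException {
                // Plain socket bound to the SOCKS proxy; presumably the parent factory layers TLS on
                // top when it connects - confirm against the SDK.
                return new Socket(new Proxy(Proxy.Type.SOCKS, inetSocketAddress));
            }
        };
    }

    /**
     * Chooses the credentials provider for a client.
     *
     * @param logger2 logger used to record which credential source was chosen (never the values)
     * @param s3ClientSettings settings whose {@code credentials} field selects the provider
     * @return a static provider when key/secret credentials are configured, otherwise the
     *     privileged instance-profile/container provider
     */
    static AWSCredentialsProvider buildCredentials(Logger logger2, S3ClientSettings s3ClientSettings) {
        S3BasicCredentials basicCredentials = s3ClientSettings.credentials;
        if (basicCredentials == null) {
            // No static secret configured: the node's ambient credentials decide what the
            // repository can reach, so the attached role should be scoped accordingly.
            logger2.debug("Using instance profile credentials");
            return new PrivilegedInstanceProfileCredentialsProvider();
        }
        logger2.debug("Using basic key/secret credentials");
        return new AWSStaticCredentialsProvider(basicCredentials);
    }

    /**
     * Drops this service's reference on every cached client, clears both caches and shuts down the
     * SDK's idle-connection reaper.
     */
    private synchronized void releaseCachedClients() {
        for (AmazonS3Reference reference : this.clientsCache.values()) {
            reference.decRef();
        }
        this.clientsCache = Collections.emptyMap();
        this.derivedClientSettings = Collections.emptyMap();
        // Static SDK call: affects the shared reaper, not just this service's clients.
        IdleConnectionReaper.shutdown();
    }

    /** Releases all cached clients; see {@code releaseCachedClients()}. */
    @Override
    public void close() {
        releaseCachedClients();
    }
}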
