package org.opensearch.repositories.s3;

import java.io.Closeable;
import java.io.IOException;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.Socket;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.protocol.HttpContext;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.cluster.metadata.RepositoryMetadata;
import org.opensearch.common.Nullable;
import org.opensearch.common.SuppressForbidden;
import org.opensearch.common.collect.MapBuilder;
import org.opensearch.common.settings.Settings;
import org.opensearch.core.common.Strings;
import org.opensearch.repositories.s3.ProxySettings;
import org.opensearch.repositories.s3.S3ClientSettings;
import org.opensearch.repositories.s3.utils.AwsRequestSigner;
import org.opensearch.repositories.s3.utils.Protocol;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.core.SdkSystemSetting;
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.core.client.config.SdkAdvancedClientOption;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.core.retry.RetryMode;
import software.amazon.awssdk.core.retry.RetryPolicy;
import software.amazon.awssdk.core.retry.backoff.BackoffStrategy;
import software.amazon.awssdk.core.retry.conditions.RetryCondition;
import software.amazon.awssdk.http.SystemPropertyTlsKeyManagersProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.http.apache.internal.conn.SdkTlsSocketFactory;
import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.S3ClientBuilder;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/* Decompiled by JADX from input_file:org/opensearch/repositories/s3/S3Service.class.
 * Note: the decompiler widened the class's access modifier; in the bytecode it is package-private. */
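public class S3Service implements Closeable {
    private static final Logger logger = LogManager.getLogger(S3Service.class);

    /** System property that, when present, overrides the endpoint used by the STS client built for IRSA. */
    private static final String STS_ENDPOINT_OVERRIDE_SYSTEM_PROPERTY = "aws.stsEndpointOverride";
    /** Endpoint used when a client setting does not specify one. */
    private static final String DEFAULT_S3_ENDPOINT = "s3.amazonaws.com";

    /** Client settings keyed by client name. Always contains the "default" entry. Replaced wholesale, never mutated. */
    private volatile Map<String, S3ClientSettings> staticClientSettings;
    /** Ref-counted S3 clients keyed by their effective settings. Replaced wholesale under {@code this} lock. */
    private volatile Map<S3ClientSettings, AmazonS3Reference> clientsCache = new ConcurrentHashMap<>();
    /** Memoised results of refining a named client setting with a repository's own settings. */
    private volatile Map<Settings, S3ClientSettings> derivedClientSettings = new ConcurrentHashMap<>();

    /**
     * Credentials provider for the "no explicit credentials" case: container credentials when a container
     * credentials URI is configured, otherwise the EC2 instance profile. Credential resolution is performed
     * inside a privileged block because the SDK opens network connections to the metadata endpoint.
     * (Package-private in the original bytecode; the decompiler widened it to public.)
     */
    public static class PrivilegedInstanceProfileCredentialsProvider implements AwsCredentialsProvider {
        private final AwsCredentialsProvider credentials = initializeProvider();

        private PrivilegedInstanceProfileCredentialsProvider() {
        }

        /**
         * Picks the delegate: container credentials when either the relative or the full container credentials
         * URI setting is present, otherwise the instance profile provider. Both use async credential refresh.
         */
        private AwsCredentialsProvider initializeProvider() {
            boolean containerUriConfigured = SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.getStringValue().isPresent()
                || SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.getStringValue().isPresent();
            if (containerUriConfigured) {
                return ContainerCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build();
            }
            return InstanceProfileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build();
        }

        @Override
        public AwsCredentials resolveCredentials() {
            return SocketAccess.doPrivileged(credentials::resolveCredentials);
        }
    }

    /**
     * Wraps an STS-backed credentials provider (assume-role or web-identity) so that resolution and shutdown run
     * in privileged blocks, and owns the {@link StsClient} the provider was built with so it is closed alongside it.
     * (Package-private in the original bytecode; the decompiler widened it to public.)
     *
     * @param <P> the wrapped provider type; must also be closeable
     */
    public static class PrivilegedSTSAssumeRoleSessionCredentialsProvider<P extends AwsCredentialsProvider & AutoCloseable>
        implements AwsCredentialsProvider, Closeable {
        private final P credentials;
        @Nullable
        private final StsClient stsClient;

        private PrivilegedSTSAssumeRoleSessionCredentialsProvider(@Nullable StsClient stsClient, P p) {
            this.stsClient = stsClient;
            this.credentials = p;
        }

        /**
         * Closes the wrapped provider and then the STS client. The client is closed even when the provider's
         * close throws, so a failing provider does not leak the client's HTTP connections.
         *
         * @throws IOException if closing either resource fails (the provider's exception wins when both fail
         *                     only if the client closes cleanly)
         */
        @Override
        public void close() throws IOException {
            SocketAccess.doPrivilegedIOException(() -> {
                try {
                    credentials.close();
                } finally {
                    if (stsClient != null) {
                        stsClient.close();
                    }
                }
                return null;
            });
        }

        @Override
        public AwsCredentials resolveCredentials() {
            return SocketAccess.doPrivileged(credentials::resolveCredentials);
        }
    }

    /**
     * Creates the service with only the "default" client, built from empty node settings.
     * (Package-private in the original bytecode; the decompiler widened it to public.)
     *
     * @param path the node configuration path handed to {@link S3ClientSettings#getClientSettings}
     */
    public S3Service(Path path) {
        staticClientSettings = MapBuilder.<String, S3ClientSettings>newMapBuilder()
            .put("default", S3ClientSettings.getClientSettings(Settings.EMPTY, "default", path))
            .immutableMap();
    }

    /**
     * Replaces the named client settings, releasing every cached client and dropping all derived settings so
     * that later {@link #client} calls rebuild against the new configuration.
     *
     * @param map the new client settings keyed by client name; must contain "default"
     */
    public synchronized void refreshAndClearCache(Map<String, S3ClientSettings> map) {
        releaseCachedClients();
        staticClientSettings = MapBuilder.newMapBuilder(map).immutableMap();
        derivedClientSettings = Collections.emptyMap();
        assert staticClientSettings.containsKey("default") : "always at least have 'default'";
    }

    /**
     * Returns a ref-counted client for the repository's effective settings, building and caching one if needed.
     * A cached entry is reused only if {@code tryIncRef} succeeds, i.e. it has not already been released;
     * the check is repeated under {@code this} lock before a new client is built (double-checked cache).
     * The returned reference has been incremented on the caller's behalf (presumably to be balanced by
     * {@code decRef} — confirm against callers).
     *
     * @param repositoryMetadata the repository whose settings select and refine the client
     * @return a live, incremented reference to an S3 client
     */
    public AmazonS3Reference client(RepositoryMetadata repositoryMetadata) {
        S3ClientSettings clientSettings = settings(repositoryMetadata);
        AmazonS3Reference existing = clientsCache.get(clientSettings);
        if (existing != null && existing.tryIncRef()) {
            return existing;
        }
        synchronized (this) {
            AmazonS3Reference cached = clientsCache.get(clientSettings);
            if (cached != null && cached.tryIncRef()) {
                return cached;
            }
            AmazonS3Reference created = new AmazonS3Reference(buildClient(clientSettings));
            created.incRef();
            // copy-on-write: publish a fresh immutable map rather than mutating the shared one
            clientsCache = MapBuilder.newMapBuilder(clientsCache).put(clientSettings, created).immutableMap();
            return created;
        }
    }

    /**
     * Resolves the effective client settings for a repository: the named client (from the repository's
     * {@code client} setting) refined with the repository's own settings, memoised per {@link Settings} instance.
     * (Package-private in the original bytecode; the decompiler widened it to public.)
     *
     * @param repositoryMetadata the repository whose settings are consulted
     * @return the refined settings
     * @throws IllegalArgumentException if the repository names a client that is not configured
     */
    public S3ClientSettings settings(RepositoryMetadata repositoryMetadata) {
        Settings repositorySettings = repositoryMetadata.settings();
        S3ClientSettings derived = derivedClientSettings.get(repositorySettings);
        if (derived != null) {
            return derived;
        }
        String clientName = S3Repository.CLIENT_NAME.get(repositorySettings);
        S3ClientSettings base = staticClientSettings.get(clientName);
        if (base == null) {
            throw new IllegalArgumentException(
                "Unknown s3 client name ["
                    + clientName
                    + "]. Existing client configs: "
                    + Strings.collectionToDelimitedString(staticClientSettings.keySet(), ",")
            );
        }
        synchronized (this) {
            S3ClientSettings raced = derivedClientSettings.get(repositorySettings);
            if (raced != null) {
                return raced;
            }
            S3ClientSettings refined = base.refine(repositorySettings);
            derivedClientSettings = MapBuilder.newMapBuilder(derivedClientSettings).put(repositorySettings, refined).immutableMap();
            return refined;
        }
    }

    /**
     * Builds an S3 client plus its credentials provider from the given settings.
     * <p>
     * Endpoint handling: the configured endpoint (or {@value #DEFAULT_S3_ENDPOINT}) is used verbatim when it
     * already carries an {@code http://} or {@code https://} scheme — in that case the {@code protocol} setting
     * is ignored — otherwise the configured protocol is prepended. The client is built inside a privileged block.
     *
     * @param s3ClientSettings the effective settings for the client
     * @return the client and the credentials provider it was configured with
     */
    AmazonS3WithCredentials buildClient(S3ClientSettings s3ClientSettings) {
        setDefaultAwsProfilePath();
        S3ClientBuilder builder = S3Client.builder();
        AwsCredentialsProvider credentialsProvider = buildCredentials(logger, s3ClientSettings);
        builder.credentialsProvider(credentialsProvider);
        builder.httpClientBuilder(buildHttpClient(s3ClientSettings));
        builder.overrideConfiguration(buildOverrideConfiguration(s3ClientSettings));

        String endpoint = Strings.hasLength(s3ClientSettings.endpoint) ? s3ClientSettings.endpoint : DEFAULT_S3_ENDPOINT;
        boolean hasScheme = endpoint.startsWith("http://") || endpoint.startsWith("https://");
        if (!hasScheme) {
            endpoint = s3ClientSettings.protocol.toString() + "://" + endpoint;
        }
        logger.debug("using endpoint [{}] and region [{}]", endpoint, s3ClientSettings.region);
        builder.endpointOverride(URI.create(endpoint));

        if (Strings.hasText(s3ClientSettings.region)) {
            builder.region(Region.of(s3ClientSettings.region));
        }
        if (s3ClientSettings.pathStyleAccess) {
            builder.forcePathStyle(true);
        }
        if (s3ClientSettings.disableChunkedEncoding) {
            builder.serviceConfiguration(serviceConfig -> serviceConfig.chunkedEncodingEnabled(false));
        }
        return AmazonS3WithCredentials.create(SocketAccess.doPrivileged(builder::build), credentialsProvider);
    }

    /**
     * Points the SDK's shared-credentials and config file settings at {@code opensearch.path.conf} unless the
     * operator already set them, so profile lookups do not fall back to the user's home directory.
     * The properties are written inside a privileged block.
     * NOTE(review): {@code System.setProperty} rejects a null value, so this throws if the
     * {@code opensearch.path.conf} system property is absent — confirm it is always set by the launcher.
     */
    @SuppressForbidden(reason = "Need to provide this override to v2 SDK so that path does not default to home path")
    static void setDefaultAwsProfilePath() {
        if (ProfileFileSystemSetting.AWS_SHARED_CREDENTIALS_FILE.getStringValue().isEmpty()) {
            SocketAccess.doPrivileged(
                () -> System.setProperty(ProfileFileSystemSetting.AWS_SHARED_CREDENTIALS_FILE.property(), System.getProperty("opensearch.path.conf"))
            );
        }
        if (ProfileFileSystemSetting.AWS_CONFIG_FILE.getStringValue().isEmpty()) {
            SocketAccess.doPrivileged(
                () -> System.setProperty(ProfileFileSystemSetting.AWS_CONFIG_FILE.property(), System.getProperty("opensearch.path.conf"))
            );
        }
    }

    /**
     * Builds the Apache HTTP client: proxy (SOCKS via a custom socket factory, HTTP/HTTPS via the SDK's proxy
     * configuration), socket timeout, connection pool size and connection acquisition timeout.
     * <p>
     * Security note: for an authenticated SOCKS proxy the credentials are installed with
     * {@link Authenticator#setDefault}, which is JVM-wide — every SOCKS connection in the process, not only
     * this client's, will present them. The password is handed over as a {@code String} and converted to
     * {@code char[]} here, so it cannot be zeroed after use.
     *
     * @param s3ClientSettings the effective settings for the client
     * @return the configured HTTP client builder
     */
    static ApacheHttpClient.Builder buildHttpClient(S3ClientSettings s3ClientSettings) {
        ApacheHttpClient.Builder builder = ApacheHttpClient.builder();
        ProxySettings proxySettings = s3ClientSettings.proxySettings;
        if (!proxySettings.equals(ProxySettings.NO_PROXY_SETTINGS)) {
            if (proxySettings.getType() == ProxySettings.ProxyType.SOCKS) {
                SocketAccess.doPrivilegedVoid(() -> {
                    if (proxySettings.isAuthenticated()) {
                        // JVM-global: the JDK's SOCKS implementation consults this authenticator for every SOCKS socket
                        Authenticator.setDefault(new Authenticator() {
                            @Override
                            protected PasswordAuthentication getPasswordAuthentication() {
                                return new PasswordAuthentication(
                                    s3ClientSettings.proxySettings.getUsername(),
                                    s3ClientSettings.proxySettings.getPassword().toCharArray()
                                );
                            }
                        });
                    }
                    builder.socketFactory(createSocksSslConnectionSocketFactory(proxySettings.getAddress()));
                });
            } else {
                builder.proxyConfiguration(buildHttpProxyConfiguration(s3ClientSettings));
            }
        }
        builder.socketTimeout(Duration.ofMillis(s3ClientSettings.readTimeoutMillis));
        builder.maxConnections(s3ClientSettings.maxSyncConnections);
        builder.connectionAcquisitionTimeout(Duration.ofMillis(s3ClientSettings.connectionAcquisitionTimeoutMillis));
        return builder;
    }

    /**
     * Builds the SDK proxy configuration for an HTTP/HTTPS proxy. SOCKS proxies are handled by a socket
     * factory instead, so for them an empty configuration is returned. A {@code DIRECT} proxy type is mapped
     * to the HTTP scheme.
     *
     * @param s3ClientSettings the effective settings for the client
     * @return the proxy configuration
     * @throws SdkException if the host/port cannot be assembled into a URI
     */
    static ProxyConfiguration buildHttpProxyConfiguration(S3ClientSettings s3ClientSettings) {
        ProxyConfiguration.Builder builder = ProxyConfiguration.builder();
        ProxySettings proxySettings = s3ClientSettings.proxySettings;
        if (proxySettings.getType() == ProxySettings.ProxyType.SOCKS) {
            return builder.build();
        }
        Protocol scheme = proxySettings.getType() == ProxySettings.ProxyType.DIRECT ? Protocol.HTTP : proxySettings.getType().toProtocol();
        try {
            URI proxyUri = new URI(scheme.toString(), null, proxySettings.getHost(), proxySettings.getPort(), null, null, null);
            return builder.endpoint(proxyUri).username(proxySettings.getUsername()).password(proxySettings.getPassword()).build();
        } catch (URISyntaxException e) {
            throw SdkException.create("Invalid proxy URL", e);
        }
    }

    /**
     * Builds the client override configuration: an optional signer override and the retry policy
     * ({@code maxRetries} attempts, no retry-capacity condition, and throttling backoff only when
     * {@code throttleRetries} is enabled).
     *
     * @param s3ClientSettings the effective settings for the client
     * @return the override configuration
     */
    static ClientOverrideConfiguration buildOverrideConfiguration(S3ClientSettings s3ClientSettings) {
        ClientOverrideConfiguration.Builder builder = ClientOverrideConfiguration.builder();
        if (Strings.hasLength(s3ClientSettings.signerOverride)) {
            builder = builder.putAdvancedOption(
                SdkAdvancedClientOption.SIGNER,
                AwsRequestSigner.fromSignerName(s3ClientSettings.signerOverride).getSigner()
            );
        }
        // built in a privileged block because RetryPolicy.builder() reads SDK system settings
        RetryPolicy.Builder retryPolicy = SocketAccess.doPrivileged(
            () -> RetryPolicy.builder().numRetries(s3ClientSettings.maxRetries).retryCapacityCondition((RetryCondition) null)
        );
        BackoffStrategy throttlingBackoff = s3ClientSettings.throttleRetries
            ? BackoffStrategy.defaultThrottlingStrategy(RetryMode.STANDARD)
            : BackoffStrategy.none();
        retryPolicy.throttlingBackoffStrategy(throttlingBackoff);
        return builder.retryPolicy(retryPolicy.build()).build();
    }

    /**
     * Creates a TLS socket factory whose sockets are opened through the given SOCKS proxy. The SSL context uses
     * the key managers from the SDK's system-property provider and, because no trust managers are passed, the
     * JDK default trust material; hostname verification uses Apache's default verifier.
     * NOTE(review): {@code createSocket} returns a plain SOCKS socket; the TLS layering is presumably done by
     * the parent factory when the socket is connected — confirm against {@code SdkTlsSocketFactory}.
     *
     * @param inetSocketAddress the SOCKS proxy address
     * @return the socket factory
     * @throws SdkException if the SSL context cannot be created
     */
    private static SSLConnectionSocketFactory createSocksSslConnectionSocketFactory(final InetSocketAddress inetSocketAddress) {
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(SystemPropertyTlsKeyManagersProvider.create().keyManagers(), null, new SecureRandom());
            return new SdkTlsSocketFactory(sslContext, new DefaultHostnameVerifier()) {
                @Override
                public Socket createSocket(HttpContext httpContext) throws IOException {
                    return new Socket(new Proxy(Proxy.Type.SOCKS, inetSocketAddress));
                }
            };
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw SdkException.create("Exception during SSL context creation for SOCKS proxy", e);
        }
    }

    /**
     * Chooses the credentials provider, in order of precedence:
     * <ol>
     *   <li>IRSA (role ARN and, optionally, a web identity token file), completed from the environment;
     *       an STS client is built for it, using the static credentials if present, else the SDK default chain,
     *       and honouring {@value #STS_ENDPOINT_OVERRIDE_SYSTEM_PROPERTY} when set;</li>
     *   <li>static access key / secret from the settings;</li>
     *   <li>instance-profile / container credentials.</li>
     * </ol>
     *
     * @param logger2          the logger used to report which provider was selected
     * @param s3ClientSettings the effective settings for the client
     * @return the credentials provider
     */
    static AwsCredentialsProvider buildCredentials(Logger logger2, S3ClientSettings s3ClientSettings) {
        AwsCredentials awsCredentials = s3ClientSettings.credentials;
        S3ClientSettings.IrsaCredentials irsa = buildFromEnviroment(s3ClientSettings.irsaCredentials);
        if (irsa == null) {
            if (awsCredentials != null) {
                logger2.debug("Using basic key/secret credentials");
                return StaticCredentialsProvider.create(awsCredentials);
            }
            logger2.debug("Using instance profile credentials");
            return new PrivilegedInstanceProfileCredentialsProvider();
        }

        logger2.debug("Using IRSA credentials");
        StsClient stsClient = SocketAccess.doPrivileged(() -> {
            StsClientBuilder stsBuilder = StsClient.builder();
            if (Strings.hasText(s3ClientSettings.region)) {
                stsBuilder.region(Region.of(s3ClientSettings.region));
            }
            String endpointOverride = System.getProperty(STS_ENDPOINT_OVERRIDE_SYSTEM_PROPERTY);
            if (endpointOverride != null) {
                stsBuilder = stsBuilder.endpointOverride(URI.create(endpointOverride));
            }
            AwsCredentialsProvider stsCredentials = awsCredentials != null
                ? StaticCredentialsProvider.create(awsCredentials)
                : DefaultCredentialsProvider.create();
            return stsBuilder.credentialsProvider(stsCredentials).build();
        });

        if (irsa.getIdentityTokenFile() == null) {
            // plain assume-role: the STS client's own credentials are used to call AssumeRole
            StsAssumeRoleCredentialsProvider.Builder assumeRole = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(stsClient)
                .refreshRequest(AssumeRoleRequest.builder().roleArn(irsa.getRoleArn()).roleSessionName(irsa.getRoleSessionName()).build());
            return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(stsClient, SocketAccess.doPrivileged(assumeRole::build));
        }
        // web identity: the token file is exchanged for role credentials via AssumeRoleWithWebIdentity
        StsWebIdentityTokenFileCredentialsProvider.Builder webIdentity = StsWebIdentityTokenFileCredentialsProvider.builder()
            .stsClient(stsClient)
            .roleArn(irsa.getRoleArn())
            .roleSessionName(irsa.getRoleSessionName())
            .webIdentityTokenFile(Path.of(irsa.getIdentityTokenFile()));
        return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(stsClient, SocketAccess.doPrivileged(webIdentity::build));
    }

    /**
     * Completes IRSA settings from the SDK's standard environment variables: each of token file, role ARN and
     * session name that is unset in the settings is taken from the environment (which may itself be unset).
     *
     * @param irsaCredentials the configured IRSA settings, or null when IRSA is not configured
     * @return the completed settings, or null if {@code irsaCredentials} is null
     */
    private static S3ClientSettings.IrsaCredentials buildFromEnviroment(S3ClientSettings.IrsaCredentials irsaCredentials) {
        if (irsaCredentials == null) {
            return null;
        }
        return new S3ClientSettings.IrsaCredentials(
            orEnvironment(irsaCredentials.getIdentityTokenFile(), SdkSystemSetting.AWS_WEB_IDENTITY_TOKEN_FILE),
            orEnvironment(irsaCredentials.getRoleArn(), SdkSystemSetting.AWS_ROLE_ARN),
            orEnvironment(irsaCredentials.getRoleSessionName(), SdkSystemSetting.AWS_ROLE_SESSION_NAME)
        );
    }

    /** Returns {@code configured} if non-null, otherwise the value of {@code setting}'s environment variable (possibly null). */
    private static String orEnvironment(String configured, SdkSystemSetting setting) {
        return configured != null ? configured : System.getenv(setting.environmentVariable());
    }

    /**
     * Decrements every cached client reference (closing those that reach zero) and empties both caches.
     */
    public synchronized void releaseCachedClients() {
        for (AmazonS3Reference reference : clientsCache.values()) {
            reference.decRef();
        }
        clientsCache = Collections.emptyMap();
        derivedClientSettings = Collections.emptyMap();
    }

    @Override
    public void close() {
        releaseCachedClients();
    }
}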
