package org.elasticsearch.repositories.s3;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.STSAssumeRoleWithWebIdentitySessionCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.http.IdleConnectionReaper;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import java.io.Closeable;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.time.Clock;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.cluster.coordination.stateless.StoreHeartbeatService;
import org.elasticsearch.cluster.metadata.RepositoryMetadata;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.core.IOUtils;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/repositories/s3/S3Service.class */
public class S3Service implements Closeable {
    private static final Logger LOGGER;
    static final Setting<TimeValue> REPOSITORY_S3_CAS_TTL_SETTING;
    static final Setting<TimeValue> REPOSITORY_S3_CAS_ANTI_CONTENTION_DELAY_SETTING;
    private volatile Map<S3ClientSettings, AmazonS3Reference> clientsCache = Collections.emptyMap();
    private volatile Map<String, S3ClientSettings> staticClientSettings = Map.of("default", S3ClientSettings.getClientSettings(Settings.EMPTY, "default"));
    private volatile Map<Settings, S3ClientSettings> derivedClientSettings = Collections.emptyMap();
    final CustomWebIdentityTokenCredentialsProvider webIdentityTokenCredentialsProvider;
    final TimeValue compareAndExchangeTimeToLive;
    final TimeValue compareAndExchangeAntiContentionDelay;
    final boolean isStateless;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/repositories/s3/S3Service$CustomWebIdentityTokenCredentialsProvider.class */
    public static class CustomWebIdentityTokenCredentialsProvider implements AWSCredentialsProvider {
        private static final String STS_HOSTNAME = "https://sts.amazonaws.com";
        private STSAssumeRoleWithWebIdentitySessionCredentialsProvider credentialsProvider;
        private AWSSecurityTokenService stsClient;
        private String stsRegion;

        CustomWebIdentityTokenCredentialsProvider(Environment environment, SystemEnvironment systemEnvironment, JvmEnvironment jvmEnvironment, Clock clock, ResourceWatcherService resourceWatcherService) {
            if (systemEnvironment.getEnv("AWS_WEB_IDENTITY_TOKEN_FILE") == null) {
                return;
            }
            final Path resolve = environment.configFile().resolve("repository-s3/aws-web-identity-token-file");
            if (!Files.exists(resolve, new LinkOption[0])) {
                S3Service.LOGGER.warn("Cannot use AWS Web Identity Tokens: AWS_WEB_IDENTITY_TOKEN_FILE is defined but no corresponding symlink exists in the config directory");
                return;
            }
            if (!Files.isReadable(resolve)) {
                throw new IllegalStateException("Unable to read a Web Identity Token symlink in the config directory");
            }
            String env = systemEnvironment.getEnv("AWS_ROLE_ARN");
            if (env == null) {
                S3Service.LOGGER.warn("Unable to use a web identity token for authentication. The AWS_WEB_IDENTITY_TOKEN_FILE environment variable is set, but either AWS_ROLE_ARN is missing");
                return;
            }
            String str = (String) Objects.requireNonNullElseGet(systemEnvironment.getEnv("AWS_ROLE_SESSION_NAME"), () -> {
                return "aws-sdk-java-" + clock.millis();
            });
            AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClient.builder();
            if ("regional".equalsIgnoreCase(systemEnvironment.getEnv("AWS_STS_REGIONAL_ENDPOINTS"))) {
                this.stsRegion = systemEnvironment.getEnv("AWS_REGION");
                if (this.stsRegion != null) {
                    SocketAccess.doPrivilegedVoid(() -> {
                        builder.withRegion(this.stsRegion);
                    });
                } else {
                    S3Service.LOGGER.warn("Unable to use regional STS endpoints because the AWS_REGION environment variable is not set");
                }
            }
            if (this.stsRegion == null) {
                builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(jvmEnvironment.getProperty("com.amazonaws.sdk.stsMetadataServiceEndpointOverride", STS_HOSTNAME), (String) null));
            }
            builder.withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()));
            Objects.requireNonNull(builder);
            this.stsClient = (AWSSecurityTokenService) SocketAccess.doPrivileged(builder::build);
            try {
                this.credentialsProvider = new STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder(env, str, resolve.toString()).withStsClient(this.stsClient).build();
                FileWatcher fileWatcher = new FileWatcher(resolve);
                fileWatcher.addListener(new FileChangesListener() { // from class: org.elasticsearch.repositories.s3.S3Service.CustomWebIdentityTokenCredentialsProvider.1
                    public void onFileCreated(Path path) {
                        onFileChanged(path);
                    }

                    public void onFileChanged(Path path) {
                        if (path.equals(resolve)) {
                            S3Service.LOGGER.debug("WS web identity token file [{}] changed, updating credentials", path);
                            CustomWebIdentityTokenCredentialsProvider.this.credentialsProvider.refresh();
                        }
                    }
                });
                try {
                    resourceWatcherService.add(fileWatcher, ResourceWatcherService.Frequency.LOW);
                } catch (IOException e) {
                    throw new ElasticsearchException("failed to start watching AWS web identity token file [{}]", e, new Object[]{resolve});
                }
            } catch (Exception e2) {
                this.stsClient.shutdown();
                throw e2;
            }
        }

        boolean isActive() {
            return this.credentialsProvider != null;
        }

        String getStsRegion() {
            return this.stsRegion;
        }

        public AWSCredentials getCredentials() {
            Objects.requireNonNull(this.credentialsProvider, "credentialsProvider is not set");
            return this.credentialsProvider.getCredentials();
        }

        public void refresh() {
            if (this.credentialsProvider != null) {
                this.credentialsProvider.refresh();
            }
        }

        public void shutdown() throws IOException {
            if (this.credentialsProvider != null) {
                IOUtils.close(new Closeable[]{this.credentialsProvider, () -> {
                    this.stsClient.shutdown();
                }});
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/repositories/s3/S3Service$ErrorLoggingCredentialsProvider.class */
    public static class ErrorLoggingCredentialsProvider implements AWSCredentialsProvider {
        private final AWSCredentialsProvider delegate;
        private final Logger logger;

        ErrorLoggingCredentialsProvider(AWSCredentialsProvider aWSCredentialsProvider, Logger logger) {
            this.delegate = (AWSCredentialsProvider) Objects.requireNonNull(aWSCredentialsProvider);
            this.logger = (Logger) Objects.requireNonNull(logger);
        }

        public AWSCredentials getCredentials() {
            try {
                return this.delegate.getCredentials();
            } catch (Exception e) {
                this.logger.error(() -> {
                    return "Unable to load credentials from " + this.delegate;
                }, e);
                throw e;
            }
        }

        public void refresh() {
            try {
                this.delegate.refresh();
            } catch (Exception e) {
                this.logger.error(() -> {
                    return "Unable to refresh " + this.delegate;
                }, e);
                throw e;
            }
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:org/elasticsearch/repositories/s3/S3Service$JvmEnvironment.class */
    interface JvmEnvironment {
        String getProperty(String str, String str2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/repositories/s3/S3Service$PrivilegedAWSCredentialsProvider.class */
    public static class PrivilegedAWSCredentialsProvider implements AWSCredentialsProvider {
        private final AWSCredentialsProvider credentialsProvider;

        private PrivilegedAWSCredentialsProvider(AWSCredentialsProvider aWSCredentialsProvider) {
            this.credentialsProvider = aWSCredentialsProvider;
        }

        AWSCredentialsProvider getCredentialsProvider() {
            return this.credentialsProvider;
        }

        public AWSCredentials getCredentials() {
            AWSCredentialsProvider aWSCredentialsProvider = this.credentialsProvider;
            Objects.requireNonNull(aWSCredentialsProvider);
            return (AWSCredentials) SocketAccess.doPrivileged(aWSCredentialsProvider::getCredentials);
        }

        public void refresh() {
            AWSCredentialsProvider aWSCredentialsProvider = this.credentialsProvider;
            Objects.requireNonNull(aWSCredentialsProvider);
            SocketAccess.doPrivilegedVoid(aWSCredentialsProvider::refresh);
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:org/elasticsearch/repositories/s3/S3Service$SystemEnvironment.class */
    interface SystemEnvironment {
        String getEnv(String str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public S3Service(Environment environment, Settings settings, ResourceWatcherService resourceWatcherService) {
        this.webIdentityTokenCredentialsProvider = new CustomWebIdentityTokenCredentialsProvider(environment, System::getenv, System::getProperty, Clock.systemUTC(), resourceWatcherService);
        this.compareAndExchangeTimeToLive = (TimeValue) REPOSITORY_S3_CAS_TTL_SETTING.get(settings);
        this.compareAndExchangeAntiContentionDelay = (TimeValue) REPOSITORY_S3_CAS_ANTI_CONTENTION_DELAY_SETTING.get(settings);
        this.isStateless = DiscoveryNode.isStateless(settings);
    }

    public synchronized void refreshAndClearCache(Map<String, S3ClientSettings> map) {
        releaseCachedClients();
        this.staticClientSettings = Maps.ofEntries(map.entrySet());
        this.derivedClientSettings = Collections.emptyMap();
        if (!$assertionsDisabled && !this.staticClientSettings.containsKey("default")) {
            throw new AssertionError("always at least have 'default'");
        }
    }

    public AmazonS3Reference client(RepositoryMetadata repositoryMetadata) {
        S3ClientSettings s3ClientSettings = settings(repositoryMetadata);
        AmazonS3Reference amazonS3Reference = this.clientsCache.get(s3ClientSettings);
        if (amazonS3Reference != null && amazonS3Reference.tryIncRef()) {
            return amazonS3Reference;
        }
        synchronized (this) {
            AmazonS3Reference amazonS3Reference2 = this.clientsCache.get(s3ClientSettings);
            if (amazonS3Reference2 != null && amazonS3Reference2.tryIncRef()) {
                return amazonS3Reference2;
            }
            AmazonS3Reference amazonS3Reference3 = new AmazonS3Reference(buildClient(s3ClientSettings));
            amazonS3Reference3.mustIncRef();
            this.clientsCache = Maps.copyMapWithAddedEntry(this.clientsCache, s3ClientSettings, amazonS3Reference3);
            return amazonS3Reference3;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public S3ClientSettings settings(RepositoryMetadata repositoryMetadata) {
        Settings settings = repositoryMetadata.settings();
        S3ClientSettings s3ClientSettings = this.derivedClientSettings.get(settings);
        if (s3ClientSettings != null) {
            return s3ClientSettings;
        }
        String str = (String) S3Repository.CLIENT_NAME.get(settings);
        S3ClientSettings s3ClientSettings2 = this.staticClientSettings.get(str);
        if (s3ClientSettings2 == null) {
            throw new IllegalArgumentException("Unknown s3 client name [" + str + "]. Existing client configs: " + Strings.collectionToDelimitedString(this.staticClientSettings.keySet(), ","));
        }
        synchronized (this) {
            S3ClientSettings s3ClientSettings3 = this.derivedClientSettings.get(settings);
            if (s3ClientSettings3 != null) {
                return s3ClientSettings3;
            }
            S3ClientSettings refine = s3ClientSettings2.refine(settings);
            this.derivedClientSettings = Maps.copyMapWithAddedOrReplacedEntry(this.derivedClientSettings, settings, refine);
            return refine;
        }
    }

    AmazonS3 buildClient(S3ClientSettings s3ClientSettings) {
        AmazonS3ClientBuilder buildClientBuilder = buildClientBuilder(s3ClientSettings);
        Objects.requireNonNull(buildClientBuilder);
        return (AmazonS3) SocketAccess.doPrivileged(buildClientBuilder::build);
    }

    protected AmazonS3ClientBuilder buildClientBuilder(S3ClientSettings s3ClientSettings) {
        AmazonS3ClientBuilder standard = AmazonS3ClientBuilder.standard();
        standard.withCredentials(buildCredentials(LOGGER, s3ClientSettings, this.webIdentityTokenCredentialsProvider));
        standard.withClientConfiguration(buildConfiguration(s3ClientSettings));
        String str = Strings.hasLength(s3ClientSettings.endpoint) ? s3ClientSettings.endpoint : "s3.amazonaws.com";
        if (!(str.startsWith("http://") || str.startsWith("https://"))) {
            str = s3ClientSettings.protocol.toString() + "://" + str;
        }
        String str2 = Strings.hasLength(s3ClientSettings.region) ? s3ClientSettings.region : null;
        LOGGER.debug("using endpoint [{}] and region [{}]", str, str2);
        standard.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(str, str2));
        if (s3ClientSettings.pathStyleAccess) {
            standard.enablePathStyleAccess();
        }
        if (s3ClientSettings.disableChunkedEncoding) {
            standard.disableChunkedEncoding();
        }
        return standard;
    }

    static ClientConfiguration buildConfiguration(S3ClientSettings s3ClientSettings) {
        ClientConfiguration clientConfiguration = new ClientConfiguration();
        clientConfiguration.setResponseMetadataCacheSize(0);
        clientConfiguration.setProtocol(s3ClientSettings.protocol);
        if (Strings.hasText(s3ClientSettings.proxyHost)) {
            clientConfiguration.setProxyHost(s3ClientSettings.proxyHost);
            clientConfiguration.setProxyPort(s3ClientSettings.proxyPort);
            clientConfiguration.setProxyProtocol(s3ClientSettings.proxyScheme);
            clientConfiguration.setProxyUsername(s3ClientSettings.proxyUsername);
            clientConfiguration.setProxyPassword(s3ClientSettings.proxyPassword);
        }
        if (Strings.hasLength(s3ClientSettings.signerOverride)) {
            clientConfiguration.setSignerOverride(s3ClientSettings.signerOverride);
        }
        clientConfiguration.setMaxConnections(s3ClientSettings.maxConnections);
        clientConfiguration.setMaxErrorRetry(s3ClientSettings.maxRetries);
        clientConfiguration.setUseThrottleRetries(s3ClientSettings.throttleRetries);
        clientConfiguration.setSocketTimeout(s3ClientSettings.readTimeoutMillis);
        return clientConfiguration;
    }

    static AWSCredentialsProvider buildCredentials(Logger logger, S3ClientSettings s3ClientSettings, CustomWebIdentityTokenCredentialsProvider customWebIdentityTokenCredentialsProvider) {
        S3BasicCredentials s3BasicCredentials = s3ClientSettings.credentials;
        if (s3BasicCredentials != null) {
            logger.debug("Using basic key/secret credentials");
            return new AWSStaticCredentialsProvider(s3BasicCredentials);
        }
        if (customWebIdentityTokenCredentialsProvider.isActive()) {
            logger.debug("Using a custom provider chain of Web Identity Token and instance profile credentials");
            return new PrivilegedAWSCredentialsProvider(new AWSCredentialsProviderChain(List.of(new ErrorLoggingCredentialsProvider(customWebIdentityTokenCredentialsProvider, LOGGER), new ErrorLoggingCredentialsProvider(new EC2ContainerCredentialsProviderWrapper(), LOGGER))));
        }
        logger.debug("Using instance profile credentials");
        return new PrivilegedAWSCredentialsProvider(new EC2ContainerCredentialsProviderWrapper());
    }

    private synchronized void releaseCachedClients() {
        Iterator<AmazonS3Reference> it = this.clientsCache.values().iterator();
        while (it.hasNext()) {
            it.next().decRef();
        }
        this.clientsCache = Collections.emptyMap();
        this.derivedClientSettings = Collections.emptyMap();
        IdleConnectionReaper.shutdown();
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        releaseCachedClients();
        this.webIdentityTokenCredentialsProvider.shutdown();
    }

    static {
        $assertionsDisabled = !S3Service.class.desiredAssertionStatus();
        LOGGER = LogManager.getLogger(S3Service.class);
        REPOSITORY_S3_CAS_TTL_SETTING = Setting.timeSetting("repository_s3.compare_and_exchange.time_to_live", StoreHeartbeatService.HEARTBEAT_FREQUENCY, new Setting.Property[]{Setting.Property.NodeScope});
        REPOSITORY_S3_CAS_ANTI_CONTENTION_DELAY_SETTING = Setting.timeSetting("repository_s3.compare_and_exchange.anti_contention_delay", TimeValue.timeValueSeconds(1L), TimeValue.timeValueMillis(1L), TimeValue.timeValueHours(24L), new Setting.Property[]{Setting.Property.NodeScope});
    }
}
