package com.netflix.spinnaker.kork.artifacts.artifactstore.s3;

import com.netflix.spinnaker.kork.artifacts.ArtifactTypes;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactDecorator;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactReferenceURI;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactStoreGetter;
import com.netflix.spinnaker.kork.artifacts.model.Artifact;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import com.netflix.spinnaker.security.UserPermissionEvaluator;
import java.util.Base64;
import java.util.NoSuchElementException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.authentication.AuthenticationServiceException;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectTaggingRequest;
import software.amazon.awssdk.services.s3.model.Tag;

/* loaded from: input_file:com/netflix/spinnaker/kork/artifacts/artifactstore/s3/S3ArtifactStoreGetter.class */
/**
 * Fetches stored artifacts from an S3 bucket on behalf of the current Spinnaker user.
 *
 * <p>Access is gated on an object tag whose key is {@link S3ArtifactStore#ENFORCE_PERMS_KEY}. The
 * tag's value is passed to the {@link UserPermissionEvaluator} as the target to check for
 * {@code READ} permission. Judging by the log message below, that value appears to be the
 * application that stored the artifact (confirm against the writer side).
 *
 * <p>Security notes for reviewers:
 *
 * <ul>
 *   <li>An object without the tag is always refused (fail closed).
 *   <li>A {@code null} evaluator skips the permission check for tagged objects, so any caller with
 *       a user id can read them. Only wire in {@code null} when permission enforcement is meant to
 *       be off.
 *   <li>The tag lookup and the object download are two separate S3 requests. The decision is
 *       therefore made on the tag as it was at lookup time.
 *   <li>The whole object is read into memory and Base64-encoded; no size limit is applied here.
 * </ul>
 */
public class S3ArtifactStoreGetter implements ArtifactStoreGetter {
    private static final Logger log = LogManager.getLogger(S3ArtifactStoreGetter.class);
    private final S3Client s3Client;
    private final UserPermissionEvaluator userPermissionEvaluator;
    private final String bucket;

    /**
     * @param s3Client client used for both the tag lookup and the object download
     * @param userPermissionEvaluator evaluator consulted for READ permission; may be {@code null},
     *     in which case tagged objects are served without a permission check
     * @param str name of the bucket that holds the stored artifacts
     */
    public S3ArtifactStoreGetter(S3Client s3Client, UserPermissionEvaluator userPermissionEvaluator, String str) {
        this.s3Client = s3Client;
        this.userPermissionEvaluator = userPermissionEvaluator;
        this.bucket = str;
    }

    /**
     * Authorizes the current user, downloads the referenced object and returns it as a
     * {@code REMOTE_BASE64} artifact whose reference is the Base64-encoded object body.
     *
     * @param artifactReferenceURI reference whose {@code paths()} value is used as the S3 object key
     * @param artifactDecoratorArr optional decorators applied, in order, to the builder before the
     *     artifact is built; may be {@code null}
     * @return the built artifact
     * @throws NoSuchElementException if no Spinnaker user is attached to the current request
     * @throws AuthenticationServiceException if the user is not allowed to read the object
     */
    @Override
    public Artifact get(ArtifactReferenceURI artifactReferenceURI, ArtifactDecorator... artifactDecoratorArr) {
        // Identify the caller first; a request without a user id never reaches S3.
        String userId = AuthenticatedRequest.getSpinnakerUser()
                .orElseThrow(() -> new NoSuchElementException("Could not authenticate due to missing user id"));

        // Throws unless the caller may read this object; nothing is downloaded before this passes.
        hasAuthorization(artifactReferenceURI, userId);

        Artifact.ArtifactBuilder builder = Artifact.builder().type(ArtifactTypes.REMOTE_BASE64.getMimeType());

        GetObjectRequest objectRequest = GetObjectRequest.builder()
                .bucket(this.bucket)
                .key(artifactReferenceURI.paths())
                .build();
        byte[] body = this.s3Client.getObjectAsBytes(objectRequest).asByteArray();
        builder = builder.reference(Base64.getEncoder().encodeToString(body));

        if (artifactDecoratorArr != null) {
            for (ArtifactDecorator decorator : artifactDecoratorArr) {
                builder = decorator.decorate(builder);
            }
        }
        return builder.build();
    }

    /**
     * Enforces READ permission on the referenced object, based on its permission tag.
     *
     * <p>Outcomes: no permission tag means refused; tag present with a {@code null} evaluator means
     * allowed without a check; otherwise the evaluator decides.
     *
     * @throws AuthenticationServiceException if access is refused
     */
    private void hasAuthorization(ArtifactReferenceURI artifactReferenceURI, String userId) {
        GetObjectTaggingRequest taggingRequest = GetObjectTaggingRequest.builder()
                .bucket(this.bucket)
                .key(artifactReferenceURI.paths())
                .build();

        // Only the first tag carrying the permission key is considered.
        Tag permsTag = null;
        for (Tag candidate : this.s3Client.getObjectTagging(taggingRequest).tagSet()) {
            if (candidate.key().equals(S3ArtifactStore.ENFORCE_PERMS_KEY)) {
                permsTag = candidate;
                break;
            }
        }

        boolean denied;
        if (permsTag == null) {
            // Untagged objects are never served.
            denied = true;
        } else if (this.userPermissionEvaluator == null) {
            // No evaluator configured: the check is skipped and access is granted.
            denied = false;
        } else {
            denied = !this.userPermissionEvaluator.hasPermission(
                    userId, permsTag.value(), S3ArtifactStore.ENFORCE_PERMS_KEY, "READ");
        }

        if (denied) {
            log.error("Could not authenticate to retrieve artifact user={} applicationOfStoredArtifact={}", userId, permsTag == null ? "(none)" : permsTag.value());
            throw new AuthenticationServiceException(userId + " does not have permission to access this artifact");
        }
    }
}
