package org.apache.nifi.processors.aws.credentials.provider.service;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.Signer;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.apache.nifi.annotation.behavior.Restricted;
import org.apache.nifi.annotation.behavior.Restriction;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.DescribedValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.RequiredPermission;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.components.resource.ResourceCardinality;
import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.migration.PropertyConfiguration;
import org.apache.nifi.migration.ProxyServiceMigration;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.AccessKeyPairCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.AnonymousCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.AssumeRoleCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.ExplicitDefaultCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.FileCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.ImplicitDefaultCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.NamedProfileCredentialsStrategy;
import org.apache.nifi.processors.aws.signer.AwsSignerType;
import org.apache.nifi.proxy.ProxyConfigurationService;
import org.apache.nifi.ssl.SSLContextProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;

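/**
 * Controller Service that resolves AWS credentials for the AWS processors.
 *
 * <p>Resolution is strategy based. {@link #strategies} is an ordered list; the first strategy
 * whose {@code canCreatePrimaryCredential} accepts the configured properties supplies the
 * <em>primary</em> credentials. A second pass looks for the first strategy that
 * {@code canCreateDerivedCredential} (role assumption) and, if one exists, wraps the primary
 * credentials with it. The list order therefore defines precedence when several option groups
 * are configured at once.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The service is {@code @Restricted} with {@code ACCESS_ENVIRONMENT_CREDENTIALS} because the
 *       default credential chain, and the ENVIRONMENT-scoped Expression Language on several
 *       properties, can read credentials from the NiFi process environment.</li>
 *   <li>{@link #ASSUME_ROLE_STS_CUSTOM_SIGNER_MODULE_LOCATION} dynamically extends the classpath
 *       with operator-supplied JARs, i.e. anyone allowed to configure this service can load code
 *       into the NiFi JVM. That capability is not covered by the declared restriction.</li>
 * </ul>
 *
 * <p>Thread-safety: {@link #context} and {@link #credentialsProvider} are written once in
 * {@link #onConfigured} and read by processor threads; both are {@code volatile} so the
 * enabled state is published safely.
 */
@CapabilityDescription("Defines credentials for Amazon Web Services processors. Uses default credentials without configuration. Default credentials support EC2 instance profile/role, default user profile, environment variables, etc. Additional options include access key / secret key pairs, credentials file, named profile, and assume role credentials.")
@Tags({"aws", "credentials", "provider"})
@Restricted(restrictions = {@Restriction(requiredPermission = RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS, explanation = "The default configuration can read environment variables and system properties for credentials")})
public class AWSCredentialsProviderControllerService extends AbstractControllerService implements AWSCredentialsProviderService {

    /** Pre-2.x property names for the assume-role proxy, migrated to a Proxy Configuration Service. */
    private static final String OBSOLETE_PROXY_HOST = "assume-role-proxy-host";
    private static final String OBSOLETE_PROXY_PORT = "assume-role-proxy-port";

    /** Opt in to the SDK default credential chain (instance profile, env vars, user profile, ...). */
    public static final PropertyDescriptor USE_DEFAULT_CREDENTIALS = new PropertyDescriptor.Builder()
            .name("default-credentials")
            .displayName("Use Default Credentials")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(false)
            .addValidator(StandardValidators.BOOLEAN_VALIDATOR)
            .sensitive(false)
            .allowableValues("true", "false")
            .defaultValue("false")
            .description("If true, uses the Default Credential chain, including EC2 instance profiles or roles, environment variables, default user credentials, etc.")
            .build();

    /** Named profile from the AWS profile configuration file. ENVIRONMENT EL scope: the name may be pulled from the process environment. */
    public static final PropertyDescriptor PROFILE_NAME = new PropertyDescriptor.Builder()
            .name("profile-name")
            .displayName("Profile Name")
            .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT)
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(false)
            .description("The AWS profile name for credentials from the profile configuration file.")
            .build();

    /**
     * Path to a properties file holding the access key / secret key. The path itself is not a
     * secret, but the file contents are: it must be readable only by the NiFi process account.
     */
    public static final PropertyDescriptor CREDENTIALS_FILE = new PropertyDescriptor.Builder()
            .name("Credentials File")
            .displayName("Credentials File")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(false)
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE)
            .description("Path to a file containing AWS access key and secret key in properties file format.")
            .build();

    /** Static access key id; marked sensitive. ENVIRONMENT EL scope allows sourcing it from the process environment. */
    public static final PropertyDescriptor ACCESS_KEY_ID = new PropertyDescriptor.Builder()
            .name("Access Key")
            .displayName("Access Key ID")
            .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT)
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(true)
            .build();

    /** Static secret access key; marked sensitive. ENVIRONMENT EL scope allows sourcing it from the process environment. */
    public static final PropertyDescriptor SECRET_KEY = new PropertyDescriptor.Builder()
            .name("Secret Key")
            .displayName("Secret Access Key")
            .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT)
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(true)
            .build();

    /** Unsigned requests; only meaningful for public resources. */
    public static final PropertyDescriptor USE_ANONYMOUS_CREDENTIALS = new PropertyDescriptor.Builder()
            .name("anonymous-credentials")
            .displayName("Use Anonymous Credentials")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(false)
            .addValidator(StandardValidators.BOOLEAN_VALIDATOR)
            .sensitive(false)
            .allowableValues("true", "false")
            .defaultValue("false")
            .description("If true, uses Anonymous credentials")
            .build();

    /** Role to assume with the primary credentials. Setting it enables every other Assume Role property below. */
    public static final PropertyDescriptor ASSUME_ROLE_ARN = new PropertyDescriptor.Builder()
            .name("Assume Role ARN")
            .displayName("Assume Role ARN")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(false)
            .description("The AWS Role ARN for cross account access. This is used in conjunction with Assume Role Session Name and other Assume Role properties.")
            .build();

    /** Session name recorded by AWS for the assumed-role session (required once an ARN is set). */
    public static final PropertyDescriptor ASSUME_ROLE_NAME = new PropertyDescriptor.Builder()
            .name("Assume Role Session Name")
            .displayName("Assume Role Session Name")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(false)
            .description("The AWS Role Session Name for cross account access. This is used in conjunction with Assume Role ARN.")
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /** Region of the STS endpoint used for AssumeRole; defaults to us-west-2, global regions are excluded. */
    public static final PropertyDescriptor ASSUME_ROLE_STS_REGION = new PropertyDescriptor.Builder()
            .name("assume-role-sts-region")
            .displayName("Assume Role STS Region")
            .description("The AWS Security Token Service (STS) region")
            .dependsOn(ASSUME_ROLE_ARN)
            .allowableValues(getAvailableRegions())
            .defaultValue(createAllowableValue(Region.US_WEST_2).getValue())
            .build();

    /**
     * External ID presented on AssumeRole. AWS uses it as a confused-deputy guard when a role is
     * assumed by a third party; it is deliberately not marked sensitive here.
     */
    public static final PropertyDescriptor ASSUME_ROLE_EXTERNAL_ID = new PropertyDescriptor.Builder()
            .name("assume-role-external-id")
            .displayName("Assume Role External ID")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(false)
            .description("External ID for cross-account access. This is used in conjunction with Assume Role ARN.")
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /** TLS settings (trust store etc.) for the STS connection. */
    public static final PropertyDescriptor ASSUME_ROLE_SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
            .name("assume-role-ssl-context-service")
            .displayName("Assume Role SSL Context Service")
            .description("SSL Context Service used when connecting to the STS Endpoint.")
            .identifiesControllerService(SSLContextProvider.class)
            .required(false)
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /** Outbound proxy for the STS connection; replaces the obsolete host/port properties (see migrateProperties). */
    public static final PropertyDescriptor ASSUME_ROLE_PROXY_CONFIGURATION_SERVICE = new PropertyDescriptor.Builder()
            .name("assume-role-proxy-configuration-service")
            .displayName("Assume Role Proxy Configuration Service")
            .identifiesControllerService(ProxyConfigurationService.class)
            .required(false)
            .description("Proxy configuration for cross-account access, if needed within your environment. This will configure a proxy to request for temporary access keys into another AWS account.")
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /**
     * Overrides the STS host. Every AssumeRole request, signed with the primary credentials, is
     * sent here, so only an endpoint the operator controls should ever be configured. No EL.
     */
    public static final PropertyDescriptor ASSUME_ROLE_STS_ENDPOINT = new PropertyDescriptor.Builder()
            .name("assume-role-sts-endpoint")
            .displayName("Assume Role STS Endpoint Override")
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .sensitive(false)
            .description("The default AWS Security Token Service (STS) endpoint (\"sts.amazonaws.com\") works for all accounts that are not for China (Beijing) region or GovCloud. You only need to set this property to \"sts.cn-north-1.amazonaws.com.cn\" when you are requesting session credentials for services in China(Beijing) region or to \"sts.us-gov-west-1.amazonaws.com\" for GovCloud.")
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /** Request signer selection for STS; CUSTOM_SIGNER unlocks the two custom-signer properties. */
    public static final PropertyDescriptor ASSUME_ROLE_STS_SIGNER_OVERRIDE = new PropertyDescriptor.Builder()
            .name("assume-role-sts-signer-override")
            .displayName("Assume Role STS Signer Override")
            .description("The AWS STS library uses Signature Version 4 by default. This property allows you to plug in your own custom signer implementation.")
            .required(false)
            .allowableValues(EnumSet.of(AwsSignerType.DEFAULT_SIGNER, AwsSignerType.AWS_V4_SIGNER, AwsSignerType.CUSTOM_SIGNER))
            .defaultValue(AwsSignerType.DEFAULT_SIGNER.getValue())
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /**
     * Requested duration of the assumed-role session, in seconds.
     *
     * NOTE(review): the description promises a 900..3600 range but the validator only requires a
     * positive integer; out-of-range values are not rejected here and are presumably left to STS
     * (or the assume-role strategy) to refuse. Left as-is to avoid breaking existing flows.
     */
    public static final PropertyDescriptor MAX_SESSION_TIME = new PropertyDescriptor.Builder()
            .name("Session Time")
            .displayName("Assume Role Session Time")
            .description("Session time for role based session (between 900 and 3600 seconds). This is used in conjunction with Assume Role ARN.")
            .defaultValue("3600")
            .required(false)
            .addValidator(StandardValidators.POSITIVE_INTEGER_VALIDATOR)
            .sensitive(false)
            .dependsOn(ASSUME_ROLE_ARN)
            .build();

    /** Fully qualified class name of an operator-supplied {@link Signer} implementation. */
    public static final PropertyDescriptor ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME = new PropertyDescriptor.Builder()
            .name("custom-signer-class-name")
            .displayName("Custom Signer Class Name")
            .description(String.format("Fully qualified class name of the custom signer class. The signer must implement %s interface.", Signer.class.getName()))
            .required(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT)
            .dependsOn(ASSUME_ROLE_STS_SIGNER_OVERRIDE, AwsSignerType.CUSTOM_SIGNER)
            .build();

    /**
     * JARs / directories added to this component's classpath to load the custom signer.
     *
     * NOTE(review): {@code dynamicallyModifiesClasspath(true)} means whoever can configure this
     * service can execute arbitrary code inside NiFi. The class-level {@code @Restricted} only
     * declares {@code ACCESS_ENVIRONMENT_CREDENTIALS}; consider whether a code-execution
     * restriction should be declared as well.
     */
    public static final PropertyDescriptor ASSUME_ROLE_STS_CUSTOM_SIGNER_MODULE_LOCATION = new PropertyDescriptor.Builder()
            .name("custom-signer-module-location")
            .displayName("Custom Signer Module Location")
            .description("Comma-separated list of paths to files and/or directories which contain the custom signer's JAR file and its dependencies (if any).")
            .required(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT)
            .identifiesExternalResource(ResourceCardinality.MULTIPLE, ResourceType.FILE, ResourceType.DIRECTORY)
            .dependsOn(ASSUME_ROLE_STS_SIGNER_OVERRIDE, AwsSignerType.CUSTOM_SIGNER)
            .dynamicallyModifiesClasspath(true)
            .build();

    private static final List<PropertyDescriptor> PROPERTY_DESCRIPTORS = List.of(
            USE_DEFAULT_CREDENTIALS,
            ACCESS_KEY_ID,
            SECRET_KEY,
            CREDENTIALS_FILE,
            PROFILE_NAME,
            USE_ANONYMOUS_CREDENTIALS,
            ASSUME_ROLE_ARN,
            ASSUME_ROLE_NAME,
            MAX_SESSION_TIME,
            ASSUME_ROLE_EXTERNAL_ID,
            ASSUME_ROLE_SSL_CONTEXT_SERVICE,
            ASSUME_ROLE_PROXY_CONFIGURATION_SERVICE,
            ASSUME_ROLE_STS_REGION,
            ASSUME_ROLE_STS_ENDPOINT,
            ASSUME_ROLE_STS_SIGNER_OVERRIDE,
            ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME,
            ASSUME_ROLE_STS_CUSTOM_SIGNER_MODULE_LOCATION
    );

    /** Configuration captured on enable; null until {@link #onConfigured} has run. */
    private volatile ConfigurationContext context;

    /** SDK v1 provider built once on enable; null until {@link #onConfigured} has run. */
    private volatile AWSCredentialsProvider credentialsProvider;

    /**
     * Ordered strategy chain. Earlier entries win when more than one accepts the configuration;
     * {@link AssumeRoleCredentialsStrategy} is last because it only ever derives from a primary.
     */
    private final List<CredentialsStrategy> strategies = List.of(
            new ExplicitDefaultCredentialsStrategy(),
            new AccessKeyPairCredentialsStrategy(),
            new FileCredentialsStrategy(),
            new NamedProfileCredentialsStrategy(),
            new AnonymousCredentialsStrategy(),
            new ImplicitDefaultCredentialsStrategy(),
            new AssumeRoleCredentialsStrategy()
    );

    @Override
    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return PROPERTY_DESCRIPTORS;
    }

    /**
     * Migrates the obsolete assume-role proxy host/port properties onto a Proxy Configuration
     * Service reference. No user/password counterparts existed, hence the two null arguments.
     */
    @Override
    public void migrateProperties(final PropertyConfiguration propertyConfiguration) {
        ProxyServiceMigration.migrateProxyProperties(propertyConfiguration, ASSUME_ROLE_PROXY_CONFIGURATION_SERVICE,
                OBSOLETE_PROXY_HOST, OBSOLETE_PROXY_PORT, (String) null, (String) null);
    }

    /**
     * Returns the SDK v1 provider built when the service was enabled.
     *
     * @return the cached provider, or {@code null} if the service has not been enabled yet
     * @throws ProcessException declared by the interface; not thrown by this implementation
     */
    @Override
    public AWSCredentialsProvider getCredentialsProvider() throws ProcessException {
        return credentialsProvider;
    }

    /**
     * Builds an SDK v2 provider from the enabled configuration. Unlike the v1 provider this is not
     * cached: strategy selection runs on every call.
     *
     * @return the derived (assume-role) provider when a derived strategy applies, else the primary
     * @throws IllegalStateException if the service is not enabled or no strategy matches
     */
    @Override
    public AwsCredentialsProvider getAwsCredentialsProvider() {
        final ConfigurationContext current = requireContext();
        final AwsCredentialsProvider primary = requirePrimaryStrategy(current).getAwsCredentialsProvider(current);
        // A derived strategy that yields null falls back to the primary provider.
        return findDerivedStrategy(current)
                .map(strategy -> strategy.getDerivedAwsCredentialsProvider(current, primary))
                .orElse(primary);
    }

    /**
     * First strategy in chain order that can supply primary credentials for this configuration.
     *
     * @return the matching strategy, or {@code null} when none matches (validation passes that on)
     */
    private CredentialsStrategy selectPrimaryStrategy(final PropertyContext propertyContext) {
        for (final CredentialsStrategy strategy : strategies) {
            if (strategy.canCreatePrimaryCredential(propertyContext)) {
                return strategy;
            }
        }
        return null;
    }

    /** Like {@link #selectPrimaryStrategy} but fails loudly instead of returning {@code null}. */
    private CredentialsStrategy requirePrimaryStrategy(final PropertyContext propertyContext) {
        final CredentialsStrategy strategy = selectPrimaryStrategy(propertyContext);
        if (strategy == null) {
            throw new IllegalStateException("No credentials strategy matches the configured properties");
        }
        return strategy;
    }

    /** First strategy in chain order that can wrap a primary credential (role assumption). */
    private Optional<CredentialsStrategy> findDerivedStrategy(final PropertyContext propertyContext) {
        return strategies.stream()
                .filter(strategy -> strategy.canCreateDerivedCredential(propertyContext))
                .findFirst();
    }

    /** Snapshot of the volatile context with an explicit not-enabled error instead of an NPE. */
    private ConfigurationContext requireContext() {
        final ConfigurationContext current = context;
        if (current == null) {
            throw new IllegalStateException("Credentials Provider Service is not enabled: no configuration context available");
        }
        return current;
    }

    /**
     * Lets every strategy validate the configuration, telling each which strategy is primary so
     * it can flag conflicting option groups. Null result collections from a strategy are skipped.
     */
    @Override
    protected Collection<ValidationResult> customValidate(final ValidationContext validationContext) {
        final CredentialsStrategy primary = selectPrimaryStrategy(validationContext);
        final List<ValidationResult> results = new ArrayList<>();
        for (final CredentialsStrategy strategy : strategies) {
            final Collection<ValidationResult> strategyResults = strategy.validate(validationContext, primary);
            if (strategyResults != null) {
                results.addAll(strategyResults);
            }
        }
        return results;
    }

    /**
     * Builds the v1 provider and publishes it together with the context. The provider is built
     * before either field is assigned so a failed enable does not leave a half-published state.
     */
    @OnEnabled
    public void onConfigured(final ConfigurationContext configurationContext) {
        final AWSCredentialsProvider provider = createCredentialsProvider(configurationContext);
        context = configurationContext;
        credentialsProvider = provider;
        getLogger().debug("Using credentials provider: {}", provider == null ? null : provider.getClass());
    }

    /**
     * Primary provider from the first matching strategy, optionally wrapped by the first derived
     * strategy. A derived strategy that yields {@code null} falls back to the primary provider.
     *
     * @throws IllegalStateException if no strategy matches the configuration
     */
    private AWSCredentialsProvider createCredentialsProvider(final PropertyContext propertyContext) {
        final AWSCredentialsProvider primary = requirePrimaryStrategy(propertyContext).getCredentialsProvider(propertyContext);
        return findDerivedStrategy(propertyContext)
                .map(strategy -> strategy.getDerivedCredentialsProvider(propertyContext, primary))
                .orElse(primary);
    }

    /** All non-global SDK regions as allowable values, in {@code Region.regions()} order. */
    public static AllowableValue[] getAvailableRegions() {
        return Region.regions().stream()
                .filter(region -> !region.isGlobalRegion())
                .map(AWSCredentialsProviderControllerService::createAllowableValue)
                .toArray(AllowableValue[]::new);
    }

    /** Allowable value keyed by region id, labelled with the SDK's region description. */
    public static AllowableValue createAllowableValue(final Region region) {
        return new AllowableValue(region.id(), region.metadata().description(), "AWS Region Code : " + region.id());
    }

    @Override
    public String toString() {
        return "AWSCredentialsProviderService[id=" + getIdentifier() + "]";
    }
}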
