package org.projectnessie.catalog.files.s3;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Objects;
import java.util.Optional;
import java.util.OptionalInt;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.projectnessie.catalog.files.config.S3BucketOptions;
import org.projectnessie.catalog.files.config.S3Config;
import org.projectnessie.catalog.secrets.KeySecret;
import org.projectnessie.catalog.secrets.SecretType;
import org.projectnessie.catalog.secrets.SecretsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.SdkHttpConfigurationOption;
import software.amazon.awssdk.http.TlsTrustManagersProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.internal.http.AbstractFileStoreTlsKeyManagersProvider;
import software.amazon.awssdk.utils.AttributeMap;
import software.amazon.awssdk.utils.Validate;

/* loaded from: input_file:org/projectnessie/catalog/files/s3/S3Clients.class */
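/**
 * Factory helpers for the HTTP client and the credentials provider used to talk to S3.
 *
 * <p>This listing is decompiler output. The nested provider classes are shown as {@code public}
 * only because the decompiler widened their access; the page notes they were originally private.
 */
public class S3Clients {

    /**
     * Supplies TLS key managers (client certificate material) from a key store file.
     *
     * <p>Loading is delegated to {@code createKeyManagers} of the SDK base class each time
     * {@link #keyManagers()} is called.
     */
    public static final class FileStoreTlsKeyManagersProvider extends AbstractFileStoreTlsKeyManagersProvider {
        private final Path storePath;
        private final String storeType;
        // May be null when no password secret was resolved. The array is kept for the lifetime of
        // this provider, so the key store password stays in heap memory as long as the client lives.
        private final char[] password;

        /**
         * @param storePath location of the key store file, must not be null
         * @param storeType key store type handed to the SDK loader, must not be blank
         * @param password key store password, or {@code null} for none
         */
        FileStoreTlsKeyManagersProvider(Path storePath, String storeType, char[] password) {
            this.storePath = Validate.paramNotNull(storePath, "storePath");
            this.storeType = Validate.paramNotBlank(storeType, "storeType");
            this.password = password;
        }

        /**
         * Loads the key managers from the configured key store.
         *
         * @return the key managers created by the SDK base class
         * @throws RuntimeException wrapping any I/O or key store failure
         */
        public KeyManager[] keyManagers() {
            try {
                return createKeyManagers(storePath, storeType, password);
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
                // The store path is not a secret; the password is deliberately left out of the message.
                throw new RuntimeException("Failed to load key managers from key store " + storePath, e);
            }
        }
    }

    /**
     * Supplies TLS trust managers built from a trust store file.
     *
     * <p>The trust store decides which server certificates the S3 client accepts, so the file
     * should be writable only by the service operator.
     */
    public static final class FileStoreTlsTrustManagersProvider implements TlsTrustManagersProvider {
        private final Path path;
        private final String type;
        // May be null. KeyStore.load() performs no integrity check on the store when the password
        // is null, so a modified trust store file would then load without any error.
        private final char[] password;

        /**
         * @param path location of the trust store file, must not be null
         * @param type key store type passed to {@link KeyStore#getInstance(String)}, must not be blank
         * @param password trust store password, or {@code null} to load without an integrity check
         */
        FileStoreTlsTrustManagersProvider(Path path, String type, char[] password) {
            // Validate up front, like FileStoreTlsKeyManagersProvider, instead of failing with a
            // bare NullPointerException on first use.
            this.path = Validate.paramNotNull(path, "path");
            this.type = Validate.paramNotBlank(type, "type");
            this.password = password;
        }

        /**
         * Reads the trust store and initialises a {@link TrustManagerFactory} with it.
         *
         * @return the trust managers backed by the configured trust store
         * @throws RuntimeException wrapping any I/O or key store failure
         */
        public TrustManager[] trustManagers() {
            // try-with-resources closes the stream on every path, including load failures.
            try (InputStream in = Files.newInputStream(path)) {
                KeyStore trustStore = KeyStore.getInstance(type);
                trustStore.load(in, password);
                TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                factory.init(trustStore);
                return factory.getTrustManagers();
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw new RuntimeException("Failed to load trust managers from trust store " + path, e);
            }
        }
    }

    /**
     * Builds the Apache-based SDK HTTP client from the S3 configuration.
     *
     * <p>Only options present in {@code s3Config} are applied; everything else keeps the SDK
     * default. A trust store or key store entry without a path is ignored, while an entry with a
     * path but no type is rejected.
     *
     * @param s3Config S3 configuration holding HTTP, trust store, key store and TLS options
     * @param secretsProvider used to resolve the trust store and key store password secrets
     * @return the configured HTTP client
     * @throws IllegalArgumentException if a store path is configured without a store type
     */
    public static SdkHttpClient apacheHttpClient(S3Config s3Config, SecretsProvider secretsProvider) {
        ApacheHttpClient.Builder builder = ApacheHttpClient.builder();

        // The decompiled listing referenced an undefined "r1" for maxConnections and used raw
        // Optional locals; every setting is applied to the one builder declared above.
        s3Config.http().ifPresent(s3Http -> {
            s3Http.maxHttpConnections().ifPresent(builder::maxConnections);
            s3Http.readTimeout().ifPresent(builder::socketTimeout);
            s3Http.connectTimeout().ifPresent(builder::connectionTimeout);
            s3Http.connectionAcquisitionTimeout().ifPresent(builder::connectionAcquisitionTimeout);
            s3Http.connectionMaxIdleTime().ifPresent(builder::connectionMaxIdleTime);
            s3Http.connectionTimeToLive().ifPresent(builder::connectionTimeToLive);
            s3Http.expectContinueEnabled().ifPresent(builder::expectContinueEnabled);
        });

        s3Config.trustStore().ifPresent(secretStore ->
            secretStore.path().ifPresent(path -> {
                String storeType = secretStore.type()
                    .orElseThrow(() -> new IllegalArgumentException("No trust store type"));
                // NOTE(review): a configured password reference that the secrets provider cannot
                // resolve ends up as null here, the same as "no password configured", and the
                // trust store is then loaded without an integrity check. Consider failing instead.
                char[] storePassword = secretStore.password()
                    .flatMap(uri -> secretsProvider.getSecret(uri, SecretType.KEY, KeySecret.class))
                    .map(KeySecret::key)
                    .map(String::toCharArray)
                    .orElse(null);
                builder.tlsTrustManagersProvider(new FileStoreTlsTrustManagersProvider(path, storeType, storePassword));
            }));

        s3Config.keyStore().ifPresent(secretStore ->
            secretStore.path().ifPresent(path -> {
                String storeType = secretStore.type()
                    .orElseThrow(() -> new IllegalArgumentException("No key store type"));
                // NOTE(review): as for the trust store, an unresolvable password reference is
                // silently treated as "no password".
                char[] storePassword = secretStore.password()
                    .flatMap(uri -> secretsProvider.getSecret(uri, SecretType.KEY, KeySecret.class))
                    .map(KeySecret::key)
                    .map(String::toCharArray)
                    .orElse(null);
                builder.tlsKeyManagersProvider(new FileStoreTlsKeyManagersProvider(path, storeType, storePassword));
            }));

        AttributeMap.Builder httpOptions = AttributeMap.builder();
        // TRUST_ALL_CERTIFICATES set to true turns off server certificate validation, which removes
        // TLS protection against interception of S3 traffic and of the credentials sent with it.
        // It should stay unset outside test setups. How the SDK treats it together with a
        // configured trust store is not visible here; verify before combining the two.
        s3Config.trustAllCertificates()
            .ifPresent(trustAll -> httpOptions.put(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES, trustAll));
        return builder.buildWithDefaults(httpOptions.build());
    }

    /**
     * Selects the credentials provider the server uses for a bucket.
     *
     * @param s3BucketOptions effective options of the bucket
     * @param s3Sessions session manager used when server-side IAM (assume-role) is enabled
     * @param secretsProvider used to resolve credentials for the bucket's effective auth type
     * @return an assume-role provider when server IAM is enabled, otherwise a provider for the
     *     bucket's effective auth type
     */
    public static AwsCredentialsProvider serverCredentialsProvider(S3BucketOptions s3BucketOptions, S3Sessions s3Sessions, SecretsProvider secretsProvider) {
        if (s3BucketOptions.getEnabledServerIam().isPresent()) {
            return s3Sessions.assumeRoleForServer(s3BucketOptions);
        }
        return S3Utils.newCredentialsProvider(s3BucketOptions.effectiveAuthType(), s3BucketOptions, secretsProvider);
    }
}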
