package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import java.net.URI;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy;
import org.apache.nifi.processors.aws.signer.AwsCustomSignerUtil;
import org.apache.nifi.processors.aws.signer.AwsSignerType;
import org.apache.nifi.ssl.SSLContextService;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/* loaded from: input_file:org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.class */
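/**
 * Credentials strategy that derives temporary credentials from another strategy's credentials
 * by assuming a role through AWS STS.
 *
 * <p>It never acts as a primary strategy: {@link #canCreatePrimaryCredential} always returns
 * {@code false} and the non-derived provider getters throw
 * {@link UnsupportedOperationException}. Providers are built for both the AWS SDK v1
 * ({@link #getDerivedCredentialsProvider}) and the AWS SDK v2
 * ({@link #getDerivedAwsCredentialsProvider}).
 */
public class AssumeRoleCredentialsStrategy extends AbstractCredentialsStrategy {
    private static final String VPCE_ENDPOINT_SUFFIX = ".vpce.amazonaws.com";

    /** Lower bound, in seconds, accepted for the session time property. */
    private static final int MIN_SESSION_SECONDS = 900;

    /** Upper bound, in seconds, accepted for the session time property. */
    private static final int MAX_SESSION_SECONDS = 3600;

    public AssumeRoleCredentialsStrategy() {
        super("Assume Role", new PropertyDescriptor[]{
                CredentialPropertyDescriptors.ASSUME_ROLE_ARN,
                CredentialPropertyDescriptors.ASSUME_ROLE_NAME,
                CredentialPropertyDescriptors.MAX_SESSION_TIME});
    }

    /** Returns {@code true} when the string is neither {@code null} nor empty. */
    private static boolean hasValue(String text) {
        return text != null && !text.isEmpty();
    }

    /**
     * Assume-role credentials always need source credentials from another strategy.
     *
     * @return always {@code false}
     */
    @Override
    public boolean canCreatePrimaryCredential(PropertyContext propertyContext) {
        return false;
    }

    /**
     * Reports whether enough is configured to assume a role.
     *
     * @param propertyContext context the role ARN and role session name are read from
     * @return {@code true} when both the role ARN and the role session name are non-empty
     */
    @Override
    public boolean canCreateDerivedCredential(PropertyContext propertyContext) {
        final String roleArn = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_ARN).getValue();
        final String roleSessionName = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_NAME).getValue();
        return hasValue(roleArn) && hasValue(roleSessionName);
    }

    /**
     * Reports whether a proxy should be configured for the STS client.
     *
     * @param propertyContext context the proxy host and port are read from
     * @return {@code true} when both the proxy host and the proxy port are non-empty
     */
    protected boolean proxyVariablesValidForAssumeRole(PropertyContext propertyContext) {
        final String proxyHost = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST).getValue();
        final String proxyPort = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT).getValue();
        return hasValue(proxyHost) && hasValue(proxyPort);
    }

    /**
     * Validates the assume-role settings. Nothing is checked unless the role ARN is set.
     *
     * @param validationContext context the properties are read from
     * @param credentialsStrategy not used by this implementation
     * @return the validation failures found; empty when the configuration is acceptable
     */
    @Override
    public Collection<ValidationResult> validate(ValidationContext validationContext, CredentialsStrategy credentialsStrategy) {
        final Collection<ValidationResult> failures = new ArrayList<>();
        if (!validationContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_ARN).isSet()) {
            return failures;
        }

        // A missing value is reported as a validation failure instead of failing on unboxing.
        final Integer maxSessionTime = validationContext.getProperty(CredentialPropertyDescriptors.MAX_SESSION_TIME).asInteger();
        if (maxSessionTime == null || maxSessionTime < MIN_SESSION_SECONDS || maxSessionTime > MAX_SESSION_SECONDS) {
            failures.add(new ValidationResult.Builder()
                    .valid(false)
                    .input(String.valueOf(maxSessionTime))
                    .explanation(CredentialPropertyDescriptors.MAX_SESSION_TIME.getDisplayName() + " must be between 900 and 3600 seconds")
                    .build());
        }

        // Host and port only make sense together: exactly one of them being set is an error.
        final boolean proxyHostSet = validationContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST).isSet();
        final boolean proxyPortSet = validationContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT).isSet();
        if (proxyHostSet != proxyPortSet) {
            failures.add(new ValidationResult.Builder()
                    .input("Assume Role Proxy Host and Port")
                    .valid(false)
                    .explanation("Assume role with proxy requires both host and port for the proxy to be set")
                    .build());
        }
        return failures;
    }

    /**
     * Not supported: this strategy cannot supply primary credentials.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public AWSCredentialsProvider getCredentialsProvider(PropertyContext propertyContext) {
        throw new UnsupportedOperationException();
    }

    /**
     * Builds an AWS SDK v1 provider that assumes the configured role through STS.
     *
     * @param propertyContext context the assume-role, proxy, TLS, signer and endpoint settings are read from
     * @param aWSCredentialsProvider source credentials used to call STS
     * @return a provider of temporary credentials for the assumed role
     */
    @Override
    public AWSCredentialsProvider getDerivedCredentialsProvider(PropertyContext propertyContext, AWSCredentialsProvider aWSCredentialsProvider) {
        final String roleArn = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_ARN).getValue();
        final String roleSessionName = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_NAME).getValue();
        final int maxSessionTime = propertyContext.getProperty(CredentialPropertyDescriptors.MAX_SESSION_TIME).asInteger();
        final String externalId = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID).getValue();
        final String stsRegion = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION).getValue();
        final String stsEndpoint = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT).getValue();
        final String signerOverride = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_SIGNER_OVERRIDE).getValue();
        final SSLContextService sslContextService = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);

        final ClientConfiguration clientConfiguration = new ClientConfiguration();
        if (sslContextService != null) {
            // TLS settings for the STS connection come from the configured SSL context service.
            clientConfiguration.getApacheHttpClientConfig().setSslSocketFactory(new SSLConnectionSocketFactory(sslContextService.createContext()));
        }
        if (proxyVariablesValidForAssumeRole(propertyContext)) {
            final String proxyHost = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST).getValue();
            final int proxyPort = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT).asInteger();
            clientConfiguration.withProxyHost(proxyHost);
            clientConfiguration.withProxyPort(proxyPort);
        }

        final AwsSignerType signerType = AwsSignerType.forValue(signerOverride);
        if (signerType == AwsSignerType.CUSTOM_SIGNER) {
            // NOTE(review): the signer class name is taken from a property after expression
            // evaluation and handed to AwsCustomSignerUtil, presumably to be loaded by name.
            // Confirm that only trusted flow administrators can set it.
            final String customSignerClassName = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME).evaluateAttributeExpressions().getValue();
            clientConfiguration.withSignerOverride(AwsCustomSignerUtil.registerCustomSigner(customSignerClassName));
        } else if (signerType != AwsSignerType.DEFAULT_SIGNER) {
            clientConfiguration.withSignerOverride(signerOverride);
        }

        final AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(aWSCredentialsProvider, clientConfiguration);
        if (hasValue(stsEndpoint)) {
            // The endpoint is used as given; nothing here checks its scheme. NOTE(review):
            // consider rejecting non-https endpoints so that signed STS requests and the
            // temporary credentials in the response are not sent in clear text.
            if (signerType == AwsSignerType.CUSTOM_SIGNER || stsEndpoint.endsWith(VPCE_ENDPOINT_SUFFIX)) {
                // Custom signers and VPC endpoints get the service name and region passed
                // explicitly. NOTE(review): stsRegion is not checked for null on this path.
                stsClient.setEndpoint(stsEndpoint, stsClient.getServiceName(), stsRegion);
            } else {
                stsClient.setEndpoint(stsEndpoint);
            }
        }

        STSAssumeRoleSessionCredentialsProvider.Builder providerBuilder = new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
                .withStsClient(stsClient)
                .withRoleSessionDurationSeconds(maxSessionTime);
        if (hasValue(externalId)) {
            // The external id is only sent when configured.
            providerBuilder = providerBuilder.withExternalId(externalId);
        }
        return providerBuilder.build();
    }

    /**
     * Not supported: this strategy cannot supply primary credentials.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public AwsCredentialsProvider getAwsCredentialsProvider(PropertyContext propertyContext) {
        throw new UnsupportedOperationException();
    }

    /**
     * Builds an AWS SDK v2 provider that assumes the configured role through STS.
     *
     * @param propertyContext context the assume-role, proxy, TLS, region and endpoint settings are read from
     * @param awsCredentialsProvider source credentials used to call STS
     * @return a provider of temporary credentials for the assumed role
     * @throws IllegalStateException if no STS region is configured
     */
    @Override
    public AwsCredentialsProvider getDerivedAwsCredentialsProvider(PropertyContext propertyContext, AwsCredentialsProvider awsCredentialsProvider) {
        final String roleArn = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_ARN).getValue();
        final String roleSessionName = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_NAME).getValue();
        final int maxSessionTime = propertyContext.getProperty(CredentialPropertyDescriptors.MAX_SESSION_TIME).asInteger();
        final String externalId = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID).getValue();
        final String stsEndpoint = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT).getValue();
        final String stsRegion = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION).getValue();

        // Fail fast, before any HTTP client or TLS context is created. An empty region is
        // rejected here with the same message as a missing one.
        if (!hasValue(stsRegion)) {
            throw new IllegalStateException("Assume Role Region is required to interact with STS");
        }

        final SSLContextService sslContextService = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
        final ApacheHttpClient.Builder httpClientBuilder = ApacheHttpClient.builder();
        if (sslContextService != null) {
            // TLS settings for the STS connection come from the configured SSL context service.
            httpClientBuilder.socketFactory(new SSLConnectionSocketFactory(sslContextService.createContext()));
        }
        if (proxyVariablesValidForAssumeRole(propertyContext)) {
            final String proxyHost = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST).getValue();
            final int proxyPort = propertyContext.getProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT).asInteger();
            // The proxy endpoint is always built with the http scheme.
            final URI proxyEndpoint = URI.create(String.format("http://%s:%s", proxyHost, proxyPort));
            httpClientBuilder.proxyConfiguration(ProxyConfiguration.builder().endpoint(proxyEndpoint).build());
        }

        final StsClientBuilder stsClientBuilder = StsClient.builder()
                .credentialsProvider(awsCredentialsProvider)
                .region(Region.of(stsRegion))
                .httpClient(httpClientBuilder.build());
        if (hasValue(stsEndpoint)) {
            // The override is used as given; nothing here checks its scheme. NOTE(review):
            // consider rejecting non-https endpoints so that signed STS requests and the
            // temporary credentials in the response are not sent in clear text.
            stsClientBuilder.endpointOverride(URI.create(stsEndpoint));
        }
        final StsClient stsClient = stsClientBuilder.build();

        final AssumeRoleRequest.Builder roleRequestBuilder = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(roleSessionName);
        if (hasValue(externalId)) {
            // The external id is only sent when configured.
            roleRequestBuilder.externalId(externalId);
        }

        // NOTE(review): the configured session time is applied here as the provider's stale
        // time, and no duration is set on the AssumeRoleRequest, whereas the SDK v1 path in
        // getDerivedCredentialsProvider passes the same value to
        // withRoleSessionDurationSeconds. If the property is meant to bound the lifetime of
        // the temporary credentials, it likely belongs on AssumeRoleRequest.Builder
        // #durationSeconds, with a much shorter stale window - confirm the intent.
        final StsAssumeRoleCredentialsProvider.Builder providerBuilder = StsAssumeRoleCredentialsProvider.builder();
        providerBuilder.refreshRequest(roleRequestBuilder.build())
                .stsClient(stsClient)
                .staleTime(Duration.ofSeconds(maxSessionTime));
        return providerBuilder.build();
    }
}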
