package org.apache.nifi.parameter.aws;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.http.conn.ssl.SdkTLSSocketFactory;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.ListSecretsRequest;
import com.amazonaws.services.secretsmanager.model.ListSecretsResult;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
import com.amazonaws.services.secretsmanager.model.SecretListEntry;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.parameter.AbstractParameterProvider;
import org.apache.nifi.parameter.Parameter;
import org.apache.nifi.parameter.ParameterDescriptor;
import org.apache.nifi.parameter.ParameterGroup;
import org.apache.nifi.parameter.VerifiableParameterProvider;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.aws.credentials.provider.service.AWSCredentialsProviderService;
import org.apache.nifi.ssl.SSLContextService;

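/**
 * Parameter provider backed by AWS Secrets Manager.
 *
 * <p>Every secret whose name matches {@link #SECRET_NAME_PATTERN} becomes one {@link ParameterGroup}
 * named after the secret; the secret string must be a flat JSON object whose string-valued fields
 * become the group's sensitive {@link Parameter}s. Secrets with no secret string (e.g. binary-only
 * secrets), non-object JSON, or non-string field values are skipped with a debug log entry that
 * never contains the secret content.
 */
@CapabilityDescription("Fetches parameters from AWS SecretsManager.  Each secret becomes a Parameter group, which can map to a Parameter Context, with key/value pairs in the secret mapping to Parameters in the group.")
@Tags({"aws", "secretsmanager", "secrets", "manager"})
public class AwsSecretsManagerParameterProvider extends AbstractParameterProvider implements VerifiableParameterProvider {
    private static final String DEFAULT_USER_AGENT = "NiFi";
    private static final Protocol DEFAULT_PROTOCOL = Protocol.HTTPS;

    /** Shared JSON reader used to decode secret strings; ObjectMapper is safe to share once configured. */
    private final ObjectMapper objectMapper = new ObjectMapper();

    public static final PropertyDescriptor SECRET_NAME_PATTERN = new PropertyDescriptor.Builder()
            .name("secret-name-pattern")
            .displayName("Secret Name Pattern")
            .description("A Regular Expression matching on Secret Name that identifies Secrets whose parameters should be fetched. Any secrets whose names do not match this pattern will not be fetched.")
            .addValidator(StandardValidators.REGULAR_EXPRESSION_VALIDATOR)
            .required(true)
            .defaultValue(".*")
            .build();

    public static final PropertyDescriptor AWS_CREDENTIALS_PROVIDER_SERVICE = new PropertyDescriptor.Builder()
            .name("aws-credentials-provider-service")
            .displayName("AWS Credentials Provider Service")
            .description("Service used to obtain an Amazon Web Services Credentials Provider")
            .required(true)
            .identifiesControllerService(AWSCredentialsProviderService.class)
            .build();

    public static final PropertyDescriptor REGION = new PropertyDescriptor.Builder()
            .name("aws-region")
            .displayName("Region")
            .required(true)
            .allowableValues(getAvailableRegions())
            .defaultValue(createAllowableValue(Regions.DEFAULT_REGION).getValue())
            .build();

    public static final PropertyDescriptor TIMEOUT = new PropertyDescriptor.Builder()
            .name("aws-communications-timeout")
            .displayName("Communications Timeout")
            .required(true)
            .addValidator(StandardValidators.TIME_PERIOD_VALIDATOR)
            .defaultValue("30 secs")
            .build();

    public static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
            .name("aws-ssl-context-service")
            .displayName("SSL Context Service")
            .description("Specifies an optional SSL Context Service that, if provided, will be used to create connections")
            .required(false)
            .identifiesControllerService(SSLContextService.class)
            .build();

    private static final List<PropertyDescriptor> PROPERTIES = Collections.unmodifiableList(Arrays.asList(
            SECRET_NAME_PATTERN, REGION, AWS_CREDENTIALS_PROVIDER_SERVICE, TIMEOUT, SSL_CONTEXT_SERVICE));

    @Override
    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return PROPERTIES;
    }

    /**
     * Lists every secret visible to the configured credentials, following pagination tokens until
     * exhausted, and fetches the ones whose name matches the configured pattern.
     *
     * @param configurationContext the provider configuration (region, credentials, timeout, pattern)
     * @return one {@link ParameterGroup} per matching secret that holds a JSON object; never {@code null}
     * @throws IllegalStateException if a secret cannot be retrieved from Secrets Manager
     */
    @Override
    public List<ParameterGroup> fetchParameters(final ConfigurationContext configurationContext) {
        final AWSSecretsManager secretsManager = configureClient(configurationContext);
        // Compiled once per fetch rather than once per secret; the value was accepted by REGULAR_EXPRESSION_VALIDATOR
        final Pattern secretNamePattern = Pattern.compile(configurationContext.getProperty(SECRET_NAME_PATTERN).getValue());
        final List<ParameterGroup> groups = new ArrayList<>();

        final ListSecretsRequest request = new ListSecretsRequest();
        ListSecretsResult page = secretsManager.listSecrets(request);
        while (true) {
            // Termination is driven by the pagination token, not by an empty page: a page may be empty
            // and still carry a NextToken, and stopping there would silently drop later secrets.
            final List<SecretListEntry> entries = page.getSecretList();
            if (entries != null) {
                for (final SecretListEntry entry : entries) {
                    groups.addAll(fetchSecret(secretsManager, secretNamePattern, entry.getName()));
                }
            }
            final String nextToken = page.getNextToken();
            if (nextToken == null) {
                break;
            }
            request.setNextToken(nextToken);
            page = secretsManager.listSecrets(request);
        }
        return groups;
    }

    /**
     * Verifies the configuration by performing a real fetch and reporting the number of parameters
     * and groups obtained. Any failure is reported as a FAILED result rather than thrown.
     *
     * @param configurationContext the provider configuration under verification
     * @param componentLog logger that receives the failure, if any
     * @return a single verification result for the "Fetch Parameters" step
     */
    @Override
    public List<ConfigVerificationResult> verify(final ConfigurationContext configurationContext, final ComponentLog componentLog) {
        final List<ConfigVerificationResult> results = new ArrayList<>();
        try {
            final List<ParameterGroup> groups = fetchParameters(configurationContext);
            final int parameterCount = groups.stream()
                    .mapToInt(group -> group.getParameters().size())
                    .sum();
            results.add(new ConfigVerificationResult.Builder()
                    .outcome(ConfigVerificationResult.Outcome.SUCCESSFUL)
                    .verificationStepName("Fetch Parameters")
                    .explanation(String.format("Fetched secret keys [%d] as parameters, across groups [%d]", parameterCount, groups.size()))
                    .build());
        } catch (final Exception e) {
            // Boundary catch: verification must report rather than propagate
            componentLog.error("Failed to fetch parameters", e);
            results.add(new ConfigVerificationResult.Builder()
                    .outcome(ConfigVerificationResult.Outcome.FAILED)
                    .verificationStepName("Fetch Parameters")
                    .explanation("Failed to fetch parameters: " + e.getMessage())
                    .build());
        }
        return results;
    }

    /**
     * Retrieves one secret and converts its JSON object fields into parameters.
     *
     * <p>The pattern is applied with {@code matches()}, so it must cover the entire secret name.
     * Only the secret string is read; binary secret payloads are treated as "not configured".
     *
     * @param secretsManager client used to read the secret value
     * @param secretNamePattern compiled {@link #SECRET_NAME_PATTERN}
     * @param secretName name (or ARN) of the secret to fetch
     * @return a single-element list holding the group, or an empty list when the secret is skipped
     * @throws IllegalStateException if Secrets Manager reports the secret missing or otherwise fails
     */
    private List<ParameterGroup> fetchSecret(final AWSSecretsManager secretsManager, final Pattern secretNamePattern, final String secretName) {
        if (!secretNamePattern.matcher(secretName).matches()) {
            getLogger().debug("Secret [{}] does not match the secret name pattern {}", secretName, secretNamePattern);
            return Collections.emptyList();
        }

        final GetSecretValueResult secretValue;
        try {
            secretValue = secretsManager.getSecretValue(new GetSecretValueRequest().withSecretId(secretName));
        } catch (final ResourceNotFoundException e) {
            // ResourceNotFoundException extends AWSSecretsManagerException, so it must be caught first
            // or the "not found" branch is unreachable.
            throw new IllegalStateException(String.format("Secret %s not found", secretName), e);
        } catch (final AWSSecretsManagerException e) {
            throw new IllegalStateException("Error retrieving secret " + secretName, e);
        }

        final String secretString = secretValue.getSecretString();
        if (secretString == null) {
            getLogger().debug("Secret [{}] is not configured", secretName);
            return Collections.emptyList();
        }

        final ObjectNode secretNode = parseSecret(secretString);
        if (secretNode == null) {
            getLogger().debug("Secret [{}] is not in the expected JSON key/value format", secretName);
            return Collections.emptyList();
        }

        final List<Parameter> parameters = new ArrayList<>();
        secretNode.fields().forEachRemaining(field -> {
            final String parameterName = field.getKey();
            // textValue() is null for non-textual nodes (numbers, objects, nulls); those are skipped,
            // and the value itself is deliberately never logged.
            final String parameterValue = field.getValue().textValue();
            if (parameterValue == null) {
                getLogger().debug("Secret [{}] Parameter [{}] has no value", secretName, parameterName);
            } else {
                parameters.add(createParameter(parameterName, parameterValue));
            }
        });
        return Collections.singletonList(new ParameterGroup(secretName, parameters));
    }

    /**
     * Builds a provided parameter with the given name and value.
     *
     * @param parameterName parameter name (the JSON field name)
     * @param parameterValue parameter value (the JSON field's text)
     * @return a parameter that is flagged as provided by this provider
     */
    private Parameter createParameter(final String parameterName, final String parameterValue) {
        return new Parameter(new ParameterDescriptor.Builder().name(parameterName).build(), parameterValue, (String) null, true);
    }

    /**
     * Creates the SDK client configuration: HTTPS only, no SDK-level retries, the configured
     * timeout applied to both connection and socket, and the optional SSL Context Service's
     * trust material with hostname verification enabled.
     *
     * @param configurationContext the provider configuration
     * @return a new client configuration
     */
    protected ClientConfiguration createConfiguration(final ConfigurationContext configurationContext) {
        final ClientConfiguration clientConfiguration = new ClientConfiguration();
        // Retries are disabled so a failing fetch surfaces promptly instead of multiplying the timeout
        clientConfiguration.setMaxErrorRetry(0);
        clientConfiguration.setUserAgentPrefix(DEFAULT_USER_AGENT);
        clientConfiguration.setProtocol(DEFAULT_PROTOCOL);

        final int timeoutMillis = configurationContext.getProperty(TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS).intValue();
        clientConfiguration.setConnectionTimeout(timeoutMillis);
        clientConfiguration.setSocketTimeout(timeoutMillis);

        final SSLContextService sslContextService = configurationContext.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
        if (sslContextService != null) {
            // Keep hostname verification on even with a custom trust store; a null verifier would disable it
            clientConfiguration.getApacheHttpClientConfig().setSslSocketFactory(
                    new SdkTLSSocketFactory(sslContextService.createContext(), SdkTLSSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER));
        }
        return clientConfiguration;
    }

    /**
     * Parses a secret string as JSON.
     *
     * @param secretString raw secret content
     * @return the parsed object node, or {@code null} when the content is not valid JSON or not a JSON object
     */
    private ObjectNode parseSecret(final String secretString) {
        try {
            final JsonNode node = objectMapper.readTree(secretString);
            return node instanceof ObjectNode ? (ObjectNode) node : null;
        } catch (final JsonProcessingException e) {
            // Log only the parser's own message: the full exception's location details may echo a
            // snippet of the parsed text (depending on the Jackson version), i.e. secret content.
            getLogger().debug("Error parsing JSON: {}", e.getOriginalMessage());
            return null;
        }
    }

    /**
     * Builds the Secrets Manager client for the configured region, credentials and client configuration.
     * Package-private so tests can substitute a client.
     *
     * @param configurationContext the provider configuration
     * @return a configured client
     */
    AWSSecretsManager configureClient(final ConfigurationContext configurationContext) {
        return (AWSSecretsManager) AWSSecretsManagerClientBuilder.standard()
                .withRegion(configurationContext.getProperty(REGION).getValue())
                .withClientConfiguration(createConfiguration(configurationContext))
                .withCredentials(getCredentialsProvider(configurationContext))
                .build();
    }

    /**
     * Resolves the credentials provider from the configured AWS Credentials Provider Service.
     *
     * @param configurationContext the provider configuration
     * @return the credentials provider supplied by the controller service
     */
    protected AWSCredentialsProvider getCredentialsProvider(final ConfigurationContext configurationContext) {
        return configurationContext.getProperty(AWS_CREDENTIALS_PROVIDER_SERVICE)
                .asControllerService(AWSCredentialsProviderService.class)
                .getCredentialsProvider();
    }

    /**
     * Converts an SDK region into an allowable value whose stored value is the region code.
     *
     * @param regions the SDK region
     * @return the allowable value for the Region property
     */
    private static AllowableValue createAllowableValue(final Regions regions) {
        return new AllowableValue(regions.getName(), regions.getDescription(), "AWS Region Code : " + regions.getName());
    }

    /**
     * Lists all regions known to the SDK as allowable values, in SDK declaration order.
     *
     * @return the allowable values for the Region property
     */
    private static AllowableValue[] getAvailableRegions() {
        return Arrays.stream(Regions.values())
                .map(AwsSecretsManagerParameterProvider::createAllowableValue)
                .toArray(AllowableValue[]::new);
    }
}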
