package org.apache.nifi.processors.azure.storage.utils;

import com.azure.core.http.ProxyOptions;
import com.microsoft.azure.storage.CloudStorageAccount;
import com.microsoft.azure.storage.OperationContext;
import com.microsoft.azure.storage.StorageCredentialsAccountAndKey;
import com.microsoft.azure.storage.StorageCredentialsSharedAccessSignature;
import com.microsoft.azure.storage.blob.CloudBlobClient;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.proxy.ProxyConfiguration;
import org.apache.nifi.proxy.ProxySpec;
import org.apache.nifi.services.azure.storage.AzureStorageCredentialsDetails;
import org.apache.nifi.services.azure.storage.AzureStorageCredentialsService;
import org.apache.nifi.services.azure.storage.AzureStorageEmulatorCredentialsDetails;

/* loaded from: input_file:org/apache/nifi/processors/azure/storage/utils/AzureStorageUtils.class */
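/**
 * Shared property descriptors and helper methods for the Azure Storage processors:
 * credential resolution, credential/proxy validation and proxy wiring.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The account name, account key and SAS token descriptors are marked sensitive, but they
 *       also accept expression language evaluated against FlowFile attributes. As the property
 *       descriptions state, a secret carried in a FlowFile attribute is exposed to anyone who can
 *       read provenance data, so the controller-service route
 *       ({@link #STORAGE_CREDENTIALS_SERVICE}) is the preferred one.</li>
 *   <li>Exception and validation messages built here contain property display names only, never
 *       the evaluated credential values.</li>
 * </ul>
 */
public final class AzureStorageUtils {
    public static final String BLOCK = "Block";
    public static final String PAGE = "Page";

    // Description fragments. The descriptors below are assembled from these constants so the
    // security warnings cannot drift apart from the text users actually see.
    public static final String ACCOUNT_KEY_BASE_DESCRIPTION = "The storage account key. This is an admin-like password providing access to every container in this account. It is recommended one uses Shared Access Signature (SAS) token instead for fine-grained control with policies.";
    public static final String ACCOUNT_KEY_SECURITY_DESCRIPTION = " There are certain risks in allowing the account key to be stored as a flowfile attribute. While it does provide for a more flexible flow by allowing the account key to be fetched dynamically from a flowfile attribute, care must be taken to restrict access to the event provenance data (e.g., by strictly controlling the policies governing provenance for this processor). In addition, the provenance repositories may be put on encrypted disk partitions.";
    public static final String ACCOUNT_NAME_BASE_DESCRIPTION = "The storage account name.";
    public static final String ACCOUNT_NAME_SECURITY_DESCRIPTION = " There are certain risks in allowing the account name to be stored as a flowfile attribute. While it does provide for a more flexible flow by allowing the account name to be fetched dynamically from a flowfile attribute, care must be taken to restrict access to the event provenance data (e.g., by strictly controlling the policies governing provenance for this processor). In addition, the provenance repositories may be put on encrypted disk partitions.";
    public static final String ACCOUNT_NAME_CREDENTIAL_SERVICE_DESCRIPTION = " Instead of defining the Storage Account Name, Storage Account Key and SAS Token properties directly on the processor, the preferred way is to configure them through a controller service specified in the Storage Credentials property. The controller service can provide a common/shared configuration for multiple/all Azure processors. Furthermore, the credentials can also be looked up dynamically with the 'Lookup' version of the service.";
    public static final String SAS_TOKEN_BASE_DESCRIPTION = "Shared Access Signature token, including the leading '?'. Specify either SAS token (recommended) or Account Key.";
    public static final String SAS_TOKEN_SECURITY_DESCRIPTION = " There are certain risks in allowing the SAS token to be stored as a flowfile attribute. While it does provide for a more flexible flow by allowing the SAS token to be fetched dynamically from a flowfile attribute, care must be taken to restrict access to the event provenance data (e.g., by strictly controlling the policies governing provenance for this processor). In addition, the provenance repositories may be put on encrypted disk partitions.";

    public static final String STORAGE_ACCOUNT_KEY_PROPERTY_DESCRIPTOR_NAME = "storage-account-key";

    /**
     * Storage account key: grants access to every container in the account (see description).
     * Sensitive, optional, and evaluated against FlowFile attributes.
     */
    public static final PropertyDescriptor ACCOUNT_KEY = new PropertyDescriptor.Builder()
            .name(STORAGE_ACCOUNT_KEY_PROPERTY_DESCRIPTOR_NAME)
            .displayName("Storage Account Key")
            .description(ACCOUNT_KEY_BASE_DESCRIPTION + ACCOUNT_KEY_SECURITY_DESCRIPTION)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
            .required(false)
            .sensitive(true)
            .build();

    public static final String STORAGE_ACCOUNT_NAME_PROPERTY_DESCRIPTOR_NAME = "storage-account-name";

    /** Storage account name. Sensitive, optional, and evaluated against FlowFile attributes. */
    public static final PropertyDescriptor ACCOUNT_NAME = new PropertyDescriptor.Builder()
            .name(STORAGE_ACCOUNT_NAME_PROPERTY_DESCRIPTOR_NAME)
            .displayName("Storage Account Name")
            .description(ACCOUNT_NAME_BASE_DESCRIPTION + ACCOUNT_NAME_SECURITY_DESCRIPTION + ACCOUNT_NAME_CREDENTIAL_SERVICE_DESCRIPTION)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
            .required(false)
            .sensitive(true)
            .build();

    public static final String STORAGE_ENDPOINT_SUFFIX_PROPERTY_DESCRIPTOR_NAME = "storage-endpoint-suffix";

    /**
     * Endpoint suffix override. Not sensitive, but it determines which host receives the
     * credentials, and it is evaluated against FlowFile attributes.
     */
    public static final PropertyDescriptor ENDPOINT_SUFFIX = new PropertyDescriptor.Builder()
            .name(STORAGE_ENDPOINT_SUFFIX_PROPERTY_DESCRIPTOR_NAME)
            .displayName("Common Storage Account Endpoint Suffix")
            .description("Storage accounts in public Azure always use a common FQDN suffix. Override this endpoint suffix with a different suffix in certain circumstances (like Azure Stack or non-public Azure regions). The preferred way is to configure them through a controller service specified in the Storage Credentials property. The controller service can provide a common/shared configuration for multiple/all Azure processors. Furthermore, the credentials can also be looked up dynamically with the 'Lookup' version of the service.")
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
            .required(false)
            .sensitive(false)
            .build();

    /** Name of the target container. Required; evaluated against FlowFile attributes. */
    public static final PropertyDescriptor CONTAINER = new PropertyDescriptor.Builder()
            .name("container-name")
            .displayName("Container Name")
            .description("Name of the Azure storage container. In case of PutAzureBlobStorage processor, container can be created if it does not exist.")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
            .required(true)
            .build();

    public static final String STORAGE_SAS_TOKEN_PROPERTY_DESCRIPTOR_NAME = "storage-sas-token";

    /** SAS token. Sensitive, optional, and evaluated against FlowFile attributes. */
    public static final PropertyDescriptor PROP_SAS_TOKEN = new PropertyDescriptor.Builder()
            .name(STORAGE_SAS_TOKEN_PROPERTY_DESCRIPTOR_NAME)
            .displayName("SAS Token")
            .description(SAS_TOKEN_BASE_DESCRIPTION + SAS_TOKEN_SECURITY_DESCRIPTION)
            .required(false)
            .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
            .sensitive(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .build();

    /** Controller service that supplies the credentials; the preferred configuration route. */
    public static final PropertyDescriptor STORAGE_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder()
            .name("storage-credentials-service")
            .displayName("Storage Credentials")
            .description("The Controller Service used to obtain Azure Storage Credentials. Instead of the processor level properties, the credentials can be configured here through a common/shared controller service, which is the preferred way. The 'Lookup' version of the service can also be used to select the credentials dynamically at runtime based on a FlowFile attribute (if the processor has FlowFile input).")
            .identifiesControllerService(AzureStorageCredentialsService.class)
            .required(false)
            .build();

    // The four identity properties below are sensitive and do not support expression language,
    // so their values cannot be sourced from FlowFile attributes.

    public static final PropertyDescriptor MANAGED_IDENTITY_CLIENT_ID = new PropertyDescriptor.Builder()
            .name("managed-identity-client-id")
            .displayName("Managed Identity Client ID")
            .description("Client ID of the managed identity. The property is required when User Assigned Managed Identity is used for authentication. It must be empty in case of System Assigned Managed Identity.")
            .sensitive(true)
            .required(false)
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .build();

    public static final PropertyDescriptor SERVICE_PRINCIPAL_TENANT_ID = new PropertyDescriptor.Builder()
            .name("service-principal-tenant-id")
            .displayName("Service Principal Tenant ID")
            .description("Tenant ID of the Azure Active Directory hosting the Service Principal. The property is required when Service Principal authentication is used.")
            .sensitive(true)
            .required(false)
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .build();

    public static final PropertyDescriptor SERVICE_PRINCIPAL_CLIENT_ID = new PropertyDescriptor.Builder()
            .name("service-principal-client-id")
            .displayName("Service Principal Client ID")
            .description("Client ID (or Application ID) of the Client/Application having the Service Principal. The property is required when Service Principal authentication is used.")
            .sensitive(true)
            .required(false)
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .build();

    public static final PropertyDescriptor SERVICE_PRINCIPAL_CLIENT_SECRET = new PropertyDescriptor.Builder()
            .name("service-principal-client-secret")
            .displayName("Service Principal Client Secret")
            .description("Password of the Client/Application. The property is required when Service Principal authentication is used.")
            .sensitive(true)
            .required(false)
            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.NONE)
            .build();

    /** Proxy kinds these processors accept; shared by the descriptor and its validation. */
    private static final ProxySpec[] PROXY_SPECS = {ProxySpec.HTTP, ProxySpec.SOCKS};
    public static final PropertyDescriptor PROXY_CONFIGURATION_SERVICE = ProxyConfiguration.createProxyConfigPropertyDescriptor(false, PROXY_SPECS);

    private AzureStorageUtils() {
        // Static utility holder; not instantiable.
    }

    /**
     * Builds a blob client from the credentials resolved for the given context and FlowFile.
     *
     * @param processContext context holding the credential properties
     * @param componentLog   not used by this method; kept for caller compatibility
     * @param flowFile       FlowFile whose attributes feed expression language, may be {@code null}
     * @return a blob client for the resolved storage account
     * @throws URISyntaxException if the storage account URI cannot be built
     */
    public static CloudBlobClient createCloudBlobClient(ProcessContext processContext, ComponentLog componentLog, FlowFile flowFile) throws URISyntaxException {
        final AzureStorageCredentialsDetails credentialsDetails = getStorageCredentialsDetails(processContext, flowFile);
        return getCloudStorageAccount(credentialsDetails).createCloudBlobClient();
    }

    /**
     * Creates the storage account handle for the given credentials.
     *
     * @param azureStorageCredentialsDetails resolved credentials; emulator credentials select the
     *                                       development storage account
     * @return the storage account handle
     * @throws URISyntaxException if the emulator proxy URI or the account URI is malformed
     */
    public static CloudStorageAccount getCloudStorageAccount(AzureStorageCredentialsDetails azureStorageCredentialsDetails) throws URISyntaxException {
        if (azureStorageCredentialsDetails instanceof AzureStorageEmulatorCredentialsDetails) {
            // Emulator path: the configured account credentials are not consulted here.
            final String emulatorProxyUri = ((AzureStorageEmulatorCredentialsDetails) azureStorageCredentialsDetails).getDevelopmentStorageProxyUri();
            if (emulatorProxyUri == null) {
                return CloudStorageAccount.getDevelopmentStorageAccount();
            }
            return CloudStorageAccount.getDevelopmentStorageAccount(new URI(emulatorProxyUri));
        }
        // The second argument is the SDK's useHttps flag: real accounts are always reached over HTTPS.
        return new CloudStorageAccount(
                azureStorageCredentialsDetails.getStorageCredentials(),
                true,
                azureStorageCredentialsDetails.getStorageSuffix(),
                azureStorageCredentialsDetails.getStorageAccountName());
    }

    /**
     * Resolves credentials from the credentials controller service when one is configured,
     * otherwise from the processor-level properties.
     *
     * @param propertyContext context holding the credential properties
     * @param flowFile        FlowFile supplying attributes, may be {@code null}
     * @return the resolved credentials
     */
    public static AzureStorageCredentialsDetails getStorageCredentialsDetails(PropertyContext propertyContext, FlowFile flowFile) {
        final Map<String, String> attributes;
        if (flowFile != null) {
            attributes = flowFile.getAttributes();
        } else {
            attributes = Collections.emptyMap();
        }
        final AzureStorageCredentialsService credentialsService =
                propertyContext.getProperty(STORAGE_CREDENTIALS_SERVICE).asControllerService(AzureStorageCredentialsService.class);
        if (credentialsService != null) {
            return credentialsService.getStorageCredentialsDetails(attributes);
        }
        return createStorageCredentialsDetails(propertyContext, attributes);
    }

    /**
     * Builds credentials from the processor-level properties. The account key takes precedence
     * over the SAS token when both evaluate to a non-blank value.
     *
     * <p>The values are evaluated against the supplied attributes, so they may originate from
     * FlowFile attributes; the exception messages deliberately name the properties only and
     * never echo the evaluated values.
     *
     * @param propertyContext context holding the credential properties
     * @param map             attributes used for expression-language evaluation
     * @return the credentials built from the evaluated properties
     * @throws IllegalArgumentException if the account name is blank, or neither an account key
     *                                  nor a SAS token is defined
     */
    public static AzureStorageCredentialsDetails createStorageCredentialsDetails(PropertyContext propertyContext, Map<String, String> map) {
        final String accountName = propertyContext.getProperty(ACCOUNT_NAME).evaluateAttributeExpressions(map).getValue();
        final String endpointSuffix = propertyContext.getProperty(ENDPOINT_SUFFIX).evaluateAttributeExpressions(map).getValue();
        final String accountKey = propertyContext.getProperty(ACCOUNT_KEY).evaluateAttributeExpressions(map).getValue();
        final String sasToken = propertyContext.getProperty(PROP_SAS_TOKEN).evaluateAttributeExpressions(map).getValue();

        if (StringUtils.isBlank(accountName)) {
            throw new IllegalArgumentException(String.format("'%s' must not be empty.", ACCOUNT_NAME.getDisplayName()));
        }
        if (StringUtils.isNotBlank(accountKey)) {
            return new AzureStorageCredentialsDetails(accountName, endpointSuffix, new StorageCredentialsAccountAndKey(accountName, accountKey));
        }
        if (StringUtils.isBlank(sasToken)) {
            throw new IllegalArgumentException(String.format("Either '%s' or '%s' must be defined.", ACCOUNT_KEY.getDisplayName(), PROP_SAS_TOKEN.getDisplayName()));
        }
        return new AzureStorageCredentialsDetails(accountName, endpointSuffix, new StorageCredentialsSharedAccessSignature(sasToken));
    }

    /**
     * Checks that exactly one supported credential combination is configured: the credentials
     * service alone, account name with account key, or account name with SAS token. Also rejects
     * an endpoint suffix set alongside the credentials service.
     *
     * <p>This inspects the raw (unevaluated) property values, so a property holding an
     * expression counts as set here even if it later evaluates to blank.
     *
     * @param validationContext context holding the credential properties
     * @return the validation failures found; empty when the configuration is acceptable
     */
    public static Collection<ValidationResult> validateCredentialProperties(ValidationContext validationContext) {
        final Collection<ValidationResult> results = new ArrayList<>();

        final String credentialsService = validationContext.getProperty(STORAGE_CREDENTIALS_SERVICE).getValue();
        final String accountName = validationContext.getProperty(ACCOUNT_NAME).getValue();
        final String accountKey = validationContext.getProperty(ACCOUNT_KEY).getValue();
        final String sasToken = validationContext.getProperty(PROP_SAS_TOKEN).getValue();
        final String endpointSuffix = validationContext.getProperty(ENDPOINT_SUFFIX).getValue();

        final boolean serviceOnly = StringUtils.isNotBlank(credentialsService)
                && StringUtils.isBlank(accountName)
                && StringUtils.isBlank(accountKey)
                && StringUtils.isBlank(sasToken);
        final boolean nameWithKey = StringUtils.isBlank(credentialsService)
                && StringUtils.isNotBlank(accountName)
                && StringUtils.isNotBlank(accountKey)
                && StringUtils.isBlank(sasToken);
        final boolean nameWithSas = StringUtils.isBlank(credentialsService)
                && StringUtils.isNotBlank(accountName)
                && StringUtils.isBlank(accountKey)
                && StringUtils.isNotBlank(sasToken);

        if (!(serviceOnly || nameWithKey || nameWithSas)) {
            results.add(new ValidationResult.Builder()
                    .subject("AzureStorageUtils Credentials")
                    .valid(false)
                    .explanation("either " + STORAGE_CREDENTIALS_SERVICE.getDisplayName() + ", or " + ACCOUNT_NAME.getDisplayName() + " with " + ACCOUNT_KEY.getDisplayName() + " or " + ACCOUNT_NAME.getDisplayName() + " with " + PROP_SAS_TOKEN.getDisplayName() + " must be specified")
                    .build());
        }
        if (StringUtils.isNotBlank(credentialsService) && StringUtils.isNotBlank(endpointSuffix)) {
            // Marked invalid explicitly rather than relying on the builder's default.
            results.add(new ValidationResult.Builder()
                    .subject("AzureStorageUtils Credentials")
                    .valid(false)
                    .explanation("Either " + STORAGE_CREDENTIALS_SERVICE.getDisplayName() + " or " + ENDPOINT_SUFFIX.getDisplayName() + " should be specified, not both.")
                    .build());
        }
        return results;
    }

    /**
     * Validates the configured proxy against the proxy kinds supported here (HTTP and SOCKS).
     *
     * @param validationContext context holding the proxy configuration
     * @param collection        receives any validation failures
     */
    public static void validateProxySpec(ValidationContext validationContext, Collection<ValidationResult> collection) {
        ProxyConfiguration.validateProxySpec(validationContext, collection, PROXY_SPECS);
    }

    /**
     * Applies the configured proxy to an operation context.
     *
     * @param operationContext operation context to configure
     * @param processContext   context holding the proxy configuration
     */
    public static void setProxy(OperationContext operationContext, ProcessContext processContext) {
        final ProxyConfiguration proxyConfiguration = ProxyConfiguration.getConfiguration(processContext);
        operationContext.setProxy(proxyConfiguration.createProxy());
    }

    /**
     * Translates the configured proxy into {@link ProxyOptions}.
     *
     * @param propertyContext context holding the proxy configuration
     * @return the proxy options, or {@code null} when the connection is direct
     * @throws IllegalArgumentException if the proxy type is neither HTTP nor SOCKS
     */
    public static ProxyOptions getProxyOptions(PropertyContext propertyContext) {
        final ProxyConfiguration configuration = ProxyConfiguration.getConfiguration(propertyContext);
        // Treat any DIRECT configuration as "no proxy", not only the shared DIRECT_CONFIGURATION
        // instance: getProxyType() rejects DIRECT, so an identity check alone would turn a
        // separately built DIRECT configuration into an IllegalArgumentException.
        if (configuration == ProxyConfiguration.DIRECT_CONFIGURATION || configuration.getProxyType() == Proxy.Type.DIRECT) {
            return null;
        }
        final InetSocketAddress proxyAddress =
                new InetSocketAddress(configuration.getProxyServerHost(), configuration.getProxyServerPort().intValue());
        final ProxyOptions proxyOptions = new ProxyOptions(getProxyType(configuration), proxyAddress);

        final String proxyUserName = configuration.getProxyUserName();
        final String proxyUserPassword = configuration.getProxyUserPassword();
        // Credentials are attached only when both parts are present.
        if (proxyUserName != null && proxyUserPassword != null) {
            proxyOptions.setCredentials(proxyUserName, proxyUserPassword);
        }
        return proxyOptions;
    }

    /**
     * Maps the configured proxy type onto the matching {@link ProxyOptions.Type}. For SOCKS the
     * target constant is looked up by the name of the configured SOCKS version.
     *
     * @param proxyConfiguration proxy configuration to translate
     * @return the corresponding proxy options type
     * @throws IllegalArgumentException if the proxy type is neither HTTP nor SOCKS
     */
    private static ProxyOptions.Type getProxyType(ProxyConfiguration proxyConfiguration) {
        final Proxy.Type configuredType = proxyConfiguration.getProxyType();
        if (configuredType == Proxy.Type.HTTP) {
            return ProxyOptions.Type.HTTP;
        }
        if (configuredType == Proxy.Type.SOCKS) {
            // NOTE(review): assumes a SOCKS version is always set for SOCKS proxies - confirm.
            return ProxyOptions.Type.valueOf(proxyConfiguration.getSocksVersion().name());
        }
        throw new IllegalArgumentException("Unsupported proxy type: " + proxyConfiguration.getProxyType());
    }
}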
