package org.apache.nifi.parameter.gcp;

import com.google.cloud.secretmanager.v1.ProjectName;
import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretVersionName;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.gcp.credentials.service.GCPCredentialsService;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.parameter.AbstractParameterProvider;
import org.apache.nifi.parameter.Parameter;
import org.apache.nifi.parameter.ParameterGroup;
import org.apache.nifi.parameter.VerifiableParameterProvider;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

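/**
 * Parameter Provider that exposes Google Cloud Secret Manager secrets as NiFi parameters.
 *
 * <p>Every secret in the configured project that carries a {@code group-name} label whose value
 * matches the "Group Name Pattern" property is read, and its {@code latest} version becomes one
 * parameter in the Parameter Group named after the label value.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The default pattern is {@code .*}, so every labelled secret the configured credentials
 *       can read is fetched. Narrow the pattern and scope the credentials to the secrets this
 *       provider is meant to read (listing secrets and accessing secret versions are the two
 *       operations used here).</li>
 *   <li>Only secret names, label values and the pattern are logged, at debug level; payloads are
 *       never written to a log by this class.</li>
 *   <li>Payloads are decoded as UTF-8 text, so a secret holding arbitrary binary data will not
 *       round-trip through a parameter value.</li>
 * </ul>
 */
@CapabilityDescription("Fetches parameters from GCP Secret Manager.  Each secret becomes a Parameter, which can be mapped to a Parameter Group by adding a GCP label named 'group-name'.")
@Tags({"gcp", "secret", "manager"})
/* loaded from: input_file:org/apache/nifi/parameter/gcp/GcpSecretManagerParameterProvider.class */
public class GcpSecretManagerParameterProvider extends AbstractParameterProvider implements VerifiableParameterProvider {
    /** GCP label whose value selects the Parameter Group a secret is placed in. */
    private static final String GROUP_NAME_LABEL = "group-name";
    /** Separator preceding the short secret id inside a secret's full resource name. */
    private static final String SECRETS_PATH = "secrets/";
    /** Secret version alias that is read for every matching secret. */
    private static final String LATEST_VERSION = "latest";
    private static final Logger logger = LoggerFactory.getLogger(GcpSecretManagerParameterProvider.class);

    public static final PropertyDescriptor GROUP_NAME_PATTERN = new PropertyDescriptor.Builder()
            .name("group-name-pattern")
            .displayName("Group Name Pattern")
            .description("A Regular Expression matching on the 'group-name' label value that identifies Secrets whose parameters should be fetched. Any secrets without a 'group-name' label value that matches this Regex will not be fetched.")
            .addValidator(StandardValidators.REGULAR_EXPRESSION_VALIDATOR)
            .required(true)
            .defaultValue(".*")
            .build();

    public static final PropertyDescriptor PROJECT_ID = new PropertyDescriptor.Builder()
            .name("gcp-project-id")
            .displayName("Project ID")
            .description("Google Cloud Project ID")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .required(true)
            .build();

    public static final PropertyDescriptor GCP_CREDENTIALS_PROVIDER_SERVICE = new PropertyDescriptor.Builder()
            .name("gcp-credentials-provider-service")
            .displayName("GCP Credentials Provider Service")
            .description("The Controller Service used to obtain Google Cloud Platform credentials.")
            .required(true)
            .identifiesControllerService(GCPCredentialsService.class)
            .build();

    private static final List<PropertyDescriptor> PROPERTIES = Collections.unmodifiableList(Arrays.asList(GROUP_NAME_PATTERN, PROJECT_ID, GCP_CREDENTIALS_PROVIDER_SERVICE));

    /**
     * Returns the fixed, unmodifiable list of properties this provider supports.
     */
    @Override
    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return PROPERTIES;
    }

    /**
     * Lists every secret in the configured project and turns the matching ones into parameters.
     *
     * <p>Secrets without the {@code group-name} label are skipped. All result pages are processed,
     * including the final one, and the Secret Manager client is closed before returning so that
     * its underlying resources are not leaked on repeated fetches.
     *
     * <p>No exception from the Secret Manager client is caught here: a single secret that cannot
     * be read aborts the whole fetch and propagates to the caller.
     *
     * @param configurationContext supplies the project id, group-name pattern and credentials service
     * @return one {@link ParameterGroup} per distinct matching label value
     * @throws IOException if the Secret Manager client cannot be created
     */
    @Override
    public List<ParameterGroup> fetchParameters(ConfigurationContext configurationContext) throws IOException {
        final Map<String, ParameterGroup> groupsByName = new HashMap<>();
        final String projectId = configurationContext.getProperty(PROJECT_ID).getValue();
        // Compiled once per fetch rather than once per secret.
        final Pattern groupNamePattern = Pattern.compile(configurationContext.getProperty(GROUP_NAME_PATTERN).getValue());

        try (SecretManagerServiceClient client = configureClient(configurationContext)) {
            SecretManagerServiceClient.ListSecretsPage page = client.listSecrets(ProjectName.of(projectId)).getPage();
            // Process the current page first and only then advance; advancing before the
            // loop condition is evaluated would skip the last page of a multi-page listing.
            while (page != null) {
                for (final Secret secret : page.getValues()) {
                    final String groupName = secret.getLabelsOrDefault(GROUP_NAME_LABEL, (String) null);
                    if (groupName == null) {
                        getLogger().debug("Secret [{}] does not have the {} label, and will be skipped", secret.getName(), GROUP_NAME_LABEL);
                        continue;
                    }
                    final String secretId = StringUtils.substringAfter(secret.getName(), SECRETS_PATH);
                    fetchSecret(client, projectId, groupNamePattern, secretId, groupName, groupsByName);
                }
                page = page.hasNextPage() ? page.getNextPage() : null;
            }
        }
        return new ArrayList<>(groupsByName.values());
    }

    /**
     * Verifies the configuration by performing a real fetch, which reads the payload of every
     * matching secret, and reports the number of parameters and groups found.
     *
     * <p>On failure the exception is logged to {@code componentLog} and its message is included
     * in the returned explanation, so it is visible to whoever runs the verification.
     *
     * @param configurationContext the configuration to verify
     * @param componentLog logger that receives the failure, if any
     * @return a single-element list holding the outcome of the "Fetch Parameters" step
     */
    @Override
    public List<ConfigVerificationResult> verify(ConfigurationContext configurationContext, ComponentLog componentLog) {
        final List<ConfigVerificationResult> results = new ArrayList<>();
        try {
            final List<ParameterGroup> groups = fetchParameters(configurationContext);
            int parameterCount = 0;
            for (final ParameterGroup group : groups) {
                parameterCount += group.getParameters().size();
            }
            results.add(new ConfigVerificationResult.Builder()
                    .outcome(ConfigVerificationResult.Outcome.SUCCESSFUL)
                    .verificationStepName("Fetch Parameters")
                    .explanation(String.format("Fetched secret keys [%d] as parameters within groups [%d]", parameterCount, groups.size()))
                    .build());
        } catch (Exception e) {
            // Broad catch is deliberate: verification must report any failure as a result
            // instead of throwing.
            componentLog.error("Failed to fetch parameters", e);
            results.add(new ConfigVerificationResult.Builder()
                    .outcome(ConfigVerificationResult.Outcome.FAILED)
                    .verificationStepName("Fetch Parameters")
                    .explanation("Failed to fetch parameters: " + e.getMessage())
                    .build());
        }
        return results;
    }

    /**
     * Reads the {@code latest} version of one secret and adds it to the group named by its label,
     * provided the label value matches the group-name pattern in full.
     *
     * @param client open Secret Manager client
     * @param projectId Google Cloud project that owns the secret
     * @param groupNamePattern compiled "Group Name Pattern" property
     * @param secretId short secret id, used as the parameter name
     * @param groupName value of the secret's {@code group-name} label
     * @param groupsByName accumulator of groups keyed by group name; updated in place
     */
    private void fetchSecret(SecretManagerServiceClient client, String projectId, Pattern groupNamePattern, String secretId, String groupName, Map<String, ParameterGroup> groupsByName) {
        if (!groupNamePattern.matcher(groupName).matches()) {
            logger.debug("Secret [{}] label [{}] does not match the group name pattern {}", secretId, groupName, groupNamePattern);
            return;
        }

        // The payload is the secret value itself: it is passed straight into the parameter
        // and must not be logged.
        final String secretValue = client.accessSecretVersion(SecretVersionName.of(projectId, secretId, LATEST_VERSION))
                .getPayload()
                .getData()
                .toStringUtf8();
        final Parameter parameter = createParameter(secretId, secretValue);
        if (parameter != null) {
            // The group is rebuilt from a copy of its current parameter list rather than
            // having that list modified in place.
            final ParameterGroup existing = groupsByName.computeIfAbsent(groupName, name -> new ParameterGroup(name, new ArrayList<>()));
            final List<Parameter> parameters = new ArrayList<>(existing.getParameters());
            parameters.add(parameter);
            groupsByName.put(groupName, new ParameterGroup(groupName, parameters));
        }
    }

    /**
     * Builds a provided parameter with the given name and value.
     */
    private Parameter createParameter(String str, String str2) {
        return new Parameter.Builder().name(str).value(str2).provided(true).build();
    }

    /**
     * Creates a Secret Manager client that authenticates with the credentials supplied by the
     * configured GCP credentials Controller Service. The caller owns the returned client and is
     * responsible for closing it.
     *
     * @param configurationContext supplies the credentials Controller Service
     * @return a new client
     * @throws IOException if the client settings or the client cannot be built
     */
    SecretManagerServiceClient configureClient(ConfigurationContext configurationContext) throws IOException {
        final GCPCredentialsService credentialsService = configurationContext.getProperty(GCP_CREDENTIALS_PROVIDER_SERVICE).asControllerService(GCPCredentialsService.class);
        return SecretManagerServiceClient.create(SecretManagerServiceSettings.newBuilder()
                .setCredentialsProvider(() -> credentialsService.getGoogleCredentials())
                .build());
    }
}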
