package org.nuxeo.ecm.core.storage.sql;

import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.CannedAccessControlList;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.common.utils.SizeUtils;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/core/storage/sql/S3BinaryManager.class */
public class S3BinaryManager extends BinaryCachingManager {
    public static final String BUCKET_NAME_KEY = "nuxeo.s3storage.bucket";
    public static final String BUCKET_REGION_KEY = "nuxeo.s3storage.region";
    public static final String AWS_ID_KEY = "nuxeo.s3storage.awsid";
    public static final String AWS_ID_ENV_KEY = "AWS_ACCESS_KEY_ID";
    public static final String AWS_SECRET_KEY = "nuxeo.s3storage.awssecret";
    public static final String AWS_SECRET_ENV_KEY = "AWS_SECRET_ACCESS_KEY";
    public static final String CACHE_SIZE_KEY = "nuxeo.s3storage.cachesize";
    public static final String DEFAULT_CACHE_SIZE = "100 MB";
    public static final String KEYSTORE_FILE_KEY = "nuxeo.s3storage.crypt.keystore.file";
    public static final String KEYSTORE_PASS_KEY = "nuxeo.s3storage.crypt.keystore.password";
    public static final String PRIVKEY_ALIAS_KEY = "nuxeo.s3storage.crypt.key.alias";
    public static final String PRIVKEY_PASS_KEY = "nuxeo.s3storage.crypt.key.password";
    public static final String PROXY_HOST_KEY = "nuxeo.http.proxy.host";
    public static final String PROXY_PORT_KEY = "nuxeo.http.proxy.port";
    public static final String PROXY_LOGIN_KEY = "nuxeo.http.proxy.login";
    public static final String PROXY_PASSWORD_KEY = "nuxeo.http.proxy.password";
    private static final String MD5 = "MD5";
    protected String bucketName;
    protected BasicAWSCredentials awsCredentials;
    protected ClientConfiguration clientConfiguration;
    protected EncryptionMaterials encryptionMaterials;
    protected CryptoConfiguration cryptoConfiguration;
    protected String repositoryName;
    protected BinaryFileCache fileCache;
    protected AmazonS3 amazonS3;
    private static final Log log = LogFactory.getLog(S3BinaryManager.class);
    public static final String DEFAULT_BUCKET_REGION = null;
    private static final Pattern MD5_RE = Pattern.compile("[0-9a-f]{32}");

    /* loaded from: input_file:org/nuxeo/ecm/core/storage/sql/S3BinaryManager$S3BinaryFileCache.class */
    public class S3BinaryFileCache extends BinaryFileCache {
        public S3BinaryFileCache(File file, long j) {
            super(file, j);
        }

        public boolean fetchFile(String str, File file) {
            try {
                String eTag = S3BinaryManager.this.amazonS3.getObject(new GetObjectRequest(S3BinaryManager.this.bucketName, str), file).getETag();
                if ((S3BinaryManager.this.amazonS3 instanceof AmazonS3EncryptionClient) || eTag.equals(str)) {
                    return true;
                }
                S3BinaryManager.log.error("Invalid ETag in S3, ETag=" + eTag + " digest=" + str);
                return false;
            } catch (AmazonClientException e) {
                if (S3BinaryManager.isMissingKey(e)) {
                    return false;
                }
                S3BinaryManager.log.error("Unknown binary: " + str, e);
                return false;
            }
        }

        public Long fetchLength(String str) {
            try {
                ObjectMetadata objectMetadata = S3BinaryManager.this.amazonS3.getObjectMetadata(S3BinaryManager.this.bucketName, str);
                String eTag = objectMetadata.getETag();
                if ((S3BinaryManager.this.amazonS3 instanceof AmazonS3EncryptionClient) || eTag.equals(str)) {
                    return Long.valueOf(objectMetadata.getContentLength());
                }
                S3BinaryManager.log.error("Invalid ETag in S3, ETag=" + eTag + " digest=" + str);
                return null;
            } catch (AmazonClientException e) {
                if (S3BinaryManager.isMissingKey(e)) {
                    return null;
                }
                S3BinaryManager.log.error("Unknown binary: " + str, e);
                return null;
            }
        }
    }

    /* loaded from: input_file:org/nuxeo/ecm/core/storage/sql/S3BinaryManager$S3BinaryGarbageCollector.class */
    public static class S3BinaryGarbageCollector implements BinaryGarbageCollector {
        protected final S3BinaryManager binaryManager;
        protected volatile long startTime;
        protected BinaryManagerStatus status;
        protected Set<String> marked;

        public S3BinaryGarbageCollector(S3BinaryManager s3BinaryManager) {
            this.binaryManager = s3BinaryManager;
        }

        public String getId() {
            return "s3:" + this.binaryManager.bucketName;
        }

        public BinaryManagerStatus getStatus() {
            return this.status;
        }

        public boolean isInProgress() {
            return this.startTime != 0;
        }

        public void start() {
            if (this.startTime != 0) {
                throw new RuntimeException("Alread started");
            }
            this.startTime = System.currentTimeMillis();
            this.status = new BinaryManagerStatus();
            this.marked = new HashSet();
        }

        public void mark(String str) {
            this.marked.add(str);
        }

        public void stop(boolean z) {
            if (this.startTime == 0) {
                throw new RuntimeException("Not started");
            }
            try {
                HashSet hashSet = new HashSet();
                ObjectListing objectListing = null;
                do {
                    objectListing = objectListing == null ? this.binaryManager.amazonS3.listObjects(this.binaryManager.bucketName) : this.binaryManager.amazonS3.listNextBatchOfObjects(objectListing);
                    for (S3ObjectSummary s3ObjectSummary : objectListing.getObjectSummaries()) {
                        String key = s3ObjectSummary.getKey();
                        if (S3BinaryManager.isMD5(key)) {
                            long size = s3ObjectSummary.getSize();
                            if (this.marked.contains(key)) {
                                this.status.numBinaries++;
                                this.status.sizeBinaries += size;
                            } else {
                                this.status.numBinariesGC++;
                                this.status.sizeBinariesGC += size;
                                hashSet.add(key);
                                this.marked.remove(key);
                            }
                        }
                    }
                } while (objectListing.isTruncated());
                this.marked = null;
                if (z) {
                    Iterator it = hashSet.iterator();
                    while (it.hasNext()) {
                        this.binaryManager.removeBinary((String) it.next());
                    }
                }
                this.status.gcDuration = System.currentTimeMillis() - this.startTime;
                this.startTime = 0L;
            } catch (AmazonClientException e) {
                throw new RuntimeException((Throwable) e);
            }
        }
    }

    public void initialize(RepositoryDescriptor repositoryDescriptor) throws IOException {
        this.repositoryName = repositoryDescriptor.name;
        this.descriptor = new BinaryManagerDescriptor();
        this.descriptor.digest = MD5;
        log.info("Repository '" + repositoryDescriptor.name + "' using " + getClass().getSimpleName());
        this.bucketName = Framework.getProperty(BUCKET_NAME_KEY);
        String property = Framework.getProperty(BUCKET_REGION_KEY);
        if (StringUtils.isBlank(property)) {
            property = DEFAULT_BUCKET_REGION;
        }
        String property2 = Framework.getProperty(AWS_ID_KEY);
        String property3 = Framework.getProperty(AWS_SECRET_KEY);
        String property4 = Framework.getProperty(PROXY_HOST_KEY);
        String property5 = Framework.getProperty(PROXY_PORT_KEY);
        String property6 = Framework.getProperty(PROXY_LOGIN_KEY);
        String property7 = Framework.getProperty(PROXY_PASSWORD_KEY);
        String property8 = Framework.getProperty(CACHE_SIZE_KEY);
        if (StringUtils.isBlank(property8)) {
            property8 = DEFAULT_CACHE_SIZE;
        }
        String property9 = Framework.getProperty(KEYSTORE_FILE_KEY);
        String property10 = Framework.getProperty(KEYSTORE_PASS_KEY);
        String property11 = Framework.getProperty(PRIVKEY_ALIAS_KEY);
        String property12 = Framework.getProperty(PRIVKEY_PASS_KEY);
        if (StringUtils.isBlank(property2)) {
            property2 = System.getenv(AWS_ID_ENV_KEY);
        }
        if (StringUtils.isBlank(property3)) {
            property3 = System.getenv(AWS_SECRET_ENV_KEY);
        }
        if (StringUtils.isBlank(this.bucketName)) {
            throw new RuntimeException("Missing conf: nuxeo.s3storage.bucket");
        }
        if (StringUtils.isBlank(property2)) {
            throw new RuntimeException("Missing conf: nuxeo.s3storage.awsid");
        }
        if (StringUtils.isBlank(property3)) {
            throw new RuntimeException("Missing conf: nuxeo.s3storage.awssecret");
        }
        this.awsCredentials = new BasicAWSCredentials(property2, property3);
        this.clientConfiguration = new ClientConfiguration();
        if (StringUtils.isNotBlank(property4)) {
            this.clientConfiguration.setProxyHost(property4);
        }
        if (StringUtils.isNotBlank(property5)) {
            this.clientConfiguration.setProxyPort(Integer.parseInt(property5));
        }
        if (StringUtils.isNotBlank(property6)) {
            this.clientConfiguration.setProxyUsername(property6);
        }
        if (property7 != null) {
            this.clientConfiguration.setProxyPassword(property7);
        }
        this.encryptionMaterials = null;
        if (StringUtils.isNotBlank(property9)) {
            boolean z = true;
            if (property10 == null) {
                log.error("Keystore password missing");
                z = false;
            }
            if (StringUtils.isBlank(property11)) {
                log.error("Key alias missing");
                z = false;
            }
            if (property12 == null) {
                log.error("Key password missing");
                z = false;
            }
            if (!z) {
                throw new RuntimeException("S3 Crypto configuration incomplete");
            }
            try {
                FileInputStream fileInputStream = new FileInputStream(new File(property9));
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(fileInputStream, property10.toCharArray());
                fileInputStream.close();
                if (!keyStore.isKeyEntry(property11)) {
                    throw new RuntimeException("Alias " + property11 + " is missing or not a key alias");
                }
                this.encryptionMaterials = new EncryptionMaterials(new KeyPair(keyStore.getCertificate(property11).getPublicKey(), (PrivateKey) keyStore.getKey(property11, property12.toCharArray())));
                this.cryptoConfiguration = new CryptoConfiguration();
            } catch (Exception e) {
                throw new RuntimeException("Could not read keystore: " + property9 + ", alias: " + property11, e);
            }
        }
        if (this.encryptionMaterials == null) {
            this.amazonS3 = new AmazonS3Client(this.awsCredentials, this.clientConfiguration);
        } else {
            this.amazonS3 = new AmazonS3EncryptionClient(this.awsCredentials, this.encryptionMaterials, this.clientConfiguration, this.cryptoConfiguration);
        }
        try {
            if (!this.amazonS3.doesBucketExist(this.bucketName)) {
                this.amazonS3.createBucket(this.bucketName, property);
                this.amazonS3.setBucketAcl(this.bucketName, CannedAccessControlList.Private);
            }
            File createTempFile = File.createTempFile("nxbincache.", "", null);
            createTempFile.delete();
            createTempFile.mkdir();
            createTempFile.deleteOnExit();
            this.fileCache = new S3BinaryFileCache(createTempFile, SizeUtils.parseSizeInBytes(property8));
            log.info("Using binary cache directory: " + createTempFile.getPath() + " size: " + property8);
            createGarbageCollector();
        } catch (AmazonClientException e2) {
            throw new IOException((Throwable) e2);
        } catch (AmazonServiceException e3) {
            throw new IOException((Throwable) e3);
        }
    }

    protected void createGarbageCollector() {
        this.garbageCollector = new S3BinaryGarbageCollector(this);
    }

    public Binary getBinary(InputStream inputStream) throws IOException {
        String eTag;
        File tempFile = this.fileCache.getTempFile();
        FileOutputStream fileOutputStream = new FileOutputStream(tempFile);
        try {
            String storeAndDigest = storeAndDigest(inputStream, fileOutputStream);
            inputStream.close();
            fileOutputStream.close();
            try {
                eTag = this.amazonS3.getObjectMetadata(this.bucketName, storeAndDigest).getETag();
            } catch (AmazonClientException e) {
                if (!isMissingKey(e)) {
                    throw new IOException((Throwable) e);
                }
                try {
                    eTag = this.amazonS3.putObject(this.bucketName, storeAndDigest, tempFile).getETag();
                } catch (AmazonClientException e2) {
                    throw new IOException((Throwable) e2);
                }
            }
            if ((this.amazonS3 instanceof AmazonS3EncryptionClient) || eTag.equals(storeAndDigest)) {
                return new Binary(this.fileCache.putFile(storeAndDigest, tempFile), storeAndDigest, this.repositoryName);
            }
            throw new IOException("Invalid ETag in S3, ETag=" + eTag + " digest=" + storeAndDigest);
        } catch (Throwable th) {
            inputStream.close();
            fileOutputStream.close();
            throw th;
        }
    }

    protected void removeBinary(String str) {
        this.amazonS3.deleteObject(this.bucketName, str);
    }

    protected static boolean isMissingKey(AmazonClientException amazonClientException) {
        if (amazonClientException instanceof AmazonServiceException) {
            return "NoSuchKey".equals(((AmazonServiceException) amazonClientException).getErrorCode()) || "Not Found".equals(amazonClientException.getMessage());
        }
        return false;
    }

    public static boolean isMD5(String str) {
        return MD5_RE.matcher(str).matches();
    }

    public BinaryFileCache fileCache() {
        return this.fileCache;
    }
}
