package org.apache.hadoop.fs.s3a.impl;

import java.io.IOException;
import java.net.URI;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.DefaultS3ClientFactory;
import org.apache.hadoop.fs.s3a.S3ClientFactory;
import org.apache.hadoop.util.Preconditions;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.functional.LazyAtomicReference;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.KmsClientBuilder;
import software.amazon.awssdk.services.s3.S3AsyncClient;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.encryption.s3.S3AsyncEncryptionClient;
import software.amazon.encryption.s3.S3EncryptionClient;
import software.amazon.encryption.s3.materials.DefaultCryptoMaterialsManager;
import software.amazon.encryption.s3.materials.Keyring;
import software.amazon.encryption.s3.materials.KmsKeyring;

/* loaded from: input_file:org/apache/hadoop/fs/s3a/impl/EncryptionS3ClientFactory.class */
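/**
 * S3 client factory that wraps the clients built by {@link DefaultS3ClientFactory}
 * in the Amazon S3 Encryption Client, so that objects are encrypted and
 * decrypted on the client side (CSE).
 *
 * <p>Call order matters: {@link #createS3Client} builds and stores both the
 * plain synchronous and the plain asynchronous client on this instance, and
 * {@link #createS3AsyncClient} only wraps the stored asynchronous client. Calling
 * {@code createS3AsyncClient} first fails its precondition check.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Both encryption clients and the KMS keyring are built with the legacy
 *       decryption modes switched on (see the builder calls below). These are
 *       hard-coded, not configurable from this class.</li>
 *   <li>A custom keyring class is named by the CSE materials and instantiated
 *       reflectively; whoever controls that setting controls which code supplies
 *       the key material.</li>
 * </ul>
 */
public class EncryptionS3ClientFactory extends DefaultS3ClientFactory {
    /** Fully qualified name of the class probed to decide whether CSE is usable. */
    private static final String ENCRYPTION_CLIENT_CLASSNAME = "software.amazon.encryption.s3.S3EncryptionClient";

    /** Result of the classpath probe, evaluated on first use. */
    private static final LazyAtomicReference<Boolean> ENCRYPTION_CLIENT_AVAILABLE = LazyAtomicReference.lazyAtomicReferenceFromSupplier(EncryptionS3ClientFactory::checkForEncryptionClient);

    /** Plain synchronous client created by the superclass; set in {@link #createS3Client}. */
    private S3Client s3Client;

    /** Plain asynchronous client created by the superclass; set in {@link #createS3Client}. */
    private S3AsyncClient s3AsyncClient;

    /**
     * Probes the classpath for the encryption client class.
     *
     * @return true if the class could be loaded by this class's class loader
     */
    private static boolean checkForEncryptionClient() {
        try {
            EncryptionS3ClientFactory.class.getClassLoader().loadClass(ENCRYPTION_CLIENT_CLASSNAME);
            LOG.debug("encryption client class {} found", ENCRYPTION_CLIENT_CLASSNAME);
            return true;
        } catch (Exception | LinkageError e) {
            // LinkageError (e.g. NoClassDefFoundError for a missing dependency of the
            // encryption client) is not an Exception; treat it as "unavailable" too,
            // so callers get the InstantiationIOException rather than a raw Error.
            LOG.debug("encryption client class {} not found", ENCRYPTION_CLIENT_CLASSNAME, e);
            return false;
        }
    }

    /**
     * @return the cached result of {@link #checkForEncryptionClient()}
     */
    private static synchronized boolean isEncryptionClientAvailable() {
        return ENCRYPTION_CLIENT_AVAILABLE.get();
    }

    /**
     * Creates the plain sync and async clients through the superclass, stores
     * them on this instance, and returns a synchronous encryption client that
     * wraps both.
     *
     * @param uri filesystem URI, used for client creation and error reporting
     * @param s3ClientCreationParameters client settings, including the CSE materials
     * @return the encrypting synchronous client
     * @throws IOException if the encryption client class is not on the classpath,
     *         or a custom keyring could not be instantiated
     */
    @Override
    public S3Client createS3Client(URI uri, S3ClientFactory.S3ClientCreationParameters s3ClientCreationParameters) throws IOException {
        if (!isEncryptionClientAvailable()) {
            throw InstantiationIOException.unavailable(uri, ENCRYPTION_CLIENT_CLASSNAME, null, "No encryption client available");
        }
        this.s3Client = super.createS3Client(uri, s3ClientCreationParameters);
        this.s3AsyncClient = super.createS3AsyncClient(uri, s3ClientCreationParameters);
        return createS3EncryptionClient(s3ClientCreationParameters);
    }

    /**
     * Returns an asynchronous encryption client wrapping the async client that a
     * previous {@link #createS3Client} call stored on this instance.
     *
     * @param uri filesystem URI, used only for error reporting here
     * @param s3ClientCreationParameters client settings, including the CSE materials
     * @return the encrypting asynchronous client
     * @throws IOException if the encryption client class is not on the classpath,
     *         or a custom keyring could not be instantiated
     */
    @Override
    public S3AsyncClient createS3AsyncClient(URI uri, S3ClientFactory.S3ClientCreationParameters s3ClientCreationParameters) throws IOException {
        if (!isEncryptionClientAvailable()) {
            throw InstantiationIOException.unavailable(uri, ENCRYPTION_CLIENT_CLASSNAME, null, "No encryption client available");
        }
        return createS3AsyncEncryptionClient(s3ClientCreationParameters);
    }

    /**
     * Builds the synchronous encryption client around the stored plain clients.
     *
     * @param s3ClientCreationParameters client settings; must not be null
     * @return the encrypting synchronous client
     * @throws IOException if a custom keyring could not be instantiated
     * @throws IllegalArgumentException if the clients, the parameters or the CSE
     *         materials are missing
     */
    private S3Client createS3EncryptionClient(S3ClientFactory.S3ClientCreationParameters s3ClientCreationParameters) throws IOException {
        Preconditions.checkArgument(this.s3AsyncClient != null, "S3 async client not initialized");
        Preconditions.checkArgument(this.s3Client != null, "S3 client not initialized");
        Preconditions.checkArgument(s3ClientCreationParameters != null, "S3ClientCreationParameters is not initialized");
        // Read the materials only after the null check above; reading them first
        // turned a missing parameter object into a NullPointerException.
        CSEMaterials materials = s3ClientCreationParameters.getClientSideEncryptionMaterials();
        Preconditions.checkArgument(materials != null, "Client side encryption materials are not initialized");

        // SECURITY: both legacy switches are on unconditionally. They widen what the
        // client accepts on the read path (older content-encryption and key-wrapping
        // schemes), so a successful read does not by itself show the object was
        // written with an authenticated scheme. NOTE(review): presumably needed for
        // ranged GETs and for objects written by older clients; confirm before
        // tightening, and prefer making them configurable over removing them.
        S3EncryptionClient.Builder builder = S3EncryptionClient.builder()
                .wrappedAsyncClient(this.s3AsyncClient)
                .wrappedClient(this.s3Client)
                .enableLegacyUnauthenticatedModes(true)
                .enableLegacyWrappingAlgorithms(true);
        switch (materials.getCseKeyType()) {
            case KMS:
                builder.cryptoMaterialsManager(DefaultCryptoMaterialsManager.builder().keyring(createKmsKeyring(s3ClientCreationParameters, materials)).build());
                break;
            case CUSTOM:
                try {
                    builder.cryptoMaterialsManager(DefaultCryptoMaterialsManager.builder().keyring(getKeyringProvider(materials.getCustomKeyringClassName(), materials.getConf())).build());
                    break;
                } catch (RuntimeException e) {
                    throw new IOException("Failed to instantiate a custom keyring provider: " + e, e);
                }
            default:
                // No materials manager is configured for any other key type.
                break;
        }
        return builder.build();
    }

    /**
     * Builds a KMS-backed keyring whose wrapping key is the KMS key id from the
     * CSE materials.
     *
     * <p>The KMS client reuses the S3 credential set when one is present. Its
     * location is chosen in this order: the KMS region, else the S3 region, else
     * the S3 endpoint as an endpoint override.
     *
     * @param s3ClientCreationParameters source of credentials, regions and endpoint
     * @param cSEMaterials source of the KMS key id and the configuration
     * @return the KMS keyring
     */
    private Keyring createKmsKeyring(S3ClientFactory.S3ClientCreationParameters s3ClientCreationParameters, CSEMaterials cSEMaterials) {
        KmsClientBuilder kmsBuilder = KmsClient.builder();
        if (s3ClientCreationParameters.getCredentialSet() != null) {
            kmsBuilder.credentialsProvider(s3ClientCreationParameters.getCredentialSet());
        }
        if (s3ClientCreationParameters.getKmsRegion() != null) {
            kmsBuilder.region(Region.of(s3ClientCreationParameters.getKmsRegion()));
        } else if (s3ClientCreationParameters.getRegion() != null) {
            kmsBuilder.region(Region.of(s3ClientCreationParameters.getRegion()));
        } else if (s3ClientCreationParameters.getEndpoint() != null) {
            // NOTE(review): this sends KMS requests (data-key generation and unwrap)
            // to the endpoint configured for S3. Confirm that endpoint is trusted for,
            // and actually serves, KMS traffic in deployments that set no region.
            kmsBuilder.endpointOverride(getS3Endpoint(s3ClientCreationParameters.getEndpoint(), cSEMaterials.getConf()));
        }
        // The KmsClient is handed to the keyring; nothing in this class closes it.
        // Legacy wrapping algorithms are enabled here as well, matching the clients.
        return KmsKeyring.builder()
                .kmsClient((KmsClient) kmsBuilder.build())
                .wrappingKeyId(cSEMaterials.getKmsKeyId())
                .enableLegacyWrappingAlgorithms(true)
                .build();
    }

    /**
     * Builds the asynchronous encryption client around the stored plain async client.
     *
     * @param s3ClientCreationParameters client settings; must not be null
     * @return the encrypting asynchronous client
     * @throws IOException if a custom keyring could not be instantiated
     * @throws IllegalArgumentException if the async client, the parameters or the
     *         CSE materials are missing
     */
    private S3AsyncClient createS3AsyncEncryptionClient(S3ClientFactory.S3ClientCreationParameters s3ClientCreationParameters) throws IOException {
        Preconditions.checkArgument(this.s3AsyncClient != null, "S3 async client not initialized");
        Preconditions.checkArgument(s3ClientCreationParameters != null, "S3ClientCreationParameters is not initialized");
        CSEMaterials materials = s3ClientCreationParameters.getClientSideEncryptionMaterials();
        Preconditions.checkArgument(materials != null, "Client side encryption materials are not initialized");

        // SECURITY: same hard-coded legacy read-path switches as the synchronous
        // client; keep the two builders in step when either is changed.
        S3AsyncEncryptionClient.Builder builder = S3AsyncEncryptionClient.builder()
                .wrappedClient(this.s3AsyncClient)
                .enableLegacyUnauthenticatedModes(true)
                .enableLegacyWrappingAlgorithms(true);
        switch (materials.getCseKeyType()) {
            case KMS:
                builder.cryptoMaterialsManager(DefaultCryptoMaterialsManager.builder().keyring(createKmsKeyring(s3ClientCreationParameters, materials)).build());
                break;
            case CUSTOM:
                try {
                    builder.cryptoMaterialsManager(DefaultCryptoMaterialsManager.builder().keyring(getKeyringProvider(materials.getCustomKeyringClassName(), materials.getConf())).build());
                    break;
                } catch (RuntimeException e) {
                    throw new IOException("Failed to instantiate a custom keyring provider: " + e, e);
                }
            default:
                // No materials manager is configured for any other key type.
                break;
        }
        return builder.build();
    }

    /**
     * Instantiates the custom keyring named by {@code className}.
     *
     * <p>Two attempts are made through {@link ReflectionUtils}: first the
     * two-argument {@code newInstance(class, conf)}, then, if that throws, a
     * constructor taking a single {@link Configuration}.
     *
     * @param className fully qualified keyring class name
     * @param configuration configuration handed to the keyring
     * @return the keyring instance
     * @throws RuntimeException if both attempts fail
     * @throws IllegalArgumentException if the name is empty or the class is not found
     */
    private Keyring getKeyringProvider(String className, Configuration configuration) {
        Class<? extends Keyring> keyringClass = getCustomKeyringProviderClass(className);
        try {
            return (Keyring) ReflectionUtils.newInstance(keyringClass, configuration);
        } catch (Exception e) {
            LOG.warn("Failed to create Keyring provider", e);
            try {
                return (Keyring) ReflectionUtils.newInstance(keyringClass, configuration, new Class[]{Configuration.class}, new Object[]{configuration});
            } catch (Exception e2) {
                throw new RuntimeException("Failed to create Keyring provider", e2);
            }
        }
    }

    /**
     * Resolves a keyring class name to a class that is known to implement
     * {@link Keyring}.
     *
     * @param className fully qualified class name; must be non-empty
     * @return the class, typed as a {@code Keyring} subclass
     * @throws IllegalArgumentException if the name is null/empty or the class is not found
     * @throws ClassCastException if the class does not implement {@code Keyring}
     */
    private Class<? extends Keyring> getCustomKeyringProviderClass(String className) {
        Preconditions.checkArgument(className != null && !className.isEmpty(), "Custom Keyring class name is null or empty");
        try {
            // Load without initializing: static initializers of the named class run
            // only once it has passed the Keyring type check and is instantiated,
            // not for an arbitrary class that happens to be named in the settings.
            return Class.forName(className, false, EncryptionS3ClientFactory.class.getClassLoader()).asSubclass(Keyring.class);
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("Custom CryptographicMaterialsManager class " + className + " not found", e);
        }
    }
}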
