package com.netflix.spinnaker.kork.artifacts.artifactstore.s3;

import com.netflix.spinnaker.kork.artifacts.ArtifactTypes;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactDecorator;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactReferenceURI;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactStore;
import com.netflix.spinnaker.kork.artifacts.artifactstore.ArtifactStoreURIBuilder;
import com.netflix.spinnaker.kork.artifacts.model.Artifact;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.NoSuchElementException;
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectTaggingRequest;
import software.amazon.awssdk.services.s3.model.HeadObjectRequest;
import software.amazon.awssdk.services.s3.model.NoSuchKeyException;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.Tag;
import software.amazon.awssdk.services.s3.model.Tagging;

/* loaded from: input_file:com/netflix/spinnaker/kork/artifacts/artifactstore/s3/S3ArtifactStore.class */
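/**
 * {@link ArtifactStore} backed by a single S3 bucket.
 *
 * <p>On {@link #store(Artifact)} the artifact's reference content is uploaded under the key
 * produced by the {@link ArtifactStoreURIBuilder} and the object is tagged with
 * {@code application=<application of the current request>}. On
 * {@link #get(ArtifactReferenceURI, ArtifactDecorator...)} that tag is read back and used as the
 * target of a {@code READ} permission check before the object body is returned.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An object without the {@code application} tag is never readable through this class.</li>
 *   <li>When no {@link PermissionEvaluator} was supplied (constructor argument is {@code null}),
 *       the permission check is skipped and any object that carries the tag is readable.</li>
 *   <li>The tag value written by {@code store} comes from the request context; this class does
 *       not itself verify that the caller holds any permission on that application.</li>
 * </ul>
 */
public class S3ArtifactStore extends ArtifactStore {
    private static final Logger log = LogManager.getLogger(S3ArtifactStore.class);

    /**
     * S3 tag key that records the owning application. The same literal is also passed to the
     * permission evaluator as the target type.
     */
    private static final String ENFORCE_PERMS_KEY = "application";

    private final S3Client s3Client;
    private final PermissionEvaluator permissionEvaluator;
    private final String bucket;
    private final ArtifactStoreURIBuilder uriBuilder;
    private final String applicationsRegex;

    /**
     * Creates a store bound to one bucket.
     *
     * @param s3Client client used for every S3 call
     * @param permissionEvaluator evaluator consulted on reads; when {@code null} the read-side
     *     permission check is skipped (only the presence of the tag is required)
     * @param bucket name of the bucket objects are written to and read from
     * @param uriBuilder builds the reference URI / object key for an artifact
     * @param applicationsRegex when non-null, only applications whose name fully matches this
     *     regular expression have their artifacts stored; {@code null} means all applications
     */
    public S3ArtifactStore(
            S3Client s3Client,
            PermissionEvaluator permissionEvaluator,
            String bucket,
            ArtifactStoreURIBuilder uriBuilder,
            String applicationsRegex) {
        this.s3Client = s3Client;
        this.bucket = bucket;
        this.permissionEvaluator = permissionEvaluator;
        this.uriBuilder = uriBuilder;
        this.applicationsRegex = applicationsRegex;
    }

    /**
     * Uploads the artifact's content to S3 and returns a copy that points at the stored object.
     *
     * <p>The artifact is returned unchanged (content still inline) when the request carries no
     * application, or when {@code applicationsRegex} is set and the application does not match.
     *
     * @param artifact artifact whose reference holds the content to store
     * @return a copy of {@code artifact} typed as remote base64 with its reference replaced by
     *     the store URI, or {@code artifact} itself when nothing was stored
     * @throws IllegalArgumentException if the object must be uploaded and the artifact's
     *     reference is {@code null} or is not valid base64 for a {@code /base64} type
     */
    @Override
    public Artifact store(Artifact artifact) {
        // NOTE(review): this value becomes the tag that gates reads in hasAuthorization(). It is
        // taken from the request context and is not checked against the caller's permissions
        // here; confirm that an upstream layer authorizes the caller for this application.
        String application = AuthenticatedRequest.getSpinnakerApplication().orElse(null);
        if (application == null) {
            log.warn("failed to retrieve application from request artifact={}", artifact.getName());
            return artifact;
        }

        // Pattern.matches requires the whole application name to match the configured regex.
        if (this.applicationsRegex != null && !Pattern.matches(this.applicationsRegex, application)) {
            return artifact;
        }

        ArtifactReferenceURI ref = this.uriBuilder.buildArtifactURI(application, artifact);
        Artifact remoteArtifact =
                artifact.toBuilder()
                        .type(ArtifactTypes.REMOTE_BASE64.getMimeType())
                        .reference(ref.uri())
                        .build();

        // An existing object is reused as-is: neither its body nor its application tag is
        // re-checked or rewritten. Whether two applications can ever share a key depends on the
        // URI builder, which is not visible here.
        if (objectExists(ref)) {
            return remoteArtifact;
        }

        Tag applicationTag = Tag.builder().key(ENFORCE_PERMS_KEY).value(application).build();
        PutObjectRequest request =
                PutObjectRequest.builder()
                        .bucket(this.bucket)
                        .key(ref.paths())
                        .tagging(Tagging.builder().tagSet(applicationTag).build())
                        .build();
        this.s3Client.putObject(request, RequestBody.fromBytes(getReferenceAsBytes(artifact)));
        return remoteArtifact;
    }

    /**
     * Returns the raw bytes to upload for an artifact.
     *
     * <p>References of a type ending in {@code /base64} are base64-decoded; anything else is
     * encoded as UTF-8. The charset is pinned so that the stored bytes do not depend on the
     * JVM's platform default.
     *
     * @throws IllegalArgumentException if the reference is {@code null} or not valid base64
     */
    private byte[] getReferenceAsBytes(Artifact artifact) {
        String reference = artifact.getReference();
        if (reference == null) {
            throw new IllegalArgumentException("reference cannot be null");
        }

        String type = artifact.getType();
        if (type != null && type.endsWith("/base64")) {
            return Base64.getDecoder().decode(reference);
        }
        return reference.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Fetches a stored artifact after checking that the caller may read it.
     *
     * <p>The tag lookup used for the permission check and the object download are two separate
     * S3 calls.
     *
     * @param uri reference whose {@code paths()} value is the S3 object key
     * @param decorators optional decorators applied in order to the builder; may be {@code null}
     * @return an artifact typed as remote base64 whose reference is the base64 of the object body
     * @throws NoSuchElementException if the request has no Spinnaker user
     * @throws AuthenticationServiceException if the permission check fails
     */
    @Override
    public Artifact get(ArtifactReferenceURI uri, ArtifactDecorator... decorators) {
        String userId =
                AuthenticatedRequest.getSpinnakerUser()
                        .orElseThrow(
                                () -> new NoSuchElementException(
                                        "Could not authenticate due to missing user id"));
        hasAuthorization(uri, userId);

        GetObjectRequest request =
                GetObjectRequest.builder().bucket(this.bucket).key(uri.paths()).build();
        byte[] body = this.s3Client.getObjectAsBytes(request).asByteArray();
        Artifact.ArtifactBuilder builder =
                Artifact.builder()
                        .type(ArtifactTypes.REMOTE_BASE64.getMimeType())
                        .reference(Base64.getEncoder().encodeToString(body));

        if (decorators == null) {
            return builder.build();
        }
        for (ArtifactDecorator decorator : decorators) {
            builder = decorator.decorate(builder);
        }
        return builder.build();
    }

    /**
     * Enforces read access to a stored object based on its {@code application} tag.
     *
     * <p>Access is denied when the object has no such tag. When a permission evaluator is
     * configured it is asked for {@code READ} on the tag's value; when none is configured the
     * evaluator step is skipped, so a deployment that relies on this check must supply one.
     *
     * <p>{@code userId} is used only in the log line and the exception message. The permission
     * decision is made against the {@link Authentication} held by {@link SecurityContextHolder},
     * which may be {@code null}; how a null authentication is treated is up to the evaluator.
     *
     * @throws AuthenticationServiceException if access is denied. The failure is an
     *     authorization failure; the exception type is kept as-is for existing callers.
     */
    private void hasAuthorization(ArtifactReferenceURI uri, String userId) {
        GetObjectTaggingRequest request =
                GetObjectTaggingRequest.builder().bucket(this.bucket).key(uri.paths()).build();
        Tag applicationTag =
                this.s3Client.getObjectTagging(request).tagSet().stream()
                        .filter(tag -> tag.key().equals(ENFORCE_PERMS_KEY))
                        .findFirst()
                        .orElse(null);

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        boolean permitted =
                applicationTag != null
                        && (this.permissionEvaluator == null
                                || this.permissionEvaluator.hasPermission(
                                        authentication, applicationTag.value(), ENFORCE_PERMS_KEY, "READ"));
        if (!permitted) {
            log.error(
                    "Could not authenticate to retrieve artifact user={} applicationOfStoredArtifact={}",
                    userId,
                    applicationTag == null ? "(none)" : applicationTag.value());
            throw new AuthenticationServiceException(
                    userId + " does not have permission to access this artifact");
        }
    }

    /**
     * Reports whether an object already exists under the reference's key.
     *
     * <p>Only {@link NoSuchKeyException} is treated as "absent"; any other exception from the
     * S3 client propagates to the caller.
     */
    private boolean objectExists(ArtifactReferenceURI uri) {
        HeadObjectRequest request =
                HeadObjectRequest.builder().bucket(this.bucket).key(uri.paths()).build();
        try {
            this.s3Client.headObject(request);
            log.debug("Artifact exists. No need to store. reference={}", uri.uri());
            return true;
        } catch (NoSuchKeyException e) {
            log.info("Artifact does not exist reference={}", uri.uri());
            return false;
        }
    }
}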
