package org.duracloud.s3task.streaminghls;

import com.amazonaws.services.cloudfront.AmazonCloudFrontClient;
import com.amazonaws.services.cloudfront.model.AllowedMethods;
import com.amazonaws.services.cloudfront.model.CacheBehavior;
import com.amazonaws.services.cloudfront.model.CacheBehaviors;
import com.amazonaws.services.cloudfront.model.CloudFrontOriginAccessIdentityConfig;
import com.amazonaws.services.cloudfront.model.CloudFrontOriginAccessIdentitySummary;
import com.amazonaws.services.cloudfront.model.CookiePreference;
import com.amazonaws.services.cloudfront.model.CreateCloudFrontOriginAccessIdentityRequest;
import com.amazonaws.services.cloudfront.model.CreateDistributionRequest;
import com.amazonaws.services.cloudfront.model.CustomOriginConfig;
import com.amazonaws.services.cloudfront.model.DefaultCacheBehavior;
import com.amazonaws.services.cloudfront.model.DistributionConfig;
import com.amazonaws.services.cloudfront.model.DistributionSummary;
import com.amazonaws.services.cloudfront.model.ForwardedValues;
import com.amazonaws.services.cloudfront.model.GetCloudFrontOriginAccessIdentityRequest;
import com.amazonaws.services.cloudfront.model.Headers;
import com.amazonaws.services.cloudfront.model.ItemSelection;
import com.amazonaws.services.cloudfront.model.ListCloudFrontOriginAccessIdentitiesRequest;
import com.amazonaws.services.cloudfront.model.Method;
import com.amazonaws.services.cloudfront.model.Origin;
import com.amazonaws.services.cloudfront.model.OriginProtocolPolicy;
import com.amazonaws.services.cloudfront.model.Origins;
import com.amazonaws.services.cloudfront.model.S3OriginConfig;
import com.amazonaws.services.cloudfront.model.TrustedSigners;
import com.amazonaws.services.cloudfront.model.ViewerProtocolPolicy;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.BucketCrossOriginConfiguration;
import com.amazonaws.services.s3.model.CORSRule;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.duracloud.StorageTaskConstants;
import org.duracloud.s3storage.S3StorageProvider;
import org.duracloud.s3storageprovider.dto.EnableStreamingTaskParameters;
import org.duracloud.s3storageprovider.dto.EnableStreamingTaskResult;
import org.duracloud.s3task.streaminghls.BaseHlsTaskRunner;
import org.duracloud.storage.error.UnsupportedTaskException;
import org.duracloud.storage.provider.StorageProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;

/* loaded from: input_file:WEB-INF/lib/s3storageprovider-6.1.1.jar:org/duracloud/s3task/streaminghls/EnableHlsTaskRunner.class */
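/**
 * Task runner that enables HLS streaming for a space.
 *
 * <p>The task creates (or re-enables) a CloudFront distribution in front of the space's S3
 * bucket, replaces the bucket policy so that a CloudFront origin access identity can read the
 * bucket's objects, sets the bucket's CORS configuration and records the streaming host and
 * streaming type in the space properties.
 *
 * <p>Security-relevant behaviour, all visible in this class:
 * <ul>
 *   <li>OPEN streaming disables trusted signers, so the distribution serves the bucket's
 *       objects to any viewer that knows the distribution URL.</li>
 *   <li>SECURE streaming requires requests to be signed by {@code cfAccountId}, except for the
 *       {@code /cookies} path, which is forwarded unsigned to the DuraCloud host.</li>
 *   <li>The bucket policy is written with {@code setBucketPolicy}, which replaces whatever
 *       policy the bucket had before.</li>
 *   <li>When no allowed origins are supplied, CORS falls back to {@code https://*}.</li>
 * </ul>
 */
public class EnableHlsTaskRunner extends BaseHlsTaskRunner {
    private final Logger log = LoggerFactory.getLogger(EnableHlsTaskRunner.class);
    private static final String TASK_NAME = "enable-hls";

    /**
     * Creates the runner.
     *
     * @param storageProvider provider used to read the space properties
     * @param s3StorageProvider unwrapped S3 provider used to resolve the bucket name and to
     *     write the updated space properties
     * @param amazonS3 S3 client used to set the bucket policy and CORS configuration
     * @param amazonCloudFrontClient CloudFront client used for distributions and origin access
     *     identities
     * @param cfAccountId account id configured as the trusted signer of secure distributions
     * @param dcHost DuraCloud host; used as the custom origin of the {@code /cookies} behaviour
     *     and as an additional CORS origin
     */
    public EnableHlsTaskRunner(StorageProvider storageProvider,
                               S3StorageProvider s3StorageProvider,
                               AmazonS3 amazonS3,
                               AmazonCloudFrontClient amazonCloudFrontClient,
                               String cfAccountId,
                               String dcHost) {
        this.s3Provider = storageProvider;
        this.unwrappedS3Provider = s3StorageProvider;
        this.s3Client = amazonS3;
        this.cfClient = amazonCloudFrontClient;
        this.cfAccountId = cfAccountId;
        this.dcHost = dcHost;
    }

    /**
     * Returns the name under which this task is registered.
     *
     * @return {@code "enable-hls"}
     */
    @Override
    public String getName() {
        return TASK_NAME;
    }

    /**
     * Enables HLS streaming for the space named in the task parameters.
     *
     * <p>An existing distribution for the bucket is reused (and re-enabled if it was disabled)
     * as long as its streaming type matches the requested one; otherwise a new distribution is
     * created. In both cases the bucket policy, the CORS configuration and the space
     * properties are rewritten.
     *
     * @param taskParameters serialized {@link EnableStreamingTaskParameters}
     * @return serialized {@link EnableStreamingTaskResult} carrying the streaming host
     * @throws UnsupportedTaskException if the space already streams with the other streaming
     *     type (OPEN vs SECURE); the existing distribution must be deleted first
     */
    @Override
    public String performTask(String taskParameters) {
        EnableStreamingTaskParameters params = EnableStreamingTaskParameters.deserialize(taskParameters);
        String spaceId = params.getSpaceId();
        boolean isSecure = params.isSecure();
        List<String> allowedOrigins = params.getAllowedOrigins();

        // Parameterized logging keeps the request-supplied space id out of the format string.
        this.log.info("Performing " + TASK_NAME + " task on space {}. Secure streaming set to {}",
                      spaceId, isSecure);

        String bucketName = this.unwrappedS3Provider.getBucketName(spaceId);
        String originAccessId = getOriginAccessId();
        EnableStreamingTaskResult taskResult = new EnableStreamingTaskResult();

        String domainName;
        DistributionSummary existingDistribution = getExistingDistribution(bucketName);
        if (existingDistribution != null) {
            // A distribution counts as secure when its default behaviour lists trusted signers.
            boolean currentlySecure =
                !existingDistribution.getDefaultCacheBehavior().getTrustedSigners().getItems().isEmpty();
            if (isSecure != currentlySecure) {
                // Switching between OPEN and SECURE in place is refused, so an open
                // distribution is never silently treated as a protected one (or vice versa).
                throw new UnsupportedTaskException(
                    TASK_NAME,
                    "The space " + spaceId + " is already configured to stream as "
                    + (isSecure ? "OPEN" : "SECURE") + " and cannot be updated to stream as "
                    + (isSecure ? "SECURE" : "OPEN") + ". To do this, you must first execute the "
                    + StorageTaskConstants.DELETE_HLS_TASK_NAME + " task.");
            }
            if (!existingDistribution.isEnabled().booleanValue()) {
                setDistributionState(existingDistribution.getId(), true);
            }
            // NOTE(review): only the enabled flag is touched here; the origins and cache
            // behaviours of a reused distribution are not compared with what a fresh
            // distribution would get.
            domainName = existingDistribution.getDomainName();
        } else {
            domainName = createHlsDistribution(spaceId, bucketName, originAccessId, isSecure);
        }

        setBucketAccessPolicy(bucketName, originAccessId);
        setCorsPolicy(bucketName, allowedOrigins, this.dcHost);

        Map<String, String> spaceProperties = this.s3Provider.getSpaceProperties(spaceId);
        spaceProperties.put("hls-streaming-host", domainName);
        spaceProperties.put("hls-streaming-type",
                            isSecure ? BaseHlsTaskRunner.STREAMING_TYPE.SECURE.name()
                                     : BaseHlsTaskRunner.STREAMING_TYPE.OPEN.name());
        this.unwrappedS3Provider.setNewSpaceProperties(spaceId, spaceProperties);

        taskResult.setResult(TASK_NAME + " task completed successfully");
        taskResult.setStreamingHost(domainName);
        String serialized = taskResult.serialize();
        this.log.info("Result of " + TASK_NAME + " task: {}", serialized);
        return serialized;
    }

    /**
     * Creates a new, enabled CloudFront distribution for the bucket and returns its domain name.
     *
     * @param spaceId space id, used only in the distribution comment
     * @param bucketName S3 bucket that backs the space
     * @param originAccessId origin access identity CloudFront uses to read the bucket
     * @param secure whether viewers must present requests signed by {@code cfAccountId}
     * @return domain name of the created distribution
     */
    private String createHlsDistribution(String spaceId,
                                         String bucketName,
                                         String originAccessId,
                                         boolean secure) {
        Origin s3Origin = new Origin()
            .withDomainName(bucketName + ".s3.amazonaws.com")
            .withS3OriginConfig(new S3OriginConfig()
                .withOriginAccessIdentity("origin-access-identity/cloudfront/" + originAccessId))
            .withId("S3-" + bucketName);

        // Trusted signers are the access control of a SECURE distribution. With them disabled
        // (OPEN) the bucket content is readable by anyone who can reach the distribution.
        TrustedSigners trustedSigners = new TrustedSigners();
        if (secure) {
            trustedSigners.setItems(Collections.singletonList(this.cfAccountId));
            trustedSigners.setEnabled(true);
            trustedSigners.setQuantity(1);
        } else {
            trustedSigners.setEnabled(false);
            trustedSigners.setQuantity(0);
        }

        DefaultCacheBehavior defaultCacheBehavior = new DefaultCacheBehavior();
        defaultCacheBehavior.setTrustedSigners(trustedSigners);
        // Plain-HTTP viewer requests are redirected to HTTPS rather than served.
        defaultCacheBehavior.setViewerProtocolPolicy(ViewerProtocolPolicy.RedirectToHttps);
        // Read-only methods plus OPTIONS, which CORS preflight requests need.
        defaultCacheBehavior.setAllowedMethods(
            new AllowedMethods().withItems(Method.GET, Method.HEAD, Method.OPTIONS).withQuantity(3));
        // Only the CORS request headers reach S3; query strings and cookies are not forwarded.
        defaultCacheBehavior.setForwardedValues(
            new ForwardedValues()
                .withQueryString(false)
                .withCookies(new CookiePreference().withForward(ItemSelection.None))
                .withHeaders(new Headers()
                    .withItems(HttpHeaders.ORIGIN,
                               HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS,
                               HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD)
                    .withQuantity(3)));
        defaultCacheBehavior.setMinTTL(0L);
        defaultCacheBehavior.setTargetOriginId(s3Origin.getId());

        Origins origins;
        CacheBehaviors cacheBehaviors = new CacheBehaviors();
        if (secure) {
            // The second origin is the DuraCloud host itself, reached over HTTPS only.
            CustomOriginConfig customOriginConfig = new CustomOriginConfig()
                .withOriginProtocolPolicy(OriginProtocolPolicy.HttpsOnly)
                .withHTTPPort(80)
                .withHTTPSPort(443);
            String customOriginId = "Custom origin - " + this.dcHost + "/durastore/aux";
            Origin customOrigin = new Origin()
                .withDomainName(this.dcHost)
                .withOriginPath("/durastore/aux")
                .withId(customOriginId)
                .withCustomOriginConfig(customOriginConfig);
            origins = new Origins().withItems(s3Origin, customOrigin).withQuantity(2);

            // NOTE(security): /cookies is the one path of a SECURE distribution that accepts
            // unsigned requests; all cookies and the query string are passed through to the
            // DuraCloud host, so any authorization for this path has to be enforced there.
            // Presumably this is the endpoint that hands out the signed cookies (confirm
            // against the /durastore/aux handler).
            CacheBehavior cookiesBehavior = new CacheBehavior()
                .withPathPattern("/cookies")
                .withTargetOriginId(customOriginId)
                .withViewerProtocolPolicy(ViewerProtocolPolicy.RedirectToHttps)
                .withAllowedMethods(new AllowedMethods().withItems(Method.GET, Method.HEAD).withQuantity(2))
                .withForwardedValues(new ForwardedValues()
                    .withQueryString(true)
                    .withCookies(new CookiePreference().withForward(ItemSelection.All)))
                .withTrustedSigners(new TrustedSigners().withEnabled(false).withQuantity(0))
                .withMinTTL(0L);
            cacheBehaviors = cacheBehaviors.withItems(cookiesBehavior).withQuantity(1);
        } else {
            origins = new Origins().withItems(s3Origin).withQuantity(1);
        }

        DistributionConfig distributionConfig = new DistributionConfig()
            .withCallerReference("" + System.currentTimeMillis())
            .withOrigins(origins)
            .withEnabled(true)
            .withComment("HLS streaming for space: " + spaceId)
            .withDefaultCacheBehavior(defaultCacheBehavior);
        if (secure) {
            distributionConfig.setCacheBehaviors(cacheBehaviors);
        }

        return this.cfClient.createDistribution(new CreateDistributionRequest(distributionConfig))
                            .getDistribution()
                            .getDomainName();
    }

    /**
     * Returns the id of an origin access identity, creating one when the account has none.
     *
     * @return id of the existing or newly created origin access identity
     */
    private String getOriginAccessId() {
        String existingOriginAccessId = getExistingOriginAccessId();
        if (existingOriginAccessId != null) {
            return existingOriginAccessId;
        }
        CloudFrontOriginAccessIdentityConfig identityConfig = new CloudFrontOriginAccessIdentityConfig()
            .withCallerReference("" + System.currentTimeMillis())
            .withComment("DuraCloud Origin Access ID");
        return this.cfClient
            .createCloudFrontOriginAccessIdentity(new CreateCloudFrontOriginAccessIdentityRequest(identityConfig))
            .getCloudFrontOriginAccessIdentity()
            .getId();
    }

    /**
     * Returns the id of the first origin access identity listed for the account.
     *
     * <p>NOTE(security): the first listed identity is taken as-is; it is not matched against
     * the "DuraCloud Origin Access ID" comment used when this class creates one. In an account
     * that holds identities created for other purposes, the bucket policy written by
     * {@code setBucketAccessPolicy} would grant read access to whichever identity is listed
     * first. Confirm that the account is dedicated, or filter by comment.
     *
     * @return the identity id, or {@code null} when the account has no identity
     */
    private String getExistingOriginAccessId() {
        List<CloudFrontOriginAccessIdentitySummary> identities = this.cfClient
            .listCloudFrontOriginAccessIdentities(new ListCloudFrontOriginAccessIdentitiesRequest())
            .getCloudFrontOriginAccessIdentityList()
            .getItems();
        if (identities == null || identities.isEmpty()) {
            return null;
        }
        return identities.get(0).getId();
    }

    /**
     * Writes a bucket policy that lets the origin access identity read every object.
     *
     * <p>The policy contains a single statement: {@code s3:GetObject} on
     * {@code arn:aws:s3:::<bucket>/*} for the identity's S3 canonical user.
     *
     * @param bucketName bucket whose policy is written
     * @param originAccessId origin access identity to grant read access to
     */
    private void setBucketAccessPolicy(String bucketName, String originAccessId) {
        String s3CanonicalUserId = this.cfClient
            .getCloudFrontOriginAccessIdentity(new GetCloudFrontOriginAccessIdentityRequest(originAccessId))
            .getCloudFrontOriginAccessIdentity()
            .getS3CanonicalUserId();

        // The JSON is assembled by concatenation without escaping. Both inserted values come
        // from services (the canonical user id from CloudFront, the bucket name from the
        // storage provider), not directly from the task parameters.
        // NOTE(review): confirm getBucketName() cannot return characters that are special in JSON.
        StringBuilder policy = new StringBuilder();
        policy.append("{\"Version\":\"2012-10-17\",");
        policy.append("\"Id\":\"PolicyForCloudFrontPrivateContent\",");
        policy.append("\"Statement\":[{");
        policy.append("\"Sid\":\"Grant CloudFront access to private content\",");
        policy.append("\"Effect\":\"Allow\",");
        policy.append("\"Principal\":{\"CanonicalUser\":\"" + s3CanonicalUserId + "\"},");
        policy.append("\"Action\":\"s3:GetObject\",");
        policy.append("\"Resource\":\"arn:aws:s3:::" + bucketName + "/*\"");
        policy.append("}]}");

        // setBucketPolicy replaces the whole policy: statements added to the bucket by other
        // means (deny rules, TLS-only conditions, other grants) are dropped by this call.
        this.s3Client.setBucketPolicy(bucketName, policy.toString());
    }

    /**
     * Sets the bucket's CORS configuration: one rule per allowed origin, GET and HEAD only.
     *
     * <p>The caller's list is copied rather than modified; the previous implementation appended
     * the DuraCloud host to the list it was given, which changed the caller's data and failed
     * on an unmodifiable list.
     *
     * @param bucketName bucket whose CORS configuration is replaced
     * @param allowedOrigins origins supplied with the task; may be {@code null} or empty
     * @param host DuraCloud host, added as {@code https://<host>} when origins are supplied
     */
    private void setCorsPolicy(String bucketName, List<String> allowedOrigins, String host) {
        List<String> origins = new ArrayList<>();
        if (allowedOrigins == null || allowedOrigins.isEmpty()) {
            // NOTE(security): with no explicit origins, pages on any HTTPS origin may read
            // responses cross-origin. Pass an allowedOrigins list to restrict embedding; for
            // SECURE streaming, access still depends on the distribution's trusted signers.
            origins.add("https://*");
        } else {
            origins.addAll(allowedOrigins);
            origins.add("https://" + host);
        }

        List<CORSRule> rules = new ArrayList<>();
        for (String origin : origins) {
            CORSRule rule = new CORSRule();
            rule.setAllowedOrigins(origin);
            rule.setAllowedMethods(CORSRule.AllowedMethods.GET, CORSRule.AllowedMethods.HEAD);
            rule.setMaxAgeSeconds(3000);
            rule.setAllowedHeaders("*");
            rules.add(rule);
        }
        this.s3Client.setBucketCrossOriginConfiguration(
            bucketName, new BucketCrossOriginConfiguration().withRules(rules));
    }
}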
