package io.guise.mummy.deploy.aws;

import com.globalmentor.collections.Sets;
import com.globalmentor.collections.iterables.Iterables;
import com.globalmentor.net.DomainName;
import com.globalmentor.net.ResourceRecord;
import com.globalmentor.net.URIs;
import io.clogr.Clogged;
import io.confound.config.Configuration;
import io.confound.config.ConfigurationException;
import io.guise.mummy.Artifact;
import io.guise.mummy.MummyContext;
import io.guise.mummy.SourcePathArtifact;
import io.guise.mummy.deploy.ContentDeliveryTarget;
import io.guise.mummy.deploy.DeployTarget;
import io.guise.mummy.deploy.Dns;
import java.io.IOException;
import java.net.URI;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.zalando.fauxpas.FauxPas;
import org.zalando.fauxpas.ThrowingConsumer;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.acm.AcmClient;
import software.amazon.awssdk.services.acm.AcmClientBuilder;
import software.amazon.awssdk.services.acm.model.CertificateDetail;
import software.amazon.awssdk.services.acm.model.CertificateSummary;
import software.amazon.awssdk.services.acm.model.DomainStatus;
import software.amazon.awssdk.services.acm.model.DomainValidation;
import software.amazon.awssdk.services.acm.model.ResourceRecord;
import software.amazon.awssdk.services.acm.model.ValidationMethod;
import software.amazon.awssdk.services.cloudfront.CloudFrontClient;
import software.amazon.awssdk.services.cloudfront.CloudFrontClientBuilder;
import software.amazon.awssdk.services.cloudfront.model.Aliases;
import software.amazon.awssdk.services.cloudfront.model.CookiePreference;
import software.amazon.awssdk.services.cloudfront.model.CustomOriginConfig;
import software.amazon.awssdk.services.cloudfront.model.DefaultCacheBehavior;
import software.amazon.awssdk.services.cloudfront.model.Distribution;
import software.amazon.awssdk.services.cloudfront.model.DistributionConfig;
import software.amazon.awssdk.services.cloudfront.model.DistributionList;
import software.amazon.awssdk.services.cloudfront.model.DistributionSummary;
import software.amazon.awssdk.services.cloudfront.model.ItemSelection;
import software.amazon.awssdk.services.cloudfront.model.ListDistributionsRequest;
import software.amazon.awssdk.services.cloudfront.model.Origin;
import software.amazon.awssdk.services.cloudfront.model.OriginProtocolPolicy;
import software.amazon.awssdk.services.cloudfront.model.SSLSupportMethod;
import software.amazon.awssdk.services.cloudfront.model.ViewerCertificate;
import software.amazon.awssdk.services.cloudfront.model.ViewerProtocolPolicy;

/* loaded from: input_file:io/guise/mummy/deploy/aws/CloudFront.class */
public class CloudFront implements ContentDeliveryTarget, Clogged {
    public static final Region ACM_REGION;
    public static final String USER_AGENT_IDENTIFICATION = "Amazon CloudFront";
    private final String profile;
    private final AcmClient acmClient;
    private final CloudFrontClient cloudFrontClient;
    private String acmCertificateArn;
    public static final long CERTIFICATE_VALIDATION_DNS_TTL = 300;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* renamed from: io.guise.mummy.deploy.aws.CloudFront$1, reason: invalid class name */
    /* loaded from: input_file:io/guise/mummy/deploy/aws/CloudFront$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$software$amazon$awssdk$services$acm$model$DomainStatus = new int[DomainStatus.values().length];

        static {
            try {
                $SwitchMap$software$amazon$awssdk$services$acm$model$DomainStatus[DomainStatus.SUCCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$software$amazon$awssdk$services$acm$model$DomainStatus[DomainStatus.PENDING_VALIDATION.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$software$amazon$awssdk$services$acm$model$DomainStatus[DomainStatus.FAILED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    @Override // io.guise.mummy.deploy.DeployTarget
    public Set<String> getSupportedProtocols() {
        return Set.of("https");
    }

    @Override // io.guise.mummy.deploy.ContentDeliveryTarget
    public Set<String> getUserAgentIdentifications() {
        return Set.of(USER_AGENT_IDENTIFICATION);
    }

    public final Optional<String> getProfile() {
        return Optional.of(this.profile);
    }

    protected AcmClient getAcmClient() {
        return this.acmClient;
    }

    protected CloudFrontClient getCloudFrontClient() {
        return this.cloudFrontClient;
    }

    public Optional<String> getAcmCertificateArn() {
        return Optional.of(this.acmCertificateArn);
    }

    public CloudFront(@Nonnull MummyContext mummyContext, @Nonnull Configuration configuration) {
        this((String) mummyContext.getConfiguration().findString(AWS.CONFIG_KEY_DEPLOY_AWS_PROFILE).orElse(null));
    }

    public CloudFront(@Nullable String str) {
        this.profile = str;
        AcmClientBuilder region = AcmClient.builder().region(ACM_REGION);
        if (str != null) {
            region.credentialsProvider(ProfileCredentialsProvider.create(str));
        }
        this.acmClient = (AcmClient) region.build();
        CloudFrontClientBuilder region2 = CloudFrontClient.builder().region(Region.AWS_GLOBAL);
        if (str != null) {
            region2.credentialsProvider(ProfileCredentialsProvider.create(str));
        }
        this.cloudFrontClient = (CloudFrontClient) region2.build();
    }

    @Override // io.guise.mummy.deploy.ContentDeliveryTarget
    public S3Website getOriginTarget(MummyContext mummyContext) throws ConfigurationException {
        Stream<DeployTarget> stream = mummyContext.getDeployTargets().orElseThrow(IllegalStateException::new).stream();
        Class<S3Website> cls = S3Website.class;
        Objects.requireNonNull(S3Website.class);
        Stream<DeployTarget> filter = stream.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<S3Website> cls2 = S3Website.class;
        Objects.requireNonNull(S3Website.class);
        return (S3Website) filter.map((v1) -> {
            return r1.cast(v1);
        }).findFirst().orElseThrow(() -> {
            return new ConfigurationException("CloudFront deployement currently requires an S3 target to be configured first.");
        });
    }

    @Override // io.guise.mummy.deploy.DeployTarget
    public void prepare(MummyContext mummyContext) throws IOException {
        String certificateArn;
        try {
            AcmClient acmClient = getAcmClient();
            Logger logger = getLogger();
            S3Website originTarget = getOriginTarget(mummyContext);
            String bucket = originTarget.getBucket();
            Set<String> altBuckets = originTarget.getAltBuckets();
            Set<CertificateSummary> certificateSummariesByDomainName = getCertificateSummariesByDomainName(acmClient, bucket);
            for (CertificateSummary certificateSummary : certificateSummariesByDomainName) {
                logger.debug("Certificate with ARN `{}` exists for domain name `{}`.", certificateSummary.certificateArn(), certificateSummary.domainName());
            }
            if (certificateSummariesByDomainName.isEmpty()) {
                logger.info("Requesting certificate for domain name `{}` and alternative names `{}`.", bucket, altBuckets);
                certificateArn = acmClient.requestCertificate(builder -> {
                    builder.domainName(bucket);
                    if (!altBuckets.isEmpty()) {
                        builder.subjectAlternativeNames(altBuckets);
                    }
                    builder.validationMethod(ValidationMethod.DNS);
                }).certificateArn();
            } else {
                if (certificateSummariesByDomainName.size() > 1) {
                    throw new IOException(String.format("Multiple certificates per domain not supported; please remove all but one certificates for domain `%s`.", bucket));
                }
                certificateArn = ((CertificateSummary) Iterables.getOnly(certificateSummariesByDomainName)).certificateArn();
            }
            if (!$assertionsDisabled && certificateArn == null) {
                throw new AssertionError();
            }
            this.acmCertificateArn = certificateArn;
            CertificateDetail certificateDetail = null;
            int i = 1;
            while (true) {
                if (i > TimeUnit.MINUTES.toSeconds(1L)) {
                    break;
                }
                String str = certificateArn;
                CertificateDetail certificate = acmClient.describeCertificate(builder2 -> {
                    builder2.certificateArn(str);
                }).certificate();
                boolean z = true;
                if (certificate.domainName() != null) {
                    Iterator it = certificate.domainValidationOptions().iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        DomainValidation domainValidation = (DomainValidation) it.next();
                        if (domainValidation.validationMethod().equals(ValidationMethod.DNS) && domainValidation.resourceRecord() == null) {
                            z = false;
                            break;
                        }
                    }
                } else {
                    z = false;
                }
                if (z) {
                    certificateDetail = certificate;
                    break;
                } else {
                    try {
                        logger.info("Waiting for requested certificate `{}` to be recognized...", certificateArn);
                        TimeUnit.SECONDS.sleep(i);
                    } catch (InterruptedException e) {
                    }
                    i *= 2;
                }
            }
            if (certificateDetail == null) {
                throw new IOException(String.format("Requested certificate `%s` was never recognized. Correct any problems, perhaps wait a while longer, and deploy again.", certificateArn));
            }
            if (!Set.copyOf(certificateDetail.subjectAlternativeNames()).equals(Sets.immutableSetOf(altBuckets, new String[]{bucket}))) {
                logger.warn("Certificate `{}` alternate names `{}` do not match site domain {} and aliases `{}`.", new Object[]{certificateArn, List.copyOf(certificateDetail.subjectAlternativeNames()), bucket, altBuckets});
            }
            List<DomainValidation> domainValidationOptions = certificateDetail.domainValidationOptions();
            LinkedHashSet linkedHashSet = new LinkedHashSet(domainValidationOptions.size());
            for (DomainValidation domainValidation2 : domainValidationOptions) {
                switch (AnonymousClass1.$SwitchMap$software$amazon$awssdk$services$acm$model$DomainStatus[domainValidation2.validationStatus().ordinal()]) {
                    case SourcePathArtifact.POST_FILENAME_PATTERN_DATE_GROUP /* 1 */:
                        logger.debug("Certificate `{}` for domain name `{}` has been validated.", certificateArn, domainValidation2.domainName());
                        break;
                    case SourcePathArtifact.POST_FILENAME_PATTERN_YEAR_GROUP /* 2 */:
                        if (domainValidation2.validationMethod().equals(ValidationMethod.DNS)) {
                            ResourceRecord resourceRecord = domainValidation2.resourceRecord();
                            Optional<Dns> deployDns = mummyContext.getDeployDns();
                            String str2 = certificateArn;
                            ThrowingConsumer throwingConsumer = FauxPas.throwingConsumer(dns -> {
                                logger.info("Setting DNS entry [{}] `{}` = `{}` for certificate `{}` validation for domain name `{}`.", new Object[]{resourceRecord.typeAsString(), resourceRecord.name(), resourceRecord.value(), str2, domainValidation2.domainName()});
                                dns.setResourceRecord(resourceRecord.typeAsString(), DomainName.of(resourceRecord.name()), resourceRecord.value(), 300L);
                            });
                            String str3 = certificateArn;
                            deployDns.ifPresentOrElse(throwingConsumer, () -> {
                                logger.warn("No DNS configured. To validate certificate `{}` for domain name `{}`, resource record [{}] `{}` = `{}` must be set in the DNS manually.", new Object[]{str3, domainValidation2.domainName(), resourceRecord.typeAsString(), resourceRecord.name(), resourceRecord.value()});
                            });
                        } else {
                            logger.warn("Certificate `{}` specifies an unknown validation method `{}` for domain name `{}` and must be performed manually.", new Object[]{certificateArn, domainValidation2.validationMethod(), domainValidation2.domainName()});
                        }
                        linkedHashSet.add(domainValidation2.domainName());
                        break;
                    case SourcePathArtifact.POST_FILENAME_PATTERN_MONTH_GROUP /* 3 */:
                        throw new IOException(String.format("Certificate `%s` for domain name `%s` failed validation: `%s`. Please delete the certificate, correct any problems, and deploy again.", certificateArn, domainValidation2.domainName(), certificateDetail.failureReason()));
                    default:
                        throw new IOException(String.format("Unable to validate certificate `%s` for domain name `%s`; validation status indicates `%s`. Please delete the certificate and deploy again.", certificateArn, domainValidation2.domainName(), domainValidation2.validationStatus()));
                }
            }
            if (!linkedHashSet.isEmpty()) {
                throw new IOException(String.format("Certificate `%s` is still pending validation for domain names %s. Make sure your domain is configured with the correct NS records for your DNS, wait for the certificate to finish validating, and initiate deployment again.", certificateArn, linkedHashSet));
            }
        } catch (SdkException e2) {
            throw new IOException((Throwable) e2);
        }
    }

    @Override // io.guise.mummy.deploy.DeployTarget
    public Optional<URI> deploy(MummyContext mummyContext, Artifact artifact) throws IOException {
        String id;
        DomainName of;
        try {
            CloudFrontClient cloudFrontClient = getCloudFrontClient();
            Logger logger = getLogger();
            getProfile().ifPresent(str -> {
                getLogger().info("Using AWS CloudFront credentials profile `{}`.", str);
            });
            Stream<DeployTarget> stream = mummyContext.getDeployTargets().orElseThrow(IllegalStateException::new).stream();
            Class<S3> cls = S3.class;
            Objects.requireNonNull(S3.class);
            Stream<DeployTarget> filter = stream.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<S3> cls2 = S3.class;
            Objects.requireNonNull(S3.class);
            S3 s3 = (S3) filter.map((v1) -> {
                return r1.cast(v1);
            }).findFirst().orElseThrow(() -> {
                return new ConfigurationException("CloudFront deployement currently requires an S3 target to be configured first.");
            });
            Region region = s3.getRegion();
            Stream<String> buckets = s3.buckets();
            Objects.requireNonNull(buckets);
            Iterable<String> iterable = buckets::iterator;
            for (String str2 : iterable) {
                Set<DistributionSummary> distributionSummariesByAliases = getDistributionSummariesByAliases(cloudFrontClient, Set.of(str2));
                for (DistributionSummary distributionSummary : distributionSummariesByAliases) {
                    logger.debug("Distribution ID `{}` (ARN `{}`) exists for S3 bucket `{}`.", new Object[]{distributionSummary.id(), distributionSummary.arn(), str2});
                }
                if (distributionSummariesByAliases.isEmpty()) {
                    logger.info("Creating distribution for S3 bucket `{}`.", str2);
                    StringBuilder sb = new StringBuilder();
                    sb.append("Created by ").append(mummyContext.getMummifierIdentification());
                    sb.append(" on ").append(LocalDate.now());
                    sb.append(".");
                    Origin origin = (Origin) Origin.builder().id(str2).domainName(S3Website.getBucketWebsiteEndpoint(str2, region)).customOriginConfig((CustomOriginConfig) CustomOriginConfig.builder().httpPort(80).httpsPort(443).originProtocolPolicy(OriginProtocolPolicy.HTTP_ONLY).build()).build();
                    Aliases aliases = (Aliases) Aliases.builder().items(new String[]{str2}).quantity(1).build();
                    ViewerCertificate viewerCertificate = (ViewerCertificate) ViewerCertificate.builder().acmCertificateArn(getAcmCertificateArn().orElseThrow(IllegalStateException::new)).sslSupportMethod(SSLSupportMethod.SNI_ONLY).build();
                    CookiePreference cookiePreference = (CookiePreference) CookiePreference.builder().forward(ItemSelection.NONE).build();
                    DistributionConfig distributionConfig = (DistributionConfig) DistributionConfig.builder().origins(builder -> {
                        builder.items(new Origin[]{origin}).quantity(1);
                    }).aliases(aliases).defaultCacheBehavior((DefaultCacheBehavior) DefaultCacheBehavior.builder().viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS).forwardedValues(builder2 -> {
                        builder2.queryString(false).cookies(cookiePreference);
                    }).targetOriginId(origin.id()).trustedSigners(builder3 -> {
                        builder3.enabled(false).quantity(0);
                    }).minTTL(0L).build()).viewerCertificate(viewerCertificate).enabled(true).callerReference(UUID.randomUUID().toString()).comment(sb.toString()).build();
                    Distribution distribution = cloudFrontClient.createDistribution(builder4 -> {
                        builder4.distributionConfig(distributionConfig);
                    }).distribution();
                    id = distribution.id();
                    of = DomainName.of(distribution.domainName());
                } else {
                    if (distributionSummariesByAliases.size() > 1) {
                        throw new IOException(String.format("Multiple distributions found with an alias for bucket `%s`; all but one must be removed.", str2));
                    }
                    DistributionSummary distributionSummary2 = (DistributionSummary) Iterables.getOnly(distributionSummariesByAliases);
                    id = distributionSummary2.id();
                    of = DomainName.of(distributionSummary2.domainName());
                }
                DomainName resolve = DomainName.ROOT.resolve(DomainName.of(str2));
                Optional<Dns> deployDns = mummyContext.getDeployDns();
                Class<Route53> cls3 = Route53.class;
                Objects.requireNonNull(Route53.class);
                Optional<Dns> filter2 = deployDns.filter((v1) -> {
                    return r1.isInstance(v1);
                });
                Class<Route53> cls4 = Route53.class;
                Objects.requireNonNull(Route53.class);
                Optional<U> map = filter2.map((v1) -> {
                    return r1.cast(v1);
                });
                String str3 = id;
                DomainName domainName = of;
                ThrowingConsumer throwingConsumer = FauxPas.throwingConsumer(route53 -> {
                    logger.info("Setting DNS alias [A] record for domain name `{}` to CloudFront distribution `{}` domain `{}`.", new Object[]{resolve, str3, domainName});
                    route53.setAliasResourceRecord(ResourceRecord.Type.A, resolve, domainName.toString(), Route53.CLOUDFRONT_ALIAS_HOSTED_ZONE_ID);
                });
                String str4 = id;
                DomainName domainName2 = of;
                map.ifPresentOrElse(throwingConsumer, () -> {
                    logger.warn("No Route 53 DNS configured; an alias for domain name `{}` to CloudFront distribution `{}` domain `{}` must be set in the Route 53 manually if desired.", new Object[]{resolve, str4, domainName2});
                });
            }
            return Optional.of(URIs.createURI("https", (String) null, s3.getBucket(), -1, URIs.ROOT_PATH, (String) null, (String) null));
        } catch (SdkException e) {
            throw new IOException((Throwable) e);
        }
    }

    protected static Set<CertificateSummary> getCertificateSummariesByDomainName(@Nonnull AcmClient acmClient, @Nonnull String str) throws SdkException {
        Objects.requireNonNull(str);
        Stream<CertificateSummary> filter = certificateSummaries(acmClient).filter(certificateSummary -> {
            return certificateSummary.domainName().equals(str);
        });
        try {
            Set<CertificateSummary> set = (Set) filter.collect(Collectors.toSet());
            if (filter != null) {
                filter.close();
            }
            return set;
        } catch (Throwable th) {
            if (filter != null) {
                try {
                    filter.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    protected static Stream<CertificateSummary> certificateSummaries(@Nonnull AcmClient acmClient) throws SdkException {
        return acmClient.listCertificatesPaginator().stream().flatMap(listCertificatesResponse -> {
            return listCertificatesResponse.certificateSummaryList().stream();
        });
    }

    protected static Set<DistributionSummary> getDistributionSummariesByAliases(@Nonnull CloudFrontClient cloudFrontClient, @Nonnull Set<String> set) throws SdkException {
        Objects.requireNonNull(set);
        Stream<DistributionSummary> filter = distributionSummaries(cloudFrontClient).filter(distributionSummary -> {
            return Set.copyOf(distributionSummary.aliases().items()).equals(set);
        });
        try {
            Set<DistributionSummary> set2 = (Set) filter.collect(Collectors.toSet());
            if (filter != null) {
                filter.close();
            }
            return set2;
        } catch (Throwable th) {
            if (filter != null) {
                try {
                    filter.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    protected static Stream<DistributionSummary> distributionSummaries(@Nonnull CloudFrontClient cloudFrontClient) throws SdkException {
        DistributionList distributionList;
        ArrayList arrayList = new ArrayList();
        ListDistributionsRequest listDistributionsRequest = (ListDistributionsRequest) ListDistributionsRequest.builder().build();
        do {
            distributionList = cloudFrontClient.listDistributions(listDistributionsRequest).distributionList();
            arrayList.addAll(distributionList.items());
            listDistributionsRequest = (ListDistributionsRequest) ListDistributionsRequest.builder().marker(distributionList.nextMarker()).build();
        } while (distributionList.isTruncated().booleanValue());
        return arrayList.stream();
    }

    static {
        $assertionsDisabled = !CloudFront.class.desiredAssertionStatus();
        ACM_REGION = Region.US_EAST_1;
    }
}
