package org.apache.nifi.controller.repository.crypto;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.file.Path;
import java.util.Objects;
import javax.crypto.CipherOutputStream;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.controller.repository.FileSystemRepository;
import org.apache.nifi.controller.repository.claim.ContentClaim;
import org.apache.nifi.controller.repository.claim.ResourceClaim;
import org.apache.nifi.controller.repository.claim.StandardContentClaim;
import org.apache.nifi.repository.encryption.AesCtrStreamRepositoryEncryptor;
import org.apache.nifi.repository.encryption.RepositoryEncryptor;
import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType;
import org.apache.nifi.repository.encryption.configuration.EncryptionMetadataHeader;
import org.apache.nifi.repository.encryption.configuration.kms.StandardRepositoryKeyProviderFactory;
import org.apache.nifi.stream.io.ByteCountingOutputStream;
import org.apache.nifi.stream.io.NonCloseableOutputStream;
import org.apache.nifi.stream.io.StreamUtils;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/controller/repository/crypto/EncryptedFileSystemRepository.class */
public class EncryptedFileSystemRepository extends FileSystemRepository {
    private static final Logger logger = LoggerFactory.getLogger(EncryptedFileSystemRepository.class);
    private RepositoryEncryptor<OutputStream, InputStream> repositoryEncryptor;
    private String keyId;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/nifi/controller/repository/crypto/EncryptedFileSystemRepository$EncryptedContentRepositoryOutputStream.class */
    public class EncryptedContentRepositoryOutputStream extends FileSystemRepository.ContentRepositoryOutputStream {
        private final CipherOutputStream cipherOutputStream;
        private final long startingOffset;

        EncryptedContentRepositoryOutputStream(StandardContentClaim standardContentClaim, ByteCountingOutputStream byteCountingOutputStream, String str, long j) {
            super(EncryptedFileSystemRepository.this, standardContentClaim, byteCountingOutputStream, 0);
            this.startingOffset = j;
            this.cipherOutputStream = (CipherOutputStream) EncryptedFileSystemRepository.this.repositoryEncryptor.encrypt(new NonCloseableOutputStream(byteCountingOutputStream), str, EncryptedFileSystemRepository.this.keyId);
        }

        @Override // org.apache.nifi.controller.repository.FileSystemRepository.ContentRepositoryOutputStream
        public String toString() {
            return "EncryptedFileSystemRepository Stream [" + this.scc + "]";
        }

        @Override // org.apache.nifi.controller.repository.FileSystemRepository.ContentRepositoryOutputStream, java.io.OutputStream
        public synchronized void write(int i) throws IOException {
            ByteBuffer allocate = ByteBuffer.allocate(4);
            allocate.putInt(i);
            writeBytes(allocate.array(), 0, 4);
        }

        @Override // org.apache.nifi.controller.repository.FileSystemRepository.ContentRepositoryOutputStream, java.io.OutputStream
        public synchronized void write(byte[] bArr) throws IOException {
            writeBytes(bArr, 0, bArr.length);
        }

        @Override // org.apache.nifi.controller.repository.FileSystemRepository.ContentRepositoryOutputStream, java.io.OutputStream
        public synchronized void write(byte[] bArr, int i, int i2) throws IOException {
            writeBytes(bArr, i, i2);
        }

        private void writeBytes(byte[] bArr, int i, int i2) throws IOException {
            if (this.closed) {
                throw new IOException("Stream is closed");
            }
            try {
                this.cipherOutputStream.write(bArr, i, i2);
                this.scc.setLength(this.bcos.getBytesWritten() - this.startingOffset);
            } catch (IOException e) {
                this.recycle = false;
                throw new IOException("Failed to write to " + this, e);
            }
        }

        @Override // org.apache.nifi.controller.repository.FileSystemRepository.ContentRepositoryOutputStream, java.io.OutputStream, java.io.Flushable
        public synchronized void flush() throws IOException {
            if (this.closed) {
                throw new IOException("Stream is closed");
            }
            this.cipherOutputStream.flush();
        }

        @Override // org.apache.nifi.controller.repository.FileSystemRepository.ContentRepositoryOutputStream, java.io.OutputStream, java.io.Closeable, java.lang.AutoCloseable
        public synchronized void close() throws IOException {
            this.closed = true;
            this.cipherOutputStream.flush();
            this.cipherOutputStream.close();
            this.scc.setLength(this.bcos.getBytesWritten() - this.startingOffset);
            super.close();
        }
    }

    public EncryptedFileSystemRepository() {
    }

    public EncryptedFileSystemRepository(NiFiProperties niFiProperties) throws IOException {
        super(niFiProperties);
        this.repositoryEncryptor = new AesCtrStreamRepositoryEncryptor(new StandardRepositoryKeyProviderFactory().getKeyProvider(EncryptedRepositoryType.CONTENT, niFiProperties), EncryptionMetadataHeader.CONTENT);
        this.keyId = (String) Objects.requireNonNull(niFiProperties.getContentRepositoryEncryptionKeyId(), "Key Identifier required");
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public long importFrom(InputStream inputStream, ContentClaim contentClaim) throws IOException {
        OutputStream write = write(contentClaim);
        try {
            long copy = StreamUtils.copy(inputStream, write);
            if (write != null) {
                write.close();
            }
            return copy;
        } catch (Throwable th) {
            if (write != null) {
                try {
                    write.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public long exportTo(ContentClaim contentClaim, OutputStream outputStream) throws IOException {
        logger.warn("Exporting content from {} to output stream {}. This content will be decrypted", contentClaim.getResourceClaim().getId(), outputStream);
        return super.exportTo(contentClaim, outputStream);
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public long exportTo(ContentClaim contentClaim, OutputStream outputStream, long j, long j2) throws IOException {
        logger.warn("Exporting content from {} (offset: {}, length: {}) to output stream {}. This content will be decrypted", new Object[]{contentClaim.getResourceClaim().getId(), Long.valueOf(j), Long.valueOf(j2), outputStream});
        return super.exportTo(contentClaim, outputStream, j, j2);
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public long exportTo(ContentClaim contentClaim, Path path, boolean z) throws IOException {
        logger.warn("Exporting content from {} to path {}. This content will be decrypted", contentClaim.getResourceClaim().getId(), path);
        return super.exportTo(contentClaim, path, z);
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public long exportTo(ContentClaim contentClaim, Path path, boolean z, long j, long j2) throws IOException {
        logger.warn("Exporting content from {} (offset: {}, length: {}) to path {}. This content will be decrypted", new Object[]{contentClaim.getResourceClaim().getId(), Long.valueOf(j), Long.valueOf(j2), path});
        return super.exportTo(contentClaim, path, z, j, j2);
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public InputStream read(ResourceClaim resourceClaim) {
        throw new UnsupportedOperationException("Cannot read full ResourceClaim as a Stream when using EncryptedFileSystemRepository");
    }

    public boolean isResourceClaimStreamSupported() {
        return false;
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public InputStream read(ContentClaim contentClaim) throws IOException {
        InputStream read = super.read(contentClaim);
        if (contentClaim == null) {
            return read;
        }
        return (InputStream) this.repositoryEncryptor.decrypt(read, getRecordId(contentClaim));
    }

    @Override // org.apache.nifi.controller.repository.FileSystemRepository
    public OutputStream write(ContentClaim contentClaim) throws IOException {
        StandardContentClaim validateContentClaimForWriting = validateContentClaimForWriting(contentClaim);
        ByteCountingOutputStream writableClaimStreamByResourceClaim = getWritableClaimStreamByResourceClaim(validateContentClaimForWriting.getResourceClaim());
        return new EncryptedContentRepositoryOutputStream(validateContentClaimForWriting, writableClaimStreamByResourceClaim, getRecordId(contentClaim), writableClaimStreamByResourceClaim.getBytesWritten());
    }

    public static String getRecordId(ContentClaim contentClaim) {
        if (contentClaim != null && contentClaim.getResourceClaim() != null && !StringUtils.isBlank(contentClaim.getResourceClaim().getId())) {
            return "nifi-ecr-rc-" + contentClaim.getResourceClaim().getId() + "+" + contentClaim.getOffset();
        }
        String str = "nifi-ecr-ts-" + System.nanoTime();
        logger.error("Cannot determine record ID from null content claim or claim with missing/empty resource claim ID; using timestamp-generated ID [{}]", str + "+0");
        return str;
    }
}
