package com.cloudera.cmf.service.objectstore.s3;

import com.cloudera.cmf.model.DbExternalAccount;
import com.cloudera.cmf.model.DbExternalAccountType;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.service.ServiceHandlerRegistry;
import com.cloudera.cmf.service.Validation;
import com.cloudera.cmf.service.ValidationContext;
import com.cloudera.cmf.service.objectstore.AbstractObjectStoreValidator;
import com.cloudera.cmf.service.objectstore.KeyDistributionPolicy;
import com.cloudera.cmf.service.objectstore.ObjectStoreConnector;
import com.cloudera.cmf.service.objectstore.ObjectStoreMetadata;
import com.cloudera.enterprise.MessageWithArgs;
import com.cloudera.server.web.common.Humanize;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import java.util.Collection;

/* loaded from: input_file:com/cloudera/cmf/service/objectstore/s3/S3SecurityValidator.class */
public class S3SecurityValidator extends AbstractObjectStoreValidator {

    @VisibleForTesting
    static final String KERBEROS_ERROR_KEY = "message.objectstore.validator.kerberos.error";

    public S3SecurityValidator() {
        super(false, "s3_security_validator");
    }

    @Override // com.cloudera.cmf.service.objectstore.AbstractObjectStoreValidator
    protected Collection<Validation> validate(ServiceHandlerRegistry serviceHandlerRegistry, ObjectStoreConnector objectStoreConnector, ValidationContext validationContext) {
        CmfEntityManager.currentCmfEntityManager();
        DbExternalAccount account = objectStoreConnector.getAccount();
        if (account == null || account.getType() == DbExternalAccountType.AWS_IAM_ROLES_AUTH) {
            return ImmutableList.of();
        }
        KeyDistributionPolicy keyDistributionPolicy = objectStoreConnector.getKeyDistributionPolicy();
        if (objectStoreConnector.getService().getConfigRelease().atMost(ObjectStoreMetadata.CONNECTOR_MODE_SUPPORTED.lowerEndpoint()) && keyDistributionPolicy == null) {
            keyDistributionPolicy = KeyDistributionPolicy.SECURE;
        }
        return (keyDistributionPolicy != KeyDistributionPolicy.SECURE || isKerberized(serviceHandlerRegistry, validationContext)) ? ImmutableList.of() : ImmutableList.of(Validation.error(validationContext, MessageWithArgs.of(KERBEROS_ERROR_KEY, new String[]{Humanize.humanizeServiceType(validationContext.getService().getServiceType())})));
    }
}
