package com.amazon.ws.emr.hadoop.fs.secretagent;

import com.amazon.ws.emr.hadoop.fs.exception.AccessDeniedException;
import com.amazon.ws.emr.hadoop.fs.identity.FileSystemOwner;
import com.amazon.ws.emr.hadoop.fs.s3.S3NativeCommonFileSystem;
import com.amazon.ws.emr.hadoop.fs.s3.lite.call.S3Call;
import com.amazon.ws.emr.hadoop.fs.s3.lite.call.S3Resource;
import com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.auth.BasicSessionCredentials;
import com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.emr.secretagent.client.SecretAgentClient;
import com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.emr.secretagent.client.model.GetTemporaryCredentialsForResourcesRequest;
import com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.emr.secretagent.client.model.ResourcePrivileges;
import com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.emr.secretagent.client.model.SecretAgentClientException;
import com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.emr.secretagent.client.model.TemporaryCredentials;
import com.amazon.ws.emr.hadoop.fs.shaded.com.google.common.annotations.VisibleForTesting;
import com.amazon.ws.emr.hadoop.fs.shaded.com.google.common.collect.Lists;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.AWSSessionCredentialsProvider;
import java.time.ZonedDateTime;
import java.util.List;
import java.util.stream.Collectors;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/amazon/ws/emr/hadoop/fs/secretagent/SecretAgentS3CredentialsProvider.class */
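/**
 * {@link AWSSessionCredentialsProvider} that obtains temporary S3 session credentials from the
 * EMR Secret Agent, scoped to a single {@link S3Call}.
 *
 * <p>The request sent to the Secret Agent names one resource (the first entry of
 * {@link S3Call#getS3Resources()}, rendered by {@link #getS3Path(S3Resource)}) together with
 * privilege filters built from the names of {@link S3Call#getS3Actions()}. The credentials
 * returned are cached in this instance and fetched again once fewer than
 * {@code secondsBeforeExpirationToRefreshCredentials} seconds remain before their expiration.
 *
 * <p>Logging at debug level includes the S3 call class name and the request object, not the
 * credential material. The cached session and its expiration are plain fields with no
 * synchronization; NOTE(review): if one instance is shared across threads the caller must
 * serialize access, confirm against how the S3 client uses this provider.
 */
public class SecretAgentS3CredentialsProvider implements AWSSessionCredentialsProvider {
    private static final Logger logger = LoggerFactory.getLogger(SecretAgentS3CredentialsProvider.class);
    /** Default refresh lead time: credentials are renewed when fewer than this many seconds remain. */
    static final int DEFAULT_SECONDS_BEFORE_EXPIRATION_TO_REFRESH_CREDENTIALS = 300;
    private final int secondsBeforeExpirationToRefreshCredentials;
    private final SecretAgentClient secretAgentClient;
    // Stored by the constructor but not read anywhere in this class.
    private final FileSystemOwner fileSystemOwner;
    private final S3Call s3Call;
    // Cached session; null until the first successful startSession().
    private AWSSessionCredentials sessionCredentials;
    // Expiration reported by the Secret Agent for sessionCredentials; assigned right after it.
    private ZonedDateTime expiration;

    /**
     * Creates a provider using the default refresh lead time of
     * {@value #DEFAULT_SECONDS_BEFORE_EXPIRATION_TO_REFRESH_CREDENTIALS} seconds.
     *
     * @param secretAgentClient client used to request temporary credentials
     * @param fileSystemOwner   owner identity of the file system (retained, not used here)
     * @param s3Call            the call whose resources and actions scope the credentials
     * @throws NullPointerException if any argument is null
     */
    public SecretAgentS3CredentialsProvider(@NonNull SecretAgentClient secretAgentClient, @NonNull FileSystemOwner fileSystemOwner, @NonNull S3Call s3Call) {
        // this(...) has to be the first statement, so the null checks can only follow it.
        this(secretAgentClient, fileSystemOwner, s3Call, DEFAULT_SECONDS_BEFORE_EXPIRATION_TO_REFRESH_CREDENTIALS);
        if (secretAgentClient == null) {
            throw new NullPointerException("secretAgentClient is marked non-null but is null");
        }
        if (fileSystemOwner == null) {
            throw new NullPointerException("fileSystemOwner is marked non-null but is null");
        }
        if (s3Call == null) {
            throw new NullPointerException("s3Call is marked non-null but is null");
        }
    }

    /**
     * Creates a provider with an explicit refresh lead time; exposed for tests.
     *
     * @param secretAgentClient client used to request temporary credentials
     * @param fileSystemOwner   owner identity of the file system (retained, not used here)
     * @param s3Call            the call whose resources and actions scope the credentials
     * @param i                 seconds before expiration at which credentials are refreshed
     */
    @VisibleForTesting
    SecretAgentS3CredentialsProvider(SecretAgentClient secretAgentClient, FileSystemOwner fileSystemOwner, S3Call s3Call, int i) {
        this.secretAgentClient = secretAgentClient;
        this.fileSystemOwner = fileSystemOwner;
        this.s3Call = s3Call;
        this.secondsBeforeExpirationToRefreshCredentials = i;
    }

    /**
     * Returns the cached session credentials, fetching a new session first when none has been
     * obtained yet or the cached one is within the refresh lead time of its expiration.
     *
     * @return the current session credentials
     * @throws AccessDeniedException    if the Secret Agent returns no credentials or fails
     * @throws IllegalArgumentException if the S3 call names no resources
     */
    @Override // com.amazonaws.auth.AWSCredentialsProvider
    public AWSSessionCredentials getCredentials() {
        if (needsNewSession()) {
            startSession();
        }
        return this.sessionCredentials;
    }

    /**
     * Unconditionally fetches a new session from the Secret Agent, replacing the cached one.
     *
     * @throws AccessDeniedException    if the Secret Agent returns no credentials or fails
     * @throws IllegalArgumentException if the S3 call names no resources
     */
    @Override // com.amazonaws.auth.AWSCredentialsProvider
    public void refresh() {
        startSession();
    }

    /**
     * Requests temporary credentials for the first S3 resource of the call and caches them with
     * their expiration. A Secret Agent client failure or an empty response is surfaced as
     * {@link AccessDeniedException}, so callers see a uniform access-denied outcome.
     */
    private void startSession() {
        if (this.s3Call.getS3Resources().isEmpty()) {
            throw new IllegalArgumentException("No S3 resources found for the call: " + this.s3Call.getClass().getSimpleName());
        }
        GetTemporaryCredentialsForResourcesRequest request = buildRequest();
        logger.debug("Retrieving credentials for s3 call: {} and request: {}", this.s3Call.getClass().getSimpleName(), request);
        try {
            TemporaryCredentials credentials = this.secretAgentClient.getTemporaryCredentialsForResources(request)
                .orElseThrow(() -> new AccessDeniedException("Secret Agent returned empty credentials for request: " + request.toString()));
            this.sessionCredentials = new BasicSessionCredentials(credentials.getAwsAccessKeyId(), credentials.getAwsSecretKey(), credentials.getSessionToken());
            this.expiration = credentials.getExpiration();
            logger.debug("Successfully retrieved credentials for {}", request);
        } catch (SecretAgentClientException e) {
            throw new AccessDeniedException("Failed to retrieve credentials from secret agent for request: " + request.toString(), e);
        }
    }

    /**
     * Builds the Secret Agent request: one {@link ResourcePrivileges} entry whose {@code arn}
     * field carries the bucket/path of the call's first S3 resource and whose privilege filters
     * are the names of the call's S3 actions. Any further resources of the call are not included.
     */
    private GetTemporaryCredentialsForResourcesRequest buildRequest() {
        S3Resource firstResource = this.s3Call.getS3Resources().iterator().next();
        List<String> privilegeFilters = this.s3Call.getS3Actions().stream()
            .map(action -> action.name())
            .collect(Collectors.toList());
        ResourcePrivileges privileges = ResourcePrivileges.builder()
            .arn(getS3Path(firstResource))
            .privilegeFilters(privilegeFilters)
            .build();
        return GetTemporaryCredentialsForResourcesRequest.builder()
            .resourcePrivileges(Lists.newArrayList(privileges))
            .build();
    }

    /** True when no session has been fetched yet or the cached one is due for refresh. */
    private boolean needsNewSession() {
        return this.sessionCredentials == null || isCredentialsExpired();
    }

    /**
     * True when the cached credentials expire within the refresh lead time (or already have).
     * Only meaningful after {@link #startSession()} has set {@code expiration}; NOTE(review): a
     * null expiration from the Secret Agent would throw here, confirm the service always sets it.
     */
    private boolean isCredentialsExpired() {
        long millisUntilExpiration = this.expiration.toInstant().toEpochMilli() - System.currentTimeMillis();
        // Multiply in long arithmetic: an int product wraps for lead times above ~24 days.
        long refreshLeadMillis = this.secondsBeforeExpirationToRefreshCredentials * 1000L;
        return millisUntilExpiration <= refreshLeadMillis;
    }

    /**
     * Renders a resource as {@code bucket} or {@code bucket/path}, inserting the path delimiter
     * only when the path does not already start with one.
     *
     * @param s3Resource resource to render
     * @return the bucket name, followed by the delimited path when a path is present
     * @throws NullPointerException if the bucket name is null
     */
    @VisibleForTesting
    String getS3Path(S3Resource s3Resource) {
        String path = s3Resource.getPath();
        StringBuilder rendered = new StringBuilder(s3Resource.getBucketName());
        if (path != null) {
            if (!path.startsWith(S3NativeCommonFileSystem.PATH_DELIMITER)) {
                rendered.append(S3NativeCommonFileSystem.PATH_DELIMITER);
            }
            rendered.append(path);
        }
        return rendered.toString();
    }
}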
