package amazon.emr.metrics;

import amazon.emr.metrics.InstanceControllerRpcClient;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.policy.Action;
import com.amazonaws.auth.policy.Condition;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.auth.policy.conditions.StringCondition;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import java.io.IOException;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:amazon/emr/metrics/SessionS3Client.class */
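/**
 * Supplies an {@link AmazonS3Client} backed by temporary session credentials.
 *
 * <p>The credentials come from one of two places, chosen by the constructor used:
 * the no-argument constructor asks {@link InstanceControllerRpcClient#getPolicy()} for them,
 * the three-argument constructor loads a key pair through {@code Credentials.newInstance} and
 * trades it at STS for a federation token limited to one bucket and key prefix.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #policy} is a public, mutable field that carries the access key id, secret key
 *       and session token; anything holding a reference to this object can read them.</li>
 *   <li>No method here is synchronized. Thread-safety is not established by this class.</li>
 * </ul>
 */
public class SessionS3Client {
    static final Logger logger = LoggerFactory.getLogger(SessionS3Client.class);

    /** How long before the recorded expiry a replacement token is requested. */
    private static final long REFRESH_MARGIN_MILLIS = 60000L;
    /** Lifetime requested from STS for a federation token. */
    private static final int TOKEN_DURATION_SECONDS = 3600;
    /** Placeholder written to logs in place of secret material. */
    private static final String MASK = "****";

    // Current temporary credentials plus the bucket/prefix they apply to; null when none are valid.
    public InstanceControllerRpcClient.GetPolicyResponse policy;
    // Lazily created RPC client; only used when no key pair was supplied.
    InstanceControllerRpcClient client;
    // Key pair used to call STS; null selects the instance-controller path.
    Credentials credentials;
    private String bucket;
    private String prefix;
    // Cached S3 client and the session token it was built with.
    private AmazonS3Client s3client;
    private String s3ClientToken = "";

    /**
     * Creates a client whose credentials, bucket and prefix all come from the instance controller.
     *
     * @throws NullPointerException if no policy could be obtained, since bucket and prefix are
     *     taken from it
     */
    public SessionS3Client() {
        updateToken();
        if (this.policy == null) {
            // updateToken() logs and swallows failures, so the cause is in the log; fail here with
            // a message instead of an anonymous NPE on the field access below.
            throw new NullPointerException("no policy available; cannot determine bucket and prefix");
        }
        this.bucket = this.policy.bucket;
        this.prefix = this.policy.keyPrefix;
    }

    /**
     * Creates a client that obtains federation tokens with a supplied key pair.
     *
     * <p>No token is requested here; the first call that needs one triggers the STS request.
     * {@code str2} and {@code str3} are copied verbatim into the IAM policy built by
     * {@link #requestSessionToken()} and are not validated by this class.
     *
     * @param str argument passed to {@code Credentials.newInstance}
     * @param str2 bucket name
     * @param str3 key prefix inside the bucket
     */
    public SessionS3Client(String str, String str2, String str3) throws RuntimeException, IOException {
        this.credentials = Credentials.newInstance(str);
        this.bucket = str2;
        this.prefix = str3;
    }

    /** @return the bucket this client is bound to */
    public String getBucket() {
        return this.bucket;
    }

    /** @return the key prefix this client is bound to */
    public String getPrefix() {
        return this.prefix;
    }

    /**
     * Returns the current temporary credentials, refreshing them first if needed.
     *
     * @return the session credentials, or {@code null} when no valid token is available
     */
    public BasicSessionCredentials getBasicSessionCredentials() {
        ensureToken();
        InstanceControllerRpcClient.GetPolicyResponse current = this.policy;
        if (current == null) {
            return null;
        }
        return new BasicSessionCredentials(current.accessKeyId, current.secretAccessKey, current.sessionToken);
    }

    /**
     * Returns an S3 client for the current session token, building a new one only when the
     * token has changed since the cached client was created.
     *
     * @return the S3 client, or {@code null} when no valid token is available
     */
    public AmazonS3Client s3Client() {
        ensureToken();
        InstanceControllerRpcClient.GetPolicyResponse current = this.policy;
        if (current == null) {
            logger.info("return null AmazonS3Client due to no session token");
            return null;
        }
        boolean cachedClientIsCurrent =
                current.sessionToken != null && current.sessionToken.equals(this.s3ClientToken);
        if (!cachedClientIsCurrent) {
            // Only a prefix of the token is logged, for correlating client rebuilds. It is still
            // token material; shorten or drop it if these logs leave the host.
            logger.info("create AmazonS3Client with token {}", trimSecret(current.sessionToken, 16));
            this.s3client = new AmazonS3Client(
                    new BasicSessionCredentials(current.accessKeyId, current.secretAccessKey, current.sessionToken));
            this.s3ClientToken = current.sessionToken;
        }
        return this.s3client;
    }

    /**
     * Refreshes the token shortly before it expires and drops it once it has expired.
     *
     * <p>The refresh is attempted while the old token is still usable: a failed refresh leaves
     * the old token in place until its real expiry, and callers do not see a {@code null} result
     * merely because the expiry instant has just passed.
     */
    private void ensureToken() {
        if (this.policy == null || this.policy.expirationTime - REFRESH_MARGIN_MILLIS < nowMillis()) {
            updateToken();
        }
        if (expired()) {
            this.policy = null;
        }
    }

    /**
     * Fetches a new policy from STS (key pair present) or from the instance controller.
     *
     * <p>Best effort: any failure is logged and the previous {@link #policy} value is kept.
     */
    private void updateToken() {
        try {
            if (this.credentials != null) {
                this.policy = requestSessionToken();
            } else {
                if (this.client == null) {
                    this.client = new InstanceControllerRpcClient();
                }
                this.policy = this.client.getPolicy();
            }
            if (this.policy == null) {
                logger.warn("could NOT get policy: none was returned");
                return;
            }
            logger.info("get {}", getTraceStr(this.policy));
        } catch (Exception e) {
            // Passing the exception as the trailing argument (no placeholder) makes SLF4J log the
            // stack trace; a credential fetch failure deserves more than info level.
            logger.warn("could NOT get policy", e);
        }
    }

    /** @return {@code true} when there is no policy or its expiry time is in the past */
    private boolean expired() {
        return this.policy == null || this.policy.expirationTime < nowMillis();
    }

    /** @return the current time in epoch milliseconds */
    private static long nowMillis() {
        return new DateTime().getMillis();
    }

    /**
     * Exchanges the key pair for a federation token restricted to this bucket and prefix.
     *
     * <p>The inline policy allows object get/put/delete (including versions) on
     * {@code bucket/prefix} and {@code bucket/prefix*}, and listing the bucket for keys matching
     * {@code prefix*}.
     *
     * <p>NOTE(review): bucket and prefix are interpolated as-is. A prefix without a trailing
     * delimiter also matches sibling keys that merely start with the same characters, and
     * wildcard characters inside either value would widen the grant. Validate both at the
     * caller if they can be influenced from outside.
     *
     * @return a policy response populated from the STS credentials
     */
    private InstanceControllerRpcClient.GetPolicyResponse requestSessionToken() throws RuntimeException, IOException {
        AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(
                new BasicAWSCredentials(this.credentials.accessId, this.credentials.privateKey));

        Statement objectAccess = new Statement(Statement.Effect.Allow)
                .withActions(
                        S3Actions.DeleteObject,
                        S3Actions.DeleteObjectVersion,
                        S3Actions.GetObject,
                        S3Actions.GetObjectVersion,
                        S3Actions.PutObject)
                .withResources(
                        new Resource(String.format("arn:aws:s3:::%s/%s", this.bucket, this.prefix)),
                        new Resource(String.format("arn:aws:s3:::%s/%s*", this.bucket, this.prefix)));

        Statement listing = new Statement(Statement.Effect.Allow)
                .withActions(S3Actions.ListObjects)
                .withConditions(new StringCondition(
                        StringCondition.StringComparisonType.StringLike, "s3:prefix", this.prefix + "*"))
                .withResources(new Resource(String.format("arn:aws:s3:::%s", this.bucket)));

        Policy scopedPolicy = new Policy().withStatements(objectAccess, listing);
        String policyJson = scopedPolicy.toJson();
        // The policy document holds only actions and resource names, no key material.
        logger.info("Serialized policy {}", policyJson);

        GetFederationTokenRequest request = new GetFederationTokenRequest()
                .withDurationSeconds(TOKEN_DURATION_SECONDS)
                .withName(MetricsUtil.getHostName())
                .withPolicy(policyJson);
        // Named stsCredentials so it cannot be confused with the key-pair field of the same name.
        com.amazonaws.services.securitytoken.model.Credentials stsCredentials =
                sts.getFederationToken(request).getCredentials();

        InstanceControllerRpcClient.GetPolicyResponse response = new InstanceControllerRpcClient.GetPolicyResponse();
        response.accessKeyId = stsCredentials.getAccessKeyId();
        response.secretAccessKey = stsCredentials.getSecretAccessKey();
        response.sessionToken = stsCredentials.getSessionToken();
        // Expiry is estimated from the local clock and the requested duration, not read from the
        // STS response; clock skew shifts it accordingly.
        response.expirationTime = TOKEN_DURATION_SECONDS * 1000L + nowMillis();
        response.bucket = this.bucket;
        response.keyPrefix = this.prefix;
        return response;
    }

    /**
     * Builds a one-line description of a policy for logging.
     *
     * <p>The secret access key is never included, not even in part. The session token is
     * reduced to a short prefix.
     *
     * @param getPolicyResponse policy to describe; must not be {@code null}
     * @return the description
     */
    public String getTraceStr(InstanceControllerRpcClient.GetPolicyResponse getPolicyResponse) {
        return new StringBuilder(256)
                .append("Policy accessKeyId: ").append(getPolicyResponse.accessKeyId)
                .append(" secretAccessKey: ").append(MASK)
                .append(" sessionToken ").append(trimSecret(getPolicyResponse.sessionToken, 16))
                .append(" bucket: ").append(getPolicyResponse.bucket)
                .append(" prefix: ").append(getPolicyResponse.keyPrefix)
                .append(" expiration: ").append(MetricsUtil.getTimeStr(getPolicyResponse.expirationTime))
                .toString();
    }

    /**
     * Shortens a secret for logging.
     *
     * @param str the secret; may be {@code null}
     * @param i number of leading characters to keep
     * @return the first {@code i} characters followed by a mask, or only the mask when the value
     *     is {@code null} or no longer than {@code i}
     */
    private static String trimSecret(String str, int i) {
        if (str == null || str.length() <= i) {
            return MASK;
        }
        return str.substring(0, i) + MASK;
    }
}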
