package org.apache.hadoop.fs.s3a.auth;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import java.io.Closeable;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.Constants;
import org.apache.hadoop.fs.s3a.Invoker;
import org.apache.hadoop.fs.s3a.S3AUtils;
import org.apache.hadoop.fs.s3a.auth.delegation.DelegationConstants;
import org.apache.hadoop.thirdparty.com.google.common.base.Preconditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

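/**
 * Factory for AWS Security Token Service (STS) client builders, plus a small
 * {@link STSClient} wrapper that issues GetSessionToken and AssumeRole
 * requests through an {@link Invoker}.
 *
 * <p>The {@link Credentials} returned by the wrapper are live secrets. This
 * class logs only the requested duration, the role ARN and the policy text,
 * never the returned credentials.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:WEB-INF/lib/hadoop-aws-3.3.4.jar:org/apache/hadoop/fs/s3a/auth/STSClientFactory.class */
public class STSClientFactory {
    private static final Logger LOG = LoggerFactory.getLogger(STSClientFactory.class);

    /**
     * Wrapper around an {@link AWSSecurityTokenService} which sends every
     * request through the supplied {@link Invoker}.
     */
    /* loaded from: input_file:WEB-INF/lib/hadoop-aws-3.3.4.jar:org/apache/hadoop/fs/s3a/auth/STSClientFactory$STSClient.class */
    public static final class STSClient implements Closeable {
        private final AWSSecurityTokenService tokenService;
        private final Invoker invoker;

        private STSClient(AWSSecurityTokenService aWSSecurityTokenService, Invoker invoker) {
            this.tokenService = aWSSecurityTokenService;
            this.invoker = invoker;
        }

        /**
         * Shuts down the wrapped token service.
         *
         * @throws IOException declared by {@link Closeable}; not raised by this body
         */
        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            try {
                tokenService.shutdown();
            } catch (UnsupportedOperationException ignored) {
                // Best-effort close: a token service that does not implement
                // shutdown() must not turn close() into a failure.
            }
        }

        /**
         * Converts a duration to whole seconds for an STS request.
         *
         * <p>A plain {@code (int)} cast would silently wrap an oversized
         * duration into an unrelated, possibly valid-looking lifetime, so a
         * value that does not fit in an {@code int} is rejected here. Range
         * limits beyond that are left to the STS service.
         *
         * @param j duration, in {@code timeUnit} units
         * @param timeUnit unit of {@code j}
         * @return the duration in seconds
         * @throws IllegalArgumentException if the duration in seconds does not fit in an int
         */
        private static int toDurationSeconds(long j, TimeUnit timeUnit) {
            long seconds = timeUnit.toSeconds(j);
            Preconditions.checkArgument(seconds == (int) seconds,
                    "Credential duration of %s seconds is out of range", seconds);
            return (int) seconds;
        }

        /**
         * Requests a set of session credentials via GetSessionToken.
         *
         * @param j duration of the session, in {@code timeUnit} units
         * @param timeUnit unit of {@code j}
         * @return the credentials returned by STS; treat them as secrets
         * @throws IOException on a failure raised through the invoker
         * @throws IllegalArgumentException if the duration in seconds does not fit in an int
         */
        public Credentials requestSessionCredentials(long j, TimeUnit timeUnit) throws IOException {
            int seconds = toDurationSeconds(j, timeUnit);
            LOG.debug("Requesting session token of duration {}", j);
            GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest();
            getSessionTokenRequest.setDurationSeconds(seconds);
            return this.invoker.retry("request session credentials", "", true, () -> {
                LOG.info("Requesting Amazon STS Session credentials");
                return this.tokenService.getSessionToken(getSessionTokenRequest).getCredentials();
            });
        }

        /**
         * Requests credentials for a role via AssumeRole.
         *
         * @param str ARN of the role to assume
         * @param str2 role session name
         * @param str3 session policy; only attached to the request when non-empty
         * @param j duration of the role session, in {@code timeUnit} units
         * @param timeUnit unit of {@code j}
         * @return the credentials returned by STS; treat them as secrets
         * @throws IOException on a failure raised through the invoker
         * @throws IllegalArgumentException if the duration in seconds does not fit in an int
         */
        public Credentials requestRole(String str, String str2, String str3, long j, TimeUnit timeUnit) throws IOException {
            LOG.debug("Requesting role {} with duration {}; policy = {}", str, j, str3);
            AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
            assumeRoleRequest.setDurationSeconds(toDurationSeconds(j, timeUnit));
            assumeRoleRequest.setRoleArn(str);
            assumeRoleRequest.setRoleSessionName(str2);
            // An empty policy is omitted, so the request carries no session
            // policy at all rather than an empty one.
            if (StringUtils.isNotEmpty(str3)) {
                assumeRoleRequest.setPolicy(str3);
            }
            return this.invoker.retry("request role credentials", "", true, () -> {
                return this.tokenService.assumeRole(assumeRoleRequest).getCredentials();
            });
        }
    }

    /**
     * Creates an STS client builder, reading the endpoint from
     * {@code fs.s3a.assumed.role.sts.endpoint} and the signing region from
     * {@code fs.s3a.assumed.role.sts.endpoint.region} (both default to empty).
     *
     * @param configuration configuration to read
     * @param str passed to {@code S3AUtils.createAwsConf}; presumably the bucket name, confirm against callers
     * @param aWSCredentialsProvider credentials used to sign the STS requests
     * @return the configured builder
     * @throws IOException if the AWS client configuration cannot be created
     */
    public static AWSSecurityTokenServiceClientBuilder builder(Configuration configuration, String str, AWSCredentialsProvider aWSCredentialsProvider) throws IOException {
        String endpoint = configuration.getTrimmed("fs.s3a.assumed.role.sts.endpoint", "");
        String region = configuration.getTrimmed("fs.s3a.assumed.role.sts.endpoint.region", "");
        ClientConfiguration awsConf = S3AUtils.createAwsConf(configuration, str, Constants.AWS_SERVICE_IDENTIFIER_STS);
        return builder(aWSCredentialsProvider, awsConf, endpoint, region);
    }

    /**
     * Creates an STS client builder for an explicitly supplied endpoint and region.
     *
     * @param configuration configuration used to build the AWS client configuration
     * @param str passed to {@code S3AUtils.createAwsConf}; presumably the bucket name, confirm against callers
     * @param aWSCredentialsProvider credentials used to sign the STS requests
     * @param str2 STS endpoint; may be empty
     * @param str3 STS signing region; must be set if and only if a non-standard endpoint is set
     * @return the configured builder
     * @throws IOException if the AWS client configuration cannot be created
     */
    public static AWSSecurityTokenServiceClientBuilder builder(Configuration configuration, String str, AWSCredentialsProvider aWSCredentialsProvider, String str2, String str3) throws IOException {
        ClientConfiguration awsConf = S3AUtils.createAwsConf(configuration, str, Constants.AWS_SERVICE_IDENTIFIER_STS);
        return builder(aWSCredentialsProvider, awsConf, str2, str3);
    }

    /**
     * Creates an STS client builder from an already-built client configuration.
     *
     * <p>An endpoint is applied only when {@code str} is non-empty and differs
     * from {@code DelegationConstants.STS_STANDARD}; in that case a signing
     * region is mandatory. Without such an endpoint, a signing region must not
     * be given.
     *
     * @param aWSCredentialsProvider credentials used to sign the STS requests; must not be null
     * @param clientConfiguration AWS client configuration
     * @param str STS endpoint; may be empty
     * @param str2 STS signing region
     * @return the configured builder
     * @throws IllegalArgumentException if the credentials are null or the
     *     endpoint/region combination is inconsistent
     */
    public static AWSSecurityTokenServiceClientBuilder builder(AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration, String str, String str2) {
        // Fail before any builder state is created.
        Preconditions.checkArgument(aWSCredentialsProvider != null, "No credentials");
        AWSSecurityTokenServiceClientBuilder standard = AWSSecurityTokenServiceClientBuilder.standard();
        standard.withClientConfiguration(clientConfiguration);
        standard.withCredentials(aWSCredentialsProvider);
        boolean customEndpoint = StringUtils.isNotEmpty(str) && !DelegationConstants.STS_STANDARD.equals(str);
        if (customEndpoint) {
            Preconditions.checkArgument(StringUtils.isNotEmpty(str2), "STS endpoint is set to %s but no signing region was provided", str);
            LOG.debug("STS Endpoint={}; region='{}'", str, str2);
            // NOTE(review): the endpoint string is handed to the SDK as given and
            // nothing in this method requires an https scheme. STS responses carry
            // credentials, so confirm that the client configuration or deployment
            // settings keep this traffic on TLS.
            standard.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(str, str2));
        } else {
            Preconditions.checkArgument(StringUtils.isEmpty(str2), "STS signing region set set to %s but no STS endpoint specified", str2);
        }
        return standard;
    }

    /**
     * Wraps a token service and invoker in an {@link STSClient}.
     *
     * @param aWSSecurityTokenService STS service to wrap; shut down when the client is closed
     * @param invoker invoker through which every STS request is made
     * @return the new client
     * @throws IOException declared for callers; not raised by this body
     */
    public static STSClient createClientConnection(AWSSecurityTokenService aWSSecurityTokenService, Invoker invoker) throws IOException {
        return new STSClient(aWSSecurityTokenService, invoker);
    }
}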
