package software.amazon.awssdk.s3accessgrants.plugin;

import java.util.concurrent.CompletableFuture;
import java.util.regex.Pattern;
import software.amazon.awssdk.annotations.NotNull;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.core.exception.SdkServiceException;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
import software.amazon.awssdk.identity.spi.IdentityProvider;
import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
import software.amazon.awssdk.metrics.MetricPublisher;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCachedCredentialsProvider;
import software.amazon.awssdk.s3accessgrants.plugin.internal.S3AccessGrantsStaticOperationToPermissionMapper;
import software.amazon.awssdk.s3accessgrants.plugin.internal.S3AccessGrantsUtils;
import software.amazon.awssdk.services.s3control.S3ControlAsyncClient;
import software.amazon.awssdk.services.s3control.model.Credentials;
import software.amazon.awssdk.services.s3control.model.GetDataAccessRequest;
import software.amazon.awssdk.services.s3control.model.Permission;
import software.amazon.awssdk.services.s3control.model.Privilege;
import software.amazon.awssdk.services.s3control.model.S3ControlException;
import software.amazon.awssdk.services.sts.StsAsyncClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;
import software.amazon.awssdk.utils.Validate;

/* loaded from: input_file:software/amazon/awssdk/s3accessgrants/plugin/S3AccessGrantsIdentityProvider.class */
public class S3AccessGrantsIdentityProvider implements IdentityProvider<AwsCredentialsIdentity> {
    private final IdentityProvider<? extends AwsCredentialsIdentity> credentialsProvider;
    private final Region region;
    private final Privilege privilege;
    private final Boolean isCacheEnabled;
    private final S3ControlAsyncClient s3control;
    private final StsAsyncClient stsAsyncClient;
    private final S3AccessGrantsStaticOperationToPermissionMapper permissionMapper;
    private final S3AccessGrantsCachedCredentialsProvider cache;
    private final boolean enableFallback;
    private final MetricPublisher metricsPublisher;
    private String CONTACT_TEAM_MESSAGE_TEMPLATE = "An internal exception has occurred. Valid %s was not passed to the %s. Please contact S3 access grants plugin team!";

    public S3AccessGrantsIdentityProvider(@NotNull IdentityProvider<? extends AwsCredentialsIdentity> identityProvider, @NotNull Region region, @NotNull StsAsyncClient stsAsyncClient, @NotNull Privilege privilege, @NotNull Boolean bool, @NotNull S3ControlAsyncClient s3ControlAsyncClient, @NotNull S3AccessGrantsCachedCredentialsProvider s3AccessGrantsCachedCredentialsProvider, @NotNull boolean z, @NotNull MetricPublisher metricPublisher) {
        S3AccessGrantsUtils.argumentNotNull(identityProvider, "Expecting an Identity Provider to be specified while configuring S3Clients!");
        S3AccessGrantsUtils.argumentNotNull(region, "Expecting a region to be configured on the S3Clients!");
        S3AccessGrantsUtils.argumentNotNull(stsAsyncClient, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "sts client", "identity provider"));
        this.credentialsProvider = identityProvider;
        this.region = region;
        this.stsAsyncClient = stsAsyncClient;
        this.privilege = privilege;
        this.isCacheEnabled = bool;
        this.s3control = s3ControlAsyncClient;
        this.permissionMapper = new S3AccessGrantsStaticOperationToPermissionMapper();
        this.cache = s3AccessGrantsCachedCredentialsProvider;
        this.enableFallback = z;
        this.metricsPublisher = metricPublisher;
    }

    public Class<AwsCredentialsIdentity> identityType() {
        return AwsCredentialsIdentity.class;
    }

    public CompletableFuture<? extends AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest resolveIdentityRequest) {
        try {
            String account = getCallerAccountID().join().account();
            validateRequestParameters(resolveIdentityRequest, account, this.privilege, this.isCacheEnabled);
            CompletableFuture resolveIdentity = this.credentialsProvider.resolveIdentity(resolveIdentityRequest);
            String obj = resolveIdentityRequest.property(S3AccessGrantsUtils.PREFIX_PROPERTY).toString();
            String obj2 = resolveIdentityRequest.property(S3AccessGrantsUtils.OPERATION_PROPERTY).toString();
            S3AccessGrantsUtils.logger.debug(() -> {
                return " Call access grants with the following request params! ";
            });
            S3AccessGrantsUtils.logger.debug(() -> {
                return " S3Prefix : " + obj;
            });
            S3AccessGrantsUtils.logger.debug(() -> {
                return " caller accountID : " + account;
            });
            S3AccessGrantsUtils.logger.debug(() -> {
                return " operation : " + obj2;
            });
            Permission permission = this.permissionMapper.getPermission(obj2);
            S3AccessGrantsUtils.logger.debug(() -> {
                return " permission : " + permission;
            });
            return this.isCacheEnabled.booleanValue() ? getCredentialsFromCache((AwsCredentialsIdentity) resolveIdentity.join(), permission, obj, account) : getCredentialsFromAccessGrants(createDataAccessRequest(account, obj, permission, this.privilege));
        } catch (SdkServiceException e) {
            if (shouldFallbackToDefaultCredentialsForThisCase(e.statusCode(), e.getCause()).booleanValue()) {
                return null;
            }
            throw e;
        }
    }

    private GetDataAccessRequest createDataAccessRequest(String str, String str2, Permission permission, Privilege privilege) {
        return (GetDataAccessRequest) GetDataAccessRequest.builder().accountId(str).target(str2).permission(permission).privilege(privilege).build();
    }

    CompletableFuture<? extends AwsCredentialsIdentity> getCredentialsFromAccessGrants(GetDataAccessRequest getDataAccessRequest) {
        S3AccessGrantsUtils.argumentNotNull(getDataAccessRequest, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "request", "for calling access grants"));
        S3AccessGrantsUtils.logger.debug(() -> {
            return " Calling S3 Access Grants to validate access permissions!";
        });
        return this.s3control.getDataAccess(getDataAccessRequest).thenApply(getDataAccessResponse -> {
            Credentials credentials = getDataAccessResponse.credentials();
            return AwsSessionCredentials.builder().accessKeyId(credentials.accessKeyId()).secretAccessKey(credentials.secretAccessKey()).sessionToken(credentials.sessionToken()).build();
        });
    }

    CompletableFuture<? extends AwsCredentialsIdentity> getCredentialsFromCache(AwsCredentialsIdentity awsCredentialsIdentity, Permission permission, String str, String str2) {
        try {
            try {
                CompletableFuture<AwsCredentialsIdentity> exceptionally = this.cache.getDataAccess(awsCredentialsIdentity, permission, str, str2).exceptionally(th -> {
                    SdkServiceException unwrapAndBuildException = unwrapAndBuildException(th);
                    if (shouldFallbackToDefaultCredentialsForThisCase(unwrapAndBuildException.statusCode(), unwrapAndBuildException).booleanValue()) {
                        return awsCredentialsIdentity;
                    }
                    throw unwrapAndBuildException;
                });
                if (this.metricsPublisher != null) {
                    publishMetrics();
                }
                return exceptionally;
            } catch (Exception e) {
                SdkServiceException unwrapAndBuildException = unwrapAndBuildException(e);
                if (!shouldFallbackToDefaultCredentialsForThisCase(unwrapAndBuildException.statusCode(), unwrapAndBuildException).booleanValue()) {
                    throw unwrapAndBuildException;
                }
                CompletableFuture<? extends AwsCredentialsIdentity> supplyAsync = CompletableFuture.supplyAsync(() -> {
                    return awsCredentialsIdentity;
                });
                if (this.metricsPublisher != null) {
                    publishMetrics();
                }
                return supplyAsync;
            }
        } catch (Throwable th2) {
            if (this.metricsPublisher != null) {
                publishMetrics();
            }
            throw th2;
        }
    }

    private void publishMetrics() {
        try {
            this.metricsPublisher.publish(this.cache.getAccessGrantsMetrics().collect());
            this.metricsPublisher.close();
        } catch (Exception e) {
            S3AccessGrantsUtils.logger.warn(() -> {
                return "Something went wrong while publishing metrics using the metrics publisher. Please contact S3 access grants plugin team!";
            });
            S3AccessGrantsUtils.logger.warn(() -> {
                return "cause for metrics publisher error : " + e.getMessage();
            });
        }
    }

    private void validateRequestParameters(ResolveIdentityRequest resolveIdentityRequest, String str, Privilege privilege, Boolean bool) {
        S3AccessGrantsUtils.logger.debug(() -> {
            return "Validating the request parameters before sending a request to S3 Access grants!";
        });
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "request", "identity provider"));
        S3AccessGrantsUtils.argumentNotNull(str, "Expecting account id to be configured on the plugin!");
        S3AccessGrantsUtils.argumentNotNull(privilege, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "privilege", "identity provider"));
        S3AccessGrantsUtils.argumentNotNull(bool, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "cache setting", "identity provider"));
        Pattern compile = Pattern.compile("s3://[a-z0-9.-]*");
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest.property(S3AccessGrantsUtils.PREFIX_PROPERTY), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "S3Prefix", "identity provider"));
        Validate.isTrue(compile.matcher(resolveIdentityRequest.property(S3AccessGrantsUtils.PREFIX_PROPERTY).toString()).find(), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "S3Prefix", "identity provider"), new Object[0]);
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest.property(S3AccessGrantsUtils.OPERATION_PROPERTY), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "operation", "identity provider"));
        S3AccessGrantsUtils.logger.debug(() -> {
            return "Validation Complete. The request parameters can be forwarded to S3 Access grants!";
        });
    }

    private SdkServiceException unwrapAndBuildException(Throwable th) {
        while (th.getCause() != null) {
            th = th.getCause();
        }
        if (!(th instanceof S3ControlException)) {
            return SdkServiceException.builder().message(th.getMessage()).cause(th).build();
        }
        S3ControlException s3ControlException = (S3ControlException) th;
        return SdkServiceException.builder().statusCode(s3ControlException.statusCode()).message(s3ControlException.getMessage()).cause(th).build();
    }

    Boolean shouldFallbackToDefaultCredentialsForThisCase(int i, Throwable th) {
        if (this.enableFallback) {
            S3AccessGrantsUtils.logger.debug(() -> {
                return " Fall back enabled on the plugin! falling back to evaluate permission through policies!";
            });
            return true;
        }
        if (i == 404 && (th instanceof UnsupportedOperationException)) {
            S3AccessGrantsUtils.logger.debug(() -> {
                return " Operation not supported by S3 access grants! fall back to evaluate permission through policies!";
            });
            return true;
        }
        S3AccessGrantsUtils.logger.error(() -> {
            return " Fall back not enabled! An attempt will not be made to evaluate permissions through policies! " + th.getMessage();
        });
        return false;
    }

    CompletableFuture<GetCallerIdentityResponse> getCallerAccountID() {
        S3AccessGrantsUtils.logger.debug(() -> {
            return "requesting STS to fetch caller accountID!";
        });
        return this.stsAsyncClient.getCallerIdentity();
    }
}
