package software.amazon.awssdk.s3accessgrants.cache;

import com.github.benmanes.caffeine.cache.AsyncCache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.Expiry;
import com.github.benmanes.caffeine.cache.stats.CacheStats;
import java.time.Instant;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import org.assertj.core.util.VisibleForTesting;
import software.amazon.awssdk.annotations.NotNull;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
import software.amazon.awssdk.services.s3control.S3ControlAsyncClient;
import software.amazon.awssdk.services.s3control.model.Credentials;
import software.amazon.awssdk.services.s3control.model.GetDataAccessRequest;
import software.amazon.awssdk.services.s3control.model.GetDataAccessResponse;
import software.amazon.awssdk.services.s3control.model.Permission;
import software.amazon.awssdk.services.s3control.model.Privilege;
import software.amazon.awssdk.services.s3control.model.S3ControlException;
import software.amazon.awssdk.utils.Logger;

/* loaded from: input_file:software/amazon/awssdk/s3accessgrants/cache/S3AccessGrantsCache.class */
public class S3AccessGrantsCache {
    private AsyncCache<CacheKey, AwsCredentialsIdentity> cache;
    private final S3ControlAsyncClient s3ControlAsyncClient;
    private int maxCacheSize;
    private final S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver;
    private final int cacheExpirationTimePercentage;
    private static final Logger logger = Logger.loggerFor(S3AccessGrantsCache.class);

    /* loaded from: input_file:software/amazon/awssdk/s3accessgrants/cache/S3AccessGrantsCache$Builder.class */
    public interface Builder {
        S3AccessGrantsCache build();

        S3AccessGrantsCache buildWithAccountIdResolver();

        Builder s3ControlAsyncClient(S3ControlAsyncClient s3ControlAsyncClient);

        Builder maxCacheSize(int i);

        Builder cacheExpirationTimePercentage(int i);

        Builder s3AccessGrantsCachedAccountIdResolver(S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:software/amazon/awssdk/s3accessgrants/cache/S3AccessGrantsCache$BuilderImpl.class */
    public static final class BuilderImpl implements Builder {
        private S3ControlAsyncClient s3ControlAsyncClient;
        private int maxCacheSize;
        private S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver;
        private int cacheExpirationTimePercentage;

        private BuilderImpl() {
            this.maxCacheSize = S3AccessGrantsConstants.DEFAULT_ACCESS_GRANTS_MAX_CACHE_SIZE;
        }

        @Override // software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCache.Builder
        public S3AccessGrantsCache build() {
            return new S3AccessGrantsCache(this.s3ControlAsyncClient, S3AccessGrantsCachedAccountIdResolver.builder().S3ControlAsyncClient(this.s3ControlAsyncClient).build(), this.maxCacheSize, this.cacheExpirationTimePercentage);
        }

        @Override // software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCache.Builder
        public S3AccessGrantsCache buildWithAccountIdResolver() {
            return new S3AccessGrantsCache(this.s3ControlAsyncClient, this.s3AccessGrantsCachedAccountIdResolver, this.maxCacheSize, this.cacheExpirationTimePercentage);
        }

        @Override // software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCache.Builder
        public Builder s3ControlAsyncClient(S3ControlAsyncClient s3ControlAsyncClient) {
            this.s3ControlAsyncClient = s3ControlAsyncClient;
            return this;
        }

        @Override // software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCache.Builder
        public Builder maxCacheSize(int i) {
            this.maxCacheSize = i;
            return this;
        }

        @Override // software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCache.Builder
        public Builder cacheExpirationTimePercentage(int i) {
            this.cacheExpirationTimePercentage = i;
            return this;
        }

        @Override // software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCache.Builder
        public Builder s3AccessGrantsCachedAccountIdResolver(S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver) {
            this.s3AccessGrantsCachedAccountIdResolver = s3AccessGrantsCachedAccountIdResolver;
            return this;
        }
    }

    /* loaded from: input_file:software/amazon/awssdk/s3accessgrants/cache/S3AccessGrantsCache$CustomCacheExpiry.class */
    private static class CustomCacheExpiry<K, V> implements Expiry<K, V> {
        private CustomCacheExpiry() {
        }

        public long expireAfterCreate(K k, V v, long j) {
            return Long.MIN_VALUE;
        }

        public long expireAfterUpdate(K k, V v, long j, long j2) {
            return j2;
        }

        public long expireAfterRead(K k, V v, long j, long j2) {
            return j2;
        }
    }

    private S3AccessGrantsCache(@NotNull S3ControlAsyncClient s3ControlAsyncClient, S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver, int i, int i2) {
        if (s3ControlAsyncClient == null) {
            throw new IllegalArgumentException("S3ControlAsyncClient is required");
        }
        this.s3ControlAsyncClient = s3ControlAsyncClient;
        this.s3AccessGrantsCachedAccountIdResolver = s3AccessGrantsCachedAccountIdResolver;
        this.cacheExpirationTimePercentage = i2;
        this.maxCacheSize = i;
        this.cache = Caffeine.newBuilder().maximumSize(i).expireAfter(new CustomCacheExpiry()).recordStats().buildAsync();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public S3AccessGrantsCachedAccountIdResolver getS3AccessGrantsCachedAccountIdResolver() {
        return this.s3AccessGrantsCachedAccountIdResolver;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static Builder builder() {
        return new BuilderImpl();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CompletableFuture<AwsCredentialsIdentity> getCredentials(CacheKey cacheKey, String str, S3AccessGrantsAccessDeniedCache s3AccessGrantsAccessDeniedCache) throws S3ControlException {
        logger.debug(() -> {
            return "Fetching credentials from Access Grants for s3Prefix: " + cacheKey.s3Prefix;
        });
        CompletableFuture<AwsCredentialsIdentity> searchKeyInCacheAtPrefixLevel = searchKeyInCacheAtPrefixLevel(cacheKey);
        if (searchKeyInCacheAtPrefixLevel == null && (cacheKey.permission == Permission.READ || cacheKey.permission == Permission.WRITE)) {
            searchKeyInCacheAtPrefixLevel = searchKeyInCacheAtPrefixLevel(cacheKey.toBuilder().permission(Permission.READWRITE).build());
        }
        if (searchKeyInCacheAtPrefixLevel == null) {
            searchKeyInCacheAtPrefixLevel = searchKeyInCacheAtCharacterLevel(cacheKey);
        }
        if (searchKeyInCacheAtPrefixLevel == null && (cacheKey.permission == Permission.READ || cacheKey.permission == Permission.WRITE)) {
            searchKeyInCacheAtPrefixLevel = searchKeyInCacheAtCharacterLevel(cacheKey.toBuilder().permission(Permission.READWRITE).build());
        }
        if (searchKeyInCacheAtPrefixLevel == null) {
            try {
                logger.debug(() -> {
                    return "Credentials not available in the cache. Fetching credentials from Access Grants service.";
                });
                searchKeyInCacheAtPrefixLevel = getCredentialsFromService(cacheKey, str).thenApply(getDataAccessResponse -> {
                    Credentials credentials = getDataAccessResponse.credentials();
                    long ttl = getTTL(credentials.expiration());
                    AwsSessionCredentials build = AwsSessionCredentials.builder().accessKeyId(credentials.accessKeyId()).secretAccessKey(credentials.secretAccessKey()).sessionToken(credentials.sessionToken()).build();
                    String matchedGrantTarget = getDataAccessResponse.matchedGrantTarget();
                    if (matchedGrantTarget.endsWith("*")) {
                        putValueInCache(cacheKey.toBuilder().s3Prefix(processMatchedGrantTarget(matchedGrantTarget)).build(), CompletableFuture.supplyAsync(() -> {
                            return build;
                        }), ttl);
                    }
                    logger.debug(() -> {
                        return "Successfully retrieved the credentials from Access Grants service";
                    });
                    return build;
                });
            } catch (S3ControlException e) {
                logger.error(() -> {
                    return "Exception occurred while fetching the credentials: " + e;
                });
                if (e.statusCode() == 403) {
                    logger.debug(() -> {
                        return "Caching the Access Denied request.";
                    });
                    s3AccessGrantsAccessDeniedCache.putValueInCache(cacheKey, e);
                }
                throw e;
            }
        }
        return searchKeyInCacheAtPrefixLevel;
    }

    @VisibleForTesting
    long getTTL(Instant instant) {
        return ((float) (instant.getEpochSecond() - Instant.now().getEpochSecond())) * (this.cacheExpirationTimePercentage / 100.0f);
    }

    private CompletableFuture<GetDataAccessResponse> getCredentialsFromService(CacheKey cacheKey, String str) throws S3ControlException {
        String resolve = this.s3AccessGrantsCachedAccountIdResolver.resolve(str, cacheKey.s3Prefix);
        logger.debug(() -> {
            return "Fetching credentials from Access Grants for accountId: " + resolve + ", s3Prefix: " + cacheKey.s3Prefix + ", permission: " + cacheKey.permission + ", privilege: " + Privilege.DEFAULT;
        });
        return this.s3ControlAsyncClient.getDataAccess((GetDataAccessRequest) GetDataAccessRequest.builder().accountId(resolve).target(cacheKey.s3Prefix).permission(cacheKey.permission).privilege(Privilege.DEFAULT).build());
    }

    private CompletableFuture<AwsCredentialsIdentity> searchKeyInCacheAtPrefixLevel(CacheKey cacheKey) {
        String str = cacheKey.s3Prefix;
        while (true) {
            String str2 = str;
            if (str2.equals("s3:")) {
                return null;
            }
            CompletableFuture<AwsCredentialsIdentity> ifPresent = this.cache.getIfPresent(cacheKey.toBuilder().s3Prefix(str2).build());
            if (ifPresent != null) {
                logger.debug(() -> {
                    return "Successfully retrieved credentials from the cache.";
                });
                return ifPresent;
            }
            str = getNextPrefix(str2);
        }
    }

    private CompletableFuture<AwsCredentialsIdentity> searchKeyInCacheAtCharacterLevel(CacheKey cacheKey) {
        String str = cacheKey.s3Prefix;
        while (true) {
            String str2 = str;
            if (str2.equals("s3://")) {
                return null;
            }
            CompletableFuture<AwsCredentialsIdentity> ifPresent = this.cache.getIfPresent(cacheKey.toBuilder().s3Prefix(str2 + "*").build());
            if (ifPresent != null) {
                logger.debug(() -> {
                    return "Successfully retrieved credentials from the cache.";
                });
                return ifPresent;
            }
            str = getNextPrefixByChar(str2);
        }
    }

    @VisibleForTesting
    void putValueInCache(CacheKey cacheKey, CompletableFuture<AwsCredentialsIdentity> completableFuture, long j) {
        logger.debug(() -> {
            return "Caching the credentials for s3Prefix:" + cacheKey.s3Prefix + " and permission: " + cacheKey.permission;
        });
        this.cache.put(cacheKey, completableFuture);
        this.cache.synchronous().policy().expireVariably().ifPresent(varExpiration -> {
            varExpiration.setExpiresAfter(cacheKey, j, TimeUnit.SECONDS);
        });
    }

    private String getNextPrefix(String str) {
        return str.substring(0, str.lastIndexOf("/"));
    }

    private String getNextPrefixByChar(String str) {
        return str.substring(0, str.length() - 1);
    }

    @VisibleForTesting
    String processMatchedGrantTarget(String str) {
        return str.substring(str.length() - 2).equals("/*") ? str.substring(0, str.length() - 2) : str;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CacheStats getCacheStats() {
        return this.cache.synchronous().stats();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public void invalidateCache() {
        this.cache.synchronous().invalidateAll();
    }
}
