package software.amazon.awssdk.s3accessgrants.plugin;

import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import software.amazon.awssdk.annotations.NotNull;
import software.amazon.awssdk.core.exception.SdkServiceException;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
import software.amazon.awssdk.identity.spi.IdentityProvider;
import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
import software.amazon.awssdk.metrics.MetricPublisher;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.s3accessgrants.cache.S3AccessGrantsCachedCredentialsProvider;
import software.amazon.awssdk.s3accessgrants.plugin.internal.S3AccessGrantsUtils;
import software.amazon.awssdk.services.s3control.S3ControlAsyncClient;
import software.amazon.awssdk.services.s3control.S3ControlAsyncClientBuilder;
import software.amazon.awssdk.services.s3control.model.Permission;
import software.amazon.awssdk.services.s3control.model.Privilege;
import software.amazon.awssdk.services.s3control.model.S3ControlException;
import software.amazon.awssdk.services.sts.StsAsyncClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;
import software.amazon.awssdk.utils.Validate;

/* loaded from: input_file:software/amazon/awssdk/s3accessgrants/plugin/S3AccessGrantsIdentityProvider.class */
public class S3AccessGrantsIdentityProvider implements IdentityProvider<AwsCredentialsIdentity> {
    private final IdentityProvider<? extends AwsCredentialsIdentity> credentialsProvider;
    private final Privilege privilege;
    private final Boolean isCacheEnabled;
    private final S3ControlAsyncClientBuilder s3ControlBuilder;
    private final StsAsyncClient stsAsyncClient;
    private final S3AccessGrantsCachedCredentialsProvider cache;
    private final boolean enableFallback;
    private final MetricPublisher metricsPublisher;
    private final ConcurrentHashMap<Region, S3ControlAsyncClient> clientsCache;
    private AwsCredentialsIdentity cachedCredentials;
    private String cachedAccountId;
    private String CONTACT_TEAM_MESSAGE_TEMPLATE = "An internal exception has occurred. Valid %s was not passed to the %s. Please contact S3 access grants plugin team!";

    public S3AccessGrantsIdentityProvider(@NotNull IdentityProvider<? extends AwsCredentialsIdentity> identityProvider, @NotNull StsAsyncClient stsAsyncClient, @NotNull Privilege privilege, @NotNull Boolean bool, @NotNull S3ControlAsyncClientBuilder s3ControlAsyncClientBuilder, @NotNull S3AccessGrantsCachedCredentialsProvider s3AccessGrantsCachedCredentialsProvider, @NotNull boolean z, @NotNull MetricPublisher metricPublisher, @NotNull ConcurrentHashMap<Region, S3ControlAsyncClient> concurrentHashMap) {
        S3AccessGrantsUtils.argumentNotNull(identityProvider, "Expecting an Identity Provider to be specified while configuring S3Clients!");
        S3AccessGrantsUtils.argumentNotNull(stsAsyncClient, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "sts client", "identity provider"));
        S3AccessGrantsUtils.argumentNotNull(concurrentHashMap, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "client cache", "identity provider"));
        this.credentialsProvider = identityProvider;
        this.stsAsyncClient = stsAsyncClient;
        this.privilege = privilege;
        this.isCacheEnabled = bool;
        this.s3ControlBuilder = s3ControlAsyncClientBuilder;
        this.cache = s3AccessGrantsCachedCredentialsProvider;
        this.enableFallback = z;
        this.metricsPublisher = metricPublisher;
        this.clientsCache = concurrentHashMap;
    }

    public Class<AwsCredentialsIdentity> identityType() {
        return AwsCredentialsIdentity.class;
    }

    public CompletableFuture<? extends AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest resolveIdentityRequest) {
        CompletableFuture<? extends AwsCredentialsIdentity> credentialsFromCache;
        if (resolveIdentityRequest != null) {
            try {
                if (resolveIdentityRequest.property(S3AccessGrantsUtils.AUTH_EXCEPTIONS_PROPERTY) != null) {
                    throw ((SdkServiceException) resolveIdentityRequest.property(S3AccessGrantsUtils.AUTH_EXCEPTIONS_PROPERTY));
                }
            } catch (SdkServiceException e) {
                unwrapAndBuildException(e);
                if (shouldFallbackToDefaultCredentialsForThisCase(e.statusCode(), e.getCause()).booleanValue()) {
                    return this.credentialsProvider.resolveIdentity(resolveIdentityRequest);
                }
                throw e;
            }
        }
        CompletableFuture<? extends AwsCredentialsIdentity> resolveIdentity = this.credentialsProvider.resolveIdentity(resolveIdentityRequest);
        validateRequestParameters(resolveIdentityRequest, this.privilege, this.isCacheEnabled);
        String callerAccountID = getCallerAccountID(resolveIdentity);
        String obj = resolveIdentityRequest.property(S3AccessGrantsUtils.PREFIX_PROPERTY).toString();
        Permission fromValue = Permission.fromValue(resolveIdentityRequest.property(S3AccessGrantsUtils.PERMISSION_PROPERTY).toString());
        Region of = Region.of(resolveIdentityRequest.property(S3AccessGrantsUtils.BUCKET_LOCATION_PROPERTY).toString());
        S3AccessGrantsUtils.logger.debug(() -> {
            return " Call access grants with the following request params! ";
        });
        S3AccessGrantsUtils.logger.debug(() -> {
            return " S3Prefix : " + obj;
        });
        S3AccessGrantsUtils.logger.debug(() -> {
            return " caller accountID : " + callerAccountID;
        });
        S3AccessGrantsUtils.logger.debug(() -> {
            return " permission : " + fromValue;
        });
        S3AccessGrantsUtils.logger.debug(() -> {
            return " bucket region : " + of;
        });
        if (this.clientsCache.containsKey(of)) {
            credentialsFromCache = getCredentialsFromCache(resolveIdentity.join(), fromValue, obj, callerAccountID, this.clientsCache.get(of));
        } else {
            S3ControlAsyncClient s3ControlAsyncClient = (S3ControlAsyncClient) this.s3ControlBuilder.region(of).build();
            this.clientsCache.put(of, s3ControlAsyncClient);
            credentialsFromCache = getCredentialsFromCache(resolveIdentity.join(), fromValue, obj, callerAccountID, s3ControlAsyncClient);
        }
        return credentialsFromCache;
    }

    CompletableFuture<? extends AwsCredentialsIdentity> getCredentialsFromCache(AwsCredentialsIdentity awsCredentialsIdentity, Permission permission, String str, String str2, S3ControlAsyncClient s3ControlAsyncClient) {
        try {
            try {
                CompletableFuture<AwsCredentialsIdentity> exceptionally = this.cache.getDataAccess(awsCredentialsIdentity, permission, str, str2, s3ControlAsyncClient).exceptionally(th -> {
                    SdkServiceException unwrapAndBuildException = unwrapAndBuildException(th);
                    if (shouldFallbackToDefaultCredentialsForThisCase(unwrapAndBuildException.statusCode(), unwrapAndBuildException).booleanValue()) {
                        return awsCredentialsIdentity;
                    }
                    throw unwrapAndBuildException;
                });
                if (this.metricsPublisher != null) {
                    publishMetrics();
                }
                return exceptionally;
            } catch (Exception e) {
                SdkServiceException unwrapAndBuildException = unwrapAndBuildException(e);
                if (!shouldFallbackToDefaultCredentialsForThisCase(unwrapAndBuildException.statusCode(), unwrapAndBuildException).booleanValue()) {
                    throw unwrapAndBuildException;
                }
                CompletableFuture<? extends AwsCredentialsIdentity> supplyAsync = CompletableFuture.supplyAsync(() -> {
                    return awsCredentialsIdentity;
                });
                if (this.metricsPublisher != null) {
                    publishMetrics();
                }
                return supplyAsync;
            }
        } catch (Throwable th2) {
            if (this.metricsPublisher != null) {
                publishMetrics();
            }
            throw th2;
        }
    }

    private void publishMetrics() {
        try {
            this.metricsPublisher.publish(this.cache.getAccessGrantsMetrics().collect());
            this.metricsPublisher.close();
        } catch (Exception e) {
            S3AccessGrantsUtils.logger.warn(() -> {
                return "Something went wrong while publishing metrics using the metrics publisher. Please contact S3 access grants plugin team!";
            });
            S3AccessGrantsUtils.logger.warn(() -> {
                return "cause for metrics publisher error : " + e.getMessage();
            });
        }
    }

    private void validateRequestParameters(ResolveIdentityRequest resolveIdentityRequest, Privilege privilege, Boolean bool) {
        S3AccessGrantsUtils.logger.debug(() -> {
            return "Validating the request parameters before sending a request to S3 Access grants!";
        });
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "request", "identity provider"));
        S3AccessGrantsUtils.argumentNotNull(privilege, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "privilege", "identity provider"));
        S3AccessGrantsUtils.argumentNotNull(bool, String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "cache setting", "identity provider"));
        Pattern compile = Pattern.compile("s3://[a-z0-9.-]*");
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest.property(S3AccessGrantsUtils.PREFIX_PROPERTY), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "S3Prefix", "identity provider"));
        Validate.isTrue(compile.matcher(resolveIdentityRequest.property(S3AccessGrantsUtils.PREFIX_PROPERTY).toString()).find(), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "S3Prefix", "identity provider"), new Object[0]);
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest.property(S3AccessGrantsUtils.BUCKET_LOCATION_PROPERTY), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "request region", "identity provider"));
        S3AccessGrantsUtils.argumentNotNull(resolveIdentityRequest.property(S3AccessGrantsUtils.PERMISSION_PROPERTY), String.format(this.CONTACT_TEAM_MESSAGE_TEMPLATE, "permission", "identity provider"));
        S3AccessGrantsUtils.logger.debug(() -> {
            return "Validation Complete. The request parameters can be forwarded to S3 Access grants!";
        });
    }

    private SdkServiceException unwrapAndBuildException(Throwable th) {
        while (th.getCause() != null) {
            th = th.getCause();
        }
        if (!(th instanceof S3ControlException)) {
            return SdkServiceException.builder().message(th.getMessage()).cause(th).build();
        }
        S3ControlException s3ControlException = (S3ControlException) th;
        return SdkServiceException.builder().statusCode(s3ControlException.statusCode()).message(s3ControlException.getMessage()).cause(th).build();
    }

    Boolean shouldFallbackToDefaultCredentialsForThisCase(int i, Throwable th) {
        if (this.enableFallback) {
            S3AccessGrantsUtils.logger.debug(() -> {
                return " Fall back enabled on the plugin! falling back to evaluate permission through policies!";
            });
            return true;
        }
        if (i == 404 && (th instanceof UnsupportedOperationException)) {
            S3AccessGrantsUtils.logger.debug(() -> {
                return " Operation not supported by S3 access grants! fall back to evaluate permission through policies!";
            });
            return true;
        }
        S3AccessGrantsUtils.logger.error(() -> {
            return " Fall back not enabled! An attempt will not be made to evaluate permissions through policies! " + th.getMessage();
        });
        return false;
    }

    String getCallerAccountID(CompletableFuture<? extends AwsCredentialsIdentity> completableFuture) {
        AwsCredentialsIdentity join = completableFuture.join();
        if (join.equals(this.cachedCredentials)) {
            S3AccessGrantsUtils.logger.debug(() -> {
                return "caller account cached, avoiding sending requests to STS";
            });
            return this.cachedAccountId;
        }
        S3AccessGrantsUtils.logger.debug(() -> {
            return "caller account not cached, requesting STS to fetch caller accountID!";
        });
        this.cachedAccountId = ((GetCallerIdentityResponse) this.stsAsyncClient.getCallerIdentity().join()).account();
        this.cachedCredentials = join;
        return this.cachedAccountId;
    }
}
