package com.amazon.athena.jdbc.authentication;

import com.amazon.athena.jdbc.configuration.ConnectionParameter;
import com.amazon.athena.jdbc.configuration.ConnectionParameters;
import com.amazon.athena.jdbc.support.EndpointHelper;
import com.amazon.athena.jdbc.support.ProxyHelper;
import com.amazon.athena.logging.AthenaLogger;
import java.net.URI;
import java.time.Clock;
import java.util.Map;
import java.util.Optional;
import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityResponse;
import software.amazon.awssdk.services.sts.model.Credentials;

/* loaded from: input_file:com/amazon/athena/jdbc/authentication/JwtCredentialsProvider.class */
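/**
 * Credentials provider that exchanges a web identity token for temporary AWS session
 * credentials through the STS {@code AssumeRoleWithWebIdentity} operation.
 *
 * <p>The obtained credentials are cached and replaced once they are within
 * {@value #EXPIRATION_THRESHOLD_SECS} seconds of their expiration time.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The web identity token is a bearer secret. It is the only authenticator sent to STS,
 *       because the STS client is built with anonymous credentials. It must never reach a log.</li>
 *   <li>The same token is re-sent on every refresh. NOTE(review): if the identity provider
 *       issues short-lived tokens, a refresh after the token's own expiry will presumably be
 *       rejected by STS; confirm how callers rotate the token.</li>
 *   <li>The STS endpoint can be overridden through connection parameters, so the token is sent
 *       to whatever endpoint is configured. NOTE(review): validation of that value happens in
 *       {@code EndpointHelper.constructEndpointUri}, which is not visible here; confirm it
 *       restricts the scheme and host as intended.</li>
 *   <li>NOTE(review): the credential cache is a plain field with no synchronization; confirm
 *       whether a single provider instance is shared between threads.</li>
 * </ul>
 */
public class JwtCredentialsProvider implements AwsCredentialsProvider {
    private static final AthenaLogger logger = AthenaLogger.of(JwtCredentialsProvider.class);

    /** Credentials closer than this many seconds to expiry are refreshed before being returned. */
    private static final int EXPIRATION_THRESHOLD_SECS = 180;

    private final String webIdentityToken;
    private final String roleArn;
    private final String roleSessionName;
    private final Region region;
    private final StsClientBuilder stsClientFactory;
    private final AssumeRoleWithWebIdentityRequest.Builder assumeRoleWithWebIdentityRequestFactory;
    private final Clock clock;
    private final Map<ConnectionParameter<?>, String> parameters;

    /** Most recently obtained session credentials, or {@code null} before the first STS call. */
    private AwsSessionCredentials credentials;

    /**
     * Fluent builder for {@link JwtCredentialsProvider}. The builder performs no validation;
     * values are handed to the provider unchanged.
     */
    public static class Builder {
        private String webIdentityToken;
        private String roleArn;
        private String roleSessionName;
        private Region region;
        private StsClientBuilder stsClientFactory;
        private AssumeRoleWithWebIdentityRequest.Builder assumeRoleWithWebIdentityRequestFactory;
        private Clock clock;
        private Map<ConnectionParameter<?>, String> parameters;

        /** Sets the web identity token presented to STS. Treat the value as a secret. */
        public Builder webIdentityToken(String str) {
            this.webIdentityToken = str;
            return this;
        }

        /** Sets the ARN of the role to assume. */
        public Builder roleArn(String str) {
            this.roleArn = str;
            return this;
        }

        /** Sets the session name sent with the assume-role request. */
        public Builder roleSessionName(String str) {
            this.roleSessionName = str;
            return this;
        }

        /** Sets the region used for the STS client. */
        public Builder region(Region region) {
            this.region = region;
            return this;
        }

        /** Package-private: replaces the default {@code StsClient.builder()} when non-null. */
        Builder stsClientFactory(StsClientBuilder stsClientBuilder) {
            this.stsClientFactory = stsClientBuilder;
            return this;
        }

        /** Package-private: replaces the default request builder when non-null. */
        Builder assumeRoleWithWebIdentityRequestFactory(AssumeRoleWithWebIdentityRequest.Builder builder) {
            this.assumeRoleWithWebIdentityRequestFactory = builder;
            return this;
        }

        /** Package-private: replaces the default system clock when non-null. */
        Builder clock(Clock clock) {
            this.clock = clock;
            return this;
        }

        /** Sets the connection parameters consulted for the STS endpoint and proxy settings. */
        public Builder connectionParameters(Map<ConnectionParameter<?>, String> map) {
            this.parameters = map;
            return this;
        }

        /** Creates the provider from the values collected so far. */
        public JwtCredentialsProvider build() {
            return new JwtCredentialsProvider(
                    this.webIdentityToken,
                    this.roleArn,
                    this.roleSessionName,
                    this.region,
                    this.stsClientFactory,
                    this.assumeRoleWithWebIdentityRequestFactory,
                    this.clock,
                    this.parameters);
        }
    }

    private JwtCredentialsProvider(String str, String str2, String str3, Region region, StsClientBuilder stsClientBuilder, AssumeRoleWithWebIdentityRequest.Builder builder, Clock clock, Map<ConnectionParameter<?>, String> map) {
        this.webIdentityToken = str;
        this.roleArn = str2;
        this.roleSessionName = str3;
        this.region = region;
        // The three collaborators below fall back to defaults when the builder left them unset.
        this.stsClientFactory = stsClientBuilder == null ? StsClient.builder() : stsClientBuilder;
        this.assumeRoleWithWebIdentityRequestFactory = builder == null ? AssumeRoleWithWebIdentityRequest.builder() : builder;
        this.clock = clock == null ? Clock.systemDefaultZone() : clock;
        this.parameters = map;
    }

    /** Returns a new, empty {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Returns the cached session credentials, first fetching fresh ones from STS when nothing is
     * cached, when the cached credentials expire within {@value #EXPIRATION_THRESHOLD_SECS}
     * seconds, or when they carry no expiration time at all.
     *
     * @return session credentials obtained from STS
     */
    @Override // software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
    public AwsCredentials resolveCredentials() {
        AwsSessionCredentials cached = this.credentials;
        // Credentials without an expiration time cannot be proven fresh, so they are refreshed
        // instead of calling Optional.get() on an empty value.
        boolean refreshNeeded = cached == null
                || cached.expirationTime()
                        .map(expiry -> expiry.isBefore(this.clock.instant().plusSeconds(EXPIRATION_THRESHOLD_SECS)))
                        .orElse(true);
        if (refreshNeeded) {
            this.credentials = obtainCredentialsFromSts();
        }
        return this.credentials;
    }

    /**
     * Calls STS {@code AssumeRoleWithWebIdentity} with the configured token, role ARN and session
     * name, and converts the response into {@link AwsSessionCredentials}.
     */
    private AwsSessionCredentials obtainCredentialsFromSts() {
        getStsEndpoint().ifPresent(this.stsClientFactory::endpointOverride);
        // The proxy settings were previously looked up and then discarded by an empty callback,
        // so the token exchange bypassed any configured proxy. Apply them to the HTTP client.
        ProxyHelper.getSyncProxyConfiguration(this.parameters).ifPresent(proxyConfiguration ->
                this.stsClientFactory.httpClientBuilder(getHttpClientBuilder(proxyConfiguration)));

        AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = this.assumeRoleWithWebIdentityRequestFactory
                .webIdentityToken(this.webIdentityToken)
                .roleArn(this.roleArn)
                .roleSessionName(this.roleSessionName)
                .build();

        logger.debug("Obtaining credentials from STS", new Object[0]);
        // The request object carries the web identity token; whether its string form redacts the
        // token depends on the SDK version, so only the role ARN is logged.
        logger.trace("Sending AssumeRoleWithWebIdentity request for role: {}", this.roleArn);

        AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity;
        // Anonymous credentials: the call is authenticated by the token alone. The client is
        // closed after the call so that repeated refreshes do not accumulate HTTP resources.
        try (StsClient stsClient = this.stsClientFactory
                .region(this.region)
                .credentialsProvider(AnonymousCredentialsProvider.create())
                .build()) {
            assumeRoleWithWebIdentity = stsClient.assumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest);
        }
        logger.info("Obtained credentials from STS", new Object[0]);

        Credentials stsCredentials = assumeRoleWithWebIdentity.credentials();
        return AwsSessionCredentials.builder()
                .accessKeyId(stsCredentials.accessKeyId())
                .secretAccessKey(stsCredentials.secretAccessKey())
                .sessionToken(stsCredentials.sessionToken())
                .expirationTime(stsCredentials.expiration())
                .build();
    }

    /**
     * Resolves the optional STS endpoint override from the connection parameters.
     *
     * @return the endpoint URI built by {@code EndpointHelper}, or empty when none is configured
     */
    private Optional<URI> getStsEndpoint() {
        Optional<String> configuredEndpoint = ConnectionParameters.STS_ENDPOINT_PARAMETER.findValue(this.parameters);
        return configuredEndpoint.isPresent()
                ? EndpointHelper.constructEndpointUri(configuredEndpoint.get(), "STS")
                : Optional.empty();
    }

    /** Creates an Apache HTTP client builder that routes requests through the given proxy. */
    private ApacheHttpClient.Builder getHttpClientBuilder(ProxyConfiguration proxyConfiguration) {
        return ApacheHttpClient.builder().proxyConfiguration(proxyConfiguration);
    }
}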
