package gobblin.aws;

import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.google.common.base.Optional;
import com.google.common.base.Throwables;
import com.google.common.util.concurrent.AbstractIdleService;
import com.typesafe.config.Config;
import gobblin.annotation.Alpha;
import gobblin.util.ExecutorsUtils;
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

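@Alpha
/* loaded from: input_file:gobblin/aws/AWSClusterSecurityManager.class */
/**
 * Service that periodically (re)builds the AWS credentials used by the cluster.
 *
 * <p>On every refresh the long-term service access key and secret key are read from the
 * supplied {@link Config}. When assume-role is enabled, those keys are used to call STS
 * {@code AssumeRole} and the resulting temporary session credentials are cached.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The long-term secret key lives in {@link Config} and in fields of this object for the
 *       lifetime of the service; nothing in this class logs it, and callers should not either.</li>
 *   <li>The {@code AssumeRole} request sets no explicit duration, so the STS default session
 *       lifetime applies. The configured refresh interval has to be shorter than that lifetime,
 *       otherwise callers will be handed expired session credentials between refreshes.</li>
 *   <li>Callers can detect a stalled refresh by comparing {@link #getLastRefreshTimeInMillis()}
 *       with the current time.</li>
 * </ul>
 *
 * <p>All mutable state is held in {@code volatile} fields; they are written by the single
 * refresh thread and read by callers of the getters.
 */
public class AWSClusterSecurityManager extends AbstractIdleService {
    private static final Logger LOGGER = LoggerFactory.getLogger(AWSClusterSecurityManager.class);
    private final Config config;
    // Long-term service credentials, re-read from config on every refresh.
    private volatile String serviceAccessKey;
    private volatile String serviceSecretKey;
    // Assume-role settings; the role ARN, external id and session id are only read when enabled.
    private volatile boolean clientAssumeRole;
    private volatile String clientRoleArn;
    private volatile String clientExternalId;
    private volatile String clientSessionId;
    // Wall-clock time of the last refresh that completed without an exception (0 until then).
    private volatile long lastRefreshTimeInMillis;
    private volatile BasicAWSCredentials basicAWSCredentials;
    private volatile BasicSessionCredentials basicSessionCredentials;
    private final long refreshIntervalInMinutes;
    private final ScheduledExecutorService loginExecutor = Executors.newSingleThreadScheduledExecutor(ExecutorsUtils.newThreadFactory(Optional.of(LOGGER), Optional.of("LoginExecutor")));

    /**
     * Creates the manager and reads the refresh interval (in minutes) from {@code config}.
     *
     * @param config configuration holding the credential and assume-role settings
     */
    public AWSClusterSecurityManager(Config config) {
        this.config = config;
        this.refreshIntervalInMinutes = config.getLong(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL);
    }

    /**
     * Reloads the service keys and, when assume-role is enabled, the role ARN, external id and
     * session id from the configuration into this object's fields.
     */
    private void fetchLoginConfiguration() {
        this.serviceAccessKey = this.config.getString(GobblinAWSConfigurationKeys.SERVICE_ACCESS_KEY);
        this.serviceSecretKey = this.config.getString(GobblinAWSConfigurationKeys.SERVICE_SECRET_KEY);
        this.clientAssumeRole = this.config.getBoolean(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY);
        if (this.clientAssumeRole) {
            this.clientRoleArn = this.config.getString(GobblinAWSConfigurationKeys.CLIENT_ROLE_ARN_KEY);
            this.clientExternalId = this.config.getString(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY);
            this.clientSessionId = this.config.getString(GobblinAWSConfigurationKeys.CLIENT_SESSION_ID_KEY);
        }
    }

    /**
     * Schedules the credentials refresh task: first run immediately, then once per refresh
     * interval.
     */
    @Override
    protected void startUp() throws Exception {
        LOGGER.info("Starting the " + AWSClusterSecurityManager.class.getSimpleName());
        LOGGER.info(String.format("Scheduling the credentials refresh task with an interval of %d minute(s)", this.refreshIntervalInMinutes));
        this.loginExecutor.scheduleAtFixedRate(new Runnable() { // from class: gobblin.aws.AWSClusterSecurityManager.1
            @Override // java.lang.Runnable
            public void run() {
                try {
                    AWSClusterSecurityManager.this.login();
                } catch (Exception e) {
                    // A task that throws is never run again by scheduleAtFixedRate, and the
                    // exception is only stored in the discarded ScheduledFuture. Rethrowing
                    // would therefore turn one transient failure into a permanent, silent stop
                    // of credential refresh, and runtime failures (missing config key, STS
                    // error) would not even be logged. Log every failure and let the next
                    // scheduled run retry instead.
                    AWSClusterSecurityManager.LOGGER.error("Failed to login", e);
                }
            }
        }, 0L, this.refreshIntervalInMinutes, TimeUnit.MINUTES);
    }

    /** Stops the refresh executor via {@code GobblinAWSUtils.shutdownExecutorService}. */
    @Override
    protected void shutDown() throws Exception {
        GobblinAWSUtils.shutdownExecutorService(getClass(), this.loginExecutor, LOGGER);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Refreshes the cached credentials from the current configuration.
     *
     * <p>Always rebuilds the basic (long-term) credentials. When assume-role is enabled it also
     * calls STS {@code AssumeRole} with the configured role ARN, external id and session name,
     * and caches the returned temporary credentials. The refresh timestamp is only advanced
     * when the whole refresh completed without an exception.
     *
     * @throws IOException declared for callers; failures of the config lookup or of the STS
     *     call surface as unchecked exceptions
     */
    public void login() throws IOException {
        fetchLoginConfiguration();
        this.basicAWSCredentials = new BasicAWSCredentials(this.serviceAccessKey, this.serviceSecretKey);
        if (this.clientAssumeRole) {
            AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(this.basicAWSCredentials);
            try {
                AssumeRoleResult assumeRole = stsClient.assumeRole(new AssumeRoleRequest()
                        .withRoleSessionName(this.clientSessionId)
                        .withExternalId(this.clientExternalId)
                        .withRoleArn(this.clientRoleArn));
                this.basicSessionCredentials = new BasicSessionCredentials(
                        assumeRole.getCredentials().getAccessKeyId(),
                        assumeRole.getCredentials().getSecretAccessKey(),
                        assumeRole.getCredentials().getSessionToken());
            } finally {
                // A new STS client is created on every refresh; release its HTTP resources so
                // that a long-running service does not accumulate one client per interval.
                stsClient.shutdown();
            }
        }
        this.lastRefreshTimeInMillis = System.currentTimeMillis();
    }

    /**
     * @return wall-clock time in milliseconds of the last completed refresh, or 0 if none has
     *     completed yet
     */
    public long getLastRefreshTimeInMillis() {
        return this.lastRefreshTimeInMillis;
    }

    /** @return whether the last loaded configuration enables assume-role */
    public boolean isAssumeRoleEnabled() {
        return this.clientAssumeRole;
    }

    /**
     * @return the long-term service credentials built by the last refresh; {@code null} until
     *     the first refresh has run
     */
    public BasicAWSCredentials getBasicAWSCredentials() {
        return this.basicAWSCredentials;
    }

    /**
     * @return the temporary credentials from the last successful {@code AssumeRole} call;
     *     {@code null} until one has succeeded
     * @throws IllegalStateException if assume-role is not enabled
     */
    public BasicSessionCredentials getBasicSessionCredentials() {
        if (this.clientAssumeRole) {
            return this.basicSessionCredentials;
        }
        throw new IllegalStateException("AWS Security manager is not configured to run on behalf of another AWS user. Use getBasicAWSCredentials() instead");
    }
}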
