package io.lakefs.auth;

import com.amazonaws.auth.AWSCredentialsProvider;
import io.lakefs.Constants;
import io.lakefs.FSConfiguration;
import io.lakefs.clients.sdk.ApiClient;
import io.lakefs.clients.sdk.AuthApi;
import io.lakefs.clients.sdk.model.AuthenticationToken;
import io.lakefs.clients.sdk.model.ExternalLoginInformation;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.conf.Configuration;

/* loaded from: input_file:io/lakefs/auth/AWSLakeFSTokenProvider.class */
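/**
 * {@link LakeFSTokenProvider} that logs in to lakeFS as an AWS principal.
 *
 * <p>The provider presigns an STS GetCallerIdentity request with the caller's AWS
 * credentials, wraps the presigned fields in a Base64-encoded JSON identity request,
 * and exchanges it for a lakeFS token through {@code externalPrincipalLogin}.
 *
 * <p>Both the encoded identity request and the returned lakeFS token act as credentials
 * for as long as they are valid, so they should not be written to logs or error messages.
 *
 * <p>Token state is guarded by this object's monitor; see {@link #getToken()} and
 * {@link #refresh()}.
 */
public class AWSLakeFSTokenProvider implements LakeFSTokenProvider {
    STSGetCallerIdentityPresigner stsPresigner;
    AWSCredentialsProvider awsProvider;
    String stsEndpoint;
    // Extra headers handed to the presigner together with the STS endpoint and credentials.
    Map<String, String> stsAdditionalHeaders;
    // Lifetime requested for the presigned STS request.
    int stsExpirationInSeconds;
    ApiClient lakeFSApi;
    // Last token obtained from lakeFS; null until the first successful login.
    AuthenticationToken lakeFSAuthToken = null;
    // Optional token lifetime to request from lakeFS; empty leaves the choice to the server.
    Optional<Integer> lakeFSTokenTTLSeconds = Optional.empty();

    /**
     * Creates an unconfigured provider; {@link #initialize} must be called before use.
     * (Decompiler note: this constructor was package-private in the original class.)
     */
    public AWSLakeFSTokenProvider() {
    }

    /**
     * Creates a fully configured provider from explicit collaborators.
     *
     * @param aWSCredentialsProvider source of the AWS credentials used for presigning
     * @param apiClient lakeFS API client used for the login call
     * @param sTSGetCallerIdentityPresigner presigner for the GetCallerIdentity request
     * @param str STS endpoint
     * @param map additional headers passed to the presigner
     * @param i lifetime of the presigned request, in seconds
     */
    public AWSLakeFSTokenProvider(AWSCredentialsProvider aWSCredentialsProvider, ApiClient apiClient, STSGetCallerIdentityPresigner sTSGetCallerIdentityPresigner, String str, Map<String, String> map, int i) {
        this.awsProvider = aWSCredentialsProvider;
        this.stsPresigner = sTSGetCallerIdentityPresigner;
        this.lakeFSApi = apiClient;
        this.stsEndpoint = str;
        this.stsAdditionalHeaders = map;
        this.stsExpirationInSeconds = i;
    }

    /**
     * Configures the provider from Hadoop configuration.
     * (Decompiler note: this method was protected in the original class.)
     *
     * @param aWSCredentialsProvider source of the AWS credentials used for presigning
     * @param str second argument of every {@code FSConfiguration} lookup
     *            (presumably the filesystem scheme; confirm against FSConfiguration)
     * @param configuration Hadoop configuration to read settings from
     * @throws IOException if the STS endpoint is not configured, or the lakeFS endpoint
     *         is not a valid URL when the default additional header has to be derived
     */
    public void initialize(AWSCredentialsProvider aWSCredentialsProvider, String str, Configuration configuration) throws IOException {
        this.awsProvider = aWSCredentialsProvider;
        this.stsEndpoint = FSConfiguration.get(configuration, str, Constants.TOKEN_AWS_STS_ENDPOINT);
        if (this.stsEndpoint == null) {
            throw new IOException("Missing sts endpoint");
        }
        // Presigned requests default to a 60 second lifetime.
        this.stsExpirationInSeconds = FSConfiguration.getInt(configuration, str, Constants.TOKEN_AWS_CREDENTIALS_PROVIDER_TOKEN_DURATION_SECONDS, 60);
        this.stsPresigner = new GetCallerIdentityV4Presigner();
        this.lakeFSApi = io.lakefs.clients.sdk.Configuration.getDefaultApiClient();
        this.lakeFSApi.addDefaultHeader("X-Lakefs-Client", "lakefs-hadoopfs/" + getClass().getPackage().getImplementationVersion());

        String endpoint = FSConfiguration.get(configuration, str, Constants.ENDPOINT_KEY_SUFFIX, Constants.DEFAULT_CLIENT_ENDPOINT);
        if (endpoint.endsWith(Constants.SEPARATOR)) {
            endpoint = endpoint.substring(0, endpoint.length() - 1);
        }
        String sessionId = FSConfiguration.get(configuration, str, Constants.SESSION_ID);
        if (sessionId != null) {
            this.lakeFSApi.addDefaultCookie("sessionId", sessionId);
        }
        this.lakeFSApi.setBasePath(endpoint);

        // -1 is the "not configured" sentinel; any other value is sent to lakeFS as the requested TTL.
        int ttlSeconds = FSConfiguration.getInt(configuration, str, Constants.LAKEFS_AUTH_TOKEN_TTL_KEY_SUFFIX, -1);
        if (ttlSeconds != -1) {
            this.lakeFSTokenTTLSeconds = Optional.of(ttlSeconds);
        }

        Map<String, String> headers = FSConfiguration.getMap(configuration, str, Constants.TOKEN_AWS_CREDENTIALS_PROVIDER_ADDITIONAL_HEADERS);
        if (headers == null) {
            // Default: pass the lakeFS host to the presigner as the server-id header.
            // A plain HashMap replaces the decompiled double-brace initializer, which held
            // a reference to this provider and set the same key twice.
            headers = new HashMap<>();
            headers.put(Constants.DEFAULT_AUTH_PROVIDER_SERVER_ID_HEADER, new URL(endpoint).getHost());
        }
        // NOTE(review): a configured header map replaces the default entirely, so the
        // server-id header is only included when the operator lists it explicitly.
        // Confirm that is intended, since it decides whether the presigned request
        // carries this lakeFS host at all.
        this.stsAdditionalHeaders = headers;
    }

    /**
     * Returns a lakeFS token, logging in again first when no usable token is cached.
     *
     * <p>The expiry check and the refresh run under the same lock, so concurrent callers
     * that find the token expired do not each perform their own login.
     *
     * @return the current lakeFS token string
     * @throws RuntimeException if a required login fails (see {@link #refresh()})
     */
    @Override
    public String getToken() {
        synchronized (this) {
            if (needsNewToken()) {
                refresh();
            }
            return this.lakeFSAuthToken.getToken();
        }
    }

    /**
     * Reports whether a login is required before a token can be handed out.
     *
     * <p>A token without a reported expiration is treated as expired rather than being
     * reused for an unknown period.
     */
    private boolean needsNewToken() {
        if (this.lakeFSAuthToken == null) {
            return true;
        }
        // The expiration is a boxed value in the SDK model, so it may be absent.
        Number expiration = this.lakeFSAuthToken.getTokenExpiration();
        // NOTE(review): the expiration is compared against wall-clock milliseconds.
        // Confirm the unit lakeFS reports; if it is epoch seconds this is always true
        // and every getToken() call performs a fresh login.
        return expiration == null || expiration.longValue() < System.currentTimeMillis();
    }

    /**
     * Presigns a GetCallerIdentity request for the configured STS endpoint using the
     * current AWS credentials, the additional headers, and the configured lifetime.
     *
     * @return the presigned request fields
     * @throws Exception if the endpoint is not a valid URI or presigning fails
     */
    public GeneratePresignGetCallerIdentityResponse newPresignedRequest() throws Exception {
        GeneratePresignGetCallerIdentityRequest request = new GeneratePresignGetCallerIdentityRequest(
                new URI(this.stsEndpoint),
                this.awsProvider.getCredentials(),
                this.stsAdditionalHeaders,
                this.stsExpirationInSeconds);
        return this.stsPresigner.presignRequest(request);
    }

    /**
     * Builds the identity token sent to lakeFS: the presigned request fields serialised
     * to JSON and Base64-encoded.
     *
     * <p>The result contains the request signature and any session token, so it should be
     * handled like a credential for the lifetime of the presigned request.
     *
     * @return Base64 text of the JSON identity request
     * @throws Exception if presigning fails
     */
    public String newPresignedGetCallerIdentityToken() throws Exception {
        GeneratePresignGetCallerIdentityResponse presigned = newPresignedRequest();
        LakeFSExternalPrincipalIdentityRequest identityRequest = new LakeFSExternalPrincipalIdentityRequest(
                presigned.getHTTPMethod(),
                presigned.getHost(),
                presigned.getRegion(),
                presigned.getAction(),
                presigned.getDate(),
                presigned.getExpires(),
                presigned.getAccessKeyId(),
                presigned.getSignature(),
                Arrays.asList(presigned.getSignedHeadersParam().split(";")),
                presigned.getVersion(),
                presigned.getAlgorithm(),
                presigned.getSecurityToken());
        // Encode explicitly as UTF-8 so the bytes do not depend on the JVM's default charset.
        byte[] json = identityRequest.toJSON().getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return Base64.encodeBase64String(json);
    }

    /**
     * Performs the external-principal login and stores the returned token.
     *
     * @throws Exception if presigning or the lakeFS login call fails
     */
    private void newToken() throws Exception {
        String identityToken = newPresignedGetCallerIdentityToken();
        ExternalLoginInformation loginInformation = new ExternalLoginInformation();
        // Only request a specific token lifetime when one was configured.
        this.lakeFSTokenTTLSeconds.ifPresent(loginInformation::setTokenExpirationDuration);
        loginInformation.setIdentityRequest(new IdentityRequestRequestWrapper(identityToken));
        this.lakeFSAuthToken = new AuthApi(this.lakeFSApi)
                .externalPrincipalLogin()
                .externalLoginInformation(loginInformation)
                .execute();
    }

    /**
     * Unconditionally obtains a new lakeFS token, replacing any cached one.
     *
     * @throws RuntimeException wrapping the underlying failure if the login fails
     */
    @Override
    public void refresh() {
        synchronized (this) {
            try {
                newToken();
            } catch (Exception e) {
                throw new RuntimeException("Failed to refresh token", e);
            }
        }
    }
}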
