package org.apache.iceberg.aws.lakeformation;

import java.util.Map;
import java.util.Objects;
import org.apache.iceberg.aws.AssumeRoleAwsClientFactory;
import org.apache.iceberg.aws.AwsProperties;
import org.apache.iceberg.aws.HttpClientProperties;
import org.apache.iceberg.aws.s3.S3FileIOProperties;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.regions.PartitionMetadata;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.glue.model.GetTableRequest;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.KmsClientBuilder;
import software.amazon.awssdk.services.lakeformation.LakeFormationClient;
import software.amazon.awssdk.services.lakeformation.LakeFormationClientBuilder;
import software.amazon.awssdk.services.lakeformation.model.GetTemporaryGlueTableCredentialsRequest;
import software.amazon.awssdk.services.lakeformation.model.GetTemporaryGlueTableCredentialsResponse;
import software.amazon.awssdk.services.lakeformation.model.PermissionType;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.S3ClientBuilder;

/* loaded from: input_file:org/apache/iceberg/aws/lakeformation/LakeFormationAwsClientFactory.class */
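/**
 * Client factory that builds S3 and KMS clients backed by temporary credentials obtained from
 * AWS Lake Formation, for tables that Glue reports as registered with Lake Formation.
 *
 * <p>For tables that are not registered, {@link #s3()} and {@link #kms()} return the clients
 * built by {@link AssumeRoleAwsClientFactory}. Those clients do not use Lake Formation-vended
 * credentials, so the registration check decides which credential path a table gets.
 *
 * <p>{@link #initialize(Map)} rejects configurations that lack the
 * {@value #LF_AUTHORIZED_CALLER} STS session tag.
 */
public class LakeFormationAwsClientFactory extends AssumeRoleAwsClientFactory {
    /** Key of the STS assume-role session tag that {@link #initialize(Map)} requires. */
    public static final String LF_AUTHORIZED_CALLER = "LakeFormationAuthorizedCaller";

    // Populated from the catalog properties in initialize(); all four are null before that call.
    private String dbName;
    private String tableName;
    private String glueCatalogId;
    private String glueAccountId;

    /**
     * Credentials provider that asks Lake Formation for temporary credentials scoped to a single
     * Glue table ARN.
     *
     * <p>Nothing is cached here: each {@link #resolveCredentials()} call issues a new
     * {@code GetTemporaryGlueTableCredentials} request, and the expiration carried by the
     * response is not read.
     */
    static class LakeFormationCredentialsProvider implements AwsCredentialsProvider {
        private final LakeFormationClient client;
        private final String tableArn;

        /**
         * @param lakeFormationClient client used to request the temporary credentials
         * @param str ARN of the Glue table the credentials are requested for
         */
        LakeFormationCredentialsProvider(LakeFormationClient lakeFormationClient, String str) {
            this.client = lakeFormationClient;
            this.tableArn = str;
        }

        /**
         * Requests temporary credentials for the table ARN, declaring
         * {@link PermissionType#COLUMN_PERMISSION} as the only supported permission type.
         *
         * @return session credentials built from the access key id, secret access key and
         *     session token of the Lake Formation response; the values are secrets and must not
         *     be logged by callers
         */
        @Override
        public AwsCredentials resolveCredentials() {
            GetTemporaryGlueTableCredentialsRequest request =
                GetTemporaryGlueTableCredentialsRequest.builder()
                    .tableArn(this.tableArn)
                    .supportedPermissionTypes(PermissionType.COLUMN_PERMISSION)
                    .build();
            GetTemporaryGlueTableCredentialsResponse response =
                this.client.getTemporaryGlueTableCredentials(request);
            return AwsSessionCredentials.create(
                response.accessKeyId(), response.secretAccessKey(), response.sessionToken());
        }
    }

    /**
     * Initializes the parent factory, checks that the {@value #LF_AUTHORIZED_CALLER} session tag
     * is configured, and reads the Glue database, table, catalog id and account id properties.
     *
     * @param map catalog properties
     * @throws IllegalArgumentException if no configured STS assume-role tag has the key
     *     {@value #LF_AUTHORIZED_CALLER}
     */
    @Override
    public void initialize(Map<String, String> map) {
        super.initialize(map);
        Preconditions.checkArgument(
            awsProperties().stsClientAssumeRoleTags().stream()
                .anyMatch(tag -> LF_AUTHORIZED_CALLER.equals(tag.key())),
            "STS assume role session tag %s must be set using %s to use LakeFormation client factory",
            LF_AUTHORIZED_CALLER,
            AwsProperties.CLIENT_ASSUME_ROLE_TAGS_PREFIX);
        this.dbName = map.get(AwsProperties.LAKE_FORMATION_DB_NAME);
        this.tableName = map.get(AwsProperties.LAKE_FORMATION_TABLE_NAME);
        this.glueCatalogId = map.get(AwsProperties.GLUE_CATALOG_ID);
        this.glueAccountId = map.get(AwsProperties.GLUE_ACCOUNT_ID);
    }

    /**
     * Returns an S3 client for the configured table.
     *
     * @return the parent factory's client when the table is not registered with Lake Formation;
     *     otherwise a client whose credentials come from {@link LakeFormationCredentialsProvider}
     * @throws IllegalArgumentException if the database name, table name or (for registered
     *     tables) the Glue account id is missing or empty
     */
    @Override
    public S3Client s3() {
        if (!isTableRegisteredWithLakeFormation()) {
            // Unregistered table: the parent's client is used and Lake Formation is not involved.
            return super.s3();
        }
        // A bound method reference null-checks its receiver when it is evaluated, so a missing
        // properties object still fails here rather than inside the builder.
        return S3Client.builder()
            .applyMutation(httpClientProperties()::applyHttpClientConfigurations)
            .applyMutation(s3FileIOProperties()::applyEndpointConfigurations)
            .applyMutation(s3FileIOProperties()::applyServiceConfigurations)
            .credentialsProvider(
                new LakeFormationCredentialsProvider(lakeFormation(), buildTableArn()))
            .region(Region.of(region()))
            .build();
    }

    /**
     * Returns a KMS client for the configured table.
     *
     * @return the parent factory's client when the table is not registered with Lake Formation;
     *     otherwise a client whose credentials come from {@link LakeFormationCredentialsProvider}
     * @throws IllegalArgumentException if the database name, table name or (for registered
     *     tables) the Glue account id is missing or empty
     */
    @Override
    public KmsClient kms() {
        if (!isTableRegisteredWithLakeFormation()) {
            // Unregistered table: the parent's client is used and Lake Formation is not involved.
            return super.kms();
        }
        return KmsClient.builder()
            .applyMutation(httpClientProperties()::applyHttpClientConfigurations)
            .credentialsProvider(
                new LakeFormationCredentialsProvider(lakeFormation(), buildTableArn()))
            .region(Region.of(region()))
            .build();
    }

    /**
     * Asks Glue whether the configured table is registered with Lake Formation. This performs a
     * {@code GetTable} call on every invocation; the result is not cached.
     *
     * @throws IllegalArgumentException if the database or table name is null or empty
     */
    private boolean isTableRegisteredWithLakeFormation() {
        Preconditions.checkArgument(
            this.dbName != null && !this.dbName.isEmpty(), "Database name can not be empty");
        Preconditions.checkArgument(
            this.tableName != null && !this.tableName.isEmpty(), "Table name can not be empty");
        GetTableRequest request =
            GetTableRequest.builder()
                .catalogId(this.glueCatalogId)
                .databaseName(this.dbName)
                .name(this.tableName)
                .build();
        // The flag is a boxed Boolean and is unboxed here: a null value raises
        // NullPointerException instead of silently selecting one of the two credential paths.
        return glue().getTable(request).table().isRegisteredWithLakeFormation();
    }

    /**
     * Builds the Glue table ARN passed to Lake Formation, using the partition that corresponds
     * to the configured region.
     *
     * @throws IllegalArgumentException if the Glue account id is null or empty
     */
    private String buildTableArn() {
        Preconditions.checkArgument(
            this.glueAccountId != null && !this.glueAccountId.isEmpty(),
            "%s can not be empty",
            AwsProperties.GLUE_ACCOUNT_ID);
        // NOTE(review): account id, database and table names are interpolated as configured,
        // with only the non-empty checks above; a value containing ':' or '/' would change the
        // shape of the ARN. Confirm these properties are validated before they reach this class.
        return String.format(
            "arn:%s:glue:%s:%s:table/%s/%s",
            PartitionMetadata.of(Region.of(region())).id(),
            region(),
            this.glueAccountId,
            this.dbName,
            this.tableName);
    }

    /**
     * Builds a Lake Formation client with the assume-role and HTTP client configurations
     * applied. A new client is built on every call.
     */
    private LakeFormationClient lakeFormation() {
        return LakeFormationClient.builder()
            .applyMutation(this::applyAssumeRoleConfigurations)
            .applyMutation(httpClientProperties()::applyHttpClientConfigurations)
            .build();
    }
}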
