package org.apache.iceberg.aws.s3;

import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.base.Strings;
import org.apache.iceberg.rest.ErrorHandlers;
import org.apache.iceberg.rest.HTTPClient;
import org.apache.iceberg.rest.RESTClient;
import org.apache.iceberg.rest.auth.OAuth2Properties;
import org.apache.iceberg.rest.auth.OAuth2Util;
import org.apache.iceberg.rest.credentials.Credential;
import org.apache.iceberg.rest.responses.LoadCredentialsResponse;
import org.slf4j.Logger;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.utils.IoUtils;
import software.amazon.awssdk.utils.SdkAutoCloseable;
import software.amazon.awssdk.utils.cache.CachedSupplier;
import software.amazon.awssdk.utils.cache.RefreshResult;

/* loaded from: input_file:org/apache/iceberg/aws/s3/VendedCredentialsProvider.class */
public class VendedCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable {
    public static final String URI = "credentials.uri";
    private volatile HTTPClient client;
    private final Map<String, String> properties;
    private final CachedSupplier<AwsCredentials> credentialCache;

    private VendedCredentialsProvider(Map<String, String> map) {
        Preconditions.checkArgument(null != map, "Invalid properties: null");
        Preconditions.checkArgument(null != map.get(URI), "Invalid URI: null");
        this.properties = map;
        this.credentialCache = CachedSupplier.builder(() -> {
            return credentialFromProperties().orElseGet(this::refreshCredential);
        }).cachedValueName(VendedCredentialsProvider.class.getName()).build();
    }

    public AwsCredentials resolveCredentials() {
        return (AwsCredentials) this.credentialCache.get();
    }

    public void close() {
        IoUtils.closeQuietly(this.client, (Logger) null);
        this.credentialCache.close();
    }

    public static VendedCredentialsProvider create(Map<String, String> map) {
        return new VendedCredentialsProvider(map);
    }

    private RESTClient httpClient() {
        if (null == this.client) {
            synchronized (this) {
                if (null == this.client) {
                    this.client = HTTPClient.builder(this.properties).uri(this.properties.get(URI)).build();
                }
            }
        }
        return this.client;
    }

    private LoadCredentialsResponse fetchCredentials() {
        return (LoadCredentialsResponse) httpClient().get(this.properties.get(URI), (Map<String, String>) null, LoadCredentialsResponse.class, OAuth2Util.authHeaders(this.properties.get(OAuth2Properties.TOKEN)), ErrorHandlers.defaultErrorHandler());
    }

    private Optional<RefreshResult<AwsCredentials>> credentialFromProperties() {
        String str = this.properties.get(S3FileIOProperties.ACCESS_KEY_ID);
        String str2 = this.properties.get(S3FileIOProperties.SECRET_ACCESS_KEY);
        String str3 = this.properties.get(S3FileIOProperties.SESSION_TOKEN);
        String str4 = this.properties.get("s3.session-token-expires-at-ms");
        if (Strings.isNullOrEmpty(str) || Strings.isNullOrEmpty(str2) || Strings.isNullOrEmpty(str3) || Strings.isNullOrEmpty(str4)) {
            return Optional.empty();
        }
        Instant ofEpochMilli = Instant.ofEpochMilli(Long.parseLong(str4));
        Instant minus = ofEpochMilli.minus(5L, (TemporalUnit) ChronoUnit.MINUTES);
        return Instant.now().isAfter(minus) ? Optional.empty() : Optional.of(RefreshResult.builder(AwsSessionCredentials.builder().accessKeyId(str).secretAccessKey(str2).sessionToken(str3).expirationTime(ofEpochMilli).build()).staleTime(ofEpochMilli).prefetchTime(minus).build());
    }

    private RefreshResult<AwsCredentials> refreshCredential() {
        List list = (List) fetchCredentials().credentials().stream().filter(credential -> {
            return credential.prefix().startsWith(S3FileIOProperties.SSE_TYPE_S3);
        }).collect(Collectors.toList());
        Preconditions.checkState(!list.isEmpty(), "Invalid S3 Credentials: empty");
        Preconditions.checkState(list.size() == 1, "Invalid S3 Credentials: only one S3 credential should exist");
        Credential credential2 = (Credential) list.get(0);
        checkCredential(credential2, S3FileIOProperties.ACCESS_KEY_ID);
        checkCredential(credential2, S3FileIOProperties.SECRET_ACCESS_KEY);
        checkCredential(credential2, S3FileIOProperties.SESSION_TOKEN);
        checkCredential(credential2, "s3.session-token-expires-at-ms");
        String str = credential2.config().get(S3FileIOProperties.ACCESS_KEY_ID);
        String str2 = credential2.config().get(S3FileIOProperties.SECRET_ACCESS_KEY);
        String str3 = credential2.config().get(S3FileIOProperties.SESSION_TOKEN);
        Instant ofEpochMilli = Instant.ofEpochMilli(Long.parseLong(credential2.config().get("s3.session-token-expires-at-ms")));
        return RefreshResult.builder(AwsSessionCredentials.builder().accessKeyId(str).secretAccessKey(str2).sessionToken(str3).expirationTime(ofEpochMilli).build()).staleTime(ofEpochMilli).prefetchTime(ofEpochMilli.minus(5L, (TemporalUnit) ChronoUnit.MINUTES)).build();
    }

    private void checkCredential(Credential credential, String str) {
        Preconditions.checkState(credential.config().containsKey(str), "Invalid S3 Credentials: %s not set", str);
    }
}
