package org.apache.hadoop.fs.s3a.auth;

import java.io.Closeable;
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.PathIOException;
import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
import org.apache.hadoop.fs.s3a.Constants;
import org.apache.hadoop.fs.s3a.CredentialInitializationException;
import org.apache.hadoop.fs.s3a.Invoker;
import org.apache.hadoop.fs.s3a.S3ARetryPolicy;
import org.apache.hadoop.fs.s3a.S3AUtils;
import org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.Sets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

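/**
 * AWS credentials provider that obtains session credentials for an IAM role
 * through an STS AssumeRole request.
 *
 * <p>The credentials used to call STS come from a separate provider list
 * built from the configuration; the role credentials themselves are supplied
 * by an {@link StsAssumeRoleCredentialsProvider}. Calls to resolve
 * credentials go through an {@link Invoker} configured with an
 * {@link S3ARetryPolicy}.
 *
 * <p>Instances hold an STS client and provider list and must be closed.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public final class AssumedRoleCredentialProvider implements AwsCredentialsProvider, Closeable {
    private static final Logger LOG = LoggerFactory.getLogger(AssumedRoleCredentialProvider.class);

    /** Fully qualified name of this class. */
    public static final String NAME = "org.apache.hadoop.fs.s3a.auth.AssumedRoleCredentialProvider";

    /** Error text used when no role ARN is configured. */
    public static final String E_NO_ROLE = "Unset property fs.s3a.assumed.role.arn";

    /** Characters (compared in lower case) that {@link #sanitize(String)} lets through. */
    private static final String SESSION_NAME_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789,.@-";

    private final StsAssumeRoleCredentialsProvider stsProvider;
    private final String sessionName;
    private final long duration;
    private final String arn;
    private final AWSCredentialProviderList credentialsToSTS;
    private final Invoker invoker;
    private final StsClient stsClient;

    /**
     * Builds the provider from configuration and resolves credentials once,
     * so that a failure to assume the role is reported at construction time.
     *
     * @param uri filesystem URI, may be null; its host is passed to the STS client factory
     * @param configuration configuration holding the role ARN, session name,
     *     session duration, optional policy and external ID, and STS endpoint/region
     * @throws IOException if the role ARN is unset (a {@link PathIOException}),
     *     or if building the session name or the provider list/STS client fails
     */
    public AssumedRoleCredentialProvider(@Nullable URI uri, Configuration configuration) throws IOException {
        this.arn = configuration.getTrimmed("fs.s3a.assumed.role.arn", "");
        if (StringUtils.isEmpty(this.arn)) {
            throw new PathIOException(String.valueOf(uri), E_NO_ROLE);
        }
        // Credentials used to authenticate the AssumeRole call itself.
        // NOTE(review): the final argument is presumably the set of provider classes
        // excluded from the list, so this provider cannot be configured to obtain
        // credentials from itself — confirm against CredentialProviderListFactory.
        this.credentialsToSTS = CredentialProviderListFactory.buildAWSProviderList(uri, configuration, Constants.ASSUMED_ROLE_CREDENTIALS_PROVIDER, Arrays.asList(SimpleAWSCredentialsProvider.class, EnvironmentVariableCredentialsProvider.class), Sets.newHashSet(new Class[]{getClass()}));
        // NOTE(review): this relies on the provider list's toString() not including
        // secret material — confirm before enabling debug logging in production.
        LOG.debug("Credentials used to obtain role credentials: {}", this.credentialsToSTS);
        // The default is evaluated eagerly, so the current-user lookup runs (and may
        // throw IOException) even when a session name is configured. A configured
        // session name is used as-is; only the derived default goes through sanitize().
        this.sessionName = configuration.getTrimmed(Constants.ASSUMED_ROLE_SESSION_NAME, buildSessionName());
        this.duration = configuration.getTimeDuration("fs.s3a.assumed.role.session.duration", "1h", TimeUnit.SECONDS);
        String policy = configuration.getTrimmed(Constants.ASSUMED_ROLE_POLICY, "");
        String externalId = configuration.getTrimmed(Constants.ASSUMED_ROLE_EXTERNAL_ID, "");
        LOG.debug("{}", this);
        // NOTE(review): narrowing cast; a configured duration outside the int range
        // wraps silently here instead of being rejected locally.
        AssumeRoleRequest.Builder requestBuilder = AssumeRoleRequest.builder().roleArn(this.arn).roleSessionName(this.sessionName).durationSeconds(Integer.valueOf((int) this.duration));
        if (StringUtils.isNotEmpty(externalId)) {
            // The external ID is set on the request but never logged.
            requestBuilder.externalId(externalId);
        }
        if (StringUtils.isNotEmpty(policy)) {
            LOG.debug("Scope down policy {}", policy);
            requestBuilder.policy(policy);
        }
        this.stsClient = (StsClient) STSClientFactory.builder(configuration, uri != null ? uri.getHost() : "", this.credentialsToSTS, configuration.getTrimmed("fs.s3a.assumed.role.sts.endpoint", ""), configuration.getTrimmed("fs.s3a.assumed.role.sts.endpoint.region", "")).build();
        this.stsProvider = StsAssumeRoleCredentialsProvider.builder().refreshRequest((AssumeRoleRequest) requestBuilder.build()).stsClient(this.stsClient).build();
        this.invoker = new Invoker(new S3ARetryPolicy(configuration), (text, exception, retries, idempotent) -> operationRetried(text, exception, retries, idempotent));
        try {
            resolveCredentials();
        } catch (RuntimeException e) {
            // The caller never receives this instance and so cannot close it:
            // release the STS client and provider list before propagating.
            try {
                close();
            } catch (RuntimeException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
    }

    /**
     * Resolves the role credentials through the STS provider, with retries.
     *
     * @return the credentials returned by the STS provider
     * @throws SdkClientException if the SDK fails; logged at ERROR with the role ARN and rethrown
     * @throws CredentialInitializationException if the retried call raises an {@link IOException}
     */
    @Override
    public AwsCredentials resolveCredentials() {
        try {
            return (AwsCredentials) this.invoker.retryUntranslated("resolveCredentials", true, this.stsProvider::resolveCredentials);
        } catch (SdkClientException e) {
            LOG.error("Failed to resolve credentials for role {}", this.arn, e);
            throw e;
        } catch (IOException e2) {
            throw new CredentialInitializationException("getCredentials failed: " + e2, e2);
        }
    }

    /** Closes the STS provider, the source credential provider list and the STS client. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        S3AUtils.closeAutocloseables(LOG, this.stsProvider, this.credentialsToSTS, this.stsClient);
    }

    /**
     * Describes the provider by role ARN, session name and duration.
     * The external ID and policy are not included.
     */
    @Override
    public String toString() {
        // Fixed: the session field previously lacked its '=' separator.
        return "AssumedRoleCredentialProvider{role='" + this.arn + "', session='" + this.sessionName + "', duration=" + this.duration + '}';
    }

    /**
     * Builds the default session name from the current user's short name.
     *
     * @return the sanitized short user name
     * @throws IOException if the current user cannot be determined
     */
    static String buildSessionName() throws IOException {
        return sanitize(UserGroupInformation.getCurrentUser().getShortUserName());
    }

    /**
     * Replaces every character whose lower-case form is not in
     * {@code a-z 0-9 , . @ -} with {@code '-'}; accepted characters keep their case.
     *
     * @param str text to sanitize; must not be null
     * @return a string of the same length containing only accepted characters and dashes
     */
    @VisibleForTesting
    static String sanitize(String str) {
        StringBuilder sb = new StringBuilder(str.length());
        for (char c : str.toCharArray()) {
            // NOTE(review): membership is tested on the lower-cased form, so a non-ASCII
            // character that lower-cases to an ASCII letter (e.g. U+212A KELVIN SIGN)
            // is appended unchanged rather than replaced.
            String lowered = Character.toString(c).toLowerCase(Locale.ENGLISH);
            sb.append(SESSION_NAME_CHARS.contains(lowered) ? c : '-');
        }
        return sb.toString();
    }

    /**
     * Retry callback handed to the {@link Invoker}: logs at INFO only when
     * the retry count is zero, keeping repeated retries out of the log.
     *
     * @param str description of the operation
     * @param exc exception which triggered the retry (not logged)
     * @param i retry count reported by the invoker
     * @param z idempotency flag reported by the invoker (unused)
     */
    public void operationRetried(String str, Exception exc, int i, boolean z) {
        if (i == 0) {
            LOG.info("Retried {}", str);
        }
    }
}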
