package org.apache.ranger.audit.destination;

import com.amazonaws.services.logs.AWSLogs;
import com.amazonaws.services.logs.AWSLogsClientBuilder;
import com.amazonaws.services.logs.model.CreateLogStreamRequest;
import com.amazonaws.services.logs.model.InputLogEvent;
import com.amazonaws.services.logs.model.InvalidSequenceTokenException;
import com.amazonaws.services.logs.model.PutLogEventsRequest;
import com.amazonaws.services.logs.model.ResourceNotFoundException;
import java.util.Collection;
import java.util.Comparator;
import java.util.Properties;
import java.util.stream.Collectors;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.audit.model.AuditEventBase;
import org.apache.ranger.audit.provider.MiscUtil;

@ThreadSafe
/* loaded from: input_file:org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.class */
public class AmazonCloudWatchAuditDestination extends AuditDestination {
    private static Log LOG = LogFactory.getLog(AmazonCloudWatchAuditDestination.class);
    public static final String PROP_LOG_GROUP_NAME = "log_group";
    public static final String PROP_LOG_STREAM_PREFIX = "log_stream_prefix";
    public static final String CONFIG_PREFIX = "ranger.audit.amazon_cloudwatch";
    public static final String PROP_REGION = "region";
    private String logGroupName;
    private String logStreamName;
    private AWSLogs logsClient;
    private String sequenceToken;
    private String regionName;

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.BaseAuditHandler, org.apache.ranger.audit.provider.AuditHandler
    public void init(Properties properties, String str) {
        LOG.info("init() called for CloudWatchAuditDestination");
        super.init(properties, str);
        this.logGroupName = MiscUtil.getStringProperty(properties, str + "." + PROP_LOG_GROUP_NAME, "ranger_audits");
        this.logStreamName = MiscUtil.getStringProperty(properties, str + "." + PROP_LOG_STREAM_PREFIX) + MiscUtil.generateUniqueId();
        this.regionName = MiscUtil.getStringProperty(properties, str + "." + PROP_REGION);
        this.logsClient = getClient();
        createLogStream();
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.AuditHandler
    public void stop() {
        super.stop();
        logStatus();
    }

    @Override // org.apache.ranger.audit.provider.AuditHandler
    public synchronized boolean log(Collection<AuditEventBase> collection) {
        boolean z = false;
        AWSLogs client = getClient();
        PutLogEventsRequest withLogStreamName = new PutLogEventsRequest().withLogEvents(toInputLogEvent(collection)).withLogGroupName(this.logGroupName).withLogStreamName(this.logStreamName);
        if (StringUtils.isNotBlank(this.sequenceToken)) {
            withLogStreamName.setSequenceToken(this.sequenceToken);
        }
        try {
            this.sequenceToken = pushLogEvents(withLogStreamName, false, client);
            addSuccessCount(collection.size());
            z = true;
        } catch (Throwable th) {
            addFailedCount(collection.size());
            LOG.error("Failed to send audit events", th);
        }
        return z;
    }

    private String pushLogEvents(PutLogEventsRequest putLogEventsRequest, boolean z, AWSLogs aWSLogs) {
        try {
            return aWSLogs.putLogEvents(putLogEventsRequest).getNextSequenceToken();
        } catch (ResourceNotFoundException e) {
            if (z) {
                throw e;
            }
            createLogStream();
            return pushLogEvents(putLogEventsRequest, true, aWSLogs);
        } catch (InvalidSequenceTokenException e2) {
            if (z) {
                LOG.error("Unexpected invalid sequence token. Possible race condition occurred");
                throw e2;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Invalid sequence token. Plugin possibly restarted. Updating the sequence token and retrying");
            }
            putLogEventsRequest.setSequenceToken(e2.getExpectedSequenceToken());
            return pushLogEvents(putLogEventsRequest, true, aWSLogs);
        }
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.AuditHandler
    public void flush() {
    }

    static Collection<InputLogEvent> toInputLogEvent(Collection<AuditEventBase> collection) {
        return (Collection) collection.stream().map(auditEventBase -> {
            return new InputLogEvent().withMessage(MiscUtil.stringify(auditEventBase)).withTimestamp(Long.valueOf(auditEventBase.getEventTime().getTime()));
        }).sorted(Comparator.comparingLong((v0) -> {
            return v0.getTimestamp();
        })).collect(Collectors.toList());
    }

    private void createLogStream() {
        AWSLogs client = getClient();
        CreateLogStreamRequest withLogStreamName = new CreateLogStreamRequest().withLogGroupName(this.logGroupName).withLogStreamName(this.logStreamName);
        LOG.info(String.format("Creating Log Stream `%s` in Log Group `%s`", this.logStreamName, this.logGroupName));
        client.createLogStream(withLogStreamName);
    }

    private AWSLogs getClient() {
        if (this.logsClient == null) {
            synchronized (AmazonCloudWatchAuditDestination.class) {
                if (this.logsClient == null) {
                    this.logsClient = newClient();
                }
            }
        }
        return this.logsClient;
    }

    private AWSLogs newClient() {
        return StringUtils.isBlank(this.regionName) ? (AWSLogs) AWSLogsClientBuilder.standard().build() : (AWSLogs) AWSLogsClientBuilder.standard().withRegion(this.regionName).build();
    }
}
