package org.apache.hadoop.fs.s3a.auth.delegation;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import java.io.IOException;
import java.net.URI;
import java.time.OffsetDateTime;
import java.util.HashSet;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
import org.apache.hadoop.fs.s3a.Constants;
import org.apache.hadoop.fs.s3a.Invoker;
import org.apache.hadoop.fs.s3a.S3ARetryPolicy;
import org.apache.hadoop.fs.s3a.S3AUtils;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentialBinding;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentialProvider;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentials;
import org.apache.hadoop.fs.s3a.auth.RoleModel;
import org.apache.hadoop.fs.s3a.auth.STSClientFactory;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/fs/s3a/auth/delegation/SessionTokenBinding.class */
public class SessionTokenBinding extends AbstractDelegationTokenBinding {
    private static final String NAME = "SessionTokens/001";

    @VisibleForTesting
    public static final String CREDENTIALS_CONVERTED_TO_DELEGATION_TOKEN = "Existing session credentials converted to Delegation Token";
    public static final String SESSION_TOKEN = "Session Delegation Token";
    private Invoker invoker;
    private final AtomicBoolean stsInitAttempted;
    private Optional<STSClientFactory.STSClient> stsClient;
    private long duration;
    private boolean hasSessionCreds;
    private AWSCredentialProviderList parentAuthChain;
    private final AtomicBoolean forwardMessageLogged;
    private String endpoint;
    private String region;
    private Optional<OffsetDateTime> expirationDateTime;
    private Optional<SessionTokenIdentifier> tokenIdentifier;
    private static final Logger LOG = LoggerFactory.getLogger(SessionTokenBinding.class);
    public static final Invoker.Retried LOG_EVENT = (str, iOException, i, z) -> {
        LOG.info("{}: " + iOException, str);
        if (i == 1) {
            LOG.debug("{}: " + iOException, str, iOException);
        }
    };

    public SessionTokenBinding() {
        this(NAME, DelegationConstants.SESSION_TOKEN_KIND);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SessionTokenBinding(String str, Text text) {
        super(str, text);
        this.stsInitAttempted = new AtomicBoolean(false);
        this.stsClient = Optional.empty();
        this.forwardMessageLogged = new AtomicBoolean(false);
        this.tokenIdentifier = Optional.empty();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public void serviceStart() throws Exception {
        super.serviceStart();
        Configuration config = getConfig();
        this.duration = config.getTimeDuration("fs.s3a.assumed.role.session.duration", "1h", TimeUnit.SECONDS);
        this.endpoint = config.getTrimmed("fs.s3a.assumed.role.sts.endpoint", "");
        this.region = config.getTrimmed("fs.s3a.assumed.role.sts.endpoint.region", "");
        this.parentAuthChain = S3AUtils.buildAWSProviderList(getCanonicalUri(), config, "fs.s3a.aws.credentials.provider", S3AUtils.STANDARD_AWS_PROVIDERS, new HashSet());
    }

    protected void serviceStop() throws Exception {
        super.serviceStop();
        synchronized (this) {
            this.stsClient.ifPresent((v0) -> {
                IOUtils.closeStream(v0);
            });
            this.stsClient = Optional.empty();
        }
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public AWSCredentialProviderList deployUnbonded() throws IOException {
        requireServiceStarted();
        return this.parentAuthChain;
    }

    protected Invoker getInvoker() {
        return this.invoker;
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier abstractS3ATokenIdentifier) throws IOException {
        SessionTokenIdentifier sessionTokenIdentifier = (SessionTokenIdentifier) convertTokenIdentifier(abstractS3ATokenIdentifier, SessionTokenIdentifier.class);
        setTokenIdentifier(Optional.of(sessionTokenIdentifier));
        MarshalledCredentials marshalledCredentials = sessionTokenIdentifier.getMarshalledCredentials();
        setExpirationDateTime(marshalledCredentials.getExpirationDateTime());
        return new AWSCredentialProviderList("Session Token Binding", new MarshalledCredentialProvider(SESSION_TOKEN, getStoreContext().getFsURI(), getConfig(), marshalledCredentials, MarshalledCredentials.CredentialTypeRequired.SessionOnly));
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public String getDescription() {
        return String.format("%s token binding for user %s, with STS endpoint \"%s\", region \"%s\" and token duration %d:%02d", bindingName(), getOwner().getShortUserName(), this.endpoint, this.region, Long.valueOf(TimeUnit.SECONDS.toMinutes(this.duration)), Long.valueOf(this.duration % 60));
    }

    protected String bindingName() {
        return "Session";
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public String getUserAgentField() {
        return this.tokenIdentifier.isPresent() ? "; session ID " + this.tokenIdentifier.get().getUuid() : "";
    }

    private synchronized Optional<STSClientFactory.STSClient> maybeInitSTS() throws IOException {
        if (this.stsInitAttempted.getAndSet(true)) {
            return this.stsClient;
        }
        Configuration config = getConfig();
        URI canonicalUri = getCanonicalUri();
        this.hasSessionCreds = ((AWSCredentials) Invoker.once("get credentials", "", () -> {
            return this.parentAuthChain.getCredentials();
        })) instanceof AWSSessionCredentials;
        if (this.hasSessionCreds) {
            LOG.debug("Parent-provided session credentials will be propagated");
            this.stsClient = Optional.empty();
        } else {
            LOG.debug("Creating STS client for {}", getDescription());
            this.invoker = new Invoker(new S3ARetryPolicy(config), LOG_EVENT);
            this.stsClient = Optional.of(STSClientFactory.createClientConnection((AWSSecurityTokenService) STSClientFactory.builder(this.parentAuthChain, S3AUtils.createAwsConf(config, canonicalUri.getHost(), Constants.AWS_SERVICE_IDENTIFIER_STS), this.endpoint, this.region).build(), this.invoker));
        }
        return this.stsClient;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Optional<STSClientFactory.STSClient> prepareSTSClient() throws IOException {
        return maybeInitSTS();
    }

    public long getDuration() {
        return this.duration;
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public SessionTokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> optional, EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        MarshalledCredentials fromAWSCredentials;
        requireServiceStarted();
        String createDefaultOriginMessage = AbstractS3ATokenIdentifier.createDefaultOriginMessage();
        Optional<STSClientFactory.STSClient> prepareSTSClient = prepareSTSClient();
        if (prepareSTSClient.isPresent()) {
            fromAWSCredentials = MarshalledCredentialBinding.fromSTSCredentials(prepareSTSClient.get().requestSessionCredentials(this.duration, TimeUnit.SECONDS));
        } else {
            if (!this.forwardMessageLogged.getAndSet(true)) {
                LOG.warn("Forwarding existing session credentials to {} -duration unknown", getCanonicalUri());
            }
            createDefaultOriginMessage = createDefaultOriginMessage + " Existing session credentials converted to Delegation Token";
            AWSSessionCredentials credentials = this.parentAuthChain.getCredentials();
            if (!(credentials instanceof AWSSessionCredentials)) {
                throw new DelegationTokenIOException("AWS Authentication chain is no longer supplying session secrets");
            }
            fromAWSCredentials = MarshalledCredentialBinding.fromAWSCredentials(credentials);
        }
        return new SessionTokenIdentifier(getKind(), getOwnerText(), text, getCanonicalUri(), fromAWSCredentials, encryptionSecrets, createDefaultOriginMessage);
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public SessionTokenIdentifier createEmptyIdentifier() {
        return new SessionTokenIdentifier();
    }

    protected Optional<OffsetDateTime> getExpirationDateTime() {
        return this.expirationDateTime;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setExpirationDateTime(Optional<OffsetDateTime> optional) {
        this.expirationDateTime = optional;
    }

    protected Optional<SessionTokenIdentifier> getTokenIdentifier() {
        return this.tokenIdentifier;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setTokenIdentifier(Optional<SessionTokenIdentifier> optional) {
        this.tokenIdentifier = optional;
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public /* bridge */ /* synthetic */ AbstractS3ATokenIdentifier createTokenIdentifier(Optional optional, EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        return createTokenIdentifier((Optional<RoleModel.Policy>) optional, encryptionSecrets, text);
    }
}
