package org.graylog.integrations.aws.resources;

import com.codahale.metrics.annotation.Timed;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import jakarta.inject.Inject;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotNull;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.graylog.integrations.audit.IntegrationsAuditEventTypes;
import org.graylog.integrations.aws.AWSPermissions;
import org.graylog.integrations.aws.resources.requests.CreateLogSubscriptionRequest;
import org.graylog.integrations.aws.resources.requests.CreateRolePermissionRequest;
import org.graylog.integrations.aws.resources.requests.KinesisNewStreamRequest;
import org.graylog.integrations.aws.resources.responses.CreateLogSubscriptionResponse;
import org.graylog.integrations.aws.resources.responses.CreateRolePermissionResponse;
import org.graylog.integrations.aws.resources.responses.KinesisNewStreamResponse;
import org.graylog.integrations.aws.service.CloudWatchService;
import org.graylog.integrations.aws.service.KinesisService;
import org.graylog2.audit.jersey.AuditEvent;
import org.graylog2.plugin.rest.PluginRestResource;
import org.graylog2.rest.MoreMediaTypes;
import org.graylog2.shared.rest.resources.RestResource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

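/**
 * REST resource exposing the three-step AWS Kinesis auto-setup under
 * {@code /aws/kinesis/auto_setup}. Requests and responses are JSON, and every
 * endpoint requires an authenticated caller.
 *
 * <p>Each endpoint is a thin wrapper: it validates the request body through bean
 * validation ({@code @Valid @NotNull}) and delegates to {@link KinesisService} or
 * {@link CloudWatchService}. Each call is recorded through {@code @AuditEvent}.
 *
 * <p>NOTE(review): all three endpoints are {@code POST} operations whose descriptions
 * say they create AWS resources (a Kinesis stream, an IAM role/policy, a CloudWatch
 * subscription), yet each is authorized with {@link AWSPermissions#AWS_READ}. Confirm
 * that granting a read permission is meant to allow resource creation in the AWS
 * account; if a narrower permission for setup actions exists or can be added, gating
 * these endpoints with it keeps read-only users from provisioning resources.
 */
@Api(value = "AWSKinesisAuto", description = "AWS Kinesis auto-setup")
@RequiresAuthentication
@Produces({MoreMediaTypes.APPLICATION_JSON})
@Path("/aws/kinesis/auto_setup")
@Consumes({MoreMediaTypes.APPLICATION_JSON})
/* loaded from: input_file:org/graylog/integrations/aws/resources/KinesisSetupResource.class */
public class KinesisSetupResource extends RestResource implements PluginRestResource {
    private static final Logger LOG = LoggerFactory.getLogger(KinesisSetupResource.class);

    // Collaborators are assigned once by the injecting constructor and never replaced,
    // so they are final.
    private final KinesisService kinesisService;
    private final CloudWatchService cloudWatchService;

    /**
     * Creates the resource with its injected service collaborators.
     *
     * @param cloudWatchService service used to add the CloudWatch subscription filter (step 3)
     * @param kinesisService service used to create the stream (step 1) and the role/policy (step 2)
     */
    @Inject
    public KinesisSetupResource(CloudWatchService cloudWatchService, KinesisService kinesisService) {
        this.cloudWatchService = cloudWatchService;
        this.kinesisService = kinesisService;
    }

    /**
     * Step 1: asks {@link KinesisService} to create a new Kinesis stream.
     *
     * <p>Before delegating, the id of the current user and the requested stream name are
     * written to the application log at INFO level as a record that the user accepted the
     * auto-setup and its potential cost.
     *
     * @param kinesisNewStreamRequest validated, non-null JSON request body
     * @return the response returned by {@code KinesisService.createNewKinesisStream}
     */
    // NOTE(review): creates a resource but is gated by the read permission; confirm intended.
    @RequiresPermissions({AWSPermissions.AWS_READ})
    @Timed
    @AuditEvent(type = IntegrationsAuditEventTypes.KINESIS_SETUP_CREATE_STREAM)
    @ApiOperation("Step 1: Attempt to create a new kinesis stream and wait for it to be ready.")
    @POST
    @Path("/create_stream")
    public KinesisNewStreamResponse createNewKinesisStream(@Valid @NotNull @ApiParam(name = "JSON body", required = true) KinesisNewStreamRequest kinesisNewStreamRequest) {
        // The stream name comes from the request body and is written to the log as-is.
        // Presumably bean validation on KinesisNewStreamRequest restricts its characters;
        // confirm it cannot carry line breaks, which would allow forged log entries.
        LOG.info(
                "User [{}] agreed to the Kinesis auto-setup, which will create a Kinesis stream [{}], role/policy, and a CloudWatch log group subscription. This has been recorded, as the listed user has accepted the responsibility in associated potentially incurring cost(s).",
                getCurrentUser().getId(),
                kinesisNewStreamRequest.streamName());
        return kinesisService.createNewKinesisStream(kinesisNewStreamRequest);
    }

    /**
     * Step 2: asks {@link KinesisService} to create the AWS IAM policy that CloudWatch
     * needs in order to write logs to Kinesis.
     *
     * <p>Unlike step 1, this method writes no application log line of its own; the only
     * record visible here is the {@code @AuditEvent} annotation.
     *
     * @param createRolePermissionRequest validated, non-null JSON request body
     * @return the response returned by {@code KinesisService.autoKinesisPermissions}
     */
    // NOTE(review): creates IAM role/policy material but is gated by the read permission;
    // confirm intended, since IAM changes are the most sensitive of the three steps.
    @RequiresPermissions({AWSPermissions.AWS_READ})
    @Timed
    @AuditEvent(type = IntegrationsAuditEventTypes.KINESIS_SETUP_CREATE_POLICY)
    @ApiOperation("Step 2: Create AWS IAM policy needed for CloudWatch to write logs to Kinesis")
    @POST
    @Path("/create_subscription_policy")
    public CreateRolePermissionResponse autoKinesisPermissions(@Valid @NotNull @ApiParam(name = "JSON body", required = true) CreateRolePermissionRequest createRolePermissionRequest) {
        return kinesisService.autoKinesisPermissions(createRolePermissionRequest);
    }

    /**
     * Step 3: asks {@link CloudWatchService} to add a subscription filter so that a
     * CloudWatch log group is subscribed to a Kinesis stream.
     *
     * @param createLogSubscriptionRequest validated, non-null JSON request body
     * @return the response returned by {@code CloudWatchService.addSubscriptionFilter}
     */
    // NOTE(review): creates a subscription but is gated by the read permission; confirm intended.
    @RequiresPermissions({AWSPermissions.AWS_READ})
    @Timed
    @AuditEvent(type = IntegrationsAuditEventTypes.KINESIS_SETUP_CREATE_SUBSCRIPTION)
    @ApiOperation("Step 3: Subscribe a Kinesis stream to a CloudWatch log group")
    @POST
    @Path("/create_subscription")
    public CreateLogSubscriptionResponse createSubscription(@Valid @NotNull @ApiParam(name = "JSON body", required = true) CreateLogSubscriptionRequest createLogSubscriptionRequest) {
        return cloudWatchService.addSubscriptionFilter(createLogSubscriptionRequest);
    }
}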
