package org.graylog.integrations.aws;

import com.google.common.base.Preconditions;
import jakarta.inject.Inject;
import java.net.URI;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.graylog.integrations.aws.resources.requests.AWSRequest;
import org.graylog2.Configuration;
import org.graylog2.security.encryption.EncryptedValue;
import org.graylog2.security.encryption.EncryptedValueService;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.awscore.client.builder.AwsClientBuilder;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cloudwatchlogs.CloudWatchLogsClient;
import software.amazon.awssdk.services.cloudwatchlogs.CloudWatchLogsClientBuilder;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.IamClientBuilder;
import software.amazon.awssdk.services.kinesis.KinesisClient;
import software.amazon.awssdk.services.kinesis.KinesisClientBuilder;

/* loaded from: input_file:org/graylog/integrations/aws/AWSClientBuilderUtil.class */
public class AWSClientBuilderUtil {
    private final EncryptedValueService encryptedValueService;
    private final Configuration configuration;

    @Inject
    public AWSClientBuilderUtil(EncryptedValueService encryptedValueService, Configuration configuration) {
        this.encryptedValueService = encryptedValueService;
        this.configuration = configuration;
    }

    public AwsCredentialsProvider createCredentialsProvider(AWSRequest aWSRequest) {
        return AWSAuthFactory.create(this.configuration.isCloud(), aWSRequest.region(), aWSRequest.awsAccessKeyId(), decryptSecretAccessKey(aWSRequest.awsSecretAccessKey()), aWSRequest.assumeRoleArn());
    }

    public void initializeBuilder(AwsClientBuilder awsClientBuilder, String str, Region region, AwsCredentialsProvider awsCredentialsProvider) {
        awsClientBuilder.region(region);
        awsClientBuilder.credentialsProvider(awsCredentialsProvider);
        if (StringUtils.isNotEmpty(str)) {
            awsClientBuilder.endpointOverride(URI.create(str));
        }
    }

    public CloudWatchLogsClient buildClient(CloudWatchLogsClientBuilder cloudWatchLogsClientBuilder, AWSRequest aWSRequest) {
        Preconditions.checkNotNull(aWSRequest.region(), "An AWS region is required.");
        initializeBuilder(cloudWatchLogsClientBuilder, aWSRequest.cloudwatchEndpoint(), Region.of(aWSRequest.region()), createCredentialsProvider(aWSRequest));
        return (CloudWatchLogsClient) cloudWatchLogsClientBuilder.build();
    }

    public KinesisClient buildClient(KinesisClientBuilder kinesisClientBuilder, AWSRequest aWSRequest) {
        initializeBuilder(kinesisClientBuilder, aWSRequest.kinesisEndpoint(), Region.of(aWSRequest.region()), createCredentialsProvider(aWSRequest));
        return (KinesisClient) kinesisClientBuilder.build();
    }

    public IamClient buildClient(IamClientBuilder iamClientBuilder, AWSRequest aWSRequest) {
        Region region = Region.AWS_GLOBAL;
        if (aWSRequest.region().contains("gov")) {
            region = Region.AWS_US_GOV_GLOBAL;
        }
        initializeBuilder(iamClientBuilder, aWSRequest.iamEndpoint(), region, createCredentialsProvider(aWSRequest));
        return (IamClient) iamClientBuilder.build();
    }

    private String decryptSecretAccessKey(EncryptedValue encryptedValue) {
        return this.encryptedValueService.decrypt((EncryptedValue) Optional.ofNullable(encryptedValue).orElse(EncryptedValue.createUnset()));
    }
}
