package org.graylog.aws.auth;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.graylog.aws.config.AWSPluginConfiguration;
import org.graylog2.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/aws/auth/AWSAuthProvider.class */
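/**
 * Resolves the AWS credentials used by an input and exposes them as an
 * {@link AWSCredentialsProvider}.
 *
 * <p>Resolution order, as implemented below:
 * <ol>
 *   <li>Cloud deployments ({@code configuration.isCloud()}): an explicit access key and
 *       secret key are mandatory; neither the plugin configuration nor the default
 *       provider chain is consulted.</li>
 *   <li>Other deployments: input-specific keys if both are set, otherwise the keys stored
 *       in the AWS plugin configuration if both are set, otherwise the SDK's
 *       {@link DefaultAWSCredentialsProviderChain}.</li>
 *   <li>If both a region and a role ARN are supplied, the credentials from the previous
 *       step are used to assume that role through STS.</li>
 * </ol>
 *
 * <p>Secret keys are never written to the log by this class. The access key ID and the
 * caller's account ID are, at debug level, as part of the role session name.
 */
public class AWSAuthProvider implements AWSCredentialsProvider {
    private static final Logger LOG = LoggerFactory.getLogger(AWSAuthProvider.class);
    private final Configuration configuration;
    private final AWSCredentialsProvider credentials;

    /**
     * Creates a provider without input-specific keys and without role assumption.
     *
     * @param configuration          server configuration (cloud flag and password secret)
     * @param aWSPluginConfiguration cluster-wide AWS plugin configuration
     */
    public AWSAuthProvider(Configuration configuration, AWSPluginConfiguration aWSPluginConfiguration) {
        this(configuration, aWSPluginConfiguration, null, null, null, null);
    }

    /**
     * Creates a provider and resolves its credentials immediately. When both {@code str3}
     * and {@code str4} are set, construction performs an STS {@code GetCallerIdentity}
     * call with the base credentials.
     *
     * @param configuration          server configuration (cloud flag and password secret)
     * @param aWSPluginConfiguration cluster-wide AWS plugin configuration
     * @param str                    input-specific access key, may be {@code null}
     * @param str2                   input-specific secret key, may be {@code null}
     * @param str3                   region used for the STS client, may be {@code null}
     * @param str4                   ARN of the role to assume, may be {@code null}
     * @throws IllegalArgumentException in cloud deployments when the access key or the
     *                                  secret key is blank
     */
    public AWSAuthProvider(Configuration configuration, AWSPluginConfiguration aWSPluginConfiguration, @Nullable String str, @Nullable String str2, @Nullable String str3, @Nullable String str4) {
        this.configuration = configuration;
        this.credentials = resolveAuthentication(aWSPluginConfiguration, str, str2, str3, str4);
    }

    /**
     * Picks the base credentials for the deployment type and, when both a region and a
     * role ARN are present, wraps them in an assume-role provider.
     */
    private AWSCredentialsProvider resolveAuthentication(AWSPluginConfiguration pluginConfig, @Nullable String accessKey, @Nullable String secretKey, @Nullable String region, @Nullable String assumeRoleArn) {
        final AWSCredentialsProvider baseCredentials = this.configuration.isCloud()
                ? getCloudAwsCredentialsProvider(accessKey, secretKey)
                : getStdAwsCredentialsProvider(pluginConfig, accessKey, secretKey);

        if (Strings.isNullOrEmpty(assumeRoleArn) || Strings.isNullOrEmpty(region)) {
            if (!Strings.isNullOrEmpty(assumeRoleArn)) {
                // A role ARN without a region means the role is NOT assumed and the input
                // runs with the base credentials. Surface that instead of failing silently.
                LOG.warn("Assume role ARN was supplied without a region; the role will not be assumed");
            }
            return baseCredentials;
        }

        LOG.debug("Creating cross account assume role credentials");
        return getSTSCredentialsProvider(baseCredentials, region, assumeRoleArn);
    }

    /**
     * Resolves base credentials for non-cloud deployments: input keys, then plugin
     * configuration keys, then the SDK default provider chain.
     */
    private AWSCredentialsProvider getStdAwsCredentialsProvider(AWSPluginConfiguration pluginConfig, String accessKey, String secretKey) {
        if (!Strings.isNullOrEmpty(accessKey) && !Strings.isNullOrEmpty(secretKey)) {
            LOG.debug("Using input specific config");
            return new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey));
        }

        // Read the stored secret only when an access key is configured, and only once.
        final String pluginAccessKey = pluginConfig.accessKey();
        final String pluginSecretKey = Strings.isNullOrEmpty(pluginAccessKey)
                ? null
                : pluginConfig.secretKey(this.configuration.getPasswordSecret());

        if (Strings.isNullOrEmpty(pluginSecretKey)) {
            // Falls back to whatever ambient credentials the SDK chain finds on this node.
            LOG.debug("Using Default Provider Chain");
            return new DefaultAWSCredentialsProviderChain();
        }

        LOG.debug("Using AWS Plugin config");
        return new AWSStaticCredentialsProvider(new BasicAWSCredentials(pluginAccessKey, pluginSecretKey));
    }

    /**
     * Resolves base credentials for cloud deployments, where explicit keys are required.
     * NOTE(review): presumably this keeps inputs from using the node's own ambient
     * credentials; confirm before relaxing the checks.
     *
     * @throws IllegalArgumentException when the access key or the secret key is blank
     */
    private AWSCredentialsProvider getCloudAwsCredentialsProvider(String accessKey, String secretKey) {
        Preconditions.checkArgument(StringUtils.isNotBlank(accessKey), "Access key is required.");
        Preconditions.checkArgument(StringUtils.isNotBlank(secretKey), "Secret key is required.");
        return new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey));
    }

    /**
     * Builds a provider that assumes {@code assumeRoleArn} using {@code baseCredentials}.
     * The role session name is derived from the caller's access key ID and account ID.
     */
    private AWSCredentialsProvider getSTSCredentialsProvider(AWSCredentialsProvider baseCredentials, String region, String assumeRoleArn) {
        final AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(region)
                .withCredentials(baseCredentials)
                .build();

        final String accessKeyId = baseCredentials.getCredentials().getAWSAccessKeyId();
        final String callerAccount = stsClient.getCallerIdentity(new GetCallerIdentityRequest()).getAccount();

        // The session name embeds the access key ID and account ID. Neither is a secret,
        // but both identify the caller and become part of the assumed-role session ARN.
        // NOTE(review): STS restricts session-name length and characters; confirm that
        // every accepted access key ID format fits.
        final String roleSessionName = org.graylog2.shared.utilities.StringUtils.f("API_KEY_%s@ACCOUNT_%s", accessKeyId, callerAccount);
        LOG.debug("Cross account role session name: {}", roleSessionName);

        // NOTE(review): no external ID is set on the assume-role request (the builder
        // offers withExternalId), so trust policies that require sts:ExternalId cannot be
        // satisfied from here; confirm this is intended for cross-account use.
        return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, roleSessionName)
                .withStsClient(stsClient)
                .build();
    }

    /** Returns the credentials from the provider resolved at construction time. */
    @Override
    public AWSCredentials getCredentials() {
        return this.credentials.getCredentials();
    }

    /** Asks the resolved provider to refresh its credentials. */
    @Override
    public void refresh() {
        this.credentials.refresh();
    }
}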
