package org.graylog.integrations.aws;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.util.Locale;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest;

/* loaded from: input_file:org/graylog/integrations/aws/AWSAuthFactory.class */
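/**
 * Builds the {@link AwsCredentialsProvider} used to authenticate AWS API calls.
 *
 * <p>Two layers are involved: a base provider (static key/secret or the SDK default chain) and,
 * optionally, an STS assume-role provider layered on top of it for cross-account access.
 *
 * <p>This listing is decompiler output, so the public parameter names ({@code z}, {@code str}, ...)
 * are synthetic. Their roles below are derived from how each value is used in this class.
 */
public class AWSAuthFactory {
    private static final Logger LOG = LoggerFactory.getLogger(AWSAuthFactory.class);

    /**
     * Creates a credentials provider, optionally wrapped in an STS assume-role provider.
     *
     * @param z    selects the strict provider that requires an explicit key and secret
     *             (presumably "running in cloud"; inferred from the helper name, confirm against callers)
     * @param str  AWS region name, passed to {@link Region#of(String)} for the STS client
     * @param str2 AWS access key ID
     * @param str3 AWS secret access key
     * @param str4 ARN of the role to assume; when null or empty no role is assumed
     * @return the base provider, or an assume-role provider backed by it when both a role ARN
     *         and a region are supplied
     * @throws IllegalArgumentException if {@code z} is true and the key or secret is blank
     */
    public static AwsCredentialsProvider create(boolean z, @Nullable String str, @Nullable String str2, @Nullable String str3, @Nullable String str4) {
        final AwsCredentialsProvider baseProvider = z
                ? getCloudAwsCredentialsProvider(str2, str3)
                : getAwsCredentialsProvider(str2, str3);

        if (Strings.isNullOrEmpty(str4)) {
            return baseProvider;
        }
        if (Strings.isNullOrEmpty(str)) {
            // A role ARN without a region cannot be used to build the STS client. The base credentials
            // are returned as before, but the downgrade is now logged instead of being silent, because
            // the caller asked for a (typically narrower) assumed role and is not getting one.
            LOG.warn("An assume role ARN was supplied without a region; continuing with the base credentials and not assuming the role.");
            return baseProvider;
        }

        LOG.debug("Creating cross account assume role credentials");
        return buildStsCredentialsProvider(baseProvider, str, str4, str2);
    }

    /**
     * Returns static credentials when both key and secret are present, otherwise the SDK default chain.
     *
     * <p>Note for operators: supplying only one of the two values does not fail. It falls through to
     * {@link DefaultCredentialsProvider}, so whatever identity the default chain resolves is used.
     * Unlike the strict variant, this check is null/empty only; a whitespace-only value is treated as
     * present and handed to {@link AwsBasicCredentials}.
     *
     * @param accessKey AWS access key ID, may be null or empty
     * @param secretKey AWS secret access key, may be null or empty
     * @return a static provider for the given pair, or the default provider chain
     */
    private static AwsCredentialsProvider getAwsCredentialsProvider(String accessKey, String secretKey) {
        // Declared as the interface type: the decompiled local was typed StaticCredentialsProvider,
        // which the DefaultCredentialsProvider branch cannot be assigned to.
        if (Strings.isNullOrEmpty(accessKey) || Strings.isNullOrEmpty(secretKey)) {
            LOG.debug("Using default authorization provider chain.");
            return DefaultCredentialsProvider.create();
        }
        LOG.debug("Using explicitly provided key and secret.");
        return StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
    }

    /**
     * Returns static credentials and never falls back to the SDK default chain.
     *
     * <p>Refusing the fallback keeps this path from picking up credentials that belong to the host
     * environment rather than to the caller.
     *
     * @param accessKey AWS access key ID, must not be blank
     * @param secretKey AWS secret access key, must not be blank
     * @return a static provider for the given pair
     * @throws IllegalArgumentException if either value is blank
     */
    private static AwsCredentialsProvider getCloudAwsCredentialsProvider(String accessKey, String secretKey) {
        Preconditions.checkArgument(StringUtils.isNotBlank(accessKey), "Access key is required.");
        Preconditions.checkArgument(StringUtils.isNotBlank(secretKey), "Secret key is required.");
        return StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
    }

    /**
     * Wraps the base provider in an STS assume-role provider for the given role.
     *
     * <p>The role session name is {@code ACCESS_KEY_<key id>@ACCOUNT_<account id>} when an access key
     * ID is available and {@code ACCOUNT_<account id>} otherwise. The account id comes from an STS
     * GetCallerIdentity call made with the base credentials, so this method performs a network call.
     *
     * @param awsCredentialsProvider base credentials used to call STS
     * @param region                 region name for the STS client
     * @param assumeRoleArn          ARN of the role to assume
     * @param accessKey              access key ID used only to label the session, may be null or empty
     * @return a provider that obtains credentials through AssumeRole
     */
    private static AwsCredentialsProvider buildStsCredentialsProvider(AwsCredentialsProvider awsCredentialsProvider, String region, String assumeRoleArn, @Nullable String accessKey) {
        // NOTE(review): this client is handed to the returned provider and is never closed here;
        // confirm the owner of the provider closes it when the provider is discarded.
        final StsClient stsClient = StsClient.builder()
                .region(Region.of(region))
                .credentialsProvider(awsCredentialsProvider)
                .build();

        // Resolved once; the decompiled code repeated the call in both branches of a ternary.
        final String accountId = stsClient.getCallerIdentity(GetCallerIdentityRequest.builder().build()).account();

        // Treat an empty key like a missing one, matching the null-or-empty checks used elsewhere in
        // this class; a null-only check would yield the label "ACCESS_KEY_@ACCOUNT_...".
        final String roleSessionName = Strings.isNullOrEmpty(accessKey)
                ? String.format(Locale.ROOT, "ACCOUNT_%s", accountId)
                : String.format(Locale.ROOT, "ACCESS_KEY_%s@ACCOUNT_%s", accessKey, accountId);

        // The session name carries the access key ID (never the secret). It is written to the debug
        // log here and is part of the assumed-role identity, so treat both as places where the key ID
        // becomes visible. Parameterized form avoids building the string when debug is off.
        LOG.debug("Cross account role session name: {}", roleSessionName);

        return StsAssumeRoleCredentialsProvider.builder()
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleSessionName(roleSessionName)
                        .roleArn(assumeRoleArn)
                        .build())
                .stsClient(stsClient)
                .build();
    }
}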
