package io.digdag.standards.operator.aws;

import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.policy.Action;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.DynamoDBv2Actions;
import com.amazonaws.auth.policy.actions.ElasticMapReduceActions;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.google.common.base.Preconditions;
import io.digdag.standards.operator.td.BaseTDOperator;
import java.util.ArrayList;
import java.util.List;

/* loaded from: input_file:io/digdag/standards/operator/aws/AWSSessionCredentialsFactory.class */
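/**
 * Builds short-lived AWS session credentials whose permissions are narrowed by an inline
 * session policy derived from a list of {@link AcceptableUri} entries.
 *
 * <p>The long-lived access key pair given to the constructor is only used to call STS. When a
 * role ARN is configured, {@code AssumeRole} is called; otherwise {@code GetFederationToken}
 * is called. In both cases the generated policy is passed along with the request, so the
 * returned credentials can do at most what the policy allows (and never more than the base
 * identity or role already permits).
 *
 * <p>Supported URI schemes are {@code s3://}, {@code dynamodb://} and {@code emr://}; any other
 * value makes {@link #get()} throw {@link IllegalArgumentException}.
 *
 * <p>Instances are mutable through the {@code with*} methods and are not synchronized.
 */
public class AWSSessionCredentialsFactory {
    /** Default lifetime of the issued session: 10800 seconds (3 hours). */
    private static final int DEFAULT_DURATION_SECONDS = 10800;
    private static final String DEFAULT_SESSION_NAME = "digdag-operator-session";
    private static final String URI_S3_PREFIX = "s3://";
    private static final String URI_DYNAMODB_PREFIX = "dynamodb://";
    private static final String URI_EMR_PREFIX = "emr://";
    private final String accessKeyId;
    private final String secretAccessKey;
    private final List<AcceptableUri> acceptableUris;
    private String roleArn;
    private String sessionName = DEFAULT_SESSION_NAME;
    private int durationSeconds = DEFAULT_DURATION_SECONDS;

    /** A resource URI together with the access mode the session should be granted on it. */
    public static class AcceptableUri {
        private final Mode mode;
        private final String uri;

        /**
         * @param mode access mode requested for the resource
         * @param str resource URI, expected to start with {@code s3://}, {@code dynamodb://}
         *     or {@code emr://}
         */
        public AcceptableUri(Mode mode, String str) {
            this.mode = mode;
            this.uri = str;
        }
    }

    /** Access mode requested for an {@link AcceptableUri}. */
    public enum Mode {
        READ,
        WRITE
    }

    /**
     * @param basicAWSCredentials long-lived key pair used to call STS; must be non-null with a
     *     non-null access key id and secret key
     * @param list resources the issued session may touch; must be non-null
     * @throws NullPointerException if any required value is null
     */
    public AWSSessionCredentialsFactory(BasicAWSCredentials basicAWSCredentials, List<AcceptableUri> list) {
        Preconditions.checkNotNull(basicAWSCredentials);
        Preconditions.checkNotNull(basicAWSCredentials.getAWSAccessKeyId());
        Preconditions.checkNotNull(basicAWSCredentials.getAWSSecretKey());
        Preconditions.checkNotNull(list);
        this.accessKeyId = basicAWSCredentials.getAWSAccessKeyId();
        this.secretAccessKey = basicAWSCredentials.getAWSSecretKey();
        // Snapshot the list: it defines the permission scope of every session this factory
        // issues, so a caller mutating its own list later must not be able to widen that scope.
        this.acceptableUris = new ArrayList<>(list);
    }

    /**
     * Selects {@code AssumeRole} with the given role instead of {@code GetFederationToken}.
     *
     * @param str ARN of the role to assume; must be non-null (an empty string falls back to
     *     {@code GetFederationToken} in {@link #get()})
     * @return this factory
     */
    public AWSSessionCredentialsFactory withRoleArn(String str) {
        Preconditions.checkNotNull(str);
        this.roleArn = str;
        return this;
    }

    /**
     * Sets the session name sent to STS (role session name or federated user name).
     *
     * @param str session name; must be non-null
     * @return this factory
     */
    public AWSSessionCredentialsFactory withRoleSessionName(String str) {
        Preconditions.checkNotNull(str);
        this.sessionName = str;
        return this;
    }

    /**
     * Sets the requested session lifetime in seconds. The value is not validated here; it is
     * passed to STS as given.
     *
     * @param i requested lifetime in seconds
     * @return this factory
     */
    public AWSSessionCredentialsFactory withDurationSeconds(int i) {
        this.durationSeconds = i;
        return this;
    }

    /**
     * Calls STS and returns temporary credentials restricted by the policy generated from the
     * acceptable URIs.
     *
     * @return temporary access key, secret key and session token
     * @throws IllegalArgumentException if a URI has an unsupported scheme or an {@code s3://}
     *     URI has no bucket name
     */
    public BasicSessionCredentials get() {
        List<Statement> statements = new ArrayList<>();
        for (AcceptableUri acceptableUri : this.acceptableUris) {
            addStatements(statements, acceptableUri.mode, acceptableUri.uri);
        }
        Policy policy = new Policy();
        policy.setStatements(statements);
        String policyJson = policy.toJson();

        AWSSecurityTokenServiceClient sts =
                new AWSSecurityTokenServiceClient(new BasicAWSCredentials(this.accessKeyId, this.secretAccessKey));
        try {
            Credentials credentials;
            if (this.roleArn == null || this.roleArn.isEmpty()) {
                credentials = sts.getFederationToken(new GetFederationTokenRequest()
                        .withDurationSeconds(Integer.valueOf(this.durationSeconds))
                        .withName(this.sessionName)
                        .withPolicy(policyJson)).getCredentials();
            } else {
                credentials = sts.assumeRole(new AssumeRoleRequest()
                        .withRoleArn(this.roleArn)
                        .withDurationSeconds(Integer.valueOf(this.durationSeconds))
                        .withRoleSessionName(this.sessionName)
                        .withPolicy(policyJson)).getCredentials();
            }
            return new BasicSessionCredentials(
                    credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
        } finally {
            // A client is created per call; release its connection resources once done.
            sts.shutdown();
        }
    }

    /** Dispatches on the URI scheme and appends the matching Allow statements. */
    private static void addStatements(List<Statement> statements, Mode mode, String uri) {
        if (uri.startsWith(URI_S3_PREFIX)) {
            addS3Statements(statements, mode, uri);
        } else if (uri.startsWith(URI_DYNAMODB_PREFIX)) {
            addDynamoDbStatements(statements, mode, uri);
        } else if (uri.startsWith(URI_EMR_PREFIX)) {
            // EMR is granted every ElasticMapReduce action on the named cluster, whatever the mode.
            // NOTE(review): READ and WRITE are not distinguished here - confirm this is intended.
            String cluster = uri.substring(URI_EMR_PREFIX.length());
            statements.add(allow(
                    ElasticMapReduceActions.AllElasticMapReduceActions,
                    String.format("arn:aws:elasticmapreduce:*:*:cluster/%s", cluster)));
        } else {
            throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
        }
    }

    /** Appends bucket listing plus GetObject (READ) or PutObject (WRITE) on the URI's key prefix. */
    private static void addS3Statements(List<Statement> statements, Mode mode, String uri) {
        String path = uri.substring(URI_S3_PREFIX.length());
        String bucket = path.split("/", 2)[0];
        if (bucket.isEmpty()) {
            // "s3://" or "s3:///key" would otherwise yield "arn:aws:s3:::*", i.e. every bucket.
            throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
        }
        statements.add(allow(S3Actions.ListObjects, "arn:aws:s3:::" + bucket));

        // The trailing "*" turns the key into a prefix match. For a bare bucket URI the "/" is
        // added first, because "arn:aws:s3:::bucket*" would also match objects in any other
        // bucket whose name merely starts with the same characters.
        // NOTE(review): "*" and "?" inside the URI are passed through and act as policy
        // wildcards - verify that callers do not accept such URIs from less-trusted input.
        String keyPrefix = path.indexOf('/') < 0 ? path + "/" : path;
        String objectArn = "arn:aws:s3:::" + keyPrefix + "*";
        switch (mode) {
            case READ:
                statements.add(allow(S3Actions.GetObject, objectArn));
                break;
            case WRITE:
                statements.add(allow(S3Actions.PutObject, objectArn));
                break;
            default:
                break;
        }
    }

    /** Appends DescribeTable, plus Scan for READ, on the named table in any region and account. */
    private static void addDynamoDbStatements(List<Statement> statements, Mode mode, String uri) {
        String table = uri.substring(URI_DYNAMODB_PREFIX.length());
        String tableArn = String.format("arn:aws:dynamodb:*:*:table/%s", table);
        statements.add(allow(DynamoDBv2Actions.DescribeTable, tableArn));
        switch (mode) {
            case READ:
                statements.add(allow(DynamoDBv2Actions.Scan, tableArn));
                break;
            case WRITE:
                // NOTE(review): WRITE grants nothing beyond DescribeTable - confirm whether a
                // write action was meant to be added here.
            default:
                break;
        }
    }

    /** Creates a single-action, single-resource Allow statement. */
    private static Statement allow(Action action, String resourceArn) {
        return new Statement(Statement.Effect.Allow)
                .withActions(action)
                .withResources(new Resource(resourceArn));
    }
}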
