package io.trino.plugin.hive.s3;

import com.google.common.base.Suppliers;
import com.google.common.base.Verify;
import com.google.common.collect.ImmutableSet;
import com.google.common.hash.Hasher;
import com.google.common.hash.Hashing;
import io.airlift.log.Logger;
import io.trino.hdfs.DynamicConfigurationProvider;
import io.trino.hdfs.HdfsContext;
import io.trino.spi.security.AccessDeniedException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.inject.Inject;
import org.apache.hadoop.conf.Configuration;

/* loaded from: input_file:io/trino/plugin/hive/s3/S3SecurityMappingConfigurationProvider.class */
public class S3SecurityMappingConfigurationProvider implements DynamicConfigurationProvider {
    private static final Logger log = Logger.get(S3SecurityMappingConfigurationProvider.class);
    private static final Set<String> SCHEMES = ImmutableSet.of("s3", "s3a", "s3n");
    private static final String ANY_KMS_KEY_ID = "*";
    private final Supplier<S3SecurityMappings> mappings;
    private final Optional<String> roleCredentialName;
    private final Optional<String> kmsKeyIdCredentialName;
    private final Optional<String> colonReplacement;

    @Inject
    public S3SecurityMappingConfigurationProvider(S3SecurityMappingConfig s3SecurityMappingConfig, S3SecurityMappingsProvider s3SecurityMappingsProvider) {
        this(getMappings(s3SecurityMappingConfig, s3SecurityMappingsProvider), s3SecurityMappingConfig.getRoleCredentialName(), s3SecurityMappingConfig.getKmsKeyIdCredentialName(), s3SecurityMappingConfig.getColonReplacement());
    }

    public S3SecurityMappingConfigurationProvider(Supplier<S3SecurityMappings> supplier, Optional<String> optional, Optional<String> optional2, Optional<String> optional3) {
        this.mappings = (Supplier) Objects.requireNonNull(supplier, "mappings is null");
        this.roleCredentialName = (Optional) Objects.requireNonNull(optional, "roleCredentialName is null");
        this.kmsKeyIdCredentialName = (Optional) Objects.requireNonNull(optional2, "kmsKeyIdCredentialName is null");
        this.colonReplacement = (Optional) Objects.requireNonNull(optional3, "colonReplacement is null");
    }

    private static Supplier<S3SecurityMappings> getMappings(S3SecurityMappingConfig s3SecurityMappingConfig, S3SecurityMappingsProvider s3SecurityMappingsProvider) {
        String orElseThrow = s3SecurityMappingConfig.getConfigFilePath().orElseThrow(() -> {
            return new IllegalArgumentException("config file not set");
        });
        if (!s3SecurityMappingConfig.getRefreshPeriod().isEmpty()) {
            return Suppliers.memoizeWithExpiration(() -> {
                log.info("Refreshing S3 security mapping configuration from %s", new Object[]{orElseThrow});
                return s3SecurityMappingsProvider.get();
            }, s3SecurityMappingConfig.getRefreshPeriod().get().toMillis(), TimeUnit.MILLISECONDS);
        }
        Objects.requireNonNull(s3SecurityMappingsProvider);
        return Suppliers.memoize(s3SecurityMappingsProvider::get);
    }

    public void updateConfiguration(Configuration configuration, HdfsContext hdfsContext, URI uri) {
        if (SCHEMES.contains(uri.getScheme())) {
            S3SecurityMapping orElseThrow = this.mappings.get().getMapping(hdfsContext.getIdentity(), uri).orElseThrow(() -> {
                return new AccessDeniedException("No matching S3 security mapping");
            });
            if (orElseThrow.isUseClusterDefault()) {
                return;
            }
            Hasher newHasher = Hashing.sha256().newHasher();
            orElseThrow.getCredentials().ifPresent(basicAWSCredentials -> {
                configuration.set(TrinoS3FileSystem.S3_ACCESS_KEY, basicAWSCredentials.getAWSAccessKeyId());
                configuration.set(TrinoS3FileSystem.S3_SECRET_KEY, basicAWSCredentials.getAWSSecretKey());
                newHasher.putString(basicAWSCredentials.getAWSAccessKeyId(), StandardCharsets.UTF_8);
                newHasher.putString(basicAWSCredentials.getAWSSecretKey(), StandardCharsets.UTF_8);
            });
            selectRole(orElseThrow, hdfsContext).ifPresent(str -> {
                configuration.set(TrinoS3FileSystem.S3_IAM_ROLE, str);
                newHasher.putString(str, StandardCharsets.UTF_8);
            });
            selectKmsKeyId(orElseThrow, hdfsContext).ifPresent(str2 -> {
                configuration.set(TrinoS3FileSystem.S3_KMS_KEY_ID, str2);
                newHasher.putString("trino.s3.kms-key-id:" + str2, StandardCharsets.UTF_8);
            });
            orElseThrow.getEndpoint().ifPresent(str3 -> {
                configuration.set(TrinoS3FileSystem.S3_ENDPOINT, str3);
                newHasher.putString(str3, StandardCharsets.UTF_8);
            });
            orElseThrow.getRoleSessionName().ifPresent(str4 -> {
                configuration.set(TrinoS3FileSystem.S3_ROLE_SESSION_NAME, str4.replace("${USER}", hdfsContext.getIdentity().getUser()));
                newHasher.putString(str4, StandardCharsets.UTF_8);
            });
            DynamicConfigurationProvider.setCacheKey(configuration, newHasher.hash().toString());
        }
    }

    private Optional<String> selectRole(S3SecurityMapping s3SecurityMapping, HdfsContext hdfsContext) {
        Optional<String> roleFromExtraCredential = getRoleFromExtraCredential(hdfsContext);
        if (roleFromExtraCredential.isEmpty()) {
            if (!s3SecurityMapping.getAllowedIamRoles().isEmpty() && s3SecurityMapping.getIamRole().isEmpty()) {
                throw new AccessDeniedException("No S3 role selected and mapping has no default role");
            }
            Verify.verify(s3SecurityMapping.getIamRole().isPresent() || s3SecurityMapping.getCredentials().isPresent(), "mapping must have role or credential", new Object[0]);
            return s3SecurityMapping.getIamRole();
        }
        String str = roleFromExtraCredential.get();
        if (str.equals(s3SecurityMapping.getIamRole().orElse(null)) || s3SecurityMapping.getAllowedIamRoles().contains(str)) {
            return roleFromExtraCredential;
        }
        throw new AccessDeniedException("Selected S3 role is not allowed: " + str);
    }

    private Optional<String> getRoleFromExtraCredential(HdfsContext hdfsContext) {
        Optional map = this.roleCredentialName.map(str -> {
            return (String) hdfsContext.getIdentity().getExtraCredentials().get(str);
        });
        return this.colonReplacement.isPresent() ? map.map(str2 -> {
            return str2.replace(this.colonReplacement.get(), ":");
        }) : map;
    }

    private Optional<String> selectKmsKeyId(S3SecurityMapping s3SecurityMapping, HdfsContext hdfsContext) {
        Optional<String> kmsKeyIdFromExtraCredential = getKmsKeyIdFromExtraCredential(hdfsContext);
        if (kmsKeyIdFromExtraCredential.isEmpty()) {
            return s3SecurityMapping.getKmsKeyId();
        }
        String str = kmsKeyIdFromExtraCredential.get();
        if (str.equals(s3SecurityMapping.getKmsKeyId().orElse(null)) || s3SecurityMapping.getAllowedKmsKeyIds().contains(str) || s3SecurityMapping.getAllowedKmsKeyIds().contains(ANY_KMS_KEY_ID)) {
            return kmsKeyIdFromExtraCredential;
        }
        throw new AccessDeniedException("Selected KMS Key ID is not allowed");
    }

    private Optional<String> getKmsKeyIdFromExtraCredential(HdfsContext hdfsContext) {
        return this.kmsKeyIdCredentialName.map(str -> {
            return (String) hdfsContext.getIdentity().getExtraCredentials().get(str);
        });
    }
}
