package io.unitycatalog.server.service.credential.aws;

import io.unitycatalog.server.exception.BaseException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.persist.utils.ServerPropertiesUtils;
import io.unitycatalog.server.service.credential.CredentialContext;
import java.time.Duration;
import java.util.Map;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;

/* loaded from: input_file:io/unitycatalog/server/service/credential/aws/AwsCredentialVendor.class */
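public class AwsCredentialVendor {
    private static final Logger LOGGER = LoggerFactory.getLogger(AwsCredentialVendor.class);

    /** Lifetime requested for credentials obtained through STS AssumeRole. */
    private static final Duration CREDENTIAL_DURATION = Duration.ofHours(1L);

    /** Per-storage-base S3 configuration, keyed by the storage base the credential request names. */
    private final Map<String, S3StorageConfig> s3Configurations =
        ServerPropertiesUtils.getInstance().getS3Configurations();

    /**
     * Vends AWS credentials for the storage base named in {@code credentialContext}.
     *
     * <p>Two paths exist:
     * <ul>
     *   <li>If the matching {@link S3StorageConfig} carries a non-empty session token, the configured
     *       static credentials (access key, secret key, session token) are returned as-is. The
     *       privileges and locations in {@code credentialContext} are <em>not</em> applied on this
     *       path, so the caller receives whatever access those configured credentials already hold.</li>
     *   <li>Otherwise the configured role is assumed via STS with a session policy generated from the
     *       requested privileges and locations, which scopes the vended credentials down to that
     *       access for {@link #CREDENTIAL_DURATION}.</li>
     * </ul>
     *
     * @param credentialContext the storage base, privileges and locations being requested
     * @return temporary or configured AWS credentials for the storage base
     * @throws BaseException with {@link ErrorCode#FAILED_PRECONDITION} when no S3 configuration
     *     exists for the requested storage base
     */
    public Credentials vendAwsCredentials(CredentialContext credentialContext) {
        S3StorageConfig s3StorageConfig = this.s3Configurations.get(credentialContext.getStorageBase());
        if (s3StorageConfig == null) {
            throw new BaseException(ErrorCode.FAILED_PRECONDITION, "S3 bucket configuration not found.");
        }
        if (hasText(s3StorageConfig.getSessionToken())) {
            // Static, pre-issued credentials: returned without any down-scoping policy.
            return Credentials.builder()
                .accessKeyId(s3StorageConfig.getAccessKey())
                .secretAccessKey(s3StorageConfig.getSecretKey())
                .sessionToken(s3StorageConfig.getSessionToken())
                .build();
        }
        StsClient stsClient = getStsClientForStorageConfig(s3StorageConfig);
        // Unique per request so individual sessions are distinguishable in CloudTrail.
        String roleSessionName = "uc-%s".formatted(UUID.randomUUID());
        // Session policy restricting the assumed role to the requested privileges/locations.
        String sessionPolicy =
            AwsPolicyGenerator.generatePolicy(credentialContext.getPrivileges(), credentialContext.getLocations());
        return stsClient.assumeRole(builder -> {
            builder.roleArn(s3StorageConfig.getAwsRoleArn())
                .policy(sessionPolicy)
                .roleSessionName(roleSessionName)
                .durationSeconds((int) CREDENTIAL_DURATION.toSeconds());
        }).credentials();
    }

    /**
     * Builds an STS client for the given storage configuration.
     *
     * <p>Static keys are used only when <em>both</em> the access key and the secret key are present
     * and non-empty; otherwise the SDK's default credentials provider chain is used. (The previous
     * check tested only {@code secretKey != null} and {@code accessKey.isEmpty()}, which threw a
     * {@link NullPointerException} when a secret key was configured without an access key.)
     *
     * @param s3StorageConfig configuration holding the region and optional static keys
     * @return an STS client for the configured region
     */
    private StsClient getStsClientForStorageConfig(S3StorageConfig s3StorageConfig) {
        boolean useStaticKeys =
            hasText(s3StorageConfig.getAccessKey()) && hasText(s3StorageConfig.getSecretKey());
        if (!useStaticKeys) {
            // Region only; never log key material.
            LOGGER.debug(
                "No complete static access key/secret configured for region {}; using the default AWS credentials provider chain",
                s3StorageConfig.getRegion());
        }
        return StsClient.builder()
            .credentialsProvider(useStaticKeys
                ? StaticCredentialsProvider.create(
                    AwsBasicCredentials.create(s3StorageConfig.getAccessKey(), s3StorageConfig.getSecretKey()))
                : DefaultCredentialsProvider.create())
            .region(Region.of(s3StorageConfig.getRegion()))
            .build();
    }

    /**
     * Returns {@code true} when {@code value} is non-null and non-empty; the single definition of
     * "configured" used for the session token, access key and secret key.
     */
    private static boolean hasText(String value) {
        return value != null && !value.isEmpty();
    }
}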
