package ai.tock.aws.secretmanager.dao;

import ai.tock.aws.EnvConfig;
import ai.tock.aws.EnvConfigKt;
import ai.tock.aws.utils.UtilsKt;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException;
import com.amazonaws.services.secretsmanager.model.CreateSecretRequest;
import com.amazonaws.services.secretsmanager.model.CreateSecretResult;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
import com.amazonaws.services.secretsmanager.model.UpdateSecretRequest;
import com.amazonaws.services.secretsmanager.model.UpdateSecretResult;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.fasterxml.jackson.module.kotlin.ExtensionsKt;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Function;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import mu.KLogger;
import mu.KotlinLogging;
import org.jetbrains.annotations.NotNull;

/* compiled from: SecretAWSDAO.kt */
@Metadata(mv = {2, 0, 0}, k = 1, xi = 48, d1 = {"��@\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010��\n��\u0018��2\u00020\u0001B\u0007¢\u0006\u0004\b\u0002\u0010\u0003J\u0010\u0010\u0011\u001a\u00020\u00102\u0006\u0010\u0012\u001a\u00020\u0010H\u0016J\b\u0010\u0013\u001a\u00020\tH\u0002J\b\u0010\u0014\u001a\u00020\u0015H\u0002J\u0018\u0010\u0016\u001a\u00020\u00102\u0006\u0010\u0017\u001a\u00020\u00102\u0006\u0010\u0018\u001a\u00020\u0019H\u0016R\u0018\u0010\u0004\u001a\n \u0006*\u0004\u0018\u00010\u00050\u0005X\u0082\u000e¢\u0006\u0004\n\u0002\u0010\u0007R\u000e\u0010\b\u001a\u00020\tX\u0082\u000e¢\u0006\u0002\n��R\u000e\u0010\n\u001a\u00020\u000bX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\f\u001a\u00020\rX\u0082\u0004¢\u0006\u0002\n��R\u001a\u0010\u000e\u001a\u000e\u0012\u0004\u0012\u00020\u0010\u0012\u0004\u0012\u00020\u00100\u000fX\u0082\u000e¢\u0006\u0002\n��¨\u0006\u001a"}, d2 = {"Lai/tock/aws/secretmanager/dao/SecretAWSDAO;", "Lai/tock/aws/secretmanager/dao/SecretDAO;", "<init>", "()V", "stsClient", "Lcom/amazonaws/services/securitytoken/AWSSecurityTokenService;", "kotlin.jvm.PlatformType", "Lcom/amazonaws/services/securitytoken/AWSSecurityTokenService;", "secretsManagerClient", "Lcom/amazonaws/services/secretsmanager/AWSSecretsManager;", "logger", "Lmu/KLogger;", "lockOnSecretCache", "Ljava/util/concurrent/locks/Lock;", "secretsCache", "Lcom/github/benmanes/caffeine/cache/Cache;", "", "getSecret", "secretId", "initSecretsManagerWithNewCredentials", "getTemporaryCredentials", "Lcom/amazonaws/services/securitytoken/model/Credentials;", "createOrUpdateSecret", "secretName", "secretObject", "", "tock-aws-tools"})
/* loaded from: input_file:ai/tock/aws/secretmanager/dao/SecretAWSDAO.class */
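/**
 * {@link SecretDAO} backed by AWS Secrets Manager, with a small in-memory cache of fetched values.
 *
 * <p>When the {@code AWS_ASSUMED_ROLE_PROPERTY} property is enabled the Secrets Manager client is
 * built from short-lived STS credentials obtained by assuming the configured role; a call that
 * fails with the {@value #EXPIRED_TOKEN_ERROR_CODE} error code causes the client to be rebuilt
 * with fresh credentials and the call to be retried once.
 *
 * <p>Thread-safety: every access to the cache and to the (replaceable) Secrets Manager client is
 * performed while {@link #lockOnSecretCache} is held, so calls on one instance are serialised.
 *
 * <p>Note for operators: a value fetched through {@link #getSecret(String)} is served from the
 * cache for up to {@value #CACHE_TTL_MINUTES} minutes, so a rotation performed outside this
 * process becomes visible only after that delay. Writes made through
 * {@link #createOrUpdateSecret(String, Object)} invalidate the entry cached under the same name.
 */
public final class SecretAWSDAO implements SecretDAO {

    /** Version stage requested when the {@code AWS_SECRET_VERSION} property is not set. */
    private static final String DEFAULT_VERSION_STAGE = "AWSCURRENT";

    /** Error code reported by Secrets Manager once the assumed-role session token has expired. */
    private static final String EXPIRED_TOKEN_ERROR_CODE = "ExpiredTokenException";

    /** Lifetime, in seconds, requested for each assumed-role session. */
    private static final int ASSUMED_ROLE_DURATION_SECONDS = 900;

    /** How long a fetched secret value stays in the in-memory cache. */
    private static final long CACHE_TTL_MINUTES = 10L;

    /** Upper bound on the number of cached secret values. */
    private static final long CACHE_MAX_ENTRIES = 100L;

    /**
     * Secrets Manager client. Replaced by {@link #withCredentialRefresh(Function)} when a call is
     * rejected with {@link #EXPIRED_TOKEN_ERROR_CODE}; read and written only under
     * {@link #lockOnSecretCache}.
     */
    @NotNull
    private AWSSecretsManager secretsManagerClient;

    /** Secret values keyed by the id the caller passed to {@link #getSecret(String)}. */
    @NotNull
    private final Cache<String, String> secretsCache;

    /** STS client used to assume the configured role; only used when the assumed-role property is on. */
    private final AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard().build();

    @NotNull
    private final KLogger logger = KotlinLogging.INSTANCE.logger(SecretAWSDAO::loggerInit);

    /** Guards {@link #secretsCache} and {@link #secretsManagerClient}, and serialises secret writes. */
    @NotNull
    private final Lock lockOnSecretCache = new ReentrantLock();

    /**
     * Builds the cache and an initial Secrets Manager client. When the assumed-role property is
     * enabled this performs an STS {@code AssumeRole} call during construction.
     */
    public SecretAWSDAO() {
        Cache<String, String> cache = Caffeine.newBuilder()
                .expireAfterWrite(CACHE_TTL_MINUTES, TimeUnit.MINUTES)
                .maximumSize(CACHE_MAX_ENTRIES)
                .build();
        Intrinsics.checkNotNullExpressionValue(cache, "build(...)");
        this.secretsCache = cache;
        this.secretsManagerClient = initSecretsManagerWithNewCredentials();
    }

    /**
     * Returns the string value of the secret, from the cache when present, otherwise fetched from
     * Secrets Manager (at the version stage named by {@code AWS_SECRET_VERSION}, default
     * {@value #DEFAULT_VERSION_STAGE}) and cached.
     *
     * @param secretId name or ARN of the secret, as accepted by Secrets Manager
     * @return the secret's {@code SecretString}
     * @throws AWSSecretsManagerException if the fetch fails for a reason other than an expired
     *         session token, or still fails after one credential refresh
     * @throws NullPointerException if the secret has no {@code SecretString} (binary-only secret)
     */
    @Override // ai.tock.aws.secretmanager.dao.SecretDAO
    @NotNull
    public String getSecret(@NotNull String secretId) {
        Intrinsics.checkNotNullParameter(secretId, "secretId");
        lockOnSecretCache.lock();
        try {
            String cached = secretsCache.getIfPresent(secretId);
            if (cached != null) {
                return cached;
            }
            GetSecretValueRequest request = new GetSecretValueRequest()
                    .withSecretId(secretId)
                    .withVersionStage(UtilsKt.property(EnvConfigKt.AWS_SECRET_VERSION, DEFAULT_VERSION_STAGE));
            GetSecretValueResult result = withCredentialRefresh(client -> client.getSecretValue(request));
            String secretString = result.getSecretString();
            // Check for null before touching the cache: Caffeine rejects null values, and the
            // Kotlin-style check gives a clearer failure than a NPE from inside the cache.
            Intrinsics.checkNotNull(secretString);
            secretsCache.put(secretId, secretString);
            return secretString;
        } finally {
            // Single unlock on every path. The previous version also unlocked explicitly before
            // the return, which made this finally block throw IllegalMonitorStateException.
            lockOnSecretCache.unlock();
        }
    }

    /**
     * Serialises {@code secretObject} as JSON and stores it under {@code secretName}: updates the
     * secret if it exists, creates it otherwise. The entry cached under {@code secretName} (if
     * any) is invalidated so the next {@link #getSecret(String)} returns the new value.
     *
     * @param secretName name of the secret to update or create
     * @param secretObject value to serialise with a Kotlin-aware Jackson mapper
     * @return the ARN of the updated or created secret
     * @throws AWSSecretsManagerException if the write fails for a reason other than an expired
     *         session token, or still fails after one credential refresh
     */
    @Override // ai.tock.aws.secretmanager.dao.SecretDAO
    @NotNull
    public String createOrUpdateSecret(@NotNull String secretName, @NotNull Object secretObject) {
        Intrinsics.checkNotNullParameter(secretName, "secretName");
        Intrinsics.checkNotNullParameter(secretObject, "secretObject");
        String secretString = ExtensionsKt.jacksonObjectMapper$default((Function1) null, 1, (Object) null)
                .writeValueAsString(secretObject);
        // Held across the remote write so a concurrent getSecret cannot re-populate the cache with
        // the pre-update value between the write and the invalidation below.
        lockOnSecretCache.lock();
        try {
            String arn = updateOrCreate(secretName, secretString);
            // Only the entry keyed by this name is dropped; a value cached under the secret's ARN
            // (if a caller fetched it that way) expires on its own after CACHE_TTL_MINUTES.
            secretsCache.invalidate(secretName);
            return arn;
        } finally {
            lockOnSecretCache.unlock();
        }
    }

    /**
     * Updates the secret, falling back to creation when Secrets Manager reports it does not exist.
     * Must be called with {@link #lockOnSecretCache} held.
     *
     * @return the ARN of the updated or created secret
     */
    private String updateOrCreate(String secretName, String secretString) {
        try {
            UpdateSecretRequest request = new UpdateSecretRequest()
                    .withSecretId(secretName)
                    .withSecretString(secretString);
            UpdateSecretResult updated = withCredentialRefresh(client -> client.updateSecret(request));
            Intrinsics.checkNotNullExpressionValue(updated, "updateSecret(...)");
            logger.info(() -> "The secret '" + secretName + "' already exists, so it has been updated with a new value.");
            String arn = updated.getARN();
            Intrinsics.checkNotNullExpressionValue(arn, "getARN(...)");
            return arn;
        } catch (ResourceNotFoundException e) {
            logger.info(() -> "The secret '" + secretName + "' does not yet exist.");
            CreateSecretRequest request = new CreateSecretRequest()
                    .withName(secretName)
                    .withSecretString(secretString)
                    .withDescription("Created from Tock.");
            CreateSecretResult created = withCredentialRefresh(client -> client.createSecret(request));
            Intrinsics.checkNotNullExpressionValue(created, "createSecret(...)");
            logger.info(() -> "The secret '" + secretName + "' has been created with the value.");
            String arn = created.getARN();
            Intrinsics.checkNotNullExpressionValue(arn, "getARN(...)");
            return arn;
        }
    }

    /**
     * Invokes {@code call} on the current client. If Secrets Manager rejects the request with
     * {@link #EXPIRED_TOKEN_ERROR_CODE}, a client with fresh credentials is built, stored, and the
     * call is retried exactly once. Any other {@link AWSSecretsManagerException} (including
     * {@link ResourceNotFoundException}) propagates unchanged. Must be called with
     * {@link #lockOnSecretCache} held because it may replace {@link #secretsManagerClient}.
     */
    private <T> T withCredentialRefresh(Function<AWSSecretsManager, T> call) {
        try {
            return call.apply(secretsManagerClient);
        } catch (AWSSecretsManagerException e) {
            if (!EXPIRED_TOKEN_ERROR_CODE.equals(e.getErrorCode())) {
                throw e;
            }
            logger.debug(() -> "Refresh secret cache with new temporary credentials");
            secretsManagerClient = initSecretsManagerWithNewCredentials();
            return call.apply(secretsManagerClient);
        }
    }

    /**
     * Builds a Secrets Manager client. With {@code AWS_ASSUMED_ROLE_PROPERTY} off, the client is
     * built with the SDK's standard builder and no explicit credentials; with it on, the client
     * uses static session credentials from a fresh {@code AssumeRole} call.
     */
    private AWSSecretsManager initSecretsManagerWithNewCredentials() {
        if (!UtilsKt.booleanProperty$default(EnvConfigKt.AWS_ASSUMED_ROLE_PROPERTY, false, 2, null)) {
            AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard().build();
            Intrinsics.checkNotNullExpressionValue(client, "build(...)");
            return client;
        }
        Credentials temporary = getTemporaryCredentials();
        BasicSessionCredentials session = new BasicSessionCredentials(
                temporary.getAccessKeyId(), temporary.getSecretAccessKey(), temporary.getSessionToken());
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(session))
                .build();
        Intrinsics.checkNotNullExpressionValue(client, "build(...)");
        return client;
    }

    /**
     * Assumes the role named by {@link EnvConfig#getAwsSecretManagerAssumedRole()} for
     * {@value #ASSUMED_ROLE_DURATION_SECONDS} seconds and returns the resulting session credentials.
     */
    private Credentials getTemporaryCredentials() {
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(EnvConfig.INSTANCE.getAwsSecretManagerAssumedRole())
                .withRoleSessionName(EnvConfig.INSTANCE.getAwsAssumedRoleSessionName())
                .withDurationSeconds(ASSUMED_ROLE_DURATION_SECONDS);
        Credentials credentials = stsClient.assumeRole(request).getCredentials();
        Intrinsics.checkNotNullExpressionValue(credentials, "getCredentials(...)");
        return credentials;
    }

    /** No-op initialiser handed to {@code KotlinLogging.logger}, which derives the logger name from it. */
    private static Unit loggerInit() {
        return Unit.INSTANCE;
    }
}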
