package io.aiven.kafka.connect.s3.config;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

/* loaded from: input_file:io/aiven/kafka/connect/s3/config/AwsCredentialProviderFactory.class */
/**
 * Builds the {@link AWSCredentialsProvider} used by the S3 sink from its configuration.
 *
 * <p>Two modes are supported, selected by {@link S3SinkConfig#hasAwsStsRole()}:
 * <ul>
 *   <li>STS role assumption, which yields session credentials obtained through AssumeRole;</li>
 *   <li>a static access key id / secret access key pair read from the configuration.</li>
 * </ul>
 *
 * <p>Security note: in the STS mode no credentials provider is set on the STS client built
 * here, so the identity that calls AssumeRole is resolved by the AWS SDK's default
 * credentials chain in the worker's environment, not by the configured key pair.
 */
public class AwsCredentialProviderFactory {
    /**
     * Returns the credentials provider matching the given configuration.
     *
     * @param s3SinkConfig connector configuration to read credentials settings from
     * @return an STS assume-role provider when an STS role is configured, otherwise a static
     *     provider wrapping the configured key pair
     */
    public AWSCredentialsProvider getProvider(S3SinkConfig s3SinkConfig) {
        if (s3SinkConfig.hasAwsStsRole()) {
            return getStsProvider(s3SinkConfig);
        }
        return getBasicAwsCredentialsProvider(s3SinkConfig);
    }

    /**
     * Creates a provider that assumes the configured role through STS.
     *
     * <p>The role ARN, session name, external id and session duration are forwarded to the
     * SDK builder exactly as configured; this class performs no validation of its own.
     */
    private AWSCredentialsProvider getStsProvider(S3SinkConfig s3SinkConfig) {
        final AwsStsRole role = s3SinkConfig.getStsRole();
        // The builder is created before the STS client, as in the fluent original.
        return new STSAssumeRoleSessionCredentialsProvider.Builder(role.getArn(), role.getSessionName())
                .withStsClient(securityTokenService(s3SinkConfig))
                .withExternalId(role.getExternalId())
                .withRoleSessionDurationSeconds(role.getSessionDurationSeconds())
                .build();
    }

    /**
     * Creates the STS client used for role assumption.
     *
     * <p>Without an explicit STS endpoint configuration the SDK default client is returned.
     * Otherwise the client is pinned to the configured service endpoint and signing region.
     * The endpoint value comes straight from configuration, so whoever controls the connector
     * configuration controls where AssumeRole requests are sent.
     */
    private AWSSecurityTokenService securityTokenService(S3SinkConfig s3SinkConfig) {
        if (s3SinkConfig.hasStsEndpointConfig()) {
            final AwsStsEndpointConfig endpoint = s3SinkConfig.getStsEndpointConfig();
            return AWSSecurityTokenServiceClientBuilder.standard()
                    .withEndpointConfiguration(
                            new AwsClientBuilder.EndpointConfiguration(
                                    endpoint.getServiceEndpoint(), endpoint.getSigningRegion()))
                    .build();
        }
        return AWSSecurityTokenServiceClientBuilder.defaultClient();
    }

    /**
     * Creates a provider around the static key pair from the configuration.
     *
     * <p>These are long-lived credentials held in memory for the lifetime of the provider;
     * the unwrapped values must not be logged or included in exception messages.
     */
    private AWSCredentialsProvider getBasicAwsCredentialsProvider(S3SinkConfig s3SinkConfig) {
        final AwsAccessSecret keyPair = s3SinkConfig.getAwsCredentials();
        // value() unwraps the raw strings that are handed to the SDK.
        final String accessKeyId = keyPair.getAccessKeyId().value();
        final String secretAccessKey = keyPair.getSecretAccessKey().value();
        return new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKeyId, secretAccessKey));
    }
}
