package com.netflix.spinnaker.clouddriver.lambda.provider.agent;

import com.amazonaws.regions.Regions;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.model.ListRolesRequest;
import com.amazonaws.services.identitymanagement.model.ListRolesResult;
import com.amazonaws.services.identitymanagement.model.Role;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.netflix.spinnaker.cats.agent.AgentDataType;
import com.netflix.spinnaker.cats.agent.CacheResult;
import com.netflix.spinnaker.cats.agent.CachingAgent;
import com.netflix.spinnaker.cats.agent.DefaultCacheResult;
import com.netflix.spinnaker.cats.cache.CacheData;
import com.netflix.spinnaker.cats.cache.DefaultCacheData;
import com.netflix.spinnaker.cats.provider.ProviderCache;
import com.netflix.spinnaker.clouddriver.aws.provider.AwsProvider;
import com.netflix.spinnaker.clouddriver.aws.security.AmazonClientProvider;
import com.netflix.spinnaker.clouddriver.aws.security.NetflixAmazonCredentials;
import com.netflix.spinnaker.clouddriver.cache.CustomScheduledAgent;
import com.netflix.spinnaker.clouddriver.lambda.cache.Keys;
import com.netflix.spinnaker.clouddriver.lambda.cache.model.IamRole;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/netflix/spinnaker/clouddriver/lambda/provider/agent/IamRoleCachingAgent.class */
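/**
 * Caching agent that periodically lists the IAM roles of one AWS account and stores them, together
 * with the principals trusted by each role's assume-role policy, in the {@code IAM_ROLE} cache
 * namespace. Roles that were cached for this account but are no longer returned by IAM are evicted.
 *
 * <p>IAM is a global service, so a single client for the SDK's default region is used regardless
 * of the account's regions. Trust relationships are derived from the statements of each role's
 * assume-role policy document; a document that cannot be decoded or parsed is logged and the role is
 * cached without trust relationships so that one bad policy does not fail the whole refresh cycle.
 */
public class IamRoleCachingAgent implements CachingAgent, CustomScheduledAgent {
    private static final long POLL_INTERVAL_MILLIS = TimeUnit.MINUTES.toMillis(30);
    private static final long DEFAULT_TIMEOUT_MILLIS = TimeUnit.MINUTES.toMillis(5);
    /** Cache namespace this agent is authoritative for. */
    private static final String IAM_ROLE_NAMESPACE = Keys.Namespace.IAM_ROLE.toString();
    /** The only action whose statements are treated as establishing a trust relationship. */
    private static final String ASSUME_ROLE_ACTION = "sts:AssumeRole";
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final Collection<AgentDataType> types =
            Collections.singletonList(AgentDataType.Authority.AUTHORITATIVE.forType(IAM_ROLE_NAMESPACE));
    private final ObjectMapper objectMapper;
    private final AmazonClientProvider amazonClientProvider;
    private final NetflixAmazonCredentials account;
    private final String accountName;

    /**
     * Creates an agent for one account.
     *
     * @param objectMapper used to parse assume-role policy documents (JSON)
     * @param netflixAmazonCredentials the account whose roles are cached; its name keys the cache entries
     * @param amazonClientProvider factory for the IAM client
     */
    public IamRoleCachingAgent(ObjectMapper objectMapper, NetflixAmazonCredentials netflixAmazonCredentials, AmazonClientProvider amazonClientProvider) {
        this.objectMapper = objectMapper;
        this.account = netflixAmazonCredentials;
        this.accountName = netflixAmazonCredentials.getName();
        this.amazonClientProvider = amazonClientProvider;
    }

    /** Returns {@code <accountName>/IamRoleCachingAgent}, the identifier used in logs and scheduling. */
    @Override
    public String getAgentType() {
        return this.accountName + "/" + getClass().getSimpleName();
    }

    @Override
    public String getProviderName() {
        return AwsProvider.PROVIDER_NAME;
    }

    @Override
    public Collection<AgentDataType> getProvidedDataTypes() {
        return this.types;
    }

    @Override
    public long getPollIntervalMillis() {
        return POLL_INTERVAL_MILLIS;
    }

    @Override
    public long getTimeoutMillis() {
        return DEFAULT_TIMEOUT_MILLIS;
    }

    /**
     * Fetches all roles for the account, converts them to cache entries and computes which
     * previously cached keys of this account must be evicted.
     *
     * @param providerCache the current cache, consulted only for keys of this account
     * @return fresh data for the {@code IAM_ROLE} namespace plus the keys to evict
     */
    @Override
    public CacheResult loadData(ProviderCache providerCache) {
        // IAM is global; the region only selects the endpoint.
        AmazonIdentityManagement iam =
                this.amazonClientProvider.getIam(this.account, Regions.DEFAULT_REGION.getName(), false);
        Map<String, Collection<CacheData>> freshData = generateFreshData(fetchIamRoles(iam, this.accountName));
        // Only keys belonging to this account may be evicted by this agent.
        Set<String> cachedKeys = providerCache.getAll(IAM_ROLE_NAMESPACE).stream()
                .map(CacheData::getId)
                .filter(this::keyAccountFilter)
                .collect(Collectors.toSet());
        Map<String, Collection<String>> evictions =
                computeEvictableData(freshData.get(IAM_ROLE_NAMESPACE), cachedKeys);
        logUpcomingActions(freshData, evictions);
        return new DefaultCacheResult(freshData, evictions);
    }

    /** Logs how many roles will be cached and, when non-zero, how many will be evicted. */
    private void logUpcomingActions(Map<String, Collection<CacheData>> freshData, Map<String, Collection<String>> evictions) {
        int toCache = freshData.get(IAM_ROLE_NAMESPACE).size();
        this.log.info("Caching {} IAM roles in {} for account {}", toCache, getAgentType(), this.accountName);
        int toEvict = evictions.get(IAM_ROLE_NAMESPACE).size();
        if (toEvict > 0) {
            this.log.info("Evicting {} IAM roles in {} for account {}", toEvict, getAgentType(), this.accountName);
        }
    }

    /**
     * Returns the cached keys that have no counterpart in the fresh data.
     *
     * @param freshData the entries about to be written
     * @param cachedKeys keys currently in the cache for this account
     * @return a map with the {@code IAM_ROLE} namespace mapped to the keys to evict
     */
    private Map<String, Collection<String>> computeEvictableData(Collection<CacheData> freshData, Collection<String> cachedKeys) {
        Set<String> freshKeys = freshData.stream().map(CacheData::getId).collect(Collectors.toSet());
        Set<String> evictable = cachedKeys.stream()
                .filter(key -> !freshKeys.contains(key))
                .collect(Collectors.toSet());
        Map<String, Collection<String>> result = new HashMap<>();
        result.put(IAM_ROLE_NAMESPACE, evictable);
        return result;
    }

    /**
     * Converts the fetched roles into cache entries keyed by account and role name.
     *
     * @param roles the roles returned by IAM
     * @return a map with the {@code IAM_ROLE} namespace mapped to one entry per role
     */
    private Map<String, Collection<CacheData>> generateFreshData(Set<IamRole> roles) {
        Set<CacheData> entries = new HashSet<>();
        for (IamRole role : roles) {
            entries.add(new DefaultCacheData(
                    Keys.getIamRoleKey(this.accountName, role.getName()),
                    convertIamRoleToAttributes(role),
                    Collections.emptyMap()));
        }
        Map<String, Collection<CacheData>> result = new HashMap<>();
        result.put(IAM_ROLE_NAMESPACE, entries);
        return result;
    }

    /**
     * Lists every role in the account, following the pagination marker until IAM reports no
     * further pages.
     *
     * @param iam the IAM client
     * @param accountName the account name recorded on each {@link IamRole}
     * @return the roles with their trusted principals
     */
    private Set<IamRole> fetchIamRoles(AmazonIdentityManagement iam, String accountName) {
        Set<IamRole> roles = new HashSet<>();
        String marker = null;
        do {
            ListRolesRequest request = new ListRolesRequest();
            if (marker != null) {
                request.setMarker(marker);
            }
            ListRolesResult page = iam.listRoles(request);
            for (Role role : page.getRoles()) {
                roles.add(new IamRole(role.getArn(), role.getRoleName(), accountName,
                        getTrustedEntities(role.getAssumeRolePolicyDocument())));
            }
            // isTruncated() is a boxed Boolean; treat null like false instead of unboxing it.
            marker = Boolean.TRUE.equals(page.isTruncated()) ? page.getMarker() : null;
        } while (marker != null && !marker.isEmpty());
        return roles;
    }

    /**
     * Returns whether a cache key belongs to this agent's account. A key that parses but carries
     * no account is rejected rather than raising a NullPointerException.
     */
    private boolean keyAccountFilter(String key) {
        Map<String, String> parsed = Keys.parse(key);
        return parsed != null && this.accountName.equals(parsed.get("account"));
    }

    /**
     * Extracts the principals trusted by an assume-role policy document.
     *
     * <p>The document is the URL-encoded JSON that IAM returns for a role. Every statement whose
     * {@code Action} (a string or an array) names {@code sts:AssumeRole} contributes one
     * {@link IamTrustRelationship} per principal value; {@code Statement}, {@code Action} and the
     * principal values may each be a single value or an array, as the IAM policy grammar allows.
     *
     * @param policyDocument the URL-encoded policy document, possibly {@code null}
     * @return the trusted principals; empty when the document is absent or cannot be parsed
     */
    private Set<IamTrustRelationship> getTrustedEntities(String policyDocument) {
        Set<IamTrustRelationship> trusted = new HashSet<>();
        if (policyDocument == null || policyDocument.isEmpty()) {
            return trusted;
        }
        try {
            // Decode explicitly as UTF-8; the one-argument URLDecoder.decode uses the platform charset.
            String json = URLDecoder.decode(policyDocument, StandardCharsets.UTF_8.name());
            Map<?, ?> policy = this.objectMapper.readValue(json, Map.class);
            for (Object element : asList(policy.get("Statement"))) {
                if (element instanceof Map && allowsAssumeRole((Map<?, ?>) element)) {
                    // NOTE(review): "Effect" is not consulted, so principals of a Deny statement are
                    // recorded as well — confirm whether consumers expect that.
                    collectPrincipals(((Map<?, ?>) element).get("Principal"), trusted);
                }
            }
        } catch (IOException | IllegalArgumentException e) {
            // Malformed percent-encoding (IllegalArgumentException) or JSON (IOException): keep the
            // role but without trust relationships, and leave the evidence in the log.
            this.log.error("Unable to extract trusted entities (policyDocument: {})", policyDocument, e);
        }
        return trusted;
    }

    /**
     * Returns whether a statement's {@code Action} contains {@code sts:AssumeRole}. IAM matches
     * action names case-insensitively; wildcard actions such as {@code sts:*} are not matched.
     */
    private static boolean allowsAssumeRole(Map<?, ?> statement) {
        for (Object action : asList(statement.get("Action"))) {
            if (action instanceof String && ASSUME_ROLE_ACTION.equalsIgnoreCase((String) action)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds one relationship per principal value to {@code into}. A map principal yields one
     * relationship per (type, value) pair, each value being a string or an array of strings; the
     * bare wildcard form {@code "Principal": "*"} is recorded as the equivalent {@code {"AWS": "*"}}.
     */
    private static void collectPrincipals(Object principal, Set<IamTrustRelationship> into) {
        if (principal instanceof Map) {
            for (Map.Entry<?, ?> entry : ((Map<?, ?>) principal).entrySet()) {
                String principalType = String.valueOf(entry.getKey());
                for (Object value : asList(entry.getValue())) {
                    if (value != null) {
                        into.add(new IamTrustRelationship(principalType, value.toString()));
                    }
                }
            }
        } else if (principal != null) {
            into.add(new IamTrustRelationship("AWS", principal.toString()));
        }
    }

    /** Normalises a policy value that may be absent, a scalar or an array into a list. */
    private static List<?> asList(Object value) {
        if (value == null) {
            return Collections.emptyList();
        }
        if (value instanceof List) {
            return (List<?>) value;
        }
        return Collections.singletonList(value);
    }

    /**
     * Flattens a role into the attribute map stored on its cache entry.
     *
     * @param iamRole the role to convert
     * @return mutable map with {@code name}, {@code accountName}, {@code arn} and {@code trustRelationships}
     */
    private static Map<String, Object> convertIamRoleToAttributes(IamRole iamRole) {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("name", iamRole.getName());
        attributes.put("accountName", iamRole.getAccountName());
        attributes.put("arn", iamRole.getId());
        // NOTE(review): the "m2" prefix looks like a decompiler rename of the trust-relationships
        // accessor; verify the accessor's real name against IamRole before compiling.
        attributes.put("trustRelationships", iamRole.m2getTrustRelationships());
        return attributes;
    }
}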
