package io.trino.filesystem.s3;

import com.google.common.base.Suppliers;
import com.google.common.base.Verify;
import com.google.inject.Inject;
import io.airlift.units.Duration;
import io.trino.filesystem.Location;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.ConnectorIdentity;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/trino/filesystem/s3/S3SecurityMappingProvider.class */
public final class S3SecurityMappingProvider {
    private final Supplier<S3SecurityMappings> mappingsProvider;
    private final Optional<String> roleCredentialName;
    private final Optional<String> kmsKeyIdCredentialName;
    private final Optional<String> colonReplacement;

    @Inject
    public S3SecurityMappingProvider(S3SecurityMappingConfig s3SecurityMappingConfig, Supplier<S3SecurityMappings> supplier) {
        this(mappingsProvider(supplier, s3SecurityMappingConfig.getRefreshPeriod()), s3SecurityMappingConfig.getRoleCredentialName(), s3SecurityMappingConfig.getKmsKeyIdCredentialName(), s3SecurityMappingConfig.getColonReplacement());
    }

    public S3SecurityMappingProvider(Supplier<S3SecurityMappings> supplier, Optional<String> optional, Optional<String> optional2, Optional<String> optional3) {
        this.mappingsProvider = (Supplier) Objects.requireNonNull(supplier, "mappingsProvider is null");
        this.roleCredentialName = (Optional) Objects.requireNonNull(optional, "roleCredentialName is null");
        this.kmsKeyIdCredentialName = (Optional) Objects.requireNonNull(optional2, "kmsKeyIdCredentialName is null");
        this.colonReplacement = (Optional) Objects.requireNonNull(optional3, "colonReplacement is null");
    }

    public Optional<S3SecurityMappingResult> getMapping(ConnectorIdentity connectorIdentity, Location location) {
        S3SecurityMapping orElseThrow = this.mappingsProvider.get().getMapping(connectorIdentity, new S3Location(location)).orElseThrow(() -> {
            return new AccessDeniedException("No matching S3 security mapping");
        });
        return orElseThrow.useClusterDefault() ? Optional.empty() : Optional.of(new S3SecurityMappingResult(orElseThrow.credentials(), selectRole(orElseThrow, connectorIdentity), orElseThrow.roleSessionName().map(str -> {
            return str.replace("${USER}", connectorIdentity.getUser());
        }), selectKmsKeyId(orElseThrow, connectorIdentity), orElseThrow.endpoint(), orElseThrow.region()));
    }

    private Optional<String> selectRole(S3SecurityMapping s3SecurityMapping, ConnectorIdentity connectorIdentity) {
        Optional<String> roleFromExtraCredential = getRoleFromExtraCredential(connectorIdentity);
        if (roleFromExtraCredential.isEmpty()) {
            if (!s3SecurityMapping.allowedIamRoles().isEmpty() && s3SecurityMapping.iamRole().isEmpty()) {
                throw new AccessDeniedException("No S3 role selected and mapping has no default role");
            }
            Verify.verify(s3SecurityMapping.iamRole().isPresent() || s3SecurityMapping.credentials().isPresent(), "mapping must have role or credential", new Object[0]);
            return s3SecurityMapping.iamRole();
        }
        String str = roleFromExtraCredential.get();
        if (str.equals(s3SecurityMapping.iamRole().orElse(null)) || s3SecurityMapping.allowedIamRoles().contains(str)) {
            return roleFromExtraCredential;
        }
        throw new AccessDeniedException("Selected S3 role is not allowed: " + str);
    }

    private Optional<String> getRoleFromExtraCredential(ConnectorIdentity connectorIdentity) {
        return this.roleCredentialName.map(str -> {
            return (String) connectorIdentity.getExtraCredentials().get(str);
        }).map(str2 -> {
            return (String) this.colonReplacement.map(str2 -> {
                return str2.replace(str2, ":");
            }).orElse(str2);
        });
    }

    private Optional<String> selectKmsKeyId(S3SecurityMapping s3SecurityMapping, ConnectorIdentity connectorIdentity) {
        Optional<String> kmsKeyIdFromExtraCredential = getKmsKeyIdFromExtraCredential(connectorIdentity);
        if (kmsKeyIdFromExtraCredential.isEmpty()) {
            return s3SecurityMapping.kmsKeyId();
        }
        String str = kmsKeyIdFromExtraCredential.get();
        if (str.equals(s3SecurityMapping.kmsKeyId().orElse(null)) || s3SecurityMapping.allowedKmsKeyIds().contains(str) || s3SecurityMapping.allowedKmsKeyIds().contains("*")) {
            return kmsKeyIdFromExtraCredential;
        }
        throw new AccessDeniedException("Selected KMS Key ID is not allowed");
    }

    private Optional<String> getKmsKeyIdFromExtraCredential(ConnectorIdentity connectorIdentity) {
        return this.kmsKeyIdCredentialName.map(str -> {
            return (String) connectorIdentity.getExtraCredentials().get(str);
        });
    }

    private static Supplier<S3SecurityMappings> mappingsProvider(Supplier<S3SecurityMappings> supplier, Optional<Duration> optional) {
        return (Supplier) optional.map(duration -> {
            Objects.requireNonNull(supplier);
            return Suppliers.memoizeWithExpiration(supplier::get, duration.toMillis(), TimeUnit.MILLISECONDS);
        }).orElseGet(() -> {
            Objects.requireNonNull(supplier);
            return Suppliers.memoize(supplier::get);
        });
    }
}
