package com.amazonaws.s3accessgrants.cache;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.s3accessgrants.cache.internal.S3AccessGrantsCacheConstants;
import com.amazonaws.services.s3control.AWSS3Control;
import com.amazonaws.services.s3control.model.AWSS3ControlException;
import com.amazonaws.services.s3control.model.Credentials;
import com.amazonaws.services.s3control.model.GetDataAccessRequest;
import com.amazonaws.services.s3control.model.GetDataAccessResult;
import com.amazonaws.services.s3control.model.Permission;
import com.amazonaws.services.s3control.model.Privilege;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.Expiry;
import java.time.Instant;
import java.util.concurrent.TimeUnit;
import javax.validation.constraints.NotNull;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/amazonaws/s3accessgrants/cache/S3AccessGrantsCache.class */
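/**
 * In-memory cache of temporary S3 Access Grants credentials, keyed by {@link CacheKey}.
 *
 * <p>On a miss, {@link #getCredentials} calls {@code GetDataAccess} and stores the returned
 * session credentials under the grant target the service matched, but only when that target
 * ends with {@code *}. Entries live for a configurable percentage of the credentials'
 * remaining lifetime.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Cached values are live session credentials (access key, secret key, session token).
 *       The log statements in this class carry only prefixes, permissions and account ids, and
 *       should stay that way.</li>
 *   <li>A {@code READ} or {@code WRITE} request may be answered with cached {@code READWRITE}
 *       credentials, which are broader than what was asked for.</li>
 *   <li>A hit on a parent prefix, or on a {@code prefix*} entry, is returned for any request
 *       under that prefix.</li>
 * </ul>
 */
public class S3AccessGrantsCache {
    private static final Log logger = LogFactory.getLog(S3AccessGrantsCache.class);

    private final Cache<CacheKey, AWSCredentials> cache;
    private final int maxCacheSize;
    private final S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver;
    // Share (0-100) of the credentials' remaining lifetime during which an entry stays cached.
    private final int cacheExpirationTimePercentage;
    // Passed to GetDataAccess as the requested credential duration, in seconds.
    private final int duration;

    /** Fluent configuration for {@link S3AccessGrantsCache}. */
    public interface Builder {
        /** Builds a cache that uses a freshly built default account-id resolver. */
        S3AccessGrantsCache build();

        /** Builds a cache that uses the resolver set on this builder. */
        S3AccessGrantsCache buildWithAccountIdResolver();

        Builder s3ControlClient(AWSS3Control aWSS3Control);

        Builder maxCacheSize(int i);

        Builder cacheExpirationTimePercentage(int i);

        Builder s3AccessGrantsCachedAccountIdResolver(S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver);

        Builder duration(int i);
    }

    /** Default {@link Builder}; only {@code maxCacheSize} receives a default value here. */
    static final class BuilderImpl implements Builder {
        // NOTE(review): stored by s3ControlClient(...) but not read by either build method.
        private AWSS3Control s3ControlClient;
        private int maxCacheSize;
        private S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver;
        // NOTE(review): no default is assigned in this class, so an unset value stays 0 and
        // every computed TTL is then 0 (nothing is cached) - confirm callers always set it.
        private int cacheExpirationTimePercentage;
        private int duration;

        private BuilderImpl() {
            this.maxCacheSize = S3AccessGrantsCacheConstants.DEFAULT_ACCESS_GRANTS_MAX_CACHE_SIZE;
        }

        /**
         * Ignores any resolver set through
         * {@link #s3AccessGrantsCachedAccountIdResolver(S3AccessGrantsCachedAccountIdResolver)}
         * and builds a default one instead.
         */
        @Override
        public S3AccessGrantsCache build() {
            return new S3AccessGrantsCache(
                    S3AccessGrantsCachedAccountIdResolver.builder().build(),
                    this.maxCacheSize,
                    this.cacheExpirationTimePercentage,
                    this.duration);
        }

        /**
         * Uses the resolver previously set on this builder. If none was set, the cache is built
         * with a {@code null} resolver and fails on the first service lookup.
         */
        @Override
        public S3AccessGrantsCache buildWithAccountIdResolver() {
            return new S3AccessGrantsCache(
                    this.s3AccessGrantsCachedAccountIdResolver,
                    this.maxCacheSize,
                    this.cacheExpirationTimePercentage,
                    this.duration);
        }

        @Override
        public Builder s3ControlClient(AWSS3Control aWSS3Control) {
            this.s3ControlClient = aWSS3Control;
            return this;
        }

        @Override
        public Builder maxCacheSize(int i) {
            this.maxCacheSize = i;
            return this;
        }

        @Override
        public Builder cacheExpirationTimePercentage(int i) {
            this.cacheExpirationTimePercentage = i;
            return this;
        }

        @Override
        public Builder s3AccessGrantsCachedAccountIdResolver(S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver) {
            this.s3AccessGrantsCachedAccountIdResolver = s3AccessGrantsCachedAccountIdResolver;
            return this;
        }

        @Override
        public Builder duration(int i) {
            this.duration = i;
            return this;
        }
    }

    /**
     * Expiry policy whose real per-entry lifetime is assigned by {@link #putValueInCache}.
     *
     * <p>Reads and updates return the current duration unchanged, so using a cached credential
     * never extends how long it stays in the cache.
     */
    private static class CustomCacheExpiry<K, V> implements Expiry<K, V> {
        private CustomCacheExpiry() {
        }

        /** Placeholder lifetime; presumably "already expired" until an explicit TTL is set. */
        @Override
        public long expireAfterCreate(K k, V v, long j) {
            return Long.MIN_VALUE;
        }

        @Override
        public long expireAfterUpdate(K k, V v, long j, long j2) {
            return j2;
        }

        @Override
        public long expireAfterRead(K k, V v, long j, long j2) {
            return j2;
        }
    }

    private S3AccessGrantsCache(S3AccessGrantsCachedAccountIdResolver s3AccessGrantsCachedAccountIdResolver, int i, int i2, int i3) {
        this.s3AccessGrantsCachedAccountIdResolver = s3AccessGrantsCachedAccountIdResolver;
        this.cacheExpirationTimePercentage = i2;
        this.maxCacheSize = i;
        this.duration = i3;
        this.cache = Caffeine.newBuilder()
                .maximumSize(i)
                .expireAfter(new CustomCacheExpiry<CacheKey, AWSCredentials>())
                .recordStats()
                .build();
    }

    /**
     * Creates a new builder.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * {@code protected}.
     */
    public static Builder builder() {
        return new BuilderImpl();
    }

    /**
     * Returns credentials for {@code cacheKey}, from the cache when possible and otherwise from
     * the Access Grants service.
     *
     * <p>Fresh credentials are cached only when the matched grant target ends with {@code *},
     * and they are stored under that target, not under the requested prefix. A 403 from the
     * service is recorded in {@code s3AccessGrantsAccessDeniedCache} before being rethrown.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * {@code protected}.
     *
     * @param aWSS3Control client used for the {@code GetDataAccess} call; must not be null
     * @param cacheKey requested prefix and permission
     * @param str passed to the account-id resolver; presumably the requester's account id
     * @param s3AccessGrantsAccessDeniedCache receives the key and exception of a 403 response
     * @return cached or newly issued session credentials
     * @throws AWSS3ControlException when the service call fails
     */
    public AWSCredentials getCredentials(AWSS3Control aWSS3Control, CacheKey cacheKey, String str, S3AccessGrantsAccessDeniedCache s3AccessGrantsAccessDeniedCache) throws AWSS3ControlException {
        logger.debug("Fetching credentials from Access Grants for s3Prefix: " + cacheKey.s3Prefix);
        AWSCredentials cached = lookupCachedCredentials(cacheKey);
        if (cached != null) {
            return cached;
        }
        try {
            logger.debug("Credentials not available in the cache. Fetching credentials from Access Grants service.");
            GetDataAccessResult response = getCredentialsFromService(aWSS3Control, cacheKey, str, this.duration);
            Credentials issued = response.getCredentials();
            long ttl = getTTL(issued.getExpiration().toInstant());
            BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                    issued.getAccessKeyId(), issued.getSecretAccessKey(), issued.getSessionToken());
            String matchedGrantTarget = response.getMatchedGrantTarget();
            // A response without a matched target is returned to the caller but not cached.
            if (matchedGrantTarget != null && matchedGrantTarget.endsWith("*")) {
                CacheKey grantKey = cacheKey.toBuilder()
                        .s3Prefix(processMatchedGrantTarget(matchedGrantTarget))
                        .build();
                putValueInCache(grantKey, sessionCredentials, ttl);
            }
            logger.debug("Successfully retrieved the credentials from Access Grants service");
            return sessionCredentials;
        } catch (AWSS3ControlException e) {
            logger.error("Exception occurred while fetching the credentials: " + e);
            if (e.getStatusCode() == 403) {
                logger.debug("Caching the Access Denied request.");
                s3AccessGrantsAccessDeniedCache.putValueInCache(cacheKey, e);
            }
            throw e;
        }
    }

    /**
     * Runs the four cache probes in order: prefix walk, prefix walk with READWRITE, character
     * walk, character walk with READWRITE. The READWRITE probes only apply to READ or WRITE
     * requests, and a hit there returns credentials broader than the request.
     */
    private AWSCredentials lookupCachedCredentials(CacheKey cacheKey) {
        boolean readWriteAlsoSatisfies =
                cacheKey.permission == Permission.READ || cacheKey.permission == Permission.WRITE;

        AWSCredentials found = searchKeyInCacheAtPrefixLevel(cacheKey);
        if (found == null && readWriteAlsoSatisfies) {
            found = searchKeyInCacheAtPrefixLevel(cacheKey.toBuilder().permission(Permission.READWRITE).build());
        }
        if (found == null) {
            found = searchKeyInCacheAtCharacterLevel(cacheKey);
        }
        if (found == null && readWriteAlsoSatisfies) {
            found = searchKeyInCacheAtCharacterLevel(cacheKey.toBuilder().permission(Permission.READWRITE).build());
        }
        return found;
    }

    /**
     * Computes the cache lifetime in seconds: the time left until {@code instant}, scaled by
     * {@code cacheExpirationTimePercentage}. The result is negative when {@code instant} is
     * already in the past.
     */
    long getTTL(Instant instant) {
        long remainingSeconds = instant.getEpochSecond() - Instant.now().getEpochSecond();
        // The explicit narrowing cast is required; a float product is not assignable to long.
        return (long) (remainingSeconds * (this.cacheExpirationTimePercentage / 100.0f));
    }

    /**
     * Resolves the account id and issues the {@code GetDataAccess} request.
     *
     * @throws IllegalArgumentException when {@code aWSS3Control} is null
     */
    private GetDataAccessResult getCredentialsFromService(@NotNull AWSS3Control aWSS3Control, CacheKey cacheKey, String str, int i) throws AWSS3ControlException {
        if (aWSS3Control == null) {
            throw new IllegalArgumentException("S3ControlClient is required");
        }
        String accountId = this.s3AccessGrantsCachedAccountIdResolver.resolve(aWSS3Control, str, cacheKey.s3Prefix);
        logger.debug("Fetching credentials from Access Grants for accountId: " + accountId + ", s3Prefix: " + cacheKey.s3Prefix + ", permission: " + cacheKey.permission + ", privilege: " + Privilege.Default);
        GetDataAccessRequest request = new GetDataAccessRequest()
                .withAccountId(accountId)
                .withTarget(cacheKey.s3Prefix)
                .withPermission(cacheKey.permission)
                .withPrivilege(Privilege.Default)
                .withDurationSeconds(Integer.valueOf(i));
        return aWSS3Control.getDataAccess(request);
    }

    /**
     * Looks up the key's prefix and then each parent prefix (dropping one {@code /segment} at a
     * time) until {@code "s3:"} is reached. A prefix that runs out of {@code '/'} before that is
     * treated as a miss instead of failing with an index error.
     */
    private AWSCredentials searchKeyInCacheAtPrefixLevel(CacheKey cacheKey) {
        String candidate = cacheKey.s3Prefix;
        while (!candidate.equals("s3:")) {
            AWSCredentials hit = this.cache.getIfPresent(cacheKey.toBuilder().s3Prefix(candidate).build());
            if (hit != null) {
                logger.debug("Successfully retrieved credentials from the cache.");
                return hit;
            }
            candidate = getNextPrefix(candidate);
            if (candidate == null) {
                return null;
            }
        }
        return null;
    }

    /**
     * Looks up {@code prefix + "*"} while shortening the prefix one character at a time until
     * {@code "s3://"} is reached. A prefix that is exhausted before that is treated as a miss
     * instead of failing with an index error.
     */
    private AWSCredentials searchKeyInCacheAtCharacterLevel(CacheKey cacheKey) {
        String candidate = cacheKey.s3Prefix;
        while (!candidate.equals("s3://")) {
            AWSCredentials hit = this.cache.getIfPresent(cacheKey.toBuilder().s3Prefix(candidate + "*").build());
            if (hit != null) {
                logger.debug("Successfully retrieved credentials from the cache.");
                return hit;
            }
            candidate = getNextPrefixByChar(candidate);
            if (candidate == null) {
                return null;
            }
        }
        return null;
    }

    /**
     * Stores {@code aWSCredentials} under {@code cacheKey} for {@code j} seconds.
     *
     * <p>A non-positive TTL means the credentials are at or past the point where they should be
     * reused, so nothing is stored. This also avoids handing a negative duration to
     * {@code setExpiresAfter}.
     */
    void putValueInCache(CacheKey cacheKey, AWSCredentials aWSCredentials, long j) {
        if (j <= 0) {
            logger.debug("Not caching credentials for s3Prefix:" + cacheKey.s3Prefix + " because the computed TTL is not positive.");
            return;
        }
        logger.debug("Caching the credentials for s3Prefix:" + cacheKey.s3Prefix + " and permission: " + cacheKey.permission);
        this.cache.put(cacheKey, aWSCredentials);
        // The expiry policy gives new entries only a placeholder lifetime; the real one is set here.
        this.cache.policy().expireVariably().ifPresent(
                varExpiration -> varExpiration.setExpiresAfter(cacheKey, j, TimeUnit.SECONDS));
    }

    /** Returns {@code str} up to its last {@code '/'}, or {@code null} when it has none. */
    private String getNextPrefix(String str) {
        int lastSlash = str.lastIndexOf('/');
        return lastSlash < 0 ? null : str.substring(0, lastSlash);
    }

    /** Returns {@code str} without its last character, or {@code null} when it is empty. */
    private String getNextPrefixByChar(String str) {
        return str.isEmpty() ? null : str.substring(0, str.length() - 1);
    }

    /**
     * Strips a trailing {@code "/*"} from a matched grant target; any other value, including
     * one shorter than two characters, is returned unchanged.
     */
    String processMatchedGrantTarget(String str) {
        return str.endsWith("/*") ? str.substring(0, str.length() - 2) : str;
    }

    /**
     * Drops every cached credential.
     *
     * <p>The decompiler reports that this method's access modifier was changed to
     * package-private.
     */
    public void invalidateCache() {
        this.cache.invalidateAll();
    }

    /**
     * Returns the live backing cache, not a copy. It holds session credentials and can be
     * mutated through the returned reference, so callers should treat it as read-only.
     */
    public Cache getCache() {
        return this.cache;
    }
}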
