package io.kubernetes.client.util.credentials;

import com.amazonaws.DefaultRequest;
import com.amazonaws.auth.AWS4Signer;
import com.amazonaws.auth.AWSSessionCredentialsProvider;
import com.amazonaws.http.HttpMethodName;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.util.RuntimeHttpUtils;
import io.kubernetes.client.openapi.ApiClient;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.Date;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/kubernetes/client/util/credentials/EKSAuthentication.class */
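/**
 * {@link Authentication} that installs an EKS-style bearer token on an {@link ApiClient}.
 *
 * <p>The token is the string {@code "k8s-aws-v1."} followed by the unpadded base64url encoding of
 * a presigned STS {@code GetCallerIdentity} URL. The URL is signed with the credentials obtained
 * from the supplied provider and carries the cluster name in the {@code x-k8s-aws-id} header, so
 * the signature is bound to that cluster name.
 *
 * <p>The resulting token is a bearer credential: anyone holding it can present it until it lapses.
 * This class never logs the token itself, only a timestamp.
 */
public class EKSAuthentication implements Authentication {
    private static final Logger log = LoggerFactory.getLogger(EKSAuthentication.class);

    /** Upper bound applied to the caller-supplied expiry, in seconds. */
    private static final int MAX_EXPIRY_SECONDS = 900;

    /** Validity window actually written into the presigned URL, in seconds. */
    private static final long PRESIGN_VALIDITY_SECONDS = 60L;

    private final AWSSessionCredentialsProvider provider;
    private final String region;
    private final String clusterName;
    private final URI stsEndpoint;
    private final int expirySeconds;

    /**
     * Creates an authenticator that uses the maximum expiry of {@value #MAX_EXPIRY_SECONDS} seconds.
     *
     * @param aWSSessionCredentialsProvider source of the AWS session credentials used for signing
     * @param str AWS region; it becomes part of the STS endpoint host name
     * @param str2 cluster name sent in the {@code x-k8s-aws-id} header
     * @throws NullPointerException if any argument is {@code null}
     * @throws IllegalArgumentException if the region is not a plain host-name label
     */
    public EKSAuthentication(AWSSessionCredentialsProvider aWSSessionCredentialsProvider, String str, String str2) {
        this(aWSSessionCredentialsProvider, str, str2, MAX_EXPIRY_SECONDS);
    }

    /**
     * Creates an authenticator with an explicit expiry.
     *
     * @param aWSSessionCredentialsProvider source of the AWS session credentials used for signing
     * @param str AWS region; it becomes part of the STS endpoint host name
     * @param str2 cluster name sent in the {@code x-k8s-aws-id} header
     * @param i requested expiry in seconds; values above {@value #MAX_EXPIRY_SECONDS} are reduced
     *     to that cap (no lower bound is enforced)
     * @throws NullPointerException if the provider, region or cluster name is {@code null}
     * @throws IllegalArgumentException if the region is not a plain host-name label
     */
    public EKSAuthentication(AWSSessionCredentialsProvider aWSSessionCredentialsProvider, String str, String str2, int i) {
        // Fail at construction time: a null region would otherwise be concatenated into the
        // endpoint as the literal text "null", and a null provider would only surface in provide().
        this.provider = Objects.requireNonNull(aWSSessionCredentialsProvider, "credentials provider");
        this.region = Objects.requireNonNull(str, "region");
        this.clusterName = Objects.requireNonNull(str2, "clusterName");

        // The region is spliced into the host the request is signed for. Restricting it to a single
        // host-name label keeps a value containing '.', '/', '@', '#' or ':' from changing which
        // host the presigned URL names.
        if (!this.region.matches("[A-Za-z0-9-]+")) {
            throw new IllegalArgumentException("Invalid AWS region: " + this.region);
        }

        this.expirySeconds = Math.min(i, MAX_EXPIRY_SECONDS);
        this.stsEndpoint = URI.create("https://sts." + this.region + ".amazonaws.com");
    }

    /**
     * Builds a fresh token and stores it on the given client as a {@code Bearer} API key.
     *
     * <p>Each call asks the provider for credentials and signs a new URL; the token is written to
     * the client once per call.
     *
     * @param apiClient client that receives the API key prefix and the token
     */
    @Override // io.kubernetes.client.util.credentials.Authentication
    public void provide(ApiClient apiClient) {
        DefaultRequest<GetCallerIdentityRequest> request =
                new DefaultRequest<>(new GetCallerIdentityRequest(), "sts");
        request.setResourcePath("/");
        request.setEndpoint(this.stsEndpoint);
        request.setHttpMethod(HttpMethodName.GET);
        request.addParameter("Action", "GetCallerIdentity");
        request.addParameter("Version", "2011-06-15");
        // Added before signing so the cluster name is carried by the presigned request.
        request.addHeader("x-k8s-aws-id", this.clusterName);

        // One clock reading serves both the signature and the log line below.
        Instant now = Instant.now();
        Date signedUntil = Date.from(now.plusSeconds(PRESIGN_VALIDITY_SECONDS));

        AWS4Signer signer = new AWS4Signer();
        signer.setServiceName("sts");
        signer.presignRequest(request, this.provider.getCredentials(), signedUntil);

        String presignedUrl = RuntimeHttpUtils.convertRequestToUrl(request, true, false).toString();
        String token = "k8s-aws-v1."
                + Base64.getUrlEncoder().withoutPadding().encodeToString(presignedUrl.getBytes(StandardCharsets.UTF_8));

        apiClient.setApiKeyPrefix("Bearer");
        apiClient.setApiKey(token);

        // NOTE(review): the URL is presigned for PRESIGN_VALIDITY_SECONDS, while the time logged
        // here is derived from expirySeconds, which plays no part in the signature. Confirm which
        // lifetime the server enforces before relying on this log line for token rotation.
        // NOTE(review): nothing in this class renews the key once it lapses; presumably callers
        // invoke provide() again - confirm against the call sites.
        log.info("Generated BEARER token for ApiClient, expiring at {}", now.plus(this.expirySeconds, ChronoUnit.SECONDS));
    }
}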
