package org.projectnessie.catalog.files.s3;

import com.google.common.base.Preconditions;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.Optional;
import org.projectnessie.catalog.files.api.StorageLocations;
import org.projectnessie.catalog.files.config.S3BucketOptions;
import org.projectnessie.catalog.files.config.S3Iam;
import software.amazon.awssdk.auth.credentials.AwsCredentials;

/* loaded from: input_file:org/projectnessie/catalog/files/s3/S3CredentialsResolver.class */
public class S3CredentialsResolver {
    private final Clock clock;
    private final S3Sessions sessions;

    public S3CredentialsResolver(Clock clock, S3Sessions s3Sessions) {
        this.clock = clock;
        this.sessions = s3Sessions;
    }

    public S3Credentials resolveSessionCredentials(S3BucketOptions s3BucketOptions, StorageLocations storageLocations) {
        AwsCredentials resolveCredentials = this.sessions.assumeRoleForClient(s3BucketOptions, storageLocations).resolveCredentials();
        Optional expirationTime = resolveCredentials.expirationTime();
        if (expirationTime.isPresent()) {
            Instant instant = this.clock.instant();
            Duration minSessionCredentialValidityPeriod = ((S3Iam) s3BucketOptions.getEnabledClientIam().orElseThrow(() -> {
                return new IllegalStateException("client IAM not enabled");
            })).minSessionCredentialValidityPeriod();
            Preconditions.checkArgument(!instant.plus((TemporalAmount) minSessionCredentialValidityPeriod).truncatedTo(ChronoUnit.SECONDS).minus(1L, (TemporalUnit) ChronoUnit.SECONDS).isAfter((Instant) expirationTime.get()), "Provided credentials expire (%s) before the expected session end (now: %s, duration: %s)", expirationTime.get(), instant, minSessionCredentialValidityPeriod);
        }
        return new S3Credentials(resolveCredentials);
    }
}
