package org.projectnessie.catalog.files.s3;

import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.Expiry;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.github.benmanes.caffeine.cache.Scheduler;
import com.google.common.annotations.VisibleForTesting;
import io.micrometer.core.instrument.MeterRegistry;
import jakarta.annotation.Nonnull;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.LongSupplier;
import org.projectnessie.catalog.files.api.StorageLocations;
import org.projectnessie.catalog.files.config.S3BucketOptions;
import org.projectnessie.catalog.files.config.S3ClientIam;
import org.projectnessie.catalog.files.config.S3ServerIam;
import org.projectnessie.catalog.files.config.S3StsCache;
import org.projectnessie.catalog.secrets.SecretsProvider;
import org.projectnessie.nessie.immutables.NessieImmutable;
import software.amazon.awssdk.services.sts.model.Credentials;

/* loaded from: input_file:org/projectnessie/catalog/files/s3/StsCredentialsManager.class */
/**
 * Hands out temporary STS session credentials for S3 access.
 *
 * <p>Server-side credentials are cached in a bounded Caffeine cache keyed by
 * {@link SessionKey}. Client-side credentials are never cached: every call to
 * {@link #sessionCredentialsForClient} goes straight to the fetcher.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>A cached entry lives for {@code credentials.expiration() - expiryReduction}, measured
 *       from load time. Credentials already inside that grace window get a zero lifetime.</li>
 *   <li>Neither reads nor updates extend an entry's lifetime, so frequent use cannot keep a
 *       credential in the cache beyond the deadline computed at load.</li>
 *   <li>The cache is keyed by repository id plus bucket options, but the loader passes only
 *       the bucket options to the fetcher.</li>
 * </ul>
 *
 * <p>NOTE(review): the returned {@link Credentials} objects carry secret material (secret key
 * and session token); callers should keep them out of logs and metric tags.
 */
public class StsCredentialsManager {
    /** Name passed to {@code CacheMetrics.statsCounter} for the server-session cache. */
    public static final String CACHE_NAME = "sts-sessions";

    private final LoadingCache<SessionKey, Credentials> sessions;
    private final Duration expiryReduction;
    private final StsCredentialsFetcher credentialsFetcher;

    /**
     * Production constructor: takes cache size and grace period from {@code s3StsCache}, builds a
     * {@code StsCredentialsFetcherImpl} and uses the system wall clock.
     *
     * @param s3StsCache source of the effective cache size and session grace period
     * @param stsClientsPool handed to the credentials fetcher
     * @param secretsProvider handed to the credentials fetcher
     * @param meterRegistry metrics registry; may be {@code null}
     */
    public StsCredentialsManager(S3StsCache s3StsCache, StsClientsPool stsClientsPool, SecretsProvider secretsProvider, MeterRegistry meterRegistry) {
        this(
                s3StsCache.effectiveSessionCacheMaxSize(),
                s3StsCache.effectiveSessionGracePeriod(),
                new StsCredentialsFetcherImpl(stsClientsPool, secretsProvider),
                System::currentTimeMillis,
                Optional.ofNullable(meterRegistry));
    }

    /**
     * Test-visible constructor with an injectable fetcher and clock.
     *
     * @param i maximum number of cached sessions
     * @param duration grace period subtracted from each credential's expiration
     * @param stsCredentialsFetcher performs the actual STS requests
     * @param longSupplier clock returning the current time in epoch milliseconds
     * @param optional metrics registry, if any
     */
    @VisibleForTesting
    StsCredentialsManager(int i, Duration duration, StsCredentialsFetcher stsCredentialsFetcher, LongSupplier longSupplier, Optional<MeterRegistry> optional) {
        this.expiryReduction = duration;
        this.credentialsFetcher = stsCredentialsFetcher;
        this.sessions = Caffeine.newBuilder()
                // A scheduler lets Caffeine remove expired entries promptly instead of waiting
                // for the next cache access.
                .scheduler(Scheduler.systemScheduler())
                // The cache's ticker works in nanoseconds; the injected clock supplies milliseconds.
                .ticker(() -> TimeUnit.MILLISECONDS.toNanos(longSupplier.getAsLong()))
                .maximumSize(i)
                .recordStats(() -> CacheMetrics.statsCounter(optional, CACHE_NAME, i))
                .expireAfter(new StsSessionsExpiry())
                // Only the bucket options reach the fetcher; the repository id acts purely as
                // part of the cache key.
                .build(key -> loadServerSessionCredentials(key.bucketOptions()));
    }

    /**
     * Returns server-side session credentials for the given repository and bucket options,
     * loading them through the cache when no unexpired entry exists.
     *
     * @param str repository id, used as part of the cache key
     * @param s3BucketOptions bucket options, used as part of the cache key and for the STS request
     * @return cached or freshly loaded credentials
     */
    public Credentials sessionCredentialsForServer(String str, S3BucketOptions s3BucketOptions) {
        SessionKey key = ImmutableSessionKey.builder()
                .repositoryId(str)
                .bucketOptions(s3BucketOptions)
                .build();
        return this.sessions.get(key);
    }

    /**
     * Fetches client-side session credentials. Nothing is cached here; each call reaches the
     * fetcher.
     *
     * @param s3BucketOptions bucket options that must have client IAM enabled
     * @param storageLocations storage locations forwarded to the fetcher; may be {@code null}
     * @return freshly fetched credentials
     * @throws IllegalStateException if client IAM is not enabled for the bucket
     */
    public Credentials sessionCredentialsForClient(S3BucketOptions s3BucketOptions, StorageLocations storageLocations) {
        S3ClientIam clientIam = (S3ClientIam) s3BucketOptions.getEnabledClientIam()
                .orElseThrow(() -> new IllegalStateException("client IAM not enabled"));
        return this.credentialsFetcher.fetchCredentialsForClient(s3BucketOptions, clientIam, Optional.ofNullable(storageLocations));
    }

    /**
     * Cache loader body: fetches server-side credentials for the given bucket options.
     *
     * @throws IllegalStateException if server IAM is not enabled for the bucket
     */
    private Credentials loadServerSessionCredentials(S3BucketOptions bucketOptions) {
        S3ServerIam serverIam = (S3ServerIam) bucketOptions.getEnabledServerIam()
                .orElseThrow(() -> new IllegalStateException("server IAM not enabled"));
        return this.credentialsFetcher.fetchCredentialsForServer(bucketOptions, serverIam);
    }

    /**
     * Cache key for server sessions.
     *
     * <p>NOTE(review): presumably {@code @NessieImmutable} generates {@code ImmutableSessionKey}
     * with value-based equality, which would make key equality depend on
     * {@code S3BucketOptions} equality; confirm against the annotation processor.
     */
    @NessieImmutable
    interface SessionKey {
        String repositoryId();

        S3BucketOptions bucketOptions();
    }

    /**
     * Expiry policy that ties an entry's lifetime to the credential's own expiration, shortened
     * by {@code expiryReduction}.
     */
    private class StsSessionsExpiry implements Expiry<SessionKey, Credentials> {

        /**
         * Computes the lifetime of a newly loaded entry.
         *
         * @param currentTimeNanos the cache ticker's current reading, in nanoseconds
         * @return nanoseconds until the entry expires; {@code 0} when the credential expires
         *     before "now + expiryReduction"
         */
        public long expireAfterCreate(@Nonnull SessionKey key, @Nonnull Credentials value, long currentTimeNanos) {
            Instant expiresAt = value.expiration();
            // Shift "now" forward by the grace period so the entry leaves the cache early.
            long shiftedNowMillis = TimeUnit.NANOSECONDS.toMillis(currentTimeNanos) + expiryReduction.toMillis();
            Instant shiftedNow = Instant.ofEpochMilli(shiftedNowMillis);
            if (expiresAt.isBefore(shiftedNow)) {
                return TimeUnit.MILLISECONDS.toNanos(0L);
            }
            return TimeUnit.MILLISECONDS.toNanos(ChronoUnit.MILLIS.between(shiftedNow, expiresAt));
        }

        /** Keeps the remaining lifetime unchanged when an entry is updated. */
        public long expireAfterUpdate(@Nonnull SessionKey key, @Nonnull Credentials value, long currentTimeNanos, long currentDurationNanos) {
            return currentDurationNanos;
        }

        /** Keeps the remaining lifetime unchanged when an entry is read. */
        public long expireAfterRead(@Nonnull SessionKey key, @Nonnull Credentials value, long currentTimeNanos, long currentDurationNanos) {
            return currentDurationNanos;
        }
    }
}
