package com.yahoo.jdisc.cloud.aws;

import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient;
import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest;
import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult;
import com.amazonaws.services.simplesystemsmanagement.model.Parameter;
import com.google.inject.Inject;
import com.yahoo.component.AbstractComponent;
import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.container.jdisc.secretstore.SecretStoreConfig;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.Slime;
import java.util.List;
import java.util.stream.Collectors;

/* loaded from: input_file:com/yahoo/jdisc/cloud/aws/AwsParameterStore.class */
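/**
 * {@link SecretStore} backed by AWS Systems Manager Parameter Store.
 *
 * <p>Each lookup assumes the IAM role configured for a store (account id, role name and
 * external id) through STS, then asks Parameter Store in that store's region for the named
 * parameter with decryption enabled. Configured stores are tried in order and the first one
 * holding exactly one matching parameter wins.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #getSecret(String)} returns the decrypted parameter value; callers must not log it.</li>
 *   <li>The external id is treated as sensitive: {@link AwsSettings#toSlime(Cursor)} masks it.</li>
 *   <li>Exception messages built here contain the parameter name only, never its value.</li>
 * </ul>
 */
public class AwsParameterStore extends AbstractComponent implements SecretStore {
    private final VespaAwsCredentialsProvider credentialsProvider;
    private final List<AwsSettings> configuredStores;

    /**
     * Settings identifying one external Parameter Store: the role to assume, the account that
     * owns it, the external id presented when assuming it, and the region to query.
     */
    public static class AwsSettings {
        String name;
        String role;
        String awsId;
        String externalId;
        String region;

        /**
         * Creates settings after checking that every value is non-null and non-blank.
         *
         * @throws IllegalArgumentException if any value is null or blank
         */
        AwsSettings(String name, String role, String awsId, String externalId, String region) {
            this.name = validate(name, "name");
            this.role = validate(role, "role");
            this.awsId = validate(awsId, "awsId");
            this.externalId = validate(externalId, "externalId");
            this.region = validate(region, "region");
        }

        public String getName() {
            return this.name;
        }

        public String getRole() {
            return this.role;
        }

        public String getAwsId() {
            return this.awsId;
        }

        /** Returns the unmasked external id; treat the result as sensitive. */
        public String getExternalId() {
            return this.externalId;
        }

        public String getRegion() {
            return this.region;
        }

        /**
         * Reads settings from the root object of the given Slime.
         *
         * <p>The decompiler reports this method as package-private in the compiled class.
         *
         * @throws IllegalArgumentException if any of the five fields is blank
         */
        public static AwsSettings fromSlime(Slime slime) {
            Cursor root = slime.get();
            return new AwsSettings(
                    root.field("name").asString(),
                    root.field("role").asString(),
                    root.field("awsId").asString(),
                    root.field("externalId").asString(),
                    root.field("region").asString());
        }

        /**
         * Writes these settings to the given cursor with the external id replaced by a fixed mask.
         *
         * <p>Because of the mask the output is not a faithful copy: feeding it back through
         * {@link #fromSlime(Slime)} yields settings whose external id is the literal mask.
         *
         * <p>The decompiler reports this method as package-private in the compiled class.
         */
        public void toSlime(Cursor cursor) {
            cursor.setString("name", this.name);
            cursor.setString("role", this.role);
            cursor.setString("awsId", this.awsId);
            // Never serialise the real external id; it is part of what authorises AssumeRole.
            cursor.setString("externalId", "*****");
            cursor.setString("region", this.region);
        }

        /**
         * Returns {@code value} unchanged if it is non-null and non-blank.
         *
         * <p>NOTE(review): only blankness is checked. {@code awsId} and {@code role} are later
         * concatenated into a role ARN, so a stricter format check may be worth adding once the
         * accepted value formats are confirmed.
         *
         * @throws IllegalArgumentException naming {@code fieldName} if the value is null or blank
         */
        static String validate(String value, String fieldName) {
            if (value == null || value.isBlank()) {
                throw new IllegalArgumentException("Config parameter '" + fieldName + "' was blank or empty");
            }
            return value;
        }
    }

    @Inject
    public AwsParameterStore(SecretStoreConfig secretStoreConfig) {
        this(translateConfig(secretStoreConfig));
    }

    /**
     * Creates a store that consults the given settings in list order.
     *
     * @throws NullPointerException if the list or any of its elements is null
     */
    public AwsParameterStore(List<AwsSettings> list) {
        // Snapshot the list so later changes by the caller cannot alter which roles are assumed.
        this.configuredStores = List.copyOf(list);
        this.credentialsProvider = new VespaAwsCredentialsProvider();
    }

    /**
     * Returns the decrypted value of the named parameter from the first configured store that
     * holds it.
     *
     * @param str name of the parameter to fetch
     * @return the decrypted parameter value
     * @throws SecretNotFoundException if no configured store returns the parameter
     * @throws RuntimeException if a store returns more than one parameter for the name
     */
    public String getSecret(String str) {
        for (AwsSettings store : this.configuredStores) {
            AWSSecurityTokenService stsClient = (AWSSecurityTokenService) AWSSecurityTokenServiceClientBuilder.standard()
                    .withRegion(Regions.DEFAULT_REGION)
                    .withCredentials(this.credentialsProvider)
                    .build();
            try {
                // NOTE(review): this provider is Closeable in the AWS SDK v1 as far as I know;
                // confirm against the SDK version in use and close it here as well.
                STSAssumeRoleSessionCredentialsProvider assumedRole =
                        new STSAssumeRoleSessionCredentialsProvider.Builder(
                                toRoleArn(store.getAwsId(), store.getRole()), "vespa")
                                .withExternalId(store.getExternalId())
                                .withStsClient(stsClient)
                                .build();
                AWSSimpleSystemsManagement ssmClient = (AWSSimpleSystemsManagement) AWSSimpleSystemsManagementClient.builder()
                        .withCredentials(assumedRole)
                        .withRegion(store.getRegion())
                        .build();
                try {
                    GetParametersResult result = ssmClient.getParameters(
                            new GetParametersRequest().withNames(str).withWithDecryption(true));
                    List<Parameter> found = result.getParameters();
                    int count = found.size();
                    if (count == 1) {
                        return found.get(0).getValue();
                    }
                    if (count > 1) {
                        throw new RuntimeException("Found too many parameters, expected 1, but found " + count);
                    }
                    // count == 0: this store does not hold the parameter, try the next one.
                } finally {
                    // Clients are built per lookup; release them so repeated lookups do not
                    // accumulate client resources.
                    ssmClient.shutdown();
                }
            } finally {
                stsClient.shutdown();
            }
        }
        throw new SecretNotFoundException("Could not find secret " + str + " in any configured secret store");
    }

    /**
     * Returns the same value as {@link #getSecret(String)}.
     *
     * <p>The version argument {@code i} is ignored, so a caller asking for a specific version
     * receives whatever the unversioned lookup returns.
     */
    public String getSecret(String str, int i) {
        return getSecret(str);
    }

    /** Builds the IAM role ARN for a role in the given account; the partition is fixed to {@code aws}. */
    private String toRoleArn(String awsId, String role) {
        return "arn:aws:iam::" + awsId + ":role/" + role;
    }

    /** Converts each configured Parameter Store entry into validated {@link AwsSettings}. */
    private static List<AwsSettings> translateConfig(SecretStoreConfig secretStoreConfig) {
        return secretStoreConfig.awsParameterStores().stream()
                .map(store -> new AwsSettings(
                        store.name(), store.role(), store.awsId(), store.externalId(), store.region()))
                .collect(Collectors.toList());
    }
}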
