package com.yahoo.jdisc.cloud.aws;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.SlimeUtils;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.class */
public class VespaAwsCredentialsProvider implements AWSCredentialsProvider {
    private static final String DEFAULT_CREDENTIALS_PATH = "/opt/vespa/var/vespa/aws/credentials.json";
    private final AtomicReference<Credentials> credentials;
    private final Path credentialsPath;
    private final Clock clock;
    private static final Logger logger = Logger.getLogger(VespaAwsCredentialsProvider.class.getName());
    private static final Duration REFRESH_INTERVAL = Duration.ofMinutes(30);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials.class */
    public static final class Credentials extends Record implements AWSSessionCredentials {
        private final String awsAccessKey;
        private final String awsSecretKey;
        private final String sessionToken;
        private final Instant expiry;

        Credentials(String str, String str2, String str3, Instant instant) {
            this.awsAccessKey = str;
            this.awsSecretKey = str2;
            this.sessionToken = str3;
            this.expiry = instant;
        }

        public String getSessionToken() {
            return this.sessionToken;
        }

        public String getAWSAccessKeyId() {
            return this.awsAccessKey;
        }

        public String getAWSSecretKey() {
            return this.awsSecretKey;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, Credentials.class), Credentials.class, "awsAccessKey;awsSecretKey;sessionToken;expiry", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->awsAccessKey:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->awsSecretKey:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->sessionToken:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->expiry:Ljava/time/Instant;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, Credentials.class), Credentials.class, "awsAccessKey;awsSecretKey;sessionToken;expiry", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->awsAccessKey:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->awsSecretKey:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->sessionToken:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->expiry:Ljava/time/Instant;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, Credentials.class, Object.class), Credentials.class, "awsAccessKey;awsSecretKey;sessionToken;expiry", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->awsAccessKey:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->awsSecretKey:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->sessionToken:Ljava/lang/String;", "FIELD:Lcom/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider$Credentials;->expiry:Ljava/time/Instant;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String awsAccessKey() {
            return this.awsAccessKey;
        }

        public String awsSecretKey() {
            return this.awsSecretKey;
        }

        public String sessionToken() {
            return this.sessionToken;
        }

        public Instant expiry() {
            return this.expiry;
        }
    }

    public VespaAwsCredentialsProvider() {
        this(Path.of(DEFAULT_CREDENTIALS_PATH, new String[0]), Clock.systemUTC());
    }

    VespaAwsCredentialsProvider(Path path, Clock clock) {
        this.credentials = new AtomicReference<>();
        this.credentialsPath = path;
        this.clock = clock;
        refresh();
    }

    public AWSCredentials getCredentials() {
        Credentials credentials = this.credentials.get();
        if (Duration.between(this.clock.instant(), credentials.expiry).compareTo(REFRESH_INTERVAL) < 0) {
            refresh();
            credentials = this.credentials.get();
        }
        return credentials;
    }

    public void refresh() {
        try {
            logger.log(Level.FINE, "Refreshing credentials from disk");
            this.credentials.set(readCredentials());
        } catch (Exception e) {
            throw new RuntimeException("Unable to get credentials. Please ensure cluster is configured as exclusive. See: https://cloud.vespa.ai/en/reference/services#nodes");
        }
    }

    private Credentials readCredentials() {
        Instant instant;
        try {
            Cursor cursor = SlimeUtils.jsonToSlime(Files.readAllBytes(this.credentialsPath)).get();
            String asString = cursor.field("awsAccessKey").asString();
            String asString2 = cursor.field("awsSecretKey").asString();
            String asString3 = cursor.field("sessionToken").asString();
            Instant plus = Instant.now().plus((TemporalAmount) Duration.ofHours(1L));
            try {
                instant = (Instant) SlimeUtils.optionalString(cursor.field("expiry")).map((v0) -> {
                    return Instant.parse(v0);
                }).orElse(plus);
            } catch (Exception e) {
                instant = plus;
                logger.warning("Unable to read expiry from credentials");
            }
            return new Credentials(asString, asString2, asString3, instant);
        } catch (IOException e2) {
            throw new UncheckedIOException(e2);
        }
    }
}
