package io.trino.aws.proxy.server.credentials;

import com.google.inject.Inject;
import io.airlift.http.server.testing.TestingHttpServer;
import io.trino.aws.proxy.server.TrinoAwsProxyConfig;
import io.trino.aws.proxy.server.testing.TestingCredentialsRolesProvider;
import io.trino.aws.proxy.server.testing.TestingUtil;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.spi.credentials.Credentials;
import io.trino.aws.proxy.spi.credentials.EmulatedAssumedRole;
import java.net.URI;
import java.util.Objects;
import java.util.Optional;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.InstanceOfAssertFactories;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.S3Exception;

@TrinoAwsProxyTest
/* loaded from: input_file:io/trino/aws/proxy/server/credentials/TestAssumingRoles.class */
public class TestAssumingRoles {
    private static final String ARN = "test-arn";
    private final TestingCredentialsRolesProvider credentialsController;
    private final URI localS3URI;
    private final Credentials testingCredentials;

    @Inject
    public TestAssumingRoles(TestingCredentialsRolesProvider testingCredentialsRolesProvider, TestingHttpServer testingHttpServer, @TestingUtil.ForTesting Credentials credentials, TrinoAwsProxyConfig trinoAwsProxyConfig) {
        this.credentialsController = (TestingCredentialsRolesProvider) Objects.requireNonNull(testingCredentialsRolesProvider, "credentialsController is null");
        this.testingCredentials = (Credentials) Objects.requireNonNull(credentials, "testingCredentials is null");
        this.localS3URI = testingHttpServer.getBaseUrl().resolve(trinoAwsProxyConfig.getS3Path());
    }

    @AfterEach
    public void reset() {
        this.credentialsController.resetAssumedRoles();
    }

    @Test
    public void testStsSession() {
        EmulatedAssumedRole orElseThrow = this.credentialsController.assumeEmulatedRole(this.testingCredentials.emulated(), "us-east-1", ARN, Optional.empty(), Optional.empty(), Optional.empty()).orElseThrow(() -> {
            return new RuntimeException("Failed to assume role");
        });
        S3Client s3Client = (S3Client) TestingUtil.clientBuilder(this.localS3URI).credentialsProvider(() -> {
            return AwsSessionCredentials.create(orElseThrow.emulatedCredential().accessKey(), orElseThrow.emulatedCredential().secretKey(), (String) orElseThrow.emulatedCredential().session().orElseThrow());
        }).build();
        try {
            Assertions.assertThat(s3Client.listBuckets().buckets()).isEmpty();
            this.credentialsController.resetAssumedRoles();
            Objects.requireNonNull(s3Client);
            Assertions.assertThatThrownBy(s3Client::listBuckets).asInstanceOf(InstanceOfAssertFactories.type(S3Exception.class)).extracting((v0) -> {
                return v0.statusCode();
            }).isEqualTo(401);
            if (s3Client != null) {
                s3Client.close();
            }
        } catch (Throwable th) {
            if (s3Client != null) {
                try {
                    s3Client.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
