package io.trino.aws.proxy.server.rest;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import com.google.common.collect.ImmutableMap;
import com.google.inject.Inject;
import io.airlift.log.Logger;
import io.trino.aws.proxy.server.rest.AssumeRoleResponse;
import io.trino.aws.proxy.server.rest.ResourceSecurity;
import io.trino.aws.proxy.spi.credentials.AssumedRoleProvider;
import io.trino.aws.proxy.spi.credentials.EmulatedAssumedRole;
import io.trino.aws.proxy.spi.rest.Request;
import io.trino.aws.proxy.spi.signing.SigningMetadata;
import io.trino.aws.proxy.spi.util.AwsTimestamp;
import io.trino.aws.proxy.spi.util.MultiMap;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.glassfish.jersey.uri.UriComponent;

@ResourceSecurity(ResourceSecurity.Sts.class)
/* loaded from: input_file:io/trino/aws/proxy/server/rest/TrinoStsResource.class */
public class TrinoStsResource {
    private static final Logger log = Logger.get(TrinoStsResource.class);
    private final AssumedRoleProvider assumedRoleProvider;
    private final XmlMapper xmlMapper;

    @Inject
    public TrinoStsResource(AssumedRoleProvider assumedRoleProvider, XmlMapper xmlMapper) {
        this.assumedRoleProvider = (AssumedRoleProvider) Objects.requireNonNull(assumedRoleProvider, "assumedRoleProvider is null");
        this.xmlMapper = (XmlMapper) Objects.requireNonNull(xmlMapper, "xmlMapper is null");
    }

    @POST
    public Response post(@Context Request request, @Context SigningMetadata signingMetadata, @Context RequestLoggingSession requestLoggingSession) {
        Map<String, String> deserializeRequest = deserializeRequest(request.requestQueryParameters(), request.requestContent().standardBytes());
        String str = (String) Optional.ofNullable(deserializeRequest.get("Action")).orElse("");
        boolean z = -1;
        switch (str.hashCode()) {
            case 947538274:
                if (str.equals("AssumeRole")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return assumeRole(request.requestAuthorization().region(), signingMetadata, deserializeRequest, requestLoggingSession);
            default:
                log.debug("Request missing \"Action\". Arguments: %s", new Object[]{deserializeRequest});
                requestLoggingSession.logError("request.action.unsupported", deserializeRequest);
                return Response.status(Response.Status.BAD_REQUEST).build();
        }
    }

    private Response assumeRole(String str, SigningMetadata signingMetadata, Map<String, String> map, RequestLoggingSession requestLoggingSession) {
        String str2 = map.get("RoleArn");
        if (str2 == null) {
            log.debug("Request missing \"RoleArn\". Arguments: %s", new Object[]{map});
            requestLoggingSession.logError("request.role-arn.missing", map);
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        EmulatedAssumedRole emulatedAssumedRole = (EmulatedAssumedRole) this.assumedRoleProvider.assumeEmulatedRole(signingMetadata.credentials().emulated(), str, str2, Optional.ofNullable(map.get("ExternalId")), Optional.ofNullable(map.get("RoleSessionName")), Optional.ofNullable(map.get("DurationSeconds")).map(TrinoStsResource::mapToInt)).orElseThrow(() -> {
            log.debug("Assume role failed. Arguments: %s", new Object[]{map});
            requestLoggingSession.logError("request.assume-role.failure", map);
            return new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build());
        });
        AssumeRoleResponse.AssumeRoleResult assumeRoleResult = new AssumeRoleResponse.AssumeRoleResult(new AssumeRoleResponse.AssumedRoleUser(emulatedAssumedRole.arn(), emulatedAssumedRole.roleId()), new AssumeRoleResponse.Credentials(emulatedAssumedRole.emulatedCredential().accessKey(), emulatedAssumedRole.emulatedCredential().secretKey(), (String) emulatedAssumedRole.emulatedCredential().session().orElseThrow(() -> {
            log.debug("Assume role returned an illegal response - no session was created. Arguments: %s", new Object[]{map});
            requestLoggingSession.logError("request.assume-role.illegal-response", map);
            return new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build());
        }), AwsTimestamp.toResponseFormat(emulatedAssumedRole.expiration())));
        try {
            String writeValueAsString = this.xmlMapper.writeValueAsString(new AssumeRoleResponse(assumeRoleResult));
            requestLoggingSession.logProperty("response.assume-role.arn", assumeRoleResult.assumedRoleUser().arn());
            requestLoggingSession.logProperty("response.assume-role.role-id", assumeRoleResult.assumedRoleUser().assumedRoleId());
            requestLoggingSession.logProperty("response.assume-role.access-key", assumeRoleResult.credentials().accessKeyId());
            requestLoggingSession.logProperty("response.assume-role.expiration", assumeRoleResult.credentials().expiration());
            return Response.ok(writeValueAsString, MediaType.APPLICATION_XML_TYPE).build();
        } catch (JsonProcessingException e) {
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    private static int mapToInt(String str) {
        try {
            return Integer.parseInt(str);
        } catch (NumberFormatException e) {
            log.debug("Invalid int value received: %s", new Object[]{str});
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).build());
        }
    }

    private Map<String, String> deserializeRequest(MultiMap multiMap, Optional<byte[]> optional) {
        return (Map) ((Stream) optional.map(bArr -> {
            return UriComponent.decodeQuery(new String(bArr, StandardCharsets.UTF_8), true).entrySet().stream();
        }).orElseGet(() -> {
            return multiMap.entrySet().stream();
        })).filter(entry -> {
            return !((List) entry.getValue()).isEmpty();
        }).map(entry2 -> {
            return Map.entry((String) entry2.getKey(), (String) ((List) entry2.getValue()).getFirst());
        }).collect(ImmutableMap.toImmutableMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
    }
}
