package ai.tock.aws.secretmanager;

import ai.tock.aws.EnvConfig;
import ai.tock.aws.EnvConfigKt;
import ai.tock.shared.PropertiesKt;
import ai.tock.shared.security.SecretManagerProviderType;
import ai.tock.shared.security.SecretManagerService;
import ai.tock.shared.security.SecretManagerServiceKt;
import ai.tock.shared.security.credentials.AIProviderSecret;
import ai.tock.shared.security.key.AwsSecretKey;
import ai.tock.shared.security.key.SecretKey;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException;
import com.amazonaws.services.secretsmanager.model.CreateSecretRequest;
import com.amazonaws.services.secretsmanager.model.DeleteSecretRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
import com.amazonaws.services.secretsmanager.model.UpdateSecretRequest;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.fasterxml.jackson.module.kotlin.ExtensionsKt;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.regex.Pattern;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.Regex;
import kotlin.text.StringsKt;
import kotlinx.serialization.json.Json;
import mu.KLogger;
import mu.KotlinLogging;
import org.jetbrains.annotations.NotNull;

/* compiled from: AwsSecretManagerService.kt */
@Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��p\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n\u0002\b\t\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000b\n��\n\u0002\u0018\u0002\n��\u0018��2\u00020\u0001B\u0005¢\u0006\u0002\u0010\u0002J\u0018\u0010\u0013\u001a\u00020\u00142\u0006\u0010\u0015\u001a\u00020\t2\u0006\u0010\u0016\u001a\u00020\u0017H\u0016J\u0018\u0010\u0018\u001a\u00020\u00142\u0006\u0010\u0015\u001a\u00020\t2\u0006\u0010\u0019\u001a\u00020\u001aH\u0002J\u0010\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u0015\u001a\u00020\tH\u0016J\u0010\u0010\u001d\u001a\u00020\u00142\u0006\u0010\u0015\u001a\u00020\tH\u0016J \u0010\u001e\u001a\u00020\t2\u0006\u0010\u001f\u001a\u00020\t2\u0006\u0010 \u001a\u00020\t2\u0006\u0010!\u001a\u00020\tH\u0016J\u0010\u0010\"\u001a\u00020\u00172\u0006\u0010\u0015\u001a\u00020\tH\u0016J\u0010\u0010#\u001a\u00020\t2\u0006\u0010$\u001a\u00020\tH\u0002J\u0010\u0010%\u001a\u00020&2\u0006\u0010\u0015\u001a\u00020\tH\u0016J\b\u0010'\u001a\u00020(H\u0002J\b\u0010)\u001a\u00020\u000bH\u0002J\u0010\u0010*\u001a\u00020+2\u0006\u0010,\u001a\u00020-H\u0016R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0005\u001a\u00020\u0006X\u0082\u0004¢\u0006\u0002\n��R\u001a\u0010\u0007\u001a\u000e\u0012\u0004\u0012\u00020\t\u0012\u0004\u0012\u00020\t0\bX\u0082\u000e¢\u0006\u0002\n��R\u000e\u0010\n\u001a\u00020\u000bX\u0082\u000e¢\u0006\u0002\n��R\u0016\u0010\f\u001a\n \u000e*\u0004\u0018\u00010\r0\rX\u0082\u000e¢\u0006\u0002\n��R\u0014\u0010\u000f\u001a\u00020\u00108VX\u0096\u0004¢\u0006\u0006\u001a\u0004\b\u0011\u0010\u0012¨\u0006."}, d2 = 
{"Lai/tock/aws/secretmanager/AwsSecretManagerService;", "Lai/tock/shared/security/SecretManagerService;", "()V", "lockOnSecretCache", "Ljava/util/concurrent/locks/Lock;", "logger", "Lmu/KLogger;", "secretsCache", "Lcom/github/benmanes/caffeine/cache/Cache;", "", "secretsManagerClient", "Lcom/amazonaws/services/secretsmanager/AWSSecretsManager;", "stsClient", "Lcom/amazonaws/services/securitytoken/AWSSecurityTokenService;", "kotlin.jvm.PlatformType", "type", "Lai/tock/shared/security/SecretManagerProviderType;", "getType", "()Lai/tock/shared/security/SecretManagerProviderType;", "createOrUpdateAIProviderSecret", "", "secretName", "secretValue", "Lai/tock/shared/security/credentials/AIProviderSecret;", "createOrUpdateAWSSecret", "secretObject", "", "createSecretKeyInstance", "Lai/tock/shared/security/key/AwsSecretKey;", "deleteSecret", "generateSecretName", "namespace", "botId", "feature", "getAIProviderSecret", "getAWSSecret", "secretId", "getCredentials", "Lai/tock/shared/security/credentials/Credentials;", "getTemporaryCredentials", "Lcom/amazonaws/services/securitytoken/model/Credentials;", "initSecretsManagerWithNewCredentials", "isSecretTypeSupported", "", "secret", "Lai/tock/shared/security/key/SecretKey;", "tock-aws-tools"})
@SourceDebugExtension({"SMAP\nAwsSecretManagerService.kt\nKotlin\n*S Kotlin\n*F\n+ 1 AwsSecretManagerService.kt\nai/tock/aws/secretmanager/AwsSecretManagerService\n+ 2 Json.kt\nkotlinx/serialization/json/Json\n+ 3 _Strings.kt\nkotlin/text/StringsKt___StringsKt\n*L\n1#1,210:1\n96#2:211\n96#2:212\n434#3:213\n507#3,5:214\n*S KotlinDebug\n*F\n+ 1 AwsSecretManagerService.kt\nai/tock/aws/secretmanager/AwsSecretManagerService\n*L\n154#1:211\n157#1:212\n172#1:213\n172#1:214,5\n*E\n"})
/* loaded from: input_file:ai/tock/aws/secretmanager/AwsSecretManagerService.class */
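/**
 * {@link SecretManagerService} implementation backed by AWS Secrets Manager.
 *
 * <p>Secret values read through {@link #getAWSSecret(String)} are kept as plaintext strings in an
 * in-memory cache (10 minutes, at most 100 entries). When the {@code AWS_ASSUMED_ROLE_PROPERTY}
 * flag is on, the Secrets Manager client authenticates with short-lived STS credentials and is
 * rebuilt when AWS reports the session token as expired.
 *
 * <p>Thread-safety: every cache lookup, AWS read, client refresh and cache invalidation runs while
 * holding {@link #lockOnSecretCache}, so concurrent misses for one id produce a single AWS call and
 * a rotated or deleted secret is never re-inserted into the cache by an in-flight fetch.
 */
public final class AwsSecretManagerService implements SecretManagerService {

    /** Characters kept by {@link #generateSecretName}; every other character is dropped. */
    private static final String ALLOWED_SECRET_NAME_CHARS =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_+=.@-";

    /** Hard upper bound on a generated secret name, in characters. */
    private static final int MAX_SECRET_NAME_LENGTH = 512;

    /**
     * A trailing hyphen followed by exactly six characters. Generated names must not end this way:
     * AWS itself appends a six-character suffix of this shape to secret ARNs, so such a name is
     * ambiguous when a secret is looked up by partial ARN.
     */
    private static final Pattern RESERVED_SUFFIX = Pattern.compile("-.{6}$");

    /** Length of the suffix matched by {@link #RESERVED_SUFFIX}. */
    private static final int RESERVED_SUFFIX_LENGTH = 7;

    /** AWS error code signalling that the assumed-role session token is no longer valid. */
    private static final String EXPIRED_TOKEN_ERROR_CODE = "ExpiredTokenException";

    /** Lifetime requested for assumed-role credentials; 900 s is the shortest STS accepts. */
    private static final int ASSUMED_ROLE_DURATION_SECONDS = 900;

    @NotNull
    private final KLogger logger = KotlinLogging.INSTANCE.logger(() -> Unit.INSTANCE);

    /** Serialises cache lookups, AWS reads, client refreshes and cache invalidation. */
    @NotNull
    private final Lock lockOnSecretCache = new ReentrantLock();

    /** Plaintext secret strings keyed by secret id; an entry expires 10 minutes after it is written. */
    @NotNull
    private final Cache<String, String> secretsCache;

    private final AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard().build();

    /**
     * Replaced under {@link #lockOnSecretCache} when the session token expires. Declared volatile
     * because the write and delete paths use it without taking the lock and must see the refreshed
     * client rather than the one whose token just expired.
     */
    @NotNull
    private volatile AWSSecretsManager secretsManagerClient;

    /**
     * Builds the secret cache and an initial Secrets Manager client.
     *
     * <p>The cache holds plaintext secrets in heap for at most 10 minutes and is capped at 100
     * entries to bound that footprint.
     */
    public AwsSecretManagerService() {
        Cache<String, String> cache = Caffeine.newBuilder()
                .expireAfterWrite(10L, TimeUnit.MINUTES)
                .maximumSize(100L)
                .build();
        this.secretsCache = cache;
        this.secretsManagerClient = initSecretsManagerWithNewCredentials();
    }

    /** @return the provider type this service implements, always {@code AWS_SECRETS_MANAGER} */
    @NotNull
    public SecretManagerProviderType getType() {
        return SecretManagerProviderType.AWS_SECRETS_MANAGER;
    }

    /**
     * Returns the raw secret string for {@code secretId}, serving it from the cache when present.
     *
     * <p>The full lookup (cache check, AWS call, cache write) runs under
     * {@link #lockOnSecretCache}, so concurrent misses for the same id trigger one AWS request.
     *
     * @param secretId AWS secret id or name
     * @return the secret's string payload
     * @throws AWSSecretsManagerException for any AWS failure other than an expired session token,
     *     or when the retry after a credential refresh fails as well
     * @throws NullPointerException if AWS returns a secret without a string payload
     */
    private String getAWSSecret(String secretId) {
        lockOnSecretCache.lock();
        try {
            String cached = secretsCache.getIfPresent(secretId);
            if (cached != null) {
                return cached;
            }
            GetSecretValueRequest request = new GetSecretValueRequest()
                    .withSecretId(secretId)
                    .withVersionStage(PropertiesKt.property(EnvConfigKt.AWS_SECRET_VERSION, "AWSCURRENT"));
            // Reject a missing payload before touching the cache; the error names the secret, never its value.
            String secretString = Objects.requireNonNull(
                    fetchSecretValue(request).getSecretString(),
                    "secret '" + secretId + "' has no string value");
            secretsCache.put(secretId, secretString);
            return secretString;
        } finally {
            // Single unlock point. The original code also unlocked explicitly before the success
            // return, so the lock was released twice and ReentrantLock threw
            // IllegalMonitorStateException on every cache miss.
            lockOnSecretCache.unlock();
        }
    }

    /**
     * Calls GetSecretValue once, and once more with a freshly built client when AWS reports the
     * session token as expired. Must be called with {@link #lockOnSecretCache} held, because it
     * swaps {@link #secretsManagerClient}.
     *
     * @param request the prepared GetSecretValue request
     * @return the AWS result
     * @throws AWSSecretsManagerException propagated unchanged for every error code other than
     *     {@value #EXPIRED_TOKEN_ERROR_CODE}
     */
    private GetSecretValueResult fetchSecretValue(GetSecretValueRequest request) {
        try {
            return secretsManagerClient.getSecretValue(request);
        } catch (AWSSecretsManagerException e) {
            if (!EXPIRED_TOKEN_ERROR_CODE.equals(e.getErrorCode())) {
                throw e;
            }
            // Only the client (its credentials) is rebuilt here; the secret cache itself is kept.
            logger.debug(() -> "Refresh secret cache with new temporary credentials");
            secretsManagerClient = initSecretsManagerWithNewCredentials();
            return secretsManagerClient.getSecretValue(request);
        }
    }

    /**
     * Builds a Secrets Manager client.
     *
     * <p>Without {@code AWS_ASSUMED_ROLE_PROPERTY} the SDK's default credentials provider chain is
     * used. With it, a role is assumed through STS and the resulting session credentials are
     * pinned into the client as static credentials; they are not refreshed by the SDK, which is
     * why {@link #fetchSecretValue} rebuilds the client on an expired token.
     *
     * @return a ready-to-use client
     */
    private AWSSecretsManager initSecretsManagerWithNewCredentials() {
        if (!PropertiesKt.booleanProperty(EnvConfigKt.AWS_ASSUMED_ROLE_PROPERTY, false)) {
            return AWSSecretsManagerClientBuilder.standard().build();
        }
        Credentials temporary = getTemporaryCredentials();
        BasicSessionCredentials session = new BasicSessionCredentials(
                temporary.getAccessKeyId(), temporary.getSecretAccessKey(), temporary.getSessionToken());
        return AWSSecretsManagerClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(session))
                .build();
    }

    /**
     * Assumes the role configured in {@link EnvConfig} and returns its session credentials.
     *
     * @return short-lived credentials valid for {@value #ASSUMED_ROLE_DURATION_SECONDS} seconds
     * @throws NullPointerException if STS answers without credentials
     */
    private Credentials getTemporaryCredentials() {
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(EnvConfig.INSTANCE.getAwsSecretManagerAssumedRole())
                .withRoleSessionName(EnvConfig.INSTANCE.getAwsAssumedRoleSessionName())
                .withDurationSeconds(ASSUMED_ROLE_DURATION_SECONDS);
        return Objects.requireNonNull(stsClient.assumeRole(request).getCredentials(), "getCredentials(...)");
    }

    /**
     * Removes any cached value for {@code secretId}. Taken under the lock so that a fetch in
     * progress on another thread cannot write a pre-rotation value back after the eviction.
     *
     * @param secretId the cache key, i.e. the id used with {@link #getAWSSecret(String)}
     */
    private void evictCachedSecret(String secretId) {
        lockOnSecretCache.lock();
        try {
            secretsCache.invalidate(secretId);
        } finally {
            lockOnSecretCache.unlock();
        }
    }

    /**
     * Serialises {@code secretObject} as JSON and stores it under {@code secretName}, updating the
     * secret if it exists and creating it otherwise (the update is attempted first and a
     * {@link ResourceNotFoundException} triggers the create).
     *
     * <p>The cache entry for {@code secretName} is evicted after a successful write so the old
     * value is not served for up to 10 minutes.
     *
     * @param secretName AWS secret name
     * @param secretObject value to serialise; the JSON is sent to AWS and never logged
     * @throws UncheckedIOException if the value cannot be serialised
     * @throws AWSSecretsManagerException for AWS failures, including a create that races with
     *     another writer creating the same secret
     */
    private void createOrUpdateAWSSecret(String secretName, Object secretObject) {
        String secretJson;
        try {
            secretJson = ExtensionsKt.jacksonObjectMapper().writeValueAsString(secretObject);
        } catch (IOException e) {
            throw new UncheckedIOException("Cannot serialise secret '" + secretName + "'", e);
        }
        // NOTE(review): unlike getAWSSecret, an expired assumed-role token is not recovered here;
        // the AWS exception is propagated to the caller.
        try {
            secretsManagerClient.updateSecret(new UpdateSecretRequest()
                    .withSecretId(secretName)
                    .withSecretString(secretJson));
            logger.info(() -> "The secret '" + secretName + "' already exists, so it has been updated with a new value.");
        } catch (ResourceNotFoundException e) {
            logger.info(() -> "The secret '" + secretName + "' does not yet exist.");
            secretsManagerClient.createSecret(new CreateSecretRequest()
                    .withName(secretName)
                    .withSecretString(secretJson)
                    .withDescription("Created from Tock."));
            logger.info(() -> "The secret '" + secretName + "' has been created with the value.");
        }
        evictCachedSecret(secretName);
    }

    /**
     * Reads and decodes a {@code Credentials} secret.
     *
     * @param secretName AWS secret id or name
     * @return the decoded credentials
     * @throws NullPointerException if {@code secretName} is null
     */
    @NotNull
    public ai.tock.shared.security.credentials.Credentials getCredentials(@NotNull String secretName) {
        Objects.requireNonNull(secretName, "secretName");
        String payload = getAWSSecret(secretName);
        return Json.Default.decodeFromString(
                ai.tock.shared.security.credentials.Credentials.Companion.serializer(), payload);
    }

    /**
     * Reads and decodes an {@link AIProviderSecret}.
     *
     * @param secretName AWS secret id or name
     * @return the decoded secret
     * @throws NullPointerException if {@code secretName} is null
     */
    @NotNull
    public AIProviderSecret getAIProviderSecret(@NotNull String secretName) {
        Objects.requireNonNull(secretName, "secretName");
        String payload = getAWSSecret(secretName);
        return Json.Default.decodeFromString(AIProviderSecret.Companion.serializer(), payload);
    }

    /**
     * Stores {@code secretValue} under {@code secretName}, creating or updating the AWS secret.
     *
     * @param secretName AWS secret name
     * @param secretValue value to store
     * @throws NullPointerException if either argument is null
     */
    public void createOrUpdateAIProviderSecret(@NotNull String secretName, @NotNull AIProviderSecret secretValue) {
        Objects.requireNonNull(secretName, "secretName");
        Objects.requireNonNull(secretValue, "secretValue");
        createOrUpdateAWSSecret(secretName, secretValue);
    }

    /**
     * Derives a Secrets Manager-compatible name of the form
     * {@code /<genAISecretPrefix>/<namespace>/<botId>/<feature>}.
     *
     * <p>Normalisation: underscores and spaces become hyphens, characters outside
     * {@link #ALLOWED_SECRET_NAME_CHARS} are dropped, the result is cut to
     * {@value #MAX_SECRET_NAME_LENGTH} characters, and a trailing {@code -XXXXXX} suffix (see
     * {@link #RESERVED_SUFFIX}) is removed once.
     *
     * @param namespace bot namespace
     * @param botId bot identifier
     * @param feature feature the secret belongs to
     * @return the normalised name
     * @throws NullPointerException if any argument is null
     * @throws IllegalArgumentException if nothing is left after normalisation
     */
    @NotNull
    public String generateSecretName(@NotNull String namespace, @NotNull String botId, @NotNull String feature) {
        Objects.requireNonNull(namespace, "namespace");
        Objects.requireNonNull(botId, "botId");
        Objects.requireNonNull(feature, "feature");
        String raw = ("/" + SecretManagerServiceKt.getGenAISecretPrefix() + "/" + namespace + "/" + botId + "/" + feature)
                .replace('_', '-')
                .replace(' ', '-');
        StringBuilder kept = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (ALLOWED_SECRET_NAME_CHARS.indexOf(c) >= 0) {
                kept.append(c);
            }
        }
        String name = kept.toString();
        if (name.length() > MAX_SECRET_NAME_LENGTH) {
            name = name.substring(0, MAX_SECRET_NAME_LENGTH);
        }
        // The suffix is stripped only when something remains in front of it.
        if (name.length() > RESERVED_SUFFIX_LENGTH && RESERVED_SUFFIX.matcher(name).find()) {
            name = name.substring(0, name.length() - RESERVED_SUFFIX_LENGTH);
        }
        if (name.isEmpty()) {
            throw new IllegalArgumentException("Normalized AWS secret name must be at least one character long.");
        }
        return name;
    }

    /**
     * Wraps a name into an {@link AwsSecretKey}. The decompiled source showed this method as
     * {@code m4createSecretKeyInstance} because the decompiler renamed it away from its covariant
     * bridge; {@code createSecretKeyInstance} is the real name and javac regenerates the bridge.
     *
     * @param secretName AWS secret name
     * @return the key
     * @throws NullPointerException if {@code secretName} is null
     */
    @NotNull
    public AwsSecretKey createSecretKeyInstance(@NotNull String secretName) {
        Objects.requireNonNull(secretName, "secretName");
        return new AwsSecretKey(secretName);
    }

    /**
     * @param secret key to test
     * @return whether {@code secret} is an {@link AwsSecretKey}
     * @throws NullPointerException if {@code secret} is null
     */
    public boolean isSecretTypeSupported(@NotNull SecretKey secret) {
        Objects.requireNonNull(secret, "secret");
        return secret instanceof AwsSecretKey;
    }

    /**
     * Deletes {@code secretName} immediately and evicts it from the cache.
     *
     * <p>The request sets {@code ForceDeleteWithoutRecovery}, so AWS skips its recovery window and
     * the secret cannot be restored afterwards. Failures are logged with the secret name (never a
     * value) and rethrown.
     *
     * @param secretName AWS secret id or name
     * @throws NullPointerException if {@code secretName} is null
     */
    public void deleteSecret(@NotNull String secretName) {
        Objects.requireNonNull(secretName, "secretName");
        try {
            secretsManagerClient.deleteSecret(new DeleteSecretRequest()
                    .withSecretId(secretName)
                    .withForceDeleteWithoutRecovery(true));
            evictCachedSecret(secretName);
            logger.info(() -> "The secret '" + secretName + "' has been successfully deleted.");
        } catch (Exception e) {
            logger.error(e, () -> "Failed to delete the secret '" + secretName + "'.");
            throw e;
        }
    }

    /** Delegates to the interface's default implementation. */
    @NotNull
    public SecretKey createOrUpdateSecretKey(@NotNull String str, @NotNull String str2, @NotNull String str3, @NotNull String str4) {
        return SecretManagerService.DefaultImpls.createOrUpdateSecretKey(this, str, str2, str3, str4);
    }
}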
