package com.amazon.athena.jdbc.authentication;

import com.amazon.athena.logging.AthenaLogger;
import java.time.Clock;
import java.util.Optional;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityResponse;
import software.amazon.awssdk.services.sts.model.Credentials;

/* loaded from: input_file:com/amazon/athena/jdbc/authentication/JwtCredentialsProvider.class */
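/**
 * Credentials provider that exchanges a web identity token (JWT) for temporary AWS session
 * credentials by calling STS {@code AssumeRoleWithWebIdentity}, and caches the result until it
 * is close to expiry.
 *
 * <p>Security-relevant behavior visible in this class:
 *
 * <ul>
 *   <li>The web identity token is a bearer credential. It is held in a {@code String} field for
 *       the lifetime of the provider and the same value is re-sent on every refresh; it is never
 *       re-read from its origin. NOTE(review): a refresh attempted after the token itself has
 *       expired will presumably be rejected by STS; confirm how callers rotate the token.
 *   <li>The cached {@link #credentials} field is read and written without synchronization.
 *       NOTE(review): if one instance is shared between threads, concurrent callers may each
 *       trigger an STS call; confirm whether external locking is expected.
 * </ul>
 */
public class JwtCredentialsProvider implements AwsCredentialsProvider {
    private static final AthenaLogger logger = AthenaLogger.of(JwtCredentialsProvider.class);

    /** Credentials expiring within this many seconds from now are treated as stale. */
    private static final int EXPIRATION_THRESHOLD_SECS = 180;

    // Bearer token presented to STS; must never be written to logs.
    private final String webIdentityToken;
    private final String roleArn;
    private final String roleSessionName;
    // Passed to STS as-is; may be null, in which case no explicit duration is set here.
    private final Integer roleSessionDuration;
    private final StsClient stsClient;
    private final Clock clock;
    // Last credentials obtained from STS, or null before the first call.
    private AwsSessionCredentials credentials;

    /**
     * Creates a provider that uses the system clock for expiry checks.
     *
     * <p>Decompiler note: this constructor was package-private in the compiled class; the
     * decompiler widened it to {@code public}.
     *
     * @param webIdentityToken the JWT presented to STS
     * @param roleArn ARN of the role to assume
     * @param roleSessionName session name sent with the request
     * @param roleSessionDuration requested session duration in seconds
     * @param stsClient client used for the {@code AssumeRoleWithWebIdentity} call
     */
    public JwtCredentialsProvider(
            String webIdentityToken,
            String roleArn,
            String roleSessionName,
            Integer roleSessionDuration,
            StsClient stsClient) {
        this(
                webIdentityToken,
                roleArn,
                roleSessionName,
                roleSessionDuration,
                stsClient,
                Clock.systemDefaultZone());
    }

    /**
     * Creates a provider with an explicit clock, so the expiry check can be driven from a fixed
     * or controlled time source.
     *
     * @param webIdentityToken the JWT presented to STS
     * @param roleArn ARN of the role to assume
     * @param roleSessionName session name sent with the request
     * @param roleSessionDuration requested session duration in seconds
     * @param stsClient client used for the {@code AssumeRoleWithWebIdentity} call
     * @param clock time source for the expiry comparison
     */
    JwtCredentialsProvider(
            String webIdentityToken,
            String roleArn,
            String roleSessionName,
            Integer roleSessionDuration,
            StsClient stsClient,
            Clock clock) {
        this.webIdentityToken = webIdentityToken;
        this.roleArn = roleArn;
        this.roleSessionName = roleSessionName;
        this.roleSessionDuration = roleSessionDuration;
        this.stsClient = stsClient;
        this.clock = clock;
    }

    /**
     * Returns the cached session credentials, first refreshing them from STS when none are
     * cached, when the cached ones carry no expiration time, or when they expire within
     * {@link #EXPIRATION_THRESHOLD_SECS} seconds.
     *
     * @return the current session credentials
     */
    @Override
    public AwsCredentials resolveCredentials() {
        // Missing credentials and credentials without an expiry both fall through to "refresh".
        boolean refreshNeeded =
                Optional.ofNullable(this.credentials)
                        .flatMap(AwsSessionCredentials::expirationTime)
                        .map(expiry ->
                                expiry.isBefore(
                                        this.clock.instant().plusSeconds(EXPIRATION_THRESHOLD_SECS)))
                        .orElse(true);
        if (refreshNeeded) {
            this.credentials = obtainCredentialsFromSts();
        }
        return this.credentials;
    }

    /**
     * Calls STS {@code AssumeRoleWithWebIdentity} with the configured token and role, and
     * converts the response into {@link AwsSessionCredentials} carrying the STS expiration.
     *
     * <p>Any exception thrown by the STS client propagates to the caller unchanged.
     *
     * @return freshly issued session credentials
     */
    private AwsSessionCredentials obtainCredentialsFromSts() {
        // build() replaces the decompiler-generated bridge name that does not exist in the SDK.
        AssumeRoleWithWebIdentityRequest request =
                AssumeRoleWithWebIdentityRequest.builder()
                        .webIdentityToken(this.webIdentityToken)
                        .roleArn(this.roleArn)
                        .roleSessionName(this.roleSessionName)
                        .durationSeconds(this.roleSessionDuration)
                        .build();
        logger.debug("Obtaining credentials from STS", new Object[0]);
        // Log only the non-secret request fields. The request object carries the web identity
        // token, and whether its toString() redacts that value depends on the SDK version in
        // use, so the object itself is not handed to the logger.
        logger.trace(
                "Sending AssumeRoleWithWebIdentity request: roleArn={}, roleSessionName={}, durationSeconds={}",
                new Object[] {this.roleArn, this.roleSessionName, this.roleSessionDuration});
        AssumeRoleWithWebIdentityResponse response =
                this.stsClient.assumeRoleWithWebIdentity(request);
        logger.info("Obtained credentials from STS", new Object[0]);
        // The issued keys and session token are copied into the result and never logged.
        Credentials issued = response.credentials();
        return AwsSessionCredentials.builder()
                .accessKeyId(issued.accessKeyId())
                .secretAccessKey(issued.secretAccessKey())
                .sessionToken(issued.sessionToken())
                .expirationTime(issued.expiration())
                .build();
    }
}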
