package io.trino.hdfs.s3;

import com.amazonaws.auth.BasicAWSCredentials;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.trino.spi.security.ConnectorIdentity;
import java.net.URI;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

/* loaded from: input_file:io/trino/hdfs/s3/S3SecurityMapping.class */
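/**
 * A single S3 security-mapping rule: a set of matchers (user, group, S3 prefix) plus the
 * IAM role, KMS key, static credentials, or endpoint to use when the rule matches.
 *
 * <p>Instances are created from JSON through the {@link JsonCreator} constructor and are
 * immutable afterwards.
 *
 * <p>Matching semantics that matter when reviewing a mapping file:
 * <ul>
 *   <li>A matcher that is absent from the JSON accepts every value, so a rule with no
 *       {@code user}, {@code group}, or {@code prefix} applies to every identity and location.</li>
 *   <li>{@code user} and {@code group} patterns are applied with {@link java.util.regex.Matcher#matches()},
 *       so the whole name must match; the group matcher succeeds if any one group matches.</li>
 *   <li>{@code prefix} requires the same bucket and a path that starts with the configured
 *       path. This is a plain string prefix test with no path-separator boundary, so
 *       {@code s3://bucket/data} also covers {@code s3://bucket/database/...}; end the prefix
 *       with {@code /} to confine a rule to one key "directory". The scheme of the tested
 *       URI is not compared here.</li>
 * </ul>
 *
 * <p>How the selected role, allowed roles, and KMS keys are enforced is decided by the caller
 * and is not visible in this class.
 */
public class S3SecurityMapping {
    private final Predicate<String> user;
    private final Predicate<Collection<String>> group;
    private final Predicate<URI> prefix;
    private final Optional<String> iamRole;
    private final Set<String> allowedIamRoles;
    private final Optional<String> kmsKeyId;
    private final Set<String> allowedKmsKeyIds;
    // Long-lived static keys taken from the mapping file; the file itself therefore holds secrets.
    private final Optional<BasicAWSCredentials> credentials;
    private final boolean useClusterDefault;
    private final Optional<String> endpoint;
    private final Optional<String> roleSessionName;

    /**
     * Builds and validates one mapping rule.
     *
     * @param user regex the whole user name must match; absent means any user
     * @param group regex at least one group name must fully match; absent means any groups
     * @param prefix {@code s3://} URI without query or fragment; absent means any location
     * @param iamRole IAM role for this rule
     * @param roleSessionName role session name; only valid together with {@code iamRole}
     * @param allowedIamRoles IAM roles permitted by this rule; absent is treated as empty
     * @param kmsKeyId KMS key ID for this rule; not valid together with {@code useClusterDefault}
     * @param allowedKmsKeyIds KMS key IDs permitted by this rule; absent is treated as empty
     * @param accessKey static access key; must be given together with {@code secretKey}
     * @param secretKey static secret key; must be given together with {@code accessKey}
     * @param useClusterDefault whether the rule falls back to the cluster default; absent means false
     * @param endpoint S3 endpoint override
     * @throws NullPointerException if any argument is {@code null} (pass {@link Optional#empty()} instead)
     * @throws IllegalArgumentException if the combination of settings is inconsistent
     */
    @JsonCreator
    public S3SecurityMapping(
            @JsonProperty("user") Optional<Pattern> user,
            @JsonProperty("group") Optional<Pattern> group,
            @JsonProperty("prefix") Optional<URI> prefix,
            @JsonProperty("iamRole") Optional<String> iamRole,
            @JsonProperty("roleSessionName") Optional<String> roleSessionName,
            @JsonProperty("allowedIamRoles") Optional<List<String>> allowedIamRoles,
            @JsonProperty("kmsKeyId") Optional<String> kmsKeyId,
            @JsonProperty("allowedKmsKeyIds") Optional<List<String>> allowedKmsKeyIds,
            @JsonProperty("accessKey") Optional<String> accessKey,
            @JsonProperty("secretKey") Optional<String> secretKey,
            @JsonProperty("useClusterDefault") Optional<Boolean> useClusterDefault,
            @JsonProperty("endpoint") Optional<String> endpoint) {
        // An absent matcher is deliberately "match everything"; see the class documentation.
        this.user = Objects.requireNonNull(user, "user is null")
                .map(S3SecurityMapping::toPredicate)
                .orElse(anyUser -> true);
        this.group = Objects.requireNonNull(group, "group is null")
                .map(S3SecurityMapping::toPredicate)
                .map(S3SecurityMapping::anyMatch)
                .orElse(anyGroups -> true);
        this.prefix = Objects.requireNonNull(prefix, "prefix is null")
                .map(S3SecurityMapping::prefixPredicate)
                .orElse(anyLocation -> true);

        this.iamRole = Objects.requireNonNull(iamRole, "iamRole is null");
        this.roleSessionName = Objects.requireNonNull(roleSessionName, "roleSessionName is null");
        Preconditions.checkArgument(
                !(iamRole.isEmpty() && roleSessionName.isPresent()),
                "iamRole must be provided when roleSessionName is provided");
        this.allowedIamRoles = ImmutableSet.copyOf(
                Objects.requireNonNull(allowedIamRoles, "allowedIamRoles is null").orElse(ImmutableList.of()));

        this.kmsKeyId = Objects.requireNonNull(kmsKeyId, "kmsKeyId is null");
        this.allowedKmsKeyIds = ImmutableSet.copyOf(
                Objects.requireNonNull(allowedKmsKeyIds, "allowedKmsKeyIds is null").orElse(ImmutableList.of()));

        Objects.requireNonNull(accessKey, "accessKey is null");
        Objects.requireNonNull(secretKey, "secretKey is null");
        Preconditions.checkArgument(
                accessKey.isPresent() == secretKey.isPresent(),
                "accessKey and secretKey must be provided together");
        // secretKey.get() is safe: the check above guarantees it is present whenever accessKey is.
        this.credentials = accessKey.map(key -> new BasicAWSCredentials(key, secretKey.get()));

        this.useClusterDefault = Objects.requireNonNull(useClusterDefault, "useClusterDefault is null").orElse(false);
        // Exactly one of "cluster default" and "explicit role/credentials" must be configured,
        // so a rule can neither grant nothing nor mix the default with an override.
        boolean hasExplicitAccess = !this.allowedIamRoles.isEmpty() || iamRole.isPresent() || this.credentials.isPresent();
        Preconditions.checkArgument(
                this.useClusterDefault ^ hasExplicitAccess,
                "must either allow useClusterDefault role or provide role and/or credentials");
        Preconditions.checkArgument(
                !(this.useClusterDefault && this.kmsKeyId.isPresent()),
                "KMS key ID cannot be provided together with useClusterDefault");

        this.endpoint = Objects.requireNonNull(endpoint, "endpoint is null");
    }

    /**
     * Tests whether this rule applies to the given identity and S3 location.
     *
     * @param connectorIdentity identity whose user name and groups are checked
     * @param uri location being accessed
     * @return {@code true} only if the user, group, and prefix matchers all accept
     */
    public boolean matches(ConnectorIdentity connectorIdentity, URI uri) {
        return this.user.test(connectorIdentity.getUser())
                && this.group.test(connectorIdentity.getGroups())
                && this.prefix.test(uri);
    }

    /** Returns the IAM role configured for this rule, if any. */
    public Optional<String> getIamRole() {
        return this.iamRole;
    }

    /** Returns the immutable set of IAM roles this rule permits; empty when none were configured. */
    public Set<String> getAllowedIamRoles() {
        return this.allowedIamRoles;
    }

    /** Returns the KMS key ID configured for this rule, if any. */
    public Optional<String> getKmsKeyId() {
        return this.kmsKeyId;
    }

    /** Returns the immutable set of KMS key IDs this rule permits; empty when none were configured. */
    public Set<String> getAllowedKmsKeyIds() {
        return this.allowedKmsKeyIds;
    }

    /** Returns the static access-key/secret-key pair for this rule, if one was configured. */
    public Optional<BasicAWSCredentials> getCredentials() {
        return this.credentials;
    }

    /** Returns whether this rule uses the cluster default instead of an explicit role or credentials. */
    public boolean isUseClusterDefault() {
        return this.useClusterDefault;
    }

    /** Returns the S3 endpoint override for this rule, if any. */
    public Optional<String> getEndpoint() {
        return this.endpoint;
    }

    /** Returns the role session name for this rule, if any. */
    public Optional<String> getRoleSessionName() {
        return this.roleSessionName;
    }

    @Override
    public String toString() {
        // NOTE(review): "credentials" is rendered through BasicAWSCredentials' own toString();
        // confirm the SDK class does not print the secret key before this output reaches logs.
        return MoreObjects.toStringHelper(this)
                .add("user", this.user)
                .add("group", this.group)
                .add("prefix", this.prefix)
                .add("iamRole", this.iamRole)
                .add("roleSessionName", this.roleSessionName.orElse(null))
                .add("allowedIamRoles", this.allowedIamRoles)
                .add("kmsKeyId", this.kmsKeyId)
                .add("allowedKmsKeyIds", this.allowedKmsKeyIds)
                .add("credentials", this.credentials)
                .add("useClusterDefault", this.useClusterDefault)
                .add("endpoint", this.endpoint.orElse(null))
                .toString();
    }

    /**
     * Validates a configured prefix and returns a matcher for locations under it.
     *
     * <p>The matcher compares bucket names for equality and then applies
     * {@link String#startsWith(String)} to the paths. There is no check that the match ends
     * on a {@code /} boundary, so sibling keys sharing the textual prefix also match.
     *
     * @throws IllegalArgumentException if the scheme is not {@code s3} or a query or fragment is present
     */
    private static Predicate<URI> prefixPredicate(URI uri) {
        Preconditions.checkArgument("s3".equals(uri.getScheme()), "prefix URI scheme is not 's3': %s", uri);
        Preconditions.checkArgument(uri.getQuery() == null, "prefix URI must not contain query: %s", uri);
        Preconditions.checkArgument(uri.getFragment() == null, "prefix URI must not contain fragment: %s", uri);
        return location -> TrinoS3FileSystem.extractBucketName(uri).equals(TrinoS3FileSystem.extractBucketName(location))
                && location.getPath().startsWith(uri.getPath());
    }

    /** Adapts a regex to a predicate that requires the entire input string to match. */
    private static Predicate<String> toPredicate(Pattern pattern) {
        return value -> pattern.matcher(value).matches();
    }

    /** Lifts an element predicate to a collection predicate that accepts when any element matches. */
    private static <T> Predicate<Collection<T>> anyMatch(Predicate<T> predicate) {
        return values -> values.stream().anyMatch(predicate);
    }
}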
