package org.apache.hadoop.fs.s3a.auth.delegation;

import java.io.IOException;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentialBinding;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentialProvider;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentials;
import org.apache.hadoop.fs.s3a.auth.RoleModel;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.thirdparty.com.google.common.base.Preconditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:paimon-plugin-s3.jar:org/apache/hadoop/fs/s3a/auth/delegation/RoleTokenBinding.class */
public class RoleTokenBinding extends SessionTokenBinding {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) RoleTokenBinding.class);
    private static final RoleModel MODEL = new RoleModel();
    private static final String NAME = "RoleCredentials/001";

    @VisibleForTesting
    public static final String E_NO_ARN = "No role ARN defined in fs.s3a.assumed.role.arn";
    public static final String COMPONENT = "Role Delegation Token";
    private String roleArn;

    public RoleTokenBinding() {
        super(NAME, DelegationConstants.ROLE_TOKEN_KIND);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService, org.apache.hadoop.service.AbstractService
    public void serviceInit(Configuration configuration) throws Exception {
        super.serviceInit(configuration);
        this.roleArn = getConfig().getTrimmed("fs.s3a.assumed.role.arn", "");
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding, org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier abstractS3ATokenIdentifier) throws IOException {
        RoleTokenIdentifier roleTokenIdentifier = (RoleTokenIdentifier) convertTokenIdentifier(abstractS3ATokenIdentifier, RoleTokenIdentifier.class);
        setTokenIdentifier(Optional.of(roleTokenIdentifier));
        MarshalledCredentials marshalledCredentials = roleTokenIdentifier.getMarshalledCredentials();
        setExpirationDateTime(marshalledCredentials.getExpirationDateTime());
        return new AWSCredentialProviderList("Role Token Binding", new MarshalledCredentialProvider(COMPONENT, getStoreContext().getFsURI(), getConfig(), marshalledCredentials, MarshalledCredentials.CredentialTypeRequired.SessionOnly));
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding, org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public RoleTokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> optional, EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        requireServiceStarted();
        Preconditions.checkState(!this.roleArn.isEmpty(), E_NO_ARN);
        return new RoleTokenIdentifier(getCanonicalUri(), getOwnerText(), text, MarshalledCredentialBinding.fromSTSCredentials(prepareSTSClient().orElseThrow(() -> {
            LOG.error("Cannot issue delegation tokens because the credential providers listed in fs.s3a.aws.credentials.provider are returning session tokens");
            return new DelegationTokenIOException(DelegationConstants.E_NO_SESSION_TOKENS_FOR_ROLE_BINDING);
        }).requestRole(this.roleArn, UUID.randomUUID().toString(), optional.isPresent() ? MODEL.toJson(optional.get()) : "", getDuration(), TimeUnit.SECONDS)), encryptionSecrets, AbstractS3ATokenIdentifier.createDefaultOriginMessage() + " Role ARN=" + this.roleArn);
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding, org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public RoleTokenIdentifier createEmptyIdentifier() {
        return new RoleTokenIdentifier();
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding, org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public String getDescription() {
        return super.getDescription() + " Role ARN=" + (this.roleArn.isEmpty() ? "(none)" : '\"' + this.roleArn + '\"');
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding
    protected String bindingName() {
        return "Role";
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding, org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public /* bridge */ /* synthetic */ SessionTokenIdentifier createTokenIdentifier(Optional optional, EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        return createTokenIdentifier((Optional<RoleModel.Policy>) optional, encryptionSecrets, text);
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding, org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    public /* bridge */ /* synthetic */ AbstractS3ATokenIdentifier createTokenIdentifier(Optional optional, EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        return createTokenIdentifier((Optional<RoleModel.Policy>) optional, encryptionSecrets, text);
    }
}
