package software.amazon.awssdk.services.ssooidc;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.function.Function;
import java.util.function.Supplier;
import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.annotations.ThreadSafe;
import software.amazon.awssdk.auth.token.credentials.SdkToken;
import software.amazon.awssdk.auth.token.credentials.SdkTokenProvider;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.awscore.internal.token.CachedTokenRefresher;
import software.amazon.awssdk.awscore.internal.token.TokenManager;
import software.amazon.awssdk.awscore.internal.token.TokenRefresher;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.services.ssooidc.internal.OnDiskTokenManager;
import software.amazon.awssdk.services.ssooidc.internal.SsoOidcToken;
import software.amazon.awssdk.services.ssooidc.internal.SsoOidcTokenTransformer;
import software.amazon.awssdk.services.ssooidc.model.CreateTokenRequest;
import software.amazon.awssdk.utils.Logger;
import software.amazon.awssdk.utils.SdkAutoCloseable;
import software.amazon.awssdk.utils.Validate;

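/**
 * Token provider that serves SSO OIDC tokens from an on-disk token cache and renews them through
 * {@code SsoOidcClient.createToken} with the {@code refresh_token} grant.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>The cached token for the configured session name is loaded via {@link OnDiskTokenManager}.</li>
 *   <li>If its expiration lies beyond both {@code now + staleTime} and {@code now + prefetchTime}, it is
 *       returned unchanged.</li>
 *   <li>Otherwise a new token is requested using the cached client id, client secret and refresh token,
 *       written back through the token manager and returned.</li>
 *   <li>{@link #resolveToken()} rejects any token that is already expired, including one returned by the
 *       service-failure fallback.</li>
 * </ol>
 *
 * <p>Security notes for reviewers: the cached token object carries the client secret and refresh token
 * that are sent on renewal, so the cache managed by {@link OnDiskTokenManager} holds renewal credentials
 * and not only the short-lived access token. Where and with which permissions that cache is stored is
 * decided by {@code OnDiskTokenManager}, which is not part of this file. Keep token objects and
 * {@code CreateTokenRequest} instances out of log statements.
 *
 * <p>Defaults: stale time of 1 minute, prefetch time of 5 minutes, asynchronous refresh disabled.
 */
@ThreadSafe
@SdkPublicApi
public final class SsoOidcTokenProvider implements SdkTokenProvider, SdkAutoCloseable {
    private static final Duration DEFAULT_STALE_DURATION = Duration.ofMinutes(1);
    private static final Duration DEFAULT_PREFETCH_DURATION = Duration.ofMinutes(5);
    private static final Logger log = Logger.loggerFor(SsoOidcTokenProvider.class);
    private final TokenManager<SsoOidcToken> onDiskTokenManager;
    private final TokenRefresher<SsoOidcToken> tokenRefresher;
    private final SsoOidcClient ssoOidcClient;
    private final Duration staleTime;
    private final Duration prefetchTime;

    /**
     * Builder for {@link SsoOidcTokenProvider}. {@code sessionName} and {@code ssoOidcClient} are
     * mandatory; the durations fall back to the class defaults when left unset.
     */
    public interface Builder {
        /** Session name handed to {@code OnDiskTokenManager.create} to locate the cached token. */
        Builder sessionName(String str);

        /** Client used to call {@code createToken} when the cached token needs renewal. */
        Builder ssoOidcClient(SsoOidcClient ssoOidcClient);

        /** Stale window; {@code null} selects the 1 minute default. */
        Builder staleTime(Duration duration);

        /** Prefetch window; {@code null} selects the 5 minute default. */
        Builder prefetchTime(Duration duration);

        /** Forwarded to the refresher's {@code asyncRefreshEnabled} setting. */
        Builder asyncTokenUpdateEnabled(Boolean bool);

        /** Builds the provider; fails if a mandatory value is missing. */
        SsoOidcTokenProvider build();
    }

    /**
     * Default {@link Builder} implementation.
     *
     * <p>The decompiler reported that it widened this class's access modifier from {@code private};
     * the modifier is left as found here so the visible signature of this listing does not change.
     * The constructor stays private, so instances are only created through
     * {@link SsoOidcTokenProvider#builder()}.
     */
    public static class BuilderImpl implements Builder {
        private String sessionName;
        private SsoOidcClient ssoOidcClient;
        private Duration staleTime;
        private Duration prefetchTime;
        private Boolean asyncTokenUpdateEnabled;

        private BuilderImpl() {
            // Asynchronous refresh is opt-in.
            this.asyncTokenUpdateEnabled = false;
        }

        @Override
        public Builder sessionName(String str) {
            this.sessionName = str;
            return this;
        }

        @Override
        public Builder ssoOidcClient(SsoOidcClient ssoOidcClient) {
            this.ssoOidcClient = ssoOidcClient;
            return this;
        }

        @Override
        public Builder staleTime(Duration duration) {
            this.staleTime = duration;
            return this;
        }

        @Override
        public Builder prefetchTime(Duration duration) {
            this.prefetchTime = duration;
            return this;
        }

        @Override
        public Builder asyncTokenUpdateEnabled(Boolean bool) {
            // NOTE(review): a null argument is passed on unchanged to asyncRefreshEnabled(...);
            // how the refresher treats null is not visible in this file.
            this.asyncTokenUpdateEnabled = bool;
            return this;
        }

        @Override
        public SsoOidcTokenProvider build() {
            return new SsoOidcTokenProvider(this);
        }
    }

    /**
     * Wires the on-disk token manager and the caching refresher from the builder state.
     *
     * @param builderImpl builder holding the configuration; {@code sessionName} and
     *                    {@code ssoOidcClient} must be non-null
     */
    private SsoOidcTokenProvider(BuilderImpl builderImpl) {
        Validate.paramNotNull(builderImpl.sessionName, "sessionName");
        Validate.paramNotNull(builderImpl.ssoOidcClient, "ssoOidcClient");
        this.ssoOidcClient = builderImpl.ssoOidcClient;
        this.staleTime = builderImpl.staleTime == null ? DEFAULT_STALE_DURATION : builderImpl.staleTime;
        this.prefetchTime = builderImpl.prefetchTime == null ? DEFAULT_PREFETCH_DURATION : builderImpl.prefetchTime;
        this.onDiskTokenManager = OnDiskTokenManager.create(builderImpl.sessionName);
        this.tokenRefresher = CachedTokenRefresher.builder()
            .tokenRetriever(getDefaultSsoTokenRetriever(this.ssoOidcClient, this.onDiskTokenManager,
                                                        this.staleTime, this.prefetchTime))
            .exceptionHandler(exceptionHandler())
            .prefetchTime(this.prefetchTime)
            .staleDuration(this.staleTime)
            .asyncRefreshEnabled(builderImpl.asyncTokenUpdateEnabled)
            .build();
    }

    /**
     * Failure policy for the refresher.
     *
     * <p>Anything other than an {@link AwsServiceException} is rethrown. A service-side failure is
     * logged at warn level and answered with the token currently on disk; that token is not
     * re-validated here, and {@link #resolveToken()} still refuses it once it has expired.
     */
    private Function<SdkException, SsoOidcToken> exceptionHandler() {
        return sdkException -> {
            if (!(sdkException instanceof AwsServiceException)) {
                throw sdkException;
            }
            log.warn(() -> "Failed to fetch token.", sdkException);
            return (SsoOidcToken) this.onDiskTokenManager.loadToken()
                .orElseThrow(() -> SdkClientException.create("Unable to load SSO token"));
        };
    }

    /**
     * Returns a currently valid token, refreshing it first when the refresher considers it stale.
     *
     * @return the resolved token
     * @throws SdkClientException if the resolved token is expired or carries no expiration time
     */
    @Override
    public SdkToken resolveToken() {
        SsoOidcToken ssoOidcToken = (SsoOidcToken) this.tokenRefresher.refreshIfStaleAndFetch();
        // Final gate: never hand out a token past its expiry, whichever path produced it.
        if (isExpired(ssoOidcToken)) {
            throw SdkClientException.create("Token is expired");
        }
        return ssoOidcToken;
    }

    /** Creates a new builder for this provider. */
    public static Builder builder() {
        return new BuilderImpl();
    }

    /** Closes the underlying token refresher. */
    @Override
    public void close() {
        this.tokenRefresher.close();
    }

    /** Returns {@code true} when the current time is after the token's expiration. */
    private boolean isExpired(SsoOidcToken ssoOidcToken) {
        return Instant.now().isAfter(requireExpiration(ssoOidcToken));
    }

    /**
     * Returns {@code true} when the token expires later than {@code now + duration}.
     *
     * <p>Despite the name, {@code true} means the token does not need refreshing for this window yet.
     */
    private static boolean isWithinRefreshWindow(SsoOidcToken ssoOidcToken, Duration duration) {
        return requireExpiration(ssoOidcToken).isAfter(Instant.now().plus(duration));
    }

    /**
     * Reads the expiration time, failing with an {@link SdkClientException} instead of the bare
     * {@code NoSuchElementException} an unchecked {@code Optional.get()} would raise.
     */
    private static Instant requireExpiration(SsoOidcToken ssoOidcToken) {
        return ssoOidcToken.expirationTime()
            .orElseThrow(() -> SdkClientException.create("Token has no expiration time"));
    }

    /**
     * Checks that a token loaded from disk carries a token value and an expiration time.
     *
     * <p>{@code expirationTime()} returns an optional value, so a null check alone can never detect a
     * missing expiration; presence is checked explicitly. Whether {@code SsoOidcToken} can actually
     * be built without an expiration is not visible in this file.
     */
    private static void validateToken(SsoOidcToken ssoOidcToken) {
        Validate.notNull(ssoOidcToken.token(), "token cannot be null");
        Validate.notNull(ssoOidcToken.expirationTime(), "expirationTime cannot be null");
        Validate.isTrue(ssoOidcToken.expirationTime().isPresent(), "expirationTime cannot be empty");
    }

    /**
     * Builds the supplier the refresher calls to obtain a token.
     *
     * @param ssoOidcClient client used for the {@code createToken} call
     * @param tokenManager  cache the token is loaded from and the renewed token is stored to
     * @param staleTime     stale window checked against the cached token's expiration
     * @param prefetchTime  prefetch window checked against the cached token's expiration
     * @return supplier yielding either the cached token or a freshly created one
     */
    private static Supplier<SsoOidcToken> getDefaultSsoTokenRetriever(SsoOidcClient ssoOidcClient,
                                                                      TokenManager<SsoOidcToken> tokenManager,
                                                                      Duration staleTime,
                                                                      Duration prefetchTime) {
        return () -> {
            SsoOidcToken cachedToken = (SsoOidcToken) tokenManager.loadToken()
                .orElseThrow(() -> SdkClientException.create("Unable to load SSO token"));
            validateToken(cachedToken);

            // Reuse the cached token only while it outlives both windows.
            if (isWithinRefreshWindow(cachedToken, staleTime) && isWithinRefreshWindow(cachedToken, prefetchTime)) {
                return cachedToken;
            }

            // The request carries the client secret and refresh token read from the cache; do not log it.
            // build() replaces the decompiler-renamed m36build(), which is not a method of the real builder.
            CreateTokenRequest request = (CreateTokenRequest) CreateTokenRequest.builder()
                .grantType("refresh_token")
                .clientId(cachedToken.clientId())
                .clientSecret(cachedToken.clientSecret())
                .refreshToken(cachedToken.refreshToken())
                .build();
            SsoOidcToken renewedToken = SsoOidcTokenTransformer.create(cachedToken)
                .transform(ssoOidcClient.createToken(request));
            tokenManager.storeToken(renewedToken);
            return renewedToken;
        };
    }
}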
