package io.jenkins.plugins.pipeline_cloudwatch_logs;

import com.amazonaws.SdkBaseException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.logs.AWSLogs;
import com.amazonaws.services.logs.AWSLogsClientBuilder;
import com.amazonaws.services.logs.model.CreateLogStreamRequest;
import com.amazonaws.services.logs.model.DescribeLogStreamsRequest;
import com.amazonaws.services.logs.model.DescribeLogStreamsResult;
import com.amazonaws.services.logs.model.GetLogEventsRequest;
import com.amazonaws.services.logs.model.InputLogEvent;
import com.amazonaws.services.logs.model.InvalidParameterException;
import com.amazonaws.services.logs.model.InvalidSequenceTokenException;
import com.amazonaws.services.logs.model.LogStream;
import com.amazonaws.services.logs.model.PutLogEventsRequest;
import com.amazonaws.services.logs.model.PutLogEventsResult;
import com.amazonaws.services.logs.model.RejectedLogEventsInfo;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.ExtensionList;
import hudson.Util;
import hudson.remoting.Channel;
import io.jenkins.plugins.aws.global_configuration.CredentialsAwsGlobalConfiguration;
import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.security.HMACConfidentialKey;
import jenkins.security.SlaveToMasterCallable;
import jenkins.util.JenkinsJVM;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState.class */
public abstract class LogStreamState {
    private static final Logger LOGGER;
    private static final Map<String, LogStreamState> states;
    private static final HMACConfidentialKey TOKENS;
    protected final String logGroupName;
    protected final String logStreamNameBase;

    @NonNull
    private final BlockingQueue<InputLogEvent> events;
    private long lastOffered;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState$AgentState.class */
    public static final class AgentState extends LogStreamState {

        @NonNull
        private final String token;

        @CheckForNull
        private AWSLogs client;

        @Nullable
        private String logStreamName;

        @NonNull
        private final Channel channel;

        AgentState(String str, String str2, String str3, Channel channel) {
            super(str, str2);
            this.token = str3;
            this.channel = channel;
            JenkinsJVM.checkNotJenkinsJVM();
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected String token() {
            return this.token;
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected synchronized AWSLogs client() throws IOException, InterruptedException {
            if (this.client == null) {
                Auth auth = (Auth) this.channel.call(new Authenticate(this.logGroupName, this.logStreamNameBase, this.token));
                this.client = auth.client();
                this.logStreamName = auth.logStreamName;
            }
            return this.client;
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected String logStreamName() throws IOException, InterruptedException {
            client();
            return this.logStreamName;
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected synchronized void ensureRunning() {
            if (this.client == null) {
                schedule();
            }
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected synchronized void shutDown() {
            if (this.client != null) {
                this.client.shutdown();
                this.client = null;
                try {
                    this.channel.callAsync(new NotifyShutdown(this.logGroupName, this.logStreamNameBase, this.token, this.logStreamName));
                } catch (Exception e) {
                    LogStreamState.LOGGER.log(Level.WARNING, (String) null, (Throwable) e);
                }
                this.logStreamName = null;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState$Auth.class */
    public static final class Auth implements Serializable {
        private static final long serialVersionUID = 1;

        @CheckForNull
        final String accessKeyId;

        @Nullable
        final String secretAccessKey;

        @Nullable
        final String sessionToken;

        @CheckForNull
        final String region;

        @NonNull
        final String logStreamName;

        @SuppressFBWarnings(value = {"SE_TRANSIENT_FIELD_NOT_RESTORED"}, justification = "only used in validation")
        final transient boolean restricted;

        Auth(Credentials credentials, String str, String str2) {
            this(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken(), str, str2, true);
        }

        Auth(AWSSessionCredentials aWSSessionCredentials, String str, String str2) {
            this(aWSSessionCredentials.getAWSAccessKeyId(), aWSSessionCredentials.getAWSSecretKey(), aWSSessionCredentials.getSessionToken(), str, str2, false);
        }

        Auth(String str, String str2) {
            this(null, null, null, str, str2, false);
        }

        private Auth(String str, String str2, String str3, String str4, String str5, boolean z) {
            this.accessKeyId = str;
            this.secretAccessKey = str2;
            this.sessionToken = str3;
            this.region = str4;
            this.logStreamName = str5;
            this.restricted = z;
        }

        AWSLogs client() {
            AWSLogsClientBuilder aWSLogsClientBuilder;
            if (this.accessKeyId != null) {
                aWSLogsClientBuilder = AWSLogsClientBuilder.standard();
                if (this.region != null) {
                    aWSLogsClientBuilder = (AWSLogsClientBuilder) aWSLogsClientBuilder.withRegion(this.region);
                }
                aWSLogsClientBuilder.withCredentials(new AWSStaticCredentialsProvider(new BasicSessionCredentials(this.accessKeyId, this.secretAccessKey, this.sessionToken)));
            } else {
                try {
                    aWSLogsClientBuilder = CloudWatchAwsGlobalConfiguration.getAWSLogsClientBuilder(this.region, null);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
            return (AWSLogs) aWSLogsClientBuilder.build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState$Authenticate.class */
    public static final class Authenticate extends SecuredCallable<Auth, IOException> {
        private static final long serialVersionUID = 1;

        Authenticate(String str, String str2, String str3) {
            super(str, str2, str3);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState.SecuredCallable
        public Auth doCall(MasterState masterState) throws IOException {
            Auth authenticate = masterState.authenticate();
            masterState.create(authenticate.logStreamName);
            return authenticate;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState$MasterState.class */
    public static final class MasterState extends LogStreamState {

        @CheckForNull
        private AWSLogs client;
        private final Set<String> agentLogStreamNames;

        private MasterState(String str, String str2) {
            super(str, str2);
            this.agentLogStreamNames = new HashSet();
            JenkinsJVM.checkJenkinsJVM();
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected String token() {
            return LogStreamState.TOKENS.mac(LogStreamState.key(this.logGroupName, this.logStreamNameBase));
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected synchronized AWSLogs client() throws IOException {
            if (this.client == null) {
                this.client = (AWSLogs) ((CloudWatchAwsGlobalConfiguration) ExtensionList.lookupSingleton(CloudWatchAwsGlobalConfiguration.class)).getAWSLogsClientBuilder().build();
            }
            return this.client;
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected String logStreamName() {
            return this.logStreamNameBase + "@master";
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected void ensureRunning() throws IOException {
            boolean z;
            synchronized (this) {
                z = this.client == null;
            }
            if (z) {
                create(logStreamName());
                schedule();
            }
        }

        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState
        protected synchronized void shutDown() {
            if (this.client != null) {
                this.client.shutdown();
                this.client = null;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void create(String str) throws IOException {
            AWSLogs client = client();
            boolean z = false;
            String str2 = null;
            do {
                DescribeLogStreamsResult describeLogStreams = client.describeLogStreams(new DescribeLogStreamsRequest(this.logGroupName).withLogStreamNamePrefix(str).withNextToken(str2));
                Iterator it = describeLogStreams.getLogStreams().iterator();
                while (it.hasNext()) {
                    if (((LogStream) it.next()).getLogStreamName().equals(str)) {
                        z = true;
                    }
                }
                str2 = describeLogStreams.getNextToken();
                if (z) {
                    break;
                }
            } while (str2 != null);
            if (z) {
                return;
            }
            LogStreamState.LOGGER.log(Level.FINE, "Creating {0}", str);
            client.createLogStream(new CreateLogStreamRequest(this.logGroupName, str));
        }

        Auth authenticate() throws IOException {
            String str;
            AWSSecurityTokenServiceClientBuilder standard = AWSSecurityTokenServiceClientBuilder.standard();
            CredentialsAwsGlobalConfiguration credentialsAwsGlobalConfiguration = CredentialsAwsGlobalConfiguration.get();
            String region = credentialsAwsGlobalConfiguration.getRegion();
            if (region != null) {
                standard = (AWSSecurityTokenServiceClientBuilder) standard.withRegion(region);
            }
            AWSCredentialsImpl credentials = credentialsAwsGlobalConfiguration.getCredentials();
            if (credentials != null) {
                standard.withCredentials(new AWSStaticCredentialsProvider(credentials.getCredentials()));
            }
            AWSCredentialsProvider credentials2 = standard.getCredentials();
            AWSCredentials credentials3 = credentials2 != null ? credentials2.getCredentials() : null;
            synchronized (this.agentLogStreamNames) {
                int i = 1;
                while (true) {
                    str = this.logStreamNameBase + "@agent" + i;
                    if (this.agentLogStreamNames.add(str)) {
                        break;
                    }
                    i++;
                }
            }
            if (!(credentials3 instanceof AWSSessionCredentials)) {
                return credentials3 == null ? new Auth(region, str) : getFederationToken(standard, region, str);
            }
            String str2 = null;
            if (credentials instanceof AWSCredentialsImpl) {
                str2 = Util.fixEmpty(credentials.getIamRoleArn());
            }
            return str2 != null ? assumeRole(str2, region, str) : new Auth((AWSSessionCredentials) credentials3, region, str);
        }

        private Auth assumeRole(String str, String str2, String str3) {
            AWSSecurityTokenServiceClientBuilder standard = AWSSecurityTokenServiceClientBuilder.standard();
            if (str2 != null) {
                standard = (AWSSecurityTokenServiceClientBuilder) standard.withRegion(str2);
            }
            Auth auth = new Auth(((AWSSecurityTokenService) standard.build()).assumeRole(new AssumeRoleRequest().withRoleArn(str).withRoleSessionName("CloudWatchSender").withPolicy(policy(str3))).getCredentials(), str2, str3);
            LogStreamState.LOGGER.log(Level.FINE, "AssumeRole succeeded; using {0}", auth.accessKeyId);
            return auth;
        }

        private Auth getFederationToken(AWSSecurityTokenServiceClientBuilder aWSSecurityTokenServiceClientBuilder, String str, String str2) {
            Auth auth = new Auth(((AWSSecurityTokenService) aWSSecurityTokenServiceClientBuilder.build()).getFederationToken(new GetFederationTokenRequest().withName("CloudWatchSender").withPolicy(policy(str2))).getCredentials(), str, str2);
            LogStreamState.LOGGER.log(Level.FINE, "GetFederationToken succeeded; using {0}", auth.accessKeyId);
            return auth;
        }

        private String policy(String str) {
            return "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"logs:PutLogEvents\", \"logs:GetLogEvents\"], \"Resource\": [\"arn:aws:logs:*:*:log-group:" + this.logGroupName + ":log-stream:" + str + "\"]}]}";
        }

        void notifyShutdown(String str) {
            synchronized (this.agentLogStreamNames) {
                this.agentLogStreamNames.remove(str);
            }
        }
    }

    /* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState$NotifyShutdown.class */
    private static final class NotifyShutdown extends SecuredCallable<Void, RuntimeException> {
        private static final long serialVersionUID = 1;
        private final String agentLogStreamName;

        NotifyShutdown(String str, String str2, String str3, String str4) {
            super(str, str2, str3);
            this.agentLogStreamName = str4;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // io.jenkins.plugins.pipeline_cloudwatch_logs.LogStreamState.SecuredCallable
        public Void doCall(MasterState masterState) {
            if (!this.agentLogStreamName.startsWith(this.logStreamNameBase + "@")) {
                throw new SecurityException();
            }
            masterState.notifyShutdown(this.agentLogStreamName);
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/jenkins/plugins/pipeline_cloudwatch_logs/LogStreamState$SecuredCallable.class */
    public static abstract class SecuredCallable<V, T extends Throwable> extends SlaveToMasterCallable<V, T> {
        private static final long serialVersionUID = 1;
        protected final String logGroupName;
        protected final String logStreamNameBase;
        private final String token;

        protected SecuredCallable(String str, String str2, String str3) {
            this.logGroupName = str;
            this.logStreamNameBase = str2;
            this.token = str3;
        }

        public V call() throws Throwable {
            MasterState masterState = (MasterState) LogStreamState.onMaster(this.logGroupName, this.logStreamNameBase);
            if (LogStreamState.TOKENS.checkMac(LogStreamState.key(this.logGroupName, this.logStreamNameBase), this.token)) {
                return doCall(masterState);
            }
            throw new SecurityException();
        }

        protected abstract V doCall(MasterState masterState) throws Throwable;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String key(String str, String str2) {
        return str + "#" + str2;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static LogStreamState onMaster(String str, String str2) {
        return states.computeIfAbsent(key(str, str2), str3 -> {
            return new MasterState(str, str2);
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static LogStreamState onAgent(String str, String str2, String str3, Channel channel) {
        return states.computeIfAbsent(key(str, str2), str4 -> {
            return new AgentState(str, str2, str3, channel);
        });
    }

    private LogStreamState(String str, String str2) {
        this.events = new ArrayBlockingQueue(10000);
        this.logGroupName = str;
        this.logStreamNameBase = str2;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @CheckForNull
    public static String validate(@NonNull String str) throws IOException {
        Auth authenticate = ((MasterState) onMaster(str, "__example__")).authenticate();
        if (authenticate.restricted) {
            return null;
        }
        return authenticate.accessKeyId != null ? "Giving up on limiting session credentials to a policy; using " + authenticate.accessKeyId + " as is" : "No AWS credentials to be found, giving up on limiting to a policy";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NonNull
    public abstract String token();

    @NonNull
    protected abstract AWSLogs client() throws IOException, InterruptedException;

    @NonNull
    protected abstract String logStreamName() throws IOException, InterruptedException;

    protected abstract void ensureRunning() throws IOException;

    protected abstract void shutDown();

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean offer(InputLogEvent inputLogEvent) throws IOException, InterruptedException {
        ensureRunning();
        this.lastOffered = Math.max(this.lastOffered, inputLogEvent.getTimestamp().longValue());
        return this.events.offer(inputLogEvent, 1L, TimeUnit.MINUTES);
    }

    protected void schedule() {
        new Thread(this::process, "CloudWatch Logs delivery: " + this.logGroupName + "/" + this.logStreamNameBase).start();
    }

    private void process() {
        RejectedLogEventsInfo rejectedLogEventsInfo;
        try {
            String logStreamName = logStreamName();
            AWSLogs client = client();
            String str = null;
            while (true) {
                ArrayList arrayList = new ArrayList();
                if (this.events.drainTo(arrayList) != 0) {
                    if (!$assertionsDisabled && arrayList.isEmpty()) {
                        break;
                    }
                    arrayList.sort(Comparator.comparing((v0) -> {
                        return v0.getTimestamp();
                    }));
                    while (true) {
                        try {
                            PutLogEventsResult putLogEvents = client.putLogEvents(new PutLogEventsRequest().withLogGroupName(this.logGroupName).withLogStreamName(logStreamName).withSequenceToken(str).withLogEvents(arrayList));
                            str = putLogEvents.getNextSequenceToken();
                            rejectedLogEventsInfo = putLogEvents.getRejectedLogEventsInfo();
                            break;
                        } catch (SdkBaseException e) {
                            LOGGER.log(Level.FINE, "retrying", e);
                            try {
                                Thread.sleep(1000L);
                            } catch (InterruptedException e2) {
                                LOGGER.log(Level.WARNING, (String) null, (Throwable) e2);
                            }
                        } catch (InvalidSequenceTokenException e3) {
                            LOGGER.fine("Recovering from InvalidSequenceTokenException");
                            str = e3.getExpectedSequenceToken();
                        } catch (InvalidParameterException e4) {
                            LOGGER.log(Level.WARNING, (String) null, e4);
                            shutDown();
                            return;
                        } catch (RuntimeException e5) {
                            LOGGER.log(Level.WARNING, "giving up on this stream", (Throwable) e5);
                            shutDown();
                            return;
                        }
                    }
                    if (rejectedLogEventsInfo != null) {
                        LOGGER.log(Level.WARNING, "Rejected some log events: {0}", rejectedLogEventsInfo);
                    }
                    LOGGER.log(Level.FINER, "sent {0} events @{1} from {2}", new Object[]{Integer.valueOf(arrayList.size()), ((InputLogEvent) arrayList.get(arrayList.size() - 1)).getTimestamp(), logStreamName});
                } else {
                    LOGGER.log(Level.FINEST, "waiting for events from {0}", new Object[]{logStreamName});
                    try {
                        Thread.sleep(200L);
                    } catch (InterruptedException e6) {
                        LOGGER.log(Level.WARNING, (String) null, (Throwable) e6);
                    }
                }
            }
            throw new AssertionError();
        } catch (Exception e7) {
            LOGGER.log(Level.WARNING, (String) null, (Throwable) e7);
            shutDown();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void flush() throws IOException {
        LOGGER.log(Level.FINE, "flushing {0}", this.logStreamNameBase);
        long nanoTime = System.nanoTime();
        while (System.nanoTime() - nanoTime < TimeUnit.MINUTES.toNanos(1L)) {
            try {
                if (this.events.isEmpty()) {
                    if (this.lastOffered <= 0) {
                        LOGGER.log(Level.FINER, "no events delivered in {0}", this.logStreamNameBase);
                        return;
                    }
                    LOGGER.log(Level.FINER, "all events up to {0} delivered in {1}; confirming receipt", new Object[]{Long.valueOf(this.lastOffered), this.logStreamNameBase});
                    String logStreamName = logStreamName();
                    if (!client().getLogEvents(new GetLogEventsRequest(this.logGroupName, logStreamName).withLimit(1).withStartTime(Long.valueOf(this.lastOffered))).getEvents().isEmpty()) {
                        LOGGER.log(Level.FINER, "confirmed event delivery in {0} with timestamp={1}", new Object[]{logStreamName, Long.valueOf(this.lastOffered)});
                        return;
                    }
                    LOGGER.log(Level.FINER, "delivered an event in {0} with timestamp={1} but it has not yet been received", new Object[]{logStreamName, Long.valueOf(this.lastOffered)});
                }
                Thread.sleep(100L);
            } catch (IOException e) {
                LOGGER.log(Level.FINER, (String) null, (Throwable) e);
                throw e;
            } catch (Exception e2) {
                LOGGER.log(Level.FINER, (String) null, (Throwable) e2);
                throw new IOException(e2);
            }
        }
        throw new IOException("there are still unflushed log events");
    }

    static {
        $assertionsDisabled = !LogStreamState.class.desiredAssertionStatus();
        LOGGER = Logger.getLogger(LogStreamState.class.getName());
        states = new ConcurrentHashMap();
        TOKENS = new HMACConfidentialKey(MasterState.class, "TOKENS");
    }
}
