package org.apache.ranger.audit.destination;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.logs.AWSLogs;
import com.amazonaws.services.logs.AWSLogsClientBuilder;
import com.amazonaws.services.logs.model.CreateLogStreamRequest;
import com.amazonaws.services.logs.model.InputLogEvent;
import com.amazonaws.services.logs.model.InvalidSequenceTokenException;
import com.amazonaws.services.logs.model.PutLogEventsRequest;
import java.util.Collection;
import java.util.Comparator;
import java.util.Properties;
import java.util.stream.Collectors;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.audit.model.AuditEventBase;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.audit.provider.MiscUtil;

@ThreadSafe
/* loaded from: input_file:org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.class */
public class AmazonCloudWatchAuditDestination extends AuditDestination {
    private static Log LOG = LogFactory.getLog(AmazonCloudWatchAuditDestination.class);
    public static final String PROP_LOG_GROUP_NAME = "log_group";
    public static final String PROP_LOG_STREAM_PREFIX = "log_stream_prefix";
    public static final String CONFIG_PREFIX = "ranger.audit.amazon_cloudwatch";
    private static final String PROP_AWS_CUSTOM_CRED_PROVIDER = "credprovider";
    private String logStreamPrefix;
    private String logGroupName;
    private String logStreamName;
    private AWSLogs logsClient;
    private String sequenceToken;
    private String credsProviderClassName;

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.BaseAuditHandler, org.apache.ranger.audit.provider.AuditHandler
    public void init(Properties properties, String str) {
        LOG.info("init() called for AmazonCloudWatchAuditDestination");
        super.init(properties, str);
        this.logStreamPrefix = MiscUtil.getStringProperty(properties, str + "." + PROP_LOG_STREAM_PREFIX);
        this.logGroupName = MiscUtil.getStringProperty(properties, str + "." + PROP_LOG_GROUP_NAME);
        this.logStreamName = this.logStreamPrefix + MiscUtil.generateUniqueId();
        this.credsProviderClassName = MiscUtil.getStringProperty(properties, str + "." + PROP_AWS_CUSTOM_CRED_PROVIDER);
        this.logsClient = getClient();
        createLogStream();
        sendTestEvent();
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.AuditHandler
    public void stop() {
        super.stop();
        logStatus();
    }

    @Override // org.apache.ranger.audit.provider.AuditHandler
    public synchronized boolean log(Collection<AuditEventBase> collection) {
        boolean z = false;
        try {
            this.sequenceToken = pushLogEvents(new PutLogEventsRequest().withLogEvents(toInputLogEvent(collection)).withLogGroupName(this.logGroupName).withLogStreamName(this.logStreamName).withSequenceToken(this.sequenceToken), false, getClient());
            addSuccessCount(collection.size());
            z = true;
        } catch (Throwable th) {
            addFailedCount(collection.size());
            LOG.error("Failed to send audit events", th);
        }
        return z;
    }

    private void sendTestEvent() {
        AuthzAuditEvent authzAuditEvent = new AuthzAuditEvent();
        authzAuditEvent.setAdditionalInfo(String.format("Starting Amazon CloudWatch Log Audit destination on %s", this.logStreamPrefix));
        pushLogEvents(new PutLogEventsRequest().withLogEvents(new InputLogEvent().withMessage(MiscUtil.stringify(authzAuditEvent)).withTimestamp(Long.valueOf(System.currentTimeMillis()))).withLogGroupName(this.logGroupName).withLogStreamName(this.logStreamName).withSequenceToken(this.sequenceToken), false, this.logsClient);
    }

    private String pushLogEvents(PutLogEventsRequest putLogEventsRequest, boolean z, AWSLogs aWSLogs) {
        try {
            return aWSLogs.putLogEvents(putLogEventsRequest).getNextSequenceToken();
        } catch (InvalidSequenceTokenException e) {
            if (z) {
                LOG.error("Unexpected invalid sequence token. Possible race condition occurred");
                throw e;
            }
            LOG.info("Invalid sequence token. Plugin possibly restarted. Updating the sequence token and retrying");
            putLogEventsRequest.setSequenceToken(e.getExpectedSequenceToken());
            return pushLogEvents(putLogEventsRequest, true, aWSLogs);
        }
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.AuditHandler
    public void flush() {
    }

    static Collection<InputLogEvent> toInputLogEvent(Collection<AuditEventBase> collection) {
        return (Collection) collection.stream().map(auditEventBase -> {
            return new InputLogEvent().withMessage(MiscUtil.stringify(auditEventBase)).withTimestamp(Long.valueOf(auditEventBase.getEventTime().getTime()));
        }).sorted(Comparator.comparingLong((v0) -> {
            return v0.getTimestamp();
        })).collect(Collectors.toList());
    }

    private void createLogStream() {
        AWSLogs client = getClient();
        CreateLogStreamRequest withLogStreamName = new CreateLogStreamRequest().withLogGroupName(this.logGroupName).withLogStreamName(this.logStreamName);
        LOG.info(String.format("Creating Log Stream `%s` in Log Group `%s`", this.logStreamName, this.logGroupName));
        client.createLogStream(withLogStreamName);
    }

    private AWSLogs getClient() {
        if (this.logsClient == null) {
            synchronized (AmazonCloudWatchAuditDestination.class) {
                if (this.logsClient == null) {
                    this.logsClient = newClient();
                }
            }
        }
        return this.logsClient;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private AWSLogs newClient() {
        if (StringUtils.isBlank(this.credsProviderClassName)) {
            return AWSLogsClientBuilder.standard().build();
        }
        return ((AWSLogsClientBuilder) AWSLogsClientBuilder.standard().withCredentials(loadProvider(this.credsProviderClassName))).build();
    }

    private AWSCredentialsProvider loadProvider(String str) {
        LOG.info(String.format("Loading credentials provider: %s", str));
        try {
            return (AWSCredentialsProvider) Class.forName(str).newInstance();
        } catch (Exception e) {
            LOG.error("Failed to load credentials provider", e);
            throw new RuntimeException(e);
        }
    }
}
