package org.apache.knox.gateway.service.idbroker.aws;

import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.regions.AwsRegionProviderChain;
import com.amazonaws.regions.DefaultAwsRegionProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.AssumedRoleUser;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;
import com.amazonaws.services.securitytoken.model.MalformedPolicyDocumentException;
import com.amazonaws.services.securitytoken.model.PackedPolicyTooLargeException;
import com.amazonaws.services.securitytoken.model.RegionDisabledException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.SerializationUtils;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient;
import org.apache.knox.gateway.service.idbroker.CloudClientConfiguration;
import org.apache.knox.gateway.service.idbroker.IdentityBrokerConfigException;
import org.apache.knox.gateway.service.idbroker.IdentityBrokerResource;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.EncryptionResult;
import org.apache.knox.gateway.util.JsonUtils;

/* loaded from: input_file:org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.class */
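/**
 * AWS implementation of the Cloud Access Broker credentials client.
 *
 * <p>The broker authenticates to STS with its <em>own</em> credentials (cluster aliases first, then the
 * EC2 instance profile), calls {@code AssumeRole} for the role resolved for the caller, and hands the
 * resulting temporary credentials back as JSON. Assumed-role results are cached per role ARN in the
 * superclass-provided {@code credentialCache}, encrypted under the cluster key so that plaintext
 * session secrets are not held in the cache.
 *
 * <p>Thread-safety: {@link #getSTSClient()} and {@link #getClientIdentity()} initialise their fields
 * lazily without a lock; a concurrent first call may do the work twice, which is harmless.
 */
public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient {
    private static final String NAME = "AWS";
    /** Prefix of the STS RoleSessionName; this name is what identifies the session in the account's audit trail. */
    private static final String CAB_SESSION_NAME_PREFIX = "CAB-SESSION-";
    /** Configuration property naming the region whose STS endpoint should be used. */
    private static final String AWS_REGION_PROPERTY = "aws.region.name";
    /** Configuration property for the requested AssumeRole session duration in seconds. */
    private static final String TOKEN_LIFETIME_PROPERTY = "token.lifetime";
    /** Key of the single field in error response bodies. */
    private static final String ERROR_KEY = "error";
    private static final AWSClientMessages LOG = (AWSClientMessages) MessagesFactory.get(AWSClientMessages.class);
    private static final AwsRegionProviderChain DEFAULT_AWS_REGION_PROVIDER_CHAIN = new DefaultAwsRegionProviderChain();

    /** Lazily built by {@link #getSTSClient()}. */
    private AWSSecurityTokenService stsClient;
    /** ARN of the broker's own STS identity, resolved lazily and only used to enrich error messages. */
    private String stsClientIdentity;
    /** Region name from configuration, or {@code null} to fall back to the SDK's default region chain. */
    protected String regionName;
    /** Requested AssumeRole duration in seconds; defaults to one hour. */
    protected int tokenLifetime = 3600;

    /**
     * Supplies the broker's own AWS access key and secret from the cluster-scoped alias service.
     *
     * <p>Returns {@code null} credentials (rather than throwing) when either alias is missing so that
     * {@link KnoxAWSCredentialsProviderList} can fall through to the instance profile.
     */
    private class AliasServiceAWSCredentialsProvider implements AWSCredentialsProvider {
        static final String KEY_ALIAS_NAME = "aws.credentials.key";
        static final String SECRET_ALIAS_NAME = "aws.credentials.secret";

        private AliasServiceAWSCredentialsProvider() {
        }

        /**
         * @return credentials built from both aliases, or {@code null} if either alias is absent or
         *         could not be read
         */
        @Override
        public AWSCredentials getCredentials() {
            final String accessKey = getClusterAliasValue(KEY_ALIAS_NAME);
            final String secretKey = getClusterAliasValue(SECRET_ALIAS_NAME);
            if (accessKey == null || secretKey == null) {
                return null;
            }
            return new AWSCredentials() {
                @Override
                public String getAWSAccessKeyId() {
                    return accessKey;
                }

                @Override
                public String getAWSSecretKey() {
                    return secretKey;
                }
            };
        }

        /**
         * Reads one alias for the current topology.
         *
         * @param alias alias name to look up
         * @return the alias value, or {@code null} if it is not provisioned or the alias service fails
         *         (both cases are logged, never thrown)
         */
        private String getClusterAliasValue(String alias) {
            try {
                char[] secret = KnoxAWSClient.this.aliasService.getPasswordFromAliasForCluster(KnoxAWSClient.this.topologyName, alias);
                if (secret == null) {
                    KnoxAWSClient.LOG.aliasConfigurationError(alias);
                    return null;
                }
                return new String(secret);
            } catch (AliasServiceException e) {
                KnoxAWSClient.LOG.logException(e);
                return null;
            }
        }

        /** Alias values are read fresh on every {@link #getCredentials()} call, so there is nothing to refresh. */
        @Override
        public void refresh() {
        }
    }

    /**
     * Ordered provider: cluster aliases first, then the EC2 instance profile.
     *
     * <p>Decompiler note: the original access modifier of this class was {@code private}; it is kept
     * {@code public} here only to avoid changing the recovered interface.
     */
    public class KnoxAWSCredentialsProviderList implements AWSCredentialsProvider {
        AWSCredentialsProvider aliasCredsProvider;
        AWSCredentialsProvider ipCredsProvider;
        /** Whichever provider supplied credentials last; {@link #refresh()} is delegated to it. */
        AWSCredentialsProvider credsProvider;

        private KnoxAWSCredentialsProviderList() {
            this.aliasCredsProvider = new AliasServiceAWSCredentialsProvider();
            // 'true' enables the SDK's background refresh of instance-profile credentials.
            this.ipCredsProvider = new InstanceProfileCredentialsProvider(true);
        }

        /**
         * @return credentials from the first provider that yields any
         * @throws RuntimeException wrapping an {@link IdentityBrokerConfigException} when neither aliases
         *         nor an instance profile supply credentials
         */
        @Override
        public AWSCredentials getCredentials() {
            credsProvider = aliasCredsProvider;
            AWSCredentials credentials = credsProvider.getCredentials();
            if (credentials == null) {
                credsProvider = ipCredsProvider;
                try {
                    credentials = credsProvider.getCredentials();
                } catch (Exception e) {
                    // The instance-profile provider throws when no profile is attached; treat that as "none".
                    KnoxAWSClient.LOG.cabConfigurationError(e.getMessage());
                }
            }
            if (credentials == null) {
                throw new RuntimeException(new IdentityBrokerConfigException("Missing required credential provisioning for Cloud Access Broker. It is expected that keys and secrets be provisioned as aliases or that Cloud Access Broker be running on a node with an Instance Profile attached."));
            }
            return credentials;
        }

        @Override
        public void refresh() {
            if (credsProvider != null) {
                credsProvider.refresh();
            }
        }
    }

    /**
     * Builds (once) the STS client used for AssumeRole and GetCallerIdentity.
     *
     * <p>When a region is known the regional STS endpoint is set explicitly; the hostname pattern is
     * the standard {@code aws} partition, so other partitions would need a different endpoint.
     * Without a region the client falls back to {@code us-east-1}.
     */
    private AWSSecurityTokenService getSTSClient() {
        if (stsClient == null) {
            AWSSecurityTokenServiceClientBuilder builder =
                AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new KnoxAWSCredentialsProviderList());
            Regions region = getRegion();
            if (region == null) {
                builder.withRegion(Regions.US_EAST_1);
            } else {
                String endpoint = String.format(Locale.ROOT, "https://sts.%s.amazonaws.com", region.getName());
                builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, region.getName()));
            }
            stsClient = (AWSSecurityTokenService) builder.build();
        }
        return stsClient;
    }

    /**
     * Reads {@code aws.region.name} and {@code token.lifetime} after the superclass initialisation.
     *
     * @param properties service configuration
     * @throws IllegalArgumentException if {@code token.lifetime} is present but not an integer; values
     *         outside the range STS accepts are not validated here and are rejected by STS at AssumeRole time
     */
    @Override
    public void init(Properties properties) {
        super.init(properties);
        regionName = properties.getProperty(AWS_REGION_PROPERTY);
        String lifetime = properties.getProperty(TOKEN_LIFETIME_PROPERTY);
        if (lifetime == null || lifetime.isEmpty()) {
            return; // keep the default
        }
        try {
            tokenLifetime = Integer.parseInt(lifetime);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("token.lifetime configuration property value must be an integer.", e);
        }
    }

    /**
     * Resolves the broker's own identity ARN via GetCallerIdentity, caching the answer.
     *
     * <p>This runs from error paths only, so a failure here must not mask the error being reported:
     * SDK failures are logged and {@code "Undetermined"} is returned instead.
     */
    private String getClientIdentity() {
        if (stsClientIdentity == null) {
            try {
                GetCallerIdentityResult identity = getSTSClient().getCallerIdentity(new GetCallerIdentityRequest());
                if (identity != null) {
                    stsClientIdentity = identity.getArn();
                }
            } catch (SdkClientException e) {
                LOG.logException(e);
            }
        }
        return stsClientIdentity == null ? "Undetermined" : stsClientIdentity;
    }

    /** Credentials for the role resolved for the current caller by the superclass. */
    @Override
    public Object getCredentials() {
        return getCredentialsForRole(getRole());
    }

    /**
     * @param roleArn ARN of the role to assume
     * @return JSON string with {@code Credentials} and {@code AssumedRoleUser} objects
     */
    @Override
    public Object getCredentialsForRole(String roleArn) {
        return convertToJSON(getAssumeRoleResultCached(getConfigProvider().getConfig(), roleArn));
    }

    /**
     * Returns the AssumeRole result for {@code roleArn}, serving it from {@code credentialCache} when present.
     *
     * <p>Cache entries are keyed by role ARN only, so every caller resolved to the same role shares one
     * session. Entries are stored as {@link EncryptionResult}s produced with the cluster credential-cache
     * alias and decrypted on every read; the bytes deserialised here are ones this process serialised
     * and encrypted itself, never external input. Expiry of cached entries is governed by the
     * superclass cache configuration (not visible here).
     *
     * @throws WebApplicationException 500 if the cache loader fails with a checked exception; a
     *         {@link WebApplicationException} raised by {@link #getAssumeRoleResult} (e.g. 403) is
     *         unwrapped and rethrown with its original status
     */
    private AssumeRoleResult getAssumeRoleResultCached(CloudClientConfiguration config, String roleArn) {
        try {
            EncryptionResult encrypted = (EncryptionResult) credentialCache.get(roleArn, () ->
                cryptoService.encryptForCluster(topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS,
                    SerializationUtils.serialize(getAssumeRoleResult(config, roleArn))));
            byte[] plain = cryptoService.decryptForCluster(topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS,
                encrypted.cipher, encrypted.iv, encrypted.salt);
            return (AssumeRoleResult) SerializationUtils.deserialize(plain);
        } catch (ExecutionException e) {
            LOG.cacheException(roleArn, e.toString());
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        } catch (RuntimeException e) {
            // Cache implementations commonly wrap an unchecked loader failure in their own unchecked
            // exception; surface the loader's HTTP error as-is rather than as a generic 500.
            Throwable cause = e.getCause();
            if (cause instanceof WebApplicationException) {
                throw (WebApplicationException) cause;
            }
            throw e;
        }
    }

    /**
     * Performs the STS AssumeRole call and maps failures to HTTP errors.
     *
     * <p>Error bodies are rendered through {@link JsonUtils} so that the role ARN (caller-controlled)
     * and AWS messages are properly escaped instead of being spliced into a JSON template.
     *
     * @throws WebApplicationException with the STS status code for policy/region errors, 403 when the
     *         broker is not allowed to assume the role, and 500 for any other runtime failure
     */
    private AssumeRoleResult getAssumeRoleResult(CloudClientConfiguration config, String roleArn) {
        // Specific STS exceptions must be caught before RuntimeException, which they extend.
        try {
            AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleSessionName(generateRoleSessionName())
                .withRoleArn(roleArn)
                .withDurationSeconds(tokenLifetime);
            return getSTSClient().assumeRole(request);
        } catch (MalformedPolicyDocumentException | PackedPolicyTooLargeException | RegionDisabledException e) {
            String message = String.format(Locale.ROOT,
                "Cloud Access Broker (%s) could not assume the resolved role %s: %s", getClientIdentity(), roleArn, e.getMessage());
            throw new WebApplicationException(Response.status(e.getStatusCode()).entity(errorJson(message)).build());
        } catch (AWSSecurityTokenServiceException e) {
            String clientIdentity = getClientIdentity();
            LOG.assumeRoleDisallowed(clientIdentity, roleArn, e.getMessage());
            String message = String.format(Locale.ROOT,
                "Cloud Access Broker (%s) is not permitted to assume the resolved role %s", clientIdentity, roleArn);
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorJson(message)).build());
        } catch (RuntimeException e) {
            Throwable cause = e.getCause();
            String message;
            if (cause instanceof IdentityBrokerConfigException) {
                // Raised by KnoxAWSCredentialsProviderList when the broker has no credentials of its own.
                message = cause.getMessage();
                LOG.cabConfigurationError(cause.getMessage());
            } else {
                message = e.getMessage();
                LOG.logException(e);
            }
            throw new WebApplicationException(Response.serverError().entity(errorJson(message)).build());
        }
    }

    /** Renders {@code {"error": message}} with proper JSON escaping of the message. */
    private static String errorJson(String message) {
        Map<String, Object> body = new HashMap<>();
        body.put(ERROR_KEY, String.valueOf(message));
        return JsonUtils.renderAsJsonString(body);
    }

    /**
     * Session name for the assumed role. Two requests in the same millisecond produce the same name,
     * which makes them indistinguishable in the account's audit trail.
     */
    private String generateRoleSessionName() {
        return CAB_SESSION_NAME_PREFIX + System.currentTimeMillis();
    }

    /**
     * Region from configuration, else from the SDK's default provider chain, else {@code null}.
     *
     * <p>A configured name that is not a known {@link Regions} value causes {@code Regions.fromName} to
     * throw, which surfaces as a 500 from {@link #getAssumeRoleResult}. Chain failures are logged and
     * treated as "no region".
     */
    private Regions getRegion() {
        if (regionName != null) {
            Regions configured = Regions.fromName(regionName);
            if (configured != null) {
                return configured;
            }
        }
        try {
            String fromChain = DEFAULT_AWS_REGION_PROVIDER_CHAIN.getRegion();
            return fromChain == null ? null : Regions.fromName(fromChain);
        } catch (SdkClientException e) {
            LOG.logException(e);
            return null;
        }
    }

    @Override
    public String getName() {
        return NAME;
    }

    /**
     * Converts the AssumeRole result to the response JSON. This is the payload handed to the caller and
     * contains the session secret; it must never be logged.
     */
    private String convertToJSON(AssumeRoleResult result) {
        Credentials creds = result.getCredentials();
        Map<String, Object> credentialsNode = new HashMap<>();
        credentialsNode.put("AccessKeyId", creds.getAccessKeyId());
        credentialsNode.put("SecretAccessKey", creds.getSecretAccessKey());
        credentialsNode.put("SessionToken", creds.getSessionToken());
        credentialsNode.put("Expiration", creds.getExpiration());

        AssumedRoleUser user = result.getAssumedRoleUser();
        Map<String, Object> userNode = new HashMap<>();
        userNode.put("AssumedRole", user.getAssumedRoleId());
        userNode.put("Arn", user.getArn());

        Map<String, Object> root = new HashMap<>();
        root.put("Credentials", credentialsNode);
        root.put("AssumedRoleUser", userNode);
        return JsonUtils.renderAsJsonString(root);
    }
}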
