package com.datapipe.jenkins.vault;

import com.amazonaws.DefaultRequest;
import com.amazonaws.auth.AWS4Signer;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.http.HttpMethodName;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.util.RuntimeHttpUtils;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.api.Auth;
import com.bettercloud.vault.json.JsonArray;
import com.bettercloud.vault.json.JsonObject;
import com.datapipe.jenkins.vault.exception.VaultPluginException;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Util;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:com/datapipe/jenkins/vault/AwsHelper.class */
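/**
 * Builds a SigV4-signed STS {@code GetCallerIdentity} request and exchanges it for a Vault
 * client token through Vault's AWS IAM auth method.
 *
 * <p>Nothing here talks to STS directly: the request is signed locally, base64-encoded and
 * handed to Vault, which replays it against STS to establish who the caller is.
 */
public class AwsHelper {
    private static final Logger LOGGER = Logger.getLogger(AwsHelper.class.getName());

    /**
     * A signed {@code GetCallerIdentity} request, base64-encoded in the three pieces that
     * {@link Auth#loginByAwsIam} expects (URL, body, headers).
     */
    private static class EncodedIdentityRequest {

        /** Base64 of a JSON object mapping each request header to a single-element array of its value. */
        @NonNull
        public final String encodedHeaders;

        /** Base64 of the form-encoded request body ({@link #DATA}). */
        @NonNull
        public final String encodedBody;

        /** Base64 of the full request URL, as rebuilt from the signed request. */
        @NonNull
        public final String encodedUrl;

        private static final String DATA = "Action=GetCallerIdentity&Version=2011-06-15";
        // Global STS endpoint; this is the URL Vault receives and replays the request against.
        private static final String ENDPOINT = "https://sts.amazonaws.com";
        private static final String VAULT_SESSION_NAME = "vault-jenkins";

        /**
         * Builds and signs the identity request.
         *
         * @param aWSCredentials credentials to sign with; when {@code null} they are resolved from the
         *        default provider chain, assuming {@code str} through STS first when one is given
         * @param str ARN of an IAM role to assume before signing; only consulted when
         *        {@code aWSCredentials} is {@code null}, may itself be {@code null} or empty
         * @param str2 value for the {@code X-Vault-AWS-IAM-Server-ID} header; the header is omitted
         *        when this is {@code null} or empty
         * @throws IOException if the request body cannot be re-read for encoding
         * @throws URISyntaxException if {@link #ENDPOINT} is not a valid URI (it is a constant, so
         *         this is not expected in practice)
         */
        EncodedIdentityRequest(@CheckForNull AWSCredentials aWSCredentials, @CheckForNull String str, @CheckForNull String str2) throws IOException, URISyntaxException {
            AwsHelper.LOGGER.fine("Creating GetCallerIdentity request");
            DefaultRequest<Void> request = new DefaultRequest<>("sts");
            request.addHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
            if (StringUtils.isNotEmpty(str2)) {
                // Added before signing, so the header is covered by the signature and the request
                // can only be accepted by a Vault server configured with the same ID.
                request.addHeader("X-Vault-AWS-IAM-Server-ID", str2);
            }
            request.setContent(new ByteArrayInputStream(DATA.getBytes(StandardCharsets.UTF_8)));
            request.setHttpMethod(HttpMethodName.POST);
            request.setEndpoint(new URI(ENDPOINT));

            AWSCredentials signingCredentials = aWSCredentials != null ? aWSCredentials : resolveCredentials(str);

            AwsHelper.LOGGER.fine("Signing GetCallerIdentity request");
            AWS4Signer signer = new AWS4Signer();
            signer.setServiceName(request.getServiceName());
            signer.sign(request, signingCredentials);

            // Vault expects the headers as {name: [value]} JSON, then base64 of that JSON.
            Base64.Encoder encoder = Base64.getEncoder();
            JsonObject headers = new JsonObject();
            for (Map.Entry<String, String> header : request.getHeaders().entrySet()) {
                JsonArray values = new JsonArray();
                values.add(header.getValue());
                headers.add(header.getKey(), values);
            }
            this.encodedHeaders = encoder.encodeToString(headers.toString().getBytes(StandardCharsets.UTF_8));
            // The body is re-read from the request after signing; the stream is a ByteArrayInputStream,
            // so it can be consumed again here.
            this.encodedBody = encoder.encodeToString(IOUtils.toByteArray(request.getContent()));
            this.encodedUrl = encoder.encodeToString(RuntimeHttpUtils.convertRequestToUrl(request, true, true).toString().getBytes(StandardCharsets.UTF_8));
        }

        /**
         * Resolves signing credentials from the default provider chain, assuming {@code roleArn}
         * through STS first when one is given.
         *
         * <p>The assume-role provider and its STS client are created per login, so both are closed
         * as soon as the session credentials have been fetched rather than left for GC; the
         * returned credentials are a plain value and stay usable after the provider is closed.
         *
         * @param roleArn ARN of the IAM role to assume, or {@code null}/empty to use the chain directly
         * @return credentials suitable for signing the identity request
         */
        private static AWSCredentials resolveCredentials(@CheckForNull String roleArn) {
            AwsHelper.LOGGER.fine("Acquiring AWS credentials");
            AWSCredentials credentials;
            if (StringUtils.isEmpty(roleArn)) {
                credentials = new DefaultAWSCredentialsProviderChain().getCredentials();
            } else {
                AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                        .withCredentials(new DefaultAWSCredentialsProviderChain())
                        .build();
                try (STSAssumeRoleSessionCredentialsProvider provider =
                        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, VAULT_SESSION_NAME)
                                .withStsClient(sts)
                                .build()) {
                    credentials = provider.getCredentials();
                } finally {
                    sts.shutdown();
                }
            }
            // Only the key ID reaches the log; the secret key and any session token are never logged.
            AwsHelper.LOGGER.log(Level.FINER, "AWS Access Key ID: {0}", credentials.getAWSAccessKeyId());
            return credentials;
        }
    }

    /**
     * Logs in to Vault's AWS IAM auth method with a freshly signed identity request and returns
     * the resulting client token.
     *
     * @param auth the Vault auth API to log in through
     * @param aWSCredentials credentials used to sign the identity request; {@code null} resolves them
     *        from the default provider chain (assuming {@code str2} first when given)
     * @param str passed as the role argument of {@link Auth#loginByAwsIam}; blank is trimmed to
     *        {@code null} before the call
     * @param str2 ARN of an IAM role to assume via STS before signing; only used when
     *        {@code aWSCredentials} is {@code null}
     * @param str3 value for the {@code X-Vault-AWS-IAM-Server-ID} header, omitted when empty
     * @param str4 passed as the last (auth path) argument of {@link Auth#loginByAwsIam}, presumably the
     *        mount of the AWS auth method; blank is trimmed to {@code null} before the call
     * @return the Vault client token
     * @throws VaultPluginException if the signed request could not be built, or Vault rejected the login
     */
    @NonNull
    public static String getToken(@NonNull Auth auth, @CheckForNull AWSCredentials aWSCredentials, @CheckForNull String str, @CheckForNull String str2, @CheckForNull String str3, @CheckForNull String str4) throws VaultPluginException {
        EncodedIdentityRequest identity;
        try {
            identity = new EncodedIdentityRequest(aWSCredentials, str2, str3);
        } catch (IOException | URISyntaxException e) {
            throw new VaultPluginException("could not get IAM request from AWS metadata", e);
        }
        try {
            return auth.loginByAwsIam(Util.fixEmptyAndTrim(str), identity.encodedUrl, identity.encodedBody, identity.encodedHeaders, Util.fixEmptyAndTrim(str4)).getAuthClientToken();
        } catch (VaultException e) {
            throw new VaultPluginException("could not log in into vault", e);
        }
    }
}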
