package io.jenkins.plugins.aws.global_configuration;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.model.Failure;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.util.Collections;
import java.util.Optional;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

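/**
 * Global configuration that stores an AWS region and the ID of a Jenkins-managed AWS credential,
 * and turns them into session credentials for AWS clients.
 *
 * <p>When a credential ID is configured and resolves to a stored credential, that credential is
 * used (and exchanged for a temporary STS session token if it is not already a session
 * credential). Otherwise the credentials attached to the supplied client builder are used.
 *
 * <p>Credential lookups in this class run as {@code ACL.SYSTEM}; the explicit
 * {@code Jenkins.ADMINISTER} checks are therefore the only access control on them.
 */
@Extension
@Symbol({"awsCredentials"})
/* loaded from: input_file:io/jenkins/plugins/aws/global_configuration/CredentialsAwsGlobalConfiguration.class */
public class CredentialsAwsGlobalConfiguration extends AbstractAwsGlobalConfiguration {
    // Lifetime, in seconds, requested for STS session tokens. Read once at class load from the
    // system property "<fully qualified class name>.sessionDuration"; defaults to 3600.
    // NOTE(review): the value is not range-checked here. STS documents 900-129600 seconds for
    // GetSessionToken, so an out-of-range property surfaces as a failed STS request - confirm
    // whether a local bounds check is wanted.
    private static int SESSION_DURATION =
            Integer.getInteger(CredentialsAwsGlobalConfiguration.class.getName() + ".sessionDuration", 3600);

    // AWS region name, or null when none was selected.
    private String region;

    // ID of the Jenkins credential to use, or null to fall back to the client builder's credentials.
    private String credentialsId;

    /** Creates the configuration and restores its persisted state via {@code load()}. */
    public CredentialsAwsGlobalConfiguration() {
        load();
    }

    /**
     * Creates the configuration without calling {@code load()}.
     *
     * @param z unused by this constructor; it only distinguishes the overload
     */
    @Restricted({NoExternalUse.class})
    protected CredentialsAwsGlobalConfiguration(boolean z) {
    }

    /** @return the configured AWS region name, or {@code null} if none is set */
    public String getRegion() {
        return this.region;
    }

    /**
     * Validates, stores and persists the AWS region.
     *
     * @param str region name; blank values are stored as {@code null}
     * @throws Failure if the value is not a region name known to {@link Regions}
     */
    @DataBoundSetter
    public void setRegion(String str) {
        // Validate before assigning: otherwise a rejected value would stay in the in-memory field
        // and be written to disk by the next save(), for example from setCredentialsId.
        checkValue(doCheckRegion(str));
        this.region = Util.fixEmpty(str);
        save();
    }

    /** @return the configured credential ID, or {@code null} if none is set */
    public String getCredentialsId() {
        return this.credentialsId;
    }

    /**
     * Stores and persists the credential ID.
     *
     * @param str credential ID; blank values are stored as {@code null}
     */
    @DataBoundSetter
    public void setCredentialsId(String str) {
        this.credentialsId = StringUtils.defaultIfBlank(str, (String) null);
        save();
    }

    /**
     * Resolves the currently configured credential.
     *
     * @return the stored credential, or {@code null} if none matches the configured ID
     */
    public AmazonWebServicesCredentials getCredentials() {
        return getCredentials(this.credentialsId);
    }

    /**
     * Resolves a stored AWS credential by ID.
     *
     * <p>The lookup itself is performed as {@code ACL.SYSTEM}, so it is not limited by the calling
     * user's view of the credential store. The {@code Jenkins.ADMINISTER} check must stay ahead of
     * it: it is what prevents a lower-privileged caller from resolving an arbitrary credential ID.
     *
     * @param str ID of the credential to find
     * @return the first credential whose ID equals {@code str}, or {@code null} if there is none
     */
    public AmazonWebServicesCredentials getCredentials(String str) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return CredentialsProvider.lookupCredentials(
                        AmazonWebServicesCredentials.class, Jenkins.get(), ACL.SYSTEM, Collections.emptyList())
                .stream()
                .filter(candidate -> candidate.getId().equals(str))
                .findFirst()
                .orElse(null);
    }

    /** Returns true when {@code id} is non-blank and resolves to a stored credential. */
    private boolean hasCredentialsConfigured(String id) {
        return StringUtils.isNotBlank(id) && getCredentials(id) != null;
    }

    /**
     * Builds session credentials from a stored Jenkins credential.
     *
     * <p>If the stored credential already yields session credentials they are returned as-is;
     * otherwise it is exchanged through STS, so the caller only ever receives a time-limited
     * credential set.
     *
     * @param regionName region for the STS client, or {@code null} to leave it unset
     * @param id ID of the stored credential
     * @throws IOException if the credential can no longer be found
     */
    private AWSSessionCredentials sessionCredentialsFromKeyAndSecret(String regionName, String id)
            throws IOException {
        AmazonWebServicesCredentials stored = getCredentials(id);
        if (stored == null) {
            // The caller checked for existence first, but that was a separate lookup; the
            // credential may have been removed in between. Fail with a clear message instead of
            // a NullPointerException.
            throw new IOException("No AWS credentials found with ID " + id);
        }
        AWSCredentials resolved = stored.getCredentials();
        if (resolved instanceof AWSSessionCredentials) {
            return (AWSSessionCredentials) resolved;
        }
        Credentials temporary = getSessionCredentials(new AWSStaticCredentialsProvider(resolved), regionName);
        return new BasicSessionCredentials(
                temporary.getAccessKeyId(), temporary.getSecretAccessKey(), temporary.getSessionToken());
    }

    /**
     * Requests a session token from STS using the given credentials.
     *
     * @param provider credentials used to sign the STS request
     * @param regionName region for the STS client; when {@code null} no region is set on the builder
     * @return the temporary credentials returned by {@code GetSessionToken}
     */
    private Credentials getSessionCredentials(AWSCredentialsProvider provider, String regionName) {
        AWSSecurityTokenServiceClientBuilder builder =
                AWSSecurityTokenServiceClientBuilder.standard().withCredentials(provider);
        if (regionName != null) {
            builder.withRegion(regionName);
        }
        AWSSecurityTokenService sts = builder.build();
        try {
            GetSessionTokenRequest request =
                    new GetSessionTokenRequest().withDurationSeconds(getSessionDuration());
            return sts.getSessionToken(request).getCredentials();
        } finally {
            // A new client is built on every call; release its resources once the token is fetched.
            sts.shutdown();
        }
    }

    /**
     * Takes session credentials from the credentials provider attached to the client builder.
     *
     * @throws IOException if the builder has no provider, the provider yields nothing, or the
     *     credentials it yields are not session credentials
     */
    private AWSSessionCredentials sessionCredentialsFromInstanceProfile(@Nonnull AwsClientBuilder<?, ?> awsClientBuilder) throws IOException {
        AWSCredentialsProvider provider = awsClientBuilder.getCredentials();
        if (provider == null) {
            throw new IOException("This client builder has no associated credentials");
        }
        AWSCredentials resolved = provider.getCredentials();
        if (resolved == null) {
            throw new IOException("Unable to get credentials from environment");
        }
        if (!(resolved instanceof AWSSessionCredentials)) {
            throw new IOException("No valid session credentials");
        }
        return (AWSSessionCredentials) resolved;
    }

    /**
     * Resolves session credentials using the region and credential ID stored in this configuration.
     *
     * @param awsClientBuilder builder whose credentials are used when no stored credential applies
     * @deprecated use {@link #sessionCredentials(AwsClientBuilder, String, String)} and pass the
     *     region and credential ID explicitly
     */
    @Deprecated
    public AWSSessionCredentials sessionCredentials(@Nonnull AwsClientBuilder<?, ?> awsClientBuilder) throws IOException {
        return sessionCredentials(awsClientBuilder, getRegion(), getCredentialsId());
    }

    /**
     * Resolves session credentials for an AWS client.
     *
     * <p>Every call performs a credential lookup guarded by {@code Jenkins.ADMINISTER}, so it
     * fails with an access error unless the current authentication holds that permission.
     *
     * @param awsClientBuilder builder whose credentials are used when {@code str2} is blank or
     *     does not resolve to a stored credential
     * @param str region name for the STS client, may be {@code null}
     * @param str2 ID of the stored credential to use, may be {@code null} or blank
     * @return session credentials from the stored credential or from the builder
     * @throws IOException if no usable session credentials can be obtained
     */
    public AWSSessionCredentials sessionCredentials(@Nonnull AwsClientBuilder<?, ?> awsClientBuilder, String str, String str2) throws IOException {
        return hasCredentialsConfigured(str2)
                ? sessionCredentialsFromKeyAndSecret(str, str2)
                : sessionCredentialsFromInstanceProfile(awsClientBuilder);
    }

    /** Converts an ERROR validation result into a {@link Failure}; other kinds pass through. */
    private void checkValue(@NonNull FormValidation formValidation) {
        if (formValidation.kind == FormValidation.Kind.ERROR) {
            throw new Failure(formValidation.getMessage());
        }
    }

    /** @return the lifetime, in seconds, requested for STS session tokens */
    public int getSessionDuration() {
        return SESSION_DURATION;
    }

    @Nonnull
    public String getDisplayName() {
        return "Amazon S3 Bucket Access settings";
    }

    /** @return the singleton instance registered as a Jenkins extension */
    @Nonnull
    public static CredentialsAwsGlobalConfiguration get() {
        return (CredentialsAwsGlobalConfiguration) ExtensionList.lookupSingleton(CredentialsAwsGlobalConfiguration.class);
    }

    /**
     * Fills the region drop-down with an "Auto" entry followed by every {@link Regions} value.
     * The list is built from the SDK enum only and exposes no instance data.
     */
    public ListBoxModel doFillRegionItems() {
        ListBoxModel items = new ListBoxModel();
        items.add("Auto", "");
        for (Regions candidate : Regions.values()) {
            items.add(candidate.getDescription(), candidate.getName());
        }
        return items;
    }

    /**
     * Fills the credentials drop-down with the instance-profile entry and all stored AWS
     * credentials.
     *
     * <p>The credentials are listed as {@code ACL.SYSTEM}, so the {@code Jenkins.ADMINISTER} check
     * and {@code @RequirePOST} are what keep non-administrators and cross-site GET requests from
     * enumerating them.
     */
    @RequirePOST
    public ListBoxModel doFillCredentialsIdItems() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        ListBoxModel items = new ListBoxModel();
        items.add("IAM instance Profile/user AWS configuration", "");
        items.addAll(CredentialsProvider.listCredentials(
                AmazonWebServicesCredentials.class,
                Jenkins.get(),
                ACL.SYSTEM,
                Collections.emptyList(),
                CredentialsMatchers.instanceOf(AmazonWebServicesCredentials.class)));
        return items;
    }

    /**
     * Checks that a region name is blank or known to {@link Regions}.
     *
     * @param str region name to check
     * @return an error result for an unknown region name, otherwise OK
     */
    // NOTE(review): this listing looks decompiled, so "str" is probably not the original
    // parameter name. @QueryParameter has no explicit name here - confirm which request
    // parameter it binds to before relying on this as a web-bound check.
    public FormValidation doCheckRegion(@QueryParameter String str) {
        if (StringUtils.isNotBlank(str)) {
            try {
                Regions.fromName(str);
            } catch (IllegalArgumentException ignored) {
                // An unknown region name is reported as a validation error, not an exception.
                return FormValidation.error("Region is not valid");
            }
        }
        return FormValidation.ok();
    }
}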
