package io.jenkins.plugins.aws.global_configuration;

import com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.model.Failure;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.util.Collections;
import java.util.Optional;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.regions.RegionMetadata;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetSessionTokenRequest;

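/**
 * Global Jenkins configuration holding the AWS region and the ID of the AWS credentials
 * used to obtain session credentials.
 *
 * <p>Both setters persist the configuration immediately through {@code save()}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Credential lookups in this class run as {@link ACL#SYSTEM} against the Jenkins root and
 *       perform no permission check of their own. Any code that can call
 *       {@link #getCredentials(String)} or {@link #sessionCredentials(String, String)} can resolve
 *       any AWS credential by ID, so callers must authorize the request themselves.</li>
 *   <li>{@link #sessionCredentials(String, String)} falls back to the default AWS provider chain
 *       when the credentials ID is blank <em>or does not match a stored credential</em>. A mistyped
 *       or deleted ID therefore silently uses the ambient identity of the Jenkins process.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; parameter names such as {@code str} are
 * generated, not the original ones.
 */
@Extension
@Symbol({"awsCredentials"})
/* loaded from: input_file:WEB-INF/lib/aws-global-configuration.jar:io/jenkins/plugins/aws/global_configuration/CredentialsAwsGlobalConfiguration.class */
public final class CredentialsAwsGlobalConfiguration extends AbstractAwsGlobalConfiguration {
    /**
     * Lifetime, in seconds, requested for session tokens. Read once at class initialisation from
     * the system property {@code <class name>.sessionDuration}, defaulting to 3600.
     *
     * <p>The value is not range-checked here; an out-of-range value is only rejected when the STS
     * call is made. A longer lifetime also lengthens the window in which a leaked token is usable.
     */
    // NOTE(review): left non-final as in the original; presumably so it can be adjusted at
    // runtime (for example from a script console) - confirm before making it final.
    private static int SESSION_DURATION =
            Integer.getInteger(CredentialsAwsGlobalConfiguration.class.getName() + ".sessionDuration", 3600);
    private String region;
    private String credentialsId;

    /** Creates the configuration and loads any previously saved state. */
    public CredentialsAwsGlobalConfiguration() {
        load();
    }

    /**
     * Creates the configuration without loading saved state.
     *
     * @param z unused
     */
    // NOTE(review): presumably a test-only constructor; the flag is never read.
    @Restricted({NoExternalUse.class})
    protected CredentialsAwsGlobalConfiguration(boolean z) {
    }

    /**
     * @return the configured region ID, or {@code null} when none is set
     */
    public String getRegion() {
        return this.region;
    }

    /**
     * Validates, stores and persists the region.
     *
     * <p>Validation runs before the field is assigned, so a rejected value never replaces the
     * current region, not even in memory.
     *
     * @param str region ID; empty is normalised to {@code null}
     * @throws Failure if {@link #doCheckRegion(String)} reports an error
     */
    @DataBoundSetter
    public void setRegion(String str) {
        checkValue(doCheckRegion(str));
        this.region = Util.fixEmpty(str);
        save();
    }

    /**
     * @return the configured credentials ID, or {@code null} when none is set
     */
    @CheckForNull
    public String getCredentialsId() {
        return this.credentialsId;
    }

    /**
     * Stores and persists the credentials ID. Blank input is stored as {@code null}.
     *
     * <p>The ID is not checked against the credentials store here.
     *
     * @param str credentials ID, may be {@code null}
     */
    @DataBoundSetter
    public void setCredentialsId(@CheckForNull String str) {
        this.credentialsId = StringUtils.defaultIfBlank(str, (String) null);
        save();
    }

    /**
     * Resolves the configured credentials.
     *
     * @return the credentials for the configured ID, or {@code null} when no ID is configured or
     *     no stored credential matches it
     */
    @CheckForNull
    public AmazonWebServicesCredentials getCredentials() {
        if (this.credentialsId == null) {
            return null;
        }
        return getCredentials(this.credentialsId);
    }

    /**
     * Looks up AWS credentials by ID.
     *
     * <p>The lookup runs as {@link ACL#SYSTEM} over the Jenkins root with no domain requirements,
     * and no permission of the calling user is checked. Callers exposing this to users must do
     * their own authorization.
     *
     * @param str credentials ID to find
     * @return the first matching credential, or {@code null} when none matches
     */
    @CheckForNull
    public AmazonWebServicesCredentials getCredentials(@NonNull String str) {
        return CredentialsProvider.lookupCredentials(
                        AmazonWebServicesCredentials.class, Jenkins.get(), ACL.SYSTEM, Collections.emptyList())
                .stream()
                .filter(candidate -> candidate.getId().equals(str))
                .findFirst()
                .orElse(null);
    }

    /**
     * Produces session credentials from a stored credential.
     *
     * <p>If the stored credential already resolves to session credentials they are returned
     * unchanged, so the configured session duration does not apply to them. Otherwise a session
     * token is requested from STS using the resolved credentials.
     *
     * @param str region ID for the STS client, or {@code null} to leave the region unset
     * @param amazonWebServicesCredentials the stored credential to resolve
     * @return session credentials
     */
    private AwsSessionCredentials sessionCredentialsFromKeyAndSecret(String str, @NonNull AmazonWebServicesCredentials amazonWebServicesCredentials) {
        // NOTE(review): the declared local type is decompiler-assigned. The instanceof test only
        // makes sense if resolveCredentials() returns the broader credentials type - confirm
        // against the original source before recompiling.
        AwsSessionCredentials resolveCredentials = amazonWebServicesCredentials.resolveCredentials();
        if (resolveCredentials instanceof AwsSessionCredentials) {
            return resolveCredentials;
        }
        Credentials issued = getSessionCredentials(StaticCredentialsProvider.create(resolveCredentials), str);
        return AwsSessionCredentials.create(issued.accessKeyId(), issued.secretAccessKey(), issued.sessionToken());
    }

    /**
     * Requests a session token from STS.
     *
     * @param awsCredentialsProvider credentials used to sign the STS request
     * @param str region ID for the client, or {@code null} to leave the region unset
     * @return the temporary credentials returned by STS, valid for {@link #getSessionDuration()}
     *     seconds as requested
     */
    private Credentials getSessionCredentials(AwsCredentialsProvider awsCredentialsProvider, String str) {
        StsClientBuilder builder = StsClient.builder().credentialsProvider(awsCredentialsProvider);
        if (str != null) {
            builder.region(Region.of(str));
        }
        GetSessionTokenRequest request =
                GetSessionTokenRequest.builder().durationSeconds(getSessionDuration()).build();
        // Close the client after the call; a new one is built on every invocation and would
        // otherwise leak its underlying HTTP resources.
        try (StsClient sts = builder.build()) {
            return sts.getSessionToken(request).credentials();
        }
    }

    /**
     * Resolves session credentials from the default AWS provider chain.
     *
     * @return session credentials from the default chain
     * @throws IOException if the default chain resolves to credentials that are not session
     *     credentials
     */
    private AwsSessionCredentials sessionCredentialsFromInstanceProfile() throws IOException {
        // NOTE(review): declared local type is decompiler-assigned; see the note in
        // sessionCredentialsFromKeyAndSecret.
        AwsSessionCredentials resolveCredentials = DefaultCredentialsProvider.create().resolveCredentials();
        if (resolveCredentials instanceof AwsSessionCredentials) {
            return resolveCredentials;
        }
        throw new IOException("No valid session credentials");
    }

    /**
     * Returns session credentials for the given region and credentials ID.
     *
     * <p>When {@code str2} is blank, or is non-blank but matches no stored credential, the default
     * AWS provider chain is used instead. The second case is silent: a wrong ID does not fail, it
     * switches to the ambient identity of the Jenkins process.
     *
     * <p>No permission check is made on the caller; see {@link #getCredentials(String)}.
     *
     * @param str region ID for the STS client, may be {@code null}
     * @param str2 credentials ID, may be blank
     * @return session credentials
     * @throws IOException if the default chain is used and yields no session credentials
     */
    public AwsSessionCredentials sessionCredentials(String str, String str2) throws IOException {
        AmazonWebServicesCredentials stored = StringUtils.isNotBlank(str2) ? getCredentials(str2) : null;
        if (stored != null) {
            return sessionCredentialsFromKeyAndSecret(str, stored);
        }
        return sessionCredentialsFromInstanceProfile();
    }

    /**
     * Turns a validation error into a {@link Failure}; other results are ignored.
     *
     * @param formValidation result to inspect
     */
    private void checkValue(@NonNull FormValidation formValidation) {
        if (formValidation.kind == FormValidation.Kind.ERROR) {
            throw new Failure(formValidation.getMessage());
        }
    }

    /**
     * @return the session token lifetime, in seconds, requested from STS
     */
    public int getSessionDuration() {
        return SESSION_DURATION;
    }

    /**
     * @return the label shown for this configuration section
     */
    @NonNull
    public String getDisplayName() {
        return "Amazon S3 Bucket Access settings";
    }

    /**
     * @return the singleton instance registered as an extension
     */
    @NonNull
    public static CredentialsAwsGlobalConfiguration get() {
        return ExtensionList.lookupSingleton(CredentialsAwsGlobalConfiguration.class);
    }

    /**
     * Fills the region drop-down with an "Auto" entry followed by every region known to the SDK.
     *
     * <p>No permission check is made; the list contains only static SDK region data.
     *
     * @return the list box entries
     */
    public ListBoxModel doFillRegionItems() {
        ListBoxModel items = new ListBoxModel();
        items.add("Auto", "");
        for (Region candidate : Region.regions()) {
            RegionMetadata metadata = RegionMetadata.of(candidate);
            // Fall back to the bare region ID when the SDK has no metadata for it.
            String label = metadata != null ? metadata.description() : candidate.id();
            items.add(label, candidate.id());
        }
        return items;
    }

    /**
     * Fills the credentials drop-down with every stored AWS credential.
     *
     * <p>Restricted to POST requests from users holding {@code Jenkins.ADMINISTER}, because the
     * listing itself runs as {@link ACL#SYSTEM} and would otherwise disclose credential IDs and
     * names to any user.
     *
     * @return the list box entries, starting with the instance profile option
     */
    @RequirePOST
    public ListBoxModel doFillCredentialsIdItems() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        ListBoxModel items = new ListBoxModel();
        items.add("IAM instance Profile/user AWS configuration", "");
        items.addAll(CredentialsProvider.listCredentials(
                AmazonWebServicesCredentials.class,
                Jenkins.get(),
                ACL.SYSTEM,
                Collections.emptyList(),
                CredentialsMatchers.instanceOf(AmazonWebServicesCredentials.class)));
        return items;
    }

    /**
     * Validates a region ID. Blank input is accepted; any other value must equal the ID of a
     * region known to the SDK.
     *
     * <p>Also called by {@link #setRegion(String)}. No permission check is made; only static SDK
     * region data is consulted.
     *
     * @param str region ID to check
     * @return {@code ok} for blank or known regions, otherwise an error
     */
    // NOTE(review): the parameter name is decompiler-generated. Stapler binds @QueryParameter by
    // parameter name when the annotation has no explicit value, so restore the original name (or
    // set the annotation value) before recompiling.
    public FormValidation doCheckRegion(@QueryParameter String str) {
        if (StringUtils.isBlank(str)) {
            return FormValidation.ok();
        }
        boolean known = Region.regions().stream().anyMatch(candidate -> candidate.id().equals(str));
        return known ? FormValidation.ok() : FormValidation.error("Region is not valid");
    }
}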
