package com.cloudbees.jenkins.plugins.awscredentials;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.cloudbees.plugins.credentials.CredentialsDescriptor;
import com.cloudbees.plugins.credentials.CredentialsScope;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ProxyConfiguration;
import hudson.Util;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.net.URI;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;

/* loaded from: input_file:com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.class */
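/**
 * Jenkins credential holding an AWS access key / secret key pair that can optionally
 * assume an IAM role through STS (with an external id and/or MFA) when resolved.
 *
 * <p>The secret key is stored as a {@link Secret} so it is encrypted at rest. Every
 * resolve call builds a fresh STS request; nothing is cached on the instance, which is
 * why the deprecated {@link #refresh()} has nothing to do. The only mutable field is the
 * STS token duration, which is {@code volatile} so a value set through the data-bound
 * setter is visible to other threads resolving credentials.
 */
public class AWSCredentialsImpl extends BaseAmazonWebServicesCredentials {
    private static final long serialVersionUID = -3167989896315282034L;
    // Logger category is shared with the base class (kept as in the original listing).
    private static final Logger LOGGER = Logger.getLogger(BaseAmazonWebServicesCredentials.class.getName());
    /** Default lifetime, in seconds, requested for STS session credentials. */
    public static final int STS_CREDENTIALS_DURATION_SECONDS = 3600;
    /** Session name attached to every AssumeRole call (it appears in the assumed-role ARN). */
    private static final String ROLE_SESSION_NAME = "Jenkins";

    /** AWS access key id; never null ({@link Util#fixNull}), may be empty. */
    private final String accessKey;
    /** AWS secret access key, encrypted at rest. */
    private final Secret secretKey;
    /** IAM role to assume, or empty for plain key-pair credentials. */
    private final String iamRoleArn;
    /** External id sent with AssumeRole (confused-deputy mitigation), or empty. */
    private final String iamExternalId;
    /** MFA device serial number; when set, resolving requires a one-time token. */
    private final String iamMfaSerialNumber;
    /** Requested STS token lifetime; {@code null} means {@link DescriptorImpl#DEFAULT_STS_TOKEN_DURATION}. */
    private volatile Integer stsTokenDuration;

    @Extension
    public static class DescriptorImpl extends CredentialsDescriptor {
        public static final Integer DEFAULT_STS_TOKEN_DURATION = Integer.valueOf(AWSCredentialsImpl.STS_CREDENTIALS_DURATION_SECONDS);

        @Override
        public String getDisplayName() {
            return Messages.AWSCredentialsImpl_DisplayName();
        }

        /**
         * Validates the submitted key pair by calling AWS with it; when an IAM role ARN is
         * given, the role is assumed first (with MFA when a serial number is configured).
         *
         * <p>All parameters carry an explicit {@code @QueryParameter} name: Stapler binds the
         * annotation value, not the Java parameter name, so the binding survives renames
         * (the decompiled listing had lost the name of the secret-key parameter, which an
         * unnamed annotation would have bound to a non-existent form field).
         *
         * @return {@code ok} for non-administrators or an empty form, an error for incomplete
         *         input or a failed AssumeRole, otherwise the outcome of a
         *         DescribeAvailabilityZones call with the resolved credentials
         */
        @POST // performs live AWS calls with the submitted key; must not be reachable via GET
        public FormValidation doCheckSecretKey(
                @QueryParameter("accessKey") String accessKey,
                @QueryParameter("iamRoleArn") String iamRoleArn,
                @QueryParameter("iamExternalId") String iamExternalId,
                @QueryParameter("iamMfaSerialNumber") String iamMfaSerialNumber,
                @QueryParameter("iamMfaToken") String iamMfaToken,
                @QueryParameter("stsTokenDuration") Integer stsTokenDuration,
                @QueryParameter("secretKey") String secretKey) {
            // Non-administrators get a neutral result instead of triggering AWS calls.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
            if (StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey)) {
                return FormValidation.ok();
            }
            if (StringUtils.isBlank(accessKey)) {
                return FormValidation.error(Messages.AWSCredentialsImpl_SpecifyAccessKeyId());
            }
            if (StringUtils.isBlank(secretKey)) {
                return FormValidation.error(Messages.AWSCredentialsImpl_SpecifySecretAccessKey());
            }
            // Secret.fromString accepts either plain text or Jenkins' encrypted form.
            AwsCredentials credentials = AwsBasicCredentials.create(accessKey, Secret.fromString(secretKey).getPlainText());
            if (!StringUtils.isBlank(iamRoleArn)) {
                AssumeRoleRequest.Builder request = AWSCredentialsImpl.createAssumeRoleRequest(iamRoleArn, iamExternalId)
                        .durationSeconds(stsTokenDuration);
                if (!StringUtils.isBlank(iamMfaSerialNumber)) {
                    if (StringUtils.isBlank(iamMfaToken)) {
                        return FormValidation.error(Messages.AWSCredentialsImpl_SpecifyMFAToken());
                    }
                    request = request.serialNumber(iamMfaSerialNumber).tokenCode(iamMfaToken);
                }
                try (StsClient sts = AWSCredentialsImpl.buildStsClient(StaticCredentialsProvider.create(credentials))) {
                    credentials = AWSCredentialsImpl.toSessionCredentials(sts.assumeRole(request.build()));
                } catch (RuntimeException e) {
                    // Log only non-secret fields: the request builder may carry the MFA token code.
                    LOGGER.log(Level.WARNING,
                            "Unable to assume role [" + iamRoleArn + "] (requested duration " + stsTokenDuration + "s)", e);
                    return FormValidation.error(Messages.AWSCredentialsImpl_NotAbleToAssumeRole() + " Check the Jenkins log for more details");
                }
            }
            // Same region selection as the STS client, and reported as such in the 403 message
            // instead of a hard-coded region name.
            Region region = AWSCredentialsImpl.determineClientRegion();
            try (Ec2Client ec2 = Ec2Client.builder()
                    .region(region)
                    .credentialsProvider(StaticCredentialsProvider.create(credentials))
                    .httpClientBuilder(AWSCredentialsImpl.getHttpClientBuilder())
                    .build()) {
                int zoneCount = ec2.describeAvailabilityZones().availabilityZones().size();
                return FormValidation.ok(Messages.AWSCredentialsImpl_CredentialsValidWithAccessToNZones(Integer.valueOf(zoneCount)));
            } catch (AwsServiceException e) {
                int status = e.awsErrorDetails().sdkHttpResponse().statusCode();
                if (status == 401) {
                    return FormValidation.warning(Messages.AWSCredentialsImpl_CredentialsInValid(e.getMessage()));
                }
                if (status == 403) {
                    // Authenticated but not authorized for EC2: the key pair itself is valid.
                    return FormValidation.ok(Messages.AWSCredentialsImpl_CredentialsValidWithoutAccessToAwsServiceInZone(
                            e.awsErrorDetails().serviceName(),
                            region.id(),
                            e.awsErrorDetails().errorMessage() + " (" + e.awsErrorDetails().errorCode() + ")"));
                }
                return FormValidation.error(e.getMessage());
            } catch (SdkException e) {
                return FormValidation.error(e.getMessage());
            }
        }
    }

    /**
     * Creates a credential holding a static key pair only (no role assumption).
     *
     * @param scope       credential scope, or {@code null}
     * @param id          credential id, or {@code null}
     * @param accessKey   AWS access key id
     * @param secretKey   AWS secret access key (plain text or Jenkins-encrypted form)
     * @param description human-readable description
     */
    public AWSCredentialsImpl(@CheckForNull CredentialsScope scope, @CheckForNull String id,
                              @CheckForNull String accessKey, @CheckForNull String secretKey,
                              @CheckForNull String description) {
        this(scope, id, accessKey, secretKey, description, null, null, null);
    }

    /**
     * Creates a credential that assumes {@code iamRoleArn}, optionally with MFA.
     *
     * @param iamRoleArn         role to assume at resolve time, or {@code null}
     * @param iamMfaSerialNumber MFA device serial number, or {@code null}
     */
    public AWSCredentialsImpl(@CheckForNull CredentialsScope scope, @CheckForNull String id,
                              @CheckForNull String accessKey, @CheckForNull String secretKey,
                              @CheckForNull String description, @CheckForNull String iamRoleArn,
                              @CheckForNull String iamMfaSerialNumber) {
        this(scope, id, accessKey, secretKey, description, iamRoleArn, iamMfaSerialNumber, null);
    }

    /**
     * Data-bound constructor. Stapler matches form fields to these parameter names, so the
     * names must stay aligned with the getters ({@code accessKey}, {@code secretKey},
     * {@code iamRoleArn}, {@code iamMfaSerialNumber}, {@code iamExternalId}).
     *
     * @param iamExternalId external id sent with AssumeRole, or {@code null}
     */
    @DataBoundConstructor
    public AWSCredentialsImpl(@CheckForNull CredentialsScope scope, @CheckForNull String id,
                              @CheckForNull String accessKey, @CheckForNull String secretKey,
                              @CheckForNull String description, @CheckForNull String iamRoleArn,
                              @CheckForNull String iamMfaSerialNumber, String iamExternalId) {
        super(scope, id, description);
        // fixNull keeps the "not configured" checks below to simple isBlank() tests.
        this.accessKey = Util.fixNull(accessKey);
        this.secretKey = Secret.fromString(secretKey);
        this.iamRoleArn = Util.fixNull(iamRoleArn);
        this.iamExternalId = Util.fixNull(iamExternalId);
        this.iamMfaSerialNumber = Util.fixNull(iamMfaSerialNumber);
    }

    public String getAccessKey() {
        return accessKey;
    }

    public Secret getSecretKey() {
        return secretKey;
    }

    public String getIamRoleArn() {
        return iamRoleArn;
    }

    public String getIamExternalId() {
        return iamExternalId;
    }

    public String getIamMfaSerialNumber() {
        return iamMfaSerialNumber;
    }

    /** @return the configured STS token lifetime in seconds, or the descriptor default when unset */
    @NonNull
    public Integer getStsTokenDuration() {
        Integer configured = stsTokenDuration;
        return configured == null ? DescriptorImpl.DEFAULT_STS_TOKEN_DURATION : configured;
    }

    /**
     * Sets the STS token lifetime. The default value is stored as {@code null} so that
     * {@link #getStsTokenDuration()} keeps following {@link DescriptorImpl#DEFAULT_STS_TOKEN_DURATION}.
     */
    @DataBoundSetter
    public void setStsTokenDuration(Integer duration) {
        boolean isDefault = duration == null || duration.equals(DescriptorImpl.DEFAULT_STS_TOKEN_DURATION);
        stsTokenDuration = isDefault ? null : duration;
    }

    /** @return {@code true} when an MFA serial number is configured, i.e. {@link #resolveCredentials(String)} must be used */
    public boolean requiresToken() {
        return !StringUtils.isBlank(iamMfaSerialNumber);
    }

    /**
     * Resolves credentials without an MFA token: the static key pair, or, when an IAM role ARN
     * is configured, STS session credentials obtained by assuming that role.
     *
     * <p>When a role is configured but both access key and secret key are blank, the STS client
     * is built without an explicit credentials provider, so the SDK's default credential chain
     * supplies the identity that assumes the role. A configured MFA serial number is not sent
     * from here; use {@link #resolveCredentials(String)} for that.
     */
    public AwsCredentials resolveCredentials() {
        if (StringUtils.isBlank(iamRoleArn)) {
            return staticCredentials();
        }
        AwsCredentialsProvider source = hasStaticKeys() ? StaticCredentialsProvider.create(staticCredentials()) : null;
        AssumeRoleRequest request = createAssumeRoleRequest(iamRoleArn, iamExternalId)
                .durationSeconds(getStsTokenDuration())
                .build();
        // try-with-resources: each call builds its own client, so close it (and its HTTP pool).
        try (StsClient sts = buildStsClient(source)) {
            return toSessionCredentials(sts.assumeRole(request));
        }
    }

    /**
     * Resolves STS session credentials by assuming the configured role with the static key pair
     * and the given one-time MFA token. Unlike {@link #resolveCredentials()} the static key pair
     * is always used as the source identity, even when it is blank.
     *
     * @param mfaToken one-time code from the device identified by {@link #getIamMfaSerialNumber()}
     */
    @Override
    public AwsCredentials resolveCredentials(String mfaToken) {
        AssumeRoleRequest request = createAssumeRoleRequest(iamRoleArn, iamExternalId)
                .serialNumber(iamMfaSerialNumber)
                .tokenCode(mfaToken)
                .durationSeconds(getStsTokenDuration())
                .build();
        try (StsClient sts = buildStsClient(StaticCredentialsProvider.create(staticCredentials()))) {
            return toSessionCredentials(sts.assumeRole(request));
        }
    }

    /** Picks the region for SDK clients: the SDK default chain, else {@code us-west-2}. */
    private static Region determineClientRegion() {
        Region region = null;
        try {
            region = new DefaultAwsRegionProviderChain().getRegion();
        } catch (RuntimeException e) {
            // The chain throws when nothing is configured; STS is global so a fallback is acceptable.
            LOGGER.log(Level.WARNING, "Could not find default region using SDK lookup.", e);
        }
        return region == null ? Region.US_WEST_2 : region;
    }

    /** @deprecated SDK v1 form of {@link #resolveCredentials()} */
    @Deprecated
    public AWSCredentials getCredentials() {
        return fromAwsCredentials(resolveCredentials());
    }

    /** @deprecated SDK v1 form of {@link #resolveCredentials(String)} */
    @Override
    @Deprecated
    public AWSCredentials getCredentials(String mfaToken) {
        return fromAwsCredentials(resolveCredentials(mfaToken));
    }

    /** Converts SDK v2 credentials to their SDK v1 counterpart, preserving session tokens. */
    private static AWSCredentials fromAwsCredentials(AwsCredentials awsCredentials) {
        Objects.requireNonNull(awsCredentials);
        if (awsCredentials instanceof AwsSessionCredentials) {
            return fromAwsSessionCredentials((AwsSessionCredentials) awsCredentials);
        }
        return new BasicAWSCredentials(
                awsCredentials.accessKeyId(),
                awsCredentials.secretAccessKey(),
                awsCredentials.accountId().orElse(null),
                awsCredentials.providerName().orElse(null));
    }

    private static AWSSessionCredentials fromAwsSessionCredentials(AwsSessionCredentials sessionCredentials) {
        Objects.requireNonNull(sessionCredentials);
        return new BasicSessionCredentials(
                sessionCredentials.accessKeyId(),
                sessionCredentials.secretAccessKey(),
                sessionCredentials.sessionToken(),
                sessionCredentials.accountId().orElse(null),
                sessionCredentials.providerName().orElse(null));
    }

    /** @deprecated no-op: credentials are resolved fresh on every call, so there is nothing to refresh */
    @Deprecated
    public void refresh() {
    }

    @Override
    public String getDisplayName() {
        return StringUtils.isBlank(iamRoleArn) ? accessKey : accessKey + ":" + iamRoleArn;
    }

    /**
     * Builds an STS client for the Jenkins region and proxy settings.
     *
     * <p>The HTTP client is passed as a builder rather than a built instance, so the SDK owns
     * it and closes it together with the returned client. Callers must close the returned
     * client (try-with-resources). The original source declared this method package-private;
     * the listing shows it public.
     *
     * @param awsCredentialsProvider source identity, or {@code null} to use the SDK default chain
     */
    public static StsClient buildStsClient(AwsCredentialsProvider awsCredentialsProvider) {
        StsClientBuilder builder = StsClient.builder()
                .region(determineClientRegion())
                .httpClientBuilder(getHttpClientBuilder());
        if (awsCredentialsProvider != null) {
            builder = builder.credentialsProvider(awsCredentialsProvider);
        }
        return builder.build();
    }

    /** Starts an AssumeRole request for {@code roleArn}; the external id is attached only when non-empty. */
    private static AssumeRoleRequest.Builder createAssumeRoleRequest(String roleArn, String externalId) {
        AssumeRoleRequest.Builder builder = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(ROLE_SESSION_NAME);
        if (externalId != null && !externalId.isEmpty()) {
            builder = builder.externalId(externalId);
        }
        return builder;
    }

    /** Extracts the temporary key pair and session token from an AssumeRole response. */
    private static AwsSessionCredentials toSessionCredentials(AssumeRoleResponse response) {
        software.amazon.awssdk.services.sts.model.Credentials issued = response.credentials();
        return AwsSessionCredentials.create(issued.accessKeyId(), issued.secretAccessKey(), issued.sessionToken());
    }

    /** The configured static key pair as SDK credentials (both parts may be empty strings). */
    private AwsBasicCredentials staticCredentials() {
        return AwsBasicCredentials.create(accessKey, secretKey.getPlainText());
    }

    /** @return {@code false} only when both access key and secret key are blank */
    private boolean hasStaticKeys() {
        return !(StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey.getPlainText()));
    }

    /**
     * Prepares an Apache HTTP client builder honouring the Jenkins proxy configuration, if any.
     *
     * <p>Both {@code hudson.ProxyConfiguration} and the SDK's {@code ProxyConfiguration} are
     * imported by this file (a decompiler artifact that makes the simple name ambiguous), so
     * both are referenced fully qualified here.
     * NOTE(review): the Jenkins no-proxy host list is not propagated to the SDK proxy
     * configuration — confirm whether that is intended.
     */
    private static ApacheHttpClient.Builder getHttpClientBuilder() {
        Jenkins jenkins = Jenkins.getInstanceOrNull();
        hudson.ProxyConfiguration jenkinsProxy = jenkins != null ? jenkins.proxy : null;
        ApacheHttpClient.Builder builder = ApacheHttpClient.builder();
        if (jenkinsProxy == null || jenkinsProxy.name == null || jenkinsProxy.name.isEmpty()) {
            return builder;
        }
        software.amazon.awssdk.http.apache.ProxyConfiguration.Builder proxy =
                software.amazon.awssdk.http.apache.ProxyConfiguration.builder()
                        .endpoint(URI.create(String.format("http://%s:%d", jenkinsProxy.name, jenkinsProxy.port)));
        if (jenkinsProxy.getUserName() != null) {
            proxy.username(jenkinsProxy.getUserName());
            // Secret.toString is null-safe and yields the plain text the proxy needs.
            proxy.password(Secret.toString(jenkinsProxy.getSecretPassword()));
        }
        builder.proxyConfiguration(proxy.build());
        return builder;
    }
}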
