package com.cloudbees.jenkins.plugins.awscredentials;

import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.cloudbees.plugins.credentials.CredentialsDescriptor;
import com.cloudbees.plugins.credentials.CredentialsScope;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ProxyConfiguration;
import hudson.Util;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;

/* loaded from: input_file:WEB-INF/lib/aws-credentials.jar:com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.class */
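/**
 * Jenkins credentials entry holding an AWS access key id and secret key, with an optional IAM
 * role to assume through STS and an optional MFA device serial number.
 *
 * <p>The secret key is stored as a {@link Secret}; the access key id, role ARN and MFA serial
 * number are stored as plain strings. When a role ARN is configured, {@link #getCredentials()}
 * and {@link #getCredentials(String)} exchange the long-lived key pair for temporary session
 * credentials via {@code AssumeRole}.
 *
 * <p>NOTE(review): this listing is decompiler output, so constructor and method parameter names
 * ({@code str}, {@code str2}, ...) are not the original ones. Stapler binds
 * {@code @DataBoundConstructor} arguments and unnamed {@code @QueryParameter} arguments by
 * parameter name, so this source should not be recompiled as-is without restoring those names.
 */
public class AWSCredentialsImpl extends BaseAmazonWebServicesCredentials implements AmazonWebServicesCredentials {
    private static final long serialVersionUID = -3167989896315282034L;
    // Logger is registered under the base class name, not this class.
    private static final Logger LOGGER = Logger.getLogger(BaseAmazonWebServicesCredentials.class.getName());
    /** Default lifetime, in seconds, requested for STS session credentials. */
    public static final Integer STS_CREDENTIALS_DURATION_SECONDS = 3600;
    // Access key id; never null (normalized with Util.fixNull in the constructor).
    private final String accessKey;
    // Secret access key, wrapped in Jenkins' Secret type.
    private final Secret secretKey;
    // ARN of the IAM role to assume; empty when no role is configured.
    private final String iamRoleArn;
    // Serial number of the MFA device; empty when MFA is not required.
    private final String iamMfaSerialNumber;
    // null means "use STS_CREDENTIALS_DURATION_SECONDS"; see setStsTokenDuration.
    private volatile Integer stsTokenDuration;

    /** Descriptor providing the display name and the form validation for this credentials type. */
    @Extension
    /* loaded from: input_file:WEB-INF/lib/aws-credentials.jar:com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl$DescriptorImpl.class */
    public static class DescriptorImpl extends CredentialsDescriptor {
        public static final Integer DEFAULT_STS_TOKEN_DURATION = AWSCredentialsImpl.STS_CREDENTIALS_DURATION_SECONDS;

        @Override
        public String getDisplayName() {
            return Messages.AWSCredentialsImpl_DisplayName();
        }

        /**
         * Validates the key pair entered in the credentials form by calling AWS with it.
         *
         * <p>If a role ARN is given, the key pair is first used to assume that role (with the MFA
         * serial number and token code when a serial number is given); the resulting credentials
         * are then checked with an EC2 {@code DescribeAvailabilityZones} call.
         *
         * <p>NOTE(review): this endpoint receives the secret key and the MFA token code as request
         * parameters and performs outbound AWS calls with them. No permission check and no
         * POST-only restriction ({@code @RequirePOST}) is visible in this method. Confirm that
         * access control is enforced elsewhere; if it is not, any caller able to reach the
         * descriptor URL can trigger these requests, and secrets sent by GET can end up in access
         * logs. Adding either guard needs a matching change to the form, so it is not done here.
         *
         * @param str access key id ({@code accessKey})
         * @param str2 IAM role ARN to assume, may be blank ({@code iamRoleArn})
         * @param str3 MFA device serial number, may be blank ({@code iamMfaSerialNumber})
         * @param str4 current MFA token code, required when {@code str3} is set ({@code iamMfaToken})
         * @param num requested STS session duration in seconds ({@code stsTokenDuration})
         * @param str5 secret access key; bound by parameter name because the annotation has no
         *     explicit value
         * @return ok when both key fields are blank or the credentials work, a warning on HTTP 401,
         *     an error otherwise
         */
        public FormValidation doCheckSecretKey(@QueryParameter("accessKey") String str, @QueryParameter("iamRoleArn") String str2, @QueryParameter("iamMfaSerialNumber") String str3, @QueryParameter("iamMfaToken") String str4, @QueryParameter("stsTokenDuration") Integer num, @QueryParameter String str5) {
            boolean accessKeyMissing = StringUtils.isBlank(str);
            boolean secretKeyMissing = StringUtils.isBlank(str5);
            if (accessKeyMissing && secretKeyMissing) {
                // Nothing entered yet: an empty form is not an error.
                return FormValidation.ok();
            }
            if (accessKeyMissing) {
                return FormValidation.error(Messages.AWSCredentialsImpl_SpecifyAccessKeyId());
            }
            if (secretKeyMissing) {
                return FormValidation.error(Messages.AWSCredentialsImpl_SpecifySecretAccessKey());
            }

            // Route AWS traffic through the proxy configured for this Jenkins instance, if any.
            ProxyConfiguration proxyConfiguration = Jenkins.getActiveInstance().proxy;
            ClientConfiguration clientConfiguration = new ClientConfiguration();
            if (proxyConfiguration != null) {
                clientConfiguration.setProxyHost(proxyConfiguration.name);
                clientConfiguration.setProxyPort(proxyConfiguration.port);
                clientConfiguration.setProxyUsername(proxyConfiguration.getUserName());
                clientConfiguration.setProxyPassword(proxyConfiguration.getPassword());
            }

            AWSCredentials basicAWSCredentials = new BasicAWSCredentials(str, Secret.fromString(str5).getPlainText());
            if (!StringUtils.isBlank(str2)) {
                AssumeRoleRequest withDurationSeconds = AWSCredentialsImpl.createAssumeRoleRequest(str2).withDurationSeconds(num);
                if (!StringUtils.isBlank(str3)) {
                    if (StringUtils.isBlank(str4)) {
                        return FormValidation.error(Messages.AWSCredentialsImpl_SpecifyMFAToken());
                    }
                    withDurationSeconds = withDurationSeconds.withSerialNumber(str3).withTokenCode(str4);
                }
                try {
                    // Fix: the STS client now gets the same proxy-aware configuration as the EC2
                    // client below; previously it was built without it and bypassed the proxy.
                    AssumeRoleResult assumeRole = new AWSSecurityTokenServiceClient(basicAWSCredentials, clientConfiguration).assumeRole(withDurationSeconds);
                    basicAWSCredentials = new BasicSessionCredentials(assumeRole.getCredentials().getAccessKeyId(), assumeRole.getCredentials().getSecretAccessKey(), assumeRole.getCredentials().getSessionToken());
                } catch (AmazonServiceException e) {
                    // NOTE(review): the whole request object is written to the log; if its
                    // toString() prints the MFA token code, that code lands in the Jenkins log.
                    // Confirm, and log only the role ARN if so.
                    AWSCredentialsImpl.LOGGER.log(Level.WARNING, "Unable to assume role [" + str2 + "] with request [" + withDurationSeconds + "]", e);
                    return FormValidation.error(Messages.AWSCredentialsImpl_NotAbleToAssumeRole() + " Check the Jenkins log for more details");
                }
            }

            try {
                int zoneCount = new AmazonEC2Client(basicAWSCredentials, clientConfiguration).describeAvailabilityZones().getAvailabilityZones().size();
                return FormValidation.ok(Messages.AWSCredentialsImpl_CredentialsValidWithAccessToNZones(Integer.valueOf(zoneCount)));
            } catch (AmazonServiceException e2) {
                int status = e2.getStatusCode();
                if (status == 401) {
                    return FormValidation.warning(Messages.AWSCredentialsImpl_CredentialsInValid(e2.getMessage()));
                }
                if (status == 403) {
                    // Authenticated but not authorized for EC2: the key pair itself is valid.
                    return FormValidation.ok(Messages.AWSCredentialsImpl_CredentialsValidWithoutAccessToAwsServiceInZone(e2.getServiceName(), "us-east-1", e2.getErrorMessage() + " (" + e2.getErrorCode() + ")"));
                }
                return FormValidation.error(e2.getMessage());
            } catch (AmazonClientException e3) {
                return FormValidation.error(e3.getMessage());
            }
        }
    }

    /**
     * Creates credentials without an IAM role or MFA device.
     *
     * @param credentialsScope passed to the superclass constructor
     * @param str passed to the superclass constructor (presumably the credentials id)
     * @param str2 access key id
     * @param str3 secret access key
     * @param str4 passed to the superclass constructor (presumably the description)
     */
    public AWSCredentialsImpl(@CheckForNull CredentialsScope credentialsScope, @CheckForNull String str, @CheckForNull String str2, @CheckForNull String str3, @CheckForNull String str4) {
        this(credentialsScope, str, str2, str3, str4, null, null);
    }

    /**
     * Creates credentials, optionally bound to an IAM role and an MFA device.
     *
     * <p>Null strings are normalized to empty strings, except the secret key, which is wrapped
     * with {@link Secret#fromString(String)}.
     *
     * @param credentialsScope passed to the superclass constructor
     * @param str passed to the superclass constructor (presumably the credentials id)
     * @param str2 access key id
     * @param str3 secret access key
     * @param str4 passed to the superclass constructor (presumably the description)
     * @param str5 ARN of the IAM role to assume, or null for none
     * @param str6 serial number of the MFA device, or null for none
     */
    @DataBoundConstructor
    public AWSCredentialsImpl(@CheckForNull CredentialsScope credentialsScope, @CheckForNull String str, @CheckForNull String str2, @CheckForNull String str3, @CheckForNull String str4, @CheckForNull String str5, @CheckForNull String str6) {
        super(credentialsScope, str, str4);
        this.accessKey = Util.fixNull(str2);
        this.secretKey = Secret.fromString(str3);
        this.iamRoleArn = Util.fixNull(str5);
        this.iamMfaSerialNumber = Util.fixNull(str6);
    }

    /** Returns the access key id (never null, possibly empty). */
    public String getAccessKey() {
        return this.accessKey;
    }

    /** Returns the secret access key wrapped as a {@link Secret}. */
    public Secret getSecretKey() {
        return this.secretKey;
    }

    /** Returns the ARN of the IAM role to assume (never null, possibly empty). */
    public String getIamRoleArn() {
        return this.iamRoleArn;
    }

    /** Returns the MFA device serial number (never null, possibly empty). */
    public String getIamMfaSerialNumber() {
        return this.iamMfaSerialNumber;
    }

    /**
     * Returns the STS session duration in seconds, falling back to
     * {@link #STS_CREDENTIALS_DURATION_SECONDS} when none was set.
     */
    @NonNull
    public Integer getStsTokenDuration() {
        // Read the volatile field once so a concurrent reset to null cannot slip in between the
        // null check and the return, which would violate @NonNull.
        Integer configured = this.stsTokenDuration;
        return configured == null ? STS_CREDENTIALS_DURATION_SECONDS : configured;
    }

    /**
     * Sets the STS session duration in seconds.
     *
     * @param num the duration; null or the default value is stored as null, so that only a
     *     non-default duration is kept in the field
     */
    @DataBoundSetter
    public void setStsTokenDuration(Integer num) {
        this.stsTokenDuration = (num == null || num.equals(STS_CREDENTIALS_DURATION_SECONDS)) ? null : num;
    }

    /** Returns true when an MFA device serial number is configured. */
    public boolean requiresToken() {
        return !StringUtils.isBlank(this.iamMfaSerialNumber);
    }

    /**
     * Resolves the AWS credentials to use, without an MFA token.
     *
     * <p>Without a role ARN the stored key pair is returned as-is. With a role ARN the role is
     * assumed through STS and temporary session credentials are returned. If both the access key
     * and the secret key are blank, the SDK's default STS client (and so its default credentials
     * lookup) is used to assume the role instead of the stored pair.
     *
     * <p>NOTE(review): unlike the form validation, the STS clients built here are created without
     * a {@code ClientConfiguration}, so the Jenkins proxy settings are not applied on this path.
     *
     * @return the stored key pair, or session credentials for the configured role
     */
    public AWSCredentials getCredentials() {
        String plainSecret = this.secretKey.getPlainText();
        BasicAWSCredentials basicAWSCredentials = new BasicAWSCredentials(this.accessKey, plainSecret);
        if (StringUtils.isBlank(this.iamRoleArn)) {
            return basicAWSCredentials;
        }

        AWSSecurityTokenService stsClient;
        if (StringUtils.isBlank(this.accessKey) && StringUtils.isBlank(plainSecret)) {
            stsClient = AWSSecurityTokenServiceClientBuilder.defaultClient();
        } else {
            stsClient = (AWSSecurityTokenService) AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(basicAWSCredentials)).build();
        }
        AssumeRoleRequest request = createAssumeRoleRequest(this.iamRoleArn).withDurationSeconds(getStsTokenDuration());
        AssumeRoleResult assumeRole = stsClient.assumeRole(request);
        return new BasicSessionCredentials(assumeRole.getCredentials().getAccessKeyId(), assumeRole.getCredentials().getSecretAccessKey(), assumeRole.getCredentials().getSessionToken());
    }

    /**
     * Assumes the configured role using the stored key pair and the given MFA token code.
     *
     * <p>This overload always calls {@code AssumeRole}; it does not check whether a role ARN or
     * an MFA serial number is actually configured.
     *
     * @param str current token code from the MFA device
     * @return temporary session credentials for the configured role
     */
    @Override // com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials
    public AWSCredentials getCredentials(String str) {
        BasicAWSCredentials basicAWSCredentials = new BasicAWSCredentials(this.accessKey, this.secretKey.getPlainText());
        AssumeRoleRequest request = createAssumeRoleRequest(this.iamRoleArn).withSerialNumber(this.iamMfaSerialNumber).withTokenCode(str).withDurationSeconds(getStsTokenDuration());
        AssumeRoleResult assumeRole = new AWSSecurityTokenServiceClient(basicAWSCredentials).assumeRole(request);
        return new BasicSessionCredentials(assumeRole.getCredentials().getAccessKeyId(), assumeRole.getCredentials().getSecretAccessKey(), assumeRole.getCredentials().getSessionToken());
    }

    /** Does nothing; nothing is cached by this class, each lookup builds fresh credentials. */
    public void refresh() {
    }

    /**
     * Returns the access key id, followed by {@code ":"} and the role ARN when a role is
     * configured. The secret key is never part of the display name.
     */
    @Override // com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials
    public String getDisplayName() {
        if (StringUtils.isBlank(this.iamRoleArn)) {
            return this.accessKey;
        }
        return this.accessKey + ":" + this.iamRoleArn;
    }

    /**
     * Builds an {@code AssumeRole} request for the given role, using the display name of the
     * Jenkins instance as the role session name.
     *
     * @param str ARN of the role to assume
     * @return the request, without duration, MFA serial number or token code set
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static AssumeRoleRequest createAssumeRoleRequest(String str) {
        return new AssumeRoleRequest().withRoleArn(str).withRoleSessionName(Jenkins.getActiveInstance().getDisplayName());
    }
}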
