package com.schibsted.security.strongbox.sdk.internal.access;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.AttachGroupPolicyRequest;
import com.amazonaws.services.identitymanagement.model.AttachRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.AttachUserPolicyRequest;
import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest;
import com.amazonaws.services.identitymanagement.model.DeletePolicyRequest;
import com.amazonaws.services.identitymanagement.model.DetachGroupPolicyRequest;
import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.DetachUserPolicyRequest;
import com.amazonaws.services.identitymanagement.model.GetPolicyRequest;
import com.amazonaws.services.identitymanagement.model.ListEntitiesForPolicyRequest;
import com.amazonaws.services.identitymanagement.model.ListEntitiesForPolicyResult;
import com.amazonaws.services.identitymanagement.model.ListPoliciesRequest;
import com.amazonaws.services.identitymanagement.model.ListPoliciesResult;
import com.amazonaws.services.identitymanagement.model.NoSuchEntityException;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.schibsted.security.strongbox.sdk.exceptions.DoesNotExistException;
import com.schibsted.security.strongbox.sdk.exceptions.UnsupportedTypeException;
import com.schibsted.security.strongbox.sdk.internal.ClientConfigurationHelper;
import com.schibsted.security.strongbox.sdk.internal.IAMPolicyName;
import com.schibsted.security.strongbox.sdk.internal.RegionResolver;
import com.schibsted.security.strongbox.sdk.internal.encryption.KMSEncryptor;
import com.schibsted.security.strongbox.sdk.internal.kv4j.generated.Config;
import com.schibsted.security.strongbox.sdk.internal.kv4j.generated.Store;
import com.schibsted.security.strongbox.sdk.types.ClientConfiguration;
import com.schibsted.security.strongbox.sdk.types.Principal;
import com.schibsted.security.strongbox.sdk.types.PrincipalType;
import com.schibsted.security.strongbox.sdk.types.SecretsGroupIdentifier;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:com/schibsted/security/strongbox/sdk/internal/access/IAMPolicyManager.class */
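/**
 * Creates, inspects, attaches and deletes the IAM managed policies Strongbox uses to
 * grant access to a secrets group: one {@link AccessLevel#ADMIN} and one
 * {@link AccessLevel#READONLY} policy per {@link SecretsGroupIdentifier}.
 *
 * <p>Every policy is created under {@link #PATH_PREFIX}. Policy ARNs are derived from
 * the caller's account id (resolved once through STS and cached per instance) using a
 * hard-coded {@code arn:aws:iam::} prefix, i.e. only the {@code aws} partition is
 * supported.
 *
 * <p>Instances are not thread-safe: the account id cache is a plain field written
 * without synchronization, so concurrent first calls may each issue an STS request.
 */
public class IAMPolicyManager {
    /** IAM path every Strongbox-managed policy is created under and listed from. */
    public static final String PATH_PREFIX = "/strongbox/";

    /** Page size requested from IAM list operations; further pages are fetched by marker. */
    private static final int MAX_ITEMS_PER_PAGE = 1000;

    private final AmazonIdentityManagement client;
    private final AWSCredentialsProvider awsCredentials;
    private final ClientConfiguration clientConfiguration;

    /** Account id resolved lazily by {@link #getAccount()}; empty until first use. */
    private Optional<String> account = Optional.empty();

    /**
     * Wraps an existing IAM client.
     *
     * @param amazonIdentityManagement IAM client used for every policy operation
     * @param aWSCredentialsProvider credentials used to resolve the account id via STS
     * @param clientConfiguration client configuration reused when building the STS client
     */
    public IAMPolicyManager(AmazonIdentityManagement amazonIdentityManagement, AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration) {
        this.client = amazonIdentityManagement;
        this.awsCredentials = aWSCredentialsProvider;
        this.clientConfiguration = clientConfiguration;
    }

    /**
     * Builds an IAM client for the resolved region from the given credentials and wraps it.
     *
     * @param aWSCredentialsProvider credentials for the IAM client and for account resolution
     * @param clientConfiguration client configuration; verified by {@link ClientConfigurationHelper}
     * @return a manager backed by a freshly built IAM client
     */
    public static IAMPolicyManager fromCredentials(AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration) {
        AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.standard()
                .withCredentials(aWSCredentialsProvider)
                .withClientConfiguration(ClientConfigurationHelper.transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(RegionResolver.getRegion())
                .build();
        return new IAMPolicyManager(iam, aWSCredentialsProvider, clientConfiguration);
    }

    /**
     * Resolves the AWS account id behind the given credentials with an STS
     * {@code GetCallerIdentity} call.
     *
     * @param aWSCredentialsProvider credentials whose account is looked up
     * @param clientConfiguration client configuration for the STS client
     * @return the 12-digit account id reported by STS
     */
    public static String getAccount(AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(aWSCredentialsProvider)
                .withClientConfiguration(ClientConfigurationHelper.transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(RegionResolver.getRegion())
                .build();
        return sts.getCallerIdentity(new GetCallerIdentityRequest()).getAccount();
    }

    /**
     * Returns the account id for this manager's credentials, resolving it through STS on
     * first use and caching it for the lifetime of the instance.
     *
     * @return the cached or freshly resolved account id
     */
    public String getAccount() {
        if (!this.account.isPresent()) {
            // Unsynchronized lazy init: a racing first call at worst repeats the STS lookup.
            this.account = Optional.of(getAccount(this.awsCredentials, this.clientConfiguration));
        }
        return this.account.get();
    }

    /** @return whether the ADMIN policy for the group exists in IAM. */
    public boolean adminPolicyExists(SecretsGroupIdentifier secretsGroupIdentifier) {
        return policyExists(getAdminPolicyArn(secretsGroupIdentifier));
    }

    /** @return whether the READONLY policy for the group exists in IAM. */
    public boolean readOnlyPolicyExists(SecretsGroupIdentifier secretsGroupIdentifier) {
        return policyExists(getReadOnlyArn(secretsGroupIdentifier));
    }

    /**
     * Probes IAM for a policy by ARN.
     *
     * @param arn policy ARN to look up
     * @return {@code true} if {@code GetPolicy} succeeds, {@code false} on {@link NoSuchEntityException};
     *         any other service error propagates
     */
    private boolean policyExists(String arn) {
        try {
            this.client.getPolicy(new GetPolicyRequest().withPolicyArn(arn));
            return true;
        } catch (NoSuchEntityException e) {
            return false;
        }
    }

    /** @return the ARN the ADMIN policy for the group has (or would have). */
    public String getAdminPolicyArn(SecretsGroupIdentifier secretsGroupIdentifier) {
        return getArn(secretsGroupIdentifier, AccessLevel.ADMIN);
    }

    /** @return the ARN the READONLY policy for the group has (or would have). */
    public String getReadOnlyArn(SecretsGroupIdentifier secretsGroupIdentifier) {
        return getArn(secretsGroupIdentifier, AccessLevel.READONLY);
    }

    /** Attaches the group's ADMIN policy to the principal. */
    public void attachAdmin(SecretsGroupIdentifier secretsGroupIdentifier, Principal principal) {
        attachPrincipalToPolicy(secretsGroupIdentifier, principal, AccessLevel.ADMIN);
    }

    /** Attaches the group's READONLY policy to the principal. */
    public void attachReadOnly(SecretsGroupIdentifier secretsGroupIdentifier, Principal principal) {
        attachPrincipalToPolicy(secretsGroupIdentifier, principal, AccessLevel.READONLY);
    }

    /**
     * Detaches every role, user and group from both policies of the secrets group.
     * A policy that does not exist is skipped, so this is safe to call during teardown.
     *
     * @param secretsGroupIdentifier group whose policies are cleared of principals
     */
    public void detachAllPrincipals(SecretsGroupIdentifier secretsGroupIdentifier) {
        try {
            listAttachedAdmin(secretsGroupIdentifier)
                    .forEach(principal -> detachAdmin(secretsGroupIdentifier, principal));
        } catch (DoesNotExistException ignored) {
            // ADMIN policy was never created or is already gone: nothing to detach.
        }
        try {
            listAttachedReadOnly(secretsGroupIdentifier)
                    .forEach(principal -> detachReadOnly(secretsGroupIdentifier, principal));
        } catch (DoesNotExistException ignored) {
            // READONLY policy was never created or is already gone: nothing to detach.
        }
    }

    /** Detaches the group's ADMIN policy from the principal. */
    public void detachAdmin(SecretsGroupIdentifier secretsGroupIdentifier, Principal principal) {
        detachPrincipal(secretsGroupIdentifier, principal, AccessLevel.ADMIN);
    }

    /** Detaches the group's READONLY policy from the principal. */
    public void detachReadOnly(SecretsGroupIdentifier secretsGroupIdentifier, Principal principal) {
        detachPrincipal(secretsGroupIdentifier, principal, AccessLevel.READONLY);
    }

    /**
     * Detaches the policy for the given access level from a role, user or group.
     *
     * @throws UnsupportedTypeException if the principal type is none of ROLE, USER, GROUP
     */
    private void detachPrincipal(SecretsGroupIdentifier secretsGroupIdentifier, Principal principal, AccessLevel accessLevel) {
        String arn = getArn(secretsGroupIdentifier, accessLevel);
        // Switch on the enum itself rather than on ordinals, so reordering PrincipalType cannot
        // silently route a detach to the wrong IAM API.
        switch (principal.type) {
            case ROLE:
                this.client.detachRolePolicy(new DetachRolePolicyRequest().withPolicyArn(arn).withRoleName(principal.name));
                break;
            case USER:
                this.client.detachUserPolicy(new DetachUserPolicyRequest().withPolicyArn(arn).withUserName(principal.name));
                break;
            case GROUP:
                this.client.detachGroupPolicy(new DetachGroupPolicyRequest().withPolicyArn(arn).withGroupName(principal.name));
                break;
            default:
                throw new UnsupportedTypeException(principal.type.toString());
        }
    }

    /**
     * Attaches the policy for the given access level to a role, user or group.
     *
     * @param secretsGroupIdentifier group whose policy is attached
     * @param principal IAM role, user or group to attach to
     * @param accessLevel which of the group's two policies to attach
     * @throws UnsupportedTypeException if the principal type is none of ROLE, USER, GROUP
     */
    public void attachPrincipalToPolicy(SecretsGroupIdentifier secretsGroupIdentifier, Principal principal, AccessLevel accessLevel) {
        String arn = getArn(secretsGroupIdentifier, accessLevel);
        switch (principal.type) {
            case ROLE:
                this.client.attachRolePolicy(new AttachRolePolicyRequest().withPolicyArn(arn).withRoleName(principal.name));
                break;
            case USER:
                this.client.attachUserPolicy(new AttachUserPolicyRequest().withPolicyArn(arn).withUserName(principal.name));
                break;
            case GROUP:
                this.client.attachGroupPolicy(new AttachGroupPolicyRequest().withPolicyArn(arn).withGroupName(principal.name));
                break;
            default:
                throw new UnsupportedTypeException(principal.type.toString());
        }
    }

    /** @return every principal the group's ADMIN policy is attached to. */
    public List<Principal> listAttachedAdmin(SecretsGroupIdentifier secretsGroupIdentifier) {
        return listEntities(secretsGroupIdentifier, AccessLevel.ADMIN);
    }

    /** @return every principal the group's READONLY policy is attached to. */
    public List<Principal> listAttachedReadOnly(SecretsGroupIdentifier secretsGroupIdentifier) {
        return listEntities(secretsGroupIdentifier, AccessLevel.READONLY);
    }

    /**
     * Lists all groups, users and roles attached to the policy, following IAM's
     * pagination markers so that attachments beyond the first page are not dropped.
     *
     * @return groups first, then users, then roles
     * @throws DoesNotExistException if IAM reports the policy as missing
     */
    private List<Principal> listEntities(SecretsGroupIdentifier secretsGroupIdentifier, AccessLevel accessLevel) {
        String arn = getArn(secretsGroupIdentifier, accessLevel);
        List<Principal> groups = new ArrayList<>();
        List<Principal> users = new ArrayList<>();
        List<Principal> roles = new ArrayList<>();
        String marker = null;
        try {
            do {
                ListEntitiesForPolicyRequest request = new ListEntitiesForPolicyRequest()
                        .withPolicyArn(arn)
                        .withMaxItems(MAX_ITEMS_PER_PAGE)
                        .withMarker(marker);
                ListEntitiesForPolicyResult page = this.client.listEntitiesForPolicy(request);
                groups.addAll(page.getPolicyGroups().stream()
                        .map(policyGroup -> new Principal(PrincipalType.GROUP, policyGroup.getGroupName()))
                        .collect(Collectors.toList()));
                users.addAll(page.getPolicyUsers().stream()
                        .map(policyUser -> new Principal(PrincipalType.USER, policyUser.getUserName()))
                        .collect(Collectors.toList()));
                roles.addAll(page.getPolicyRoles().stream()
                        .map(policyRole -> new Principal(PrincipalType.ROLE, policyRole.getRoleName()))
                        .collect(Collectors.toList()));
                // IAM returns a marker only while the listing is truncated.
                marker = Boolean.TRUE.equals(page.getIsTruncated()) ? page.getMarker() : null;
            } while (marker != null);
        } catch (NoSuchEntityException e) {
            throw new DoesNotExistException(String.format("Could not find policy with ARN: '%s'", arn), e);
        }
        List<Principal> principals = new ArrayList<>(groups.size() + users.size() + roles.size());
        principals.addAll(groups);
        principals.addAll(users);
        principals.addAll(roles);
        return principals;
    }

    /**
     * Discovers every secrets group that has a Strongbox policy under {@link #PATH_PREFIX},
     * paging through the full policy listing rather than stopping at the first page.
     *
     * @return the distinct group identifiers parsed from the policy names
     */
    public Set<SecretsGroupIdentifier> getSecretsGroupIdentifiers() {
        List<String> policyNames = new ArrayList<>();
        String marker = null;
        do {
            ListPoliciesRequest request = new ListPoliciesRequest()
                    .withPathPrefix(PATH_PREFIX)
                    .withMaxItems(MAX_ITEMS_PER_PAGE)
                    .withMarker(marker);
            ListPoliciesResult page = this.client.listPolicies(request);
            policyNames.addAll(page.getPolicies().stream()
                    .map(policy -> policy.getPolicyName())
                    .collect(Collectors.toList()));
            marker = Boolean.TRUE.equals(page.getIsTruncated()) ? page.getMarker() : null;
        } while (marker != null);
        return policyNames.stream()
                .map(policyName -> IAMPolicyName.fromString(policyName).group)
                .collect(Collectors.toSet());
    }

    /**
     * Builds the ARN of the group's policy for the access level. The {@code aws}
     * partition is hard-coded, so this is wrong in other partitions (e.g. GovCloud, China).
     */
    private String getArn(SecretsGroupIdentifier secretsGroupIdentifier, AccessLevel accessLevel) {
        return String.format("arn:aws:iam::%s:policy%s%s", getAccount(), PATH_PREFIX, new IAMPolicyName(secretsGroupIdentifier, accessLevel).toString());
    }

    /** @return the store's read-only statement fragment, or the empty string if the store has none. */
    private String storeReadOnlyPolicyString(Store store) {
        return store.awsReadOnlyPolicy().orElse("");
    }

    /** @return the store's admin statement fragment, or the empty string if the store has none. */
    private String storeAdminPolicyString(Store store) {
        return store.awsAdminPolicy().orElse("");
    }

    /**
     * Creates the ADMIN policy for the group: KMS admin rights, store admin rights, and the
     * IAM permissions needed to list, inspect and (de)attach the group's own two policies.
     *
     * @param secretsGroupIdentifier group the policy belongs to
     * @param kMSEncryptor encryptor whose admin statement is embedded
     * @param store store whose admin statement is embedded
     * @return the ARN of the created policy
     * @throws IllegalStateException if the encryptor provides no admin statement
     */
    public String createAdminPolicy(SecretsGroupIdentifier secretsGroupIdentifier, KMSEncryptor kMSEncryptor, Store store) {
        String document = policyDocument(
                requireStatement(kMSEncryptor.awsAdminPolicy(), "KMS admin"),
                storeAdminPolicyString(store),
                listAllPolicies(),
                getPolicyInfo(secretsGroupIdentifier),
                managePolicies(secretsGroupIdentifier));
        return createPolicy(secretsGroupIdentifier, AccessLevel.ADMIN, document);
    }

    /**
     * Creates the READONLY policy for the group: store read rights plus KMS decrypt rights.
     *
     * @param secretsGroupIdentifier group the policy belongs to
     * @param kMSEncryptor encryptor whose read-only statement is embedded
     * @param store store whose read-only statement is embedded
     * @return the ARN of the created policy
     * @throws IllegalStateException if the encryptor provides no read-only statement
     */
    public String createReadOnlyPolicy(SecretsGroupIdentifier secretsGroupIdentifier, KMSEncryptor kMSEncryptor, Store store) {
        String document = policyDocument(
                storeReadOnlyPolicyString(store),
                requireStatement(kMSEncryptor.awsReadOnlyPolicy(), "KMS read-only"));
        return createPolicy(secretsGroupIdentifier, AccessLevel.READONLY, document);
    }

    /** Unwraps a statement fragment, failing with a descriptive message instead of a bare NoSuchElementException. */
    private static String requireStatement(Optional<String> statement, String description) {
        return statement.orElseThrow(() -> new IllegalStateException(description + " policy statement is not available"));
    }

    /**
     * Wraps pre-rendered statement fragments in a policy document envelope.
     *
     * <p>Fragments are joined verbatim with {@code ",\n"}; an empty fragment (a store
     * without a policy) therefore yields a doubled comma, i.e. a document that is not
     * valid JSON and that IAM rejects at creation time rather than a silently weaker policy.
     */
    private static String policyDocument(String... statements) {
        return "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n"
                + String.join(",\n", statements)
                + "\n  ]\n}";
    }

    /**
     * Statement allowing {@code iam:ListPolicies}, scoped to the Strongbox path.
     * NOTE(review): iam:ListPolicies is not resource-scoped in IAM, so the Resource here is
     * likely ineffective and the action is effectively account-wide; confirm against the
     * IAM action reference.
     */
    private String listAllPolicies() {
        return "    {\n        \"Sid\": \"IAMListAllPolicies\",\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"iam:ListPolicies\"\n        ],\n        \"Resource\": \"arn:aws:iam::"
                + getAccount() + ":policy" + PATH_PREFIX + "\"\n    }";
    }

    /** Statement allowing GetPolicy/ListEntitiesForPolicy on exactly the group's two policy ARNs. */
    private String getPolicyInfo(SecretsGroupIdentifier secretsGroupIdentifier) {
        return "    {\n        \"Sid\": \"IAMSecretGroupPolicies\",\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"iam:ListEntitiesForPolicy\",\n            \"iam:GetPolicy\"\n        ],\n        \"Resource\": [\n            \""
                + getAdminPolicyArn(secretsGroupIdentifier) + "\",\n            \""
                + getReadOnlyArn(secretsGroupIdentifier) + "\"\n        ]\n    }";
    }

    /**
     * Statement allowing attach/detach of policies to any role, user or group, but only
     * for the group's two policy ARNs: Resource is {@code *} because these actions are
     * evaluated against the principal being modified, and the {@code iam:PolicyArn}
     * condition is what confines the grant to Strongbox's own policies.
     */
    private String managePolicies(SecretsGroupIdentifier secretsGroupIdentifier) {
        return "    {\n        \"Sid\": \"IAMManagePolicies\",\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"iam:AttachRolePolicy\",\n            \"iam:AttachGroupPolicy\",\n            \"iam:AttachUserPolicy\",\n            \"iam:DetachRolePolicy\",\n            \"iam:DetachGroupPolicy\",\n            \"iam:DetachUserPolicy\"\n        ],\n        \"Resource\": \"*\",\n        \"Condition\": {\n            \"ArnEquals\": {\n                \"iam:PolicyArn\": [\n                    \""
                + getAdminPolicyArn(secretsGroupIdentifier) + "\",\n                    \""
                + getReadOnlyArn(secretsGroupIdentifier) + "\"\n                ]\n            }\n        }\n    }";
    }

    /**
     * Creates the managed policy in IAM under {@link #PATH_PREFIX}.
     *
     * @param policyDocument complete JSON policy document
     * @return the ARN of the created policy
     */
    private String createPolicy(SecretsGroupIdentifier secretsGroupIdentifier, AccessLevel accessLevel, String policyDocument) {
        IAMPolicyName policyName = new IAMPolicyName(secretsGroupIdentifier, accessLevel);
        String description = "This policy is managed by Strongbox. This policy grants " + accessLevel.toString() + " permissions.";
        CreatePolicyRequest request = new CreatePolicyRequest()
                .withPolicyName(policyName.toString())
                .withDescription(description)
                .withPolicyDocument(policyDocument)
                .withPath(PATH_PREFIX);
        return this.client.createPolicy(request).getPolicy().getArn();
    }

    /** Deletes the group's ADMIN policy; IAM requires it to be detached from all principals first. */
    public void deleteAdminPolicy(SecretsGroupIdentifier secretsGroupIdentifier) {
        deletePolicy(secretsGroupIdentifier, AccessLevel.ADMIN);
    }

    /** Deletes the group's READONLY policy; IAM requires it to be detached from all principals first. */
    public void deleteReadonlyPolicy(SecretsGroupIdentifier secretsGroupIdentifier) {
        deletePolicy(secretsGroupIdentifier, AccessLevel.READONLY);
    }

    /** Issues {@code DeletePolicy} for the group's policy at the given access level. */
    private void deletePolicy(SecretsGroupIdentifier secretsGroupIdentifier, AccessLevel accessLevel) {
        String arn = getArn(secretsGroupIdentifier, accessLevel);
        this.client.deletePolicy(new DeletePolicyRequest().withPolicyArn(arn));
    }
}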
