package com.schibsted.security.strongbox.sdk.internal.config.credentials;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.schibsted.security.strongbox.sdk.internal.ClientConfigurationHelper;
import com.schibsted.security.strongbox.sdk.internal.RegionResolver;
import com.schibsted.security.strongbox.sdk.internal.config.AWSConfigPropertyKey;
import com.schibsted.security.strongbox.sdk.internal.config.ConfigProviderChain;
import com.schibsted.security.strongbox.sdk.types.ClientConfiguration;
import com.schibsted.security.strongbox.sdk.types.ProfileIdentifier;
import com.schibsted.security.strongbox.sdk.types.arn.RoleARN;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Optional;
import java.util.function.Supplier;

/* loaded from: input_file:com/schibsted/security/strongbox/sdk/internal/config/credentials/ProfileCredentialProvider.class */
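/**
 * Resolves AWS credentials for a named profile read from the local AWS
 * credentials/config files.
 *
 * <p>If the profile declares a role ARN, the role is assumed through STS using the
 * static keys of its source profile, with an MFA token code when an MFA serial is
 * configured. Otherwise the profile's own static access key pair is returned.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Temporary role credentials are handed to {@link SessionCache} for reuse.
 *       NOTE(review): how and where the cache persists them is not visible in this
 *       class; confirm its storage is readable only by the owning user.</li>
 *   <li>{@link #refresh()} is a no-op, so expiry of cached session credentials is
 *       presumably enforced by {@code SessionCache.load()}; verify against that
 *       class.</li>
 * </ul>
 */
public class ProfileCredentialProvider implements AWSCredentialsProvider {
    // Assigned once in the constructor and never reassigned.
    private final ClientConfiguration clientConfiguration;
    private final ProfileIdentifier profile;
    // Only consulted when the profile configures an MFA serial.
    private final Supplier<MFAToken> mfaTokenSupplier;

    /**
     * @param clientConfiguration client settings applied to the STS client used for role assumption
     * @param profileIdentifier the profile whose credentials are resolved
     * @param supplier source of the MFA token code; read only when the profile has an MFA serial
     */
    public ProfileCredentialProvider(ClientConfiguration clientConfiguration, ProfileIdentifier profileIdentifier, Supplier<MFAToken> supplier) {
        this.clientConfiguration = clientConfiguration;
        this.profile = profileIdentifier;
        this.mfaTokenSupplier = supplier;
    }

    /**
     * Resolves credentials for the configured profile. The profile configuration is
     * re-read on every call.
     *
     * @return static credentials, or session credentials when the profile assumes a role
     * @throws IllegalStateException if no AWS config is present, a role profile has no
     *     source profile, or an MFA token is required but not supplied
     */
    @Override
    public AWSCredentials getCredentials() {
        return getCredentialsFromProfile(this.profile);
    }

    /** Intentionally a no-op: this provider holds no credential state of its own. */
    @Override
    public void refresh() {
    }

    /**
     * Chooses between role assumption and static keys, depending on whether the
     * profile declares a role ARN.
     */
    private AWSCredentials getCredentialsFromProfile(ProfileIdentifier profileIdentifier) {
        ConfigProviderChain configProviderChain = new ConfigProviderChain();
        if (!configProviderChain.hasConfig()) {
            throw new IllegalStateException("When using '--profile', an AWS credentials or config file must be present");
        }
        Optional<RoleARN> roleArn = configProviderChain.getRoleArn(profileIdentifier);
        if (roleArn.isPresent()) {
            return assumeRole(this.clientConfiguration, configProviderChain, profileIdentifier, roleArn.get());
        }
        return getStaticCredentials(configProviderChain, profileIdentifier);
    }

    /**
     * Returns session credentials for {@code roleARN}, served from the session cache
     * when it holds an entry and otherwise obtained from STS and then cached.
     *
     * @throws IllegalStateException if the profile has no source profile, or an MFA
     *     serial is configured but no token is available
     */
    private AWSCredentials assumeRole(ClientConfiguration clientConfiguration, ConfigProviderChain configProviderChain, ProfileIdentifier profileIdentifier, RoleARN roleARN) {
        Optional<ProfileIdentifier> sourceProfile = configProviderChain.getSourceProfile(profileIdentifier);
        if (!sourceProfile.isPresent()) {
            throw new IllegalStateException(String.format("'%s' must be specified when using '%s' for profile '%s'", AWSConfigPropertyKey.SOURCE_PROFILE, AWSConfigPropertyKey.ROLE_ARN, profileIdentifier.name));
        }

        // Reuse a cached session when one is available; this avoids another STS call
        // and another MFA prompt.
        SessionCache sessionCache = new SessionCache(profileIdentifier, roleARN);
        Optional<BasicSessionCredentials> cached = sessionCache.load();
        if (cached.isPresent()) {
            return cached.get();
        }

        // The STS call itself is authenticated with the source profile's long-lived keys.
        AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(getStaticCredentials(configProviderChain, sourceProfile.get())))
                .withClientConfiguration(ClientConfigurationHelper.transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(RegionResolver.getRegion())
                .build();
        try {
            // The session name carries the creation time in epoch seconds.
            String sessionName = String.format("strongbox-cli-session-%s", ZonedDateTime.now().toEpochSecond());
            AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
            assumeRoleRequest.withRoleArn(roleARN.toArn()).withRoleSessionName(sessionName);

            Optional<String> mfaSerial = configProviderChain.getMFASerial(profileIdentifier);
            if (mfaSerial.isPresent()) {
                // Fail with an explicit message rather than a bare NullPointerException
                // when the profile demands MFA but no token can be obtained.
                MFAToken mfaToken = this.mfaTokenSupplier == null ? null : this.mfaTokenSupplier.get();
                if (mfaToken == null) {
                    throw new IllegalStateException(String.format("An MFA token is required for profile '%s' but none was supplied", profileIdentifier.name));
                }
                assumeRoleRequest.withSerialNumber(mfaSerial.get()).withTokenCode(mfaToken.value);
            }

            AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
            Credentials credentials = assumeRoleResult.getCredentials();
            BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());

            // Stored together with the expiry reported by STS, normalised to UTC.
            sessionCache.save(assumeRoleResult.getAssumedRoleUser(), sessionCredentials, ZonedDateTime.ofInstant(credentials.getExpiration().toInstant(), ZoneId.of("UTC")));
            return sessionCredentials;
        } finally {
            // A client is built per call, so release its HTTP resources on every path.
            stsClient.shutdown();
        }
    }

    /**
     * Reads the access key id and secret key configured for the given profile.
     * The {@code ...OrThrow} accessors reject a profile that lacks either value.
     */
    private AWSCredentials getStaticCredentials(ConfigProviderChain configProviderChain, ProfileIdentifier profileIdentifier) {
        String accessKeyId = configProviderChain.getAWSAccessKeyIdOrThrow(profileIdentifier);
        String secretKey = configProviderChain.getAWSSecretKeyOrThrow(profileIdentifier);
        return new BasicAWSCredentials(accessKeyId, secretKey);
    }
}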
