package software.amazon.msk.auth.iam.internals;

import java.net.URI;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider;
import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.core.retry.RetryPolicy;
import software.amazon.awssdk.core.retry.RetryPolicyContext;
import software.amazon.awssdk.core.retry.backoff.FullJitterBackoffStrategy;
import software.amazon.awssdk.core.retry.conditions.AndRetryCondition;
import software.amazon.awssdk.core.retry.conditions.MaxNumberOfRetriesCondition;
import software.amazon.awssdk.core.retry.conditions.RetryCondition;
import software.amazon.awssdk.core.retry.conditions.RetryOnExceptionsCondition;
import software.amazon.awssdk.endpoints.Endpoint;
import software.amazon.awssdk.profiles.ProfileFileSupplier;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.endpoints.StsEndpointParams;
import software.amazon.awssdk.services.sts.endpoints.StsEndpointProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/* loaded from: input_file:software/amazon/msk/auth/iam/internals/MSKCredentialProvider.class */
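/**
 * Credential provider used by the MSK IAM SASL mechanism.
 *
 * <p>Credentials are resolved from a chain built from the providers configured through the client
 * option map (a named profile and/or an STS assume-role provider, see {@link ProviderBuilder})
 * followed by the default chain returned by {@link #getDefaultProvider()}. Resolution is retried
 * with full-jitter backoff while the retry policy accepts the failure; only
 * {@link SdkClientException} (and subclasses) is retried, every other {@link SdkException}
 * propagates on the first failure.
 *
 * <p>Static key material supplied through the option map is handed straight to the SDK providers
 * and is never logged. When {@code awsDebugCreds=true} the caller identity (account/ARN as
 * reported by STS), not the credentials themselves, is logged at DEBUG level.
 */
public class MSKCredentialProvider implements AwsCredentialsProvider, AutoCloseable {
    // Keys of the client option map read by ProviderBuilder.
    private static final String AWS_PROFILE_NAME_KEY = "awsProfileName";
    private static final String AWS_ROLE_ARN_KEY = "awsRoleArn";
    private static final String AWS_ROLE_EXTERNAL_ID = "awsRoleExternalId";
    private static final String AWS_ROLE_ACCESS_KEY_ID = "awsRoleAccessKeyId";
    private static final String AWS_ROLE_SECRET_ACCESS_KEY = "awsRoleSecretAccessKey";
    private static final String AWS_ROLE_SESSION_KEY = "awsRoleSessionName";
    private static final String AWS_ROLE_SESSION_TOKEN = "awsRoleSessionToken";
    private static final String AWS_STS_REGION = "awsStsRegion";
    private static final String AWS_DEBUG_CREDS_KEY = "awsDebugCreds";
    private static final String AWS_MAX_RETRIES = "awsMaxRetries";
    private static final String AWS_MAX_BACK_OFF_TIME_MS = "awsMaxBackOffTimeMs";
    private static final String GLOBAL_REGION = "aws-global";
    private static final int DEFAULT_MAX_RETRIES = 3;
    private static final int DEFAULT_MAX_BACK_OFF_TIME_MS = 5000;
    private static final Logger log = LoggerFactory.getLogger(MSKCredentialProvider.class);
    // Base delay of the full-jitter backoff between two resolution attempts.
    private static final Duration BASE_DELAY = Duration.ofMillis(500);

    // Caller-configured providers that own resources; released by close().
    private final List<AutoCloseable> closeableProviders;
    // Caller-configured providers followed by the default provider chain.
    private final AwsCredentialsProvider compositeDelegate;
    private final Boolean shouldDebugCreds;
    // Region used for the STS client that resolves the caller identity when debugging is on.
    private final String stsRegion;
    private final RetryPolicy retryPolicy;

    /**
     * Reads the credential-related entries of the client option map and builds the
     * corresponding SDK providers.
     *
     * <p>Values are expected to be strings (a non-string value fails with a
     * {@link ClassCastException}, an unparseable integer with a {@link NumberFormatException}).
     * Only the profile name and the role ARN are logged; access key, secret key and session
     * token are passed to the SDK without being logged.
     */
    public static class ProviderBuilder {
        private final Map<String, ?> optionsMap;

        /**
         * @param map client options; must not be {@code null}
         * @throws NullPointerException if {@code map} is {@code null}
         */
        public ProviderBuilder(Map<String, ?> map) {
            this.optionsMap = Objects.requireNonNull(map, "map");
            if (log.isDebugEnabled()) {
                log.debug("Number of options to configure credential provider {}", map.size());
            }
        }

        /**
         * Returns the providers configured through the option map, in resolution order: the
         * profile provider (if {@code awsProfileName} is set) followed by the STS assume-role
         * provider (if {@code awsRoleArn} is set). The list is mutable and may be empty.
         */
        public List<AwsCredentialsProvider> getProviders() {
            List<AwsCredentialsProvider> providers = new ArrayList<>();
            getProfileProvider().ifPresent(providers::add);
            getStsRoleProvider().ifPresent(providers::add);
            return providers;
        }

        /** Returns {@code true} only when {@code awsDebugCreds} is exactly the string {@code "true"}. */
        public Boolean shouldDebugCreds() {
            return Optional.ofNullable(this.optionsMap.get(AWS_DEBUG_CREDS_KEY))
                    .map(value -> "true".equals(value))
                    .orElse(false);
        }

        /** Returns {@code awsStsRegion}, or {@code aws-global} when it is not set. */
        public String getStsRegion() {
            return Optional.ofNullable((String) this.optionsMap.get(AWS_STS_REGION)).orElse(GLOBAL_REGION);
        }

        /** Returns {@code awsMaxRetries} parsed as an int, or {@value #DEFAULT_MAX_RETRIES} when unset. */
        public int getMaxRetries() {
            return intOption(AWS_MAX_RETRIES, DEFAULT_MAX_RETRIES);
        }

        /**
         * Returns {@code awsMaxBackOffTimeMs} parsed as an int, or
         * {@value #DEFAULT_MAX_BACK_OFF_TIME_MS} when unset.
         */
        public int getMaxBackOffTimeMs() {
            return intOption(AWS_MAX_BACK_OFF_TIME_MS, DEFAULT_MAX_BACK_OFF_TIME_MS);
        }

        /**
         * Reads an integer option stored as a string.
         *
         * @throws ClassCastException    if the value is present but not a {@link String}
         * @throws NumberFormatException if the value is present but not an integer
         */
        private int intOption(String key, int defaultValue) {
            Object value = this.optionsMap.get(key);
            return value == null ? defaultValue : Integer.parseInt((String) value);
        }

        /**
         * Resolves the STS endpoint URL for {@code region} through the SDK's default endpoint
         * provider.
         *
         * @throws RuntimeException wrapping the resolution failure; the thread's interrupt flag
         *                          is restored when resolution was interrupted
         */
        public URI buildEndpointConfiguration(Region region) {
            try {
                Endpoint endpoint = StsEndpointProvider.defaultProvider()
                        .resolveEndpoint(StsEndpointParams.builder().region(region).build())
                        .get();
                return endpoint.url();
            } catch (InterruptedException e) {
                // Restore the interrupt so callers higher up the stack can observe it.
                Thread.currentThread().interrupt();
                throw new RuntimeException(e);
            } catch (ExecutionException e) {
                throw new RuntimeException(e);
            }
        }

        /**
         * Builds an STS client for {@code region}; regional clients get an explicit endpoint
         * override, the global pseudo-region uses the SDK default.
         */
        private StsClientBuilder getStsClientBuilder(Region region) {
            StsClientBuilder clientBuilder = StsClient.builder().region(region);
            if (region != Region.AWS_GLOBAL) {
                clientBuilder.endpointOverride(buildEndpointConfiguration(region));
            }
            return clientBuilder;
        }

        /** Profile provider for {@code awsProfileName}, or empty when the option is absent. */
        private Optional<ProfileCredentialsProvider> getProfileProvider() {
            return Optional.ofNullable(this.optionsMap.get(AWS_PROFILE_NAME_KEY)).map(name -> {
                if (log.isDebugEnabled()) {
                    log.debug("Profile name {}", name);
                }
                return createEnhancedProfileCredentialsProvider((String) name);
            });
        }

        /** Profile provider that re-reads the profile file through the SDK's default supplier. */
        ProfileCredentialsProvider createEnhancedProfileCredentialsProvider(String profileName) {
            return ProfileCredentialsProvider.builder()
                    .profileName(profileName)
                    .profileFile(ProfileFileSupplier.defaultSupplier())
                    .build();
        }

        /**
         * Assume-role provider for {@code awsRoleArn}, or empty when the option is absent.
         *
         * <p>When both {@code awsRoleAccessKeyId} and {@code awsRoleSecretAccessKey} are set the
         * STS call is signed with those static credentials (a session token is used when
         * {@code awsRoleSessionToken} is also set); otherwise the STS client uses its own default
         * credential chain, optionally with {@code awsRoleExternalId}.
         */
        private Optional<StsAssumeRoleCredentialsProvider> getStsRoleProvider() {
            return Optional.ofNullable(this.optionsMap.get(AWS_ROLE_ARN_KEY)).map(arn -> {
                if (log.isDebugEnabled()) {
                    log.debug("Role ARN {}", arn);
                }
                String roleArn = (String) arn;
                String sessionName = Optional.ofNullable((String) this.optionsMap.get(AWS_ROLE_SESSION_KEY))
                        .orElse("aws-msk-iam-auth");
                String stsRegion = getStsRegion();
                // Secret values: read, passed to the SDK, never logged.
                String accessKeyId = (String) this.optionsMap.get(AWS_ROLE_ACCESS_KEY_ID);
                String secretAccessKey = (String) this.optionsMap.get(AWS_ROLE_SECRET_ACCESS_KEY);
                String sessionToken = (String) this.optionsMap.get(AWS_ROLE_SESSION_TOKEN);
                String externalId = (String) this.optionsMap.get(AWS_ROLE_EXTERNAL_ID);

                if (accessKeyId == null || secretAccessKey == null) {
                    return externalId != null
                            ? createSTSRoleCredentialProvider(roleArn, externalId, sessionName, stsRegion)
                            : createSTSRoleCredentialProvider(roleArn, sessionName, stsRegion);
                }
                // NOTE(review): with static keys present, awsRoleExternalId is not applied to the
                // AssumeRole request (the static-credential overload has no external-id parameter).
                // Preserved as-is; confirm whether that is intended.
                AwsCredentials staticCredentials = sessionToken != null
                        ? AwsSessionCredentials.create(accessKeyId, secretAccessKey, sessionToken)
                        : AwsBasicCredentials.create(accessKeyId, secretAccessKey);
                return createSTSRoleCredentialProvider(roleArn, sessionName, stsRegion,
                        StaticCredentialsProvider.create(staticCredentials));
            });
        }

        /** Assume-role provider whose STS client uses the SDK default credential chain. */
        StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn, String sessionName, String stsRegion) {
            return StsAssumeRoleCredentialsProvider.builder()
                    .stsClient(getStsClientBuilder(Region.of(stsRegion)).build())
                    .refreshRequest(AssumeRoleRequest.builder().roleArn(roleArn).roleSessionName(sessionName).build())
                    .asyncCredentialUpdateEnabled(true)
                    .build();
        }

        /** Assume-role provider whose STS client signs with {@code awsCredentialsProvider}. */
        StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn, String sessionName, String stsRegion, AwsCredentialsProvider awsCredentialsProvider) {
            return StsAssumeRoleCredentialsProvider.builder()
                    .stsClient(getStsClientBuilder(Region.of(stsRegion)).credentialsProvider(awsCredentialsProvider).build())
                    .refreshRequest(AssumeRoleRequest.builder().roleArn(roleArn).roleSessionName(sessionName).build())
                    .asyncCredentialUpdateEnabled(true)
                    .build();
        }

        /** Assume-role provider that sends {@code externalId} with the AssumeRole request. */
        StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn, String externalId, String sessionName, String stsRegion) {
            return StsAssumeRoleCredentialsProvider.builder()
                    .stsClient(getStsClientBuilder(Region.of(stsRegion)).build())
                    .refreshRequest(AssumeRoleRequest.builder()
                            .externalId(externalId)
                            .roleArn(roleArn)
                            .roleSessionName(sessionName)
                            .build())
                    .asyncCredentialUpdateEnabled(true)
                    .build();
        }
    }

    /**
     * Builds a provider from the client option map.
     *
     * @param map client options (see {@link ProviderBuilder}); must not be {@code null}
     */
    public MSKCredentialProvider(Map<String, ?> map) {
        this(new ProviderBuilder(map));
    }

    MSKCredentialProvider(ProviderBuilder providerBuilder) {
        this(providerBuilder.getProviders(),
                providerBuilder.shouldDebugCreds(),
                providerBuilder.getStsRegion(),
                providerBuilder.getMaxRetries(),
                providerBuilder.getMaxBackOffTimeMs());
    }

    /**
     * @param providers        caller-configured providers, tried before the default chain
     * @param shouldDebugCreds whether to log the caller identity after a successful resolution
     * @param stsRegion        region of the STS client used for that identity lookup
     * @param maxRetries       retries allowed per resolution; {@code <= 0} disables retrying
     * @param maxBackOffTimeMs upper bound of the jittered delay between attempts
     */
    MSKCredentialProvider(List<AwsCredentialsProvider> providers, Boolean shouldDebugCreds, String stsRegion, int maxRetries, int maxBackOffTimeMs) {
        AwsCredentialsProviderChain.Builder chain = AwsCredentialsProviderChain.builder();
        chain.credentialsProviders(providers);
        chain.addCredentialsProvider(getDefaultProvider());
        this.compositeDelegate = chain.build();

        // Only the caller-configured providers are closed by close(); the default chain built by
        // getDefaultProvider() is not tracked here (unchanged from the original behaviour).
        List<AutoCloseable> closeables = new ArrayList<>();
        for (AwsCredentialsProvider provider : providers) {
            if (provider instanceof AutoCloseable) {
                closeables.add((AutoCloseable) provider);
            }
        }
        this.closeableProviders = closeables;
        this.shouldDebugCreds = shouldDebugCreds;
        this.stsRegion = stsRegion;

        FullJitterBackoffStrategy backoff = FullJitterBackoffStrategy.builder()
                .baseDelay(BASE_DELAY)
                .maxBackoffTime(Duration.ofMillis(maxBackOffTimeMs))
                .build();
        if (maxRetries > 0) {
            // Retry only client-side failures (SdkClientException), bounded by maxRetries.
            this.retryPolicy = RetryPolicy.builder()
                    .retryCondition(AndRetryCondition.create(
                            RetryOnExceptionsCondition.create(SdkClientException.class),
                            MaxNumberOfRetriesCondition.create(maxRetries)))
                    .backoffStrategy(backoff)
                    .build();
        } else {
            this.retryPolicy = RetryPolicy.builder()
                    .retryCondition(RetryCondition.none())
                    .backoffStrategy(backoff)
                    .build();
        }
    }

    /**
     * Default chain appended after the caller-configured providers: environment variables,
     * system properties, web identity token file, default profile, container and instance
     * profile credentials, in that order. Overridable for testing.
     */
    protected AwsCredentialsProvider getDefaultProvider() {
        return AwsCredentialsProviderChain.of(
                EnvironmentVariableCredentialsProvider.create(),
                SystemPropertyCredentialsProvider.create(),
                WebIdentityTokenFileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build(),
                ProfileCredentialsProvider.builder().profileFile(ProfileFileSupplier.defaultSupplier()).build(),
                ContainerCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build(),
                InstanceProfileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build());
    }

    /**
     * Resolves credentials through the composite chain with retries; when debugging is enabled
     * and DEBUG logging is on, also logs the STS caller identity of the resolved credentials.
     *
     * @throws SdkException     the last failure once the retry policy gives up
     * @throws RuntimeException if the thread is interrupted while waiting between attempts
     */
    @Override
    public AwsCredentials resolveCredentials() {
        AwsCredentials credentials = loadCredentialsWithRetry();
        if (credentials != null && Boolean.TRUE.equals(this.shouldDebugCreds) && log.isDebugEnabled()) {
            logCallerIdentity(credentials);
        }
        return credentials;
    }

    /**
     * Calls the composite delegate until it returns credentials or the retry condition rejects
     * the failure. A {@code null} result is treated as a retryable {@link SdkClientException}.
     */
    private AwsCredentials loadCredentialsWithRetry() {
        RetryPolicyContext attempt = RetryPolicyContext.builder().build();
        while (true) {
            try {
                AwsCredentials credentials = this.compositeDelegate.resolveCredentials();
                if (credentials != null) {
                    return credentials;
                }
                // Thrown inside the try on purpose so that the catch below applies the retry policy.
                throw SdkClientException.create("Composite delegate returned empty credentials.");
            } catch (SdkException e) {
                log.warn("Exception loading credentials. Retry Attempts: {}", attempt.retriesAttempted(), e);
                RetryPolicyContext failure = createRetryPolicyContext(e, attempt.retriesAttempted());
                if (!this.retryPolicy.retryCondition().shouldRetry(failure)) {
                    throw e;
                }
                sleepBeforeRetry(failure);
                attempt = createRetryPolicyContext(failure.exception(), failure.retriesAttempted() + 1);
            }
        }
    }

    /**
     * Sleeps for the backoff delay computed for {@code failure}.
     *
     * @throws RuntimeException if interrupted; the interrupt flag is restored first
     */
    private void sleepBeforeRetry(RetryPolicyContext failure) {
        try {
            Thread.sleep(this.retryPolicy.backoffStrategy().computeDelayBeforeNextRetry(failure).toMillis());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException("Interrupted while waiting for credentials.", e);
        }
    }

    private RetryPolicyContext createRetryPolicyContext(SdkException sdkException, int retriesAttempted) {
        return RetryPolicyContext.builder().exception(sdkException).retriesAttempted(retriesAttempted).build();
    }

    /**
     * Logs the STS caller identity of {@code awsCredentials} at DEBUG. Failures are logged at
     * WARN and never propagate. The STS client is closed after the call so each debug lookup does
     * not leak an HTTP client.
     */
    private void logCallerIdentity(AwsCredentials awsCredentials) {
        try (StsClient stsClient = getStsClientForDebuggingCreds(awsCredentials)) {
            log.debug("The identity of the credentials is {}", stsClient.getCallerIdentity().toString());
        } catch (Exception e) {
            log.warn("Error identifying caller identity. If this is not transient, does this application haveaccess to AWS STS?", e);
        }
    }

    /** STS client signing with the given credentials in {@code stsRegion}; the caller must close it. */
    StsClient getStsClientForDebuggingCreds(AwsCredentials awsCredentials) {
        return StsClient.builder()
                .credentialsProvider(StaticCredentialsProvider.create(awsCredentials))
                .region(Region.of(this.stsRegion))
                .build();
    }

    /** Closes every caller-configured provider that is {@link AutoCloseable}; failures are logged at WARN. */
    @Override // java.lang.AutoCloseable
    public void close() {
        for (AutoCloseable provider : this.closeableProviders) {
            try {
                provider.close();
            } catch (Exception e) {
                log.warn("Error closing credential provider", e);
            }
        }
    }

    Boolean getShouldDebugCreds() {
        return this.shouldDebugCreds;
    }
}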
