package org.springframework.vault.authentication;

import com.amazonaws.DefaultRequest;
import com.amazonaws.auth.AWS4Signer;
import com.amazonaws.http.HttpMethodName;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.util.Assert;
import org.springframework.util.Base64Utils;
import org.springframework.util.StringUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/AwsIamAuthentication.class */
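/**
 * AWS-IAM based {@link ClientAuthentication} for Vault.
 * <p>
 * Login signs an STS {@code GetCallerIdentity} request (AWS Signature V4) with the
 * credentials obtained from the configured credentials provider and hands the pieces of
 * that signed request (HTTP method, URL, body and headers, each Base64 encoded) to
 * Vault's {@code auth/{mount}/login} endpoint. This class itself never sends the request
 * to AWS; the only remote call it makes is the POST to Vault.
 * <p>
 * All string-to-byte conversions use UTF-8 explicitly so that the signed payload and the
 * Base64 forms sent to Vault do not depend on the platform default charset.
 */
public class AwsIamAuthentication implements ClientAuthentication {

    private static final Log logger = LogFactory.getLog(AwsIamAuthentication.class);

    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    /** Fixed STS {@code GetCallerIdentity} request body that gets signed. */
    private static final String REQUEST_BODY = "Action=GetCallerIdentity&Version=2011-06-15";

    /**
     * UTF-8 bytes of {@link #REQUEST_BODY}. The same array feeds the signer, the
     * {@code Content-Length} header and the Base64 form sent to Vault, so the three
     * cannot drift apart.
     */
    private static final byte[] REQUEST_BODY_BYTES = REQUEST_BODY.getBytes(StandardCharsets.UTF_8);

    private static final String REQUEST_BODY_BASE64_ENCODED = Base64Utils.encodeToString(REQUEST_BODY_BYTES);

    private final AwsIamAuthenticationOptions options;

    private final RestOperations vaultRestOperations;

    /**
     * Create a new {@link AwsIamAuthentication}.
     * @param awsIamAuthenticationOptions must not be {@literal null}.
     * @param restOperations the {@link RestOperations} used to talk to Vault, must not be
     * {@literal null}.
     * @throws IllegalArgumentException if either argument is {@literal null}.
     */
    public AwsIamAuthentication(AwsIamAuthenticationOptions awsIamAuthenticationOptions, RestOperations restOperations) {

        Assert.notNull(awsIamAuthenticationOptions, "AwsIamAuthenticationOptions must not be null");
        Assert.notNull(restOperations, "Vault RestOperations must not be null");

        this.options = awsIamAuthenticationOptions;
        this.vaultRestOperations = restOperations;
    }

    /**
     * Authenticate against Vault using the AWS-IAM auth method.
     * @return the {@link VaultToken} issued by Vault.
     * @throws VaultException if Vault rejects the login or answers without an
     * {@code auth} field.
     */
    @Override // org.springframework.vault.authentication.ClientAuthentication
    public VaultToken login() throws VaultException {
        return createTokenUsingAwsIam();
    }

    /**
     * Post the signed-request payload to {@code auth/{mount}/login} and turn the
     * {@code auth} section of the response into a {@link VaultToken}.
     * @throws VaultException wrapping the HTTP error (cause preserved) when Vault
     * answers with an error status.
     * @throws IllegalStateException when the response or its {@code auth} field is absent.
     */
    private VaultToken createTokenUsingAwsIam() {

        Map<String, Object> login = createLoginBody(this.options);

        try {
            VaultResponse response = this.vaultRestOperations.postForObject("auth/{mount}/login", login,
                    VaultResponse.class, this.options.getPath());

            Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");

            if (logger.isDebugEnabled()) {
                logLoginSuccess(response.getAuth());
            }

            return LoginTokenUtil.from(response.getAuth());
        }
        catch (HttpStatusCodeException e) {
            // keep the original exception as cause so callers can inspect status/body
            throw new VaultException(
                    String.format("Cannot login using AWS-IAM: %s", VaultResponses.getError(e.getResponseBodyAsString())),
                    e);
        }
    }

    /**
     * Build the Vault login payload: HTTP method, request URL, body and signed headers
     * (each Base64 encoded) plus the role when one is configured.
     * @param options source of endpoint URI, role and credentials.
     * @return mutable map ready to be posted to Vault.
     */
    private static Map<String, Object> createLoginBody(AwsIamAuthenticationOptions options) {

        Map<String, Object> login = new HashMap<>();

        login.put("iam_http_request_method", "POST");
        login.put("iam_request_url",
                Base64Utils.encodeToString(options.getEndpointUri().toString().getBytes(StandardCharsets.UTF_8)));
        login.put("iam_request_body", REQUEST_BODY_BASE64_ENCODED);
        login.put("iam_request_headers",
                Base64Utils.encodeToString(getSignedHeaders(options).getBytes(StandardCharsets.UTF_8)));

        String role = options.getRole();
        // null/empty role is omitted; same check as StringUtils.isEmpty without the deprecated call
        if (role != null && !role.isEmpty()) {
            login.put("role", role);
        }

        return login;
    }

    /**
     * Debug-log a successful login, including the user id and canonical ARN when Vault
     * returned them in the {@code metadata} map. No token material is logged.
     * @param auth the {@code auth} section of the Vault response.
     */
    private static void logLoginSuccess(Map<String, Object> auth) {

        Object metadata = auth.get("metadata");

        if (metadata instanceof Map) {
            Map<?, ?> map = (Map<?, ?>) metadata;
            logger.debug(String.format("Login successful using AWS-IAM authentication for user id %s, ARN %s",
                    map.get("client_user_id"), map.get("canonical_arn")));
        }
        else {
            logger.debug("Login successful using AWS-IAM authentication");
        }
    }

    /**
     * Sign the STS request with the credentials from the configured provider and return
     * the complete set of resulting request headers (including those added by the
     * signer) as a JSON object; every header value is wrapped in a single-element list.
     * @param options source of endpoint URI, server name and credentials provider.
     * @return JSON representation of the signed headers.
     * @throws IllegalStateException if the headers cannot be serialized.
     */
    private static String getSignedHeaders(AwsIamAuthenticationOptions options) {

        Map<String, String> headers = createIamRequestHeaders(options);

        DefaultRequest<Void> request = new DefaultRequest<>("sts");
        request.setContent(new ByteArrayInputStream(REQUEST_BODY_BYTES));
        request.setHeaders(headers);
        request.setHttpMethod(HttpMethodName.POST);
        request.setEndpoint(options.getEndpointUri());

        AWS4Signer signer = new AWS4Signer();
        signer.setServiceName(request.getServiceName());
        signer.sign(request, options.getCredentialsProvider().getCredentials());

        Map<String, List<String>> signedHeaders = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : request.getHeaders().entrySet()) {
            signedHeaders.put(entry.getKey(), Collections.singletonList(entry.getValue()));
        }

        try {
            return OBJECT_MAPPER.writeValueAsString(signedHeaders);
        }
        catch (JsonProcessingException e) {
            throw new IllegalStateException("Cannot serialize headers to JSON", e);
        }
    }

    /**
     * Headers present on the request before it is signed: content length and type for
     * the fixed body and, when configured, {@code X-Vault-AWS-IAM-Server-ID}. Because
     * the server id is added here, it is covered by the signature computed in
     * {@link #getSignedHeaders}.
     * @param options source of the optional server name.
     * @return insertion-ordered, mutable header map.
     */
    private static Map<String, String> createIamRequestHeaders(AwsIamAuthenticationOptions options) {

        Map<String, String> headers = new LinkedHashMap<>();

        // byte length of the body actually signed, not the char count
        headers.put("Content-Length", Integer.toString(REQUEST_BODY_BYTES.length));
        headers.put("Content-Type", "application/x-www-form-urlencoded");

        if (StringUtils.hasText(options.getServerName())) {
            headers.put("X-Vault-AWS-IAM-Server-ID", options.getServerName());
        }

        return headers;
    }
}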
