package org.clazzes.http.aws;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import org.clazzes.http.aws.kms.KMSService;

/* loaded from: input_file:org/clazzes/http/aws/AwsCredentialsManager.class */
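/**
 * Process-wide cache of AWS credentials.
 *
 * <p>Credentials are read from the shared credentials file when it exists, otherwise from the EC2
 * instance meta-data service at {@code http://169.254.169.254/latest/} using a session token
 * (the {@code X-aws-ec2-metadata-token} header). The cache is reloaded lazily by
 * {@link #getCredentials(String)} once the stored rescan time has passed.
 *
 * <p>Thread-safety: the rescan time is read and written under the class monitor. Only one thread
 * reloads at a time; callers arriving during a reload wait up to one minute for it.
 */
public class AwsCredentialsManager {
    /** Credentials file, from {@code AWS_SHARED_CREDENTIALS_FILE} or {@code ~/.aws/credentials}. */
    private static final Path credentialsLocation;
    /** Preferred section name, from {@code AWS_PROFILE} or {@code "default"}. */
    private static final String defaultKey;
    /** Parsed from {@code AWS_USE_FIPS_ENDPOINT}; applies to {@link #securityServices} only. */
    private static final boolean useFipsEndpoint;
    /** Loaded credentials by section/profile name; {@code null} after a failed load. */
    private static Map<String, AwsCredentials> credentials;
    /** Section used when a caller passes {@code null}; may be {@code null} if none qualifies. */
    private static String defaultSection;
    /** Earliest time of the next reload; {@code null} while a reload is in progress. */
    private static Instant nextScan;
    private static final Logger log = Logger.getLogger(AwsCredentialsManager.class.getName());
    private static final Pattern PROFILE_RX = Pattern.compile("^[\\p{Alpha}][\\p{Alnum}_-]*$");
    private static final Set<String> securityServices = Set.of(KMSService.AWS_SERVICE);
    /**
     * Connect and per-request timeout for the meta-data service. Four sequential requests at this
     * bound stay below the one-minute wait that concurrent callers of getCredentials() allow.
     */
    private static final java.time.Duration METADATA_TIMEOUT = java.time.Duration.ofSeconds(5L);
    /** How long a caller waits for a reload that another thread is performing. */
    private static final long RELOAD_WAIT_MILLIS = 60000L;

    /**
     * Folds one credential's expiry into the rescan time computed so far.
     *
     * @param section name used in the log messages
     * @param expires expiry of the credential, or {@code null} if it has none
     * @param now reference time of this load
     * @param retryAt one minute after {@code now}
     * @param candidate rescan time computed so far
     * @return {@code retryAt} if the credential is expired or expires before {@code retryAt},
     *     otherwise the earlier of {@code expires} and {@code candidate}
     */
    private static Instant scanTimeFor(String section, Instant expires, Instant now, Instant retryAt, Instant candidate) {
        if (expires == null) {
            return candidate;
        }
        if (expires.isBefore(now)) {
            log.warning("Credentials for [" + section + "] have expired on [" + expires + "], will retry in a minute.");
            return retryAt;
        }
        if (expires.isBefore(retryAt)) {
            log.warning("Credentials for [" + section + "] will expired within the next minute at [" + expires + "], will retry in a minute.");
            return retryAt;
        }
        return expires.isBefore(candidate) ? expires : candidate;
    }

    /**
     * Loads all sections from the credentials file and selects the default section.
     *
     * @param instant reference time of this load
     * @return the next rescan time: at most one day ahead, earlier if a credential expires sooner,
     *     one minute ahead on any error (in which case the cache is cleared)
     */
    private static Instant loadCredentialsFromFile(Instant instant) {
        Instant retryAt = instant.plus(1L, ChronoUnit.MINUTES);
        log.info("Loading AWS credentials [" + credentialsLocation + "]...");
        // try-with-resources: the stream was previously never closed, leaking a file handle
        // on every reload.
        try (var in = Files.newInputStream(credentialsLocation, StandardOpenOption.READ)) {
            credentials = AwsCredentials.readFromStream(in);
            defaultSection = credentials.containsKey(defaultKey) ? defaultKey : null;
            if (defaultSection == null) {
                if (credentials.size() == 1) {
                    String only = credentials.keySet().iterator().next();
                    log.warning("AWS credentials from [" + credentialsLocation + "] contain no [" + defaultKey + "] section, using the only section [" + only + "] as default.");
                    defaultSection = only;
                } else {
                    log.warning("AWS credentials from [" + credentialsLocation + "] contain no [" + defaultKey + "] section and multiple sections, no default section available.");
                }
            }
            Instant rescanAt = instant.plus(1L, ChronoUnit.DAYS);
            for (Map.Entry<String, AwsCredentials> entry : credentials.entrySet()) {
                rescanAt = scanTimeFor(entry.getKey(), entry.getValue().x_security_token_expires, instant, retryAt, rescanAt);
            }
            log.info("Loaded [" + credentials.size() + "] AWS credentials from [" + credentialsLocation + "], next scan will be at [" + rescanAt + "].");
            return rescanAt;
        } catch (Exception e) {
            log.log(Level.SEVERE, "Error loading AWS credentials from [" + credentialsLocation + "], will retry in a minute.", e);
            credentials = null;
            return retryAt;
        }
    }

    /**
     * Sends one meta-data request and returns the body of a 200 response.
     *
     * @param client HTTP client to use
     * @param request request to send
     * @param what short description used in the error message
     * @return the response body
     * @throws Exception on I/O failure, interruption, or a non-200 status (AwsResponseException;
     *     whether that type is checked is not visible here, hence the broad clause)
     */
    private static String fetchMetaData(HttpClient client, HttpRequest request, String what) throws Exception {
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new AwsResponseException("Error fetching " + what + " using [" + request.method() + " " + request.uri() + "]", response);
        }
        return response.body();
    }

    /**
     * Loads the instance role credentials from the EC2 meta-data service.
     *
     * <p>Every step runs inside one try block, so a failed request, an unexpected status or an
     * invalid profile name clears the cache and schedules a retry instead of propagating to the
     * caller (and, on first use, out of the static initializer).
     *
     * @param instant reference time of this load
     * @return the next rescan time: at most one day ahead, the credential expiry if sooner, one
     *     minute ahead on any error
     */
    private static Instant loadCredentialsFromAwsMetaData(Instant instant) {
        Instant retryAt = instant.plus(1L, ChronoUnit.MINUTES);
        try {
            // Plain HTTP to the link-local meta-data address, as written in the original code.
            URI base = new URI("http://169.254.169.254/latest/");
            // Bounded connect time: without it a host that cannot reach the address blocks the
            // loading thread, and every waiting caller, for the platform's TCP timeout.
            HttpClient client = HttpClient.newBuilder().connectTimeout(METADATA_TIMEOUT).build();

            URI tokenUri = base.resolve("api/token");
            log.info("Fetching meta-data API token using [PUT " + tokenUri + "]");
            String token = fetchMetaData(
                    client,
                    HttpRequest.newBuilder(tokenUri)
                            .PUT(HttpRequest.BodyPublishers.noBody())
                            .header("X-aws-ec2-metadata-token-ttl-seconds", "21600")
                            .timeout(METADATA_TIMEOUT)
                            .build(),
                    "API token");
            // The session token authorizes the credential requests below, so its value is
            // deliberately not written to the log at any level.
            log.info("Successfully fetched API token using [PUT " + tokenUri + "]");

            URI regionUri = base.resolve("meta-data/placement/region");
            log.info("Fetching region using [GET " + regionUri + "]");
            String region = fetchMetaData(
                    client,
                    HttpRequest.newBuilder(regionUri).header("X-aws-ec2-metadata-token", token).timeout(METADATA_TIMEOUT).build(),
                    "region");
            log.info("[GET " + regionUri + "] returned [" + region + "].");

            URI profileListUri = base.resolve("meta-data/iam/security-credentials/");
            log.info("Fetching profile name from [GET " + profileListUri + "]");
            String profile = fetchMetaData(
                    client,
                    HttpRequest.newBuilder(profileListUri).header("X-aws-ec2-metadata-token", token).timeout(METADATA_TIMEOUT).build(),
                    "profile name");
            // Validate before the name becomes part of the next request URI, so the response
            // body cannot steer the request to a different path.
            if (!PROFILE_RX.matcher(profile).matches()) {
                throw new IllegalArgumentException("Invalid profile [" + profile + "] specified.");
            }
            log.info("[GET " + profileListUri + "] returned [" + profile + "].");

            URI credentialUri = base.resolve("meta-data/iam/security-credentials/" + profile);
            log.info("Fetching credential from [GET " + credentialUri + "]");
            String credentialJson = fetchMetaData(
                    client,
                    HttpRequest.newBuilder(credentialUri).header("X-aws-ec2-metadata-token", token).timeout(METADATA_TIMEOUT).build(),
                    "credentials name");
            Map<String, Object> parsed = AwsJsonParser.parseObject(credentialJson);
            AwsCredentials loaded = AwsCredentials.ofMetaData(region, parsed);
            // NOTE(review): this logs AwsCredentials.toString() at INFO; confirm that toString()
            // omits or masks the secret key and the session token.
            log.info("[GET " + credentialUri + "] returned [" + loaded + "].");
            defaultSection = profile;
            credentials = Map.of(profile, loaded);
            return scanTimeFor(profile, loaded.x_security_token_expires, instant, retryAt, instant.plus(1L, ChronoUnit.DAYS));
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                // Keep the interrupt visible to the caller's thread.
                Thread.currentThread().interrupt();
            }
            log.log(Level.SEVERE, "Error loading AWS credentials from http://169.254.169.254/, will retry in a minute.", e);
            credentials = null;
            return retryAt;
        }
    }

    /**
     * Loads from the credentials file if it exists, otherwise from the meta-data service.
     *
     * @param instant reference time of this load
     * @return the next rescan time
     */
    private static Instant loadCredentials(Instant instant) {
        if (Files.exists(credentialsLocation)) {
            return loadCredentialsFromFile(instant);
        }
        return loadCredentialsFromAwsMetaData(instant);
    }

    /**
     * Returns the credentials of the default section.
     *
     * @return the default credentials, or {@code null} if none are available
     */
    public static AwsCredentials getDefaultCredentials() {
        return getCredentials(null);
    }

    /**
     * Looks up a section in the current cache without any locking; {@link #getCredentials(String)}
     * calls this while holding the class monitor.
     *
     * @param str section name, or {@code null} for the default section
     * @return the credentials, or {@code null} if the cache is empty or has no such section
     */
    protected static AwsCredentials getCredentialsUnlocked(String str) {
        if (credentials == null) {
            return null;
        }
        return credentials.get(str == null ? defaultSection : str);
    }

    /**
     * Returns the credentials of a section, reloading the cache first when the rescan time has
     * passed.
     *
     * <p>The reload runs outside the class monitor. Callers arriving meanwhile wait up to one
     * minute for it to finish.
     *
     * @param str section name, or {@code null} for the default section
     * @return the credentials, or {@code null} if they are unavailable, the wait timed out, or the
     *     waiting thread was interrupted (its interrupt status is restored)
     */
    public static AwsCredentials getCredentials(String str) {
        Instant now = Instant.now();
        synchronized (AwsCredentialsManager.class) {
            if (nextScan == null) {
                // Another thread is reloading. Wait against a deadline so a spurious wake-up is
                // not reported as a timeout.
                long deadline = System.nanoTime() + RELOAD_WAIT_MILLIS * 1000000L;
                try {
                    while (nextScan == null) {
                        long remainingMillis = (deadline - System.nanoTime()) / 1000000L;
                        // wait(0) would block without limit, so stop at or below zero.
                        if (remainingMillis <= 0L) {
                            log.warning("Wait for concurrently loading credentials timed out after a minute.");
                            return null;
                        }
                        AwsCredentialsManager.class.wait(remainingMillis);
                    }
                    return getCredentialsUnlocked(str);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    log.warning("Wait for concurrently loading credentials has been interrupted.");
                    return null;
                }
            }
            if (!nextScan.isBefore(now)) {
                return getCredentialsUnlocked(str);
            }
            // Mark the reload as in progress; this thread performs it after leaving the monitor.
            nextScan = null;
        }
        Instant rescanAt;
        try {
            rescanAt = loadCredentials(now);
        } catch (RuntimeException e) {
            // Without this, nextScan would stay null and every later caller would wait a minute
            // and get null, with no further reload attempt.
            log.log(Level.SEVERE, "Unexpected error loading AWS credentials, will retry in a minute.", e);
            rescanAt = now.plus(1L, ChronoUnit.MINUTES);
        }
        synchronized (AwsCredentialsManager.class) {
            nextScan = rescanAt;
            AwsCredentialsManager.class.notifyAll();
            return getCredentialsUnlocked(str);
        }
    }

    /**
     * Builds the regional endpoint host name of an AWS service.
     *
     * @param str service name used as the host prefix
     * @param awsCredentials credentials supplying the region
     * @return {@code <service>-fips.<region>.amazonaws.com} for the listed security services when
     *     FIPS endpoints are enabled, otherwise {@code <service>.<region>.amazonaws.com}
     * @throws IllegalStateException if {@code awsCredentials} is {@code null}
     */
    public static String getEndpointHost(String str, AwsCredentials awsCredentials) {
        if (awsCredentials == null) {
            throw new IllegalStateException("No AWS credentials found.");
        }
        // NOTE(review): the region is concatenated into the host name as-is; whether
        // AwsCredentials validates it is not visible here.
        boolean fips = securityServices.contains(str) && useFipsEndpoint;
        String servicePart = fips ? str + "-fips." : str + ".";
        return servicePart + awsCredentials.region + ".amazonaws.com";
    }

    // Must stay below the static field initializers above: it uses log and securityServices and
    // triggers the first load.
    static {
        Path location;
        String configuredFile = System.getenv("AWS_SHARED_CREDENTIALS_FILE");
        if (configuredFile == null) {
            location = Paths.get(System.getProperty("user.home"), ".aws", "credentials");
            log.info("Using AWS credentials from [" + location + "] set as [~/.aws/credentials]");
        } else {
            location = Paths.get(configuredFile);
            log.info("Using AWS credentials from [" + location + "] set by AWS_SHARED_CREDENTIALS_FILE");
        }
        credentialsLocation = location;
        String configuredProfile = System.getenv("AWS_PROFILE");
        defaultKey = configuredProfile == null ? "default" : configuredProfile;
        log.info("Using default AWS identity [" + defaultKey + "].");
        useFipsEndpoint = Boolean.parseBoolean(System.getenv("AWS_USE_FIPS_ENDPOINT"));
        if (useFipsEndpoint) {
            log.info("Will use FIPS endpoints for AWS security services " + securityServices + ".");
        } else {
            log.info("Will use non-FIPS endpoints for AWS security services " + securityServices + ".");
        }
        nextScan = loadCredentials(Instant.now());
    }
}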
