package software.amazon.awssdk.auth.credentials.internal;

import java.lang.reflect.InvocationTargetException;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ChildProfileCredentialsProviderFactory;
import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider;
import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProcessCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProviderFactory;
import software.amazon.awssdk.auth.credentials.ProfileProviderCredentialsContext;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
import software.amazon.awssdk.core.internal.util.ClassLoaderHelper;
import software.amazon.awssdk.profiles.Profile;
import software.amazon.awssdk.profiles.ProfileFile;
import software.amazon.awssdk.profiles.ProfileProperty;
import software.amazon.awssdk.profiles.internal.ProfileSection;
import software.amazon.awssdk.utils.Validate;

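/**
 * Turns the properties of one {@link Profile} into an {@link AwsCredentialsProvider}.
 *
 * <p>Decompiled from software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.class.
 * The {@code mo1151build()} calls below look like a decompiler-assigned name for the builders'
 * {@code build()} method; they are left untouched so this file stays consistent with whatever
 * sibling sources it was decompiled with.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every decision here is driven by the contents of the profile file. In particular the
 *       {@code credential_process} value is handed to {@link ProcessCredentialsProvider} as a
 *       command and the {@code web_identity_token_file} value is used as a file path, so the
 *       profile file must be treated as trusted, write-protected configuration.</li>
 *   <li>The factory classes loaded reflectively are named by compile-time constants, never by
 *       profile content.</li>
 *   <li>Exception messages built in this class contain profile and property names only, not
 *       credential values.</li>
 * </ul>
 */
@SdkInternalApi
public final class ProfileCredentialsUtils {
    private static final String STS_PROFILE_CREDENTIALS_PROVIDER_FACTORY = "software.amazon.awssdk.services.sts.internal.StsProfileCredentialsProviderFactory";
    private static final String SSO_PROFILE_CREDENTIALS_PROVIDER_FACTORY = "software.amazon.awssdk.services.sso.auth.SsoProfileCredentialsProviderFactory";
    private final ProfileFile profileFile;
    private final Profile profile;
    private final String name;
    private final Map<String, String> properties;
    // May be null; only required when the profile uses source_profile (checked at that point).
    private final Function<String, Optional<Profile>> credentialsSourceResolver;

    /**
     * @param profileFile the file the profile came from; must not be null
     * @param profile the profile whose properties select the provider; must not be null
     * @param function resolves a {@code source_profile} name to a profile; may be null when the
     *     profile does not chain to a source profile
     */
    public ProfileCredentialsUtils(ProfileFile profileFile, Profile profile, Function<String, Optional<Profile>> function) {
        this.profileFile = (ProfileFile) Validate.paramNotNull(profileFile, "profileFile");
        this.profile = (Profile) Validate.paramNotNull(profile, "profile");
        this.name = profile.name();
        this.properties = profile.properties();
        this.credentialsSourceResolver = function;
    }

    /**
     * Builds the credentials provider described by this profile.
     *
     * @return the provider, or an empty {@link Optional} when the profile carries none of the
     *     recognised credential properties
     */
    public Optional<AwsCredentialsProvider> credentialsProvider() {
        // Fresh visited-set per top-level call; it is threaded through source_profile recursion.
        return credentialsProvider(new HashSet<>());
    }

    /**
     * Selects a provider by fixed precedence: web identity role, SSO, role with
     * source_profile / credential_source, credential_process, session credentials, basic
     * credentials.
     *
     * @param visitedProfiles names of profiles already walked in the current source_profile chain
     */
    private Optional<AwsCredentialsProvider> credentialsProvider(Set<String> visitedProfiles) {
        if (hasProperty(ProfileProperty.ROLE_ARN) && hasProperty(ProfileProperty.WEB_IDENTITY_TOKEN_FILE)) {
            return Optional.ofNullable(roleAndWebIdentityTokenProfileCredentialsProvider());
        }

        // A single SSO-related key is enough to commit to SSO; the full set is validated later.
        boolean anySsoProperty = hasProperty(ProfileProperty.SSO_ROLE_NAME)
                || hasProperty(ProfileProperty.SSO_ACCOUNT_ID)
                || hasProperty(ProfileProperty.SSO_REGION)
                || hasProperty(ProfileProperty.SSO_START_URL)
                || hasProperty(ProfileSection.SSO_SESSION.getPropertyKeyName());
        if (anySsoProperty) {
            return Optional.ofNullable(ssoProfileCredentialsProvider());
        }

        if (hasProperty(ProfileProperty.ROLE_ARN)) {
            boolean hasSourceProfile = hasProperty(ProfileProperty.SOURCE_PROFILE);
            boolean hasCredentialSource = hasProperty(ProfileProperty.CREDENTIAL_SOURCE);
            Validate.validState(!(hasSourceProfile && hasCredentialSource), "Invalid profile file: profile has both %s and %s.", ProfileProperty.SOURCE_PROFILE, ProfileProperty.CREDENTIAL_SOURCE);
            if (hasSourceProfile) {
                return Optional.ofNullable(roleAndSourceProfileBasedProfileCredentialsProvider(visitedProfiles));
            }
            if (hasCredentialSource) {
                return Optional.ofNullable(roleAndCredentialSourceBasedProfileCredentialsProvider());
            }
            // role_arn with neither source falls through to the checks below.
        }

        if (hasProperty(ProfileProperty.CREDENTIAL_PROCESS)) {
            return Optional.ofNullable(credentialProcessCredentialsProvider());
        }
        if (hasProperty(ProfileProperty.AWS_SESSION_TOKEN)) {
            return Optional.of(sessionProfileCredentialsProvider());
        }
        if (hasProperty(ProfileProperty.AWS_ACCESS_KEY_ID)) {
            return Optional.of(basicProfileCredentialsProvider());
        }
        return Optional.empty();
    }

    /** Returns whether the profile defines the given property key. */
    private boolean hasProperty(String key) {
        return this.properties.containsKey(key);
    }

    /**
     * Wraps the long-lived access key pair stored in the profile in a static provider.
     * The secret is read straight from the profile properties; it must never be logged.
     */
    private AwsCredentialsProvider basicProfileCredentialsProvider() {
        requireProperties(ProfileProperty.AWS_ACCESS_KEY_ID, ProfileProperty.AWS_SECRET_ACCESS_KEY);
        return StaticCredentialsProvider.create(AwsBasicCredentials.builder()
                .accessKeyId(this.properties.get(ProfileProperty.AWS_ACCESS_KEY_ID))
                .secretAccessKey(this.properties.get(ProfileProperty.AWS_SECRET_ACCESS_KEY))
                .accountId(this.properties.get(ProfileProperty.AWS_ACCOUNT_ID))
                .mo1151build());
    }

    /** Same as the basic provider, but additionally requires and carries the session token. */
    private AwsCredentialsProvider sessionProfileCredentialsProvider() {
        requireProperties(ProfileProperty.AWS_ACCESS_KEY_ID, ProfileProperty.AWS_SECRET_ACCESS_KEY, ProfileProperty.AWS_SESSION_TOKEN);
        return StaticCredentialsProvider.create(AwsSessionCredentials.builder()
                .accessKeyId(this.properties.get(ProfileProperty.AWS_ACCESS_KEY_ID))
                .secretAccessKey(this.properties.get(ProfileProperty.AWS_SECRET_ACCESS_KEY))
                .sessionToken(this.properties.get(ProfileProperty.AWS_SESSION_TOKEN))
                .accountId(this.properties.get(ProfileProperty.AWS_ACCOUNT_ID))
                .mo1151build());
    }

    /**
     * Builds a provider that obtains credentials from the profile's {@code credential_process}.
     *
     * <p>NOTE(review): the property value is passed unmodified as the provider's command, so
     * whoever can write the profile file decides what is run under the application's identity.
     * Restrict write access to the profile file accordingly.
     */
    private AwsCredentialsProvider credentialProcessCredentialsProvider() {
        requireProperties(ProfileProperty.CREDENTIAL_PROCESS);
        return ProcessCredentialsProvider.builder()
                .command(this.properties.get(ProfileProperty.CREDENTIAL_PROCESS))
                .staticAccountId(this.properties.get(ProfileProperty.AWS_ACCOUNT_ID))
                .mo1151build();
    }

    /** Validates the SSO properties, then delegates to the reflectively loaded SSO factory. */
    private AwsCredentialsProvider ssoProfileCredentialsProvider() {
        validateRequiredPropertiesForSsoCredentialsProvider();
        return ssoCredentialsProviderFactory().create(ProfileProviderCredentialsContext.builder()
                .profile(this.profile)
                .profileFile(this.profileFile)
                .build());
    }

    /**
     * Account id and role name are always required; region and start URL are required only when
     * the profile does not reference an sso-session section.
     */
    private void validateRequiredPropertiesForSsoCredentialsProvider() {
        requireProperties(ProfileProperty.SSO_ACCOUNT_ID, ProfileProperty.SSO_ROLE_NAME);
        if (!hasProperty(ProfileSection.SSO_SESSION.getPropertyKeyName())) {
            requireProperties(ProfileProperty.SSO_REGION, ProfileProperty.SSO_START_URL);
        }
    }

    /**
     * Builds a web-identity provider from role_arn, the optional role_session_name and the token
     * file path. The path comes from the profile and is not validated or normalised here.
     */
    private AwsCredentialsProvider roleAndWebIdentityTokenProfileCredentialsProvider() {
        requireProperties(ProfileProperty.ROLE_ARN, ProfileProperty.WEB_IDENTITY_TOKEN_FILE);
        String roleArn = this.properties.get(ProfileProperty.ROLE_ARN);
        return WebIdentityCredentialsUtils.factory().create(WebIdentityTokenCredentialProperties.builder()
                .roleArn(roleArn)
                .roleSessionName(this.properties.get(ProfileProperty.ROLE_SESSION_NAME))
                .webIdentityTokenFile(Paths.get(this.properties.get(ProfileProperty.WEB_IDENTITY_TOKEN_FILE)))
                .build());
    }

    /**
     * Resolves the source profile's provider recursively and hands it to the STS factory.
     *
     * @param visitedProfiles profile names already on the current chain; used to reject cycles
     *     before recursing, which also bounds the recursion depth
     */
    private AwsCredentialsProvider roleAndSourceProfileBasedProfileCredentialsProvider(Set<String> visitedProfiles) {
        requireProperties(ProfileProperty.SOURCE_PROFILE);
        Validate.validState(!visitedProfiles.contains(this.name), "Invalid profile file: Circular relationship detected with profiles %s.", visitedProfiles);
        Validate.validState(this.credentialsSourceResolver != null, "The profile '%s' must be configured with a source profile in order to use assumed roles.", this.name);
        visitedProfiles.add(this.name);

        // Load the factory first so a missing 'sts' module is reported before source resolution.
        ChildProfileCredentialsProviderFactory stsFactory = stsCredentialsProviderFactory();
        AwsCredentialsProvider sourceProvider = this.credentialsSourceResolver
                .apply(this.properties.get(ProfileProperty.SOURCE_PROFILE))
                .flatMap(sourceProfile -> new ProfileCredentialsUtils(this.profileFile, sourceProfile, this.credentialsSourceResolver).credentialsProvider(visitedProfiles))
                .orElseThrow(this::noSourceCredentialsException);
        return stsFactory.create(sourceProvider, this.profile);
    }

    /** Builds the provider named by credential_source and hands it to the STS factory. */
    private AwsCredentialsProvider roleAndCredentialSourceBasedProfileCredentialsProvider() {
        requireProperties(ProfileProperty.CREDENTIAL_SOURCE);
        ChildProfileCredentialsProviderFactory stsFactory = stsCredentialsProviderFactory();
        CredentialSourceType sourceType = CredentialSourceType.parse(this.properties.get(ProfileProperty.CREDENTIAL_SOURCE));
        return stsFactory.create(credentialSourceCredentialProvider(sourceType), this.profile);
    }

    /**
     * Maps a credential_source value to the provider that reads from that source.
     * ENVIRONMENT checks system properties before environment variables.
     */
    private AwsCredentialsProvider credentialSourceCredentialProvider(CredentialSourceType credentialSourceType) {
        switch (credentialSourceType) {
            case ECS_CONTAINER:
                return ContainerCredentialsProvider.builder().mo1151build();
            case EC2_INSTANCE_METADATA:
                return InstanceProfileCredentialsProvider.builder().profileFile(this.profileFile).profileName(this.name).mo1151build();
            case ENVIRONMENT:
                // The casts pin the AwsCredentialsProvider overload of addCredentialsProvider.
                return AwsCredentialsProviderChain.builder()
                        .addCredentialsProvider((AwsCredentialsProvider) SystemPropertyCredentialsProvider.create())
                        .addCredentialsProvider((AwsCredentialsProvider) EnvironmentVariableCredentialsProvider.create())
                        .mo1151build();
            default:
                throw noSourceCredentialsException();
        }
    }

    /**
     * Fails validation for the first listed property the profile does not define.
     * Only the property name and profile name go into the message, never a value.
     */
    private void requireProperties(String... strArr) {
        for (String requiredKey : strArr) {
            Validate.isTrue(this.properties.containsKey(requiredKey), "Profile property '%s' was not configured for '%s'.", requiredKey, this.name);
        }
    }

    /** Creates (does not throw) the exception used when the configured source yields no credentials. */
    private IllegalStateException noSourceCredentialsException() {
        return new IllegalStateException(String.format("The source profile of '%s' was configured to be '%s', but that source profile has no credentials configured.", this.name, this.properties.get(ProfileProperty.SOURCE_PROFILE)));
    }

    /**
     * Reflectively instantiates the STS factory so this module has no compile-time dependency on
     * it. The class name is a constant, so profile content cannot influence which class is loaded.
     */
    private ChildProfileCredentialsProviderFactory stsCredentialsProviderFactory() {
        try {
            Class<?> factoryClass = ClassLoaderHelper.loadClass(STS_PROFILE_CREDENTIALS_PROVIDER_FACTORY, getClass());
            return (ChildProfileCredentialsProviderFactory) factoryClass.getConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("To use assumed roles in the '" + this.name + "' profile, the 'sts' service module must be on the class path.", e);
        } catch (IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e2) {
            throw new IllegalStateException("Failed to create the '" + this.name + "' profile credentials provider.", e2);
        }
    }

    /**
     * Reflectively instantiates the SSO factory; as with STS, the class name is a constant and
     * is not derived from the profile.
     */
    private ProfileCredentialsProviderFactory ssoCredentialsProviderFactory() {
        try {
            Class<?> factoryClass = ClassLoaderHelper.loadClass(SSO_PROFILE_CREDENTIALS_PROVIDER_FACTORY, getClass());
            return (ProfileCredentialsProviderFactory) factoryClass.getConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("To use Sso related properties in the '" + this.name + "' profile, the 'sso' service module must be on the class path.", e);
        } catch (IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e2) {
            throw new IllegalStateException("Failed to create the '" + this.name + "' profile credentials provider.", e2);
        }
    }
}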
