package com.dbeaver.net.auth.aws;

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonSyntaxException;
import com.google.gson.reflect.TypeToken;
import java.lang.reflect.Type;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.jkiss.code.NotNull;
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.Log;
import org.jkiss.dbeaver.model.DBPDataSource;
import org.jkiss.dbeaver.model.connection.DBPConnectionConfiguration;
import org.jkiss.dbeaver.model.data.json.JSONUtils;
import org.jkiss.dbeaver.model.exec.DBCException;
import org.jkiss.dbeaver.model.runtime.DBRInvoker;
import org.jkiss.dbeaver.model.runtime.DBRProgressMonitor;
import org.jkiss.utils.Base64;
import org.jkiss.utils.CommonUtils;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.signer.internal.SigningAlgorithm;
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.core.retry.RetryMode;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.PartitionMetadata;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.sso.auth.ExpiredTokenException;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.utils.BinaryUtils;

/* loaded from: input_file:com/dbeaver/net/auth/aws/AWSIAMUtils.class */
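/**
 * Helpers for the AWS authentication model: reading database credentials from Secrets Manager,
 * generating an RDS IAM connect token (SigV4 presigned "connect" request), restoring credentials
 * from session data and building STS clients.
 *
 * Fixes relative to the previous revision:
 * <ul>
 *   <li>the port-mismatch warning printed host values, and the database name from the secret
 *       was compared against the port instead of the configured database name;</li>
 *   <li>an empty secret payload made {@link #readSecretValue} return {@code null} despite
 *       being declared {@code @NotNull};</li>
 *   <li>binary secrets were decoded with the platform default charset;</li>
 *   <li>{@link #createStsClient} passed a pre-built {@code SdkHttpClient}, which the SDK does not
 *       close together with the service client, leaking a connection pool per call;</li>
 *   <li>expired-token matching depended on the JVM default locale.</li>
 * </ul>
 */
public class AWSIAMUtils {
    /** SigV4 algorithm identifier used both in the query string and in the string-to-sign. */
    private static final String ALGORITHM = "AWS4-HMAC-SHA256";
    /** Service name of the credential scope for RDS IAM connect tokens. */
    private static final String SERVICE_NAME = "rds-db";
    /**
     * Token lifetime in seconds (the value of X-Amz-Expires). The old field name "expiryMinutes"
     * was misleading: 899 is just under 15 minutes, presumably to stay below the RDS token limit.
     */
    private static final String EXPIRY_SECONDS = "899";
    private static final Log log = Log.getLog(AWSIAMUtils.class);
    /** Gson target type for JSON secrets: a flat {@code {"key": "value"}} object. */
    private static final Type SECRET_TYPE = new TypeToken<Map<String, String>>() { // from class: com.dbeaver.net.auth.aws.AWSIAMUtils.1
    }.getType();
    /** SigV4 date stamp (credential scope), always UTC. */
    private static final DateTimeFormatter DATE_STAMP_FORMAT = DateTimeFormatter.ofPattern("yyyyMMdd").withZone(ZoneId.of("UTC"));
    /**
     * SigV4 request timestamp, always UTC. NOTE(review): no trailing 'Z' as in the canonical
     * SigV4 examples; kept as shipped, since this is what the existing integration sends.
     */
    private static final DateTimeFormatter AMZ_DATE_FORMAT = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss").withZone(ZoneId.of("UTC"));

    /**
     * Loads a Secrets Manager secret and applies its fields to the connection.
     *
     * The secret must contain {@code password}. {@code username}, {@code host}, {@code port} and
     * {@code dbname} are optional; when present and different from the configured values they
     * override the configuration, the mismatch is logged at WARN, and the JDBC URL is rebuilt.
     * Trust note: whoever can write the secret therefore decides which host receives the password.
     * That is the intended model for RDS-managed secrets, which is why overrides are logged
     * rather than rejected.
     *
     * @param authModel           credentials object receiving the user name and password
     * @param region              AWS region id of the Secrets Manager endpoint
     * @param secretId            secret name or ARN
     * @param credentialsProvider AWS credentials used to call Secrets Manager
     * @param dataSource          data source whose driver regenerates the URL after an override
     * @param connectionConfig    connection settings to update; only dereferenced when the secret
     *                            carries host, port or dbname
     * @throws DBException if the secret cannot be read, is neither JSON nor single-line plaintext,
     *                     or has no password
     */
    public static void initSecretAuthentication(@NotNull AuthModelAWSCredentials authModel, @NotNull String region, @NotNull String secretId, @NotNull AwsCredentialsProvider credentialsProvider, @NotNull DBPDataSource dataSource, DBPConnectionConfiguration connectionConfig) throws DBException {
        Map<String, String> secret = readSecretValue(region, secretId, credentialsProvider);

        String password = secret.get("password");
        if (password == null) {
            throw new DBException("Secret doesn't contain a password, please verify that your secret has the required field");
        }
        authModel.setUserPassword(password);

        String username = secret.get("username");
        if (username != null) {
            if (!username.equals(authModel.getUserName())) {
                log.warn("Expected username is different from actual: actual = " + username + ", expected = " + authModel.getUserName());
            }
            authModel.setUserName(username);
        }

        boolean urlChanged = false;

        String host = secret.get("host");
        if (host != null && !host.equals(connectionConfig.getHostName())) {
            log.warn("Expected host is different from actual: actual = " + host + ", expected = " + connectionConfig.getHostName());
            connectionConfig.setHostName(host);
            urlChanged = true;
        }

        String port = secret.get("port");
        if (port != null && !port.equals(connectionConfig.getHostPort())) {
            // Fix: this message previously printed the host values instead of the port values.
            log.warn("Expected port is different from actual: actual = " + port + ", expected = " + connectionConfig.getHostPort());
            connectionConfig.setHostPort(port);
            urlChanged = true;
        }

        String dbName = secret.get("dbname");
        // Fix: the database name was compared against getHostPort(), so nearly every secret with a
        // dbname produced a spurious warning and overrode the database even when it already matched.
        if (dbName != null && !dbName.equals(connectionConfig.getDatabaseName())) {
            log.warn("Expected database is different from actual: actual = " + dbName + ", expected = " + connectionConfig.getDatabaseName());
            connectionConfig.setDatabaseName(dbName);
            urlChanged = true;
        }

        if (urlChanged) {
            // Host, port and database are also embedded in the URL; regenerate it so the driver
            // connects to the overridden target rather than the stale one.
            connectionConfig.setUrl(dataSource.getContainer().getDriver().getConnectionURL(connectionConfig));
        }
    }

    /**
     * Fetches a secret from Secrets Manager and parses it.
     *
     * A JSON object is returned as its key/value pairs; a single-line non-JSON payload is treated
     * as a bare password and returned as {@code {"password": <payload>}}. Multi-line non-JSON
     * payloads are rejected.
     *
     * @param region              AWS region id of the Secrets Manager endpoint
     * @param secretId            secret name or ARN
     * @param credentialsProvider AWS credentials used for the call
     * @return never {@code null}; at least the password key for plaintext secrets
     * @throws DBException if the payload is empty, multi-line plaintext, or the SDK call fails
     *                     (SDK exceptions propagate unchanged)
     */
    @NotNull
    public static Map<String, String> readSecretValue(@NotNull String region, @NotNull String secretId, @NotNull AwsCredentialsProvider credentialsProvider) throws DBException {
        // try-with-resources replaces the decompiled close/rethrow ladder; the client is closed on
        // every path and exceptions from the body are preserved (close failures become suppressed).
        try (SecretsManagerClient client = SecretsManagerClient.builder()
                .region(Region.of(region))
                .credentialsProvider(credentialsProvider)
                .build()) {
            GetSecretValueResponse response = client.getSecretValue(
                GetSecretValueRequest.builder().secretId(secretId).build());

            String payload;
            if (response.secretString() != null) {
                payload = response.secretString();
            } else {
                // Explicit UTF-8: the previous new String(byte[]) used the platform default charset.
                // NOTE(review): the v2 SDK normally hands back SdkBytes already base64-decoded; the
                // extra Base64.decode here assumes the stored binary is itself base64 text. Kept as
                // shipped — confirm against a real binary secret before changing.
                payload = new String(Base64.decode(response.secretBinary().asUtf8String()), StandardCharsets.UTF_8);
            }
            return parseSecretPayload(payload);
        }
    }

    /**
     * Parses a secret payload as a flat JSON object, falling back to "bare password" for
     * single-line non-JSON text.
     *
     * @param payload raw secret text
     * @return parsed key/value map, or {@code {"password": payload}} for plaintext
     * @throws DBException if the payload is empty or is multi-line non-JSON text
     */
    @NotNull
    private static Map<String, String> parseSecretPayload(@NotNull String payload) throws DBException {
        Map<String, String> parsed;
        try {
            parsed = new Gson().fromJson(payload, SECRET_TYPE);
        } catch (JsonSyntaxException ignored) {
            // Not a JSON object. A single line is accepted as a bare password; anything with a
            // line break is almost certainly a malformed document, so fail loudly instead.
            if (payload.contains("\n")) {
                throw new DBException("The secret value must be in JSON or plaintext format.");
            }
            return Map.of("password", payload);
        }
        if (parsed == null) {
            // Gson returns null for an empty/whitespace document; the old code returned that null
            // through a @NotNull method and the caller then NPE'd on secret.get("password").
            throw new DBException("The secret value is empty.");
        }
        return parsed;
    }

    /**
     * Builds an RDS IAM authentication token: a SigV4 presigned {@code GET /?Action=connect}
     * request for {@code host:port}, returned as {@code host:port/?query&X-Amz-Signature=...}.
     * The token is valid for {@link #EXPIRY_SECONDS}.
     *
     * NOTE(review): no {@code X-Amz-Security-Token} is included, so this only produces a valid
     * token for long-term access keys; temporary (STS/SSO) credentials would need the session
     * token added to the query string and the canonical request. The secret key is handled as
     * a {@link String} and cannot be zeroed after use.
     *
     * @param region          AWS region of the database
     * @param host            database endpoint host name
     * @param port            database port
     * @param dbUser          IAM-mapped database user name
     * @param accessKeyId     AWS access key id (becomes part of the credential scope)
     * @param secretAccessKey AWS secret access key (seeds the signing key, never transmitted)
     * @return the signed token to be used as the database password
     * @throws DBCException if hashing or HMAC computation fails
     */
    public static String generateIamPassword(String region, String host, int port, String dbUser, String accessKeyId, String secretAccessKey) throws DBCException {
        Instant now = Instant.now();
        String amzDate = AMZ_DATE_FORMAT.format(now);
        String dateStamp = DATE_STAMP_FORMAT.format(now);
        List<String> parts = prepareStrings(dbUser, accessKeyId, dateStamp, amzDate, region, EXPIRY_SECONDS, host, Integer.toString(port));
        String unsignedToken = parts.get(0);
        String canonicalRequest = parts.get(1);
        String stringToSign = createStringToSign(amzDate, canonicalRequest, accessKeyId, dateStamp, region);
        byte[] signingKey = newSigningKey(secretAccessKey, dateStamp, region, SERVICE_NAME);
        return appendSignature(unsignedToken, BinaryUtils.toHex(calculateSignature(stringToSign, signingKey)));
    }

    /**
     * Builds the canonical query string and from it both the unsigned token prefix and the
     * SigV4 canonical request.
     *
     * Parameters are sorted by key (TreeMap), as SigV4 requires. NOTE(review): values are not
     * URI-encoded except for the hard-coded "%2F" in the credential scope, so a DBUser containing
     * reserved characters would produce a signature RDS rejects — confirm whether that case needs
     * to be supported before adding encoding here.
     *
     * @return two elements: [0] {@code host:port/?canonicalQuery}, [1] the canonical request text
     * @throws DBCException if hashing the (empty) payload fails
     */
    private static List<String> prepareStrings(String dbUser, String accessKeyId, String dateStamp, String amzDate, String region, String expiresSeconds, String host, String port) throws DBCException {
        TreeMap<String, String> params = new TreeMap<>();
        params.put("Action", "connect");
        params.put("DBUser", dbUser);
        params.put("X-Amz-Algorithm", ALGORITHM);
        params.put("X-Amz-Credential", accessKeyId + "%2F" + dateStamp + "%2F" + region + "%2Frds-db%2Faws4_request");
        params.put("X-Amz-Date", amzDate);
        params.put("X-Amz-Expires", expiresSeconds);
        params.put("X-Amz-SignedHeaders", "host");

        // Sorted key=value pairs joined by '&'. X-Amz-SignedHeaders sorts last, so the original's
        // "no '&' after SignedHeaders" rule is exactly "no trailing separator".
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> entry : params.entrySet()) {
            if (query.length() > 0) {
                query.append('&');
            }
            query.append(entry.getKey()).append('=').append(entry.getValue());
        }
        String canonicalQuery = query.toString();

        String hostHeader = "host:" + host + ":" + port + "\n";
        // Canonical request: method, path, query, canonical headers, blank line, signed headers, SHA-256 of the empty payload.
        String canonicalRequest = "GET\n/\n" + canonicalQuery + "\n" + hostHeader + "\nhost\n" + BinaryUtils.toHex(hash(""));
        return Arrays.asList(host + ":" + port + "/?" + canonicalQuery, canonicalRequest);
    }

    /**
     * SHA-256 of the UTF-8 encoding of {@code text}.
     *
     * @throws DBCException if the JCA provider cannot supply SHA-256 (not expected on any
     *                      conforming JVM)
     */
    private static byte[] hash(String text) throws DBCException {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            digest.update(text.getBytes(StandardCharsets.UTF_8));
            return digest.digest();
        } catch (Exception e) {
            throw new DBCException("Unable to compute hash while signing request: " + e.getMessage(), e);
        }
    }

    /**
     * Assembles the SigV4 string-to-sign: algorithm, timestamp, credential scope, hex(SHA-256(canonical request)).
     *
     * @param accessKeyId unused here (the scope carries date/region/service only); kept for call-site symmetry
     */
    private static String createStringToSign(String amzDate, String canonicalRequest, String accessKeyId, String dateStamp, String region) throws DBCException {
        String credentialScope = dateStamp + "/" + region + "/rds-db/aws4_request";
        return "AWS4-HMAC-SHA256\n" + amzDate + "\n" + credentialScope + "\n" + BinaryUtils.toHex(hash(canonicalRequest));
    }

    /** HMAC-SHA256 of the string-to-sign under the derived signing key. */
    private static byte[] calculateSignature(String stringToSign, byte[] signingKey) throws DBCException {
        return sign(stringToSign.getBytes(StandardCharsets.UTF_8), signingKey, SigningAlgorithm.HmacSHA256);
    }

    /**
     * Computes {@code HMAC(key, data)} with the given algorithm.
     *
     * @throws DBCException if the Mac cannot be initialised (e.g. empty key)
     */
    private static byte[] sign(byte[] data, byte[] key, SigningAlgorithm signingAlgorithm) throws DBCException {
        try {
            Mac mac = signingAlgorithm.getMac();
            mac.init(new SecretKeySpec(key, signingAlgorithm.toString()));
            return mac.doFinal(data);
        } catch (Exception e) {
            throw new DBCException("Unable to calculate a request signature: " + e.getMessage(), e);
        }
    }

    /** Convenience overload: HMAC over the UTF-8 bytes of {@code data}. */
    private static byte[] sign(String data, byte[] key, SigningAlgorithm signingAlgorithm) throws DBCException {
        return sign(data.getBytes(StandardCharsets.UTF_8), key, signingAlgorithm);
    }

    /**
     * Derives the SigV4 signing key:
     * {@code HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")}.
     * The raw secret key never leaves this derivation chain.
     */
    private static byte[] newSigningKey(String secretAccessKey, String dateStamp, String region, String service) throws DBCException {
        byte[] kSecret = ("AWS4" + secretAccessKey).getBytes(StandardCharsets.UTF_8);
        byte[] kDate = sign(dateStamp, kSecret, SigningAlgorithm.HmacSHA256);
        byte[] kRegion = sign(region, kDate, SigningAlgorithm.HmacSHA256);
        byte[] kService = sign(service, kRegion, SigningAlgorithm.HmacSHA256);
        return sign("aws4_request", kService, SigningAlgorithm.HmacSHA256);
    }

    /** Appends the hex signature as the final {@code X-Amz-Signature} query parameter. */
    private static String appendSignature(String unsignedToken, String hexSignature) {
        return unsignedToken + "&X-Amz-Signature=" + hexSignature;
    }

    /**
     * Repopulates {@code authModel} from the {@code AUTH_AWS_CREDENTIALS} object stored in the
     * session map, if present. Settings are reset first; the "session credentials" flag is
     * preserved across the reload. Gson is pointed at the existing instance through an
     * {@code InstanceCreator} so fields are written in place rather than into a new object.
     *
     * @param sessionData session attributes; nothing happens if the credentials entry is absent or empty
     * @param authModel   credentials object to overwrite
     */
    public static void updateCredentialsFromSessionData(@NotNull Map<String, Object> sessionData, @NotNull AuthModelAWSCredentials authModel) {
        Map<String, Object> stored = JSONUtils.getObjectOrNull(sessionData, AuthModelAWSConstants.AUTH_AWS_CREDENTIALS);
        if (CommonUtils.isEmpty(stored)) {
            return;
        }
        log.debug("Use AWS credentials from current session");
        boolean wasSessionCredentials = authModel.isSessionCredentials();
        authModel.resetSettings();
        Gson gson = new GsonBuilder()
            .registerTypeAdapter(AuthModelAWSCredentials.class, type -> authModel)
            .create();
        gson.fromJson(gson.toJsonTree(stored), AuthModelAWSCredentials.class);
        authModel.setSessionCredentials(wasSessionCredentials);
    }

    /**
     * Creates an STS client with adaptive retries and an Apache HTTP client capped at 500 connections.
     *
     * Fix: the previous revision passed a pre-built client via {@code httpClient(...)}; the SDK
     * does not close such a client when the service client is closed, so each call leaked a
     * connection pool. {@code httpClientBuilder(...)} hands lifecycle ownership to the STS client.
     * The caller is still responsible for closing the returned {@link StsClient}.
     */
    public static StsClient createStsClient(@NotNull AwsCredentialsProvider awsCredentialsProvider, @NotNull Region region) {
        return StsClient.builder()
            .region(region)
            .httpClientBuilder(ApacheHttpClient.builder().maxConnections(500))
            .overrideConfiguration(ClientOverrideConfiguration.builder().retryPolicy(RetryMode.ADAPTIVE).build())
            .credentialsProvider(awsCredentialsProvider)
            .build();
    }

    /**
     * Runs {@code invoker}; if it fails with an expired-token error, refreshes the AWS session
     * once and retries. Any other exception, and a failure of the retry, propagate unchanged.
     *
     * @throws DBException from the invoker or from the session refresh
     */
    public static <T> T tryExecuteRecover(DBRProgressMonitor monitor, AuthModelAWSCredentials authModel, DBRInvoker<T> invoker) throws DBException {
        try {
            return invoker.invoke();
        } catch (Exception e) {
            if (!isTokenExpiredError(e)) {
                throw e;
            }
            // Single retry only: a second expiry after a fresh session is a real error.
            authModel.refreshSession(monitor, null);
            return invoker.invoke();
        }
    }

    /**
     * Heuristically decides whether {@code exc} signals an expired AWS token: either the SSO
     * {@link ExpiredTokenException} type or one of the known message fragments.
     *
     * @param exc exception to classify; a null message is treated as empty
     */
    public static boolean isTokenExpiredError(Exception exc) {
        if (exc instanceof ExpiredTokenException) {
            return true;
        }
        // Locale.ROOT: the match must not depend on the JVM default locale (a Turkish locale
        // lower-cases 'I' to dotless 'ı' and would no longer match "is expired").
        String message = CommonUtils.notEmpty(exc.getMessage()).toLowerCase(Locale.ROOT);
        return message.contains("token is expired")
            || message.contains("token has expired")
            || message.contains("token included in the request is expired");
    }

    /**
     * Returns the ARN partition id (e.g. "aws", "aws-cn", "aws-us-gov") for a region id.
     *
     * @param regionId AWS region id such as "us-east-1"
     */
    @NotNull
    public static String getArnPartition(@NotNull String regionId) {
        return PartitionMetadata.of(Region.of(regionId)).id();
    }
}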
