package com.dbeaver.net.auth.aws;

import com.dbeaver.model.auth.SMAuthUtils;
import com.dbeaver.model.auth.SMSessionAuthCredentials;
import com.dbeaver.model.ui.UIServiceSSO;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.jkiss.code.NotNull;
import org.jkiss.code.Nullable;
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.Log;
import org.jkiss.dbeaver.model.DBPDataSourceContainer;
import org.jkiss.dbeaver.model.auth.AuthProperty;
import org.jkiss.dbeaver.model.connection.DBPAuthInfo;
import org.jkiss.dbeaver.model.connection.DBPConnectionConfiguration;
import org.jkiss.dbeaver.model.exec.DBCException;
import org.jkiss.dbeaver.model.impl.auth.AuthModelDatabaseNativeCredentials;
import org.jkiss.dbeaver.model.meta.Property;
import org.jkiss.dbeaver.model.meta.SecureProperty;
import org.jkiss.dbeaver.model.runtime.DBRProgressMonitor;
import org.jkiss.dbeaver.runtime.DBWorkbench;
import org.jkiss.dbeaver.utils.RuntimeUtils;
import org.jkiss.utils.CommonUtils;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;

/* loaded from: input_file:com/dbeaver/net/auth/aws/AuthModelAWSCredentials.class */
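/**
 * AWS credentials used to authenticate database connections.
 * <p>
 * The base credentials are resolved, in order of precedence, from: an externally injected
 * {@link AwsCredentialsProvider}; a named profile in the local AWS config/credentials files;
 * the SDK default provider chain; or a static access key / secret key (/ session token)
 * that may come from the shared SM session, the connection configuration, or an interactive
 * prompt. The resolved provider is cached in {@link #awsCredentialsProvider} and dropped
 * whenever the key material is changed through a setter.
 * <p>
 * Optionally the base credentials are exchanged through STS for an assumed role (same
 * account or cross-account, with an optional external ID as a confused-deputy guard), and
 * SSO sessions can be established by driving the locally installed AWS CLI
 * ({@code aws sso login} / {@code aws sso logout}).
 */
public class AuthModelAWSCredentials extends AuthModelDatabaseNativeCredentials implements SMSessionAuthCredentials {
    public static final String AWS_AUTH_CONTEXT_TYPE = "aws";
    /** Session name reported to STS for every role we assume; this is what appears in CloudTrail. */
    private static final String ROLE_SESSION_NAME = "dbeaver";
    /** Display name passed to the SM session credential lookup. */
    private static final String AWS_AUTH_DISPLAY_NAME = "AWS";
    /** How often the AWS CLI child process is polled for exit and for cancellation. */
    private static final long CLI_POLL_INTERVAL_MS = 50L;
    /** Number of leading CLI output lines that carry the SSO verification URL and user code. */
    private static final long CLI_LOGIN_HEADER_LINES = 8L;
    private static final Log log = Log.getLog(AuthModelAWSCredentials.class);
    /**
     * Matches the banner printed by {@code aws sso login}: group 1 is the verification URL,
     * group 2 the user code. UNIX_LINES ties {@code ^}/{@code $} to '\n' only, which is the
     * separator used when the captured lines are joined.
     */
    private static final Pattern AWS_CLI_LOGIN_OUTPUT = Pattern.compile(
        "Attempting to automatically open the SSO authorization page in your default browser.\n"
            + "If the browser does not open or you wish to use a different device to authorize this request, open the following URL:\n\n"
            + "^(.*?)$\n\nThen enter the code:\n\n^(.*?)$",
        Pattern.MULTILINE | Pattern.UNIX_LINES);

    private String region;
    private String profileName;
    private String pluginName;
    private boolean defaultAwsCredentials;
    private boolean sessionCredentials;

    @SecureProperty
    private String awsAccessKey;

    @SecureProperty
    private String awsSecretKey;

    @SecureProperty
    private String awsSessionToken;

    /** Lazily resolved provider; never persisted. Set to null whenever the key material changes. */
    private transient AwsCredentialsProvider awsCredentialsProvider;
    private String secretName;
    private boolean ssoOverCli;
    private boolean crossAccountAccess;
    private String awsAssumeAccountId;
    private String awsAssumeRoleName;
    private String awsExternalId;
    private transient Map<String, ?> attributes;

    /** Sub-commands of {@code aws sso} that this model drives. */
    private enum CliCommand {
        LOGIN("login"),
        LOGOUT("logout");

        private final String name;

        CliCommand(@NotNull String name) {
            this.name = name;
        }
    }

    public AuthModelAWSCredentials() {
        this.attributes = Collections.emptyMap();
    }

    /**
     * Copy constructor. Copies every setting including secrets and the cached provider
     * (shared by reference); attributes are copied into a fresh map.
     */
    public AuthModelAWSCredentials(AuthModelAWSCredentials source) {
        this.region = source.region;
        this.profileName = source.profileName;
        this.pluginName = source.pluginName;
        this.sessionCredentials = source.sessionCredentials;
        this.defaultAwsCredentials = source.defaultAwsCredentials;
        this.awsAccessKey = source.awsAccessKey;
        this.awsSecretKey = source.awsSecretKey;
        this.awsSessionToken = source.awsSessionToken;
        this.ssoOverCli = source.ssoOverCli;
        this.crossAccountAccess = source.crossAccountAccess;
        this.awsAssumeAccountId = source.awsAssumeAccountId;
        this.awsAssumeRoleName = source.awsAssumeRoleName;
        this.awsExternalId = source.awsExternalId;
        this.secretName = source.secretName;
        this.attributes = new LinkedHashMap<>(source.attributes);
        this.awsCredentialsProvider = source.awsCredentialsProvider;
    }

    /** The native password is not shown for this model; the secret key takes its place in the UI. */
    @Property(hidden = true)
    public String getUserPassword() {
        return super.getUserPassword();
    }

    @AuthProperty(authContextType = AWS_AUTH_CONTEXT_TYPE)
    @Property(hidden = true)
    public String getProfileName() {
        return this.profileName;
    }

    /**
     * NOTE(review): changing the profile does not drop a previously cached
     * {@link #awsCredentialsProvider}; the old provider keeps being returned by
     * {@link #resolveCredentialsProvider} until a key setter or {@link #resetSettings()} clears it.
     */
    public void setProfileName(String profileName) {
        this.profileName = profileName;
    }

    @AuthProperty(authContextType = AWS_AUTH_CONTEXT_TYPE)
    @Property(hidden = true)
    public String getPluginName() {
        return this.pluginName;
    }

    public void setPluginName(String pluginName) {
        this.pluginName = pluginName;
    }

    @Property(order = 2, nonSecuredProperty = true, required = true)
    public String getRegion() {
        return this.region;
    }

    public void setRegion(String region) {
        this.region = region;
    }

    @AuthProperty(authContextType = AWS_AUTH_CONTEXT_TYPE)
    @Property(nonSecuredProperty = true)
    public boolean isDefaultAwsCredentials() {
        return this.defaultAwsCredentials;
    }

    public void setDefaultAwsCredentials(boolean defaultAwsCredentials) {
        this.defaultAwsCredentials = defaultAwsCredentials;
    }

    @Property(nonSecuredProperty = true)
    public boolean isSessionCredentials() {
        return this.sessionCredentials;
    }

    public void setSessionCredentials(boolean sessionCredentials) {
        this.sessionCredentials = sessionCredentials;
    }

    @AuthProperty(authContextType = AWS_AUTH_CONTEXT_TYPE)
    @Property(order = 3)
    public String getAwsAccessKey() {
        return this.awsAccessKey;
    }

    /** Replaces the access key and invalidates the cached provider. */
    public void setAwsAccessKey(String awsAccessKey) {
        this.awsAccessKey = awsAccessKey;
        this.awsCredentialsProvider = null;
    }

    @AuthProperty(authContextType = AWS_AUTH_CONTEXT_TYPE)
    @Property(order = 4, password = true, keyName = AuthModelAWSConstants.AWS_SECRET_KEY)
    public String getAwsSecretKey() {
        return this.awsSecretKey;
    }

    /** Replaces the secret key and invalidates the cached provider. */
    public void setAwsSecretKey(String awsSecretKey) {
        this.awsSecretKey = awsSecretKey;
        this.awsCredentialsProvider = null;
    }

    @AuthProperty(authContextType = AWS_AUTH_CONTEXT_TYPE)
    @Property(order = 5, password = true, keyName = AuthModelAWSConstants.AWS_SESSION_TOKEN)
    public String getAwsSessionToken() {
        return this.awsSessionToken;
    }

    /** Replaces the session token and invalidates the cached provider. */
    public void setAwsSessionToken(String awsSessionToken) {
        this.awsSessionToken = awsSessionToken;
        this.awsCredentialsProvider = null;
    }

    public AwsCredentialsProvider getAwsCredentialsProvider() {
        return this.awsCredentialsProvider;
    }

    /**
     * Injects a ready-made provider. The static key material is cleared so the injected
     * provider is the only source of credentials and no stale secret lingers in this object.
     */
    public void setAwsCredentialsProvider(AwsCredentialsProvider awsCredentialsProvider) {
        this.awsCredentialsProvider = awsCredentialsProvider;
        this.awsAccessKey = null;
        this.awsSecretKey = null;
        this.awsSessionToken = null;
    }

    public boolean isSsoOverCli() {
        return this.ssoOverCli;
    }

    public void setSsoOverCli(boolean ssoOverCli) {
        this.ssoOverCli = ssoOverCli;
    }

    @Property(order = 2147483646, nonSecuredProperty = true)
    public boolean isCrossAccountAccess() {
        return this.crossAccountAccess;
    }

    public void setCrossAccountAccess(boolean crossAccountAccess) {
        this.crossAccountAccess = crossAccountAccess;
    }

    @Property(order = 6, nonSecuredProperty = true)
    public String getAwsAssumeAccountId() {
        return this.awsAssumeAccountId;
    }

    void setAwsAssumeAccountId(String awsAssumeAccountId) {
        this.awsAssumeAccountId = awsAssumeAccountId;
    }

    @Property(order = 7, nonSecuredProperty = true)
    public String getAwsAssumeRoleName() {
        return this.awsAssumeRoleName;
    }

    public void setAwsAssumeRoleName(String awsAssumeRoleName) {
        this.awsAssumeRoleName = awsAssumeRoleName;
    }

    @Property(order = 8, nonSecuredProperty = true)
    public String getAwsExternalId() {
        return this.awsExternalId;
    }

    public void setAwsExternalId(String awsExternalId) {
        this.awsExternalId = awsExternalId;
    }

    @Property(order = 9, nonSecuredProperty = true)
    public String getSecretName() {
        return this.secretName;
    }

    public void setSecretName(String secretName) {
        this.secretName = secretName;
    }

    /** Resolves the provider for {@link #getRegion()} without a connection configuration. */
    public AwsCredentialsProvider getAuthCredentialsProvider(@NotNull DBRProgressMonitor monitor) throws DBException {
        return getAuthCredentialsProvider(monitor, null);
    }

    /** Resolves the provider for {@link #getRegion()}, falling back to the connection's user/password for key material. */
    public AwsCredentialsProvider getAuthCredentialsProvider(@NotNull DBRProgressMonitor monitor, @Nullable DBPConnectionConfiguration connectionConfig) throws DBException {
        return getAuthCredentialsProvider(monitor, connectionConfig, this.region);
    }

    /**
     * Resolves the base credentials, performs an SSO login through the AWS CLI when they are
     * not usable and {@link #isSsoOverCli()} is set, then applies role assumption if configured.
     *
     * @param monitor          progress monitor, also consulted for cancellation
     * @param connectionConfig optional connection whose user name / password stand in for a missing key pair
     * @param region           region used for the STS endpoint; required when a role is assumed
     * @throws DBException when credentials cannot be obtained or role assumption is misconfigured
     */
    public AwsCredentialsProvider getAuthCredentialsProvider(@NotNull DBRProgressMonitor monitor, @Nullable DBPConnectionConfiguration connectionConfig, @Nullable String region) throws DBException {
        AwsCredentialsProvider baseProvider = resolveCredentialsProvider(monitor, connectionConfig);
        if (this.ssoOverCli) {
            try {
                baseProvider.resolveCredentials();
            } catch (Exception e) {
                // Any resolution failure (expired or missing SSO token, but also a bad profile) triggers a
                // fresh CLI login; the provider is not re-checked here, so a persistent failure surfaces on first use.
                log.debug("AWS credentials are not available, performing SSO login: " + e.getMessage());
                loginSSO(monitor);
            }
        }
        return assumeAccountRole(monitor, baseProvider, region, null);
    }

    /**
     * Wraps {@code baseProvider} in an STS assume-role provider when a role name is configured.
     *
     * @param monitor          progress monitor
     * @param baseProvider     credentials used to call STS
     * @param region           region for the STS endpoint and ARN partition; mandatory when a role is configured
     * @param webIdentityToken when non-null, AssumeRoleWithWebIdentity is used instead of AssumeRole
     *                         (the external ID is not applicable to that API and is ignored)
     * @return {@code baseProvider} unchanged when no role is configured, otherwise the assume-role provider
     * @throws DBException when cross-account access is enabled without account ID or role name,
     *                     or a role is configured without a region
     */
    public AwsCredentialsProvider assumeAccountRole(@NotNull DBRProgressMonitor monitor, @NotNull AwsCredentialsProvider baseProvider, @Nullable String region, @Nullable String webIdentityToken) throws DBException {
        if (this.crossAccountAccess) {
            if (CommonUtils.isEmpty(this.awsAssumeAccountId)) {
                throw new DBCException("AWS account ID must be specified for 3rd party account access");
            }
            if (CommonUtils.isEmpty(this.awsAssumeRoleName)) {
                throw new DBCException("AWS IAM role name must be specified when 3rd party IAM account is specified");
            }
        }
        if (CommonUtils.isEmpty(this.awsAssumeRoleName)) {
            return baseProvider;
        }
        if (CommonUtils.isEmpty(region)) {
            throw new DBCException("AWS region must be specified when assume role name is specified");
        }
        monitor.subTask("Assume AWS role");
        // NOTE(review): the STS client is closed on exit of this block while the returned provider keeps
        // a reference to it for credential refreshes; this only works if close() is harmless for the
        // HTTP client that AWSIAMUtils.createStsClient configures - confirm there.
        try (StsClient stsClient = AWSIAMUtils.createStsClient(baseProvider, Region.of(region))) {
            String roleArn = resolveRoleArn(stsClient, region);
            if (webIdentityToken != null) {
                AssumeRoleWithWebIdentityRequest request = AssumeRoleWithWebIdentityRequest.builder()
                    .roleArn(roleArn)
                    .webIdentityToken(webIdentityToken)
                    .roleSessionName(ROLE_SESSION_NAME)
                    .build();
                return StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                    .stsClient(stsClient)
                    .refreshRequest(request)
                    .build();
            }
            AssumeRoleRequest.Builder request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(ROLE_SESSION_NAME);
            if (!CommonUtils.isEmpty(this.awsExternalId)) {
                // External ID is the confused-deputy guard for cross-account trust policies.
                request.externalId(this.awsExternalId);
            }
            return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(stsClient)
                .refreshRequest(request.build())
                .build();
        }
    }

    /**
     * Turns the configured role name into a full role ARN. A name that already starts with the
     * partition's IAM ARN prefix is used verbatim; otherwise the account is the configured
     * cross-account ID or, failing that, the caller identity of {@code stsClient}.
     */
    @NotNull
    private String resolveRoleArn(@NotNull StsClient stsClient, @NotNull String region) {
        String arnPrefix = getRoleArnPrefix(region);
        if (this.awsAssumeRoleName.startsWith(arnPrefix)) {
            return this.awsAssumeRoleName;
        }
        String accountId = this.crossAccountAccess ? this.awsAssumeAccountId : null;
        if (accountId == null) {
            accountId = stsClient.getCallerIdentity().account();
        }
        return arnPrefix + accountId + ":role/" + this.awsAssumeRoleName;
    }

    /** IAM ARN prefix ({@code arn:<partition>:iam::}) for the partition that {@code region} belongs to. */
    @NotNull
    private String getRoleArnPrefix(@NotNull String region) {
        return "arn:" + AWSIAMUtils.getArnPartition(region) + ":iam::";
    }

    /**
     * Returns the cached provider or builds one: profile, default chain, or static keys
     * (see {@link #createStaticCredentialsProvider}). The result is cached.
     */
    private AwsCredentialsProvider resolveCredentialsProvider(@NotNull DBRProgressMonitor monitor, @Nullable DBPConnectionConfiguration connectionConfig) throws DBException {
        if (this.awsCredentialsProvider != null) {
            return this.awsCredentialsProvider;
        }
        AwsCredentialsProvider provider;
        if (!CommonUtils.isEmpty(this.profileName)) {
            monitor.subTask("Read AWS profiles");
            provider = ProfileCredentialsProvider.builder().profileName(this.profileName).build();
        } else if (this.defaultAwsCredentials) {
            // Walk the full default chain on every resolve instead of pinning the first provider that succeeded.
            provider = DefaultCredentialsProvider.builder().reuseLastProviderEnabled(false).build();
        } else {
            provider = createStaticCredentialsProvider(monitor, connectionConfig);
        }
        this.awsCredentialsProvider = provider;
        return provider;
    }

    /**
     * Builds a static provider from access key / secret key (/ session token). Missing keys are
     * taken from the SM session (when session credentials are enabled), then from the
     * connection configuration, and finally requested interactively.
     *
     * @throws DBCException when no complete key pair can be obtained
     */
    private AwsCredentialsProvider createStaticCredentialsProvider(@NotNull DBRProgressMonitor monitor, @Nullable DBPConnectionConfiguration connectionConfig) throws DBException {
        if (this.sessionCredentials && CommonUtils.isEmpty(this.awsAccessKey)
            && !SMAuthUtils.updateSessionCredentialsFromSession(monitor, AWS_AUTH_CONTEXT_TYPE, AWS_AUTH_DISPLAY_NAME, this)) {
            throw new DBCException("AWS session credentials are missing");
        }
        String accessKey = this.awsAccessKey;
        String secretKey = this.awsSecretKey;
        String sessionToken = this.awsSessionToken;
        if (connectionConfig != null) {
            // The native user/password fields double as access key / secret key.
            if (CommonUtils.isEmpty(accessKey)) {
                accessKey = connectionConfig.getUserName();
            }
            if (CommonUtils.isEmpty(secretKey)) {
                secretKey = connectionConfig.getUserPassword();
            }
        }
        if (CommonUtils.isEmpty(accessKey) || CommonUtils.isEmpty(secretKey)) {
            monitor.subTask("Acquire secret credentials in interactive mode");
            DBPAuthInfo authInfo;
            try {
                authInfo = DBWorkbench.getPlatformUI().promptUserCredentials(
                    "Enter access key and secret key", (String) null, "Access Key", accessKey, "Secret Key", secretKey, false, false);
            } catch (Exception e) {
                log.error(e);
                authInfo = null;
            }
            if (authInfo != null) {
                accessKey = authInfo.getUserName();
                secretKey = authInfo.getUserPassword();
            }
            if (CommonUtils.isEmpty(accessKey) || CommonUtils.isEmpty(secretKey)) {
                throw new DBCException("AWS access key and secret key must be specified");
            }
        }
        return StaticCredentialsProvider.create(CommonUtils.isEmpty(sessionToken)
            ? AwsBasicCredentials.create(accessKey, secretKey)
            : AwsSessionCredentials.create(accessKey, secretKey, sessionToken));
    }

    /** Runs {@code aws sso login} for the configured profile. */
    private void loginSSO(@NotNull DBRProgressMonitor monitor) throws DBCException {
        monitor.subTask("Perform SSO login using AWS CLI");
        executeCLI(monitor, CliCommand.LOGIN);
        monitor.subTask("SSO login finished");
    }

    /** Runs {@code aws sso logout} for the configured profile. */
    private void logoutSSO(@NotNull DBRProgressMonitor monitor) throws DBCException {
        monitor.subTask("Perform SSO logout using AWS CLI");
        executeCLI(monitor, CliCommand.LOGOUT);
        monitor.subTask("SSO logout finished");
    }

    /**
     * Runs the CLI command and guarantees the SSO popup future is completed afterwards so the
     * UI dismisses the verification dialog whatever the outcome.
     */
    private void executeCLI(@NotNull DBRProgressMonitor monitor, @NotNull CliCommand command) throws DBCException {
        CompletableFuture<Void> popupFuture = new CompletableFuture<>();
        try {
            executeCLI(monitor, command, popupFuture);
        } catch (IOException e) {
            throw new DBCException("Unexpected error while running AWS CLI", e);
        } finally {
            popupFuture.complete(null);
        }
    }

    /**
     * Spawns the AWS CLI, shows the SSO verification popup (login only), waits for the process
     * while honouring cancellation, and maps a non-zero exit status to a {@link DBCException}.
     * stderr is drained on a background thread so a verbose CLI cannot block on a full pipe.
     *
     * @param popupFuture cancelled by the UI when the user closes the SSO popup
     * @throws DBCException when the CLI cannot be started, is cancelled, or exits non-zero
     */
    private void executeCLI(@NotNull DBRProgressMonitor monitor, @NotNull CliCommand command, @NotNull CompletableFuture<Void> popupFuture) throws DBCException, IOException {
        List<String> cliArgs = buildCliArgs(command);
        log.debug("Perform " + command + " using AWS CLI - " + cliArgs);
        Process process;
        try {
            // Argument list form: no shell is involved, so the executable path and profile name are never re-parsed.
            process = new ProcessBuilder(cliArgs).start();
        } catch (Exception e) {
            throw new DBCException("Can't start AWS CLI. Is it installed on the local machine?", e);
        }
        UIServiceSSO ssoService = DBWorkbench.getService(UIServiceSSO.class);
        if (ssoService != null && command == CliCommand.LOGIN) {
            showLoginPopup(process, ssoService, popupFuture);
        }
        CompletableFuture<String> stderrFuture = CompletableFuture.supplyAsync(
            () -> readFully(process.errorReader()),
            task -> {
                Thread thread = new Thread(task, "aws-cli-stderr");
                thread.setDaemon(true);
                thread.start();
            });
        try {
            while (!process.waitFor(CLI_POLL_INTERVAL_MS, TimeUnit.MILLISECONDS)) {
                if (monitor.isCanceled() || popupFuture.isCancelled()) {
                    process.destroy();
                    throw new DBCException("AWS SSO initialization has been canceled");
                }
            }
        } catch (InterruptedException e) {
            process.destroy();
            Thread.currentThread().interrupt();
            throw new DBCException("AWS SSO initialization has been interrupted", e);
        }
        int exitCode = process.exitValue();
        if (exitCode == 0) {
            return;
        }
        String stdout = readFully(process.inputReader());
        if (!stdout.isEmpty()) {
            log.debug("AWS SSO login info message:\n" + stdout);
        }
        String stderr = stderrFuture.join();
        if (!stderr.isEmpty()) {
            throw new DBCException("AWS SSO login failed: " + stderr);
        }
        throw new DBCException("AWS SSO login failed with status code " + exitCode);
    }

    /**
     * Reads the first lines of the CLI's stdout and, when they match the login banner, shows
     * the verification URL and code in the SSO popup. Failures are logged, not propagated:
     * the CLI may still complete the login through the browser it opens itself.
     */
    private static void showLoginPopup(@NotNull Process process, @NotNull UIServiceSSO ssoService, @NotNull CompletableFuture<Void> popupFuture) {
        try {
            // Process.inputReader() returns the same reader on every call, so the remaining output stays readable.
            String banner = process.inputReader().lines().limit(CLI_LOGIN_HEADER_LINES).collect(Collectors.joining("\n"));
            Matcher matcher = AWS_CLI_LOGIN_OUTPUT.matcher(banner);
            if (matcher.find()) {
                // The URL comes from the local CLI's own output; URI.create rejects malformed text and lands in the catch below.
                ssoService.showSingleSignOnPopup(URI.create(matcher.group(1)), matcher.group(2), popupFuture);
            }
        } catch (Exception e) {
            log.error("Unable to retrieve SSO information from the CLI", e);
        }
    }

    /** Reads a stream to EOF and closes it; an I/O failure yields an empty string and a debug log entry. */
    @NotNull
    private static String readFully(@NotNull BufferedReader reader) {
        try (reader) {
            return reader.lines().collect(Collectors.joining(System.lineSeparator()));
        } catch (IOException | UncheckedIOException e) {
            log.debug("Unable to read AWS CLI output: " + e.getMessage());
            return "";
        }
    }

    /**
     * Builds {@code <aws> sso <command> [--profile <name>]}. The executable comes from the
     * user preferences, so whoever can edit those preferences decides which binary is run.
     */
    @NotNull
    private List<String> buildCliArgs(@NotNull CliCommand command) {
        List<String> args = new ArrayList<>();
        args.add(getAwsCliExecutablePath());
        args.add("sso");
        args.add(command.name);
        if (!CommonUtils.isEmpty(this.profileName)) {
            args.add("--profile");
            args.add(this.profileName);
        }
        return args;
    }

    /**
     * Refreshes credentials for a long-lived session: re-reads session credentials from the SM
     * session, or re-runs the CLI SSO login when it is enabled or a profile's SSO token has expired.
     *
     * @return {@code true} when a refresh was performed
     * @throws DBException when a profile fails to resolve for a reason other than an expired token
     */
    public boolean refreshSession(DBRProgressMonitor monitor, DBPDataSourceContainer dataSource) throws DBException {
        if (this.sessionCredentials) {
            SMAuthUtils.updateSessionCredentialsFromSession(monitor, AWS_AUTH_CONTEXT_TYPE, AWS_AUTH_DISPLAY_NAME, this);
            return true;
        }
        boolean needSsoLogin = this.ssoOverCli;
        if (!needSsoLogin && this.awsCredentialsProvider instanceof ProfileCredentialsProvider) {
            try {
                this.awsCredentialsProvider.resolveCredentials();
            } catch (Exception e) {
                if (!AWSIAMUtils.isTokenExpiredError(e)) {
                    throw e;
                }
                needSsoLogin = true;
            }
        }
        if (!needSsoLogin) {
            return false;
        }
        // Drop the provider so the next resolve picks up the token written by the CLI login.
        this.awsCredentialsProvider = null;
        loginSSO(monitor);
        return true;
    }

    /**
     * Logs out of the CLI SSO session when SSO-over-CLI is enabled.
     *
     * @return {@code true} when a logout was performed
     */
    public boolean closeSession(DBRProgressMonitor monitor) throws DBCException {
        if (!this.ssoOverCli) {
            return false;
        }
        logoutSSO(monitor);
        return true;
    }

    /** AWS CLI executable from preferences, defaulting to {@code aws} resolved through PATH. */
    @NotNull
    public static String getAwsCliExecutablePath() {
        String configured = AuthModelAWSPreferences.getPreferences().getString(AuthModelAWSPreferences.AWS_CLI_EXECUTABLE);
        return CommonUtils.isEmpty(configured) ? "aws" : configured;
    }

    public Map<String, ?> getAttributes() {
        return this.attributes;
    }

    /** Stores the given map by reference; {@code null} is tolerated by {@link #getAttribute}. */
    public void setAttributes(Map<String, ?> attributes) {
        this.attributes = attributes;
    }

    public Object getAttribute(String name) {
        return this.attributes == null ? null : this.attributes.get(name);
    }

    /**
     * Clears the credential source settings and secrets, including the cached provider so
     * stale credentials cannot be reused after a reset. Region and the role-assumption
     * settings (cross-account flag, external ID, SSO-over-CLI flag) are left untouched.
     */
    void resetSettings() {
        this.sessionCredentials = false;
        this.defaultAwsCredentials = false;
        this.profileName = null;
        this.awsAccessKey = null;
        this.awsSecretKey = null;
        this.awsSessionToken = null;
        this.secretName = null;
        this.pluginName = null;
        this.awsAssumeAccountId = null;
        this.awsAssumeRoleName = null;
        this.awsCredentialsProvider = null;
    }
}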
