package in.neuw.aws.rolesanywhere.utils;

import com.fasterxml.jackson.databind.ObjectMapper;
import in.neuw.aws.rolesanywhere.credentials.models.AwsRolesAnyWhereRequesterDetails;
import in.neuw.aws.rolesanywhere.credentials.models.AwsRolesAnywhereSessionsRequest;
import in.neuw.aws.rolesanywhere.credentials.models.AwsRolesAnywhereSessionsResponse;
import in.neuw.aws.rolesanywhere.credentials.models.X509CertificateChain;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.text.SimpleDateFormat;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;
import java.util.TreeMap;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.http.entity.ContentType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.http.HttpExecuteRequest;
import software.amazon.awssdk.http.HttpExecuteResponse;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.regions.ServiceEndpointKey;
import software.amazon.awssdk.regions.servicemetadata.RolesanywhereServiceMetadata;
import software.amazon.awssdk.utils.BinaryUtils;
import software.amazon.awssdk.utils.IoUtils;

/* loaded from: input_file:in/neuw/aws/rolesanywhere/utils/AwsX509SigningHelper.class */
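/**
 * Builds and signs requests to the AWS IAM Roles Anywhere {@code /sessions} endpoint using an
 * X.509 certificate (optionally together with an intermediate CA certificate) and its private key.
 *
 * <p>The scheme mirrors SigV4: a canonical request is hashed into a string-to-sign, the
 * string-to-sign is signed with the private key, and the signature travels in the
 * {@code Authorization} header next to the credential scope and the list of signed headers.
 * Everything that feeds the signature — the {@code X-Amz-Date} header, the credential-scope date
 * and the serialised request body — must come from the same instant and the same bytes that are
 * actually sent, so {@link #getIamRolesAnywhereSessions} samples the clock once and serialises the
 * body once and threads both values through every step.
 *
 * <p>All methods are static and the only shared state is immutable, so the class is safe to use
 * from several threads at once.
 */
public class AwsX509SigningHelper {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AwsX509SigningHelper.class);
    // Timestamps in the signature are always UTC. DateTimeFormatter is immutable and thread-safe,
    // unlike the SimpleDateFormat instances previously shared by every caller of this class.
    private static final DateTimeFormatter DATE_TIME_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneOffset.UTC);
    private static final DateTimeFormatter DATE_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd").withZone(ZoneOffset.UTC);
    private static final String LINE_SEPARATOR = "\n";
    private static final String SEMI_COLON = ";";
    private static final String CONTENT_TYPE_HEADER = "Content-Type";
    private static final String HOST_HEADER = "Host";
    private static final String X_AMZ_DATE_HEADER = "X-Amz-Date";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String X_AMZ_X509 = "X-Amz-X509";
    public static final String X_AMZ_X509_CHAIN = "X-Amz-X509-Chain";
    private static final String SHA_256 = "SHA-256";
    public static final String SESSIONS_URI = "/sessions";
    public static final String ROLES_ANYWHERE_SERVICE = "rolesanywhere";
    public static final String AWS4_X509_PREFIX = "AWS4-X509-";
    public static final String AWS4_X509_SUFFIX = "-SHA256";
    public static final String CREDENTIAL_PREFIX = "Credential=";
    public static final String CREDENTIALS_DE_LIMITER = ", ";
    public static final String SIGNED_HEADERS_PREFIX = "SignedHeaders=";
    public static final String SIGNATURE_PREFIX = "Signature=";
    public static final String EMPTY_STRING = "";

    /**
     * Formats the current instant as an {@code X-Amz-Date} value ({@code yyyyMMdd'T'HHmmss'Z'}, UTC).
     *
     * @return the formatted timestamp
     */
    public static String getDateAndTime() {
        return getDateAndTime(new Date());
    }

    /**
     * Formats {@code date} as an {@code X-Amz-Date} value ({@code yyyyMMdd'T'HHmmss'Z'}, UTC).
     *
     * @param date the instant to format
     * @return the formatted timestamp
     */
    public static String getDateAndTime(Date date) {
        return DATE_TIME_FORMAT.format(date.toInstant());
    }

    /**
     * Formats the current instant as a credential-scope date ({@code yyyyMMdd}, UTC).
     *
     * @return the formatted date
     */
    public static String getDate() {
        return getDate(new Date());
    }

    /**
     * Formats {@code date} as a credential-scope date ({@code yyyyMMdd}, UTC).
     *
     * @param date the instant to format
     * @return the formatted date
     */
    public static String getDate(Date date) {
        return DATE_FORMAT.format(date.toInstant());
    }

    /**
     * Computes the SHA-256 digest of the UTF-8 encoding of {@code str}.
     *
     * @param str the text to hash
     * @return the raw digest bytes
     * @throws NoSuchAlgorithmException if the JVM has no SHA-256 provider
     */
    public static byte[] hash(String str) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(SHA_256).digest(str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns the semicolon-separated list of headers covered by the signature when only a leaf
     * certificate is sent.
     *
     * @return {@code "Content-Type;Host;X-Amz-Date;X-Amz-X509"}
     */
    public static String signedHeaders() {
        return String.join(SEMI_COLON, CONTENT_TYPE_HEADER, HOST_HEADER, X_AMZ_DATE_HEADER, X_AMZ_X509);
    }

    /**
     * Returns the signed-header list used when an intermediate CA certificate is sent as well.
     *
     * @return {@link #signedHeaders()} followed by {@code ";X-Amz-X509-Chain"}
     */
    public static String signedHeadersWithChain() {
        return signedHeaders() + SEMI_COLON + X_AMZ_X509_CHAIN;
    }

    /**
     * Builds the canonical request: method, URI, (empty) query string, canonical headers, the
     * lower-cased signed-header list and the hex SHA-256 of the body, each on its own line.
     *
     * @param date             the signing instant; must be the same instant used for the
     *                         {@code X-Amz-Date} header and the credential scope
     * @param host             the Roles Anywhere host name
     * @param httpMethod       the HTTP method name (e.g. {@code POST})
     * @param uri              the request path
     * @param requestBody      the serialised body exactly as it will be sent
     * @param certificateChain the leaf certificate and optional intermediate CA certificate
     * @return the canonical request string
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     * @throws CertificateException     if a certificate cannot be encoded
     * @throws NoSuchProviderException  if a required security provider is missing
     */
    public static String canonicalRequest(Date date, String host, String httpMethod, String uri, String requestBody, X509CertificateChain certificateChain) throws NoSuchAlgorithmException, CertificateException, NoSuchProviderException {
        String amzDate = getDateAndTime(date);
        String contentType = ContentType.APPLICATION_JSON.getMimeType();
        String canonicalHeaders;
        String signedHeaderList;
        if (certificateChain.getIntermediateCACertificate() == null) {
            // NOTE(review): the header actually sent is built from convertToBase64PEMString(leaf);
            // getBase64EncodedCertificate() must produce the identical string or the signature
            // will not verify — confirm against X509CertificateChain.
            canonicalHeaders = buildCanonicalHeaders(host, contentType, amzDate, certificateChain.getBase64EncodedCertificate());
            signedHeaderList = signedHeaders();
        } else {
            canonicalHeaders = buildCanonicalHeaders(host, contentType, amzDate,
                    CertAndKeyParserAndLoader.convertToBase64PEMString(certificateChain.getLeafCertificate()),
                    CertAndKeyParserAndLoader.convertToBase64PEMString(certificateChain.getIntermediateCACertificate()));
            signedHeaderList = signedHeadersWithChain();
        }
        log.debug("canonicalHeaders = {}", canonicalHeaders);
        log.debug("sessions request = {}", requestBody);
        // canonicalHeaders already ends with a newline; the extra separator produces the blank
        // line that separates the header block from the signed-header list.
        return httpMethod + LINE_SEPARATOR
                + uri + LINE_SEPARATOR
                + EMPTY_STRING + LINE_SEPARATOR // canonical query string: the sessions call has none
                + canonicalHeaders + LINE_SEPARATOR
                + signedHeaderList.toLowerCase(Locale.ROOT) + LINE_SEPARATOR
                + hashContent(requestBody);
    }

    /**
     * Returns the lower-case hex SHA-256 of {@code str}.
     *
     * @param str the text to hash
     * @return the hex digest
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    public static String hashContent(String str) throws NoSuchAlgorithmException {
        return BinaryUtils.toHex(hash(str));
    }

    /**
     * Collects the headers that are signed, keyed by lower-cased name and sorted by key.
     *
     * @param host        the {@code Host} value
     * @param contentType the {@code Content-Type} value
     * @param amzDate     the {@code X-Amz-Date} value
     * @param certificate the {@code X-Amz-X509} value
     * @return a mutable, sorted map of header name to value
     */
    public static Map<String, String> canonicalHeaders(String host, String contentType, String amzDate, String certificate) {
        Map<String, String> headers = new TreeMap<>();
        headers.put(CONTENT_TYPE_HEADER.toLowerCase(Locale.ROOT), contentType);
        headers.put(HOST_HEADER.toLowerCase(Locale.ROOT), host);
        headers.put(X_AMZ_DATE_HEADER.toLowerCase(Locale.ROOT), amzDate);
        headers.put(X_AMZ_X509.toLowerCase(Locale.ROOT), certificate);
        return headers;
    }

    /**
     * Renders the canonical header block for a request without a certificate chain.
     *
     * @param host        the {@code Host} value
     * @param contentType the {@code Content-Type} value
     * @param amzDate     the {@code X-Amz-Date} value
     * @param certificate the {@code X-Amz-X509} value
     * @return one {@code name:value} line per header, newline-terminated
     */
    public static String buildCanonicalHeaders(String host, String contentType, String amzDate, String certificate) {
        return joinCanonicalHeaders(canonicalHeaders(host, contentType, amzDate, certificate));
    }

    /**
     * Renders the canonical header block for a request that also carries an intermediate CA
     * certificate in {@code X-Amz-X509-Chain}.
     *
     * @param host             the {@code Host} value
     * @param contentType      the {@code Content-Type} value
     * @param amzDate          the {@code X-Amz-Date} value
     * @param certificate      the {@code X-Amz-X509} value
     * @param certificateChain the {@code X-Amz-X509-Chain} value
     * @return one {@code name:value} line per header, newline-terminated
     */
    public static String buildCanonicalHeaders(String host, String contentType, String amzDate, String certificate, String certificateChain) {
        Map<String, String> headers = canonicalHeaders(host, contentType, amzDate, certificate);
        headers.put(X_AMZ_X509_CHAIN.toLowerCase(Locale.ROOT), certificateChain);
        return joinCanonicalHeaders(headers);
    }

    /** Joins a sorted header map into {@code name:value} lines followed by a trailing newline. */
    private static String joinCanonicalHeaders(Map<String, String> headers) {
        String joined = headers.entrySet().stream()
                .map(entry -> entry.getKey() + ":" + entry.getValue())
                .collect(Collectors.joining(LINE_SEPARATOR));
        return joined + LINE_SEPARATOR;
    }

    /**
     * Creates the request model for the sessions endpoint.
     *
     * @param roleArn         the role to assume
     * @param profileArn      the Roles Anywhere profile
     * @param trustAnchorArn  the trust anchor that issued the certificate
     * @param durationSeconds the requested session lifetime
     * @return the populated request
     */
    public static AwsRolesAnywhereSessionsRequest awsRolesAnywhereSessionsRequest(String roleArn, String profileArn, String trustAnchorArn, Integer durationSeconds) {
        return new AwsRolesAnywhereSessionsRequest()
                .setRoleArn(roleArn)
                .setProfileArn(profileArn)
                .setTrustAnchorArn(trustAnchorArn)
                .setDurationSeconds(durationSeconds);
    }

    /**
     * Resolves the Roles Anywhere host name for {@code region} from the SDK's service metadata.
     *
     * @param region the AWS region
     * @return the host name (no scheme)
     */
    public static String resolveHostBasedOnRegion(Region region) {
        ServiceEndpointKey endpointKey = ServiceEndpointKey.builder().region(region).build();
        return new RolesanywhereServiceMetadata().endpointFor(endpointKey).getPath();
    }

    /**
     * Resolves the HTTPS base URL of the Roles Anywhere service for {@code region}.
     *
     * @param region the AWS region
     * @return {@code "https://" + host}
     */
    public static String resolveHostEndpoint(Region region) {
        return "https://" + resolveHostBasedOnRegion(region);
    }

    /**
     * Derives the algorithm label placed at the start of the {@code Authorization} header.
     *
     * @param privateKey the signing key
     * @return {@code AWS4-X509-<key algorithm>-SHA256}
     */
    public static String resolveAwsAlgorithm(PrivateKey privateKey) {
        return AWS4_X509_PREFIX + CertAndKeyParserAndLoader.resolveAndValidateAlgorithm(privateKey) + AWS4_X509_SUFFIX;
    }

    /**
     * Builds the credential scope for the current instant.
     *
     * @param region the AWS region
     * @return {@code <yyyyMMdd>/<region>/rolesanywhere/aws4_request}
     */
    public static String credentialScope(Region region) {
        return credentialScope(region, new Date());
    }

    /**
     * Builds the credential scope for a given signing instant.
     *
     * @param region      the AWS region
     * @param signingTime the instant the request is signed at
     * @return {@code <yyyyMMdd>/<region>/rolesanywhere/aws4_request}
     */
    public static String credentialScope(Region region, Date signingTime) {
        String scope = getDate(signingTime) + "/" + region.id() + "/" + ROLES_ANYWHERE_SERVICE + "/aws4_request";
        log.debug("credentialScope: {}", scope);
        return scope;
    }

    /**
     * Builds the string-to-sign for the current instant.
     *
     * @param region           the AWS region
     * @param algorithm        the label from {@link #resolveAwsAlgorithm(PrivateKey)}
     * @param canonicalRequest the output of {@link #canonicalRequest}
     * @return algorithm, timestamp, credential scope and hashed canonical request, newline-separated
     * @throws IOException              declared for compatibility with existing callers
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    public static String contentToSign(Region region, String algorithm, String canonicalRequest) throws IOException, NoSuchAlgorithmException {
        return contentToSign(region, algorithm, canonicalRequest, new Date());
    }

    /**
     * Builds the string-to-sign for a given signing instant.
     *
     * @param region           the AWS region
     * @param algorithm        the label from {@link #resolveAwsAlgorithm(PrivateKey)}
     * @param canonicalRequest the output of {@link #canonicalRequest}
     * @param signingTime      the instant used for the {@code X-Amz-Date} header and credential scope
     * @return algorithm, timestamp, credential scope and hashed canonical request, newline-separated
     * @throws IOException              declared for compatibility with existing callers
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    public static String contentToSign(Region region, String algorithm, String canonicalRequest, Date signingTime) throws IOException, NoSuchAlgorithmException {
        log.debug("canonicalRequest: \n{}", canonicalRequest);
        return algorithm + "\n" + getDateAndTime(signingTime) + "\n" + credentialScope(region, signingTime) + "\n" + hashContent(canonicalRequest);
    }

    /**
     * Signs {@code str} with {@code privateKey} using the signature algorithm matched to the key type.
     *
     * @param str        the string-to-sign
     * @param privateKey the signing key
     * @return the lower-case hex signature
     * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
     * @throws SignatureException       if signing fails
     * @throws InvalidKeyException      if the key cannot be used for signing
     */
    public static String sign(String str, PrivateKey privateKey) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException {
        Signature signer = Signature.getInstance(CertAndKeyParserAndLoader.resolveSignatureAlgorithm(privateKey));
        signer.initSign(privateKey);
        signer.update(str.getBytes(StandardCharsets.UTF_8));
        return BinaryUtils.toHex(signer.sign());
    }

    /**
     * Builds the {@code Authorization} header value using the current instant for the credential scope.
     *
     * @param region          the AWS region
     * @param contentToSign   the string-to-sign
     * @param algorithm       the label from {@link #resolveAwsAlgorithm(PrivateKey)}
     * @param signedHeaders   the semicolon-separated signed-header list
     * @param x509Certificate the leaf certificate; its serial number identifies the credential
     * @param privateKey      the signing key
     * @return the header value
     */
    public static String awsSignedAuthHeader(Region region, String contentToSign, String algorithm, String signedHeaders, X509Certificate x509Certificate, PrivateKey privateKey) throws InvalidKeySpecException, IOException, NoSuchAlgorithmException, SignatureException, NoSuchProviderException, InvalidKeyException {
        return awsSignedAuthHeader(region, contentToSign, algorithm, signedHeaders, x509Certificate, privateKey, new Date());
    }

    /**
     * Builds the {@code Authorization} header value for a given signing instant.
     *
     * @param region          the AWS region
     * @param contentToSign   the string-to-sign
     * @param algorithm       the label from {@link #resolveAwsAlgorithm(PrivateKey)}
     * @param signedHeaders   the semicolon-separated signed-header list
     * @param x509Certificate the leaf certificate; its serial number identifies the credential
     * @param privateKey      the signing key
     * @param signingTime     the instant used for the credential scope; must match the one used
     *                        when {@code contentToSign} was built
     * @return {@code <algorithm> Credential=<serial>/<scope>, SignedHeaders=<list>, Signature=<hex>}
     */
    public static String awsSignedAuthHeader(Region region, String contentToSign, String algorithm, String signedHeaders, X509Certificate x509Certificate, PrivateKey privateKey, Date signingTime) throws InvalidKeySpecException, IOException, NoSuchAlgorithmException, SignatureException, NoSuchProviderException, InvalidKeyException {
        String credential = x509Certificate.getSerialNumber().toString() + "/" + credentialScope(region, signingTime);
        String signature = sign(contentToSign, privateKey);
        return algorithm + " "
                + CREDENTIAL_PREFIX + credential + CREDENTIALS_DE_LIMITER
                + SIGNED_HEADERS_PREFIX + signedHeaders + CREDENTIALS_DE_LIMITER
                + SIGNATURE_PREFIX + signature;
    }

    /**
     * Signs and sends a sessions request and parses the response.
     *
     * <p>The body is serialised once with {@code objectMapper} and that exact string is both hashed
     * into the signature and sent on the wire; the clock is sampled once so the canonical request,
     * the string-to-sign, the credential scope and the {@code X-Amz-Date} header all agree.
     *
     * @param request          the sessions request
     * @param requesterDetails region, certificate material and private key of the caller
     * @param sdkHttpClient    the HTTP client used for the call
     * @param objectMapper     the mapper used to serialise the request and parse the response
     * @return the parsed response
     * @throws RuntimeException if the body cannot be serialised or signed, the response has no
     *                          body or cannot be read, or the service answers with a non-2xx status
     */
    public static AwsRolesAnywhereSessionsResponse getIamRolesAnywhereSessions(AwsRolesAnywhereSessionsRequest request, AwsRolesAnyWhereRequesterDetails requesterDetails, SdkHttpClient sdkHttpClient, ObjectMapper objectMapper) {
        try {
            String requestBody = objectMapper.writeValueAsString(request);
            Region region = requesterDetails.getRegion();
            String host = resolveHostBasedOnRegion(region);
            X509CertificateChain certificateChain = CertAndKeyParserAndLoader.resolveCertificateChain(requesterDetails.getEncodedX509Certificate());
            log.debug("request: {}", requestBody);
            // Single signing instant: sampling the clock separately for each step would make the
            // signature invalid whenever a second (or, for the scope, a UTC day) boundary fell
            // between the samples.
            Date signingTime = new Date();
            String canonicalRequest = canonicalRequest(signingTime, host, SdkHttpMethod.POST.name(), SESSIONS_URI, requestBody, certificateChain);
            String algorithm = resolveAwsAlgorithm(requesterDetails.getPrivateKey());
            String stringToSign = contentToSign(region, algorithm, canonicalRequest, signingTime);
            HttpExecuteResponse response = executeHttpRequest(requestBody, sdkHttpClient, requesterDetails, stringToSign, algorithm, signingTime);
            int statusCode = response.httpResponse().statusCode();
            log.debug("Status Code is {} for AWS roles anywhere session endpoint", statusCode);
            if (!response.responseBody().isPresent()) {
                log.error("Error reading response body for AWS roles anywhere sessions endpoint: NO response body");
                throw new RuntimeException("Error reading response body for AWS roles anywhere sessions endpoint");
            }
            String responseBody;
            try (InputStream inputStream = response.responseBody().get()) {
                responseBody = IoUtils.toUtf8String(inputStream);
            } catch (IOException e) {
                log.error("Error reading response body for AWS roles anywhere sessions endpoint: {}", e.getMessage());
                throw new RuntimeException("Error reading response body for AWS roles anywhere sessions endpoint", e);
            }
            if (!response.httpResponse().isSuccessful()) {
                // An error body carries the service's message, not credentials, so it is safe to log.
                log.error("AWS roles anywhere sessions endpoint returned status {}: {}", statusCode, responseBody);
                throw new RuntimeException("AWS roles anywhere sessions endpoint returned status " + statusCode);
            }
            // A successful body contains the issued access key, secret key and session token:
            // never write it to the log, only its size.
            log.debug("Received {} characters from AWS roles anywhere sessions endpoint", responseBody.length());
            return objectMapper.readValue(responseBody, AwsRolesAnywhereSessionsResponse.class);
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Sends the signed POST to the sessions endpoint.
     *
     * @param requestBody      the serialised body; must be the exact string hashed into the signature
     * @param sdkHttpClient    the HTTP client
     * @param requesterDetails region, certificate chain and private key
     * @param stringToSign     the output of {@link #contentToSign}
     * @param algorithm        the label from {@link #resolveAwsAlgorithm(PrivateKey)}
     * @param signingTime      the instant used when building {@code stringToSign}
     * @return the raw HTTP response
     * @throws IOException              if the call fails
     * @throws GeneralSecurityException if the certificate cannot be encoded or signing fails
     */
    private static HttpExecuteResponse executeHttpRequest(String requestBody, SdkHttpClient sdkHttpClient, AwsRolesAnyWhereRequesterDetails requesterDetails, String stringToSign, String algorithm, Date signingTime) throws IOException, GeneralSecurityException {
        byte[] bodyBytes = requestBody.getBytes(StandardCharsets.UTF_8);
        Region region = requesterDetails.getRegion();
        X509Certificate leafCertificate = requesterDetails.getCertificateChain().getLeafCertificate();
        X509Certificate intermediateCertificate = requesterDetails.getCertificateChain().getIntermediateCACertificate();
        PrivateKey privateKey = requesterDetails.getPrivateKey();
        SdkHttpFullRequest.Builder requestBuilder = SdkHttpFullRequest.builder()
                .uri(resolveHostEndpoint(region) + SESSIONS_URI)
                .method(SdkHttpMethod.POST)
                .putHeader(CONTENT_TYPE_HEADER, ContentType.APPLICATION_JSON.getMimeType())
                .putHeader(X_AMZ_X509, CertAndKeyParserAndLoader.convertToBase64PEMString(leafCertificate))
                // same instant as the canonical request, otherwise the signed value and the sent value differ
                .putHeader(X_AMZ_DATE_HEADER, getDateAndTime(signingTime));
        String signedHeaderList;
        if (intermediateCertificate != null) {
            requestBuilder.putHeader(X_AMZ_X509_CHAIN, CertAndKeyParserAndLoader.convertToBase64PEMString(intermediateCertificate));
            signedHeaderList = signedHeadersWithChain();
        } else {
            signedHeaderList = signedHeaders();
        }
        String authorizationHeader = awsSignedAuthHeader(region, stringToSign, algorithm, signedHeaderList, leafCertificate, privateKey, signingTime);
        requestBuilder.putHeader(AUTHORIZATION_HEADER, authorizationHeader);
        HttpExecuteRequest executeRequest = HttpExecuteRequest.builder()
                .request(requestBuilder.build())
                // A fresh stream per invocation: a single shared ByteArrayInputStream would be
                // exhausted if the client reads the body more than once.
                .contentStreamProvider(() -> new ByteArrayInputStream(bodyBytes))
                .build();
        HttpExecuteResponse response = sdkHttpClient.prepareRequest(executeRequest).call();
        log.debug("authHeader: {}", authorizationHeader);
        return response;
    }
}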
