package software.amazon.msk.auth.iam.internals;

import com.amazonaws.SdkBaseException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.retry.PredefinedBackoffStrategies;
import com.amazonaws.retry.v2.AndRetryCondition;
import com.amazonaws.retry.v2.MaxNumberOfRetriesCondition;
import com.amazonaws.retry.v2.RetryOnExceptionsCondition;
import com.amazonaws.retry.v2.RetryPolicy;
import com.amazonaws.retry.v2.RetryPolicyContext;
import com.amazonaws.retry.v2.SimpleRetryPolicy;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:software/amazon/msk/auth/iam/internals/MSKCredentialProvider.class */
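/**
 * Credentials provider that resolves AWS credentials from an options map and then from a
 * default provider chain.
 *
 * <p>Explicitly configured providers (a named profile via {@code awsProfileName}, then an
 * assumed role via {@code awsRoleArn}) are tried first. The chain returned by
 * {@link #getDefaultProvider()} is always appended as the last resort. Loading is retried
 * according to {@code awsMaxRetries} and {@code awsMaxBackOffTimeMs}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code awsRoleAccessKeyId}, {@code awsRoleSecretAccessKey} and
 *       {@code awsRoleSessionToken} carry secret material through the options map. This class
 *       logs only the number of options, the profile name and the role ARN. Option values must
 *       never be logged wholesale.</li>
 *   <li>{@code awsDebugCreds=true} combined with debug logging makes every
 *       {@link #getCredentials()} call issue an STS {@code GetCallerIdentity} request and log
 *       the result. It is a troubleshooting switch and requires network access to STS.</li>
 * </ul>
 */
public class MSKCredentialProvider implements AWSCredentialsProvider, AutoCloseable {
    private static final Logger log = LoggerFactory.getLogger(MSKCredentialProvider.class);
    private static final String AWS_PROFILE_NAME_KEY = "awsProfileName";
    private static final String AWS_ROLE_ARN_KEY = "awsRoleArn";
    private static final String AWS_ROLE_EXTERNAL_ID = "awsRoleExternalId";
    private static final String AWS_ROLE_ACCESS_KEY_ID = "awsRoleAccessKeyId";
    private static final String AWS_ROLE_SECRET_ACCESS_KEY = "awsRoleSecretAccessKey";
    private static final String AWS_ROLE_SESSION_KEY = "awsRoleSessionName";
    private static final String AWS_ROLE_SESSION_TOKEN = "awsRoleSessionToken";
    private static final String AWS_STS_REGION = "awsStsRegion";
    private static final String AWS_DEBUG_CREDS_KEY = "awsDebugCreds";
    private static final String AWS_MAX_RETRIES = "awsMaxRetries";
    private static final String AWS_MAX_BACK_OFF_TIME_MS = "awsMaxBackOffTimeMs";
    private static final int DEFAULT_MAX_RETRIES = 3;
    private static final int DEFAULT_MAX_BACK_OFF_TIME_MS = 5000;
    private static final int BASE_DELAY = 500;
    private final List<AutoCloseable> closeableProviders;
    private final AWSCredentialsProvider compositeDelegate;
    private final Boolean shouldDebugCreds;
    private final String stsRegion;
    private final RetryPolicy retryPolicy;

    /**
     * Translates the raw options map into credential providers and retry settings.
     *
     * <p>The non-private factory methods are package-visible so that subclasses in the same
     * package can substitute the created providers.
     */
    public static class ProviderBuilder {
        private final Map<String, ?> optionsMap;

        /**
         * @param map option name to value; values are cast to {@link String} where they are read
         */
        public ProviderBuilder(Map<String, ?> map) {
            this.optionsMap = map;
            // Only the option count is logged: the values may include access keys and tokens.
            log.debug("Number of options to configure credential provider {}", map.size());
        }

        /**
         * Returns the explicitly configured providers, profile first and assumed role second.
         *
         * @return a mutable list, empty when neither option is configured
         */
        public List<AWSCredentialsProvider> getProviders() {
            List<AWSCredentialsProvider> providers = new ArrayList<>();
            getProfileProvider().ifPresent(providers::add);
            getStsRoleProvider().ifPresent(providers::add);
            return providers;
        }

        /**
         * @return {@code true} only when {@code awsDebugCreds} is exactly the string "true"
         */
        public Boolean shouldDebugCreds() {
            return Optional.ofNullable(optionsMap.get(AWS_DEBUG_CREDS_KEY))
                    .map(value -> "true".equals(value))
                    .orElse(false);
        }

        /**
         * @return the configured {@code awsStsRegion}, or "aws-global" when absent
         */
        public String getStsRegion() {
            return Optional.ofNullable((String) optionsMap.get(AWS_STS_REGION)).orElse("aws-global");
        }

        /**
         * @return the configured {@code awsMaxRetries}, or the default of 3 when absent
         * @throws NumberFormatException if the configured value is not an integer
         */
        public int getMaxRetries() {
            return Optional.ofNullable(optionsMap.get(AWS_MAX_RETRIES))
                    .map(value -> (String) value)
                    .map(Integer::parseInt)
                    .orElse(DEFAULT_MAX_RETRIES);
        }

        /**
         * @return the configured {@code awsMaxBackOffTimeMs}, or the default of 5000 when absent
         * @throws NumberFormatException if the configured value is not an integer
         */
        public int getMaxBackOffTimeMs() {
            return Optional.ofNullable(optionsMap.get(AWS_MAX_BACK_OFF_TIME_MS))
                    .map(value -> (String) value)
                    .map(Integer::parseInt)
                    .orElse(DEFAULT_MAX_BACK_OFF_TIME_MS);
        }

        /** Builds a profile provider when {@code awsProfileName} is configured. */
        private Optional<EnhancedProfileCredentialsProvider> getProfileProvider() {
            return Optional.ofNullable(optionsMap.get(AWS_PROFILE_NAME_KEY)).map(value -> {
                log.debug("Profile name {}", value);
                return createEnhancedProfileCredentialsProvider((String) value);
            });
        }

        EnhancedProfileCredentialsProvider createEnhancedProfileCredentialsProvider(String profileName) {
            return new EnhancedProfileCredentialsProvider(profileName);
        }

        /**
         * Builds an assume-role provider when {@code awsRoleArn} is configured.
         *
         * <p>When both the access key id and the secret access key are supplied, the STS client
         * uses those static credentials, as session credentials if a session token is also
         * present. Otherwise the STS client is built without explicit credentials and the
         * external id, if any, is attached to the assume-role request.
         */
        private Optional<STSAssumeRoleSessionCredentialsProvider> getStsRoleProvider() {
            return Optional.ofNullable(optionsMap.get(AWS_ROLE_ARN_KEY)).map(value -> {
                log.debug("Role ARN {}", value);
                String roleArn = (String) value;
                String sessionName = Optional.ofNullable((String) optionsMap.get(AWS_ROLE_SESSION_KEY))
                        .orElse("aws-msk-iam-auth");
                String region = getStsRegion();
                String accessKeyId = (String) optionsMap.get(AWS_ROLE_ACCESS_KEY_ID);
                String secretAccessKey = (String) optionsMap.get(AWS_ROLE_SECRET_ACCESS_KEY);
                String sessionToken = (String) optionsMap.get(AWS_ROLE_SESSION_TOKEN);
                String externalId = (String) optionsMap.get(AWS_ROLE_EXTERNAL_ID);

                if (accessKeyId != null && secretAccessKey != null) {
                    if (externalId != null) {
                        // The static-credentials overload has no external-id parameter, so the
                        // value would be dropped silently. Log the option name only.
                        log.warn("Option {} is ignored because static role credentials are configured.",
                                AWS_ROLE_EXTERNAL_ID);
                    }
                    AWSCredentials staticCredentials = sessionToken != null
                            ? new BasicSessionCredentials(accessKeyId, secretAccessKey, sessionToken)
                            : new BasicAWSCredentials(accessKeyId, secretAccessKey);
                    return createSTSRoleCredentialProvider(
                            roleArn, sessionName, region, new AWSStaticCredentialsProvider(staticCredentials));
                }
                // Only one half of the key pair present: it is not used and the STS client is
                // built without explicit credentials.
                if (externalId != null) {
                    return createSTSRoleCredentialProvider(roleArn, externalId, sessionName, region);
                }
                return createSTSRoleCredentialProvider(roleArn, sessionName, region);
            });
        }

        /** Assume-role provider whose STS client is built without explicit credentials. */
        STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(
                String roleArn, String sessionName, String stsRegion) {
            AWSSecurityTokenService stsClient =
                    AWSSecurityTokenServiceClientBuilder.standard().withRegion(stsRegion).build();
            return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                    .withStsClient(stsClient)
                    .build();
        }

        /** Assume-role provider whose STS client authenticates with the given credentials. */
        STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(
                String roleArn, String sessionName, String stsRegion, AWSCredentialsProvider credentials) {
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withRegion(stsRegion)
                    .withCredentials(credentials)
                    .build();
            return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                    .withStsClient(stsClient)
                    .build();
        }

        /**
         * Assume-role provider that sends an external id with the assume-role request.
         * Note the parameter order: the external id comes before the session name.
         */
        STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(
                String roleArn, String externalId, String sessionName, String stsRegion) {
            AWSSecurityTokenService stsClient =
                    AWSSecurityTokenServiceClientBuilder.standard().withRegion(stsRegion).build();
            return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                    .withStsClient(stsClient)
                    .withExternalId(externalId)
                    .build();
        }
    }

    /**
     * Creates a provider configured from the given options map.
     *
     * @param map option name to value
     */
    public MSKCredentialProvider(Map<String, ?> map) {
        this(new ProviderBuilder(map));
    }

    MSKCredentialProvider(ProviderBuilder providerBuilder) {
        this(providerBuilder.getProviders(), providerBuilder.shouldDebugCreds(), providerBuilder.getStsRegion(),
                providerBuilder.getMaxRetries(), providerBuilder.getMaxBackOffTimeMs());
    }

    /**
     * @param providers explicitly configured providers, tried before the default chain
     * @param shouldDebugCreds whether to log the caller identity of resolved credentials
     * @param stsRegion region of the STS client used for the caller-identity lookup
     * @param maxRetries retries on {@link SdkClientException}; zero or less disables retrying
     * @param maxBackOffTimeMs upper bound passed to the full-jitter backoff strategy
     */
    MSKCredentialProvider(List<AWSCredentialsProvider> providers, Boolean shouldDebugCreds, String stsRegion,
            int maxRetries, int maxBackOffTimeMs) {
        List<AWSCredentialsProvider> delegates = new ArrayList<>(providers);
        delegates.add(getDefaultProvider());
        this.compositeDelegate = new AWSCredentialsProviderChain(delegates);
        // Only the explicitly configured providers are tracked for close().
        this.closeableProviders = providers.stream()
                .filter(AutoCloseable.class::isInstance)
                .map(AutoCloseable.class::cast)
                .collect(Collectors.toList());
        this.shouldDebugCreds = shouldDebugCreds;
        this.stsRegion = stsRegion;
        PredefinedBackoffStrategies.FullJitterBackoffStrategy backoff =
                new PredefinedBackoffStrategies.FullJitterBackoffStrategy(BASE_DELAY, maxBackOffTimeMs);
        if (maxRetries > 0) {
            this.retryPolicy = new SimpleRetryPolicy(
                    new AndRetryCondition(
                            new RetryOnExceptionsCondition(Collections.singletonList(SdkClientException.class)),
                            new MaxNumberOfRetriesCondition(maxRetries)),
                    backoff);
        } else {
            this.retryPolicy = new SimpleRetryPolicy(context -> false, backoff);
        }
    }

    /**
     * Returns the fallback chain: environment variables, system properties, web identity token,
     * default profile, then the EC2/container provider wrapper.
     */
    protected AWSCredentialsProviderChain getDefaultProvider() {
        return new AWSCredentialsProviderChain(
                new EnvironmentVariableCredentialsProvider(),
                new SystemPropertiesCredentialsProvider(),
                WebIdentityTokenCredentialsProvider.create(),
                new EnhancedProfileCredentialsProvider(),
                new EC2ContainerCredentialsProviderWrapper());
    }

    /**
     * Loads credentials, retrying per the configured policy.
     *
     * @return the resolved credentials
     * @throws SdkBaseException the last failure once the retry policy gives up
     * @throws RuntimeException if the thread is interrupted while backing off
     */
    @Override
    public AWSCredentials getCredentials() {
        AWSCredentials credentials = loadCredentialsWithRetry();
        // The isDebugEnabled() guard matters here: it prevents an STS call on every lookup.
        // Boolean.TRUE.equals tolerates a null flag from the package-private constructor.
        if (credentials != null && Boolean.TRUE.equals(shouldDebugCreds) && log.isDebugEnabled()) {
            logCallerIdentity(credentials);
        }
        return credentials;
    }

    /** Calls the delegate chain until it succeeds or the retry policy declines a retry. */
    private AWSCredentials loadCredentialsWithRetry() {
        RetryPolicyContext retryPolicyContext = RetryPolicyContext.builder().build();
        boolean shouldRetry = true;
        while (shouldRetry) {
            try {
                AWSCredentials credentials = compositeDelegate.getCredentials();
                if (credentials == null) {
                    // A null result is treated as a retryable client failure.
                    throw new SdkClientException("Composite delegate returned empty credentials.");
                }
                return credentials;
            } catch (SdkBaseException e) {
                log.warn("Exception loading credentials. Retry Attempts: {}",
                        retryPolicyContext.retriesAttempted(), e);
                RetryPolicyContext failedAttempt =
                        createRetryPolicyContext(e, retryPolicyContext.retriesAttempted());
                shouldRetry = retryPolicy.shouldRetry(failedAttempt);
                if (!shouldRetry) {
                    throw e;
                }
                try {
                    Thread.sleep(retryPolicy.computeDelayBeforeNextRetry(failedAttempt));
                } catch (InterruptedException interrupted) {
                    // Restore the interrupt flag so callers up the stack can observe it.
                    Thread.currentThread().interrupt();
                    throw new RuntimeException("Interrupted while waiting for credentials.", interrupted);
                }
                retryPolicyContext =
                        createRetryPolicyContext(failedAttempt.exception(), failedAttempt.retriesAttempted() + 1);
            }
        }
        // Every loop iteration returns or throws; this only satisfies the compiler.
        throw new SdkClientException(
                "loadCredentialsWithRetry in unexpected location " + retryPolicyContext.totalRequests(),
                retryPolicyContext.exception());
    }

    private RetryPolicyContext createRetryPolicyContext(SdkBaseException exception, int retriesAttempted) {
        return RetryPolicyContext.builder().exception(exception).retriesAttempted(retriesAttempted).build();
    }

    /**
     * Logs the STS caller identity of the given credentials at debug level. Failures are
     * logged and swallowed because this is diagnostic only.
     */
    private void logCallerIdentity(AWSCredentials credentials) {
        try {
            // NOTE(review): a new STS client is built per call and never shut down here.
            // Confirm that is acceptable for a debug-only path.
            AWSSecurityTokenService stsClient = getStsClientForDebuggingCreds(credentials);
            log.debug("The identity of the credentials is {}",
                    stsClient.getCallerIdentity(new GetCallerIdentityRequest()).toString());
        } catch (Exception e) {
            log.warn("Error identifying caller identity. If this is not transient, does this application have "
                    + "access to AWS STS?", e);
        }
    }

    /** Builds an STS client in the configured region that always presents the given credentials. */
    AWSSecurityTokenService getStsClientForDebuggingCreds(final AWSCredentials credentials) {
        AWSCredentialsProvider fixedProvider = new AWSCredentialsProvider() {
            @Override
            public AWSCredentials getCredentials() {
                return credentials;
            }

            @Override
            public void refresh() {
                // Nothing to refresh: the credentials are fixed for this client.
            }
        };
        return AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(stsRegion)
                .withCredentials(fixedProvider)
                .build();
    }

    @Override
    public void refresh() {
        compositeDelegate.refresh();
    }

    /** Closes every closeable configured provider; a failure is logged and the rest still close. */
    @Override
    public void close() {
        for (AutoCloseable provider : closeableProviders) {
            try {
                provider.close();
            } catch (Exception e) {
                log.warn("Error closing credential provider", e);
            }
        }
    }

    Boolean getShouldDebugCreds() {
        return shouldDebugCreds;
    }
}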
