package com.amazon.athena.jdbc.authentication.datazone.helpers;

import com.amazon.athena.jdbc.support.AuthenticationException;
import com.amazon.athena.logging.AthenaLogger;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.util.EntityUtils;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.protocols.jsoncore.JsonNode;
import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
import software.amazon.awssdk.services.datazone.DataZoneClient;
import software.amazon.awssdk.services.datazone.model.GetEnvironmentCredentialsRequest;
import software.amazon.awssdk.services.datazone.model.GetEnvironmentCredentialsResponse;

/* loaded from: input_file:com/amazon/athena/jdbc/authentication/datazone/helpers/DataZoneHelper.class */
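/**
 * Exchanges a DataZone SSO access token for AWS session credentials.
 *
 * <p>Two hops are made: the access token is first redeemed at the DataZone
 * {@code /sso/redeem-token} HTTP endpoint for domain execution role credentials,
 * and those credentials are then used with the DataZone SDK client to fetch the
 * credentials of the configured environment.
 *
 * <p>Not thread-safe beyond the thread-safety of the supplied {@link HttpClient};
 * instances hold no mutable state of their own.
 */
public class DataZoneHelper {
    private static final AthenaLogger logger = AthenaLogger.of(DataZoneHelper.class);
    /** Path, relative to {@code endpoint}, of the token redemption API. */
    private static final String REDEEM_TOKEN_PATH = "/sso/redeem-token";

    private final String domainId;
    private final String environmentId;
    // Kept for constructor compatibility; nothing in this class reads it.
    private final String region;
    private final String endpoint;
    private final HttpClient httpClient;
    private final Function<AwsCredentialsProvider, DataZoneClient> dataZoneClientFactory;
    private final JsonNodeParser jsonNodeParser = JsonNodeParser.create();

    /**
     * Creates a helper bound to one DataZone domain and environment.
     *
     * @param domainId DataZone domain identifier
     * @param environmentId DataZone environment identifier whose credentials are requested
     * @param region AWS region (stored but not used by this class)
     * @param endpoint base URL of the DataZone SSO endpoint; {@code /sso/redeem-token} is appended to it
     * @param httpClient client used for the token redemption call
     * @param dataZoneClientFactory builds a {@link DataZoneClient} from the domain execution role credentials;
     *     the returned client is closed after each use
     */
    public DataZoneHelper(String domainId, String environmentId, String region, String endpoint,
                          HttpClient httpClient,
                          Function<AwsCredentialsProvider, DataZoneClient> dataZoneClientFactory) {
        this.domainId = domainId;
        this.environmentId = environmentId;
        this.region = region;
        this.endpoint = endpoint;
        this.httpClient = httpClient;
        this.dataZoneClientFactory = dataZoneClientFactory;
    }

    /**
     * Resolves environment credentials for the configured domain/environment.
     *
     * @param accessToken DataZone SSO access token to redeem
     * @return session credentials for the environment, including their expiration time
     * @throws AuthenticationException if the token cannot be redeemed or the redemption response
     *     does not contain credentials
     */
    public AwsSessionCredentials getEnvironmentCredentials(String accessToken) {
        AwsCredentialsProvider domainRoleCredentials =
                StaticCredentialsProvider.create(getAssumedDomainExecutionRole(accessToken));
        GetEnvironmentCredentialsRequest request = GetEnvironmentCredentialsRequest.builder()
                .domainIdentifier(this.domainId)
                .environmentIdentifier(this.environmentId)
                .build();
        logger.info(String.format("Retrieving DataZone Environment Credentials for domain: %s, environment: %s",
                this.domainId, this.environmentId));
        // A fresh client is built per call with the short-lived domain role credentials and
        // closed once the response is in, so those credentials do not linger in a cached client.
        try (DataZoneClient client = this.dataZoneClientFactory.apply(domainRoleCredentials)) {
            GetEnvironmentCredentialsResponse response = client.getEnvironmentCredentials(request);
            return AwsSessionCredentials.builder()
                    .accessKeyId(response.accessKeyId())
                    .secretAccessKey(response.secretAccessKey())
                    .sessionToken(response.sessionToken())
                    .expirationTime(response.expiration())
                    .build();
        }
    }

    /**
     * Redeems the access token for domain execution role credentials.
     *
     * @param accessToken DataZone SSO access token
     * @return session credentials of the domain execution role
     * @throws AuthenticationException if the HTTP call fails or the response carries no credentials
     */
    private AwsSessionCredentials getAssumedDomainExecutionRole(String accessToken) {
        logger.trace("Retrieving DataZone Domain Execution Role Credentials...");
        String responseBody = callRedeemAccessTokenWithHttp(accessToken);
        logger.trace("Successfully Retrieved Domain Execution Role Credentials from Amazon DataZone");
        return parseCredentialsFromResponse(responseBody);
    }

    /**
     * POSTs the redeem-token request and returns the raw response body.
     *
     * <p>The body is returned for both success and error responses; the caller decides
     * which shape it has by looking for a {@code credentials} or {@code message} field.
     *
     * @param accessToken DataZone SSO access token
     * @return response body as a string
     * @throws AuthenticationException wrapping the {@link IOException} message if the call
     *     or the body read fails
     */
    private String callRedeemAccessTokenWithHttp(String accessToken) {
        // The token (and domain id) are caller-supplied strings placed inside a JSON document;
        // escaping them keeps quotes, backslashes and control characters from breaking out of
        // the string value and altering the request body.
        String payload = String.format("{\"domainId\":\"%s\",\"accessToken\":\"%s\"}",
                escapeJsonString(this.domainId), escapeJsonString(accessToken));
        HttpResponse response;
        try {
            response = this.httpClient.execute(createHttpPostFromPayload(payload));
        } catch (IOException e) {
            logger.debug("Failed to call RedeemAccessToken");
            throw new AuthenticationException(e.getMessage());
        }
        try {
            // UTF-8 is only the fallback; a charset declared by the response entity takes precedence.
            return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            logger.debug("Failed to parse RedeemAccessToken response string from HTTP Entity");
            throw new AuthenticationException(e.getMessage());
        }
    }

    /**
     * Builds the redeem-token POST request carrying {@code payload} as a UTF-8 body.
     *
     * @param payload JSON request body
     * @return request targeting {@code endpoint + "/sso/redeem-token"}
     */
    private HttpPost createHttpPostFromPayload(String payload) {
        HttpPost httpPost = new HttpPost(this.endpoint + REDEEM_TOKEN_PATH);
        httpPost.setEntity(new StringEntity(payload, StandardCharsets.UTF_8));
        return httpPost;
    }

    /**
     * Escapes {@code value} for embedding inside a double-quoted JSON string.
     *
     * <p>Quotes and backslashes are backslash-escaped, the common control characters use
     * their short forms, and any other character below U+0020 becomes a {@code \\uXXXX}
     * escape. A {@code null} value yields the text {@code null}, matching what
     * {@code String.format("%s", null)} produced before.
     *
     * @param value raw string, may be {@code null}
     * @return escaped content without surrounding quotes
     */
    static String escapeJsonString(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    escaped.append("\\\"");
                    break;
                case '\\':
                    escaped.append("\\\\");
                    break;
                case '\n':
                    escaped.append("\\n");
                    break;
                case '\r':
                    escaped.append("\\r");
                    break;
                case '\t':
                    escaped.append("\\t");
                    break;
                case '\b':
                    escaped.append("\\b");
                    break;
                case '\f':
                    escaped.append("\\f");
                    break;
                default:
                    if (c < 0x20) {
                        escaped.append(String.format("\\u%04x", (int) c));
                    } else {
                        escaped.append(c);
                    }
            }
        }
        return escaped.toString();
    }

    /**
     * Extracts session credentials from the redeem-token response body.
     *
     * @param responseBody JSON body of the redeem-token response
     * @return credentials built from the {@code credentials} object
     * @throws AuthenticationException if the body has no {@code credentials} object (the
     *     response's {@code message} is used for the error text) or one of the expected
     *     keys is missing from it
     */
    private AwsSessionCredentials parseCredentialsFromResponse(String responseBody) {
        JsonNode root = this.jsonNodeParser.parse(responseBody);
        return root.field("credentials")
                .map(JsonNode::asObject)
                .map(credentials -> AwsSessionCredentials.create(
                        requiredString(credentials, "accessKeyId"),
                        requiredString(credentials, "secretAccessKey"),
                        requiredString(credentials, "sessionToken")))
                .orElseThrow(() -> createRedeemAccessTokenException(root));
    }

    /**
     * Reads a mandatory string member of the {@code credentials} object.
     *
     * @param credentials parsed {@code credentials} object
     * @param key member name
     * @return the member's string value
     * @throws AuthenticationException naming the missing key, instead of the NPE a bare
     *     {@code map.get(key).asString()} would raise
     */
    private static String requiredString(Map<String, JsonNode> credentials, String key) {
        JsonNode node = credentials.get(key);
        if (node == null) {
            throw new AuthenticationException(String.format(
                    "Failed to retrieve DataZone domain execution role credentials: response is missing \"%s\"",
                    key));
        }
        return node.asString();
    }

    /**
     * Builds the exception for a redeem-token response that carried no credentials.
     *
     * @param response parsed response body
     * @return exception whose message includes the server's {@code message} field when present
     */
    private AuthenticationException createRedeemAccessTokenException(JsonNode response) {
        Optional<String> serverMessage = response.field("message").map(JsonNode::asString);
        if (serverMessage.isPresent()) {
            logger.info("Error occurred calling RedeemAccessToken: " + serverMessage.get());
            return new AuthenticationException(String.format(
                    "Failed to retrieve DataZone domain execution role credentials: %s", serverMessage.get()));
        }
        logger.info("Unable to determine error from RedeemAccessToken");
        return new AuthenticationException(
                "Unrecognized error while retrieving DataZone domain execution role credentials");
    }
}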
