package com.amazon.athena.jdbc.authentication.datazone;

import com.amazon.athena.jdbc.authentication.datazone.helpers.BrowserControlHelper;
import com.amazon.athena.jdbc.authentication.datazone.helpers.DataZoneHelper;
import com.amazon.athena.jdbc.authentication.datazone.helpers.SsoOidcHelper;
import com.amazon.athena.jdbc.authentication.datazone.httpserver.Server;
import com.amazon.athena.jdbc.authentication.utils.RandomString;
import com.amazon.athena.jdbc.support.AuthenticationException;
import com.amazon.athena.logging.AthenaLogger;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ssooidc.model.RegisterClientResponse;
import software.amazon.awssdk.utils.ProxyConfigProvider;

/* loaded from: input_file:com/amazon/athena/jdbc/authentication/datazone/DataZoneIdcCredentialsProvider.class */
public class DataZoneIdcCredentialsProvider implements AwsCredentialsProvider {
    private final String domainId;
    private final String environmentId;
    private final String domainRegion;
    private final Region environmentRegion;
    private final String datazoneEndpoint;
    private final String identityCenterIssuerUrl;
    private final String cachedTokenKey;
    private final int idcResponseTimeout;
    private final boolean enableTokenCaching;
    private final SsoOidcHelper ssoOidcHelper;
    private final DataZoneHelper dataZoneHelper;
    private final BrowserControlHelper browserControlHelper;
    private final Server server;
    private final String datazoneScope;
    private AwsSessionCredentials credentials;
    private static final String OAUTH_CSRF_STATE_PARAMETER_NAME = "state";
    private static final String AUTH_CODE_PARAMETER_NAME = "code";
    private static final AthenaLogger logger = AthenaLogger.of(DataZoneIdcCredentialsProvider.class);
    private static final Map<String, RegisterClientResponse> registeredClientCache = new HashMap();
    private static final Map<String, String> tokenCache = new HashMap();

    public DataZoneIdcCredentialsProvider(String str, String str2, String str3, Region region, String str4, String str5, int i, boolean z, SsoOidcHelper ssoOidcHelper, DataZoneHelper dataZoneHelper, BrowserControlHelper browserControlHelper, Server server, String str6) {
        this.domainId = str;
        this.environmentId = str2;
        this.domainRegion = str3;
        this.environmentRegion = region;
        this.datazoneEndpoint = str4;
        this.identityCenterIssuerUrl = str5;
        this.idcResponseTimeout = i;
        this.enableTokenCaching = z;
        this.cachedTokenKey = str + str2;
        this.ssoOidcHelper = ssoOidcHelper;
        this.dataZoneHelper = dataZoneHelper;
        this.browserControlHelper = browserControlHelper;
        this.server = server;
        this.datazoneScope = str6;
    }

    @Override // software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
    public AwsCredentials resolveCredentials() {
        if (this.credentials == null || this.credentials.expirationTime().get().isBefore(Instant.now())) {
            if (this.enableTokenCaching) {
                this.credentials = resolveCachedTokenCredentials();
            } else {
                tokenCache.remove(this.cachedTokenKey);
                this.credentials = getDataZoneCredentials();
            }
        }
        return this.credentials;
    }

    private AwsSessionCredentials resolveCachedTokenCredentials() {
        String str = tokenCache.get(this.cachedTokenKey);
        if (str == null) {
            return getDataZoneCredentials();
        }
        try {
            return this.dataZoneHelper.getEnvironmentCredentials(str);
        } catch (AuthenticationException e) {
            logger.info(String.format("Could not re-use cached access token: %s", e.getMessage()), new Object[0]);
            return getDataZoneCredentials();
        }
    }

    private AwsSessionCredentials getDataZoneCredentials() {
        RegisterClientResponse registeredClient = getRegisteredClient(this.identityCenterIssuerUrl);
        String generateCodeVerifier = generateCodeVerifier();
        String retrieveAccessToken = this.ssoOidcHelper.retrieveAccessToken(registeredClient, generateCodeVerifier, fetchAuthorizationToken(registeredClient, generateCodeChallenge(generateCodeVerifier)));
        if (this.enableTokenCaching) {
            tokenCache.put(this.cachedTokenKey, retrieveAccessToken);
        }
        AwsSessionCredentials environmentCredentials = this.dataZoneHelper.getEnvironmentCredentials(retrieveAccessToken);
        logger.trace("Retrieved DataZone Environment Credentials", new Object[0]);
        return AwsSessionCredentials.builder().accessKeyId(environmentCredentials.accessKeyId()).secretAccessKey(environmentCredentials.secretAccessKey()).sessionToken(environmentCredentials.sessionToken()).expirationTime(environmentCredentials.expirationTime().get()).mo1373build();
    }

    private RegisterClientResponse getRegisteredClient(String str) {
        String str2 = this.domainId + this.environmentId + str;
        RegisterClientResponse registerClientResponse = registeredClientCache.get(str2);
        if (isCachedClientValid(registerClientResponse)) {
            logger.trace("Registered client is cached, using previously registered client", new Object[0]);
            return registerClientResponse;
        }
        logger.trace("Registering a new Identity Center client", new Object[0]);
        RegisterClientResponse registerClient = this.ssoOidcHelper.registerClient(str);
        registeredClientCache.put(str2, registerClient);
        return registerClient;
    }

    private boolean isCachedClientValid(RegisterClientResponse registerClientResponse) {
        return (registerClientResponse == null || registerClientResponse.clientSecretExpiresAt() == null || System.currentTimeMillis() >= registerClientResponse.clientSecretExpiresAt().longValue() * 1000) ? false : true;
    }

    private static String generateCodeVerifier() {
        byte[] bArr = new byte[32];
        new SecureRandom().nextBytes(bArr);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bArr);
    }

    private static String generateCodeChallenge(String str) {
        try {
            return Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256).digest(str.getBytes()));
        } catch (NoSuchAlgorithmException e) {
            throw new AuthenticationException("Unable to generate code challenge", e);
        }
    }

    private String fetchAuthorizationToken(RegisterClientResponse registerClientResponse, String str) {
        String generateRandomString = RandomString.generateRandomString(10);
        Future<List<NameValuePair>> listenForResponse = this.server.listenForResponse();
        try {
            try {
                try {
                    try {
                        try {
                            this.browserControlHelper.launchBrowser(new URIBuilder().setScheme(ProxyConfigProvider.HTTPS).setPath(String.format("//oidc.%s.amazonaws.com/authorize", this.domainRegion)).addParameter("response_type", AUTH_CODE_PARAMETER_NAME).addParameter("client_id", registerClientResponse.clientId()).addParameter("redirect_uri", "http://127.0.0.1:" + this.server.getListenPort()).addParameter("scopes", this.datazoneScope).addParameter(OAUTH_CSRF_STATE_PARAMETER_NAME, generateRandomString).addParameter("code_challenge", str).addParameter("code_challenge_method", "S256").build());
                            List<NameValuePair> list = listenForResponse.get(this.idcResponseTimeout, TimeUnit.SECONDS);
                            String orElseThrow = findValueInNameValuePairs(OAUTH_CSRF_STATE_PARAMETER_NAME, list).orElseThrow(() -> {
                                return new AuthenticationException("State is not found in the response");
                            });
                            if (!orElseThrow.equals(generateRandomString)) {
                                throw new AuthenticationException("State " + orElseThrow + " does not match the outgoing state " + generateRandomString);
                            }
                            String orElseThrow2 = findValueInNameValuePairs(AUTH_CODE_PARAMETER_NAME, list).filter(str2 -> {
                                return !str2.isEmpty();
                            }).orElseThrow(() -> {
                                return new AuthenticationException("Authorization code is not found or empty");
                            });
                            logger.trace("Shutdown listening server", new Object[0]);
                            this.server.shutdownServer();
                            return orElseThrow2;
                        } catch (InterruptedException e) {
                            Thread.currentThread().interrupt();
                            logger.debug("Main thread got interrupted: {}", e.getMessage());
                            throw new AuthenticationException("Main thread got interrupted", e);
                        }
                    } catch (ExecutionException e2) {
                        logger.debug("Server thread threw an exception: {}", e2.getMessage());
                        throw new AuthenticationException(e2.getMessage());
                    }
                } catch (IOException | URISyntaxException e3) {
                    logger.debug("Server thread threw an exception: {}", e3.getMessage());
                    throw new AuthenticationException(e3.getMessage());
                }
            } catch (TimeoutException e4) {
                listenForResponse.cancel(true);
                throw new AuthenticationException("Timeout while fetching authorization code", e4);
            }
        } catch (Throwable th) {
            logger.trace("Shutdown listening server", new Object[0]);
            this.server.shutdownServer();
            throw th;
        }
    }

    private Optional<String> findValueInNameValuePairs(String str, List<NameValuePair> list) {
        for (NameValuePair nameValuePair : list) {
            if (str.equals(nameValuePair.getName())) {
                return Optional.of(nameValuePair.getValue());
            }
        }
        return Optional.empty();
    }
}
