package org.apereo.cas.aws;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.aws.AmazonSecurityTokenServiceProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.rest.authentication.RestAuthenticationService;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.web.BaseCasRestActuatorEndpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetSessionTokenRequest;

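/**
 * Actuator endpoint that exchanges a CAS REST authentication for temporary AWS credentials
 * issued by the Amazon Security Token Service (STS).
 *
 * <p>The caller authenticates through {@link RestAuthenticationService}. The resulting principal
 * is optionally authorized against a configured attribute name/value, and then either a session
 * token is requested or, when RBAC is enabled, a role taken from the principal's attribute is
 * assumed. The response body is an AWS credentials-file snippet that carries the secret access
 * key and session token, so it is sensitive material for anything that transports or logs it.
 *
 * <p>The endpoint is disabled by default ({@code enableByDefault = false}).
 */
@Endpoint(id = "awsSts", enableByDefault = false)
/* loaded from: input_file:org/apereo/cas/aws/AmazonSecurityTokenServiceEndpoint.class */
public class AmazonSecurityTokenServiceEndpoint extends BaseCasRestActuatorEndpoint {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AmazonSecurityTokenServiceEndpoint.class);

    /** Resolved lazily on every request so the endpoint can be created before the service bean. */
    private final ObjectProvider<RestAuthenticationService> restAuthenticationService;

    /**
     * Creates the endpoint.
     *
     * @param objectProvider                 provider of the CAS configuration properties; resolved
     *                                       eagerly and handed to the base endpoint
     * @param configurableApplicationContext application context handed to the base endpoint
     * @param objectProvider2                provider of the REST authentication service used to
     *                                       authenticate each request
     */
    public AmazonSecurityTokenServiceEndpoint(ObjectProvider<CasConfigurationProperties> objectProvider,
                                              ConfigurableApplicationContext configurableApplicationContext,
                                              ObjectProvider<RestAuthenticationService> objectProvider2) {
        super(objectProvider.getObject(), configurableApplicationContext);
        this.restAuthenticationService = objectProvider2;
    }

    /**
     * Renders STS credentials as an AWS credentials-file {@code [default]} profile.
     *
     * @param props       STS settings; only the configured region is read, falling back to
     *                    {@link Region#AWS_GLOBAL} when blank
     * @param credentials credentials returned by STS
     * @return a {@code 200} response whose body lists access key, secret key, session token and region
     */
    private static ResponseEntity<String> createOutputResponse(AmazonSecurityTokenServiceProperties props,
                                                               Credentials credentials) {
        String region = StringUtils.isBlank(props.getRegion())
            ? Region.AWS_GLOBAL.id()
            : Region.of(props.getRegion()).id();

        // Insertion order is preserved so the emitted profile is stable across calls.
        var entries = new LinkedHashMap<String, String>();
        entries.put("aws_access_key_id", credentials.accessKeyId());
        entries.put("aws_secret_access_key", credentials.secretAccessKey());
        entries.put("aws_session_token", credentials.sessionToken());
        entries.put("region", region);

        var body = new StringBuilder("[default]\n");
        entries.forEach((key, value) -> body.append(String.format("%s=%s%n", key, value)));
        return ResponseEntity.ok(body.toString());
    }

    /**
     * Applies the optional attribute-based authorization check to an authenticated principal.
     *
     * <p>When {@code principalAttributeName} is configured the principal must carry that attribute;
     * when {@code principalAttributeValue} is also configured, at least one value of the attribute
     * must match it. The configured value is treated as a regular expression by
     * {@link RegexUtils#find}.
     *
     * @param props     STS settings holding the attribute name and value to check
     * @param principal the authenticated principal
     * @return a {@code 401} response when the principal is not authorized, otherwise empty
     */
    private static Optional<ResponseEntity<String>> authorizePrincipal(AmazonSecurityTokenServiceProperties props,
                                                                       Principal principal) {
        String attributeName = props.getPrincipalAttributeName();
        if (StringUtils.isBlank(attributeName)) {
            return Optional.empty();
        }
        if (!principal.getAttributes().containsKey(attributeName)) {
            LOGGER.error("Failed to locate authorization attribute for principal [{}]", principal);
            return Optional.of(ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Authorization failure"));
        }

        String requiredValue = props.getPrincipalAttributeValue();
        if (StringUtils.isNotBlank(requiredValue)) {
            List<?> values = (List<?>) principal.getAttributes().get(attributeName);
            // A present key with a null value is treated like a missing value rather than failing on NPE.
            boolean matched = values != null
                && values.stream().anyMatch(value -> RegexUtils.find(requiredValue, value.toString()));
            if (!matched) {
                LOGGER.error("Failed to locate authorization attribute value for principal [{}]", principal);
                return Optional.of(ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Authorization failure"));
            }
        }
        return Optional.empty();
    }

    /**
     * Authenticates the caller and returns temporary AWS credentials from STS.
     *
     * <p>Without RBAC a session token is requested with the caller's optional MFA serial number and
     * token code. With RBAC the principal attribute named by {@code principalAttributeName} is read
     * as the list of role ARNs the principal may assume; the requested role (if given) must match
     * one of them, and a blank request is only accepted when exactly one role is available.
     *
     * <p>The parameter names {@code str}..{@code str4} look like decompiler-assigned names; the
     * {@code @Operation} metadata documents them as {@code tokenCode}, {@code profile},
     * {@code serialNumber} and {@code roleArn}. NOTE(review): the {@code @RequestParam} bindings
     * without an explicit {@code value} depend on these names — confirm against the original source.
     *
     * @param str                 MFA token code (bound to request parameter {@code token})
     * @param str2                AWS profile name; defaults to the configured profile name when blank
     * @param str3                MFA device serial number
     * @param str4                requested role ARN, matched as a regular expression against the
     *                            principal's allowed roles when RBAC is enabled
     * @param multiValueMap       request body holding the CAS credentials and an optional
     *                            {@code duration} (ISO-8601 or CAS duration syntax, default {@code PT15S})
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @return {@code 200} with a credentials-file snippet, or {@code 401} on any authentication,
     *         authorization or STS failure
     * @throws Throwable never in practice; every failure is mapped to a {@code 401} response
     */
    @PostMapping
    @Operation(summary = "Fetch temporary credentials from Amazon Security Token Service",
        parameters = {
            @Parameter(name = "duration", description = "Duration of the temporary credentials"),
            @Parameter(name = "tokenCode", description = "MFA token code"),
            @Parameter(name = "profile", description = "AWS profile name"),
            @Parameter(name = "serialNumber", description = "MFA serial number"),
            @Parameter(name = "roleArn", description = "Role ARN"),
            @Parameter(name = "requestBody", description = "Request body"),
            @Parameter(name = "request", description = "Request"),
            @Parameter(name = "response", description = "Response")})
    public ResponseEntity<String> fetchCredentials(@RequestParam(value = "token", required = false) String str,
                                                   @RequestParam(required = false) String str2,
                                                   @RequestParam(required = false) String str3,
                                                   @RequestParam(required = false) String str4,
                                                   @RequestBody MultiValueMap<String, String> multiValueMap,
                                                   HttpServletRequest httpServletRequest,
                                                   HttpServletResponse httpServletResponse) throws Throwable {
        try {
            AuthenticationResult authenticationResult = this.restAuthenticationService.getObject()
                .authenticate(multiValueMap, httpServletRequest, httpServletResponse)
                .orElseThrow(AuthenticationException::new);
            AmazonSecurityTokenServiceProperties amazonSts = this.casProperties.getAmazonSts();
            Principal principal = authenticationResult.getAuthentication().getPrincipal();
            LOGGER.debug("Authenticated principal: [{}]", principal);

            Optional<ResponseEntity<String>> denied = authorizePrincipal(amazonSts, principal);
            if (denied.isPresent()) {
                return denied.get();
            }

            AwsCredentialsProvider credentialsProvider = ChainingAWSCredentialsProvider.getInstance(
                amazonSts.getCredentialAccessKey(),
                amazonSts.getCredentialSecretKey(),
                amazonSts.getProfilePath(),
                StringUtils.defaultIfBlank(str2, amazonSts.getProfileName()));
            StsClientBuilder builder = StsClient.builder();
            AmazonClientConfigurationBuilder.prepareSyncClientBuilder(builder, credentialsProvider, amazonSts);

            String duration = StringUtils.defaultIfBlank(multiValueMap.getFirst("duration"), "PT15S");
            // Computed once; STS takes the lifetime in whole seconds. toIntExact surfaces an absurd
            // duration as an exception instead of silently truncating it.
            int durationSeconds = Math.toIntExact(Beans.newDuration(duration).toSeconds());

            // StsClient holds an HTTP client; close it once the call has completed.
            try (StsClient stsClient = builder.build()) {
                if (!amazonSts.isRbacEnabled()) {
                    Credentials credentials = stsClient.getSessionToken(GetSessionTokenRequest.builder()
                        .durationSeconds(durationSeconds)
                        .serialNumber(str3)
                        .tokenCode(str)
                        .build()).credentials();
                    return createOutputResponse(amazonSts, credentials);
                }

                List<?> roles = (List<?>) principal.getAttributes().get(amazonSts.getPrincipalAttributeName());
                LOGGER.debug("Found roles [{}]", roles);
                if (roles == null || roles.isEmpty()) {
                    LOGGER.error("No roles found for principal [{}] in attribute [{}]", principal,
                        amazonSts.getPrincipalAttributeName());
                    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Authorization failure");
                }

                String roleArn;
                if (StringUtils.isNotBlank(str4)) {
                    // Validate the requested role whenever one is given, not only when several roles
                    // exist, and assume the matching allowed entry rather than the raw request value.
                    Optional<String> allowed = roles.stream()
                        .map(Object::toString)
                        .filter(role -> RegexUtils.find(str4, role))
                        .findFirst();
                    if (allowed.isEmpty()) {
                        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                            .body("Specified role is not allowed. Current roles:" + String.valueOf(roles));
                    }
                    roleArn = allowed.get();
                } else if (roles.size() > 1) {
                    return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                        .body("Found multiple roles and none is specified. Current roles: " + String.valueOf(roles));
                } else {
                    roleArn = roles.getFirst().toString();
                }
                LOGGER.debug("Using role [{}]", roleArn);

                Credentials credentials = stsClient.assumeRole(AssumeRoleRequest.builder()
                    .durationSeconds(durationSeconds)
                    .roleArn(roleArn)
                    .roleSessionName(UUID.randomUUID().toString())
                    .serialNumber(str3)
                    .tokenCode(str)
                    .build()).credentials();
                return createOutputResponse(amazonSts, credentials);
            }
        } catch (Exception e) {
            // Boundary handler: authentication, authorization and STS errors all become a generic 401
            // so that no provider detail leaks to the caller; the cause is logged server-side.
            LoggingUtils.error(LOGGER, e);
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Authentication failed");
        }
    }
}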
