package org.gridgain.control.shade.awssdk.auth.credentials;

import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import org.gridgain.control.shade.awssdk.annotations.SdkPublicApi;
import org.gridgain.control.shade.awssdk.auth.credentials.HttpCredentialsProvider;
import org.gridgain.control.shade.awssdk.auth.credentials.internal.ContainerCredentialsRetryPolicy;
import org.gridgain.control.shade.awssdk.auth.credentials.internal.HttpCredentialsLoader;
import org.gridgain.control.shade.awssdk.core.SdkSystemSetting;
import org.gridgain.control.shade.awssdk.core.exception.SdkClientException;
import org.gridgain.control.shade.awssdk.core.util.SdkUserAgent;
import org.gridgain.control.shade.awssdk.regions.util.ResourcesEndpointProvider;
import org.gridgain.control.shade.awssdk.regions.util.ResourcesEndpointRetryPolicy;
import org.gridgain.control.shade.awssdk.utils.ComparableUtils;
import org.gridgain.control.shade.awssdk.utils.StringUtils;
import org.gridgain.control.shade.awssdk.utils.ToString;
import org.gridgain.control.shade.awssdk.utils.Validate;
import org.gridgain.control.shade.awssdk.utils.builder.CopyableBuilder;
import org.gridgain.control.shade.awssdk.utils.builder.ToCopyableBuilder;
import org.gridgain.control.shade.awssdk.utils.cache.CachedSupplier;
import org.gridgain.control.shade.awssdk.utils.cache.NonBlocking;
import org.gridgain.control.shade.awssdk.utils.cache.RefreshResult;
import org.gridgain.control.shade.springframework.http.HttpHeaders;

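/**
 * Loads AWS credentials over HTTP from a container credentials endpoint and caches them.
 *
 * <p>The endpoint is built from {@code SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}
 * (appended to the builder's endpoint, or to {@code AWS_CONTAINER_SERVICE_ENDPOINT} when none was
 * set) or, when the relative setting is absent, taken from
 * {@code SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI}.
 *
 * <p>Security: each request may carry an {@code Authorization} token (see
 * {@link ContainerCredentialsEndpointProvider#headers()}), and the response contains credentials.
 * The resolved URI is therefore validated before use: HTTPS is accepted for any host, while any
 * other scheme is accepted only when the host resolves exclusively to loopback addresses or is
 * one of the fixed container-host addresses declared below.
 *
 * <p>This is a JADX-decompiled listing: {@code mo272build} and {@code mo902toBuilder} are the
 * decompiler's renames of {@code build} and {@code toBuilder}.
 */
@SdkPublicApi
/* loaded from: input_file:org/gridgain/control/shade/awssdk/auth/credentials/ContainerCredentialsProvider.class */
public final class ContainerCredentialsProvider implements HttpCredentialsProvider, ToCopyableBuilder<Builder, ContainerCredentialsProvider> {
    private static final String HTTPS = "https";

    // Host rule applied to every address a non-HTTPS host resolves to.
    private static final Predicate<InetAddress> IS_LOOPBACK_ADDRESS = InetAddress::isLoopbackAddress;
    private static final Predicate<InetAddress> ALLOWED_HOSTS_RULES = IS_LOOPBACK_ADDRESS;

    // Fixed container-host addresses that are allowed over plain HTTP by exact string match.
    // Despite the VALID_LOOP_BACK_* names they are not loopback addresses in the
    // InetAddress.isLoopbackAddress() sense, which is why they need their own allow-list.
    private static final String ECS_CONTAINER_HOST = "169.254.170.2";
    private static final String EKS_CONTAINER_HOST_IPV4 = "169.254.170.23";
    private static final List<String> VALID_LOOP_BACK_IPV4 = Arrays.asList(ECS_CONTAINER_HOST, EKS_CONTAINER_HOST_IPV4);
    // Bracketed because URI.getHost() returns IPv6 literals in brackets.
    private static final String EKS_CONTAINER_HOST_IPV6 = "[fd00:ec2::23]";
    private static final List<String> VALID_LOOP_BACK_IPV6 = Arrays.asList(EKS_CONTAINER_HOST_IPV6);

    private final String endpoint;
    private final HttpCredentialsLoader httpCredentialsLoader;
    private final CachedSupplier<AwsCredentials> credentialsCache;
    private final Boolean asyncCredentialUpdateEnabled;
    private final String asyncThreadName;

    /** Builder for {@link ContainerCredentialsProvider}; adds nothing to the inherited builder contracts. */
    /* loaded from: input_file:org/gridgain/control/shade/awssdk/auth/credentials/ContainerCredentialsProvider$Builder.class */
    public interface Builder extends HttpCredentialsProvider.Builder<ContainerCredentialsProvider, Builder>, CopyableBuilder<Builder, ContainerCredentialsProvider> {
    }

    /**
     * Mutable holder for the provider's settings. The bean-style {@code setX} methods delegate to
     * the fluent ones.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/gridgain/control/shade/awssdk/auth/credentials/ContainerCredentialsProvider$BuilderImpl.class */
    public static final class BuilderImpl implements Builder {
        private String endpoint;
        private Boolean asyncCredentialUpdateEnabled;
        private String asyncThreadName;

        /** Creates a blank builder with the default async thread name. */
        private BuilderImpl() {
            asyncThreadName("container-credentials-provider");
        }

        /** Creates a builder pre-populated with the settings of an existing provider. */
        private BuilderImpl(ContainerCredentialsProvider containerCredentialsProvider) {
            this.endpoint = containerCredentialsProvider.endpoint;
            this.asyncCredentialUpdateEnabled = containerCredentialsProvider.asyncCredentialUpdateEnabled;
            this.asyncThreadName = containerCredentialsProvider.asyncThreadName;
        }

        /**
         * Sets the base endpoint that the relative credentials URI is appended to.
         *
         * @param endpoint base endpoint, or {@code null} to fall back to
         *     {@code AWS_CONTAINER_SERVICE_ENDPOINT}
         * @return this builder
         */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.gridgain.control.shade.awssdk.auth.credentials.HttpCredentialsProvider.Builder
        public Builder endpoint(String endpoint) {
            this.endpoint = endpoint;
            return this;
        }

        public void setEndpoint(String endpoint) {
            endpoint(endpoint);
        }

        /**
         * Chooses whether the cache refreshes credentials on a background thread.
         *
         * @param enabled {@code Boolean.TRUE} enables the non-blocking prefetch strategy; any other
         *     value (including {@code null}) leaves the cache on its default strategy
         * @return this builder
         */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.gridgain.control.shade.awssdk.auth.credentials.HttpCredentialsProvider.Builder
        public Builder asyncCredentialUpdateEnabled(Boolean enabled) {
            this.asyncCredentialUpdateEnabled = enabled;
            return this;
        }

        public void setAsyncCredentialUpdateEnabled(boolean enabled) {
            asyncCredentialUpdateEnabled(enabled);
        }

        /**
         * Sets the name passed to the non-blocking prefetch strategy.
         *
         * @param asyncThreadName thread name; must not be blank when async updates are enabled
         * @return this builder
         */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.gridgain.control.shade.awssdk.auth.credentials.HttpCredentialsProvider.Builder
        public Builder asyncThreadName(String asyncThreadName) {
            this.asyncThreadName = asyncThreadName;
            return this;
        }

        public void setAsyncThreadName(String asyncThreadName) {
            asyncThreadName(asyncThreadName);
        }

        /** Builds the provider from the current settings. */
        @Override // org.gridgain.control.shade.awssdk.utils.builder.SdkBuilder, org.gridgain.control.shade.awssdk.utils.builder.Buildable
        /* renamed from: build */
        public ContainerCredentialsProvider mo272build() {
            return new ContainerCredentialsProvider(this);
        }
    }

    /**
     * Supplies the credentials endpoint URI, its retry policy and the request headers to the
     * HTTP credentials loader.
     */
    /* loaded from: input_file:org/gridgain/control/shade/awssdk/auth/credentials/ContainerCredentialsProvider$ContainerCredentialsEndpointProvider.class */
    static final class ContainerCredentialsEndpointProvider implements ResourcesEndpointProvider {
        private final String endpoint;

        ContainerCredentialsEndpointProvider(String endpoint) {
            this.endpoint = endpoint;
        }

        /**
         * Resolves and validates the credentials endpoint.
         *
         * <p>The relative-URI setting wins over the full-URI setting when both are present. The
         * result is passed through {@link #validateURI(URI)} in either case.
         *
         * @return the validated endpoint URI
         * @throws SdkClientException if neither setting is present, if validation rejects the
         *     host, or if building the URI fails for any other reason (wrapped as the cause)
         */
        @Override // org.gridgain.control.shade.awssdk.regions.util.ResourcesEndpointProvider
        public URI endpoint() throws IOException {
            Optional<String> relativeUri = SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.getStringValue();
            if (!relativeUri.isPresent() && !SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.getStringValue().isPresent()) {
                throw SdkClientException.builder().message(String.format("Cannot fetch credentials from container - neither %s or %s environment variables are set.", SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.environmentVariable())).mo272build();
            }
            try {
                URI uri = relativeUri.map(this::createUri)
                        .orElseGet(() -> URI.create(SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.getStringValueOrThrow()));
                validateURI(uri);
                return uri;
            } catch (SdkClientException e) {
                // Already carries a specific message (e.g. the host-validation failure); do not re-wrap.
                throw e;
            } catch (Exception e2) {
                throw SdkClientException.builder().message("Unable to fetch credentials from container.").cause((Throwable) e2).mo272build();
            }
        }

        @Override // org.gridgain.control.shade.awssdk.regions.util.ResourcesEndpointProvider
        public ResourcesEndpointRetryPolicy retryPolicy() {
            return new ContainerCredentialsRetryPolicy();
        }

        /**
         * Builds the request headers: always a user agent, plus {@code Authorization} when a
         * non-blank token is configured.
         *
         * <p>The token is a secret and is sent to whatever URI {@link #endpoint()} returned, which
         * is why that URI is host-validated. Avoid logging the returned map.
         *
         * @return a new mutable header map
         */
        @Override // org.gridgain.control.shade.awssdk.regions.util.ResourcesEndpointProvider
        public Map<String, String> headers() {
            Map<String, String> headers = new HashMap<>();
            headers.put(HttpHeaders.USER_AGENT, SdkUserAgent.create().userAgent());
            getTokenValue()
                    .filter(StringUtils::isNotBlank)
                    .ifPresent(token -> headers.put("Authorization", token));
            return headers;
        }

        /**
         * Returns the authorization token: the inline token setting when present, otherwise the
         * contents of the token file setting, otherwise empty.
         */
        private Optional<String> getTokenValue() {
            Optional<String> inlineToken = SdkSystemSetting.AWS_CONTAINER_AUTHORIZATION_TOKEN.getStringValue();
            if (inlineToken.isPresent()) {
                return inlineToken;
            }
            return SdkSystemSetting.AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE.getStringValue().map(this::readToken);
        }

        /**
         * Reads the whole token file as UTF-8.
         *
         * @param tokenFile path of the token file
         * @return the file contents, unmodified
         * @throws SdkClientException if the file cannot be read
         */
        private String readToken(String tokenFile) {
            Path path = Paths.get(tokenFile);
            try {
                // NOTE(review): the contents are used verbatim as the header value, so a trailing
                // newline in the file ends up in the token - confirm how the HTTP loader treats it.
                return new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
            } catch (IOException e) {
                throw SdkClientException.create(String.format("Failed to read %s.", path.toAbsolutePath()), (Throwable) e);
            }
        }

        /** Appends the relative URI to the configured endpoint or to the default service endpoint. */
        private URI createUri(String relativeUri) {
            String base = this.endpoint != null
                    ? this.endpoint
                    : SdkSystemSetting.AWS_CONTAINER_SERVICE_ENDPOINT.getStringValueOrThrow();
            return URI.create(base + relativeUri);
        }

        /**
         * Rejects endpoints that would send the token, and receive credentials, over an
         * unprotected channel to a non-local host.
         *
         * @param uri candidate endpoint
         * @return {@code uri} when it is HTTPS or its host is allowed
         * @throws SdkClientException otherwise
         */
        private URI validateURI(URI uri) {
            if (isHttps(uri) || isAllowedHost(uri.getHost())) {
                return uri;
            }
            throw SdkClientException.builder().message(String.format("The full URI (%s) contained within environment variable %s has an invalid host. Host should resolve to a loopback address or have the full URI be HTTPS.", uri, SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable())).mo272build();
        }

        /**
         * Exact, case-sensitive scheme match; a differently-cased scheme falls through to the
         * host check rather than being trusted.
         */
        private boolean isHttps(URI uri) {
            return Objects.equals(ContainerCredentialsProvider.HTTPS, uri.getScheme());
        }

        /**
         * Decides whether a host may be contacted without HTTPS.
         *
         * <p>JADX could not decompile this method and emitted a stub that always threw
         * {@code UnsupportedOperationException}; the body below follows its instruction dump.
         *
         * @param host host component of the endpoint URI
         * @return {@code true} when the host resolves to at least one address and either every
         *     resolved address is loopback or the host is a listed container-host address
         * @throws SdkClientException if the host cannot be resolved
         */
        private boolean isAllowedHost(String host) {
            try {
                // NOTE(review): InetAddress.getAllByName(null) and ("") return the loopback
                // address, so a URI without a host component passes this check - confirm callers
                // cannot reach here with such a URI, or reject null/empty hosts first.
                // NOTE(review): the name is resolved here and presumably again when the request
                // is made; confirm nothing relies on this check alone if DNS answers can change.
                InetAddress[] addresses = InetAddress.getAllByName(host);
                if (addresses.length == 0) {
                    return false;
                }
                // allMatch, not anyMatch: a name that resolves to a mix of loopback and
                // non-loopback addresses is rejected.
                return Arrays.stream(addresses).allMatch(this::matchesAllowedHostRules)
                        || isMetadataServiceEndpoint(host);
            } catch (java.net.UnknownHostException e) {
                throw SdkClientException.builder()
                        .cause(e)
                        .message(String.format("host (%s) could not be resolved to an IP address.", host))
                        .mo272build();
            }
        }

        private boolean matchesAllowedHostRules(InetAddress inetAddress) {
            return ContainerCredentialsProvider.ALLOWED_HOSTS_RULES.test(inetAddress);
        }

        /**
         * Checks the host string against the fixed container-host allow-list.
         *
         * @param host host exactly as returned by {@link URI#getHost()}
         * @return whether {@code host} is in the IPv6 list when
         *     {@code AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE} is {@code IPV6} (case-insensitive),
         *     otherwise whether it is in the IPv4 list
         */
        public boolean isMetadataServiceEndpoint(String host) {
            boolean ipv6Mode = "IPV6".equalsIgnoreCase(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE.getStringValueOrThrow());
            List<String> allowed = ipv6Mode
                    ? ContainerCredentialsProvider.VALID_LOOP_BACK_IPV6
                    : ContainerCredentialsProvider.VALID_LOOP_BACK_IPV4;
            return allowed.contains(host);
        }
    }

    /**
     * Copies the builder's settings and creates the credentials cache.
     *
     * @throws RuntimeException presumably, from {@code Validate.paramNotBlank}, when async updates
     *     are enabled and the thread name is blank - exact type not visible here
     */
    private ContainerCredentialsProvider(BuilderImpl builderImpl) {
        this.endpoint = builderImpl.endpoint;
        this.asyncCredentialUpdateEnabled = builderImpl.asyncCredentialUpdateEnabled;
        this.asyncThreadName = builderImpl.asyncThreadName;
        this.httpCredentialsLoader = HttpCredentialsLoader.create();
        if (Boolean.TRUE.equals(builderImpl.asyncCredentialUpdateEnabled)) {
            Validate.paramNotBlank(builderImpl.asyncThreadName, "asyncThreadName");
            this.credentialsCache = CachedSupplier.builder(this::refreshCredentials).cachedValueName(toString()).prefetchStrategy(new NonBlocking(builderImpl.asyncThreadName)).build();
        } else {
            // A null setting is treated the same as FALSE.
            this.credentialsCache = CachedSupplier.builder(this::refreshCredentials).cachedValueName(toString()).build();
        }
    }

    /** Returns a blank builder with the default async thread name. */
    public static Builder builder() {
        return new BuilderImpl();
    }

    @Override
    public String toString() {
        return ToString.create("ContainerCredentialsProvider");
    }

    /** Fetches fresh credentials from the endpoint and derives the cache's stale and prefetch times. */
    private RefreshResult<AwsCredentials> refreshCredentials() {
        HttpCredentialsLoader.LoadedCredentials loaded = this.httpCredentialsLoader.loadCredentials(new ContainerCredentialsEndpointProvider(this.endpoint));
        Instant expiration = loaded.getExpiration().orElse(null);
        return RefreshResult.builder(loaded.getAwsCredentials()).staleTime(staleTime(expiration)).prefetchTime(prefetchTime(expiration)).mo272build();
    }

    /** One minute before expiration, or {@code null} when no expiration was reported. */
    private Instant staleTime(Instant expiration) {
        return expiration == null ? null : expiration.minus(1L, ChronoUnit.MINUTES);
    }

    /** The earlier of one hour from now and fifteen minutes before expiration. */
    private Instant prefetchTime(Instant expiration) {
        Instant oneHourFromNow = Instant.now().plus(1L, ChronoUnit.HOURS);
        return expiration == null ? oneHourFromNow : (Instant) ComparableUtils.minimum(oneHourFromNow, expiration.minus(15L, ChronoUnit.MINUTES));
    }

    /** Returns the cached credentials, as supplied by the credentials cache. */
    @Override // org.gridgain.control.shade.awssdk.auth.credentials.AwsCredentialsProvider
    public AwsCredentials resolveCredentials() {
        return this.credentialsCache.get();
    }

    /** Closes the credentials cache. */
    @Override // org.gridgain.control.shade.awssdk.utils.SdkAutoCloseable, java.lang.AutoCloseable
    public void close() {
        this.credentialsCache.close();
    }

    /**
     * Returns a builder seeded with this provider's endpoint and async settings, so that a copy
     * built from it targets the same endpoint instead of silently reverting to the defaults.
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.gridgain.control.shade.awssdk.utils.builder.ToCopyableBuilder
    /* renamed from: toBuilder */
    public Builder mo902toBuilder() {
        return new BuilderImpl(this);
    }
}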
