package com.yahoo.athenz.instance.provider.impl;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersRequest;
import com.amazonaws.services.identitymanagement.model.OpenIDConnectProviderListEntry;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigCsv;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.eclipse.jetty.util.StringUtil;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.class */
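/**
 * Kubernetes distribution validator for AWS EKS.
 *
 * Two checks are provided on top of {@link CommonKubernetesDistributionValidator}:
 * <ul>
 *   <li>{@link #validateIssuer}: the ID token's issuer must be an EKS OIDC issuer host
 *       ({@code oidc.eks.<region>.amazonaws.com}) AND be registered as an IAM OIDC provider
 *       in the AWS account that ZTS associates with the requesting domain. The second part
 *       is what ties the token to the tenant's account rather than to any EKS cluster anywhere.</li>
 *   <li>{@link #validateSanDNSEntries}: the CSR's SAN dNSName entries must fit the configured
 *       AWS / EKS DNS suffixes and cluster names.</li>
 * </ul>
 *
 * Singleton; {@link #initialize()} must be invoked once before use. The fields written by
 * {@code initialize()} are package-private so tests can substitute clients and suffix lists.
 */
public class DefaultAWSElasticKubernetesServiceValidator extends CommonKubernetesDistributionValidator {
    private static final DefaultAWSElasticKubernetesServiceValidator INSTANCE = new DefaultAWSElasticKubernetesServiceValidator();
    // Only issuer hosts of exactly this shape are accepted; it is applied with matches(), so the whole host must conform.
    static final String AWS_EKS_OIDC_ISSUER_REGEX = "oidc\\.eks\\.[a-z0-9-]+\\.amazonaws\\.com";
    private static final Pattern AWS_EKS_OIDC_ISSUER_PATTERN = Pattern.compile(AWS_EKS_OIDC_ISSUER_REGEX);
    private static final String ZTS_PROP_K8S_PROVIDER_ATTESTATION_AWS_ASSUME_ROLE_NAME = "athenz.zts.k8s_provider_attestation_aws_assume_role_name";
    // Name of the role ZTS assumes in each tenant account to list OIDC providers; it only needs iam:ListOpenIDConnectProviders.
    private static final String ASSUME_ROLE_NAME = System.getProperty(ZTS_PROP_K8S_PROVIDER_ATTESTATION_AWS_ASSUME_ROLE_NAME, "oidc-issuers-reader");
    // Assigned in initialize(); package-private for tests.
    AWSSecurityTokenService stsClient;
    String serverRegion;
    Set<String> awsDNSSuffixes = new HashSet<>();
    List<String> eksDnsSuffixes;
    DynamicConfigCsv eksClusterNames;

    /** Returns the process-wide validator instance (call {@link #initialize()} before first use). */
    public static DefaultAWSElasticKubernetesServiceValidator getInstance() {
        return INSTANCE;
    }

    /** Singleton: construction is private; all setup happens in {@link #initialize()}. */
    private DefaultAWSElasticKubernetesServiceValidator() {
    }

    /**
     * Reads configuration and builds the STS client used to assume roles in tenant accounts.
     *
     * System properties consumed:
     * <ul>
     *   <li>{@code athenz.zts.aws_region_name}: region for the STS and IAM clients</li>
     *   <li>{@code athenz.zts.aws_dns_suffix}: comma-separated AWS DNS suffixes for SAN validation</li>
     *   <li>{@code athenz.zts.aws_eks_dns_suffix}: EKS DNS suffixes (parsed by InstanceUtils)</li>
     *   <li>{@code athenz.zts.aws_eks_cluster_names}: dynamic CSV of permitted cluster names</li>
     * </ul>
     */
    @Override // com.yahoo.athenz.instance.provider.impl.CommonKubernetesDistributionValidator, com.yahoo.athenz.instance.provider.KubernetesDistributionValidator
    public void initialize() {
        super.initialize();
        // NOTE(review): the region is passed to the SDK unchecked; confirm the intended behaviour when the property is unset.
        this.serverRegion = System.getProperty("athenz.zts.aws_region_name");
        // ZTS's own credentials (instance profile / env / config) are used only to call sts:AssumeRole.
        this.stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(this.serverRegion)
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();
        final String suffixList = System.getProperty("athenz.zts.aws_dns_suffix");
        if (!StringUtil.isEmpty(suffixList)) {
            for (String entry : suffixList.split(",")) {
                final String suffix = entry.trim();
                // A blank entry (leading comma, ",,", stray whitespace) is never a usable DNS suffix;
                // keeping it out avoids handing an empty suffix to the SAN matcher.
                if (!suffix.isEmpty()) {
                    this.awsDNSSuffixes.add(suffix);
                }
            }
        }
        this.eksDnsSuffixes = InstanceUtils.processK8SDnsSuffixList("athenz.zts.aws_eks_dns_suffix");
        this.eksClusterNames = new DynamicConfigCsv(ConfigManagerSingleton.CONFIG_MANAGER, "athenz.zts.aws_eks_cluster_names", (String) null);
    }

    /**
     * Validates the ID token issuer for an EKS-hosted workload.
     *
     * Accepts the issuer only when all of the following hold: the token carries an issuer, its host
     * matches {@link #AWS_EKS_OIDC_ISSUER_REGEX}, the confirmation carries a non-empty AWS account
     * attribute, and that account has the issuer registered as an IAM OIDC provider (verified via
     * STS AssumeRole + IAM ListOpenIDConnectProviders). Any failure, including an AWS API error,
     * is treated as a rejection (fail closed).
     *
     * @param instanceConfirmation confirmation carrying the ZTS instance attributes (AWS account)
     * @param idTokenAttestationData attestation data holding the ID token
     * @param sb receives a human-readable reason when validation fails
     * @return the issuer string when valid, otherwise {@code null}
     */
    @Override // com.yahoo.athenz.instance.provider.KubernetesDistributionValidator
    public String validateIssuer(InstanceConfirmation instanceConfirmation, IdTokenAttestationData idTokenAttestationData, StringBuilder sb) {
        final String issuer = getIssuerFromToken(idTokenAttestationData, sb);
        if (StringUtil.isEmpty(issuer)) {
            // getIssuerFromToken is given sb and is presumed to have recorded why no issuer was produced.
            return null;
        }
        final String issuerHost = InstanceUtils.extractURLDomainName(issuer);
        if (issuerHost == null || !AWS_EKS_OIDC_ISSUER_PATTERN.matcher(issuerHost).matches()) {
            sb.append("Issuer is not an AWS EKS OIDC issuer: ").append(issuer);
            return null;
        }
        // Same attribute lookup as validateSanDNSEntries; refuse before calling STS rather than
        // formatting a role ARN out of a missing account value.
        final String awsAccount = InstanceUtils.getInstanceProperty(instanceConfirmation.getAttributes(), InstanceProvider.ZTS_INSTANCE_AWS_ACCOUNT);
        if (StringUtil.isEmpty(awsAccount)) {
            sb.append("Unable to find AWS account number");
            return null;
        }
        try {
            if (verifyIssuerPresenceInDomainAWSAccount(issuer, awsAccount)) {
                return issuer;
            }
            sb.append("Issuer is not registered as an OIDC provider in AWS account ").append(awsAccount);
        } catch (RuntimeException ex) {
            // The AWS SDK reports AssumeRole / IAM failures as unchecked exceptions; an attestation
            // check that cannot complete must reject, not propagate, so callers see a uniform failure.
            sb.append("Unable to verify issuer in AWS account ").append(awsAccount).append(": ").append(ex.getMessage());
        }
        return null;
    }

    /**
     * Checks whether {@code issuer} is registered as an IAM OIDC provider in {@code awsAccount}.
     *
     * Assumes {@code ASSUME_ROLE_NAME} in the target account with ZTS's STS client, lists the
     * account's OIDC providers with the temporary credentials, and looks for a provider whose ARN
     * resource is exactly {@code oidc-provider/<issuer without https://>}.
     *
     * @param issuer the token issuer URL, e.g. {@code https://oidc.eks.<region>.amazonaws.com/id/<cluster-id>}
     * @param awsAccount the AWS account number ZTS associates with the requesting domain
     * @return {@code true} if a matching OIDC provider exists in the account
     * @throws RuntimeException propagated from the AWS SDK when AssumeRole or the IAM listing fails
     */
    boolean verifyIssuerPresenceInDomainAWSAccount(String issuer, String awsAccount) {
        final String roleArn = String.format("arn:aws:iam::%s:role/%s", awsAccount, ASSUME_ROLE_NAME);
        final AssumeRoleResult assumed = this.stsClient.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withRoleSessionName(ASSUME_ROLE_NAME + "-Session"));
        // Temporary credentials live only in this client instance; they are never persisted or logged.
        final BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                assumed.getCredentials().getAccessKeyId(),
                assumed.getCredentials().getSecretAccessKey(),
                assumed.getCredentials().getSessionToken());
        final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.standard()
                .withRegion(this.serverRegion)
                .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials))
                .build();
        try {
            final List<OpenIDConnectProviderListEntry> providers =
                    iam.listOpenIDConnectProviders(new ListOpenIDConnectProvidersRequest()).getOpenIDConnectProviderList();
            if (providers == null) {
                return false;
            }
            // Provider ARNs look like arn:<partition>:iam::<account>:oidc-provider/<issuer-without-scheme>.
            // Anchoring on ":oidc-provider/" makes the issuer match the whole provider URL rather than
            // merely a suffix of some other provider's URL, while staying partition-agnostic.
            final String expectedResource = ":oidc-provider/" + issuer.replaceFirst("^https://", "");
            for (OpenIDConnectProviderListEntry entry : providers) {
                if (entry != null && entry.getArn() != null && entry.getArn().endsWith(expectedResource)) {
                    return true;
                }
            }
            return false;
        } finally {
            // A fresh client is built per call; release its connection pool instead of leaking it.
            iam.shutdown();
        }
    }

    /**
     * Validates the SAN dNSName entries of the certificate request against the configured
     * AWS DNS suffixes, EKS DNS suffixes and permitted EKS cluster names.
     *
     * @param instanceConfirmation confirmation carrying the instance attributes, domain and service
     * @param sb receives a generic reason when validation fails
     * @return {@code true} when the SAN entries are acceptable
     */
    @Override // com.yahoo.athenz.instance.provider.KubernetesDistributionValidator
    public boolean validateSanDNSEntries(InstanceConfirmation instanceConfirmation, StringBuilder sb) {
        final Map<String, String> attributes = instanceConfirmation.getAttributes();
        if (StringUtil.isEmpty(InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_AWS_ACCOUNT))) {
            sb.append("Unable to find AWS account number");
            return false;
        }
        // Detailed reasons from the shared validator go to a scratch builder and are not surfaced
        // to the caller; only the generic message below is reported.
        final StringBuilder details = new StringBuilder(256);
        final boolean valid = InstanceUtils.validateCertRequestSanDnsNames(attributes,
                instanceConfirmation.getDomain(), instanceConfirmation.getService(),
                this.awsDNSSuffixes, this.eksDnsSuffixes, this.eksClusterNames.getStringsList(), true, details);
        if (!valid) {
            sb.append("Unable to validate certificate request hostnames");
        }
        return valid;
    }
}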
