package com.yahoo.athenz.instance.provider.impl;

import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigCsv;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigLong;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ProviderResourceException;
import com.yahoo.rdl.JSON;
import com.yahoo.rdl.Struct;
import com.yahoo.rdl.Timestamp;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.class */
public class InstanceAWSProvider implements InstanceProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceAWSProvider.class);
    static final String ATTR_ACCOUNT_ID = "accountId";
    static final String ATTR_REGION = "region";
    static final String ATTR_PENDING_TIME = "pendingTime";
    static final String ATTR_INSTANCE_ID = "instanceId";
    static final String ATTR_PRIVATE_IP = "privateIp";
    static final String AWS_PROP_BOOT_TIME_OFFSET = "athenz.zts.aws_boot_time_offset";
    static final String AWS_PROP_DNS_SUFFIX = "athenz.zts.aws_dns_suffix";
    static final String AWS_PROP_REGION_NAME = "athenz.zts.aws_region_name";
    static final String AWS_PROP_EKS_DNS_SUFFIX = "athenz.zts.aws_eks_dns_suffix";
    static final String AWS_PROP_EKS_CLUSTER_NAMES = "athenz.zts.aws_eks_cluster_names";
    static final String AWS_PROP_CERT_VALIDITY_STS_ONLY = "athenz.zts.aws_cert_validity_sts_only";
    DynamicConfigLong bootTimeOffsetSeconds;
    DynamicConfigCsv eksClusterNames;
    long certValidityTime;
    String awsRegion;
    boolean supportRefresh = false;
    Set<String> dnsSuffixes = null;
    List<String> eksDnsSuffixes = null;
    InstanceAWSUtils awsUtils = null;

    public long getTimeOffsetInMilli() {
        return ((Long) this.bootTimeOffsetSeconds.get()).longValue() * 1000;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.CLASS;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void initialize(String str, String str2, SSLContext sSLContext, KeyStore keyStore) {
        this.awsUtils = new InstanceAWSUtils();
        this.bootTimeOffsetSeconds = new DynamicConfigLong(ConfigManagerSingleton.CONFIG_MANAGER, AWS_PROP_BOOT_TIME_OFFSET, Long.valueOf(TimeUnit.SECONDS.convert(5L, TimeUnit.MINUTES)));
        this.eksClusterNames = new DynamicConfigCsv(ConfigManagerSingleton.CONFIG_MANAGER, AWS_PROP_EKS_CLUSTER_NAMES, (String) null);
        this.dnsSuffixes = new HashSet();
        String property = System.getProperty(AWS_PROP_DNS_SUFFIX);
        if (StringUtil.isEmpty(property)) {
            LOGGER.error("AWS DNS Suffix not specified - no instance requests will be authorized");
        } else {
            this.dnsSuffixes.addAll(Arrays.asList(property.split(",")));
        }
        this.eksDnsSuffixes = InstanceUtils.processK8SDnsSuffixList(AWS_PROP_EKS_DNS_SUFFIX);
        this.certValidityTime = TimeUnit.MINUTES.convert(Integer.parseInt(System.getProperty(AWS_PROP_CERT_VALIDITY_STS_ONLY, "7")), TimeUnit.DAYS);
        this.awsRegion = System.getProperty(AWS_PROP_REGION_NAME);
    }

    protected Set<String> getDnsSuffixes() {
        return this.dnsSuffixes;
    }

    protected List<String> getEksDnsSuffixes() {
        return this.eksDnsSuffixes;
    }

    protected List<String> getEksClusterNames() {
        return this.eksClusterNames.getStringsList();
    }

    public ProviderResourceException error(String str) {
        return error(ProviderResourceException.FORBIDDEN, str);
    }

    public ProviderResourceException error(int i, String str) {
        LOGGER.error(str);
        return new ProviderResourceException(i, str);
    }

    boolean validateAWSAccount(String str, String str2, StringBuilder sb) {
        if (str.equalsIgnoreCase(str2)) {
            return true;
        }
        LOGGER.error("ZTS AWS Domain Lookup account id: {}", str);
        sb.append("mismatch between account values - instance document: ").append(str2);
        return false;
    }

    boolean validateAWSProvider(String str, String str2, StringBuilder sb) {
        if (str2 == null) {
            sb.append("no region provided in instance document");
            return false;
        }
        if (str.endsWith("." + str2)) {
            return true;
        }
        sb.append("provider ").append(str).append(" does not end with expected suffix ").append(str2);
        return false;
    }

    boolean validateAWSInstanceId(String str, String str2, StringBuilder sb) {
        if (str.equalsIgnoreCase(str2)) {
            return true;
        }
        sb.append("mismatch between instance-id values: request: ").append(str).append(" vs. instance document: ").append(str2);
        return false;
    }

    protected boolean validateAWSDocument(String str, AWSAttestationData aWSAttestationData, String str2, String str3, boolean z, StringBuilder sb, StringBuilder sb2) {
        String document = aWSAttestationData.getDocument();
        if (!this.awsUtils.validateAWSSignature(document, aWSAttestationData.getSignature(), sb2)) {
            return false;
        }
        Struct struct = (Struct) JSON.fromString(document, Struct.class);
        if (struct == null) {
            sb2.append("Unable to parse identity document");
            LOGGER.error("Identity Document: {}", document);
            return false;
        }
        if (!validateAWSProvider(str, struct.getString(ATTR_REGION), sb2) || !validateAWSAccount(str2, struct.getString(ATTR_ACCOUNT_ID), sb2) || !validateAWSInstanceId(str3, getInstanceId(aWSAttestationData, struct, str3), sb2)) {
            return false;
        }
        String string = struct.getString(ATTR_PRIVATE_IP);
        if (string != null) {
            sb.append(string);
        }
        return !z || validateInstanceBootTime(struct, sb2);
    }

    protected String getInstanceId(AWSAttestationData aWSAttestationData, Struct struct, String str) {
        return struct.getString("instanceId");
    }

    private boolean validateInstanceBootTime(Struct struct, StringBuilder sb) {
        if (getTimeOffsetInMilli() <= 0) {
            return true;
        }
        Timestamp fromString = Timestamp.fromString(struct.getString(ATTR_PENDING_TIME));
        if (fromString.millis() >= System.currentTimeMillis() - getTimeOffsetInMilli()) {
            return true;
        }
        sb.append("Instance boot time is not recent enough: ");
        sb.append(fromString);
        return false;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) throws ProviderResourceException {
        AWSAttestationData aWSAttestationData = (AWSAttestationData) JSON.fromString(instanceConfirmation.getAttestationData(), AWSAttestationData.class);
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();
        String instanceProperty = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_AWS_ACCOUNT);
        if (StringUtil.isEmpty(instanceProperty)) {
            throw error("Unable to extract AWS Account id");
        }
        String str = domain + "." + service;
        if (!str.equals(aWSAttestationData.getRole()) && !service.equals(aWSAttestationData.getRole())) {
            throw error("Service name mismatch: " + aWSAttestationData.getRole() + " vs. " + str);
        }
        StringBuilder sb = new StringBuilder(256);
        validateSanDnsNames(attributes, domain, service, sb);
        boolean z = aWSAttestationData.getDocument() != null;
        StringBuilder sb2 = new StringBuilder(64);
        if (z) {
            StringBuilder sb3 = new StringBuilder(256);
            if (!validateAWSDocument(instanceConfirmation.getProvider(), aWSAttestationData, instanceProperty, sb.toString(), true, sb2, sb3)) {
                throw error("Unable to validate AWS document: " + String.valueOf(sb3));
            }
        }
        setConfirmationAttributes(instanceConfirmation, z, sb2.toString(), sb.toString());
        if (verifyInstanceIdentity(aWSAttestationData, instanceProperty)) {
            return instanceConfirmation;
        }
        throw error("Unable to verify instance identity credentials");
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) throws ProviderResourceException {
        String attestationData = instanceConfirmation.getAttestationData();
        if (attestationData == null || attestationData.isEmpty()) {
            throw error(this.supportRefresh ? ProviderResourceException.FORBIDDEN : ProviderResourceException.NOT_FOUND, "No attestation data provided");
        }
        AWSAttestationData aWSAttestationData = (AWSAttestationData) JSON.fromString(attestationData, AWSAttestationData.class);
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();
        String instanceProperty = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_AWS_ACCOUNT);
        if (StringUtil.isEmpty(instanceProperty)) {
            throw error("Unable to extract AWS Account id");
        }
        String str = domain + "." + service;
        if (!str.equals(aWSAttestationData.getRole()) && !service.equals(aWSAttestationData.getRole())) {
            throw error("Service name mismatch: " + aWSAttestationData.getRole() + " vs. " + str);
        }
        StringBuilder sb = new StringBuilder(256);
        validateSanDnsNames(attributes, domain, service, sb);
        boolean z = aWSAttestationData.getDocument() != null;
        StringBuilder sb2 = new StringBuilder(64);
        if (z) {
            StringBuilder sb3 = new StringBuilder(256);
            if (!validateAWSDocument(instanceConfirmation.getProvider(), aWSAttestationData, instanceProperty, sb.toString(), false, sb2, sb3)) {
                throw error("Unable to validate AWS document: " + String.valueOf(sb3));
            }
        }
        setConfirmationAttributes(instanceConfirmation, z, sb2.toString(), sb.toString());
        if (verifyInstanceIdentity(aWSAttestationData, instanceProperty)) {
            return instanceConfirmation;
        }
        throw error("Unable to verify instance identity credentials");
    }

    public void validateSanDnsNames(Map<String, String> map, String str, String str2, StringBuilder sb) throws ProviderResourceException {
        if (!InstanceUtils.validateCertRequestSanDnsNames(map, str, str2, getDnsSuffixes(), getEksDnsSuffixes(), getEksClusterNames(), true, sb, null)) {
            throw error("Unable to validate certificate request hostnames");
        }
    }

    protected void setConfirmationAttributes(InstanceConfirmation instanceConfirmation, boolean z, String str, String str2) {
        HashMap hashMap = new HashMap();
        hashMap.put(InstanceProvider.ZTS_CERT_SSH, Boolean.toString(z));
        if (!z) {
            hashMap.put(InstanceProvider.ZTS_CERT_EXPIRY_TIME, Long.toString(this.certValidityTime));
        }
        if (!str.isEmpty()) {
            hashMap.put(InstanceProvider.ZTS_INSTANCE_PRIVATE_IP, str);
        }
        if (!str2.isEmpty()) {
            hashMap.put(InstanceProvider.ZTS_ATTESTED_SSH_CERT_PRINCIPALS, str2);
        }
        instanceConfirmation.setAttributes(hashMap);
    }

    StsClient getInstanceClient(AWSAttestationData aWSAttestationData) {
        String access = aWSAttestationData.getAccess();
        if (StringUtil.isEmpty(access)) {
            LOGGER.error("getInstanceClient: No access key available in instance document");
            return null;
        }
        String secret = aWSAttestationData.getSecret();
        if (StringUtil.isEmpty(secret)) {
            LOGGER.error("getInstanceClient: No secret key available in instance document");
            return null;
        }
        String token = aWSAttestationData.getToken();
        if (StringUtil.isEmpty(token)) {
            LOGGER.error("getInstanceClient: No session token available in instance document");
            return null;
        }
        return (StsClient) StsClient.builder().credentialsProvider(StaticCredentialsProvider.create(AwsSessionCredentials.create(access, secret, token))).region(Region.of(this.awsRegion)).build();
    }

    boolean verifyInstanceIdentity(AWSAttestationData aWSAttestationData, String str) {
        try {
            StsClient instanceClient = getInstanceClient(aWSAttestationData);
            if (instanceClient == null) {
                LOGGER.error("verifyInstanceIdentity - unable to get AWS STS client object");
                return false;
            }
            GetCallerIdentityResponse callerIdentity = instanceClient.getCallerIdentity((GetCallerIdentityRequest) GetCallerIdentityRequest.builder().build());
            if (callerIdentity == null) {
                LOGGER.error("verifyInstanceIdentity - unable to get caller identity");
                return false;
            }
            String str2 = "arn:aws:sts::" + str + ":assumed-role/" + aWSAttestationData.getRole() + "/";
            if (callerIdentity.arn().startsWith(str2)) {
                return true;
            }
            LOGGER.error("verifyInstanceIdentity - ARN mismatch - request: {} caller-identity: {}", str2, callerIdentity.arn());
            return false;
        } catch (Exception e) {
            LOGGER.error("CloudStore: verifyInstanceIdentity - unable get caller identity: {}", e.getMessage());
            return false;
        }
    }
}
