package com.cloudbees.jenkins.plugins.awscredentials;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.Run;
import hudson.model.TaskListener;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/* loaded from: input_file:WEB-INF/lib/aws-credentials.jar:com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding.class */
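/**
 * Credentials binding that hands an {@link AmazonWebServicesCredentials} entry to a build as a map
 * of environment-variable names to values: an access key ID, a secret access key and, when the
 * resolved credentials are session credentials, a session token.
 *
 * <p>When a role ARN is configured, the stored credentials are used only to build an STS
 * AssumeRole provider, and the credentials resolved from that provider are what gets bound.
 *
 * <p>Every variable name that {@link #bind} can put into the environment is also reported by
 * {@link #variables()}; keep the two in sync whenever a variable is added.
 */
public class AmazonWebServicesCredentialsBinding extends MultiBinding<AmazonWebServicesCredentials> {
    /** Variable name used for the access key ID when none is configured. */
    public static final String DEFAULT_ACCESS_KEY_ID_VARIABLE_NAME = "AWS_ACCESS_KEY_ID";
    /** Variable name used for the secret access key when none is configured. */
    private static final String DEFAULT_SECRET_ACCESS_KEY_VARIABLE_NAME = "AWS_SECRET_ACCESS_KEY";
    /** Variable name for the session token; fixed, not configurable in this class. */
    private static final String SESSION_TOKEN_VARIABLE_NAME = "AWS_SESSION_TOKEN";

    @NonNull
    private final String accessKeyVariable;

    @NonNull
    private final String secretKeyVariable;
    // Optional role to assume; null or empty means the stored credentials are bound directly.
    private String roleArn;
    // Optional STS session name; blank falls back to "Jenkins" in assumeRoleProvider.
    private String roleSessionName;
    // Requested session lifetime in seconds; values <= 0 leave the duration unset on the request.
    private int roleSessionDurationSeconds;

    /* loaded from: input_file:WEB-INF/lib/aws-credentials.jar:com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding$DescriptorImpl.class */
    /** Descriptor registering this binding under the {@code aws} symbol. */
    @Extension
    @Symbol({"aws"})
    public static class DescriptorImpl extends BindingDescriptor<AmazonWebServicesCredentials> {
        /** @return the credentials type this binding accepts */
        protected Class<AmazonWebServicesCredentials> type() {
            return AmazonWebServicesCredentials.class;
        }

        /** @return the label shown for this binding */
        public String getDisplayName() {
            return "AWS access key and secret";
        }

        /** @return {@code false}: the binding only produces variable values and touches no files */
        public boolean requiresWorkspace() {
            return false;
        }
    }

    /**
     * Creates the binding.
     *
     * <p>NOTE(review): {@code str}, {@code str2} and {@code str3} look like decompiler placeholder
     * names. Stapler matches {@code @DataBoundConstructor} parameters by name, so confirm the real
     * names against the plugin's published source before recompiling this listing.
     *
     * @param str variable name for the access key ID; blank selects
     *     {@link #DEFAULT_ACCESS_KEY_ID_VARIABLE_NAME}
     * @param str2 variable name for the secret access key; blank selects the default
     *     {@code AWS_SECRET_ACCESS_KEY}
     * @param str3 value passed to the {@link MultiBinding} constructor (presumably the credentials
     *     ID; not visible in this file)
     */
    @DataBoundConstructor
    public AmazonWebServicesCredentialsBinding(@Nullable String str, @Nullable String str2, String str3) {
        super(str3);
        this.accessKeyVariable = StringUtils.defaultIfBlank(str, DEFAULT_ACCESS_KEY_ID_VARIABLE_NAME);
        this.secretKeyVariable = StringUtils.defaultIfBlank(str2, DEFAULT_SECRET_ACCESS_KEY_VARIABLE_NAME);
    }

    /** @return the variable name that receives the access key ID */
    @NonNull
    public String getAccessKeyVariable() {
        return this.accessKeyVariable;
    }

    /** @return the variable name that receives the secret access key */
    @NonNull
    public String getSecretKeyVariable() {
        return this.secretKeyVariable;
    }

    /** @return the ARN of the role to assume, or {@code null} if none was set */
    @Nullable
    public String getRoleArn() {
        return this.roleArn;
    }

    /** @return the configured STS session name, or {@code null} if none was set */
    @Nullable
    public String getRoleSessionName() {
        return this.roleSessionName;
    }

    /** @return the requested session duration in seconds; {@code 0} if never set */
    public int getRoleSessionDurationSeconds() {
        return this.roleSessionDurationSeconds;
    }

    /**
     * Sets the role to assume before binding. The value is stored as given; this class does not
     * validate the ARN or restrict which roles a job may name.
     *
     * @param str role ARN, or {@code null}/empty to bind the stored credentials directly
     */
    @DataBoundSetter
    public void setRoleArn(String str) {
        this.roleArn = str;
    }

    /**
     * Sets the STS session name used when assuming the role.
     *
     * @param str session name; blank falls back to {@code "Jenkins"}
     */
    @DataBoundSetter
    public void setRoleSessionName(String str) {
        this.roleSessionName = str;
    }

    /**
     * Sets the requested lifetime of the assumed-role session. No range check is done here; the
     * value is passed to STS unchanged when it is positive.
     *
     * @param i duration in seconds; values {@code <= 0} leave the duration unset on the request
     */
    @DataBoundSetter
    public void setRoleSessionDurationSeconds(int i) {
        this.roleSessionDurationSeconds = i;
    }

    /** @return the credentials type this binding accepts */
    protected Class<AmazonWebServicesCredentials> type() {
        return AmazonWebServicesCredentials.class;
    }

    /**
     * Resolves the credentials for {@code run} and maps them to the configured variable names.
     *
     * <p>The returned map holds live secret values. The session token entry is added only when the
     * resolved credentials are {@link AwsSessionCredentials}.
     *
     * @param run the build whose credentials are looked up
     * @param filePath unused by this binding
     * @param launcher unused by this binding
     * @param taskListener unused by this binding
     * @return the environment holding the access key ID, secret access key and optional token
     * @throws IOException declared by the overridden contract
     * @throws InterruptedException declared by the overridden contract
     */
    public MultiBinding.MultiEnvironment bind(@NonNull Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener) throws IOException, InterruptedException {
        AwsCredentialsProvider provider = (AwsCredentialsProvider) getCredentials(run);
        if (!StringUtils.isEmpty(this.roleArn)) {
            provider = assumeRoleProvider(provider);
        }
        // Hold the result as the general AwsCredentials type: long-lived keys are not session
        // credentials, so typing this as AwsSessionCredentials would break for them.
        AwsCredentials resolved = provider.resolveCredentials();
        Map<String, String> values = new HashMap<>();
        values.put(this.accessKeyVariable, resolved.accessKeyId());
        values.put(this.secretKeyVariable, resolved.secretAccessKey());
        if (resolved instanceof AwsSessionCredentials) {
            values.put(SESSION_TOKEN_VARIABLE_NAME, ((AwsSessionCredentials) resolved).sessionToken());
        }
        return new MultiBinding.MultiEnvironment(values);
    }

    /**
     * Wraps {@code awsCredentialsProvider} in a provider that assumes {@link #getRoleArn()}.
     *
     * <p>The session name identifies the session in the assumed-role identity. With the
     * {@code "Jenkins"} fallback, every binding that leaves the name blank shares one session name,
     * so set a per-job name if sessions need to be told apart in audit logs.
     *
     * <p>NOTE(review): neither the {@link StsClient} nor the provider built here is closed anywhere
     * in this class; confirm who owns their lifecycle.
     *
     * @param awsCredentialsProvider the stored credentials used to call STS
     * @return a provider whose resolved credentials belong to the assumed role
     */
    private AwsCredentialsProvider assumeRoleProvider(AwsCredentialsProvider awsCredentialsProvider) {
        StsClient stsClient = AWSCredentialsImpl.buildStsClient(awsCredentialsProvider);
        AssumeRoleRequest.Builder request = AssumeRoleRequest.builder()
                .roleArn(this.roleArn)
                .roleSessionName(StringUtils.defaultIfBlank(this.roleSessionName, "Jenkins"));
        if (this.roleSessionDurationSeconds > 0) {
            request.durationSeconds(this.roleSessionDurationSeconds);
        }
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(stsClient)
                .refreshRequest(request.build())
                .build();
    }

    /**
     * Lists every variable name {@link #bind} may set. The session token name is always included,
     * even when a given run ends up with no token.
     *
     * <p>Presumably the binding framework uses this set to know which variables carry secrets, so
     * it must never list fewer names than {@link #bind} can emit. TODO confirm against the
     * credentials-binding API.
     *
     * @return the access key, secret key and session token variable names
     */
    public Set<String> variables() {
        return new HashSet<>(Arrays.asList(this.accessKeyVariable, this.secretKeyVariable, SESSION_TOKEN_VARIABLE_NAME));
    }
}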
