package com.mongodb.internal.connection;

import com.mongodb.AuthenticationMechanism;
import com.mongodb.MongoCredential;
import com.mongodb.MongoException;
import com.mongodb.MongoInternalException;
import com.mongodb.ServerAddress;
import com.mongodb.connection.ConnectionDescription;
import com.mongodb.lang.NonNull;
import com.mongodb.lang.Nullable;
import io.debezium.connector.mongodb.SourceInfo;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.ws.rs.HttpMethod;
import org.bson.BsonBinary;
import org.bson.BsonBinaryWriter;
import org.bson.BsonDocument;
import org.bson.BsonInt32;
import org.bson.BsonString;
import org.bson.BsonWriter;
import org.bson.RawBsonDocument;
import org.bson.codecs.BsonDocumentCodec;
import org.bson.codecs.EncoderContext;
import org.bson.io.BasicOutputBuffer;

/* loaded from: input_file:META-INF/bundled-dependencies/mongodb-driver-core-4.2.2.jar:com/mongodb/internal/connection/AwsAuthenticator.class */
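/**
 * SASL authenticator for the {@code MONGODB-AWS} mechanism.
 *
 * <p>The nested {@link AwsSaslClient} runs a two-step conversation: it sends a random client nonce,
 * then answers the server challenge with a signed {@code AuthorizationHeader}, its timestamp and,
 * when present, a session token. AWS credentials are resolved in this order: the
 * {@link MongoCredential}, the {@code AWS_*} environment variables, then the container or EC2
 * instance metadata endpoint.
 *
 * <p>NOTE(review): this listing is decompiler output. Two constants from unrelated packages
 * ({@code SourceInfo.OPERATION_ID}, {@code HttpMethod.GET}) appear where the upstream source most
 * likely has plain string literals; confirm against the original driver source.
 */
public class AwsAuthenticator extends SaslAuthenticator {
    private static final String MONGODB_AWS_MECHANISM_NAME = "MONGODB-AWS";
    private static final int RANDOM_LENGTH = 32;
    /** Expected server nonce size: the client nonce followed by the same number of server bytes. */
    private static final int SERVER_NONCE_LENGTH = 2 * RANDOM_LENGTH;
    /** Upper bound for a DNS name in bytes; used to bound the server-supplied host. */
    private static final int MAX_HOST_BYTES = 255;
    /** Connect and read timeout for the metadata endpoints, in milliseconds. */
    private static final int HTTP_TIMEOUT_MS = 10000;

    /* loaded from: input_file:META-INF/bundled-dependencies/mongodb-driver-core-4.2.2.jar:com/mongodb/internal/connection/AwsAuthenticator$AwsSaslClient.class */
    /**
     * {@link SaslClient} that implements the client side of the MONGODB-AWS exchange.
     * Instances keep per-conversation state (step counter, nonce, cached metadata response).
     */
    private static class AwsSaslClient implements SaslClient {
        private final MongoCredential credential;
        private final byte[] clientNonce = new byte[RANDOM_LENGTH];
        // -1 = nothing sent yet, 0 = client-first sent, 1 = client-final sent (complete).
        private int step = -1;
        // Cached JSON body from the metadata endpoint; it contains the secret key and token.
        private String httpResponse;

        AwsSaslClient(MongoCredential mongoCredential) {
            this.credential = mongoCredential;
        }

        /**
         * Returns the mechanism name configured on the credential.
         *
         * @throws IllegalArgumentException if the credential carries no mechanism
         */
        public String getMechanismName() {
            AuthenticationMechanism mechanism = this.credential.getAuthenticationMechanism();
            if (mechanism == null) {
                throw new IllegalArgumentException("Authentication mechanism cannot be null");
            }
            return mechanism.getMechanismName();
        }

        /** The client always speaks first in this mechanism. */
        public boolean hasInitialResponse() {
            return true;
        }

        /**
         * Advances the conversation by one step.
         *
         * @param bArr server challenge; ignored on the first call
         * @return the client-first message on the first call, the client-final message on the second
         * @throws SaslException on a third or later call, or if the server challenge is rejected
         */
        public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
            this.step++;
            if (this.step == 0) {
                return computeClientFirstMessage();
            }
            if (this.step == 1) {
                return computeClientFinalMessage(bArr);
            }
            throw new SaslException(String.format("Too many steps involved in the %s negotiation.", getMechanismName()));
        }

        /** Complete once the client-final message has been produced. */
        public boolean isComplete() {
            return this.step == 1;
        }

        public byte[] unwrap(byte[] bArr, int i, int i2) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        public byte[] wrap(byte[] bArr, int i, int i2) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        public Object getNegotiatedProperty(String str) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        /**
         * Drops the cached metadata response so the secret key and session token it contains are
         * not retained by this object after the conversation ends.
         */
        public void dispose() {
            this.httpResponse = null;
        }

        /** Builds the first message: a fresh random nonce ("r") and the value 110 ("p"). */
        private byte[] computeClientFirstMessage() {
            new SecureRandom().nextBytes(this.clientNonce);
            // 110 is the code point of 'n'; presumably a "no channel binding" flag - confirm upstream.
            return toBson(new BsonDocument().append("r", new BsonBinary(this.clientNonce)).append("p", new BsonInt32(110)));
        }

        /**
         * Validates the server challenge and builds the signed client-final message.
         *
         * <p>The challenge is untrusted input: the nonce length, the echoed client nonce and the
         * size of the server-supplied host are checked before the host is passed to the signer.
         *
         * @param bArr BSON-encoded server challenge
         * @throws SaslException if the nonce or host in the challenge is not acceptable
         */
        private byte[] computeClientFinalMessage(byte[] bArr) throws SaslException {
            RawBsonDocument challenge = new RawBsonDocument(bArr);
            // NOTE(review): SourceInfo.OPERATION_ID comes from an unrelated connector package and
            // was most likely substituted by the decompiler for a string literal key; verify.
            String host = challenge.getString(SourceInfo.OPERATION_ID).getValue();
            byte[] serverNonce = challenge.getBinary("s").getData();
            if (serverNonce.length != SERVER_NONCE_LENGTH) {
                throw new SaslException(String.format("Server nonce must be %d bytes", SERVER_NONCE_LENGTH));
            }
            // The server must echo our nonce, which ties its reply to this conversation.
            if (!Arrays.equals(Arrays.copyOf(serverNonce, RANDOM_LENGTH), this.clientNonce)) {
                throw new SaslException(String.format("The first %d bytes of the server nonce must be the client nonce", RANDOM_LENGTH));
            }
            // The host is chosen by the server and ends up inside the signed request, so reject
            // values that cannot be a DNS name before they reach the signer.
            int hostBytes = host.getBytes(StandardCharsets.UTF_8).length;
            if (hostBytes == 0 || hostBytes > MAX_HOST_BYTES) {
                throw new SaslException(String.format("Server-provided host must be between 1 and %d bytes", MAX_HOST_BYTES));
            }
            String timestamp = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneId.of("UTC")).format(Instant.now());
            String sessionToken = getSessionToken();
            AuthorizationHeader header = AuthorizationHeader.builder()
                    .setAccessKeyID(getUserName())
                    .setSecretKey(getPassword())
                    .setSessionToken(sessionToken)
                    .setHost(host)
                    .setNonce(serverNonce)
                    .setTimestamp(timestamp)
                    .build();
            BsonDocument reply = new BsonDocument()
                    .append("a", new BsonString(header.toString()))
                    .append("d", new BsonString(header.getTimestamp()));
            if (sessionToken != null) {
                reply.append("t", new BsonString(sessionToken));
            }
            return toBson(reply);
        }

        /** Serialises a document to its BSON byte representation. */
        private byte[] toBson(BsonDocument bsonDocument) {
            BasicOutputBuffer buffer = new BasicOutputBuffer();
            new BsonDocumentCodec().encode((BsonWriter) new BsonBinaryWriter(buffer), bsonDocument, EncoderContext.builder().build());
            byte[] encoded = new byte[buffer.size()];
            System.arraycopy(buffer.getInternalBuffer(), 0, encoded, 0, buffer.getSize());
            return encoded;
        }

        /**
         * Resolves the AWS access key id: credential, then {@code AWS_ACCESS_KEY_ID}, then the
         * {@code AccessKeyId} field of the metadata response.
         */
        @NonNull
        String getUserName() {
            String userName = this.credential.getUserName();
            if (userName != null) {
                return userName;
            }
            String fromEnv = System.getenv("AWS_ACCESS_KEY_ID");
            if (fromEnv != null) {
                return fromEnv;
            }
            return BsonDocument.parse(getHttpResponse()).getString("AccessKeyId").getValue();
        }

        /**
         * Resolves the AWS secret key: credential, then {@code AWS_SECRET_ACCESS_KEY}, then the
         * {@code SecretAccessKey} field of the metadata response.
         *
         * <p>The secret is returned as an immutable {@link String} because that is what the
         * {@code AuthorizationHeader} builder is called with here; it therefore cannot be wiped
         * after use and must never be logged.
         */
        @NonNull
        private String getPassword() {
            char[] password = this.credential.getPassword();
            if (password != null) {
                return new String(password);
            }
            String fromEnv = System.getenv("AWS_SECRET_ACCESS_KEY");
            if (fromEnv != null) {
                return fromEnv;
            }
            return BsonDocument.parse(getHttpResponse()).getString("SecretAccessKey").getValue();
        }

        /**
         * Resolves the optional session token from the same source as the key pair.
         *
         * @return the token, or {@code null} when the selected source provides none
         * @throws IllegalArgumentException if a token is configured without a user name, or if
         *         only one of the two key environment variables is set
         */
        @Nullable
        private String getSessionToken() {
            String configured = (String) this.credential.getMechanismProperty("AWS_SESSION_TOKEN", null);
            if (this.credential.getUserName() != null) {
                return configured;
            }
            if (configured != null) {
                throw new IllegalArgumentException("The connection string contains a session token without credentials");
            }
            String envSecret = System.getenv("AWS_SECRET_ACCESS_KEY");
            String envKeyId = System.getenv("AWS_ACCESS_KEY_ID");
            String envToken = System.getenv("AWS_SESSION_TOKEN");
            if (envSecret == null && envKeyId == null && envToken == null) {
                // Nothing in the environment: the metadata endpoint is the credential source.
                return BsonDocument.parse(getHttpResponse()).getString("Token").getValue();
            }
            if (envSecret == null || envKeyId == null) {
                throw new IllegalArgumentException("The environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY' must either both be set or both be null");
            }
            return envToken;
        }

        /**
         * Returns the credentials JSON from the container endpoint when
         * {@code AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} is set, otherwise from the EC2 endpoint.
         * The body is fetched once and cached for the lifetime of this client.
         *
         * @throws IllegalArgumentException if the relative URI does not start with {@code /}
         */
        @NonNull
        private String getHttpResponse() {
            if (this.httpResponse != null) {
                return this.httpResponse;
            }
            String relativeUri = System.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
            if (relativeUri == null) {
                this.httpResponse = getEc2Response();
            } else {
                // The value is appended directly to a fixed host. Requiring a leading '/' keeps it
                // a path, so the request cannot end up addressed to a different authority.
                if (!relativeUri.startsWith("/")) {
                    throw new IllegalArgumentException("The environment variable 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' must start with '/'");
                }
                this.httpResponse = getHttpContents(HttpMethod.GET, "http://169.254.170.2" + relativeUri, null);
            }
            return this.httpResponse;
        }

        /**
         * Fetches role credentials from the EC2 instance metadata service: obtains a short-lived
         * metadata token with a PUT, looks up the role name, then reads that role's credentials.
         */
        private String getEc2Response() {
            Map<String, String> headers = new HashMap<>();
            headers.put("X-aws-ec2-metadata-token-ttl-seconds", "30");
            String metadataToken = getHttpContents("PUT", "http://169.254.169.254/latest/api/token", headers);
            headers.clear();
            headers.put("X-aws-ec2-metadata-token", metadataToken);
            String roleName = getHttpContents(HttpMethod.GET, "http://169.254.169.254/latest/meta-data/iam/security-credentials/", headers);
            return getHttpContents(HttpMethod.GET, "http://169.254.169.254/latest/meta-data/iam/security-credentials/" + roleName, headers);
        }

        /**
         * Performs one HTTP request and returns the body with line terminators removed.
         *
         * <p>Both connect and read are bounded by a timeout, and the connection is released on
         * every path, including failures. The body may contain credentials; callers must not log it.
         *
         * @param str  HTTP method
         * @param str2 absolute URL
         * @param map  request headers, or {@code null} for none
         * @throws MongoInternalException on any I/O failure or a non-200 status
         */
        @NonNull
        private static String getHttpContents(String str, String str2, Map<String, String> map) {
            HttpURLConnection connection = null;
            try {
                connection = (HttpURLConnection) new URL(str2).openConnection();
                connection.setRequestMethod(str);
                // Without a connect timeout an unreachable link-local endpoint can stall authentication.
                connection.setConnectTimeout(HTTP_TIMEOUT_MS);
                connection.setReadTimeout(HTTP_TIMEOUT_MS);
                if (map != null) {
                    for (Map.Entry<String, String> header : map.entrySet()) {
                        connection.setRequestProperty(header.getKey(), header.getValue());
                    }
                }
                int responseCode = connection.getResponseCode();
                if (responseCode != 200) {
                    throw new IOException(String.format("%d %s", responseCode, connection.getResponseMessage()));
                }
                StringBuilder body = new StringBuilder();
                try (BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8))) {
                    String line;
                    while ((line = reader.readLine()) != null) {
                        body.append(line);
                    }
                }
                return body.toString();
            } catch (IOException e) {
                throw new MongoInternalException("Unexpected IOException", e);
            } finally {
                if (connection != null) {
                    connection.disconnect();
                }
            }
        }
    }

    /**
     * Creates the authenticator.
     *
     * @throws MongoException if the credential's mechanism is not {@code MONGODB_AWS}
     */
    public AwsAuthenticator(MongoCredentialWithCache mongoCredentialWithCache) {
        super(mongoCredentialWithCache);
        if (getMongoCredential().getAuthenticationMechanism() != AuthenticationMechanism.MONGODB_AWS) {
            throw new MongoException("Incorrect mechanism: " + getMongoCredential().getMechanism());
        }
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator
    public String getMechanismName() {
        return MONGODB_AWS_MECHANISM_NAME;
    }

    /** Creates a fresh SASL client per connection; the server address is not used. */
    @Override // com.mongodb.internal.connection.SaslAuthenticator
    protected SaslClient createSaslClient(ServerAddress serverAddress) {
        return new AwsSaslClient(getMongoCredential());
    }

    // Compiler-generated bridge kept as emitted by the decompiler; it only delegates to the superclass.
    @Override // com.mongodb.internal.connection.SaslAuthenticator, com.mongodb.internal.connection.Authenticator
    public /* bridge */ /* synthetic */ void authenticate(InternalConnection internalConnection, ConnectionDescription connectionDescription) {
        super.authenticate(internalConnection, connectionDescription);
    }
}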
