package org.springframework.cloud.config.server.support;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.util.ValidationUtils;
import java.net.URI;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.eclipse.jgit.errors.UnsupportedCredentialItem;
import org.eclipse.jgit.transport.CredentialItem;
import org.eclipse.jgit.transport.CredentialsProvider;
import org.eclipse.jgit.transport.URIish;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-cloud-config-server-2.0.0.RELEASE.jar:org/springframework/cloud/config/server/support/AwsCodeCommitCredentialProvider.class */
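/**
 * JGit {@link CredentialsProvider} that answers username/password prompts for AWS CodeCommit
 * HTTPS remotes with values derived from AWS credentials.
 *
 * <p>The Git username is the AWS access key id, followed by {@code %} and the session token when
 * the credentials are session credentials. The Git password is a UTC timestamp followed by the
 * hex-encoded AWS4-HMAC-SHA256 signature of a canonical request built from the remote's host and
 * path.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The username can embed the session token and the password is a usable signature, so
 *       neither value is ever written to the log, at any level.</li>
 *   <li>{@link #get} does not re-check the remote host; it relies on callers having gated the
 *       remote with {@link #canHandle(String)}. Attaching this provider to another remote would
 *       send the access key id and session token to that host.</li>
 * </ul>
 */
public class AwsCodeCommitCredentialProvider extends CredentialsProvider {
    private static final String SHA_256 = "SHA-256";
    private static final String UTF8 = "UTF8";
    private static final String HMAC_SHA256 = "HmacSHA256";
    private static final char[] hexArray = "0123456789abcdef".toCharArray();
    protected Log logger = LogFactory.getLog(getClass());
    private AWSCredentialsProvider awsCredentialProvider;
    // Passed to BasicAWSCredentials as the access key id when both fields are set.
    private String username;
    // Passed to BasicAWSCredentials as the secret access key when both fields are set.
    private String password;

    /**
     * Credentials provider that always returns the single credentials object it was built with.
     */
    public class AWSStaticCredentialsProvider implements AWSCredentialsProvider {
        private final AWSCredentials credentials;

        /**
         * @param aWSCredentials credentials to hand out; rejected by
         *     {@code ValidationUtils.assertNotNull} when {@code null}
         */
        public AWSStaticCredentialsProvider(AWSCredentials aWSCredentials) {
            this.credentials = (AWSCredentials) ValidationUtils.assertNotNull(aWSCredentials, "credentials");
        }

        @Override
        public AWSCredentials getCredentials() {
            return this.credentials;
        }

        /** No-op: the wrapped credentials are fixed at construction time. */
        @Override
        public void refresh() {
        }
    }

    /** @return always {@code false}; this provider never prompts a user */
    @Override // org.eclipse.jgit.transport.CredentialsProvider
    public boolean isInteractive() {
        return false;
    }

    /**
     * Reports whether every requested item is a username or a password item.
     *
     * @param credentialItemArr items JGit wants filled in
     * @return {@code true} when all items are {@code Username} or {@code Password} items
     */
    @Override // org.eclipse.jgit.transport.CredentialsProvider
    public boolean supports(CredentialItem... credentialItemArr) {
        for (CredentialItem item : credentialItemArr) {
            boolean usernameOrPassword =
                    item instanceof CredentialItem.Username || item instanceof CredentialItem.Password;
            if (!usernameOrPassword) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns the AWS credentials, creating the backing provider on first use.
     *
     * <p>A static provider is used when both username and password are set, otherwise the default
     * AWS provider chain. The provider is cached, so later changes to username/password do not
     * replace it.
     */
    private AWSCredentials retrieveAwsCredentials() {
        if (this.awsCredentialProvider == null) {
            if (this.username == null || this.password == null) {
                this.logger.debug("Creating a default AWSCredentialsProvider");
                this.awsCredentialProvider = new DefaultAWSCredentialsProviderChain();
            } else {
                this.logger.debug("Creating a static AWSCredentialsProvider");
                this.awsCredentialProvider = new AWSStaticCredentialsProvider(new BasicAWSCredentials(this.username, this.password));
            }
        }
        return this.awsCredentialProvider.getCredentials();
    }

    /**
     * Fills the requested credential items with the CodeCommit username and computed password.
     *
     * @param uRIish remote being authenticated against; its host and path are signed
     * @param credentialItemArr items to populate
     * @return {@code true} when all items were populated; {@code false} when the AWS credentials
     *     could not be retrieved or the password could not be calculated
     * @throws UnsupportedCredentialItem for an item that is neither a username, a password, nor a
     *     string item whose prompt is exactly {@code "Password: "}
     */
    @Override // org.eclipse.jgit.transport.CredentialsProvider
    public boolean get(URIish uRIish, CredentialItem... credentialItemArr) throws UnsupportedCredentialItem {
        String gitUsername;
        String secretKey;
        try {
            // Declared as the general type: a static or default provider may return plain
            // (non-session) credentials, which must not be treated as session credentials.
            AWSCredentials awsCredentials = retrieveAwsCredentials();
            StringBuilder sb = new StringBuilder();
            sb.append(awsCredentials.getAWSAccessKeyId());
            secretKey = awsCredentials.getAWSSecretKey();
            if (awsCredentials instanceof AWSSessionCredentials) {
                String sessionToken = ((AWSSessionCredentials) awsCredentials).getSessionToken();
                if (sessionToken != null) {
                    sb.append('%').append(sessionToken);
                }
            }
            gitUsername = sb.toString();
        } catch (Throwable th) {
            // Best effort: any failure to obtain credentials is reported as "no credentials".
            this.logger.warn("Unable to retrieve AWS Credentials", th);
            return false;
        }

        String gitPassword;
        try {
            gitPassword = calculateCodeCommitPassword(uRIish, secretKey);
        } catch (Throwable th) {
            this.logger.warn("Error calculating the AWS CodeCommit password", th);
            return false;
        }

        // The loop runs outside the try blocks so that UnsupportedCredentialItem reaches the
        // caller as declared instead of being logged as a password-calculation failure.
        // Trace messages name the item kind only: the username may carry the session token and
        // the password is a valid signature, so their values must stay out of the log.
        for (CredentialItem item : credentialItemArr) {
            if (item instanceof CredentialItem.Username) {
                ((CredentialItem.Username) item).setValue(gitUsername);
                this.logger.trace("Returning username");
            } else if (item instanceof CredentialItem.Password) {
                ((CredentialItem.Password) item).setValue(gitPassword.toCharArray());
                this.logger.trace("Returning password");
            } else if (item instanceof CredentialItem.StringType && item.getPromptText().equals("Password: ")) {
                ((CredentialItem.StringType) item).setValue(gitPassword);
                this.logger.trace("Returning password string");
            } else {
                throw new UnsupportedCredentialItem(uRIish, item.getClass().getName() + ":" + item.getPromptText());
            }
        }
        return true;
    }

    /**
     * Computes the CodeCommit Git password for a remote.
     *
     * <p>The region is taken from the second dot-separated label of the host. The result is the
     * UTC timestamp ({@code yyyyMMdd'T'HHmmss}), a literal {@code Z}, and the hex signature.
     *
     * @param uRIish remote whose host and path are signed
     * @param str AWS secret access key used to derive the signing key
     * @return the password string to present to CodeCommit
     * @throws CredentialException when the host is missing or has fewer than four labels, or when
     *     hashing/signing fails
     */
    protected static String calculateCodeCommitPassword(URIish uRIish, String str) {
        String host = uRIish.getHost();
        if (host == null) {
            // Without this guard a host-less URI would surface as a bare NullPointerException.
            throw new CredentialException("Cannot detect AWS region from URI", null);
        }
        String[] labels = host.split("\\.");
        if (labels.length < 4) {
            throw new CredentialException("Cannot detect AWS region from URI", null);
        }
        String region = labels[1];
        // NOTE(review): the formatter uses the JVM default locale; pin a locale if the server can
        // run with a default whose calendar is not Gregorian.
        SimpleDateFormat timestampFormat = new SimpleDateFormat("yyyyMMdd'T'HHmmss");
        timestampFormat.setTimeZone(TimeZone.getTimeZone("UTC"));
        String timestamp = timestampFormat.format(new Date());
        String dateStamp = timestamp.substring(0, 8);
        try {
            StringBuilder toSign = new StringBuilder();
            toSign.append("AWS4-HMAC-SHA256\n")
                    .append(timestamp).append("\n")
                    .append(dateStamp).append("/").append(region).append("/codecommit/aws4_request\n")
                    .append(bytesToHexString(canonicalRequestDigest(uRIish)));
            return timestamp + "Z" + bytesToHexString(sign(str, dateStamp, region, toSign.toString()));
        } catch (Exception e) {
            throw new CredentialException("Error calculating AWS CodeCommit password", e);
        }
    }

    /** No-op: this provider keeps no per-URI state to discard. */
    @Override // org.eclipse.jgit.transport.CredentialsProvider
    public void reset(URIish uRIish) {
    }

    /**
     * Computes HMAC-SHA256 of {@code str} (encoded as UTF-8) under the key {@code bArr}.
     */
    private static byte[] hmacSha256(String str, byte[] bArr) throws Exception {
        Mac mac = Mac.getInstance(HMAC_SHA256);
        mac.init(new SecretKeySpec(bArr, HMAC_SHA256));
        return mac.doFinal(str.getBytes(UTF8));
    }

    /**
     * Derives the signing key by chaining HMACs over date, region, {@code "codecommit"} and
     * {@code "aws4_request"}, starting from {@code "AWS4" + secret}, then signs {@code str4}.
     *
     * @param str AWS secret access key
     * @param str2 date stamp ({@code yyyyMMdd})
     * @param str3 region
     * @param str4 string to sign
     */
    private static byte[] sign(String str, String str2, String str3, String str4) throws Exception {
        byte[] dateKey = hmacSha256(str2, ("AWS4" + str).getBytes(UTF8));
        byte[] regionKey = hmacSha256(str3, dateKey);
        byte[] serviceKey = hmacSha256("codecommit", regionKey);
        byte[] signingKey = hmacSha256("aws4_request", serviceKey);
        return hmacSha256(str4, signingKey);
    }

    /**
     * Returns the SHA-256 digest of the canonical request built from the remote's path and host.
     *
     * <p>The request text is encoded explicitly as UTF-8, like every other string in the signing
     * chain, so the digest does not depend on the JVM's default charset.
     */
    private static byte[] canonicalRequestDigest(URIish uRIish) throws Exception {
        StringBuilder sb = new StringBuilder();
        sb.append("GIT\n").append(uRIish.getPath()).append("\n").append("\n").append("host:").append(uRIish.getHost()).append("\n").append("\n").append("host\n");
        return MessageDigest.getInstance(SHA_256).digest(sb.toString().getBytes(UTF8));
    }

    /** Encodes bytes as lowercase hexadecimal, two characters per byte. */
    private static String bytesToHexString(byte[] bArr) {
        char[] hex = new char[bArr.length * 2];
        for (int i = 0; i < bArr.length; i++) {
            int unsigned = bArr[i] & 0xff;
            hex[i * 2] = hexArray[unsigned >>> 4];
            hex[(i * 2) + 1] = hexArray[unsigned & 0x0f];
        }
        return new String(hex);
    }

    /** @return the configured or lazily created AWS credentials provider; may be {@code null} */
    public AWSCredentialsProvider getAwsCredentialProvider() {
        return this.awsCredentialProvider;
    }

    /** Sets the AWS credentials provider; when set, username and password are not consulted. */
    public void setAwsCredentialProvider(AWSCredentialsProvider aWSCredentialsProvider) {
        this.awsCredentialProvider = aWSCredentialsProvider;
    }

    /**
     * Decides whether a repository location is an AWS CodeCommit HTTPS URL.
     *
     * <p>This is the only host check in the class, so it determines which remotes receive
     * AWS-derived credentials: the scheme must be {@code https} and the host must start with
     * {@code git-codecommit.} and end with {@code .amazonaws.com}.
     *
     * @param str repository location, possibly blank or malformed
     * @return {@code true} only for a well-formed URL matching the rules above
     */
    public static boolean canHandle(String str) {
        if (!StringUtils.hasText(str)) {
            return false;
        }
        try {
            URL url = new URL(str);
            URI uri = new URI(url.getProtocol(), url.getUserInfo(), url.getHost(), url.getPort(), url.getPath(), url.getQuery(), url.getRef());
            if (!"https".equals(uri.getScheme())) {
                return false;
            }
            String host = uri.getHost();
            return host != null && host.endsWith(".amazonaws.com") && host.startsWith("git-codecommit.");
        } catch (Exception ignored) {
            // A location that does not parse as a URL/URI is simply not a CodeCommit remote.
            return false;
        }
    }

    /** @return the AWS access key id configured for static credentials, or {@code null} */
    public String getUsername() {
        return this.username;
    }

    /** Sets the AWS access key id used for static credentials. */
    public void setUsername(String str) {
        this.username = str;
    }

    /** @return the AWS secret access key configured for static credentials, or {@code null} */
    public String getPassword() {
        return this.password;
    }

    /** Sets the AWS secret access key used for static credentials. */
    public void setPassword(String str) {
        this.password = str;
    }
}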
