package com.onelogin.aws.assume.role.cli;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.profile.ProfilesConfigFileWriter;
import com.amazonaws.auth.profile.internal.Profile;
import com.amazonaws.auth.profile.internal.ProfileKeyConstants;
import com.amazonaws.profile.path.AwsProfileFileLocationProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLResult;
import com.amazonaws.services.securitytoken.model.AssumedRoleUser;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.util.StringUtils;
import com.onelogin.saml2.authn.SamlResponse;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.sdk.conn.Client;
import com.onelogin.sdk.model.Device;
import com.onelogin.sdk.model.MFA;
import com.onelogin.sdk.model.SAMLEndpointResponse;
import java.io.Console;
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Scanner;
import java.util.concurrent.TimeUnit;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.oltu.oauth2.common.OAuth;

/* loaded from: input_file:com/onelogin/aws/assume/role/cli/OneloginAWSCLI.class */
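/**
 * Command-line tool that logs a user into OneLogin, obtains a SAML assertion for an AWS
 * application, calls STS {@code AssumeRoleWithSAML} and either prints the temporary
 * credentials as shell {@code export}/{@code set} lines or writes them into an AWS
 * credentials profile. With {@code --loop} greater than one it repeats the cycle every
 * {@code --time} minutes to keep the profile fresh.
 *
 * <p>Operational caveats visible from the option set:
 * <ul>
 *   <li>{@code --password} and {@code --onelogin-client-secret} put secrets on the command
 *       line, where other local processes and the shell history can see them; the
 *       interactive prompts avoid that.</li>
 *   <li>When no profile/file is requested the session token and secret key are printed to
 *       standard output, so the terminal (and any log capturing it) holds live credentials.</li>
 * </ul>
 *
 * <p>All configuration is kept in static fields populated by {@link #commandParser(String[])};
 * the class is not designed for concurrent use.
 */
public class OneloginAWSCLI {
    /** Divider line reused throughout the interactive output. */
    private static final String SEPARATOR =
            "-----------------------------------------------------------------------";
    /** SAML attribute whose values are the "roleArn,principalArn" pairs the user may assume. */
    private static final String ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role";
    /** Accepted range for {@code --time} (minutes between iterations); outside values are clamped. */
    private static final int MIN_SLEEP_MINUTES = 15;
    private static final int MAX_SLEEP_MINUTES = 60;
    /** Range STS accepts for DurationSeconds; values outside it fall back to the SDK default. */
    private static final int MIN_DURATION_SECONDS = 900;
    private static final int MAX_DURATION_SECONDS = 43200;

    // Configuration filled by commandParser(). A null String/File means "not supplied", and
    // main() then prompts for it or applies a default on the first iteration.
    private static int time = 45;
    private static int loop = 1;
    private static String profileName = null;
    private static File file = null;
    private static String oneloginUsernameOrEmail = null;
    private static String oneloginPassword = null;
    private static String appId = null;
    private static String oneloginDomain = null;
    private static String awsRegion = null;
    private static String awsAccountId = null;
    private static String awsRoleName = null;
    private static int duration = STSAssumeRoleSessionCredentialsProvider.DEFAULT_DURATION_SECONDS;
    private static String oneloginClientID = null;
    private static String oneloginClientSecret = null;
    private static String oneloginRegion = "us";

    /**
     * Parses the program arguments into the static configuration fields.
     *
     * @param strArr the raw program arguments
     * @return {@code true} when execution should continue; {@code false} after {@code --help},
     *     a commons-cli parse error, a non-integer {@code --time}/{@code --loop}/{@code --duration},
     *     or when only one of {@code --aws-account-id}/{@code --aws-role-name} or only one of
     *     {@code --onelogin-client-id}/{@code --onelogin-client-secret} was given
     */
    public static Boolean commandParser(String[] strArr) {
        Options options = buildOptions();
        CommandLine parse;
        try {
            parse = new DefaultParser().parse(options, strArr);
        } catch (ParseException e) {
            System.err.println("Encountered exception while parsing: " + e.getMessage());
            return false;
        }
        if (parse.hasOption("help")) {
            new HelpFormatter().printHelp("onelogin-aws-cli.jar [options]", options);
            System.out.println("");
            return false;
        }
        try {
            if (parse.hasOption("time")) {
                String value = optionValue(parse, "time");
                if (value != null) {
                    time = Integer.parseInt(value);
                }
                // An empty --time keeps the default but is still clamped, as before.
                time = clamp(time, MIN_SLEEP_MINUTES, MAX_SLEEP_MINUTES);
            }
            String loopValue = optionValue(parse, "loop");
            if (loopValue != null) {
                loop = Integer.parseInt(loopValue);
            }
            if (parse.hasOption("duration")) {
                String value = optionValue(parse, "duration");
                if (value != null) {
                    duration = Integer.parseInt(value);
                }
                // Out-of-range durations are not clamped: STS would reject them, so use the default.
                if (duration < MIN_DURATION_SECONDS || duration > MAX_DURATION_SECONDS) {
                    duration = STSAssumeRoleSessionCredentialsProvider.DEFAULT_DURATION_SECONDS;
                }
            } else {
                duration = STSAssumeRoleSessionCredentialsProvider.DEFAULT_DURATION_SECONDS;
            }
        } catch (NumberFormatException e) {
            // Previously propagated as an uncaught exception with a stack trace.
            System.err.println("--time, --loop and --duration must be integers: " + e.getMessage());
            return false;
        }
        if (parse.hasOption("profile")) {
            String value = optionValue(parse, "profile");
            profileName = value == null ? "default" : value;
        }
        String fileValue = optionValue(parse, "file");
        if (fileValue != null) {
            file = new File(fileValue);
        }
        oneloginUsernameOrEmail = override(oneloginUsernameOrEmail, parse, OAuth.OAUTH_USERNAME);
        oneloginDomain = override(oneloginDomain, parse, "subdomain");
        appId = override(appId, parse, "appid");
        awsRegion = override(awsRegion, parse, ProfileKeyConstants.REGION);
        oneloginPassword = override(oneloginPassword, parse, OAuth.OAUTH_PASSWORD);
        awsAccountId = override(awsAccountId, parse, "aws-account-id");
        awsRoleName = override(awsRoleName, parse, "aws-role-name");
        oneloginClientID = override(oneloginClientID, parse, "onelogin-client-id");
        oneloginClientSecret = override(oneloginClientSecret, parse, "onelogin-client-secret");
        oneloginRegion = override(oneloginRegion, parse, "onelogin-region");

        // Each pair is all-or-nothing: exactly one of the two being set is an error.
        if (isBlank(awsAccountId) != isBlank(awsRoleName)) {
            System.err.println("--aws-account-id and --aws-role-name need to be set together");
            return false;
        }
        if (isBlank(oneloginClientID) != isBlank(oneloginClientSecret)) {
            System.err.println("--onelogin-client-id and --onelogin-client-secret need to be set together");
            return false;
        }
        return true;
    }

    /** Returns the option's value, or {@code null} when the option is absent or its value is empty. */
    private static String optionValue(CommandLine parse, String name) {
        if (!parse.hasOption(name)) {
            return null;
        }
        String value = parse.getOptionValue(name);
        return (value == null || value.isEmpty()) ? null : value;
    }

    /** Returns the option's non-empty value when present, otherwise {@code current} unchanged. */
    private static String override(String current, CommandLine parse, String name) {
        String value = optionValue(parse, name);
        return value == null ? current : value;
    }

    /** {@code true} for {@code null} or the empty string. */
    private static boolean isBlank(String value) {
        return value == null || value.isEmpty();
    }

    /** Restricts {@code value} to the closed interval {@code [min, max]}. */
    private static int clamp(int value, int min, int max) {
        return Math.max(min, Math.min(max, value));
    }

    /**
     * Declares the command-line options understood by {@link #commandParser(String[])}.
     *
     * @return the populated commons-cli {@link Options}
     */
    public static Options buildOptions() {
        Options options = new Options();
        options.addOption("h", "help", false, "Show the help guide");
        options.addOption("t", "time", true, "Sleep time between iterations, in minutes  [15-60 min]");
        options.addOption("l", "loop", true, "Number of iterations");
        options.addOption("p", "profile", true, "Save temporary AWS credentials using that profile name");
        options.addOption("f", "file", true, "Set a custom path to save the AWS credentials. (if not used, default AWS path is used)");
        options.addOption("r", ProfileKeyConstants.REGION, true, "Set the AWS region.");
        options.addOption("a", "appid", true, "Set AWS App ID.");
        options.addOption("d", "subdomain", true, "OneLogin Instance Sub Domain.");
        options.addOption("u", OAuth.OAUTH_USERNAME, true, "OneLogin username.");
        options.addOption(null, OAuth.OAUTH_PASSWORD, true, "OneLogin password.");
        options.addOption(null, "aws-account-id", true, "AWS Account ID.");
        options.addOption(null, "aws-role-name", true, "AWS Role Name.");
        options.addOption("z", "duration", true, "Desired AWS Credential Duration");
        options.addOption(null, "onelogin-client-id", true, "A valid OneLogin API client_id");
        options.addOption(null, "onelogin-client-secret", true, "A valid OneLogin API client_secret");
        options.addOption(null, "onelogin-region", true, "Onelogin region. us or eu  (Default value: us)");
        return options;
    }

    /**
     * Entry point: parse options, authenticate against OneLogin, assume the chosen AWS role and
     * print or store the resulting temporary credentials, {@code loop} times.
     *
     * @param strArr program arguments, see {@link #buildOptions()}
     * @throws Exception any failure from the OneLogin client, SAML parsing or STS that is not
     *     handled interactively is propagated
     */
    public static void main(String[] strArr) throws Exception {
        System.out.println("\nOneLogin AWS Assume Role Tool\n");
        if (!commandParser(strArr).booleanValue()) {
            return;
        }
        // commandParser guarantees client id and secret are either both set or both absent.
        Client client = isBlank(oneloginClientID) && isBlank(oneloginClientSecret)
                ? new Client()
                : new Client(oneloginClientID, oneloginClientSecret, oneloginRegion);
        String ip = client.getIP();
        client.getAccessToken();

        // The duration is per run: a value STS rejects for the selected role is replaced
        // interactively and the replacement is reused for later iterations.
        int sessionDuration = duration;
        String roleArn = null;
        String principalArn = null;
        // MFA device/state/OTP remembered from the first iteration so later ones do not re-prompt.
        Map<String, String> mfaVerifyInfo = null;
        String defaultRegion = Regions.DEFAULT_REGION.getName();
        try (Scanner scanner = new Scanner(System.in)) {
            for (int iteration = 0; iteration < loop; iteration++) {
                if (iteration == 0) {
                    promptForMissingInputs(scanner);
                } else {
                    TimeUnit.MINUTES.sleep(time);
                }
                Map<String, Object> response = getSamlResponse(client, scanner, oneloginUsernameOrEmail,
                        oneloginPassword, appId, oneloginDomain, mfaVerifyInfo, ip);
                @SuppressWarnings("unchecked") // getSamlResponse stores a Map<String, String> under this key
                Map<String, String> verifyInfo = (Map<String, String>) response.get("mfaVerifyInfo");
                mfaVerifyInfo = verifyInfo;
                // NOTE(review): null when OneLogin reported neither "success" nor a pending MFA;
                // the SAML parsing below then fails rather than reporting it -- confirm desired.
                String samlAssertion = (String) response.get("samlResponse");
                if (iteration == 0) {
                    String selected = selectRole(samlAssertion, scanner);
                    if (!selected.isEmpty()) {
                        String[] pair = selected.split(",");
                        roleArn = pair[0];
                        principalArn = pair[1];
                    }
                    resolveRegion(scanner, defaultRegion);
                }
                // AssumeRoleWithSAML is not signed with caller credentials (the assertion is the
                // credential), so the client is built with empty static credentials on purpose.
                AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                        .withRegion(awsRegion)
                        .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials("", "")))
                        .build();
                AssumeRoleWithSAMLResult result;
                try {
                    result = assumeRole(sts, roleArn, principalArn, samlAssertion, sessionDuration);
                } catch (AWSSecurityTokenServiceException e) {
                    if (!isDurationRejected(e)) {
                        throw e;
                    }
                    System.out.print("Introduce a new value, to be used on this Role, for DurationSeconds between "
                            + MIN_DURATION_SECONDS + " and " + MAX_DURATION_SECONDS + ". Previously was "
                            + sessionDuration + ": ");
                    sessionDuration = getDuration(scanner).intValue();
                    result = assumeRole(sts, roleArn, principalArn, samlAssertion, sessionDuration);
                }
                Credentials credentials = result.getCredentials();
                if (profileName == null && file == null) {
                    printCredentials(credentials, result.getAssumedRoleUser());
                } else {
                    writeProfile(credentials);
                    int remaining = loop - (iteration + 1);
                    if (remaining > 0) {
                        System.out.println("This process will regenerate credentials " + remaining + " more times.\n");
                        System.out.println("Press Ctrl + C to exit");
                    }
                }
            }
        }
    }

    /**
     * Asks interactively for every login input that was not supplied on the command line and
     * echoes the ones that were (except the password).
     *
     * @param scanner reader over standard input, used for all prompts
     */
    private static void promptForMissingInputs(Scanner scanner) {
        System.out.print("OneLogin Username: ");
        if (oneloginUsernameOrEmail == null) {
            oneloginUsernameOrEmail = scanner.next();
        } else {
            System.out.println(oneloginUsernameOrEmail);
        }
        if (oneloginPassword == null) {
            System.out.print("OneLogin Password: ");
            Console console = System.console();
            char[] secret = console == null ? null : console.readPassword();
            if (secret != null) {
                oneloginPassword = String.valueOf(secret);
                Arrays.fill(secret, '\0');
            } else {
                // No console (stdin is a pipe, or an IDE): the password is read with echo on.
                oneloginPassword = scanner.next();
            }
        }
        System.out.print("AWS App ID: ");
        if (appId == null) {
            appId = scanner.next();
        } else {
            System.out.println(appId);
        }
        System.out.print("Onelogin Instance Sub Domain: ");
        if (oneloginDomain == null) {
            oneloginDomain = scanner.next();
        } else {
            System.out.println(oneloginDomain);
        }
    }

    /**
     * Prompts for the AWS region unless {@code --region} was given. Scanner tokens are never
     * empty, so the user types {@code -} to accept the default.
     *
     * @param scanner reader over standard input
     * @param defaultRegion region name used when the user accepts the default
     */
    private static void resolveRegion(Scanner scanner, String defaultRegion) {
        if (awsRegion == null) {
            System.out.print("AWS Region (" + defaultRegion + "): ");
            awsRegion = scanner.next();
            if (awsRegion.isEmpty() || awsRegion.equals(HelpFormatter.DEFAULT_OPT_PREFIX)) {
                awsRegion = defaultRegion;
            }
        } else {
            System.out.println("AWS Region: " + awsRegion);
        }
    }

    /**
     * Splits one value of the SAML Role attribute into the components of its first ARN.
     * The expected shape is {@code arn:aws:iam::ACCOUNT:role/NAME,arn:aws:iam::ACCOUNT:saml-provider/NAME},
     * so index 4 is the account id and index 5 is {@code role/NAME}.
     * NOTE(review): this assumes the role ARN comes before the provider ARN; if the IdP emits
     * the pair the other way round, the displayed name and the assumed role/principal swap --
     * confirm against the IdP configuration.
     */
    private static String[] arnParts(String roleEntry) {
        return roleEntry.split(",")[0].split(":");
    }

    /**
     * Chooses the "roleArn,principalArn" pair to assume from the assertion's Role attribute:
     * auto-selects when exactly one candidate remains after the {@code --aws-account-id} filter,
     * uses {@code --aws-account-id}/{@code --aws-role-name} when they match a listed role, and
     * otherwise prints a numbered table and asks the user.
     *
     * <p>The assertion is only parsed here to list roles; it is constructed without settings and
     * so is not validated locally. STS validates it when it is presented.
     *
     * @param samlAssertion the base64 SAMLResponse returned by OneLogin
     * @param scanner reader over standard input for the interactive selection
     * @return the selected attribute value (possibly empty when the selected entry is empty)
     * @throws Exception when the assertion cannot be parsed
     */
    private static String selectRole(String samlAssertion, Scanner scanner) throws Exception {
        HashMap<String, List<String>> attributes = new SamlResponse(null,
                new HttpRequest("http://example.com").addParameter("SAMLResponse", samlAssertion)).getAttributes();
        if (!attributes.containsKey(ROLE_ATTRIBUTE)) {
            System.out.println("SAMLResponse from Identity Provider does not contain AWS Role info");
            System.exit(1);
        }
        List<String> roles = new ArrayList<String>();
        for (String entry : attributes.get(ROLE_ATTRIBUTE)) {
            if (awsAccountId == null || arnParts(entry)[4].equals(awsAccountId)) {
                roles.add(entry);
            }
        }
        if (roles.size() == 1 && !roles.get(0).isEmpty()) {
            String only = roles.get(0);
            String[] parts = arnParts(only);
            System.out.println("Role selected: " + parts[5].replace("role/", "") + " (Account " + parts[4] + ")");
            return only;
        }
        if (roles.size() <= 1) {
            // Non-zero exit so a wrapping script notices that no credentials were produced.
            System.out.println("SAMLResponse from Identity Provider does not contain available AWS Role for this user");
            System.exit(1);
        }
        System.out.println("\nAvailable AWS Roles");
        System.out.println(SEPARATOR);
        // account id -> (role name -> index in roles), for matching the command-line pair
        Map<String, Map<String, Integer>> indexByAccountAndRole = new HashMap<String, Map<String, Integer>>();
        for (int idx = 0; idx < roles.size(); idx++) {
            String[] parts = arnParts(roles.get(idx));
            String account = parts[4];
            String roleName = parts[5].replace("role/", "");
            System.out.println(" " + idx + " | " + roleName + " (Account " + account + ")");
            Map<String, Integer> byRole = indexByAccountAndRole.get(account);
            if (byRole == null) {
                byRole = new HashMap<String, Integer>();
                indexByAccountAndRole.put(account, byRole);
            }
            byRole.put(roleName, Integer.valueOf(idx));
        }
        Integer choice = null;
        if (awsAccountId != null && awsRoleName != null) {
            Map<String, Integer> byRole = indexByAccountAndRole.get(awsAccountId);
            if (byRole != null) {
                choice = byRole.get(awsRoleName);
            }
        }
        if (choice == null) {
            if (!isBlank(awsAccountId) && !isBlank(awsRoleName)) {
                System.out.println("SAMLResponse from Identity Provider does not contain available AWS Role: "
                        + awsRoleName + " for AWS Account: " + awsAccountId);
            }
            System.out.println(SEPARATOR);
            System.out.print("Select the desired Role [0-" + (roles.size() - 1) + "]: ");
            choice = getSelection(scanner, roles.size());
        }
        return roles.get(choice.intValue());
    }

    /** Issues a single {@code AssumeRoleWithSAML} call with the given session duration. */
    private static AssumeRoleWithSAMLResult assumeRole(AWSSecurityTokenService sts, String roleArn,
            String principalArn, String samlAssertion, int durationSeconds) {
        return sts.assumeRoleWithSAML(new AssumeRoleWithSAMLRequest()
                .withPrincipalArn(principalArn)
                .withRoleArn(roleArn)
                .withSAMLAssertion(samlAssertion)
                .withDurationSeconds(Integer.valueOf(durationSeconds)));
    }

    /**
     * {@code true} when STS rejected the request because DurationSeconds is outside what the
     * role allows, which is the only failure handled by re-prompting.
     */
    private static boolean isDurationRejected(AWSSecurityTokenServiceException e) {
        String message = e.getErrorMessage();
        return message != null
                && (message.contains("'durationSeconds' failed to satisfy constraint")
                        || message.contains("DurationSeconds exceeds"));
    }

    /**
     * Prints the temporary credentials as shell assignments. They go to standard output in
     * clear text, which is the documented behaviour when no profile or file is requested.
     */
    private static void printCredentials(Credentials credentials, AssumedRoleUser assumedRoleUser) {
        // Locale.ROOT keeps the "win" check stable under locales whose lower-case of "I" is not "i".
        String setCommand = System.getProperty("os.name").toLowerCase(Locale.ROOT).contains("win") ? "set" : "export";
        System.out.println("\n" + SEPARATOR + "\n");
        System.out.println("Success!\n");
        System.out.println("Assumed Role User: " + assumedRoleUser.getArn() + "\n");
        System.out.println("Temporary AWS Credentials Granted via OneLogin\n ");
        System.out.println("It will expire at " + credentials.getExpiration());
        System.out.println("Copy/Paste to set these as environment variables\n");
        System.out.println(SEPARATOR + "\n");
        System.out.println(setCommand + " AWS_SESSION_TOKEN=" + credentials.getSessionToken());
        System.out.println();
        System.out.println(setCommand + " AWS_ACCESS_KEY_ID=" + credentials.getAccessKeyId());
        System.out.println();
        System.out.println(setCommand + " AWS_SECRET_ACCESS_KEY=" + credentials.getSecretAccessKey());
        System.out.println();
    }

    /**
     * Writes the temporary credentials and region into the AWS credentials file, replacing the
     * named profile. Missing {@code --file} uses the SDK's default credentials location and a
     * missing {@code --profile} uses {@code default}.
     */
    private static void writeProfile(Credentials credentials) {
        if (file == null) {
            file = AwsProfileFileLocationProvider.DEFAULT_CREDENTIALS_LOCATION_PROVIDER.getLocation();
        }
        if (profileName == null) {
            profileName = "default";
        }
        Map<String, String> properties = new HashMap<String, String>();
        properties.put(ProfileKeyConstants.AWS_ACCESS_KEY_ID, credentials.getAccessKeyId());
        properties.put(ProfileKeyConstants.AWS_SECRET_ACCESS_KEY, credentials.getSecretAccessKey());
        properties.put(ProfileKeyConstants.AWS_SESSION_TOKEN, credentials.getSessionToken());
        properties.put(ProfileKeyConstants.REGION, awsRegion);
        ProfilesConfigFileWriter.modifyOneProfile(file, profileName, new Profile(profileName, properties, null));
        System.out.println("\n" + SEPARATOR);
        System.out.println("Success!\n");
        System.out.println("Temporary AWS Credentials Granted via OneLogin\n");
        System.out.println("Updated AWS profile '" + profileName + "' located at " + file.getAbsolutePath());
    }

    /**
     * Reads tokens from {@code scanner} until one is an integer in {@code [0, i)}.
     * Non-numeric input is rejected with the same message as an out-of-range number instead
     * of terminating the program.
     *
     * @param scanner reader over standard input
     * @param i exclusive upper bound (number of choices)
     * @return the accepted index
     */
    public static Integer getSelection(Scanner scanner, int i) {
        while (true) {
            String token = scanner.next();
            try {
                int choice = Integer.parseInt(token);
                if (choice >= 0 && choice < i) {
                    return Integer.valueOf(choice);
                }
            } catch (NumberFormatException ignored) {
                // not a number: fall through to the retry message
            }
            System.out.println("Wrong number, add a number between 0 - " + (i - 1));
        }
    }

    /**
     * Authenticates against OneLogin and returns the SAML assertion, completing MFA
     * interactively when required.
     *
     * <p>Returned map: {@code "samlResponse"} (the base64 assertion) and {@code "mfaVerifyInfo"}
     * (a {@code Map<String, String>} with {@code otpToken}, {@code stateToken} and
     * {@code deviceId}, or the {@code map} argument when no MFA was involved). The map is empty
     * when OneLogin reports a type other than {@code success}.
     *
     * @param client OneLogin API client
     * @param scanner reader over standard input for the device/OTP prompts
     * @param str OneLogin username or e-mail
     * @param str2 OneLogin password
     * @param str3 OneLogin application id of the AWS app
     * @param str4 OneLogin subdomain
     * @param map MFA details remembered from a previous call, or {@code null} to prompt
     * @param str5 IP address reported by the client, forwarded to OneLogin
     * @return see above
     * @throws Exception propagated from the OneLogin client or while sleeping
     */
    public static Map<String, Object> getSamlResponse(Client client, Scanner scanner, String str, String str2,
            String str3, String str4, Map<String, String> map, String str5) throws Exception {
        Map<String, Object> result = new HashMap<String, Object>();
        SAMLEndpointResponse assertionResponse = client.getSAMLAssertion(str, str2, str3, str4, str5);
        // OneLogin answers "pending" while the login is still being processed; poll until it settles.
        while ("pending".equals(assertionResponse.getType())) {
            TimeUnit.SECONDS.sleep(30L);
            assertionResponse = client.getSAMLAssertion(str, str2, str3, str4, str5);
        }
        if (!"success".equals(assertionResponse.getType())) {
            return result;
        }
        MFA mfa = assertionResponse.getMFA();
        if (mfa == null) {
            result.put("samlResponse", assertionResponse.getSAMLResponse());
            result.put("mfaVerifyInfo", map);
            return result;
        }
        List<Device> devices = mfa.getDevices();
        Map<String, String> verifyInfo = map;
        String deviceId = null;
        if (verifyInfo == null) {
            System.out.println();
            System.out.println("MFA Required");
            System.out.println("Authenticate using one of these devices:");
        } else {
            deviceId = verifyInfo.get("deviceId");
            // A remembered device that is missing or no longer enrolled forces a fresh selection.
            if (deviceId == null || !checkDeviceExists(devices, Long.valueOf(Long.parseLong(deviceId))).booleanValue()) {
                System.out.println();
                System.out.println("The device selected with ID " + deviceId + " is not available anymore");
                System.out.println("Those are the devices available now:");
                verifyInfo = null;
            }
        }
        String otpToken;
        String stateToken;
        if (verifyInfo == null) {
            System.out.println(SEPARATOR);
            int selection;
            if (devices.size() == 1) {
                selection = 0;
            } else {
                for (int idx = 0; idx < devices.size(); idx++) {
                    System.out.println(" " + idx + " | " + devices.get(idx).getType());
                }
                System.out.println(SEPARATOR);
                System.out.print("\nSelect the desired MFA Device [0-" + (devices.size() - 1) + "]: ");
                selection = getSelection(scanner, devices.size()).intValue();
            }
            Device device = devices.get(selection);
            deviceId = String.valueOf(device.getID());
            System.out.print("Enter the OTP Token for " + device.getType() + ": ");
            otpToken = scanner.next();
            stateToken = mfa.getStateToken();
            verifyInfo = new HashMap<String, String>();
            verifyInfo.put("otpToken", otpToken);
            verifyInfo.put("stateToken", stateToken);
            // Remembered so the next iteration can re-check the device instead of failing on a null id.
            verifyInfo.put("deviceId", deviceId);
        } else {
            otpToken = verifyInfo.get("otpToken");
            stateToken = verifyInfo.get("stateToken");
        }
        return verifyToken(client, scanner, str3, deviceId, stateToken, otpToken, verifyInfo);
    }

    /**
     * Reads tokens from {@code scanner} until one is an integer within the STS DurationSeconds
     * range. Non-numeric tokens are rejected with the same prompt as out-of-range values.
     *
     * @param scanner reader over standard input
     * @return the accepted duration in seconds
     */
    public static Integer getDuration(Scanner scanner) {
        boolean firstAttempt = true;
        while (true) {
            if (!firstAttempt) {
                System.out.println("Wrong value, insert a value between 900 and 43200: ");
            }
            firstAttempt = false;
            try {
                int value = Integer.parseInt(scanner.next());
                if (value >= MIN_DURATION_SECONDS && value <= MAX_DURATION_SECONDS) {
                    return Integer.valueOf(value);
                }
            } catch (NumberFormatException ignored) {
                // not a number: prompt again on the next pass
            }
        }
    }

    /**
     * Convenience overload of
     * {@link #getSamlResponse(Client, Scanner, String, String, String, String, Map, String)}
     * that sends no IP address.
     */
    public static Map<String, Object> getSamlResponse(Client client, Scanner scanner, String str, String str2,
            String str3, String str4, Map<String, String> map) throws Exception {
        return getSamlResponse(client, scanner, str, str2, str3, str4, map, null);
    }

    /**
     * Whether a device with the given id is among {@code list}.
     *
     * @param list enrolled MFA devices
     * @param l device id to look for
     * @return {@code Boolean.TRUE} when found
     */
    public static Boolean checkDeviceExists(List<Device> list, Long l) {
        for (Device device : list) {
            if (device.getID() == l.longValue()) {
                return Boolean.TRUE;
            }
        }
        return Boolean.FALSE;
    }

    /**
     * Submits the OTP to OneLogin and, on failure, keeps asking for a new token until one is
     * accepted. Written as a loop rather than the earlier recursion so a long run of bad tokens
     * cannot grow the stack.
     *
     * <p>NOTE(review): every exception from the client is reported as an invalid token, so a
     * transport or API error also ends in the re-prompt loop -- narrowing the catch needs the
     * client's exception types, which are not visible here.
     *
     * @param client OneLogin API client
     * @param scanner reader over standard input for the re-prompt
     * @param str OneLogin application id
     * @param str2 MFA device id
     * @param str3 MFA state token
     * @param str4 OTP entered by the user
     * @param map MFA details to return; its {@code otpToken} is updated with the accepted token
     * @return {@code "samlResponse"} and {@code "mfaVerifyInfo"} as described on
     *     {@link #getSamlResponse(Client, Scanner, String, String, String, String, Map, String)}
     */
    public static Map<String, Object> verifyToken(Client client, Scanner scanner, String str, String str2,
            String str3, String str4, Map<String, String> map) {
        Map<String, String> verifyInfo = map == null ? new HashMap<String, String>() : map;
        String otpToken = str4;
        while (true) {
            try {
                SAMLEndpointResponse verified = client.getSAMLAssertionVerifying(str, str2, str3, otpToken, null);
                verifyInfo.put("otpToken", otpToken);
                Map<String, Object> result = new HashMap<String, Object>();
                result.put("samlResponse", verified.getSAMLResponse());
                result.put("mfaVerifyInfo", verifyInfo);
                return result;
            } catch (Exception e) {
                System.out.print("The OTP Token was invalid, please introduce a new one: ");
                otpToken = scanner.next();
            }
        }
    }
}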
