package com.amazon.servicecatalog.terraform.customresource;

import com.amazon.servicecatalog.terraform.customresource.facades.CloudFormationFacade;
import com.amazon.servicecatalog.terraform.customresource.facades.StsFacade;
import com.amazon.servicecatalog.terraform.customresource.fulfillment.CommandSender;
import com.amazon.servicecatalog.terraform.customresource.fulfillment.EnvConfig;
import com.amazon.servicecatalog.terraform.customresource.model.CustomResourceRequest;
import com.amazon.servicecatalog.terraform.customresource.model.RequestType;
import com.amazon.servicecatalog.terraform.customresource.model.TerraformResourceProperties;
import com.amazon.servicecatalog.terraform.customresource.model.sns.SnsRecordContent;
import com.amazon.servicecatalog.terraform.customresource.util.ArnParser;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestStreamHandler;
import com.amazonaws.services.s3.AmazonS3URI;
import com.google.common.base.Splitter;
import com.google.common.io.CharStreams;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/amazon/servicecatalog/terraform/customresource/TerraformRequestHandler.class */
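/**
 * Lambda entry point for Terraform custom-resource requests delivered through SNS.
 *
 * <p>The order of checks is security-relevant and is fixed here:
 * <ol>
 *   <li>the SNS signature is verified before any field of the message is used;</li>
 *   <li>the launch role's account is compared with the sender account before any
 *       credential is assumed;</li>
 *   <li>the artifact location is checked against the allow-listed bucket before a
 *       command is dispatched.</li>
 * </ol>
 * Failures after step 1 are reported to CloudFormation through {@link ResponsePoster}.
 * A request whose signature does not verify is dropped <em>without</em> a response: the
 * response URL it carries is unauthenticated, and posting to it would let anyone who can
 * reach this function's trigger turn it into an arbitrary-URL requester.
 */
public class TerraformRequestHandler implements RequestStreamHandler {
    private static final Logger log = LogManager.getLogger(TerraformRequestHandler.class);

    /**
     * Handles one Lambda invocation.
     *
     * @param inputStream  raw SNS event JSON from the Lambda runtime
     * @param outputStream unused; outcomes are reported to CloudFormation, not returned
     * @param context      Lambda context, used to derive the STS external id
     */
    @Override
    public void handleRequest(InputStream inputStream, OutputStream outputStream, Context context) {
        String requestString = toRequestString(inputStream);
        // The raw payload is everything CloudFormation sent, including the response URL.
        // Keep it at TRACE so it is not captured at default log levels.
        log.trace("Original unparsed input:\n" + requestString);

        SnsRecordContent snsRecordContent;
        try {
            snsRecordContent = CustomResourceMarshaller.readSnsRecordContent(requestString, false);
        } catch (RuntimeException e) {
            log.error("Failed to parse request.", e);
            postParseFailureBestEffort(requestString, e);
            return;
        }

        // Authenticate the envelope before trusting anything inside it.
        if (!isSignatureValid(snsRecordContent)) {
            return;
        }

        CustomResourceRequest request;
        try {
            request = CustomResourceMarshaller.readCustomResourceRequest(snsRecordContent, false);
        } catch (RuntimeException e) {
            log.error("Failed to parse request.", e);
            postParseFailureBestEffort(requestString, e);
            return;
        }

        try {
            TerraformResourceProperties resourceProperties = request.getResourceProperties();
            resourceProperties.validateFields();
            // Must run before handle(), which assumes the LaunchRoleArn.
            verifyNoCrossAccountAccess(resourceProperties, snsRecordContent);
            handle(context, request);
        } catch (RuntimeException e) {
            // Report back so the stack does not hang until the custom-resource timeout.
            // e.getMessage() is what the stack owner sees; keep internal detail out of it.
            ResponsePoster.postFailure(request, e.getMessage());
            log.error("Unexpected error encountered when handling the request.", e);
        }
    }

    /**
     * Verifies the SNS signature of the envelope.
     *
     * @return {@code true} when {@link CustomResourceMarshaller#verifySnsSignature} accepts
     *         the record; {@code false} (after logging) when it throws
     */
    private static boolean isSignatureValid(SnsRecordContent snsRecordContent) {
        try {
            CustomResourceMarshaller.verifySnsSignature(snsRecordContent);
            return true;
        } catch (RuntimeException e) {
            log.error("SNS signature verification failed; request dropped without posting a response.", e);
            return false;
        }
    }

    /**
     * Best-effort failure report for a request that did not parse strictly.
     *
     * <p>The request is re-read leniently so a response target can be recovered, but a
     * failure is only posted once the SNS signature verifies; an unauthenticated request
     * gets no response at all. If lenient parsing or verification also fails, the error is
     * logged and the stack is left to time out.
     * NOTE(review): if lenient parsing drops fields that signature verification needs,
     * this path will decline to post where the previous code did — confirm against the
     * marshaller.
     *
     * @param requestString raw event text
     * @param parseError    the strict-parse failure being reported
     */
    private static void postParseFailureBestEffort(String requestString, RuntimeException parseError) {
        try {
            SnsRecordContent lenientRecord = CustomResourceMarshaller.readSnsRecordContent(requestString, true);
            if (!isSignatureValid(lenientRecord)) {
                return;
            }
            CustomResourceRequest lenientRequest =
                    CustomResourceMarshaller.readCustomResourceRequest(lenientRecord, true);
            ResponsePoster.postFailure(lenientRequest, "Failed to parse request: " + parseError.getMessage());
        } catch (RuntimeException e) {
            log.error("Unexpected error parsing request or posting failure response.", e);
        }
    }

    /**
     * Dispatches an authenticated, validated request.
     *
     * <p>Launch-role credentials are obtained through STS with an external id derived from
     * the Lambda context (presumably the confused-deputy guard on the launch role's trust
     * policy — see StsFacade). On an UPDATE whose stack is already in update-rollback,
     * success is posted immediately so the rollback can finish; otherwise the artifact
     * source is checked against the allow-listed bucket and the command is sent.
     *
     * @param context               Lambda context
     * @param customResourceRequest the parsed, signature-verified request
     */
    private void handle(Context context, CustomResourceRequest customResourceRequest) {
        EnvConfig envConfig = EnvConfig.fromEnvironmentVariables();
        String externalId = StsFacade.getExternalId(context);
        AWSCredentialsProvider launchRoleCredentials = getLaunchRoleCredentials(externalId, customResourceRequest);
        CloudFormationFacade cfnFacade = getCfnFacade(customResourceRequest, launchRoleCredentials);

        boolean isUpdate = customResourceRequest.getRequestType() == RequestType.UPDATE;
        if (isUpdate && cfnFacade.isStackInUpdateRollback(customResourceRequest.getStackId())) {
            // Nothing to apply while the stack unwinds; acknowledge so the rollback completes.
            ResponsePoster.postSuccess(customResourceRequest);
            return;
        }
        // Bucket check deliberately stays after the rollback short-circuit (as before) so a
        // rollback is never blocked by a bad artifact URL.
        verifyWhitelistedTerraformArtifactSource(customResourceRequest.getResourceProperties(), envConfig);
        new CommandSender(customResourceRequest, envConfig, externalId).sendCommand();
    }

    /**
     * Reads the whole input stream as UTF-8 text.
     *
     * @throws UncheckedIOException (a RuntimeException, as before) if reading fails
     */
    private String toRequestString(InputStream inputStream) {
        try (InputStreamReader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
            return CharStreams.toString(reader);
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to read request body", e);
        }
    }

    /**
     * Assumes the launch role named in the request, scoped by the given external id.
     *
     * @param externalId            STS external id for the AssumeRole call
     * @param customResourceRequest request carrying the LaunchRoleArn
     */
    private static AWSCredentialsProvider getLaunchRoleCredentials(String externalId, CustomResourceRequest customResourceRequest) {
        String launchRoleArn = customResourceRequest.getResourceProperties().getLaunchRoleArn();
        return new StsFacade().getCredentialsProvider(launchRoleArn, externalId);
    }

    /**
     * Builds a CloudFormation client in the region of the requesting stack.
     *
     * @throws IllegalArgumentException if the StackId has no region component or the region
     *         name is unknown to the SDK
     */
    private static CloudFormationFacade getCfnFacade(CustomResourceRequest customResourceRequest, AWSCredentialsProvider credentialsProvider) {
        // arn:partition:cloudformation:region:account:stack/name/id -> region is component 3
        String stackId = customResourceRequest.getStackId();
        List<String> arnParts = Splitter.on(':').splitToList(stackId);
        if (arnParts.size() < 4) {
            throw new IllegalArgumentException("StackId is not a CloudFormation stack ARN: " + stackId);
        }
        return new CloudFormationFacade(Regions.fromName(arnParts.get(3)), credentialsProvider);
    }

    /**
     * Rejects any TerraformArtifactUrl whose bucket is not the single configured bucket.
     *
     * <p>Exact-match on the bucket name only; keys are not constrained here. Fails closed
     * when the allow-listed bucket is not configured at all.
     *
     * @throws RuntimeException with a user-facing reason when the URL is malformed or
     *         points at another bucket
     */
    private void verifyWhitelistedTerraformArtifactSource(TerraformResourceProperties terraformResourceProperties, EnvConfig envConfig) {
        String allowedBucket = envConfig.getTerraformArtifactS3Bucket();
        if (allowedBucket == null || allowedBucket.isEmpty()) {
            throw new IllegalStateException("TerraformArtifactS3Bucket is not configured; refusing all artifact URLs.");
        }
        String requestedBucket;
        try {
            requestedBucket = new AmazonS3URI(terraformResourceProperties.getTerraformArtifactUrl()).getBucket();
        } catch (IllegalArgumentException e) {
            throw new RuntimeException("Invalid TerraformArtifactUrl. " + e.getMessage());
        }
        // allowedBucket.equals(null) is false, so a URL with no bucket is rejected too.
        if (!allowedBucket.equals(requestedBucket)) {
            throw new RuntimeException(String.format("Invalid TerraformArtifactUrl. TerraformArtifacts must be contained in the following bucket: %s", allowedBucket));
        }
    }

    /**
     * Ensures the LaunchRoleArn lives in the same account as the sender of the SNS message,
     * so a request cannot assume a role in some other account this function can reach.
     *
     * <p>The sender account is taken from the {@code AccountId} SNS message attribute.
     * NOTE(review): this guard is only as strong as that attribute — confirm it is set by a
     * trusted publishing path (and is not simply caller-supplied) before relying on it.
     *
     * @throws RuntimeException if the attribute is absent or the accounts differ
     */
    private void verifyNoCrossAccountAccess(TerraformResourceProperties terraformResourceProperties, SnsRecordContent snsRecordContent) {
        String senderAccountId = Optional.ofNullable(snsRecordContent.getMessageAttributes())
                .map(attributes -> (SnsRecordContent.AttributeValue) attributes.get(TerraformLaunchRequestHandler.ACCOUNT_ID_ATTRIBUTE_KEY))
                .map(SnsRecordContent.AttributeValue::getValue)
                .orElseThrow(() -> new RuntimeException("SNS input message does not contain AccountId attribute"));
        String launchRoleAccountId = ArnParser.getAccountId(terraformResourceProperties.getLaunchRoleArn());
        if (!senderAccountId.equals(launchRoleAccountId)) {
            throw new RuntimeException("To prevent permissions escalation TerraformStacks cannot use a LaunchRoleArn that references another account.");
        }
    }
}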
