package com.amazon.aes.webservices.client.cmd;

import com.amazon.aes.service.S3Connection;
import com.amazon.aes.service.impl.S3ServiceImpl;
import com.amazon.aes.util.LangUtils;
import com.amazon.aes.util.S3Utils;
import com.amazon.aes.util.XmlUtils;
import com.amazon.aes.webservices.client.BundleInstanceTask;
import com.amazon.aes.webservices.client.Jec2;
import com.amazon.aes.webservices.client.RequestResult;
import com.amazon.aes.webservices.client.RequestResultPair;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Calendar;
import java.util.Formatter;
import java.util.Locale;
import java.util.TimeZone;
import java.util.concurrent.Callable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.contrib.amazon.ssl.StrictSSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.HeadMethod;
import org.apache.commons.httpclient.methods.PutMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import sun.misc.BASE64Encoder;

/* loaded from: input_file:com/amazon/aes/webservices/client/cmd/BundleInstance.class */
public class BundleInstance extends BaseCmd {
    private static final String PREFIX_DESC = "Prefix for the image component names being store in S3.";
    private static final String BUCKET_DESC = "S3 bucket in which to place the image components. Bucket name should be in lower case.";
    private static final String LOCATION_DESC = "The location of the destination Amazon S3 bucket";
    private static final String LOCATION = "location";
    private static final String EXPIRES_ARG = "HOURS";
    private static final String POLICY_SIGNATURE_ARG = "POLICY-SIG";
    private static final String POLICY_ARG = "POLICY";
    private static final String OWNER_SAK_ARG = "OWNER-SECRET-KEY";
    private static final String OWNER_AKID_ARG = "OWNER-ACCESS-KEY";
    private static final String PREFIX_ARG = "PREFIX";
    private static final String BUCKET_ARG = "BUCKET";
    protected static final String HMAC_SHA1_ALGORITHM = "HmacSHA1";
    protected static final String DEFAULT_VALIDITY = "24";
    protected static final String BUNDLE_USER_SHORT = "ec2-bundled-images";
    protected static final String BUNDLE_USER_LONG = "ec2-bundled-images@amazon.com";
    protected static final String EC2_CANNED_ACL = "ec2-bundle-read";
    protected static final String GRANT = "<AccessControlList><Grant><Grantee xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AmazonCustomerByEmail\"><EmailAddress>ec2-bundled-images@amazon.com</EmailAddress></Grantee><Permission>READ</Permission></Grant></AccessControlList>";
    private String location;
    private static final String[] POLICY_DESC = {"Plaintext or base-64 encoded upload policy for S3, allowing EC2 to place items", "into S3 on the user's behalf. If this is not given, --owner-sak is required", "and an upload policy is generated and signed automatically. For more information ", "on upload policies see the Amazon S3 Developer Guide."};
    private static final String[] NO_BUCKET_SETUP_DESC = {"If the S3 bucket doesn't exist, don't create it. If the permissions aren't correct, don't attempt to fix them."};
    private static final String[] POLICY_SIGNATURE_DESC = {"Base-64 encoded signature for the S3 upload policy. If --policy is given", "but this is omitted, --owner-sak is required and the policy is signed", "using that value."};
    protected static final Pattern BASE64_RE = Pattern.compile("[a-zA-Z0-9/+=\\s]*");
    private static final String[] EXPIRES_DESC = {"Validity period for a generate upload policy, in hours. Defaults to 24."};
    private static final Pattern EC2_URL_PATTERN = Pattern.compile("https?://(([^.]*)\\.?)ec2\\.amazonaws.com");
    protected static final S3ServiceImpl s3Service = new S3ServiceImpl();

    public BundleInstance(String[] strArr) {
        super("ec2bundle", "ec2-bundle-instance");
        init(getOptions());
        parseOpts(strArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazon.aes.webservices.client.cmd.BaseCmd
    public void parseOpts(String[] strArr) {
        super.parseOpts(strArr);
        this.location = getOptionValue(LOCATION);
        if (this.location != null && !this.location.equals("EU") && !this.location.equals("US")) {
            throw new InvalidArgument(LOCATION, this.location);
        }
    }

    private Options getOptions() {
        Options options = new Options();
        OptionBuilder.withLongOpt(BaseCmd.BUCKET);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(BUCKET_DESC);
        OptionBuilder.withArgName("BUCKET");
        options.addOption(OptionBuilder.create("b"));
        OptionBuilder.withLongOpt(BaseCmd.PREFIX);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(PREFIX_DESC);
        OptionBuilder.withArgName("PREFIX");
        options.addOption(OptionBuilder.create("p"));
        OptionBuilder.withLongOpt(BaseCmd.OWNER_AKID);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(BaseCmd.OWNER_AKID_DESC);
        OptionBuilder.withArgName(OWNER_AKID_ARG);
        options.addOption(OptionBuilder.create("o"));
        OptionBuilder.withLongOpt(BaseCmd.OWNER_SAK);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(OWNER_SAK_DESC);
        OptionBuilder.withArgName(OWNER_SAK_ARG);
        options.addOption(OptionBuilder.create("w"));
        OptionBuilder.withLongOpt(BaseCmd.POLICY);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(joinDescription(POLICY_DESC));
        OptionBuilder.withArgName(POLICY_ARG);
        options.addOption(OptionBuilder.create("c"));
        OptionBuilder.withLongOpt(BaseCmd.POLICY_SIGNATURE);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(joinDescription(POLICY_SIGNATURE_DESC));
        OptionBuilder.withArgName(POLICY_SIGNATURE_ARG);
        options.addOption(OptionBuilder.create("s"));
        OptionBuilder.withLongOpt(BaseCmd.EXPIRES);
        OptionBuilder.hasArgs();
        OptionBuilder.withDescription(joinDescription(EXPIRES_DESC));
        OptionBuilder.withArgName(EXPIRES_ARG);
        options.addOption(OptionBuilder.create("x"));
        OptionBuilder.withLongOpt(BaseCmd.NO_BUCKET_SETUP);
        OptionBuilder.withDescription(joinDescription(NO_BUCKET_SETUP_DESC));
        options.addOption(OptionBuilder.create("B"));
        options.addOption((String) null, LOCATION, true, LOCATION_DESC);
        return options;
    }

    @Override // com.amazon.aes.webservices.client.cmd.BaseCmd
    protected String getOptionString() {
        return "-b BUCKET -p PREFIX -o OWNER-AKID (-c POLICY | -w OWNER-ACCESS-KEY) [OPTIONS] INSTANCE";
    }

    @Override // com.amazon.aes.webservices.client.cmd.BaseCmd
    public void printOptions() {
        super.printOptions();
        printOption(BaseCmd.BUCKET);
        printOption(BaseCmd.PREFIX);
        printOption(BaseCmd.OWNER_AKID);
        printOption(BaseCmd.OWNER_SAK);
        printOption(BaseCmd.POLICY);
        printOption(BaseCmd.POLICY_SIGNATURE);
        printOption(BaseCmd.EXPIRES);
        printOption(BaseCmd.NO_BUCKET_SETUP);
        printOption(LOCATION);
    }

    @Override // com.amazon.aes.webservices.client.cmd.BaseCmd
    public void printDescription() {
        super.printDescription();
        System.out.println("     Bundle a running instance into an AMI upon next reboot and");
        System.out.println("     store the image components in S3. Items are stored in S3 on");
        System.out.println("     the user's behalf using a signed S3 upload policy.");
        System.out.println();
        System.out.println("     An upload policy and corresponding signature can be specified");
        System.out.println("     as parameters or generated automatically if the Secret Access");
        System.out.println("     Key for the owner of the S3 bucket is available. The generated");
        System.out.println("     policy is valid for 24 hours by default. Alternatively, if a");
        System.out.println("     policy and Secret Access Key are given, the provided policy is");
        System.out.println("     signed and used.");
        System.out.println();
        System.out.println("     If a policy is generated, use --verbose to display the policy.");
        System.out.println();
        System.out.println("     The S3 bucket is created if it does not exist and the user");
        System.out.println("     ec2-bundled-images@amazon.com is granted read permissions on the");
        System.out.println("     entire bucket. To skip these checks, use --no-bucket-setup.");
    }

    @Override // com.amazon.aes.webservices.client.cmd.BaseCmd
    protected boolean invokeOnline(Jec2 jec2, Outputter outputter) throws Exception {
        BasicSessionCredentials basicSessionCredentials;
        String base64Encode;
        String signUploadPolicy;
        assertNonOptionSet(BaseCmd.INSTANCE_ARG);
        String str = getNonOptions()[0];
        assertOptionSet(BaseCmd.BUCKET);
        assertOptionSet(BaseCmd.PREFIX);
        warnIfTooManyNonOptions();
        String optionValue = getOptionValue(BaseCmd.BUCKET);
        if (!optionValue.toLowerCase().equals(optionValue)) {
            throw new InvalidArgumentCombination("Bucket name should be lower case");
        }
        String optionValue2 = getOptionValue(BaseCmd.PREFIX);
        if (isOptionSet(BaseCmd.OWNER_AKID)) {
            basicSessionCredentials = new BasicSessionCredentials(getOptionValue(BaseCmd.OWNER_AKID), getOptionValue(BaseCmd.OWNER_SAK), (String) null);
        } else if (isOptionSet(BaseCmd.AWS_ACCESS_KEY)) {
            basicSessionCredentials = new BasicSessionCredentials(getOptionValue(BaseCmd.AWS_ACCESS_KEY), getOptionValue(BaseCmd.AWS_SECRET_KEY), getOptionValue(BaseCmd.AWS_DELEGATION_TOKEN));
        } else {
            try {
                basicSessionCredentials = new InstanceProfileCredentialsProvider().getCredentials();
            } catch (Exception e) {
                basicSessionCredentials = null;
                assertOptionSet(BaseCmd.OWNER_AKID);
            }
        }
        if (isOptionSet(BaseCmd.POLICY)) {
            base64Encode = ensureBase64(getOptionValue(BaseCmd.POLICY));
            if (isOptionSet(BaseCmd.POLICY_SIGNATURE)) {
                signUploadPolicy = getOptionValue(BaseCmd.POLICY_SIGNATURE);
            } else {
                if (!isOptionSet(BaseCmd.OWNER_SAK)) {
                    throw new InvalidArgumentCombination("Given --policy but missing --policy-signature or --owner-sak");
                }
                signUploadPolicy = signUploadPolicy(base64Encode, getOptionValue(BaseCmd.OWNER_SAK));
            }
        } else {
            if (isOptionSet(BaseCmd.POLICY_SIGNATURE)) {
                throw new InvalidArgumentCombination("Given --policy-signature but missing --policy");
            }
            if (!isOptionSet(BaseCmd.OWNER_SAK)) {
                throw new MissingAtLeastOneArgument(new String[]{BaseCmd.POLICY, BaseCmd.OWNER_SAK});
            }
            base64Encode = base64Encode(generateUploadPolicy(optionValue, optionValue2, getPolicyValidity()));
            signUploadPolicy = signUploadPolicy(base64Encode, getOptionValue(BaseCmd.OWNER_SAK));
        }
        if (!isOptionSet(BaseCmd.NO_BUCKET_SETUP)) {
            setupS3Client();
            validateBucket(optionValue, basicSessionCredentials);
        }
        RequestResultPair bundleInstance = jec2.bundleInstance(str, basicSessionCredentials.getAWSAccessKeyId(), optionValue, optionValue2, base64Encode, signUploadPolicy);
        outputter.output(System.out, (BundleInstanceTask) bundleInstance.getResponse());
        outputter.printRequestId(System.out, (RequestResult) bundleInstance);
        return true;
    }

    protected void setupS3Client() {
        final String property = System.getProperty("https.proxyHost", null);
        final int intValue = Integer.getInteger("https.proxyPort", 8080).intValue();
        if (property != null) {
            if (isOptionSet(BaseCmd.VERBOSE)) {
                System.err.println("Using S3 proxy [" + property + ":" + intValue + "]");
            }
            final String property2 = System.getProperty("http.proxyUser", null);
            final String property3 = System.getProperty("http.proxyPass", null);
            if (property2 != null && isOptionSet(BaseCmd.VERBOSE)) {
                System.err.println("Using S3 proxy credentials [" + property2 + "@" + property3 + "] for all realms");
            }
            S3Utils.setGetClient(new Callable<HttpClient>() { // from class: com.amazon.aes.webservices.client.cmd.BundleInstance.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public HttpClient call() throws Exception {
                    Protocol.registerProtocol("https", new Protocol("https", new StrictSSLProtocolSocketFactory(!"false".equals(System.getProperty("soap.checkHostName"))), 443));
                    HttpClient httpClient = new HttpClient();
                    httpClient.getHostConfiguration().setProxy(property, intValue);
                    if (property2 != null) {
                        httpClient.getParams().setAuthenticationPreemptive(true);
                        httpClient.getState().setProxyCredentials(new AuthScope(AuthScope.ANY_HOST, -1, AuthScope.ANY_REALM), new UsernamePasswordCredentials(property2, property3));
                    }
                    return httpClient;
                }
            });
        }
    }

    protected void validateBucket(String str, AWSCredentials aWSCredentials) throws IOException {
        if (null != aWSCredentials) {
            ensureBucketReadPerms(str, aWSCredentials);
        } else {
            checkBucketExists(str);
        }
    }

    protected void checkBucketExists(String str) throws IOException {
        if (isOptionSet(BaseCmd.VERBOSE)) {
            System.err.println("Checking S3 bucket " + str + " exists.");
        }
        S3ServiceImpl.S3ConnectionHelper connectionHelper = s3Service.getConnectionHelper(str);
        HeadMethod head = S3Utils.head(connectionHelper.getBaseUrl(str), connectionHelper.getBucketName(str), null, null);
        int statusCode = head.getStatusCode();
        if (statusCode == 404) {
            throw new GeneralError("Bucket " + str + " does not exist. Provide --" + BaseCmd.OWNER_SAK + " to create it, or --" + BaseCmd.NO_BUCKET_SETUP + " to ignore this error.");
        }
        if (statusCode / 100 != 2 && statusCode != 403) {
            throw new GeneralError("S3 returned " + statusCode + " (" + head.getStatusText() + ") for bucket " + str + ". Provide --" + BaseCmd.NO_BUCKET_SETUP + " to ignore this error.");
        }
        if (isOptionSet(BaseCmd.VERBOSE)) {
            System.err.println("S3 returned " + statusCode + " for bucket " + str + ". Okay.");
        }
    }

    protected void ensureBucketReadPerms(String str, AWSCredentials aWSCredentials) throws IOException {
        String responseBodyAsString;
        if (isOptionSet(BaseCmd.VERBOSE)) {
            System.err.println("Checking permissions of S3 bucket " + str);
        }
        S3ServiceImpl.S3ConnectionHelper connectionHelper = s3Service.getConnectionHelper(str);
        GetMethod getMethod = S3Utils.get(connectionHelper.getBaseUrl(str) + "?acl", connectionHelper.getBucketName(str), "acl", aWSCredentials);
        int statusCode = getMethod.getStatusCode();
        if (statusCode == 200) {
            responseBodyAsString = getMethod.getResponseBodyAsString();
        } else {
            if (statusCode == 403) {
                throw new GeneralError("S3 returned " + statusCode + " for ACL on bucket " + str + ". Are your access key and secret access key correct?");
            }
            if (statusCode != 404) {
                throw new GeneralError("S3 returned " + statusCode + " (" + getMethod.getStatusText() + ") for ACL on bucket " + str + ". Use --" + BaseCmd.NO_BUCKET_SETUP + " to ignore this error.");
            }
            if (isOptionSet(BaseCmd.VERBOSE)) {
                System.err.println("Creating bucket " + str);
            }
            if (LangUtils.isEmpty(this.location)) {
                this.location = guessLocation();
                if (isOptionSet(BaseCmd.VERBOSE)) {
                    System.out.println("Location not specified. Guessing by EC2 region: " + this.location);
                }
            }
            if (isOptionSet(BaseCmd.VERBOSE)) {
                System.out.println("Bucket " + str + " does not exist. Creating it with location " + (this.location == null ? "none" : this.location) + ".");
            }
            S3Connection.OperationResult createBucket = s3Service.makeS3Connection(aWSCredentials, str).createBucket(this.location);
            if (S3Connection.OperationCode.OK != createBucket.getOperationCode()) {
                throw new GeneralError("Creating S3 bucket " + str + " failed (" + createBucket + "). Use --" + BaseCmd.NO_BUCKET_SETUP + " to ignore this error.");
            }
            if (isOptionSet(BaseCmd.VERBOSE)) {
                System.err.println("Checking permissions of newly created S3 bucket " + str);
            }
            GetMethod getMethod2 = S3Utils.get(connectionHelper.getBaseUrl(str) + "?acl", connectionHelper.getBucketName(str), "acl", aWSCredentials);
            if (getMethod2.getStatusCode() != 200) {
                throw new GeneralError("S3 returned " + statusCode + " (" + getMethod2.getStatusText() + ") when trying to get ACL on newly-created bucket " + str + ".");
            }
            responseBodyAsString = getMethod2.getResponseBodyAsString();
        }
        Document parseDocument = parseDocument(responseBodyAsString);
        if (hasReadPerms(parseDocument)) {
            return;
        }
        if (isOptionSet(BaseCmd.VERBOSE)) {
            System.err.println("Giving ec2-bundled-images@amazon.com read permissions on S3 bucket " + str);
        }
        addReadPerms(parseDocument);
        PutMethod put = S3Utils.put(connectionHelper.getBaseUrl(str) + "?acl", connectionHelper.getBucketName(str), "acl", XmlUtils.toXmlString(parseDocument, true), aWSCredentials);
        int statusCode2 = put.getStatusCode();
        if (statusCode2 != 200) {
            if (isOptionSet(BaseCmd.VERBOSE)) {
                System.err.println("S3 response: \n" + put.getResponseBodyAsString());
            }
            throw new GeneralError("S3 returned " + statusCode2 + " (" + put.getStatusText() + ") when setting ACL on bucket " + str + ".");
        }
    }

    protected void addReadPerms(Document document) {
        Node item;
        Node firstChild = parseDocument(GRANT).getFirstChild();
        if (document.getElementsByTagName("AccessControlList").getLength() == 0) {
            item = document.getElementsByTagName("AccessControlPolicy").item(0);
        } else {
            item = document.getElementsByTagName("AccessControlList").item(0);
            firstChild = firstChild.getFirstChild();
        }
        item.appendChild(document.importNode(firstChild, true));
    }

    protected boolean hasReadPerms(Document document) {
        try {
            return ((Node) XPathFactory.newInstance().newXPath().evaluate("/AccessControlPolicy/AccessControlList/Grant/Grantee/DisplayName[text()='ec2-bundled-images']", document, XPathConstants.NODE)) != null;
        } catch (XPathExpressionException e) {
            throw new RuntimeException("Error searching bucket ACL", e);
        }
    }

    protected Document parseDocument(String str) {
        try {
            return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new ByteArrayInputStream(str.getBytes()));
        } catch (Exception e) {
            throw new RuntimeException("Error parsing XML", e);
        }
    }

    protected int getPolicyValidity() {
        try {
            int parseInt = Integer.parseInt(getOptionValue(BaseCmd.EXPIRES, DEFAULT_VALIDITY));
            if (parseInt < 1) {
                throw new NumberFormatException();
            }
            return parseInt;
        } catch (NumberFormatException e) {
            throw new InvalidArgument(BaseCmd.EXPIRES, getOptionValue(BaseCmd.EXPIRES));
        }
    }

    protected String ensureBase64(String str) throws UnsupportedEncodingException {
        return !BASE64_RE.matcher(str).matches() ? base64Encode(str) : str;
    }

    protected String guessLocation() {
        String optionValue = getOptionValue(BaseCmd.REGION);
        if (LangUtils.isEmpty(optionValue)) {
            optionValue = getRegionFromUrl(getOptionValue("url"));
        }
        if (optionValue == null || optionValue.length() < 2) {
            throw new RuntimeException("Cannot guess location with this region: " + optionValue);
        }
        return optionValue.substring(0, 2).toUpperCase();
    }

    protected String getRegionFromUrl(String str) {
        Matcher matcher = EC2_URL_PATTERN.matcher(str);
        if (matcher.matches()) {
            return LangUtils.defaultStrIfEmpty(matcher.group(2), "us-east-1");
        }
        return null;
    }

    protected String signUploadPolicy(String str, String str2) throws NoSuchAlgorithmException, InvalidKeyException, UnsupportedEncodingException {
        SecretKeySpec secretKeySpec = new SecretKeySpec(str2.getBytes(), HMAC_SHA1_ALGORITHM);
        Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
        mac.init(secretKeySpec);
        return base64Encode(mac.doFinal(str.getBytes()));
    }

    protected String generateUploadPolicy(String str, String str2, int i) {
        Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
        calendar.add(10, i);
        String str3 = "{\"expiration\": \"" + new Formatter(Locale.US).format("%1$tFT%1$tH:%1$tM:%1$tSZ", calendar) + "\",\"conditions\": [{\"bucket\": \"" + str + "\"},{\"acl\": \"" + EC2_CANNED_ACL + "\"},[\"starts-with\", \"$key\", \"" + str2 + "\"]]}";
        if (isOptionSet(BaseCmd.VERBOSE)) {
            System.err.println("Generated upload policy: " + str3);
        }
        return str3;
    }

    protected String base64Encode(String str) throws UnsupportedEncodingException {
        return base64Encode(str.getBytes("UTF-8"));
    }

    protected String base64Encode(byte[] bArr) {
        return new BASE64Encoder().encodeBuffer(bArr).replaceAll("\\s", "");
    }

    public static void main(String[] strArr) {
        new BundleInstance(strArr).invoke();
    }
}
