<?php

namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Credentials;

use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\CredentialsException;
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Exception\ConnectException;
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Exception\GuzzleException;
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Psr7\Request;
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise;
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise\PromiseInterface;
use DeliciousBrains\WP_Offload_Media\Aws3\Psr\Http\Message\ResponseInterface;
/**
 * Credential provider that fetches container credentials with GET request.
 * container environment variables are used in constructing request URI.
 */
class EcsCredentialProvider
{
    const SERVER_URI = 'http://169.254.170.2';
    const ENV_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
    const ENV_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
    const ENV_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
    const ENV_AUTH_TOKEN_FILE = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE";
    const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
    const EKS_SERVER_HOST_IPV4 = '169.254.170.23';
    const EKS_SERVER_HOST_IPV6 = 'fd00:ec2::23';
    const ENV_RETRIES = 'AWS_METADATA_SERVICE_NUM_ATTEMPTS';
    const DEFAULT_ENV_TIMEOUT = 1.0;
    const DEFAULT_ENV_RETRIES = 3;
    /** @var callable */
    private $client;
    /** @var float|mixed */
    private $timeout;
    /** @var int */
    private $retries;
    /** @var int */
    private $attempts;
    /**
     *  The constructor accepts following options:
     *  - timeout: (optional) Connection timeout, in seconds, default 1.0
     *  - retries: Optional number of retries to be attempted, default 3.
     *  - client: An EcsClient to make request from
     *
     * @param array $config Configuration options
     */
    public function __construct(array $config = [])
    {
        $this->timeout = (float) isset($config['timeout']) ? $config['timeout'] : (\getenv(self::ENV_TIMEOUT) ?: self::DEFAULT_ENV_TIMEOUT);
        $this->retries = (int) isset($config['retries']) ? $config['retries'] : ((int) \getenv(self::ENV_RETRIES) ?: self::DEFAULT_ENV_RETRIES);
        $this->client = $config['client'] ?? \DeliciousBrains\WP_Offload_Media\Aws3\Aws\default_http_handler();
    }
    /**
     * Load container credentials.
     *
     * @return PromiseInterface
     * @throws GuzzleException
     */
    public function __invoke()
    {
        $this->attempts = 0;
        $uri = $this->getEcsUri();
        if ($this->isCompatibleUri($uri)) {
            return Promise\Coroutine::of(function () {
                $client = $this->client;
                $request = new Request('GET', $this->getEcsUri());
                $headers = $this->getHeadersForAuthToken();
                $credentials = null;
                while ($credentials === null) {
                    $credentials = (yield $client($request, ['timeout' => $this->timeout, 'proxy' => '', 'headers' => $headers])->then(function (ResponseInterface $response) {
                        $result = $this->decodeResult((string) $response->getBody());
                        return new Credentials($result['AccessKeyId'], $result['SecretAccessKey'], $result['Token'], \strtotime($result['Expiration']), $result['AccountId'] ?? null);
                    })->otherwise(function ($reason) {
                        $reason = \is_array($reason) ? $reason['exception'] : $reason;
                        $isRetryable = $reason instanceof ConnectException;
                        if ($isRetryable && $this->attempts < $this->retries) {
                            \sleep((int) \pow(1.2, $this->attempts));
                        } else {
                            $msg = $reason->getMessage();
                            throw new CredentialsException(\sprintf('Error retrieving credentials from container metadata after attempt %d/%d (%s)', $this->attempts, $this->retries, $msg));
                        }
                    }));
                    $this->attempts++;
                }
                (yield $credentials);
            });
        }
        throw new CredentialsException("Uri '{$uri}' contains an unsupported host.");
    }
    /**
     * Returns the number of attempts that have been done.
     *
     * @return int
     */
    public function getAttempts() : int
    {
        return $this->attempts;
    }
    /**
     * Retrieves authorization token.
     *
     * @return array|false|string
     */
    private function getEcsAuthToken()
    {
        if (!empty($path = \getenv(self::ENV_AUTH_TOKEN_FILE))) {
            $token = @\file_get_contents($path);
            if (\false === $token) {
                \clearstatcache(\true, \dirname($path) . \DIRECTORY_SEPARATOR . @\readlink($path));
                \clearstatcache(\true, \dirname($path) . \DIRECTORY_SEPARATOR . \dirname(@\readlink($path)));
                \clearstatcache(\true, $path);
            }
            if (!\is_readable($path)) {
                throw new CredentialsException("Failed to read authorization token from '{$path}': no such file or directory.");
            }
            $token = @\file_get_contents($path);
            if (empty($token)) {
                throw new CredentialsException("Invalid authorization token read from `{$path}`. Token file is empty!");
            }
            return $token;
        }
        return \getenv(self::ENV_AUTH_TOKEN);
    }
    /**
     * Provides headers for credential metadata request.
     *
     * @return array|array[]|string[]
     */
    private function getHeadersForAuthToken()
    {
        $authToken = self::getEcsAuthToken();
        $headers = [];
        if (!empty($authToken)) {
            $headers = ['Authorization' => $authToken];
        }
        return $headers;
    }
    /** @deprecated */
    public function setHeaderForAuthToken()
    {
        $authToken = self::getEcsAuthToken();
        $headers = [];
        if (!empty($authToken)) {
            $headers = ['Authorization' => $authToken];
        }
        return $headers;
    }
    /**
     * Fetch container metadata URI from container environment variable.
     *
     * @return string Returns container metadata URI
     */
    private function getEcsUri()
    {
        $credsUri = \getenv(self::ENV_URI);
        if ($credsUri === \false) {
            $credsUri = $_SERVER[self::ENV_URI] ?? '';
        }
        if (empty($credsUri)) {
            $credFullUri = \getenv(self::ENV_FULL_URI);
            if ($credFullUri === \false) {
                $credFullUri = $_SERVER[self::ENV_FULL_URI] ?? '';
            }
            if (!empty($credFullUri)) {
                return $credFullUri;
            }
        }
        return self::SERVER_URI . $credsUri;
    }
    private function decodeResult($response)
    {
        $result = \json_decode($response, \true);
        if (!isset($result['AccessKeyId'])) {
            throw new CredentialsException('Unexpected container metadata credentials value');
        }
        return $result;
    }
    /**
     * Determines whether or not a given request URI is a valid
     * container credential request URI.
     *
     * @param $uri
     *
     * @return bool
     */
    private function isCompatibleUri($uri)
    {
        $parsed = \parse_url($uri);
        if ($parsed['scheme'] !== 'https') {
            $host = \trim($parsed['host'], '[]');
            $ecsHost = \parse_url(self::SERVER_URI)['host'];
            $eksHost = self::EKS_SERVER_HOST_IPV4;
            if ($host !== $ecsHost && $host !== $eksHost && $host !== self::EKS_SERVER_HOST_IPV6 && !CredentialsUtils::isLoopBackAddress(\gethostbyname($host))) {
                return \false;
            }
        }
        return \true;
    }
}