package io.trino.aws.proxy.server.signing;

import com.google.common.collect.ImmutableSet;
import io.trino.aws.proxy.spi.signing.RequestAuthorization;
import java.time.Instant;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/aws/proxy/server/signing/TestRequestAuthorization.class */
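/**
 * Tests for {@link RequestAuthorization}: parsing of a SigV4 {@code Authorization} header value
 * ({@code parse}) and of presigned-request parameters ({@code presignedParse}).
 *
 * <p>The cases below pin the fail-closed side of the parser as well as the happy path: empty or
 * malformed input and an unrecognized signing algorithm must not yield a valid authorization,
 * non-positive or elapsed expiries must be rejected, and signed header names must come back
 * lowercased and de-duplicated.
 */
public class TestRequestAuthorization {
    private static final String VALID_SIGNATURE_ALGORITHM = "AWS4-HMAC-SHA256";

    /**
     * Exercises {@code RequestAuthorization.parse} on empty, well-formed and malformed header values.
     */
    @Test
    public void testValues() {
        // An empty header parses to an all-empty, invalid authorization instead of throwing.
        Assertions.assertThat(RequestAuthorization.parse(""))
                .isEqualTo(new RequestAuthorization("", "", "", ImmutableSet.of(), "", Optional.empty(), Optional.empty()));
        Assertions.assertThat(RequestAuthorization.parse("").isValid()).isFalse();
        Assertions.assertThat(RequestAuthorization.parse("").securityToken()).isEmpty();

        // Well-formed header; one signed header name is upper-cased to check normalization.
        String header = "%s Credential=THIS_IS_AN_ACCESS_KEY/20240608/us-east-1/s3/aws4_request, SignedHeaders=AMZ-SDK-INVOCATION-ID;amz-sdk-request;amz-sdk-retry;content-type;host;user-agent;x-amz-content-sha256;x-amz-date, Signature=c23adc773b858c0bf6fa6885a047781606ab5dd114116136bd5a388d45ede8cd".formatted(VALID_SIGNATURE_ALGORITHM);
        RequestAuthorization wellFormed = RequestAuthorization.parse(header);
        Assertions.assertThat(wellFormed.isValid()).isTrue();
        Assertions.assertThat(wellFormed)
                .extracting(RequestAuthorization::accessKey, RequestAuthorization::region)
                .containsExactly("THIS_IS_AN_ACCESS_KEY", "us-east-1");
        Assertions.assertThat(wellFormed.lowercaseSignedHeaders())
                .containsExactly("amz-sdk-invocation-id", "amz-sdk-request", "amz-sdk-retry", "content-type", "host", "user-agent", "x-amz-content-sha256", "x-amz-date");
        Assertions.assertThat(wellFormed.signature()).isEqualTo("c23adc773b858c0bf6fa6885a047781606ab5dd114116136bd5a388d45ede8cd");
        Assertions.assertThat(wellFormed.securityToken()).isEmpty();
        // The rebuilt header is compared case-insensitively because the signed headers are lowercased.
        Assertions.assertThat(wellFormed.authorization().toLowerCase(Locale.ROOT)).isEqualTo(header.toLowerCase(Locale.ROOT));
        Assertions.assertThat(wellFormed.expiry()).isEmpty();

        // Any algorithm other than AWS4-HMAC-SHA256 must be rejected, even if the rest is well formed.
        // Literal replace() is used: the algorithm name is not meant to be read as a regex.
        Assertions.assertThat(RequestAuthorization.parse(header.replace(VALID_SIGNATURE_ALGORITHM, "SOME-OTHER-ALGORITHM")).isValid()).isFalse();

        RequestAuthorization empty = RequestAuthorization.parse("");
        Assertions.assertThat(empty.isValid()).isFalse();
        Assertions.assertThat(empty.lowercaseSignedHeaders()).isEmpty();
        Assertions.assertThat(empty.signature()).isEmpty();
        Assertions.assertThat(empty.securityToken()).isEmpty();

        // Unknown keys, empty segments and an empty SignedHeaders value leave every field empty.
        RequestAuthorization noHeaders = RequestAuthorization.parse("x=y,,,,,,SignedHeaders=");
        Assertions.assertThat(noHeaders)
                .extracting(RequestAuthorization::accessKey, RequestAuthorization::region)
                .containsExactly("", "");
        Assertions.assertThat(noHeaders.lowercaseSignedHeaders()).isEmpty();
        Assertions.assertThat(noHeaders.signature()).isEmpty();
        Assertions.assertThat(noHeaders.securityToken()).isEmpty();

        // Repeated signed header names collapse to one entry; the token passed alongside is kept.
        RequestAuthorization duplicateHeaders = RequestAuthorization.parse("x=y,,,,,,SignedHeaders=b;b;b;b;c,,,,,,,,,", Optional.of("some-token"));
        Assertions.assertThat(duplicateHeaders)
                .extracting(RequestAuthorization::accessKey, RequestAuthorization::region)
                .containsExactly("", "");
        Assertions.assertThat(duplicateHeaders.lowercaseSignedHeaders()).containsExactly("b", "c");
        Assertions.assertThat(duplicateHeaders.signature()).isEmpty();
        Assertions.assertThat(duplicateHeaders.securityToken()).contains("some-token");

        // NOTE(review): the credential scope here has only three components (x/y/z) and the test
        // still expects isValid() to be true, so isValid() evidently does not check scope
        // completeness; confirm the service and "aws4_request" parts are checked when the
        // signature itself is verified.
        RequestAuthorization minimal = RequestAuthorization.parse("%s Credential=x/y/z,SignedHeaders=1,Signature=foo".formatted(VALID_SIGNATURE_ALGORITHM), Optional.of("some-token"));
        Assertions.assertThat(minimal.isValid()).isTrue();
        Assertions.assertThat(minimal)
                .extracting(RequestAuthorization::accessKey, RequestAuthorization::region)
                .containsExactly("x", "z");
        Assertions.assertThat(minimal.lowercaseSignedHeaders()).containsExactly("1");
        Assertions.assertThat(minimal.signature()).isEqualTo("foo");
        Assertions.assertThat(minimal.securityToken()).contains("some-token");
    }

    /**
     * Exercises {@code RequestAuthorization.presignedParse} with valid inputs, non-positive
     * expiries and an unsupported algorithm.
     */
    @Test
    public void testPresignedAuthorization() {
        String credential = "%s/20240608/%s/s3/aws4_request".formatted("THIS_IS_AN_ACCESS_KEY", "us-east-1");

        testPresignedAuthorizationValid("some-access-key", "some-region", "foo", "some-signature", 123L, Optional.empty(), ImmutableSet.of("foo"));
        // NOTE(review): 999999 seconds is longer than the 604800 seconds (7 days) that AWS documents
        // as the maximum lifetime of a SigV4 presigned URL, and this case pins that presignedParse
        // treats it as valid. Confirm an upper bound is enforced elsewhere or is deliberately absent.
        testPresignedAuthorizationValid("some-access-key", "some-region", "SOME;header;header;header", "some-signature", 999999L, Optional.of("some-token"), ImmutableSet.of("some", "header"));

        // A negative or zero lifetime must never produce a valid authorization.
        Assertions.assertThat(RequestAuthorization.presignedParse(VALID_SIGNATURE_ALGORITHM, credential, "FOO;BAR", "some-signature", -123L, Instant.now(), Optional.of("some-token")).isValid()).isFalse();
        Assertions.assertThat(RequestAuthorization.presignedParse(VALID_SIGNATURE_ALGORITHM, credential, "FOO;BAR", "some-signature", 0L, Instant.now(), Optional.of("some-token")).isValid()).isFalse();
        // The algorithm check applies to presigned requests as well.
        Assertions.assertThat(RequestAuthorization.presignedParse("SOME-OTHER-ALGORITHM", credential, "FOO;BAR", "some-signature", 123L, Instant.now(), Optional.of("some-token")).isValid()).isFalse();
    }

    /**
     * Parses a presigned request built from the given parts, dated at the current instant, and
     * asserts that it is valid and that every field round-trips.
     *
     * @param accessKey access key placed first in the credential scope
     * @param region region placed third in the credential scope
     * @param signedHeaders raw {@code ;}-separated signed header list, in any case, duplicates allowed
     * @param signature signature value expected back unchanged
     * @param expirySeconds lifetime in seconds; the expected expiry is the request instant plus this value
     * @param securityToken optional session token expected back unchanged
     * @param expectedSignedHeaders lowercased, de-duplicated header names expected from the parser
     */
    private void testPresignedAuthorizationValid(String accessKey, String region, String signedHeaders, String signature, Long expirySeconds, Optional<String> securityToken, Set<String> expectedSignedHeaders) {
        Instant requestTime = Instant.now();
        long lifetime = expirySeconds.longValue();
        String credential = "%s/20240608/%s/s3/aws4_request".formatted(accessKey, region);

        RequestAuthorization presigned = RequestAuthorization.presignedParse(VALID_SIGNATURE_ALGORITHM, credential, signedHeaders, signature, lifetime, requestTime, securityToken);

        Assertions.assertThat(presigned.isValid()).isTrue();
        Assertions.assertThat(presigned)
                .extracting(RequestAuthorization::accessKey, RequestAuthorization::region, RequestAuthorization::signature)
                .containsExactly(accessKey, region, signature);
        Assertions.assertThat(presigned.lowercaseSignedHeaders()).containsExactlyElementsOf(expectedSignedHeaders);
        Assertions.assertThat(presigned.securityToken()).isEqualTo(securityToken);
        Assertions.assertThat(presigned.expiry()).contains(requestTime.plusSeconds(lifetime));
        // A presigned (expiring) request has no Authorization header form; asking for one must fail loudly.
        Assertions.assertThatThrownBy(presigned::authorization)
                .isInstanceOf(IllegalStateException.class)
                .hasMessage("authorization cannot be computed for an expiring request");
    }

    /**
     * Checks that a presigned request whose lifetime has already elapsed is invalid, while one
     * dated at the same instant with a lifetime that has not yet elapsed is valid.
     */
    @Test
    public void testPresignedAuthorizationExpiry() {
        Instant oneMinuteAgo = Instant.now().minusSeconds(60L);
        String credential = "some-credential/20240608/some-region/s3/aws4_request";

        // Dated 60 s ago with a 10 s lifetime: expired roughly 50 s ago.
        RequestAuthorization expired = RequestAuthorization.presignedParse(VALID_SIGNATURE_ALGORITHM, credential, "FOO", "some-signature", 10L, oneMinuteAgo, Optional.empty());
        Assertions.assertThat(expired.isValid()).isFalse();
        Assertions.assertThat(expired.expiry()).get().matches(expiry -> expiry.isBefore(Instant.now()));

        // Dated 60 s ago with a 100 s lifetime: about 40 s remain, which is the margin this
        // wall-clock-based assertion has before it would start failing on a stalled run.
        RequestAuthorization live = RequestAuthorization.presignedParse(VALID_SIGNATURE_ALGORITHM, credential, "FOO", "some-signature", 100L, oneMinuteAgo, Optional.empty());
        Assertions.assertThat(live.isValid()).isTrue();
        Assertions.assertThat(live.expiry()).get().matches(expiry -> !expiry.isBefore(Instant.now()));
    }
}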
