package io.trino.aws.proxy.server.rest;

import com.google.common.collect.ImmutableMap;
import com.google.common.util.concurrent.MoreExecutors;
import com.google.inject.BindingAnnotation;
import com.google.inject.Inject;
import io.airlift.http.client.HttpClient;
import io.airlift.http.client.Request;
import io.airlift.http.client.StreamingBodyGenerator;
import io.airlift.log.Logger;
import io.trino.aws.proxy.server.TrinoAwsProxyConfig;
import io.trino.aws.proxy.server.security.S3SecurityController;
import io.trino.aws.proxy.spi.remote.RemoteS3Facade;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.rest.RequestContent;
import io.trino.aws.proxy.spi.rest.S3RequestRewriter;
import io.trino.aws.proxy.spi.security.SecurityResponse;
import io.trino.aws.proxy.spi.signing.SigningController;
import io.trino.aws.proxy.spi.signing.SigningMetadata;
import io.trino.aws.proxy.spi.util.AwsTimestamp;
import io.trino.aws.proxy.spi.util.ImmutableMultiMap;
import io.trino.aws.proxy.spi.util.MultiMap;
import jakarta.annotation.PreDestroy;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.container.AsyncResponse;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.InputStream;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import software.amazon.awssdk.utils.http.SdkHttpUtils;

/* loaded from: input_file:io/trino/aws/proxy/server/rest/TrinoS3ProxyClient.class */
public class TrinoS3ProxyClient {
    private static final Logger log = Logger.get(TrinoS3ProxyClient.class);
    private final HttpClient httpClient;
    private final SigningController signingController;
    private final RemoteS3Facade remoteS3Facade;
    private final S3SecurityController s3SecurityController;
    private final S3PresignController s3PresignController;
    private final LimitStreamController limitStreamController;
    private final S3RequestRewriter s3RequestRewriter;
    private final ExecutorService executorService = Executors.newVirtualThreadPerTaskExecutor();
    private final boolean generatePresignedUrlsOnHead;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.trino.aws.proxy.server.rest.TrinoS3ProxyClient$1, reason: invalid class name */
    /* loaded from: input_file:io/trino/aws/proxy/server/rest/TrinoS3ProxyClient$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType = new int[RequestContent.ContentType.values().length];

        static {
            try {
                $SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType[RequestContent.ContentType.AWS_CHUNKED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType[RequestContent.ContentType.AWS_CHUNKED_IN_W3C_CHUNKED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType[RequestContent.ContentType.STANDARD.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType[RequestContent.ContentType.W3C_CHUNKED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType[RequestContent.ContentType.EMPTY.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
    @Retention(RetentionPolicy.RUNTIME)
    @BindingAnnotation
    /* loaded from: input_file:io/trino/aws/proxy/server/rest/TrinoS3ProxyClient$ForProxyClient.class */
    public @interface ForProxyClient {
    }

    @Inject
    public TrinoS3ProxyClient(@ForProxyClient HttpClient httpClient, SigningController signingController, RemoteS3Facade remoteS3Facade, S3SecurityController s3SecurityController, TrinoAwsProxyConfig trinoAwsProxyConfig, S3PresignController s3PresignController, LimitStreamController limitStreamController, S3RequestRewriter s3RequestRewriter) {
        this.httpClient = (HttpClient) Objects.requireNonNull(httpClient, "httpClient is null");
        this.signingController = (SigningController) Objects.requireNonNull(signingController, "signingController is null");
        this.remoteS3Facade = (RemoteS3Facade) Objects.requireNonNull(remoteS3Facade, "objectStore is null");
        this.s3SecurityController = (S3SecurityController) Objects.requireNonNull(s3SecurityController, "securityController is null");
        this.s3PresignController = (S3PresignController) Objects.requireNonNull(s3PresignController, "presignController is null");
        this.limitStreamController = (LimitStreamController) Objects.requireNonNull(limitStreamController, "quotaStreamController is null");
        this.s3RequestRewriter = (S3RequestRewriter) Objects.requireNonNull(s3RequestRewriter, "s3RequestRewriter is null");
        this.generatePresignedUrlsOnHead = trinoAwsProxyConfig.isGeneratePresignedUrlsOnHead();
    }

    @PreDestroy
    public void shutDown() {
        if (MoreExecutors.shutdownAndAwaitTermination(this.executorService, Duration.ofSeconds(30L))) {
            return;
        }
        log.warn("Could not shutdown executor service");
    }

    public void proxyRequest(SigningMetadata signingMetadata, ParsedS3Request parsedS3Request, AsyncResponse asyncResponse, RequestLoggingSession requestLoggingSession) {
        Optional rewrite = this.s3RequestRewriter.rewrite(signingMetadata.credentials(), parsedS3Request);
        URI buildEndpoint = this.remoteS3Facade.buildEndpoint(uriBuilder(parsedS3Request.queryParameters()), (String) rewrite.map((v0) -> {
            return v0.finalRequestKey();
        }).map(SdkHttpUtils::urlEncodeIgnoreSlashes).orElse(parsedS3Request.rawPath()), (String) rewrite.map((v0) -> {
            return v0.finalRequestBucket();
        }).orElse(parsedS3Request.bucketName()), parsedS3Request.requestAuthorization().region());
        SecurityResponse.Failure apply = this.s3SecurityController.apply(parsedS3Request, signingMetadata.credentials().identity());
        if (apply instanceof SecurityResponse.Failure) {
            try {
                Optional error = apply.error();
                log.debug("SecurityController check failed. AccessKey: %s, Request: %s, SecurityResponse: %s", new Object[]{signingMetadata.credentials().emulated().accessKey(), parsedS3Request, apply});
                requestLoggingSession.logError("request.security.fail.credentials", signingMetadata.credentials().emulated());
                requestLoggingSession.logError("request.security.fail.request", parsedS3Request);
                requestLoggingSession.logError("request.security.fail.error", error);
                throw new WebApplicationException(Response.Status.UNAUTHORIZED);
            } catch (Throwable th) {
                throw new MatchException(th.toString(), th);
            }
        }
        Request.Builder followRedirects = new Request.Builder().setMethod(parsedS3Request.httpVerb()).setUri(buildEndpoint).setFollowRedirects(true);
        if (buildEndpoint.getHost() == null) {
            log.debug("RemoteURI missing host. AccessKey: %s, Request: %s", new Object[]{signingMetadata.credentials().emulated().accessKey(), parsedS3Request});
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        ImmutableMultiMap.Builder builder = ImmutableMultiMap.builder(false);
        Instant now = Instant.now();
        MultiMap passthroughHeaders = parsedS3Request.requestHeaders().passthroughHeaders();
        Objects.requireNonNull(builder);
        passthroughHeaders.forEach((v1, v2) -> {
            r1.addAll(v1, v2);
        });
        builder.putOrReplaceSingle("Host", buildRemoteHost(buildEndpoint));
        builder.putOrReplaceSingle("X-Amz-Date", AwsTimestamp.toRequestFormat(now));
        signingMetadata.credentials().requiredRemoteCredential().session().ifPresent(str -> {
            builder.putOrReplaceSingle("x-amz-security-token", str);
        });
        parsedS3Request.requestContent().contentLength().ifPresent(num -> {
            builder.putOrReplaceSingle("content-length", Integer.toString(num.intValue()));
        });
        contentInputStream(parsedS3Request.requestContent(), signingMetadata).ifPresent(inputStream -> {
            followRedirects.setBodyGenerator(StreamingBodyGenerator.streamingBodyGenerator(inputStream));
        });
        builder.putOrReplaceSingle("x-amz-content-sha256", "UNSIGNED-PAYLOAD");
        Map<String, URI> buildPresignedRemoteUrls = (this.generatePresignedUrlsOnHead && parsedS3Request.httpVerb().equalsIgnoreCase("HEAD")) ? this.s3PresignController.buildPresignedRemoteUrls(signingMetadata, parsedS3Request, now, buildEndpoint) : ImmutableMap.of();
        ImmutableMultiMap build = builder.build();
        String authorization = this.signingController.signRequest(signingMetadata, parsedS3Request.requestAuthorization().region(), now, Optional.empty(), (v0) -> {
            return v0.requiredRemoteCredential();
        }, buildEndpoint, build, parsedS3Request.queryParameters(), parsedS3Request.httpVerb()).signingAuthorization().authorization();
        Objects.requireNonNull(followRedirects);
        build.forEachEntry(followRedirects::addHeader);
        followRedirects.addHeader("Authorization", authorization);
        Request build2 = followRedirects.build();
        Map<String, URI> map = buildPresignedRemoteUrls;
        this.executorService.submit(() -> {
            StreamingResponseHandler streamingResponseHandler = new StreamingResponseHandler(asyncResponse, map, requestLoggingSession, this.limitStreamController);
            try {
                this.httpClient.execute(build2, streamingResponseHandler);
            } catch (Throwable th2) {
                streamingResponseHandler.m14handleException(build2, (Exception) new RuntimeException(th2));
            }
        });
    }

    private Optional<InputStream> contentInputStream(RequestContent requestContent, SigningMetadata signingMetadata) {
        switch (AnonymousClass1.$SwitchMap$io$trino$aws$proxy$spi$rest$RequestContent$ContentType[requestContent.contentType().ordinal()]) {
            case 1:
            case 2:
                return requestContent.inputStream().map(inputStream -> {
                    return new AwsChunkedInputStream(this.limitStreamController.wrap(inputStream), signingMetadata.requiredSigningContext().chunkSigningSession(), ((Integer) requestContent.contentLength().orElseThrow()).intValue());
                });
            case 3:
            case 4:
                return requestContent.inputStream().map(inputStream2 -> {
                    return (InputStream) signingMetadata.requiredSigningContext().contentHash().filter(str -> {
                        return (str.startsWith("STREAMING-") || str.startsWith("UNSIGNED-")) ? false : true;
                    }).map(str2 -> {
                        return new HashCheckInputStream(this.limitStreamController.wrap(inputStream2), str2, requestContent.contentLength());
                    }).orElse(inputStream2);
                });
            case 5:
                return Optional.empty();
            default:
                throw new MatchException((String) null, (Throwable) null);
        }
    }

    private static String buildRemoteHost(URI uri) {
        int port = uri.getPort();
        return (port < 0 || port == 80 || port == 443) ? uri.getHost() : uri.getHost() + ":" + port;
    }

    private static UriBuilder uriBuilder(MultiMap multiMap) {
        UriBuilder newInstance = UriBuilder.newInstance();
        Objects.requireNonNull(newInstance);
        multiMap.forEachEntry((str, obj) -> {
            newInstance.queryParam(str, new Object[]{obj});
        });
        return newInstance;
    }
}
