package io.trino.aws.proxy.server.signing;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import io.airlift.log.Logger;
import io.trino.aws.proxy.server.credentials.CredentialsController;
import io.trino.aws.proxy.server.rest.RequestLoggerController;
import io.trino.aws.proxy.spi.credentials.Credential;
import io.trino.aws.proxy.spi.credentials.Credentials;
import io.trino.aws.proxy.spi.rest.Request;
import io.trino.aws.proxy.spi.rest.RequestContent;
import io.trino.aws.proxy.spi.signing.SigningContext;
import io.trino.aws.proxy.spi.signing.SigningController;
import io.trino.aws.proxy.spi.signing.SigningMetadata;
import io.trino.aws.proxy.spi.signing.SigningServiceType;
import io.trino.aws.proxy.spi.util.MultiMap;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

/* loaded from: input_file:io/trino/aws/proxy/server/signing/InternalSigningController.class */
/**
 * {@link SigningController} implementation that signs or presigns outgoing requests through
 * {@code Signer} and authenticates incoming requests by recomputing their authorization and
 * comparing it with the one the client sent.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Incoming requests are verified against the {@code emulated()} credential of the
 *       {@link Credentials} resolved by {@link CredentialsController}.</li>
 *   <li>Every authentication failure surfaces as a bare {@code 401 UNAUTHORIZED}; the reason is
 *       only written to logs, never returned to the client.</li>
 *   <li>{@code maxClockDrift} is handed to every {@code Signer} call. How {@code Signer} enforces
 *       it is not visible here.</li>
 * </ul>
 */
public class InternalSigningController implements SigningController {
    private static final Logger log = Logger.get(SigningController.class);
    // Not referenced anywhere inside this class.
    private static final Set<String> LOWERCASE_HEADERS = ImmutableSet.of("content-type");

    private final CredentialsController credentialsController;
    private final RequestLoggerController requestLoggerController;
    // Taken from SigningControllerConfig#getMaxClockDrift and forwarded unchanged to Signer.
    private final Duration maxClockDrift;

    /**
     * Creates the controller.
     *
     * @param credentialsController resolves credentials for an access key / security token pair
     * @param signingControllerConfig supplies the clock-drift setting passed to {@code Signer}
     * @param requestLoggerController receives the error entry written on an authorization mismatch
     * @throws NullPointerException if any argument is {@code null}; {@code signingControllerConfig}
     *         has no explicit check and fails on dereference instead
     */
    @Inject
    public InternalSigningController(CredentialsController credentialsController, SigningControllerConfig signingControllerConfig, RequestLoggerController requestLoggerController) {
        this.credentialsController = Objects.requireNonNull(credentialsController, "credentialsController is null");
        this.requestLoggerController = Objects.requireNonNull(requestLoggerController, "requestLoggerController is null");
        this.maxClockDrift = signingControllerConfig.getMaxClockDrift().toJavaTime();
    }

    /**
     * Signs a request with empty content, covering the supplied headers.
     *
     * @param signingMetadata service type and credentials to sign with
     * @param str region
     * @param instant request date
     * @param optional signature expiry; when present the request is presigned instead of signed
     * @param function selects which {@link Credential} of the {@link Credentials} signs the request
     * @param uri request URI
     * @param multiMap request headers, converted with {@code SigningHeaders.build}
     * @param multiMap2 query parameters
     * @param str2 HTTP method
     * @return the signing context produced by {@code Signer}
     */
    public SigningContext signRequest(SigningMetadata signingMetadata, String str, Instant instant, Optional<Instant> optional, Function<Credentials, Credential> function, URI uri, MultiMap multiMap, MultiMap multiMap2, String str2) {
        return internalSignRequest(
                signingMetadata,
                str,
                instant,
                optional,
                RequestContent.EMPTY,
                function,
                uri,
                SigningHeaders.build(multiMap),
                multiMap2,
                str2);
    }

    /**
     * Same as {@link #signRequest} but with no headers to sign ({@code SigningHeaders.EMPTY}).
     *
     * @param signingMetadata service type and credentials to sign with
     * @param str region
     * @param instant request date
     * @param optional signature expiry; when present the request is presigned instead of signed
     * @param function selects which {@link Credential} of the {@link Credentials} signs the request
     * @param uri request URI
     * @param multiMap query parameters
     * @param str2 HTTP method
     * @return the signing context produced by {@code Signer}
     */
    public SigningContext presignRequest(SigningMetadata signingMetadata, String str, Instant instant, Optional<Instant> optional, Function<Credentials, Credential> function, URI uri, MultiMap multiMap, String str2) {
        return internalSignRequest(
                signingMetadata,
                str,
                instant,
                optional,
                RequestContent.EMPTY,
                function,
                uri,
                SigningHeaders.EMPTY,
                multiMap,
                str2);
    }

    /**
     * Authenticates an incoming request.
     *
     * <p>The request's parsed authorization must report itself valid, and the authorization
     * recomputed with the emulated credential must equal the one the client sent.
     *
     * @param request incoming request
     * @param signingServiceType service the signature is scoped to
     * @return metadata carrying the resolved credentials and the recomputed signing context
     * @throws WebApplicationException with status 401 when the authorization is not valid, or when
     *         {@code withCredentials} yields no result (presumably unknown credentials or a
     *         signature mismatch; confirm against {@code CredentialsController})
     */
    public SigningMetadata validateAndParseAuthorization(Request request, SigningServiceType signingServiceType) {
        // NOTE(review): both debug statements below format the whole Request. What
        // Request#toString exposes is not visible here; if it renders the Authorization header or
        // the security token, debug logs hold credential material and need matching access
        // control.
        if (!request.requestAuthorization().isValid()) {
            log.debug("Invalid requestAuthorization. Request: %s, SigningServiceType: %s", request, signingServiceType);
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }

        return (SigningMetadata) credentialsController.withCredentials(
                request.requestAuthorization().accessKey(),
                request.requestAuthorization().securityToken(),
                credentials -> isValidAuthorization(
                        new SigningMetadata(signingServiceType, credentials, Optional.empty()),
                        request,
                        Credentials::emulated))
                .orElseThrow(() -> {
                    log.debug("ValidateAndParseAuthorization failed. Request: %s, SigningServiceType: %s", request, signingServiceType);
                    return new WebApplicationException(Response.Status.UNAUTHORIZED);
                });
    }

    /**
     * Shared signing path: presigns when an expiry is supplied, otherwise signs.
     *
     * @param metadata service type and credentials holder
     * @param region signing region
     * @param requestDate request date
     * @param signatureExpiry expiry for a presigned request, empty for a regular signature
     * @param content request content handed to {@code Signer}
     * @param credentialsSupplier picks the {@link Credential} used for signing
     * @param requestUri request URI
     * @param headers headers to sign
     * @param queryParameters query parameters
     * @param httpMethod HTTP method
     * @return the signing context produced by {@code Signer}
     */
    private SigningContext internalSignRequest(
            SigningMetadata metadata,
            String region,
            Instant requestDate,
            Optional<Instant> signatureExpiry,
            RequestContent content,
            Function<Credentials, Credential> credentialsSupplier,
            URI requestUri,
            SigningHeaders headers,
            MultiMap queryParameters,
            String httpMethod) {
        // Resolved once, before either signing branch runs.
        Credential signingCredential = credentialsSupplier.apply(metadata.credentials());

        Optional<SigningContext> presigned = signatureExpiry.map(expiry ->
                Signer.presign(metadata.signingServiceType(), requestUri, headers, queryParameters, region, requestDate, expiry, httpMethod, signingCredential, maxClockDrift, content));

        return presigned.orElseGet(() ->
                Signer.sign(metadata.signingServiceType(), requestUri, headers, queryParameters, region, requestDate, httpMethod, signingCredential, maxClockDrift, content));
    }

    /**
     * Recomputes the authorization for {@code request} and compares it with the one received.
     *
     * <p>Only the headers listed in the client's {@code lowercaseSignedHeaders()} are fed to the
     * signer, taken from the request's unmodified headers.
     *
     * @param metadata service type and credentials to verify against
     * @param request incoming request
     * @param credentialsSupplier picks the {@link Credential} used for the recomputation
     * @return {@code metadata} with the recomputed signing context attached, or empty on mismatch
     */
    private Optional<SigningMetadata> isValidAuthorization(SigningMetadata metadata, Request request, Function<Credentials, Credential> credentialsSupplier) {
        SigningContext recomputed = internalSignRequest(
                metadata,
                request.requestAuthorization().region(),
                request.requestDate(),
                request.requestAuthorization().expiry(),
                request.requestContent(),
                credentialsSupplier,
                request.requestUri(),
                SigningHeaders.build(request.requestHeaders().unmodifiedHeaders(), request.requestAuthorization().lowercaseSignedHeaders()),
                request.requestQueryParameters(),
                request.httpVerb());

        // NOTE(review): the comparison relies on the authorization type's equals(). Whether that
        // compares the signature in constant time is not visible here; confirm it does not give a
        // timing signal on partially matching signatures.
        if (!request.requestAuthorization().equals(recomputed.signingAuthorization())) {
            // NOTE(review): "generated" is the authorization this proxy computed for the request.
            // If it renders the signature, the request log then stores a correct signature for a
            // request that failed authentication. Treat this log as sensitive, or confirm that
            // the logged form is redacted.
            requestLoggerController.currentRequestSession(request.requestId())
                    .logError("request.security.authorization.mismatch", ImmutableMap.of("request", request.requestAuthorization(), "generated", recomputed.signingAuthorization()));
            return Optional.empty();
        }
        return Optional.of(metadata.withSigningContext(recomputed));
    }
}
