package io.trino.aws.proxy.server;

import com.google.common.base.Splitter;
import com.google.inject.Inject;
import io.airlift.http.client.HttpClient;
import io.airlift.http.client.Request;
import io.airlift.http.client.StaticBodyGenerator;
import io.airlift.http.client.StatusResponseHandler;
import io.airlift.http.server.testing.TestingHttpServer;
import io.airlift.units.Duration;
import io.trino.aws.proxy.server.credentials.CredentialsController;
import io.trino.aws.proxy.server.rest.RequestLoggerConfig;
import io.trino.aws.proxy.server.rest.RequestLoggerController;
import io.trino.aws.proxy.server.signing.InternalSigningController;
import io.trino.aws.proxy.server.signing.SigningControllerConfig;
import io.trino.aws.proxy.server.signing.TestingChunkSigningSession;
import io.trino.aws.proxy.server.testing.TestingCredentialsRolesProvider;
import io.trino.aws.proxy.server.testing.TestingRemoteS3Facade;
import io.trino.aws.proxy.server.testing.TestingTrinoAwsProxyServer;
import io.trino.aws.proxy.server.testing.TestingUtil;
import io.trino.aws.proxy.server.testing.containers.S3Container;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTestCommonModules;
import io.trino.aws.proxy.spi.credentials.Credential;
import io.trino.aws.proxy.spi.credentials.Credentials;
import io.trino.aws.proxy.spi.signing.RequestAuthorization;
import io.trino.aws.proxy.spi.signing.SigningMetadata;
import io.trino.aws.proxy.spi.signing.SigningServiceType;
import io.trino.aws.proxy.spi.util.AwsTimestamp;
import io.trino.aws.proxy.spi.util.ImmutableMultiMap;
import io.trino.aws.proxy.spi.util.MultiMap;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.auth.signer.internal.chunkedencoding.AwsS3V4ChunkSigner;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.HeadObjectResponse;

@TrinoAwsProxyTest(filters = {Filter.class})
/* loaded from: input_file:io/trino/aws/proxy/server/TestGenericRestRequests.class */
public class TestGenericRestRequests {
    private final URI baseUri;
    private final TestingCredentialsRolesProvider credentialsRolesProvider;
    private final InternalSigningController signingController;
    private final HttpClient httpClient;
    private final Credentials testingCredentials;
    private final S3Client storageClient;
    private static final String TEST_CONTENT_TYPE = "text/plain;charset=utf-8";
    private static final String ILLEGAL_CHUNK_SIGNATURE = "0".repeat(AwsS3V4ChunkSigner.getSignatureLength());
    private static final String badContent = TestingUtil.LOREM_IPSUM.toLowerCase(Locale.ROOT);
    private static final String goodSha256 = TestingUtil.sha256(TestingUtil.LOREM_IPSUM);
    private static final String badSha256 = TestingUtil.sha256("fooLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Viverra aliquet eget sit amet tellus cras adipiscing. Viverra mauris in aliquam sem fringilla. Facilisis mauris sit amet massa vitae. Mauris vitae ultricies leo integer malesuada. Sed libero enim sed faucibus turpis in eu mi bibendum. Lorem sed risus ultricies tristique nulla aliquet enim. Quis blandit turpis cursus in hac habitasse platea dictumst quisque. Diam maecenas ultricies mi eget mauris pharetra et ultrices neque. Aliquam sem fringilla ut morbi.");

    /* loaded from: input_file:io/trino/aws/proxy/server/TestGenericRestRequests$Filter.class */
    public static class Filter extends TrinoAwsProxyTestCommonModules.WithTestingHttpClient {
        @Override // io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTestCommonModules.WithTestingHttpClient, io.trino.aws.proxy.server.testing.harness.BuilderFilter
        public TestingTrinoAwsProxyServer.Builder filter(TestingTrinoAwsProxyServer.Builder builder) {
            return super.filter(builder).withProperty("signing-controller.clock.max-drift", new Duration(9999999.0d, TimeUnit.DAYS).toString());
        }
    }

    @Inject
    public TestGenericRestRequests(TestingHttpServer testingHttpServer, TestingCredentialsRolesProvider testingCredentialsRolesProvider, @TestingUtil.ForTesting HttpClient httpClient, @TestingUtil.ForTesting Credentials credentials, @S3Container.ForS3Container S3Client s3Client, TrinoAwsProxyConfig trinoAwsProxyConfig) {
        this.baseUri = testingHttpServer.getBaseUrl().resolve(trinoAwsProxyConfig.getS3Path());
        this.credentialsRolesProvider = (TestingCredentialsRolesProvider) Objects.requireNonNull(testingCredentialsRolesProvider, "credentialsRolesProvider is null");
        this.signingController = new InternalSigningController(new CredentialsController(new TestingRemoteS3Facade(), testingCredentialsRolesProvider), new SigningControllerConfig().setMaxClockDrift(new Duration(10.0d, TimeUnit.SECONDS)), new RequestLoggerController(new RequestLoggerConfig()));
        this.httpClient = (HttpClient) Objects.requireNonNull(httpClient, "httpClient is null");
        this.testingCredentials = (Credentials) Objects.requireNonNull(credentials, "testingCredentials is null");
        this.storageClient = (S3Client) Objects.requireNonNull(s3Client, "storageClient is null");
    }

    @AfterEach
    public void cleanupStorage() {
        TestingUtil.deleteAllBuckets(this.storageClient);
    }

    @Test
    public void testAwsChunkedUploadValid() throws IOException {
        String str = "test-aws-chunked";
        this.storageClient.createBucket(builder -> {
            builder.bucket(str).build();
        });
        Credential credential = new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString());
        this.credentialsRolesProvider.addCredentials(Credentials.build(credential, this.testingCredentials.requiredRemoteCredential()));
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "aws-chunked-2-partitions", TestingUtil.LOREM_IPSUM, 2, credential).getStatusCode()).isEqualTo(200);
        Assertions.assertThat(TestingUtil.getFileFromStorage(this.storageClient, "test-aws-chunked", "aws-chunked-2-partitions")).isEqualTo(TestingUtil.LOREM_IPSUM);
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "aws-chunked-3-partitions", TestingUtil.LOREM_IPSUM, 3, credential).getStatusCode()).isEqualTo(200);
        Assertions.assertThat(TestingUtil.getFileFromStorage(this.storageClient, "test-aws-chunked", "aws-chunked-3-partitions")).isEqualTo(TestingUtil.LOREM_IPSUM);
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "aws-chunked-with-metadata", TestingUtil.LOREM_IPSUM, 3, credential, credential, Function.identity(), ImmutableMultiMap.builder(false).add("x-amz-meta-metadata-key", "some-metadata-value").add("Content-Encoding", "gzip,compress").build()).getStatusCode()).isEqualTo(200);
        Assertions.assertThat(TestingUtil.getFileFromStorage(this.storageClient, "test-aws-chunked", "aws-chunked-with-metadata")).isEqualTo(TestingUtil.LOREM_IPSUM);
        HeadObjectResponse headObjectInStorage = TestingUtil.headObjectInStorage(this.storageClient, "test-aws-chunked", "aws-chunked-with-metadata");
        Assertions.assertThat(headObjectInStorage.contentEncoding()).isEqualTo("gzip,compress");
        Assertions.assertThat(headObjectInStorage.contentType()).isEqualTo(TEST_CONTENT_TYPE);
        Assertions.assertThat(headObjectInStorage.metadata()).containsEntry("metadata-key", "some-metadata-value");
    }

    @Test
    public void testAwsChunkedUploadInvalidContent() throws IOException {
        String str = "test-aws-chunked";
        this.storageClient.createBucket(builder -> {
            builder.bucket(str).build();
        });
        Credential credential = new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString());
        this.credentialsRolesProvider.addCredentials(Credentials.build(credential, this.testingCredentials.requiredRemoteCredential()));
        Credential credential2 = new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString());
        this.credentialsRolesProvider.addCredentials(Credentials.build(credential2, this.testingCredentials.requiredRemoteCredential()));
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 2, new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString())).getStatusCode()).isEqualTo(401);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 2, credential, credential2, Function.identity(), ImmutableMultiMap.empty()).getStatusCode()).isEqualTo(401);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 2, credential, str2 -> {
            return str2.replaceFirst("\\r\\n0;chunk-signature=(\\w+)", "\r\n1;chunk-signature=$1");
        }).getStatusCode()).isEqualTo(500);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 2, credential, str3 -> {
            int indexOf = str3.indexOf(";");
            String substring = str3.substring(0, indexOf);
            String num = Integer.toString(Integer.parseInt(substring.strip(), 16) - 1, 16);
            if (num.length() < substring.length()) {
                num = "0" + num;
            }
            return "%s%s".formatted(num, str3.substring(indexOf));
        }).getStatusCode()).isEqualTo(500);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 3, credential, getMutatorToBreakSignatureForChunk(0)).getStatusCode()).isEqualTo(401);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 3, credential, getMutatorToBreakSignatureForChunk(1)).getStatusCode()).isEqualTo(401);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 3, credential, getMutatorToBreakSignatureForChunk(2)).getStatusCode()).isEqualTo(401);
        TestingUtil.assertFileNotInS3(this.storageClient, "test-aws-chunked", "sample_file_chunked");
        Assertions.assertThat(doAwsChunkedUpload("test-aws-chunked", "sample_file_chunked", TestingUtil.LOREM_IPSUM, 2, credential).getStatusCode()).isEqualTo(200);
        Assertions.assertThat(TestingUtil.getFileFromStorage(this.storageClient, "test-aws-chunked", "sample_file_chunked")).isEqualTo(TestingUtil.LOREM_IPSUM);
    }

    private StatusResponseHandler.StatusResponse doAwsChunkedUpload(String str, String str2, String str3, int i, Credential credential) {
        return doAwsChunkedUpload(str, str2, str3, i, credential, Function.identity());
    }

    private StatusResponseHandler.StatusResponse doAwsChunkedUpload(String str, String str2, String str3, int i, Credential credential, Function<String, String> function) {
        return doAwsChunkedUpload(str, str2, str3, i, credential, credential, function, ImmutableMultiMap.empty());
    }

    private StatusResponseHandler.StatusResponse doAwsChunkedUpload(String str, String str2, String str3, int i, Credential credential, Credential credential2, Function<String, String> function, MultiMap multiMap) {
        Instant now = Instant.now();
        ImmutableMultiMap.Builder builder = ImmutableMultiMap.builder(false);
        Objects.requireNonNull(builder);
        multiMap.forEach((v1, v2) -> {
            r1.addAll(v1, v2);
        });
        builder.add("Host", "%s:%d".formatted(this.baseUri.getHost(), Integer.valueOf(this.baseUri.getPort()))).add("X-Amz-Date", AwsTimestamp.toRequestFormat(now)).add("X-Amz-Content-Sha256", "STREAMING-AWS4-HMAC-SHA256-PAYLOAD").add("X-Amz-Decoded-Content-Length", String.valueOf(str3.length())).add("Content-Length", String.valueOf(TestingChunkSigningSession.getExpectedChunkedStreamSize(str3, i))).add("Content-Type", TEST_CONTENT_TYPE).add("Content-Encoding", "aws-chunked");
        URI build = UriBuilder.fromUri(this.baseUri).path(str).path(str2).build(new Object[0]);
        RequestAuthorization signRequest = signRequest(credential, build, now, "PUT", builder.build());
        String apply = function.apply(TestingChunkSigningSession.build(credential2, signRequest.signature(), now).generateChunkedStream(str3, i));
        Request.Builder uri = Request.Builder.preparePut().setUri(build);
        builder.add("Authorization", signRequest.authorization());
        ImmutableMultiMap build2 = builder.build();
        Objects.requireNonNull(uri);
        build2.forEachEntry(uri::addHeader);
        uri.setBodyGenerator(StaticBodyGenerator.createStaticBodyGenerator(apply.getBytes(StandardCharsets.UTF_8)));
        return (StatusResponseHandler.StatusResponse) this.httpClient.execute(uri.build(), StatusResponseHandler.createStatusResponseHandler());
    }

    @Test
    public void testAwsChunkedCornerCases() throws InterruptedException {
        String str = "test-aws-chunked-illegal";
        String repeat = "hello there".repeat(4096);
        this.storageClient.createBucket(builder -> {
            builder.bucket(str).build();
        });
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "no-final-chunk", buildFakeChunk(repeat, repeat.length()), repeat.length(), 500);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "with-final-chunk", "%s%s".formatted(buildFakeChunk(repeat, repeat.length()), buildFakeChunk("", 0)), repeat.length(), 401);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "no-final-chunk-more-data-than-headers-indicate", buildFakeChunk(repeat, repeat.length()), 4096, 500);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "with-final-chunk-more-data-than-headers-indicate", "%s%s".formatted(buildFakeChunk(repeat, repeat.length()), buildFakeChunk("", 0)), 4096, 500);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "no-final-chunk-chunk-underreports-size", buildFakeChunk(repeat, 4096), 4096, 500);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "with-final-chunk-chunk-underreports-size", "%s%s".formatted(buildFakeChunk(repeat, 4096), buildFakeChunk("", 0)), 4096, 500);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "no-final-chunk-chunk-overreports-size", buildFakeChunk(repeat, 9000000), 4096, 500);
        testAwsChunkedIllegalChunks("test-aws-chunked-illegal", "with-final-chunk-chunk-overreports-size", "%s%s".formatted(buildFakeChunk(repeat, 9000000), buildFakeChunk("", 0)), 4096, 500);
        Thread.sleep(1000L);
        Assertions.assertThat(TestingUtil.listFilesInS3Bucket(this.storageClient, "test-aws-chunked-illegal")).isEmpty();
    }

    private static String buildFakeChunk(String str, int i) {
        return "%s;chunk-signature=%s\r\n%s\r\n".formatted(Integer.toString(i, 16), ILLEGAL_CHUNK_SIGNATURE, str);
    }

    private void testAwsChunkedIllegalChunks(String str, String str2, String str3, int i, int i2) {
        Instant now = Instant.now();
        Credential credential = new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString());
        this.credentialsRolesProvider.addCredentials(Credentials.build(credential, this.testingCredentials.requiredRemoteCredential()));
        ImmutableMultiMap.Builder builder = ImmutableMultiMap.builder(false);
        builder.add("Host", "%s:%d".formatted(this.baseUri.getHost(), Integer.valueOf(this.baseUri.getPort()))).add("X-Amz-Date", AwsTimestamp.toRequestFormat(now)).add("X-Amz-Content-Sha256", "STREAMING-AWS4-HMAC-SHA256-PAYLOAD").add("X-Amz-Decoded-Content-Length", String.valueOf(i)).add("Content-Length", String.valueOf(str3.length())).add("Content-Type", TEST_CONTENT_TYPE).add("Content-Encoding", "aws-chunked");
        URI build = UriBuilder.fromUri(this.baseUri).path(str).path(str2).build(new Object[0]);
        RequestAuthorization signRequest = signRequest(credential, build, now, "PUT", builder.build());
        Request.Builder uri = Request.Builder.preparePut().setUri(build);
        builder.add("Authorization", signRequest.authorization());
        ImmutableMultiMap build2 = builder.build();
        Objects.requireNonNull(uri);
        build2.forEachEntry(uri::addHeader);
        uri.setBodyGenerator(StaticBodyGenerator.createStaticBodyGenerator(str3.getBytes(StandardCharsets.UTF_8)));
        Assertions.assertThat(((StatusResponseHandler.StatusResponse) this.httpClient.execute(uri.build(), StatusResponseHandler.createStatusResponseHandler())).getStatusCode()).isEqualTo(i2);
    }

    @Test
    public void testPutObject() throws IOException {
        String str = "foo";
        this.storageClient.createBucket(builder -> {
            builder.bucket(str).build();
        });
        testPutObject("foo", TestingUtil.LOREM_IPSUM, goodSha256, 200, true);
        testPutObject("foo", TestingUtil.LOREM_IPSUM, "UNSIGNED-PAYLOAD", 200, true);
        testPutObject("foo", badContent, goodSha256, 401, false);
        testPutObject("foo", TestingUtil.LOREM_IPSUM, badSha256, 401, false);
        testPutObject("foo", badContent, badSha256, 401, false);
    }

    private void testPutObject(String str, String str2, String str3, int i, boolean z) throws IOException {
        String uuid = UUID.randomUUID().toString();
        Assertions.assertThat(doPutObject(str, uuid, str2, str3).getStatusCode()).isEqualTo(i);
        if (z) {
            Assertions.assertThat(TestingUtil.getFileFromStorage(this.storageClient, str, uuid)).isEqualTo(str2);
        } else {
            TestingUtil.assertFileNotInS3(this.storageClient, str, uuid);
        }
    }

    private StatusResponseHandler.StatusResponse doPutObject(String str, String str2, String str3, String str4) {
        Instant now = Instant.now();
        String requestFormat = AwsTimestamp.toRequestFormat(now);
        URI build = UriBuilder.fromUri(this.baseUri).path(str).path(str2).build(new Object[0]);
        ImmutableMultiMap.Builder add = ImmutableMultiMap.builder(false).add("Host", "%s:%d".formatted(build.getHost(), Integer.valueOf(build.getPort()))).add("Accept-Encoding", "identity").add("Content-Type", "text/plain").add("User-Agent", "aws-cli/2.15.53 md/awscrt#0.19.19 ua/2.0 os/macos#22.6.0 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3.cp").add("Expect", "100-continue").add("X-Amz-Date", requestFormat).add("X-Amz-Content-SHA256", str4).add("Content-Length", String.valueOf(str3.length()));
        add.add("Authorization", signRequest(this.testingCredentials.emulated(), build, now, "PUT", add.build()).authorization());
        Request.Builder bodyGenerator = Request.Builder.preparePut().setUri(build).setBodyGenerator(StaticBodyGenerator.createStaticBodyGenerator(str3, StandardCharsets.UTF_8));
        ImmutableMultiMap build2 = add.build();
        Objects.requireNonNull(bodyGenerator);
        build2.forEachEntry(bodyGenerator::addHeader);
        return (StatusResponseHandler.StatusResponse) this.httpClient.execute(bodyGenerator.build(), StatusResponseHandler.createStatusResponseHandler());
    }

    private RequestAuthorization signRequest(Credential credential, URI uri, Instant instant, String str, MultiMap multiMap) {
        return this.signingController.signRequest(new SigningMetadata(SigningServiceType.S3, Credentials.build(credential, this.testingCredentials.requiredRemoteCredential()), Optional.empty()), "us-east-1", instant, Optional.empty(), (v0) -> {
            return v0.emulated();
        }, uri, multiMap, ImmutableMultiMap.empty(), str).signingAuthorization();
    }

    private static Function<String, String> getMutatorToBreakSignatureForChunk(int i) {
        return str -> {
            int i2 = i;
            StringBuilder sb = new StringBuilder();
            for (String str : Splitter.on("\r\n").omitEmptyStrings().splitToList(str)) {
                if (str.contains(";chunk-signature=")) {
                    int i3 = i2;
                    i2--;
                    if (i3 == 0) {
                        sb.append(str.replaceFirst("([0-9a-f]+;chunk-signature=)(\\w+)", "$1" + ILLEGAL_CHUNK_SIGNATURE));
                        sb.append("\r\n");
                    }
                }
                sb.append(str);
                sb.append("\r\n");
            }
            sb.append("\r\n");
            return sb.toString();
        };
    }
}
