package io.trino.aws.proxy.server.signing;

import com.google.common.annotations.VisibleForTesting;
import io.airlift.log.Logger;
import io.trino.aws.proxy.server.signing.Signers;
import io.trino.aws.proxy.spi.credentials.Credential;
import io.trino.aws.proxy.spi.rest.RequestContent;
import io.trino.aws.proxy.spi.signing.RequestAuthorization;
import io.trino.aws.proxy.spi.signing.SigningContext;
import io.trino.aws.proxy.spi.signing.SigningServiceType;
import io.trino.aws.proxy.spi.signing.SigningTrait;
import io.trino.aws.proxy.spi.util.AwsTimestamp;
import io.trino.aws.proxy.spi.util.ImmutableMultiMap;
import io.trino.aws.proxy.spi.util.MultiMap;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiFunction;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.signer.internal.Aws4SignerRequestParams;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;
import software.amazon.awssdk.auth.signer.params.AwsS3V4SignerParams;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;

/* loaded from: input_file:io/trino/aws/proxy/server/signing/Signer.class */
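/**
 * Recomputes SigV4 signatures for proxied requests with the AWS SDK signers held in {@link Signers}.
 * <p>
 * {@link #sign} handles header-authorized requests and {@link #presign} handles query-parameter
 * (presigned URL) requests. Both funnel into {@link #internalSign}, which rebuilds the request the SDK
 * signs from the caller-chosen headers and query parameters, pins the signer's clock to the request's own
 * timestamp, selects the signer by {@link SigningTrait}, and wraps the result in a {@link SigningContext}.
 * Timestamp checks and a signer that yields no usable authorization fail with 400; an authorization that
 * fails {@code RequestAuthorization.isValid()} fails with 401.
 *
 * @implNote Clock-drift checks read {@link Instant#now()} directly, so they are not testable with a fixed clock.
 */
final class Signer
{
    private static final Logger log = Logger.get(Signer.class);

    /**
     * Upper bound on how far a presigned request's expiry may lie after its request timestamp, and on how
     * far in the past that timestamp may be relative to now.
     */
    @VisibleForTesting
    static final Duration MAX_PRESIGNED_REQUEST_AGE = Duration.ofDays(7);

    /**
     * What a signer produced: the parsed authorization and the URI the SDK actually signed.
     * The generated {@code toString()} prints both components, including whatever
     * {@link RequestAuthorization} exposes (it carries the signature), so it only appears in debug logs.
     */
    private record InternalRequestAuthorization(RequestAuthorization requestAuthorization, URI signingUri)
    {
        private InternalRequestAuthorization
        {
            Objects.requireNonNull(requestAuthorization, "requestAuthorization is null");
            Objects.requireNonNull(signingUri, "signingUri is null");
        }
    }

    private Signer() {}

    /**
     * Derives the SigV4 signing key for {@code awsCredentials} via the S3 signer in {@link Signers}.
     *
     * @param awsCredentials credentials whose secret key seeds the derivation
     * @param aws4SignerRequestParams date, region and service the key is scoped to
     * @return the derived signing key bytes
     */
    static byte[] signingKey(AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams)
    {
        return Signers.awsS3V4Signer.signingKey(awsCredentials, aws4SignerRequestParams);
    }

    /**
     * Recomputes the signature of a presigned (query-parameter authorized) request.
     *
     * @param signingServiceType service the request targets; supplies the signing name and signer traits
     * @param uri request URI; its query string is discarded and rebuilt from {@code multiMap}
     * @param signingHeaders headers that take part in the signature
     * @param multiMap query parameters to sign
     * @param str signing region
     * @param instant request timestamp carried by the request
     * @param instant2 expiry carried by the request
     * @param str2 HTTP method
     * @param credential access key, secret key and optional session token to sign with
     * @param duration maximum tolerated clock drift into the future
     * @param requestContent not read by this method
     * @return signing context holding the recomputed presigned authorization
     * @throws WebApplicationException 400 when the expiry precedes the request time or lies more than
     *         {@link #MAX_PRESIGNED_REQUEST_AGE} after it, when the request time is outside the drift window,
     *         or when the presigner produced no parseable authorization; 401 when the authorization is invalid
     */
    static SigningContext presign(
            SigningServiceType signingServiceType,
            URI uri,
            SigningHeaders signingHeaders,
            MultiMap multiMap,
            String str,
            Instant instant,
            Instant instant2,
            String str2,
            Credential credential,
            Duration duration,
            RequestContent requestContent)
    {
        // The claimed lifetime must be non-negative and no longer than the maximum presigned age.
        // NOTE(review): only the expiry's relation to the request timestamp is checked here; whether the
        // expiry is still in the future is not checked in this class — confirm the caller enforces that.
        Duration lifetime = Duration.between(instant, instant2);
        if (lifetime.isNegative() || lifetime.compareTo(MAX_PRESIGNED_REQUEST_AGE) > 0) {
            log.debug("Presigned request expiry is inconsistent with request timestamp. RequestTime: %s Expiry: %s", instant, instant2);
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        // A presigned URL may have been minted up to MAX_PRESIGNED_REQUEST_AGE ago, but it may not be dated
        // further into the future than the configured clock drift.
        enforceMaxDrift(instant, MAX_PRESIGNED_REQUEST_AGE, duration);

        Aws4PresignerParams.Builder presignerParams = Aws4PresignerParams.builder().expirationTime(instant2);
        return internalSign(
                (signingApi, request) -> {
                    SdkHttpFullRequest presigned = signingApi.presign(request, presignerParams.build());
                    // The presigner emits the authorization as query parameters; parse them back out.
                    RequestAuthorization requestAuthorization = SigningQueryParameters
                            .splitQueryParameters(ImmutableMultiMap.copyOf(presigned.rawQueryParameters().entrySet()))
                            .toRequestAuthorization()
                            .orElseThrow(() -> {
                                log.debug("Presigner did not generate a valid request");
                                return new WebApplicationException(Response.Status.BAD_REQUEST);
                            });
                    return new InternalRequestAuthorization(requestAuthorization, presigned.getUri());
                },
                SdkHttpFullRequest.builder(),
                presignerParams,
                signingServiceType,
                uri,
                signingHeaders,
                multiMap,
                str,
                instant,
                str2,
                credential);
    }

    /**
     * Recomputes the signature of a header-authorized request.
     *
     * @param signingServiceType service the request targets; supplies the signing name and signer traits
     * @param uri request URI; its query string is discarded and rebuilt from {@code multiMap}
     * @param signingHeaders headers that take part in the signature
     * @param multiMap query parameters to sign
     * @param str signing region
     * @param instant request timestamp carried by the request
     * @param str2 HTTP method
     * @param credential access key, secret key and optional session token to sign with
     * @param duration maximum tolerated clock drift in either direction
     * @param requestContent request body descriptor; decides chunked-encoding signing and supplies the
     *        body stream when the service does not stream content
     * @return signing context holding the recomputed {@code Authorization} value
     * @throws WebApplicationException 400 when the request time is outside the drift window or the signer
     *         produced no {@code Authorization} header; 401 when the authorization is invalid
     */
    static SigningContext sign(
            SigningServiceType signingServiceType,
            URI uri,
            SigningHeaders signingHeaders,
            MultiMap multiMap,
            String str,
            Instant instant,
            String str2,
            Credential credential,
            Duration duration,
            RequestContent requestContent)
    {
        // Header-signed requests get a symmetric window: at most `duration` in the past or the future.
        enforceMaxDrift(instant, duration, duration);

        boolean chunkedBody = requestContent.contentType() == RequestContent.ContentType.AWS_CHUNKED
                || requestContent.contentType() == RequestContent.ContentType.AWS_CHUNKED_IN_W3C_CHUNKED;
        AwsS3V4SignerParams.Builder signerParams = AwsS3V4SignerParams.builder()
                .enablePayloadSigning(true)
                .enableChunkedEncoding(chunkedBody);

        SdkHttpFullRequest.Builder requestBuilder = SdkHttpFullRequest.builder();
        if (signingServiceType.hasTrait(SigningTrait.STREAM_CONTENT)) {
            // Streamed bodies are not handed to the signer; the client-supplied content hash is forwarded
            // under a private header name instead — presumably consumed by the signers in Signers; confirm.
            signingHeaders.getFirst("x-amz-content-sha256")
                    .ifPresent(contentHash -> requestBuilder.putHeader("__TRINO__OVERRIDE_CONTENT_HASH__", contentHash));
        }
        else {
            requestContent.inputStream()
                    .ifPresent(inputStream -> requestBuilder.contentStreamProvider(() -> inputStream));
        }

        return internalSign(
                (signingApi, request) -> {
                    SdkHttpFullRequest signed = signingApi.sign(request, signerParams.build());
                    String authorization = signed.firstMatchingHeader("Authorization").orElseThrow(() -> {
                        log.debug("Signer did not generate \"Authorization\" header");
                        return new WebApplicationException(Response.Status.BAD_REQUEST);
                    });
                    return new InternalRequestAuthorization(RequestAuthorization.parse(authorization, credential.session()), signed.getUri());
                },
                requestBuilder,
                signerParams,
                signingServiceType,
                uri,
                signingHeaders,
                multiMap,
                str,
                instant,
                str2,
                credential);
    }

    /**
     * Shared signing pipeline: assembles the SDK request and signer parameters, picks the signer that
     * matches the service's traits, runs {@code signer}, and packages the result.
     *
     * @param signer applies the SDK signer (sign or presign) to the assembled request
     * @param requestBuilder partially prepared SDK request (content / content-hash override already set)
     * @param signerParams signer parameter builder; name, region, credentials and clock are filled in here
     * @param signingServiceType service being signed for
     * @param requestUri request URI whose path and scheme/host are signed; its query string is replaced
     * @param signingHeaders headers to sign
     * @param queryParameters query parameters to sign
     * @param region signing region
     * @param requestTime request timestamp; also used as the signer's fixed clock
     * @param httpMethod HTTP method
     * @param credential credentials to sign with
     * @return signing context for the produced authorization
     * @throws WebApplicationException propagated from {@code signer} and from {@link #buildSigningContext}
     */
    private static <R extends Aws4SignerParams.Builder<R>> SigningContext internalSign(
            BiFunction<Signers.SigningApi, SdkHttpFullRequest, InternalRequestAuthorization> signer,
            SdkHttpFullRequest.Builder requestBuilder,
            R signerParams,
            SigningServiceType signingServiceType,
            URI requestUri,
            SigningHeaders signingHeaders,
            MultiMap queryParameters,
            String region,
            Instant requestTime,
            String httpMethod,
            Credential credential)
    {
        // The incoming query string is dropped and rebuilt from queryParameters so that exactly the
        // parameters the caller chose are signed; headers likewise come only from signingHeaders.
        requestBuilder.uri(UriBuilder.fromUri(requestUri).replaceQuery("").build())
                .method(SdkHttpMethod.fromValue(httpMethod));
        signingHeaders.lowercaseHeadersToSign()
                .forEach(entry -> entry.getValue().forEach(value -> requestBuilder.appendHeader(entry.getKey(), value)));
        queryParameters.forEach(requestBuilder::putRawQueryParameter);

        AwsCredentials awsCredentials = credential.session()
                .<AwsCredentials>map(sessionToken -> AwsSessionCredentials.create(credential.accessKey(), credential.secretKey(), sessionToken))
                .orElseGet(() -> AwsBasicCredentials.create(credential.accessKey(), credential.secretKey()));

        signerParams.signingName(signingServiceType.serviceName())
                .signingRegion(Region.of(region))
                .doubleUrlEncode(false)
                .awsCredentials(awsCredentials);
        // Fix the signer's clock at the request's own timestamp so it signs the date the client used,
        // not the proxy's wall-clock time.
        signerParams.signingClockOverride(Clock.fixed(requestTime, AwsTimestamp.ZONE));

        Signers.SigningApi signingApi;
        if (signingServiceType.hasTrait(SigningTrait.S3V4_SIGNER)) {
            signingApi = isLegacy(signingHeaders) ? Signers.legacyS3AwsV4Signer : Signers.awsS3V4Signer;
        }
        else {
            signingApi = Signers.awsV4Signer;
        }

        InternalRequestAuthorization result = signer.apply(signingApi, requestBuilder.build());
        byte[] signingKey = signingKey(awsCredentials, new Aws4SignerRequestParams(signerParams.build()));
        return buildSigningContext(result, signingKey, requestTime, signingHeaders.getFirst("x-amz-content-sha256"));
    }

    /**
     * Wraps a produced authorization in a {@link SigningContext}, rejecting invalid authorizations.
     *
     * @param internalRequestAuthorization signer output
     * @param signingKey derived SigV4 signing key, seeding the chunk signer
     * @param requestTime request timestamp, seeding the chunk signer
     * @param contentHash client-supplied {@code x-amz-content-sha256}, if any
     * @return the signing context
     * @throws WebApplicationException 401 when the authorization is not valid
     */
    private static SigningContext buildSigningContext(
            InternalRequestAuthorization internalRequestAuthorization,
            byte[] signingKey,
            Instant requestTime,
            Optional<String> contentHash)
    {
        RequestAuthorization requestAuthorization = internalRequestAuthorization.requestAuthorization();
        if (!requestAuthorization.isValid()) {
            log.debug("Invalid RequestAuthorization. RequestAuthorization: %s", internalRequestAuthorization);
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        ChunkSigner chunkSigner = new ChunkSigner(requestTime, requestAuthorization.keyPath(), signingKey);
        return new SigningContext(
                requestAuthorization,
                new InternalChunkSigningSession(chunkSigner, requestAuthorization.signature()),
                contentHash,
                internalRequestAuthorization.signingUri());
    }

    /**
     * Rejects requests whose timestamp is more than {@code maxPast} before now or more than
     * {@code maxFuture} after now.
     *
     * @param requestTime request timestamp
     * @param maxPast how far in the past the timestamp may be
     * @param maxFuture how far in the future the timestamp may be
     * @throws WebApplicationException 400 when the timestamp is outside the window
     */
    private static void enforceMaxDrift(Instant requestTime, Duration maxPast, Duration maxFuture)
    {
        Instant now = Instant.now();
        // Positive when the request is dated in the future, negative when in the past.
        Duration drift = Duration.between(now, requestTime);
        if (drift.compareTo(maxPast.negated()) < 0 || drift.compareTo(maxFuture) > 0) {
            log.debug("Request time exceeds max drift. RequestTime: %s Now: %s", requestTime, now);
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Returns whether the legacy S3 signer applies: requests that sign the {@code user-agent} header.
     */
    private static boolean isLegacy(SigningHeaders signingHeaders)
    {
        return signingHeaders.hasHeaderToSign("user-agent");
    }
}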
