package net.jolivier.s3api.http;

import com.google.common.base.Strings;
import jakarta.inject.Singleton;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.UriInfo;
import jakarta.ws.rs.ext.Provider;
import java.net.URI;
import net.jolivier.s3api.auth.AwsSigV4;
import net.jolivier.s3api.auth.S3Context;
import net.jolivier.s3api.exception.InvalidAuthException;
import net.jolivier.s3api.exception.NoSuchBucketException;
import net.jolivier.s3api.exception.RequestFailedException;
import net.jolivier.s3api.model.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
@Provider
/* loaded from: input_file:net/jolivier/s3api/http/SignatureFilter.class */
public class SignatureFilter implements ContainerRequestFilter {
    public static final String CTX_KEY = "s3ctx";
    private static final Logger _logger = LoggerFactory.getLogger(SignatureFilter.class);
    public static final String ORIG_URI = "originalUri";

    public void filter(ContainerRequestContext containerRequestContext) {
        UriInfo uriInfo = containerRequestContext.getUriInfo();
        String createRequestId = S3Context.createRequestId();
        String headerString = containerRequestContext.getHeaderString("Authorization");
        if (!Strings.isNullOrEmpty(headerString)) {
            AwsSigV4 awsSigV4 = new AwsSigV4(headerString);
            if (!headerString.equals(RequestUtils.calculateV4Sig(containerRequestContext, containerRequestContext.getPropertyNames().contains(ORIG_URI) ? (URI) containerRequestContext.getProperty(ORIG_URI) : uriInfo.getRequestUri(), awsSigV4.signedHeaders(), awsSigV4.accessKeyId(), ApiPoint.auth().user(awsSigV4.accessKeyId()).secretAccessKey(), awsSigV4.region()))) {
                throw InvalidAuthException.invalidAuth();
            }
            containerRequestContext.setProperty("sigv4", awsSigV4);
        }
        String str = (String) containerRequestContext.getProperty("bucket");
        boolean z = false;
        if (Strings.isNullOrEmpty(str) && !Strings.isNullOrEmpty(containerRequestContext.getUriInfo().getPath())) {
            throw RequestFailedException.invalidRequest("NoBucket", "No bucket provided");
        }
        if (!Strings.isNullOrEmpty(str)) {
            if (!RequestUtils.BUCKET_REGEX.matcher(str).matches()) {
                throw RequestFailedException.invalidBucketName();
            }
            if (!"PUT".equals(containerRequestContext.getMethod()) && !ApiPoint.data().bucketExists(str)) {
                throw NoSuchBucketException.noSuchBucket(str);
            }
            z = ApiPoint.data().isBucketPublic(str);
        }
        if (z) {
            containerRequestContext.setProperty(CTX_KEY, S3Context.bucketPublic(createRequestId, str, ApiPoint.auth().findOwner(str)));
            return;
        }
        if (Strings.isNullOrEmpty(headerString)) {
            throw InvalidAuthException.noAuthorizationHeader();
        }
        AwsSigV4 awsSigV42 = new AwsSigV4(headerString);
        User user = ApiPoint.auth().user(awsSigV42.accessKeyId());
        if (!headerString.equals(RequestUtils.calculateV4Sig(containerRequestContext, containerRequestContext.getPropertyNames().contains(ORIG_URI) ? (URI) containerRequestContext.getProperty(ORIG_URI) : uriInfo.getRequestUri(), awsSigV42.signedHeaders(), awsSigV42.accessKeyId(), user.secretAccessKey(), awsSigV42.region()))) {
            throw InvalidAuthException.invalidAuth();
        }
        containerRequestContext.setProperty("sigv4", awsSigV42);
        if (Strings.isNullOrEmpty(str)) {
            containerRequestContext.setProperty(CTX_KEY, S3Context.noBucket(createRequestId, user, ApiPoint.auth().findOwner(user)));
        } else {
            containerRequestContext.setProperty(CTX_KEY, S3Context.bucketRestricted(createRequestId, str, user, ApiPoint.auth().findOwner(user)));
        }
    }
}
