package org.opensearch.migrations.aws;

import java.net.URI;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.opensearch.migrations.IHttpMessage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.signer.internal.BaseAws4Signer;
import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;
import software.amazon.awssdk.core.checksums.SdkChecksum;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.utils.BinaryUtils;

/* loaded from: input_file:org/opensearch/migrations/aws/SigV4Signer.class */
public class SigV4Signer {
    public static final String CONTENT_TYPE = "Content-Type";
    private MessageDigest messageDigest;
    private AwsCredentialsProvider credentialsProvider;
    private String service;
    private String region;
    private String protocol;
    private Supplier<Clock> timestampSupplier;

    @Generated
    private static final Logger log = LoggerFactory.getLogger(SigV4Signer.class);
    private static final HashSet<String> AUTH_HEADERS_TO_PULL_NO_PAYLOAD = new HashSet<>(Set.of("authorization", "x-amz-date", "x-amz-security-token"));
    public static final String AMZ_CONTENT_SHA_256 = "x-amz-content-sha256";
    private static final HashSet<String> AUTH_HEADERS_TO_PULL_WITH_PAYLOAD = (HashSet) Stream.concat(AUTH_HEADERS_TO_PULL_NO_PAYLOAD.stream(), Stream.of(AMZ_CONTENT_SHA_256)).collect(Collectors.toCollection(HashSet::new));

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/opensearch/migrations/aws/SigV4Signer$AwsSignerWithPrecomputedContentHash.class */
    public static class AwsSignerWithPrecomputedContentHash extends BaseAws4Signer {
        private AwsSignerWithPrecomputedContentHash() {
        }

        protected String calculateContentHash(SdkHttpFullRequest.Builder builder, Aws4SignerParams aws4SignerParams, SdkChecksum sdkChecksum) {
            List list = (List) builder.headers().get(SigV4Signer.AMZ_CONTENT_SHA_256);
            return list != null ? (String) list.get(0) : super.calculateContentHash(builder, aws4SignerParams, sdkChecksum);
        }
    }

    public SigV4Signer(AwsCredentialsProvider awsCredentialsProvider, String str, String str2, String str3, Supplier<Clock> supplier) {
        this.credentialsProvider = awsCredentialsProvider;
        this.service = str;
        this.region = str2;
        this.protocol = str3;
        this.timestampSupplier = supplier;
    }

    public void consumeNextPayloadPart(ByteBuffer byteBuffer) {
        if (byteBuffer.remaining() <= 0) {
            return;
        }
        if (this.messageDigest == null) {
            try {
                this.messageDigest = MessageDigest.getInstance("SHA-256");
            } catch (NoSuchAlgorithmException e) {
                throw e;
            }
        }
        this.messageDigest.update(byteBuffer);
    }

    public Map<String, List<String>> finalizeSignature(IHttpMessage iHttpMessage) {
        return (Map) getSignatureHeadersViaSdk(iHttpMessage).collect(Collectors.toUnmodifiableMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    private Stream<Map.Entry<String, List<String>>> getSignatureHeadersViaSdk(IHttpMessage iHttpMessage) {
        AwsSignerWithPrecomputedContentHash awsSignerWithPrecomputedContentHash = new AwsSignerWithPrecomputedContentHash();
        SdkHttpFullRequest.Builder builder = SdkHttpFullRequest.builder();
        builder.method(SdkHttpMethod.fromValue(iHttpMessage.method())).uri(URI.create(iHttpMessage.path())).protocol(this.protocol).host(iHttpMessage.getFirstHeaderValueCaseInsensitive("Host").orElseThrow(() -> {
            return new IllegalArgumentException("Host header is missing");
        }));
        iHttpMessage.getFirstHeaderValueCaseInsensitive(CONTENT_TYPE).ifPresent(str -> {
            builder.appendHeader(CONTENT_TYPE, str);
        });
        if (this.messageDigest != null) {
            builder.appendHeader(AMZ_CONTENT_SHA_256, BinaryUtils.toHex(this.messageDigest.digest()));
        }
        SdkHttpFullRequest build = builder.build();
        Aws4SignerParams.Builder awsCredentials = Aws4SignerParams.builder().signingName(this.service).signingRegion(Region.of(this.region)).awsCredentials(this.credentialsProvider.resolveCredentials());
        if (this.timestampSupplier != null) {
            awsCredentials.signingClockOverride(this.timestampSupplier.get());
        }
        SdkHttpFullRequest sign = awsSignerWithPrecomputedContentHash.sign(build, awsCredentials.build());
        HashSet<String> hashSet = this.messageDigest == null ? AUTH_HEADERS_TO_PULL_NO_PAYLOAD : AUTH_HEADERS_TO_PULL_WITH_PAYLOAD;
        return sign.headers().entrySet().stream().filter(entry -> {
            return hashSet.contains(((String) entry.getKey()).toLowerCase());
        });
    }
}
