package io.kroxylicious.kms.provider.aws.kms;

import edu.umd.cs.findbugs.annotations.NonNull;
import io.kroxylicious.kms.service.KmsException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Flow;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/kroxylicious/kms/provider/aws/kms/AwsV4SigningHttpRequestBuilder.class */
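/**
 * {@link HttpRequest.Builder} decorator that signs the request it builds with the
 * {@code AWS4-HMAC-SHA256} scheme.
 *
 * <p>Every builder call is forwarded to a wrapped JDK builder. {@link #build()} then adds the
 * {@code X-Amz-Date} and {@code Authorization} headers computed from the request line, the signed
 * headers and the SHA-256 of the request body.
 *
 * <p>Review notes on what the signature does and does not cover:
 * <ul>
 * <li>Only headers with exactly one value are signed (see {@code getSingleValuedHeaders}); a
 * multi-valued header is still sent but is not integrity-protected by the signature.</li>
 * <li>The path and query are taken from {@link URI#getPath()} and {@link URI#getQuery()} as-is.
 * Signature V4 canonicalisation expects a percent-encoded path and sorted, percent-encoded query
 * parameters, so this is only equivalent for simple requests without a query string.
 * NOTE(review): confirm no caller signs a URI with query parameters.</li>
 * <li>The signing instant is fixed when the builder is created. NOTE(review): a long-lived
 * builder will keep producing signatures with that timestamp, which the service may reject.</li>
 * </ul>
 *
 * <p>Not thread-safe: the payload digest is kept in a mutable field.
 */
public class AwsV4SigningHttpRequestBuilder implements HttpRequest.Builder {
    private static final Pattern CONSECUTIVE_WHITESPACE = Pattern.compile("\\s+");
    private static final DateTimeFormatter DATE_TIME_FORMATTER = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneOffset.UTC);
    private static final HexFormat HEX_FORMATTER = HexFormat.of();
    private static final String NO_PAYLOAD_HEXED_SHA256 = HEX_FORMATTER.formatHex(newSha256Digester().digest(new byte[0]));
    private static final String X_AMZ_DATE_HEADER = "X-Amz-Date";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String HOST_HEADER = "Host";
    private static final String AWS_4_REQUEST = "aws4_request";
    private final String accessKey;
    // Long-term secret: it only ever feeds the HMAC key derivation and must never be logged or
    // placed in an exception message.
    private final String secretKey;
    private final String region;
    private final String service;
    private final Instant date;
    private final HttpRequest.Builder builder;
    // Hex SHA-256 of the most recently supplied request body, or null when the request has none.
    private String payloadHexedSha256;

    /**
     * Outcome of canonicalising a request: the {@code ;}-joined signed header names and the hex
     * SHA-256 of the canonical request text.
     *
     * <p>The decompiler output showed this type with widened access and noted that it was
     * originally private; it is declared as a private record again here.
     */
    private record CanonicalRequestResult(String signedHeaders, String canonicalRequestHash) {
    }

    /**
     * Credential scope and the string-to-sign derived from it.
     *
     * <p>The decompiler output showed this type with widened access and noted that it was
     * originally private; it is declared as a private record again here.
     */
    private record StringToSignResult(String credentialScope, String stringToSign) {
    }

    /**
     * Creates a signing builder around a fresh {@link HttpRequest#newBuilder()}.
     *
     * @param accessKey access key id placed in the {@code Credential} element
     * @param secretKey secret key used to derive the signing key
     * @param region region component of the credential scope
     * @param service service component of the credential scope
     * @param date instant used for {@code X-Amz-Date} and the scope date
     * @return a builder whose {@link #build()} returns a signed request
     * @throws NullPointerException if any argument is null
     */
    public static HttpRequest.Builder newBuilder(@NonNull String accessKey, @NonNull String secretKey, @NonNull String region, @NonNull String service,
                                                 @NonNull Instant date) {
        return new AwsV4SigningHttpRequestBuilder(accessKey, secretKey, region, service, date, HttpRequest.newBuilder());
    }

    private AwsV4SigningHttpRequestBuilder(String accessKey, String secretKey, String region, String service, Instant date, HttpRequest.Builder builder) {
        Objects.requireNonNull(accessKey);
        Objects.requireNonNull(secretKey);
        Objects.requireNonNull(region);
        Objects.requireNonNull(service);
        Objects.requireNonNull(date);
        Objects.requireNonNull(builder);
        this.accessKey = accessKey;
        this.secretKey = secretKey;
        this.region = region;
        this.service = service;
        this.date = date;
        this.builder = builder;
    }

    @Override
    public HttpRequest.Builder expectContinue(boolean enable) {
        this.builder.expectContinue(enable);
        return this;
    }

    @Override
    public HttpRequest.Builder version(HttpClient.Version version) {
        this.builder.version(version);
        return this;
    }

    @Override
    public HttpRequest.Builder header(String name, String value) {
        this.builder.header(name, value);
        return this;
    }

    @Override
    public HttpRequest.Builder headers(String... headers) {
        this.builder.headers(headers);
        return this;
    }

    @Override
    public HttpRequest.Builder timeout(Duration duration) {
        this.builder.timeout(duration);
        return this;
    }

    @Override
    public HttpRequest.Builder setHeader(String name, String value) {
        this.builder.setHeader(name, value);
        return this;
    }

    @Override
    public HttpRequest.Builder GET() {
        this.builder.GET();
        // A body digest left over from an earlier POST/PUT must not be signed for a bodiless request.
        this.payloadHexedSha256 = null;
        return this;
    }

    @Override
    public HttpRequest.Builder POST(HttpRequest.BodyPublisher bodyPublisher) {
        this.builder.POST(digestingPublisher(bodyPublisher));
        return this;
    }

    @Override
    public HttpRequest.Builder PUT(HttpRequest.BodyPublisher bodyPublisher) {
        this.builder.PUT(digestingPublisher(bodyPublisher));
        return this;
    }

    @Override
    public HttpRequest.Builder DELETE() {
        this.builder.DELETE();
        // Same reasoning as GET(): drop any stale body digest.
        this.payloadHexedSha256 = null;
        return this;
    }

    @Override
    public HttpRequest.Builder method(String method, HttpRequest.BodyPublisher bodyPublisher) {
        this.builder.method(method, digestingPublisher(bodyPublisher));
        return this;
    }

    /**
     * Returns an independent signing builder with the same credentials, scope and request state.
     *
     * <p>The body digest is carried over together with the copied body publisher; without it the
     * copy would sign the empty-payload hash for a request that still has a body.
     */
    @Override
    public HttpRequest.Builder copy() {
        AwsV4SigningHttpRequestBuilder duplicate = new AwsV4SigningHttpRequestBuilder(this.accessKey, this.secretKey, this.region, this.service, this.date,
                this.builder.copy());
        duplicate.payloadHexedSha256 = this.payloadHexedSha256;
        return duplicate;
    }

    @Override
    public HttpRequest.Builder uri(URI uri) {
        this.builder.uri(uri);
        return this;
    }

    /**
     * Signs the request and builds it. May be called more than once; each call recomputes the
     * signature and replaces the headers written by the previous call.
     */
    @Override
    public HttpRequest build() {
        signRequest();
        return this.builder.build();
    }

    /**
     * Drains {@code bodyPublisher}, hashing the bytes it emits, and returns a publisher that
     * replays those bytes.
     *
     * <p>NOTE(review): the replay list is read immediately after {@code subscribe} returns, so this
     * relies on the publisher delivering all items synchronously during subscription; a publisher
     * that emits later would yield an empty body and no digest.
     *
     * @throws IllegalStateException if the publisher signals an error
     */
    @NonNull
    private HttpRequest.BodyPublisher digestingPublisher(HttpRequest.BodyPublisher bodyPublisher) {
        final List<HttpRequest.BodyPublisher> replayChunks = new ArrayList<>();
        bodyPublisher.subscribe(new Flow.Subscriber<ByteBuffer>() {
            final MessageDigest digest = AwsV4SigningHttpRequestBuilder.newSha256Digester();

            @Override
            public void onSubscribe(Flow.Subscription subscription) {
                subscription.request(Long.MAX_VALUE);
            }

            @Override
            public void onNext(ByteBuffer byteBuffer) {
                // Copy only the readable region. ByteBuffer.array() exposes the whole backing
                // array regardless of position/limit/offset and is unavailable for direct or
                // read-only buffers, so using it could hash and send bytes that are not part
                // of the body.
                ByteBuffer view = byteBuffer.duplicate();
                byte[] chunk = new byte[view.remaining()];
                view.get(chunk);
                this.digest.update(chunk);
                replayChunks.add(HttpRequest.BodyPublishers.ofByteArray(chunk));
            }

            @Override
            public void onError(Throwable th) {
                throw new IllegalStateException(th);
            }

            @Override
            public void onComplete() {
                AwsV4SigningHttpRequestBuilder.this.payloadHexedSha256 = AwsV4SigningHttpRequestBuilder.HEX_FORMATTER.formatHex(this.digest.digest());
            }
        });
        return HttpRequest.BodyPublishers.concat(replayChunks.toArray(new HttpRequest.BodyPublisher[0]));
    }

    /**
     * Computes the signature over the request as currently configured and stores the
     * {@code Authorization} and {@code X-Amz-Date} headers on the wrapped builder.
     */
    private void signRequest() {
        String isoDateTime = DATE_TIME_FORMATTER.format(this.date);
        String isoDate = isoDateTime.substring(0, 8);
        HttpRequest unsignedRequest = this.builder.build();
        Map<String, String> headersToSign = new HashMap<>(getSingleValuedHeaders(unsignedRequest));
        // Headers owned by the signer are dropped before the canonical values are inserted:
        // an Authorization header left by an earlier build() must not be signed, and a
        // differently-cased Host/X-Amz-Date key must not appear twice in the signed list.
        headersToSign.keySet().removeIf(AwsV4SigningHttpRequestBuilder::isSignerManagedHeader);
        headersToSign.put(HOST_HEADER, getHostHeaderForSigning(unsignedRequest.uri()));
        headersToSign.put(X_AMZ_DATE_HEADER, isoDateTime);
        CanonicalRequestResult canonicalRequest = computeCanonicalRequest(headersToSign, unsignedRequest);
        StringToSignResult stringToSign = computeStringToSign(canonicalRequest, isoDateTime, isoDate);
        String authorization = computeAuthorization(canonicalRequest, stringToSign, isoDate);
        // setHeader replaces rather than appends, so a repeated build() leaves exactly one
        // value for each of these headers.
        this.builder.setHeader(AUTHORIZATION_HEADER, authorization);
        this.builder.setHeader(X_AMZ_DATE_HEADER, isoDateTime);
    }

    /**
     * Builds the canonical request text (method, path, query, sorted lower-cased headers, blank
     * line, signed header list, payload hash) and hashes it.
     *
     * @param map header names and values to sign
     * @param httpRequest request supplying method and URI
     */
    @NonNull
    private CanonicalRequestResult computeCanonicalRequest(Map<String, String> map, HttpRequest httpRequest) {
        URI uri = httpRequest.uri();
        String path = Optional.ofNullable(uri.getPath()).filter(Predicate.not(String::isEmpty)).orElse("/");
        String query = Optional.ofNullable(uri.getQuery()).orElse("");

        List<String> canonicalLines = new ArrayList<>();
        canonicalLines.add(httpRequest.method());
        canonicalLines.add(path);
        canonicalLines.add(query);

        List<String> signedHeaderNames = new ArrayList<>(map.size());
        List<String> orderedNames = map.keySet().stream()
                .sorted(Comparator.comparing((String name) -> name.toLowerCase(Locale.ROOT)))
                .toList();
        for (String name : orderedNames) {
            String lowerName = name.toLowerCase(Locale.ROOT);
            signedHeaderNames.add(lowerName);
            canonicalLines.add(lowerName + ":" + normalizeHeaderValue(map.get(name)));
        }
        // Empty line separating the header block from the signed header list.
        canonicalLines.add("");
        String signedHeaders = String.join(";", signedHeaderNames);
        canonicalLines.add(signedHeaders);
        canonicalLines.add(this.payloadHexedSha256 == null ? NO_PAYLOAD_HEXED_SHA256 : this.payloadHexedSha256);

        String canonicalRequest = String.join("\n", canonicalLines);
        return new CanonicalRequestResult(signedHeaders, HEX_FORMATTER.formatHex(sha256(canonicalRequest.getBytes(StandardCharsets.UTF_8))));
    }

    /**
     * Assembles the string-to-sign from the algorithm name, timestamp, credential scope and
     * canonical request hash.
     *
     * @param isoDateTime timestamp in {@code yyyyMMdd'T'HHmmss'Z'} form
     * @param isoDate the {@code yyyyMMdd} prefix of {@code isoDateTime}
     */
    @NonNull
    private StringToSignResult computeStringToSign(CanonicalRequestResult canonicalRequestResult, String isoDateTime, String isoDate) {
        String credentialScope = isoDate + "/" + this.region + "/" + this.service + "/" + AWS_4_REQUEST;
        List<String> lines = new ArrayList<>();
        lines.add("AWS4-HMAC-SHA256");
        lines.add(isoDateTime);
        lines.add(credentialScope);
        lines.add(canonicalRequestResult.canonicalRequestHash());
        return new StringToSignResult(credentialScope, String.join("\n", lines));
    }

    /**
     * Derives the signing key by chaining HMACs over date, region, service and the
     * {@code aws4_request} terminator, signs the string-to-sign and formats the
     * {@code Authorization} header value.
     *
     * <p>The returned value contains the access key id and signature but never the secret key.
     */
    @NonNull
    private String computeAuthorization(CanonicalRequestResult canonicalRequestResult, StringToSignResult stringToSignResult, String isoDate) {
        byte[] dateKey = hmac(("AWS4" + this.secretKey).getBytes(StandardCharsets.UTF_8), isoDate);
        byte[] regionKey = hmac(dateKey, this.region);
        byte[] serviceKey = hmac(regionKey, this.service);
        byte[] signingKey = hmac(serviceKey, AWS_4_REQUEST);
        String signature = HEX_FORMATTER.formatHex(hmac(signingKey, stringToSignResult.stringToSign()));
        return "AWS4-HMAC-SHA256 Credential=" + this.accessKey + "/" + stringToSignResult.credentialScope() + ", SignedHeaders="
                + canonicalRequestResult.signedHeaders() + ", Signature=" + signature;
    }

    /**
     * Returns the {@code Host} value to sign: the bare host when the port is absent or is the
     * scheme default (443 for https, 80 otherwise), else {@code host:port}.
     */
    String getHostHeaderForSigning(URI uri) {
        int port = uri.getPort();
        String host = uri.getHost();
        boolean defaultPort;
        if (port == -1) {
            defaultPort = true;
        }
        else {
            boolean https = uri.getScheme().toLowerCase(Locale.ROOT).equals("https");
            defaultPort = port == (https ? 443 : 80);
        }
        return defaultPort ? host : host + ":" + port;
    }

    /** True for the headers this class computes itself and therefore overrides when signing. */
    private static boolean isSignerManagedHeader(String name) {
        return AUTHORIZATION_HEADER.equalsIgnoreCase(name) || X_AMZ_DATE_HEADER.equalsIgnoreCase(name) || HOST_HEADER.equalsIgnoreCase(name);
    }

    /** Collapses each whitespace run to one space and trims the ends. */
    private static String normalizeHeaderValue(String value) {
        return CONSECUTIVE_WHITESPACE.matcher(value).replaceAll(" ").trim();
    }

    /** Returns the SHA-256 digest of {@code bytes}. */
    private static byte[] sha256(byte[] bytes) {
        MessageDigest digester = newSha256Digester();
        digester.update(bytes);
        return digester.digest();
    }

    /**
     * Returns HMAC-SHA256 of the UTF-8 bytes of {@code data} under {@code key}.
     *
     * @throws KmsException if the key is rejected by the MAC implementation
     */
    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = newHmacSha256();
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        }
        catch (InvalidKeyException e) {
            throw new KmsException("Failed to initialize hmac", e);
        }
    }

    /**
     * Creates a new {@code HmacSHA256} instance.
     *
     * @throws KmsException if the algorithm is unavailable
     */
    @NonNull
    private static Mac newHmacSha256() {
        try {
            return Mac.getInstance("HmacSHA256");
        }
        catch (NoSuchAlgorithmException e) {
            throw new KmsException("Failed to create SHA-256 hmac", e);
        }
    }

    /**
     * Creates a new {@code SHA-256} digest instance.
     *
     * @throws KmsException if the algorithm is unavailable
     */
    @NonNull
    private static MessageDigest newSha256Digester() {
        try {
            return MessageDigest.getInstance("SHA-256");
        }
        catch (NoSuchAlgorithmException e) {
            throw new KmsException("Failed to create SHA-256 digester", e);
        }
    }

    /** Returns the request headers that carry exactly one value, keyed by header name. */
    @NonNull
    private static Map<String, String> getSingleValuedHeaders(HttpRequest httpRequest) {
        return httpRequest.headers().map().entrySet().stream()
                .filter(AwsV4SigningHttpRequestBuilder::hasSingleValue)
                .collect(Collectors.toMap(Map.Entry::getKey, entry -> entry.getValue().get(0)));
    }

    private static boolean hasSingleValue(Map.Entry<String, List<String>> entry) {
        return entry.getValue() != null && entry.getValue().size() == 1;
    }
}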
