package alluxio.proxy.s3.signature;

import alluxio.proxy.s3.S3Constants;
import alluxio.proxy.s3.S3ErrorCode;
import alluxio.proxy.s3.S3Exception;
import alluxio.proxy.s3.S3RestUtils;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.net.UnknownHostException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import java.util.StringJoiner;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import org.apache.kerby.util.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:alluxio/proxy/s3/signature/StringToSignProducer.class */
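/**
 * Builds the AWS Signature Version 4 style "string to sign" for an incoming S3 request.
 *
 * <p>The string to sign is {@code algorithm \n dateTime \n credentialScope \n
 * hex(SHA-256(canonicalRequest))}. The server recomputes it from the request it received, so the
 * signature check (performed elsewhere) only succeeds when the client signed exactly the same
 * method, path, query string, signed headers and payload hash.
 *
 * <p>Everything this class reads from the request is client-controlled and is processed
 * <em>before</em> the signature has been verified, so all of it must be treated as untrusted.
 */
public final class StringToSignProducer {
    private static final Logger LOG = LoggerFactory.getLogger(StringToSignProducer.class);
    private static final String NEWLINE = "\n";
    private static final String HOST = "host";
    private static final String X_AMZ_DATE = "x-amz-date";
    private static final String UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD";
    private static final String SHA_256_ALGORITHM = "SHA-256";
    // 7 days, in seconds; used as the accepted clock window around x-amz-date.
    private static final long PRESIGN_URL_MAX_EXPIRATION_SECONDS = 604800;

    private StringToSignProducer() {
    }

    /**
     * Builds the string to sign from a JAX-RS request context.
     *
     * @param signatureInfo parsed signature metadata (algorithm, date, scope, signed headers)
     * @param containerRequestContext the incoming request
     * @return the string to sign
     * @throws Exception if a signed header is missing or invalid, or SHA-256 is unavailable
     */
    public static String createSignatureBase(SignatureInfo signatureInfo, ContainerRequestContext containerRequestContext) throws Exception {
        URI requestUri = containerRequestContext.getUriInfo().getRequestUri();
        // The boolean flags are passed through to S3RestUtils unchanged; their meaning is defined there.
        Map<String, String> headers = S3RestUtils.fromMultiValueToSingleValueMap(containerRequestContext.getHeaders(), true);
        Map<String, String> queryParams = S3RestUtils.fromMultiValueToSingleValueMap(containerRequestContext.getUriInfo().getQueryParameters(), false);
        return createSignatureBase(signatureInfo, requestUri.getScheme(), containerRequestContext.getMethod(), requestUri.getPath(), headers, queryParams);
    }

    /**
     * Builds the string to sign from a servlet request.
     *
     * <p>NOTE(review): {@code HttpServletRequest.getRequestURI()} returns the path as sent (not
     * percent-decoded), while the JAX-RS overload passes {@code URI.getPath()}, which is decoded.
     * Because {@link #getCanonicalUri} encodes every segment, a path containing escapes may
     * canonicalize differently between the two entry points; confirm this is intended.
     *
     * @param signatureInfo parsed signature metadata
     * @param httpServletRequest the incoming request
     * @return the string to sign
     * @throws Exception if a signed header is missing or invalid, or SHA-256 is unavailable
     */
    public static String createSignatureBase(SignatureInfo signatureInfo, HttpServletRequest httpServletRequest) throws Exception {
        return createSignatureBase(signatureInfo, httpServletRequest.getScheme(), httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), getHeaders(httpServletRequest), getParameterMap(httpServletRequest));
    }

    /**
     * Builds the string to sign from already-extracted request parts.
     *
     * @param signatureInfo parsed signature metadata
     * @param scheme request scheme, used only to validate a signed {@code host} header
     * @param method HTTP method
     * @param uri request path; a blank path is treated as {@code "/"}
     * @param headers request headers, one value per name
     * @param queryParams query parameters, one value per name
     * @return the string to sign
     * @throws Exception if a signed header is missing or invalid, or SHA-256 is unavailable
     */
    public static String createSignatureBase(SignatureInfo signatureInfo, String scheme, String method, String uri, Map<String, String> headers, Map<String, String> queryParams) throws Exception {
        String path = uri.trim().isEmpty() ? "/" : uri;
        String canonicalRequest = buildCanonicalRequest(scheme, method, path, signatureInfo.getSignedHeaders(), headers, queryParams, !signatureInfo.isSignPayload());
        String stringToSign = signatureInfo.getAlgorithm() + NEWLINE
            + signatureInfo.getDateTime() + NEWLINE
            + signatureInfo.getCredentialScope() + NEWLINE
            + hash(canonicalRequest);
        if (LOG.isDebugEnabled()) {
            // The canonical request carries the value of every signed header and the full query
            // string, which can include session tokens; keep this at debug level and treat debug
            // logs as sensitive.
            LOG.debug("canonicalRequest:[{}], StringToSign:[{}]", canonicalRequest, stringToSign);
        }
        return stringToSign;
    }

    /**
     * Collects the request headers into a map with case-insensitive keys.
     *
     * <p>Only the first value of a repeated header is kept ({@code getHeader} semantics).
     */
    private static Map<String, String> getHeaders(HttpServletRequest httpServletRequest) {
        // Same ordering as String.compareToIgnoreCase, so lookups by lower-case signed-header
        // names match whatever casing the client used on the wire.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        Enumeration<String> names = httpServletRequest.getHeaderNames();
        if (names != null) {
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                headers.put(name, httpServletRequest.getHeader(name));
            }
        }
        return headers;
    }

    /**
     * Flattens the servlet parameter map to one value per name (the first one).
     *
     * <p>NOTE(review): {@code ServletRequest.getParameterMap()} can also include parameters from a
     * form-encoded request body, which would then enter the canonical query string; confirm the
     * proxy never receives such bodies on signed requests.
     */
    private static Map<String, String> getParameterMap(HttpServletRequest httpServletRequest) {
        Map<String, String[]> raw = httpServletRequest.getParameterMap();
        return raw.entrySet().stream()
            .collect(Collectors.toMap(Map.Entry::getKey, entry -> entry.getValue()[0]));
    }

    /**
     * Returns the lower-case hex SHA-256 digest of {@code str}.
     *
     * @param str text to hash, encoded with {@code S3Constants.AUTHORIZATION_CHARSET}
     * @return lower-case hex digest
     * @throws NoSuchAlgorithmException if the JVM has no SHA-256 provider
     */
    public static String hash(String str) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance(SHA_256_ALGORITHM);
        digest.update(str.getBytes(S3Constants.AUTHORIZATION_CHARSET));
        return Hex.encode(digest.digest()).toLowerCase();
    }

    /**
     * Builds the canonical request: method, canonical path, canonical query string, the signed
     * headers as {@code name<separator>value} lines, the signed-header list and the payload hash,
     * joined by newlines.
     *
     * <p>The payload hash is copied from the request's content-SHA256 header; the body itself is
     * not hashed here. NOTE(review): integrity of the body therefore depends on some other
     * component comparing the received body against that header; confirm where that happens.
     *
     * @param scheme request scheme, forwarded to {@link #validateSignedHeader}
     * @param method HTTP method
     * @param uri request path
     * @param signedHeaders semicolon-separated header names the client claims to have signed
     * @param headers request headers
     * @param queryParams query parameters
     * @param unsignedPayload when true the payload hash is forced to {@code UNSIGNED-PAYLOAD}
     * @return the canonical request
     * @throws S3Exception if a signed {@code host} or {@code x-amz-date} header is invalid
     * @throws RuntimeException if a header listed in {@code signedHeaders} is absent
     */
    public static String buildCanonicalRequest(String scheme, String method, String uri, String signedHeaders, Map<String, String> headers, Map<String, String> queryParams, boolean unsignedPayload) throws S3Exception {
        String canonicalUri = getCanonicalUri("/", uri);
        String canonicalQuery = getQueryParamString(queryParams);
        StringBuilder canonicalHeaders = new StringBuilder();
        for (String name : signedHeaders.split(";")) {
            canonicalHeaders.append(name);
            canonicalHeaders.append(S3Constants.BUCKET_SEPARATOR);
            if (!headers.containsKey(name)) {
                throw new RuntimeException(String.format("%s %s %s", "Header", name, "not present in request but requested to be signed."));
            }
            String value = headers.get(name);
            canonicalHeaders.append(value);
            canonicalHeaders.append(NEWLINE);
            // Names are matched case-sensitively in validateSignedHeader, so only lower-case
            // "host" / "x-amz-date" entries in the signed-header list are validated.
            validateSignedHeader(scheme, name, value);
        }
        String declaredHash = headers.get(S3Constants.S3_SIGN_CONTENT_SHA256);
        String payloadHash = (unsignedPayload || UNSIGNED_PAYLOAD.equals(declaredHash)) ? UNSIGNED_PAYLOAD : declaredHash;
        StringJoiner request = new StringJoiner(NEWLINE);
        request.add(method).add(canonicalUri).add(canonicalQuery).add(canonicalHeaders).add(signedHeaders).add(payloadHash);
        return request.toString();
    }

    /**
     * URL-encodes each segment of {@code uri} and rejoins the segments with {@code separator}.
     *
     * @param separator segment separator; compiled as a regex (only {@code "/"} is passed here)
     * @param uri path to canonicalize
     */
    private static String getCanonicalUri(String separator, String uri) {
        StringJoiner encoded = new StringJoiner(separator);
        Matcher matcher = Pattern.compile(separator).matcher(uri);
        int segmentStart = 0;
        while (matcher.find()) {
            encoded.add(urlEncode(uri.substring(segmentStart, matcher.start())));
            segmentStart = matcher.end();
        }
        // Trailing segment after the last separator (the whole path when there is none).
        encoded.add(urlEncode(uri.substring(segmentStart)));
        return encoded.toString();
    }

    /**
     * Builds the canonical query string: parameters sorted by name, URL-encoded, joined with
     * {@code &}, with the signature parameter itself left out.
     */
    private static String getQueryParamString(Map<String, String> queryParams) {
        // Map keys are unique, so natural ordering of the names is the complete sort order.
        ArrayList<String> names = new ArrayList<>(queryParams.keySet());
        Collections.sort(names);
        // The signature cannot be part of the data it signs (presigned-URL case).
        names.remove(S3Constants.S3_SIGN_SIGNATURE);
        StringJoiner query = new StringJoiner("&");
        for (String name : names) {
            query.add(urlEncode(name) + "=" + urlEncode(queryParams.get(name)));
        }
        return query.toString();
    }

    /**
     * Percent-encodes {@code str} as UTF-8, with space as {@code %20} and {@code ~} left literal.
     *
     * <p>NOTE(review): {@code URLEncoder} leaves {@code '*'} unescaped, while SigV4
     * canonicalization expects it as {@code %2A}. A client that follows the specification would
     * get a signature mismatch (request rejected) for names containing {@code '*'}; confirm
     * against the clients in use before changing the encoding.
     */
    private static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, "UTF-8").replace("+", "%20").replace("%7E", "~");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Validates the value of a signed {@code host} or {@code x-amz-date} header; any other header
     * name is accepted without checks.
     *
     * @param scheme request scheme, used to build a URI around the host value
     * @param headerName signed header name (matched case-sensitively)
     * @param headerValue value received for that header
     * @throws S3Exception if the host does not parse or resolve, or the date is unparseable or
     *     more than {@code PRESIGN_URL_MAX_EXPIRATION_SECONDS} away from the current UTC time
     */
    static void validateSignedHeader(String scheme, String headerName, String headerValue) throws S3Exception {
        switch (headerName) {
            case HOST:
                try {
                    // NOTE(review): this resolves a client-supplied name through DNS before the
                    // signature has been verified, so unauthenticated requests can trigger
                    // lookups and add resolver latency to the auth path. Also, URI.getHost()
                    // returns null for authorities it cannot parse as a server (for example a
                    // name containing '_'), and InetAddress.getByName(null) returns the loopback
                    // address, so such values pass this check. Consider a purely syntactic check.
                    InetAddress.getByName(new URI(String.format("%s://%s", scheme, headerValue)).getHost());
                } catch (URISyntaxException | UnknownHostException e) {
                    LOG.error("Host value mentioned in signed header is not valid. Host:{}", headerValue);
                    throw new S3Exception(headerValue, S3ErrorCode.AUTHINFO_CREATION_ERROR);
                }
                return;
            case X_AMZ_DATE:
                LocalDateTime requestTime;
                try {
                    requestTime = LocalDateTime.parse(headerValue, S3Constants.TIME_FORMATTER);
                } catch (DateTimeParseException e) {
                    // A malformed client timestamp is an authentication-input error, reported the
                    // same way as an invalid host instead of escaping as an unchecked exception.
                    LOG.error("AWS date in signed header cannot be parsed. Request timestamp:{}", headerValue);
                    throw new S3Exception(headerValue, S3ErrorCode.AUTHINFO_CREATION_ERROR);
                }
                // x-amz-date is expressed in UTC, so compare against UTC rather than the server's
                // default time zone, which would shift the accepted window by the zone offset.
                LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
                LocalDateTime earliest = now.minus(PRESIGN_URL_MAX_EXPIRATION_SECONDS, ChronoUnit.SECONDS);
                LocalDateTime latest = now.plus(PRESIGN_URL_MAX_EXPIRATION_SECONDS, ChronoUnit.SECONDS);
                if (requestTime.isBefore(earliest) || requestTime.isAfter(latest)) {
                    LOG.error("AWS date not in valid range. Request timestamp:{} should not be older than {} seconds.", headerValue, Long.valueOf(PRESIGN_URL_MAX_EXPIRATION_SECONDS));
                    throw new S3Exception(headerValue, S3ErrorCode.AUTHINFO_CREATION_ERROR);
                }
                return;
            default:
                return;
        }
    }
}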
