package io.lakefs.auth;

import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.SigningAlgorithm;
import com.amazonaws.util.AwsHostNameUtils;
import com.amazonaws.util.BinaryUtils;
import com.amazonaws.util.StringUtils;
import io.lakefs.Constants;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.core.MediaType;
import org.apache.http.HttpHost;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/lakefs/auth/GetCallerIdentityV4Presigner.class */
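/**
 * Builds the query parameters, headers and AWS4-HMAC-SHA256 signature for a presigned STS
 * {@code GetCallerIdentity} request.
 *
 * <p>The returned response carries the caller's session token and a signature derived from the
 * secret key, so it should be handled as credential material. For the same reason the debug log
 * of the canonical request has the session token redacted.
 */
public class GetCallerIdentityV4Presigner implements STSGetCallerIdentityPresigner {
    private static final String DEFAULT_ENCODING = "UTF-8";
    private static final String TERMINATOR = "aws4_request";
    private static final String ALGORITHM = "AWS4-HMAC-SHA256";
    private static final String SERVICE_NAME = "sts";
    // Placeholder written to the log instead of the session token.
    private static final String REDACTED = "REDACTED";
    private static final String LF = org.apache.commons.lang3.StringUtils.LF;
    private static final String SPACE = org.apache.commons.lang3.StringUtils.SPACE;
    private static final Logger LOG = LoggerFactory.getLogger(GetCallerIdentityV4Presigner.class);

    // Matches the four tokens that urlEncode() rewrites after URLEncoder has run.
    private static final Pattern ENCODED_CHARACTERS_PATTERN = Pattern.compile(
            Pattern.quote("+")
                    + "|" + Pattern.quote(MediaType.MEDIA_TYPE_WILDCARD)
                    + "|" + Pattern.quote("%7E")
                    + "|" + Pattern.quote("%2F"));

    // DateTimeFormatter is immutable and thread-safe, so the formatters are built once.
    private static final DateTimeFormatter DATE_STAMP_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd").withZone(ZoneId.of("UTC"));
    private static final DateTimeFormatter TIME_STAMP_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneId.of("UTC"));

    /**
     * Computes a MAC over the UTF-8 bytes of {@code data}.
     *
     * @param data text to authenticate
     * @param key MAC key
     * @param algorithm MAC algorithm to use
     * @return the raw MAC bytes
     * @throws AmazonClientException if the MAC cannot be computed for any reason
     */
    public byte[] sign(String data, byte[] key, SigningAlgorithm algorithm) throws AmazonClientException {
        try {
            return sign(data.getBytes(StringUtils.UTF8), key, algorithm);
        } catch (Exception e) {
            // Broad catch kept on purpose: callers only expect AmazonClientException from here.
            throw new AmazonClientException("Unable to calculate a request signature: " + e.getMessage(), e);
        }
    }

    /**
     * Computes a MAC over {@code data} with the given key.
     *
     * @param data bytes to authenticate
     * @param key MAC key
     * @param algorithm MAC algorithm; its {@code toString()} is used as the JCA algorithm name
     * @return the raw MAC bytes
     * @throws AmazonClientException if the MAC cannot be computed for any reason
     */
    protected byte[] sign(byte[] data, byte[] key, SigningAlgorithm algorithm) throws AmazonClientException {
        try {
            String jcaName = algorithm.toString();
            Mac mac = Mac.getInstance(jcaName);
            mac.init(new SecretKeySpec(key, jcaName));
            return mac.doFinal(data);
        } catch (Exception e) {
            // Broad catch kept on purpose: callers only expect AmazonClientException from here.
            throw new AmazonClientException("Unable to calculate a request signature: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the SHA-256 digest of the UTF-8 bytes of {@code text}.
     *
     * @param text input to hash
     * @return the 32-byte digest
     * @throws AmazonClientException if the digest cannot be computed
     */
    public byte[] hash(String text) throws AmazonClientException {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            digest.update(text.getBytes(StringUtils.UTF8));
            return digest.digest();
        } catch (Exception e) {
            throw new AmazonClientException("Unable to compute hash while signing request: " + e.getMessage(), e);
        }
    }

    /**
     * Builds the canonical query string: every key and value is URL-encoded, pairs are sorted by
     * encoded key and joined as {@code k=v} with {@code &}.
     *
     * @param parameters query parameters; a null value is encoded as the empty string
     * @return the canonical query string, empty when there are no parameters
     */
    protected String getCanonicalizedQueryString(Map<String, String> parameters) {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> parameter : parameters.entrySet()) {
            sorted.put(urlEncode(parameter.getKey(), false), urlEncode(parameter.getValue(), false));
        }
        StringBuilder canonical = new StringBuilder();
        for (Map.Entry<String, String> pair : sorted.entrySet()) {
            if (canonical.length() > 0) {
                canonical.append("&");
            }
            canonical.append(pair.getKey()).append("=").append(pair.getValue());
        }
        return canonical.toString();
    }

    /**
     * Takes a consistent snapshot of the credentials and trims surrounding whitespace from each
     * part.
     *
     * @param credentials credentials to copy; read while holding the object's monitor
     * @return {@link BasicSessionCredentials} when the input carries a session token, otherwise
     *     {@link BasicAWSCredentials}
     */
    protected AWSCredentials sanitizeCredentials(AWSCredentials credentials) {
        String accessKeyId;
        String secretKey;
        String sessionToken = null;
        // Read all parts under one lock so a concurrent refresh cannot mix old and new values.
        synchronized (credentials) {
            accessKeyId = credentials.getAWSAccessKeyId();
            secretKey = credentials.getAWSSecretKey();
            if (credentials instanceof AWSSessionCredentials) {
                sessionToken = ((AWSSessionCredentials) credentials).getSessionToken();
            }
        }
        if (secretKey != null) {
            secretKey = secretKey.trim();
        }
        if (accessKeyId != null) {
            accessKeyId = accessKeyId.trim();
        }
        if (sessionToken != null) {
            sessionToken = sessionToken.trim();
        }
        if (credentials instanceof AWSSessionCredentials) {
            return new BasicSessionCredentials(accessKeyId, secretKey, sessionToken);
        }
        return new BasicAWSCredentials(accessKeyId, secretKey);
    }

    /**
     * Returns the current time shifted back by {@code offsetInSeconds}.
     *
     * @param offsetInSeconds seconds to subtract from the current time; 0 means "now"
     * @return the adjusted date
     */
    protected Date getSignatureDate(int offsetInSeconds) {
        Date now = new Date();
        if (offsetInSeconds == 0) {
            return now;
        }
        // 1000L forces long arithmetic; the int product overflows for large offsets.
        return new Date(now.getTime() - (offsetInSeconds * 1000L));
    }

    /**
     * Formats an instant as a UTC date stamp, {@code yyyyMMdd}.
     *
     * @param epochMillis milliseconds since the epoch
     * @return the date stamp
     */
    public static String getDateStamp(long epochMillis) {
        return DATE_STAMP_FORMAT.format(Instant.ofEpochMilli(epochMillis));
    }

    /**
     * Formats an instant as a UTC timestamp, {@code yyyyMMdd'T'HHmmss'Z'}.
     *
     * @param epochMillis milliseconds since the epoch
     * @return the timestamp
     */
    public static String getTimeStamp(long epochMillis) {
        return TIME_STAMP_FORMAT.format(Instant.ofEpochMilli(epochMillis));
    }

    /**
     * Builds the canonical header block: one {@code name:value} line per header, names
     * lower-cased, whitespace runs collapsed to a single space, sorted case-insensitively by name.
     *
     * @param headers headers to sign; a null value yields {@code name:} with nothing after it
     * @return the canonical header block, each line terminated by a line feed
     */
    protected String getCanonicalizedHeaderString(Map<String, String> headers) {
        ArrayList<String> names = new ArrayList<>(headers.keySet());
        Collections.sort(names, String.CASE_INSENSITIVE_ORDER);
        StringBuilder canonical = new StringBuilder();
        for (String name : names) {
            // Locale.ROOT keeps the result independent of the JVM default locale (e.g. Turkish
            // dotless i), which would otherwise change the signed bytes.
            String canonicalName = name.toLowerCase(Locale.ROOT).replaceAll("\\s+", SPACE);
            String value = headers.get(name);
            canonical.append(canonicalName).append(":");
            if (value != null) {
                canonical.append(value.replaceAll("\\s+", SPACE));
            }
            canonical.append(LF);
        }
        return canonical.toString();
    }

    /**
     * Builds the signed-headers list: lower-cased header names, sorted case-insensitively and
     * joined with {@code ;}.
     *
     * @param headers headers to sign
     * @return the signed-headers string, empty when there are no headers
     */
    protected String getSignedHeadersString(Map<String, String> headers) {
        ArrayList<String> names = new ArrayList<>(headers.keySet());
        Collections.sort(names, String.CASE_INSENSITIVE_ORDER);
        StringBuilder signed = new StringBuilder();
        for (String name : names) {
            if (signed.length() > 0) {
                signed.append(";");
            }
            signed.append(name.toLowerCase(Locale.ROOT));
        }
        return signed.toString();
    }

    /**
     * Builds the canonical request that is hashed into the string to sign.
     *
     * @param method HTTP method
     * @param queryParameters query parameters of the request
     * @param headers headers to sign
     * @param payloadHash hex-encoded hash of the request body
     * @return the canonical request text
     */
    protected String getCanonicalRequest(String method, Map<String, String> queryParameters, Map<String, String> headers, String payloadHash) {
        String canonicalRequest = buildCanonicalRequest(method, queryParameters, headers, payloadHash);
        if (LOG.isDebugEnabled()) {
            // The query string carries the session token; log a copy with that value masked.
            LOG.debug("AWS4 Canonical Request: '{}'",
                    buildCanonicalRequest(method, redactSecurityToken(queryParameters), headers, payloadHash));
        }
        return canonicalRequest;
    }

    /** Joins the canonical request parts with line feeds; the request path is always the separator. */
    private String buildCanonicalRequest(String method, Map<String, String> queryParameters, Map<String, String> headers, String payloadHash) {
        return method + LF
                + Constants.SEPARATOR + LF
                + getCanonicalizedQueryString(queryParameters) + LF
                + getCanonicalizedHeaderString(headers) + LF
                + getSignedHeadersString(headers) + LF
                + payloadHash;
    }

    /** Returns the parameters with the security-token value masked; the input map is not modified. */
    private static Map<String, String> redactSecurityToken(Map<String, String> queryParameters) {
        if (!queryParameters.containsKey(STSGetCallerIdentityPresigner.AMZ_SECURITY_TOKEN_PARAM_NAME)) {
            return queryParameters;
        }
        Map<String, String> masked = new HashMap<>(queryParameters);
        masked.put(STSGetCallerIdentityPresigner.AMZ_SECURITY_TOKEN_PARAM_NAME, REDACTED);
        return masked;
    }

    /**
     * Builds the string to sign from its four parts, hashing the canonical request.
     *
     * @param algorithm signing algorithm label
     * @param timeStamp request timestamp
     * @param scope credential scope
     * @param canonicalRequest canonical request text; only its SHA-256 hex digest is included
     * @return the string to sign
     */
    protected String getStringToSign(String algorithm, String timeStamp, String scope, String canonicalRequest) {
        String stringToSign = algorithm + LF + timeStamp + LF + scope + LF + BinaryUtils.toHex(hash(canonicalRequest));
        LOG.debug("AWS4 String to Sign: '{}'", stringToSign);
        return stringToSign;
    }

    /**
     * URL-encodes a value, then rewrites the tokens where {@link URLEncoder} differs from the
     * encoding this signer needs: {@code +} becomes {@code %20}, the wildcard character becomes
     * {@code %2A}, {@code %7E} becomes {@code ~}.
     *
     * @param value text to encode; null yields the empty string
     * @param keepPathSeparator when true, {@code %2F} is turned back into the path separator
     * @return the encoded text
     */
    public static String urlEncode(String value, boolean keepPathSeparator) {
        if (value == null) {
            return "";
        }
        String encoded;
        try {
            encoded = URLEncoder.encode(value, DEFAULT_ENCODING);
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
        Matcher matcher = ENCODED_CHARACTERS_PATTERN.matcher(encoded);
        // StringBuffer, not StringBuilder: Matcher.appendReplacement(StringBuilder) needs Java 9.
        StringBuffer result = new StringBuffer(encoded.length());
        while (matcher.find()) {
            String replacement = matcher.group(0);
            if ("+".equals(replacement)) {
                replacement = "%20";
            } else if (MediaType.MEDIA_TYPE_WILDCARD.equals(replacement)) {
                replacement = "%2A";
            } else if ("%7E".equals(replacement)) {
                replacement = "~";
            } else if (keepPathSeparator && "%2F".equals(replacement)) {
                replacement = Constants.SEPARATOR;
            }
            // quoteReplacement keeps '$' and '\' in a replacement from being read as group syntax.
            matcher.appendReplacement(result, Matcher.quoteReplacement(replacement));
        }
        matcher.appendTail(result);
        return result.toString();
    }

    /**
     * Tells whether the URI names a port other than the default for its scheme (80 for http,
     * 443 for https).
     *
     * @param uri endpoint to inspect; must have a scheme
     * @return false when no port is given or the port is the scheme default, true otherwise
     */
    public static boolean isUsingNonDefaultPort(URI uri) {
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port <= 0) {
            return false;
        }
        if (scheme.equals(HttpHost.DEFAULT_SCHEME_NAME) && port == 80) {
            return false;
        }
        return !(scheme.equals("https") && port == 443);
    }

    /**
     * Builds the Host header value: the host, plus {@code :port} when the port is not the scheme
     * default.
     *
     * @param uri endpoint the request is sent to
     * @return the Host header value
     */
    protected String getHostHeader(URI uri) {
        StringBuilder host = new StringBuilder(uri.getHost());
        if (isUsingNonDefaultPort(uri)) {
            host.append(":").append(uri.getPort());
        }
        return host.toString();
    }

    /**
     * Presigns a {@code GetCallerIdentity} call for the endpoint and credentials in the request.
     *
     * @param request endpoint, credentials, extra headers to sign and expiry
     * @return the request together with the region, query parameters, signed headers and the
     *     hex-encoded signature
     */
    @Override // io.lakefs.auth.STSGetCallerIdentityPresigner
    public GeneratePresignGetCallerIdentityResponse presignRequest(final GeneratePresignGetCallerIdentityRequest request) {
        AWSCredentials credentials = sanitizeCredentials(request.getCredentials());
        // NOTE(review): the decompiled listing calls getSessionToken() on the AWSCredentials
        // reference; only AWSSessionCredentials declare it, so the lookup is made explicit.
        // Confirm against the original source what should happen for non-session credentials.
        String sessionToken = credentials instanceof AWSSessionCredentials
                ? ((AWSSessionCredentials) credentials).getSessionToken()
                : null;
        String region = AwsHostNameUtils.parseRegionName(request.getStsEndpoint());

        // One clock reading for both stamps: two readings can straddle midnight UTC and put a
        // date in the credential scope that disagrees with the request timestamp.
        long nowMillis = getSignatureDate(0).getTime();
        String dateStamp = getDateStamp(nowMillis);
        String timeStamp = getTimeStamp(nowMillis);

        String scope = dateStamp + Constants.SEPARATOR + region + Constants.SEPARATOR + SERVICE_NAME + Constants.SEPARATOR + TERMINATOR;
        String credentialParam = credentials.getAWSAccessKeyId() + Constants.SEPARATOR + scope;

        HashMap<String, String> headers = new HashMap<>();
        headers.put("Host", getHostHeader(request.getStsEndpoint()));
        // Caller-supplied headers are added last, so they override Host if they name it.
        headers.putAll(request.getAdditionalHeaders());

        HashMap<String, String> queryParameters = new HashMap<>();
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_ACTION_PARAM_NAME, "GetCallerIdentity");
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_VERSION_PARAM_NAME, "2011-06-15");
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_SECURITY_TOKEN_PARAM_NAME, sessionToken);
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_ALGORITHM_PARAM_NAME, ALGORITHM);
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_DATE_PARAM_NAME, timeStamp);
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_SIGNED_HEADERS_PARAM_NAME, getSignedHeadersString(headers));
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_EXPIRES_PARAM_NAME, String.valueOf(request.getExpirationInSeconds()));
        queryParameters.put(STSGetCallerIdentityPresigner.AMZ_CREDENTIAL_PARAM_NAME, credentialParam);

        // The request has no body, so the payload hash is the hash of the empty string.
        String canonicalRequest = getCanonicalRequest("POST", queryParameters, headers, BinaryUtils.toHex(hash("")));
        String stringToSign = getStringToSign(ALGORITHM, timeStamp, scope, canonicalRequest);
        byte[] signature = computeSignature(credentials, dateStamp, region, SERVICE_NAME, TERMINATOR, stringToSign);
        return new GeneratePresignGetCallerIdentityResponse(request, region, queryParameters, headers, BinaryUtils.toHex(signature));
    }

    /**
     * Derives the signing key by chaining HMAC-SHA256 over the date stamp, region, service and
     * terminator, then signs {@code stringToSign} with it.
     *
     * @param credentials credentials whose secret key seeds the chain
     * @param dateStamp date stamp of the credential scope
     * @param region region of the credential scope
     * @param service service name of the credential scope
     * @param terminator scope terminator
     * @param stringToSign text to sign with the derived key
     * @return the raw signature bytes
     */
    public byte[] computeSignature(AWSCredentials credentials, String dateStamp, String region, String service, String terminator, String stringToSign) {
        // Explicit UTF-8: the platform default charset would make the signature depend on the
        // JVM's file.encoding setting.
        byte[] secret = ("AWS4" + credentials.getAWSSecretKey()).getBytes(StringUtils.UTF8);
        byte[] dateKey = sign(dateStamp, secret, SigningAlgorithm.HmacSHA256);
        byte[] regionKey = sign(region, dateKey, SigningAlgorithm.HmacSHA256);
        byte[] serviceKey = sign(service, regionKey, SigningAlgorithm.HmacSHA256);
        byte[] signingKey = sign(terminator, serviceKey, SigningAlgorithm.HmacSHA256);
        return sign(stringToSign.getBytes(StringUtils.UTF8), signingKey, SigningAlgorithm.HmacSHA256);
    }
}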
