package software.amazon.awssdk.auth.signer.internal;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.beam.repackaged.core.org.apache.commons.lang3.StringUtils;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.SystemPropertyUtils;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.signer.Aws4Signer;
import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.core.signer.Presigner;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.utils.BinaryUtils;
import software.amazon.awssdk.utils.DateUtils;
import software.amazon.awssdk.utils.Logger;
import software.amazon.awssdk.utils.http.SdkHttpUtils;

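/**
 * Shared AWS Signature Version 4 logic for header-based signing ({@link #doSign}) and
 * query-string presigning ({@link #doPresign}).
 *
 * <p>Subclasses supply payload handling through {@link #processRequestPayload} and
 * {@link #calculateContentHashPresign}. Helpers such as {@code hash}, {@code sign},
 * {@code sanitizeCredentials}, {@code getCanonicalizedResourcePath} and
 * {@code getCanonicalizedQueryString} are not defined in this class.
 *
 * <p>This listing is decompiler output: method names such as {@code mo6906toBuilder()} and
 * {@code mo6657build()} are decompiler-assigned and are kept exactly as they appear. The
 * separators that are part of the signed byte sequence ({@code "\n"}, {@code "/"}, {@code ":"})
 * are written as literals here, so the signed form does not depend on constants borrowed from
 * unrelated libraries.
 *
 * @param <T> parameter type used for signing
 * @param <U> parameter type used for presigning
 */
@SdkInternalApi
/* loaded from: input_file:software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.class */
public abstract class AbstractAws4Signer<T extends Aws4SignerParams, U extends Aws4PresignerParams> extends AbstractAwsSigner implements Presigner {
    /** Capacity of {@link #SIGNER_CACHE}. */
    private static final int SIGNER_CACHE_MAX_SIZE = 300;

    /** Hex-encoded SHA-256 of the empty string. */
    public static final String EMPTY_STRING_SHA256_HEX = BinaryUtils.toHex(hash(""));

    private static final Logger LOG = Logger.loggerFor((Class<?>) Aws4Signer.class);

    /**
     * Process-wide cache of derived signing keys. Entries are keyed by a string that embeds the
     * secret access key (see {@link #computeSigningCacheKeyName}), so the cache contents must be
     * treated as secret material: never log, serialize or expose its keys.
     */
    private static final FifoCache<SignerKey> SIGNER_CACHE = new FifoCache<>(SIGNER_CACHE_MAX_SIZE);

    /**
     * Lower-cased header names that are left out of the canonical headers and of SignedHeaders.
     * These headers are therefore not integrity-protected by the signature.
     */
    private static final List<String> LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE = Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect");

    /**
     * Signs a request by adding the Host, X-Amz-Date and Authorization headers (plus
     * X-Amz-Security-Token for session credentials).
     *
     * <p>Statement order matters: every header that must be covered by the signature is added
     * before the canonical request is built.
     *
     * @param sdkHttpFullRequest request to sign; it is copied into a builder, not mutated
     * @param aws4SignerRequestParams signing date, scope, region and service name
     * @param t signer parameters carrying the credentials and the double-URL-encode flag
     * @return the builder holding the signed request
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SdkHttpFullRequest.Builder doSign(SdkHttpFullRequest sdkHttpFullRequest, Aws4SignerRequestParams aws4SignerRequestParams, T t) {
        SdkHttpFullRequest.Builder mutableRequest = sdkHttpFullRequest.mo6906toBuilder();
        AwsCredentials credentials = sanitizeCredentials(t.awsCredentials());
        if (credentials instanceof AwsSessionCredentials) {
            addSessionCredentials(mutableRequest, (AwsSessionCredentials) credentials);
        }
        addHostHeader(mutableRequest);
        addDateHeader(mutableRequest, aws4SignerRequestParams.getFormattedRequestSigningDateTime());

        String contentSha256 = calculateContentHash(mutableRequest, t);
        // A caller-supplied placeholder value of "required" is replaced with the real payload hash,
        // so the header that gets signed carries the actual digest.
        mutableRequest.firstMatchingHeader(SignerConstant.X_AMZ_CONTENT_SHA256)
                .filter("required"::equals)
                .ifPresent(ignored -> mutableRequest.putHeader(SignerConstant.X_AMZ_CONTENT_SHA256, contentSha256));

        String canonicalRequest = createCanonicalRequest(mutableRequest, contentSha256, t.doubleUrlEncode().booleanValue());
        String stringToSign = createStringToSign(canonicalRequest, aws4SignerRequestParams);
        byte[] signingKey = deriveSigningKey(credentials, aws4SignerRequestParams);
        byte[] signature = computeSignature(stringToSign, signingKey);

        mutableRequest.putHeader("Authorization", buildAuthorizationHeader(signature, credentials, aws4SignerRequestParams, mutableRequest));
        processRequestPayload(mutableRequest, signature, signingKey, aws4SignerRequestParams, t);
        return mutableRequest;
    }

    /**
     * Presigns a request by placing the SigV4 parameters and the signature in the query string.
     *
     * <p>For session credentials the session token is written to the
     * {@code X-Amz-Security-Token} query parameter, so the resulting URL carries the token in
     * clear text. Treat presigned URLs as credentials: keep them out of logs, referrers and
     * long-lived storage.
     *
     * @param sdkHttpFullRequest request to presign; it is copied into a builder, not mutated
     * @param aws4SignerRequestParams signing date, scope, region and service name
     * @param u presigner parameters carrying the credentials, expiration and double-URL-encode flag
     * @return the builder holding the presigned request
     * @throws SdkClientException if the requested validity exceeds the presign maximum
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SdkHttpFullRequest.Builder doPresign(SdkHttpFullRequest sdkHttpFullRequest, Aws4SignerRequestParams aws4SignerRequestParams, U u) {
        SdkHttpFullRequest.Builder mutableRequest = sdkHttpFullRequest.mo6906toBuilder();
        long validForSeconds = getSignatureDurationInSeconds(aws4SignerRequestParams, u);
        addHostHeader(mutableRequest);
        AwsCredentials credentials = sanitizeCredentials(u.awsCredentials());
        if (credentials instanceof AwsSessionCredentials) {
            mutableRequest.putRawQueryParameter("X-Amz-Security-Token", ((AwsSessionCredentials) credentials).sessionToken());
        }
        // All query parameters must be in place before the canonical request is computed,
        // because the query string is part of what gets signed.
        addPreSignInformationToRequest(mutableRequest, credentials, aws4SignerRequestParams, validForSeconds);

        String contentSha256 = calculateContentHashPresign(mutableRequest, u);
        String canonicalRequest = createCanonicalRequest(mutableRequest, contentSha256, u.doubleUrlEncode().booleanValue());
        String stringToSign = createStringToSign(canonicalRequest, aws4SignerRequestParams);
        byte[] signingKey = deriveSigningKey(credentials, aws4SignerRequestParams);
        byte[] signature = computeSignature(stringToSign, signingKey);

        mutableRequest.putRawQueryParameter("X-Amz-Signature", BinaryUtils.toHex(signature));
        return mutableRequest;
    }

    /**
     * Adds the session token as the {@code X-Amz-Security-Token} header.
     */
    @Override // software.amazon.awssdk.auth.signer.internal.AbstractAwsSigner
    protected void addSessionCredentials(SdkHttpFullRequest.Builder builder, AwsSessionCredentials awsSessionCredentials) {
        builder.putHeader("X-Amz-Security-Token", awsSessionCredentials.sessionToken());
    }

    /**
     * Returns the hex-encoded hash of the request payload stream.
     *
     * @param builder request whose content stream provider is hashed
     * @param t signer parameters (unused here; available to overriding subclasses)
     * @return hex string of the payload hash
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String calculateContentHash(SdkHttpFullRequest.Builder builder, T t) {
        return BinaryUtils.toHex(hash(getBinaryRequestPayloadStream(builder.contentStreamProvider())));
    }

    /**
     * Hook invoked by {@link #doSign} after the Authorization header has been set.
     *
     * @param builder the signed request
     * @param bArr the request signature computed by {@link #doSign}
     * @param bArr2 the derived signing key used for that signature; secret material
     * @param aws4SignerRequestParams signing date, scope, region and service name
     * @param t signer parameters
     */
    protected abstract void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, T t);

    /**
     * Supplies the payload-hash line of the canonical request for presigning.
     *
     * @param builder the request being presigned
     * @param u presigner parameters
     * @return the value used as the last line of the canonical request
     */
    protected abstract String calculateContentHashPresign(SdkHttpFullRequest.Builder builder, U u);

    /**
     * Returns the signing key for the given credentials, date, region and service, reusing a
     * cached key when one exists for the same day.
     *
     * <p>NOTE(review): the array returned on a cache hit comes straight from the cached
     * {@code SignerKey}; whether {@code getSigningKey()} returns a copy is not visible here, so
     * callers should not modify the returned array.
     *
     * @param awsCredentials credentials whose secret access key seeds the derivation
     * @param aws4SignerRequestParams signing date, region and service name
     * @return the derived signing key; secret material
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public byte[] deriveSigningKey(AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams) {
        String cacheKey = computeSigningCacheKeyName(awsCredentials, aws4SignerRequestParams);
        long daysSinceEpoch = DateUtils.numberOfDaysSinceEpoch(aws4SignerRequestParams.getRequestSigningDateTimeMilli());
        SignerKey cached = SIGNER_CACHE.get(cacheKey);
        // A cached key is only valid for the day it was derived for.
        if (cached != null && daysSinceEpoch == cached.getNumberOfDaysSinceEpoch()) {
            return cached.getSigningKey();
        }
        LOG.trace(() -> "Generating a new signing key as the signing key not available in the cache for the date: " + TimeUnit.DAYS.toMillis(daysSinceEpoch));
        byte[] freshKey = newSigningKey(
                awsCredentials,
                aws4SignerRequestParams.getFormattedRequestSigningDate(),
                aws4SignerRequestParams.getRegionName(),
                aws4SignerRequestParams.getServiceSigningName());
        SIGNER_CACHE.add(cacheKey, new SignerKey(daysSinceEpoch, freshKey));
        return freshKey;
    }

    /**
     * Builds the canonical request: method, path, query string, canonical headers, signed header
     * names and payload hash, each separated by a line feed.
     */
    private String createCanonicalRequest(SdkHttpFullRequest.Builder builder, String contentSha256, boolean doubleUrlEncode) {
        String canonicalRequest = builder.method().toString() + "\n"
                + getCanonicalizedResourcePath(builder.encodedPath(), doubleUrlEncode) + "\n"
                + getCanonicalizedQueryString(builder.rawQueryParameters()) + "\n"
                + getCanonicalizedHeaderString(builder.headers()) + "\n"
                + getSignedHeadersString(builder.headers()) + "\n"
                + contentSha256;
        // SECURITY: the canonical request contains header values verbatim, which includes the
        // X-Amz-Security-Token header when session credentials are used (and presumably the
        // presign query parameters as well). Keep TRACE disabled for this logger wherever logs
        // are shipped or shared.
        LOG.trace(() -> "AWS4 Canonical Request: " + canonicalRequest);
        return canonicalRequest;
    }

    /**
     * Builds the string to sign: algorithm, signing timestamp, credential scope and the hex hash
     * of the canonical request, each separated by a line feed.
     */
    private String createStringToSign(String canonicalRequest, Aws4SignerRequestParams aws4SignerRequestParams) {
        String stringToSign = aws4SignerRequestParams.getSigningAlgorithm() + "\n"
                + aws4SignerRequestParams.getFormattedRequestSigningDateTime() + "\n"
                + aws4SignerRequestParams.getScope() + "\n"
                + BinaryUtils.toHex(hash(canonicalRequest));
        LOG.debug(() -> "AWS4 String to sign: " + stringToSign);
        return stringToSign;
    }

    /**
     * Builds the {@link #SIGNER_CACHE} key from the secret access key, region and service name.
     *
     * <p>SECURITY: the returned string contains the secret access key in clear text. It must only
     * ever be used as an in-memory cache key and must never be logged or included in messages.
     */
    private String computeSigningCacheKeyName(AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams) {
        return awsCredentials.secretAccessKey() + "-" + aws4SignerRequestParams.getRegionName() + "-" + aws4SignerRequestParams.getServiceSigningName();
    }

    /** Computes the HMAC-SHA256 of the UTF-8 bytes of {@code stringToSign} under {@code signingKey}. */
    private byte[] computeSignature(String stringToSign, byte[] signingKey) {
        return sign(stringToSign.getBytes(StandardCharsets.UTF_8), signingKey, SigningAlgorithm.HmacSHA256);
    }

    /**
     * Formats the Authorization header value from the access key id, credential scope, signed
     * header names and hex-encoded signature.
     */
    private String buildAuthorizationHeader(byte[] signature, AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams, SdkHttpFullRequest.Builder builder) {
        String credential = "Credential=" + awsCredentials.accessKeyId() + "/" + aws4SignerRequestParams.getScope();
        String signedHeaders = "SignedHeaders=" + getSignedHeadersString(builder.headers());
        String signatureField = "Signature=" + BinaryUtils.toHex(signature);
        return "AWS4-HMAC-SHA256 " + credential + ", " + signedHeaders + ", " + signatureField;
    }

    /**
     * Adds the algorithm, date, signed headers, expiry and credential query parameters used by a
     * presigned request. The signature itself is added by {@link #doPresign}.
     */
    private void addPreSignInformationToRequest(SdkHttpFullRequest.Builder builder, AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams, long validForSeconds) {
        String credential = awsCredentials.accessKeyId() + "/" + aws4SignerRequestParams.getScope();
        builder.putRawQueryParameter("X-Amz-Algorithm", SignerConstant.AWS4_SIGNING_ALGORITHM);
        builder.putRawQueryParameter("X-Amz-Date", aws4SignerRequestParams.getFormattedRequestSigningDateTime());
        builder.putRawQueryParameter("X-Amz-SignedHeaders", getSignedHeadersString(builder.headers()));
        builder.putRawQueryParameter("X-Amz-Expires", Long.toString(validForSeconds));
        builder.putRawQueryParameter("X-Amz-Credential", credential);
    }

    /**
     * Renders the signed headers as {@code name:value} lines, sorted case-insensitively by name,
     * with names lower-cased and whitespace runs compacted.
     *
     * <p>NOTE(review): each value of a multi-valued header is emitted as its own
     * {@code name:value} line; confirm this matches the canonical form the target service
     * expects for repeated headers.
     */
    private String getCanonicalizedHeaderString(Map<String, List<String>> headers) {
        List<String> sortedNames = new ArrayList<>(headers.keySet());
        sortedNames.sort(String.CASE_INSENSITIVE_ORDER);
        StringBuilder canonical = new StringBuilder();
        for (String name : sortedNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            String lowerName = software.amazon.awssdk.utils.StringUtils.lowerCase(name);
            for (String value : headers.get(name)) {
                appendCompactedString(canonical, lowerName);
                canonical.append(":");
                if (value != null) {
                    appendCompactedString(canonical, value);
                }
                canonical.append("\n");
            }
        }
        return canonical.toString();
    }

    /**
     * Appends {@code text} to {@code target}, replacing every run of whitespace with a single
     * space. Leading and trailing runs are reduced to one space as well; they are not removed.
     */
    private void appendCompactedString(StringBuilder target, String text) {
        boolean previousWasWhitespace = false;
        int length = text.length();
        for (int i = 0; i < length; i++) {
            char current = text.charAt(i);
            if (isWhiteSpace(current)) {
                if (!previousWasWhitespace) {
                    target.append(' ');
                    previousWasWhitespace = true;
                }
            } else {
                target.append(current);
                previousWasWhitespace = false;
            }
        }
    }

    /** Returns true for space, tab, line feed, vertical tab (0x0B), carriage return and form feed. */
    private boolean isWhiteSpace(char c) {
        return c == ' ' || c == '\t' || c == '\n' || c == '\u000b' || c == '\r' || c == '\f';
    }

    /**
     * Returns the lower-cased names of the signed headers, sorted case-insensitively and joined
     * with semicolons.
     */
    private String getSignedHeadersString(Map<String, List<String>> headers) {
        List<String> sortedNames = new ArrayList<>(headers.keySet());
        sortedNames.sort(String.CASE_INSENSITIVE_ORDER);
        StringBuilder joined = new StringBuilder();
        for (String name : sortedNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            if (joined.length() > 0) {
                joined.append(";");
            }
            joined.append(software.amazon.awssdk.utils.StringUtils.lowerCase(name));
        }
        return joined.toString();
    }

    /** Returns true if the header name, lower-cased, is on the ignore list. */
    private boolean shouldExcludeHeaderFromSigning(String headerName) {
        return LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(software.amazon.awssdk.utils.StringUtils.lowerCase(headerName));
    }

    /**
     * Sets the Host header from the request host, appending {@code :port} when the port is not
     * the standard one for the protocol.
     */
    private void addHostHeader(SdkHttpFullRequest.Builder builder) {
        StringBuilder host = new StringBuilder(builder.host());
        if (!SdkHttpUtils.isUsingStandardPort(builder.protocol(), builder.port())) {
            host.append(":").append(builder.port());
        }
        builder.putHeader("Host", host.toString());
    }

    /** Sets the X-Amz-Date header to the formatted signing timestamp. */
    private void addDateHeader(SdkHttpFullRequest.Builder builder, String formattedDateTime) {
        builder.putHeader("X-Amz-Date", formattedDateTime);
    }

    /**
     * Returns how long the presigned request stays valid, in seconds, measured from the signing
     * time. Without an explicit expiration the presign maximum is used.
     *
     * <p>NOTE(review): an expiration at or before the signing time yields a zero or negative
     * value, which is passed through to X-Amz-Expires unchanged; confirm callers never supply one.
     *
     * @throws SdkClientException if the validity exceeds
     *     {@code SignerConstant.PRESIGN_URL_MAX_EXPIRATION_SECONDS}
     */
    private long getSignatureDurationInSeconds(Aws4SignerRequestParams aws4SignerRequestParams, U u) {
        long signingEpochSeconds = aws4SignerRequestParams.getRequestSigningDateTimeMilli() / 1000;
        long validForSeconds = u.expirationTime()
                .map(instant -> Long.valueOf(instant.getEpochSecond() - signingEpochSeconds))
                .orElse(Long.valueOf(SignerConstant.PRESIGN_URL_MAX_EXPIRATION_SECONDS))
                .longValue();
        if (validForSeconds > SignerConstant.PRESIGN_URL_MAX_EXPIRATION_SECONDS) {
            // Report the requested expiration instant. Formatting the duration itself as a
            // timestamp would print a date shortly after the epoch, which is misleading.
            long expirationEpochMilli = (signingEpochSeconds + validForSeconds) * 1000;
            throw SdkClientException.builder().message("Requests that are pre-signed by SigV4 algorithm are valid for at most 7 days. The expiration date set on the current request [" + Aws4SignerUtils.formatTimestamp(expirationEpochMilli) + "] has exceeded this limit.").mo6657build();
        }
        return validForSeconds;
    }

    /**
     * Derives a signing key by chaining HMAC-SHA256 over the date, region, service name and the
     * terminator constant, starting from {@code "AWS4" + secretAccessKey}.
     */
    private byte[] newSigningKey(AwsCredentials awsCredentials, String dateStamp, String regionName, String serviceName) {
        byte[] secret = ("AWS4" + awsCredentials.secretAccessKey()).getBytes(StandardCharsets.UTF_8);
        byte[] dateKey = sign(dateStamp, secret, SigningAlgorithm.HmacSHA256);
        byte[] regionKey = sign(regionName, dateKey, SigningAlgorithm.HmacSHA256);
        byte[] serviceKey = sign(serviceName, regionKey, SigningAlgorithm.HmacSHA256);
        return sign(SignerConstant.AWS4_TERMINATOR, serviceKey, SigningAlgorithm.HmacSHA256);
    }

    /**
     * Fills a presigner-params builder from the execution attributes: everything
     * {@link #extractSignerParams} sets, plus the presigner expiration.
     *
     * @param b builder to populate
     * @param executionAttributes source of the signing attributes
     * @return the populated builder
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public <B extends Aws4PresignerParams.Builder> B extractPresignerParams(B b, ExecutionAttributes executionAttributes) {
        B populated = (B) extractSignerParams(b, executionAttributes);
        populated.expirationTime((Instant) executionAttributes.getAttribute(AwsSignerExecutionAttribute.PRESIGNER_EXPIRATION));
        return populated;
    }

    /**
     * Fills a signer-params builder with the credentials, signing name, signing region and time
     * offset from the execution attributes. The double-URL-encode flag is only set when the
     * attribute is present, so the builder's own default applies otherwise.
     *
     * @param b builder to populate
     * @param executionAttributes source of the signing attributes
     * @return the same builder instance
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public <B extends Aws4SignerParams.Builder> B extractSignerParams(B b, ExecutionAttributes executionAttributes) {
        b.awsCredentials((AwsCredentials) executionAttributes.getAttribute(AwsSignerExecutionAttribute.AWS_CREDENTIALS))
                .signingName((String) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SERVICE_SIGNING_NAME))
                .signingRegion((Region) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNING_REGION))
                .timeOffset((Integer) executionAttributes.getAttribute(AwsSignerExecutionAttribute.TIME_OFFSET));
        if (executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNER_DOUBLE_URL_ENCODE) != null) {
            b.doubleUrlEncode((Boolean) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNER_DOUBLE_URL_ENCODE));
        }
        return b;
    }
}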
