package org.apache.iceberg.aws.s3.signer;

import java.net.URI;
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.annotation.Nullable;
import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
import org.apache.iceberg.relocated.com.google.common.collect.Maps;
import org.apache.iceberg.rest.ErrorHandlers;
import org.apache.iceberg.rest.HTTPClient;
import org.apache.iceberg.rest.RESTClient;
import org.apache.iceberg.rest.auth.OAuth2Properties;
import org.apache.iceberg.rest.auth.OAuth2Util;
import org.apache.iceberg.shaded.com.github.benmanes.caffeine.cache.Cache;
import org.apache.iceberg.shaded.com.github.benmanes.caffeine.cache.Caffeine;
import org.apache.iceberg.util.PropertyUtil;
import org.apache.iceberg.util.ThreadPools;
import org.immutables.value.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.signer.internal.AbstractAws4Signer;
import software.amazon.awssdk.auth.signer.internal.Aws4SignerRequestParams;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.auth.signer.params.AwsS3V4SignerParams;
import software.amazon.awssdk.core.checksums.SdkChecksum;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.http.SdkHttpFullRequest;

@Value.Immutable
/* loaded from: input_file:org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.class */
public abstract class S3V4RestSignerClient extends AbstractAws4Signer<AwsS3V4SignerParams, Aws4PresignerParams> {
    public static final String S3_SIGNER_URI = "s3.signer.uri";
    public static final String S3_SIGNER_ENDPOINT = "s3.signer.endpoint";
    static final String S3_SIGNER_DEFAULT_ENDPOINT = "v1/aws/s3/sign";
    static final String UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD";
    static final String CACHE_CONTROL = "Cache-Control";
    static final String CACHE_CONTROL_PRIVATE = "private";
    static final String CACHE_CONTROL_NO_CACHE = "no-cache";
    private static final String SCOPE = "sign";
    private static volatile ScheduledExecutorService tokenRefreshExecutor;
    private static volatile RESTClient httpClient;
    private static volatile Cache<String, OAuth2Util.AuthSession> authSessionCache;
    private static final Logger LOG = LoggerFactory.getLogger(S3V4RestSignerClient.class);
    private static final Cache<Key, SignedComponent> SIGNED_COMPONENT_CACHE = Caffeine.newBuilder().expireAfterWrite(30, TimeUnit.SECONDS).maximumSize(100).build();

    @Value.Immutable
    /* loaded from: input_file:org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient$Key.class */
    interface Key {
        String method();

        String region();

        String uri();

        static Key from(S3SignRequest s3SignRequest) {
            return ImmutableKey.builder().method(s3SignRequest.method()).region(s3SignRequest.region()).uri(s3SignRequest.uri().toString()).build();
        }
    }

    @Value.Immutable
    /* loaded from: input_file:org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient$SignedComponent.class */
    interface SignedComponent {
        Map<String, List<String>> headers();

        URI signedURI();
    }

    public abstract Map<String, String> properties();

    @Value.Default
    public Supplier<Map<String, String>> requestPropertiesSupplier() {
        return Collections::emptyMap;
    }

    @Value.Lazy
    public String baseSignerUri() {
        return properties().getOrDefault(S3_SIGNER_URI, properties().get(CatalogProperties.URI));
    }

    @Value.Lazy
    public String endpoint() {
        return properties().getOrDefault(S3_SIGNER_ENDPOINT, S3_SIGNER_DEFAULT_ENDPOINT);
    }

    @Nullable
    @Value.Lazy
    public String credential() {
        return properties().get(OAuth2Properties.CREDENTIAL);
    }

    @Value.Default
    public Supplier<String> token() {
        return () -> {
            return properties().get(OAuth2Properties.TOKEN);
        };
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Lazy
    public boolean keepTokenRefreshed() {
        return PropertyUtil.propertyAsBoolean(properties(), OAuth2Properties.TOKEN_REFRESH_ENABLED, true);
    }

    @VisibleForTesting
    ScheduledExecutorService tokenRefreshExecutor() {
        if (!keepTokenRefreshed()) {
            return null;
        }
        if (null == tokenRefreshExecutor) {
            synchronized (S3V4RestSignerClient.class) {
                if (null == tokenRefreshExecutor) {
                    tokenRefreshExecutor = ThreadPools.newScheduledPool("s3-signer-token-refresh", 1);
                }
            }
        }
        return tokenRefreshExecutor;
    }

    private Cache<String, OAuth2Util.AuthSession> authSessionCache() {
        if (null == authSessionCache) {
            synchronized (S3V4RestSignerClient.class) {
                if (null == authSessionCache) {
                    authSessionCache = Caffeine.newBuilder().expireAfterAccess(Duration.ofMillis(PropertyUtil.propertyAsLong(properties(), CatalogProperties.AUTH_SESSION_TIMEOUT_MS, CatalogProperties.AUTH_SESSION_TIMEOUT_MS_DEFAULT))).removalListener((str, authSession, removalCause) -> {
                        if (null != authSession) {
                            LOG.trace("Stopping refresh for AuthSession");
                            authSession.stopRefreshing();
                        }
                    }).build();
                }
            }
        }
        return authSessionCache;
    }

    private RESTClient httpClient() {
        if (null == httpClient) {
            synchronized (S3V4RestSignerClient.class) {
                if (null == httpClient) {
                    httpClient = HTTPClient.builder(properties()).uri(baseSignerUri()).withObjectMapper(S3ObjectMapper.mapper()).build();
                }
            }
        }
        return httpClient;
    }

    private OAuth2Util.AuthSession authSession() {
        String str = token().get();
        return null != str ? authSessionCache().get(str, str2 -> {
            return OAuth2Util.AuthSession.fromAccessToken(httpClient(), tokenRefreshExecutor(), str, expiresAtMillis(properties()), new OAuth2Util.AuthSession(ImmutableMap.of(), str, null, credential(), SCOPE));
        }) : credentialProvided() ? authSessionCache().get(credential(), str3 -> {
            OAuth2Util.AuthSession authSession = new OAuth2Util.AuthSession(ImmutableMap.of(), null, null, credential(), SCOPE);
            long currentTimeMillis = System.currentTimeMillis();
            return OAuth2Util.AuthSession.fromTokenResponse(httpClient(), tokenRefreshExecutor(), OAuth2Util.fetchToken(httpClient(), authSession.headers(), credential(), SCOPE), currentTimeMillis, authSession);
        }) : OAuth2Util.AuthSession.empty();
    }

    private boolean credentialProvided() {
        return (null == credential() || credential().isEmpty()) ? false : true;
    }

    private Long expiresAtMillis(Map<String, String> map) {
        if (!map.containsKey(OAuth2Properties.TOKEN_EXPIRES_IN_MS)) {
            return null;
        }
        return Long.valueOf(System.currentTimeMillis() + PropertyUtil.propertyAsLong(map, OAuth2Properties.TOKEN_EXPIRES_IN_MS, OAuth2Properties.TOKEN_EXPIRES_IN_MS_DEFAULT));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Value.Check
    public void check() {
        Preconditions.checkArgument(properties().containsKey(S3_SIGNER_URI) || properties().containsKey(CatalogProperties.URI), "S3 signer service URI is required");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, AwsS3V4SignerParams awsS3V4SignerParams) {
        checkSignerParams(awsS3V4SignerParams);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, AwsS3V4SignerParams awsS3V4SignerParams, SdkChecksum sdkChecksum) {
        checkSignerParams(awsS3V4SignerParams);
    }

    protected String calculateContentHashPresign(SdkHttpFullRequest.Builder builder, Aws4PresignerParams aws4PresignerParams) {
        return UNSIGNED_PAYLOAD;
    }

    public SdkHttpFullRequest presign(SdkHttpFullRequest sdkHttpFullRequest, ExecutionAttributes executionAttributes) {
        throw new UnsupportedOperationException("Pre-signing not allowed.");
    }

    public SdkHttpFullRequest sign(SdkHttpFullRequest sdkHttpFullRequest, ExecutionAttributes executionAttributes) {
        SignedComponent build;
        ImmutableS3SignRequest build2 = ImmutableS3SignRequest.builder().method(sdkHttpFullRequest.method().name()).region(extractSignerParams(AwsS3V4SignerParams.builder(), executionAttributes).build().signingRegion().id()).uri(sdkHttpFullRequest.getUri()).headers(sdkHttpFullRequest.headers()).properties(requestPropertiesSupplier().get()).build();
        Key from = Key.from(build2);
        SignedComponent ifPresent = SIGNED_COMPONENT_CACHE.getIfPresent(from);
        if (null != ifPresent) {
            build = ifPresent;
        } else {
            HashMap newHashMap = Maps.newHashMap();
            Objects.requireNonNull(newHashMap);
            S3SignResponse s3SignResponse = (S3SignResponse) httpClient().post(endpoint(), build2, S3SignResponse.class, () -> {
                return authSession().headers();
            }, ErrorHandlers.defaultErrorHandler(), newHashMap::putAll);
            build = ImmutableSignedComponent.builder().headers(s3SignResponse.headers()).signedURI(s3SignResponse.uri()).build();
            if (canBeCached(newHashMap)) {
                SIGNED_COMPONENT_CACHE.put(from, build);
            }
        }
        SdkHttpFullRequest.Builder builder = sdkHttpFullRequest.toBuilder();
        builder.encodedPath("");
        builder.uri(build.signedURI());
        reconstructHeaders(build.headers(), builder);
        return builder.build();
    }

    private void reconstructHeaders(Map<String, List<String>> map, SdkHttpFullRequest.Builder builder) {
        HashMap newHashMap = Maps.newHashMap(map);
        newHashMap.remove("Cache-Control");
        newHashMap.putAll(builder.headers());
        Objects.requireNonNull(builder);
        newHashMap.forEach(builder::putHeader);
    }

    private boolean canBeCached(Map<String, String> map) {
        return CACHE_CONTROL_PRIVATE.equals(map.get("Cache-Control"));
    }

    private void checkSignerParams(AwsS3V4SignerParams awsS3V4SignerParams) {
        if (awsS3V4SignerParams.enablePayloadSigning().booleanValue()) {
            throw new UnsupportedOperationException("Payload signing not supported");
        }
        if (awsS3V4SignerParams.enableChunkedEncoding().booleanValue()) {
            throw new UnsupportedOperationException("Chunked encoding not supported");
        }
    }

    public static S3V4RestSignerClient create(Map<String, String> map) {
        return ImmutableS3V4RestSignerClient.builder().properties(map).build();
    }
}
