package org.apache.jackrabbit.oak.blob.cloud.s3;

import com.amazonaws.services.cloudfront.CloudFrontUrlSigner;
import com.google.common.io.Closeables;
import java.io.FileReader;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.jcr.Value;
import org.apache.commons.codec.binary.Base64;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.oak.api.Blob;
import org.apache.jackrabbit.oak.api.conversion.URIProvider;
import org.apache.jackrabbit.oak.plugins.value.OakValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

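/**
 * {@link URIProvider} that maps large Oak binaries to time-limited CloudFront signed URLs.
 *
 * <p>For an {@link OakValue} whose blob is larger than the configured minimum size, {@link #toURI(Value)}
 * builds {@code cloudFrontUrl + s3Key} and signs it with a canned policy using the configured RSA
 * private key and key pair id. Any other value, and any failure, yields {@code null}.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>A signed URL is a bearer credential until it expires: anyone who obtains it can fetch the
 *       binary. This class therefore never logs the query string that carries the signature.</li>
 *   <li>The private key is read from the file named by {@link #PRIVATE_KEY_FILE}; only the path is
 *       logged, never the key material. File permissions on that path are the deployer's concern.</li>
 * </ul>
 */
@Service({URIProvider.class})
@Component(immediate = true, metatype = true, policy = ConfigurationPolicy.REQUIRE)
/* loaded from: input_file:org/apache/jackrabbit/oak/blob/cloud/s3/CloudFrontS3SignedUrlProvider.class */
public class CloudFrontS3SignedUrlProvider implements URIProvider {

    // NOTE(review): the description below uses an http:// example. Signed URLs carry the signature in
    // the query string, so an https:// distribution URL is presumably what should be configured - confirm.
    @Property(description = "The cloud front URL, including a trailing slash. Normally this is the http://<coudfrontdomain>/")
    public static final String CLOUD_FRONT_URL = "cloudFrontUrl";

    @Property(intValue = {60}, description = "Time each signed url is valid for before it expires, in seconds.")
    public static final String TTL = "ttl";

    @Property(intValue = {100}, description = "Minimum size over which a binary is redirected, in kb.")
    public static final String MIN_SIZE = "minSize";

    @Property(description = "Path to the PKCS8 formatted private key file, probably an absolute path.")
    public static final String PRIVATE_KEY_FILE = "privateKeyFile";

    @Property(description = "The keypair ID generated by AWS Console when the public key was generated or uploaded.")
    public static final String KEY_PAIR_ID = "keyPairId";

    /** PEM header that marks the start of the Base64 PKCS#8 payload. */
    public static final String BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----";

    /** PEM footer that marks the end of the Base64 PKCS#8 payload. */
    public static final String END_PRIVATE_KEY = "-----END PRIVATE KEY-----";

    private static final Logger LOGGER = LoggerFactory.getLogger(CloudFrontS3SignedUrlProvider.class);

    /** Base URL that the S3 key is appended to; expected to end with a slash. */
    private String cloudFrontUrl;

    /** Lifetime of each signed URL, in seconds. */
    private long ttl;

    /** CloudFront key pair id placed into the signed URL. */
    private String keyPairId;

    /** Signing key parsed from the PEM text; kept in memory for the life of the component. */
    private RSAPrivateKey privateKey;

    /** Blobs of this many bytes or fewer are not redirected. */
    private long minimumSize;

    /** No-arg constructor for the component runtime; configuration arrives through {@link #activate(Map)}. */
    public CloudFrontS3SignedUrlProvider() {
    }

    /**
     * Creates a fully configured provider without going through component activation.
     *
     * @param cloudFrontUrl base CloudFront URL, including the trailing slash
     * @param ttl           lifetime of each signed URL, in seconds
     * @param minSizeKb     minimum blob size, in kilobytes, above which a URL is produced
     * @param privateKeyPem PEM text of the PKCS#8 private key (the content, not a file path)
     * @param keyPairId     CloudFront key pair id
     * @throws InvalidKeySpecException  if the decoded key is not a valid PKCS#8 RSA key
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     */
    public CloudFrontS3SignedUrlProvider(String cloudFrontUrl, long ttl, long minSizeKb, String privateKeyPem, String keyPairId) throws InvalidKeySpecException, NoSuchAlgorithmException {
        init(cloudFrontUrl, ttl, minSizeKb, privateKeyPem, keyPairId);
    }

    /** Delegates to {@link #deactivate(Map)} with an empty configuration map. */
    public void close() {
        deactivate(new HashMap<String, Object>());
    }

    /**
     * Component deactivation hook; currently does nothing.
     *
     * @param map component properties (unused)
     */
    @Deactivate
    public void deactivate(Map<String, Object> map) {
    }

    /**
     * Component activation hook: reads the configuration, loads the private key file and initialises
     * the provider.
     *
     * @param map component properties keyed by the {@code @Property} constants of this class
     * @throws InvalidKeySpecException  if the key file does not hold a valid PKCS#8 RSA key
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     * @throws IOException              if the private key file cannot be read
     */
    @Activate
    public void activate(Map<String, Object> map) throws InvalidKeySpecException, NoSuchAlgorithmException, IOException {
        LOGGER.debug("Property {}: {} ", CLOUD_FRONT_URL, map.get(CLOUD_FRONT_URL));
        LOGGER.debug("Property {}: {} ", TTL, map.get(TTL));
        // Only the path of the key file is logged here; the key content must never reach the log.
        LOGGER.debug("Property {}: {} ", PRIVATE_KEY_FILE, map.get(PRIVATE_KEY_FILE));
        LOGGER.debug("Property {}: {} ", KEY_PAIR_ID, map.get(KEY_PAIR_ID));
        LOGGER.debug("Property {}: {} ", MIN_SIZE, map.get(MIN_SIZE));

        // NOTE(review): assumes the configuration supplies ttl and minSize as Integer and that every
        // property is present; a missing or differently typed value fails here with an NPE or CCE.
        String configuredUrl = (String) map.get(CLOUD_FRONT_URL);
        int configuredTtl = ((Integer) map.get(TTL)).intValue();
        int configuredMinSize = ((Integer) map.get(MIN_SIZE)).intValue();
        String pem = loadPrivateKey((String) map.get(PRIVATE_KEY_FILE));
        init(configuredUrl, configuredTtl, configuredMinSize, pem, (String) map.get(KEY_PAIR_ID));
    }

    /**
     * Reads the whole private key file into a string.
     *
     * @param path path of the PEM file
     * @return the file content
     * @throws IOException if the file cannot be opened, read or closed
     */
    private String loadPrivateKey(String path) throws IOException {
        StringBuilder pem = new StringBuilder();
        // FileReader decodes with the platform charset; PEM text is ASCII, so that is harmless on
        // ASCII-compatible platforms. try-with-resources closes the reader on every path.
        try (FileReader reader = new FileReader(path)) {
            char[] buffer = new char[4096];
            int read;
            while ((read = reader.read(buffer)) >= 0) {
                pem.append(buffer, 0, read);
            }
        }
        return pem.toString();
    }

    /**
     * Stores the configuration and parses the private key.
     *
     * @param cloudFrontUrl base CloudFront URL
     * @param ttl           signed URL lifetime in seconds
     * @param minSizeKb     minimum blob size in kilobytes; stored internally in bytes
     * @param privateKeyPem PEM text of the PKCS#8 private key
     * @param keyPairId     CloudFront key pair id
     */
    private void init(String cloudFrontUrl, long ttl, long minSizeKb, String privateKeyPem, String keyPairId) throws InvalidKeySpecException, NoSuchAlgorithmException {
        this.cloudFrontUrl = cloudFrontUrl;
        this.ttl = ttl;
        this.minimumSize = minSizeKb * 1024;
        this.privateKey = getPrivateKey(privateKeyPem);
        this.keyPairId = keyPairId;
    }

    /**
     * Returns a signed CloudFront URL for the binary behind {@code value}, or {@code null} when no
     * redirect applies.
     *
     * @param value a JCR value; only {@link OakValue} instances are considered
     * @return the signed URI, or {@code null} if the value is not an {@link OakValue}, has no blob,
     *         the blob is not larger than the minimum size, it has no content identity, or signing
     *         fails (the failure is logged)
     */
    @Override // org.apache.jackrabbit.oak.api.conversion.URIProvider
    public URI toURI(Value value) {
        if (!(value instanceof OakValue)) {
            return null;
        }
        try {
            Blob blob = ((OakValue) value).getBlob();
            if (blob == null || blob.length() <= this.minimumSize) {
                return null;
            }
            String contentIdentity = blob.getContentIdentity();
            if (contentIdentity == null) {
                return null;
            }
            URI uri = new URI(signS3Url(contentIdentity, this.ttl, this.cloudFrontUrl, this.keyPairId, this.privateKey));
            // The query string holds the signature, which is a usable credential until the URL
            // expires, so only the path is written to the log.
            LOGGER.info("Generated signed URI for path {} (query string withheld)", uri.getRawPath());
            return uri;
        } catch (Exception e) {
            // Best effort by design: callers fall back to normal delivery when null is returned.
            LOGGER.error("Unable to get or sign content identity", e);
            return null;
        }
    }

    /**
     * Derives the S3 object key from a content identity by inserting a dash after the fourth character.
     *
     * @param contentIdentity blob content identity; must be at least four characters long, otherwise
     *                        {@link StringIndexOutOfBoundsException} is thrown
     * @return the S3 key
     */
    @Nonnull
    private String getS3Key(@Nonnull String contentIdentity) {
        return contentIdentity.substring(0, 4) + "-" + contentIdentity.substring(4);
    }

    /**
     * Builds and signs the CloudFront URL for a content identity using a canned policy.
     *
     * @param contentIdentity blob content identity
     * @param ttlSeconds      lifetime of the URL in seconds, counted from now
     * @param baseUrl         base CloudFront URL the S3 key is appended to
     * @param signingKeyPairId CloudFront key pair id
     * @param signingKey      RSA private key used for the signature
     * @return the signed URL as a string
     */
    @Nonnull
    private String signS3Url(@Nonnull String contentIdentity, long ttlSeconds, @Nonnull String baseUrl, @Nonnull String signingKeyPairId, @Nonnull RSAPrivateKey signingKey) throws InvalidKeySpecException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, UnsupportedEncodingException {
        // java.util.Date(long) takes milliseconds since the epoch. The previous code passed epoch
        // seconds, which produced an expiry date in January 1970 instead of now + ttl seconds.
        long expiryMillis = System.currentTimeMillis() + (ttlSeconds * 1000L);
        String resourceUrl = baseUrl + getS3Key(contentIdentity);
        return CloudFrontUrlSigner.getSignedURLWithCannedPolicy(resourceUrl, signingKeyPairId, signingKey, new Date(expiryMillis));
    }

    /**
     * Parses a PEM-wrapped PKCS#8 RSA private key.
     *
     * @param pem PEM text containing the {@link #BEGIN_PRIVATE_KEY} and {@link #END_PRIVATE_KEY} markers
     * @return the decoded RSA private key
     * @throws IllegalArgumentException if either marker is missing or the footer precedes the header
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     * @throws InvalidKeySpecException  if the Base64 payload is not a valid PKCS#8 RSA key
     */
    private RSAPrivateKey getPrivateKey(String pem) throws NoSuchAlgorithmException, InvalidKeySpecException {
        int headerStart = pem.indexOf(BEGIN_PRIVATE_KEY);
        int footerStart = pem.indexOf(END_PRIVATE_KEY);
        int payloadStart = headerStart + BEGIN_PRIVATE_KEY.length();
        // Also reject a footer that appears before the end of the header; substring() would
        // otherwise fail with an unhelpful StringIndexOutOfBoundsException.
        if (footerStart < 0 || headerStart < 0 || footerStart < payloadStart) {
            throw new IllegalArgumentException("Private Key is not correctly encoded, need a PEM encoded key with -----BEGIN PRIVATE KEY----- headers to indicate PKCS8 encoding.");
        }
        String base64Payload = pem.substring(payloadStart, footerStart).trim();
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(Base64.decodeBase64(base64Payload));
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(keySpec);
    }
}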
