package org.apache.hadoop.ozone.s3.signature;

import com.google.common.annotations.VisibleForTesting;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.net.UnknownHostException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.DateTimeException;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.hadoop.ozone.s3.exception.OS3Exception;
import org.apache.hadoop.ozone.s3.exception.S3ErrorTable;
import org.apache.hadoop.ozone.s3.signature.AWSSignatureProcessor;
import org.apache.hadoop.util.StringUtils;
import org.apache.kerby.util.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/s3/signature/StringToSignProducer.class */
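/**
 * Builds the "string to sign" for an incoming S3 request: the algorithm name, the request
 * timestamp, the credential scope and the SHA-256 of the canonical request, each on its own line.
 *
 * <p>Everything in this class runs before the request is authenticated, so every input
 * (path, query parameters, header names and values) is client-controlled.
 */
public final class StringToSignProducer {
    public static final String X_AMZ_CONTENT_SHA256 = "X-Amz-Content-SHA256";
    public static final String X_AMAZ_DATE = "X-Amz-Date";
    private static final String NEWLINE = "\n";
    private static final String HOST = "host";
    private static final String UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD";
    // 7 days. Used as the accepted distance (past and future) between X-Amz-Date and "now".
    private static final long PRESIGN_URL_MAX_EXPIRATION_SECONDS = 604800;
    private static final Logger LOG = LoggerFactory.getLogger(StringToSignProducer.class);
    private static final Charset UTF_8 = StandardCharsets.UTF_8;
    public static final DateTimeFormatter TIME_FORMATTER = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneOffset.UTC);

    private StringToSignProducer() {
    }

    /**
     * Builds the string to sign from a JAX-RS request context.
     *
     * @param signatureInfo parsed signature parameters of the request
     * @param containerRequestContext the incoming request (URI, method, headers, query parameters)
     * @return the string to sign
     * @throws Exception if the canonical request cannot be built or a signed header is rejected
     */
    public static String createSignatureBase(SignatureInfo signatureInfo, ContainerRequestContext containerRequestContext) throws Exception {
        URI requestUri = containerRequestContext.getUriInfo().getRequestUri();
        return createSignatureBase(
                signatureInfo,
                requestUri.getScheme(),
                containerRequestContext.getMethod(),
                requestUri.getPath(),
                AWSSignatureProcessor.LowerCaseKeyStringMap.fromHeaderMap(containerRequestContext.getHeaders()),
                fromMultiValueToSingleValueMap(containerRequestContext.getUriInfo().getQueryParameters()));
    }

    /**
     * Builds the string to sign from already-extracted request parts.
     *
     * @param signatureInfo parsed signature parameters of the request
     * @param str request URI scheme
     * @param str2 HTTP method
     * @param str3 request path; a blank path is treated as {@code "/"}
     * @param lowerCaseKeyStringMap request headers
     * @param map query parameters (one value per name)
     * @return the string to sign
     * @throws Exception if the canonical request cannot be built or a signed header is rejected
     */
    @VisibleForTesting
    public static String createSignatureBase(SignatureInfo signatureInfo, String str, String str2, String str3, AWSSignatureProcessor.LowerCaseKeyStringMap lowerCaseKeyStringMap, Map<String, String> map) throws Exception {
        String credentialScope = signatureInfo.getCredentialScope();
        String path = str3.trim().length() > 0 ? str3 : "/";

        StringBuilder stringToSign = new StringBuilder();
        stringToSign.append(signatureInfo.getAlgorithm()).append(NEWLINE);
        stringToSign.append(signatureInfo.getDateTime()).append(NEWLINE);
        stringToSign.append(credentialScope).append(NEWLINE);

        String canonicalRequest = buildCanonicalRequest(str, str2, path, signatureInfo.getSignedHeaders(), lowerCaseKeyStringMap, map, !signatureInfo.isSignPayload());
        stringToSign.append(hash(canonicalRequest));

        // The canonical request holds every signed header value and every query parameter of the
        // request, so this output belongs at DEBUG only.
        if (LOG.isDebugEnabled()) {
            LOG.debug("canonicalRequest:[{}]", canonicalRequest);
            LOG.debug("StringToSign:[{}]", stringToSign);
        }
        return stringToSign.toString();
    }

    /**
     * Flattens a multi-valued map by keeping only the first value of each key.
     *
     * <p>NOTE(review): when a query parameter is repeated, only its first value ends up in the
     * canonical request, so later values are not covered by the signature. Whether any handler
     * reads those later values is not visible from this class; confirm against the callers.
     *
     * @param multivaluedMap source map
     * @return a new mutable map holding the first value per key
     */
    public static Map<String, String> fromMultiValueToSingleValueMap(MultivaluedMap<String, String> multivaluedMap) {
        Map<String, String> firstValues = new HashMap<>();
        for (String key : multivaluedMap.keySet()) {
            firstValues.put(key, multivaluedMap.getFirst(key));
        }
        return firstValues;
    }

    /**
     * Returns the lowercase hex SHA-256 digest of the UTF-8 bytes of {@code str}.
     *
     * @param str text to hash
     * @return lowercase hex digest
     * @throws NoSuchAlgorithmException if SHA-256 is not available in this JVM
     */
    public static String hash(String str) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(str.getBytes(UTF_8));
        // Locale.ROOT keeps the case mapping independent of the JVM default locale.
        return Hex.encode(sha256.digest()).toLowerCase(Locale.ROOT);
    }

    /**
     * Builds the canonical request: method, encoded path, sorted query string, signed headers
     * with their values, the signed-header list and the payload hash, separated by newlines.
     *
     * @param str request URI scheme (only used when validating the signed {@code host} header)
     * @param str2 HTTP method
     * @param str3 request path; each {@code /}-separated segment is URL-encoded
     * @param str4 signed header names separated by {@code ;}
     * @param map request headers; lookups use the names from {@code str4} and
     *     {@link #X_AMZ_CONTENT_SHA256} as written, so the map is presumably expected to
     *     resolve keys case-insensitively (the production caller passes a LowerCaseKeyStringMap)
     * @param map2 query parameters
     * @param z {@code true} to use {@code UNSIGNED-PAYLOAD} regardless of the content hash header
     * @return the canonical request
     * @throws OS3Exception if a signed header fails validation
     * @throws RuntimeException if a header listed in {@code str4} is missing from {@code map}
     */
    @VisibleForTesting
    public static String buildCanonicalRequest(String str, String str2, String str3, String str4, Map<String, String> map, Map<String, String> map2, boolean z) throws OS3Exception {
        List<String> encodedSegments = new ArrayList<>();
        for (String segment : split("/", str3)) {
            encodedSegments.add(urlEncode(segment));
        }
        String canonicalUri = join("/", encodedSegments);
        String canonicalQuery = getQueryParamString(map2);

        StringBuilder canonicalHeaders = new StringBuilder();
        for (String headerName : StringUtils.getStringCollection(str4, ";")) {
            // Locale.ROOT: a locale-sensitive lowercase (e.g. Turkish dotless i) would change the
            // canonical form and break signature comparison on JVMs with such a default locale.
            canonicalHeaders.append(headerName.toLowerCase(Locale.ROOT));
            canonicalHeaders.append(":");
            if (!map.containsKey(headerName)) {
                // NOTE(review): this is a client-caused condition surfaced as an unchecked
                // exception rather than an OS3Exception; the type is kept because callers may
                // depend on it. Confirm how the request filter maps it to an HTTP status.
                throw new RuntimeException("Header " + headerName + " not present in request but requested to be signed.");
            }
            String headerValue = map.get(headerName);
            canonicalHeaders.append(headerValue);
            canonicalHeaders.append(NEWLINE);
            validateSignedHeader(str, headerName, headerValue);
        }

        // A missing content-hash header with a signed payload yields the text "null" here, which
        // no correctly signing client produces, so the signature comparison fails closed.
        String declaredPayloadHash = map.get(X_AMZ_CONTENT_SHA256);
        String payloadHash = (UNSIGNED_PAYLOAD.equals(declaredPayloadHash) || z) ? UNSIGNED_PAYLOAD : declaredPayloadHash;

        return str2 + NEWLINE + canonicalUri + NEWLINE + canonicalQuery + NEWLINE + canonicalHeaders + NEWLINE + str4 + NEWLINE + payloadHash;
    }

    /** Joins {@code list} with {@code str} between consecutive elements. */
    private static String join(String str, List<String> list) {
        return String.join(str, list);
    }

    /**
     * Splits {@code str2} around every match of the regular expression {@code str}. Unlike
     * {@link String#split(String)}, leading and trailing empty parts are kept.
     */
    private static Iterable<String> split(String str, String str2) {
        Matcher matcher = Pattern.compile(str).matcher(str2);
        List<String> parts = new ArrayList<>();
        int start = 0;
        while (matcher.find()) {
            parts.add(str2.substring(start, matcher.start()));
            start = matcher.end();
        }
        parts.add(str2.substring(start));
        return parts;
    }

    /**
     * URL-encodes {@code str} as UTF-8, writing spaces as {@code %20} and leaving {@code ~} as is.
     *
     * <p>NOTE(review): {@link URLEncoder} leaves {@code *} unescaped, whereas AWS SigV4 canonical
     * encoding percent-encodes every byte outside {@code A-Za-z0-9-._~}. A name containing
     * {@code *} would then canonicalize differently from a conforming client and the signature
     * check would fail (closed). Confirm whether {@code *} should be mapped to {@code %2A}.
     */
    private static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, UTF_8.name()).replace("+", "%20").replace("%7E", "~");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the canonical query string: parameters sorted by name, URL-encoded and joined with
     * {@code &}. The {@code X-Amz-Signature} parameter is left out because it carries the
     * signature itself.
     */
    private static String getQueryParamString(Map<String, String> map) {
        // Keys of a map are distinct, so ordering by name alone is a total order.
        List<String> names = new ArrayList<>(map.keySet());
        Collections.sort(names);

        StringBuilder query = new StringBuilder();
        for (String name : names) {
            if (name.equals("X-Amz-Signature")) {
                continue;
            }
            if (query.length() > 0) {
                query.append("&");
            }
            query.append(urlEncode(name));
            query.append('=');
            query.append(urlEncode(map.get(name)));
        }
        return query.toString();
    }

    /**
     * Validates the value of a signed header. Only {@code host} and {@code X-Amz-Date} are
     * checked; every other header is accepted as is.
     *
     * <p>Header names are compared case-insensitively: the names come from the request's
     * signed-header list, which normally arrives in lowercase, while the constants in this class
     * are mixed case. An exact comparison would skip the date check for such requests.
     *
     * @param str request URI scheme, used to build a URI around the host value
     * @param str2 header name
     * @param str3 header value
     * @throws OS3Exception if the host does not parse or resolve, or the date is unparseable or
     *     further than {@code PRESIGN_URL_MAX_EXPIRATION_SECONDS} from the current time
     */
    @VisibleForTesting
    static void validateSignedHeader(String str, String str2, String str3) throws OS3Exception {
        if (HOST.equalsIgnoreCase(str2)) {
            try {
                // NOTE(review): this resolves a client-supplied name before authentication, so
                // each unauthenticated request can trigger a DNS lookup. Also, URI.getHost()
                // returns null for authorities it cannot parse as a server name, and
                // InetAddress.getByName(null) returns the loopback address, so such values pass.
                // Rejecting a null host is the stricter option; confirm no deployment relies on
                // host names the URI parser does not accept before tightening.
                InetAddress.getByName(new URI(str + "://" + str3).getHost());
            } catch (URISyntaxException | UnknownHostException e) {
                LOG.error("Host value mentioned in signed header is not valid. Host:{}", str3);
                throw S3ErrorTable.S3_AUTHINFO_CREATION_ERROR;
            }
            return;
        }

        if (X_AMAZ_DATE.equalsIgnoreCase(str2)) {
            final Instant requestTime;
            try {
                if (str3 == null) {
                    throw new DateTimeException("missing timestamp");
                }
                // TIME_FORMATTER carries a UTC zone override, so the parsed value resolves to an
                // instant. Comparing instants keeps second precision; LocalDate arithmetic in
                // seconds is not supported by java.time and throws at runtime.
                requestTime = TIME_FORMATTER.parse(str3, Instant::from);
            } catch (DateTimeException e) {
                LOG.error("AWS date is not parseable. Request timestamp:{}", str3);
                throw S3ErrorTable.S3_AUTHINFO_CREATION_ERROR;
            }

            // NOTE(review): the window reuses the pre-signed URL maximum (7 days) in both
            // directions; whether header-signed requests should get a tighter skew limit is a
            // policy decision outside this method.
            Instant now = Instant.now();
            boolean tooOld = requestTime.isBefore(now.minusSeconds(PRESIGN_URL_MAX_EXPIRATION_SECONDS));
            boolean tooNew = requestTime.isAfter(now.plusSeconds(PRESIGN_URL_MAX_EXPIRATION_SECONDS));
            if (tooOld || tooNew) {
                LOG.error("AWS date not in valid range. Request timestamp:{} should not be older than {} seconds.", str3, PRESIGN_URL_MAX_EXPIRATION_SECONDS);
                throw S3ErrorTable.S3_AUTHINFO_CREATION_ERROR;
            }
        }
        // X-Amz-Content-SHA256 and all other headers: no value validation.
    }
}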
