package org.apache.hadoop.ozone.s3.signature;

import com.google.common.annotations.VisibleForTesting;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.ozone.s3.signature.SignatureInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/s3/signature/AuthorizationV4HeaderParser.class */
public class AuthorizationV4HeaderParser implements SignatureParser {
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationV4HeaderParser.class);
    private static final String CREDENTIAL = "Credential=";
    private static final String SIGNEDHEADERS = "SignedHeaders=";
    private static final String SIGNATURE = "Signature=";
    private static final String AWS_REQUEST = "aws4_request";
    private String authHeader;
    private String dateHeader;

    public AuthorizationV4HeaderParser(String str, String str2) {
        this.authHeader = str;
        this.dateHeader = str2;
    }

    @Override // org.apache.hadoop.ozone.s3.signature.SignatureParser
    public SignatureInfo parseSignature() throws MalformedResourceException {
        if (this.authHeader == null || !this.authHeader.startsWith("AWS4")) {
            return null;
        }
        int indexOf = this.authHeader.indexOf(32);
        if (indexOf < 0) {
            throw new MalformedResourceException(this.authHeader);
        }
        String[] split = this.authHeader.substring(indexOf + 1).trim().split(", *");
        if (split.length != 3) {
            throw new MalformedResourceException(this.authHeader);
        }
        String parseAlgorithm = parseAlgorithm(this.authHeader.substring(0, indexOf));
        Credential parseCredentials = parseCredentials(split[0]);
        String parseSignedHeaders = parseSignedHeaders(split[1]);
        return new SignatureInfo(SignatureInfo.Version.V4, parseCredentials.getDate(), this.dateHeader, parseCredentials.getAccessKeyID(), parseSignature(split[2]), parseSignedHeaders, parseCredentials.createScope(), parseAlgorithm, true);
    }

    private String parseSignedHeaders(String str) throws MalformedResourceException {
        if (!StringUtils.isNotEmpty(str) || !str.startsWith(SIGNEDHEADERS)) {
            throw new MalformedResourceException("No signed headers found.", this.authHeader);
        }
        String substring = str.substring(SIGNEDHEADERS.length());
        if (org.apache.hadoop.util.StringUtils.getStringCollection(substring, ";").size() == 0) {
            throw new MalformedResourceException("No signed headers found.", this.authHeader);
        }
        return substring;
    }

    private String parseSignature(String str) throws MalformedResourceException {
        if (!str.startsWith(SIGNATURE)) {
            throw new MalformedResourceException("No signature found: " + str, this.authHeader);
        }
        String substring = str.substring(SIGNATURE.length());
        if (StringUtils.isEmpty(substring)) {
            throw new MalformedResourceException("Signature can't be empty: " + str, this.authHeader);
        }
        try {
            Hex.decodeHex(substring);
            return substring;
        } catch (DecoderException e) {
            throw new MalformedResourceException("Signature:" + str + " should be in hexa-decimal encoding.", this.authHeader);
        }
    }

    private Credential parseCredentials(String str) throws MalformedResourceException {
        if (!StringUtils.isNotEmpty(str) || !str.startsWith(CREDENTIAL)) {
            throw new MalformedResourceException(this.authHeader);
        }
        String substring = str.substring(CREDENTIAL.length());
        Credential credential = new Credential(substring);
        if (credential.getAccessKeyID().isEmpty()) {
            throw new MalformedResourceException("AWS access id is empty. credential: " + substring, this.authHeader);
        }
        if (credential.getAwsRegion().isEmpty()) {
            throw new MalformedResourceException("AWS region is empty. credential: " + substring, this.authHeader);
        }
        if (credential.getAwsRequest().isEmpty() || !credential.getAwsRequest().equals(AWS_REQUEST)) {
            throw new MalformedResourceException("AWS request is empty or invalid. credential:" + substring, this.authHeader);
        }
        if (credential.getAwsService().isEmpty()) {
            throw new MalformedResourceException("AWS service is empty. credential:" + substring, this.authHeader);
        }
        if (credential.getDate().isEmpty()) {
            throw new MalformedResourceException("AWS date is empty. credential:{}" + substring, this.authHeader);
        }
        try {
            validateDateRange(credential);
            return credential;
        } catch (DateTimeParseException e) {
            throw new MalformedResourceException("AWS date format is invalid. credential:" + substring, this.authHeader);
        }
    }

    @VisibleForTesting
    public void validateDateRange(Credential credential) throws MalformedResourceException, DateTimeParseException {
        LocalDate parse = LocalDate.parse(credential.getDate(), SignatureProcessor.DATE_FORMATTER);
        LocalDate now = LocalDate.now();
        if (parse.isBefore(now.minus(1L, (TemporalUnit) ChronoUnit.DAYS)) || parse.isAfter(now.plus(1L, (TemporalUnit) ChronoUnit.DAYS))) {
            throw new MalformedResourceException("AWS date not in valid range. Date: " + parse + " should not be older than 1 day(i.e yesterday) and greater than 1 day(i.e tomorrow).", this.authHeader);
        }
    }

    private String parseAlgorithm(String str) throws MalformedResourceException {
        if (StringUtils.isEmpty(str) || !str.equals(SignatureProcessor.AWS4_SIGNING_ALGORITHM)) {
            throw new MalformedResourceException("Unexpected hash algorithm. Algo:" + str, this.authHeader);
        }
        return str;
    }
}
