package software.amazon.awssdk.auth.signer.internal;

import com.amazonaws.auth.internal.SignerConstants;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.TreeMap;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.signer.Aws4Signer;
import software.amazon.awssdk.auth.signer.Aws4UnsignedPayloadSigner;
import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;
import software.amazon.awssdk.auth.signer.params.SignerChecksumParams;
import software.amazon.awssdk.core.checksums.ChecksumSpecs;
import software.amazon.awssdk.core.checksums.SdkChecksum;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.core.interceptor.SdkExecutionAttribute;
import software.amazon.awssdk.core.internal.util.HttpChecksumUtils;
import software.amazon.awssdk.core.signer.Presigner;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.utils.BinaryUtils;
import software.amazon.awssdk.utils.Logger;
import software.amazon.awssdk.utils.Pair;
import software.amazon.awssdk.utils.StringUtils;
import software.amazon.awssdk.utils.http.SdkHttpUtils;

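/**
 * Base class for AWS Signature Version 4 signers (decompiled output; parameter names are synthetic).
 *
 * <p>It builds the canonical request, derives the string to sign, derives (and caches) the signing key,
 * and attaches the signature either as an {@code Authorization} header ({@code doSign}) or as query
 * parameters ({@code doPresign}).
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>At debug level the canonical request and the string to sign are logged in full. The canonical
 *       request includes every signed header value and every query parameter, so it contains the
 *       session token when session credentials are used.</li>
 *   <li>The static signing-key cache is keyed by a string that embeds the secret access key, and it holds
 *       derived signing keys for the lifetime of the class. Heap dumps of a signing process are therefore
 *       as sensitive as the credentials themselves.</li>
 *   <li>Headers named in {@link #LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE} are left out of the signature
 *       and so are not integrity-protected by it.</li>
 * </ul>
 *
 * @param <T> signer parameter type used by {@code doSign}
 * @param <U> presigner parameter type used by {@code doPresign}
 */
@SdkInternalApi
/* loaded from: input_file:software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.class */
public abstract class AbstractAws4Signer<T extends Aws4SignerParams, U extends Aws4PresignerParams> extends AbstractAwsSigner implements Presigner {
    /** Capacity of {@link #SIGNER_CACHE}. */
    private static final int SIGNER_CACHE_MAX_SIZE = 300;

    /** Hex form of {@code hash("")}, the inherited digest applied to the empty string. */
    public static final String EMPTY_STRING_SHA256_HEX = BinaryUtils.toHex(hash(""));

    // Logs under Aws4Signer's name; enabling debug for that logger exposes canonical requests (see createStringToSign).
    private static final Logger LOG = Logger.loggerFor((Class<?>) Aws4Signer.class);

    // Process-wide cache of derived signing keys, shared by every signer instance.
    // NOTE(review): FifoCache's thread-safety is not visible from this file.
    private static final FifoCache<SignerKey> SIGNER_CACHE = new FifoCache<>(SIGNER_CACHE_MAX_SIZE);

    // Lower-cased header names that are excluded from the canonical headers and the SignedHeaders list.
    private static final List<String> LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE = Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect");

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer$CanonicalRequest.class */
    /**
     * Lazily computed canonical form of a request.
     *
     * <p>The instance keeps a reference to the mutable request builder and reads it only when a value is
     * first asked for; each value is then memoized. Anything added to the builder before the first call
     * is included, anything added afterwards is not. The memoization is not synchronized.
     */
    public static final class CanonicalRequest {
        // Source of the resource path.
        private final SdkHttpFullRequest request;
        // Source of the method, the query parameters and the headers.
        private final SdkHttpFullRequest.Builder requestBuilder;
        // Last line of the canonical request (payload hash or a payload marker supplied by the caller).
        private final String contentSha256;
        private final boolean doubleUrlEncode;
        private final boolean normalizePath;
        private String canonicalRequestString;
        private StringBuilder signedHeaderStringBuilder;
        private List<Pair<String, List<String>>> canonicalHeaders;
        private String signedHeaderString;

        /**
         * @param sdkHttpFullRequest request whose path is canonicalized
         * @param builder            mutable request that supplies method, query parameters and headers
         * @param str                content hash placed on the last line of the canonical request
         * @param z                  whether the path is URL-encoded a second time
         * @param z2                 whether the path is normalized before signing
         */
        CanonicalRequest(SdkHttpFullRequest sdkHttpFullRequest, SdkHttpFullRequest.Builder builder, String str, boolean z, boolean z2) {
            this.request = sdkHttpFullRequest;
            this.requestBuilder = builder;
            this.contentSha256 = str;
            this.doubleUrlEncode = z;
            this.normalizePath = z2;
        }

        /**
         * Returns the canonical request text, building it on first use.
         *
         * <p>Layout, one element per line: method, path, query string, canonical headers (each already
         * terminated by a newline, which leaves an empty line after them), signed header names, content hash.
         *
         * @return the memoized canonical request
         */
        public String string() {
            if (this.canonicalRequestString == null) {
                StringBuilder sb = new StringBuilder(512);
                sb.append(this.requestBuilder.method().toString()).append("\n");
                addCanonicalizedResourcePath(sb, this.request, this.doubleUrlEncode, this.normalizePath);
                sb.append("\n");
                addCanonicalizedQueryString(sb, this.requestBuilder);
                sb.append("\n");
                addCanonicalizedHeaderString(sb, canonicalHeaders());
                sb.append("\n").append((CharSequence) signedHeaderStringBuilder()).append("\n").append(this.contentSha256);
                this.canonicalRequestString = sb.toString();
            }
            return this.canonicalRequestString;
        }

        /**
         * Appends the canonical resource path; an empty path becomes "/".
         *
         * @param sb             output buffer
         * @param sdkHttpRequest request supplying the path
         * @param z              URL-encode the path once more (slashes are kept)
         * @param z2             use the normalized URI path instead of the encoded path as given
         */
        private void addCanonicalizedResourcePath(StringBuilder sb, SdkHttpRequest sdkHttpRequest, boolean z, boolean z2) {
            // Without normalization the path is signed exactly as supplied, dot segments included.
            String rawPath = z2 ? sdkHttpRequest.getUri().normalize().getRawPath() : sdkHttpRequest.encodedPath();
            if (StringUtils.isEmpty(rawPath)) {
                sb.append("/");
                return;
            }
            if (z) {
                rawPath = SdkHttpUtils.urlEncodeIgnoreSlashes(rawPath);
            }
            if (!rawPath.startsWith("/")) {
                sb.append("/");
            }
            sb.append(rawPath);
            // Normalization can leave a trailing '/' the original path did not have; remove it so the
            // signed path matches the path of the request.
            if (z2 && rawPath.length() > 1 && !sdkHttpRequest.encodedPath().endsWith("/") && sb.charAt(sb.length() - 1) == '/') {
                sb.setLength(sb.length() - 1);
            }
        }

        /**
         * Appends the canonical query string: names and values URL-encoded, names sorted, and the values
         * of each name sorted. Parameters with an empty name are skipped.
         *
         * @param sb      output buffer
         * @param builder request supplying the raw query parameters
         */
        private void addCanonicalizedQueryString(StringBuilder sb, SdkHttpRequest.Builder builder) {
            // TreeMap orders the encoded names; typed instead of the raw collections of the decompiled form.
            TreeMap<String, List<String>> treeMap = new TreeMap<>();
            builder.forEachRawQueryParameter((str, list) -> {
                if (StringUtils.isEmpty(str)) {
                    return;
                }
                String urlEncode = SdkHttpUtils.urlEncode(str);
                List<String> arrayList = new ArrayList<>(list.size());
                for (String value : list) {
                    String urlEncode2 = SdkHttpUtils.urlEncode(value);
                    // A value that encodes to null is signed as the empty string.
                    arrayList.add(urlEncode2 == null ? "" : urlEncode2);
                }
                Collections.sort(arrayList);
                treeMap.put(urlEncode, arrayList);
            });
            SdkHttpUtils.flattenQueryParameters(sb, treeMap);
        }

        /**
         * Returns the ';'-separated list of signed header names, building it on first use.
         *
         * <p>The returned builder is the memoized internal instance, not a copy; callers must not modify it.
         *
         * @return the internal builder holding the signed header names
         */
        public StringBuilder signedHeaderStringBuilder() {
            if (this.signedHeaderStringBuilder == null) {
                this.signedHeaderStringBuilder = new StringBuilder();
                addSignedHeaders(this.signedHeaderStringBuilder, canonicalHeaders());
            }
            return this.signedHeaderStringBuilder;
        }

        /**
         * @return the signed header names as an immutable string, memoized
         */
        public String signedHeaderString() {
            if (this.signedHeaderString == null) {
                this.signedHeaderString = signedHeaderStringBuilder().toString();
            }
            return this.signedHeaderString;
        }

        /**
         * @return the sorted, lower-cased headers to sign, computed from the builder on first use
         */
        private List<Pair<String, List<String>>> canonicalHeaders() {
            if (this.canonicalHeaders == null) {
                this.canonicalHeaders = canonicalizeSigningHeaders(this.requestBuilder);
            }
            return this.canonicalHeaders;
        }

        /**
         * Appends one {@code name:value1,value2} line per header, values whitespace-normalized and kept
         * in their given order.
         *
         * @param sb   output buffer
         * @param list headers as returned by {@link #canonicalHeaders()}
         */
        private void addCanonicalizedHeaderString(StringBuilder sb, List<Pair<String, List<String>>> list) {
            list.forEach(pair -> {
                sb.append(pair.left());
                sb.append(":");
                for (String value : pair.right()) {
                    addAndTrim(sb, value);
                    sb.append(",");
                }
                // Removes the trailing ','.
                // NOTE(review): for a header with an empty value list this removes the ':' instead.
                sb.setLength(sb.length() - 1);
                sb.append("\n");
            });
        }

        /**
         * Collects the headers that take part in the signature: every header of the builder except the
         * ignored names, with the name lower-cased, sorted by name.
         *
         * @param builder request supplying the headers
         * @return a new list of (lower-cased name, values) pairs
         */
        private List<Pair<String, List<String>>> canonicalizeSigningHeaders(SdkHttpFullRequest.Builder builder) {
            List<Pair<String, List<String>>> arrayList = new ArrayList<>(builder.numHeaders());
            builder.forEachHeader((str, list) -> {
                String lowerCase = StringUtils.lowerCase(str);
                if (AbstractAws4Signer.LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(lowerCase)) {
                    return;
                }
                arrayList.add(Pair.of(lowerCase, list));
            });
            arrayList.sort(Comparator.comparing(Pair::left));
            return arrayList;
        }

        /**
         * Appends {@code str} with leading and trailing whitespace removed and every inner run of
         * whitespace collapsed to a single space. Appends nothing when the value is all whitespace.
         *
         * @param sb  output buffer
         * @param str raw header value
         */
        private void addAndTrim(StringBuilder sb, String str) {
            int length = sb.length();
            // z: still before the first non-whitespace character; z2: a space was just written.
            boolean z = true;
            boolean z2 = false;
            for (int i = 0; i < str.length(); i++) {
                char charAt = str.charAt(i);
                if (!AbstractAws4Signer.isWhiteSpace(charAt)) {
                    sb.append(charAt);
                    z = false;
                    z2 = false;
                } else if (!z2 && !z) {
                    sb.append(' ');
                    z2 = true;
                }
            }
            if (length == sb.length()) {
                return;
            }
            // At most one collapsed space can trail the value; drop it.
            int length2 = sb.length() - 1;
            while (AbstractAws4Signer.isWhiteSpace(sb.charAt(length2))) {
                length2--;
            }
            sb.setLength(length2 + 1);
        }

        /**
         * Appends the header names joined by ';' (no trailing separator).
         *
         * @param sb   output buffer
         * @param list headers as returned by {@link #canonicalHeaders()}
         */
        private void addSignedHeaders(StringBuilder sb, List<Pair<String, List<String>>> list) {
            Iterator<Pair<String, List<String>>> it = list.iterator();
            while (it.hasNext()) {
                sb.append(it.next().left()).append(';');
            }
            if (list.isEmpty()) {
                return;
            }
            sb.setLength(sb.length() - 1);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Signs a request after computing its content hash and, when checksum parameters call for it, a
     * flexible checksum.
     *
     * @param sdkHttpFullRequest      request to sign
     * @param aws4SignerRequestParams resolved signing time, scope, region and service
     * @param t                       signer parameters
     * @return a builder holding the signed request
     */
    public SdkHttpFullRequest.Builder doSign(SdkHttpFullRequest sdkHttpFullRequest, Aws4SignerRequestParams aws4SignerRequestParams, T t) {
        SdkHttpFullRequest.Builder mo11901toBuilder = sdkHttpFullRequest.mo11901toBuilder();
        SdkChecksum createSdkChecksumFromParams = createSdkChecksumFromParams(t, sdkHttpFullRequest);
        return doSign(mo11901toBuilder.mo11378build(), aws4SignerRequestParams, t, new ContentChecksum(calculateContentHash(mo11901toBuilder, t, createSdkChecksumFromParams), createSdkChecksumFromParams));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Signs a request with a content hash that the caller has already computed.
     *
     * <p>Statement order matters: every header that must be covered by the signature (session token,
     * Host, date, content hash, checksum) is written to the builder before the canonical request is
     * evaluated. The {@code Authorization} header is added afterwards and is therefore not signed.
     *
     * @param sdkHttpFullRequest      request to sign
     * @param aws4SignerRequestParams resolved signing time, scope, region and service
     * @param t                       signer parameters
     * @param contentChecksum         content hash and optional flexible checksum of the payload
     * @return a builder holding the signed request
     */
    public SdkHttpFullRequest.Builder doSign(SdkHttpFullRequest sdkHttpFullRequest, Aws4SignerRequestParams aws4SignerRequestParams, T t, ContentChecksum contentChecksum) {
        SdkHttpFullRequest.Builder mo11901toBuilder = sdkHttpFullRequest.mo11901toBuilder();
        AwsCredentials sanitizeCredentials = sanitizeCredentials(t.awsCredentials());
        if (sanitizeCredentials instanceof AwsSessionCredentials) {
            addSessionCredentials(mo11901toBuilder, (AwsSessionCredentials) sanitizeCredentials);
        }
        addHostHeader(mo11901toBuilder);
        addDateHeader(mo11901toBuilder, aws4SignerRequestParams.getFormattedRequestSigningDateTime());
        // A header value of "required" is a placeholder that is replaced by the real content hash.
        mo11901toBuilder.firstMatchingHeader("x-amz-content-sha256").filter(str -> {
            return str.equals("required");
        }).ifPresent(str2 -> {
            mo11901toBuilder.putHeader("x-amz-content-sha256", contentChecksum.contentHash());
        });
        putChecksumHeader(t.checksumParams(), contentChecksum.contentFlexibleChecksum(), mo11901toBuilder, contentChecksum.contentHash());
        CanonicalRequest createCanonicalRequest = createCanonicalRequest(sdkHttpFullRequest, mo11901toBuilder, contentChecksum.contentHash(), t.doubleUrlEncode().booleanValue(), t.normalizePath().booleanValue());
        String createStringToSign = createStringToSign(createCanonicalRequest.string(), aws4SignerRequestParams);
        byte[] deriveSigningKey = deriveSigningKey(sanitizeCredentials, aws4SignerRequestParams);
        byte[] computeSignature = computeSignature(createStringToSign, deriveSigningKey);
        mo11901toBuilder.putHeader("Authorization", buildAuthorizationHeader(computeSignature, sanitizeCredentials, aws4SignerRequestParams, createCanonicalRequest));
        // The subclass receives the signature and the signing key (e.g. to sign the payload itself).
        processRequestPayload(mo11901toBuilder, computeSignature, deriveSigningKey, aws4SignerRequestParams, t, contentChecksum.contentFlexibleChecksum());
        return mo11901toBuilder;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Presigns a request: the signature, credential scope, expiry and (for session credentials) the
     * session token are written as query parameters.
     *
     * <p>The resulting URL carries the session token and a valid signature in clear text, so until it
     * expires it should be handled like a credential (kept out of logs, referrers and shared history).
     *
     * @param sdkHttpFullRequest      request to presign
     * @param aws4SignerRequestParams resolved signing time, scope, region and service
     * @param u                       presigner parameters, including the optional expiration time
     * @return a builder holding the presigned request
     * @throws SdkClientException if the requested validity exceeds 7 days
     */
    public SdkHttpFullRequest.Builder doPresign(SdkHttpFullRequest sdkHttpFullRequest, Aws4SignerRequestParams aws4SignerRequestParams, U u) {
        SdkHttpFullRequest.Builder mo11901toBuilder = sdkHttpFullRequest.mo11901toBuilder();
        long signatureDurationInSeconds = getSignatureDurationInSeconds(aws4SignerRequestParams, u);
        addHostHeader(mo11901toBuilder);
        AwsCredentials sanitizeCredentials = sanitizeCredentials(u.awsCredentials());
        if (sanitizeCredentials instanceof AwsSessionCredentials) {
            mo11901toBuilder.putRawQueryParameter(SignerConstants.X_AMZ_SECURITY_TOKEN, ((AwsSessionCredentials) sanitizeCredentials).sessionToken());
        }
        // The canonical request is lazy: it is created here, but the query string is read from the
        // builder only when string() is called below, after the presign parameters have been added.
        CanonicalRequest createCanonicalRequest = createCanonicalRequest(sdkHttpFullRequest, mo11901toBuilder, calculateContentHashPresign(mo11901toBuilder, u), u.doubleUrlEncode().booleanValue(), u.normalizePath().booleanValue());
        addPreSignInformationToRequest(mo11901toBuilder, createCanonicalRequest, sanitizeCredentials, aws4SignerRequestParams, signatureDurationInSeconds);
        mo11901toBuilder.putRawQueryParameter(SignerConstants.X_AMZ_SIGNATURE, BinaryUtils.toHex(computeSignature(createStringToSign(createCanonicalRequest.string(), aws4SignerRequestParams), deriveSigningKey(sanitizeCredentials, aws4SignerRequestParams))));
        return mo11901toBuilder;
    }

    /**
     * Adds the session token as a request header, so it becomes one of the signed headers.
     *
     * @param builder               request being signed
     * @param awsSessionCredentials credentials supplying the session token
     */
    @Override // software.amazon.awssdk.auth.signer.internal.AbstractAwsSigner
    protected void addSessionCredentials(SdkHttpFullRequest.Builder builder, AwsSessionCredentials awsSessionCredentials) {
        builder.putHeader(SignerConstants.X_AMZ_SECURITY_TOKEN, awsSessionCredentials.sessionToken());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Computes the hex content hash of the request payload without a flexible checksum.
     *
     * @param builder request whose content stream is hashed
     * @param t       signer parameters (not read here)
     * @return hex-encoded hash of the payload
     */
    public String calculateContentHash(SdkHttpFullRequest.Builder builder, T t) {
        return calculateContentHash(builder, t, null);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Computes the hex content hash of the request payload; {@code sdkChecksum} is handed to the
     * inherited {@code hash} alongside the payload stream.
     *
     * @param builder     request whose content stream is hashed
     * @param t           signer parameters (not read here)
     * @param sdkChecksum optional checksum passed to {@code hash}, may be {@code null}
     * @return hex-encoded hash of the payload
     */
    public String calculateContentHash(SdkHttpFullRequest.Builder builder, T t, SdkChecksum sdkChecksum) {
        return BinaryUtils.toHex(hash(getBinaryRequestPayloadStream(builder.contentStreamProvider()), sdkChecksum));
    }

    /**
     * Payload hook without a checksum. No call is visible in this class; presumably the arguments mirror
     * the six-argument overload (signature, then signing key) - confirm against subclasses.
     */
    protected abstract void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, T t);

    /**
     * Payload hook called at the end of {@code doSign}.
     *
     * @param builder                 signed request
     * @param bArr                    request signature
     * @param bArr2                   derived signing key; secret material, do not log or retain it
     * @param aws4SignerRequestParams resolved signing parameters
     * @param t                       signer parameters
     * @param sdkChecksum             flexible checksum of the payload, may be {@code null}
     */
    protected abstract void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, T t, SdkChecksum sdkChecksum);

    /**
     * Supplies the content hash line used in the canonical request of a presigned request.
     */
    protected abstract String calculateContentHashPresign(SdkHttpFullRequest.Builder builder, U u);

    /**
     * Derives the signing key for the signing time, region and service held in the request parameters.
     *
     * @param awsCredentials          credentials supplying the secret access key
     * @param aws4SignerRequestParams resolved signing time, region and service
     * @return the signing key
     */
    protected final byte[] deriveSigningKey(AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams) {
        return deriveSigningKey(awsCredentials, Instant.ofEpochMilli(aws4SignerRequestParams.getRequestSigningDateTimeMilli()), aws4SignerRequestParams.getRegionName(), aws4SignerRequestParams.getServiceSigningName());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the signing key for the given credentials, date, region and service, using the static
     * cache when it holds a key that is still valid for {@code instant}.
     *
     * <p>NOTE(review): on a cache miss the same array is stored in the cache and returned to the caller;
     * whether {@code SignerKey} copies it is not visible here. Callers should treat the result as
     * read-only.
     *
     * @param awsCredentials credentials supplying the secret access key
     * @param instant        signing time
     * @param str            region name
     * @param str2           service signing name
     * @return the signing key
     */
    public final byte[] deriveSigningKey(AwsCredentials awsCredentials, Instant instant, String str, String str2) {
        String createSigningCacheKeyName = createSigningCacheKeyName(awsCredentials, str, str2);
        SignerKey signerKey = SIGNER_CACHE.get(createSigningCacheKeyName);
        if (signerKey != null && signerKey.isValidForDate(instant)) {
            return signerKey.getSigningKey();
        }
        LOG.trace(() -> {
            return "Generating a new signing key as the signing key not available in the cache for the date: " + instant.toEpochMilli();
        });
        byte[] newSigningKey = newSigningKey(awsCredentials, Aws4SignerUtils.formatDateStamp(instant), str, str2);
        SIGNER_CACHE.add(createSigningCacheKeyName, new SignerKey(instant, newSigningKey));
        return newSigningKey;
    }

    /** Creates the lazy canonical-request view over {@code builder}. */
    private CanonicalRequest createCanonicalRequest(SdkHttpFullRequest sdkHttpFullRequest, SdkHttpFullRequest.Builder builder, String str, boolean z, boolean z2) {
        return new CanonicalRequest(sdkHttpFullRequest, builder, str, z, z2);
    }

    /**
     * Builds the string to sign: algorithm, signing timestamp, scope and the hex hash of the canonical
     * request, one per line.
     *
     * <p>Both the canonical request and the string to sign are logged at debug level. The canonical
     * request contains the session token (header or query parameter) when session credentials are in
     * use, so debug output of this logger must be treated as sensitive and kept off in production.
     *
     * @param str                     canonical request
     * @param aws4SignerRequestParams resolved signing parameters
     * @return the string to sign
     */
    private String createStringToSign(String str, Aws4SignerRequestParams aws4SignerRequestParams) {
        LOG.debug(() -> {
            return "AWS4 Canonical Request: " + str;
        });
        String str2 = aws4SignerRequestParams.getSigningAlgorithm() + "\n" + aws4SignerRequestParams.getFormattedRequestSigningDateTime() + "\n" + aws4SignerRequestParams.getScope() + "\n" + BinaryUtils.toHex(hash(str));
        LOG.debug(() -> {
            return "AWS4 String to sign: " + str2;
        });
        return str2;
    }

    /**
     * Builds the cache key for a derived signing key.
     *
     * <p>NOTE(review): the key embeds the secret access key in clear text, so up to
     * {@code SIGNER_CACHE_MAX_SIZE} copies of secrets stay reachable from a static field after the
     * credentials objects are gone. A digest of the secret would identify the entry equally well;
     * left unchanged here because it alters the cost of every signing call.
     */
    private String createSigningCacheKeyName(AwsCredentials awsCredentials, String str, String str2) {
        return awsCredentials.secretAccessKey() + "-" + str + "-" + str2;
    }

    /** Computes HmacSHA256 over the UTF-8 bytes of {@code str} with the signing key {@code bArr}. */
    private byte[] computeSignature(String str, byte[] bArr) {
        return sign(str.getBytes(StandardCharsets.UTF_8), bArr, SigningAlgorithm.HmacSHA256);
    }

    /**
     * Formats the {@code Authorization} header value from the access key id, scope, signed header names
     * and hex signature. The secret access key is not part of the value.
     */
    private String buildAuthorizationHeader(byte[] bArr, AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams, CanonicalRequest canonicalRequest) {
        return "AWS4-HMAC-SHA256 Credential=" + awsCredentials.accessKeyId() + "/" + aws4SignerRequestParams.getScope() + ", SignedHeaders=" + ((Object) canonicalRequest.signedHeaderStringBuilder()) + ", Signature=" + BinaryUtils.toHex(bArr);
    }

    /**
     * Adds the presign query parameters (algorithm, date, signed headers, expiry, credential).
     *
     * <p>Calling {@code signedHeaderString()} here fixes the set of signed headers, so all headers must
     * already be on the builder.
     *
     * @param j validity of the presigned request in seconds
     */
    private void addPreSignInformationToRequest(SdkHttpFullRequest.Builder builder, CanonicalRequest canonicalRequest, AwsCredentials awsCredentials, Aws4SignerRequestParams aws4SignerRequestParams, long j) {
        String str = awsCredentials.accessKeyId() + "/" + aws4SignerRequestParams.getScope();
        builder.putRawQueryParameter(SignerConstants.X_AMZ_ALGORITHM, "AWS4-HMAC-SHA256");
        builder.putRawQueryParameter(SignerConstants.X_AMZ_DATE, aws4SignerRequestParams.getFormattedRequestSigningDateTime());
        builder.putRawQueryParameter(SignerConstants.X_AMZ_SIGNED_HEADER, canonicalRequest.signedHeaderString());
        builder.putRawQueryParameter(SignerConstants.X_AMZ_EXPIRES, Long.toString(j));
        builder.putRawQueryParameter(SignerConstants.X_AMZ_CREDENTIAL, str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tells whether {@code c} is one of the six ASCII whitespace characters: space, tab, line feed,
     * vertical tab (code 11), carriage return or form feed.
     */
    public static boolean isWhiteSpace(char c) {
        return c == ' ' || c == '\t' || c == '\n' || c == 11 || c == '\r' || c == '\f';
    }

    /** Sets the {@code Host} header from the builder's host, adding the port only when it is non-standard. */
    private void addHostHeader(SdkHttpFullRequest.Builder builder) {
        StringBuilder sb = new StringBuilder(builder.host());
        if (!SdkHttpUtils.isUsingStandardPort(builder.protocol(), builder.port())) {
            sb.append(":").append(builder.port());
        }
        builder.putHeader("Host", sb.toString());
    }

    /** Sets the signing timestamp header. */
    private void addDateHeader(SdkHttpFullRequest.Builder builder, String str) {
        builder.putHeader(SignerConstants.X_AMZ_DATE, str);
    }

    /**
     * Returns the validity of a presigned request in seconds: the distance from the signing time to the
     * requested expiration, or 604800 (7 days) when no expiration is set.
     *
     * <p>NOTE(review): an expiration earlier than the signing time yields a negative value that is
     * returned unchanged; only the upper bound is enforced here.
     *
     * @throws SdkClientException if the validity exceeds 7 days
     */
    private long getSignatureDurationInSeconds(Aws4SignerRequestParams aws4SignerRequestParams, U u) {
        long longValue = ((Long) u.expirationTime().map(instant -> {
            return Long.valueOf(instant.getEpochSecond() - (aws4SignerRequestParams.getRequestSigningDateTimeMilli() / 1000));
        }).orElse(604800L)).longValue();
        if (longValue > 604800) {
            // Report the requested expiration date. The duration alone, formatted as a timestamp,
            // would print a date shortly after the epoch.
            long expirationEpochMilli = (longValue + (aws4SignerRequestParams.getRequestSigningDateTimeMilli() / 1000)) * 1000;
            throw SdkClientException.builder().message("Requests that are pre-signed by SigV4 algorithm are valid for at most 7 days. The expiration date set on the current request [" + Aws4SignerUtils.formatTimestamp(expirationEpochMilli) + "] has exceeded this limit.").mo11378build();
        }
        return longValue;
    }

    /**
     * Derives a signing key by chaining HmacSHA256: the key {@code "AWS4" + secretAccessKey} signs the
     * date stamp, that result signs the region, then the service, then the literal {@code "aws4_request"}.
     *
     * @param awsCredentials credentials supplying the secret access key
     * @param str            date stamp
     * @param str2           region name
     * @param str3           service signing name
     * @return the derived signing key
     */
    private byte[] newSigningKey(AwsCredentials awsCredentials, String str, String str2, String str3) {
        return sign("aws4_request", sign(str3, sign(str2, sign(str, ("AWS4" + awsCredentials.secretAccessKey()).getBytes(StandardCharsets.UTF_8), SigningAlgorithm.HmacSHA256), SigningAlgorithm.HmacSHA256), SigningAlgorithm.HmacSHA256), SigningAlgorithm.HmacSHA256);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fills a presigner parameter builder from execution attributes: everything
     * {@link #extractSignerParams} sets, plus the presign expiration (which may be {@code null}).
     */
    public <B extends Aws4PresignerParams.Builder> B extractPresignerParams(B b, ExecutionAttributes executionAttributes) {
        B b2 = (B) extractSignerParams(b, executionAttributes);
        b2.expirationTime((Instant) executionAttributes.getAttribute(AwsSignerExecutionAttribute.PRESIGNER_EXPIRATION));
        return b2;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fills a signer parameter builder from execution attributes. Credentials, signing name, region,
     * time offset and clock override are always copied (possibly as {@code null}); double URL encoding,
     * path normalization and checksum parameters are set only when the attribute is present.
     */
    public <B extends Aws4SignerParams.Builder> B extractSignerParams(B b, ExecutionAttributes executionAttributes) {
        b.awsCredentials((AwsCredentials) executionAttributes.getAttribute(AwsSignerExecutionAttribute.AWS_CREDENTIALS)).signingName((String) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SERVICE_SIGNING_NAME)).signingRegion((Region) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNING_REGION)).timeOffset((Integer) executionAttributes.getAttribute(AwsSignerExecutionAttribute.TIME_OFFSET)).signingClockOverride((Clock) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNING_CLOCK));
        Boolean bool = (Boolean) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNER_DOUBLE_URL_ENCODE);
        if (bool != null) {
            b.doubleUrlEncode(bool);
        }
        Boolean bool2 = (Boolean) executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNER_NORMALIZE_PATH);
        if (bool2 != null) {
            b.normalizePath(bool2);
        }
        ChecksumSpecs checksumSpecs = (ChecksumSpecs) executionAttributes.getAttribute(SdkExecutionAttribute.RESOLVED_CHECKSUM_SPECS);
        if (checksumSpecs != null && checksumSpecs.algorithm() != null) {
            b.checksumParams(buildSignerChecksumParams(checksumSpecs));
        }
        return b;
    }

    /**
     * Adds the Base64 flexible-checksum header before signing, unless there is nothing to add, the
     * payload is unsigned (or an unsigned streaming trailer), or the header is already present.
     *
     * @param signerChecksumParams checksum configuration, may be {@code null}
     * @param sdkChecksum          computed checksum, may be {@code null}
     * @param builder              request being signed
     * @param str                  content hash or payload marker of the request
     */
    private void putChecksumHeader(SignerChecksumParams signerChecksumParams, SdkChecksum sdkChecksum, SdkHttpFullRequest.Builder builder, String str) {
        if (signerChecksumParams == null || sdkChecksum == null || Aws4UnsignedPayloadSigner.UNSIGNED_PAYLOAD.equals(str) || "STREAMING-UNSIGNED-PAYLOAD-TRAILER".equals(str)) {
            return;
        }
        if (HttpChecksumUtils.isHttpChecksumPresent(builder.mo11378build(), ChecksumSpecs.builder().headerName(signerChecksumParams.checksumHeaderName()).build())) {
            LOG.debug(() -> {
                return "Checksum already added in header ";
            });
            return;
        }
        String checksumHeaderName = signerChecksumParams.checksumHeaderName();
        if (StringUtils.isNotBlank(checksumHeaderName)) {
            builder.putHeader(checksumHeaderName, BinaryUtils.toBase64(sdkChecksum.getChecksumBytes()));
        }
    }

    /** Copies algorithm, streaming flag and header name from the resolved checksum specs. */
    private SignerChecksumParams buildSignerChecksumParams(ChecksumSpecs checksumSpecs) {
        return SignerChecksumParams.builder().algorithm(checksumSpecs.algorithm()).isStreamingRequest(checksumSpecs.isRequestStreaming()).checksumHeaderName(checksumSpecs.headerName()).build();
    }

    /**
     * Creates the checksum calculator for the configured algorithm.
     *
     * @return a new checksum, or {@code null} when no checksum header name is configured or the request
     *         already carries that checksum
     */
    private SdkChecksum createSdkChecksumFromParams(T t, SdkHttpFullRequest sdkHttpFullRequest) {
        SignerChecksumParams checksumParams = t.checksumParams();
        if (!(checksumParams != null && StringUtils.isNotBlank(checksumParams.checksumHeaderName())) || HttpChecksumUtils.isHttpChecksumPresent(sdkHttpFullRequest, ChecksumSpecs.builder().headerName(checksumParams.checksumHeaderName()).build())) {
            return null;
        }
        return SdkChecksum.forAlgorithm(checksumParams.algorithm());
    }
}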
