package com.akamai.edgegrid.signer;

import com.akamai.edgegrid.signer.exceptions.RequestSigningException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import java.util.TimeZone;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/akamai/edgegrid/signer/EdgeGridV1Signer.class */
public class EdgeGridV1Signer {
    private static final String ALGORITHM_NAME = "EG1-HMAC-SHA256";
    private static final String AUTH_CLIENT_TOKEN_NAME = "client_token";
    private static final String AUTH_ACCESS_TOKEN_NAME = "access_token";
    private static final String AUTH_TIMESTAMP_NAME = "timestamp";
    private static final String AUTH_NONCE_NAME = "nonce";
    private static final String AUTH_SIGNATURE_NAME = "signature";
    private static final String DIGEST_ALGORITHM = "SHA-256";
    private static final String SIGNING_ALGORITHM = "HmacSHA256";
    private final Base64.Encoder base64 = Base64.getEncoder();
    private static final Pattern PATTERN_SPACES = Pattern.compile("\\s+");
    private static final Logger log = LoggerFactory.getLogger(EdgeGridV1Signer.class);

    public String getSignature(Request request, ClientCredential clientCredential) throws RequestSigningException {
        return getSignature(request, clientCredential, System.currentTimeMillis(), generateNonce());
    }

    private static String generateNonce() {
        return UUID.randomUUID().toString();
    }

    private static String getAuthorizationHeaderValue(String str, String str2) {
        return str + AUTH_SIGNATURE_NAME + '=' + str2;
    }

    private static String getRelativePathWithQuery(URI uri) {
        StringBuilder sb = new StringBuilder(uri.getPath());
        if (uri.getQuery() != null) {
            sb.append("?").append(uri.getQuery());
        }
        return sb.toString();
    }

    private static byte[] sign(String str, String str2) throws RequestSigningException {
        return sign(str, str2.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] sign(String str, byte[] bArr) throws RequestSigningException {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, SIGNING_ALGORITHM);
            Mac mac = Mac.getInstance(SIGNING_ALGORITHM);
            mac.init(secretKeySpec);
            return mac.doFinal(str.getBytes(StandardCharsets.UTF_8));
        } catch (InvalidKeyException e) {
            throw new RequestSigningException("Failed to sign: invalid key", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new RequestSigningException("Failed to sign: your JDK does not recognize signing algorithm <HmacSHA256>", e2);
        }
    }

    private static String formatTimeStamp(long j) {
        SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yyyyMMdd'T'HH:mm:ssZ");
        Date date = new Date(j);
        simpleDateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));
        return simpleDateFormat.format(date);
    }

    private static String canonicalizeUri(String str) {
        if (StringUtils.isEmpty(str)) {
            return "/";
        }
        if (str.charAt(0) != '/') {
            str = "/" + str;
        }
        return str;
    }

    String getSignature(Request request, ClientCredential clientCredential, long j, String str) throws RequestSigningException {
        Validate.notNull(clientCredential, "credential cannot be null", new Object[0]);
        Validate.notNull(request, "request cannot be null", new Object[0]);
        String formatTimeStamp = formatTimeStamp(j);
        String authData = getAuthData(clientCredential, formatTimeStamp, str);
        String signature = getSignature(request, clientCredential, formatTimeStamp, authData);
        log.debug(String.format("Signature: '%s'", signature));
        return getAuthorizationHeaderValue(authData, signature);
    }

    private String getSignature(Request request, ClientCredential clientCredential, String str, String str2) throws RequestSigningException {
        String signingKey = getSigningKey(str, clientCredential.getClientSecret());
        String canonicalizedRequest = getCanonicalizedRequest(request, clientCredential);
        log.debug(String.format("Canonicalized request: '%s'", StringEscapeUtils.escapeJava(canonicalizedRequest)));
        String dataToSign = getDataToSign(canonicalizedRequest, str2);
        log.debug(String.format("Data to sign: '%s'", StringEscapeUtils.escapeJava(dataToSign)));
        return signAndEncode(dataToSign, signingKey);
    }

    private String signAndEncode(String str, String str2) throws RequestSigningException {
        return this.base64.encodeToString(sign(str, str2));
    }

    private String getSigningKey(String str, String str2) throws RequestSigningException {
        return this.base64.encodeToString(sign(str, str2));
    }

    private String getDataToSign(String str, String str2) {
        return str + str2;
    }

    private String getAuthData(ClientCredential clientCredential, String str, String str2) {
        return ALGORITHM_NAME + ' ' + AUTH_CLIENT_TOKEN_NAME + '=' + clientCredential.getClientToken() + ';' + AUTH_ACCESS_TOKEN_NAME + '=' + clientCredential.getAccessToken() + ';' + AUTH_TIMESTAMP_NAME + '=' + str + ';' + AUTH_NONCE_NAME + '=' + str2 + ';';
    }

    private String getCanonicalizedRequest(Request request, ClientCredential clientCredential) throws RequestSigningException {
        return request.getMethod().toUpperCase() + '\t' + StringUtils.defaultString(request.getUriWithQuery().getScheme(), "https").toLowerCase() + '\t' + clientCredential.getHost().toLowerCase() + '\t' + canonicalizeUri(getRelativePathWithQuery(request.getUriWithQuery())) + '\t' + canonicalizeHeaders(request.getHeaders(), clientCredential) + '\t' + getContentHash(request.getMethod(), request.getBody(), clientCredential.getMaxBodySize()) + '\t';
    }

    private byte[] getHash(byte[] bArr, int i, int i2) throws RequestSigningException {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(DIGEST_ALGORITHM);
            messageDigest.update(bArr, i, i2);
            return messageDigest.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new RequestSigningException("Failed to get request hash: your JDK does not recognize algorithm <SHA-256>", e);
        }
    }

    private String canonicalizeHeaders(Map<String, String> map, ClientCredential clientCredential) {
        ArrayList arrayList = new ArrayList();
        for (String str : clientCredential.getHeadersToSign()) {
            String str2 = map.get(str);
            if (!StringUtils.isBlank(str2)) {
                arrayList.add(str.toLowerCase() + ":" + canonicalizeHeaderValue(str2));
            }
        }
        return StringUtils.join(arrayList, "\t");
    }

    private String canonicalizeHeaderValue(String str) {
        String trim = str.trim();
        if (StringUtils.isNotBlank(trim)) {
            trim = PATTERN_SPACES.matcher(trim).replaceAll(" ");
        }
        return trim;
    }

    private String getContentHash(String str, byte[] bArr, int i) throws RequestSigningException {
        if (!"POST".equals(str) || bArr == null || bArr.length == 0) {
            return "";
        }
        int length = bArr.length;
        if (length > i) {
            log.info(String.format("Content length '%d' is larger than the max '%d'. Using first '%d' bytes for computing the hash.", Integer.valueOf(length), Integer.valueOf(i), Integer.valueOf(i)));
            length = i;
        } else {
            log.debug(String.format("Content (Base64): %s", this.base64.encodeToString(bArr)));
        }
        byte[] hash = getHash(bArr, 0, length);
        log.debug(String.format("Content hash (Base64): %s", this.base64.encodeToString(hash)));
        return this.base64.encodeToString(hash);
    }
}
