package software.amazon.awssdk.core.auth;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.annotations.SdkTestInternalApi;
import software.amazon.awssdk.core.auth.internal.Aws4SignerRequestParams;
import software.amazon.awssdk.core.auth.internal.Aws4SignerUtils;
import software.amazon.awssdk.core.auth.internal.SignerConstants;
import software.amazon.awssdk.core.auth.internal.SignerKey;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.interceptor.AwsExecutionAttributes;
import software.amazon.awssdk.core.interceptor.Context;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.core.internal.collections.FifoCache;
import software.amazon.awssdk.core.util.CredentialUtils;
import software.amazon.awssdk.core.util.DateUtils;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.utils.BinaryUtils;
import software.amazon.awssdk.utils.StringUtils;
import software.amazon.awssdk.utils.http.SdkHttpUtils;

/* loaded from: input_file:software/amazon/awssdk/core/auth/Aws4Signer.class */
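/**
 * Signer implementing AWS Signature Version 4, both as request headers ({@link #sign}) and as
 * query parameters for pre-signed URLs ({@link #presign}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Derived signing keys are kept in a process-wide static cache whose lookup key embeds the
 *       secret access key (see {@link #computeSigningCacheKeyName}).</li>
 *   <li>At DEBUG level the canonical request and the string-to-sign are logged; for session
 *       credentials the canonical request contains the session token value.</li>
 *   <li>Only the {@code connection} and {@code x-amzn-trace-id} headers are left out of the
 *       signature; every other header present on the builder is signed.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code regionName}, {@code serviceName} and the override date are plain mutable
 * fields with no synchronization in this class; confirm how instances are shared before mutating
 * them from several threads.
 */
public class Aws4Signer extends AbstractAwsSigner implements ServiceAwareSigner, RegionAwareSigner, Presigner {
    private static final Logger LOG = LoggerFactory.getLogger(Aws4Signer.class);
    private static final int SIGNER_CACHE_MAX_SIZE = 300;
    // Shared by every Aws4Signer instance in the JVM; entries hold derived signing keys.
    private static final FifoCache<SignerKey> SIGNER_CACHE = new FifoCache<>(SIGNER_CACHE_MAX_SIZE);
    // Headers that are neither canonicalized nor listed in SignedHeaders, so their values are not
    // integrity-protected by the signature.
    private static final List<String> LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE = Arrays.asList("connection", "x-amzn-trace-id");
    protected String serviceName;
    protected String regionName;
    private Date overriddenDate;
    private final boolean doubleUrlEncode;
    private final SdkClock clock;

    /** Creates a signer that double-URL-encodes the resource path and uses the standard clock. */
    public Aws4Signer() {
        this(true);
    }

    /**
     * @param z whether the resource path is URL-encoded a second time during canonicalization
     */
    public Aws4Signer(boolean z) {
        this(z, SdkClock.STANDARD);
    }

    /**
     * Test-only constructor that injects the clock used for pre-sign expiry computation.
     *
     * @param sdkClock clock consulted by {@code generateExpirationDate}
     */
    @SdkTestInternalApi
    public Aws4Signer(SdkClock sdkClock) {
        this(true, sdkClock);
    }

    private Aws4Signer(boolean doubleUrlEncode, SdkClock clock) {
        this.doubleUrlEncode = doubleUrlEncode;
        this.clock = clock;
    }

    /**
     * Test-only hook that pins the signing date.
     *
     * @param date date to sign with, or {@code null} to clear the override; a defensive copy is
     *     stored so later mutation of the argument does not affect the signer
     */
    @SdkTestInternalApi
    public void setOverrideDate(Date date) {
        this.overriddenDate = date == null ? null : new Date(date.getTime());
    }

    /** @return the region name currently configured on this signer */
    public String getRegionName() {
        return this.regionName;
    }

    /**
     * @param str region name placed into the credential scope
     */
    @Override // software.amazon.awssdk.core.auth.RegionAwareSigner
    public void setRegionName(String str) {
        this.regionName = str;
    }

    /** @return the service name currently configured on this signer */
    public String getServiceName() {
        return this.serviceName;
    }

    /**
     * @param str service name placed into the credential scope
     */
    @Override // software.amazon.awssdk.core.auth.ServiceAwareSigner
    public void setServiceName(String str) {
        this.serviceName = str;
    }

    /**
     * Signs the outgoing request with SigV4 headers.
     *
     * @param beforeTransmission interceptor context carrying the HTTP request to sign
     * @param executionAttributes attributes holding the credentials under
     *     {@code AwsExecutionAttributes.AWS_CREDENTIALS}
     * @return the original request, unsigned, when the credentials are anonymous; otherwise a
     *     copy carrying the Host, X-Amz-Date and Authorization headers (plus the security token
     *     header for session credentials)
     */
    @Override // software.amazon.awssdk.core.auth.Signer
    public SdkHttpFullRequest sign(Context.BeforeTransmission beforeTransmission, ExecutionAttributes executionAttributes) {
        AwsCredentials credentials = (AwsCredentials) executionAttributes.getAttribute(AwsExecutionAttributes.AWS_CREDENTIALS);
        // Anonymous credentials mean the request leaves this method without any signature.
        if (CredentialUtils.isAnonymous(credentials)) {
            return beforeTransmission.httpRequest();
        }
        return beforeTransmission.httpRequest().copy(builder -> {
            doSign(builder, beforeTransmission, executionAttributes);
        });
    }

    /**
     * Applies the header-based SigV4 signature to {@code builder}.
     *
     * <p>The order matters: the security token, Host and X-Amz-Date headers are added before the
     * canonical request is built so that they are covered by the signature.
     */
    private SdkHttpFullRequest.Builder doSign(SdkHttpFullRequest.Builder builder, Context.BeforeTransmission beforeTransmission, ExecutionAttributes executionAttributes) {
        AwsCredentials credentials = sanitizeCredentials((AwsCredentials) executionAttributes.getAttribute(AwsExecutionAttributes.AWS_CREDENTIALS));
        if (credentials instanceof AwsSessionCredentials) {
            addSessionCredentials(builder, (AwsSessionCredentials) credentials);
        }
        Aws4SignerRequestParams signerParams = new Aws4SignerRequestParams(beforeTransmission.request(), builder, executionAttributes, this.overriddenDate, this.regionName, this.serviceName, SignerConstants.AWS4_SIGNING_ALGORITHM);
        addHostHeader(builder);
        builder.header(SignerConstants.X_AMZ_DATE, signerParams.getFormattedSigningDateTime());
        String contentSha256 = calculateContentHash(signerParams, builder);
        // A caller-supplied placeholder value of "required" is replaced with the real payload hash
        // before canonicalization, so the signed header carries the actual digest.
        builder.firstMatchingHeader(SignerConstants.X_AMZ_CONTENT_SHA256)
               .filter("required"::equals)
               .ifPresent(placeholder -> builder.header(SignerConstants.X_AMZ_CONTENT_SHA256, contentSha256));
        String canonicalRequest = createCanonicalRequest(builder, contentSha256);
        String stringToSign = createStringToSign(canonicalRequest, signerParams);
        byte[] signingKey = deriveSigningKey(credentials, signerParams);
        byte[] signature = computeSignature(stringToSign, signingKey);
        builder.header(SignerConstants.AUTHORIZATION, buildAuthorizationHeader(signature, credentials, signerParams));
        processRequestPayload(builder, signature, signingKey, signerParams);
        return builder;
    }

    /**
     * Produces a pre-signed request whose signature travels in the query string.
     *
     * <p>The resulting URL carries the signature (and, for session credentials, the session
     * token) as query parameters, so it authorizes the request for anyone holding it until it
     * expires. URLs are commonly recorded by proxies, access logs and browser history; callers
     * should pick the shortest workable expiry and handle the URL like a credential.
     *
     * @param beforeTransmission interceptor context carrying the HTTP request to pre-sign
     * @param executionAttributes attributes holding the credentials
     * @param date expiry instant, or {@code null} for the maximum allowed lifetime
     * @return the original request when the credentials are anonymous, otherwise the pre-signed
     *     request
     * @throws SdkClientException if the expiry lies beyond the maximum pre-sign lifetime
     */
    @Override // software.amazon.awssdk.core.auth.Presigner
    public SdkHttpFullRequest presign(Context.BeforeTransmission beforeTransmission, ExecutionAttributes executionAttributes, Date date) {
        if (CredentialUtils.isAnonymous((AwsCredentials) executionAttributes.getAttribute(AwsExecutionAttributes.AWS_CREDENTIALS))) {
            return beforeTransmission.httpRequest();
        }
        SdkHttpFullRequest.Builder builder = (SdkHttpFullRequest.Builder) beforeTransmission.httpRequest().toBuilder();
        long expiresInSeconds = generateExpirationDate(date);
        addHostHeader(builder);
        AwsCredentials credentials = sanitizeCredentials((AwsCredentials) executionAttributes.getAttribute(AwsExecutionAttributes.AWS_CREDENTIALS));
        if (credentials instanceof AwsSessionCredentials) {
            // Session token goes into the query string here (not a header), so it becomes part
            // of the shareable URL.
            builder.rawQueryParameter(SignerConstants.X_AMZ_SECURITY_TOKEN, ((AwsSessionCredentials) credentials).sessionToken());
        }
        Aws4SignerRequestParams signerParams = new Aws4SignerRequestParams(beforeTransmission.request(), builder, executionAttributes, this.overriddenDate, this.regionName, this.serviceName, SignerConstants.AWS4_SIGNING_ALGORITHM);
        addPreSignInformationToRequest(builder, credentials, signerParams, signerParams.getFormattedSigningDateTime(), expiresInSeconds);
        String contentSha256 = calculateContentHashPresign(signerParams, builder);
        String canonicalRequest = createCanonicalRequest(builder, contentSha256);
        String stringToSign = createStringToSign(canonicalRequest, signerParams);
        byte[] signingKey = deriveSigningKey(credentials, signerParams);
        byte[] signature = computeSignature(stringToSign, signingKey);
        builder.rawQueryParameter(SignerConstants.X_AMZ_SIGNATURE, BinaryUtils.toHex(signature));
        return (SdkHttpFullRequest) builder.build();
    }

    /**
     * Builds the SigV4 canonical request: method, canonical path, canonical query string,
     * canonical headers, signed-header list and payload hash, separated by
     * {@code SignerConstants.LINE_SEPARATOR}.
     */
    private String createCanonicalRequest(SdkHttpFullRequest.Builder builder, String contentSha256) {
        String canonicalRequest = builder.method().toString() + SignerConstants.LINE_SEPARATOR
                + getCanonicalizedResourcePath(builder.encodedPath(), this.doubleUrlEncode) + SignerConstants.LINE_SEPARATOR
                + getCanonicalizedQueryString(builder.rawQueryParameters()) + SignerConstants.LINE_SEPARATOR
                + getCanonicalizedHeaderString(builder.headers()) + SignerConstants.LINE_SEPARATOR
                + getSignedHeadersString(builder.headers()) + SignerConstants.LINE_SEPARATOR
                + contentSha256;
        // The canonical request includes every signed header and query parameter verbatim. With
        // session credentials that includes the X-Amz-Security-Token value, so DEBUG output of
        // this logger must be treated as sensitive.
        LOG.debug("AWS4 Canonical Request: '\"{}\"", canonicalRequest);
        return canonicalRequest;
    }

    /**
     * Builds the string-to-sign: algorithm, signing timestamp, credential scope and the hex
     * digest of the canonical request.
     */
    private String createStringToSign(String canonicalRequest, Aws4SignerRequestParams signerParams) {
        String stringToSign = signerParams.getSigningAlgorithm() + SignerConstants.LINE_SEPARATOR
                + signerParams.getFormattedSigningDateTime() + SignerConstants.LINE_SEPARATOR
                + signerParams.getScope() + SignerConstants.LINE_SEPARATOR
                + BinaryUtils.toHex(hash(canonicalRequest));
        LOG.debug("AWS4 String to Sign: '\"{}\"", stringToSign);
        return stringToSign;
    }

    /**
     * Returns the signing key for the given credentials and scope, reusing a cached key when one
     * exists for the same signing day.
     *
     * <p>NOTE(review): the array returned on a cache hit comes straight from
     * {@code SignerKey.getSigningKey()}; whether that is a copy cannot be seen from this class.
     * Callers (including {@link #processRequestPayload} overrides) should not mutate it.
     */
    private byte[] deriveSigningKey(AwsCredentials credentials, Aws4SignerRequestParams signerParams) {
        String cacheKey = computeSigningCacheKeyName(credentials, signerParams);
        long daysSinceEpoch = DateUtils.numberOfDaysSinceEpoch(signerParams.getSigningDateTimeMilli());
        SignerKey cached = SIGNER_CACHE.get(cacheKey);
        // A cached key is only valid for the day it was derived for; a stale entry is replaced.
        if (cached != null && daysSinceEpoch == cached.getNumberOfDaysSinceEpoch()) {
            return cached.getSigningKey();
        }
        LOG.debug("Generating a new signing key as the signing key not available in the cache for the date {}", TimeUnit.DAYS.toMillis(daysSinceEpoch));
        byte[] signingKey = newSigningKey(credentials, signerParams.getFormattedSigningDate(), signerParams.getRegionName(), signerParams.getServiceName());
        SIGNER_CACHE.add(cacheKey, new SignerKey(daysSinceEpoch, signingKey));
        return signingKey;
    }

    /**
     * Builds the lookup key for the signing-key cache.
     *
     * <p>NOTE(review): the key embeds the raw secret access key, so up to
     * {@code SIGNER_CACHE_MAX_SIZE} secret-bearing strings stay reachable from the static cache
     * and would show up in heap dumps. Never log or expose this value. A digest of the secret
     * would serve equally well as a cache key; consider that if heap exposure is in the threat
     * model.
     */
    private String computeSigningCacheKeyName(AwsCredentials credentials, Aws4SignerRequestParams signerParams) {
        return credentials.secretAccessKey() + "-" + signerParams.getRegionName() + "-" + signerParams.getServiceName();
    }

    /** Computes the HMAC-SHA256 of the UTF-8 encoded string-to-sign under the signing key. */
    private byte[] computeSignature(String stringToSign, byte[] signingKey) {
        return sign(stringToSign.getBytes(StandardCharsets.UTF_8), signingKey, SigningAlgorithm.HmacSHA256);
    }

    /** Formats the {@code Authorization} header value: credential scope, signed headers, signature. */
    private String buildAuthorizationHeader(byte[] signature, AwsCredentials credentials, Aws4SignerRequestParams signerParams) {
        String credential = "Credential=" + (credentials.accessKeyId() + "/" + signerParams.getScope());
        String signedHeaders = "SignedHeaders=" + getSignedHeadersString(signerParams.httpRequest().headers());
        String signatureField = "Signature=" + BinaryUtils.toHex(signature);
        return "AWS4-HMAC-SHA256 " + credential + ", " + signedHeaders + ", " + signatureField;
    }

    /**
     * Adds the SigV4 query parameters (algorithm, date, signed headers, expiry, credential) that a
     * pre-signed URL needs; the signature itself is added by the caller afterwards.
     */
    private void addPreSignInformationToRequest(SdkHttpFullRequest.Builder builder, AwsCredentials credentials, Aws4SignerRequestParams signerParams, String formattedSigningDateTime, long expiresInSeconds) {
        String credentialScope = credentials.accessKeyId() + "/" + signerParams.getScope();
        builder.rawQueryParameter(SignerConstants.X_AMZ_ALGORITHM, SignerConstants.AWS4_SIGNING_ALGORITHM);
        builder.rawQueryParameter(SignerConstants.X_AMZ_DATE, formattedSigningDateTime);
        builder.rawQueryParameter(SignerConstants.X_AMZ_SIGNED_HEADER, getSignedHeadersString(signerParams.httpRequest().headers()));
        builder.rawQueryParameter(SignerConstants.X_AMZ_EXPIRES, Long.toString(expiresInSeconds));
        builder.rawQueryParameter(SignerConstants.X_AMZ_CREDENTIAL, credentialScope);
    }

    /**
     * Adds the session token as a request header so that it is covered by the signature.
     *
     * @param builder request being signed
     * @param awsSessionCredentials session credentials supplying the token
     */
    @Override // software.amazon.awssdk.core.auth.AbstractAwsSigner
    protected void addSessionCredentials(SdkHttpFullRequest.Builder builder, AwsSessionCredentials awsSessionCredentials) {
        builder.header(SignerConstants.X_AMZ_SECURITY_TOKEN, awsSessionCredentials.sessionToken());
    }

    /**
     * Renders the canonical header block: one {@code name:value} line per header value, names
     * lower-cased and ordered case-insensitively, excluded headers skipped.
     */
    private String getCanonicalizedHeaderString(Map<String, List<String>> headers) {
        List<String> sortedNames = new ArrayList<>(headers.keySet());
        sortedNames.sort(String.CASE_INSENSITIVE_ORDER);
        StringBuilder canonical = new StringBuilder();
        for (String name : sortedNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            String lowerCaseName = StringUtils.lowerCase(name);
            for (String value : headers.get(name)) {
                software.amazon.awssdk.core.util.StringUtils.appendCompactedString(canonical, lowerCaseName);
                canonical.append(":");
                // A null value still produces a "name:" line so the header stays in the signature.
                if (value != null) {
                    software.amazon.awssdk.core.util.StringUtils.appendCompactedString(canonical, value);
                }
                canonical.append(SignerConstants.LINE_SEPARATOR);
            }
        }
        return canonical.toString();
    }

    /** Renders the {@code SignedHeaders} list: lower-cased names joined by {@code ;}. */
    private String getSignedHeadersString(Map<String, List<String>> headers) {
        List<String> sortedNames = new ArrayList<>(headers.keySet());
        sortedNames.sort(String.CASE_INSENSITIVE_ORDER);
        StringBuilder signedHeaders = new StringBuilder();
        for (String name : sortedNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            if (signedHeaders.length() > 0) {
                signedHeaders.append(";");
            }
            signedHeaders.append(StringUtils.lowerCase(name));
        }
        return signedHeaders.toString();
    }

    /** @return {@code true} when the header is on the ignore list and therefore left unsigned */
    private boolean shouldExcludeHeaderFromSigning(String headerName) {
        return LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(StringUtils.lowerCase(headerName));
    }

    /**
     * Sets the Host header from the builder's host, appending the port only when it is not the
     * standard port for the protocol. Overwrites any Host header already on the builder.
     */
    private void addHostHeader(SdkHttpFullRequest.Builder builder) {
        StringBuilder host = new StringBuilder(builder.host());
        if (!SdkHttpUtils.isUsingStandardPort(builder.protocol(), builder.port())) {
            host.append(":").append(builder.port());
        }
        builder.header(SignerConstants.HOST, host.toString());
    }

    /**
     * Hashes the request payload and rewinds the stream so it can still be sent.
     *
     * @param aws4SignerRequestParams signing parameters giving access to the request content
     * @param builder request being signed (unused by this implementation)
     * @return hex-encoded digest of the payload
     * @throws SdkClientException if the payload stream cannot be reset after hashing
     */
    protected String calculateContentHash(Aws4SignerRequestParams aws4SignerRequestParams, SdkHttpFullRequest.Builder builder) {
        InputStream payload = getBinaryRequestPayloadStream(aws4SignerRequestParams.httpRequest().content());
        // NOTE(review): mark() is called without a markSupported() check; this presumably relies
        // on getBinaryRequestPayloadStream returning a mark-capable stream — confirm.
        payload.mark(getReadLimit(aws4SignerRequestParams));
        String contentSha256 = BinaryUtils.toHex(hash(payload));
        try {
            payload.reset();
            return contentSha256;
        } catch (IOException e) {
            throw new SdkClientException("Unable to reset stream after calculating AWS4 signature", e);
        }
    }

    /**
     * Extension hook invoked after the Authorization header has been set; a no-op here.
     *
     * @param builder request being signed
     * @param bArr the computed request signature
     * @param bArr2 the signing key; it may be the same array that is held in the shared cache, so
     *     overrides should treat it as read-only and must not log it
     * @param aws4SignerRequestParams signing parameters for this request
     */
    protected void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams) {
    }

    /**
     * Payload hash used for pre-signed requests; delegates to {@link #calculateContentHash}.
     *
     * @param aws4SignerRequestParams signing parameters for this request
     * @param builder request being pre-signed
     * @return hex-encoded digest of the payload
     */
    protected String calculateContentHashPresign(Aws4SignerRequestParams aws4SignerRequestParams, SdkHttpFullRequest.Builder builder) {
        return calculateContentHash(aws4SignerRequestParams, builder);
    }

    /**
     * Converts an expiry instant into a lifetime in seconds relative to this signer's clock.
     *
     * @param date expiry instant, or {@code null} for the maximum lifetime
     * @return lifetime in seconds
     * @throws SdkClientException if the lifetime exceeds the SigV4 maximum
     */
    private long generateExpirationDate(Date date) {
        long expiresInSeconds = date != null
                ? (date.getTime() - this.clock.currentTimeMillis()) / 1000
                : SignerConstants.PRESIGN_URL_MAX_EXPIRATION_SECONDS;
        // NOTE(review): only the upper bound is enforced. An expiry in the past yields a zero or
        // negative X-Amz-Expires value here; consider rejecting it explicitly.
        if (expiresInSeconds > SignerConstants.PRESIGN_URL_MAX_EXPIRATION_SECONDS) {
            throw new SdkClientException("Requests that are pre-signed by SigV4 algorithm are valid for at most 7 days. The expiration date set on the current request [" + Aws4SignerUtils.formatTimestamp(date.getTime()) + "] has exceeded this limit.");
        }
        return expiresInSeconds;
    }

    /**
     * Derives the SigV4 signing key by chaining HMAC-SHA256 over the date stamp, region, service
     * and terminator, starting from {@code "AWS4" + secretAccessKey}.
     */
    private byte[] newSigningKey(AwsCredentials credentials, String dateStamp, String region, String service) {
        byte[] secretKeyBytes = ("AWS4" + credentials.secretAccessKey()).getBytes(StandardCharsets.UTF_8);
        byte[] dateKey = sign(dateStamp, secretKeyBytes, SigningAlgorithm.HmacSHA256);
        byte[] regionKey = sign(region, dateKey, SigningAlgorithm.HmacSHA256);
        byte[] serviceKey = sign(service, regionKey, SigningAlgorithm.HmacSHA256);
        return sign(SignerConstants.AWS4_TERMINATOR, serviceKey, SigningAlgorithm.HmacSHA256);
    }
}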
