package com.amazonaws.auth;

import com.amazonaws.ReadLimitInfo;
import com.amazonaws.SdkClientException;
import com.amazonaws.SignableRequest;
import com.amazonaws.annotation.SdkTestInternalApi;
import com.amazonaws.auth.SdkClock;
import com.amazonaws.auth.internal.AWS4SignerRequestParams;
import com.amazonaws.auth.internal.AWS4SignerUtils;
import com.amazonaws.auth.internal.SignerConstants;
import com.amazonaws.auth.internal.SignerKey;
import com.amazonaws.internal.FIFOCache;
import com.amazonaws.log.InternalLogApi;
import com.amazonaws.log.InternalLogFactory;
import com.amazonaws.util.BinaryUtils;
import com.amazonaws.util.DateUtils;
import com.amazonaws.util.SdkHttpUtils;
import com.amazonaws.util.endpoint.RegionFromEndpointResolver;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.glassfish.hk2.utilities.BuilderHelper;
import org.springframework.validation.DefaultBindingErrorProcessor;

/* loaded from: input_file:BOOT-INF/lib/aws-java-sdk-core-1.12.279.jar:com/amazonaws/auth/AWS4Signer.class */
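/**
 * Signer that authenticates requests with the AWS4 ("SigV4") signing scheme, either by adding an
 * {@code Authorization} header ({@link #sign}) or by adding signature query parameters
 * ({@link #presignRequest}).
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Derived signing keys are kept in a {@code static} cache, so they are shared by every
 *       instance loaded by the same class loader.</li>
 *   <li>The cache key string embeds the caller's secret access key (see
 *       {@link #computeSigningCacheKeyName}).</li>
 *   <li>At debug level the canonical request and the string to sign are logged verbatim; the
 *       canonical request contains the signed headers and query string, which include the session
 *       token when session credentials are used.</li>
 * </ul>
 */
public class AWS4Signer extends AbstractAWSSigner implements ServiceAwareSigner, RegionAwareSigner, Presigner, EndpointPrefixAwareSigner, RegionFromEndpointResolverAwareSigner {
    private static final int SIGNER_CACHE_MAX_SIZE = 300;
    private final SdkClock clock;
    protected String serviceName;
    private String endpointPrefix;
    private RegionFromEndpointResolver regionFromEndpointResolver;
    protected String regionName;
    protected Date overriddenDate;
    protected boolean doubleUrlEncode;
    protected static final InternalLogApi log = InternalLogFactory.getLog((Class<?>) AWS4Signer.class);
    // Shared by all signer instances; holds derived signing keys, which are bearer secrets for
    // their day/region/service scope.
    private static final FIFOCache<SignerKey> signerCache = new FIFOCache<>(SIGNER_CACHE_MAX_SIZE);
    // Header names (lower case) that are never part of the signature.
    private static final List<String> listOfHeadersToIgnoreInLowerCase = Arrays.asList("connection", "x-amzn-trace-id");

    /** Creates a signer that double-URL-encodes the resource path and uses the default SDK clock. */
    public AWS4Signer() {
        this(true);
    }

    /**
     * Creates a signer using the default SDK clock.
     *
     * @param z whether the resource path is URL-encoded twice when it is canonicalized
     */
    public AWS4Signer(boolean z) {
        this(z, SdkClock.Instance.get());
    }

    /**
     * Test-only constructor that injects the clock used to compute pre-sign expirations.
     *
     * @param sdkClock clock to read the current time from
     */
    @SdkTestInternalApi
    public AWS4Signer(SdkClock sdkClock) {
        this(true, sdkClock);
    }

    private AWS4Signer(boolean z, SdkClock sdkClock) {
        this.doubleUrlEncode = z;
        this.clock = sdkClock;
    }

    /** Sets the service name passed to the signing parameters (part of the signing-key derivation). */
    @Override // com.amazonaws.auth.ServiceAwareSigner
    public void setServiceName(String str) {
        this.serviceName = str;
    }

    /** Sets the region name passed to the signing parameters (part of the signing-key derivation). */
    @Override // com.amazonaws.auth.RegionAwareSigner
    public void setRegionName(String str) {
        this.regionName = str;
    }

    /** Sets the endpoint prefix handed to {@link AWS4SignerRequestParams}. */
    @Override // com.amazonaws.auth.EndpointPrefixAwareSigner
    public void setEndpointPrefix(String str) {
        this.endpointPrefix = str;
    }

    /**
     * Test-only hook that overrides the date handed to the signing parameters.
     *
     * @param date date to use, or {@code null} to clear the override; a copy is stored so later
     *     changes to the caller's {@link Date} do not affect this signer
     */
    @SdkTestInternalApi
    public void setOverrideDate(Date date) {
        this.overriddenDate = (date == null) ? null : new Date(date.getTime());
    }

    /** Sets the resolver handed to {@link AWS4SignerRequestParams}. */
    @Override // com.amazonaws.auth.RegionFromEndpointResolverAwareSigner
    public void setRegionFromEndpointResolver(RegionFromEndpointResolver regionFromEndpointResolver) {
        this.regionFromEndpointResolver = regionFromEndpointResolver;
    }

    /** Returns the configured region name, possibly {@code null}. */
    public String getRegionName() {
        return this.regionName;
    }

    /** Returns the configured service name, possibly {@code null}. */
    public String getServiceName() {
        return this.serviceName;
    }

    /** Returns a copy of the overridden signing date, or {@code null} when none is set. */
    public Date getOverriddenDate() {
        if (this.overriddenDate == null) {
            return null;
        }
        return new Date(this.overriddenDate.getTime());
    }

    /**
     * Signs the request in place by adding the {@code Host}, date, optional session-token and
     * {@code Authorization} headers. Anonymous credentials leave the request untouched.
     *
     * @param signableRequest request to sign; its headers are mutated
     * @param aWSCredentials credentials to sign with
     */
    @Override // com.amazonaws.auth.Signer
    public void sign(SignableRequest<?> signableRequest, AWSCredentials aWSCredentials) {
        if (isAnonymous(aWSCredentials)) {
            return;
        }
        AWSCredentials credentials = sanitizeCredentials(aWSCredentials);
        if (credentials instanceof AWSSessionCredentials) {
            addSessionCredentials(signableRequest, (AWSSessionCredentials) credentials);
        }
        AWS4SignerRequestParams signerParams = new AWS4SignerRequestParams(signableRequest, this.overriddenDate, this.regionName, this.serviceName, SignerConstants.AWS4_SIGNING_ALGORITHM, this.endpointPrefix, this.regionFromEndpointResolver);
        // Every header added before the canonical request is built becomes a signed header.
        addHostHeader(signableRequest);
        signableRequest.addHeader(SignerConstants.X_AMZ_DATE, signerParams.getFormattedSigningDateTime());
        String contentSha256 = calculateContentHash(signableRequest);
        // The placeholder value "required" asks the signer to fill in the payload hash header.
        // (The decompiled listing borrowed an identical string constant from Spring's
        // DefaultBindingErrorProcessor; the literal keeps the signer independent of that library.)
        if ("required".equals(signableRequest.getHeaders().get(SignerConstants.X_AMZ_CONTENT_SHA256))) {
            signableRequest.addHeader(SignerConstants.X_AMZ_CONTENT_SHA256, contentSha256);
        }
        String canonicalRequest = createCanonicalRequest(signableRequest, contentSha256);
        String stringToSign = createStringToSign(canonicalRequest, signerParams);
        byte[] signingKey = deriveSigningKey(credentials, signerParams);
        byte[] signature = computeSignature(stringToSign, signingKey, signerParams);
        signableRequest.addHeader("Authorization", buildAuthorizationHeader(signableRequest, signature, credentials, signerParams));
        // Extension hook; note that it receives the signing key array itself.
        processRequestPayload(signableRequest, signature, signingKey, signerParams);
    }

    /**
     * Pre-signs the request in place by adding the signing information and the signature as query
     * parameters. Anonymous credentials leave the request untouched.
     *
     * @param signableRequest request to pre-sign; its headers and parameters are mutated
     * @param aWSCredentials credentials to sign with
     * @param date expiration time, or {@code null} for the maximum allowed lifetime
     * @throws SdkClientException if the expiration lies beyond the maximum allowed lifetime
     */
    @Override // com.amazonaws.auth.Presigner
    public void presignRequest(SignableRequest<?> signableRequest, AWSCredentials aWSCredentials, Date date) {
        if (isAnonymous(aWSCredentials)) {
            return;
        }
        long expirationInSeconds = generateExpirationDate(date);
        addHostHeader(signableRequest);
        AWSCredentials credentials = sanitizeCredentials(aWSCredentials);
        if (credentials instanceof AWSSessionCredentials) {
            // The session token travels in the query string, so it ends up wherever the resulting
            // URL is stored or logged.
            signableRequest.addParameter(SignerConstants.X_AMZ_SECURITY_TOKEN, ((AWSSessionCredentials) credentials).getSessionToken());
        }
        AWS4SignerRequestParams signerParams = new AWS4SignerRequestParams(signableRequest, this.overriddenDate, this.regionName, this.serviceName, SignerConstants.AWS4_SIGNING_ALGORITHM, this.endpointPrefix, this.regionFromEndpointResolver);
        addPreSignInformationToRequest(signableRequest, credentials, signerParams, signerParams.getFormattedSigningDateTime(), expirationInSeconds);
        String contentSha256 = calculateContentHashPresign(signableRequest);
        String canonicalRequest = createCanonicalRequest(signableRequest, contentSha256);
        String stringToSign = createStringToSign(canonicalRequest, signerParams);
        byte[] signingKey = deriveSigningKey(credentials, signerParams);
        byte[] signature = computeSignature(stringToSign, signingKey, signerParams);
        signableRequest.addParameter(SignerConstants.X_AMZ_SIGNATURE, BinaryUtils.toHex(signature));
    }

    /**
     * Builds the canonical request: method, canonical path, canonical query string, canonical
     * headers, signed-header list and payload hash, joined by newlines.
     *
     * @param signableRequest request being signed
     * @param str hex payload hash to place on the last line
     * @return the canonical request text
     */
    protected String createCanonicalRequest(SignableRequest<?> signableRequest, String str) {
        String path = SdkHttpUtils.appendUri(signableRequest.getEndpoint().getPath(), signableRequest.getResourcePath());
        String canonicalRequest = signableRequest.getHttpMethod().toString()
                + "\n" + getCanonicalizedResourcePath(path, this.doubleUrlEncode)
                + "\n" + getCanonicalizedQueryString(signableRequest)
                + "\n" + getCanonicalizedHeaderString(signableRequest)
                + "\n" + getSignedHeadersString(signableRequest)
                + "\n" + str;
        // NOTE(review): this logs every signed header and the full query string; with session
        // credentials that includes the session token. Keep debug logging for this class off in
        // production or route it to a protected sink.
        if (log.isDebugEnabled()) {
            log.debug("AWS4 Canonical Request: '\"" + canonicalRequest + "\"");
        }
        return canonicalRequest;
    }

    /**
     * Builds the string to sign: algorithm, signing timestamp, credential scope and the hex hash
     * of the canonical request, joined by newlines.
     *
     * @param str canonical request text
     * @param aWS4SignerRequestParams signing parameters for this request
     * @return the string to sign
     */
    protected String createStringToSign(String str, AWS4SignerRequestParams aWS4SignerRequestParams) {
        String stringToSign = aWS4SignerRequestParams.getSigningAlgorithm()
                + "\n" + aWS4SignerRequestParams.getFormattedSigningDateTime()
                + "\n" + aWS4SignerRequestParams.getScope()
                + "\n" + BinaryUtils.toHex(hash(str));
        if (log.isDebugEnabled()) {
            log.debug("AWS4 String to Sign: '\"" + stringToSign + "\"");
        }
        return stringToSign;
    }

    /**
     * Returns the signing key for these credentials, region and service, reusing the cached key
     * when it was derived for the same day number as the signing date.
     *
     * <p>NOTE(review): the array obtained from the cache is returned as-is, and a freshly derived
     * array is both cached and returned. Whether {@link SignerKey} makes defensive copies is not
     * visible here; if it does not, a caller or subclass hook that mutates the array would corrupt
     * the cached key for every signer.
     */
    private final byte[] deriveSigningKey(AWSCredentials aWSCredentials, AWS4SignerRequestParams aWS4SignerRequestParams) {
        String cacheKey = computeSigningCacheKeyName(aWSCredentials, aWS4SignerRequestParams);
        long daysSinceEpoch = DateUtils.numberOfDaysSinceEpoch(aWS4SignerRequestParams.getSigningDateTimeMilli());
        SignerKey cached = signerCache.get(cacheKey);
        // A cached key from a different day is stale because the date is part of the derivation.
        if (cached != null && daysSinceEpoch == cached.getNumberOfDaysSinceEpoch()) {
            return cached.getSigningKey();
        }
        if (log.isDebugEnabled()) {
            log.debug("Generating a new signing key as the signing key not available in the cache for the date " + TimeUnit.DAYS.toMillis(daysSinceEpoch));
        }
        byte[] signingKey = newSigningKey(aWSCredentials, aWS4SignerRequestParams.getFormattedSigningDate(), aWS4SignerRequestParams.getRegionName(), aWS4SignerRequestParams.getServiceName());
        signerCache.add(cacheKey, new SignerKey(daysSinceEpoch, signingKey));
        return signingKey;
    }

    /**
     * Builds the cache key for a derived signing key.
     *
     * <p>NOTE(review): the key embeds the raw secret access key, so the long-term secret stays on
     * the heap as an immutable {@code String} for as long as the entry is cached (and would show
     * up in a heap dump or in anything that prints the cache keys). Keying on a digest of the
     * secret would avoid that.
     */
    private final String computeSigningCacheKeyName(AWSCredentials aWSCredentials, AWS4SignerRequestParams aWS4SignerRequestParams) {
        return aWSCredentials.getAWSSecretKey() + "-" + aWS4SignerRequestParams.getRegionName() + "-" + aWS4SignerRequestParams.getServiceName();
    }

    /**
     * Computes the HMAC-SHA256 of the string to sign under the derived signing key.
     *
     * @param str string to sign (encoded as UTF-8)
     * @param bArr derived signing key
     * @param aWS4SignerRequestParams not used by this implementation
     * @return the raw signature bytes
     */
    protected final byte[] computeSignature(String str, byte[] bArr, AWS4SignerRequestParams aWS4SignerRequestParams) {
        return sign(str.getBytes(Charset.forName("UTF-8")), bArr, SigningAlgorithm.HmacSHA256);
    }

    /**
     * Assembles the {@code Authorization} header value from the access key id and scope, the
     * signed-header list and the hex signature.
     */
    private String buildAuthorizationHeader(SignableRequest<?> signableRequest, byte[] bArr, AWSCredentials aWSCredentials, AWS4SignerRequestParams aWS4SignerRequestParams) {
        String credential = "Credential=" + aWSCredentials.getAWSAccessKeyId() + "/" + aWS4SignerRequestParams.getScope();
        String signedHeaders = "SignedHeaders=" + getSignedHeadersString(signableRequest);
        String signature = "Signature=" + BinaryUtils.toHex(bArr);
        // Single literal space after the algorithm name (the decompiled listing used the identical
        // commons-lang3 StringUtils.SPACE constant).
        return SignerConstants.AWS4_SIGNING_ALGORITHM + " " + credential + ", " + signedHeaders + ", " + signature;
    }

    /**
     * Adds the pre-sign query parameters: algorithm, date, signed headers, expiry and credential.
     *
     * @param str formatted signing timestamp
     * @param j lifetime of the pre-signed request in seconds
     */
    private void addPreSignInformationToRequest(SignableRequest<?> signableRequest, AWSCredentials aWSCredentials, AWS4SignerRequestParams aWS4SignerRequestParams, String str, long j) {
        String credential = aWSCredentials.getAWSAccessKeyId() + "/" + aWS4SignerRequestParams.getScope();
        signableRequest.addParameter(SignerConstants.X_AMZ_ALGORITHM, SignerConstants.AWS4_SIGNING_ALGORITHM);
        signableRequest.addParameter(SignerConstants.X_AMZ_DATE, str);
        signableRequest.addParameter(SignerConstants.X_AMZ_SIGNED_HEADER, getSignedHeadersString(signableRequest));
        signableRequest.addParameter(SignerConstants.X_AMZ_EXPIRES, Long.toString(j));
        signableRequest.addParameter(SignerConstants.X_AMZ_CREDENTIAL, credential);
    }

    /** Adds the session token as a request header so that it is covered by the signature. */
    @Override // com.amazonaws.auth.AbstractAWSSigner
    protected void addSessionCredentials(SignableRequest<?> signableRequest, AWSSessionCredentials aWSSessionCredentials) {
        signableRequest.addHeader(SignerConstants.X_AMZ_SECURITY_TOKEN, aWSSessionCredentials.getSessionToken());
    }

    /**
     * Returns the canonical header block: one {@code name:value} line per signed header, names
     * lower-cased, names and values passed through the SDK's compacting helper, sorted
     * case-insensitively by name.
     */
    protected String getCanonicalizedHeaderString(SignableRequest<?> signableRequest) {
        List<String> sortedNames = new ArrayList<>(signableRequest.getHeaders().keySet());
        Collections.sort(sortedNames, String.CASE_INSENSITIVE_ORDER);
        Map<String, String> headers = signableRequest.getHeaders();
        StringBuilder canonical = new StringBuilder();
        for (String name : sortedNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            String value = headers.get(name);
            com.amazonaws.util.StringUtils.appendCompactedString(canonical, com.amazonaws.util.StringUtils.lowerCase(name));
            canonical.append(":");
            // A header with a null value is still listed, with an empty value.
            if (value != null) {
                com.amazonaws.util.StringUtils.appendCompactedString(canonical, value);
            }
            canonical.append("\n");
        }
        return canonical.toString();
    }

    /**
     * Returns the lower-cased names of the signed headers, sorted case-insensitively and joined
     * with {@code ;}. Must list exactly the headers emitted by
     * {@link #getCanonicalizedHeaderString}.
     */
    protected String getSignedHeadersString(SignableRequest<?> signableRequest) {
        List<String> sortedNames = new ArrayList<>(signableRequest.getHeaders().keySet());
        Collections.sort(sortedNames, String.CASE_INSENSITIVE_ORDER);
        StringBuilder signedHeaders = new StringBuilder();
        for (String name : sortedNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            if (signedHeaders.length() > 0) {
                // Literal separator (the decompiled listing used the identical HK2
                // BuilderHelper.TOKEN_SEPARATOR constant).
                signedHeaders.append(";");
            }
            signedHeaders.append(com.amazonaws.util.StringUtils.lowerCase(name));
        }
        return signedHeaders.toString();
    }

    /**
     * Tells whether a header is left out of the signature.
     *
     * <p>The name is lower-cased with the same SDK helper that is used when header names are
     * written into the canonical request, so the exclusion test and the emitted names cannot
     * disagree. A bare {@code String.toLowerCase()} follows the JVM default locale; under a
     * Turkish locale it maps {@code I} to a dotless {@code ı}, so {@code X-Amzn-Trace-Id} would
     * stop matching the ignore list and would be signed.
     */
    protected boolean shouldExcludeHeaderFromSigning(String str) {
        return listOfHeadersToIgnoreInLowerCase.contains(com.amazonaws.util.StringUtils.lowerCase(str));
    }

    /**
     * Adds the {@code Host} header derived from the request endpoint, with the port appended when
     * it is not the scheme's default.
     *
     * @throws IllegalArgumentException if the endpoint has no host component
     */
    protected void addHostHeader(SignableRequest<?> signableRequest) {
        URI endpoint = signableRequest.getEndpoint();
        String host = endpoint.getHost();
        if (host == null) {
            throw new IllegalArgumentException("Request endpoint must have a valid hostname, but it did not: " + endpoint);
        }
        StringBuilder hostHeader = new StringBuilder(host);
        if (SdkHttpUtils.isUsingNonDefaultPort(endpoint)) {
            hostHeader.append(":").append(endpoint.getPort());
        }
        signableRequest.addHeader("Host", hostHeader.toString());
    }

    /**
     * Hashes the request payload and returns the digest as hex, then rewinds the payload stream so
     * the same bytes can still be sent.
     *
     * @throws SdkClientException if the stream cannot be reset after hashing
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String calculateContentHash(SignableRequest<?> signableRequest) {
        InputStream payload = getBinaryRequestPayloadStream(signableRequest);
        ReadLimitInfo readLimitInfo = signableRequest.getReadLimitInfo();
        // Mark before hashing; -1 is passed when the request carries no read-limit information.
        payload.mark(readLimitInfo == null ? -1 : readLimitInfo.getReadLimit());
        String contentSha256 = BinaryUtils.toHex(hash(payload));
        try {
            payload.reset();
            return contentSha256;
        } catch (IOException e) {
            throw new SdkClientException("Unable to reset stream after calculating AWS4 signature", e);
        }
    }

    /**
     * Extension hook invoked at the end of {@link #sign}; does nothing in this class.
     *
     * @param bArr signature of the request
     * @param bArr2 signing key used for the request (possibly the cached array; do not modify)
     */
    protected void processRequestPayload(SignableRequest<?> signableRequest, byte[] bArr, byte[] bArr2, AWS4SignerRequestParams aWS4SignerRequestParams) {
    }

    /** Payload hash used when pre-signing; this class uses the same hash as for {@link #sign}. */
    protected String calculateContentHashPresign(SignableRequest<?> signableRequest) {
        return calculateContentHash(signableRequest);
    }

    private boolean isAnonymous(AWSCredentials aWSCredentials) {
        return aWSCredentials instanceof AnonymousAWSCredentials;
    }

    /**
     * Converts an expiration instant into a lifetime in seconds relative to this signer's clock.
     *
     * <p>NOTE(review): only the upper bound is enforced. An expiration that already lies in the
     * past produces a zero or negative value that is passed on unchanged.
     *
     * @param date expiration instant, or {@code null} for the maximum lifetime
     * @return lifetime in seconds
     * @throws SdkClientException if the lifetime exceeds the maximum
     */
    private long generateExpirationDate(Date date) {
        long expirationInSeconds = date != null ? (date.getTime() - this.clock.currentTimeMillis()) / 1000 : SignerConstants.PRESIGN_URL_MAX_EXPIRATION_SECONDS;
        // date cannot be null inside this branch: a null date yields exactly the maximum.
        if (expirationInSeconds > SignerConstants.PRESIGN_URL_MAX_EXPIRATION_SECONDS) {
            throw new SdkClientException("Requests that are pre-signed by SigV4 algorithm are valid for at most 7 days. The expiration date set on the current request [" + AWS4SignerUtils.formatTimestamp(date.getTime()) + "] has exceeded this limit.");
        }
        return expirationInSeconds;
    }

    /**
     * Derives a signing key by chaining HMAC-SHA256 over the date, region, service and terminator,
     * starting from {@code "AWS4"} followed by the secret access key.
     *
     * @param aWSCredentials credentials supplying the secret access key
     * @param str formatted signing date
     * @param str2 region name
     * @param str3 service name
     * @return the derived signing key
     */
    protected byte[] newSigningKey(AWSCredentials aWSCredentials, String str, String str2, String str3) {
        byte[] kSecret = ("AWS4" + aWSCredentials.getAWSSecretKey()).getBytes(Charset.forName("UTF-8"));
        byte[] kDate = sign(str, kSecret, SigningAlgorithm.HmacSHA256);
        byte[] kRegion = sign(str2, kDate, SigningAlgorithm.HmacSHA256);
        byte[] kService = sign(str3, kRegion, SigningAlgorithm.HmacSHA256);
        return sign(SignerConstants.AWS4_TERMINATOR, kService, SigningAlgorithm.HmacSHA256);
    }
}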
