package software.amazon.awssdk.http.auth.aws.internal.signer;

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.CompletableFuture;
import java.util.function.Function;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.checksums.spi.ChecksumAlgorithm;
import software.amazon.awssdk.http.ContentStreamProvider;
import software.amazon.awssdk.http.SdkHttpRequest;
import software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil;
import software.amazon.awssdk.http.auth.aws.internal.signer.util.CredentialUtils;
import software.amazon.awssdk.http.auth.aws.internal.signer.util.OptionalDependencyLoaderUtil;
import software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant;
import software.amazon.awssdk.http.auth.aws.signer.AwsV4FamilyHttpSigner;
import software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner;
import software.amazon.awssdk.http.auth.spi.signer.AsyncSignRequest;
import software.amazon.awssdk.http.auth.spi.signer.AsyncSignedRequest;
import software.amazon.awssdk.http.auth.spi.signer.BaseSignRequest;
import software.amazon.awssdk.http.auth.spi.signer.SignRequest;
import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
import software.amazon.awssdk.utils.Logger;
import software.amazon.awssdk.utils.ProxyConfigProvider;

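/**
 * Signs HTTP requests with the SigV4 algorithm, in both a blocking and an asynchronous variant.
 *
 * <p>Each call derives a {@code V4Properties} bundle (credentials, credential scope, clock and
 * path-handling flags) from the sign request. It then selects a request signer and a payload
 * signer from the request's signer properties and runs them in sequence.
 *
 * <p>Points worth knowing when reviewing callers:
 * <ul>
 *   <li>An anonymous identity short-circuits request-signer selection. The auth location and
 *       expiration checks below it are never reached for such requests.</li>
 *   <li>An expiration duration is rejected for header-based auth and bounds-checked for
 *       query-string (pre-signed) auth.</li>
 *   <li>On the async path, the chunk-encoding property does not influence which payload signer is
 *       chosen in this class. It only affects the argument passed to
 *       {@code ChecksumUtil.checksummer}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: the {@code mo...}-prefixed method names are
 * decompiler-assigned and are kept exactly as emitted.
 */
@SdkInternalApi
/* loaded from: input_file:software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSigner.class */
public final class DefaultAwsV4HttpSigner implements AwsV4HttpSigner {
    /** Chunk size handed to the chunked payload signer (128 KiB). */
    private static final int DEFAULT_CHUNK_SIZE_IN_BYTES = 131072;
    // NOTE(review): not referenced anywhere in this class as shown.
    private static final Logger LOG = Logger.loggerFor(DefaultAwsV4HttpSigner.class);

    /**
     * Signs a request synchronously.
     *
     * @param signRequest the request, payload, identity and signer properties to sign with
     * @return the signed request together with its (possibly wrapped) payload
     * @throws UnsupportedOperationException if the property combination is not supported
     *         (see {@code v4RequestSigner} and {@code v4PayloadSigner})
     * @throws IllegalArgumentException if a pre-sign expiration is outside the allowed bounds
     */
    @Override // software.amazon.awssdk.http.auth.spi.signer.HttpSigner
    public SignedRequest sign(SignRequest<? extends AwsCredentialsIdentity> signRequest) {
        // A null second argument is passed here; the async path may pass Boolean.FALSE instead
        // (see asyncChecksummer).
        Checksummer checksummer = ChecksumUtil.checksummer(signRequest, null);
        V4Properties properties = v4Properties(signRequest);
        V4RequestSigner requestSigner = v4RequestSigner(signRequest, properties);
        V4PayloadSigner payloadSigner = v4PayloadSigner(signRequest, properties);
        return doSign(signRequest, checksummer, requestSigner, payloadSigner);
    }

    /**
     * Signs a request asynchronously.
     *
     * @param asyncSignRequest the request, payload, identity and signer properties to sign with
     * @return a future completing with the signed request once the checksum stage has finished
     * @throws UnsupportedOperationException if the property combination is not supported
     * @throws IllegalArgumentException if a pre-sign expiration is outside the allowed bounds
     */
    @Override // software.amazon.awssdk.http.auth.spi.signer.HttpSigner
    public CompletableFuture<AsyncSignedRequest> signAsync(AsyncSignRequest<? extends AwsCredentialsIdentity> asyncSignRequest) {
        Checksummer checksummer = asyncChecksummer(asyncSignRequest);
        V4Properties properties = v4Properties(asyncSignRequest);
        V4RequestSigner requestSigner = v4RequestSigner(asyncSignRequest, properties);
        V4PayloadSigner payloadSigner = v4PayloadAsyncSigner(asyncSignRequest, properties);
        return doSign(asyncSignRequest, checksummer, requestSigner, payloadSigner);
    }

    /**
     * Collects the signing inputs shared by the request signer and the payload signer.
     *
     * <p>The signing instant is read once from the configured clock (system UTC when none is
     * set) and is used for the credential scope. Region and service signing name are required
     * properties. Double URL-encoding and path normalisation both default to {@code true}.
     */
    private static V4Properties v4Properties(BaseSignRequest<?, ? extends AwsCredentialsIdentity> baseSignRequest) {
        Clock clock = (Clock) baseSignRequest.requireProperty(SIGNING_CLOCK, Clock.systemUTC());
        Instant signingInstant = clock.instant();
        // NOTE(review): sanitizeCredentials is opaque here; presumably it normalises the key
        // material before it is used for signing. Confirm against CredentialUtils.
        AwsCredentialsIdentity credentials = CredentialUtils.sanitizeCredentials(baseSignRequest.identity());

        String region = (String) baseSignRequest.requireProperty(AwsV4HttpSigner.REGION_NAME);
        String service = (String) baseSignRequest.requireProperty(SERVICE_SIGNING_NAME);
        CredentialScope scope = new CredentialScope(region, service, signingInstant);

        boolean doubleUrlEncode = (Boolean) baseSignRequest.requireProperty(DOUBLE_URL_ENCODE, true);
        boolean normalizePath = (Boolean) baseSignRequest.requireProperty(NORMALIZE_PATH, true);

        return V4Properties.builder()
            .credentials(credentials)
            .credentialScope(scope)
            .signingClock(clock)
            .doubleUrlEncode(doubleUrlEncode)
            .normalizePath(normalizePath)
            .build();
    }

    /**
     * Chooses the request signer from the identity, auth location and optional expiration.
     *
     * <ul>
     *   <li>anonymous identity: anonymous signer, regardless of the other properties</li>
     *   <li>{@code HEADER} without expiration: header signer</li>
     *   <li>{@code HEADER} with expiration: rejected</li>
     *   <li>{@code QUERY_STRING} without expiration: query signer</li>
     *   <li>{@code QUERY_STRING} with expiration: pre-signed signer, after bounds validation</li>
     * </ul>
     *
     * @throws UnsupportedOperationException for an expiration combined with header auth, or an
     *         auth location this switch does not handle
     * @throws IllegalArgumentException if the expiration fails {@code validateExpirationDuration}
     */
    private static V4RequestSigner v4RequestSigner(BaseSignRequest<?, ? extends AwsCredentialsIdentity> baseSignRequest, V4Properties v4Properties) {
        AwsV4FamilyHttpSigner.AuthLocation authLocation = (AwsV4FamilyHttpSigner.AuthLocation) baseSignRequest.requireProperty(AUTH_LOCATION, AwsV4FamilyHttpSigner.AuthLocation.HEADER);
        Duration expiration = (Duration) baseSignRequest.property(EXPIRATION_DURATION);

        // Checked before the switch: anonymous requests bypass auth-location and expiration handling.
        if (CredentialUtils.isAnonymous(baseSignRequest.identity())) {
            return V4RequestSigner.anonymous(v4Properties);
        }

        switch (authLocation) {
            case HEADER:
                if (expiration != null) {
                    throw new UnsupportedOperationException(String.format("%s is not supported for %s.", EXPIRATION_DURATION, AwsV4FamilyHttpSigner.AuthLocation.HEADER));
                }
                return V4RequestSigner.header(v4Properties);
            case QUERY_STRING:
                if (expiration == null) {
                    return V4RequestSigner.query(v4Properties);
                }
                // The lifetime of a pre-signed URL is caller-controlled, so it is bounded before use.
                return V4RequestSigner.presigned(v4Properties, validateExpirationDuration(expiration));
            default:
                throw new UnsupportedOperationException("Unsupported authLocation " + authLocation);
        }
    }

    /**
     * Builds the checksummer for the async path.
     *
     * <p>{@code Boolean.FALSE} is passed as the second argument when the request is not HTTPS,
     * payload signing applies and chunk encoding is enabled. In every other case {@code null} is
     * passed, as on the sync path.
     */
    private static Checksummer asyncChecksummer(BaseSignRequest<?, ? extends AwsCredentialsIdentity> baseSignRequest) {
        // NOTE(review): ProxyConfigProvider.HTTPS is what the decompiler emitted for the protocol
        // comparison; presumably it holds the "https" scheme string. Confirm.
        boolean plainHttpChunkedSigned = !ProxyConfigProvider.HTTPS.equals(baseSignRequest.request().protocol())
            && ChecksumUtil.isPayloadSigning(baseSignRequest)
            && ((Boolean) baseSignRequest.requireProperty(CHUNK_ENCODING_ENABLED, false)).booleanValue();

        // NOTE(review): the meaning of the second argument lives in ChecksumUtil.checksummer.
        // It looks like FALSE forces the payload to be treated as unsigned, in which case the
        // async body over plain HTTP would not be covered by the signature. Confirm.
        Boolean override = plainHttpChunkedSigned ? Boolean.FALSE : null;
        return ChecksumUtil.checksummer(baseSignRequest, override);
    }

    /**
     * Chooses the payload signer for the sync path.
     *
     * <p>Non-event-stream requests get either the chunked signer or the plain signer, as decided
     * by {@code ChecksumUtil.useChunkEncoding}. Event-stream requests require payload signing.
     *
     * @throws UnsupportedOperationException for an event-stream request without payload signing
     */
    private static V4PayloadSigner v4PayloadSigner(SignRequest<? extends AwsCredentialsIdentity> signRequest, V4Properties v4Properties) {
        boolean payloadSigning = ChecksumUtil.isPayloadSigning(signRequest);
        boolean eventStreaming = ChecksumUtil.isEventStreaming(signRequest.request());
        boolean chunkEncodingEnabled = ((Boolean) signRequest.requireProperty(CHUNK_ENCODING_ENABLED, false)).booleanValue();
        boolean hasTrailerHeader = signRequest.request().firstMatchingHeader("x-amz-trailer").isPresent();
        // A checksum algorithm was requested but the request carries no checksum header yet.
        boolean checksumStillNeeded = signRequest.hasProperty(CHECKSUM_ALGORITHM) && !ChecksumUtil.hasChecksumHeader(signRequest);

        if (eventStreaming) {
            if (!payloadSigning) {
                throw new UnsupportedOperationException("Unsigned payload is not supported with event-streaming.");
            }
            return OptionalDependencyLoaderUtil.getEventStreamV4PayloadSigner(v4Properties.getCredentials(), v4Properties.getCredentialScope(), v4Properties.getSigningClock());
        }

        if (ChecksumUtil.useChunkEncoding(payloadSigning, chunkEncodingEnabled, hasTrailerHeader || checksumStillNeeded)) {
            return AwsChunkedV4PayloadSigner.builder()
                .credentialScope(v4Properties.getCredentialScope())
                .chunkSize(DEFAULT_CHUNK_SIZE_IN_BYTES)
                .checksumAlgorithm((ChecksumAlgorithm) signRequest.property(CHECKSUM_ALGORITHM))
                .build();
        }
        return V4PayloadSigner.create();
    }

    /**
     * Chooses the payload signer for the async path.
     *
     * <p>Non-event-stream requests always get the plain signer from
     * {@code V4PayloadSigner.create()}. The decompiled original branched on chunk encoding and
     * payload signing, but both branches returned that same signer, so no chunked payload signer
     * is selected here. Event-stream requests require payload signing, which defaults to
     * {@code true}.
     *
     * @throws UnsupportedOperationException for an event-stream request without payload signing
     */
    private static V4PayloadSigner v4PayloadAsyncSigner(AsyncSignRequest<? extends AwsCredentialsIdentity> asyncSignRequest, V4Properties v4Properties) {
        boolean payloadSigning = ((Boolean) asyncSignRequest.requireProperty(PAYLOAD_SIGNING_ENABLED, true)).booleanValue();
        boolean eventStreaming = ChecksumUtil.isEventStreaming(asyncSignRequest.request());

        if (!eventStreaming) {
            return V4PayloadSigner.create();
        }
        if (payloadSigning) {
            return OptionalDependencyLoaderUtil.getEventStreamV4PayloadSigner(v4Properties.getCredentials(), v4Properties.getCredentialScope(), v4Properties.getSigningClock());
        }
        throw new UnsupportedOperationException("Unsigned payload is not supported with event-streaming.");
    }

    /**
     * Runs the sync pipeline: checksum, payload pre-signing hook, request signing, payload signing.
     *
     * <p>The payload is signed only when one is present; otherwise the signed request carries a
     * {@code null} payload.
     */
    private static SignedRequest doSign(SignRequest<? extends AwsCredentialsIdentity> signRequest, Checksummer checksummer, V4RequestSigner v4RequestSigner, V4PayloadSigner v4PayloadSigner) {
        SdkHttpRequest.Builder requestBuilder = signRequest.request().mo4209toBuilder();
        ContentStreamProvider payload = signRequest.payload().orElse(null);

        // Order matters: the checksum and beforeSigning steps both receive the builder before it is signed.
        checksummer.checksum(payload, requestBuilder);
        v4PayloadSigner.beforeSigning(requestBuilder, payload);
        V4RequestSigningResult signingResult = v4RequestSigner.sign(requestBuilder);

        ContentStreamProvider signedPayload = payload != null ? v4PayloadSigner.sign(payload, signingResult) : null;
        return (SignedRequest) SignedRequest.builder().request((SdkHttpRequest) signingResult.getSignedRequest().mo3643build()).payload(signedPayload).mo3643build();
    }

    /**
     * Runs the async pipeline: checksum first, then request signing and payload signing.
     *
     * <p>Request and payload signing run in the continuation of the checksum future. Unlike the
     * sync overload, no {@code beforeSigning} hook is invoked here.
     */
    private static CompletableFuture<AsyncSignedRequest> doSign(AsyncSignRequest<? extends AwsCredentialsIdentity> asyncSignRequest, Checksummer checksummer, V4RequestSigner v4RequestSigner, V4PayloadSigner v4PayloadSigner) {
        SdkHttpRequest.Builder requestBuilder = asyncSignRequest.request().mo4209toBuilder();
        return checksummer.checksum(asyncSignRequest.payload().orElse(null), requestBuilder).thenApply(checksummedPayload -> {
            V4RequestSigningResult signingResult = v4RequestSigner.sign(requestBuilder);
            return (AsyncSignedRequest) AsyncSignedRequest.builder().request((SdkHttpRequest) signingResult.getSignedRequest().mo3643build()).payload(v4PayloadSigner.signAsync(checksummedPayload, signingResult)).mo3643build();
        });
    }

    /**
     * Rejects pre-sign expirations outside the inclusive range of one second to
     * {@code SignerConstant.PRESIGN_URL_MAX_EXPIRATION_DURATION}.
     *
     * <p>The error message states the upper bound as 7 days. The enforced bound is whatever the
     * constant holds, which is not visible in this file.
     *
     * @param duration the requested validity period; must not be {@code null}
     * @return {@code duration} unchanged when it is within bounds
     * @throws IllegalArgumentException if {@code duration} is out of bounds
     */
    private static Duration validateExpirationDuration(Duration duration) {
        if (!isBetweenInclusive(Duration.ofSeconds(1L), duration, SignerConstant.PRESIGN_URL_MAX_EXPIRATION_DURATION)) {
            throw new IllegalArgumentException("Requests that are pre-signed by SigV4 algorithm are valid for at least 1 second and at most 7 days. The expiration duration set on the current request [" + duration + "] does not meet these bounds.");
        }
        return duration;
    }

    /** Returns whether {@code duration <= duration2 <= duration3}, i.e. the middle value lies within the outer two. */
    private static boolean isBetweenInclusive(Duration duration, Duration duration2, Duration duration3) {
        boolean atLeastLower = duration.compareTo(duration2) <= 0;
        return atLeastLower && duration2.compareTo(duration3) <= 0;
    }
}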
