package org.apache.iceberg.aws.s3.signer;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.InputStreamReader;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneId;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hc.core5.http.ContentType;
import org.apache.iceberg.exceptions.RESTException;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
import org.apache.iceberg.relocated.com.google.common.collect.Lists;
import org.apache.iceberg.relocated.com.google.common.collect.Maps;
import org.apache.iceberg.relocated.com.google.common.collect.Sets;
import org.apache.iceberg.relocated.com.google.common.io.CharStreams;
import org.apache.iceberg.rest.RESTCatalogAdapter;
import org.apache.iceberg.rest.RESTUtil;
import org.apache.iceberg.rest.ResourcePaths;
import org.apache.iceberg.rest.responses.ErrorResponse;
import org.apache.iceberg.rest.responses.OAuthTokenResponse;
import org.assertj.core.api.AbstractBooleanAssert;
import org.assertj.core.api.AssertionsForClassTypes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.signer.AwsS3V4Signer;
import software.amazon.awssdk.auth.signer.params.AwsS3V4SignerParams;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;

/* loaded from: input_file:org/apache/iceberg/aws/s3/signer/S3SignerServlet.class */
public class S3SignerServlet extends HttpServlet {
    private static final String POST = "POST";
    private final Map<String, String> responseHeaders;
    private final ObjectMapper mapper;
    private List<SignRequestValidator> s3SignRequestValidators;
    private static final Logger LOG = LoggerFactory.getLogger(S3SignerServlet.class);
    static final Clock SIGNING_CLOCK = Clock.fixed(Instant.now(), ZoneId.of("UTC"));
    static final Set<String> UNSIGNED_HEADERS = Sets.newHashSet(Arrays.asList("range", "x-amz-date", "amz-sdk-invocation-id", "amz-sdk-retry"));
    private static final Set<SdkHttpMethod> CACHEABLE_METHODS = (Set) Stream.of((Object[]) new SdkHttpMethod[]{SdkHttpMethod.GET, SdkHttpMethod.HEAD}).collect(Collectors.toSet());

    /* loaded from: input_file:org/apache/iceberg/aws/s3/signer/S3SignerServlet$SignRequestValidator.class */
    public static class SignRequestValidator {
        private final Predicate<S3SignRequest> requestMatcher;
        private final Predicate<S3SignRequest> requestExpectation;
        private final String assertMessage;

        public SignRequestValidator(Predicate<S3SignRequest> predicate, Predicate<S3SignRequest> predicate2, String str) {
            this.requestExpectation = predicate;
            this.requestMatcher = predicate2;
            this.assertMessage = str;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public void validateRequest(S3SignRequest s3SignRequest) {
            if (this.requestMatcher.test(s3SignRequest)) {
                ((AbstractBooleanAssert) AssertionsForClassTypes.assertThat(this.requestExpectation.test(s3SignRequest)).as(this.assertMessage, new Object[0])).isTrue();
            }
        }
    }

    public S3SignerServlet(ObjectMapper objectMapper) {
        this.responseHeaders = ImmutableMap.of("Content-Type", ContentType.APPLICATION_JSON.getMimeType());
        this.s3SignRequestValidators = Lists.newArrayList();
        this.mapper = objectMapper;
    }

    public S3SignerServlet(ObjectMapper objectMapper, List<SignRequestValidator> list) {
        this.responseHeaders = ImmutableMap.of("Content-Type", ContentType.APPLICATION_JSON.getMimeType());
        this.s3SignRequestValidators = Lists.newArrayList();
        this.mapper = objectMapper;
        this.s3SignRequestValidators = list;
    }

    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        execute(httpServletRequest, httpServletResponse);
    }

    protected void doHead(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        execute(httpServletRequest, httpServletResponse);
    }

    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        execute(httpServletRequest, httpServletResponse);
    }

    protected void doDelete(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        execute(httpServletRequest, httpServletResponse);
    }

    private OAuthTokenResponse handleOAuth(Map<String, String> map) {
        String str = map.get("grant_type");
        boolean z = -1;
        switch (str.hashCode()) {
            case -1238422446:
                if (str.equals("urn:ietf:params:oauth:grant-type:token-exchange")) {
                    z = true;
                    break;
                }
                break;
            case 290069640:
                if (str.equals("client_credentials")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return RESTCatalogAdapter.castResponse(OAuthTokenResponse.class, OAuthTokenResponse.builder().withToken("client-credentials-token:sub=" + map.get("client_id")).withIssuedTokenType("urn:ietf:params:oauth:token-type:access_token").withTokenType("Bearer").setExpirationInSeconds(100).build());
            case true:
                String str2 = map.get("actor_token");
                Object[] objArr = new Object[2];
                objArr[0] = map.get("subject_token");
                objArr[1] = str2 != null ? ",act=" + str2 : "";
                return RESTCatalogAdapter.castResponse(OAuthTokenResponse.class, OAuthTokenResponse.builder().withToken(String.format("token-exchange-token:sub=%s%s", objArr)).withIssuedTokenType("urn:ietf:params:oauth:token-type:access_token").withTokenType("Bearer").setExpirationInSeconds(100).build());
            default:
                throw new UnsupportedOperationException("Unsupported grant_type: " + str);
        }
    }

    private S3SignResponse signRequest(S3SignRequest s3SignRequest) {
        AwsS3V4SignerParams build = AwsS3V4SignerParams.builder().awsCredentials(TestS3RestSigner.CREDENTIALS_PROVIDER.resolveCredentials()).enablePayloadSigning(false).signingClockOverride(SIGNING_CLOCK).enableChunkedEncoding(false).signingRegion(Region.of(s3SignRequest.region())).doubleUrlEncode(false).timeOffset(0).signingName("s3").build();
        Map map = (Map) s3SignRequest.headers().entrySet().stream().filter(entry -> {
            return UNSIGNED_HEADERS.contains(((String) entry.getKey()).toLowerCase());
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        HashMap newHashMap = Maps.newHashMap(AwsS3V4Signer.create().sign(SdkHttpFullRequest.builder().uri(s3SignRequest.uri()).method(SdkHttpMethod.fromValue(s3SignRequest.method())).headers((Map) s3SignRequest.headers().entrySet().stream().filter(entry2 -> {
            return !UNSIGNED_HEADERS.contains(((String) entry2.getKey()).toLowerCase());
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }))).build(), build).headers());
        newHashMap.putAll(map);
        return ImmutableS3SignResponse.builder().uri(s3SignRequest.uri()).headers(newHashMap).build();
    }

    protected void execute(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(200);
        Map<String, String> map = this.responseHeaders;
        Objects.requireNonNull(httpServletResponse);
        map.forEach(httpServletResponse::setHeader);
        String substring = httpServletRequest.getRequestURI().substring(1);
        try {
            if (POST.equals(httpServletRequest.getMethod()) && "v1/aws/s3/sign".equals(substring)) {
                S3SignRequest s3SignRequest = (S3SignRequest) RESTCatalogAdapter.castRequest(S3SignRequest.class, this.mapper.readValue(httpServletRequest.getReader(), S3SignRequest.class));
                this.s3SignRequestValidators.forEach(signRequestValidator -> {
                    signRequestValidator.validateRequest(s3SignRequest);
                });
                S3SignResponse signRequest = signRequest(s3SignRequest);
                if (CACHEABLE_METHODS.contains(SdkHttpMethod.fromValue(s3SignRequest.method()))) {
                    httpServletResponse.setHeader("Cache-Control", "private");
                } else {
                    httpServletResponse.setHeader("Cache-Control", "no-cache");
                }
                this.mapper.writeValue(httpServletResponse.getWriter(), signRequest);
            } else if (POST.equals(httpServletRequest.getMethod()) && ResourcePaths.tokens().equals(substring)) {
                InputStreamReader inputStreamReader = new InputStreamReader(httpServletRequest.getInputStream());
                Throwable th = null;
                try {
                    try {
                        Map decodeFormData = RESTUtil.decodeFormData(CharStreams.toString(inputStreamReader));
                        if (0 != 0) {
                            try {
                                inputStreamReader.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            inputStreamReader.close();
                        }
                        this.mapper.writeValue(httpServletResponse.getWriter(), handleOAuth((Map) RESTCatalogAdapter.castRequest(Map.class, decodeFormData)));
                    } catch (Throwable th3) {
                        th = th3;
                        throw th3;
                    }
                } finally {
                }
            } else {
                httpServletResponse.setStatus(400);
                this.mapper.writeValue(httpServletResponse.getWriter(), ErrorResponse.builder().responseCode(400).withType("BadRequestException").withMessage(String.format("No route for request: %s %s", httpServletRequest.getMethod(), substring)).build());
            }
        } catch (RESTException e) {
            LOG.error("Error processing REST request", e);
            httpServletResponse.setStatus(500);
        } catch (Exception e2) {
            LOG.error("Unexpected exception when processing REST request", e2);
            httpServletResponse.setStatus(500);
        }
    }
}
