package org.apache.iceberg.aws.s3.signer;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.stream.Collectors;
import org.apache.iceberg.aws.s3.MinioContainer;
import org.apache.iceberg.aws.s3.signer.S3SignerServlet;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
import org.assertj.core.api.Assertions;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.jetbrains.annotations.NotNull;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.auth.signer.internal.AbstractAws4Signer;
import software.amazon.awssdk.auth.signer.internal.AbstractAwsS3V4Signer;
import software.amazon.awssdk.auth.signer.internal.Aws4SignerRequestParams;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.auth.signer.params.AwsS3V4SignerParams;
import software.amazon.awssdk.core.checksums.SdkChecksum;
import software.amazon.awssdk.core.client.config.SdkAdvancedClientOption;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.CreateBucketRequest;
import software.amazon.awssdk.services.s3.model.CreateMultipartUploadRequest;
import software.amazon.awssdk.services.s3.model.Delete;
import software.amazon.awssdk.services.s3.model.DeleteObjectsRequest;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.ListObjectsV2Request;
import software.amazon.awssdk.services.s3.model.ObjectIdentifier;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.UploadPartRequest;

/* loaded from: input_file:org/apache/iceberg/aws/s3/signer/TestS3RestSigner.class */
public class TestS3RestSigner {
    private static final String BUCKET = "iceberg-s3-signer-test";
    private static Server httpServer;
    private static ValidatingSigner validatingSigner;
    private S3Client s3;
    private static final Region REGION = Region.US_WEST_2;
    static final AwsCredentialsProvider CREDENTIALS_PROVIDER = StaticCredentialsProvider.create(AwsBasicCredentials.create("accessKeyId", "secretAccessKey"));
    private static final MinioContainer MINIO_CONTAINER = new MinioContainer(CREDENTIALS_PROVIDER.resolveCredentials());

    /* loaded from: input_file:org/apache/iceberg/aws/s3/signer/TestS3RestSigner$CustomAwsS3V4Signer.class */
    private static class CustomAwsS3V4Signer extends AbstractAwsS3V4Signer {
        private CustomAwsS3V4Signer() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public String calculateContentHash(SdkHttpFullRequest.Builder builder, AwsS3V4SignerParams awsS3V4SignerParams, SdkChecksum sdkChecksum) {
            String str = "STREAMING-UNSIGNED-PAYLOAD-TRAILER";
            if (((Boolean) builder.firstMatchingHeader("x-amz-content-sha256").map((v1) -> {
                return r1.equals(v1);
            }).orElse(false)).booleanValue()) {
                return "UNSIGNED-PAYLOAD";
            }
            builder.putHeader("x-amz-content-sha256", "required");
            return "UNSIGNED-PAYLOAD";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/iceberg/aws/s3/signer/TestS3RestSigner$ValidatingSigner.class */
    public static class ValidatingSigner extends AbstractAws4Signer<AwsS3V4SignerParams, Aws4PresignerParams> {
        private final S3V4RestSignerClient icebergSigner;
        private final AbstractAwsS3V4Signer awsSigner;

        private ValidatingSigner(S3V4RestSignerClient s3V4RestSignerClient, AbstractAwsS3V4Signer abstractAwsS3V4Signer) {
            this.icebergSigner = s3V4RestSignerClient;
            this.awsSigner = abstractAwsS3V4Signer;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, AwsS3V4SignerParams awsS3V4SignerParams) {
            throw new UnsupportedOperationException();
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void processRequestPayload(SdkHttpFullRequest.Builder builder, byte[] bArr, byte[] bArr2, Aws4SignerRequestParams aws4SignerRequestParams, AwsS3V4SignerParams awsS3V4SignerParams, SdkChecksum sdkChecksum) {
            throw new UnsupportedOperationException();
        }

        protected String calculateContentHashPresign(SdkHttpFullRequest.Builder builder, Aws4PresignerParams aws4PresignerParams) {
            throw new UnsupportedOperationException();
        }

        public SdkHttpFullRequest presign(SdkHttpFullRequest sdkHttpFullRequest, ExecutionAttributes executionAttributes) {
            throw new UnsupportedOperationException();
        }

        public SdkHttpFullRequest sign(SdkHttpFullRequest sdkHttpFullRequest, ExecutionAttributes executionAttributes) {
            AwsS3V4SignerParams build = extractSignerParams(AwsS3V4SignerParams.builder(), executionAttributes).signingClockOverride(S3SignerServlet.SIGNING_CLOCK).enableChunkedEncoding(false).timeOffset(0).doubleUrlEncode(false).enablePayloadSigning(false).signingName("s3").build();
            SdkHttpFullRequest sign = this.icebergSigner.sign(sdkHttpFullRequest, executionAttributes);
            SdkHttpFullRequest signWithAwsSigner = signWithAwsSigner(sdkHttpFullRequest, build);
            Assertions.assertThat((List) signWithAwsSigner.headers().get("Authorization")).isEqualTo(sign.headers().get("Authorization"));
            Assertions.assertThat(signWithAwsSigner.headers()).isEqualTo(sign.headers());
            return signWithAwsSigner;
        }

        @NotNull
        private SdkHttpFullRequest signWithAwsSigner(SdkHttpFullRequest sdkHttpFullRequest, AwsS3V4SignerParams awsS3V4SignerParams) {
            Map map = (Map) sdkHttpFullRequest.headers().entrySet().stream().filter(entry -> {
                return S3SignerServlet.UNSIGNED_HEADERS.contains(((String) entry.getKey()).toLowerCase());
            }).collect(Collectors.toMap((v0) -> {
                return v0.getKey();
            }, (v0) -> {
                return v0.getValue();
            }));
            SdkHttpFullRequest.Builder builder = sdkHttpFullRequest.toBuilder();
            Iterator<String> it = S3SignerServlet.UNSIGNED_HEADERS.iterator();
            while (it.hasNext()) {
                builder.removeHeader(it.next());
            }
            SdkHttpFullRequest.Builder builder2 = this.awsSigner.sign(builder.build(), awsS3V4SignerParams).toBuilder();
            Objects.requireNonNull(builder2);
            map.forEach(builder2::putHeader);
            return builder2.build();
        }
    }

    @BeforeAll
    public static void beforeClass() throws Exception {
        if (null == httpServer) {
            httpServer = initHttpServer();
        }
        validatingSigner = new ValidatingSigner(ImmutableS3V4RestSignerClient.builder().properties(ImmutableMap.of("s3.signer.uri", httpServer.getURI().toString(), "credential", "catalog:12345")).build(), new CustomAwsS3V4Signer());
    }

    @AfterAll
    public static void afterClass() throws Exception {
        Assertions.assertThat(validatingSigner.icebergSigner.tokenRefreshExecutor()).isInstanceOf(ScheduledThreadPoolExecutor.class);
        ScheduledThreadPoolExecutor scheduledThreadPoolExecutor = (ScheduledThreadPoolExecutor) validatingSigner.icebergSigner.tokenRefreshExecutor();
        Assertions.assertThat(scheduledThreadPoolExecutor.getPoolSize()).isEqualTo(1);
        Assertions.assertThat(scheduledThreadPoolExecutor.getQueue()).as("should only have a single token scheduled for refresh", new Object[0]).hasSize(1);
        Assertions.assertThat(scheduledThreadPoolExecutor.getActiveCount()).as("should not have any token being refreshed", new Object[0]).isEqualTo(0);
        Assertions.assertThat(scheduledThreadPoolExecutor.getCompletedTaskCount()).as("should not have any expired token that required a refresh", new Object[0]).isEqualTo(0L);
        if (null != httpServer) {
            httpServer.stop();
        }
    }

    @BeforeEach
    public void before() throws Exception {
        MINIO_CONTAINER.start();
        this.s3 = (S3Client) S3Client.builder().region(REGION).credentialsProvider(CREDENTIALS_PROVIDER).applyMutation(s3ClientBuilder -> {
            s3ClientBuilder.httpClientBuilder(ApacheHttpClient.builder());
        }).endpointOverride(MINIO_CONTAINER.getURI()).forcePathStyle(true).overrideConfiguration(builder -> {
            builder.putAdvancedOption(SdkAdvancedClientOption.SIGNER, validatingSigner);
        }).build();
        this.s3.createBucket((CreateBucketRequest) CreateBucketRequest.builder().bucket(BUCKET).build());
        this.s3.putObject((PutObjectRequest) PutObjectRequest.builder().bucket(BUCKET).key("random/key").build(), Paths.get("/etc/hosts", new String[0]));
        this.s3.putObject((PutObjectRequest) PutObjectRequest.builder().bucket(BUCKET).key("encoded/key=value/file").build(), Paths.get("/etc/hosts", new String[0]));
        this.s3.createMultipartUpload((CreateMultipartUploadRequest) CreateMultipartUploadRequest.builder().bucket(BUCKET).key("random/multipart-key").build());
    }

    private static Server initHttpServer() throws Exception {
        S3SignerServlet s3SignerServlet = new S3SignerServlet(S3ObjectMapper.mapper(), ImmutableList.of(new S3SignerServlet.SignRequestValidator(s3SignRequest -> {
            return "post".equalsIgnoreCase(s3SignRequest.method()) && s3SignRequest.uri().getQuery().contains("delete");
        }, s3SignRequest2 -> {
            return (s3SignRequest2.body() == null || s3SignRequest2.body().isEmpty()) ? false : true;
        }, "Sign request for delete objects should have a request body")));
        ServletContextHandler servletContextHandler = new ServletContextHandler(0);
        servletContextHandler.setContextPath("/");
        ServletHolder servletHolder = new ServletHolder(s3SignerServlet);
        servletHolder.setInitParameter("javax.ws.rs.Application", "ServiceListPublic");
        servletContextHandler.addServlet(servletHolder, "/*");
        servletContextHandler.setVirtualHosts((String[]) null);
        servletContextHandler.setGzipHandler(new GzipHandler());
        Server server = new Server(0);
        server.setHandler(servletContextHandler);
        server.start();
        return server;
    }

    @Test
    public void validateGetObject() {
        this.s3.getObject((GetObjectRequest) GetObjectRequest.builder().bucket(BUCKET).key("random/key").build());
        this.s3.getObject((GetObjectRequest) GetObjectRequest.builder().bucket(BUCKET).key("random/key").build());
    }

    @Test
    public void validatePutObject() {
        this.s3.putObject((PutObjectRequest) PutObjectRequest.builder().bucket(BUCKET).key("some/key").build(), Paths.get("/etc/hosts", new String[0]));
    }

    @Test
    public void validateDeleteObjects() {
        Path path = Paths.get("/etc/hosts", new String[0]);
        this.s3.putObject((PutObjectRequest) PutObjectRequest.builder().bucket(BUCKET).key("some/key1").build(), path);
        this.s3.putObject((PutObjectRequest) PutObjectRequest.builder().bucket(BUCKET).key("some/key2").build(), path);
        this.s3.deleteObjects((DeleteObjectsRequest) DeleteObjectsRequest.builder().bucket(BUCKET).delete((Delete) Delete.builder().objects(new ObjectIdentifier[]{(ObjectIdentifier) ObjectIdentifier.builder().key("some/key1").build(), (ObjectIdentifier) ObjectIdentifier.builder().key("some/key2").build()}).build()).build());
    }

    @Test
    public void validateListPrefix() {
        this.s3.listObjectsV2((ListObjectsV2Request) ListObjectsV2Request.builder().bucket(BUCKET).prefix("some/prefix/").build());
    }

    @Test
    public void validateEncodedGetObject() {
        this.s3.getObject((GetObjectRequest) GetObjectRequest.builder().bucket(BUCKET).key("encoded/key=value/file").build());
        this.s3.getObject((GetObjectRequest) GetObjectRequest.builder().bucket(BUCKET).key("encoded/key=value/file").build());
    }

    @Test
    public void validatedCreateMultiPartUpload() {
        this.s3.createMultipartUpload((CreateMultipartUploadRequest) CreateMultipartUploadRequest.builder().bucket(BUCKET).key("some/multipart-key").build());
    }

    @AfterEach
    public void after() {
        MINIO_CONTAINER.stop();
    }

    @Test
    public void validatedUploadPart() {
        this.s3.uploadPart((UploadPartRequest) UploadPartRequest.builder().bucket(BUCKET).key("some/multipart-key").uploadId(this.s3.createMultipartUpload((CreateMultipartUploadRequest) CreateMultipartUploadRequest.builder().bucket(BUCKET).key("some/multipart-key").build()).uploadId()).partNumber(1).build(), RequestBody.fromString("content"));
    }
}
