package software.amazon.awssdk.authcrt.signer.internal;

import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Duration;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
import software.amazon.awssdk.core.interceptor.ExecutionAttribute;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.crt.auth.credentials.Credentials;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.utils.CollectionUtils;
import software.amazon.awssdk.utils.StringUtils;

@SdkInternalApi
/* loaded from: input_file:software/amazon/awssdk/authcrt/signer/internal/SigningUtils.class */
public class SigningUtils {
    private static final String BODY_HASH_NAME = "x-amz-content-sha256";
    private static final String DATE_NAME = "X-Amz-Date";
    private static final String AUTHORIZATION_NAME = "Authorization";
    private static final String REGION_SET_NAME = "X-amz-region-set";
    private static final String SIGNATURE_NAME = "X-Amz-Signature";
    private static final String CREDENTIAL_NAME = "X-Amz-Credential";
    private static final String ALGORITHM_NAME = "X-Amz-Algorithm";
    private static final String SIGNED_HEADERS_NAME = "X-Amz-SignedHeaders";
    private static final String EXPIRES_NAME = "X-Amz-Expires";
    private static final String HOST_HEADER = "Host";
    public static final ExecutionAttribute<Clock> SIGNING_CLOCK = new ExecutionAttribute<>("SigningClock");
    private static final Set<String> FORBIDDEN_HEADERS = buildForbiddenHeaderSet();
    private static final Set<String> FORBIDDEN_PARAMS = buildForbiddenQueryParamSet();

    private SigningUtils() {
    }

    public static Credentials buildCredentials(ExecutionAttributes executionAttributes) {
        AwsSessionCredentials sanitizeCredentials = sanitizeCredentials((AwsCredentials) executionAttributes.getAttribute(AwsSignerExecutionAttribute.AWS_CREDENTIALS));
        byte[] bArr = null;
        if (sanitizeCredentials instanceof AwsSessionCredentials) {
            bArr = sanitizeCredentials.sessionToken().getBytes(StandardCharsets.UTF_8);
        }
        return new Credentials(sanitizeCredentials.accessKeyId().getBytes(StandardCharsets.UTF_8), sanitizeCredentials.secretAccessKey().getBytes(StandardCharsets.UTF_8), bArr);
    }

    public static Clock getSigningClock(ExecutionAttributes executionAttributes) {
        Clock clock = (Clock) executionAttributes.getAttribute(SIGNING_CLOCK);
        if (clock != null) {
            return clock;
        }
        Clock systemUTC = Clock.systemUTC();
        return (Clock) Optional.ofNullable(executionAttributes.getAttribute(AwsSignerExecutionAttribute.TIME_OFFSET)).map(num -> {
            return Clock.offset(systemUTC, Duration.ofSeconds(-num.intValue()));
        }).orElse(systemUTC);
    }

    public static AwsCredentials sanitizeCredentials(AwsCredentials awsCredentials) {
        String trim = StringUtils.trim(awsCredentials.accessKeyId());
        String trim2 = StringUtils.trim(awsCredentials.secretAccessKey());
        return awsCredentials instanceof AwsSessionCredentials ? AwsSessionCredentials.create(trim, trim2, StringUtils.trim(((AwsSessionCredentials) awsCredentials).sessionToken())) : AwsBasicCredentials.create(trim, trim2);
    }

    public static SdkHttpFullRequest sanitizeSdkRequestForCrtSigning(SdkHttpFullRequest sdkHttpFullRequest) {
        SdkHttpFullRequest.Builder builder = sdkHttpFullRequest.toBuilder();
        String encodedPath = builder.encodedPath();
        if (encodedPath == null || encodedPath.length() == 0) {
            builder.encodedPath("/");
        }
        builder.clearHeaders();
        Map headers = sdkHttpFullRequest.headers();
        if (CollectionUtils.isNullOrEmpty((Collection) headers.get(HOST_HEADER))) {
            builder.putHeader(HOST_HEADER, sdkHttpFullRequest.host());
        }
        for (Map.Entry entry : headers.entrySet()) {
            if (!FORBIDDEN_HEADERS.contains(entry.getKey())) {
                builder.putHeader((String) entry.getKey(), (List) entry.getValue());
            }
        }
        builder.clearQueryParameters();
        for (Map.Entry entry2 : sdkHttpFullRequest.rawQueryParameters().entrySet()) {
            if (!FORBIDDEN_PARAMS.contains(entry2.getKey())) {
                builder.putRawQueryParameter((String) entry2.getKey(), (List) entry2.getValue());
            }
        }
        return builder.build();
    }

    private static Set<String> buildForbiddenHeaderSet() {
        TreeSet treeSet = new TreeSet(String.CASE_INSENSITIVE_ORDER);
        treeSet.add(BODY_HASH_NAME);
        treeSet.add(DATE_NAME);
        treeSet.add(AUTHORIZATION_NAME);
        treeSet.add(REGION_SET_NAME);
        return treeSet;
    }

    private static Set<String> buildForbiddenQueryParamSet() {
        TreeSet treeSet = new TreeSet(String.CASE_INSENSITIVE_ORDER);
        treeSet.add(SIGNATURE_NAME);
        treeSet.add(DATE_NAME);
        treeSet.add(CREDENTIAL_NAME);
        treeSet.add(ALGORITHM_NAME);
        treeSet.add(SIGNED_HEADERS_NAME);
        treeSet.add(REGION_SET_NAME);
        treeSet.add(EXPIRES_NAME);
        return treeSet;
    }
}
