package org.projectnessie.catalog.files.s3;

import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Optional;
import org.projectnessie.catalog.files.api.ImmutableSigningResponse;
import org.projectnessie.catalog.files.api.RequestSigner;
import org.projectnessie.catalog.files.api.SigningRequest;
import org.projectnessie.catalog.files.api.SigningResponse;
import org.projectnessie.catalog.files.config.S3Options;
import org.projectnessie.catalog.secrets.SecretsProvider;
import org.projectnessie.storage.uri.StorageUri;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.http.SdkHttpRequest;
import software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner;
import software.amazon.awssdk.http.auth.spi.signer.SignRequest;

/* loaded from: input_file:org/projectnessie/catalog/files/s3/S3Signer.class */
public class S3Signer implements RequestSigner {
    private final AwsV4HttpSigner signer = AwsV4HttpSigner.create();
    private final S3Options s3Options;
    private final SecretsProvider secretsProvider;
    private final S3Sessions s3sessions;

    public S3Signer(S3Options s3Options, SecretsProvider secretsProvider, S3Sessions s3Sessions) {
        this.s3Options = s3Options;
        this.secretsProvider = secretsProvider;
        this.s3sessions = s3Sessions;
    }

    public SigningResponse sign(SigningRequest signingRequest) {
        URI uri = signingRequest.uri();
        Optional body = signingRequest.body();
        if (body.isEmpty() && "post".equalsIgnoreCase(signingRequest.method()) && uri.getQuery().contains("delete")) {
            throw new IllegalArgumentException("DELETE requests must have a non-empty body");
        }
        SignRequest.Builder putProperty = SignRequest.builder(S3Clients.serverCredentialsProvider(this.s3Options.resolveOptionsForUri(StorageUri.of(S3Utils.asS3Location(signingRequest.uri().toString()))), this.s3sessions, this.secretsProvider).resolveCredentials()).request(SdkHttpFullRequest.builder().uri(uri).protocol(uri.getScheme()).method(SdkHttpMethod.fromValue(signingRequest.method())).headers(signingRequest.headers()).build()).putProperty(AwsV4HttpSigner.REGION_NAME, signingRequest.region()).putProperty(AwsV4HttpSigner.SERVICE_SIGNING_NAME, "s3").putProperty(AwsV4HttpSigner.DOUBLE_URL_ENCODE, false).putProperty(AwsV4HttpSigner.NORMALIZE_PATH, false).putProperty(AwsV4HttpSigner.CHUNK_ENCODING_ENABLED, false).putProperty(AwsV4HttpSigner.PAYLOAD_SIGNING_ENABLED, false);
        Optional map = body.map(str -> {
            return () -> {
                return new ByteArrayInputStream(((String) body.get()).getBytes(StandardCharsets.UTF_8));
            };
        });
        Objects.requireNonNull(putProperty);
        map.ifPresent((v1) -> {
            r1.payload(v1);
        });
        SdkHttpRequest request = this.signer.sign((SignRequest) putProperty.build()).request();
        return ImmutableSigningResponse.of(request.getUri(), request.headers());
    }
}
