package org.projectnessie.catalog.service.rest;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import io.smallrye.mutiny.Multi;
import io.smallrye.mutiny.Uni;
import jakarta.ws.rs.core.Response;
import java.net.URI;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import org.immutables.value.Value;
import org.projectnessie.api.v2.params.ParsedReference;
import org.projectnessie.catalog.files.api.RequestSigner;
import org.projectnessie.catalog.files.api.SigningRequest;
import org.projectnessie.catalog.files.api.SigningResponse;
import org.projectnessie.catalog.files.s3.S3Utils;
import org.projectnessie.catalog.formats.iceberg.nessie.CatalogOps;
import org.projectnessie.catalog.formats.iceberg.rest.IcebergError;
import org.projectnessie.catalog.formats.iceberg.rest.IcebergException;
import org.projectnessie.catalog.formats.iceberg.rest.IcebergS3SignRequest;
import org.projectnessie.catalog.formats.iceberg.rest.IcebergS3SignResponse;
import org.projectnessie.catalog.model.snapshot.NessieEntitySnapshot;
import org.projectnessie.catalog.service.api.CatalogService;
import org.projectnessie.catalog.service.api.SnapshotReqParams;
import org.projectnessie.catalog.service.api.SnapshotResponse;
import org.projectnessie.error.NessieContentNotFoundException;
import org.projectnessie.error.NessieNotFoundException;
import org.projectnessie.model.Content;
import org.projectnessie.model.ContentKey;
import org.projectnessie.model.IcebergContent;
import org.projectnessie.versioned.RequestMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Value.Immutable
/* loaded from: input_file:org/projectnessie/catalog/service/rest/IcebergS3SignParams.class */
abstract class IcebergS3SignParams {
    private static final Pattern NEW_OBJECT_STORAGE_LAYOUT = Pattern.compile("[01]{4}/[01]{4}/[01]{4}/[01]{8}/(.*)");
    private static final Logger LOGGER = LoggerFactory.getLogger(IcebergS3SignParams.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    public abstract IcebergS3SignRequest request();

    /* JADX INFO: Access modifiers changed from: package-private */
    public abstract ParsedReference ref();

    /* JADX INFO: Access modifiers changed from: package-private */
    public abstract ContentKey key();

    /* JADX INFO: Access modifiers changed from: package-private */
    public abstract String warehouseLocation();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: writeLocations */
    public abstract List<String> mo12writeLocations();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: readLocations */
    public abstract List<String> mo11readLocations();

    /* JADX INFO: Access modifiers changed from: package-private */
    public abstract CatalogService catalogService();

    /* JADX INFO: Access modifiers changed from: package-private */
    public abstract RequestSigner signer();

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Check
    public void check() {
        Preconditions.checkArgument(mo12writeLocations().stream().allMatch(str -> {
            return str.startsWith("s3:");
        }) && mo11readLocations().stream().allMatch(str2 -> {
            return str2.startsWith("s3:");
        }), "locations must be S3 URIs");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Lazy
    public String requestedS3Uri() {
        return S3Utils.asS3Location(request().uri());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Lazy
    public boolean write() {
        return request().method().equalsIgnoreCase("PUT") || request().method().equalsIgnoreCase("POST") || request().method().equalsIgnoreCase("DELETE") || request().method().equalsIgnoreCase("PATCH");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Uni<IcebergS3SignResponse> verifyAndSign() {
        return fetchSnapshot().call(this::checkForbiddenLocations).onItem().transformToMulti(this::collectAllowedLocations).filter(this::checkLocation).toUni().onItem().ifNull().failWith(this::unauthorized).replaceWith(request().uri()).map(this::sign);
    }

    private boolean checkLocation(String str) {
        return checkLocation(warehouseLocation(), requestedS3Uri(), str);
    }

    @VisibleForTesting
    static boolean checkLocation(String str, String str2, String str3) {
        String substring;
        if (str2.startsWith(str3)) {
            return true;
        }
        int length = str.length();
        if (length == 0) {
            return false;
        }
        if (!str.endsWith("/")) {
            str = str + "/";
            length++;
        }
        if (!str3.endsWith("/")) {
            str3 = str3 + "/";
        }
        if (!str2.startsWith(str) || !str3.startsWith(str)) {
            return false;
        }
        String substring2 = str2.substring(length);
        Matcher matcher = NEW_OBJECT_STORAGE_LAYOUT.matcher(substring2);
        if (matcher.find()) {
            substring = matcher.group(1);
        } else {
            int indexOf = substring2.indexOf(47);
            if (indexOf == -1) {
                return false;
            }
            substring = substring2.substring(indexOf + 1);
        }
        return substring.startsWith(str3.substring(length));
    }

    private Uni<SnapshotResponse> fetchSnapshot() {
        try {
            RequestMeta.RequestMetaBuilder apiWrite = write() ? RequestMeta.apiWrite() : RequestMeta.apiRead();
            apiWrite.addKeyAction(key(), CatalogOps.CATALOG_S3_SIGN.name());
            return Uni.createFrom().completionStage(catalogService().retrieveSnapshot(SnapshotReqParams.forSnapshotHttpReq(ref(), "iceberg", (String) null), key(), (Content.Type) null, apiWrite.build(), IcebergApiV1ResourceBase.ICEBERG_V1)).onFailure().recoverWithNull();
        } catch (NessieNotFoundException e) {
            return Uni.createFrom().failure(e);
        } catch (NessieContentNotFoundException e2) {
            return Uni.createFrom().nullItem();
        }
    }

    private Uni<?> checkForbiddenLocations(SnapshotResponse snapshotResponse) {
        if (snapshotResponse != null && write()) {
            IcebergContent content = snapshotResponse.content();
            String str = null;
            if (content instanceof IcebergContent) {
                str = content.getMetadataLocation();
            }
            if (str != null && requestedS3Uri().equals(S3Utils.normalizeS3Scheme(str))) {
                return Uni.createFrom().failure(unauthorized());
            }
        }
        return Uni.createFrom().item(snapshotResponse);
    }

    private Multi<String> collectAllowedLocations(SnapshotResponse snapshotResponse) {
        if (snapshotResponse == null) {
            return Multi.createFrom().items(Stream.concat(mo12writeLocations().stream(), mo11readLocations().stream()));
        }
        NessieEntitySnapshot nessieSnapshot = snapshotResponse.nessieSnapshot();
        return Multi.createFrom().emitter(multiEmitter -> {
            ArrayList arrayList = new ArrayList();
            String normalizeS3Scheme = S3Utils.normalizeS3Scheme((String) Objects.requireNonNull(nessieSnapshot.icebergLocation()));
            arrayList.add(normalizeS3Scheme);
            String icebergWriteLocation = IcebergConfigurer.icebergWriteLocation(nessieSnapshot.properties());
            if (icebergWriteLocation != null) {
                String normalizeS3Scheme2 = S3Utils.normalizeS3Scheme(icebergWriteLocation);
                if (!normalizeS3Scheme2.startsWith(normalizeS3Scheme)) {
                    arrayList.add(normalizeS3Scheme2);
                }
            }
            if (write()) {
                for (String str : mo12writeLocations()) {
                    if (arrayList.contains(str)) {
                        multiEmitter.emit(str);
                        multiEmitter.complete();
                        return;
                    }
                }
            } else {
                for (String str2 : Stream.concat(mo12writeLocations().stream(), mo11readLocations().stream())) {
                    if (arrayList.contains(str2)) {
                        multiEmitter.emit(str2);
                        Iterator it = nessieSnapshot.additionalKnownLocations().iterator();
                        while (it.hasNext()) {
                            multiEmitter.emit(S3Utils.normalizeS3Scheme((String) it.next()));
                        }
                        multiEmitter.complete();
                        return;
                    }
                }
            }
            multiEmitter.fail(unauthorized());
        });
    }

    private IcebergS3SignResponse sign(String str) {
        URI create = URI.create(str);
        SigningResponse sign = signer().sign(SigningRequest.signingRequest(create, request().method(), request().region(), S3Utils.extractBucketName(create), Optional.ofNullable(request().body()), request().headers()));
        return IcebergS3SignResponse.icebergS3SignResponse(sign.uri().toString(), sign.headers());
    }

    private IcebergException unauthorized() {
        IcebergException icebergException = new IcebergException(IcebergError.icebergError(Response.Status.FORBIDDEN.getStatusCode(), "NotAuthorizedException", "URI not allowed for signing: " + request().uri(), List.of()));
        LOGGER.warn("Unauthorized signing request: key: {}, ref: {}, s3-uri: {}, request uri: {}, request method: {}, warehouse: {}, writeable locations: {}, readable locations: {}", new Object[]{key(), ref(), requestedS3Uri(), request().uri(), request().method(), warehouseLocation(), mo12writeLocations(), mo11readLocations()});
        return icebergException;
    }
}
