package org.projectnessie.catalog.service.rest;

import io.smallrye.common.annotation.Blocking;
import io.smallrye.mutiny.Uni;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.validation.constraints.NotNull;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.time.Clock;
import java.util.List;
import java.util.Optional;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.jboss.resteasy.reactive.server.ServerExceptionMapper;
import org.projectnessie.catalog.files.api.RequestSigner;
import org.projectnessie.catalog.formats.iceberg.meta.IcebergTableIdentifier;
import org.projectnessie.catalog.formats.iceberg.rest.IcebergS3SignRequest;
import org.projectnessie.catalog.formats.iceberg.rest.IcebergS3SignResponse;
import org.projectnessie.catalog.service.api.SignerKeysService;
import org.projectnessie.catalog.service.config.LakehouseConfig;
import org.projectnessie.catalog.service.objtypes.SignerKey;
import org.projectnessie.catalog.service.rest.IcebergErrorMapper;
import org.projectnessie.model.ContentKey;
import org.projectnessie.services.authz.AccessContext;
import org.projectnessie.services.authz.Authorizer;
import org.projectnessie.services.config.ServerConfig;
import org.projectnessie.versioned.VersionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Produces({"application/json"})
@RequestScoped
@Path("iceberg")
@Consumes({"application/json"})
/* loaded from: input_file:org/projectnessie/catalog/service/rest/IcebergApiV1S3SignResource.class */
public class IcebergApiV1S3SignResource extends IcebergApiV1ResourceBase {
    private static final Logger LOGGER = LoggerFactory.getLogger(IcebergApiV1S3SignResource.class);

    @Inject
    RequestSigner signer;

    @Inject
    IcebergErrorMapper errorMapper;

    @Inject
    SignerKeysService signerKeysService;

    @Inject
    UriInfo uriInfo;
    Clock clock;

    public IcebergApiV1S3SignResource() {
        this(null, null, null, null, null);
    }

    @Inject
    public IcebergApiV1S3SignResource(ServerConfig serverConfig, LakehouseConfig lakehouseConfig, VersionStore versionStore, Authorizer authorizer, AccessContext accessContext) {
        super(serverConfig, lakehouseConfig, versionStore, authorizer, accessContext);
        this.clock = Clock.systemUTC();
    }

    @ServerExceptionMapper
    public Response mapException(Exception exc) {
        return this.errorMapper.toResponse(exc, IcebergErrorMapper.IcebergEntityKind.UNKNOWN);
    }

    @Operation(operationId = "iceberg.v1.s3sign.blob")
    @Blocking
    @POST
    @Path("/v1/{prefix}/s3sign/{signedParams}")
    public Uni<IcebergS3SignResponse> s3signWIthOpaqueParams(IcebergS3SignRequest icebergS3SignRequest, @PathParam("prefix") String str, @PathParam("signedParams") String str2) {
        SignerParams fromPathParam = SignerParams.fromPathParam(str2);
        SignerKey signerKey = this.signerKeysService.getSignerKey(fromPathParam.keyName());
        SignerSignature signerSignature = fromPathParam.signerSignature();
        Optional<String> verify = signerSignature.verify(signerKey, fromPathParam.signature(), this.clock.instant());
        if (!verify.isPresent()) {
            return ImmutableIcebergS3SignParams.builder().request(icebergS3SignRequest).ref(decodePrefix(str).parsedReference()).key(ContentKey.fromPathString(signerSignature.identifier())).warehouseLocation(signerSignature.warehouseLocation()).writeLocations(signerSignature.mo15writeLocations()).readLocations(signerSignature.mo14readLocations()).catalogService(this.catalogService).signer(this.signer).build().verifyAndSign();
        }
        LOGGER.warn("{} for request {}", verify.get(), this.uriInfo.getRequestUri());
        throw new IllegalArgumentException("Invalid signature");
    }

    @Operation(operationId = "iceberg.v1.s3sign")
    @Blocking
    @POST
    @Path("/v1/{prefix}/s3-sign/{identifier}")
    public Uni<IcebergS3SignResponse> s3sign(IcebergS3SignRequest icebergS3SignRequest, @PathParam("prefix") String str, @PathParam("identifier") String str2, @NotNull @QueryParam("b") String str3, @QueryParam("w") List<String> list, @QueryParam("r") List<String> list2, @NotNull @QueryParam("e") Long l, @NotNull @QueryParam("k") String str4, @NotNull @QueryParam("s") String str5) {
        Optional<String> verify = SignerSignature.builder().prefix(str).identifier(str2).warehouseLocation(str3).writeLocations(list).readLocations(list2).expirationTimestamp(l.longValue()).build().verify(this.signerKeysService.getSignerKey(str4), str5, this.clock.instant());
        if (!verify.isPresent()) {
            return ImmutableIcebergS3SignParams.builder().request(icebergS3SignRequest).ref(decodePrefix(str).parsedReference()).key(ContentKey.fromPathString(str2)).warehouseLocation(str3).writeLocations(list).readLocations(list2).catalogService(this.catalogService).signer(this.signer).build().verifyAndSign();
        }
        LOGGER.warn("{} for request {}", verify.get(), this.uriInfo.getRequestUri());
        throw new IllegalArgumentException("Invalid signature");
    }

    @Override // org.projectnessie.catalog.service.rest.IcebergApiV1ResourceBase
    public /* bridge */ /* synthetic */ TableRef decodeTableRef(String str, IcebergTableIdentifier icebergTableIdentifier) {
        return super.decodeTableRef(str, icebergTableIdentifier);
    }

    @Override // org.projectnessie.catalog.service.rest.IcebergApiV1ResourceBase
    public /* bridge */ /* synthetic */ TableRef decodeTableRef(String str, String str2, String str3) {
        return super.decodeTableRef(str, str2, str3);
    }
}
