package software.aws.mcs.auth;

import com.datastax.oss.driver.api.core.auth.AuthProvider;
import com.datastax.oss.driver.api.core.auth.AuthenticationException;
import com.datastax.oss.driver.api.core.auth.Authenticator;
import com.datastax.oss.driver.api.core.config.DriverOption;
import com.datastax.oss.driver.api.core.context.DriverContext;
import com.datastax.oss.driver.api.core.metadata.EndPoint;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.validation.constraints.NotNull;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.signer.internal.Aws4SignerUtils;
import software.amazon.awssdk.auth.signer.internal.SignerConstant;
import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;

/* loaded from: input_file:software/aws/mcs/auth/SigV4AuthProvider.class */
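/**
 * Driver {@link AuthProvider} that answers an endpoint's challenge with an AWS Signature
 * Version 4 style signature computed over the nonce contained in that challenge.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The secret access key is never placed in the response; it is only used to derive the
 *       HMAC signing key in {@link #getSignatureKey}.</li>
 *   <li>The response does carry the access key id and, for temporary credentials, the session
 *       token as plain text. Nothing in this class encrypts them, so their confidentiality
 *       depends entirely on the transport the driver is configured with.</li>
 *   <li>Credentials are resolved from the provider on every challenge rather than cached here.</li>
 * </ul>
 */
public class SigV4AuthProvider implements AuthProvider {
    /*
     * NOTE(review): the decompiled listing rendered the four bytes after "SigV4" as U+FFFD
     * replacement characters, which would encode to twelve bytes instead of four. They are
     * written here as four NUL bytes, which is what the upstream plugin source is understood
     * to use -- confirm against the shipped class file before relying on this listing.
     */
    private static final byte[] SIGV4_INITIAL_RESPONSE_BYTES = "SigV4\0\0\0\0".getBytes(StandardCharsets.UTF_8);
    private static final ByteBuffer SIGV4_INITIAL_RESPONSE;
    /** Number of fractional-second digits emitted by {@link #timestampFormatter}. */
    private static final int AWS_FRACTIONAL_TIMESTAMP_DIGITS = 3;
    private static final DateTimeFormatter timestampFormatter;
    /** Marker that precedes the nonce inside the challenge payload. */
    private static final byte[] NONCE_KEY;
    private static final int EXPECTED_NONCE_LENGTH = 32;
    private static final String CANONICAL_SERVICE = "cassandra";
    private static final DriverOption REGION_OPTION;
    private static final String AMZ_ALGO_HEADER = "X-Amz-Algorithm=AWS4-HMAC-SHA256";
    /** Validity parameter included in the signed canonical query string (900, i.e. 15 minutes in SigV4 presigning). */
    private static final String AMZ_EXPIRES_HEADER = "X-Amz-Expires=900";
    private static final String HMAC_ALGORITHM = "hmacSHA256";

    private final AwsCredentialsProvider credentialsProvider;
    private final String signingRegion;

    /**
     * Per-connection authenticator: sends the fixed initial response, then signs the nonce
     * from the endpoint's challenge. Implements the driver's {@link Authenticator} callbacks.
     */
    public class SigV4Authenticator implements Authenticator {
        public SigV4Authenticator() {
        }

        /**
         * Returns the fixed "SigV4" initial response.
         *
         * @return a completed stage holding a read-only view of the initial response bytes
         */
        public CompletionStage<ByteBuffer> initialResponse() {
            // Hand out a duplicate: it shares the read-only content but has its own position,
            // so a consumer that uses relative reads cannot leave the shared constant drained
            // for the next handshake.
            return CompletableFuture.completedFuture(SigV4AuthProvider.SIGV4_INITIAL_RESPONSE.duplicate());
        }

        /**
         * Builds the signed response for a challenge.
         *
         * @param byteBuffer challenge payload from the endpoint; its remaining bytes are consumed
         * @return a completed stage holding {@code signature=..,access_key=..,amzdate=..} and,
         *     for session credentials, a trailing {@code ,session_token=..}
         * @throws IllegalArgumentException if the challenge has no 32-byte nonce
         *     (thrown synchronously by {@link SigV4AuthProvider#extractNonce})
         */
        public CompletionStage<ByteBuffer> evaluateChallenge(ByteBuffer byteBuffer) {
            try {
                byte[] nonce = SigV4AuthProvider.extractNonce(byteBuffer);
                Instant requestTime = Instant.now();
                // Resolved per challenge, so rotated or refreshed credentials are picked up.
                AwsCredentials credentials = SigV4AuthProvider.this.credentialsProvider.resolveCredentials();
                String signature = SigV4AuthProvider.this.generateSignature(nonce, requestTime, credentials);

                StringBuilder response = new StringBuilder(String.format(
                        "signature=%s,access_key=%s,amzdate=%s",
                        signature,
                        credentials.accessKeyId(),
                        SigV4AuthProvider.timestampFormatter.format(requestTime)));
                if (credentials instanceof AwsSessionCredentials) {
                    // The session token goes out verbatim; only the transport protects it.
                    response.append(",session_token=").append(((AwsSessionCredentials) credentials).sessionToken());
                }
                return CompletableFuture.completedFuture(
                        ByteBuffer.wrap(response.toString().getBytes(StandardCharsets.UTF_8)));
            } catch (UnsupportedEncodingException e) {
                throw new RuntimeException("This platform does not support the UTF-8 encoding", e);
            }
        }

        /**
         * No post-authentication work is needed.
         *
         * @param byteBuffer final token from the endpoint; ignored
         * @return an already-completed stage
         */
        public CompletionStage<Void> onAuthenticationSuccess(ByteBuffer byteBuffer) {
            return CompletableFuture.completedFuture(null);
        }
    }

    /** Uses the SDK default credentials provider and resolves the region from the default region chain. */
    public SigV4AuthProvider() {
        this(DefaultCredentialsProvider.create(), null);
    }

    /**
     * Reads the signing region from the {@code advanced.auth-provider.aws-region} option of the
     * default driver profile, falling back to the default region chain when it is unset.
     *
     * @param driverContext driver context whose configuration is consulted
     */
    public SigV4AuthProvider(DriverContext driverContext) {
        this(driverContext.getConfig().getDefaultProfile().getString(REGION_OPTION, (String) null));
    }

    /**
     * Uses the SDK default credentials provider with an explicit region.
     *
     * @param str signing region, or {@code null} to use the default region chain
     */
    public SigV4AuthProvider(String str) {
        this(DefaultCredentialsProvider.create(), str);
    }

    /**
     * @param awsCredentialsProvider source of the credentials used to sign each challenge
     * @param str signing region, or {@code null} to use the default region chain
     * @throws NullPointerException if {@code awsCredentialsProvider} is {@code null}
     * @throws IllegalStateException if no region was given and the region chain yields none
     */
    public SigV4AuthProvider(@NotNull AwsCredentialsProvider awsCredentialsProvider, String str) {
        // Fail at construction rather than on the first challenge.
        this.credentialsProvider = Objects.requireNonNull(awsCredentialsProvider, "awsCredentialsProvider");

        String region = str;
        if (region == null) {
            // Objects.toString keeps a missing region as null so the check below is reachable;
            // the original dereferenced the chain result before testing it.
            region = Objects.toString(new DefaultAwsRegionProviderChain().getRegion(), null);
        }
        if (region == null) {
            throw new IllegalStateException("A region must be specified by constructor, AWS_REGION env variable, or aws.region system property");
        }
        // The region is part of the signed scope, so lower-casing must not depend on the JVM's
        // default locale (for example the Turkish dotless-i mapping).
        this.signingRegion = region.toLowerCase(Locale.ROOT);
    }

    /**
     * Creates a fresh authenticator for a connection; both arguments are unused.
     *
     * @param endPoint endpoint being connected to
     * @param str server authenticator name reported by the endpoint
     * @return a new {@link SigV4Authenticator}
     */
    public Authenticator newAuthenticator(EndPoint endPoint, String str) throws AuthenticationException {
        return new SigV4Authenticator();
    }

    /**
     * Rejects endpoints that skip the challenge, since there would be no nonce to sign.
     *
     * @param endPoint endpoint that did not send a challenge
     * @throws AuthenticationException always
     */
    public void onMissingChallenge(EndPoint endPoint) {
        throw new AuthenticationException(endPoint, "SigV4 requires a challenge from the endpoint. None was sent");
    }

    /** Nothing to release. */
    public void close() {
    }

    /**
     * Pulls the nonce out of a challenge of the form {@code ...nonce=<32 bytes>[,...]}.
     *
     * @param byteBuffer challenge payload; all remaining bytes are read from it
     * @return a copy of the 32 nonce bytes
     * @throws IllegalArgumentException if {@code nonce=} is absent or the value is not 32 bytes long
     */
    static byte[] extractNonce(ByteBuffer byteBuffer) {
        byte[] challenge = new byte[byteBuffer.remaining()];
        byteBuffer.get(challenge);

        int keyStart = indexOf(challenge, NONCE_KEY);
        if (keyStart == -1) {
            // NOTE(review): this message echoes endpoint-supplied bytes; anything that logs the
            // exception should treat the text as untrusted.
            throw new IllegalArgumentException("Did not find nonce in SigV4 challenge: " + new String(challenge, StandardCharsets.UTF_8));
        }

        int nonceStart = keyStart + NONCE_KEY.length;
        int nonceEnd = nonceStart;
        // The nonce runs to the next comma or to the end of the payload.
        while (nonceEnd < challenge.length && challenge[nonceEnd] != ',') {
            nonceEnd++;
        }

        int nonceLength = nonceEnd - nonceStart;
        if (nonceLength != EXPECTED_NONCE_LENGTH) {
            throw new IllegalArgumentException("Expected a nonce of 32 bytes but received " + nonceLength);
        }
        return Arrays.copyOfRange(challenge, nonceStart, nonceEnd);
    }

    /**
     * Computes the hex signature for a nonce.
     *
     * <p>The decompiler reports that this method's access was widened from {@code private};
     * it is left {@code public} here so the listing's interface is unchanged.
     *
     * @param bArr nonce bytes from the challenge; their SHA-256 digest is the signed payload hash
     * @param instant signing time, used for both the date stamp and the full timestamp
     * @param awsCredentials credentials supplying the access key id and secret access key
     * @return lower-case hex encoding of the HMAC-SHA256 signature
     * @throws UnsupportedEncodingException propagated from URL-encoding in {@code canonicalizeRequest}
     */
    public String generateSignature(byte[] bArr, Instant instant, AwsCredentials awsCredentials) throws UnsupportedEncodingException {
        String dateStamp = Aws4SignerUtils.formatDateStamp(instant.toEpochMilli());
        String scope = String.format("%s/%s/%s/aws4_request", dateStamp, this.signingRegion, CANONICAL_SERVICE);

        String canonicalRequest = canonicalizeRequest(awsCredentials.accessKeyId(), scope, instant, sha256Digest(bArr));
        String stringToSign = String.format(
                "%s\n%s\n%s\n%s",
                SignerConstant.AWS4_SIGNING_ALGORITHM,
                timestampFormatter.format(instant),
                scope,
                sha256Digest(canonicalRequest));

        // The signing key is scoped to date, region and service, so it is re-derived per call.
        byte[] signingKey = getSignatureKey(awsCredentials.secretAccessKey(), dateStamp, this.signingRegion, CANONICAL_SERVICE);
        return Hex.encodeHexString(hmacSHA256(stringToSign, signingKey), true);
    }

    /**
     * Builds the canonical request text that is hashed into the string to sign.
     *
     * @param str access key id
     * @param str2 credential scope ({@code date/region/service/aws4_request})
     * @param instant signing time
     * @param str3 hex SHA-256 digest of the nonce, used as the payload hash
     * @return canonical request for {@code PUT /authenticate} with the sorted query parameters
     * @throws UnsupportedEncodingException if URL-encoding with UTF-8 is unavailable
     */
    private static String canonicalizeRequest(String str, String str2, Instant instant, String str3) throws UnsupportedEncodingException {
        String utf8 = StandardCharsets.UTF_8.name();
        List<String> queryParameters = Arrays.asList(
                AMZ_ALGO_HEADER,
                String.format("X-Amz-Credential=%s%%2F%s", str, URLEncoder.encode(str2, utf8)),
                "X-Amz-Date=" + URLEncoder.encode(timestampFormatter.format(instant), utf8),
                AMZ_EXPIRES_HEADER);
        // Canonical form requires the parameters in sorted order.
        Collections.sort(queryParameters);
        return String.format("PUT\n/authenticate\n%s\nhost:%s\n\nhost\n%s", String.join("&", queryParameters), CANONICAL_SERVICE, str3);
    }

    /**
     * @param bArr bytes to hash
     * @return lower-case hex SHA-256 digest of {@code bArr}
     * @throws RuntimeException if the platform lacks SHA-256
     */
    static String sha256Digest(byte[] bArr) {
        try {
            return Hex.encodeHexString(MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256).digest(bArr), true);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("This platform does not support the SHA-256 digest algorithm", e);
        }
    }

    /**
     * @param str text to hash, encoded as UTF-8
     * @return lower-case hex SHA-256 digest of the encoded text
     */
    static String sha256Digest(String str) {
        return sha256Digest(str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Computes HMAC-SHA256 of a UTF-8 string.
     *
     * @param str message to authenticate
     * @param bArr raw key bytes; this method does not clear them
     * @return the 32-byte MAC
     * @throws RuntimeException wrapping any failure from the JCA provider or key construction
     */
    static byte[] hmacSHA256(String str, byte[] bArr) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALGORITHM);
            mac.init(new SecretKeySpec(bArr, HMAC_ALGORITHM));
            return mac.doFinal(str.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            // Deliberately broad: callers see one exception type for every failure mode,
            // including the unchecked ones SecretKeySpec raises for an unusable key.
            throw new RuntimeException("Failure computing HMAC-SHA256", e);
        }
    }

    /**
     * Derives the signing key by chaining HMACs over date, region, service and the SDK's
     * terminator constant, starting from {@code "AWS4" + secret}.
     *
     * @param str secret access key
     * @param str2 date stamp
     * @param str3 region
     * @param str4 service name
     * @return derived signing key bytes
     */
    static byte[] getSignatureKey(String str, String str2, String str3, String str4) {
        byte[] secretKey = ("AWS4" + str).getBytes(StandardCharsets.UTF_8);
        byte[] dateKey = hmacSHA256(str2, secretKey);
        byte[] regionKey = hmacSHA256(str3, dateKey);
        byte[] serviceKey = hmacSHA256(str4, regionKey);
        return hmacSHA256(SignerConstant.AWS4_TERMINATOR, serviceKey);
    }

    /**
     * Finds the first occurrence of one byte array inside another.
     *
     * @param bArr array to search
     * @param bArr2 sequence to look for
     * @return index of the first match, {@code 0} for an empty sequence, or {@code -1} if absent
     */
    static int indexOf(byte[] bArr, byte[] bArr2) {
        if (bArr2.length == 0) {
            // The original indexed bArr2[0] unconditionally and would throw here.
            return 0;
        }
        int lastStart = bArr.length - bArr2.length;
        for (int start = 0; start <= lastStart; start++) {
            int matched = 0;
            while (matched < bArr2.length && bArr[start + matched] == bArr2[matched]) {
                matched++;
            }
            if (matched == bArr2.length) {
                return start;
            }
        }
        return -1;
    }

    static {
        // Copy into a dedicated buffer and expose only a read-only view of it.
        ByteBuffer initialResponse = ByteBuffer.allocate(SIGV4_INITIAL_RESPONSE_BYTES.length);
        initialResponse.put(SIGV4_INITIAL_RESPONSE_BYTES);
        initialResponse.flip();
        SIGV4_INITIAL_RESPONSE = initialResponse.asReadOnlyBuffer();

        timestampFormatter = new DateTimeFormatterBuilder().appendInstant(AWS_FRACTIONAL_TIMESTAMP_DIGITS).toFormatter();
        NONCE_KEY = "nonce=".getBytes(StandardCharsets.UTF_8);
        REGION_OPTION = new DriverOption() {
            public String getPath() {
                return "advanced.auth-provider.aws-region";
            }
        };
    }
}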
