package software.amazon.awssdk.services.s3.internal.endpoints;

import java.net.URI;
import java.util.Optional;
import org.jfree.data.xml.DatasetTags;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.arns.Arn;
import software.amazon.awssdk.http.SdkHttpRequest;
import software.amazon.awssdk.regions.PartitionMetadata;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Configuration;
import software.amazon.awssdk.services.s3.internal.ConfiguredS3SdkHttpRequest;
import software.amazon.awssdk.services.s3.internal.resource.S3AccessPointBuilder;
import software.amazon.awssdk.services.s3.internal.resource.S3AccessPointResource;
import software.amazon.awssdk.services.s3.internal.resource.S3ArnConverter;
import software.amazon.awssdk.services.s3.internal.resource.S3ObjectLambdaEndpointBuilder;
import software.amazon.awssdk.services.s3.internal.resource.S3ObjectLambdaResource;
import software.amazon.awssdk.services.s3.internal.resource.S3OutpostAccessPointBuilder;
import software.amazon.awssdk.services.s3.internal.resource.S3OutpostResource;
import software.amazon.awssdk.services.s3.internal.resource.S3Resource;
import software.amazon.awssdk.utils.Validate;
import software.amazon.awssdk.utils.http.SdkHttpUtils;

@SdkInternalApi
/* loaded from: input_file:software/amazon/awssdk/services/s3/internal/endpoints/S3AccessPointEndpointResolver.class */
public final class S3AccessPointEndpointResolver implements S3EndpointResolver {
    private static final String S3_CONFIG_ERROR_MESSAGE = "An access point ARN cannot be passed as a bucket parameter to an S3 operation if the S3 client has been configured with %s";
    private static final String S3_OUTPOSTS_NAME = "s3-outposts";
    private static final String S3_OBJECT_LAMBDA_NAME = "s3-object-lambda";

    private S3AccessPointEndpointResolver() {
    }

    public static S3AccessPointEndpointResolver create() {
        return new S3AccessPointEndpointResolver();
    }

    @Override // software.amazon.awssdk.services.s3.internal.endpoints.S3EndpointResolver
    public ConfiguredS3SdkHttpRequest applyEndpointConfiguration(S3EndpointResolverContext s3EndpointResolverContext) {
        S3AccessPointResource s3AccessPointResource = (S3AccessPointResource) Validate.isInstanceOf(S3AccessPointResource.class, S3ArnConverter.create().convertArn(Arn.fromString(getBucketName(s3EndpointResolverContext))), "An ARN was passed as a bucket parameter to an S3 operation, however it does not appear to be a valid S3 access point ARN.", new Object[0]);
        PartitionMetadata of = PartitionMetadata.of(s3EndpointResolverContext.region());
        validateConfiguration(s3EndpointResolverContext, s3AccessPointResource);
        URI uriForAccessPointResource = getUriForAccessPointResource(s3EndpointResolverContext, of, s3AccessPointResource);
        SdkHttpRequest sdkHttpRequest = (SdkHttpRequest) s3EndpointResolverContext.request().mo5246toBuilder().protocol(uriForAccessPointResource.getScheme()).host(uriForAccessPointResource.getHost()).port(Integer.valueOf(uriForAccessPointResource.getPort())).encodedPath(buildPath(uriForAccessPointResource, s3EndpointResolverContext)).mo4874build();
        Region region = (Region) s3AccessPointResource.region().map(Region::of).orElse(null);
        return ConfiguredS3SdkHttpRequest.builder().sdkHttpRequest(sdkHttpRequest).signingRegionModification(region).signingServiceModification((String) s3AccessPointResource.parentS3Resource().flatMap(S3AccessPointEndpointResolver::resolveSigningService).orElse(null)).mo4874build();
    }

    private String buildPath(URI uri, S3EndpointResolverContext s3EndpointResolverContext) {
        String str = (String) s3EndpointResolverContext.originalRequest().getValueForField(DatasetTags.KEY_TAG, String.class).orElse(null);
        StringBuilder sb = new StringBuilder();
        if (uri.getPath() != null) {
            sb.append(uri.getPath());
        }
        if (str != null) {
            if (sb.length() > 0) {
                sb.append('/');
            }
            sb.append(SdkHttpUtils.urlEncodeIgnoreSlashes(str));
        }
        if (sb.length() > 0) {
            return sb.toString();
        }
        return null;
    }

    private void validateConfiguration(S3EndpointResolverContext s3EndpointResolverContext, S3AccessPointResource s3AccessPointResource) {
        S3Configuration serviceConfiguration = s3EndpointResolverContext.serviceConfiguration();
        Validate.isFalse(S3EndpointUtils.isAccelerateEnabled(serviceConfiguration), S3_CONFIG_ERROR_MESSAGE, "accelerate mode enabled.");
        Validate.isFalse(S3EndpointUtils.isPathStyleAccessEnabled(serviceConfiguration), S3_CONFIG_ERROR_MESSAGE, "path style addressing enabled.");
        Validate.isTrue(s3AccessPointResource.accountId().isPresent(), "An S3 access point ARN must have an account ID", new Object[0]);
        Region region = s3EndpointResolverContext.region();
        if (s3AccessPointResource.region().isPresent()) {
            validateRegion(s3AccessPointResource, serviceConfiguration, region, s3EndpointResolverContext.fipsEnabled());
        } else {
            validateGlobalConfiguration(serviceConfiguration, region);
        }
        validatePartition(s3AccessPointResource, region);
    }

    private void validatePartition(S3AccessPointResource s3AccessPointResource, Region region) {
        String id = PartitionMetadata.of(region).id();
        Validate.isFalse(illegalPartitionConfiguration(s3AccessPointResource, id), "The partition field of the ARN being passed as a bucket parameter to an S3 operation does not match the partition the S3 client has been configured with. Provided partition: '%s'; client partition: '%s'.", s3AccessPointResource.partition().orElse(""), id);
    }

    private boolean illegalPartitionConfiguration(S3Resource s3Resource, String str) {
        return str == null || str.isEmpty() || !s3Resource.partition().isPresent() || !str.equals(s3Resource.partition().get());
    }

    private void validateRegion(S3AccessPointResource s3AccessPointResource, S3Configuration s3Configuration, Region region, boolean z) {
        String str = s3AccessPointResource.region().get();
        Validate.isFalse(S3EndpointUtils.isFipsRegion(str), "Invalid ARN, FIPS region is not allowed in ARN. Provided arn region: '" + str + "'.", new Object[0]);
        Validate.isFalse((z || S3EndpointUtils.isFipsRegion(region.id())) && clientRegionDiffersFromArnRegion(region, str), String.format("The region field of the ARN being passed as a bucket parameter to an S3 operation does not match the region the client was configured with. Cross region access not allowed for fips region in client or arn. Provided region: '%s'; client region:'%s'.", str, region), new Object[0]);
        Validate.isFalse(!S3EndpointUtils.isArnRegionEnabled(s3Configuration) && clientRegionDiffersFromArnRegion(region, str), "The region field of the ARN being passed as a bucket parameter to an S3 operation does not match the region the client was configured with. To enable this behavior and prevent this exception set 'useArnRegionEnabled' to true in the configuration when building the S3 client. Provided region: '%s'; client region: '%s'.", str, region);
    }

    private boolean clientRegionDiffersFromArnRegion(Region region, String str) {
        return !S3EndpointUtils.removeFipsIfNeeded(region.id()).equals(str);
    }

    private void validateGlobalConfiguration(S3Configuration s3Configuration, Region region) {
        Validate.isTrue(s3Configuration.multiRegionEnabled(), "An Access Point ARN without a region value was passed as a bucket parameter but multi-region is disabled. Check client configuration, environment variables and system configuration for multi-region disable configurations.", new Object[0]);
        Validate.isFalse(S3EndpointUtils.isDualstackEnabled(s3Configuration), S3_CONFIG_ERROR_MESSAGE, "dualstack, if the ARN contains no region.");
        Validate.isFalse(S3EndpointUtils.isFipsRegion(region.toString()), S3_CONFIG_ERROR_MESSAGE, "a FIPS enabled region, if the ARN contains no region.");
    }

    private String getBucketName(S3EndpointResolverContext s3EndpointResolverContext) {
        return (String) s3EndpointResolverContext.originalRequest().getValueForField("Bucket", String.class).orElseThrow(() -> {
            return new IllegalArgumentException("Bucket name cannot be empty when parsing access points.");
        });
    }

    private URI getUriForAccessPointResource(S3EndpointResolverContext s3EndpointResolverContext, PartitionMetadata partitionMetadata, S3AccessPointResource s3AccessPointResource) {
        return isOutpostAccessPoint(s3AccessPointResource) ? getOutpostAccessPointUri(s3EndpointResolverContext, partitionMetadata, s3AccessPointResource) : isObjectLambdaAccessPoint(s3AccessPointResource) ? getObjectLambdaAccessPointUri(s3EndpointResolverContext, partitionMetadata, s3AccessPointResource) : S3AccessPointBuilder.create().endpointOverride(s3EndpointResolverContext.endpointOverride()).accessPointName(s3AccessPointResource.accessPointName()).accountId(s3AccessPointResource.accountId().get()).fipsEnabled(Boolean.valueOf(isFipsEnabled(s3EndpointResolverContext))).region(s3AccessPointResource.region().orElse(null)).protocol(s3EndpointResolverContext.request().protocol()).domain(partitionMetadata.dnsSuffix()).dualstackEnabled(Boolean.valueOf(S3EndpointUtils.isDualstackEnabled(s3EndpointResolverContext.serviceConfiguration()))).toUri();
    }

    private boolean isOutpostAccessPoint(S3AccessPointResource s3AccessPointResource) {
        return s3AccessPointResource.parentS3Resource().filter(s3Resource -> {
            return s3Resource instanceof S3OutpostResource;
        }).isPresent();
    }

    private boolean isObjectLambdaAccessPoint(S3AccessPointResource s3AccessPointResource) {
        return s3AccessPointResource.parentS3Resource().filter(s3Resource -> {
            return s3Resource instanceof S3ObjectLambdaResource;
        }).isPresent();
    }

    private URI getOutpostAccessPointUri(S3EndpointResolverContext s3EndpointResolverContext, PartitionMetadata partitionMetadata, S3AccessPointResource s3AccessPointResource) {
        if (S3EndpointUtils.isDualstackEnabled(s3EndpointResolverContext.serviceConfiguration())) {
            throw new IllegalArgumentException("An Outpost Access Point ARN cannot be passed as a bucket parameter to an S3 operation if the S3 client has been configured with dualstack");
        }
        if (isFipsEnabled(s3EndpointResolverContext)) {
            throw new IllegalArgumentException("An access point ARN cannot be passed as a bucket parameter to an S3 operation if the S3 client has been configured with a FIPS enabled region.");
        }
        return S3OutpostAccessPointBuilder.create().endpointOverride(s3EndpointResolverContext.endpointOverride()).accountId(s3AccessPointResource.accountId().get()).outpostId(((S3OutpostResource) s3AccessPointResource.parentS3Resource().get()).outpostId()).region(s3AccessPointResource.region().get()).accessPointName(s3AccessPointResource.accessPointName()).protocol(s3EndpointResolverContext.request().protocol()).domain(partitionMetadata.dnsSuffix()).toUri();
    }

    private URI getObjectLambdaAccessPointUri(S3EndpointResolverContext s3EndpointResolverContext, PartitionMetadata partitionMetadata, S3AccessPointResource s3AccessPointResource) {
        if (S3EndpointUtils.isDualstackEnabled(s3EndpointResolverContext.serviceConfiguration())) {
            throw new IllegalArgumentException("An Object Lambda Access Point ARN cannot be passed as a bucket parameter to an S3 operation if the S3 client has been configured with dualstack.");
        }
        return S3ObjectLambdaEndpointBuilder.create().endpointOverride(s3EndpointResolverContext.endpointOverride()).accountId(s3AccessPointResource.accountId().get()).region(s3AccessPointResource.region().get()).accessPointName(s3AccessPointResource.accessPointName()).protocol(s3EndpointResolverContext.request().protocol()).fipsEnabled(Boolean.valueOf(isFipsEnabled(s3EndpointResolverContext))).dualstackEnabled(Boolean.valueOf(S3EndpointUtils.isDualstackEnabled(s3EndpointResolverContext.serviceConfiguration()))).domain(partitionMetadata.dnsSuffix()).toUri();
    }

    private static Optional<String> resolveSigningService(S3Resource s3Resource) {
        return s3Resource instanceof S3OutpostResource ? Optional.of(S3_OUTPOSTS_NAME) : s3Resource instanceof S3ObjectLambdaResource ? Optional.of(S3_OBJECT_LAMBDA_NAME) : Optional.empty();
    }

    private boolean isFipsEnabled(S3EndpointResolverContext s3EndpointResolverContext) {
        return s3EndpointResolverContext.fipsEnabled() || S3EndpointUtils.isFipsRegion(s3EndpointResolverContext.region().toString());
    }
}
