package io.debezium.server.http.webhooks;

import io.debezium.DebeziumException;
import io.debezium.server.http.Authenticator;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:io/debezium/server/http/webhooks/StandardWebhooksAuthenticator.class */
public class StandardWebhooksAuthenticator implements Authenticator {
    static final String SECRET_PREFIX = "whsec_";
    static final String UNBRANDED_MSG_ID_KEY = "webhook-id";
    static final String UNBRANDED_MSG_SIGNATURE_KEY = "webhook-signature";
    static final String UNBRANDED_MSG_TIMESTAMP_KEY = "webhook-timestamp";
    private static final String HMAC_SHA256 = "HmacSHA256";
    private final Clock clock;
    private final Mac sha512Hmac;

    public StandardWebhooksAuthenticator(String str) {
        this(str, Clock.systemUTC());
    }

    StandardWebhooksAuthenticator(String str, Clock clock) {
        this.clock = clock;
        String str2 = str;
        byte[] decode = Base64.getDecoder().decode(str2.startsWith(SECRET_PREFIX) ? str2.substring(SECRET_PREFIX.length()) : str2);
        if (decode.length < 24 || decode.length > 64) {
            throw new DebeziumException("Webhook secret must be between 24 and 64 bytes");
        }
        try {
            this.sha512Hmac = Mac.getInstance(HMAC_SHA256);
            this.sha512Hmac.init(new SecretKeySpec(decode, HMAC_SHA256));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new DebeziumException("Failed to initialize HMAC-SHA256 signing algorithm", e);
        }
    }

    @Override // io.debezium.server.http.Authenticator
    public void setAuthorizationHeader(HttpRequest.Builder builder, String str, UUID uuid) {
        long epochSecond = Instant.now(this.clock).getEpochSecond();
        String str2 = "msg_" + String.valueOf(uuid);
        String sign = sign(str2, epochSecond, str);
        builder.setHeader(UNBRANDED_MSG_ID_KEY, str2);
        builder.setHeader(UNBRANDED_MSG_SIGNATURE_KEY, sign);
        builder.setHeader(UNBRANDED_MSG_TIMESTAMP_KEY, Long.toString(epochSecond));
    }

    @Override // io.debezium.server.http.Authenticator
    public boolean authenticate() throws InterruptedException {
        return true;
    }

    String sign(String str, long j, String str2) {
        return String.format("v1,%s", Base64.getEncoder().encodeToString(this.sha512Hmac.doFinal(String.format("%s.%s.%s", str, Long.valueOf(j), str2).getBytes(StandardCharsets.UTF_8))));
    }
}
