//
// Copyright 2020 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_AWS_REQUEST_SIGNER_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_AWS_REQUEST_SIGNER_H

#include <grpc/support/port_platform.h>

#include <map>
#include <string>

#include "src/core/lib/iomgr/error.h"
#include "src/core/lib/uri/uri_parser.h"

namespace grpc_core {

// Implements an AWS API request signer based on the AWS Signature Version 4
// signing process.
// https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
// To retrieve the subject token in AwsExternalAccountCredentials, we need to
// sign an AWS request server and use the signed request as the subject token.
// This class is a utility to sign an AWS request.
class AwsRequestSigner {
 public:
  // Construct a signer with the necessary information to sign a request.
  // `access_key_id`, `secret_access_key` and `token` are the AWS credentials
  // required for signing. `method` and `url` are the HTTP method and url of the
  // request. `region` is the region of the AWS environment. `request_payload`
  // is the payload of the HTTP request. `additional_headers` are additional
  // headers to be inject into the request.
  AwsRequestSigner(std::string access_key_id, std::string secret_access_key,
                   std::string token, std::string method, std::string url,
                   std::string region, std::string request_payload,
                   std::map<std::string, std::string> additional_headers,
                   grpc_error** error);

  // This method triggers the signing process then returns the headers of the
  // signed request as a map. In case there is an error, the input `error`
  // parameter will be updated and an empty map will be returned if there is
  // error.
  std::map<std::string, std::string> GetSignedRequestHeaders();

 private:
  std::string access_key_id_;
  std::string secret_access_key_;
  std::string token_;
  std::string method_;
  URI url_;
  std::string region_;
  std::string request_payload_;
  std::map<std::string, std::string> additional_headers_;

  std::string static_request_date_;
  std::map<std::string, std::string> request_headers_;
};

}  // namespace grpc_core

#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_AWS_REQUEST_SIGNER_H