package io.confluent.security.authentication.oidc;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import com.ibm.icu.impl.number.Padder;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Calendar;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/* loaded from: input_file:io/confluent/security/authentication/oidc/OpenIdClient.class */
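/**
 * Small OAuth 2.0 / OpenID Connect client that obtains tokens from an OpenID Provider.
 *
 * <p>The provider's token endpoint is discovered at build time from the issuer's
 * {@code .well-known/openid-configuration} document. Only the {@code client_credentials}
 * grant is handled (see {@link #handleGrant(GrantBase)}); a successful grant is cached and
 * re-used until {@link CachedGrant#isExpired()} reports it expired.
 *
 * <p>Thread-safety: the grant cache is a plain, unsynchronised field. Concurrent callers may
 * each request a token; the worst case is redundant token requests, not corrupted state,
 * but this class is not documented as thread-safe.
 */
public class OpenIdClient {
    static final String METADATA_PATH = ".well-known/openid-configuration";
    private static final String CLIENT_SECRET_BASIC_PREFIX = "Basic";
    /** Separator between the auth-scheme and the credentials in an HTTP {@code Authorization} header. */
    private static final String AUTH_SCHEME_SEPARATOR = " ";
    private final Client client;
    private final Supplier<ClientCredentials> credentialsSupplier;
    private final Function<ClientCredentials, String> authMethod;
    private final ObjectMapper objectMapper;
    private final MetadataResponse providerMetadata;
    private final Calendar calendar;
    // Last successful client_credentials grant, or null until one has been obtained.
    private CachedGrant cachedClientCredentialsGrant;

    /* loaded from: input_file:io/confluent/security/authentication/oidc/OpenIdClient$Builder.class */
    /**
     * Builder for {@link OpenIdClient}.
     *
     * <p>{@link #build()} performs network I/O (it fetches the provider's discovery document)
     * and fills in the {@code objectMapper} and {@code client} fields it was not given, so a
     * builder instance is not meant to be reused after {@code build()}.
     */
    public static class Builder {
        private Client client;
        private String metadataEndpoint;
        private ObjectMapper objectMapper;
        private Function<ClientCredentials, String> authMethod;
        private Supplier<ClientCredentials> credentialsSupplier;
        private SSLContext sslContext;
        private Calendar calendar;

        /**
         * Uses a caller-supplied JAX-RS client instead of building one. When set, the
         * {@link #sslContext(SSLContext)} value is ignored for requests made through it.
         */
        public Builder client(Client client) {
            this.client = client;
            return this;
        }

        /**
         * Sets the issuer URL; the discovery document is read from
         * {@code <issuer>/.well-known/openid-configuration}.
         *
         * @param str issuer URL, with or without a trailing slash
         * @throws NullPointerException if {@code str} is null
         */
        public Builder issuer(String str) {
            Objects.requireNonNull(str, "issuer");
            // Drop one trailing slash so the join below does not produce "//.well-known/...".
            String trimmedIssuer = str.replaceAll("/$", "");
            this.metadataEndpoint = String.join("/", trimmedIssuer, OpenIdClient.METADATA_PATH);
            return this;
        }

        /** Supplies the client credentials each time a token request is made. */
        public Builder credentialsSupplier(Supplier<ClientCredentials> supplier) {
            this.credentialsSupplier = supplier;
            return this;
        }

        /**
         * Maps credentials to the value of the {@code Authorization} header sent to the token
         * endpoint. Defaults to {@link OpenIdClient#clientSecretBasic(ClientCredentials)}.
         */
        public Builder authMethod(Function<ClientCredentials, String> function) {
            this.authMethod = function;
            return this;
        }

        /** Uses a caller-supplied {@link ObjectMapper} for JSON and form conversion. */
        public Builder objectMapper(ObjectMapper objectMapper) {
            this.objectMapper = objectMapper;
            return this;
        }

        /**
         * Returns the configured mapper, or a default one that ignores unknown properties,
         * reads enums via {@code toString()} and supports {@code java.util.Optional}.
         */
        private ObjectMapper objectMapper() {
            if (this.objectMapper != null) {
                return this.objectMapper;
            }
            return new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
                .enable(DeserializationFeature.READ_ENUMS_USING_TO_STRING)
                .registerModule(new Jdk8Module());
        }

        /** TLS context for the client built here; only used when no {@link #client(Client)} is given. */
        public Builder sslContext(SSLContext sSLContext) {
            this.sslContext = sSLContext;
            return this;
        }

        /** Clock source used to compute cached-grant expiry; defaults to {@link Calendar#getInstance()}. */
        public Builder calendar(Calendar calendar) {
            this.calendar = calendar;
            return this;
        }

        /**
         * Fetches the provider discovery document and creates the client.
         *
         * @return a configured {@link OpenIdClient}
         * @throws IllegalStateException if {@link #issuer(String)} was never called
         * @throws RuntimeException if the discovery document cannot be fetched or parsed
         */
        public OpenIdClient build() {
            if (this.metadataEndpoint == null) {
                throw new IllegalStateException("issuer must be set before build()");
            }
            this.objectMapper = objectMapper();
            ClientBuilder newBuilder = ClientBuilder.newBuilder();
            if (this.sslContext != null) {
                newBuilder.sslContext(this.sslContext);
            }
            if (this.client == null) {
                this.client = newBuilder.build()
                    .register(new JacksonJaxbJsonProvider(this.objectMapper, JacksonJaxbJsonProvider.DEFAULT_ANNOTATIONS));
            }
            MetadataResponse metadata = fetchProviderMetadata();
            Function<ClientCredentials, String> effectiveAuthMethod =
                this.authMethod == null ? OpenIdClient::clientSecretBasic : this.authMethod;
            Calendar effectiveCalendar = this.calendar == null ? Calendar.getInstance() : this.calendar;
            return new OpenIdClient(this.client, this.credentialsSupplier, effectiveAuthMethod,
                metadata, this.objectMapper, effectiveCalendar);
        }

        /**
         * Reads the discovery document through the JAX-RS client rather than a bare
         * {@link URL} so that the configured {@code sslContext} (trust store, client certs)
         * also governs discovery and not only the token endpoint.
         *
         * <p>NOTE(review): the document's {@code issuer} value is not compared against the
         * configured issuer here (OpenID Connect Discovery recommends that check); the
         * {@link MetadataResponse} accessor for it is not visible in this file.
         *
         * @throws RuntimeException wrapping any transport, HTTP or parse failure
         */
        private MetadataResponse fetchProviderMetadata() {
            try {
                // get(String.class) throws for non-2xx responses, so a failed discovery is loud.
                String body = this.client.target(this.metadataEndpoint)
                    .request(MediaType.APPLICATION_JSON)
                    .get(String.class);
                return this.objectMapper.readValue(body, MetadataResponse.class);
            } catch (IOException | RuntimeException e) {
                throw new RuntimeException("Failed to obtain OpenId Provider metadata", e);
            }
        }
    }

    private OpenIdClient(Client client, Supplier<ClientCredentials> supplier, Function<ClientCredentials, String> function, MetadataResponse metadataResponse, ObjectMapper objectMapper, Calendar calendar) {
        this.client = client;
        this.credentialsSupplier = supplier;
        this.authMethod = function;
        this.objectMapper = objectMapper;
        this.providerMetadata = metadataResponse;
        this.calendar = calendar;
    }

    /**
     * Processes a grant: for {@code CLIENT_CREDENTIALS} a token is obtained (or served from
     * cache) and stored on {@code grantBase} as either a token response or a token error.
     * Any other grant type is left untouched.
     *
     * @param grantBase grant holding the token request; receives the outcome
     */
    public void handleGrant(GrantBase grantBase) {
        switch (grantBase.getTokenRequest().grantType()) {
            case CLIENT_CREDENTIALS:
                handleCredentialsGrant(grantBase);
                return;
            default:
                // Unsupported grant types are not an error here; the grant is simply not handled.
                return;
        }
    }

    /**
     * Serves a client_credentials grant from cache when possible, otherwise POSTs the
     * form-encoded token request to the provider's token endpoint with the configured
     * {@code Authorization} header and caches a successful response.
     */
    private void handleCredentialsGrant(GrantBase grantBase) {
        // Read the field once so a concurrent replacement cannot turn the null check into an NPE.
        CachedGrant cached = this.cachedClientCredentialsGrant;
        if (cached != null && !cached.isExpired()) {
            grantBase.setTokenResponse(TokenResponse.fromCachedEntry(cached));
            return;
        }
        // NOTE(review): tokenEndpoint() is taken from the discovery document as-is; nothing
        // here enforces an https scheme, so the credentials header goes wherever it points.
        Response response = this.client.target(this.providerMetadata.tokenEndpoint())
            .request(MediaType.APPLICATION_FORM_URLENCODED)
            .accept(MediaType.APPLICATION_JSON)
            .header("Authorization", this.authMethod.apply(this.credentialsSupplier.get()))
            .post(formEncoder(grantBase.getTokenRequest()));
        handleResponse(grantBase, response);
        TokenResponse tokenResponse = grantBase.getTokenResponse();
        if (tokenResponse != null) {
            this.cachedClientCredentialsGrant = CachedGrant.fromTokenResponse(tokenResponse, this.calendar);
        }
    }

    /**
     * Maps the token-endpoint response onto {@code grantBase}: 2xx becomes a
     * {@link TokenResponse}, 4xx a {@link TokenError}. Redirects are deliberately not
     * followed (re-sending the {@code Authorization} header to a redirect target is not
     * wanted). The response is always closed, including on the branches that read no entity.
     *
     * <p>NOTE(review): 1xx, 3xx and 5xx leave the grant untouched, so callers only see
     * "no token response and no token error"; consider surfacing the status to them.
     */
    private void handleResponse(GrantBase grantBase, Response response) {
        try {
            Response.Status.Family family = response.getStatusInfo().getFamily();
            if (family == Response.Status.Family.SUCCESSFUL) {
                grantBase.setTokenResponse(response.readEntity(TokenResponse.class));
            } else if (family == Response.Status.Family.CLIENT_ERROR) {
                grantBase.setTokenError(response.readEntity(TokenError.class));
            } else if (family == Response.Status.Family.REDIRECTION) {
                // No logger is wired into this class; the redirect target goes to stdout as before.
                System.out.println("Redirecting to " + response.getLocation());
            }
        } finally {
            // readEntity() closes the response for non-stream types; close() is idempotent, so
            // this only matters for the branches above that never read the entity.
            response.close();
        }
    }

    /**
     * Converts an object to an {@code application/x-www-form-urlencoded} entity by mapping
     * it to {@code Map<String, String>} with the configured {@link ObjectMapper}; every
     * mapped property becomes one form parameter.
     *
     * @param t request object (a null value yields an empty form)
     */
    private <T> Entity<Form> formEncoder(T t) {
        Map<String, String> fields = this.objectMapper.convertValue(t, new TypeReference<Map<String, String>>() {
        });
        Form form = new Form();
        if (fields != null) {
            for (Map.Entry<String, String> entry : fields.entrySet()) {
                form.param(entry.getKey(), entry.getValue());
            }
        }
        return Entity.form(form);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds a {@code client_secret_basic} {@code Authorization} header value:
     * {@code Basic base64(clientId ":" clientSecret)}.
     *
     * <p>RFC 6749 §2.3.1 specifies that the client id and secret are form-urlencoded before
     * being joined and Base64-encoded; this implementation does not do that, so identifiers
     * or secrets containing reserved characters such as {@code ':'} or {@code '%'} may be
     * rejected by providers that decode strictly. The returned value embeds the secret and
     * must not be logged.
     *
     * @param clientCredentials credentials to encode
     * @return the header value
     */
    public static String clientSecretBasic(ClientCredentials clientCredentials) {
        String idAndSecret = String.join(":", clientCredentials.getClientId(), clientCredentials.getClientSecret());
        String encoded = Base64.getEncoder().encodeToString(idAndSecret.getBytes(StandardCharsets.UTF_8));
        return String.join(AUTH_SCHEME_SEPARATOR, CLIENT_SECRET_BASIC_PREFIX, encoded);
    }

    /** Creates a new {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }
}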
