package io.fabric8.kubernetes.client.utils;

import com.fasterxml.jackson.core.JsonProcessingException;
import io.fabric8.kubernetes.api.model.Config;
import io.fabric8.kubernetes.api.model.NamedContext;
import io.fabric8.kubernetes.client.http.HttpClient;
import io.fabric8.kubernetes.client.http.HttpRequest;
import io.fabric8.kubernetes.client.http.HttpResponse;
import io.fabric8.kubernetes.client.internal.KubeConfigUtils;
import io.fabric8.kubernetes.client.internal.SSLUtils;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:io/fabric8/kubernetes/client/utils/OpenIDConnectionUtils.class
 */
/* loaded from: input_file:lib/kubernetes-client-5.12.2.jar:io/fabric8/kubernetes/client/utils/OpenIDConnectionUtils.class */
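/**
 * Static helpers that refresh an OpenID Connect ID token using the values stored in a kubeconfig
 * user's {@code auth-provider} configuration, and optionally write the refreshed tokens back to the
 * kubeconfig file.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The refresh token and client secret are sent to whatever {@code token_endpoint} the issuer's
 *       discovery document advertises; no scheme or host check is applied to it here.</li>
 *   <li>Bodies of unsuccessful IdP responses are logged verbatim at WARN level.</li>
 *   <li>Refreshed tokens are persisted into the kubeconfig file when persistence is requested.</li>
 * </ul>
 */
public class OpenIDConnectionUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpenIDConnectionUtils.class);
    public static final String EMPTY = "";

    // Keys of the kubeconfig auth-provider configuration map.
    public static final String ID_TOKEN_KUBECONFIG = "id-token";
    public static final String ISSUER_KUBECONFIG = "idp-issuer-url";
    public static final String REFRESH_TOKEN_KUBECONFIG = "refresh-token";

    // Parameter names used in the token request and token response.
    public static final String REFRESH_TOKEN_PARAM = "refresh_token";
    public static final String GRANT_TYPE_PARAM = "grant_type";
    public static final String CLIENT_ID_PARAM = "client_id";
    public static final String CLIENT_SECRET_PARAM = "client_secret";
    public static final String ID_TOKEN_PARAM = "id_token";
    public static final String ACCESS_TOKEN_PARAM = "access_token";

    public static final String CLIENT_ID_KUBECONFIG = "client-id";
    public static final String CLIENT_SECRET_KUBECONFIG = "client-secret";
    public static final String IDP_CERT_DATA = "idp-certificate-authority-data";
    public static final String TOKEN_ENDPOINT_PARAM = "token_endpoint";
    public static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";
    public static final String GRANT_TYPE_REFRESH_TOKEN = "refresh_token";

    private OpenIDConnectionUtils() {
    }

    /**
     * Resolves the ID token to use for the given auth-provider configuration.
     *
     * <p>When the configuration holds a refresh token, a refresh is attempted on every call (no
     * expiry check is made here); if the refresh fails the stored {@code id-token} is returned.
     * Without a refresh token the stored {@code id-token} is returned unchanged.
     *
     * @param currentAuthProviderConfig auth-provider configuration map from the kubeconfig
     * @param clientBuilder builder used to create the HTTP client that talks to the issuer
     * @return the refreshed ID token, or the stored one (possibly {@code null})
     */
    public static String resolveOIDCTokenFromAuthConfig(Map<String, String> currentAuthProviderConfig, HttpClient.Builder clientBuilder) {
        String storedIdToken = currentAuthProviderConfig.get(ID_TOKEN_KUBECONFIG);
        if (!isTokenRefreshSupported(currentAuthProviderConfig)) {
            return storedIdToken;
        }
        return getOIDCProviderTokenEndpointAndRefreshToken(
                currentAuthProviderConfig.get(ISSUER_KUBECONFIG),
                currentAuthProviderConfig.get(CLIENT_ID_KUBECONFIG),
                currentAuthProviderConfig.get(REFRESH_TOKEN_KUBECONFIG),
                currentAuthProviderConfig.getOrDefault(CLIENT_SECRET_KUBECONFIG, ""),
                storedIdToken,
                currentAuthProviderConfig.get(IDP_CERT_DATA),
                clientBuilder);
    }

    /**
     * Looks up the token endpoint in the discovery document and tries to refresh the ID token.
     *
     * <p>Any exception raised during the refresh is logged (message only) and swallowed so that the
     * caller still receives {@code fallbackToken}.
     *
     * @param client HTTP client used for the token request
     * @param discoveryDocument parsed OIDC discovery document
     * @param clientId OIDC client id
     * @param currentRefreshToken refresh token to exchange
     * @param clientSecret OIDC client secret
     * @param fallbackToken token returned when no new ID token could be obtained
     * @param shouldPersistUpdatedTokenInKubeConfig whether refreshed tokens are written to the kubeconfig
     * @return the refreshed ID token, or {@code fallbackToken}
     */
    static String getOIDCProviderTokenEndpointAndRefreshToken(HttpClient client, Map<String, Object> discoveryDocument, String clientId, String currentRefreshToken, String clientSecret, String fallbackToken, boolean shouldPersistUpdatedTokenInKubeConfig) {
        try {
            // NOTE(review): the endpoint is taken verbatim from the discovery document; nothing here
            // checks that it is https or related to the issuer before credentials are sent to it.
            String tokenEndpoint = getParametersFromDiscoveryResponse(discoveryDocument, TOKEN_ENDPOINT_PARAM);
            String refreshedIdToken = refreshToken(client, tokenEndpoint, clientId, currentRefreshToken, clientSecret, shouldPersistUpdatedTokenInKubeConfig);
            if (refreshedIdToken != null) {
                return refreshedIdToken;
            }
        } catch (Exception e) {
            LOGGER.warn("Could not refresh OIDC token: {}", e.getMessage());
        }
        return fallbackToken;
    }

    /**
     * Reports whether the auth-provider configuration carries a refresh token.
     *
     * @param currentAuthProviderConfig auth-provider configuration map from the kubeconfig
     * @return {@code true} when a {@code refresh-token} entry is present
     */
    static boolean isTokenRefreshSupported(Map<String, String> currentAuthProviderConfig) {
        return Utils.isNotNull(currentAuthProviderConfig.get(REFRESH_TOKEN_KUBECONFIG));
    }

    /**
     * Exchanges the refresh token at the token endpoint and returns the new ID token.
     *
     * @param client HTTP client used for the token request
     * @param tokenEndpoint URL of the IdP token endpoint
     * @param clientId OIDC client id
     * @param currentRefreshToken refresh token to exchange
     * @param clientSecret OIDC client secret
     * @param shouldPersistUpdatedTokenInKubeConfig whether the response tokens are written to the kubeconfig
     * @return the new ID token, or {@code null} when the response has none or the request failed
     */
    static String refreshToken(HttpClient client, String tokenEndpoint, String clientId, String currentRefreshToken, String clientSecret, boolean shouldPersistUpdatedTokenInKubeConfig) {
        try {
            Map<String, Object> tokenResponse = refreshOidcToken(client, clientId, currentRefreshToken, clientSecret, tokenEndpoint);
            // A key that is present but null must count as missing; otherwise String.valueOf would
            // turn it into the literal string "null" and hand that out as a bearer token.
            Object newIdToken = tokenResponse.get(ID_TOKEN_PARAM);
            if (newIdToken == null) {
                LOGGER.warn("token response did not contain an id_token, either the scope \\\"openid\\\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.");
                return null;
            }
            if (shouldPersistUpdatedTokenInKubeConfig && !persistKubeConfigWithUpdatedToken(tokenResponse)) {
                LOGGER.warn("oidc: failure while persisting new tokens into KUBECONFIG");
            }
            return String.valueOf(newIdToken);
        } catch (IOException e) {
            LOGGER.warn("Failure in fetching refresh token: ", e);
            return null;
        }
    }

    /**
     * Sends the refresh-token request and parses a successful JSON response.
     *
     * @param client HTTP client used for the token request
     * @param clientId OIDC client id
     * @param currentRefreshToken refresh token to exchange
     * @param clientSecret OIDC client secret
     * @param tokenEndpoint URL of the IdP token endpoint
     * @return the parsed response, or an empty map when the body is absent or the status is not successful
     * @throws IOException if the request fails or the body is not valid JSON
     */
    static Map<String, Object> refreshOidcToken(HttpClient client, String clientId, String currentRefreshToken, String clientSecret, String tokenEndpoint) throws IOException {
        HttpRequest request = getTokenRefreshHttpRequest(client, tokenEndpoint, clientId, currentRefreshToken, clientSecret);
        HttpResponse<String> response = client.send(request, String.class);
        String body = response.body();
        if (body == null) {
            return Collections.emptyMap();
        }
        if (response.isSuccessful()) {
            return convertJsonStringToMap(body);
        }
        // NOTE(review): the error body is logged as received; confirm the IdP never echoes request
        // parameters (refresh token, client secret) in its error responses.
        LOGGER.warn("Response: {}", body);
        return Collections.emptyMap();
    }

    /**
     * Fetches and parses the issuer's OIDC discovery document.
     *
     * @param client HTTP client used for the request
     * @param issuer issuer URL from the kubeconfig
     * @return the parsed document, or an empty map on I/O failure, non-successful status or empty body
     */
    static Map<String, Object> getOIDCDiscoveryDocumentAsMap(HttpClient client, String issuer) {
        try {
            HttpRequest request = client.newHttpRequestBuilder().uri(getWellKnownUrlForOpenIDIssuer(issuer)).build();
            HttpResponse<String> response = client.send(request, String.class);
            if (response.isSuccessful() && response.body() != null) {
                return convertJsonStringToMap(response.body());
            }
            LOGGER.warn("oidc: failed to query metadata endpoint: {} {}", response.code(), response.body());
        } catch (IOException e) {
            // The response must not be touched on this path: nothing was received.
            LOGGER.warn("Could not refresh OIDC token, failure in getting refresh URL", e);
        }
        return Collections.emptyMap();
    }

    /**
     * Builds the discovery URL for an issuer.
     *
     * @param issuer issuer URL
     * @return the issuer URL joined with {@code .well-known/openid-configuration}
     */
    static String getWellKnownUrlForOpenIDIssuer(String issuer) {
        return URLUtils.join(issuer, "/", WELL_KNOWN_OPENID_CONFIGURATION);
    }

    /**
     * Reads one entry of the discovery document as a string.
     *
     * @param responseAsJson parsed discovery document
     * @param key entry to read
     * @return the entry's string form, or an empty string (after a warning) when the key is absent
     */
    static String getParametersFromDiscoveryResponse(Map<String, Object> responseAsJson, String key) {
        if (!responseAsJson.containsKey(key)) {
            LOGGER.warn("oidc: oidc: discovery object doesn't contain a {}", key);
            return "";
        }
        return String.valueOf(responseAsJson.get(key));
    }

    /**
     * Writes the tokens of a token response into the auth-provider configuration of the current
     * context's user and saves the kubeconfig file.
     *
     * <p>An entry is only overwritten when the response carries a non-null value for it. Providers
     * that do not rotate refresh tokens omit {@code refresh_token}; overwriting unconditionally would
     * replace the still-valid stored refresh token with the literal string "null".
     *
     * @param kubeConfigPath path of the kubeconfig file to update
     * @param updatedAuthProviderConfig token response from the IdP
     * @return {@code true} when the file was written; {@code false} when there is no current context,
     *         the context's user cannot be located, or the write fails
     * @throws IOException if the kubeconfig file cannot be parsed
     */
    static boolean persistKubeConfigWithUpdatedToken(String kubeConfigPath, Map<String, Object> updatedAuthProviderConfig) throws IOException {
        Config kubeConfig = KubeConfigUtils.parseConfig(new File(kubeConfigPath));
        NamedContext currentContext = KubeConfigUtils.getCurrentContext(kubeConfig);
        if (currentContext == null) {
            return false;
        }
        int userIndex = KubeConfigUtils.getNamedUserIndexFromConfig(kubeConfig, currentContext.getContext().getUser());
        if (userIndex < 0 || userIndex >= kubeConfig.getUsers().size()) {
            // Report a persistence failure instead of throwing, so the caller keeps the new ID token.
            LOGGER.warn("oidc: user of the current context not found in {}", kubeConfigPath);
            return false;
        }
        Map<String, String> authProviderConfig = kubeConfig.getUsers().get(userIndex).getUser().getAuthProvider().getConfig();
        Object newIdToken = updatedAuthProviderConfig.get(ID_TOKEN_PARAM);
        if (newIdToken != null) {
            authProviderConfig.put(ID_TOKEN_KUBECONFIG, String.valueOf(newIdToken));
        }
        Object newRefreshToken = updatedAuthProviderConfig.get(REFRESH_TOKEN_PARAM);
        if (newRefreshToken != null) {
            authProviderConfig.put(REFRESH_TOKEN_KUBECONFIG, String.valueOf(newRefreshToken));
        }
        kubeConfig.getUsers().get(userIndex).getUser().getAuthProvider().setConfig(authProviderConfig);
        try {
            // NOTE(review): the file now holds fresh credentials; confirm persistKubeConfigIntoFile
            // keeps the file's restrictive permissions.
            KubeConfigUtils.persistKubeConfigIntoFile(kubeConfig, kubeConfigPath);
            return true;
        } catch (IOException e) {
            LOGGER.warn("failed to write file {}", kubeConfigPath, e);
            return false;
        }
    }

    /** Parses a JSON object string into a map using the shared JSON mapper. */
    @SuppressWarnings("unchecked") // readValue(String, Map.class) yields a raw Map
    private static Map<String, Object> convertJsonStringToMap(String jsonString) throws JsonProcessingException {
        return Serialization.jsonMapper().readValue(jsonString, Map.class);
    }

    /**
     * Builds an HTTP client that trusts the IdP certificate stored in the kubeconfig.
     *
     * <p>When no certificate data is configured the builder's existing TLS settings are used as they
     * are; previously a missing entry failed with a {@link NullPointerException} in the Base64 decoder.
     *
     * @param idpCert Base64-encoded PEM certificate, may be {@code null} or empty
     * @param clientBuilder builder to configure and build
     * @return the built client
     * @throws RuntimeException if the certificate cannot be imported
     */
    private static HttpClient getDefaultHttpClientWithPemCert(String idpCert, HttpClient.Builder clientBuilder) {
        if (idpCert == null || idpCert.isEmpty()) {
            return clientBuilder.build();
        }
        // Explicit charset so decoding does not depend on the platform default.
        String pemCert = new String(java.util.Base64.getDecoder().decode(idpCert), StandardCharsets.UTF_8);
        try {
            TrustManager[] trustManagers = SSLUtils.trustManagers(pemCert, null, false, null, null);
            SSLContext sslContext = SSLUtils.sslContext(SSLUtils.keyManagers(pemCert, null, null, null, null, null, null, null), trustManagers);
            if (sslContext != null) {
                clientBuilder.sslContext(sslContext, trustManagers);
            }
            return clientBuilder.build();
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | InvalidKeySpecException e) {
            throw new RuntimeException("Could not import idp certificate", e);
        }
    }

    /**
     * Builds the POST request for the refresh-token grant.
     *
     * <p>The client credentials are sent twice: as an HTTP Basic {@code Authorization} header and as
     * {@code client_id}/{@code client_secret} form fields.
     */
    private static HttpRequest getTokenRefreshHttpRequest(HttpClient client, String tokenEndpoint, String clientId, String currentRefreshToken, String clientSecret) {
        HttpRequest.Builder requestBuilder = client.newHttpRequestBuilder().uri(tokenEndpoint);
        Map<String, String> formBody = getRequestBodyContentForRefresh(clientId, currentRefreshToken, clientSecret);
        String basicCredentials = java.util.Base64.getEncoder().encodeToString((clientId + ':' + clientSecret).getBytes(StandardCharsets.UTF_8));
        requestBuilder.header("Authorization", "Basic " + basicCredentials);
        requestBuilder.post(formBody);
        return requestBuilder.build();
    }

    /** Assembles the form fields of the refresh-token grant, in insertion order. */
    private static Map<String, String> getRequestBodyContentForRefresh(String clientId, String currentRefreshToken, String clientSecret) {
        Map<String, String> formBody = new LinkedHashMap<>();
        formBody.put(REFRESH_TOKEN_PARAM, currentRefreshToken);
        formBody.put(GRANT_TYPE_PARAM, GRANT_TYPE_REFRESH_TOKEN);
        formBody.put(CLIENT_ID_PARAM, clientId);
        formBody.put(CLIENT_SECRET_PARAM, clientSecret);
        return formBody;
    }

    /**
     * Creates a client for the issuer, fetches the discovery document, refreshes the token and
     * persists the result into the kubeconfig. The client is closed on every exit path.
     */
    private static String getOIDCProviderTokenEndpointAndRefreshToken(String issuer, String clientId, String currentRefreshToken, String clientSecret, String fallbackToken, String idpCert, HttpClient.Builder clientBuilder) {
        try (HttpClient client = getDefaultHttpClientWithPemCert(idpCert, clientBuilder)) {
            Map<String, Object> discoveryDocument = getOIDCDiscoveryDocumentAsMap(client, issuer);
            return getOIDCProviderTokenEndpointAndRefreshToken(client, discoveryDocument, clientId, currentRefreshToken, clientSecret, fallbackToken, true);
        }
    }

    /** Persists the token response into the kubeconfig file named by the client configuration. */
    private static boolean persistKubeConfigWithUpdatedToken(Map<String, Object> updatedAuthProviderConfig) throws IOException {
        return persistKubeConfigWithUpdatedToken(io.fabric8.kubernetes.client.Config.getKubeconfigFilename(), updatedAuthProviderConfig);
    }
}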
