package com.databricks.sdk.core.oauth;

import com.databricks.sdk.core.DatabricksConfig;
import com.databricks.sdk.core.DatabricksException;
import com.databricks.sdk.core.http.HttpClient;
import com.databricks.sdk.core.oauth.Consent;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

/* loaded from: input_file:com/databricks/sdk/core/oauth/OAuthClient.class */
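/**
 * Builds the authorization request for an OAuth authorization-code flow with PKCE (S256).
 *
 * <p>The token and authorization endpoints are taken from the OIDC endpoints that
 * {@link DatabricksConfig} resolves for the configured host. {@link #initiateConsent()} creates a
 * fresh {@code state} value and PKCE verifier per call and hands both to the returned
 * {@link Consent}.
 */
public class OAuthClient {
    private final String clientId;
    // May be null: the builder does not require a secret.
    private final String clientSecret;
    private final String host;
    private final String redirectUrl;
    private final List<String> scopes;
    private final String tokenUrl;
    private final String authUrl;
    private final HttpClient hc;
    // Source of the state and PKCE verifier bytes; must stay a SecureRandom.
    private final SecureRandom random;
    private final boolean isAws;
    private final boolean isAzure;

    /**
     * Collects the settings for an {@link OAuthClient}.
     *
     * <p>{@code clientId} and {@code redirectUrl} are mandatory; {@link #build()} fails with a
     * {@link NullPointerException} when either is missing. The other values are passed through
     * unchecked.
     */
    public static class Builder {
        private String host;
        private String clientId;
        private String redirectUrl;
        private List<String> scopes;
        private String clientSecret;
        private HttpClient hc;

        /** Sets the HTTP client that is handed on to the {@link Consent}. */
        public Builder withHttpClient(HttpClient httpClient) {
            this.hc = httpClient;
            return this;
        }

        /** Sets the host whose OIDC endpoints are resolved when the client is built. */
        public Builder withHost(String str) {
            this.host = str;
            return this;
        }

        /** Sets the OAuth client id (required). */
        public Builder withClientId(String str) {
            this.clientId = str;
            return this;
        }

        /** Sets the OAuth client secret (optional). */
        public Builder withClientSecret(String str) {
            this.clientSecret = str;
            return this;
        }

        /** Sets the redirect URL sent as {@code redirect_uri} (required). */
        public Builder withRedirectUrl(String str) {
            this.redirectUrl = str;
            return this;
        }

        /**
         * Sets the scopes to request. Ignored when the resolved host is Azure; when left unset on
         * other hosts the default scopes are used. The list is stored by reference, not copied.
         */
        public Builder withScopes(List<String> list) {
            this.scopes = list;
            return this;
        }

        /**
         * Creates the client.
         *
         * @throws NullPointerException if the client id or redirect URL was not set
         * @throws DatabricksException if no OIDC endpoints are resolved for the host
         * @throws IOException declared by the constructor (raised by endpoint resolution,
         *     presumably; the throwing call is not visible in this class)
         */
        public OAuthClient build() throws IOException {
            return new OAuthClient(this);
        }
    }

    private OAuthClient(Builder builder) throws IOException {
        this.random = new SecureRandom();
        this.clientId = Objects.requireNonNull(builder.clientId, "clientId");
        this.clientSecret = builder.clientSecret;
        this.redirectUrl = Objects.requireNonNull(builder.redirectUrl, "redirectUrl");
        this.host = builder.host;
        this.hc = builder.hc;
        DatabricksConfig resolve = new DatabricksConfig().setHost(builder.host).resolve();
        OpenIDConnectEndpoints oidcEndpoints = resolve.getOidcEndpoints();
        if (oidcEndpoints == null) {
            throw new DatabricksException(builder.host + " does not support OAuth");
        }
        this.isAws = resolve.isAws();
        this.isAzure = resolve.isAzure();
        this.tokenUrl = oidcEndpoints.getTokenEndpoint();
        this.authUrl = oidcEndpoints.getAuthorizationEndpoint();
        if (resolve.isAzure()) {
            // On Azure the scopes are derived from the login application id; any scopes given to
            // the builder are not used.
            this.scopes = Arrays.asList(resolve.getEffectiveAzureLoginAppId() + "/user_impersonation", "offline_access");
        } else if (builder.scopes == null) {
            this.scopes = Arrays.asList("offline_access", "clusters", "sql");
        } else {
            this.scopes = builder.scopes;
        }
    }

    /** Returns the host given to the builder (may be null). */
    public String getHost() {
        return this.host;
    }

    /** Returns the OAuth client id. */
    public String getClientId() {
        return this.clientId;
    }

    /**
     * Returns the client secret given to the builder, or null when none was set. The value is a
     * credential: keep it out of logs and exception messages.
     */
    public String getClientSecret() {
        return this.clientSecret;
    }

    /** Returns the redirect URL sent as {@code redirect_uri}. */
    public String getRedirectUrl() {
        return this.redirectUrl;
    }

    /** Returns the token endpoint resolved for the host. */
    public String getTokenUrl() {
        return this.tokenUrl;
    }

    /** Returns the authorization endpoint resolved for the host. */
    public String getAuthUrl() {
        return this.authUrl;
    }

    /**
     * Returns the scopes that will be requested. This is the internal list itself (the caller's
     * list when one was supplied on a non-Azure host), so changes to it affect later requests.
     */
    public List<String> getScopes() {
        return this.scopes;
    }

    /** Returns whether the resolved configuration reports an AWS host. */
    public boolean isAws() {
        return this.isAws;
    }

    /** Returns whether the resolved configuration reports an Azure host. */
    public boolean isAzure() {
        return this.isAzure;
    }

    /**
     * Returns {@code numBytes} bytes from the SecureRandom as unpadded base64url text.
     */
    private String tokenUrlSafe(int numBytes) {
        byte[] raw = new byte[numBytes];
        this.random.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Returns the SHA-256 digest of {@code input}.
     *
     * @throws DatabricksException if the JVM has no SHA-256 provider
     */
    private static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new DatabricksException("SHA-256 algorithm not found", e);
        }
    }

    /**
     * Percent-encodes one query-string key or value as UTF-8.
     *
     * <p>{@link URLEncoder} writes a space as {@code +}; it is rewritten to {@code %20} so the
     * scope separator keeps the form this class has always sent. A literal {@code +} in the input
     * is already {@code %2B} at that point, so the rewrite cannot touch it.
     */
    private static String encodeQueryComponent(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name()).replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            throw new DatabricksException("UTF-8 encoding not supported", e);
        }
    }

    /**
     * Appends {@code params} to {@code urlBase} as a query string.
     *
     * <p>Every key and value is percent-encoded. Without that, a redirect URL or scope containing
     * {@code &}, {@code =}, {@code #} or {@code ?} would be read by the authorization server as
     * additional or truncated parameters instead of as part of the value.
     */
    private static String urlEncode(String urlBase, Map<String, String> params) {
        String query = params.entrySet().stream()
                .map(entry -> encodeQueryComponent(entry.getKey()) + "=" + encodeQueryComponent(entry.getValue()))
                .collect(Collectors.joining("&"));
        return urlBase + "?" + query;
    }

    /**
     * Starts an authorization-code flow and returns the {@link Consent} that carries it.
     *
     * <p>Each call generates a new {@code state} (16 random bytes) and a new PKCE verifier
     * (32 random bytes, 43 base64url characters). Only the S256 challenge derived from the
     * verifier is placed in the authorization URL; the verifier and the state are passed to the
     * Consent. How the Consent checks the returned state is not visible in this class.
     *
     * @return a Consent holding the authorization URL, token URL, state and verifier
     * @throws MalformedURLException declared for the Consent construction
     */
    public Consent initiateConsent() throws MalformedURLException {
        String state = tokenUrlSafe(16);
        String verifier = tokenUrlSafe(32);
        // code_challenge = BASE64URL(SHA-256(verifier)), unpadded, matching the "S256" method below.
        String challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(sha256(verifier.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> params = new HashMap<>();
        params.put("response_type", "code");
        params.put("client_id", this.clientId);
        params.put("redirect_uri", this.redirectUrl);
        params.put("scope", String.join(" ", this.scopes));
        params.put("state", state);
        params.put("code_challenge", challenge);
        params.put("code_challenge_method", "S256");
        return new Consent.Builder()
                .withClientId(this.clientId)
                .withClientSecret(this.clientSecret)
                .withAuthUrl(urlEncode(this.authUrl, params))
                .withTokenUrl(this.tokenUrl)
                .withRedirectUrl(this.redirectUrl)
                .withState(state)
                .withVerifier(verifier)
                .withHttpClient(this.hc)
                .build();
    }
}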
