package io.fabric8.kubernetes.client.utils;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import io.fabric8.kubernetes.api.model.AuthInfo;
import io.fabric8.kubernetes.api.model.AuthProviderConfig;
import io.fabric8.kubernetes.api.model.NamedAuthInfo;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.http.HttpClient;
import io.fabric8.kubernetes.client.http.HttpRequest;
import io.fabric8.kubernetes.client.internal.KubeConfigUtils;
import io.fabric8.kubernetes.client.internal.SSLUtils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.function.Function;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/fabric8/kubernetes/client/utils/OpenIDConnectionUtils.class */
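/**
 * Helpers for the {@code oidc} kubeconfig auth-provider: refreshing the id-token through the
 * issuer's token endpoint, persisting the refreshed tokens back into the kubeconfig and checking
 * whether the current id-token has expired.
 *
 * <p>Non-instantiable; all members are static.
 */
public class OpenIDConnectionUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpenIDConnectionUtils.class);

    // Keys of the auth-provider "config" map in the kubeconfig user entry.
    public static final String ID_TOKEN_KUBECONFIG = "id-token";
    public static final String ISSUER_KUBECONFIG = "idp-issuer-url";
    public static final String REFRESH_TOKEN_KUBECONFIG = "refresh-token";
    // OAuth 2.0 form parameters of the token-refresh request.
    private static final String REFRESH_TOKEN_PARAM = "refresh_token";
    public static final String GRANT_TYPE_PARAM = "grant_type";
    public static final String CLIENT_ID_PARAM = "client_id";
    public static final String CLIENT_SECRET_PARAM = "client_secret";
    public static final String CLIENT_ID_KUBECONFIG = "client-id";
    public static final String CLIENT_SECRET_KUBECONFIG = "client-secret";
    // Base64-encoded PEM CA bundle used to validate the identity provider's TLS certificate.
    private static final String IDP_CERT_DATA = "idp-certificate-authority-data";
    private static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";
    private static final String GRANT_TYPE_REFRESH_TOKEN = "refresh_token";
    private static final String JWT_TOKEN_EXPIRY_TIMESTAMP_KEY = "exp";
    private static final String JWT_PARTS_DELIMITER_REGEX = "\\.";
    // Seconds before the JWT "exp" claim at which the id-token is already reported as expired,
    // so a refresh happens before the API server rejects the token.
    private static final int TOKEN_EXPIRY_DELTA = 10;

    /** Subset of the OAuth 2.0 token response that this class consumes; unknown fields are ignored. */
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static final class OAuthToken {

        @JsonProperty("id_token")
        private String idToken;

        @JsonProperty("refresh_token")
        private String refreshToken;

        @JsonProperty("id_token")
        public void setIdToken(String idToken) {
            this.idToken = idToken;
        }

        @JsonProperty("refresh_token")
        public void setRefreshToken(String refreshToken) {
            this.refreshToken = refreshToken;
        }
    }

    /** Subset of the OpenID Provider discovery document; only the token endpoint is used. */
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static final class OpenIdConfiguration {

        @JsonProperty("token_endpoint")
        private String tokenEndpoint;

        @JsonProperty("token_endpoint")
        public void setTokenEndpoint(String tokenEndpoint) {
            this.tokenEndpoint = tokenEndpoint;
        }
    }

    private OpenIDConnectionUtils() {
    }

    /**
     * Resolves the id-token to use for API requests from an {@code oidc} auth-provider config.
     *
     * <p>Without a {@code refresh-token} the stored {@code id-token} is returned as-is. Otherwise
     * the issuer's discovery document is fetched, the token endpoint is called with the refresh
     * token, the response is persisted into the kubeconfig and the new id-token is returned. If the
     * refresh yields no id-token the previously stored one is returned instead.
     *
     * @param config client configuration (CA data and kubeconfig file are read from it)
     * @param authProviderConfig the auth-provider {@code config} map from the kubeconfig
     * @param clientBuilder builder for the HTTP client that talks to the identity provider
     * @return future completing with the id-token to use (possibly {@code null} if none is known)
     * @throws KubernetesClientException if the identity provider CA certificate cannot be loaded
     */
    public static CompletableFuture<String> resolveOIDCTokenFromAuthConfig(Config config, Map<String, String> authProviderConfig,
            HttpClient.Builder clientBuilder) {
        String currentIdToken = authProviderConfig.get(ID_TOKEN_KUBECONFIG);
        if (!isTokenRefreshSupported(authProviderConfig)) {
            return CompletableFuture.completedFuture(currentIdToken);
        }
        // Only resolved when a refresh is actually attempted: the fallback may read the CA file from disk.
        String idpCertData = authProviderConfig.getOrDefault(IDP_CERT_DATA, getClientCertDataFromConfig(config));
        HttpClient httpClient = initHttpClientWithPemCert(idpCertData, clientBuilder);
        CompletableFuture<String> resolvedToken = getOpenIdConfiguration(httpClient, authProviderConfig)
                .thenCompose(openIdConfiguration -> refreshOpenIdToken(httpClient, authProviderConfig, openIdConfiguration))
                .thenApply(oAuthToken -> persistOAuthToken(config, oAuthToken, null))
                .thenApply(oAuthToken -> {
                    if (oAuthToken != null && !Utils.isNullOrEmpty(oAuthToken.idToken)) {
                        return oAuthToken.idToken;
                    }
                    LOGGER.warn("token response did not contain an id_token, either the scope \\\"openid\\\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.");
                    return currentIdToken;
                });
        // The dedicated client is only needed for the refresh round-trips; release it on any outcome.
        resolvedToken.whenComplete((token, error) -> httpClient.close());
        return resolvedToken;
    }

    /**
     * A refresh is only possible when the auth-provider config carries a refresh token.
     *
     * @param authProviderConfig the auth-provider {@code config} map from the kubeconfig
     * @return {@code true} if a {@code refresh-token} entry is present
     */
    static boolean isTokenRefreshSupported(Map<String, String> authProviderConfig) {
        return Utils.isNotNull(authProviderConfig.get(REFRESH_TOKEN_KUBECONFIG));
    }

    /**
     * Fetches the issuer's {@code .well-known/openid-configuration} discovery document.
     *
     * @return future completing with the parsed document, or {@code null} when the request fails,
     *         returns a non-2xx status or an unparseable body (all of which are logged at warn)
     */
    private static CompletableFuture<OpenIdConfiguration> getOpenIdConfiguration(HttpClient httpClient,
            Map<String, String> authProviderConfig) {
        HttpRequest discoveryRequest = httpClient.newHttpRequestBuilder()
                .uri(resolveWellKnownUrlForOpenIDIssuer(authProviderConfig))
                .build();
        return httpClient.sendAsync(discoveryRequest, String.class).thenApply(response -> {
            try {
                if (response.isSuccessful() && response.body() != null) {
                    return Serialization.unmarshal(response.body(), OpenIdConfiguration.class);
                }
                LOGGER.warn("oidc: failed to query metadata endpoint: {} {}", response.code(), response.body());
                return null;
            } catch (Exception e) {
                LOGGER.warn("Could not refresh OIDC token, failure in getting refresh URL", e);
                return null;
            }
        });
    }

    /**
     * Exchanges the stored refresh token for a new token set at the issuer's token endpoint.
     *
     * @param httpClient client trusting the identity provider's CA
     * @param authProviderConfig the auth-provider {@code config} map (client id/secret, refresh token)
     * @param openIdConfiguration discovery document naming the token endpoint; may be {@code null}
     * @return future completing with the token response, or {@code null} when there is no usable
     *         token endpoint, the response has no body, is not successful or cannot be parsed
     */
    public static CompletableFuture<OAuthToken> refreshOpenIdToken(HttpClient httpClient, Map<String, String> authProviderConfig,
            OpenIdConfiguration openIdConfiguration) {
        if (openIdConfiguration == null || Utils.isNullOrEmpty(openIdConfiguration.tokenEndpoint)) {
            LOGGER.warn("oidc: discovery object doesn't contain a valid token endpoint: {}", openIdConfiguration);
            return CompletableFuture.completedFuture(null);
        }
        HttpRequest refreshRequest = initTokenRefreshHttpRequest(httpClient, authProviderConfig, openIdConfiguration.tokenEndpoint);
        return httpClient.sendAsync(refreshRequest, String.class).thenApply(response -> {
            String body = response.body();
            if (body == null) {
                return null;
            }
            if (!response.isSuccessful()) {
                // Error responses from the token endpoint carry no credentials, only the provider's error description.
                LOGGER.warn("Response: {}", body);
                return null;
            }
            try {
                return Serialization.unmarshal(body, OAuthToken.class);
            } catch (Exception e) {
                LOGGER.warn("Failure in fetching refresh token: ", e);
                return null;
            }
        });
    }

    /**
     * Stores a refreshed token set in the in-memory auth-provider config and, when the client was
     * loaded from a kubeconfig file with a current context, in that file's user entry as well.
     *
     * @param config client configuration; its auth-provider config map is updated in place
     * @param oAuthToken token response to persist; {@code null} persists nothing new
     * @param token optional static bearer token written to the kubeconfig user when non-empty
     * @return {@code oAuthToken}, unchanged, so the call can sit inside a future pipeline
     */
    public static OAuthToken persistOAuthToken(Config config, OAuthToken oAuthToken, String token) {
        Map<String, String> refreshedTokens = new HashMap<>();
        if (oAuthToken != null) {
            refreshedTokens.put(ID_TOKEN_KUBECONFIG, oAuthToken.idToken);
            refreshedTokens.put(REFRESH_TOKEN_KUBECONFIG, oAuthToken.refreshToken);
            Optional.of(config)
                    .map(Config::getAuthProvider)
                    .map(AuthProviderConfig::getConfig)
                    .ifPresent(authProviderConfig -> authProviderConfig.putAll(refreshedTokens));
        }
        if (config.getFile() != null && config.getCurrentContext() != null) {
            try {
                io.fabric8.kubernetes.api.model.Config kubeConfig = KubeConfigUtils.parseConfig(config.getFile());
                String userName = config.getCurrentContext().getContext().getUser();
                // Objects.equals tolerates user entries without a name instead of throwing.
                NamedAuthInfo namedAuthInfo = kubeConfig.getUsers().stream()
                        .filter(candidate -> Objects.equals(candidate.getName(), userName))
                        .findFirst()
                        .orElseGet(() -> {
                            NamedAuthInfo created = new NamedAuthInfo(userName, new AuthInfo());
                            kubeConfig.getUsers().add(created);
                            return created;
                        });
                if (namedAuthInfo.getUser() == null) {
                    namedAuthInfo.setUser(new AuthInfo());
                }
                if (namedAuthInfo.getUser().getAuthProvider() == null) {
                    namedAuthInfo.getUser().setAuthProvider(new AuthProviderConfig());
                }
                namedAuthInfo.getUser().getAuthProvider().getConfig().putAll(refreshedTokens);
                if (Utils.isNotNullOrEmpty(token)) {
                    namedAuthInfo.getUser().setToken(token);
                }
                // The tokens are written to the kubeconfig in clear text, as kubectl does.
                KubeConfigUtils.persistKubeConfigIntoFile(kubeConfig, config.getFile().getAbsolutePath());
            } catch (IOException e) {
                LOGGER.warn("oidc: failure while persisting new tokens into KUBECONFIG", e);
            }
        }
        return oAuthToken;
    }

    /** Builds {@code <idp-issuer-url>/.well-known/openid-configuration}. */
    private static String resolveWellKnownUrlForOpenIDIssuer(Map<String, String> authProviderConfig) {
        return URLUtils.join(authProviderConfig.get(ISSUER_KUBECONFIG), "/", WELL_KNOWN_OPENID_CONFIGURATION);
    }

    /**
     * Builds an HTTP client whose trust store is the identity provider CA from the kubeconfig.
     *
     * @param idpCertData base64-encoded PEM CA bundle
     * @param clientBuilder builder to configure and build
     * @return the built client
     * @throws KubernetesClientException when no certificate data is available or it cannot be imported
     */
    private static HttpClient initHttpClientWithPemCert(String idpCertData, HttpClient.Builder clientBuilder) {
        if (idpCertData == null) {
            // Previously failed with a bare NullPointerException inside the base64 decoder.
            throw new KubernetesClientException("Could not import idp certificate: no " + IDP_CERT_DATA
                    + " in the auth-provider config and no CA data in the client config");
        }
        // PEM is ASCII, so UTF-8 is charset-safe here; the platform default need not be.
        String pemCert = new String(Base64.getDecoder().decode(idpCertData), StandardCharsets.UTF_8);
        try {
            // NOTE(review): the boolean passed to trustManagers is presumably SSLUtils' trust-all switch;
            // it stays false so the provider's server certificate is validated — confirm against SSLUtils.
            clientBuilder.sslContext(
                    SSLUtils.keyManagers(pemCert, null, null, null, null, null, null, null),
                    SSLUtils.trustManagers(pemCert, null, false, null, null));
            return clientBuilder.build();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException
                | CertificateException | InvalidKeySpecException e) {
            throw KubernetesClientException.launderThrowable("Could not import idp certificate", e);
        }
    }

    /**
     * Builds the {@code grant_type=refresh_token} POST for the token endpoint. The client credentials
     * are sent as HTTP Basic auth and repeated in the form body, so both provider styles work. The
     * request carries the client secret and refresh token; it is never logged.
     *
     * @param tokenEndpoint token endpoint URL from the discovery document
     */
    private static HttpRequest initTokenRefreshHttpRequest(HttpClient httpClient, Map<String, String> authProviderConfig,
            String tokenEndpoint) {
        String clientId = authProviderConfig.get(CLIENT_ID_KUBECONFIG);
        String clientSecret = authProviderConfig.getOrDefault(CLIENT_SECRET_KUBECONFIG, "");
        HttpRequest.Builder requestBuilder = httpClient.newHttpRequestBuilder().uri(tokenEndpoint);
        String basicCredentials = Base64.getEncoder()
                .encodeToString((clientId + ':' + clientSecret).getBytes(StandardCharsets.UTF_8));
        requestBuilder.header(TokenRefreshInterceptor.AUTHORIZATION, "Basic " + basicCredentials);
        // LinkedHashMap keeps the form parameters in a stable order.
        Map<String, String> formData = new LinkedHashMap<>();
        formData.put(REFRESH_TOKEN_PARAM, authProviderConfig.get(REFRESH_TOKEN_KUBECONFIG));
        formData.put(GRANT_TYPE_PARAM, GRANT_TYPE_REFRESH_TOKEN);
        formData.put(CLIENT_ID_PARAM, clientId);
        formData.put(CLIENT_SECRET_PARAM, clientSecret);
        requestBuilder.post(formData);
        return requestBuilder.build();
    }

    /**
     * Reports whether the stored id-token is missing, malformed or within {@link #TOKEN_EXPIRY_DELTA}
     * seconds of its {@code exp} claim.
     *
     * <p>The JWT payload is decoded without verifying the signature: the result only decides whether
     * to attempt a refresh and is never used as proof of the token's authenticity. Any failure to
     * read the claim is treated as expired.
     *
     * @param config client configuration holding the auth-provider config
     * @return {@code true} when a refresh should be attempted
     */
    public static boolean idTokenExpired(Config config) {
        if (config.getAuthProvider() == null || config.getAuthProvider().getConfig() == null) {
            return true;
        }
        String idToken = config.getAuthProvider().getConfig().get(ID_TOKEN_KUBECONFIG);
        if (!isValidJwt(idToken)) {
            return true;
        }
        try {
            // JWS segments are base64url-encoded (RFC 7515); the basic decoder rejects '-' and '_'.
            byte[] payload = Base64.getUrlDecoder().decode(idToken.split(JWT_PARTS_DELIMITER_REGEX)[1]);
            Map<?, ?> claims = Serialization.unmarshal(new String(payload, StandardCharsets.UTF_8), Map.class);
            // "exp" is NumericDate (seconds); read it as a Number so values beyond int range still work.
            long expiresAtEpochSeconds = ((Number) claims.get(JWT_TOKEN_EXPIRY_TIMESTAMP_KEY)).longValue();
            return Instant.ofEpochSecond(expiresAtEpochSeconds).minusSeconds(TOKEN_EXPIRY_DELTA).isBefore(Instant.now());
        } catch (Exception e) {
            LOGGER.debug("oidc: could not read the exp claim of the id-token, treating it as expired", e);
            return true;
        }
    }

    /** A JWT in compact serialization has exactly three dot-separated segments. */
    private static boolean isValidJwt(String token) {
        return token != null && !token.isEmpty() && token.split(JWT_PARTS_DELIMITER_REGEX).length == 3;
    }

    /**
     * Falls back to the client's CA data, or the base64 content of its CA file, when the kubeconfig
     * carries no {@code idp-certificate-authority-data}.
     *
     * @return base64-encoded PEM data, or {@code null} when neither source is available or readable
     */
    private static String getClientCertDataFromConfig(Config config) {
        if (config.getCaCertData() != null && !config.getCaCertData().isEmpty()) {
            return config.getCaCertData();
        }
        if (config.getCaCertFile() == null) {
            return null;
        }
        try {
            return Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(config.getCaCertFile())));
        } catch (IOException e) {
            LOGGER.debug("Failure in reading certificate data from {}", config.getCaCertFile());
            return null;
        }
    }
}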
