package net.snowflake.client.core.auth.oauth;

import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import net.snowflake.client.core.AssertUtil;
import net.snowflake.client.core.SFException;
import net.snowflake.client.core.SFLoginInput;
import net.snowflake.client.core.SessionUtilExternalBrowser;
import net.snowflake.client.core.SnowflakeJdbcInternalApi;
import net.snowflake.client.core.auth.AuthenticatorType;
import net.snowflake.client.jdbc.ErrorCode;
import net.snowflake.client.jdbc.SnowflakeUtil;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;

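/**
 * Validates OAuth login input and builds the {@link AccessTokenProvider} for the requested
 * OAuth flow.
 *
 * <p>Two authenticator types are handled: {@code OAUTH_AUTHORIZATION_CODE} and {@code
 * OAUTH_CLIENT_CREDENTIALS}. Any other type is rejected with an {@link SFException}.
 *
 * <p>Security notes for maintainers:
 *
 * <ul>
 *   <li>The client id and client secret are only checked for presence ({@code != null}); they are
 *       never written to the log or to an exception message by this class. An empty string
 *       passes the presence check.
 *   <li>The authorization and token endpoint URLs <em>are</em> echoed into log and exception
 *       messages. NOTE(review): if callers can embed credentials in those URLs (userinfo or
 *       query string), they would be logged as-is; confirm whether masking is applied
 *       downstream.
 *   <li>A host mismatch between the authorization and token endpoints is only logged as a
 *       warning; it does not fail the login.
 * </ul>
 */
@SnowflakeJdbcInternalApi
/* loaded from: input_file:net/snowflake/client/core/auth/oauth/OAuthAccessTokenProviderFactory.class */
public class OAuthAccessTokenProviderFactory {
    private static final SFLogger logger = SFLoggerFactory.getLogger(OAuthAccessTokenProviderFactory.class);

    /** Authenticator types this factory can build a provider for. */
    private static final Set<AuthenticatorType> ELIGIBLE_AUTH_TYPES = new HashSet<>(Arrays.asList(AuthenticatorType.OAUTH_AUTHORIZATION_CODE, AuthenticatorType.OAUTH_CLIENT_CREDENTIALS));

    /** Scheme prefix that is refused for the redirect URI. */
    private static final String HTTPS_SCHEME_PREFIX = "https";

    private static final String MALFORMED_ENDPOINTS_FORMAT = "OAuth authorization URL and token URL must be specified in proper format; oauthAuthorizationUrl=%s oauthTokenRequestUrl=%s";

    private final SessionUtilExternalBrowser.AuthExternalBrowserHandlers browserHandler;
    private final long browserAuthorizationTimeoutSeconds;

    /**
     * @param authExternalBrowserHandlers handlers passed on to the authorization-code provider
     * @param browserAuthorizationTimeoutSeconds timeout, in seconds, passed on to the
     *     authorization-code provider
     */
    public OAuthAccessTokenProviderFactory(SessionUtilExternalBrowser.AuthExternalBrowserHandlers authExternalBrowserHandlers, long browserAuthorizationTimeoutSeconds) {
        this.browserHandler = authExternalBrowserHandlers;
        this.browserAuthorizationTimeoutSeconds = browserAuthorizationTimeoutSeconds;
    }

    /**
     * Validates the login input for the given flow and returns the matching provider.
     *
     * @param authenticatorType requested OAuth flow
     * @param sFLoginInput login input carrying the OAuth settings to validate
     * @return a provider for the requested flow
     * @throws SFException if the type is {@code null} or unsupported, or if the OAuth settings
     *     fail validation
     */
    public AccessTokenProvider createAccessTokenProvider(AuthenticatorType authenticatorType, SFLoginInput sFLoginInput) throws SFException {
        // A null selector would make the switch below throw a bare NullPointerException;
        // report it through the same "unsupported" path as any other unknown type.
        if (authenticatorType == null) {
            throw unsupportedAuthenticator(null);
        }
        switch (authenticatorType) {
            case OAUTH_AUTHORIZATION_CODE:
                assertContainsClientCredentials(sFLoginInput, authenticatorType);
                validateHttpRedirectUriIfSpecified(sFLoginInput);
                validateAuthorizationAndTokenEndpointsIfSpecified(sFLoginInput);
                // A fresh RandomStateProvider is created per provider instance.
                return new OAuthAuthorizationCodeAccessTokenProvider(this.browserHandler, new RandomStateProvider(), this.browserAuthorizationTimeoutSeconds);
            case OAUTH_CLIENT_CREDENTIALS:
                assertContainsClientCredentials(sFLoginInput, authenticatorType);
                // Only null is rejected here; an empty token URL passes this check.
                AssertUtil.assertTrue(sFLoginInput.getOauthLoginInput().getTokenRequestUrl() != null, "passing oauthTokenRequestUrl is required for OAUTH_CLIENT_CREDENTIALS authentication");
                return new OAuthClientCredentialsAccessTokenProvider();
            default:
                throw unsupportedAuthenticator(authenticatorType);
        }
    }

    /** Logs the unsupported type and builds the exception for the caller to throw. */
    private SFException unsupportedAuthenticator(AuthenticatorType authenticatorType) {
        String message = "Unsupported authenticator type: " + authenticatorType;
        logger.error(message);
        return new SFException(ErrorCode.INTERNAL_ERROR, message);
    }

    /**
     * Checks the external-IdP endpoint pair: either both URLs are absent (nothing to validate) or
     * both are present, parseable and carry a host.
     *
     * @throws SFException if exactly one URL is set, if either URL cannot be parsed, or if either
     *     URL has no host component
     */
    private void validateAuthorizationAndTokenEndpointsIfSpecified(SFLoginInput loginInput) throws SFException {
        String authorizationUrl = loginInput.getOauthLoginInput().getAuthorizationUrl();
        String tokenRequestUrl = loginInput.getOauthLoginInput().getTokenRequestUrl();
        boolean authorizationMissing = SnowflakeUtil.isNullOrEmpty(authorizationUrl);
        boolean tokenMissing = SnowflakeUtil.isNullOrEmpty(tokenRequestUrl);

        if (authorizationMissing != tokenMissing) {
            throw new SFException(ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, "For OAUTH_AUTHORIZATION_CODE authentication with external IdP, both oauthAuthorizationUrl and oauthTokenRequestUrl must be specified");
        }
        if (authorizationMissing) {
            // Neither endpoint was supplied, so there is nothing to validate.
            return;
        }

        URI authorizationUri;
        URI tokenUri;
        try {
            authorizationUri = URI.create(authorizationUrl);
            tokenUri = URI.create(tokenRequestUrl);
        } catch (IllegalArgumentException e) {
            // URI.create rejects syntactically invalid input with an unchecked exception;
            // surface it as the same validation error used for a missing host so callers
            // only have to handle SFException.
            throw new SFException(e, ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, String.format(MALFORMED_ENDPOINTS_FORMAT, authorizationUrl, tokenRequestUrl));
        }

        if (SnowflakeUtil.isNullOrEmpty(authorizationUri.getHost()) || SnowflakeUtil.isNullOrEmpty(tokenUri.getHost())) {
            throw new SFException(ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, String.format(MALFORMED_ENDPOINTS_FORMAT, authorizationUri, tokenUri));
        }

        // Advisory only: the authorization code and client credentials are sent to the token
        // endpoint, so a token host that differs from the authorization host is worth an
        // operator's attention, but it is not treated as an error here.
        if (!authorizationUri.getHost().equals(tokenUri.getHost())) {
            logger.warn(String.format("Both oauthAuthorizationUrl and oauthTokenRequestUrl should belong to the same host; oauthAuthorizationUrl=%s oauthTokenRequestUrl=%s", authorizationUri, tokenUri));
        }
    }

    /**
     * Rejects a redirect URI that uses the {@code https} scheme.
     *
     * <p>The comparison ignores case because URI schemes are case-insensitive, so {@code
     * HTTPS://...} is refused as well. NOTE(review): this only refuses {@code https}; it does not
     * verify that the value actually starts with {@code http} or that its host is a loopback
     * address. Presumably the redirect is received on a local plain-HTTP listener; confirm
     * where the host is constrained.
     *
     * @throws SFException if a redirect URI is present and starts with {@code https}
     */
    private void validateHttpRedirectUriIfSpecified(SFLoginInput loginInput) throws SFException {
        String redirectUri = loginInput.getOauthLoginInput().getRedirectUri();
        if (redirectUri == null) {
            return;
        }
        boolean startsWithHttps = redirectUri.regionMatches(true, 0, HTTPS_SCHEME_PREFIX, 0, HTTPS_SCHEME_PREFIX.length());
        AssertUtil.assertTrue(!startsWithHttps, "provided redirect URI should start with \"http\", not \"https\"");
    }

    /**
     * @param authenticatorType type to test; {@code null} yields {@code false}
     * @return {@code true} if this factory can create a provider for the given type
     */
    public static boolean isEligible(AuthenticatorType authenticatorType) {
        return getEligible().contains(authenticatorType);
    }

    private static Set<AuthenticatorType> getEligible() {
        return ELIGIBLE_AUTH_TYPES;
    }

    /**
     * Requires both the OAuth client id and client secret to be non-null. The values themselves
     * are not placed in the failure message.
     *
     * @throws SFException if either credential is {@code null}
     */
    private void assertContainsClientCredentials(SFLoginInput loginInput, AuthenticatorType authenticatorType) throws SFException {
        String flowName = authenticatorType.name();
        AssertUtil.assertTrue(loginInput.getOauthLoginInput().getClientId() != null, String.format("passing oauthClientId is required for %s authentication", flowName));
        AssertUtil.assertTrue(loginInput.getOauthLoginInput().getClientSecret() != null, String.format("passing oauthClientSecret is required for %s authentication", flowName));
    }
}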
