package net.snowflake.client.core.auth.oauth;

import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.stream.Collectors;
import net.snowflake.client.core.SFException;
import net.snowflake.client.core.SFLoginInput;
import net.snowflake.client.core.SessionUtilExternalBrowser;
import net.snowflake.client.core.SnowflakeJdbcInternalApi;
import net.snowflake.client.jdbc.ErrorCode;
import net.snowflake.client.jdbc.SnowflakeUseDPoPNonceException;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.utils.URLEncodedUtils;

@SnowflakeJdbcInternalApi
/* loaded from: input_file:net/snowflake/client/core/auth/oauth/OAuthAuthorizationCodeAccessTokenProvider.class */
public class OAuthAuthorizationCodeAccessTokenProvider implements AccessTokenProvider {
    private static final SFLogger logger = SFLoggerFactory.getLogger((Class<?>) OAuthAuthorizationCodeAccessTokenProvider.class);
    static final String DEFAULT_REDIRECT_HOST = "http://127.0.0.1";
    static final String DEFAULT_REDIRECT_URI_ENDPOINT = "/";
    private final SessionUtilExternalBrowser.AuthExternalBrowserHandlers browserHandler;
    private final StateProvider<String> stateProvider;
    private final DPoPUtil dpopUtil = new DPoPUtil();
    private final long browserAuthorizationTimeoutSeconds;

    public OAuthAuthorizationCodeAccessTokenProvider(SessionUtilExternalBrowser.AuthExternalBrowserHandlers authExternalBrowserHandlers, StateProvider<String> stateProvider, long j) throws SFException {
        this.browserHandler = authExternalBrowserHandlers;
        this.stateProvider = stateProvider;
        this.browserAuthorizationTimeoutSeconds = j;
    }

    @Override // net.snowflake.client.core.auth.oauth.AccessTokenProvider
    public TokenResponseDTO getAccessToken(SFLoginInput sFLoginInput) throws SFException {
        try {
            logger.info("Starting OAuth authorization code authentication flow...", new Object[0]);
            CodeVerifier codeVerifier = new CodeVerifier();
            URI buildRedirectUri = OAuthUtil.buildRedirectUri(sFLoginInput.getOauthLoginInput());
            return exchangeAuthorizationCodeForAccessToken(sFLoginInput, requestAuthorizationCode(sFLoginInput, codeVerifier, buildRedirectUri), codeVerifier, buildRedirectUri, null, false);
        } catch (Exception e) {
            logger.error("Error during OAuth authorization code flow. Verify configuration passed to driver and IdP (URLs, grant types, scope, etc.)", e);
            throw new SFException(e, ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, e.getMessage());
        }
    }

    @Override // net.snowflake.client.core.auth.oauth.AccessTokenProvider
    public String getDPoPPublicKey() {
        return this.dpopUtil.getPublicKey();
    }

    private AuthorizationCode requestAuthorizationCode(SFLoginInput sFLoginInput, CodeVerifier codeVerifier, URI uri) throws SFException, IOException {
        State state = new State(this.stateProvider.getState());
        URI uri2 = buildAuthorizationRequest(sFLoginInput, codeVerifier, state, uri).toURI();
        HttpServer createHttpServer = createHttpServer(uri);
        CompletableFuture<String> completableFuture = setupRedirectURIServerForAuthorizationCode(createHttpServer, state);
        logger.debug("Waiting for authorization code redirection to {}...", uri);
        return letUserAuthorize(uri2, completableFuture, createHttpServer);
    }

    private TokenResponseDTO exchangeAuthorizationCodeForAccessToken(SFLoginInput sFLoginInput, AuthorizationCode authorizationCode, CodeVerifier codeVerifier, URI uri, String str, boolean z) throws SFException {
        try {
            return OAuthUtil.sendTokenRequest(buildTokenRequest(sFLoginInput, authorizationCode, codeVerifier, uri, str), sFLoginInput);
        } catch (SnowflakeUseDPoPNonceException e) {
            logger.debug("Received \"use_dpop_nonce\" error from IdP while performing token request", new Object[0]);
            if (z) {
                logger.debug("Skipping DPoP nonce retry as it has been already retried", new Object[0]);
                throw e;
            }
            logger.debug("Retrying token request with DPoP nonce included...", new Object[0]);
            return exchangeAuthorizationCodeForAccessToken(sFLoginInput, authorizationCode, codeVerifier, uri, e.getNonce(), true);
        } catch (Exception e2) {
            logger.error("Error during making OAuth access token request", e2);
            throw new SFException(e2, ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, e2.getMessage());
        }
    }

    private AuthorizationCode letUserAuthorize(URI uri, CompletableFuture<String> completableFuture, HttpServer httpServer) throws SFException {
        try {
            try {
                try {
                    logger.debug("Opening browser for authorization code request to: {}", uri.getAuthority() + uri.getPath());
                    this.browserHandler.openBrowser(uri.toString());
                    AuthorizationCode authorizationCode = new AuthorizationCode(completableFuture.get(this.browserAuthorizationTimeoutSeconds, TimeUnit.SECONDS));
                    logger.debug("Stopping OAuth redirect URI server @ {}", httpServer.getAddress());
                    httpServer.stop(1);
                    return authorizationCode;
                } catch (Exception e) {
                    throw new SFException(e, ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, e.getMessage());
                }
            } catch (TimeoutException e2) {
                throw new SFException(e2, ErrorCode.OAUTH_AUTHORIZATION_CODE_FLOW_ERROR, "Authorization request timed out. Snowflake driver did not receive authorization code back to the redirect URI. Verify your security integration and driver configuration.");
            }
        } catch (Throwable th) {
            logger.debug("Stopping OAuth redirect URI server @ {}", httpServer.getAddress());
            httpServer.stop(1);
            throw th;
        }
    }

    private static CompletableFuture<String> setupRedirectURIServerForAuthorizationCode(HttpServer httpServer, State state) {
        CompletableFuture<String> completableFuture = new CompletableFuture<>();
        httpServer.createContext(DEFAULT_REDIRECT_URI_ENDPOINT, httpExchange -> {
            String handleRedirectRequest = AuthorizationCodeRedirectRequestHandler.handleRedirectRequest((Map) URLEncodedUtils.parse(httpExchange.getRequestURI(), StandardCharsets.UTF_8).stream().collect(Collectors.toMap((v0) -> {
                return v0.getName();
            }, (v0) -> {
                return v0.getValue();
            })), completableFuture, state);
            httpExchange.sendResponseHeaders(200, handleRedirectRequest.length());
            httpExchange.getResponseBody().write(handleRedirectRequest.getBytes(StandardCharsets.UTF_8));
            httpExchange.getResponseBody().close();
        });
        logger.debug("Starting OAuth redirect URI server @ {}", httpServer.getAddress());
        httpServer.start();
        return completableFuture;
    }

    private static HttpServer createHttpServer(URI uri) throws IOException {
        return HttpServer.create(new InetSocketAddress(uri.getHost(), uri.getPort()), 0);
    }

    private AuthorizationRequest buildAuthorizationRequest(SFLoginInput sFLoginInput, CodeVerifier codeVerifier, State state, URI uri) throws SFException {
        AuthorizationRequest.Builder endpointURI = new AuthorizationRequest.Builder(new ResponseType(new ResponseType.Value[]{ResponseType.Value.CODE}), new ClientID(sFLoginInput.getOauthLoginInput().getClientId())).scope(new Scope(new String[]{OAuthUtil.getScope(sFLoginInput.getOauthLoginInput(), sFLoginInput.getRole())})).state(state).redirectionURI(uri).codeChallenge(codeVerifier, CodeChallengeMethod.S256).endpointURI(OAuthUtil.getAuthorizationUrl(sFLoginInput.getOauthLoginInput(), sFLoginInput.getServerUrl()));
        if (sFLoginInput.isDPoPEnabled()) {
            endpointURI.dPoPJWKThumbprintConfirmation(new DPoPUtil().getThumbprint());
        }
        return endpointURI.build();
    }

    private HttpRequestBase buildTokenRequest(SFLoginInput sFLoginInput, AuthorizationCode authorizationCode, CodeVerifier codeVerifier, URI uri, String str) throws SFException {
        AuthorizationCodeGrant authorizationCodeGrant = new AuthorizationCodeGrant(authorizationCode, uri, codeVerifier);
        TokenRequest.Builder scope = new TokenRequest.Builder(OAuthUtil.getTokenRequestUrl(sFLoginInput.getOauthLoginInput(), sFLoginInput.getServerUrl()), new ClientSecretBasic(new ClientID(sFLoginInput.getOauthLoginInput().getClientId()), new Secret(sFLoginInput.getOauthLoginInput().getClientSecret())), authorizationCodeGrant).scope(new Scope(new String[]{OAuthUtil.getScope(sFLoginInput.getOauthLoginInput(), sFLoginInput.getRole())}));
        if (sFLoginInput.getOauthLoginInput().getEnableSingleUseRefreshTokens()) {
            scope.customParameter("enable_single_use_refresh_tokens", new String[]{"true"});
        }
        HttpRequestBase convertToBaseRequest = OAuthUtil.convertToBaseRequest(scope.build().toHTTPRequest());
        if (sFLoginInput.isDPoPEnabled()) {
            this.dpopUtil.addDPoPProofHeaderToRequest(convertToBaseRequest, str);
        }
        return convertToBaseRequest;
    }
}
