package com.atlassian.crowd.directory.rest;

import com.atlassian.crowd.directory.authentication.AzureAdRefreshTokenFilter;
import com.atlassian.crowd.directory.authentication.MsGraphApiAuthenticator;
import com.atlassian.crowd.directory.authentication.impl.MsalAuthenticatorFactory;
import com.atlassian.crowd.directory.rest.endpoint.AzureApiUriResolver;
import com.atlassian.crowd.directory.rest.util.IoUtilsWrapper;
import com.atlassian.crowd.directory.rest.util.JerseyLoggingFilter;
import com.fasterxml.jackson.core.util.JacksonFeature;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.primitives.Ints;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import org.glassfish.jersey.client.ClientConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/crowd/directory/rest/DefaultAzureAdRestClientFactory.class */
/**
 * Default {@link AzureAdRestClientFactory}: builds Jersey-based clients for the Azure AD REST API
 * and wires in JSON support, request logging, timeouts and the token filter.
 *
 * <p>Security-relevant behaviour: when the JVM system property {@link #DISABLE_SSL_VALIDATION} is
 * {@code true}, the client is built with a trust manager that accepts every certificate chain and
 * a hostname verifier that accepts every host. The server is then not authenticated at all.
 */
public class DefaultAzureAdRestClientFactory implements AzureAdRestClientFactory {
    /**
     * Name of the JVM system property that switches off TLS certificate and hostname validation
     * for clients built by this factory (read with {@link Boolean#getBoolean(String)}).
     *
     * <p>The name marks it as a test switch. With it set, the token filter registered on the same
     * client sends its requests over a connection whose peer was never verified, so it should stay
     * unset outside test environments. The WARN line logged when it takes effect is a useful thing
     * to alert on.
     */
    public static final String DISABLE_SSL_VALIDATION = "crowd.azure.test.disable.ssl.validation";

    private static final Logger log = LoggerFactory.getLogger(DefaultAzureAdRestClientFactory.class);

    private final MsalAuthenticatorFactory msalAuthenticatorFactory;
    private final IoUtilsWrapper ioUtilsWrapper;

    /**
     * @param msalAuthenticatorFactory used to create the authenticator that supplies API tokens
     * @param ioUtilsWrapper handed unchanged to every {@link AzureAdRestClient} created here
     */
    public DefaultAzureAdRestClientFactory(MsalAuthenticatorFactory msalAuthenticatorFactory, IoUtilsWrapper ioUtilsWrapper) {
        this.msalAuthenticatorFactory = msalAuthenticatorFactory;
        this.ioUtilsWrapper = ioUtilsWrapper;
    }

    /**
     * Creates a REST client for one Azure AD tenant.
     *
     * @param str first argument forwarded to the authenticator factory
     *     (presumably the application/client id; confirm against {@code MsalAuthenticatorFactory})
     * @param str2 second argument forwarded to the authenticator factory
     *     (presumably the client secret; confirm, and treat as sensitive if so)
     * @param str3 tenant id; must be neither {@code null} nor empty
     * @param azureApiUriResolver resolver passed to both the authenticator and the REST client
     * @param j connection timeout, clamped to the {@code int} range
     * @param j2 read timeout, clamped to the {@code int} range
     * @return a new client backed by a freshly configured Jersey client
     * @throws NullPointerException if {@code str3} is {@code null} or empty
     */
    @Override
    public AzureAdRestClient create(String str, String str2, String str3, AzureApiUriResolver azureApiUriResolver, long j, long j2) {
        String tenantId = Strings.emptyToNull(str3);
        Preconditions.checkNotNull(tenantId, "Tenant ID not specified");
        Client jerseyClient = createJerseyClient(str, str2, str3, azureApiUriResolver, j, j2);
        return new AzureAdRestClient(jerseyClient, azureApiUriResolver, this.ioUtilsWrapper);
    }

    /**
     * Builds the underlying Jersey client: Jackson and logging features, optional TLS override,
     * connect/read timeouts, then the token filter.
     *
     * <p>NOTE(review): {@code JerseyLoggingFilter} is registered on the same client as the token
     * filter; confirm it does not write the Authorization header or token values to the log.
     */
    @VisibleForTesting
    Client createJerseyClient(String str, String str2, String str3, AzureApiUriResolver azureApiUriResolver, long j, long j2) {
        ClientConfig jerseyConfig = new ClientConfig();
        jerseyConfig.register(JacksonFeature.class);
        jerseyConfig.register(JerseyLoggingFilter.class);

        ClientBuilder builder = configSslVerification(ClientBuilder.newBuilder());
        Client client = builder.withConfig(jerseyConfig).build();

        // Jersey takes these timeouts as Integer values, hence the clamped narrowing from long.
        int connectTimeout = loggedSaturatedCast(j, "connection");
        client.property("jersey.config.client.connectTimeout", connectTimeout);
        int readTimeout = loggedSaturatedCast(j2, "read");
        client.property("jersey.config.client.readTimeout", readTimeout);

        MsGraphApiAuthenticator authenticator = this.msalAuthenticatorFactory.create(str, str2, str3, azureApiUriResolver);
        client.register(createAzureAdTokenFilter(authenticator));
        return client;
    }

    /**
     * Applies the {@link #DISABLE_SSL_VALIDATION} override to the builder when the property is set.
     *
     * <p>If building the permissive context fails, the builder is returned untouched, so the
     * client keeps the default certificate and hostname validation (the failure is logged).
     */
    private static ClientBuilder configSslVerification(ClientBuilder clientBuilder) {
        if (!Boolean.getBoolean(DISABLE_SSL_VALIDATION)) {
            return clientBuilder;
        }
        try {
            log.warn("Disabling SSL verification for Azure AD REST client");
            SSLContext permissiveContext = SSLContext.getInstance("TLS");
            // Trust manager whose checks are empty: every certificate chain is accepted.
            TrustManager acceptEverything = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            };
            permissiveContext.init(null, new TrustManager[] {acceptEverything}, new SecureRandom());
            // The verifier below also accepts any hostname, so no part of the peer identity is checked.
            return clientBuilder.sslContext(permissiveContext).hostnameVerifier((hostname, session) -> true);
        } catch (Exception e) {
            log.warn("Failed to disable SSL verification for Azure AD REST client", e);
            return clientBuilder;
        }
    }

    /**
     * Narrows a timeout to {@code int}, clamping out-of-range values and logging at debug level
     * when clamping changed the value.
     */
    private int loggedSaturatedCast(long j, String str) {
        final int clamped = Ints.saturatedCast(j);
        if (clamped == j) {
            return clamped;
        }
        log.debug("Specified value {} for {} timeout cannot be represented as an integer, performing saturated cast to {}", j, str, clamped);
        return clamped;
    }

    /** Wraps an existing REST client in a paging wrapper. */
    @Override
    public AzureAdPagingWrapper create(AzureAdRestClient azureAdRestClient) {
        return new AzureAdPagingWrapper(azureAdRestClient);
    }

    /**
     * Creates the token filter, backed by a loading cache that fetches an access token from the
     * authenticator on a cache miss.
     *
     * <p>The cache is built with no expiry or size limit, so a loaded token stays cached until
     * something invalidates it (presumably {@code AzureAdRefreshTokenFilter}; confirm there).
     * The loader rejects any key other than {@code AZURE_AD_TOKEN_CACHE_KEY}.
     */
    private AzureAdRefreshTokenFilter createAzureAdTokenFilter(final MsGraphApiAuthenticator msGraphApiAuthenticator) {
        CacheLoader<String, String> tokenLoader = new CacheLoader<String, String>() {
            @Override
            public String load(String key) throws Exception {
                Preconditions.checkArgument(AzureAdRefreshTokenFilter.AZURE_AD_TOKEN_CACHE_KEY.equals(key));
                return msGraphApiAuthenticator.getApiToken().accessToken();
            }
        };
        return new AzureAdRefreshTokenFilter(CacheBuilder.newBuilder().build(tokenLoader));
    }
}
