package io.jenkins.plugins.cloudmanager;

import hudson.util.Secret;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.Optional;
import kong.unirest.HttpResponse;
import kong.unirest.JsonNode;
import kong.unirest.Unirest;
import kong.unirest.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/adobe-cloud-manager.jar:io/jenkins/plugins/cloudmanager/CloudManagerAuthUtil.class */
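/**
 * Exchanges the plugin's Adobe I/O service-account credentials for an IMS access token.
 *
 * <p>The flow is: read the PKCS#8 private key from the configuration, sign a short JWT
 * assertion with RS256, and POST it together with the client id and client secret to the
 * IMS JWT exchange endpoint.
 *
 * <p>Every method here handles plaintext credential material (API key, client secret,
 * private key, signed JWT). None of those values may be written to logs or exception
 * messages.
 */
public class CloudManagerAuthUtil {
    private static final Logger LOGGER = LoggerFactory.getLogger(CloudManagerAuthUtil.class);

    // The MIME decoder ignores characters outside the Base64 alphabet instead of rejecting
    // them, so malformed key text is only detected later, when KeyFactory parses the bytes.
    private static final Base64.Decoder DECODER = Base64.getMimeDecoder();

    /**
     * Requests an access token from the IMS JWT exchange endpoint.
     *
     * @param adobeioConfig configuration supplying the API key, client secret, organization id,
     *     technical account id and private key
     * @return the access token string taken from the JSON response
     * @throws AdobeIOException if the endpoint answers with a non-success status, or the
     *     response carries no access token
     * @throws IllegalStateException if the JWT assertion cannot be built or signed
     */
    public static String getAccessToken(AdobeioConfig adobeioConfig) throws AdobeIOException {
        HttpResponse<JsonNode> response =
                Unirest.post(AdobeioConstants.IMS_JWT_EXCHANGE_ENDPOINT)
                        .header(AdobeioConstants.CACHE_CONTRL, AdobeioConstants.NO_CACHE)
                        .header(AdobeioConstants.CONTENT_TYPE, "application/x-www-form-urlencoded")
                        .field(AdobeioConstants.CLIENT_ID, safeGetPlainText(adobeioConfig.getApiKey()))
                        .field(AdobeioConstants.CLIENT_SECRET, safeGetPlainText(adobeioConfig.getClientSecret()))
                        .field(AdobeioConstants.JWT_TOKEN, getJwtToken(adobeioConfig))
                        .asJson();

        if (!response.isSuccess()) {
            // Only the response is reported here; the request fields (client secret, signed
            // JWT) are never logged.
            // NOTE(review): the error body also ends up in the exception message, which a
            // caller may surface in build output; confirm the IMS error payload never echoes
            // submitted credentials.
            LOGGER.info("Failed with response code {} ", response.getStatus());
            LOGGER.info("Failed with response body {} ", response.getBody());
            throw new AdobeIOException(
                    "Failed to get access token, Adobe send response: [" + response.getStatus() + "] " + response.getBody());
        }

        JSONObject payload = response.getBody().getObject();
        if (!payload.has(AdobeioConstants.JSON_ACCESS_TOKEN)) {
            throw new AdobeIOException("JWT Exchange response does not contain an access token.");
        }
        return payload.getString(AdobeioConstants.JSON_ACCESS_TOKEN);
    }

    /**
     * Unwraps a Jenkins {@link Secret} into its plaintext value.
     *
     * <p>The returned string is the decrypted credential. Callers must not log it, put it in
     * an exception message, or persist it.
     *
     * @param secret the secret to unwrap, may be {@code null}
     * @return the plaintext value, or {@code null} when {@code secret} is {@code null}
     */
    public static String safeGetPlainText(Secret secret) {
        return Optional.ofNullable(secret).map(Secret::getPlainText).orElse(null);
    }

    /**
     * Builds and signs the JWT assertion that is sent to the exchange endpoint.
     *
     * @param adobeioConfig configuration supplying the claim values and the signing key
     * @return the compact, RS256-signed JWT
     * @throws IllegalStateException wrapping any failure while loading the key or signing
     */
    private static String getJwtToken(AdobeioConfig adobeioConfig) {
        try {
            String audience =
                    String.format("%s/c/%s", AdobeioConstants.IMS_ENDPOINT, safeGetPlainText(adobeioConfig.getApiKey()));
            return Jwts.builder()
                    .setIssuer(adobeioConfig.getOrganizationID())
                    .setSubject(adobeioConfig.getTechnicalAccountId())
                    .setExpiration(getExpirationDate())
                    .setAudience(audience)
                    .claim(AdobeioConstants.CLOUD_MANAGER_JWT_SCOPE, Boolean.TRUE)
                    .signWith(SignatureAlgorithm.RS256, getPrivateKey(adobeioConfig))
                    .compact();
        } catch (Exception e) {
            // The message stays generic on purpose: the cause may describe key parsing, so no
            // configuration values are added here.
            throw new IllegalStateException("Error while generating JWT token", e);
        }
    }

    /**
     * Parses the configured PEM text into an RSA private key.
     *
     * <p>Only unencrypted PKCS#8 input is supported: the header pattern matches
     * {@code -----BEGIN PRIVATE KEY-----} / {@code -----END PRIVATE KEY-----} (a single word
     * before {@code PRIVATE KEY}), and the bytes are handed to {@link PKCS8EncodedKeySpec}.
     * Other PEM variants fail in {@link KeyFactory} with an {@link InvalidKeySpecException}.
     *
     * @param adobeioConfig configuration holding the private key secret
     * @return the decoded RSA private key
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     * @throws InvalidKeySpecException if no key is configured, or the key material cannot be
     *     parsed as PKCS#8
     */
    private static PrivateKey getPrivateKey(AdobeioConfig adobeioConfig)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String pem = safeGetPlainText(adobeioConfig.getPrivateKey());
        if (pem == null) {
            // Previously a null key reached PKCS8EncodedKeySpec and surfaced as a bare
            // NullPointerException; report the actual misconfiguration instead.
            throw new InvalidKeySpecException("No private key is configured");
        }

        String base64Body = pem.replaceAll("-----\\w+ PRIVATE KEY-----", "").replaceAll("\\s+", "");
        if (base64Body.isEmpty()) {
            throw new InvalidKeySpecException("Configured private key contains no key material");
        }

        // Decode failures (IllegalArgumentException) propagate to getJwtToken's catch block.
        // Key text is never included in any message.
        byte[] encodedKey = DECODER.decode(base64Body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(encodedKey));
    }

    /**
     * Computes the expiry of the JWT assertion: 24 hours from now.
     *
     * <p>NOTE(review): the assertion is built and submitted within a single
     * {@code getAccessToken} call, so a much shorter lifetime would narrow the window in which
     * a captured assertion could be replayed. Confirm what the IMS endpoint accepts before
     * changing the value.
     *
     * @return the expiration timestamp for the {@code exp} claim
     */
    private static Date getExpirationDate() {
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(new Date());
        calendar.add(Calendar.HOUR, 24);
        return calendar.getTime();
    }
}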
