package io.fabric8.kubernetes.client.utils;

import com.fasterxml.jackson.core.JsonProcessingException;
import io.fabric8.kubernetes.api.model.Config;
import io.fabric8.kubernetes.api.model.NamedContext;
import io.fabric8.kubernetes.client.internal.KubeConfigUtils;
import io.fabric8.kubernetes.client.internal.SSLUtils;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.FormBody;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/kubernetes-client-5.10.1.jar:io/fabric8/kubernetes/client/utils/OpenIDConnectionUtils.class */
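/**
 * Helpers for the kubeconfig OIDC auth-provider: return the stored id token, or use the stored
 * refresh token to obtain a new one from the identity provider and write it back to kubeconfig.
 *
 * <p>Refresh flow as implemented below: build an OkHttp client (optionally trusting the CA from
 * {@code idp-certificate-authority-data}), fetch the issuer's discovery document, read
 * {@code token_endpoint} from it, POST a {@code refresh_token} grant, and return the
 * {@code id_token} from the response.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>NOTE(review): nothing in this class checks that the issuer URL or the discovered
 *       {@code token_endpoint} use https, or that the endpoint belongs to the issuer. The refresh
 *       token and client secret are sent to whatever URL the discovery document names.</li>
 *   <li>The client secret is sent twice per refresh request: in the {@code Authorization: Basic}
 *       header and in the form body.</li>
 *   <li>Non-successful HTTP response bodies are written to the log at WARN level.</li>
 *   <li>Refreshed tokens are written into the kubeconfig file on disk.</li>
 * </ul>
 */
public class OpenIDConnectionUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpenIDConnectionUtils.class);

    public static final String EMPTY = "";

    // Keys of the auth-provider config map taken from kubeconfig.
    public static final String ID_TOKEN_KUBECONFIG = "id-token";
    public static final String ISSUER_KUBECONFIG = "idp-issuer-url";
    public static final String REFRESH_TOKEN_KUBECONFIG = "refresh-token";
    public static final String CLIENT_ID_KUBECONFIG = "client-id";
    public static final String CLIENT_SECRET_KUBECONFIG = "client-secret";
    public static final String IDP_CERT_DATA = "idp-certificate-authority-data";

    // Form fields of the token request and keys of the token response.
    public static final String REFRESH_TOKEN_PARAM = "refresh_token";
    public static final String GRANT_TYPE_PARAM = "grant_type";
    public static final String CLIENT_ID_PARAM = "client_id";
    public static final String CLIENT_SECRET_PARAM = "client_secret";
    public static final String ID_TOKEN_PARAM = "id_token";
    public static final String ACCESS_TOKEN_PARAM = "access_token";
    public static final String GRANT_TYPE_REFRESH_TOKEN = "refresh_token";

    // Discovery document location and the key read from it.
    public static final String TOKEN_ENDPOINT_PARAM = "token_endpoint";
    public static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";

    /** Static utility holder; not instantiable. */
    private OpenIDConnectionUtils() {
    }

    /**
     * Returns the id token to use for the given auth-provider config.
     *
     * <p>When {@link #isTokenRefreshSupported(Map)} is true a refresh is attempted on every call;
     * no expiry check on the stored id token is visible in this class. If the refresh does not
     * produce a token, the stored id token is returned.
     *
     * @param currentAuthProviderConfig auth-provider config map from kubeconfig
     * @return the refreshed id token, or the stored one (possibly {@code null})
     */
    public static String resolveOIDCTokenFromAuthConfig(Map<String, String> currentAuthProviderConfig) {
        String storedIdToken = currentAuthProviderConfig.get(ID_TOKEN_KUBECONFIG);
        if (!isTokenRefreshSupported(currentAuthProviderConfig)) {
            return storedIdToken;
        }
        return getOIDCProviderTokenEndpointAndRefreshToken(
                currentAuthProviderConfig.get(ISSUER_KUBECONFIG),
                currentAuthProviderConfig.get(CLIENT_ID_KUBECONFIG),
                currentAuthProviderConfig.get(REFRESH_TOKEN_KUBECONFIG),
                currentAuthProviderConfig.getOrDefault(CLIENT_SECRET_KUBECONFIG, EMPTY),
                storedIdToken,
                currentAuthProviderConfig.get(IDP_CERT_DATA));
    }

    /**
     * Reads {@code token_endpoint} from the discovery document and runs the refresh against it.
     *
     * <p>Every exception is caught and logged by message only, so a failed refresh degrades to
     * the fallback token instead of propagating.
     *
     * @param client HTTP client used for the token request
     * @param discoveryDocument parsed discovery document (may be empty)
     * @param clientId OIDC client id
     * @param storedRefreshToken refresh token to exchange
     * @param clientSecret OIDC client secret
     * @param fallbackIdToken token returned when the refresh yields nothing
     * @param persistToKubeConfig whether new tokens are written back to kubeconfig
     * @return the refreshed id token, or {@code fallbackIdToken}
     */
    static String getOIDCProviderTokenEndpointAndRefreshToken(OkHttpClient client, Map<String, Object> discoveryDocument,
            String clientId, String storedRefreshToken, String clientSecret, String fallbackIdToken,
            boolean persistToKubeConfig) {
        try {
            // NOTE(review): the endpoint is taken verbatim from the discovery response; the
            // credentials below are posted to it without a scheme or host check.
            String tokenEndpoint = getParametersFromDiscoveryResponse(discoveryDocument, TOKEN_ENDPOINT_PARAM);
            String refreshedIdToken = refreshToken(client, tokenEndpoint, clientId, storedRefreshToken, clientSecret,
                    persistToKubeConfig);
            if (refreshedIdToken != null) {
                return refreshedIdToken;
            }
        } catch (Exception e) {
            LOGGER.warn("Could not refresh OIDC token: {}", e.getMessage());
        }
        return fallbackIdToken;
    }

    /**
     * Reports whether the auth-provider config carries a refresh token.
     *
     * @param currentAuthProviderConfig auth-provider config map from kubeconfig
     * @return the result of {@code Utils.isNotNull} on the {@code refresh-token} entry
     */
    static boolean isTokenRefreshSupported(Map<String, String> currentAuthProviderConfig) {
        return Utils.isNotNull(currentAuthProviderConfig.get(REFRESH_TOKEN_KUBECONFIG));
    }

    /**
     * Exchanges the refresh token and returns the new id token.
     *
     * @param client HTTP client used for the token request
     * @param tokenEndpoint URL of the provider's token endpoint
     * @param clientId OIDC client id
     * @param storedRefreshToken refresh token to exchange
     * @param clientSecret OIDC client secret
     * @param persistToKubeConfig whether new tokens are written back to kubeconfig
     * @return the new id token, or {@code null} when the response has no {@code id_token} or an
     *     {@link IOException} occurred
     */
    static String refreshToken(OkHttpClient client, String tokenEndpoint, String clientId, String storedRefreshToken,
            String clientSecret, boolean persistToKubeConfig) {
        try {
            Map<String, Object> tokenResponse = refreshOidcToken(client, clientId, storedRefreshToken, clientSecret,
                    tokenEndpoint);
            if (!tokenResponse.containsKey(ID_TOKEN_PARAM)) {
                LOGGER.warn("token response did not contain an id_token, either the scope \\\"openid\\\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.");
                return null;
            }
            // A persistence failure is logged but does not discard the freshly obtained token.
            if (persistToKubeConfig && !persistKubeConfigWithUpdatedToken(tokenResponse)) {
                LOGGER.warn("oidc: failure while persisting new tokens into KUBECONFIG");
            }
            return String.valueOf(tokenResponse.get(ID_TOKEN_PARAM));
        } catch (IOException e) {
            LOGGER.warn("Failure in fetching refresh token: ", e);
            return null;
        }
    }

    /**
     * Sends the refresh request and parses a successful response body as a JSON map.
     *
     * <p>The decompiled form carried dead {@code if (0 != 0)} close branches; this is the
     * equivalent try-with-resources.
     *
     * @param client HTTP client used for the token request
     * @param clientId OIDC client id
     * @param storedRefreshToken refresh token to exchange
     * @param clientSecret OIDC client secret
     * @param tokenEndpoint URL of the provider's token endpoint
     * @return the parsed response, or an empty map when the body is missing or the status is not
     *     successful
     * @throws IOException if the call or JSON parsing fails
     */
    static Map<String, Object> refreshOidcToken(OkHttpClient client, String clientId, String storedRefreshToken,
            String clientSecret, String tokenEndpoint) throws IOException {
        Request request = getTokenRefreshHttpRequest(tokenEndpoint, clientId, storedRefreshToken, clientSecret);
        try (Response response = client.newCall(request).execute()) {
            if (response.body() != null) {
                String responseBody = response.body().string();
                if (response.isSuccessful()) {
                    return convertJsonStringToMap(responseBody);
                }
                // NOTE(review): the provider's raw error body goes to the log; check that log
                // consumers are allowed to see whatever the provider echoes back.
                LOGGER.warn("Response: {}", responseBody);
            }
            return Collections.emptyMap();
        }
    }

    /**
     * Fetches and parses the issuer's OpenID discovery document.
     *
     * <p>The decompiler could not produce compilable code for this method (unreachable statements
     * after a {@code return}, an out-of-scope exception variable). The body below is rebuilt from
     * the statements it did recover, as a try-with-resources.
     *
     * @param client HTTP client used for the discovery request
     * @param issuer issuer URL from kubeconfig
     * @return the parsed document, or an empty map on a non-successful status, a missing body, or
     *     an {@link IOException}
     */
    static Map<String, Object> getOIDCDiscoveryDocumentAsMap(OkHttpClient client, String issuer) {
        try (Response response = client.newCall(getDiscoveryDocumentHttpRequest(issuer)).execute()) {
            if (response.isSuccessful() && response.body() != null) {
                return convertJsonStringToMap(response.body().string());
            }
            String responseBody = response.body() != null ? response.body().string() : null;
            LOGGER.warn("oidc: failed to query metadata endpoint: {} {}", response.code(), responseBody);
        } catch (IOException e) {
            LOGGER.warn("Could not refresh OIDC token, failure in getting refresh URL", e);
        }
        return Collections.emptyMap();
    }

    /**
     * Builds the discovery document URL for an issuer.
     *
     * @param issuer issuer URL from kubeconfig
     * @return {@code URLUtils.join} of the issuer, {@code "/"} and the well-known path
     */
    static String getWellKnownUrlForOpenIDIssuer(String issuer) {
        return URLUtils.join(issuer, "/", WELL_KNOWN_OPENID_CONFIGURATION);
    }

    /**
     * Looks up one key of the discovery document.
     *
     * @param discoveryDocument parsed discovery document
     * @param key key to read
     * @return the value converted with {@link String#valueOf(Object)}, or {@link #EMPTY} (with a
     *     warning) when the key is absent
     */
    static String getParametersFromDiscoveryResponse(Map<String, Object> discoveryDocument, String key) {
        if (discoveryDocument.containsKey(key)) {
            return String.valueOf(discoveryDocument.get(key));
        }
        LOGGER.warn("oidc: oidc: discovery object doesn't contain a {}", key);
        return EMPTY;
    }

    /**
     * Writes the tokens from a refresh response into the current user's auth-provider config in
     * the kubeconfig file.
     *
     * <p>A token is copied only when the response holds a non-null value for it. Previously a
     * response without {@code refresh_token} caused the literal string {@code "null"} to replace
     * the stored refresh token, which broke every later refresh.
     *
     * <p>NOTE(review): the user entry, its auth provider and its config map are dereferenced
     * without null or bounds checks. Also confirm that
     * {@code KubeConfigUtils.persistKubeConfigIntoFile} keeps the file's restrictive permissions,
     * since the file holds bearer credentials.
     *
     * @param kubeConfigPath path of the kubeconfig file to update
     * @param updatedAuthProviderConfig parsed token response
     * @return {@code true} when the file was written; {@code false} when there is no current
     *     context or the write failed
     * @throws IOException if the kubeconfig file cannot be parsed
     */
    static boolean persistKubeConfigWithUpdatedToken(String kubeConfigPath, Map<String, Object> updatedAuthProviderConfig)
            throws IOException {
        Config kubeConfig = KubeConfigUtils.parseConfig(new File(kubeConfigPath));
        NamedContext currentContext = KubeConfigUtils.getCurrentContext(kubeConfig);
        if (currentContext == null) {
            return false;
        }
        int userIndex = KubeConfigUtils.getNamedUserIndexFromConfig(kubeConfig, currentContext.getContext().getUser());
        Map<String, String> authConfig = kubeConfig.getUsers().get(userIndex).getUser().getAuthProvider().getConfig();
        copyTokenIfPresent(updatedAuthProviderConfig, ID_TOKEN_PARAM, authConfig, ID_TOKEN_KUBECONFIG);
        copyTokenIfPresent(updatedAuthProviderConfig, REFRESH_TOKEN_PARAM, authConfig, REFRESH_TOKEN_KUBECONFIG);
        kubeConfig.getUsers().get(userIndex).getUser().getAuthProvider().setConfig(authConfig);
        try {
            KubeConfigUtils.persistKubeConfigIntoFile(kubeConfig, kubeConfigPath);
            return true;
        } catch (IOException e) {
            LOGGER.warn("failed to write file {}", kubeConfigPath, e);
            return false;
        }
    }

    /** Copies one token from the response into the kubeconfig map, skipping absent or null values. */
    private static void copyTokenIfPresent(Map<String, Object> tokenResponse, String responseKey,
            Map<String, String> authConfig, String kubeConfigKey) {
        Object value = tokenResponse.get(responseKey);
        if (value != null) {
            authConfig.put(kubeConfigKey, String.valueOf(value));
        }
    }

    /** Parses a JSON document into an untyped map using the shared Jackson mapper. */
    @SuppressWarnings("unchecked") // Jackson returns a raw Map for Map.class.
    private static Map<String, Object> convertJsonStringToMap(String json) throws JsonProcessingException {
        return (Map<String, Object>) Serialization.jsonMapper().readValue(json, Map.class);
    }

    /**
     * Builds an {@link SSLContext} from the Base64 {@code idp-certificate-authority-data} value.
     *
     * <p>Invalid Base64 makes {@code Base64.Decoder#decode} throw
     * {@link IllegalArgumentException}, which is not caught here.
     *
     * @param idpCertData Base64-encoded certificate data, or {@code null}
     * @return the context, or {@code null} when no certificate data is configured
     * @throws RuntimeException if the certificate cannot be imported
     */
    private static SSLContext getSSLContext(String idpCertData) {
        if (idpCertData == null) {
            return null;
        }
        // Explicit charset: the no-charset String constructor depends on the platform default.
        String pemData = new String(Base64.getDecoder().decode(idpCertData), StandardCharsets.UTF_8);
        try {
            return SSLUtils.sslContext(
                    SSLUtils.keyManagers(pemData, null, null, null, null, null, null, null),
                    SSLUtils.trustManagers(pemData, null, false, null, null));
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException
                | UnrecoverableKeyException | CertificateException | InvalidKeySpecException e) {
            throw new RuntimeException("Could not import idp certificate", e);
        }
    }

    /**
     * Creates the HTTP client for the discovery and token requests.
     *
     * <p>Without an {@code sslContext} the OkHttp defaults apply. With one, the socket factory is
     * paired with the trust manager built from the same certificate data.
     * NOTE(review): {@link #getTrustManagerForAllCerts(String)} can return {@code null}; OkHttp
     * appears to reject a null trust manager with an exception. Confirm how callers see that.
     */
    private static OkHttpClient getOkHttpClient(SSLContext sslContext, String idpCertData) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (sslContext != null) {
            builder.sslSocketFactory(sslContext.getSocketFactory(), getTrustManagerForAllCerts(idpCertData));
        }
        return builder.build();
    }

    /**
     * Builds the trust manager from the configured certificate data.
     *
     * <p>NOTE(review): despite the name, {@code false} is passed as the third argument of
     * {@code SSLUtils.trustManagers}. That looks like the trust-all switch being off; confirm
     * against SSLUtils. The value passed here is the still-encoded kubeconfig string, while
     * {@link #getSSLContext(String)} passes the decoded text; presumably SSLUtils accepts both.
     *
     * @return the single trust manager, or {@code null} when creation failed or SSLUtils did not
     *     return exactly one
     */
    private static X509TrustManager getTrustManagerForAllCerts(String idpCertData) {
        try {
            TrustManager[] trustManagers = SSLUtils.trustManagers(idpCertData, null, false, null, null);
            if (trustManagers != null && trustManagers.length == 1) {
                return (X509TrustManager) trustManagers[0];
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            // Log the cause as well; the message alone hides why the CA data was rejected.
            LOGGER.warn("Could not get trust manager", e);
        }
        return null;
    }

    /**
     * Builds the POST request for the {@code refresh_token} grant.
     *
     * <p>NOTE(review): client id and secret are joined raw into the Basic credentials and the
     * secret is repeated in the form body; check both against what the provider expects.
     */
    private static Request getTokenRefreshHttpRequest(String tokenEndpoint, String clientId, String storedRefreshToken,
            String clientSecret) throws JsonProcessingException {
        String credentials = clientId + ':' + clientSecret;
        String basicAuth = "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        Request.Builder requestBuilder = new Request.Builder()
                .post(getRequestBodyContentForRefresh(clientId, storedRefreshToken, clientSecret))
                .url(HttpUrl.get(tokenEndpoint).newBuilder().build());
        requestBuilder.addHeader("Authorization", basicAuth);
        requestBuilder.addHeader("Content-Type", "application/x-www-form-urlencoded");
        return requestBuilder.build();
    }

    /** Builds the GET request for the issuer's discovery document. */
    private static Request getDiscoveryDocumentHttpRequest(String issuer) throws MalformedURLException {
        URL discoveryUrl = new URL(getWellKnownUrlForOpenIDIssuer(issuer));
        return new Request.Builder().url(discoveryUrl).build();
    }

    /** Builds the form body: refresh token, grant type, client id and client secret. */
    private static RequestBody getRequestBodyContentForRefresh(String clientId, String storedRefreshToken,
            String clientSecret) {
        return new FormBody.Builder()
                .add(REFRESH_TOKEN_PARAM, storedRefreshToken)
                .add(GRANT_TYPE_PARAM, GRANT_TYPE_REFRESH_TOKEN)
                .add(CLIENT_ID_PARAM, clientId)
                .add(CLIENT_SECRET_PARAM, clientSecret)
                .build();
    }

    /**
     * Runs the whole refresh with a short-lived HTTP client and persists the result.
     *
     * <p>The client is created before the {@code try}, so a failure while importing the
     * certificate propagates to the caller. The client is always closed afterwards.
     */
    private static String getOIDCProviderTokenEndpointAndRefreshToken(String issuer, String clientId,
            String storedRefreshToken, String clientSecret, String fallbackIdToken, String idpCertData) {
        OkHttpClient client = getOkHttpClient(getSSLContext(idpCertData), idpCertData);
        try {
            Map<String, Object> discoveryDocument = getOIDCDiscoveryDocumentAsMap(client, issuer);
            return getOIDCProviderTokenEndpointAndRefreshToken(client, discoveryDocument, clientId, storedRefreshToken,
                    clientSecret, fallbackIdToken, true);
        } finally {
            HttpClientUtils.close(client);
        }
    }

    /** Persists the token response into the kubeconfig file named by the client {@code Config}. */
    private static boolean persistKubeConfigWithUpdatedToken(Map<String, Object> updatedAuthProviderConfig)
            throws IOException {
        return persistKubeConfigWithUpdatedToken(io.fabric8.kubernetes.client.Config.getKubeconfigFilename(),
                updatedAuthProviderConfig);
    }
}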
