package io.fabric8.openshift.client.internal;

import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReview;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.utils.Serialization;
import io.fabric8.kubernetes.client.utils.URLUtils;
import io.fabric8.kubernetes.client.utils.Utils;
import io.fabric8.openshift.api.model.LocalResourceAccessReview;
import io.fabric8.openshift.api.model.LocalSubjectAccessReview;
import io.fabric8.openshift.api.model.ResourceAccessReview;
import io.fabric8.openshift.api.model.SelfSubjectRulesReview;
import io.fabric8.openshift.api.model.SubjectAccessReview;
import io.fabric8.openshift.api.model.SubjectRulesReview;
import io.fabric8.openshift.client.OpenShiftConfig;
import java.io.IOException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Stream;
import okhttp3.Credentials;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/* loaded from: input_file:WEB-INF/lib/openshift-client-5.4.1.jar:io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.class */
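/**
 * OkHttp interceptor that adds an OAuth bearer token to outgoing requests and, when a
 * response is judged unsuccessful (HTTP 401/403, or any POST to one of the access-review
 * resources), resolves a token and replays the request once.
 *
 * <p>The token is resolved from the configured username/password through the cluster's OAuth
 * authorization endpoint, or otherwise taken from the token configured on
 * {@link OpenShiftConfig}. The last resolved token is cached in an {@link AtomicReference};
 * re-authorization is serialized on the shared {@link OkHttpClient} instance.
 */
public class OpenShiftOAuthInterceptor implements Interceptor {
    private static final String AUTHORIZATION = "Authorization";
    private static final String LOCATION = "Location";
    private static final String AUTHORIZATION_SERVER_PATH = ".well-known/oauth-authorization-server";
    private static final String AUTHORIZE_QUERY = "?response_type=token&client_id=openshift-challenging-client";
    private static final String BEFORE_TOKEN = "access_token=";
    private static final String AFTER_TOKEN = "&expires";
    // Plural names of the review resources; a POST to a URL ending in one of these is never
    // treated as successful by isResponseSuccessful.
    private static final Set<String> RETRIABLE_RESOURCES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            HasMetadata.getPlural(LocalSubjectAccessReview.class),
            HasMetadata.getPlural(LocalResourceAccessReview.class),
            HasMetadata.getPlural(ResourceAccessReview.class),
            HasMetadata.getPlural(SelfSubjectRulesReview.class),
            HasMetadata.getPlural(SubjectRulesReview.class),
            HasMetadata.getPlural(SubjectAccessReview.class),
            HasMetadata.getPlural(SelfSubjectAccessReview.class))));
    private final OkHttpClient client;
    private final OpenShiftConfig config;
    // Cached bearer token; never written to logs or exception messages in this class.
    private final AtomicReference<String> oauthToken = new AtomicReference<>();

    /**
     * @param okHttpClient client whose configuration is reused (minus this interceptor) for the
     *     token requests; also used as the lock for re-authorization
     * @param openShiftConfig source of the master URL, username/password and configured token
     */
    public OpenShiftOAuthInterceptor(OkHttpClient okHttpClient, OpenShiftConfig openShiftConfig) {
        this.client = okHttpClient;
        this.config = openShiftConfig;
    }

    /**
     * Sends the request with the cached token (unless the caller already set an
     * {@code Authorization} header) and replays it once with a freshly resolved token when the
     * first response is not considered successful.
     *
     * @param chain the interceptor chain
     * @return the first response when it is successful or no token can be resolved, otherwise
     *     the response to the replayed request
     * @throws IOException if the underlying call fails
     */
    @Override
    public Response intercept(Interceptor.Chain chain) throws IOException {
        Request original = chain.request();
        Request.Builder builder = original.newBuilder();
        String token = this.oauthToken.get();
        // A caller-supplied Authorization header wins over the cached token on the first attempt.
        if (Utils.isNotNullOrEmpty(token) && Utils.isNullOrEmpty(original.header(AUTHORIZATION))) {
            setAuthHeader(builder, token);
        }
        Request firstAttempt = builder.build();
        Response firstResponse = chain.proceed(firstAttempt);
        if (isResponseSuccessful(firstAttempt, firstResponse)) {
            return firstResponse;
        }

        if (Utils.isNotNullOrEmpty(this.config.getUsername()) && Utils.isNotNullOrEmpty(this.config.getPassword())) {
            synchronized (this.client) {
                // Drop the rejected token before asking for a new one; authorize() throws on failure.
                this.oauthToken.set(null);
                token = authorize();
                if (token != null) {
                    this.oauthToken.set(token);
                }
            }
        } else if (Utils.isNotNullOrEmpty(this.config.getOauthToken())) {
            token = this.config.getOauthToken();
            this.oauthToken.set(token);
        }

        if (Utils.isNullOrEmpty(token)) {
            // Nothing to retry with: hand the original (unsuccessful) response to the caller.
            return firstResponse;
        }
        // The first response is discarded, so release its connection before replaying.
        firstResponse.close();
        setAuthHeader(builder, token);
        return chain.proceed(builder.build());
    }

    /** Sets {@code Authorization: Bearer <token>} on the builder; a {@code null} token is ignored. */
    private void setAuthHeader(Request.Builder builder, String str) {
        if (str != null) {
            builder.header(AUTHORIZATION, String.format("Bearer %s", str));
        }
    }

    /**
     * Obtains an access token with the configured username and password.
     *
     * <p>Reads {@code authorization_endpoint} from the discovery document under the master URL,
     * calls that endpoint with HTTP Basic credentials, and extracts the token from the
     * {@code Location} header of the resulting response.
     *
     * @return the access token found in the {@code Location} header
     * @throws KubernetesClientException if either response is unusable or carries no token
     */
    private String authorize() {
        try {
            // Token requests must not pass through this interceptor again.
            OkHttpClient.Builder clientBuilder = this.client.newBuilder();
            clientBuilder.interceptors().remove(this);
            OkHttpClient plainClient = clientBuilder.build();

            Request discoveryRequest = new Request.Builder()
                    .get()
                    .url(new URL(URLUtils.join(this.config.getMasterUrl(), AUTHORIZATION_SERVER_PATH)))
                    .build();
            String authorizationEndpoint;
            // try-with-resources: the response is released on the error paths as well.
            try (Response discoveryResponse = plainClient.newCall(discoveryRequest).execute()) {
                if (!discoveryResponse.isSuccessful() || discoveryResponse.body() == null) {
                    throw new KubernetesClientException("Unexpected response (" + discoveryResponse.code() + " " + discoveryResponse.message() + ")");
                }
                // path() yields an empty text for an absent field instead of a null node.
                authorizationEndpoint = Serialization.jsonMapper()
                        .readTree(discoveryResponse.body().string())
                        .path("authorization_endpoint")
                        .asText();
            }
            if (Utils.isNullOrEmpty(authorizationEndpoint)) {
                throw new KubernetesClientException("OAuth discovery document has no authorization_endpoint");
            }

            // NOTE(review): the Basic credentials go to whatever URL the discovery document
            // advertised; nothing here checks that it is https or on the expected host, so the
            // protection rests on the TLS/trust settings of the supplied client. Confirm.
            Request authorizeRequest = new Request.Builder()
                    .get()
                    .url(new URL(authorizationEndpoint + AUTHORIZE_QUERY))
                    .header(AUTHORIZATION, Credentials.basic(this.config.getUsername(), this.config.getPassword()))
                    .build();
            String location;
            try (Response authorizeResponse = plainClient.newCall(authorizeRequest).execute()) {
                // The token is carried by the redirect itself, so prefer the prior (redirect)
                // response and its network form over the final response.
                Response redirect = authorizeResponse.priorResponse() != null ? authorizeResponse.priorResponse() : authorizeResponse;
                Response network = redirect.networkResponse() != null ? redirect.networkResponse() : redirect;
                location = network.header(LOCATION);
                if (location == null || location.isEmpty()) {
                    throw new KubernetesClientException("Unexpected response (" + network.code() + " " + network.message() + "), to the authorization request. Missing header:[" + LOCATION + "]!");
                }
            }
            return extractAccessToken(location);
        } catch (Exception e) {
            throw KubernetesClientException.launderThrowable(e);
        }
    }

    /**
     * Returns the text between {@code access_token=} and {@code &expires} in the given
     * {@code Location} value. The value itself is kept out of the exception messages because it
     * may contain a token.
     */
    private static String extractAccessToken(String location) {
        int marker = location.indexOf(BEFORE_TOKEN);
        if (marker < 0) {
            // Without this check a missing marker would make an arbitrary slice of the header
            // be returned and later sent as a bearer token.
            throw new KubernetesClientException("Authorization response header [" + LOCATION + "] does not contain an access token");
        }
        int start = marker + BEFORE_TOKEN.length();
        int end = location.indexOf(AFTER_TOKEN, start);
        if (end < 0) {
            throw new KubernetesClientException("Authorization response header [" + LOCATION + "] has no expiry after the access token");
        }
        return location.substring(start, end);
    }

    /**
     * Decides whether the response can be returned as is.
     *
     * @return {@code false} for HTTP 401/403 and for every POST whose URL ends with one of
     *     {@link #RETRIABLE_RESOURCES}, whatever its status code; {@code true} otherwise
     */
    private boolean isResponseSuccessful(Request request, Response response) {
        String url = request.url().toString();
        // NOTE(review): review-resource POSTs are always replayed, presumably because they
        // answer 2xx even for an unauthenticated caller; confirm against the API behaviour.
        if ("POST".equals(request.method()) && RETRIABLE_RESOURCES.stream().anyMatch(url::endsWith)) {
            return false;
        }
        int code = response.code();
        return code != 401 && code != 403;
    }
}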
