package io.fabric8.openshift.client.internal;

import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReview;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.http.BasicBuilder;
import io.fabric8.kubernetes.client.http.HttpClient;
import io.fabric8.kubernetes.client.http.HttpHeaders;
import io.fabric8.kubernetes.client.http.HttpRequest;
import io.fabric8.kubernetes.client.http.HttpResponse;
import io.fabric8.kubernetes.client.http.Interceptor;
import io.fabric8.kubernetes.client.http.StandardHttpRequest;
import io.fabric8.kubernetes.client.utils.HttpClientUtils;
import io.fabric8.kubernetes.client.utils.Serialization;
import io.fabric8.kubernetes.client.utils.TokenRefreshInterceptor;
import io.fabric8.kubernetes.client.utils.URLUtils;
import io.fabric8.kubernetes.client.utils.Utils;
import io.fabric8.openshift.api.model.LocalResourceAccessReview;
import io.fabric8.openshift.api.model.LocalSubjectAccessReview;
import io.fabric8.openshift.api.model.ResourceAccessReview;
import io.fabric8.openshift.api.model.SelfSubjectRulesReview;
import io.fabric8.openshift.api.model.SubjectAccessReview;
import io.fabric8.openshift.api.model.SubjectRulesReview;
import io.fabric8.openshift.client.OpenShiftConfig;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Stream;

/* loaded from: input_file:WEB-INF/lib/openshift-client-6.0.0.jar:io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.class */
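/**
 * HTTP interceptor that adds an OAuth bearer token to outgoing requests and, after a failed
 * request, tries to obtain a token so the request can be retried.
 *
 * <p>When a username and password are configured, the token is requested from the authorization
 * endpoint advertised under {@code .well-known/oauth-authorization-server} on the master URL.
 * Otherwise the token from the configuration, or the one cached by this interceptor, is reused.
 *
 * <p>The cached token is held in an {@link AtomicReference}; no other synchronization is used.
 */
public class OpenShiftOAuthInterceptor implements Interceptor {
    private static final String AUTHORIZATION = "Authorization";
    private static final String LOCATION = "Location";
    private static final String AUTHORIZATION_SERVER_PATH = ".well-known/oauth-authorization-server";
    private static final String AUTHORIZE_QUERY = "?response_type=token&client_id=openshift-challenging-client";
    private static final String BEFORE_TOKEN = "access_token=";
    private static final String AFTER_TOKEN = "&expires";

    // Plural resource names for which a failed POST always triggers a token attempt,
    // whatever the status code (see shouldProceed).
    private static final Set<String> RETRIABLE_RESOURCES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            HasMetadata.getPlural(LocalSubjectAccessReview.class),
            HasMetadata.getPlural(LocalResourceAccessReview.class),
            HasMetadata.getPlural(ResourceAccessReview.class),
            HasMetadata.getPlural(SelfSubjectRulesReview.class),
            HasMetadata.getPlural(SubjectRulesReview.class),
            HasMetadata.getPlural(SubjectAccessReview.class),
            HasMetadata.getPlural(SelfSubjectAccessReview.class))));

    private final HttpClient client;
    private final OpenShiftConfig config;
    // Last token obtained by afterFailure; null until the first successful attempt.
    private final AtomicReference<String> oauthToken = new AtomicReference<>();

    /**
     * Creates the interceptor.
     *
     * @param httpClient client used to derive the client that performs the token requests
     * @param openShiftConfig source of the master URL, username, password and configured token
     */
    public OpenShiftOAuthInterceptor(HttpClient httpClient, OpenShiftConfig openShiftConfig) {
        this.client = httpClient;
        this.config = openShiftConfig;
    }

    /**
     * Adds the cached token as an {@code Authorization} header, but only when the request does
     * not already carry a non-empty one, so a caller-supplied header is never overwritten.
     *
     * @param basicBuilder builder of the outgoing request
     * @param httpHeaders headers currently set on that request
     */
    @Override // io.fabric8.kubernetes.client.http.Interceptor
    public void before(BasicBuilder basicBuilder, HttpHeaders httpHeaders) {
        String cachedToken = this.oauthToken.get();
        if (Utils.isNullOrEmpty(cachedToken)) {
            return;
        }
        List<String> existing = httpHeaders.headers(AUTHORIZATION);
        if (existing.isEmpty() || Utils.isNullOrEmpty(existing.get(0))) {
            setAuthHeader(basicBuilder, cachedToken);
        }
    }

    /**
     * Decides whether a failed request should be retried with a (new) bearer token.
     *
     * @param builder builder for the retried request; receives the {@code Authorization} header
     * @param httpResponse the failed response
     * @return a future holding {@code true} when a non-empty token was set on {@code builder},
     *     {@code false} when the failure is not handled here or no token is available
     */
    @Override // io.fabric8.kubernetes.client.http.Interceptor
    public CompletableFuture<Boolean> afterFailure(HttpRequest.Builder builder, HttpResponse<?> httpResponse) {
        if (shouldProceed(httpResponse.request(), httpResponse)) {
            return CompletableFuture.completedFuture(false);
        }

        boolean hasCredentials = Utils.isNotNullOrEmpty(this.config.getUsername())
                && Utils.isNotNullOrEmpty(this.config.getPassword());
        CompletableFuture<String> tokenFuture;
        if (hasCredentials) {
            tokenFuture = authorize();
        } else {
            // No credentials: fall back to the configured token, then to the cached one.
            tokenFuture = CompletableFuture.completedFuture(
                    Utils.getNonNullOrElse(this.config.getOauthToken(), this.oauthToken.get()));
        }

        return tokenFuture.thenApply(token -> {
            if (token != null) {
                this.oauthToken.set(token);
            }
            if (Utils.isNullOrEmpty(token)) {
                return false;
            }
            setAuthHeader(builder, token);
            return true;
        });
    }

    /**
     * Sets {@code Authorization: Bearer <token>} on the builder; does nothing for a null token.
     */
    private void setAuthHeader(BasicBuilder basicBuilder, String token) {
        if (token != null) {
            basicBuilder.setHeader(AUTHORIZATION, "Bearer " + token);
        }
    }

    /**
     * Requests a token with the configured username and password.
     *
     * <p>Reads the authorization endpoint from the discovery document on the master URL, sends
     * the credentials to it as HTTP Basic, and extracts the token from the {@code Location}
     * header of the response.
     *
     * @return a future holding the token; it fails with {@link KubernetesClientException} when
     *     a response is unusable or holds no token
     * @throws KubernetesClientException if the discovery URL cannot be built from the master URL
     */
    private CompletableFuture<String> authorize() {
        HttpClient.DerivedClientBuilder derivedBuilder = this.client.newBuilder();
        // Passing null for the token-refresh interceptor keeps it out of the token requests.
        // NOTE(review): assumes a null value removes the interceptor - confirm.
        derivedBuilder.addOrReplaceInterceptor(TokenRefreshInterceptor.NAME, null);
        HttpClient tokenClient = derivedBuilder.build();

        URL discoveryUrl;
        try {
            discoveryUrl = new URL(URLUtils.join(this.config.getMasterUrl(), AUTHORIZATION_SERVER_PATH));
        } catch (MalformedURLException e) {
            throw KubernetesClientException.launderThrowable(e);
        }

        return tokenClient.sendAsync(tokenClient.newHttpRequestBuilder().url(discoveryUrl).build(), String.class)
                .thenCompose(discovery -> {
                    if (!discovery.isSuccessful() || discovery.body() == null) {
                        throw new KubernetesClientException("Unexpected response (" + discovery.code() + " " + discovery.message() + ")");
                    }
                    try {
                        // path() yields a missing node, not null, when the field is absent, so a
                        // malformed document fails below with a clear message instead of an NPE.
                        String endpoint = Serialization.jsonMapper().readTree(discovery.body())
                                .path("authorization_endpoint").asText();
                        if (Utils.isNullOrEmpty(endpoint)) {
                            throw new KubernetesClientException("Authorization server metadata has no authorization_endpoint");
                        }
                        // NOTE(review): the Basic credentials go to whatever endpoint the
                        // discovery document names; its scheme and host are not checked here, so
                        // the credentials are only as safe as the TLS trust on the master URL.
                        String basicCredentials = HttpClientUtils.basicCredentials(this.config.getUsername(), this.config.getPassword());
                        return tokenClient.sendAsync(
                                this.client.newHttpRequestBuilder()
                                        .url(new URL(endpoint + AUTHORIZE_QUERY))
                                        .setHeader(AUTHORIZATION, basicCredentials)
                                        .build(),
                                String.class);
                    } catch (Exception e) {
                        throw KubernetesClientException.launderThrowable(e);
                    }
                })
                .thenApply(response -> {
                    // Use the previous response when there is one: presumably the redirect that
                    // carries the Location header - confirm against the HttpResponse contract.
                    HttpResponse<?> redirect = response.previousResponse().isPresent() ? response.previousResponse().get() : response;
                    List<String> locations = redirect.headers(LOCATION);
                    String location = !locations.isEmpty() ? locations.get(0) : null;
                    if (location == null || location.isEmpty()) {
                        throw new KubernetesClientException("Unexpected response (" + redirect.code() + " " + redirect.message() + "), to the authorization request. Missing header:[" + LOCATION + "]!");
                    }
                    return extractToken(location);
                });
    }

    /**
     * Returns the text between {@code access_token=} and the following {@code &expires}.
     *
     * <p>Both markers are required. The Location value is deliberately left out of the error
     * messages because it may contain a token.
     *
     * @throws KubernetesClientException when either marker is missing
     */
    private static String extractToken(String location) {
        int markerIndex = location.indexOf(BEFORE_TOKEN);
        if (markerIndex < 0) {
            throw new KubernetesClientException("Unexpected response to the authorization request. Header [" + LOCATION + "] contains no access token!");
        }
        int tokenStart = markerIndex + BEFORE_TOKEN.length();
        int tokenEnd = location.indexOf(AFTER_TOKEN, tokenStart);
        if (tokenEnd < 0) {
            throw new KubernetesClientException("Unexpected response to the authorization request. Access token in header [" + LOCATION + "] is not terminated as expected!");
        }
        return location.substring(tokenStart, tokenEnd);
    }

    /**
     * Tells whether the failure should be left alone, that is, no token attempt is made.
     *
     * @return {@code false} for a POST whose URI ends with one of {@code RETRIABLE_RESOURCES}
     *     and for any 401 or 403 response; {@code true} otherwise
     */
    private boolean shouldProceed(HttpRequest httpRequest, HttpResponse<?> httpResponse) {
        String uri = httpRequest.uri().toString();
        boolean isPost = httpRequest.method().equals(StandardHttpRequest.METHOD_POST);
        if (isPost && RETRIABLE_RESOURCES.stream().anyMatch(uri::endsWith)) {
            return false;
        }
        int status = httpResponse.code();
        // 401 Unauthorized and 403 Forbidden are the statuses handled by a token attempt.
        return status != 401 && status != 403;
    }
}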
