package com.azure.core.experimental.credential;

import com.azure.core.credential.TokenCredential;
import com.azure.core.experimental.implementation.AccessTokenCache;
import com.azure.core.experimental.implementation.AuthorizationChallengeParser;
import com.azure.core.http.HttpHeaderName;
import com.azure.core.http.HttpHeaders;
import com.azure.core.http.HttpPipelineCallContext;
import com.azure.core.http.HttpPipelineNextPolicy;
import com.azure.core.http.HttpPipelineNextSyncPolicy;
import com.azure.core.http.HttpResponse;
import com.azure.core.http.policy.HttpPipelinePolicy;
import com.azure.core.util.CoreUtils;
import com.azure.core.util.logging.ClientLogger;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/azure/core/experimental/credential/PopTokenAuthenticationPolicy.class */
public class PopTokenAuthenticationPolicy implements HttpPipelinePolicy {
    private static final ClientLogger LOGGER = new ClientLogger(PopTokenAuthenticationPolicy.class);
    private final List<String> scopes = new ArrayList();
    private final AccessTokenCache cache;
    private String popNonce;

    public PopTokenAuthenticationPolicy(TokenCredential tokenCredential, String... strArr) {
        Objects.requireNonNull(tokenCredential);
        this.scopes.clear();
        this.scopes.addAll(Arrays.asList(strArr));
        this.cache = new AccessTokenCache(tokenCredential);
    }

    public Mono<Void> authorizeRequest(HttpPipelineCallContext httpPipelineCallContext) {
        return this.scopes == null ? Mono.empty() : setAuthorizationHeaderHelper(httpPipelineCallContext, false);
    }

    public void authorizeRequestSync(HttpPipelineCallContext httpPipelineCallContext) {
        setAuthorizationHeaderHelperSync(httpPipelineCallContext, false);
    }

    public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext httpPipelineCallContext, HttpResponse httpResponse) {
        this.popNonce = AuthorizationChallengeParser.getChallengeParameterFromResponse(httpResponse, "PoP", "nonce");
        if (!CoreUtils.isNullOrEmpty(this.popNonce) && this.scopes != null) {
            return setAuthorizationHeaderHelper(httpPipelineCallContext, true).flatMap(r2 -> {
                return Mono.just(true);
            });
        }
        return Mono.just(false);
    }

    public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext httpPipelineCallContext, HttpResponse httpResponse) {
        this.popNonce = AuthorizationChallengeParser.getChallengeParameterFromResponse(httpResponse, "PoP", "nonce");
        if (CoreUtils.isNullOrEmpty(this.popNonce) || this.scopes == null) {
            return false;
        }
        setAuthorizationHeaderHelperSync(httpPipelineCallContext, true);
        return true;
    }

    public Mono<HttpResponse> process(HttpPipelineCallContext httpPipelineCallContext, HttpPipelineNextPolicy httpPipelineNextPolicy) {
        if (!"https".equals(httpPipelineCallContext.getHttpRequest().getUrl().getProtocol())) {
            return Mono.error(new RuntimeException("Proof of possession token authentication is not permitted for non TLS-protected (HTTPS) endpoints."));
        }
        HttpPipelineNextPolicy clone = httpPipelineNextPolicy.clone();
        Mono<Void> authorizeRequest = authorizeRequest(httpPipelineCallContext);
        Objects.requireNonNull(httpPipelineNextPolicy);
        return authorizeRequest.then(Mono.defer(httpPipelineNextPolicy::process)).flatMap(httpResponse -> {
            String headerValue = httpResponse.getHeaderValue(HttpHeaderName.WWW_AUTHENTICATE);
            if (httpResponse.getStatusCode() == 401 && headerValue != null) {
                return authorizeRequestOnChallenge(httpPipelineCallContext, httpResponse).flatMap(bool -> {
                    if (!bool.booleanValue()) {
                        return Mono.just(httpResponse);
                    }
                    httpResponse.close();
                    return clone.process();
                });
            }
            if (headerValue != null) {
                this.popNonce = AuthorizationChallengeParser.getChallengeParameterFromResponse(httpResponse, "PoP", "nonce");
            }
            return Mono.just(httpResponse);
        });
    }

    public HttpResponse processSync(HttpPipelineCallContext httpPipelineCallContext, HttpPipelineNextSyncPolicy httpPipelineNextSyncPolicy) {
        if (!"https".equals(httpPipelineCallContext.getHttpRequest().getUrl().getProtocol())) {
            throw LOGGER.logExceptionAsError(new RuntimeException("Proof of possession token authentication is not permitted for non TLS-protected (HTTPS) endpoints."));
        }
        HttpPipelineNextSyncPolicy clone = httpPipelineNextSyncPolicy.clone();
        authorizeRequestSync(httpPipelineCallContext);
        HttpResponse processSync = httpPipelineNextSyncPolicy.processSync();
        String headerValue = processSync.getHeaderValue(HttpHeaderName.WWW_AUTHENTICATE);
        if (processSync.getStatusCode() != 401 || headerValue == null) {
            if (headerValue == null) {
                return processSync;
            }
            this.popNonce = AuthorizationChallengeParser.getChallengeParameterFromResponse(processSync, "PoP", "nonce");
            return processSync;
        }
        if (!authorizeRequestOnChallengeSync(httpPipelineCallContext, processSync)) {
            return processSync;
        }
        processSync.close();
        return clone.processSync();
    }

    private Mono<Void> setAuthorizationHeaderHelper(HttpPipelineCallContext httpPipelineCallContext, boolean z) {
        if ("https".equals(httpPipelineCallContext.getHttpRequest().getUrl().getProtocol())) {
            return !CoreUtils.isNullOrEmpty(this.popNonce) ? this.cache.getToken(new PopTokenRequestContext().m5addScopes(this.scopes.get(0)).setProofOfPossessionNonce(this.popNonce).setResourceRequestUrl(httpPipelineCallContext.getHttpRequest().getUrl()).setResourceRequestMethod(httpPipelineCallContext.getHttpRequest().getHttpMethod()), z).flatMap(accessToken -> {
                setAuthorizationHeader(httpPipelineCallContext.getHttpRequest().getHeaders(), accessToken.getToken());
                return Mono.empty();
            }) : Mono.empty();
        }
        throw LOGGER.logExceptionAsError(new RuntimeException("Proof of possession token authentication is not permitted for non TLS-protected (HTTPS) endpoints."));
    }

    private void setAuthorizationHeaderHelperSync(HttpPipelineCallContext httpPipelineCallContext, boolean z) {
        if (!"https".equals(httpPipelineCallContext.getHttpRequest().getUrl().getProtocol())) {
            throw LOGGER.logExceptionAsError(new RuntimeException("Proof of possession token authentication is not permitted for non TLS-protected (HTTPS) endpoints."));
        }
        setAuthorizationHeader(httpPipelineCallContext.getHttpRequest().getHeaders(), this.cache.getTokenSync(new PopTokenRequestContext().m5addScopes(this.scopes.get(0)).setProofOfPossessionNonce(this.popNonce).setResourceRequestUrl(httpPipelineCallContext.getHttpRequest().getUrl()).setResourceRequestMethod(httpPipelineCallContext.getHttpRequest().getHttpMethod()), z).getToken());
    }

    private static void setAuthorizationHeader(HttpHeaders httpHeaders, String str) {
        httpHeaders.set(HttpHeaderName.AUTHORIZATION, "Pop " + str);
    }
}
