package com.azure.security.keyvault.jca.implementation.utils;

import com.azure.security.keyvault.jca.implementation.model.AccessToken;
import com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.HttpResponse;
import com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.client.utils.URLEncodedUtils;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/azure/security/keyvault/jca/implementation/utils/AccessTokenUtil.class */
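/**
 * Obtains Azure AD access tokens for a Key Vault resource and discovers the login
 * endpoint from the {@code WWW-Authenticate} challenge that Key Vault returns.
 *
 * <p>Two credential paths are supported:
 * <ul>
 *   <li>client credentials (tenant / client ID / client secret) POSTed to the AAD
 *       {@code oauth2/token} endpoint, and</li>
 *   <li>managed identity, read from whichever local identity endpoint the host
 *       exposes (App Service, Container Apps, or IMDS on a VM).</li>
 * </ul>
 *
 * <p>Secrets that pass through here (the client secret, {@code MSI_SECRET},
 * {@code IDENTITY_HEADER} and the returned token) are deliberately kept out of
 * every log statement; only non-secret identifiers (resource, tenant, client ID)
 * are traced.
 */
public final class AccessTokenUtil {
    private static final String CLIENT_ID_FRAGMENT = "&client_id=";
    private static final String CLIENT_SECRET_FRAGMENT = "&client_secret=";
    private static final String GRANT_TYPE_FRAGMENT = "grant_type=client_credentials";
    private static final String RESOURCE_FRAGMENT = "&resource=";
    private static final String OAUTH2_TOKEN_BASE_URL = "https://login.microsoftonline.com/";
    private static final String OAUTH2_TOKEN_POSTFIX = "oauth2/token";
    /** Azure IMDS token endpoint; a link-local address, reachable only from inside the VM. */
    private static final String OAUTH2_MANAGED_IDENTITY_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01";
    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final Logger LOGGER = Logger.getLogger(AccessTokenUtil.class.getName());
    private static final String PROPERTY_IDENTITY_ENDPOINT = "IDENTITY_ENDPOINT";
    private static final String PROPERTY_IDENTITY_HEADER = "IDENTITY_HEADER";

    /**
     * Obtains a managed-identity access token for {@code resource}, picking the
     * identity endpoint from the environment:
     * <ol>
     *   <li>{@code WEBSITE_SITE_NAME} set → App Service endpoint ({@code MSI_ENDPOINT} / {@code MSI_SECRET});</li>
     *   <li>otherwise {@code IDENTITY_ENDPOINT} set → Container Apps endpoint ({@code IDENTITY_HEADER});</li>
     *   <li>otherwise → IMDS.</li>
     * </ol>
     *
     * @param resource        the audience to request a token for (e.g. the Key Vault resource URI)
     * @param managedIdentity optional identifier of a user-assigned identity; sent as a client ID on
     *                        App Service / Container Apps and as an object ID on IMDS. May be {@code null}
     *                        to use the system-assigned identity.
     * @return the parsed token, or {@code null} when the endpoint returned nothing usable
     */
    public static AccessToken getAccessToken(String resource, String managedIdentity) {
        if (isEnvSet("WEBSITE_SITE_NAME")) {
            return getAccessTokenOnAppService(resource, managedIdentity);
        }
        if (isEnvSet(PROPERTY_IDENTITY_ENDPOINT)) {
            return getAccessTokenOnContainerApp(resource, managedIdentity);
        }
        return getAccessTokenOnOthers(resource, managedIdentity);
    }

    /**
     * Obtains an access token with the OAuth 2.0 client-credentials grant.
     *
     * @param resource             the audience to request a token for
     * @param aadAuthenticationUrl authority base URL to POST to (trailing slash optional); when
     *                             {@code null}, {@code https://login.microsoftonline.com/<tenantId>/} is used
     * @param tenantId             AAD tenant ID, only used when {@code aadAuthenticationUrl} is {@code null}
     * @param clientId             application (client) ID
     * @param clientSecret         client secret; form-encoded into the POST body and never logged
     * @return the parsed token, or {@code null} when the endpoint returned nothing usable
     */
    public static AccessToken getAccessToken(String resource, String aadAuthenticationUrl, String tenantId,
                                             String clientId, String clientSecret) {
        // The client secret is intentionally NOT part of the entering trace: whatever
        // handler backs this logger would otherwise receive it in plaintext.
        LOGGER.entering("AccessTokenUtil", "getAccessToken", new Object[]{resource, tenantId, clientId});
        LOGGER.info("Getting access token using client ID / client secret");

        // NOTE(review): the authority URL is trusted as given. When it comes from a
        // WWW-Authenticate challenge (see getLoginUri) the secret is POSTed to whatever
        // host that challenge named, so callers must only obtain it over TLS from the vault.
        StringBuilder tokenUrl = new StringBuilder();
        if (aadAuthenticationUrl == null) {
            tokenUrl.append(OAUTH2_TOKEN_BASE_URL).append(tenantId).append("/");
        } else {
            tokenUrl.append(HttpUtil.addTrailingSlashIfRequired(aadAuthenticationUrl));
        }
        tokenUrl.append(OAUTH2_TOKEN_POSTFIX);

        // Every value is form-encoded, matching the application/x-www-form-urlencoded
        // content type declared on the request.
        String body = GRANT_TYPE_FRAGMENT
            + CLIENT_ID_FRAGMENT + formEncode(clientId)
            + CLIENT_SECRET_FRAGMENT + formEncode(clientSecret)
            + RESOURCE_FRAGMENT + formEncode(resource);

        String response = HttpUtil.post(tokenUrl.toString(), body, URLEncodedUtils.CONTENT_TYPE);
        AccessToken accessToken = parseAccessToken(response);
        LOGGER.exiting("AccessTokenUtil", "getAccessToken", describe(accessToken));
        return accessToken;
    }

    /**
     * Managed identity on App Service: GET {@code MSI_ENDPOINT} (API version 2017-09-01),
     * authenticated to the local endpoint with the {@code MSI_SECRET} header.
     */
    private static AccessToken getAccessTokenOnAppService(String resource, String clientId) {
        LOGGER.entering("AccessTokenUtil", "getAccessTokenOnAppService", resource);
        LOGGER.info("Getting access token using managed identity based on MSI_SECRET");

        StringBuilder url = new StringBuilder()
            .append(System.getenv("MSI_ENDPOINT"))
            .append("?api-version=2017-09-01")
            .append(RESOURCE_FRAGMENT).append(resource);
        if (clientId != null) {
            // The 2017-09-01 App Service endpoint spells this parameter "clientid".
            url.append("&clientid=").append(clientId);
            LOGGER.log(Level.INFO, "Using managed identity with client ID: {0}", clientId);
        }

        Map<String, String> headers = new HashMap<>();
        headers.put("Metadata", "true");
        // MSI_SECRET proves to the local endpoint that the caller is this app; never log it.
        headers.put("Secret", System.getenv("MSI_SECRET"));

        AccessToken accessToken = parseAccessToken(HttpUtil.get(url.toString(), headers));
        LOGGER.exiting("AccessTokenUtil", "getAccessTokenOnAppService", describe(accessToken));
        return accessToken;
    }

    /**
     * Managed identity on Container Apps: GET {@code IDENTITY_ENDPOINT} (API version 2019-08-01),
     * authenticated to the local endpoint with the {@code X-IDENTITY-HEADER} header when
     * {@code IDENTITY_HEADER} is set.
     */
    private static AccessToken getAccessTokenOnContainerApp(String resource, String clientId) {
        LOGGER.entering("AccessTokenUtil", "getAccessTokenOnContainerApp", resource);
        LOGGER.info("Getting access token using managed identity.");

        StringBuilder url = new StringBuilder()
            .append(System.getenv(PROPERTY_IDENTITY_ENDPOINT))
            .append("?api-version=2019-08-01")
            .append(RESOURCE_FRAGMENT).append(resource);
        if (clientId != null) {
            url.append(CLIENT_ID_FRAGMENT).append(clientId);
            LOGGER.log(Level.INFO, "Using managed identity with client ID: {0}", clientId);
        }

        Map<String, String> headers = new HashMap<>();
        if (isEnvSet(PROPERTY_IDENTITY_HEADER)) {
            // Secret shared with the local identity endpoint; never log it.
            headers.put("X-IDENTITY-HEADER", System.getenv(PROPERTY_IDENTITY_HEADER));
        }

        AccessToken accessToken = parseAccessToken(HttpUtil.get(url.toString(), headers));
        LOGGER.exiting("AccessTokenUtil", "getAccessTokenOnContainerApp", describe(accessToken));
        return accessToken;
    }

    /**
     * Managed identity everywhere else: GET the IMDS token endpoint. The optional
     * identity is passed as {@code object_id} here, unlike the other two endpoints
     * which take a client ID.
     */
    private static AccessToken getAccessTokenOnOthers(String resource, String objectId) {
        LOGGER.entering("AccessTokenUtil", "getAccessTokenOnOthers", resource);
        LOGGER.info("Getting access token using managed identity");
        if (objectId != null) {
            LOGGER.log(Level.INFO, "Using managed identity with object ID: {0}", objectId);
        }

        StringBuilder url = new StringBuilder()
            .append(OAUTH2_MANAGED_IDENTITY_TOKEN_URL)
            .append(RESOURCE_FRAGMENT).append(resource);
        if (objectId != null) {
            url.append("&object_id=").append(objectId);
        }

        Map<String, String> headers = new HashMap<>();
        // IMDS requires the Metadata header on token requests.
        headers.put("Metadata", "true");

        AccessToken accessToken = parseAccessToken(HttpUtil.get(url.toString(), headers));
        LOGGER.exiting("AccessTokenUtil", "getAccessTokenOnOthers", describe(accessToken));
        return accessToken;
    }

    /**
     * Performs an unauthenticated GET against {@code resourceUri} and reads the login
     * (authorization) URI out of the {@code WWW-Authenticate} bearer challenge.
     *
     * <p>Unless {@code disableChallengeResourceVerification} is set, the resource/scope
     * named in the challenge must match the host of {@code resourceUri}
     * (see {@link #isChallengeResourceValid}); a mismatch is rejected so that a
     * response naming some other audience cannot steer the caller into requesting a
     * token for it.
     *
     * @param resourceUri                          the Key Vault URI to probe
     * @param disableChallengeResourceVerification {@code true} to skip the resource/host match
     * @return the authorization URI from the challenge, or {@code null} when the challenge
     *         carried neither a {@code resource} nor a {@code scope} attribute
     * @throws IllegalStateException when no response or no challenge header is received,
     *                               the challenge resource does not match, the challenge
     *                               lacks an authorization URI, or that URI is malformed
     */
    public static String getLoginUri(String resourceUri, boolean disableChallengeResourceVerification) {
        LOGGER.entering("AccessTokenUtil", "getLoginUri", resourceUri);
        LOGGER.log(Level.INFO, "Getting login URI using: {0}", resourceUri);

        HttpResponse response = HttpUtil.getWithResponse(resourceUri, null);
        if (response == null) {
            throw new IllegalStateException("Could not obtain login URI to retrieve access token from.");
        }
        // A response without the challenge header previously NPE'd here; fail with a message instead.
        if (response.getFirstHeader(WWW_AUTHENTICATE) == null) {
            throw new IllegalStateException("Response from " + resourceUri + " did not carry a " + WWW_AUTHENTICATE + " challenge.");
        }
        Map<String, String> attributes = extractChallengeAttributes(response.getFirstHeader(WWW_AUTHENTICATE).getValue());

        String challengeResource = attributes.get("resource");
        String scope = challengeResource != null ? challengeResource + "/.default" : attributes.get("scope");
        if (scope == null) {
            return null;
        }
        if (!disableChallengeResourceVerification && !isChallengeResourceValid(resourceUri, scope)) {
            throw new IllegalStateException("The challenge resource " + scope + " does not match the requested domain. If you wish to disable this check, set the environment property 'azure.keyvault.disable-challenge-resource-verification' to 'true'. See https://aka.ms/azsdk/blog/vault-uri for more information.");
        }

        String authorizationUri = attributes.get("authorization");
        if (authorizationUri == null) {
            authorizationUri = attributes.get("authorization_uri");
        }
        if (authorizationUri == null) {
            throw new IllegalStateException("The challenge from " + resourceUri + " did not include an authorization URI.");
        }
        try {
            // Syntax check only; the URI is used as-is by the caller.
            new URI(authorizationUri);
        } catch (URISyntaxException e) {
            throw new IllegalStateException("The challenge authorization URI " + authorizationUri + " is invalid.", e);
        }
        LOGGER.log(Level.INFO, "Obtained login URI: {0}", authorizationUri);
        LOGGER.exiting("AccessTokenUtil", "getLoginUri", authorizationUri);
        return authorizationUri;
    }

    /**
     * Splits a {@code Bearer k="v", k2="v2"} challenge into a lower-cased attribute map.
     * Returns an empty map for anything that is not a bearer challenge; attributes
     * without an {@code =} are skipped rather than failing the whole parse.
     */
    private static Map<String, String> extractChallengeAttributes(String challenge) {
        LOGGER.entering("AccessTokenUtil", "extractChallengeAttributes", challenge);
        if (!isBearerChallenge(challenge)) {
            return Collections.emptyMap();
        }
        // Lower-cased so "resource"/"scope"/"authorization" lookups are case-insensitive; the
        // values this class consumes (host names, tenant URLs) are case-insensitive as well.
        String parameters = challenge.toLowerCase(Locale.ROOT)
            .replace(BEARER_TOKEN_PREFIX.toLowerCase(Locale.ROOT), "");

        Map<String, String> attributes = new HashMap<>();
        for (String pair : parameters.split(", ")) {
            // Limit of 2 keeps a value that itself contains '=' intact.
            String[] keyValue = pair.split("=", 2);
            if (keyValue.length != 2) {
                LOGGER.log(Level.FINE, "Ignoring malformed challenge attribute: {0}", pair);
                continue;
            }
            attributes.put(keyValue[0].replaceAll("\"", ""), keyValue[1].replaceAll("\"", ""));
        }
        LOGGER.exiting("AccessTokenUtil", "extractChallengeAttributes", attributes);
        return attributes;
    }

    /** {@code true} when the header is non-empty and starts with {@code "Bearer "} (case-insensitive). */
    private static boolean isBearerChallenge(String challenge) {
        if (challenge == null || challenge.isEmpty()) {
            return false;
        }
        return challenge.toLowerCase(Locale.ROOT).startsWith(BEARER_TOKEN_PREFIX.toLowerCase(Locale.ROOT));
    }

    /**
     * Checks that the host we were asked to talk to is a sub-domain of the host named
     * in the challenge scope, e.g. {@code myvault.vault.azure.net} under
     * {@code vault.azure.net}. Either side lacking a host (no scheme/authority) counts
     * as a mismatch instead of an NPE.
     *
     * @throws IllegalStateException when either value is not a syntactically valid URI
     */
    private static boolean isChallengeResourceValid(String resourceUri, String challengeScope) {
        LOGGER.entering("AccessTokenUtil", "isChallengeResourceValid", new Object[]{resourceUri, challengeScope});

        String requestedHost;
        try {
            requestedHost = new URI(resourceUri).getHost();
        } catch (URISyntaxException e) {
            throw new IllegalStateException("The provided resource " + resourceUri + " is not a valid URI.", e);
        }
        String challengeHost;
        try {
            challengeHost = new URI(challengeScope).getHost();
        } catch (URISyntaxException e) {
            throw new IllegalStateException("The challenge scope " + challengeScope + " is not a valid URI.", e);
        }

        boolean valid = requestedHost != null
            && challengeHost != null
            && requestedHost.toLowerCase(Locale.ROOT).endsWith("." + challengeHost.toLowerCase(Locale.ROOT));
        LOGGER.exiting("AccessTokenUtil", "isChallengeResourceValid", Boolean.valueOf(valid));
        return valid;
    }

    /** {@code true} when the environment variable exists and is non-empty. */
    private static boolean isEnvSet(String name) {
        String value = System.getenv(name);
        return value != null && !value.isEmpty();
    }

    /**
     * Form-encodes one value for an {@code application/x-www-form-urlencoded} body.
     * {@code null} encodes as the empty string.
     */
    private static String formEncode(String value) {
        if (value == null) {
            return "";
        }
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; sending a half-built body (e.g. an empty
            // secret) would only produce a confusing auth failure, so fail loudly instead.
            throw new IllegalStateException("UTF-8 encoding is not available", e);
        }
    }

    /**
     * Parses a token endpoint's JSON body. Returns {@code null} when the body is
     * absent or unparseable; the parse failure is logged at WARNING without the body.
     */
    private static AccessToken parseAccessToken(String responseBody) {
        if (responseBody == null) {
            return null;
        }
        try {
            return (AccessToken) JsonConverterUtil.fromJson(AccessToken::fromJson, responseBody);
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to parse access token response.", e);
            return null;
        }
    }

    /**
     * Trace-safe description of a token result. The token object itself is never
     * handed to the logger, so its {@code toString()} (not visible here) cannot leak
     * the bearer value into log output.
     */
    private static String describe(AccessToken accessToken) {
        return accessToken == null ? "no token obtained" : "token obtained";
    }
}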
