package net.snowflake.client.core.auth.oauth;

import net.snowflake.client.core.SFException;
import net.snowflake.client.core.SFLoginInput;
import net.snowflake.client.core.SnowflakeJdbcInternalApi;
import net.snowflake.client.jdbc.ErrorCode;
import net.snowflake.client.jdbc.SnowflakeUseDPoPNonceException;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.HttpRequestBase;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.Scope;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.TokenRequest;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.auth.Secret;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.id.ClientID;
import net.snowflake.client.jdbc.internal.com.nimbusds.oauth2.sdk.token.RefreshToken;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;

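/**
 * {@link AccessTokenProvider} that obtains a new OAuth access token by sending a refresh-token
 * grant to the token endpoint.
 *
 * <p>Security notes for maintainers:
 *
 * <ul>
 *   <li>The outgoing token request carries the OAuth client secret (client-secret-basic
 *       authentication) and the refresh token. Never log the request object or its headers/body.
 *   <li>When DPoP is enabled on the login input, a DPoP proof header is attached to the request.
 *       If the IdP answers with {@code use_dpop_nonce}, the request is retried exactly once with
 *       the server-supplied nonce.
 * </ul>
 */
@SnowflakeJdbcInternalApi
public class OAuthAccessTokenForRefreshTokenProvider implements AccessTokenProvider {
    // Bound to this class (previously OAuthClientCredentialsAccessTokenProvider, a copy/paste slip)
    // so that refresh-token events are attributed to the right flow in logs and log-based alerts.
    private static final SFLogger logger = SFLoggerFactory.getLogger(OAuthAccessTokenForRefreshTokenProvider.class);

    // One DPoPUtil per provider instance.
    // NOTE(review): presumably this owns the DPoP key material for the instance - confirm in DPoPUtil.
    private final DPoPUtil dPoPUtil = new DPoPUtil();

    /**
     * Exchanges the refresh token held by the login input for a new access token.
     *
     * @param sFLoginInput login parameters (OAuth client settings, refresh token, DPoP flag)
     * @return the token response returned by the token endpoint
     * @throws SFException if the refresh-token flow fails
     */
    @Override
    public TokenResponseDTO getAccessToken(SFLoginInput sFLoginInput) throws SFException {
        // First attempt: no DPoP nonce is known yet and no retry has happened.
        return exchangeRefreshTokenForAccessToken(sFLoginInput, null, false);
    }

    /**
     * Returns the public key reported by this provider's {@link DPoPUtil}.
     *
     * @return the DPoP public key as provided by {@code DPoPUtil.getPublicKey()}
     */
    @Override
    public String getDPoPPublicKey() {
        return this.dPoPUtil.getPublicKey();
    }

    /**
     * Sends the refresh-token request and handles the {@code use_dpop_nonce} challenge.
     *
     * @param loginInput login parameters used to build the request
     * @param dpopNonce nonce to embed in the DPoP proof, or {@code null} on the first attempt
     * @param alreadyRetried {@code true} when this call is itself the nonce retry
     * @return the token response
     * @throws SFException wrapping any other failure with {@code OAUTH_REFRESH_TOKEN_FLOW_ERROR}
     */
    private TokenResponseDTO exchangeRefreshTokenForAccessToken(SFLoginInput loginInput, String dpopNonce, boolean alreadyRetried) throws SFException {
        try {
            logger.info("Obtaining new OAuth access token using refresh token...");
            HttpRequestBase tokenRequest = buildTokenRequest(loginInput, dpopNonce);
            return OAuthUtil.sendTokenRequest(tokenRequest, loginInput);
        } catch (SnowflakeUseDPoPNonceException nonceChallenge) {
            logger.debug("Received \"use_dpop_nonce\" error from IdP while performing token request");
            if (!alreadyRetried) {
                logger.debug("Retrying token request with DPoP nonce included...");
                return exchangeRefreshTokenForAccessToken(loginInput, nonceChallenge.getNonce(), true);
            }
            // The retry is bounded to a single attempt so a server that keeps demanding a
            // nonce cannot drive the client into unbounded recursion.
            logger.debug("Skipping DPoP nonce retry as it has been already retried");
            throw nonceChallenge;
        } catch (Exception failure) {
            // NOTE(review): the exception (and its message) is logged and copied into the
            // SFException. Confirm that neither SFLogger output nor messages raised by the token
            // exchange can contain the client secret, refresh token or token-endpoint response body.
            logger.error("Error during OAuth refresh token flow.", failure);
            throw new SFException(failure, ErrorCode.OAUTH_REFRESH_TOKEN_FLOW_ERROR, failure.getMessage());
        }
    }

    /**
     * Builds the HTTP request for the refresh-token grant.
     *
     * @param loginInput source of the token endpoint URL, client id/secret, refresh token and scope
     * @param dpopNonce nonce passed to the DPoP proof builder; may be {@code null}
     * @return the HTTP request, with a DPoP proof header added when DPoP is enabled
     * @throws SFException propagated from the helpers called here
     */
    private HttpRequestBase buildTokenRequest(SFLoginInput loginInput, String dpopNonce) throws SFException {
        // Argument order (and therefore evaluation order) matches the original single expression.
        TokenRequest refreshRequest =
                new TokenRequest(
                        OAuthUtil.getTokenRequestUrl(loginInput.getOauthLoginInput(), loginInput.getServerUrl()),
                        // Client authentication: id + secret. Sensitive - keep out of logs.
                        new ClientSecretBasic(
                                new ClientID(loginInput.getOauthLoginInput().getClientId()),
                                new Secret(loginInput.getOauthLoginInput().getClientSecret())),
                        // Grant: the refresh token itself. Sensitive - keep out of logs.
                        new RefreshTokenGrant(new RefreshToken(loginInput.getOauthRefreshToken())),
                        new Scope(OAuthUtil.getScope(loginInput.getOauthLoginInput(), loginInput.getRole())));
        HttpRequestBase httpRequest = OAuthUtil.convertToBaseRequest(refreshRequest.toHTTPRequest());
        if (loginInput.isDPoPEnabled()) {
            this.dPoPUtil.addDPoPProofHeaderToRequest(httpRequest, dpopNonce);
        }
        return httpRequest;
    }
}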
