package com.azure.spring.aad.webapi;

import com.azure.spring.autoconfigure.aad.Constants;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.MsalInteractionRequiredException;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import java.net.MalformedURLException;
import java.text.ParseException;
import java.time.Instant;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.util.Assert;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:com/azure/spring/aad/webapi/AADOAuth2OboAuthorizedClientRepository.class */
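/**
 * {@link OAuth2AuthorizedClientRepository} that obtains a downstream access token through the
 * Azure AD On-Behalf-Of (OBO) flow: the bearer token that authenticated the current request is
 * presented to MSAL as a {@link UserAssertion} and exchanged for a token carrying the scopes of the
 * requested {@link ClientRegistration}.
 *
 * <p>The resulting {@link OAuth2AuthorizedClient} is cached only as an attribute of the current
 * {@link HttpServletRequest}, so it never outlives the request and is never shared between users.
 * {@link #saveAuthorizedClient} and {@link #removeAuthorizedClient} are intentionally no-ops for the
 * same reason.
 */
public class AADOAuth2OboAuthorizedClientRepository implements OAuth2AuthorizedClientRepository {
    private static final Logger LOGGER = LoggerFactory.getLogger(AADOAuth2OboAuthorizedClientRepository.class);
    /** Request-attribute name prefix under which a loaded client is cached, keyed by registration id. */
    private static final String OBO_AUTHORIZEDCLIENT_PREFIX = "obo_authorizedclient_";
    /** Source of the per-registration client id, secret, scopes and authorization URI. */
    private final ClientRegistrationRepository repository;

    /**
     * @param clientRegistrationRepository registrations looked up by id on every load; must not be null
     */
    public AADOAuth2OboAuthorizedClientRepository(ClientRegistrationRepository clientRegistrationRepository) {
        Assert.notNull(clientRegistrationRepository, "ClientRegistrationRepository should not be null.");
        this.repository = clientRegistrationRepository;
    }

    /**
     * Returns an authorized client for {@code clientRegistrationId}, performing the OBO exchange on
     * first use within the request and returning the cached result afterwards.
     *
     * @param clientRegistrationId id of the downstream {@link ClientRegistration}
     * @param principal the resource-server authentication; must be an
     *     {@link AbstractOAuth2TokenAuthenticationToken} whose token becomes the OBO user assertion
     * @param request the current request, used as the per-request cache
     * @return the authorized client, or {@code null} when the registration is unknown, the MSAL
     *     application cannot be built, the token exchange fails, or the returned token lacks
     *     {@code iat}/{@code exp} claims
     * @throws IllegalStateException if {@code principal} is not an OAuth2 token authentication
     */
    @Override
    @SuppressWarnings("unchecked") // the interface returns T extends OAuth2AuthorizedClient; we only ever build OAuth2AuthorizedClient
    public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(String clientRegistrationId, Authentication principal, HttpServletRequest request) {
        String attributeName = OBO_AUTHORIZEDCLIENT_PREFIX + clientRegistrationId;
        Object cached = request.getAttribute(attributeName);
        if (cached != null) {
            return (T) cached;
        }
        if (!(principal instanceof AbstractOAuth2TokenAuthenticationToken)) {
            throw new IllegalStateException("Unsupported token implementation " + principal.getClass());
        }
        try {
            // The token that authenticated this request is what we assert to Azure AD on the user's behalf.
            String incomingToken = ((AbstractOAuth2TokenAuthenticationToken<?>) principal).getToken().getTokenValue();
            ClientRegistration registration = this.repository.findByRegistrationId(clientRegistrationId);
            if (registration == null) {
                LOGGER.warn("Not found the ClientRegistration, registrationId={}", clientRegistrationId);
                return null;
            }
            OnBehalfOfParameters parameters = OnBehalfOfParameters
                .builder(registration.getScopes(), new UserAssertion(incomingToken))
                .build();
            ConfidentialClientApplication app = createApp(registration);
            if (app == null) {
                return null;
            }
            // Blocks the request thread until MSAL completes the exchange.
            IAuthenticationResult result = app.acquireToken(parameters).get();
            String downstreamToken = result.accessToken();
            // Nimbus materialises the registered iat/exp claims as Date; absent claims come back as null.
            JWT jwt = JWTParser.parse(downstreamToken);
            Date issuedAt = (Date) jwt.getJWTClaimsSet().getClaim("iat");
            Date expiresAt = (Date) jwt.getJWTClaimsSet().getClaim("exp");
            if (issuedAt == null || expiresAt == null) {
                LOGGER.warn("Access token for registrationId={} has no iat/exp claim.", clientRegistrationId);
                return null;
            }
            OAuth2AccessToken accessToken = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER,
                downstreamToken,
                Instant.ofEpochMilli(issuedAt.getTime()),
                Instant.ofEpochMilli(expiresAt.getTime()));
            T client = (T) new OAuth2AuthorizedClient(registration, principal.getName(), accessToken);
            request.setAttribute(attributeName, client);
            return client;
        } catch (ExecutionException e) {
            // MSAL reports a claims challenge (e.g. conditional access) as MsalInteractionRequiredException;
            // relay it to the caller as 403 + WWW-Authenticate so it can re-acquire a suitable token.
            Throwable cause = e.getCause();
            if (cause instanceof MsalInteractionRequiredException) {
                replyForbiddenWithWwwAuthenticateHeader((MsalInteractionRequiredException) cause);
            }
            LOGGER.error("Failed to load authorized client.", e);
            return null;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt(); // preserve the interrupt for whoever owns this thread
            LOGGER.error("Failed to load authorized client.", e);
            return null;
        } catch (ParseException e) {
            LOGGER.error("Failed to load authorized client.", e);
            return null;
        }
    }

    /** No-op: clients are only cached on the request in {@link #loadAuthorizedClient}. */
    @Override
    public void saveAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal, HttpServletRequest request, HttpServletResponse response) {
    }

    /** No-op: the per-request cache is discarded with the request. */
    @Override
    public void removeAuthorizedClient(String clientRegistrationId, Authentication principal, HttpServletRequest request, HttpServletResponse response) {
    }

    /**
     * Builds the MSAL confidential client for {@code clientRegistration} from its client id and secret,
     * using the authority derived from the registration's authorization URI.
     *
     * @return the application, or {@code null} when MSAL rejects the authority as a malformed URL
     */
    ConfidentialClientApplication createApp(ClientRegistration clientRegistration) {
        try {
            return ConfidentialClientApplication
                .builder(clientRegistration.getClientId(), ClientCredentialFactory.createFromSecret(clientRegistration.getClientSecret()))
                .authority(interceptAuthorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri()))
                .build();
        } catch (MalformedURLException e) {
            LOGGER.error("Failed to create ConfidentialClientApplication", e);
            return null;
        }
    }

    /**
     * Derives the MSAL authority from an authorization endpoint URI by keeping everything up to and
     * including the fourth {@code '/'}, i.e. scheme, host and tenant segment. Constructed example:
     * {@code https://login.example/tenant/oauth2/v2.0/authorize} yields {@code https://login.example/tenant/}.
     *
     * @return the authority prefix, or {@code null} if the URI contains fewer than four slashes
     */
    private String interceptAuthorizationUri(String authorizationUri) {
        int slashes = 0;
        for (int index = 0; index < authorizationUri.length(); index++) {
            if (authorizationUri.charAt(index) == '/') {
                slashes++;
                if (slashes == 4) {
                    return authorizationUri.substring(0, index + 1);
                }
            }
        }
        return null;
    }

    /**
     * Answers the current request with 403 and a {@code WWW-Authenticate} challenge carrying the claims
     * MSAL reported as required, so the client can obtain a token that satisfies them.
     */
    void replyForbiddenWithWwwAuthenticateHeader(MsalInteractionRequiredException msalInteractionRequiredException) {
        // NOTE(review): RequestAttributes itself has no getResponse(); the compiled class presumably casts
        // to a servlet-specific attributes type here — confirm against the original source.
        HttpServletResponse response = RequestContextHolder.currentRequestAttributes().getResponse();
        Assert.notNull(response, "HttpServletResponse should not be null.");
        response.setStatus(HttpStatus.FORBIDDEN.value());
        Map<String, Object> parameters = new LinkedHashMap<>();
        parameters.put(Constants.CONDITIONAL_ACCESS_POLICY_CLAIMS, msalInteractionRequiredException.claims());
        parameters.put("error", "invalid_token");
        parameters.put("error_description", "The resource server requires higher privileges than provided by the access token");
        // Insertion order matters: the map's toString() is the challenge text presumably parsed by the client.
        response.addHeader("WWW-Authenticate", Constants.BEARER_PREFIX + parameters.toString());
    }
}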
