package org.springframework.boot.actuate.autoconfigure.cloudfoundry.reactive;

import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.AccessLevel;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.CloudFoundryAuthorizationException;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpStatus;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import reactor.core.publisher.Mono;
import reactor.netty.http.client.HttpClient;

/* loaded from: input_file:BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.2.0.RELEASE.jar:org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundrySecurityService.class */
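/**
 * Reactive client for the Cloud Foundry endpoints this class calls: the cloud controller's
 * {@code /v2/apps/{id}/permissions} and {@code /info}, and the {@code /token_keys} endpoint of
 * the URL that {@code /info} reports as {@code token_endpoint}.
 *
 * <p>Every failure is surfaced as a {@link CloudFoundryAuthorizationException}; the original
 * error is attached as its cause so operators can tell a TLS or connection failure from an HTTP
 * error response.
 *
 * <p>Security note: when the constructor's {@code z} flag is set, all requests use a connector
 * that accepts any server certificate (see {@link #buildTrustAllSslConnector()}). The bearer
 * token sent by {@link #getAccessLevel(String, String)} and the keys returned by
 * {@link #fetchTokenKeys()} then travel over connections whose peer is not authenticated.
 */
class ReactiveCloudFoundrySecurityService {

    /** Type token for reading a JSON object body as {@code Map<String, Object>}. */
    private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP =
            new ParameterizedTypeReference<Map<String, Object>>() {
            };

    private final WebClient webClient;
    private final String cloudControllerUrl;
    // Most recent pipeline built by getUaaUrl(); it is reassigned on every call.
    private Mono<String> uaaUrl;

    /**
     * Creates the service. (Decompiler note: this member was package-private in the original
     * class.)
     *
     * @param builder the {@link WebClient.Builder} used to build the client; must not be null
     * @param str the cloud controller base URL; must not be null
     * @param z when {@code true}, TLS certificate validation is disabled for every request made
     *     by this service
     */
    public ReactiveCloudFoundrySecurityService(WebClient.Builder builder, String str, boolean z) {
        Assert.notNull(builder, "Webclient must not be null");
        Assert.notNull(str, "CloudControllerUrl must not be null");
        if (z) {
            // Replaces the builder's connector, so the trust-all TLS context applies to the
            // permissions, /info and /token_keys calls alike.
            builder.clientConnector(buildTrustAllSslConnector());
        }
        this.webClient = builder.build();
        this.cloudControllerUrl = str;
    }

    /**
     * Builds a connector whose TLS context is produced by {@link #createSslContext()}, i.e. one
     * that does not validate the server's certificate chain.
     *
     * @return a connector backed by a Reactor Netty {@link HttpClient} with the trust-all context
     */
    protected ReactorClientHttpConnector buildTrustAllSslConnector() {
        HttpClient client = HttpClient.create().secure(spec -> spec.sslContext(createSslContext()));
        return new ReactorClientHttpConnector(client);
    }

    /**
     * Creates a client-side SSL context builder that uses the JDK provider and
     * {@link InsecureTrustManagerFactory}, which trusts every certificate presented.
     * Where the platform uses a private CA, adding that CA to a trust store keeps server
     * authentication intact and is the safer alternative to enabling this path.
     */
    private SslContextBuilder createSslContext() {
        return SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .trustManager(InsecureTrustManagerFactory.INSTANCE);
    }

    /**
     * Requests the permissions resource for an application and maps the response to an
     * {@link AccessLevel}. (Decompiler note: originally package-private.)
     *
     * @param str the token sent as {@code Authorization: bearer <token>}
     * @param str2 the application id placed in the {@code /v2/apps/{id}/permissions} path
     * @return a {@code Mono} emitting the access level, or failing with a
     *     {@link CloudFoundryAuthorizationException} as described on {@link #mapError(Throwable)}
     * @throws CloudFoundryAuthorizationException declared by the original signature; errors from
     *     the request itself are delivered through the returned {@code Mono}
     */
    public Mono<AccessLevel> getAccessLevel(String str, String str2) throws CloudFoundryAuthorizationException {
        return this.webClient.get()
                .uri(getPermissionsUri(str2))
                .header("Authorization", "bearer " + str)
                .retrieve()
                .bodyToMono(Map.class)
                .map(this::getAccessLevel)
                .onErrorMap(this::mapError);
    }

    /**
     * Translates a failure of the permissions request into an authorization exception:
     * HTTP 403 becomes {@code ACCESS_DENIED}, any other 4xx becomes {@code INVALID_TOKEN}, and
     * everything else (5xx responses and errors that are not HTTP responses at all) becomes
     * {@code SERVICE_UNAVAILABLE}. The messages are fixed strings; the original error is kept
     * only as the cause.
     */
    private Throwable mapError(Throwable error) {
        if (error instanceof WebClientResponseException) {
            HttpStatus status = ((WebClientResponseException) error).getStatusCode();
            if (status.equals(HttpStatus.FORBIDDEN)) {
                return new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.ACCESS_DENIED, "Access denied", error);
            }
            if (status.is4xxClientError()) {
                return new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.INVALID_TOKEN, "Invalid token", error);
            }
        }
        return new CloudFoundryAuthorizationException(
                CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Cloud controller not reachable",
                error);
    }

    /**
     * Maps a permissions response body to an access level. Only a JSON boolean {@code true} under
     * {@code read_sensitive_data} yields {@link AccessLevel#FULL}; a missing key or any other
     * value (including the string {@code "true"}) yields {@link AccessLevel#RESTRICTED}.
     */
    private AccessLevel getAccessLevel(Map<?, ?> body) {
        boolean canReadSensitiveData = Boolean.TRUE.equals(body.get("read_sensitive_data"));
        return canReadSensitiveData ? AccessLevel.FULL : AccessLevel.RESTRICTED;
    }

    /**
     * Builds the permissions URL for an application id.
     */
    private String getPermissionsUri(String applicationId) {
        // NOTE(review): the id is concatenated into the path without encoding - confirm callers
        // only pass a platform-provided application id, never request-derived input.
        return this.cloudControllerUrl + "/v2/apps/" + applicationId + "/permissions";
    }

    /**
     * Resolves the UAA URL via {@link #getUaaUrl()} and fetches its token keys.
     * (Decompiler note: originally package-private.)
     *
     * @return a {@code Mono} emitting a map from key id ({@code kid}) to key value
     */
    public Mono<Map<String, String>> fetchTokenKeys() {
        return getUaaUrl().flatMap(this::fetchTokenKeys);
    }

    /**
     * Fetches {@code <url>/token_keys} and extracts the key map. Any failure, including a
     * response body that {@link #extractTokenKeys(Map)} cannot walk, is reported as
     * {@code SERVICE_UNAVAILABLE}.
     */
    private Mono<? extends Map<String, String>> fetchTokenKeys(String url) {
        // The URL comes from the cloud controller's /info response, so the keys are only as
        // trustworthy as that connection. Presumably callers use them to verify token
        // signatures - TODO confirm against the token validator.
        // NOTE(review): the upstream error text becomes the exception message; confirm it is not
        // echoed to API clients, since it may describe internal endpoints.
        return this.webClient.get()
                .uri(url + "/token_keys")
                .retrieve()
                .bodyToMono(STRING_OBJECT_MAP)
                .map(this::extractTokenKeys)
                .onErrorMap(error -> new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, error.getMessage(), error));
    }

    /**
     * Collects {@code kid -> value} pairs from the {@code keys} array of a token-keys response.
     * A missing {@code keys} entry or an element of an unexpected type makes this method throw;
     * the caller's error mapper turns that into {@code SERVICE_UNAVAILABLE}.
     */
    private Map<String, String> extractTokenKeys(Map<String, Object> response) {
        Map<String, String> tokenKeys = new HashMap<>();
        for (Object entry : (List<?>) response.get("keys")) {
            Map<?, ?> tokenKey = (Map<?, ?>) entry;
            tokenKeys.put((String) tokenKey.get("kid"), (String) tokenKey.get("value"));
        }
        return tokenKeys;
    }

    /**
     * Reads {@code token_endpoint} from the cloud controller's {@code /info} resource.
     * (Decompiler note: originally package-private.)
     *
     * @return a {@code Mono} emitting the UAA URL, or failing with {@code SERVICE_UNAVAILABLE}
     */
    public Mono<String> getUaaUrl() {
        // The field is reassigned on every call, so cache() only replays the result to repeated
        // subscribers of the Mono returned by this one call; each new call issues a new request.
        // NOTE(review): confirm whether caching across calls was intended. It is left as is here
        // because cache() also replays a failure, which would make a transient outage sticky.
        this.uaaUrl = this.webClient.get()
                .uri(this.cloudControllerUrl + "/info")
                .retrieve()
                .bodyToMono(Map.class)
                .map(response -> (String) response.get("token_endpoint"))
                .cache()
                .onErrorMap(error -> new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE,
                        "Unable to fetch token keys from UAA.", error));
        return this.uaaUrl;
    }
}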
