package org.cloudfoundry.reactor.tokenprovider;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.util.AsciiString;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.TemporalAccessor;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.Consumer;
import java.util.function.Function;
import org.cloudfoundry.Nullable;
import org.cloudfoundry.reactor.ConnectionContext;
import org.cloudfoundry.reactor.TokenProvider;
import org.cloudfoundry.reactor.util.ErrorPayloadMapper;
import org.cloudfoundry.reactor.util.JsonCodec;
import org.cloudfoundry.reactor.util.NetworkLogging;
import org.cloudfoundry.reactor.util.UserAgent;
import org.cloudfoundry.uaa.UaaException;
import org.immutables.value.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import reactor.core.publisher.ReplayProcessor;
import reactor.ipc.netty.http.client.HttpClientRequest;
import reactor.ipc.netty.http.client.HttpClientResponse;

/* loaded from: input_file:org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.class */
public abstract class AbstractUaaTokenProvider implements TokenProvider {
    private static final String ACCESS_TOKEN = "access_token";
    private static final String AUTHORIZATION_ENDPOINT = "authorization_endpoint";
    private static final String REFRESH_TOKEN = "refresh_token";
    private static final String TOKEN_TYPE = "token_type";
    private final ConcurrentMap<ConnectionContext, Mono<String>> accessTokens = new ConcurrentHashMap(1);
    private final ConcurrentMap<ConnectionContext, ReplayProcessor<String>> refreshTokenStreams = new ConcurrentHashMap(1);
    private final ConcurrentMap<ConnectionContext, Mono<String>> refreshTokens = new ConcurrentHashMap(1);
    private static final Logger LOGGER = LoggerFactory.getLogger("cloudfoundry-client.token");
    private static final ZoneId UTC = ZoneId.of("UTC");

    @Value.Default
    public String getClientId() {
        return "cf";
    }

    @Value.Default
    public String getClientSecret() {
        return "";
    }

    public Flux<String> getRefreshTokens(ConnectionContext connectionContext) {
        return getRefreshTokenStream(connectionContext);
    }

    @Override // org.cloudfoundry.reactor.TokenProvider
    public final Mono<String> getToken(ConnectionContext connectionContext) {
        return this.accessTokens.computeIfAbsent(connectionContext, this::token);
    }

    @Override // org.cloudfoundry.reactor.TokenProvider
    public void invalidate(ConnectionContext connectionContext) {
        this.accessTokens.put(connectionContext, token(connectionContext));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nullable
    public abstract String getIdentityZoneSubdomain();

    abstract Mono<Void> tokenRequestTransformer(Mono<HttpClientRequest> mono);

    private static HttpClientRequest addContentType(HttpClientRequest httpClientRequest) {
        return httpClientRequest.header(HttpHeaderNames.CONTENT_TYPE, HttpHeaderValues.APPLICATION_X_WWW_FORM_URLENCODED);
    }

    private static HttpClientRequest disableChunkedTransfer(HttpClientRequest httpClientRequest) {
        return httpClientRequest.chunkedTransfer(false);
    }

    private static HttpClientRequest disableFailOnError(HttpClientRequest httpClientRequest) {
        return httpClientRequest.failOnClientError(false).failOnServerError(false);
    }

    private static String extractAccessToken(Map<String, String> map) {
        String str = map.get(ACCESS_TOKEN);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Access Token: {}", str);
            parseToken(str).ifPresent(claims -> {
                LOGGER.debug("Access Token Issued At:  {} UTC", toLocalDateTime(claims.getIssuedAt()));
                LOGGER.debug("Access Token Expires At: {} UTC", toLocalDateTime(claims.getExpiration()));
            });
        }
        return String.format("%s %s", map.get(TOKEN_TYPE), str);
    }

    private static String getTokenUri(String str, String str2) {
        UriComponentsBuilder fromUriString = UriComponentsBuilder.fromUriString(str);
        if (str2 != null) {
            fromUriString.host(String.format("%s.%s", str2, fromUriString.build().getHost()));
        }
        return fromUriString.pathSegment(new String[]{"oauth", "token"}).build().encode().toUriString();
    }

    private static Optional<Claims> parseToken(String str) {
        try {
            return Optional.of(Jwts.parser().parseClaimsJwt(str.substring(0, str.lastIndexOf(46) + 1)).getBody());
        } catch (Exception e) {
            return Optional.empty();
        }
    }

    private static LocalDateTime toLocalDateTime(Date date) {
        return LocalDateTime.from((TemporalAccessor) date.toInstant().atZone(UTC));
    }

    private HttpClientRequest addAuthorization(HttpClientRequest httpClientRequest) {
        return httpClientRequest.header(HttpHeaderNames.AUTHORIZATION, String.format("Basic %s", Base64.getEncoder().encodeToString(new AsciiString(getClientId()).concat(":").concat(getClientSecret()).toByteArray())));
    }

    private Consumer<Map<String, String>> extractRefreshToken(ConnectionContext connectionContext) {
        return map -> {
            Optional.ofNullable(map.get(REFRESH_TOKEN)).ifPresent(str -> {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Refresh Token: {}", str);
                    parseToken(str).ifPresent(claims -> {
                        LOGGER.debug("Refresh Token Issued At:  {} UTC", toLocalDateTime(claims.getIssuedAt()));
                        LOGGER.debug("Refresh Token Expires At: {} UTC", toLocalDateTime(claims.getExpiration()));
                    });
                }
                this.refreshTokens.put(connectionContext, Mono.just(str));
                getRefreshTokenStream(connectionContext).onNext(str);
            });
        };
    }

    private Function<Mono<HttpClientResponse>, Mono<String>> extractTokens(ConnectionContext connectionContext) {
        return mono -> {
            return mono.transform(JsonCodec.decode(connectionContext.getObjectMapper(), Map.class)).map(map -> {
                return map;
            }).doOnNext(extractRefreshToken(connectionContext)).map(AbstractUaaTokenProvider::extractAccessToken);
        };
    }

    private ReplayProcessor<String> getRefreshTokenStream(ConnectionContext connectionContext) {
        return this.refreshTokenStreams.computeIfAbsent(connectionContext, connectionContext2 -> {
            return ReplayProcessor.create(1);
        });
    }

    private Mono<HttpClientResponse> primaryToken(ConnectionContext connectionContext) {
        return requestToken(connectionContext, this::tokenRequestTransformer);
    }

    private Mono<HttpClientResponse> refreshToken(ConnectionContext connectionContext, String str) {
        return requestToken(connectionContext, refreshTokenGrantTokenRequestTransformer(str)).onErrorResume(th -> {
            return (th instanceof UaaException) && ((UaaException) th).getStatusCode() == HttpResponseStatus.UNAUTHORIZED.code();
        }, th2 -> {
            return Mono.empty();
        });
    }

    private Function<Mono<HttpClientRequest>, Mono<Void>> refreshTokenGrantTokenRequestTransformer(String str) {
        return mono -> {
            return mono.then(httpClientRequest -> {
                return httpClientRequest.sendForm(form -> {
                    form.multipart(false).attr("client_id", getClientId()).attr("client_secret", getClientSecret()).attr("grant_type", REFRESH_TOKEN).attr(REFRESH_TOKEN, str);
                }).then();
            });
        };
    }

    private Mono<HttpClientResponse> requestToken(ConnectionContext connectionContext, Function<Mono<HttpClientRequest>, Mono<Void>> function) {
        return connectionContext.getRoot(AUTHORIZATION_ENDPOINT).map(str -> {
            return getTokenUri(str, getIdentityZoneSubdomain());
        }).then(str2 -> {
            return connectionContext.getHttpClient().post(str2, httpClientRequest -> {
                return Mono.just(httpClientRequest).map(AbstractUaaTokenProvider::disableChunkedTransfer).map(AbstractUaaTokenProvider::disableFailOnError).map(this::addAuthorization).map(UserAgent::addUserAgent).map(AbstractUaaTokenProvider::addContentType).map(JsonCodec::addDecodeHeaders).transform(function);
            }).doOnSubscribe(NetworkLogging.post(str2)).transform(NetworkLogging.response(str2));
        }).transform(ErrorPayloadMapper.uaa(connectionContext.getObjectMapper()));
    }

    private Mono<String> token(ConnectionContext connectionContext) {
        return this.refreshTokens.getOrDefault(connectionContext, Mono.empty()).then(str -> {
            return refreshToken(connectionContext, str).doOnSubscribe(subscription -> {
                LOGGER.debug("Negotiating using refresh token");
            });
        }).switchIfEmpty(primaryToken(connectionContext).doOnSubscribe(subscription -> {
            LOGGER.debug("Negotiating using token provider");
        })).transform(ErrorPayloadMapper.fallback()).transform(extractTokens(connectionContext)).cache().checkpoint();
    }
}
