package au.csiro.pathling.fhir;

import au.csiro.pathling.utilities.Preconditions;
import ca.uhn.fhir.interceptor.api.Hook;
import ca.uhn.fhir.interceptor.api.Interceptor;
import ca.uhn.fhir.interceptor.api.Pointcut;
import ca.uhn.fhir.rest.api.Constants;
import ca.uhn.fhir.rest.client.api.IHttpRequest;
import com.google.gson.FieldNamingPolicy;
import com.google.gson.GsonBuilder;
import java.io.IOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.http.Header;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Interceptor
/* loaded from: input_file:au/csiro/pathling/fhir/ClientAuthInterceptor.class */
public class ClientAuthInterceptor {
    public static final int AUTH_CONNECT_TIMEOUT = 5000;
    public static final int AUTH_CONNECTION_REQUEST_TIMEOUT = 5000;
    public static final int AUTH_SOCKET_TIMEOUT = 5000;
    public static final int AUTH_RETRY_COUNT = 3;

    @Nonnull
    private final String tokenEndpoint;

    @Nonnull
    private final String clientId;

    @Nonnull
    private final String clientSecret;

    @Nullable
    private final String scope;
    private final long tokenExpiryTolerance;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ClientAuthInterceptor.class);

    @Nonnull
    private static final Map<AccessScope, AccessContext> accessContexts = new HashMap();

    public ClientAuthInterceptor(@Nonnull String str, @Nonnull String str2, @Nonnull String str3, @Nullable String str4, long j) {
        this.tokenEndpoint = str;
        this.clientId = str2;
        this.clientSecret = str3;
        this.scope = str4;
        this.tokenExpiryTolerance = j;
    }

    @Hook(Pointcut.CLIENT_REQUEST)
    public void handleClientRequest(@Nullable IHttpRequest iHttpRequest) throws IOException {
        if (iHttpRequest != null) {
            String accessToken = ensureAccessContext(this.clientId, this.clientSecret, this.tokenEndpoint, this.scope, this.tokenExpiryTolerance).getClientCredentialsResponse().getAccessToken();
            Preconditions.checkNotNull(accessToken);
            iHttpRequest.addHeader("Authorization", "Bearer " + accessToken);
        }
    }

    @Nonnull
    private static AccessContext ensureAccessContext(@Nonnull String str, @Nonnull String str2, @Nonnull String str3, @Nonnull String str4, long j) throws IOException {
        AccessContext accessContext;
        synchronized (accessContexts) {
            AccessScope accessScope = new AccessScope(str3, str, str4);
            AccessContext accessContext2 = accessContexts.get(accessScope);
            if (accessContext2 == null || accessContext2.getExpiryTime().isBefore(Instant.now().plusSeconds(j))) {
                log.debug("Getting new token");
                accessContext2 = getNewAccessContext(str, str2, str3, str4, j);
                accessContexts.put(accessScope, accessContext2);
            }
            accessContext = accessContext2;
        }
        return accessContext;
    }

    @Nonnull
    private static AccessContext getNewAccessContext(@Nonnull String str, @Nonnull String str2, @Nonnull String str3, @Nullable String str4, long j) throws IOException {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new BasicNameValuePair("client_id", str));
        arrayList.add(new BasicNameValuePair("client_secret", str2));
        return getAccessContext(arrayList, str3, str4, j);
    }

    @Nonnull
    private static AccessContext getAccessContext(@Nonnull List<NameValuePair> list, @Nonnull String str, @Nullable String str2, long j) throws IOException {
        ClientCredentialsResponse clientCredentialsGrant = clientCredentialsGrant(list, str, str2, j);
        Instant expiryTime = getExpiryTime(clientCredentialsGrant);
        log.debug("New token will expire at {}", expiryTime);
        return new AccessContext(clientCredentialsGrant, expiryTime);
    }

    @Nonnull
    private static ClientCredentialsResponse clientCredentialsGrant(@Nonnull List<NameValuePair> list, @Nonnull String str, @Nullable String str2, long j) throws IOException {
        log.debug("Performing client credentials grant using token endpoint: {}", str);
        CloseableHttpClient httpClient = getHttpClient();
        try {
            HttpPost httpPost = new HttpPost(str);
            httpPost.addHeader("Content-Type", "application/x-www-form-urlencoded");
            httpPost.addHeader("Accept", Constants.CT_JSON);
            ArrayList arrayList = new ArrayList();
            arrayList.add(new BasicNameValuePair("grant_type", "client_credentials"));
            if (str2 != null) {
                list.add(new BasicNameValuePair("scope", str2));
            }
            arrayList.addAll(list);
            httpPost.setEntity(new UrlEncodedFormEntity((List<? extends NameValuePair>) arrayList));
            CloseableHttpResponse execute = httpClient.execute((HttpUriRequest) httpPost);
            Header firstHeader = execute.getFirstHeader("Content-Type");
            if (firstHeader == null) {
                throw new ClientProtocolException("Client credentials response contains no Content-Type header");
            }
            if (!firstHeader.getValue().startsWith(Constants.CT_JSON)) {
                throw new ClientProtocolException("Invalid response from token endpoint: content type is not application/json");
            }
            ClientCredentialsResponse clientCredentialsResponse = (ClientCredentialsResponse) new GsonBuilder().setFieldNamingPolicy(FieldNamingPolicy.LOWER_CASE_WITH_UNDERSCORES).create().fromJson(EntityUtils.toString(execute.getEntity()), ClientCredentialsResponse.class);
            if (clientCredentialsResponse.getAccessToken() == null) {
                throw new ClientProtocolException("Client credentials grant does not contain access token");
            }
            if (clientCredentialsResponse.getExpiresIn() < j) {
                throw new ClientProtocolException("Client credentials grant expiry is less than the tolerance: " + clientCredentialsResponse.getExpiresIn());
            }
            if (httpClient != null) {
                httpClient.close();
            }
            return clientCredentialsResponse;
        } catch (Throwable th) {
            if (httpClient != null) {
                try {
                    httpClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static CloseableHttpClient getHttpClient() {
        return HttpClients.custom().setRetryHandler(new DefaultHttpRequestRetryHandler(3, true)).setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(5000).setConnectionRequestTimeout(5000).setSocketTimeout(5000).build()).build();
    }

    private static Instant getExpiryTime(@Nonnull ClientCredentialsResponse clientCredentialsResponse) {
        return Instant.now().plusSeconds(clientCredentialsResponse.getExpiresIn());
    }

    public static void clearAccessContexts() {
        synchronized (accessContexts) {
            accessContexts.clear();
        }
    }
}
