package io.micronaut.oraclecloud.oke.kubernetes.client;

import com.oracle.bmc.Service;
import com.oracle.bmc.auth.AbstractAuthenticationDetailsProvider;
import com.oracle.bmc.containerengine.ContainerEngine;
import com.oracle.bmc.http.signing.RequestSigner;
import com.oracle.bmc.http.signing.RequestSignerFactory;
import com.oracle.bmc.http.signing.SigningStrategy;
import com.oracle.bmc.http.signing.internal.DefaultRequestSignerFactory;
import io.micronaut.context.annotation.BootstrapContextCompatible;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.Internal;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.http.uri.UriBuilder;
import io.micronaut.kubernetes.client.openapi.config.KubeConfig;
import io.micronaut.kubernetes.client.openapi.config.KubeConfigLoader;
import io.micronaut.kubernetes.client.openapi.config.model.ExecConfig;
import io.micronaut.kubernetes.client.openapi.credential.KubernetesTokenLoader;
import io.micronaut.kubernetes.client.openapi.credential.model.ExecCredential;
import io.micronaut.kubernetes.client.openapi.credential.model.ExecCredentialStatus;
import jakarta.inject.Singleton;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

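@Singleton
@Internal
@BootstrapContextCompatible
@Requires(beans = {AbstractAuthenticationDetailsProvider.class, OkeKubernetesClientConfig.class})
/**
 * Produces the Kubernetes token for an OKE cluster in-process, instead of running the
 * {@code oci ce cluster generate-token} exec command that the kubeconfig describes.
 *
 * <p>The kubeconfig exec entry is only parsed, never executed: it must name the command
 * {@code oci} with the leading arguments {@code ce cluster generate-token}, and supply
 * {@code --cluster-id}. The token is the URL-safe base64 encoding of a signed
 * {@code GET <endpoint>/cluster_request/<clusterId>} URL whose signature headers are
 * carried as query parameters.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The returned token embeds the request signature (and the delegation token when
 *       present). Treat it as a secret: it must not be logged or put into exception
 *       messages. Nothing in this class logs it.</li>
 *   <li>The cluster id is taken from the kubeconfig and placed unescaped into the path
 *       that gets signed; see the note on {@code loadCredential}.</li>
 *   <li>When a refresh fails, the error is logged and the previously cached credential
 *       is kept, so {@link #getToken()} can return a token past its recorded expiry.</li>
 * </ul>
 *
 * <p>Refreshes are serialized on {@code this}; the cached credential is a volatile field.
 */
public class OkeKubernetesCredentialLoader implements KubernetesTokenLoader {
    private static final String EXPECTED_COMMAND = "oci";
    private static final String CLUSTER_ID_ARG = "--cluster-id";
    private static final String REGION_ARG = "--region";
    private static final String DELEGATION_TOKEN_HEADER = "opc-obo-token";
    private static final String AUTHORIZATION_HEADER = "authorization";
    private static final String DATE_HEADER = "date";
    private static final String TOKEN_URL_FORMAT = "%s/cluster_request/%s";
    private static final String EXEC_CREDENTIAL_API_VERSION = "client.authentication.k8s.io/v1beta1";
    private static final String EXEC_CREDENTIAL_KIND = "ExecCredential";
    private static final int ORDER = 5;
    private static final String[] EXPECTED_ARGS = {"ce", "cluster", "generate-token"};
    private static final Logger LOG = LoggerFactory.getLogger(OkeKubernetesCredentialLoader.class);
    // A cached credential is refreshed once it is within this window of its expiry.
    private static final Duration BUFFER = Duration.ofSeconds(60);

    private final String containerEngineEndpoint;
    private final RequestSigner requestSigner;
    private final KubeConfig kubeConfig;
    // Written only inside synchronized (this); read without the lock, hence volatile.
    private volatile ExecCredential execCredential;

    /**
     * Values extracted from the kubeconfig exec arguments.
     *
     * <p>Restored as a record: the decompiled form ({@code extends Record} with explicit
     * {@code ObjectMethods.bootstrap} calls) is not valid Java source. The decompiler
     * reports the original access as private.
     *
     * @param region    value following {@code --region}, or {@code null} when absent; it is
     *                  parsed but not read when the token URL is built in this class
     * @param clusterId value following {@code --cluster-id}; never {@code null} once parsed
     */
    private record ParsedExecCommand(String region, String clusterId) {
    }

    /**
     * Captures the container-engine endpoint, builds the request signer and loads the kubeconfig.
     *
     * <p>The decompiler reports that this constructor was package-private in the original
     * class; it is left public here so that the visible interface of this listing is unchanged.
     *
     * @param requestSignerFactory factory for the signer; when {@code null} a
     *                             {@link DefaultRequestSignerFactory} with
     *                             {@link SigningStrategy#STANDARD} is used
     * @param abstractAuthenticationDetailsProvider credentials the signer signs with
     * @param kubeConfigLoader     source of the kubeconfig whose exec entry is parsed
     * @param containerEngine      client whose endpoint becomes the base of the token URL
     */
    public OkeKubernetesCredentialLoader(@Nullable RequestSignerFactory requestSignerFactory, @NonNull AbstractAuthenticationDetailsProvider abstractAuthenticationDetailsProvider, KubeConfigLoader kubeConfigLoader, @NonNull ContainerEngine containerEngine) {
        this.containerEngineEndpoint = containerEngine.getEndpoint();
        RequestSignerFactory signerFactory = requestSignerFactory != null
                ? requestSignerFactory
                : new DefaultRequestSignerFactory(SigningStrategy.STANDARD);
        this.requestSigner = signerFactory.createRequestSigner((Service) null, abstractAuthenticationDetailsProvider);
        this.kubeConfig = kubeConfigLoader.getKubeConfig();
    }

    /**
     * Returns the current token, refreshing the cached credential first when needed.
     *
     * @return the token, or {@code null} when no credential has been loaded (kubeconfig
     *         does not describe the expected exec command, or the first load failed)
     * @throws IllegalStateException when the exec command matches but has no {@code --cluster-id}
     */
    public String getToken() {
        setExecCredential();
        // Single volatile read so the null check and the dereference see the same object.
        ExecCredential current = this.execCredential;
        return current == null ? null : current.status().token();
    }

    /**
     * @return the fixed ordering value of this loader
     */
    public int getOrder() {
        return ORDER;
    }

    /**
     * Refreshes the cached credential when the kubeconfig matches and the cache is empty or
     * close to expiry. A failed load is logged and leaves the previous credential in place.
     */
    private void setExecCredential() {
        if (this.kubeConfig == null || this.kubeConfig.getUser() == null) {
            return;
        }
        // Parsing happens outside the try block below, so a missing --cluster-id
        // (IllegalStateException) propagates to the caller instead of being logged.
        ParsedExecCommand parsed = parseCommand(this.kubeConfig.getUser().exec());
        if (parsed == null || !shouldLoadCredential()) {
            return;
        }
        synchronized (this) {
            // Re-check under the lock: another thread may have refreshed in the meantime.
            if (!shouldLoadCredential()) {
                return;
            }
            try {
                this.execCredential = loadCredential(parsed);
            } catch (Exception e) {
                // Deliberate best effort: keep serving the old credential rather than fail.
                LOG.error("Failed to load exec credential", e);
            }
        }
    }

    /**
     * Extracts the cluster id and region from the kubeconfig exec entry.
     *
     * @param execConfig exec entry of the kubeconfig user, may be {@code null}
     * @return the parsed values, or {@code null} when the entry is absent, names another
     *         command, or does not start with the expected arguments
     * @throws IllegalStateException when the command matches but no {@code --cluster-id} value is present
     */
    private ParsedExecCommand parseCommand(ExecConfig execConfig) {
        if (execConfig == null || !EXPECTED_COMMAND.equals(execConfig.command())) {
            return null;
        }
        List<?> args = execConfig.args();
        // An absent or too-short argument list is "not our command", not a crash in getToken().
        if (args == null || args.size() < EXPECTED_ARGS.length) {
            return null;
        }
        for (int i = 0; i < EXPECTED_ARGS.length; i++) {
            if (!EXPECTED_ARGS[i].equals(args.get(i))) {
                return null;
            }
        }
        String clusterId = null;
        String region = null;
        // The loop bound stops one short of the end, so a flag always has a value after it.
        int index = EXPECTED_ARGS.length;
        while (index < args.size() - 1) {
            Object flag = args.get(index);
            // else-if: a consumed value is never re-read as a flag, which previously could
            // step past the end of the list when the value itself looked like "--region".
            if (CLUSTER_ID_ARG.equals(flag)) {
                index++;
                clusterId = (String) args.get(index);
            } else if (REGION_ARG.equals(flag)) {
                index++;
                region = (String) args.get(index);
            }
            index++;
        }
        if (clusterId == null) {
            throw new IllegalStateException("Cluster ID is required, but was not found in the kubeconfig exec command");
        }
        return new ParsedExecCommand(region, clusterId);
    }

    /**
     * Decides whether a (re)load is due.
     *
     * @return {@code true} when nothing is cached or the cached credential expires within
     *         {@link #BUFFER}; {@code false} when the cached credential has no expiration
     */
    private boolean shouldLoadCredential() {
        ExecCredential current = this.execCredential;
        if (current == null) {
            return true;
        }
        ZonedDateTime expirationTimestamp = current.status().expirationTimestamp();
        if (expirationTimestamp == null) {
            return false;
        }
        ZonedDateTime now = ZonedDateTime.now(ZoneId.of("UTC"));
        LOG.debug("Check whether credential loading needed, now={}, buffer={}, expiration={}", now, BUFFER, expirationTimestamp);
        // isBefore compares instants, so the zone of the stored expiration does not matter.
        return expirationTimestamp.isBefore(now.plusSeconds(BUFFER.toSeconds()));
    }

    /**
     * Builds a fresh credential by signing the cluster-request URL and encoding it as the token.
     *
     * @param parsedExecCommand parsed kubeconfig values; only the cluster id is used here
     * @return a credential whose expiration is set four minutes from the local clock
     */
    private ExecCredential loadCredential(ParsedExecCommand parsedExecCommand) {
        LOG.debug("Creating OKE kubernetes client credential");
        // NOTE(review): clusterId comes from the kubeconfig and is formatted into the path
        // unescaped before signing. A value containing '/', '?' or '#' would change which URL
        // is signed; consider validating it against the expected cluster OCID shape here.
        URI tokenUri = URI.create(String.format(TOKEN_URL_FORMAT, this.containerEngineEndpoint, parsedExecCommand.clusterId()));
        Map<String, String> signedHeaders = this.requestSigner.signRequest(tokenUri, "GET", Collections.emptyMap(), (Object) null);
        // The signature headers travel as query parameters of the URL that becomes the token.
        UriBuilder signedUrl = UriBuilder.of(tokenUri)
                .queryParam(AUTHORIZATION_HEADER, new Object[]{signedHeaders.get(AUTHORIZATION_HEADER)})
                .queryParam(DATE_HEADER, new Object[]{signedHeaders.get(DATE_HEADER)});
        if (signedHeaders.containsKey(DELEGATION_TOKEN_HEADER)) {
            signedUrl.queryParam(DELEGATION_TOKEN_HEADER, new Object[]{signedHeaders.get(DELEGATION_TOKEN_HEADER)});
        }
        // The four-minute lifetime is set locally, not read from any response;
        // presumably chosen to stay inside the server-side validity window -- confirm.
        ExecCredentialStatus status = new ExecCredentialStatus(base64Encode(signedUrl.toString()), (byte[]) null, (byte[]) null, ZonedDateTime.now().plusMinutes(4L));
        return new ExecCredential(EXEC_CREDENTIAL_API_VERSION, EXEC_CREDENTIAL_KIND, status);
    }

    /**
     * Encodes text as padded URL-safe base64 over its UTF-8 bytes.
     *
     * @param str text to encode
     * @return the URL-safe base64 form
     */
    private String base64Encode(String str) {
        return Base64.getUrlEncoder().encodeToString(str.getBytes(StandardCharsets.UTF_8));
    }
}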
