package org.apache.iceberg.rest.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Pattern;
import org.apache.iceberg.TableProperties;
import org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
import org.apache.iceberg.relocated.com.google.common.base.Joiner;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.base.Splitter;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableSet;
import org.apache.iceberg.relocated.com.google.common.collect.Sets;
import org.apache.iceberg.rest.ErrorHandlers;
import org.apache.iceberg.rest.RESTClient;
import org.apache.iceberg.rest.RESTUtil;
import org.apache.iceberg.rest.ResourcePaths;
import org.apache.iceberg.rest.responses.OAuthTokenResponse;
import org.apache.iceberg.shaded.com.fasterxml.jackson.core.JsonGenerator;
import org.apache.iceberg.shaded.com.fasterxml.jackson.databind.JsonNode;
import org.apache.iceberg.util.JsonUtil;
import org.apache.iceberg.util.Pair;
import org.apache.iceberg.util.Tasks;
import org.projectnessie.client.auth.oauth2.JwtToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iceberg/rest/auth/OAuth2Util.class */
public class OAuth2Util {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_PREFIX = "Bearer ";
    private static final String BASIC_PREFIX = "Basic ";
    private static final String GRANT_TYPE = "grant_type";
    private static final String CLIENT_CREDENTIALS = "client_credentials";
    private static final String TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
    private static final String SCOPE = "scope";
    private static final String CLIENT_ID = "client_id";
    private static final String CLIENT_SECRET = "client_secret";
    private static final String SUBJECT_TOKEN = "subject_token";
    private static final String SUBJECT_TOKEN_TYPE = "subject_token_type";
    private static final String ACTOR_TOKEN = "actor_token";
    private static final String ACTOR_TOKEN_TYPE = "actor_token_type";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String TOKEN_TYPE = "token_type";
    private static final String EXPIRES_IN = "expires_in";
    private static final String ISSUED_TOKEN_TYPE = "issued_token_type";
    private static final Logger LOG = LoggerFactory.getLogger(OAuth2Util.class);
    private static final Pattern VALID_SCOPE_TOKEN = Pattern.compile("^[!-~&&[^\"\\\\]]+$");
    private static final Splitter SCOPE_DELIMITER = Splitter.on(" ");
    private static final Joiner SCOPE_JOINER = Joiner.on(" ");
    private static final Splitter CREDENTIAL_SPLITTER = Splitter.on(":").limit(2).trimResults();
    private static final Set<String> VALID_TOKEN_TYPES = Sets.newHashSet(OAuth2Properties.ACCESS_TOKEN_TYPE, OAuth2Properties.REFRESH_TOKEN_TYPE, OAuth2Properties.ID_TOKEN_TYPE, OAuth2Properties.SAML1_TOKEN_TYPE, OAuth2Properties.SAML2_TOKEN_TYPE, OAuth2Properties.JWT_TOKEN_TYPE);

    /* loaded from: input_file:org/apache/iceberg/rest/auth/OAuth2Util$AuthSession.class */
    public static class AuthSession {
        private static int tokenRefreshNumRetries = 5;
        private static final long MAX_REFRESH_WINDOW_MILLIS = 300000;
        private static final long MIN_REFRESH_WAIT_MILLIS = 10;
        private volatile Map<String, String> headers;
        private volatile AuthConfig config;

        public AuthSession(Map<String, String> map, AuthConfig authConfig) {
            this.headers = RESTUtil.merge(map, OAuth2Util.authHeaders(authConfig.token()));
            this.config = authConfig;
        }

        public Map<String, String> headers() {
            return this.headers;
        }

        public String token() {
            return this.config.token();
        }

        public String tokenType() {
            return this.config.tokenType();
        }

        public Long expiresAtMillis() {
            return this.config.expiresAtMillis();
        }

        public String scope() {
            return this.config.scope();
        }

        public synchronized void stopRefreshing() {
            this.config = ImmutableAuthConfig.copyOf(this.config).withKeepRefreshed(false);
        }

        public String credential() {
            return this.config.credential();
        }

        public String oauth2ServerUri() {
            return this.config.oauth2ServerUri();
        }

        public Map<String, String> optionalOAuthParams() {
            return this.config.optionalOAuthParams();
        }

        public AuthConfig config() {
            return this.config;
        }

        @VisibleForTesting
        static void setTokenRefreshNumRetries(int i) {
            tokenRefreshNumRetries = i;
        }

        public static AuthSession empty() {
            return new AuthSession(ImmutableMap.of(), AuthConfig.builder().build());
        }

        public Pair<Integer, TimeUnit> refresh(RESTClient rESTClient) {
            if (token() == null || !this.config.keepRefreshed()) {
                return null;
            }
            AtomicReference atomicReference = new AtomicReference(null);
            if (!Tasks.foreach(atomicReference).suppressFailureWhenFinished().retry(tokenRefreshNumRetries).onFailure((atomicReference2, exc) -> {
                atomicReference2.set(refreshExpiredToken(rESTClient));
                if (atomicReference2.get() == null) {
                    OAuth2Util.LOG.warn("Failed to refresh token", exc);
                }
            }).exponentialBackoff(100L, TableProperties.COMMIT_STATUS_CHECKS_MAX_WAIT_MS_DEFAULT, TableProperties.COMMIT_STATUS_CHECKS_TOTAL_WAIT_MS_DEFAULT, 2.0d).run(atomicReference3 -> {
                atomicReference3.set(refreshCurrentToken(rESTClient));
            }) || atomicReference.get() == null) {
                return null;
            }
            OAuthTokenResponse oAuthTokenResponse = (OAuthTokenResponse) atomicReference.get();
            this.config = AuthConfig.builder().from(config()).token(oAuthTokenResponse.token()).tokenType(oAuthTokenResponse.issuedTokenType()).build();
            this.headers = RESTUtil.merge(this.headers, OAuth2Util.authHeaders(this.config.token()));
            if (oAuthTokenResponse.expiresInSeconds() != null) {
                return Pair.of(oAuthTokenResponse.expiresInSeconds(), TimeUnit.SECONDS);
            }
            return null;
        }

        private OAuthTokenResponse refreshCurrentToken(RESTClient rESTClient) {
            return (null == expiresAtMillis() || expiresAtMillis().longValue() > System.currentTimeMillis()) ? OAuth2Util.refreshToken(rESTClient, headers(), token(), tokenType(), scope(), oauth2ServerUri(), optionalOAuthParams()) : refreshExpiredToken(rESTClient);
        }

        private OAuthTokenResponse refreshExpiredToken(RESTClient rESTClient) {
            if (credential() != null) {
                return OAuth2Util.refreshToken(rESTClient, RESTUtil.merge(headers(), OAuth2Util.basicAuthHeaders(credential())), token(), tokenType(), scope(), oauth2ServerUri(), optionalOAuthParams());
            }
            return null;
        }

        private static void scheduleTokenRefresh(RESTClient rESTClient, ScheduledExecutorService scheduledExecutorService, AuthSession authSession, long j) {
            long currentTimeMillis = j - System.currentTimeMillis();
            scheduledExecutorService.schedule(() -> {
                long currentTimeMillis2 = System.currentTimeMillis();
                Pair<Integer, TimeUnit> refresh = authSession.refresh(rESTClient);
                if (refresh != null) {
                    scheduleTokenRefresh(rESTClient, scheduledExecutorService, authSession, currentTimeMillis2 + refresh.second().toMillis(refresh.first().intValue()));
                }
            }, Math.max(currentTimeMillis - Math.min(currentTimeMillis / MIN_REFRESH_WAIT_MILLIS, MAX_REFRESH_WINDOW_MILLIS), MIN_REFRESH_WAIT_MILLIS), TimeUnit.MILLISECONDS);
        }

        public static AuthSession fromAccessToken(RESTClient rESTClient, ScheduledExecutorService scheduledExecutorService, String str, Long l, AuthSession authSession) {
            AuthSession authSession2 = new AuthSession(authSession.headers(), AuthConfig.builder().from(authSession.config()).token(str).tokenType(OAuth2Properties.ACCESS_TOKEN_TYPE).build());
            long currentTimeMillis = System.currentTimeMillis();
            Long expiresAtMillis = authSession2.expiresAtMillis();
            if (null != expiresAtMillis && expiresAtMillis.longValue() <= currentTimeMillis) {
                Pair<Integer, TimeUnit> refresh = authSession2.refresh(rESTClient);
                expiresAtMillis = refresh != null ? null != authSession2.expiresAtMillis() ? authSession2.expiresAtMillis() : Long.valueOf(currentTimeMillis + refresh.second().toMillis(refresh.first().intValue())) : null;
            } else if (null == expiresAtMillis && l != null) {
                expiresAtMillis = l;
            }
            if (null != scheduledExecutorService && null != expiresAtMillis) {
                scheduleTokenRefresh(rESTClient, scheduledExecutorService, authSession2, expiresAtMillis.longValue());
            }
            return authSession2;
        }

        public static AuthSession fromCredential(RESTClient rESTClient, ScheduledExecutorService scheduledExecutorService, String str, AuthSession authSession) {
            return fromTokenResponse(rESTClient, scheduledExecutorService, OAuth2Util.fetchToken(rESTClient, authSession.headers(), str, authSession.scope(), authSession.oauth2ServerUri(), authSession.optionalOAuthParams()), System.currentTimeMillis(), authSession, str);
        }

        public static AuthSession fromTokenResponse(RESTClient rESTClient, ScheduledExecutorService scheduledExecutorService, OAuthTokenResponse oAuthTokenResponse, long j, AuthSession authSession) {
            return fromTokenResponse(rESTClient, scheduledExecutorService, oAuthTokenResponse, j, authSession, authSession.credential());
        }

        private static AuthSession fromTokenResponse(RESTClient rESTClient, ScheduledExecutorService scheduledExecutorService, OAuthTokenResponse oAuthTokenResponse, long j, AuthSession authSession, String str) {
            String issuedTokenType = oAuthTokenResponse.issuedTokenType();
            if (issuedTokenType == null) {
                issuedTokenType = OAuth2Properties.ACCESS_TOKEN_TYPE;
            }
            AuthSession authSession2 = new AuthSession(authSession.headers(), AuthConfig.builder().from(authSession.config()).token(oAuthTokenResponse.token()).tokenType(issuedTokenType).credential(str).build());
            Long expiresAtMillis = authSession2.expiresAtMillis();
            if (null == expiresAtMillis && oAuthTokenResponse.expiresInSeconds() != null) {
                expiresAtMillis = Long.valueOf(j + TimeUnit.SECONDS.toMillis(oAuthTokenResponse.expiresInSeconds().intValue()));
            }
            if (null != scheduledExecutorService && null != expiresAtMillis) {
                scheduleTokenRefresh(rESTClient, scheduledExecutorService, authSession2, expiresAtMillis.longValue());
            }
            return authSession2;
        }

        public static AuthSession fromTokenExchange(RESTClient rESTClient, ScheduledExecutorService scheduledExecutorService, String str, String str2, AuthSession authSession) {
            return fromTokenResponse(rESTClient, scheduledExecutorService, OAuth2Util.exchangeToken(rESTClient, authSession.headers(), str, str2, authSession.token(), authSession.tokenType(), authSession.scope(), authSession.oauth2ServerUri(), authSession.optionalOAuthParams()), System.currentTimeMillis(), authSession);
        }
    }

    private OAuth2Util() {
    }

    public static Map<String, String> authHeaders(String str) {
        return str != null ? ImmutableMap.of("Authorization", "Bearer " + str) : ImmutableMap.of();
    }

    public static Map<String, String> basicAuthHeaders(String str) {
        return str != null ? ImmutableMap.of("Authorization", "Basic " + Base64.getEncoder().encodeToString(str.getBytes(StandardCharsets.UTF_8))) : ImmutableMap.of();
    }

    public static boolean isValidScopeToken(String str) {
        return VALID_SCOPE_TOKEN.matcher(str).matches();
    }

    public static List<String> parseScope(String str) {
        return SCOPE_DELIMITER.splitToList(str);
    }

    public static String toScope(Iterable<String> iterable) {
        return SCOPE_JOINER.join(iterable);
    }

    public static Map<String, String> buildOptionalParam(Map<String, String> map) {
        ImmutableSet<String> of = ImmutableSet.of(OAuth2Properties.AUDIENCE, OAuth2Properties.RESOURCE);
        ImmutableMap.Builder builder = ImmutableMap.builder();
        builder.put("scope", map.getOrDefault("scope", OAuth2Properties.CATALOG_SCOPE));
        for (String str : of) {
            String str2 = map.get(str);
            if (str2 != null) {
                builder.put(str, str2);
            }
        }
        return builder.buildKeepingLast();
    }

    private static OAuthTokenResponse refreshToken(RESTClient rESTClient, Map<String, String> map, String str, String str2, String str3, String str4, Map<String, String> map2) {
        OAuthTokenResponse oAuthTokenResponse = (OAuthTokenResponse) rESTClient.postForm(str4, tokenExchangeRequest(str, str2, str3 != null ? ImmutableList.of(str3) : ImmutableList.of(), map2), OAuthTokenResponse.class, map, ErrorHandlers.oauthErrorHandler());
        oAuthTokenResponse.validate();
        return oAuthTokenResponse;
    }

    public static OAuthTokenResponse exchangeToken(RESTClient rESTClient, Map<String, String> map, String str, String str2, String str3, String str4, String str5, String str6, Map<String, String> map2) {
        OAuthTokenResponse oAuthTokenResponse = (OAuthTokenResponse) rESTClient.postForm(str6, tokenExchangeRequest(str, str2, str3, str4, str5 != null ? ImmutableList.of(str5) : ImmutableList.of(), map2), OAuthTokenResponse.class, map, ErrorHandlers.oauthErrorHandler());
        oAuthTokenResponse.validate();
        return oAuthTokenResponse;
    }

    public static OAuthTokenResponse exchangeToken(RESTClient rESTClient, Map<String, String> map, String str, String str2, String str3, String str4, String str5) {
        return exchangeToken(rESTClient, map, str, str2, str3, str4, str5, ResourcePaths.tokens(), ImmutableMap.of());
    }

    public static OAuthTokenResponse exchangeToken(RESTClient rESTClient, Map<String, String> map, String str, String str2, String str3, String str4, String str5, String str6) {
        return exchangeToken(rESTClient, map, str, str2, str3, str4, str5, str6, ImmutableMap.of());
    }

    public static OAuthTokenResponse fetchToken(RESTClient rESTClient, Map<String, String> map, String str, String str2, String str3, Map<String, String> map2) {
        OAuthTokenResponse oAuthTokenResponse = (OAuthTokenResponse) rESTClient.postForm(str3, clientCredentialsRequest(str, str2 != null ? ImmutableList.of(str2) : ImmutableList.of(), map2), OAuthTokenResponse.class, map, ErrorHandlers.oauthErrorHandler());
        oAuthTokenResponse.validate();
        return oAuthTokenResponse;
    }

    public static OAuthTokenResponse fetchToken(RESTClient rESTClient, Map<String, String> map, String str, String str2) {
        return fetchToken(rESTClient, map, str, str2, ResourcePaths.tokens(), ImmutableMap.of());
    }

    public static OAuthTokenResponse fetchToken(RESTClient rESTClient, Map<String, String> map, String str, String str2, String str3) {
        return fetchToken(rESTClient, map, str, str2, str3, ImmutableMap.of());
    }

    private static Map<String, String> tokenExchangeRequest(String str, String str2, List<String> list, Map<String, String> map) {
        return tokenExchangeRequest(str, str2, null, null, list, map);
    }

    private static Map<String, String> tokenExchangeRequest(String str, String str2, String str3, String str4, List<String> list, Map<String, String> map) {
        Preconditions.checkArgument(VALID_TOKEN_TYPES.contains(str2), "Invalid token type: %s", str2);
        Preconditions.checkArgument(str3 == null || VALID_TOKEN_TYPES.contains(str4), "Invalid token type: %s", str4);
        ImmutableMap.Builder builder = ImmutableMap.builder();
        builder.put(GRANT_TYPE, "urn:ietf:params:oauth:grant-type:token-exchange");
        builder.put("scope", toScope(list));
        builder.put(SUBJECT_TOKEN, str);
        builder.put(SUBJECT_TOKEN_TYPE, str2);
        if (str3 != null) {
            builder.put(ACTOR_TOKEN, str3);
            builder.put(ACTOR_TOKEN_TYPE, str4);
        }
        builder.putAll(map);
        return builder.buildKeepingLast();
    }

    private static Pair<String, String> parseCredential(String str) {
        Preconditions.checkNotNull(str, "Invalid credential: null");
        List<String> splitToList = CREDENTIAL_SPLITTER.splitToList(str);
        switch (splitToList.size()) {
            case 1:
                return Pair.of(null, splitToList.get(0));
            case 2:
                return Pair.of(splitToList.get(0), splitToList.get(1));
            default:
                throw new IllegalArgumentException("Invalid credential: " + str);
        }
    }

    private static Map<String, String> clientCredentialsRequest(String str, List<String> list, Map<String, String> map) {
        Pair<String, String> parseCredential = parseCredential(str);
        return clientCredentialsRequest(parseCredential.first(), parseCredential.second(), list, map);
    }

    private static Map<String, String> clientCredentialsRequest(String str, String str2, List<String> list, Map<String, String> map) {
        ImmutableMap.Builder builder = ImmutableMap.builder();
        builder.put(GRANT_TYPE, "client_credentials");
        if (str != null) {
            builder.put(CLIENT_ID, str);
        }
        builder.put(CLIENT_SECRET, str2);
        builder.put("scope", toScope(list));
        builder.putAll(map);
        return builder.buildKeepingLast();
    }

    public static String tokenResponseToJson(OAuthTokenResponse oAuthTokenResponse) {
        return JsonUtil.generate(jsonGenerator -> {
            tokenResponseToJson(oAuthTokenResponse, jsonGenerator);
        }, false);
    }

    public static void tokenResponseToJson(OAuthTokenResponse oAuthTokenResponse, JsonGenerator jsonGenerator) throws IOException {
        oAuthTokenResponse.validate();
        jsonGenerator.writeStartObject();
        jsonGenerator.writeStringField(ACCESS_TOKEN, oAuthTokenResponse.token());
        jsonGenerator.writeStringField(TOKEN_TYPE, oAuthTokenResponse.tokenType());
        if (oAuthTokenResponse.issuedTokenType() != null) {
            jsonGenerator.writeStringField(ISSUED_TOKEN_TYPE, oAuthTokenResponse.issuedTokenType());
        }
        if (oAuthTokenResponse.expiresInSeconds() != null) {
            jsonGenerator.writeNumberField(EXPIRES_IN, oAuthTokenResponse.expiresInSeconds().intValue());
        }
        if (oAuthTokenResponse.scopes() != null && !oAuthTokenResponse.scopes().isEmpty()) {
            jsonGenerator.writeStringField("scope", toScope(oAuthTokenResponse.scopes()));
        }
        jsonGenerator.writeEndObject();
    }

    public static OAuthTokenResponse tokenResponseFromJson(String str) {
        return (OAuthTokenResponse) JsonUtil.parse(str, OAuth2Util::tokenResponseFromJson);
    }

    public static OAuthTokenResponse tokenResponseFromJson(JsonNode jsonNode) {
        Preconditions.checkArgument(jsonNode.isObject(), "Cannot parse token response from non-object: %s", jsonNode);
        OAuthTokenResponse.Builder withIssuedTokenType = OAuthTokenResponse.builder().withToken(JsonUtil.getString(ACCESS_TOKEN, jsonNode)).withTokenType(JsonUtil.getString(TOKEN_TYPE, jsonNode)).withIssuedTokenType(JsonUtil.getStringOrNull(ISSUED_TOKEN_TYPE, jsonNode));
        if (jsonNode.has(EXPIRES_IN)) {
            withIssuedTokenType.setExpirationInSeconds(JsonUtil.getInt(EXPIRES_IN, jsonNode));
        }
        if (jsonNode.has("scope")) {
            withIssuedTokenType.addScopes(parseScope(JsonUtil.getString("scope", jsonNode)));
        }
        return withIssuedTokenType.build();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Long expiresAtMillis(String str) {
        if (null == str) {
            return null;
        }
        List<String> splitToList = Splitter.on('.').splitToList(str);
        if (splitToList.size() != 3) {
            return null;
        }
        try {
            Long longOrNull = JsonUtil.getLongOrNull(JwtToken.EXP_CLAIM, JsonUtil.mapper().readTree(Base64.getUrlDecoder().decode(splitToList.get(1))));
            if (longOrNull != null) {
                return Long.valueOf(TimeUnit.SECONDS.toMillis(longOrNull.longValue()));
            }
            return null;
        } catch (IOException e) {
            return null;
        }
    }
}
