package org.apache.iceberg.rest.auth;

import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.catalog.SessionCatalog;
import org.apache.iceberg.catalog.TableIdentifier;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
import org.apache.iceberg.relocated.com.google.common.collect.ImmutableSet;
import org.apache.iceberg.relocated.com.google.common.collect.Maps;
import org.apache.iceberg.rest.RESTClient;
import org.apache.iceberg.rest.RESTUtil;
import org.apache.iceberg.rest.ResourcePaths;
import org.apache.iceberg.rest.auth.OAuth2Util;
import org.apache.iceberg.rest.responses.OAuthTokenResponse;
import org.apache.iceberg.util.PropertyUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iceberg/rest/auth/OAuth2Manager.class */
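/**
 * Auth manager that builds {@link OAuth2Util.AuthSession}s from catalog, context and table
 * properties, and caches child sessions in an {@link AuthSessionCache}.
 *
 * <p>Lifecycle as visible in this class: {@link #initSession} may fetch a token and remembers the
 * response; {@link #catalogSession} stores the client, creates the session cache and reuses the
 * remembered response if there is one; {@link #close} releases the cache.
 *
 * <p>NOTE(review): {@code client}, {@code startTimeMillis}, {@code authResponse} and {@code
 * sessionCache} are plain mutable fields with no synchronization in this class; confirm callers
 * do not invoke the session methods concurrently with {@code catalogSession} or {@code close}.
 */
public class OAuth2Manager extends RefreshingAuthManager {
    private static final Logger LOG = LoggerFactory.getLogger(OAuth2Manager.class);

    /** Token-type property keys, in the order they are tried for a token exchange. */
    private static final List<String> TOKEN_PREFERENCE_ORDER = ImmutableList.of(OAuth2Properties.ID_TOKEN_TYPE, OAuth2Properties.ACCESS_TOKEN_TYPE, OAuth2Properties.JWT_TOKEN_TYPE, OAuth2Properties.SAML2_TOKEN_TYPE, OAuth2Properties.SAML1_TOKEN_TYPE);

    /**
     * The only property keys a table configuration may use to open a table-scoped session.
     *
     * <p>{@code OAuth2Properties.CREDENTIAL} is deliberately absent from this set as written: a
     * table configuration can hand over a token, but it cannot make the client start a
     * credential-based flow. Adding a key here widens what table properties can trigger.
     */
    private static final Set<String> TABLE_SESSION_ALLOW_LIST = ImmutableSet.<String>builder().add(OAuth2Properties.TOKEN).addAll(TOKEN_PREFERENCE_ORDER).build();

    private final String name;
    private RESTClient client;
    private long startTimeMillis;
    private OAuthTokenResponse authResponse;
    private AuthSessionCache sessionCache;

    /**
     * Creates a manager.
     *
     * @param str manager name; also used, with a {@code "-token-refresh"} suffix, as the name
     *     passed to the parent {@link RefreshingAuthManager}
     */
    public OAuth2Manager(String str) {
        super(str + "-token-refresh");
        this.name = str;
    }

    /**
     * Builds the session used before the catalog session exists.
     *
     * <p>When a non-empty credential is configured, a token is fetched and the response and its
     * start time are kept so that {@link #catalogSession} can reuse them instead of fetching
     * again. No refresh executor is passed here ({@code null}), so the returned session is not
     * scheduled for refresh by this method.
     *
     * @param rESTClient client used for the token request
     * @param map catalog properties
     * @return a session built from the fetched token, from the configured token, or from the bare
     *     configuration when neither credential nor token is set
     */
    @Override // org.apache.iceberg.rest.auth.AuthManager
    public OAuth2Util.AuthSession initSession(RESTClient rESTClient, Map<String, String> map) {
        warnIfDeprecatedTokenEndpointUsed(map);
        AuthConfig config = AuthConfig.fromProperties(map);
        Map<String, String> headers = OAuth2Util.authHeaders(config.token());
        OAuth2Util.AuthSession parent = new OAuth2Util.AuthSession(headers, config);

        String credential = config.credential();
        if (credential == null || credential.isEmpty()) {
            if (config.token() == null) {
                return parent;
            }
            return OAuth2Util.AuthSession.fromAccessToken(rESTClient, null, config.token(), null, parent);
        }

        this.startTimeMillis = System.currentTimeMillis();
        this.authResponse = OAuth2Util.fetchToken(rESTClient, headers, credential, config.scope(), config.oauth2ServerUri(), config.optionalOAuthParams());
        return OAuth2Util.AuthSession.fromTokenResponse(rESTClient, null, this.authResponse, this.startTimeMillis, parent);
    }

    /**
     * Builds the long-lived catalog session and prepares the child-session cache.
     *
     * <p>A token response remembered by {@link #initSession} takes precedence over the credential
     * and token found in {@code map}.
     *
     * @param rESTClient client stored on this manager and used for later child sessions
     * @param map catalog properties
     * @return the catalog session, created with this manager's refresh executor
     */
    @Override // org.apache.iceberg.rest.auth.AuthManager
    public OAuth2Util.AuthSession catalogSession(RESTClient rESTClient, Map<String, String> map) {
        this.client = rESTClient;
        this.sessionCache = newSessionCache(this.name, map);
        AuthConfig config = AuthConfig.fromProperties(map);
        Map<String, String> headers = OAuth2Util.authHeaders(config.token());
        OAuth2Util.AuthSession parent = new OAuth2Util.AuthSession(headers, config);
        keepRefreshed(config.keepRefreshed());

        if (this.authResponse != null) {
            return OAuth2Util.AuthSession.fromTokenResponse(this.client, refreshExecutor(), this.authResponse, this.startTimeMillis, parent);
        }

        String credential = config.credential();
        if (credential == null || credential.isEmpty()) {
            if (config.token() == null) {
                return parent;
            }
            return OAuth2Util.AuthSession.fromAccessToken(this.client, refreshExecutor(), config.token(), config.expiresAtMillis(), parent);
        }

        OAuthTokenResponse response = OAuth2Util.fetchToken(rESTClient, headers, credential, config.scope(), config.oauth2ServerUri(), config.optionalOAuthParams());
        return OAuth2Util.AuthSession.fromTokenResponse(rESTClient, refreshExecutor(), response, System.currentTimeMillis(), parent);
    }

    /**
     * Returns a session for a session context, cached under the context's session id.
     *
     * <p>The cache key is {@code sessionContext.sessionId()} whatever credential key matched, so
     * two contexts that report the same id share one cached session.
     *
     * @param sessionContext supplies credentials, properties and the session id
     * @param authSession parent session; must be an {@link OAuth2Util.AuthSession}, otherwise the
     *     cast below throws {@link ClassCastException}
     * @return a child session, or the parent when the context carries no usable credentials
     */
    @Override // org.apache.iceberg.rest.auth.AuthManager
    public OAuth2Util.AuthSession contextualSession(SessionCatalog.SessionContext sessionContext, AuthSession authSession) {
        return maybeCreateChildSession(sessionContext.credentials(), sessionContext.properties(), ignored -> sessionContext.sessionId(), (OAuth2Util.AuthSession) authSession);
    }

    /**
     * Returns a session for a table, using only allow-listed keys of the table properties.
     *
     * <p>Fixes the decompiler output, which referred to undefined names ({@code r2}, {@code r3})
     * in place of the two method references.
     *
     * <p>The cache key here is {@code map.get(matchedKey)}, i.e. the token string itself, so the
     * secret is also used as the cache key. {@link AuthSessionCache} is not shown in this file;
     * confirm it does not log or otherwise expose its keys.
     *
     * @param tableIdentifier table the session is for (not used by this implementation)
     * @param map table properties; only keys in {@code TABLE_SESSION_ALLOW_LIST} are treated as
     *     credentials
     * @param authSession parent session; must be an {@link OAuth2Util.AuthSession}
     * @return a child session, or the parent when no allow-listed key is present
     */
    @Override // org.apache.iceberg.rest.auth.AuthManager
    public OAuth2Util.AuthSession tableSession(TableIdentifier tableIdentifier, Map<String, String> map, AuthSession authSession) {
        // Filtering first means a "credential" entry in table properties never reaches the
        // credential branch of maybeCreateChildSession.
        Map<String, String> allowedCredentials = Maps.filterKeys(map, TABLE_SESSION_ALLOW_LIST::contains);
        return maybeCreateChildSession(allowedCredentials, map, map::get, (OAuth2Util.AuthSession) authSession);
    }

    /** Closes the parent manager first, then detaches and closes the session cache if present. */
    @Override // org.apache.iceberg.rest.auth.RefreshingAuthManager, org.apache.iceberg.rest.auth.AuthManager, java.lang.AutoCloseable
    public void close() {
        try {
            super.close();
        } finally {
            // Clear the field before closing so a second close() does not close the cache twice.
            AuthSessionCache cache = this.sessionCache;
            this.sessionCache = null;
            if (cache != null) {
                cache.close();
            }
        }
    }

    /**
     * Creates the cache that holds child sessions.
     *
     * @param str cache name
     * @param map catalog properties, read for the session timeout
     * @return a new cache with the configured timeout
     */
    protected AuthSessionCache newSessionCache(String str, Map<String, String> map) {
        return new AuthSessionCache(str, sessionTimeout(map));
    }

    /**
     * Creates or looks up a child session from the first credential found, in this order: token,
     * credential, then each token type in {@code TOKEN_PREFERENCE_ORDER}.
     *
     * <p>Dereferences {@code sessionCache}, which is assigned only in {@link #catalogSession} and
     * cleared in {@link #close}; with credentials present, a call outside that window throws
     * {@link NullPointerException}.
     *
     * @param map credentials to inspect; may be {@code null}
     * @param map2 properties, read for the token expiry when a token is used
     * @param function maps the matched credential key to the cache key
     * @param authSession parent session, returned unchanged when nothing matches
     * @return the cached or newly created child session, or {@code authSession}
     */
    protected OAuth2Util.AuthSession maybeCreateChildSession(Map<String, String> map, Map<String, String> map2, Function<String, String> function, OAuth2Util.AuthSession authSession) {
        if (map == null) {
            return authSession;
        }

        if (map.containsKey(OAuth2Properties.TOKEN)) {
            String token = map.get(OAuth2Properties.TOKEN);
            return (OAuth2Util.AuthSession) this.sessionCache.cachedSession(function.apply(OAuth2Properties.TOKEN), key -> newSessionFromAccessToken(token, map2, authSession));
        }

        if (map.containsKey(OAuth2Properties.CREDENTIAL)) {
            String credential = map.get(OAuth2Properties.CREDENTIAL);
            return (OAuth2Util.AuthSession) this.sessionCache.cachedSession(function.apply(OAuth2Properties.CREDENTIAL), key -> newSessionFromCredential(credential, authSession));
        }

        for (String tokenType : TOKEN_PREFERENCE_ORDER) {
            if (map.containsKey(tokenType)) {
                String subjectToken = map.get(tokenType);
                return (OAuth2Util.AuthSession) this.sessionCache.cachedSession(function.apply(tokenType), key -> newSessionFromTokenExchange(subjectToken, tokenType, authSession));
            }
        }

        return authSession;
    }

    /**
     * Builds a child session from an access token.
     *
     * @param str the access token
     * @param map properties, read for the token's expiry time
     * @param authSession parent session
     * @return the new child session
     */
    protected OAuth2Util.AuthSession newSessionFromAccessToken(String str, Map<String, String> map, OAuth2Util.AuthSession authSession) {
        Long expiresAtMillis = AuthConfig.fromProperties(map).expiresAtMillis();
        return OAuth2Util.AuthSession.fromAccessToken(this.client, refreshExecutor(), str, expiresAtMillis, authSession);
    }

    /**
     * Builds a child session from a credential.
     *
     * @param str the credential
     * @param authSession parent session
     * @return the new child session
     */
    protected OAuth2Util.AuthSession newSessionFromCredential(String str, OAuth2Util.AuthSession authSession) {
        return OAuth2Util.AuthSession.fromCredential(this.client, refreshExecutor(), str, authSession);
    }

    /**
     * Builds a child session through a token exchange.
     *
     * @param str the token to exchange
     * @param str2 the token type key under which {@code str} was found
     * @param authSession parent session
     * @return the new child session
     */
    protected OAuth2Util.AuthSession newSessionFromTokenExchange(String str, String str2, OAuth2Util.AuthSession authSession) {
        return OAuth2Util.AuthSession.fromTokenExchange(this.client, refreshExecutor(), str, str2, authSession);
    }

    /**
     * Logs a warning when a token or non-empty credential is configured but the OAuth2 endpoint
     * falls back to the catalog's own token path.
     *
     * <p>Only the catalog URI, the token path and a property name are logged; the token and the
     * credential are read for presence only and never written to the log.
     */
    private static void warnIfDeprecatedTokenEndpointUsed(Map<String, String> map) {
        if (!usesDeprecatedTokenEndpoint(map)) {
            return;
        }
        String credential = map.get(OAuth2Properties.CREDENTIAL);
        String token = map.get(OAuth2Properties.TOKEN);
        boolean hasCredential = credential != null && !credential.isEmpty();
        if (token != null || hasCredential) {
            LOG.warn("Iceberg REST client is missing the OAuth2 server URI configuration and defaults to {}/{}. This automatic fallback will be removed in a future Iceberg release.It is recommended to configure the OAuth2 endpoint using the '{}' property to be prepared. This warning will disappear if the OAuth2 endpoint is explicitly configured. See https://github.com/apache/iceberg/issues/10537", RESTUtil.stripTrailingSlash(map.get(CatalogProperties.URI)), ResourcePaths.tokens(), OAuth2Properties.OAUTH2_SERVER_URI);
        }
    }

    /**
     * Reports whether the OAuth2 server URI is unset, relative, or under the catalog URI.
     *
     * <p>This check only drives the warning above; it enforces nothing. {@code startsWith("http")}
     * accepts {@code http://} as well as {@code https://}, so a cleartext endpoint is not flagged
     * here. Whether the scheme is validated elsewhere is not visible in this file.
     *
     * <p>A {@code null} server URI is treated like a missing one, and a missing catalog URI as
     * "not the same host", so this helper no longer throws {@link NullPointerException} on
     * incomplete properties.
     */
    private static boolean usesDeprecatedTokenEndpoint(Map<String, String> map) {
        String serverUri = map.get(OAuth2Properties.OAUTH2_SERVER_URI);
        if (serverUri == null) {
            return true;
        }
        String catalogUri = map.get(CatalogProperties.URI);
        boolean relativePath = !serverUri.startsWith("http");
        boolean underCatalogUri = catalogUri != null && serverUri.startsWith(catalogUri);
        return relativePath || underCatalogUri;
    }

    /** Reads the session timeout from the properties, falling back to the catalog default. */
    private static Duration sessionTimeout(Map<String, String> map) {
        long timeoutMillis = PropertyUtil.propertyAsLong(map, CatalogProperties.AUTH_SESSION_TIMEOUT_MS, CatalogProperties.AUTH_SESSION_TIMEOUT_MS_DEFAULT);
        return Duration.ofMillis(timeoutMillis);
    }

    // The decompiler also emitted the synthetic bridge methods for tableSession, catalogSession
    // and initSession. They have the same erasure as the methods above, so they cannot be
    // declared in source; javac regenerates them for the covariant return types.
}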
