package com.okta.sdk.impl.oauth2;

import com.nimbusds.oauth2.sdk.auth.JWTAuthentication;
import com.okta.commons.http.authc.DisabledAuthenticator;
import com.okta.commons.lang.Assert;
import com.okta.commons.lang.Strings;
import com.okta.sdk.client.AuthenticationScheme;
import com.okta.sdk.client.AuthorizationMode;
import com.okta.sdk.error.ResourceException;
import com.okta.sdk.impl.api.DefaultClientCredentialsResolver;
import com.okta.sdk.impl.config.ClientConfiguration;
import com.okta.sdk.impl.util.ConfigUtil;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.Date;
import java.util.Optional;
import java.util.UUID;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.openapitools.client.ApiClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;

/* loaded from: input_file:WEB-INF/classes/bundles/net.tirasa.connid.bundles.okta-3.0.0-bundle.jar:lib/okta-sdk-impl-10.2.2.jar:com/okta/sdk/impl/oauth2/AccessTokenRetrieverServiceImpl.class */
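/**
 * Obtains an OAuth 2.0 access token from the Okta token endpoint using the
 * client-credentials grant, authenticating the client with a private-key-signed
 * JWT client assertion instead of a client secret.
 *
 * <p>The private key is read from the client configuration either as inline PEM
 * content or as a path to a PEM file; only unencrypted RSA and EC keys are
 * accepted. A successful token response is also installed on the shared
 * {@link ApiClient} so later API calls carry the bearer token.
 */
public class AccessTokenRetrieverServiceImpl implements AccessTokenRetrieverService {
    private static final Logger log = LoggerFactory.getLogger(AccessTokenRetrieverServiceImpl.class);

    /** Token endpoint path appended to the configured base URL; the same value is the JWT audience. */
    private static final String TOKEN_URI = "/oauth2/v1/token";

    /** Lifetime of the signed client assertion, measured from the moment it is built. */
    private static final long ASSERTION_LIFETIME_MINUTES = 50L;

    /** Trimmed-down configuration used only for the token request itself. */
    private final ClientConfiguration tokenClientConfiguration;
    private final ApiClient apiClient;

    /**
     * Creates a retriever bound to the given configuration and HTTP client.
     *
     * @param clientConfiguration source configuration (client id, scopes, private key, base URL, proxy)
     * @param apiClient           client used to call the token endpoint and to receive the resulting token
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public AccessTokenRetrieverServiceImpl(ClientConfiguration clientConfiguration, ApiClient apiClient) {
        Assert.notNull(clientConfiguration, "apiClientConfiguration must not be null.");
        Assert.notNull(apiClient, "apiClient must not be null.");
        this.apiClient = apiClient;
        this.tokenClientConfiguration = constructTokenClientConfig(clientConfiguration);
    }

    /**
     * Requests an access token with a freshly signed client assertion and installs it on the {@link ApiClient}.
     *
     * @return the token response returned by the endpoint
     * @throws IOException                  if the private key cannot be read
     * @throws InvalidKeyException          if the private key is neither RSA nor EC
     * @throws OAuth2HttpException          if the endpoint answered with an error response
     * @throws OAuth2TokenRetrieverException for any other failure while calling the endpoint
     */
    @Override // com.okta.sdk.impl.oauth2.AccessTokenRetrieverService
    public OAuth2AccessToken getOAuth2AccessToken() throws IOException, InvalidKeyException, OAuth2TokenRetrieverException {
        String clientId = this.tokenClientConfiguration.getClientId();
        String tokenUrl = this.tokenClientConfiguration.getBaseUrl() + TOKEN_URI;
        log.debug("Attempting to get OAuth2 access token for client id {} from {}", clientId, tokenUrl);

        // Kept outside the try: key/IO problems surface with their declared exception types
        // rather than being wrapped as OAuth2TokenRetrieverException.
        String signedJwt = createSignedJWT();
        String scope = String.join(" ", this.tokenClientConfiguration.getScopes());
        try {
            LinkedMultiValueMap<String, String> tokenRequestParams = new LinkedMultiValueMap<>();
            tokenRequestParams.add("grant_type", "client_credentials");
            tokenRequestParams.add("client_assertion_type", JWTAuthentication.CLIENT_ASSERTION_TYPE);
            // The assertion is a credential; it is deliberately never logged.
            tokenRequestParams.add("client_assertion", signedJwt);
            tokenRequestParams.add("scope", scope);

            // NOTE(review): the parameters go into the fourth invokeAPI argument while the body is null. If that
            // slot is the query-parameter map, the client assertion travels in the request URL, which proxies and
            // access logs commonly record; RFC 7523 puts client_assertion in the form body. Confirm against
            // ApiClient.invokeAPI's parameter order before relying on this.
            OAuth2AccessToken accessToken = this.apiClient.invokeAPI(TOKEN_URI, HttpMethod.POST, Collections.emptyMap(),
                    tokenRequestParams, null, new HttpHeaders(), new LinkedMultiValueMap<>(), null,
                    Collections.singletonList(MediaType.APPLICATION_JSON), MediaType.APPLICATION_FORM_URLENCODED,
                    new String[]{"oauth2"}, new ParameterizedTypeReference<OAuth2AccessToken>() { // from class: com.okta.sdk.impl.oauth2.AccessTokenRetrieverServiceImpl.1
                    }).getBody();
            if (accessToken == null) {
                // Caught below and reported as a retrieval failure with a meaningful message instead of an NPE.
                throw new IllegalStateException("Token endpoint returned an empty response body");
            }
            log.debug("Got OAuth2 access token for client id {} from {}", clientId, tokenUrl);
            // Hand the bearer token to the shared client so subsequent API calls are authenticated with it.
            this.apiClient.setAccessToken(accessToken.getAccessToken());
            return accessToken;
        } catch (ResourceException e) {
            // The flag is true only for a 401 from the token endpoint; presumably "invalid client" — confirm
            // against OAuth2HttpException.
            throw new OAuth2HttpException(e.getError().getMessage(), e, e.getStatus() == 401);
        } catch (Exception e) {
            throw new OAuth2TokenRetrieverException("Exception while trying to get OAuth2 access token for client id " + clientId, e);
        }
    }

    /**
     * Builds and signs the client-assertion JWT (issuer and subject are the client id,
     * audience is the token endpoint, lifetime is {@value #ASSERTION_LIFETIME_MINUTES} minutes).
     *
     * @return the compact serialized, signed JWT
     * @throws InvalidKeyException if the configured key is neither RSA nor EC
     * @throws IOException         if the key cannot be read
     */
    String createSignedJWT() throws InvalidKeyException, IOException {
        String clientId = this.tokenClientConfiguration.getClientId();
        PrivateKey signingKey = parsePrivateKey(getPemReader());
        Instant now = Instant.now();
        JwtBuilder builder = Jwts.builder()
                .setAudience(this.tokenClientConfiguration.getBaseUrl() + TOKEN_URI)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plus(ASSERTION_LIFETIME_MINUTES, ChronoUnit.MINUTES)))
                .setIssuer(clientId)
                .setSubject(clientId)
                // "jti" is unique per assertion (RFC 7519 §4.1.7), letting the endpoint treat each one as single-use.
                .claim("jti", UUID.randomUUID().toString())
                .signWith(signingKey);
        String kid = this.tokenClientConfiguration.getKid();
        if (Strings.hasText(kid)) {
            // Key id lets the endpoint pick the matching registered public key.
            builder.setHeaderParam("kid", kid);
        }
        return builder.compact();
    }

    /**
     * Parses a PEM private key and verifies it is an RSA or EC key.
     *
     * @param reader PEM source; consumed and closed by the parser
     * @return the parsed key
     * @throws IOException         on read or PEM parse errors
     * @throws InvalidKeyException if the key algorithm is anything other than RSA or EC
     */
    PrivateKey parsePrivateKey(Reader reader) throws IOException, InvalidKeyException {
        PrivateKey privateKey = getPrivateKeyFromPEM(reader);
        String algorithm = privateKey.getAlgorithm();
        // Constant-on-the-left equals also rejects a null algorithm instead of throwing NPE.
        if (!"RSA".equals(algorithm) && !"EC".equals(algorithm)) {
            throw new InvalidKeyException("Supplied privateKey is not an RSA or EC key - " + algorithm);
        }
        return privateKey;
    }

    /**
     * Opens a reader over the configured private key: inline PEM text if the value
     * carries a PEM wrapper, otherwise the value is treated as a file path.
     *
     * @return reader positioned at the start of the PEM content
     * @throws IOException if the key file cannot be opened
     */
    private Reader getPemReader() throws IOException {
        String privateKey = this.tokenClientConfiguration.getPrivateKey();
        if (ConfigUtil.hasPrivateKeyContentWrapper(privateKey)) {
            return new StringReader(privateKey);
        }
        // PEM is ASCII, so the UTF-8 default of Files.newBufferedReader decodes it identically on
        // every platform, unlike Charset.defaultCharset().
        return Files.newBufferedReader(Paths.get(privateKey));
    }

    /**
     * Reads the first PEM object from {@code reader} and converts it to a JCA private key.
     * Only unencrypted key pairs and PKCS#8 {@code PrivateKeyInfo} are handled; any other
     * object type (including encrypted PEM variants) is rejected.
     *
     * @param reader PEM source; closed before this method returns
     * @return the private key
     * @throws IOException              on read or PEM parse errors
     * @throws IllegalArgumentException if the stream is empty or holds an unsupported object type
     */
    PrivateKey getPrivateKeyFromPEM(Reader reader) throws IOException {
        try (PEMParser pemParser = new PEMParser(reader)) {
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            Object pemObject = pemParser.readObject();
            if (pemObject == null) {
                throw new IllegalArgumentException("Invalid Private Key PEM file");
            }
            if (pemObject instanceof PEMKeyPair) {
                return converter.getKeyPair((PEMKeyPair) pemObject).getPrivate();
            }
            if (pemObject instanceof PrivateKeyInfo) {
                return converter.getPrivateKey((PrivateKeyInfo) pemObject);
            }
            throw new IllegalArgumentException("Unsupported Private Key format '" + pemObject.getClass().getSimpleName() + '\'');
        }
    }

    /**
     * Derives the configuration used for the token request from the caller's configuration.
     * Base URL, proxy, client id, scopes, private key and kid are copied; credentials resolution
     * and request authentication are disabled, the scheme is fixed to private-key OAuth2, and
     * retries are limited to a single attempt.
     *
     * @param clientConfiguration caller-supplied configuration (not modified)
     * @return a new configuration for the token request
     */
    ClientConfiguration constructTokenClientConfig(ClientConfiguration clientConfiguration) {
        ClientConfiguration tokenConfig = new ClientConfiguration();
        // No stored credentials and no request authenticator: the token request authenticates
        // itself with the signed client assertion built in createSignedJWT().
        tokenConfig.setClientCredentialsResolver(new DefaultClientCredentialsResolver(Optional::empty));
        tokenConfig.setRequestAuthenticator(new DisabledAuthenticator());
        if (clientConfiguration.getBaseUrlResolver() != null) {
            tokenConfig.setBaseUrlResolver(clientConfiguration.getBaseUrlResolver());
        }
        if (clientConfiguration.getProxy() != null) {
            tokenConfig.setProxy(clientConfiguration.getProxy());
        }
        tokenConfig.setBaseUrl(clientConfiguration.getBaseUrl());
        tokenConfig.setAuthenticationScheme(AuthenticationScheme.OAUTH2_PRIVATE_KEY);
        tokenConfig.setAuthorizationMode(AuthorizationMode.get(tokenConfig.getAuthenticationScheme()));
        tokenConfig.setClientId(clientConfiguration.getClientId());
        tokenConfig.setScopes(clientConfiguration.getScopes());
        tokenConfig.setPrivateKey(clientConfiguration.getPrivateKey());
        tokenConfig.setKid(clientConfiguration.getKid());
        // Presumably a single attempt with no retry window — confirm against the retry handling.
        tokenConfig.setRetryMaxElapsed(0);
        tokenConfig.setRetryMaxAttempts(1);
        return tokenConfig;
    }
}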
