package org.projectnessie.client.auth.oauth2;

import java.io.PrintStream;
import java.net.URI;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ScheduledExecutorService;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import org.apache.iceberg.shaded.com.fasterxml.jackson.databind.JsonNode;
import org.apache.iceberg.shaded.com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.iceberg.shaded.com.google.errorprone.annotations.CanIgnoreReturnValue;
import org.immutables.value.Value;
import org.projectnessie.client.NessieConfigConstants;
import org.projectnessie.client.auth.BasicAuthenticationProvider;
import org.projectnessie.client.auth.oauth2.OAuth2AuthenticatorConfig;
import org.projectnessie.client.http.HttpAuthentication;
import org.projectnessie.client.http.HttpClient;

/* JADX INFO: Access modifiers changed from: package-private */
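/**
 * Immutables-backed configuration for the Nessie OAuth2 client: the settings inherited from
 * {@link OAuth2AuthenticatorConfig}, lower bounds for the timing options, a console stream, a
 * clock, and lazily resolved endpoints, HTTP Basic credentials and HTTP client.
 *
 * <p>This listing is decompiler output. The decompiler recorded that the class, its
 * {@link Builder} and every public member except
 * {@link #ignoreDeviceCodeFlowServerPollInterval()} were package-private in the compiled class and
 * widened them to {@code public}. The compiler-generated bridge methods that the decompiler
 * printed inside {@link Builder} are omitted: they clash by erasure with the declared methods and
 * are regenerated by the compiler.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>{@link #check()} rejects a query or fragment only on the explicitly configured token and
 *       authorization endpoints. Endpoints taken from the OpenID provider metadata are used as
 *       returned by the provider; no scheme or host validation is visible here, so the issuer URL
 *       has to identify a trusted provider.
 *   <li>The client secret ends up in HTTP Basic credentials that are sent to the resolved
 *       endpoints, including the impersonation endpoints.
 * </ul>
 */
@Value.Immutable
public abstract class OAuth2ClientConfig implements OAuth2AuthenticatorConfig {
    static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    /**
     * Builder for {@link OAuth2ClientConfig}. It narrows the return types of the inherited
     * {@link OAuth2AuthenticatorConfig.Builder} methods and adds the options declared only on this
     * class: the {@code min*} lower bounds, the device-code poll-interval override, the console and
     * the clock.
     */
    public interface Builder extends OAuth2AuthenticatorConfig.Builder {
        @Override
        @CanIgnoreReturnValue
        Builder from(OAuth2AuthenticatorConfig oAuth2AuthenticatorConfig);

        @Override
        Builder issuerUrl(URI uri);

        @Override
        Builder tokenEndpoint(URI uri);

        @Override
        Builder authEndpoint(URI uri);

        @Override
        Builder deviceAuthEndpoint(URI uri);

        @Override
        Builder grantType(GrantType grantType);

        @Override
        Builder clientId(String str);

        @Override
        @CanIgnoreReturnValue
        Builder clientSecret(Secret secret);

        /**
         * Sets the client secret from a plain string by wrapping it in a constant supplier.
         *
         * <p>The string is captured by the lambda and stays reachable for as long as that supplier
         * is referenced. Callers that want the secret fetched on demand should pass their own
         * supplier to {@link #clientSecretSupplier(Supplier)} instead.
         */
        @Override
        @CanIgnoreReturnValue
        default Builder clientSecret(String str) {
            return clientSecretSupplier(() -> str);
        }

        @Override
        @CanIgnoreReturnValue
        Builder clientSecretSupplier(Supplier<String> supplier);

        @Override
        Builder username(String str);

        @Override
        @CanIgnoreReturnValue
        Builder password(Secret secret);

        /**
         * Sets the resource-owner password from a plain string by wrapping it in a constant
         * supplier. The same retention caveat as for {@link #clientSecret(String)} applies: the
         * string stays reachable for as long as the supplier is referenced.
         */
        @Override
        @CanIgnoreReturnValue
        default Builder password(String str) {
            return passwordSupplier(() -> str);
        }

        @Override
        @CanIgnoreReturnValue
        Builder passwordSupplier(Supplier<String> supplier);

        @Override
        Builder addScope(String str);

        @Override
        Builder addScopes(String... strArr);

        @Override
        Builder scopes(Iterable<String> iterable);

        @Override
        @CanIgnoreReturnValue
        Builder extraRequestParameters(Map<String, ? extends String> map);

        @Override
        Builder tokenExchangeConfig(TokenExchangeConfig tokenExchangeConfig);

        @Override
        Builder impersonationConfig(ImpersonationConfig impersonationConfig);

        @Override
        Builder defaultAccessTokenLifespan(Duration duration);

        @Override
        Builder defaultRefreshTokenLifespan(Duration duration);

        @Override
        Builder refreshSafetyWindow(Duration duration);

        @Override
        Builder preemptiveTokenRefreshIdleTimeout(Duration duration);

        @Override
        Builder backgroundThreadIdleTimeout(Duration duration);

        @Override
        Builder authorizationCodeFlowTimeout(Duration duration);

        @Override
        Builder authorizationCodeFlowWebServerPort(int i);

        @Override
        Builder deviceCodeFlowTimeout(Duration duration);

        @Override
        Builder deviceCodeFlowPollInterval(Duration duration);

        @Override
        Builder sslContext(SSLContext sSLContext);

        @Override
        Builder objectMapper(ObjectMapper objectMapper);

        @Override
        Builder executor(ScheduledExecutorService scheduledExecutorService);

        // The min* setters below replace the lower bounds that check() enforces. Lowering them
        // loosens validation, so they are best left at their defaults outside of tests.

        @CanIgnoreReturnValue
        Builder minDefaultAccessTokenLifespan(Duration duration);

        @CanIgnoreReturnValue
        Builder minRefreshSafetyWindow(Duration duration);

        @CanIgnoreReturnValue
        Builder minPreemptiveTokenRefreshIdleTimeout(Duration duration);

        @CanIgnoreReturnValue
        Builder minAuthorizationCodeFlowTimeout(Duration duration);

        @CanIgnoreReturnValue
        Builder minDeviceCodeFlowTimeout(Duration duration);

        @CanIgnoreReturnValue
        Builder minDeviceCodeFlowPollInterval(Duration duration);

        @CanIgnoreReturnValue
        Builder ignoreDeviceCodeFlowServerPollInterval(boolean z);

        @CanIgnoreReturnValue
        Builder console(PrintStream printStream);

        @CanIgnoreReturnValue
        Builder clock(Supplier<Instant> supplier);

        @Override
        OAuth2ClientConfig build();
    }

    /** Returns a new builder backed by the Immutables-generated implementation. */
    public static Builder builder() {
        return ImmutableOAuth2ClientConfig.builder();
    }

    /**
     * Returns a display name made of the prefix {@code nessie-oauth2-client-} and the result of
     * {@code OAuth2Utils.randomAlphaNumString(4)}. It is a label; nothing in this class treats it
     * as a secret or an identifier with security meaning.
     */
    @Value.Derived
    public String getClientName() {
        return "nessie-oauth2-client-" + OAuth2Utils.randomAlphaNumString(4);
    }

    /** Lower bound that {@link #check()} applies to the default access token lifespan. */
    @Value.Default
    public Duration getMinDefaultAccessTokenLifespan() {
        return Duration.ofSeconds(10L);
    }

    /** Lower bound that {@link #check()} applies to the refresh safety window. */
    @Value.Default
    public Duration getMinRefreshSafetyWindow() {
        return Duration.ofSeconds(1L);
    }

    /** Lower bound that {@link #check()} applies to the preemptive token refresh idle timeout. */
    @Value.Default
    public Duration getMinPreemptiveTokenRefreshIdleTimeout() {
        return Duration.ofSeconds(1L);
    }

    /** Lower bound that {@link #check()} applies to the authorization code flow timeout. */
    @Value.Default
    public Duration getMinAuthorizationCodeFlowTimeout() {
        return Duration.ofSeconds(30L);
    }

    /** Lower bound that {@link #check()} applies to the device code flow timeout. */
    @Value.Default
    public Duration getMinDeviceCodeFlowTimeout() {
        return Duration.ofSeconds(30L);
    }

    /** Lower bound that {@link #check()} applies to the device code flow poll interval. */
    @Value.Default
    public Duration getMinDeviceCodeFlowPollInterval() {
        return Duration.ofSeconds(5L);
    }

    /**
     * Flag for ignoring the poll interval sent by the server in the device code flow; off by
     * default. How the flag is consumed is not visible in this class.
     */
    @Value.Default
    public boolean ignoreDeviceCodeFlowServerPollInterval() {
        return false;
    }

    /** Console stream of this configuration; defaults to {@link System#out}. */
    @Value.Default
    public PrintStream getConsole() {
        return System.out;
    }

    /** Time source of this configuration; defaults to the system UTC clock. */
    @Value.Default
    public Supplier<Instant> getClock() {
        return Clock.systemUTC()::instant;
    }

    /** Returns {@code true} when neither a client secret nor a client secret supplier is set. */
    @Value.Derived
    public boolean isPublicClient() {
        return getClientSecret().isEmpty() && getClientSecretSupplier().isEmpty();
    }

    /**
     * Returns, when the impersonation config carries a client ID, whether that client is public;
     * empty otherwise.
     *
     * <p>NOTE(review): the answer is computed from this config's own client secret and secret
     * supplier, not from anything on the impersonation config. Whether the impersonation config
     * has a secret of its own is not visible here; confirm that sharing the secret is intended.
     */
    @Value.Derived
    public Optional<Boolean> isImpersonationPublicClient() {
        return getImpersonationConfig()
                .getClientId()
                .map(id -> getClientSecret().isEmpty() && getClientSecretSupplier().isEmpty());
    }

    /**
     * Fetches the OpenID provider metadata for the configured issuer URL on first use.
     *
     * <p>The endpoint getters below take their fallback values from this document, and the client
     * credentials are later sent to those endpoints, so the issuer URL must identify a provider
     * the deployment trusts.
     *
     * @throws IllegalStateException if no issuer URL is configured
     */
    @Value.Lazy
    public JsonNode getOpenIdProviderMetadata() {
        URI issuerUrl = getIssuerUrl().orElseThrow(() -> new IllegalStateException("No issuer-URL"));
        return OAuth2Utils.fetchOpenIdProviderMetadata(getHttpClient(), issuerUrl);
    }

    /**
     * Fetches the OpenID provider metadata for the impersonation issuer URL on first use; empty
     * when the impersonation config has no issuer URL.
     */
    @Value.Lazy
    public Optional<JsonNode> getImpersonationOpenIdProviderMetadata() {
        return getImpersonationConfig()
                .getIssuerUrl()
                .map(issuerUrl -> OAuth2Utils.fetchOpenIdProviderMetadata(getHttpClient(), issuerUrl));
    }

    /**
     * Reads an endpoint URI from OpenID provider metadata.
     *
     * <p>Only a JSON string is accepted. An absent field, a JSON {@code null} or any other node
     * type is reported as missing instead of being stringified into a meaningless URI such as
     * {@code "null"}.
     *
     * @param metadata the provider metadata document
     * @param field the metadata field holding the endpoint
     * @param missingMessage the exception message used when the field is unusable
     * @return the endpoint URI exactly as published by the provider (no scheme or host check)
     * @throws IllegalStateException if the field is absent, JSON null or not a string
     */
    private static URI endpointFromMetadata(JsonNode metadata, String field, String missingMessage) {
        JsonNode value = metadata.get(field);
        if (value == null || !value.isTextual()) {
            throw new IllegalStateException(missingMessage);
        }
        return URI.create(value.asText());
    }

    /**
     * Returns the configured token endpoint, or the {@code token_endpoint} of the OpenID provider
     * metadata when none is configured.
     *
     * @throws IllegalStateException if the metadata has no usable token endpoint
     */
    @Value.Lazy
    public URI getResolvedTokenEndpoint() {
        if (getTokenEndpoint().isPresent()) {
            return getTokenEndpoint().get();
        }
        return endpointFromMetadata(
                getOpenIdProviderMetadata(),
                "token_endpoint",
                "OpenID provider metadata does not contain a token endpoint");
    }

    /**
     * Returns the configured authorization endpoint, or the {@code authorization_endpoint} of the
     * OpenID provider metadata when none is configured.
     *
     * @throws IllegalStateException if the metadata has no usable authorization endpoint
     */
    @Value.Lazy
    public URI getResolvedAuthEndpoint() {
        if (getAuthEndpoint().isPresent()) {
            return getAuthEndpoint().get();
        }
        return endpointFromMetadata(
                getOpenIdProviderMetadata(),
                "authorization_endpoint",
                "OpenID provider metadata does not contain an authorization endpoint");
    }

    /**
     * Returns the configured device authorization endpoint, or the
     * {@code device_authorization_endpoint} of the OpenID provider metadata when none is
     * configured.
     *
     * @throws IllegalStateException if the metadata has no usable device authorization endpoint
     */
    @Value.Lazy
    public URI getResolvedDeviceAuthEndpoint() {
        if (getDeviceAuthEndpoint().isPresent()) {
            return getDeviceAuthEndpoint().get();
        }
        return endpointFromMetadata(
                getOpenIdProviderMetadata(),
                "device_authorization_endpoint",
                "OpenID provider metadata does not contain a device authorization endpoint");
    }

    /**
     * Returns the impersonation token endpoint: the one set on the impersonation config, else the
     * {@code token_endpoint} of the impersonation provider metadata, else empty.
     *
     * @throws IllegalStateException if the impersonation metadata is consulted and has no usable
     *     token endpoint
     */
    @Value.Lazy
    public Optional<URI> getResolvedImpersonationTokenEndpoint() {
        return getImpersonationConfig()
                .getTokenEndpoint()
                .or(() -> getImpersonationOpenIdProviderMetadata()
                        .map(metadata -> endpointFromMetadata(
                                metadata,
                                "token_endpoint",
                                "OpenID provider metadata does not contain a token endpoint")));
    }

    /**
     * Builds the HTTP Basic credentials for this client from the client ID and the client secret,
     * preferring the {@code Secret} value over the supplier; empty for a public client.
     */
    @Value.Lazy
    public Optional<HttpAuthentication> getBasicAuthentication() {
        return getClientSecret()
                .map(secret -> BasicAuthenticationProvider.create(getClientId(), secret.getString()))
                .or(() -> getClientSecretSupplier()
                        .map(supplier -> BasicAuthenticationProvider.create(
                                getClientId(), (Supplier<String>) supplier)));
    }

    /**
     * Builds the HTTP Basic credentials used for impersonation; empty when the impersonation
     * config has no client ID or no secret is configured.
     *
     * <p>NOTE(review): the impersonation client ID is paired with this config's own client secret,
     * so that secret is presented to the impersonation token endpoint as well. Confirm that both
     * clients are meant to share one secret and that the impersonation provider is trusted with it.
     */
    @Value.Lazy
    public Optional<HttpAuthentication> getImpersonationBasicAuthentication() {
        return getImpersonationConfig()
                .getClientId()
                .flatMap(impersonationClientId -> getClientSecret()
                        .map(secret -> BasicAuthenticationProvider.create(
                                impersonationClientId, secret.getString()))
                        .or(() -> getClientSecretSupplier()
                                .map(supplier -> BasicAuthenticationProvider.create(
                                        impersonationClientId, (Supplier<String>) supplier))));
    }

    /**
     * Builds, on first use, the HTTP client used to fetch the provider metadata.
     *
     * <p>When no {@code SSLContext} is configured, {@code null} is handed to the client builder;
     * what the builder does with {@code null} is not visible here (presumably the platform
     * default - confirm). Compression is disabled and an {@code OAuth2ResponseFilter} is
     * installed on every response.
     */
    @Value.Lazy
    public HttpClient getHttpClient() {
        return HttpClient.builder()
                .setObjectMapper(getObjectMapper())
                .setSslContext(getSslContext().orElse(null))
                .setDisableCompression(true)
                .addResponseFilter(new OAuth2ResponseFilter(getObjectMapper()))
                .build();
    }

    /**
     * Records one violation when {@code valid} is false.
     *
     * @param violations the list collecting violation messages
     * @param option the configuration option name(s) appended to the message in parentheses
     * @param valid the outcome of the rule; nothing is recorded when true
     * @param message the message, used as a {@link String#format} pattern only when {@code args}
     *     is non-empty
     * @param args the format arguments, possibly none
     */
    private static void check(
            List<String> violations, String option, boolean valid, String message, Object... args) {
        if (valid) {
            return;
        }
        String text = args.length == 0 ? message : String.format(message, args);
        violations.add(text + " (" + option + ")");
    }

    /**
     * Validates the whole configuration and reports every violation at once.
     *
     * <p>Only explicitly configured token and authorization endpoints are checked for a query or
     * fragment part. The configured device authorization endpoint and all endpoints discovered
     * from provider metadata are not checked here, and no rule constrains the URI scheme.
     *
     * @throws IllegalArgumentException listing all violations, if there is at least one
     */
    @Value.Check
    public void check() {
        List<String> violations = new ArrayList<>();
        check(
                violations,
                NessieConfigConstants.CONF_NESSIE_OAUTH2_CLIENT_ID,
                !getClientId().isEmpty(),
                "client ID must not be empty");
        check(
                violations,
                "nessie.authentication.oauth2.grant-type / nessie.authentication.oauth2.client-secret",
                getClientSecret().isPresent()
                        || getClientSecretSupplier().isPresent()
                        || getGrantType() != GrantType.CLIENT_CREDENTIALS,
                "client secret must not be empty when grant type is '%s'",
                "client_credentials");
        check(
                violations,
                "nessie.authentication.oauth2.issuer-url / nessie.authentication.oauth2.token-endpoint",
                getIssuerUrl().isPresent() || getTokenEndpoint().isPresent(),
                "either issuer URL or token endpoint must be set");
        if (getTokenEndpoint().isPresent()) {
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_ENDPOINT,
                    getTokenEndpoint().get().getQuery() == null,
                    "Token endpoint must not have a query part");
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_ENDPOINT,
                    getTokenEndpoint().get().getFragment() == null,
                    "Token endpoint must not have a fragment part");
        }
        if (getAuthEndpoint().isPresent()) {
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_AUTH_ENDPOINT,
                    getAuthEndpoint().get().getQuery() == null,
                    "Authorization endpoint must not have a query part");
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_AUTH_ENDPOINT,
                    getAuthEndpoint().get().getFragment() == null,
                    "Authorization endpoint must not have a fragment part");
        }
        GrantType grantType = getGrantType();
        // Locale.ROOT keeps the listed grant type names stable whatever the JVM default locale is.
        String initialGrantTypes = Arrays.stream(GrantType.values())
                .filter(GrantType::isInitial)
                .map(GrantType::name)
                .map(name -> name.toLowerCase(java.util.Locale.ROOT))
                .collect(Collectors.joining("', '", "'", "'"));
        check(
                violations,
                NessieConfigConstants.CONF_NESSIE_OAUTH2_GRANT_TYPE,
                grantType.isInitial(),
                "grant type must be one of: %s",
                initialGrantTypes);
        if (grantType == GrantType.PASSWORD) {
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_USERNAME,
                    getUsername().isPresent() && !getUsername().get().isEmpty(),
                    "username must be set if grant type is '%s'",
                    "password");
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_PASSWORD,
                    getPassword().isPresent() || getPasswordSupplier().isPresent(),
                    "password must be set if grant type is '%s'",
                    "password");
        }
        if (grantType == GrantType.AUTHORIZATION_CODE) {
            check(
                    violations,
                    "nessie.authentication.oauth2.issuer-url / nessie.authentication.oauth2.auth-endpoint",
                    getIssuerUrl().isPresent() || getAuthEndpoint().isPresent(),
                    "either issuer URL or authorization endpoint must be set if grant type is '%s'",
                    "authorization_code");
            if (getAuthorizationCodeFlowWebServerPort().isPresent()) {
                int port = getAuthorizationCodeFlowWebServerPort().getAsInt();
                check(
                        violations,
                        NessieConfigConstants.CONF_NESSIE_OAUTH2_AUTHORIZATION_CODE_FLOW_WEB_PORT,
                        port >= 0 && port <= 65535,
                        "authorization code flow: web server port must be between 0 and 65535 (inclusive)");
            }
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_AUTHORIZATION_CODE_FLOW_TIMEOUT,
                    getAuthorizationCodeFlowTimeout().compareTo(getMinAuthorizationCodeFlowTimeout()) >= 0,
                    "authorization code flow: timeout must be greater than or equal to %s",
                    getMinAuthorizationCodeFlowTimeout());
        }
        if (grantType == GrantType.DEVICE_CODE) {
            // NOTE(review): the option label names auth-endpoint although the rule tests the
            // device authorization endpoint; confirm which option name the message should show.
            check(
                    violations,
                    "nessie.authentication.oauth2.issuer-url / nessie.authentication.oauth2.auth-endpoint",
                    getIssuerUrl().isPresent() || getDeviceAuthEndpoint().isPresent(),
                    "either issuer URL or device authorization endpoint must be set if grant type is '%s'",
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_GRANT_TYPE_DEVICE_CODE);
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_DEVICE_CODE_FLOW_POLL_INTERVAL,
                    getDeviceCodeFlowPollInterval().compareTo(getMinDeviceCodeFlowPollInterval()) >= 0,
                    "device code flow: poll interval must be greater than or equal to %s",
                    getMinDeviceCodeFlowPollInterval());
            check(
                    violations,
                    NessieConfigConstants.CONF_NESSIE_OAUTH2_DEVICE_CODE_FLOW_TIMEOUT,
                    getDeviceCodeFlowTimeout().compareTo(getMinDeviceCodeFlowTimeout()) >= 0,
                    "device code flow: timeout must be greater than or equal to %s",
                    getMinDeviceCodeFlowTimeout());
        }
        check(
                violations,
                NessieConfigConstants.CONF_NESSIE_OAUTH2_DEFAULT_ACCESS_TOKEN_LIFESPAN,
                getDefaultAccessTokenLifespan().compareTo(getMinDefaultAccessTokenLifespan()) >= 0,
                "default token lifespan must be greater than or equal to %s",
                getMinDefaultAccessTokenLifespan());
        check(
                violations,
                NessieConfigConstants.CONF_NESSIE_OAUTH2_REFRESH_SAFETY_WINDOW,
                getRefreshSafetyWindow().compareTo(getMinRefreshSafetyWindow()) >= 0,
                "refresh safety window must be greater than or equal to %s",
                getMinRefreshSafetyWindow());
        check(
                violations,
                "nessie.authentication.oauth2.refresh-safety-window/nessie.authentication.oauth2.default-access-token-lifespan",
                getRefreshSafetyWindow().compareTo(getDefaultAccessTokenLifespan()) < 0,
                "refresh safety window must be less than the default token lifespan");
        check(
                violations,
                NessieConfigConstants.CONF_NESSIE_OAUTH2_PREEMPTIVE_TOKEN_REFRESH_IDLE_TIMEOUT,
                getPreemptiveTokenRefreshIdleTimeout().compareTo(getMinPreemptiveTokenRefreshIdleTimeout()) >= 0,
                "preemptive token refresh idle timeout must be greater than or equal to %s",
                getMinPreemptiveTokenRefreshIdleTimeout());
        check(
                violations,
                NessieConfigConstants.CONF_NESSIE_OAUTH2_BACKGROUND_THREAD_IDLE_TIMEOUT,
                getBackgroundThreadIdleTimeout().compareTo(Duration.ZERO) > 0,
                "background thread idle timeout must be greater than zero");
        check(
                violations,
                "nessie.authentication.oauth2.impersonation.enabled / nessie.authentication.oauth2.grant-type",
                !(getImpersonationConfig().isEnabled() && grantType == GrantType.TOKEN_EXCHANGE),
                "impersonation cannot be enabled if grant type is '%s'",
                NessieConfigConstants.CONF_NESSIE_OAUTH2_GRANT_TYPE_TOKEN_EXCHANGE);
        if (!violations.isEmpty()) {
            throw new IllegalArgumentException(
                    "OAuth2 authentication has configuration errors and could not be initialized: "
                            + String.join(", ", violations));
        }
    }

    /**
     * Looks up a string option and, when it is set, passes the raw value to {@code setter}.
     *
     * @param config the lookup returning the option value, or {@code null} when it is unset
     * @param option the option name
     * @param setter the receiver of the value
     */
    public static void applyConfigOption(
            Function<String, String> config, String option, Consumer<String> setter) {
        applyConfigOption(config, option, setter, Function.identity());
    }

    /**
     * Looks up an option and, when it is set, converts the value and passes it to {@code setter}.
     * An unset option (a {@code null} lookup result) leaves the setter untouched, and any
     * exception thrown by the converter propagates to the caller.
     *
     * @param config the lookup returning the option value, or {@code null} when it is unset
     * @param option the option name
     * @param setter the receiver of the converted value
     * @param converter the conversion from the raw string to the target type
     */
    public static <T> void applyConfigOption(
            Function<String, String> config,
            String option,
            Consumer<T> setter,
            Function<String, T> converter) {
        String raw = config.apply(option);
        if (raw != null) {
            setter.accept(converter.apply(raw));
        }
    }
}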
