package com.azure.spring.cloud.autoconfigure.implementation.aad.filter;

import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadAuthenticationProperties;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.Constants;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.graph.Membership;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.graph.Memberships;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.properties.AadAuthorizationServerEndpoints;
import com.azure.spring.cloud.autoconfigure.implementation.aad.utils.AadRestTemplateCreator;
import com.azure.spring.cloud.autoconfigure.implementation.aad.utils.JacksonObjectMapperFactory;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.IClientSecret;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.naming.ServiceUnavailableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.client.RestOperations;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/implementation/aad/filter/AadGraphClient.class */
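/**
 * Client for the Microsoft Graph membership endpoint used by the AAD filter.
 *
 * <p>It does two things: it exchanges an incoming user token for a Graph token with the
 * MSAL on-behalf-of flow ({@link #acquireTokenForGraphApi}), and it pages through the
 * configured membership URI to collect the display names of the user's groups
 * ({@link #getGroups}), which {@link #toGrantedAuthoritySet} maps to Spring authorities.
 *
 * <p>Not thread-safe with respect to {@link #setRestOperations}; the remaining state is
 * effectively immutable after construction.
 */
public class AadGraphClient {
    private static final Logger LOGGER = LoggerFactory.getLogger(AadGraphClient.class);
    /** Scope requested in the on-behalf-of exchange. */
    private static final String MICROSOFT_GRAPH_SCOPE = "User.Read";
    /** Marker placed at the end of every correlation id handed to MSAL (see {@link #getCorrelationId}). */
    private static final String REQUEST_ID_SUFFIX = "aadfeed6";
    private final String clientId;
    private final String clientSecret;
    private final AadAuthorizationServerEndpoints endpoints;
    private final AadAuthenticationProperties aadAuthenticationProperties;
    /** HTTP client used for Graph calls; replaceable through {@link #setRestOperations}. */
    private RestOperations operations;

    /**
     * Creates a client bound to one confidential client registration.
     *
     * @param clientId the application (client) id used for the on-behalf-of exchange
     * @param clientSecret the client secret matching {@code clientId}
     * @param aadAuthenticationProperties provides the membership URI and the allowed-group filter
     * @param endpoints authorization server endpoints; the base URI becomes the MSAL authority prefix
     * @param restTemplateBuilder builder from which the Graph {@link RestOperations} is created
     */
    public AadGraphClient(String clientId, String clientSecret, AadAuthenticationProperties aadAuthenticationProperties,
                          AadAuthorizationServerEndpoints endpoints, RestTemplateBuilder restTemplateBuilder) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.aadAuthenticationProperties = aadAuthenticationProperties;
        this.endpoints = endpoints;
        this.operations = AadRestTemplateCreator.createRestTemplate(restTemplateBuilder);
    }

    /**
     * Replaces the {@link RestOperations} used for Graph calls (package-private hook).
     *
     * @param restOperations the client to use from now on
     */
    void setRestOperations(RestOperations restOperations) {
        this.operations = restOperations;
    }

    /**
     * Performs one GET against a membership page URI with the given bearer token.
     *
     * @param accessToken Graph access token sent as {@code Authorization: Bearer ...}; never logged here
     * @param uri absolute page URI to fetch
     * @return the response body (JSON) of a 200 response
     * @throws IOException declared for callers; the HTTP client itself reports failures unchecked
     * @throws IllegalStateException when the status is not 200. NOTE(review): the raw response body is
     *         embedded in the message and may therefore surface in logs; it is the membership payload
     */
    private String getUserMemberships(String accessToken, String uri) throws IOException {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", String.format("Bearer %s", accessToken));
        headers.set("Accept", "application/json");
        // Kept as in the original request even though a GET carries no body.
        headers.set("Content-Type", "application/x-www-form-urlencoded");
        ResponseEntity<String> response =
            this.operations.exchange(uri, HttpMethod.GET, new HttpEntity<>(headers), String.class);
        String body = response.getBody();
        if (response.getStatusCode() == HttpStatus.OK) {
            return body;
        }
        throw new IllegalStateException("Response is not " + HttpStatus.OK + ", response json: " + body);
    }

    /**
     * Collects the display names of all group-type memberships of the token's user.
     *
     * <p>Starts at the configured membership URI and follows {@code @odata.nextLink} until it is
     * absent. NOTE(review): the next-page URL is taken from the Graph response as-is and the bearer
     * token is sent to it; no host check is applied.
     *
     * @param accessToken Graph access token for the user
     * @return group display names in the order returned by Graph (duplicates dropped); empty if none
     * @throws IOException if a page cannot be fetched or parsed
     * @throws IllegalStateException if a page request does not return 200
     */
    public Set<String> getGroups(String accessToken) throws IOException {
        Set<String> groupNames = new LinkedHashSet<>();
        ObjectMapper objectMapper = JacksonObjectMapperFactory.getInstance();
        String pageUri = this.aadAuthenticationProperties.getGraphMembershipUri();
        while (pageUri != null) {
            Memberships memberships =
                objectMapper.readValue(getUserMemberships(accessToken, pageUri), Memberships.class);
            memberships.getValue().stream()
                .filter(this::isGroupObject)
                .map(Membership::getDisplayName)
                .forEach(groupNames::add);
            pageUri = memberships.getOdataNextLink();
        }
        return groupNames;
    }

    /**
     * Whether a membership entry is a group (as opposed to any other directory object type).
     * Null-safe: an entry without an object type is treated as "not a group".
     *
     * @param membership entry from a membership page
     * @return {@code true} if its object type equals {@link Membership#OBJECT_TYPE_GROUP}
     */
    private boolean isGroupObject(Membership membership) {
        return Membership.OBJECT_TYPE_GROUP.equals(membership.getObjectType());
    }

    /**
     * Maps group names to {@code ROLE_}-prefixed authorities, keeping only groups the
     * configuration allows.
     *
     * @param groups group display names, typically from {@link #getGroups}
     * @return the authorities, or {@link Constants#DEFAULT_AUTHORITY_SET} when no allowed group remains
     */
    public Set<SimpleGrantedAuthority> toGrantedAuthoritySet(Set<String> groups) {
        Set<SimpleGrantedAuthority> authorities = groups.stream()
            .filter(this.aadAuthenticationProperties::isAllowedGroup)
            .map(group -> new SimpleGrantedAuthority("ROLE_" + group))
            .collect(Collectors.toSet());
        return authorities.isEmpty() ? Constants.DEFAULT_AUTHORITY_SET : authorities;
    }

    /**
     * Exchanges the caller's token for a Graph token using the MSAL on-behalf-of flow.
     *
     * <p>The authority is {@code endpoints.getBaseUri() + tenantId + "/"}; the requested scope is
     * {@value #MICROSOFT_GRAPH_SCOPE}. An {@link MsalServiceException} that carries claims is
     * rethrown unchanged so the caller can handle the claims challenge; any other failure is logged
     * and reported as {@link ServiceUnavailableException}. On interruption the interrupt flag is
     * restored and the same exception is thrown.
     *
     * @param userToken the token asserted on behalf of the user
     * @param tenantId path segment appended to the authorization server base URI (presumably the tenant)
     * @return the acquired token result, never {@code null}
     * @throws ServiceUnavailableException if no token could be acquired
     * @throws MsalServiceException if the service responded with a claims challenge
     */
    public IAuthenticationResult acquireTokenForGraphApi(String userToken, String tenantId)
            throws ServiceUnavailableException {
        IClientSecret credential = ClientCredentialFactory.createFromSecret(this.clientSecret);
        UserAssertion userAssertion = new UserAssertion(userToken);
        IAuthenticationResult result = null;
        try {
            ConfidentialClientApplication application = ConfidentialClientApplication
                .builder(this.clientId, credential)
                .authority(this.endpoints.getBaseUri() + tenantId + "/")
                .correlationId(getCorrelationId())
                .build();
            Set<String> scopes = new HashSet<>();
            scopes.add(MICROSOFT_GRAPH_SCOPE);
            result = application.acquireToken(OnBehalfOfParameters.builder(scopes, userAssertion).build()).get();
        } catch (InterruptedException e) {
            LOGGER.warn("Interrupted during acquiring token for graph API!", e);
            Thread.currentThread().interrupt();
        } catch (MalformedURLException | ExecutionException e) {
            // ExecutionException wraps the real MSAL failure; a claims challenge must reach the caller.
            Throwable cause = e.getCause();
            if (cause instanceof MsalServiceException) {
                MsalServiceException msalServiceException = (MsalServiceException) cause;
                if (msalServiceException.claims() != null && !msalServiceException.claims().isEmpty()) {
                    throw msalServiceException;
                }
            }
            LOGGER.error("acquire on behalf of token for graph api error", e);
        }
        if (result == null) {
            throw new ServiceUnavailableException("unable to acquire on_behalf_of token for client " + this.clientId);
        }
        return result;
    }

    /**
     * Builds a correlation id: a random UUID whose trailing characters are replaced by
     * {@link #REQUEST_ID_SUFFIX}, so requests from this client are recognisable in AAD logs.
     *
     * @return the suffixed UUID string (same length as a plain UUID)
     */
    private static String getCorrelationId() {
        String uuid = UUID.randomUUID().toString();
        return uuid.substring(0, uuid.length() - REQUEST_ID_SUFFIX.length()) + REQUEST_ID_SUFFIX;
    }
}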
