package com.microsoft.aad.msal4j;

import io.opentelemetry.javaagent.slf4j.Logger;
import io.opentelemetry.javaagent.slf4j.LoggerFactory;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.BooleanUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:applicationinsights-agent-3.4.14.jar:inst/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.classdata */
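/**
 * Resolves and caches instance-discovery metadata (preferred network host, preferred cache
 * host and aliases) for an authority host, optionally rewriting the host to a regional
 * endpoint.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Instance-discovery requests are only ever sent to a host in {@link #TRUSTED_HOSTS_SET};
 *       any other authority host is replaced by {@code login.microsoftonline.com}.</li>
 *   <li>The region name (from configuration, the {@code REGION_NAME} environment variable or
 *       the IMDS response) is substituted into a host name, so it is restricted to a single
 *       DNS label before use.</li>
 *   <li>{@link #cache} and the discovery-failure flag are static, i.e. shared by every
 *       application instance loaded by the same class loader.</li>
 * </ul>
 */
public class AadInstanceDiscoveryProvider {
    private static final String DEFAULT_TRUSTED_HOST = "login.microsoftonline.com";
    private static final String AUTHORIZE_ENDPOINT_TEMPLATE = "https://{host}/{tenant}/oauth2/v2.0/authorize";
    private static final String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = "https://{host}:{port}/common/discovery/instance";
    private static final String INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE = "?api-version=1.1&authorization_endpoint={authorizeEndpoint}";
    private static final String HOST_TEMPLATE_WITH_REGION = "{region}.login.microsoft.com";
    private static final String SOVEREIGN_HOST_TEMPLATE_WITH_REGION = "{region}.{host}";
    private static final String REGION_NAME = "REGION_NAME";
    private static final int PORT_NOT_SET = -1;
    // Not referenced in this listing; the decompiler appears to have inlined it into IMDS_ENDPOINT.
    private static final String DEFAULT_API_VERSION = "2020-06-01";
    // NOTE(review): Azure documents IMDS as a plain-HTTP, link-local endpoint whose version is
    // passed as "api-version=<date>". This literal uses https and a bare date, so the call may
    // simply fail and region auto-detection fall through to the failure path -- confirm against
    // the upstream library before relying on IMDS auto-detection.
    private static final String IMDS_ENDPOINT = "https://169.254.169.254/metadata/instance/compute/location?2020-06-01&format=text";
    private static final int IMDS_TIMEOUT = 2;
    private static final TimeUnit IMDS_TIMEOUT_UNIT = TimeUnit.SECONDS;
    // Longest label DNS allows; used as the upper bound for a region name.
    private static final int MAX_REGION_LENGTH = 63;
    // Both sets are mutable and package-visible: anything in this package that adds a host here
    // widens the set of hosts that instance discovery is sent to.
    static final TreeSet<String> TRUSTED_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static final TreeSet<String> TRUSTED_SOVEREIGN_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    private static final Logger log = LoggerFactory.getLogger(AadInstanceDiscoveryProvider.class);
    // Written by request threads and read by others, hence volatile. The flag is never reset in
    // this class: one non-200 discovery response disables discovery for the rest of the process.
    private static volatile boolean instanceDiscoveryFailed = false;
    static ConcurrentHashMap<String, InstanceDiscoveryMetadataEntry> cache = new ConcurrentHashMap<>();

    static {
        TRUSTED_SOVEREIGN_HOSTS_SET.addAll(Arrays.asList("login.chinacloudapi.cn", "login-us.microsoftonline.com", "login.microsoftonline.de", "login.microsoftonline.us"));
        TRUSTED_HOSTS_SET.addAll(Arrays.asList("login.windows.net", DEFAULT_TRUSTED_HOST, "login.microsoft.com", "sts.windows.net"));
        TRUSTED_HOSTS_SET.addAll(TRUSTED_SOVEREIGN_HOSTS_SET);
    }

    AadInstanceDiscoveryProvider() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the metadata entry for the authority host, running instance discovery on a
     * cache miss.
     *
     * <p>If instance discovery is disabled for the application, or an earlier discovery call
     * failed, a self-describing entry (host is its own preferred network, preferred cache and
     * only alias) is returned without contacting the discovery endpoint, so the host is not
     * checked by this method in that case.
     *
     * @param url authority URL whose host is looked up
     * @param z whether the discovery response must be validated (passed through to
     *     {@code doInstanceDiscoveryAndCache})
     * @param msalRequest request supplying the application settings and HTTP headers
     * @param serviceBundle services used for HTTP calls and telemetry
     * @return the cached or synthesized metadata entry
     */
    public static InstanceDiscoveryMetadataEntry getMetadataEntry(URL url, boolean z, MsalRequest msalRequest, ServiceBundle serviceBundle) {
        String host = url.getHost();
        if (shouldUseRegionalEndpoint(msalRequest)) {
            // Region discovery runs whenever the regional API is in use; its result feeds the
            // regionOutcome telemetry below even when a region was configured explicitly.
            String discoverRegion = discoverRegion(msalRequest, serviceBundle);
            if (msalRequest.application().azureRegion() != null) {
                host = getRegionalizedHost(url.getHost(), msalRequest.application().azureRegion());
            }
            if (null == msalRequest.application().azureRegion() && msalRequest.application().autoDetectRegion() && null != discoverRegion) {
                // Stored on the application object, so it is reused by later requests.
                msalRequest.application().azureRegion = discoverRegion;
            }
            // NOTE(review): when the region is still null here, getRegionalizedHost returns the
            // host unchanged and a self-entry is cached under the plain host, so the lookup
            // below hits and instance discovery (and its validation) is skipped -- confirm
            // that this is intended.
            cacheRegionInstanceMetadata(url.getHost(), msalRequest.application().azureRegion());
            serviceBundle.getServerSideTelemetry().getCurrentRequest().regionOutcome(determineRegionOutcome(discoverRegion, msalRequest.application().azureRegion(), msalRequest.application().autoDetectRegion()));
        }
        if (cache.get(host) == null) {
            if (!msalRequest.application().instanceDiscovery() || instanceDiscoveryFailed) {
                return InstanceDiscoveryMetadataEntry.builder().preferredCache(host).preferredNetwork(host).aliases(Collections.singleton(host)).build();
            }
            doInstanceDiscoveryAndCache(url, z, msalRequest, serviceBundle);
        }
        return cache.get(host);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the aliases cached for a host, or a singleton set holding the host itself when
     * nothing is cached.
     *
     * @param str host name to look up
     * @return the alias set of the cached entry, or {@code {str}}
     */
    public static Set<String> getAliases(String str) {
        // Single lookup: a containsKey/get pair can observe two different cache states.
        InstanceDiscoveryMetadataEntry cached = cache.get(str);
        return cached != null ? cached.aliases() : Collections.singleton(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Parses an instance-discovery response supplied as JSON text.
     *
     * @param str JSON document
     * @return the parsed response
     * @throws MsalClientException with code {@code INVALID_INSTANCE_DISCOVERY_METADATA} when
     *     the text cannot be converted
     */
    public static AadInstanceDiscoveryResponse parseInstanceDiscoveryMetadata(String str) {
        try {
            return (AadInstanceDiscoveryResponse) JsonHelper.convertJsonToObject(str, AadInstanceDiscoveryResponse.class);
        } catch (Exception e) {
            MsalClientException failure = new MsalClientException("Error parsing instance discovery response. Data must be in valid JSON format. For more information, see https://aka.ms/msal4j-instance-discovery", AuthenticationErrorCode.INVALID_INSTANCE_DISCOVERY_METADATA);
            // Keep the parser's diagnostic; attached as suppressed because only the
            // (message, errorCode) constructor is visible from this class.
            failure.addSuppressed(e);
            throw failure;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Stores every entry of a discovery response under each of its aliases, then makes sure
     * the requested host itself has an entry.
     *
     * <p>Alias entries overwrite whatever was cached before; the self-entry for {@code str}
     * is only added when the host is still absent. The aliases are taken from the response
     * as-is, so the cache is only as trustworthy as the source of that response.
     *
     * @param str host the discovery was performed for
     * @param aadInstanceDiscoveryResponse parsed response; may be {@code null}
     */
    public static void cacheInstanceDiscoveryMetadata(String str, AadInstanceDiscoveryResponse aadInstanceDiscoveryResponse) {
        if (aadInstanceDiscoveryResponse != null && aadInstanceDiscoveryResponse.metadata() != null) {
            for (InstanceDiscoveryMetadataEntry entry : aadInstanceDiscoveryResponse.metadata()) {
                for (String alias : entry.aliases()) {
                    cache.put(alias, entry);
                }
            }
        }
        cache.putIfAbsent(str, InstanceDiscoveryMetadataEntry.builder().preferredCache(str).preferredNetwork(str).aliases(Collections.singleton(str)).build());
    }

    /**
     * Decides whether the regional endpoint logic applies to this request.
     *
     * @return {@code true} only for a {@code ClientCredentialRequest} on an application that
     *     has a region configured or region auto-detection enabled
     */
    private static boolean shouldUseRegionalEndpoint(MsalRequest msalRequest) {
        boolean regionRequested = msalRequest.application().azureRegion() != null || msalRequest.application().autoDetectRegion();
        if (!regionRequested) {
            return false;
        }
        if (msalRequest.getClass() == ClientCredentialRequest.class) {
            return true;
        }
        // Silent requests fall back quietly; every other flow gets a warning.
        if (msalRequest.getClass() != SilentRequest.class) {
            log.warn("Regional endpoints are only available for client credential flow, request will fall back to using the global endpoint. See here for more information about supported scenarios: https://aka.ms/msal4j-azure-regions");
        }
        return false;
    }

    /**
     * Caches an entry for the regional form of a host, keyed by the regional host name, unless
     * one is already present.
     *
     * @param str global authority host; becomes the preferred cache host and sole alias
     * @param str2 region name; may be {@code null}, in which case the key is {@code str} itself
     */
    static void cacheRegionInstanceMetadata(String str, String str2) {
        Set<String> aliases = new HashSet<>();
        aliases.add(str);
        String regionalizedHost = getRegionalizedHost(str, str2);
        cache.putIfAbsent(regionalizedHost, InstanceDiscoveryMetadataEntry.builder().preferredCache(str).preferredNetwork(regionalizedHost).aliases(aliases).build());
    }

    /**
     * Builds the regional host name for an authority host.
     *
     * <p>The host is returned unchanged when no region is given, when the host already
     * contains the region text (a plain substring test), or when the region is not a valid
     * single DNS label. Public-cloud trusted hosts map to {@code {region}.login.microsoft.com};
     * sovereign and non-trusted hosts map to {@code {region}.{host}}.
     *
     * @param str authority host
     * @param str2 region name, possibly {@code null}
     * @return the regional host, or {@code str} when no rewrite applies
     */
    private static String getRegionalizedHost(String str, String str2) {
        if (str2 == null || str.contains(str2)) {
            return str;
        }
        if (!isValidRegionName(str2)) {
            // The region is spliced into a host name; a value holding '.', '/', '@', ':' or
            // similar would change which host is contacted. The value is deliberately not
            // logged, since it may contain control characters.
            log.warn("Region name is not a valid DNS label; falling back to the non-regional host");
            return str;
        }
        boolean publicCloudHost = TRUSTED_HOSTS_SET.contains(str) && !TRUSTED_SOVEREIGN_HOSTS_SET.contains(str);
        if (publicCloudHost) {
            return HOST_TEMPLATE_WITH_REGION.replace("{region}", str2);
        }
        return SOVEREIGN_HOST_TEMPLATE_WITH_REGION.replace("{region}", str2).replace("{host}", str);
    }

    /**
     * Checks that a region name can be used as a single DNS label.
     *
     * @param region candidate region name
     * @return {@code true} when the value is 1 to 63 characters of ASCII letters, digits or
     *     {@code '-'}
     */
    private static boolean isValidRegionName(String region) {
        if (region == null || region.isEmpty() || region.length() > MAX_REGION_LENGTH) {
            return false;
        }
        for (int i = 0; i < region.length(); i++) {
            char c = region.charAt(i);
            boolean alphanumeric = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (!alphanumeric && c != '-') {
                return false;
            }
        }
        return true;
    }

    /** Fills the authorize-endpoint template with the given host ({@code str}) and tenant ({@code str2}). */
    private static String getAuthorizeEndpoint(String str, String str2) {
        return AUTHORIZE_ENDPOINT_TEMPLATE.replace("{host}", str).replace("{tenant}", str2);
    }

    /**
     * Builds the instance-discovery endpoint for an authority URL.
     *
     * <p>The authority's own host is used only when it is in {@link #TRUSTED_HOSTS_SET};
     * otherwise the request goes to the default trusted host. The port is taken from the
     * authority URL (its default port when none is set) in both cases.
     */
    private static String getInstanceDiscoveryEndpoint(URL url) {
        String discoveryHost = TRUSTED_HOSTS_SET.contains(url.getHost()) ? url.getHost() : DEFAULT_TRUSTED_HOST;
        int port = url.getPort() == PORT_NOT_SET ? url.getDefaultPort() : url.getPort();
        return INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE.replace("{host}", discoveryHost).replace("{port}", String.valueOf(port));
    }

    /**
     * Sends the instance-discovery request and parses the response body.
     *
     * <p>A 400 response whose error is {@code invalid_instance} is raised as a service
     * exception. Any other non-200 status sets the process-wide failure flag, after which
     * {@code getMetadataEntry} stops calling discovery; the parsed body is still returned.
     *
     * @return the parsed response body
     */
    private static AadInstanceDiscoveryResponse sendInstanceDiscoveryRequest(URL url, MsalRequest msalRequest, ServiceBundle serviceBundle) {
        IHttpResponse httpResponse = executeRequest(getInstanceDiscoveryEndpoint(url) + formInstanceDiscoveryParameters(url), msalRequest.headers().getReadonlyHeaderMap(), msalRequest, serviceBundle);
        AadInstanceDiscoveryResponse parsed = (AadInstanceDiscoveryResponse) JsonHelper.convertJsonToObject(httpResponse.body(), AadInstanceDiscoveryResponse.class);
        if (httpResponse.statusCode() != 200) {
            // Constant-first equals and the null check: an error body without an "error"
            // field (or one that parses to nothing) must not surface as a NullPointerException.
            if (httpResponse.statusCode() == 400 && parsed != null && "invalid_instance".equals(parsed.error())) {
                throw MsalServiceExceptionFactory.fromHttpResponse(httpResponse);
            }
            instanceDiscoveryFailed = true;
        }
        return parsed;
    }

    /**
     * Maps the region-discovery result to a telemetry value.
     *
     * @param str region found by auto-detection, or {@code null} when detection failed
     * @param str2 region set on the application, or {@code null}
     * @param z whether region auto-detection is enabled
     * @return the telemetry value, or 0 when no region is set and auto-detection is off
     */
    private static int determineRegionOutcome(String str, String str2, boolean z) {
        if (str2 != null) {
            if (str == null) {
                return RegionTelemetry.REGION_OUTCOME_DEVELOPER_AUTODETECT_FAILED.telemetryValue;
            }
            return str2.equals(str) ? RegionTelemetry.REGION_OUTCOME_DEVELOPER_AUTODETECT_MATCH.telemetryValue : RegionTelemetry.REGION_OUTCOME_DEVELOPER_AUTODETECT_MISMATCH.telemetryValue;
        }
        if (z) {
            return str == null ? RegionTelemetry.REGION_OUTCOME_AUTODETECT_FAILED.telemetryValue : RegionTelemetry.REGION_OUTCOME_AUTODETECT_SUCCESS.telemetryValue;
        }
        return 0;
    }

    /**
     * Builds the query string of the discovery request from the authority URL.
     */
    private static String formInstanceDiscoveryParameters(URL url) {
        // NOTE(review): the authorize endpoint is placed in the query string without
        // URL-encoding; host and tenant both come from the authority URL -- confirm callers
        // only pass vetted authorities.
        String tenant = Authority.getTenant(url, Authority.detectAuthorityType(url));
        return INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE.replace("{authorizeEndpoint}", getAuthorizeEndpoint(url.getHost(), tenant));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Issues a GET request to the given URL with the given headers.
     *
     * @param str absolute URL to request
     * @param map request headers
     * @return the HTTP response
     */
    public static IHttpResponse executeRequest(String str, Map<String, String> map, MsalRequest msalRequest, ServiceBundle serviceBundle) {
        return HttpHelper.executeHttpRequest(new HttpRequest(HttpMethod.GET, str, map), msalRequest.requestContext(), serviceBundle);
    }

    /**
     * Determines the region from the {@code REGION_NAME} environment variable or, failing
     * that, from the IMDS endpoint, and records the source in telemetry.
     *
     * <p>A value that is not a valid single DNS label is treated as a failed detection,
     * because the caller stores the result on the application and uses it to build a host
     * name.
     *
     * @return the region name, or {@code null} when detection failed
     */
    private static String discoverRegion(MsalRequest msalRequest, ServiceBundle serviceBundle) {
        CurrentRequest currentRequest = serviceBundle.getServerSideTelemetry().getCurrentRequest();
        // Read once so the checked value and the returned value cannot differ.
        String envRegion = System.getenv(REGION_NAME);
        if (envRegion != null) {
            if (!isValidRegionName(envRegion)) {
                log.warn("Ignoring REGION_NAME environment variable: value is not a valid DNS label");
                currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_FAILED_AUTODETECT.telemetryValue);
                return null;
            }
            log.info("Region found in environment variable: {}", envRegion);
            currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_ENV_VARIABLE.telemetryValue);
            return envRegion;
        }
        Map<String, String> headers = new HashMap<>();
        headers.put("Metadata", BooleanUtils.TRUE);
        // The HTTP call runs on its own thread so it can be abandoned after IMDS_TIMEOUT.
        ExecutorService executor = Executors.newSingleThreadExecutor();
        Future<IHttpResponse> pending = executor.submit(() -> executeRequest(IMDS_ENDPOINT, headers, msalRequest, serviceBundle));
        try {
            log.info("Starting call to IMDS endpoint.");
            IHttpResponse imdsResponse = pending.get(IMDS_TIMEOUT, IMDS_TIMEOUT_UNIT);
            if (imdsResponse.statusCode() != 200 || imdsResponse.body().isEmpty()) {
                log.warn(String.format("Call to local IMDS failed with status code: %s, or response was empty", Integer.valueOf(imdsResponse.statusCode())));
                currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_FAILED_AUTODETECT.telemetryValue);
                return null;
            }
            String region = imdsResponse.body();
            if (!isValidRegionName(region)) {
                // Body is not echoed to the log: it is unvalidated response text.
                log.warn("Ignoring IMDS response: body is not a valid DNS label");
                currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_FAILED_AUTODETECT.telemetryValue);
                return null;
            }
            log.info(String.format("Region retrieved from IMDS endpoint: %s", region));
            currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_IMDS.telemetryValue);
            return region;
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                // Restore the flag so the caller can still observe the interruption.
                Thread.currentThread().interrupt();
            }
            log.warn(String.format("Exception during call to local IMDS endpoint: %s", e.getMessage()));
            currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_FAILED_AUTODETECT.telemetryValue);
            pending.cancel(true);
            return null;
        } finally {
            executor.shutdownNow();
        }
    }

    /**
     * Runs instance discovery for AAD authorities and caches the outcome under the authority
     * host.
     *
     * <p>For any other authority type no request is sent and only the self-entry is cached.
     *
     * @param z whether the response must carry a tenant discovery endpoint
     */
    private static void doInstanceDiscoveryAndCache(URL url, boolean z, MsalRequest msalRequest, ServiceBundle serviceBundle) {
        AadInstanceDiscoveryResponse discoveryResponse = null;
        if (msalRequest.application().authenticationAuthority.authorityType.equals(AuthorityType.AAD)) {
            discoveryResponse = sendInstanceDiscoveryRequest(url, msalRequest, serviceBundle);
            if (z) {
                validate(discoveryResponse);
            }
        }
        cacheInstanceDiscoveryMetadata(url.getHost(), discoveryResponse);
    }

    /**
     * Rejects a discovery response that carries no tenant discovery endpoint.
     *
     * @throws MsalServiceException when the endpoint is blank
     */
    private static void validate(AadInstanceDiscoveryResponse aadInstanceDiscoveryResponse) {
        if (StringHelper.isBlank(aadInstanceDiscoveryResponse.tenantDiscoveryEndpoint())) {
            throw new MsalServiceException(aadInstanceDiscoveryResponse);
        }
    }
}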
