package com.oracle.bmc.auth.okeworkloadidentity.internal;

import com.oracle.bmc.auth.ServiceAccountTokenSupplier;
import com.oracle.bmc.auth.SessionKeySupplier;
import com.oracle.bmc.auth.internal.AbstractFederationClient;
import com.oracle.bmc.auth.internal.AuthUtils;
import com.oracle.bmc.auth.internal.SecurityTokenAdapter;
import com.oracle.bmc.auth.okeworkloadidentity.internal.GetOkeResourcePrincipalSessionTokenResponse;
import com.oracle.bmc.circuitbreaker.CircuitBreakerConfiguration;
import com.oracle.bmc.http.ClientConfigurator;
import com.oracle.bmc.http.client.HttpClient;
import com.oracle.bmc.http.client.HttpClientBuilder;
import com.oracle.bmc.http.client.HttpProvider;
import com.oracle.bmc.http.client.Method;
import com.oracle.bmc.http.client.Serializer;
import com.oracle.bmc.http.internal.AuthnClientFilter;
import com.oracle.bmc.http.internal.ClientCall;
import com.oracle.bmc.http.internal.ClientIdFilter;
import com.oracle.bmc.http.internal.LogHeadersFilter;
import com.oracle.bmc.http.signing.RequestSigner;
import com.oracle.bmc.util.internal.StringUtils;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/oracle/bmc/auth/okeworkloadidentity/internal/OkeWorkloadIdentityResourcePrincipalsFederationClient.class */
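/**
 * Federation client that exchanges a Kubernetes service-account token for a resource principal
 * session token (RPST) by calling the proxymux endpoint on the host named by the
 * {@code KUBERNETES_SERVICE_HOST} environment variable, port {@value #PROXYMUX_SERVER_PORT}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The endpoint host is taken from the process environment without further validation
 *       beyond a presence check, so whoever controls the environment controls where the
 *       service-account token is sent.</li>
 *   <li>The service-account token is sent as a {@code Bearer} value in the
 *       {@code Authorization} header.</li>
 *   <li>A failed refresh falls back to the cached token (see {@link #getSecurityToken()}).</li>
 * </ul>
 *
 * <p>NOTE(review): TLS trust settings for the proxymux connection are not configured here; they
 * presumably come from the HTTP provider and the supplied {@link ClientConfigurator}s. Confirm
 * that none of them disables certificate verification.
 */
public class OkeWorkloadIdentityResourcePrincipalsFederationClient extends AbstractFederationClient {
    private static final Logger LOG = LoggerFactory.getLogger(OkeWorkloadIdentityResourcePrincipalsFederationClient.class);

    // Not referenced anywhere in this class: the token is obtained through the injected
    // ServiceAccountTokenSupplier rather than read from this path directly.
    private static final String KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    // Was an instance-level final field that was initialised here AND assigned again in the
    // constructor, which does not compile; a single static constant carries the same value.
    private static final String OPC_REQUEST_ID_HEADER = "opc-request-id";
    private static final String JWT_FORMAT = "Bearer %s";
    private static final String KUBERNETES_SERVICE_HOST = "KUBERNETES_SERVICE_HOST";
    private static final int PROXYMUX_SERVER_PORT = 12250;
    // Number of leading characters dropped from the token returned by the server.
    // NOTE(review): presumably a fixed prefix added by the proxymux service; confirm the format.
    private static final int RPST_PREFIX_LENGTH = 3;
    private static final String RPST_PARSE_ERROR = "RPST cannot be parsed correctly. Please contact OKE Foundation team for help.";

    private final ServiceAccountTokenSupplier serviceAccountTokenSupplier;
    private final OkeTenancyOnlyAuthenticationDetailsProvider provider;

    /**
     * Creates the client, pointing the superclass at the proxymux endpoint derived from the
     * environment.
     *
     * @param sessionKeySupplier supplies the session key pair whose public key is sent to the server
     * @param serviceAccountTokenSupplier supplies the Kubernetes service-account token
     * @param okeTenancyOnlyAuthenticationDetailsProvider provider passed to the superclass and kept locally
     * @param clientConfigurator optional configurator applied to the HTTP client; may be null
     * @param circuitBreakerConfiguration circuit-breaker settings passed to the superclass
     * @param list additional configurators passed to the superclass
     * @throws IllegalArgumentException if {@code KUBERNETES_SERVICE_HOST} is unset or blank
     */
    public OkeWorkloadIdentityResourcePrincipalsFederationClient(SessionKeySupplier sessionKeySupplier, ServiceAccountTokenSupplier serviceAccountTokenSupplier, OkeTenancyOnlyAuthenticationDetailsProvider okeTenancyOnlyAuthenticationDetailsProvider, ClientConfigurator clientConfigurator, CircuitBreakerConfiguration circuitBreakerConfiguration, List<ClientConfigurator> list) {
        // The second argument is an empty string; its meaning is defined by
        // AbstractFederationClient, which is not visible from this file.
        super(getRptEndpoint(), "", sessionKeySupplier, okeTenancyOnlyAuthenticationDetailsProvider, clientConfigurator, circuitBreakerConfiguration, list);
        this.serviceAccountTokenSupplier = serviceAccountTokenSupplier;
        this.provider = okeTenancyOnlyAuthenticationDetailsProvider;
    }

    /**
     * Returns a security token, refreshing it once the cached one has used up half of its
     * validity period (or immediately when the cached token is invalid or reports no duration).
     *
     * <p>If the refresh throws, the failure is logged and whatever token the adapter currently
     * holds is returned without a validity check, so the caller may receive an expired token.
     *
     * @return the refreshed token, or the cached token when refreshing failed
     */
    public String getSecurityToken() {
        SecurityTokenAdapter cachedAdapter = getSecurityTokenAdapter();
        try {
            Duration refreshWindow = Duration.ZERO;
            if (cachedAdapter.isValid() && cachedAdapter.getTokenValidDuration() != null) {
                refreshWindow = cachedAdapter.getTokenValidDuration().dividedBy(2L);
            }
            return refreshAndGetSecurityTokenIfExpiringWithin(refreshWindow);
        } catch (Exception e) {
            // Deliberate best-effort fallback, kept as is. Logged at WARN rather than INFO so
            // that repeated credential-refresh failures are visible to operators and alerting.
            LOG.warn("Refresh RPST token failed, use cached RPST token.", e);
            return cachedAdapter.getSecurityToken();
        }
    }

    /**
     * Builds the proxymux base URL from the {@code KUBERNETES_SERVICE_HOST} environment variable.
     *
     * @return {@code https://<host>:12250}
     * @throws IllegalArgumentException if the variable is unset or blank
     */
    private static String getRptEndpoint() {
        String host = System.getenv(KUBERNETES_SERVICE_HOST);
        if (host == null || StringUtils.isBlank(host)) {
            throw new IllegalArgumentException("Invalid environment variable KUBERNETES_SERVICE_HOST, please contact OKE Foundation team for help.");
        }
        // A bare IPv6 literal must be bracketed inside a URI authority, otherwise the port
        // separator is ambiguous and URI parsing fails. Host names and IPv4 addresses contain no ':'.
        if (host.indexOf(':') >= 0 && !host.startsWith("[")) {
            host = "[" + host + "]";
        }
        return "https://" + host + ":" + PROXYMUX_SERVER_PORT;
    }

    /**
     * Builds an HTTP client for the given endpoint with request signing, client-id and
     * header-logging interceptors, then applies the configured customisers.
     *
     * <p>NOTE(review): a {@link LogHeadersFilter} is registered on this client. If requests made
     * through it carry the {@code Authorization} bearer header, confirm that the filter does not
     * write that header's value to the log.
     *
     * @param str endpoint base URI
     * @param requestSigner signer handed to the {@link AuthnClientFilter}
     * @return the built client, or {@code null} when {@code str} is blank
     */
    protected HttpClient makeClient(String str, RequestSigner requestSigner) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        // The numeric arguments are the interceptor priorities exactly as found in the source.
        HttpClientBuilder builder = HttpProvider.getDefault()
                .newBuilder()
                .baseUri(URI.create(str))
                .registerRequestInterceptor(1000, new AuthnClientFilter(requestSigner, Collections.emptyMap()))
                .registerRequestInterceptor(3000, new ClientIdFilter())
                .registerRequestInterceptor(5000, new LogHeadersFilter());
        if (this.clientConfigurator != null) {
            this.clientConfigurator.customizeClient(builder);
        }
        for (ClientConfigurator extraConfigurator : this.additionalClientConfigurator) {
            extraConfigurator.customizeClient(builder);
        }
        return builder.build();
    }

    /**
     * Requests a new RPST from the proxymux server.
     *
     * <p>The request carries the session public key in the body and the service-account token
     * as a bearer credential. The response token is Base64-decoded, parsed as JSON, stripped of
     * its first {@value #RPST_PREFIX_LENGTH} characters and wrapped in a
     * {@link SecurityTokenAdapter}. Token values are never included in log or exception messages.
     *
     * @return an adapter around the newly issued token
     * @throws IllegalStateException if the session key supplier returns no key pair
     * @throws IllegalArgumentException if the public key is missing or not an RSA key, or if the
     *     response is missing, too short, or cannot be parsed
     */
    protected SecurityTokenAdapter getSecurityTokenFromServer() {
        LOG.info("Getting security token from the proxymux server");
        String serviceAccountToken = this.serviceAccountTokenSupplier.getServiceAccountToken();
        KeyPair keyPair = this.sessionKeySupplier.getKeyPair();
        if (keyPair == null) {
            throw new IllegalStateException("Key pair for session was not provided");
        }
        PublicKey publicKey = keyPair.getPublic();
        if (publicKey == null) {
            throw new IllegalArgumentException("Public key is not present");
        }
        // Fail with a descriptive error instead of a ClassCastException for non-RSA session keys.
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("Public key is not an RSA public key");
        }
        RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;

        String requestId = ClientCall.generateRequestId();
        LOG.debug("Request id for resourcePrincipalSessionTokens request: '{}'", requestId);

        // m5build() is the method name as it appears in this source tree; kept unchanged.
        GetOkeResourcePrincipalSessionTokenResponse response =
                (GetOkeResourcePrincipalSessionTokenResponse) ClientCall.builder(
                                this.resourcePrincipalTokenClient,
                                GetOkeResourcePrincipalSessionTokenRequest.builder()
                                        .getOkeResourcePrincipalSessionTokenDetails(
                                                GetOkeResourcePrincipalSessionTokenDetails.builder()
                                                        .podKey(AuthUtils.base64EncodeNoChunking(rsaPublicKey))
                                                        .build())
                                        .m5build(),
                                GetOkeResourcePrincipalSessionTokenResponse.Builder::new)
                        .logger(LOG, "OkeWorkloadIdentityResourcePrincipalsTokenClient")
                        .serviceDetails("OkeWorkloadIdentity", "resourcePrincipalSessionTokens", "Unknown API reference link")
                        .method(Method.POST)
                        .requestBuilder(GetOkeResourcePrincipalSessionTokenRequest::builder)
                        .appendPathPart("resourcePrincipalSessionTokens")
                        .accept(new String[]{"application/json"})
                        .appendHeader(AUTHORIZATION_HEADER, String.format(JWT_FORMAT, serviceAccountToken))
                        .appendHeader(OPC_REQUEST_ID_HEADER, requestId)
                        .hasBody()
                        .handleBody(OkeResourcePrincipalSessionToken.class, (responseBuilder, body) -> {
                            responseBuilder.body(body);
                        })
                        .clientConfigurator(this.clientConfigurator)
                        .circuitBreaker(this.circuitBreaker)
                        .callSync();

        if (response == null || response.body == null || response.body.getToken() == null) {
            throw new IllegalArgumentException(RPST_PARSE_ERROR);
        }
        try {
            // StandardCharsets.UTF_8 cannot raise UnsupportedEncodingException, so the separate
            // "cannot be decoded" branch of the original is no longer needed.
            String tokenJson = new String(Base64.getDecoder().decode(response.body.getToken()), StandardCharsets.UTF_8);
            OkeResourcePrincipalSessionToken sessionToken =
                    (OkeResourcePrincipalSessionToken) Serializer.getDefault().readValue(tokenJson, OkeResourcePrincipalSessionToken.class);
            String rawToken = sessionToken == null ? null : sessionToken.getToken();
            // Guard the substring call: a missing or truncated token would otherwise surface
            // as a NullPointerException or StringIndexOutOfBoundsException.
            if (rawToken == null || rawToken.length() < RPST_PREFIX_LENGTH) {
                throw new IllegalArgumentException(RPST_PARSE_ERROR);
            }
            return new SecurityTokenAdapter(rawToken.substring(RPST_PREFIX_LENGTH), this.sessionKeySupplier);
        } catch (IOException e) {
            throw new IllegalArgumentException(RPST_PARSE_ERROR, e);
        }
    }
}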
