package org.projectnessie.client.auth.oauth2;

import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.BiConsumer;
import org.apache.iceberg.shaded.com.fasterxml.jackson.databind.ObjectMapper;
import org.projectnessie.client.http.HttpClient;
import org.projectnessie.client.http.HttpClientException;
import org.projectnessie.client.http.ResponseContext;
import org.projectnessie.client.http.Status;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/projectnessie/client/auth/oauth2/OAuth2Client.class */
class OAuth2Client implements OAuth2Authenticator, Closeable {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2Client.class);
    private final String grantType;
    private final String username;
    private final byte[] password;
    private final String scope;
    private final Duration defaultAccessTokenLifespan;
    private final Duration defaultRefreshTokenLifespan;
    private final Duration refreshSafetyWindow;
    private final boolean tokenExchangeEnabled;
    private final HttpClient httpClient;
    private final ScheduledExecutorService executor;
    private final boolean shouldCloseExecutor;
    private final ObjectMapper objectMapper;
    private final CompletableFuture<Void> started = new CompletableFuture<>();
    private volatile CompletionStage<Tokens> currentTokensStage;
    private volatile ScheduledFuture<?> tokenRefreshFuture;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/projectnessie/client/auth/oauth2/OAuth2Client$MustFetchNewTokensException.class */
    public static class MustFetchNewTokensException extends RuntimeException {
        public MustFetchNewTokensException(String str) {
            super(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public OAuth2Client(OAuth2ClientParams oAuth2ClientParams) {
        this.grantType = oAuth2ClientParams.getGrantType();
        this.username = oAuth2ClientParams.getUsername().orElse(null);
        this.password = (byte[]) oAuth2ClientParams.getPassword().map(str -> {
            return str.getBytes(StandardCharsets.UTF_8);
        }).orElse(null);
        this.scope = oAuth2ClientParams.getScope().orElse(null);
        this.defaultAccessTokenLifespan = oAuth2ClientParams.getDefaultAccessTokenLifespan();
        this.defaultRefreshTokenLifespan = oAuth2ClientParams.getDefaultRefreshTokenLifespan();
        this.refreshSafetyWindow = oAuth2ClientParams.getRefreshSafetyWindow();
        this.tokenExchangeEnabled = oAuth2ClientParams.getTokenExchangeEnabled();
        this.httpClient = oAuth2ClientParams.getHttpClient().addResponseFilter(this::checkErrorResponse).build();
        this.executor = oAuth2ClientParams.getExecutor().orElseGet(OAuth2Client::createDefaultExecutor);
        this.shouldCloseExecutor = !oAuth2ClientParams.getExecutor().isPresent();
        this.objectMapper = oAuth2ClientParams.getObjectMapper();
        this.currentTokensStage = this.started.thenApplyAsync(r3 -> {
            return fetchNewTokens();
        }, (Executor) this.executor).whenComplete((BiConsumer<? super U, ? super Throwable>) this::log);
        this.currentTokensStage.thenAccept(this::scheduleTokensRenewal);
    }

    private static ScheduledExecutorService createDefaultExecutor() {
        return Executors.newSingleThreadScheduledExecutor(runnable -> {
            Thread newThread = Executors.defaultThreadFactory().newThread(runnable);
            newThread.setDaemon(true);
            newThread.setName("oauth2-client");
            return newThread;
        });
    }

    @Override // org.projectnessie.client.auth.oauth2.OAuth2Authenticator
    public AccessToken authenticate() {
        return getCurrentTokens().getAccessToken();
    }

    Tokens getCurrentTokens() {
        try {
            return this.currentTokensStage.toCompletableFuture().get();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException(e);
        } catch (ExecutionException e2) {
            Throwable cause = e2.getCause();
            if (cause instanceof RuntimeException) {
                throw ((RuntimeException) cause);
            }
            if (cause instanceof Error) {
                throw ((Error) cause);
            }
            throw new RuntimeException(cause);
        }
    }

    public void start() {
        this.started.complete(null);
    }

    @Override // org.projectnessie.client.auth.oauth2.OAuth2Authenticator, java.lang.AutoCloseable
    public void close() {
        try {
            this.currentTokensStage.toCompletableFuture().cancel(true);
            ScheduledFuture<?> scheduledFuture = this.tokenRefreshFuture;
            if (scheduledFuture != null) {
                scheduledFuture.cancel(true);
            }
            if (this.shouldCloseExecutor && !this.executor.isShutdown()) {
                this.executor.shutdown();
                if (!this.executor.awaitTermination(10L, TimeUnit.SECONDS)) {
                    this.executor.shutdownNow();
                }
            }
            if (this.password != null) {
                Arrays.fill(this.password, (byte) 0);
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } finally {
            this.tokenRefreshFuture = null;
        }
    }

    private void scheduleTokensRenewal(Tokens tokens) {
        Instant now = Instant.now();
        Duration nextDelay = nextDelay(now, tokenExpirationTime(now, tokens.getAccessToken(), this.defaultAccessTokenLifespan), tokenExpirationTime(now, tokens.getRefreshToken(), this.defaultRefreshTokenLifespan), this.refreshSafetyWindow);
        LOGGER.debug("Scheduling token refresh in {}", nextDelay);
        this.tokenRefreshFuture = this.executor.schedule(() -> {
            this.currentTokensStage = renewTokens();
            this.currentTokensStage.thenAccept(this::scheduleTokensRenewal);
        }, nextDelay.toMillis(), TimeUnit.MILLISECONDS);
    }

    private CompletionStage<Tokens> renewTokens() {
        return this.currentTokensStage.thenApply(this::refreshTokens).exceptionally(th -> {
            return fetchNewTokens();
        }).whenComplete(this::log);
    }

    private void log(Tokens tokens, Throwable th) {
        if (th != null) {
            LOGGER.error("Failed to renew tokens", th);
        } else {
            LOGGER.debug("Successfully renewed tokens");
        }
    }

    Tokens fetchNewTokens() {
        LOGGER.debug("Fetching new tokens");
        if (this.grantType.equals("client_credentials")) {
            return (Tokens) this.httpClient.newRequest().postForm(ImmutableClientCredentialsTokensRequest.builder().scope(this.scope).build()).readEntity(ClientCredentialsTokensResponse.class);
        }
        return (Tokens) this.httpClient.newRequest().postForm(ImmutablePasswordTokensRequest.builder().username(this.username).password(new String(this.password, StandardCharsets.UTF_8)).scope(this.scope).build()).readEntity(PasswordTokensResponse.class);
    }

    Tokens refreshTokens(Tokens tokens) {
        if (tokens.getRefreshToken() == null) {
            return exchangeTokens(tokens);
        }
        if (isAboutToExpire(tokens.getRefreshToken())) {
            throw new MustFetchNewTokensException("Refresh token is about to expire");
        }
        LOGGER.debug("Refreshing tokens");
        return (Tokens) this.httpClient.newRequest().postForm(ImmutableRefreshTokensRequest.builder().refreshToken(tokens.getRefreshToken().getPayload()).scope(this.scope).build()).readEntity(RefreshTokensResponse.class);
    }

    Tokens exchangeTokens(Tokens tokens) {
        if (!this.tokenExchangeEnabled) {
            throw new MustFetchNewTokensException("Token exchange is disabled");
        }
        LOGGER.debug("Exchanging tokens");
        return (Tokens) this.httpClient.newRequest().postForm(ImmutableTokensExchangeRequest.builder().subjectToken(tokens.getAccessToken().getPayload()).subjectTokenType(TokenTypeIdentifiers.ACCESS_TOKEN).requestedTokenType(TokenTypeIdentifiers.REFRESH_TOKEN).scope(this.scope).build()).readEntity(TokensExchangeResponse.class);
    }

    private boolean isAboutToExpire(Token token) {
        Instant now = Instant.now();
        return tokenExpirationTime(now, token, this.defaultRefreshTokenLifespan).isBefore(now.plus((TemporalAmount) this.refreshSafetyWindow));
    }

    static Duration nextDelay(Instant instant, Instant instant2, Instant instant3, Duration duration) {
        Duration minus = Duration.between(instant, instant2.isBefore(instant3) ? instant2 : instant3).minus(duration);
        if (minus.compareTo(OAuth2ClientParams.MIN_REFRESH_DELAY) < 0) {
            minus = OAuth2ClientParams.MIN_REFRESH_DELAY;
        }
        return minus;
    }

    static Instant tokenExpirationTime(Instant instant, Token token, Duration duration) {
        Instant instant2 = null;
        if (token != null) {
            instant2 = token.getExpirationTime();
            if (instant2 == null) {
                try {
                    instant2 = JwtToken.parse(token.getPayload()).getExpirationTime();
                } catch (Exception e) {
                }
            }
        }
        if (instant2 == null) {
            instant2 = instant.plus((TemporalAmount) duration);
        }
        return instant2;
    }

    private void checkErrorResponse(ResponseContext responseContext) {
        try {
            Status responseCode = responseContext.getResponseCode();
            if (responseCode.getCode() >= 400) {
                if (!responseContext.isJsonCompatibleResponse()) {
                    throw genericError(responseCode);
                }
                InputStream errorStream = responseContext.getErrorStream();
                if (errorStream != null) {
                    try {
                        throw new OAuth2Exception(responseCode, (ErrorResponse) this.objectMapper.readValue(errorStream, ErrorResponse.class));
                    } catch (IOException e) {
                        throw genericError(responseCode);
                    }
                }
            }
        } catch (RuntimeException e2) {
            throw e2;
        } catch (Exception e3) {
            throw new HttpClientException(e3);
        }
    }

    private static HttpClientException genericError(Status status) {
        return new HttpClientException("OAuth2 server replied with HTTP status code: " + status.getCode());
    }
}
