package io.kubernetes.client.util.authenticators;

import io.kubernetes.client.util.KubeConfig;
import io.netty.handler.ssl.SslProtocols;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.logging.log4j.util.ProcessIdUtil;
import org.jose4j.json.internal.json_simple.JSONObject;
import org.jose4j.json.internal.json_simple.parser.JSONParser;
import org.jose4j.json.internal.json_simple.parser.ParseException;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:META-INF/bundled-dependencies/client-java-9.0.2.jar:io/kubernetes/client/util/authenticators/OpenIDConnectAuthenticator.class */
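/**
 * Kubeconfig {@code oidc} auth-provider.
 *
 * <p>Serves the cached {@code id-token} from the provider config, decides from its {@code exp}
 * claim whether it needs refreshing, and refreshes it by (1) fetching the issuer's
 * {@code .well-known/openid-configuration} to learn the token endpoint and (2) posting the
 * {@code refresh-token} to that endpoint with HTTP Basic client authentication.
 *
 * <p>Both network calls are restricted to {@code https}. When
 * {@code idp-certificate-authority-data} is present, the certificates it contains are the
 * <em>only</em> trust anchors used for those connections; the JVM default trust store is not
 * consulted for them.
 *
 * <p>{@link #refresh(Map)} mutates and returns the config map it is given; callers that share
 * the map across threads must synchronize externally.
 */
public class OpenIDConnectAuthenticator implements Authenticator {
    /** Config keys as they appear under {@code auth-provider.config} in a kubeconfig. */
    public static final String OIDC_ID_TOKEN = "id-token";
    public static final String OIDC_ISSUER = "idp-issuer-url";
    public static final String OIDC_REFRESH_TOKEN = "refresh-token";
    public static final String OIDC_CLIENT_ID = "client-id";
    public static final String OIDC_CLIENT_SECRET = "client-secret";
    public static final String OIDC_IDP_CERT_DATA = "idp-certificate-authority-data";

    /** Relative path of the OpenID Provider discovery document, appended to the issuer URL. */
    private static final String DISCOVERY_PATH = ".well-known/openid-configuration";
    private static final String HTTPS_SCHEME = "https";

    @Override
    public String getName() {
        return "oidc";
    }

    /**
     * Returns the cached id-token from the provider config, or {@code null} if none is stored.
     *
     * @param config the {@code auth-provider.config} map
     * @return the raw id-token string, possibly {@code null}
     */
    @Override
    public String getToken(Map<String, Object> config) {
        return (String) config.get(OIDC_ID_TOKEN);
    }

    /**
     * Reports whether the cached id-token is missing or past its {@code exp} claim.
     *
     * <p>Only the JWT payload is parsed here; the signature is <em>not</em> verified. That is
     * sufficient for deciding when to refresh, since the API server validates the token on use.
     * A token that carries no {@code exp} claim is reported as expired so that it is refreshed.
     *
     * @param config the {@code auth-provider.config} map
     * @return {@code true} if the token is absent, has no expiry, or has expired
     * @throws RuntimeException if the stored value is not a parseable JWT
     */
    @Override
    public boolean isExpired(Map<String, Object> config) {
        String idToken = (String) config.get(OIDC_ID_TOKEN);
        if (idToken == null) {
            return true;
        }
        try {
            JsonWebSignature jws = new JsonWebSignature();
            jws.setCompactSerialization(idToken);
            JwtClaims claims = JwtClaims.parse(jws.getUnverifiedPayload());
            NumericDate expiresAt = claims.getExpirationTime();
            return expiresAt == null || NumericDate.now().isOnOrAfter(expiresAt);
        } catch (MalformedClaimException | InvalidJwtException | JoseException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Obtains a fresh id-token from the issuer and stores it (and, if the issuer returned one,
     * a new refresh-token) back into {@code config}.
     *
     * <p>Required keys: {@link #OIDC_ISSUER}, {@link #OIDC_CLIENT_ID}, {@link #OIDC_REFRESH_TOKEN}.
     * Optional: {@link #OIDC_CLIENT_SECRET} (defaults to empty) and {@link #OIDC_IDP_CERT_DATA}.
     *
     * @param config the {@code auth-provider.config} map; updated in place
     * @return the same {@code config} instance with {@code id-token} (and possibly
     *     {@code refresh-token}) replaced
     * @throws IllegalStateException if a required key is missing
     * @throws RuntimeException if the CA data cannot be imported or the refresh fails
     */
    @Override
    public Map<String, Object> refresh(Map<String, Object> config) {
        String issuer = requireConfig(config, OIDC_ISSUER);
        String clientId = requireConfig(config, OIDC_CLIENT_ID);
        String refreshToken = requireConfig(config, OIDC_REFRESH_TOKEN);
        Object secret = config.get(OIDC_CLIENT_SECRET);
        String clientSecret = secret == null ? "" : (String) secret;
        String idpCaData = (String) config.get(OIDC_IDP_CERT_DATA);

        SSLContext sslContext = idpCaData == null ? null : buildIdpSslContext(idpCaData);

        String tokenEndpoint = loadTokenURL(issuer, sslContext);
        JSONObject tokenResponse =
                refreshOidcToken(clientId, refreshToken, clientSecret, sslContext, tokenEndpoint);

        Object newIdToken = tokenResponse.get("id_token");
        if (newIdToken == null) {
            throw new RuntimeException("Token response did not contain an id_token");
        }
        config.put(OIDC_ID_TOKEN, newIdToken);

        // RFC 6749 §6: the server MAY omit refresh_token from a refresh response. Overwriting
        // the stored one with null would break every subsequent refresh, so keep it in that case.
        Object newRefreshToken = tokenResponse.get("refresh_token");
        if (newRefreshToken != null) {
            config.put(OIDC_REFRESH_TOKEN, newRefreshToken);
        }
        return config;
    }

    /**
     * Returns the string value stored under {@code key}, failing fast if it is absent.
     * The message names the key only, never the value.
     */
    private static String requireConfig(Map<String, Object> config, String key) {
        Object value = config.get(key);
        if (value == null) {
            throw new IllegalStateException(
                    "oidc auth-provider config is missing required key '" + key + "'");
        }
        return (String) value;
    }

    /**
     * Builds an {@link SSLContext} whose trust store holds exactly the certificates found in the
     * base64-encoded {@code idp-certificate-authority-data} value (PEM or DER, one or more certs).
     *
     * <p>The decoded bytes are handed to the certificate factory directly rather than via a
     * {@code String} round trip, so binary DER input is not corrupted by the platform charset.
     *
     * @throws RuntimeException if the data is not valid base64 or cannot be loaded as X.509
     */
    private static SSLContext buildIdpSslContext(String base64CertData) {
        try {
            byte[] certBytes = Base64.getDecoder().decode(base64CertData);

            // Empty in-memory trust store; it is never persisted, so it needs no password.
            KeyStore trustStore = KeyStore.getInstance("PKCS12");
            trustStore.load(null, null);
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            int index = 0;
            for (Certificate cert : factory.generateCertificates(new ByteArrayInputStream(certBytes))) {
                // Alias is arbitrary; it only has to be unique within this store.
                trustStore.setCertificateEntry("idp-ca-" + index++, cert);
            }

            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(trustStore);
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
            return ctx;
        } catch (IOException | KeyManagementException | KeyStoreException
                | NoSuchAlgorithmException | CertificateException | IllegalArgumentException e) {
            throw new RuntimeException("Could not import idp certificate", e);
        }
    }

    /**
     * Posts a {@code grant_type=refresh_token} request to {@code tokenEndpoint} and returns the
     * parsed JSON token response.
     *
     * <p>Client authentication is HTTP Basic with {@code clientId:clientSecret}. Note that
     * RFC 6749 §2.3.1 expects both values to be form-urlencoded before base64 encoding; they are
     * sent unescaped here, which only matters for ids or secrets containing characters that
     * form-encoding would change.
     *
     * @throws RuntimeException on a non-200 response, a non-object JSON body, or any I/O error
     */
    private JSONObject refreshOidcToken(String clientId, String refreshToken, String clientSecret,
                                        SSLContext sslContext, String tokenEndpoint) {
        try {
            HttpsURLConnection conn = openHttpsConnection(tokenEndpoint, sslContext);
            conn.setRequestMethod("POST");
            String credentials = clientId + ':' + clientSecret;
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8)));
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setDoOutput(true);

            String form = "refresh_token=" + URLEncoder.encode(refreshToken, StandardCharsets.UTF_8.name())
                    + "&grant_type=refresh_token";
            try (OutputStream out = conn.getOutputStream()) {
                out.write(form.getBytes(StandardCharsets.UTF_8));
            }

            int responseCode = conn.getResponseCode();
            if (responseCode != 200) {
                // The error body is deliberately not included in the message.
                throw new RuntimeException("Invalid response code for token retrieval - " + responseCode);
            }
            Object parsed = new JSONParser().parse(readBody(conn.getInputStream()));
            if (!(parsed instanceof JSONObject)) {
                throw new RuntimeException("Token response is not a JSON object");
            }
            return (JSONObject) parsed;
        } catch (IOException | ParseException e) {
            throw new RuntimeException("Could not refresh token", e);
        }
    }

    /**
     * Fetches the issuer's discovery document and returns its {@code token_endpoint}.
     *
     * <p>The returned URL is whatever the issuer advertises; {@link #openHttpsConnection} re-checks
     * that it is https before any credentials are sent to it.
     *
     * @throws RuntimeException on a non-200 response, a missing {@code token_endpoint}, or I/O error
     */
    private String loadTokenURL(String issuer, SSLContext sslContext) {
        String discoveryUrl = issuer.endsWith("/")
                ? issuer + DISCOVERY_PATH
                : issuer + "/" + DISCOVERY_PATH;
        try {
            HttpsURLConnection conn = openHttpsConnection(discoveryUrl, sslContext);
            conn.setRequestMethod("GET");
            conn.setUseCaches(false);

            int responseCode = conn.getResponseCode();
            if (responseCode != 200) {
                throw new RuntimeException("Invalid response code for issuer - " + responseCode);
            }
            Object parsed = new JSONParser().parse(readBody(conn.getInputStream()));
            Object tokenEndpoint = parsed instanceof JSONObject
                    ? ((JSONObject) parsed).get("token_endpoint")
                    : null;
            if (!(tokenEndpoint instanceof String)) {
                throw new RuntimeException("OpenID discovery document has no token_endpoint");
            }
            return (String) tokenEndpoint;
        } catch (IOException | ParseException e) {
            throw new RuntimeException("Could not refresh", e);
        }
    }

    /**
     * Opens a connection to {@code url}, refusing any scheme other than https so that client
     * credentials and refresh tokens are never sent in clear text, and installing the IdP-specific
     * trust store when one was configured.
     *
     * @throws IOException if the URL is malformed or not https
     */
    private static HttpsURLConnection openHttpsConnection(String url, SSLContext sslContext)
            throws IOException {
        URL target = new URL(url);
        if (!HTTPS_SCHEME.equalsIgnoreCase(target.getProtocol())) {
            throw new IOException("Refusing non-https URL for OIDC endpoint: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) target.openConnection();
        if (sslContext != null) {
            conn.setSSLSocketFactory(sslContext.getSocketFactory());
        }
        return conn;
    }

    /** Reads the whole stream as UTF-8 text and closes it; an empty body yields {@code ""}. */
    private static String readBody(InputStream in) throws IOException {
        try (InputStreamReader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
            StringBuilder sb = new StringBuilder();
            char[] buf = new char[4096];
            int n;
            while ((n = reader.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
            return sb.toString();
        }
    }

    static {
        KubeConfig.registerAuthenticator(new OpenIDConnectAuthenticator());
    }
}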
