package com.sap.cloud.sdk.cloudplatform.connectivity;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.sap.cloud.environment.servicebinding.api.ServiceIdentifier;
import com.sap.cloud.sdk.cloudplatform.cache.CacheKey;
import com.sap.cloud.sdk.cloudplatform.cache.CacheManager;
import com.sap.cloud.sdk.cloudplatform.connectivity.SecurityLibWorkarounds;
import com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException;
import com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationOAuthTokenException;
import com.sap.cloud.sdk.cloudplatform.exception.CloudPlatformException;
import com.sap.cloud.sdk.cloudplatform.exception.ShouldNotHappenException;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceConfiguration;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceDecorator;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceIsolationMode;
import com.sap.cloud.sdk.cloudplatform.security.AuthTokenAccessor;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException;
import com.sap.cloud.sdk.cloudplatform.tenant.Tenant;
import com.sap.cloud.sdk.cloudplatform.tenant.TenantAccessor;
import com.sap.cloud.sdk.cloudplatform.tenant.TenantWithSubdomain;
import com.sap.cloud.security.client.HttpClientFactory;
import com.sap.cloud.security.config.ClientIdentity;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenResponse;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
import com.sap.cloud.security.xsuaa.util.UriUtil;
import io.vavr.CheckedFunction0;
import io.vavr.control.Try;
import java.lang.invoke.SerializedLambda;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.class */
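/**
 * Retrieves OAuth2 access tokens from a token endpoint on behalf of the provider tenant, the
 * current tenant, or the current named user.
 *
 * <p>This listing is decompiler output. Members here are declared {@code public} where the
 * decompiler reports the compiled class had them package-private.
 *
 * <p>Request parameters are assembled per call. The instance-level {@code additionalParameters}
 * map is never written after construction, so a tenant-specific {@code app_tid} cannot carry over
 * from one token request to the next when the same instance serves several tenants.
 */
public class OAuth2Service {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OAuth2Service.class);

    /** Token-service clients, looked up by tenant id plus client identity; entries expire one hour after last access. */
    static final Cache<CacheKey, OAuth2TokenService> tokenServiceCache = Caffeine.newBuilder().expireAfterAccess(1, TimeUnit.HOURS).build();

    @Nonnull
    private final URI tokenUri;

    @Nonnull
    private final ClientIdentity identity;

    @Nonnull
    private final OnBehalfOf onBehalfOf;

    @Nonnull
    private final TenantPropagationStrategy tenantPropagationStrategy;

    // Baseline parameters sent with every token request; treated as read-only after construction.
    @Nonnull
    private final Map<String, String> additionalParameters;

    @Nonnull
    private final ResilienceConfiguration resilienceConfiguration;

    /** Fluent builder for {@link OAuth2Service}; {@code tokenUri} and {@code identity} are mandatory. */
    public static class Builder {
        private static final String XSUAA_TOKEN_PATH = "/oauth/token";
        private static final ServiceIdentifier IDENTITY_AUTHENTICATION = ServiceIdentifier.of("identity");
        private URI tokenUri;
        private ClientIdentity identity;
        private OnBehalfOf onBehalfOf = OnBehalfOf.TECHNICAL_USER_CURRENT_TENANT;
        private TenantPropagationStrategy tenantPropagationStrategy = TenantPropagationStrategy.ZID_HEADER;
        private final Map<String, String> additionalParameters = new HashMap<>();
        private ResilienceConfiguration.TimeLimiterConfiguration timeLimiter = OAuth2Options.DEFAULT_TIMEOUT;

        Builder() {
        }

        /**
         * Sets the token endpoint from a string.
         *
         * @param str the endpoint URI; parsed with {@link URI#create(String)}, which throws
         *     {@link IllegalArgumentException} on malformed input
         * @return this builder
         */
        @Nonnull
        public Builder withTokenUri(@Nonnull String str) {
            return withTokenUri(URI.create(str));
        }

        /**
         * Sets the token endpoint. A URI without a path gets {@code /oauth/token} appended; any
         * non-blank path is used unchanged.
         *
         * @param uri the endpoint URI
         * @return this builder
         */
        @Nonnull
        public Builder withTokenUri(@Nonnull URI uri) {
            // NOTE(review): scheme and host are not checked here. The client identity is later
            // presented to whatever endpoint this URI names, so the value should come from a
            // trusted service binding and use https.
            final String path = uri.getPath();
            this.tokenUri = (path == null || path.isBlank()) ? UriUtil.expandPath(uri, XSUAA_TOKEN_PATH) : uri;
            return this;
        }

        /**
         * Sets the client identity used to authenticate against the token endpoint.
         *
         * @param clientIdentity the client identity
         * @return this builder
         */
        @Nonnull
        public Builder withIdentity(@Nonnull ClientIdentity clientIdentity) {
            this.identity = clientIdentity;
            return this;
        }

        /**
         * Selects on whose behalf tokens are requested; defaults to
         * {@code TECHNICAL_USER_CURRENT_TENANT}.
         *
         * @param onBehalfOf the behalf
         * @return this builder
         */
        @Nonnull
        public Builder withOnBehalfOf(@Nonnull OnBehalfOf onBehalfOf) {
            this.onBehalfOf = onBehalfOf;
            return this;
        }

        /**
         * Sets how the tenant is conveyed to the token endpoint; defaults to {@code ZID_HEADER}.
         *
         * @param tenantPropagationStrategy the strategy
         * @return this builder
         */
        @Nonnull
        Builder withTenantPropagationStrategy(@Nonnull TenantPropagationStrategy tenantPropagationStrategy) {
            this.tenantPropagationStrategy = tenantPropagationStrategy;
            return this;
        }

        /**
         * Derives the propagation strategy from the bound service: {@code TENANT_SUBDOMAIN} for the
         * {@code identity} service, {@code ZID_HEADER} for anything else, including {@code null}.
         *
         * @param serviceIdentifier the bound service, may be {@code null}
         * @return this builder
         */
        @Nonnull
        public Builder withTenantPropagationStrategyFrom(@Nullable ServiceIdentifier serviceIdentifier) {
            this.tenantPropagationStrategy = IDENTITY_AUTHENTICATION.equals(serviceIdentifier) ? TenantPropagationStrategy.TENANT_SUBDOMAIN : TenantPropagationStrategy.ZID_HEADER;
            return this;
        }

        /**
         * Adds one extra token-request parameter, replacing an earlier value for the same key.
         *
         * @param str the parameter name
         * @param str2 the parameter value
         * @return this builder
         */
        @Nonnull
        Builder withAdditionalParameter(@Nonnull String str, @Nonnull String str2) {
            this.additionalParameters.put(str, str2);
            return this;
        }

        /**
         * Adds all given token-request parameters, replacing earlier values for the same keys.
         *
         * @param map the parameters to add
         * @return this builder
         */
        @Nonnull
        public Builder withAdditionalParameters(@Nonnull Map<String, String> map) {
            this.additionalParameters.putAll(map);
            return this;
        }

        /**
         * Sets the time limit applied to token retrieval.
         *
         * @param timeLimiterConfiguration the time limiter
         * @return this builder
         */
        @Nonnull
        public Builder withTimeLimiter(@Nonnull ResilienceConfiguration.TimeLimiterConfiguration timeLimiterConfiguration) {
            this.timeLimiter = timeLimiterConfiguration;
            return this;
        }

        /**
         * Creates the service. The resilience configuration is named after the token host and the
         * client id, and the service receives its own copy of the parameter map.
         *
         * @return the configured service
         * @throws ShouldNotHappenException if the token URI or the identity was never set
         */
        @Nonnull
        public OAuth2Service build() {
            if (this.tokenUri == null || this.identity == null) {
                throw new ShouldNotHappenException("Some required parameters for the OAuth2Service are null.");
            }
            final ResilienceConfiguration resilience = ResilienceConfiguration.of(this.tokenUri.getHost() + "-" + this.identity.getId()).isolationMode(ResilienceIsolationMode.TENANT_OPTIONAL).timeLimiterConfiguration(this.timeLimiter);
            // Copy, so later builder mutations cannot reach an already-built service.
            return new OAuth2Service(this.tokenUri, this.identity, this.onBehalfOf, this.tenantPropagationStrategy, new HashMap<>(this.additionalParameters), resilience);
        }

        @Generated
        URI getTokenUri() {
            return this.tokenUri;
        }

        @Generated
        ClientIdentity getIdentity() {
            return this.identity;
        }

        @Generated
        OnBehalfOf getOnBehalfOf() {
            return this.onBehalfOf;
        }

        @Generated
        TenantPropagationStrategy getTenantPropagationStrategy() {
            return this.tenantPropagationStrategy;
        }

        // Returns the builder's live map, not a copy.
        @Generated
        Map<String, String> getAdditionalParameters() {
            return this.additionalParameters;
        }

        @Generated
        ResilienceConfiguration.TimeLimiterConfiguration getTimeLimiter() {
            return this.timeLimiter;
        }
    }

    /** How the tenant is conveyed to the token endpoint. */
    public enum TenantPropagationStrategy {
        TENANT_SUBDOMAIN,
        ZID_HEADER
    }

    /**
     * Returns the token-service client for the given tenant and this service's identity, creating
     * and caching it on first use.
     *
     * @param tenantId the tenant id used in the cache key, may be {@code null}
     * @return the cached or newly created token service
     */
    @Nonnull
    OAuth2TokenService getTokenService(@Nullable String tenantId) {
        final CacheKey key = CacheKey.fromIds(tenantId, (String) null).append(this.identity);
        return tokenServiceCache.get(key, this::createTokenService);
    }

    /**
     * Builds a token-service client: the default HTTP client for ordinary identities, or a client
     * backed by the identity's key store for {@code ZtisClientIdentity}.
     *
     * @param cacheKey the cache key being populated (unused)
     * @return a new token service
     * @throws DestinationAccessException if a {@link ClassCastException} occurs while obtaining the HTTP client
     */
    @Nonnull
    private OAuth2TokenService createTokenService(@Nonnull CacheKey cacheKey) {
        if (!(this.identity instanceof SecurityLibWorkarounds.ZtisClientIdentity)) {
            return new DefaultOAuth2TokenService(HttpClientFactory.create(this.identity));
        }
        try {
            // NOTE(review): the destination name is derived from String.hashCode() of the client id,
            // a 32-bit hash that is not collision-resistant. If HttpClientAccessor caches clients by
            // destination name, two client ids with equal hashes would share one client and key
            // store. Confirm how that cache is keyed.
            return new DefaultOAuth2TokenService(HttpClientAccessor.getHttpClient(DefaultHttpDestination.builder("").name("oauth-destination-ztis-" + this.identity.getId().hashCode()).keyStore(((SecurityLibWorkarounds.ZtisClientIdentity) this.identity).getKeyStore()).build()));
        } catch (ClassCastException e) {
            throw new DestinationAccessException("For the X509_ATTESTED credential type the 'HttpClientAccessor' must return instances of 'CloseableHttpClient'", e);
        }
    }

    /**
     * Requests an access token with the flow selected by {@code onBehalfOf}, under this service's
     * resilience configuration.
     *
     * @return the access token value
     * @throws DestinationOAuthTokenException if no response or no access token was returned
     * @throws IllegalStateException if {@code onBehalfOf} has a value this method does not handle
     */
    @Nonnull
    public String retrieveAccessToken() {
        log.debug("Retrieving Access Token from '{}' on behalf of {} with client id '{}'.", this.tokenUri, this.onBehalfOf, this.identity.getId());
        final OAuth2TokenResponse response = ResilienceDecorator.executeSupplier(() -> {
            switch (this.onBehalfOf) {
                case TECHNICAL_USER_PROVIDER:
                    return executeClientCredentialsFlow(null);
                case TECHNICAL_USER_CURRENT_TENANT:
                    return executeClientCredentialsFlow(TenantAccessor.tryGetCurrentTenant().getOrNull());
                case NAMED_USER_CURRENT_TENANT:
                    return executeUserExchangeFlow();
                default:
                    throw new IllegalStateException("Unknown behalf " + this.onBehalfOf);
            }
        }, this.resilienceConfiguration);
        if (response == null) {
            log.debug("OAuth2 token request failed");
            throw new DestinationOAuthTokenException((String) null, "OAuth2 token request failed");
        }
        final String accessToken = response.getAccessToken();
        if (accessToken != null) {
            return accessToken;
        }
        // NOTE(review): the whole response object is logged. What OAuth2TokenResponse#toString
        // emits (e.g. a refresh token) is not visible here; confirm before enabling debug logging
        // where logs are shared.
        log.debug("OAuth2 token request succeeded but the response did not contain an access token: {}", response);
        throw new DestinationOAuthTokenException((String) null, "OAuth2 token request succeeded but the response did not contain an access token");
    }

    /**
     * Runs the client-credentials grant, propagating the tenant by header or by subdomain according
     * to the configured strategy.
     *
     * @param tenant the tenant to request the token for, or {@code null} for none
     * @return the token response, possibly {@code null}
     * @throws TokenRequestFailedException if the token service call fails
     */
    @Nullable
    private OAuth2TokenResponse executeClientCredentialsFlow(@Nullable Tenant tenant) {
        log.debug("Retrieving OAuth token via client credentials flow against '{}' on behalf of {} (using tenant {}).", this.tokenUri, this.onBehalfOf, tenant);
        final String tenantId = getTenantIdOrNull(tenant);
        final String zidHeader = getTenantHeaderOrNull(tenantId);
        final Map<String, String> requestParameters = requestParametersFor(tenantId);
        final String subdomain = getTenantSubdomainOrNull(tenant);
        final OAuth2TokenService tokenService = getTokenService(tenantId);
        return Try.of(() -> tokenService.retrieveAccessTokenViaClientCredentialsGrant(this.tokenUri, this.identity, zidHeader, subdomain, requestParameters, false))
            .getOrElseThrow(th -> new TokenRequestFailedException("Failed to resolve access token.", th));
    }

    /**
     * Builds the parameter map for a single token request: the configured parameters, plus
     * {@code app_tid} when the strategy is {@code TENANT_SUBDOMAIN} and a tenant id is known.
     *
     * <p>A fresh map is returned on every call. Writing {@code app_tid} into the shared instance
     * map would let one caller's tenant id be sent with a concurrent or later request made for a
     * different tenant, or for no tenant at all.
     *
     * @param tenantId the tenant id for this request, may be {@code null}
     * @return a new mutable map owned by the caller
     */
    @Nonnull
    private Map<String, String> requestParametersFor(@Nullable String tenantId) {
        final Map<String, String> requestParameters = new HashMap<>(this.additionalParameters);
        if (this.tenantPropagationStrategy == TenantPropagationStrategy.TENANT_SUBDOMAIN && tenantId != null) {
            requestParameters.put("app_tid", tenantId);
        }
        return requestParameters;
    }

    /** Returns the tenant's id, or {@code null} when there is no tenant. */
    @Nullable
    private String getTenantIdOrNull(@Nullable Tenant tenant) {
        return tenant == null ? null : tenant.getTenantId();
    }

    /** Returns the given tenant id when the strategy is {@code ZID_HEADER}, otherwise {@code null}. */
    @Nullable
    private String getTenantHeaderOrNull(@Nullable String tenantId) {
        return this.tenantPropagationStrategy == TenantPropagationStrategy.ZID_HEADER ? tenantId : null;
    }

    /**
     * Returns the tenant's subdomain when the strategy is {@code TENANT_SUBDOMAIN}.
     *
     * @param tenant the tenant, may be {@code null}
     * @return the subdomain, or {@code null} for another strategy or a missing tenant
     * @throws DestinationAccessException if the tenant is not a {@link TenantWithSubdomain}
     */
    @Nullable
    private String getTenantSubdomainOrNull(@Nullable Tenant tenant) {
        if (this.tenantPropagationStrategy != TenantPropagationStrategy.TENANT_SUBDOMAIN || tenant == null) {
            return null;
        }
        if (tenant instanceof TenantWithSubdomain) {
            return ((TenantWithSubdomain) tenant).getSubdomain();
        }
        throw new DestinationAccessException("Unable to get subdomain of tenant '%s' because the instance is not an instance of %s.".formatted(tenant, TenantWithSubdomain.class.getSimpleName()));
    }

    /**
     * Runs the JWT-bearer grant with the current user's token. The tenant id comes from the token's
     * {@code app_tid}; if a current tenant is also available it must carry the same id.
     *
     * @return the token response, possibly {@code null}
     * @throws CloudPlatformException if no user token is available, or token and tenant disagree
     * @throws DestinationAccessException if the propagation strategy is not handled
     * @throws TokenRequestFailedException if the token service call fails
     */
    @Nullable
    private OAuth2TokenResponse executeUserExchangeFlow() {
        log.debug("Retrieving OAuth token via user token exchange flow against '{}'.", this.tokenUri);
        final var currentJwt = AuthTokenAccessor.tryGetCurrentToken().map(authToken -> authToken.getJwt());
        final Try<Tenant> currentTenant = TenantAccessor.tryGetCurrentTenant();
        if (currentJwt.isFailure()) {
            throw new CloudPlatformException("Failed to get the current user token.", currentJwt.getCause());
        }
        // NOTE(review): Token.create is applied to the raw JWT string and no validation is visible
        // in this class, so app_tid is only as trustworthy as the token AuthTokenAccessor supplied.
        // Confirm it is validated upstream.
        final Token token = currentJwt.map(jwt -> jwt.getToken()).map(Token::create).get();
        if (currentTenant.isFailure()) {
            log.warn("Unexpected state: An Auth Token was found in the current context, but the current tenant is undefined.This is unexpected, please ensure the TenantAccessor and AuthTokenAccessor return consistent results.Proceeding with tenant {} defined in the current token.", token.getAppTid());
            // NOTE(review): this logs the Token object itself. Depending on Token#toString it may
            // write user claims or the encoded token to the log; prefer logging selected claims.
            log.debug("The following token is used for the JwtBearerTokenFlow: {}", token);
        } else if (!currentTenant.get().getTenantId().equals(token.getAppTid())) {
            // Refuse to continue when the two tenant sources disagree.
            throw new CloudPlatformException("Unexpected state: Auth Token and tenant of the current context have different tenant IDs.AuthTokenAccessor returned a token containing tenant ID " + token.getAppTid() + " while TenantAccessor returned " + currentTenant.get() + ". This is unexpected, please ensure the TenantAccessor and AuthTokenAccessor return consistent results.");
        }
        final String appTid = token.getAppTid();
        final Map<String, String> requestParameters = requestParametersFor(appTid);
        final OAuth2TokenService tokenService = getTokenService(appTid);
        final String subdomain = getTenantSubdomainOrNull(currentTenant.getOrNull());
        final CheckedFunction0<OAuth2TokenResponse> tokenRequest;
        switch (this.tenantPropagationStrategy) {
            case ZID_HEADER:
                tokenRequest = () -> tokenService.retrieveAccessTokenViaJwtBearerTokenGrant(this.tokenUri, this.identity, token.getTokenValue(), requestParameters, false, appTid);
                break;
            case TENANT_SUBDOMAIN:
                tokenRequest = () -> tokenService.retrieveAccessTokenViaJwtBearerTokenGrant(this.tokenUri, this.identity, token.getTokenValue(), subdomain, requestParameters, false);
                break;
            default:
                throw new DestinationAccessException("Unhandled TenantPropagation Strategy: %s.".formatted(this.tenantPropagationStrategy));
        }
        return Try.of(tokenRequest).getOrElseThrow(th -> new TokenRequestFailedException("Failed to resolve access token.", th));
    }

    /**
     * Creates a new builder.
     *
     * @return a builder with default behalf, propagation strategy and time limiter
     */
    @Nonnull
    public static Builder builder() {
        return new Builder();
    }

    // The parameter map is stored by reference; Builder#build passes in a private copy.
    @Generated
    OAuth2Service(@Nonnull URI uri, @Nonnull ClientIdentity clientIdentity, @Nonnull OnBehalfOf onBehalfOf, @Nonnull TenantPropagationStrategy tenantPropagationStrategy, @Nonnull Map<String, String> map, @Nonnull ResilienceConfiguration resilienceConfiguration) {
        if (uri == null) {
            throw new NullPointerException("tokenUri is marked non-null but is null");
        }
        if (clientIdentity == null) {
            throw new NullPointerException("identity is marked non-null but is null");
        }
        if (onBehalfOf == null) {
            throw new NullPointerException("onBehalfOf is marked non-null but is null");
        }
        if (tenantPropagationStrategy == null) {
            throw new NullPointerException("tenantPropagationStrategy is marked non-null but is null");
        }
        if (map == null) {
            throw new NullPointerException("additionalParameters is marked non-null but is null");
        }
        if (resilienceConfiguration == null) {
            throw new NullPointerException("resilienceConfiguration is marked non-null but is null");
        }
        this.tokenUri = uri;
        this.identity = clientIdentity;
        this.onBehalfOf = onBehalfOf;
        this.tenantPropagationStrategy = tenantPropagationStrategy;
        this.additionalParameters = map;
        this.resilienceConfiguration = resilienceConfiguration;
    }

    @Nonnull
    @Generated
    ResilienceConfiguration getResilienceConfiguration() {
        return this.resilienceConfiguration;
    }

    // The decompiled listing also contained two synthetic members: the enum switch-map class
    // (OAuth2Service$1) and $deserializeLambda$ for the io.vavr.CheckedFunction0 lambdas. Both are
    // marked synthetic and did not compile as decompiled, so they are not reproduced; the enum
    // switches and lambdas above are written directly.

    static {
        CacheManager.register(tokenServiceCache);
    }
}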
