package com.oracle.bmc.auth.okeworkloadidentity;

import com.oracle.bmc.Region;
import com.oracle.bmc.auth.AbstractFederationClientAuthenticationDetailsProviderBuilder;
import com.oracle.bmc.auth.AbstractRequestingAuthenticationDetailsProvider;
import com.oracle.bmc.auth.AuthCachingPolicy;
import com.oracle.bmc.auth.DefaultServiceAccountTokenProvider;
import com.oracle.bmc.auth.ProvidesConfigurableRefresh;
import com.oracle.bmc.auth.RefreshableOnNotAuthenticatedProvider;
import com.oracle.bmc.auth.RegionProvider;
import com.oracle.bmc.auth.ServiceAccountTokenSupplier;
import com.oracle.bmc.auth.SessionKeySupplier;
import com.oracle.bmc.auth.SuppliedServiceAccountTokenProvider;
import com.oracle.bmc.auth.internal.FederationClient;
import com.oracle.bmc.auth.okeworkloadidentity.internal.OkeTenancyOnlyAuthenticationDetailsProvider;
import com.oracle.bmc.auth.okeworkloadidentity.internal.OkeWorkloadIdentityResourcePrincipalsFederationClient;
import com.oracle.bmc.circuitbreaker.CircuitBreakerConfiguration;
import com.oracle.bmc.http.ClientConfigurator;
import com.oracle.bmc.http.client.StandardClientProperties;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

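/**
 * Authentication details provider for OKE workload identity.
 *
 * <p>The builder creates an {@link OkeWorkloadIdentityResourcePrincipalsFederationClient} whose HTTP
 * client trusts exactly one CA certificate: the one read from the path named by the
 * {@code OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH} environment variable, or from the in-pod
 * service-account directory when the variable is unset. The configured
 * {@link ServiceAccountTokenSupplier} and the builder's region are handed to the provider.
 * Caching of the key id and of the private key is disabled via {@link AuthCachingPolicy}.
 *
 * <p>This listing is decompiler output: method names of the form {@code mNname} are the
 * decompiler's renames of the bridge methods {@code tenancyId}, {@code build},
 * {@code buildProvider} and {@code refresh}. They are kept unchanged here so the surface of
 * the listing is preserved.
 */
@AuthCachingPolicy(cacheKeyId = false, cachePrivateKey = false)
public class OkeWorkloadIdentityAuthenticationDetailsProvider extends AbstractRequestingAuthenticationDetailsProvider
        implements RegionProvider, RefreshableOnNotAuthenticatedProvider<String>, ProvidesConfigurableRefresh {

    /** Default location of the Kubernetes service-account CA certificate inside a pod. */
    private static final String DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH =
            "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";

    /** Environment variable that overrides {@link #DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH}. */
    private static final String KUBERNETES_SERVICE_ACCOUNT_CERT_PATH_ENV =
            "OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH";

    /** Alias under which the CA certificate is stored in the in-memory trust store. */
    private static final String CA_CERT_ALIAS = "ocp-cert";

    /** Region reported by {@link #getRegion()}; supplied by the builder. */
    private final Region region;

    /** Builder for {@link OkeWorkloadIdentityAuthenticationDetailsProvider}. */
    public static class OkeWorkloadIdentityAuthenticationDetailsProviderBuilder
            extends AbstractFederationClientAuthenticationDetailsProviderBuilder<
                    OkeWorkloadIdentityAuthenticationDetailsProviderBuilder,
                    OkeWorkloadIdentityAuthenticationDetailsProvider> {

        /**
         * Hostname verifier installed on the federation client; it accepts every peer name.
         *
         * <p>NOTE(review): with this verifier the only TLS check on the federation endpoint is that
         * its certificate chains to the single CA loaded by {@code buildPinnedSslContext}; any
         * certificate issued by that CA, for any name, is accepted. Presumably the endpoint is not
         * reachable under a name that matches its certificate — confirm before tightening this.
         */
        private static final HostnameVerifier NO_OP_HOSTNAME_VERIFIER = new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }

            @Override
            public String toString() {
                return "NO_OP";
            }
        };

        /** Circuit-breaker configuration forwarded to the federation client; may stay {@code null}. */
        private CircuitBreakerConfiguration circuitBreakerConfig;

        /** Source of the service-account token; defaults to {@link DefaultServiceAccountTokenProvider}. */
        private ServiceAccountTokenSupplier serviceAccountTokenSupplier = new DefaultServiceAccountTokenProvider();

        /**
         * Sets the tenancy id. Decompiler-renamed override of {@code tenancyId}.
         *
         * @param str the tenancy id
         * @return this builder
         */
        public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder m3tenancyId(String str) {
            this.tenancyId = str;
            return this;
        }

        /**
         * Sets the circuit-breaker configuration passed to the federation client.
         *
         * @param circuitBreakerConfiguration the configuration, or {@code null} for none
         * @return this builder
         */
        public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder circuitBreakerConfig(
                CircuitBreakerConfiguration circuitBreakerConfiguration) {
            this.circuitBreakerConfig = circuitBreakerConfiguration;
            return this;
        }

        /**
         * Supplies the service-account token directly via a {@link SuppliedServiceAccountTokenProvider}.
         *
         * @param str the token value
         * @return this builder
         */
        public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder token(String str) {
            this.serviceAccountTokenSupplier = new SuppliedServiceAccountTokenProvider(str);
            return this;
        }

        /**
         * Uses a {@link DefaultServiceAccountTokenProvider} configured with the given token path.
         *
         * @param str path of the service-account token
         * @return this builder
         */
        public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder tokenPath(String str) {
            this.serviceAccountTokenSupplier = new DefaultServiceAccountTokenProvider(str);
            return this;
        }

        /**
         * Uses the given supplier for the service-account token.
         *
         * @param serviceAccountTokenSupplier the supplier
         * @return this builder
         */
        public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder tokenPath(
                ServiceAccountTokenSupplier serviceAccountTokenSupplier) {
            this.serviceAccountTokenSupplier = serviceAccountTokenSupplier;
            return this;
        }

        /**
         * Auto-detects the endpoint from the metadata URL, then builds the provider.
         * Decompiler-renamed override of {@code build}.
         *
         * @return the provider
         */
        public OkeWorkloadIdentityAuthenticationDetailsProvider m2build() {
            autoDetectEndpointUsingMetadataUrl();
            return super.build();
        }

        /**
         * Creates the federation client that obtains security tokens.
         *
         * <p>The client's TLS trust is pinned to the single CA certificate found at the resolved
         * service-account certificate path; request buffering is disabled and hostname
         * verification is replaced by {@link #NO_OP_HOSTNAME_VERIFIER}.
         *
         * @param sessionKeySupplier supplier of the session key handed to the federation client
         * @return the federation client
         * @throws IllegalArgumentException if the CA certificate is missing, unreadable or invalid,
         *     or if the trust store / SSL context cannot be built from it
         */
        @Override
        protected FederationClient createFederationClient(SessionKeySupplier sessionKeySupplier) {
            // Constructed first, before any file access, to keep the original ordering.
            OkeTenancyOnlyAuthenticationDetailsProvider tenancyOnlyProvider =
                    new OkeTenancyOnlyAuthenticationDetailsProvider();

            Path caCertPath = Paths.get(resolveServiceAccountCertPath());
            if (!Files.exists(caCertPath)) {
                throw new IllegalArgumentException("Kubernetes service account ca cert doesn't exist.");
            }
            SSLContext sslContext = buildPinnedSslContext(caCertPath);

            ClientConfigurator tlsConfigurator = httpClientBuilder -> {
                httpClientBuilder.property(StandardClientProperties.HOSTNAME_VERIFIER, NO_OP_HOSTNAME_VERIFIER);
                httpClientBuilder.property(StandardClientProperties.SSL_CONTEXT, sslContext);
                httpClientBuilder.property(StandardClientProperties.BUFFER_REQUEST, false);
            };

            // Caller-supplied configurators run in addition to the TLS one; the single
            // federationClientConfigurator, when set, goes first.
            List<ClientConfigurator> extraConfigurators = new ArrayList<>();
            if (this.federationClientConfigurator != null) {
                extraConfigurators.add(this.federationClientConfigurator);
            }
            extraConfigurators.addAll(this.additionalFederationClientConfigurators);

            return new OkeWorkloadIdentityResourcePrincipalsFederationClient(
                    sessionKeySupplier,
                    this.serviceAccountTokenSupplier,
                    tenancyOnlyProvider,
                    tlsConfigurator,
                    this.circuitBreakerConfig,
                    extraConfigurators);
        }

        /**
         * Resolves the CA certificate path: the environment override when set, else the in-pod default.
         *
         * @return the path as a string
         */
        private static String resolveServiceAccountCertPath() {
            String override = System.getenv(KUBERNETES_SERVICE_ACCOUNT_CERT_PATH_ENV);
            return override != null ? override : DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH;
        }

        /**
         * Builds an SSL context whose trust store holds only the X.509 certificate read from
         * {@code caCertPath}.
         *
         * <p>try-with-resources replaces the decompiled nested try/catch, which closed the stream
         * by hand (with a possible NPE if the stream was never opened) and reported a failed
         * close as a missing certificate.
         *
         * @param caCertPath path of the PEM/DER encoded CA certificate
         * @return the initialised SSL context
         * @throws IllegalArgumentException wrapping the underlying failure; the message tells a
         *     missing file, an unparsable certificate, key-store, algorithm, I/O and SSL-context
         *     errors apart
         */
        private static SSLContext buildPinnedSslContext(Path caCertPath) {
            try (FileInputStream certStream = new FileInputStream(caCertPath.toFile())) {
                X509Certificate caCert =
                        (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certStream);
                KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
                // load(null, null) initialises a fresh, empty in-memory store.
                trustStore.load(null, null);
                TrustManagerFactory trustManagerFactory =
                        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustStore.setCertificateEntry(CA_CERT_ALIAS, caCert);
                trustManagerFactory.init(trustStore);
                SSLContext sslContext = SSLContext.getInstance("TLS");
                // No key managers: the client authenticates with the bearer token, not a client cert.
                sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
                return sslContext;
            } catch (FileNotFoundException e) {
                throw new IllegalArgumentException("Kubernetes service account ca cert doesn't exist.", e);
            } catch (CertificateException e) {
                throw new IllegalArgumentException(
                        "Invalid Kubernetes ca certification. Please contact OKE Foundation team for help.", e);
            } catch (KeyStoreException e) {
                throw new IllegalArgumentException(
                        "Cannot create keystore based on Kubernetes ca cert. Please contact OKE Foundation team for help.", e);
            } catch (NoSuchAlgorithmException | IOException e) {
                throw new IllegalArgumentException(
                        "Cannot load keystore. Please contact OKE Foundation team for help.", e);
            } catch (KeyManagementException e) {
                throw new IllegalArgumentException(
                        "Failed to load ssl context when trying to request rpst token. Please contact OKE Foundation team for help.", e);
            }
        }

        /**
         * Creates the provider from the built federation client, the session key supplier and the
         * builder's region. Decompiler-renamed override of {@code buildProvider}; the decompiler
         * reports the original access as {@code protected}.
         *
         * @param sessionKeySupplier supplier of the session key
         * @return the provider
         */
        public OkeWorkloadIdentityAuthenticationDetailsProvider m1buildProvider(SessionKeySupplier sessionKeySupplier) {
            return new OkeWorkloadIdentityAuthenticationDetailsProvider(this.federationClient, sessionKeySupplier, this.region);
        }
    }

    /**
     * @param federationClient client that obtains and refreshes the security token
     * @param sessionKeySupplier supplier of the session key
     * @param region region reported by {@link #getRegion()}
     */
    private OkeWorkloadIdentityAuthenticationDetailsProvider(
            FederationClient federationClient, SessionKeySupplier sessionKeySupplier, Region region) {
        super(federationClient, sessionKeySupplier);
        this.region = region;
    }

    /**
     * Creates a new builder.
     *
     * @return a fresh builder
     */
    public static OkeWorkloadIdentityAuthenticationDetailsProviderBuilder builder() {
        return new OkeWorkloadIdentityAuthenticationDetailsProviderBuilder();
    }

    /**
     * Forces a refresh and returns the new security token. Decompiler-renamed override of
     * {@code refresh}.
     *
     * @return the refreshed security token
     */
    public String m0refresh() {
        return this.federationClient.refreshAndGetSecurityToken();
    }

    @Override
    public Region getRegion() {
        return this.region;
    }

    /**
     * Delegates to the federation client's {@code refreshAndGetSecurityTokenIfExpiringWithin} when
     * that client implements {@link ProvidesConfigurableRefresh}; otherwise refreshes unconditionally.
     *
     * @param duration window forwarded to the federation client
     * @return the (possibly refreshed) security token
     */
    public String refreshAndGetSecurityTokenIfExpiringWithin(Duration duration) {
        if (this.federationClient instanceof ProvidesConfigurableRefresh) {
            return this.federationClient.refreshAndGetSecurityTokenIfExpiringWithin(duration);
        }
        return this.federationClient.refreshAndGetSecurityToken();
    }

    /**
     * Two-argument form of {@link #refreshAndGetSecurityTokenIfExpiringWithin(Duration)}; the
     * boolean is forwarded unchanged to the federation client when it supports configurable refresh.
     *
     * @param duration window forwarded to the federation client
     * @param z flag forwarded to the federation client (parameter name is a decompiler artifact)
     * @return the (possibly refreshed) security token
     */
    public String refreshAndGetSecurityTokenIfExpiringWithin(Duration duration, boolean z) {
        if (this.federationClient instanceof ProvidesConfigurableRefresh) {
            return this.federationClient.refreshAndGetSecurityTokenIfExpiringWithin(duration, z);
        }
        return this.federationClient.refreshAndGetSecurityToken();
    }
}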
