package com.microsoft.azure.spring.autoconfigure.aad;

import com.fasterxml.jackson.databind.JsonNode;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.IClientCredential;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import javax.naming.ServiceUnavailableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:com/microsoft/azure/spring/autoconfigure/aad/AzureADGraphClient.class */
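/**
 * Resolves the Azure AD group memberships of a signed-in user and maps them to Spring Security
 * authorities.
 *
 * <p>The membership document is fetched from {@link ServiceEndpoints#getAadMembershipRestUri()}.
 * When the configured environment name contains {@value #V2_VERSION_ENV_FLAG} the request is shaped
 * for Microsoft Graph (bearer token), otherwise for the legacy Azure AD Graph API (api-version 1.6).
 * The class can also exchange the user's id token for a Graph access token through the MSAL
 * on-behalf-of flow.
 *
 * <p>The class keeps no mutable state of its own; every request opens its own connection.
 */
public class AzureADGraphClient {
    private static final Logger log = LoggerFactory.getLogger(AzureADGraphClient.class);
    /** Granted when none of the user's groups is in the configured allow-list (see {@link #convertGroupsToGrantedAuthorities}). */
    private static final SimpleGrantedAuthority DEFAULT_AUTHORITY = new SimpleGrantedAuthority("ROLE_USER");
    private static final String DEFAULT_ROLE_PREFIX = "ROLE_";
    private static final String MICROSOFT_GRAPH_SCOPE = "https://graph.microsoft.com/user.read";
    private static final String AAD_GRAPH_API_SCOPE = "https://graph.windows.net/user.read";
    /** Substring of the environment name that selects Microsoft Graph over the legacy AAD Graph API. */
    private static final String V2_VERSION_ENV_FLAG = "v2-graph";

    private final String clientId;
    private final String clientSecret;
    private final ServiceEndpoints serviceEndpoints;
    private final AADAuthenticationProperties aadAuthenticationProperties;
    /** True when the environment selects Microsoft Graph; decided once in the constructor. */
    private final boolean aadMicrosoftGraphApiBool;

    /**
     * Creates a client bound to the endpoints of the environment named in {@code aadAuthenticationProperties}.
     *
     * @param clientId                    application (client) id used for the on-behalf-of flow
     * @param clientSecret                client secret used for the on-behalf-of flow
     * @param aadAuthenticationProperties group/allow-list configuration and the environment name; must not be null
     * @param serviceEndpointsProperties  lookup of per-environment endpoints; must not be null
     */
    public AzureADGraphClient(String clientId, String clientSecret,
                              AADAuthenticationProperties aadAuthenticationProperties,
                              ServiceEndpointsProperties serviceEndpointsProperties) {
        Objects.requireNonNull(aadAuthenticationProperties, "aadAuthenticationProperties");
        Objects.requireNonNull(serviceEndpointsProperties, "serviceEndpointsProperties");
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.aadAuthenticationProperties = aadAuthenticationProperties;
        final String environment = aadAuthenticationProperties.getEnvironment();
        this.serviceEndpoints = serviceEndpointsProperties.getServiceEndpoints(environment);
        this.aadMicrosoftGraphApiBool = isMicrosoftGraphEnvironment(environment);
    }

    /** Returns whether {@code environment} names a Microsoft Graph ("v2") environment. */
    private static boolean isMicrosoftGraphEnvironment(String environment) {
        return environment.contains(V2_VERSION_ENV_FLAG);
    }

    /**
     * Fetches the raw membership document for the user identified by {@code accessToken}.
     *
     * @param accessToken value placed in the {@code Authorization} header; for Microsoft Graph it is sent as a
     *                    bearer token, for the legacy AAD Graph API it is sent verbatim, so the caller must
     *                    supply whatever form that API expects
     * @return the body of a 200 response
     * @throws IOException           if the connection cannot be opened or read
     * @throws IllegalStateException if the endpoint answers with a status other than 200; the message carries
     *                               the error body when the server returned one
     */
    private String getUserMembershipsV1(String accessToken) throws IOException {
        final URL membershipUrl = new URL(serviceEndpoints.getAadMembershipRestUri());
        final HttpURLConnection connection = (HttpURLConnection) membershipUrl.openConnection();
        // NOTE(review): no connect/read timeout is configured, so a stalled endpoint blocks the
        // calling (authentication) thread indefinitely — consider setConnectTimeout/setReadTimeout.
        connection.setRequestMethod(HttpMethod.GET.toString());
        if (aadMicrosoftGraphApiBool) {
            connection.setRequestProperty("Authorization", String.format("Bearer %s", accessToken));
            connection.setRequestProperty("Accept", "application/json");
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        } else {
            connection.setRequestProperty("api-version", "1.6");
            connection.setRequestProperty("Authorization", accessToken);
            connection.setRequestProperty("Accept", "application/json;odata=minimalmetadata");
        }
        // Check the status before touching the body: getInputStream() throws for 4xx/5xx, so reading
        // first turned every error response into an IOException and the non-200 branch never ran.
        final int responseCode = connection.getResponseCode();
        if (responseCode == HttpURLConnection.HTTP_OK) {
            return getResponseStringFromConn(connection);
        }
        throw new IllegalStateException("Response is not 200, response json: " + readErrorBody(connection));
    }

    /**
     * Reads the whole success body of {@code connection} as UTF-8.
     *
     * @return the body with line separators removed
     * @throws IOException if the stream cannot be opened or read
     */
    private static String getResponseStringFromConn(HttpURLConnection connection) throws IOException {
        return readAllLines(connection.getInputStream());
    }

    /**
     * Reads the error body of a failed request, or returns an empty string when the server sent none
     * ({@link HttpURLConnection#getErrorStream()} is null in that case).
     */
    private static String readErrorBody(HttpURLConnection connection) throws IOException {
        final InputStream errorStream = connection.getErrorStream();
        if (errorStream == null) {
            return "";
        }
        return readAllLines(errorStream);
    }

    /** Concatenates every line of {@code in} (line separators dropped), decoding as UTF-8, and closes it. */
    private static String readAllLines(InputStream in) throws IOException {
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            final StringBuilder body = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line);
            }
            return body.toString();
        }
    }

    /**
     * Returns the user's groups whose configured key/value pair matches, in the order the service lists them.
     *
     * @param accessToken token for the membership endpoint (see {@link #getUserMembershipsV1})
     * @return a mutable list, empty when the response has no {@code value} array
     * @throws IOException           on connection or parsing failure
     * @throws IllegalStateException when the endpoint answers with a status other than 200
     */
    public List<UserGroup> getGroups(String accessToken) throws IOException {
        return loadUserGroups(accessToken);
    }

    /** Parses the membership document and builds {@link UserGroup}s from its {@code value} array. */
    private List<UserGroup> loadUserGroups(String accessToken) throws IOException {
        final String membershipJson = getUserMembershipsV1(accessToken);
        final JsonNode values = JacksonObjectMapperFactory.getInstance()
            .readValue(membershipJson, JsonNode.class)
            .get("value");
        if (values == null) {
            return new ArrayList<>();
        }
        final String objectIdKey = aadAuthenticationProperties.getUserGroup().getObjectIDKey();
        // path() rather than get(): an entry missing a field yields "" instead of an NPE.
        return StreamSupport.stream(values.spliterator(), false)
            .filter(this::isMatchingUserGroupKey)
            .map(node -> new UserGroup(node.path(objectIdKey).asText(), node.path("displayName").asText()))
            .collect(Collectors.toCollection(ArrayList::new));
    }

    /** True when the node's configured key field equals the configured value; a missing field never matches. */
    private boolean isMatchingUserGroupKey(JsonNode node) {
        final String key = aadAuthenticationProperties.getUserGroup().getKey();
        final String expected = aadAuthenticationProperties.getUserGroup().getValue();
        return node.path(key).asText().equals(expected);
    }

    /**
     * Fetches the user's groups and converts them to authorities.
     *
     * @param accessToken token for the membership endpoint
     * @return see {@link #convertGroupsToGrantedAuthorities(List)}
     * @throws IOException on connection or parsing failure
     */
    public Set<GrantedAuthority> getGrantedAuthorities(String accessToken) throws IOException {
        return convertGroupsToGrantedAuthorities(getGroups(accessToken));
    }

    /**
     * Maps allow-listed groups to {@code ROLE_<displayName>} authorities, preserving input order.
     *
     * <p>Matching is by display name. Display names are not guaranteed to be unique within a directory
     * and can be changed by whoever administers the group, so an allow-list keyed on them is weaker than
     * one keyed on the group object id; treat that as a deployment caveat. When no group is allow-listed
     * the result is exactly {@code ROLE_USER}, so that role must not be read as membership in any group.
     *
     * @param list the user's groups; must not be null
     * @return a mutable, insertion-ordered set; never empty
     * @throws NullPointerException if {@code list} is null
     */
    public Set<GrantedAuthority> convertGroupsToGrantedAuthorities(List<UserGroup> list) {
        Objects.requireNonNull(list, "list");
        final Set<GrantedAuthority> authorities = list.stream()
            .filter(this::isValidUserGroupToGrantAuthority)
            .map(UserGroup::getDisplayName)
            .<GrantedAuthority>map(name -> new SimpleGrantedAuthority(DEFAULT_ROLE_PREFIX + name))
            .collect(Collectors.toCollection(LinkedHashSet::new));
        if (authorities.isEmpty()) {
            authorities.add(DEFAULT_AUTHORITY);
        }
        return authorities;
    }

    /** True when the group's display name is in either configured allow-list. */
    private boolean isValidUserGroupToGrantAuthority(UserGroup group) {
        final String displayName = group.getDisplayName();
        return aadAuthenticationProperties.getUserGroup().getAllowedGroups().contains(displayName)
            || aadAuthenticationProperties.getActiveDirectoryGroups().contains(displayName);
    }

    /**
     * Exchanges the user's id token for a Graph access token via the MSAL on-behalf-of flow.
     *
     * <p>The scope requested is {@value #MICROSOFT_GRAPH_SCOPE} or {@value #AAD_GRAPH_API_SCOPE}
     * depending on the environment. A {@link MsalServiceException} carrying a non-empty claims
     * challenge is rethrown unchanged so the caller can act on it; any other failure is logged and
     * surfaced as {@link ServiceUnavailableException}.
     *
     * @param idToken  the user's id token, used as the on-behalf-of assertion
     * @param tenantId currently unused: the client is built without an explicit authority, so MSAL's
     *                 default authority applies — NOTE(review): confirm this is intended for
     *                 single-tenant deployments
     * @return the acquired token result; never null
     * @throws ServiceUnavailableException if no token could be acquired
     * @throws MsalServiceException        if the service answered with a claims challenge
     */
    public IAuthenticationResult acquireTokenForGraphApi(String idToken, String tenantId)
        throws ServiceUnavailableException {
        final IClientCredential credential = ClientCredentialFactory.create(clientSecret);
        final UserAssertion assertion = new UserAssertion(idToken);
        final Set<String> scopes = new HashSet<>();
        scopes.add(aadMicrosoftGraphApiBool ? MICROSOFT_GRAPH_SCOPE : AAD_GRAPH_API_SCOPE);
        IAuthenticationResult result = null;
        try {
            // The previous version also created a single-thread executor here but never handed it to
            // the client, so it has been dropped.
            final ConfidentialClientApplication application =
                ConfidentialClientApplication.builder(clientId, credential).build();
            result = application.acquireToken(OnBehalfOfParameters.builder(scopes, assertion).build()).get();
        } catch (Exception e) {
            // Broad catch kept on purpose: callers rely on ServiceUnavailableException for any failure.
            if (e instanceof InterruptedException) {
                Thread.currentThread().interrupt();
            }
            final Throwable cause = e.getCause();
            if (cause instanceof MsalServiceException) {
                final MsalServiceException msalException = (MsalServiceException) cause;
                if (msalException.claims() != null && !msalException.claims().isEmpty()) {
                    throw msalException;
                }
            }
            log.error("acquire on behalf of token for graph api error", e);
        }
        if (result == null) {
            throw new ServiceUnavailableException("unable to acquire on-behalf-of token for client " + clientId);
        }
        return result;
    }
}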
