package com.azure.spring.autoconfigure.aad;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.IClientSecret;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.naming.ServiceUnavailableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:com/azure/spring/autoconfigure/aad/GraphOboClient.class */
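/**
 * Resolves a signed-in user's Azure AD group memberships through the Graph REST API and
 * converts them into Spring Security authorities. Also exchanges the user's token for a
 * Graph token via the OAuth2 on-behalf-of flow.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The Graph bearer token is attached to every membership page request. On the
 *       "v2-graph" path the next-page URL comes from the response body, so it is checked
 *       against the origin of the configured endpoint before the token is sent to it.</li>
 *   <li>Authorities are derived from group <em>display names</em> (see {@link #getGroups}).
 *       Display names are not guaranteed unique or immutable in Azure AD, so the allow-list
 *       consulted by {@code isAllowedGroup} should be reviewed with that in mind.</li>
 * </ul>
 */
public class GraphOboClient {
    private static final Logger LOGGER = LoggerFactory.getLogger(GraphOboClient.class);
    private static final String MICROSOFT_GRAPH_SCOPE = "https://graph.microsoft.com/user.read";
    private static final String AAD_GRAPH_API_SCOPE = "https://graph.windows.net/user.read";
    private static final String REQUEST_ID_SUFFIX = "aadfeed6";
    private static final String V2_VERSION_ENV_FLAG = "v2-graph";
    private final ServiceEndpoints serviceEndpoints;
    private final AADAuthenticationProperties aadAuthenticationProperties;
    private final boolean graphApiVersionIsV2;

    /**
     * Creates a client bound to the endpoints of the configured environment.
     *
     * @param aadAuthenticationProperties AAD settings (client id/secret, environment, user-group rules)
     * @param serviceEndpointsProperties lookup table of per-environment service endpoints
     */
    public GraphOboClient(AADAuthenticationProperties aadAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties) {
        this.aadAuthenticationProperties = aadAuthenticationProperties;
        this.serviceEndpoints = serviceEndpointsProperties.getServiceEndpoints(aadAuthenticationProperties.getEnvironment());
        // The environment name doubles as the API selector: any name containing "v2-graph"
        // switches to Microsoft Graph; a missing environment falls back to AAD Graph.
        this.graphApiVersionIsV2 = Optional.ofNullable(aadAuthenticationProperties.getEnvironment())
            .map(environment -> environment.contains(V2_VERSION_ENV_FLAG))
            .orElse(false);
    }

    /**
     * Fetches one page of the user's memberships as raw JSON.
     *
     * @param accessToken Graph access token, sent as a bearer credential
     * @param url absolute URL of the membership page to request
     * @return the response body
     * @throws IOException on transport failure; note that {@code getInputStream()} itself
     *     raises an {@code IOException} for HTTP error statuses, so the status check below
     *     only ever rejects non-200 success codes
     * @throws IllegalStateException if the response status is a success code other than 200
     */
    private String getUserMemberships(String accessToken, String url) throws IOException {
        final HttpURLConnection connection = (HttpURLConnection) new URL(url).openConnection();
        // NOTE(review): no connect/read timeout is configured, so a stalled endpoint can
        // block the calling thread indefinitely; choose values that fit the deployment.
        connection.setRequestMethod(HttpMethod.GET.toString());
        // Never log this header: it carries the user's Graph credential.
        connection.setRequestProperty("Authorization", String.format("Bearer %s", accessToken));
        if (this.graphApiVersionIsV2) {
            connection.setRequestProperty("Accept", "application/json");
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        } else {
            connection.setRequestProperty("api-version", "1.6");
            connection.setRequestProperty("Accept", "application/json;odata=minimalmetadata");
        }
        final String responseBody = getResponseString(connection);
        if (connection.getResponseCode() == 200) {
            return responseBody;
        }
        throw new IllegalStateException("Response is not 200, response json: " + responseBody);
    }

    /**
     * Turns the {@code odata.nextLink} value of a membership page into a requestable URL.
     *
     * @param odataNextLink next-link value taken from the previous response
     * @return the link unchanged on the v2 path; otherwise the configured membership URI with
     *     the link's query part appended
     * @throws IllegalStateException if a non-v2 link has no {@code /memberOf?} segment
     */
    private String getUrlStringFromODataNextLink(String odataNextLink) {
        if (this.graphApiVersionIsV2) {
            return odataNextLink;
        }
        final String[] parts = odataNextLink.split("/memberOf\\?");
        if (parts.length < 2) {
            throw new IllegalStateException("Unexpected odata.nextLink format: no '/memberOf?' segment");
        }
        // Only the query part of the server-supplied link is reused; scheme, host and path
        // come from configuration. The "&" join presumably relies on the configured URI
        // already carrying a query string - confirm against the endpoint definitions.
        // NOTE(review): the membership URI is used here even when the first page was
        // requested from the transitive-member URI - confirm this is intended.
        return this.serviceEndpoints.getAadMembershipRestUri() + "&" + parts[1];
    }

    /**
     * Reads the whole response body as UTF-8 text. Line terminators are dropped, as lines
     * are appended back to back.
     *
     * @param connection connection whose input stream is consumed and closed
     * @return the concatenated body lines
     * @throws IOException if the stream cannot be opened or read
     */
    private static String getResponseString(HttpURLConnection connection) throws IOException {
        try (BufferedReader reader = new BufferedReader(
            new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8))) {
            final StringBuilder body = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line);
            }
            return body.toString();
        }
    }

    /**
     * Collects the display names of all group objects the user belongs to, following
     * pagination until no next link is returned.
     *
     * @param accessToken Graph access token for the user
     * @return group display names in the order they were returned
     * @throws IOException on transport or JSON parsing failure
     * @throws IllegalStateException if a page is rejected or a v2 next link points to a
     *     different origin than the configured endpoint
     */
    public Set<String> getGroups(String accessToken) throws IOException {
        final Set<String> groups = new LinkedHashSet<>();
        final ObjectMapper objectMapper = JacksonObjectMapperFactory.getInstance();
        final String firstPageUrl = getAadMembershipRestUri();
        String pageUrl = firstPageUrl;
        while (pageUrl != null) {
            final Memberships memberships = objectMapper.readValue(getUserMemberships(accessToken, pageUrl), Memberships.class);
            memberships.getValue().stream()
                .filter(this::isGroupObject)
                .map(Membership::getDisplayName)
                .forEach(groups::add);
            pageUrl = Optional.of(memberships)
                .map(Memberships::getOdataNextLink)
                .map(this::getUrlStringFromODataNextLink)
                .orElse(null);
            if (pageUrl != null && this.graphApiVersionIsV2) {
                // On the v2 path the link is followed verbatim, and the bearer token goes
                // with it; pin it to the origin the first page was fetched from.
                requireSameOrigin(firstPageUrl, pageUrl);
            }
        }
        return groups;
    }

    /**
     * Rejects a URL whose scheme, host or port differs from a trusted reference URL.
     *
     * @param trustedUrl URL taken from configuration
     * @param candidateUrl URL taken from a server response
     * @throws MalformedURLException if either value is not an absolute URL
     * @throws IllegalStateException if the origins differ
     */
    private static void requireSameOrigin(String trustedUrl, String candidateUrl) throws MalformedURLException {
        final URL trusted = new URL(trustedUrl);
        final URL candidate = new URL(candidateUrl);
        final boolean sameOrigin = trusted.getProtocol().equalsIgnoreCase(candidate.getProtocol())
            && trusted.getHost().equalsIgnoreCase(candidate.getHost())
            && effectivePort(trusted) == effectivePort(candidate);
        if (!sameOrigin) {
            // Report only scheme and host: the full link may carry paging tokens.
            throw new IllegalStateException("Refusing to follow membership next link to a different origin: "
                + candidate.getProtocol() + "://" + candidate.getHost());
        }
    }

    /** Returns the explicit port of {@code url}, or the scheme's default when none is given. */
    private static int effectivePort(URL url) {
        return url.getPort() != -1 ? url.getPort() : url.getDefaultPort();
    }

    /** Picks the direct-membership or transitive-membership endpoint per the configured group relationship. */
    private String getAadMembershipRestUri() {
        final boolean directOnly = AADAuthenticationProperties.getDirectGroupRelationship()
            .equalsIgnoreCase(this.aadAuthenticationProperties.getUserGroup().getGroupRelationship());
        return directOnly
            ? this.serviceEndpoints.getAadMembershipRestUri()
            : this.serviceEndpoints.getAadTransitiveMemberRestUri();
    }

    /** Returns whether the membership's object type equals the configured user-group value. */
    private boolean isGroupObject(Membership membership) {
        return membership.getObjectType().equals(this.aadAuthenticationProperties.getUserGroup().getValue());
    }

    /**
     * Resolves the user's groups and maps them to authorities.
     *
     * @param accessToken Graph access token for the user
     * @return authorities for the allowed groups, or the default authority set if none match
     * @throws IOException on transport or JSON parsing failure
     */
    public Set<SimpleGrantedAuthority> getGrantedAuthorities(String accessToken) throws IOException {
        return toGrantedAuthoritySet(getGroups(accessToken));
    }

    /**
     * Maps allowed group names to role authorities.
     *
     * @param groups group display names
     * @return one authority per allowed group (role prefix + name), or
     *     {@code Constants.DEFAULT_AUTHORITY_SET} when no group is allowed
     */
    public Set<SimpleGrantedAuthority> toGrantedAuthoritySet(Set<String> groups) {
        // The role name is built from the group's display name, so authorization decisions
        // downstream hinge on that name matching the allow-list exactly.
        final Set<SimpleGrantedAuthority> authorities = groups.stream()
            .filter(this.aadAuthenticationProperties::isAllowedGroup)
            .map(group -> new SimpleGrantedAuthority(Constants.ROLE_PREFIX + group))
            .collect(Collectors.toSet());
        return authorities.isEmpty() ? Constants.DEFAULT_AUTHORITY_SET : authorities;
    }

    /**
     * Exchanges the user's token for a Graph token using the on-behalf-of flow.
     *
     * @param userToken token presented by the user, wrapped as the OBO user assertion
     * @param tenantId value appended to the sign-in URI to form the authority; presumably the
     *     tenant id - callers should take it from a validated token, not from raw request input
     * @return the authentication result holding the Graph token
     * @throws ServiceUnavailableException if no token could be acquired
     * @throws MsalServiceException if the failure carries a claims challenge, so the caller
     *     can react to it (for example conditional access)
     */
    public IAuthenticationResult acquireTokenForGraphApi(String userToken, String tenantId) throws ServiceUnavailableException {
        final IClientSecret clientSecret = ClientCredentialFactory.createFromSecret(this.aadAuthenticationProperties.getClientSecret());
        final UserAssertion userAssertion = new UserAssertion(userToken);
        IAuthenticationResult result = null;
        try {
            final ConfidentialClientApplication application = ConfidentialClientApplication
                .builder(this.aadAuthenticationProperties.getClientId(), clientSecret)
                .authority(this.serviceEndpoints.getAadSigninUri() + tenantId + "/")
                .correlationId(getCorrelationId())
                .build();
            final Set<String> scopes = new HashSet<>();
            scopes.add(this.graphApiVersionIsV2 ? MICROSOFT_GRAPH_SCOPE : AAD_GRAPH_API_SCOPE);
            result = application.acquireToken(OnBehalfOfParameters.builder(scopes, userAssertion).build()).get();
        } catch (InterruptedException | MalformedURLException | ExecutionException e) {
            if (e instanceof InterruptedException) {
                // Restore the interrupt flag so callers further up can observe the interruption.
                Thread.currentThread().interrupt();
            }
            final Throwable cause = e.getCause();
            if (cause instanceof MsalServiceException) {
                final MsalServiceException serviceException = (MsalServiceException) cause;
                if (serviceException.claims() != null && !serviceException.claims().isEmpty()) {
                    throw serviceException;
                }
            }
            LOGGER.error("acquire on behalf of token for graph api error", e);
        }
        if (result == null) {
            throw new ServiceUnavailableException("unable to acquire on-behalf-of token for client " + this.aadAuthenticationProperties.getClientId());
        }
        return result;
    }

    /**
     * Builds a correlation id: a random UUID whose trailing characters are replaced by a
     * fixed suffix, which makes requests issued by this client recognisable in traces.
     */
    private static String getCorrelationId() {
        final String uuid = UUID.randomUUID().toString();
        return uuid.substring(0, uuid.length() - REQUEST_ID_SUFFIX.length()) + REQUEST_ID_SUFFIX;
    }
}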
