package com.sap.cloud.sdk.cloudplatform.security;

import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.gson.JsonObject;
import com.sap.cloud.sdk.cloudplatform.ClientCredentialsValidator;
import com.sap.cloud.sdk.cloudplatform.CloudPlatformAccessor;
import com.sap.cloud.sdk.cloudplatform.ScpCfCloudPlatform;
import com.sap.cloud.sdk.cloudplatform.exception.ShouldNotHappenException;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceConfiguration;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceDecorator;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceIsolationMode;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestDeniedException;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException;
import com.sap.cloud.sdk.cloudplatform.servlet.RequestAccessor;
import com.sap.cloud.sdk.cloudplatform.thread.ThreadContextAccessor;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.config.cf.CFConstants;
import com.sap.cloud.security.config.cf.CFEnvironment;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;
import com.sap.cloud.security.xsuaa.client.ClientCredentials;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.tokenflows.UserTokenFlow;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
import io.vavr.control.Option;
import io.vavr.control.Try;
import java.lang.invoke.SerializedLambda;
import java.net.URI;
import java.time.Duration;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.Future;
import java.util.concurrent.FutureTask;
import java.util.function.BiFunction;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/sdk/cloudplatform/security/DefaultAuthTokenFacade.class */
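/**
 * Default {@link AuthTokenFacade}: resolves the {@link AuthToken} of the current thread context or
 * request, and requests service and refresh tokens from the bound XSUAA instance.
 *
 * <p>This listing is decompiler output; a few constructs (noted inline) are artifacts of
 * decompilation rather than hand-written source.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The default JWT validators are built once, during class initialisation, from the XSUAA
 *       bindings found in the environment. When no binding can be loaded the validator list is
 *       empty.</li>
 *   <li>The refresh-token flow is refused unless the supplied JWT carries the {@code uaa.user}
 *       scope.</li>
 * </ul>
 */
public class DefaultAuthTokenFacade implements AuthTokenFacade {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(DefaultAuthTokenFacade.class);

    /** Token service shared by every facade created through the no-argument constructor. */
    @Nonnull
    static final OAuth2TokenService defaultTokenService = new DefaultOAuth2TokenService();

    /**
     * Validators derived from the XSUAA bindings present when this class is initialised. Bindings
     * are read once and not re-read afterwards.
     */
    @Nonnull
    static final List<CombiningValidator<Token>> defaultValidators = loadXsuaaValidators(loadXsuaaConfigurations());

    @Nonnull
    private final OAuth2TokenService tokenService;

    @Nonnull
    private final List<CombiningValidator<Token>> tokenValidators;

    /** Creates a facade backed by {@link #defaultTokenService} and {@link #defaultValidators}. */
    public DefaultAuthTokenFacade() {
        this(defaultTokenService, defaultValidators);
    }

    /**
     * Creates a facade for an explicit token service and at most one XSUAA configuration.
     *
     * @param oAuth2TokenService the service used for all token requests
     * @param oAuth2ServiceConfiguration the XSUAA configuration to validate tokens against; when
     *     {@code null}, a warning is logged and the facade is created with no validators
     */
    public DefaultAuthTokenFacade(@Nonnull OAuth2TokenService oAuth2TokenService, @Nullable OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        this(oAuth2TokenService, validatorsFor(oAuth2ServiceConfiguration));
    }

    private DefaultAuthTokenFacade(@Nonnull OAuth2TokenService oAuth2TokenService, @Nonnull List<CombiningValidator<Token>> list) {
        this.tokenService = oAuth2TokenService;
        this.tokenValidators = list;
    }

    /** Builds the single-validator list for an optional configuration, or an empty list when it is absent. */
    @Nonnull
    private static List<CombiningValidator<Token>> validatorsFor(@Nullable OAuth2ServiceConfiguration configuration) {
        if (configuration == null) {
            // NOTE(review): the facade is still usable with zero validators. Whether AuthTokenDecoder
            // rejects or accepts tokens in that state is not visible here - confirm it fails closed.
            log.warn("AuthTokenFacade instantiated without an XSUAA configuration.");
            return Collections.emptyList();
        }
        return Collections.singletonList(getXsuaaValidator(configuration));
    }

    /**
     * Returns the token stored in the current thread context, falling back to decoding and
     * validating the token of the current request.
     *
     * @return a {@link Try} holding the token, or the failure of the fallback lookup
     */
    @Override // com.sap.cloud.sdk.cloudplatform.security.AuthTokenFacade
    @Nonnull
    public Try<AuthToken> tryGetCurrentToken() {
        AuthTokenDecoder authTokenDecoder = getAuthTokenDecoder();
        // A token found in the thread context is returned as stored; only the request fallback
        // below goes through decodeAndValidate.
        // NOTE(review): presumably the context token was validated when it was stored - confirm in
        // AuthTokenThreadContextListener.
        return ThreadContextAccessor.tryGetCurrentContext().flatMap(threadContext -> {
            return threadContext.getProperty(AuthTokenThreadContextListener.PROPERTY_AUTH_TOKEN);
        }).map((v0) -> {
            return v0.getValue();
        }).orElse(() -> {
            Try tryGetCurrentRequest = RequestAccessor.tryGetCurrentRequest();
            // Decompiler artifact: null check emitted for the bound method reference below.
            authTokenDecoder.getClass();
            return tryGetCurrentRequest.flatMap(authTokenDecoder::decodeAndValidate);
        });
    }

    /**
     * Requests a service token from XSUAA through {@link AuthTokenRequest}.
     *
     * @return a {@link Try} holding the service token, or the exception raised by the request
     */
    @Override // com.sap.cloud.sdk.cloudplatform.security.AuthTokenFacade
    @Nonnull
    public Try<AuthToken> tryGetXsuaaServiceToken() {
        AuthTokenDecoder authTokenDecoder = getAuthTokenDecoder();
        return Try.of(() -> {
            return new AuthTokenRequest(authTokenDecoder, this.tokenService).getXsuaaServiceToken();
        });
    }

    /**
     * Exchanges the given user JWT for a refresh token via the XSUAA user token flow.
     *
     * <p>The request runs synchronously on the calling thread ({@code futureTask.run()}), so the
     * returned future is already completed when this method returns. A failure of the request is
     * reported by {@link Future#get()}.
     *
     * @param decodedJWT the user token to exchange; must carry the {@code uaa.user} scope
     * @return a completed future holding the refresh token or the failure
     */
    @Override // com.sap.cloud.sdk.cloudplatform.security.AuthTokenFacade
    @Nonnull
    public Future<String> getRefreshToken(@Nonnull DecodedJWT decodedJWT) {
        FutureTask<String> futureTask = new FutureTask<>(ResilienceDecorator.decorateCallable(
            () -> sendTokenRequestAndParseResponse(decodedJWT),
            ResilienceConfiguration.of(DefaultAuthTokenFacade.class)
                .isolationMode(ResilienceIsolationMode.NO_ISOLATION)
                .timeLimiterConfiguration(ResilienceConfiguration.TimeLimiterConfiguration.of().timeoutDuration(Duration.ofSeconds(6L)))
                .circuitBreakerConfiguration(ResilienceConfiguration.CircuitBreakerConfiguration.of().waitDuration(Duration.ofSeconds(6L)))));
        futureTask.run();
        return futureTask;
    }

    /**
     * Runs the XSUAA user token flow for the given JWT and extracts the refresh token.
     *
     * @param decodedJWT the user token; its {@code scope} claim must contain {@code uaa.user}
     * @return the refresh token from the token response, never {@code null}
     * @throws TokenRequestDeniedException if the {@code scope} claim is missing, is not a list, or
     *     does not contain {@code uaa.user}
     * @throws TokenRequestFailedException if the flow fails or the response has no refresh token
     * @throws ShouldNotHappenException if the current platform is not a {@link ScpCfCloudPlatform}
     * @throws NullPointerException if {@code url}, {@code clientid} or {@code clientsecret} is
     *     absent from the XSUAA service credentials; the message names the missing key
     */
    @Nonnull
    private String sendTokenRequestAndParseResponse(@Nonnull DecodedJWT decodedJWT) throws TokenRequestDeniedException, TokenRequestFailedException {
        // Held as Object so the instanceof guard is a real check rather than a tautology.
        Object platform = CloudPlatformAccessor.getCloudPlatform();
        if (!(platform instanceof ScpCfCloudPlatform)) {
            throw new ShouldNotHappenException("The current Cloud platform is not an instance of " + ScpCfCloudPlatform.class.getSimpleName() + ". Please make sure to specify a dependency to com.sap.cloud.sdk.cloudplatform:cloudplatform-core-scp-cf.");
        }
        JsonObject xsuaaServiceCredentials = ((ScpCfCloudPlatform) platform).getXsuaaServiceCredentials(decodedJWT);

        // Reads one credential by key and passes it through a check. A missing key now fails with
        // the key name instead of an anonymous NullPointerException from getAsString().
        BiFunction<String, UnaryOperator<String>, String> readCredential = (key, check) ->
            Objects.requireNonNull(check.apply(Objects.requireNonNull(xsuaaServiceCredentials.get(key), key).getAsString()), key);
        String xsuaaUrl = readCredential.apply("url", UnaryOperator.identity());
        String clientId = readCredential.apply("clientid", ClientCredentialsValidator::ensureClientId);
        // The client secret is only handed to ClientCredentials below; it is never logged here.
        String clientSecret = readCredential.apply("clientsecret", ClientCredentialsValidator::ensureClientSecret);

        // asList yields null when the claim is absent or not an array; treat that as "scope not
        // granted" so the caller gets the documented denial instead of a NullPointerException.
        List<String> scopes = decodedJWT.getClaim("scope").asList(String.class);
        if (scopes == null || !scopes.contains("uaa.user")) {
            throw new TokenRequestDeniedException("Unable to get access token: user does not have scope 'uaa.user'. This is mandatory for the user token flow. Please make sure to that this scope is assigned to the user.");
        }

        UserTokenFlow userTokenFlow = new XsuaaTokenFlows(this.tokenService, new XsuaaDefaultEndpoints(URI.create(xsuaaUrl)), new ClientCredentials(clientId, clientSecret)).userTokenFlow().token(decodedJWT.getToken());
        // Any failure, including the "no refresh token" case produced by filter, is re-wrapped by
        // getOrElseThrow with the original exception kept as the cause.
        return Try.of(() -> {
            return userTokenFlow.execute().getRefreshToken();
        }).filter(Objects::nonNull, () -> {
            return new TokenRequestFailedException("Failed to get access token: no valid refresh token found in response of user token flow. Please make sure to correctly bind your application to a XSUAA service instance.");
        }).getOrElseThrow(th -> {
            return new TokenRequestFailedException("Refresh JWT request failed", th);
        });
    }

    /**
     * Builds the JWT validator for one XSUAA configuration.
     *
     * @param oAuth2ServiceConfiguration the binding to validate tokens against
     * @return the validator produced by {@link JwtValidatorBuilder}
     */
    @Nonnull
    static CombiningValidator<Token> getXsuaaValidator(@Nonnull OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        return JwtValidatorBuilder.getInstance(oAuth2ServiceConfiguration).build();
    }

    /**
     * Builds one validator per configuration.
     *
     * @param list the XSUAA configurations; may be empty
     * @return the validators in the same order; empty when {@code list} is empty
     */
    @Nonnull
    static List<CombiningValidator<Token>> loadXsuaaValidators(@Nonnull List<OAuth2ServiceConfiguration> list) {
        if (list.isEmpty()) {
            // Only logged at debug level although it leaves the default facade without validators.
            log.debug("No JWT validators were registered since no XSUAA configuration could be loaded.");
        }
        return list.stream().map(DefaultAuthTokenFacade::getXsuaaValidator).collect(Collectors.toList());
    }

    /**
     * Loads the XSUAA configuration of every service plan from the Cloud Foundry environment.
     *
     * @return the configurations found; empty when the environment cannot be read (logged as
     *     error) or holds no XSUAA binding (logged as warning)
     */
    @Nonnull
    private static List<OAuth2ServiceConfiguration> loadXsuaaConfigurations() {
        Try<CFEnvironment> environment = Try.of(CFEnvironment::getInstance);
        if (!environment.isSuccess()) {
            log.error("Failed to read environment data for XSUAA configuration.", environment.getCause());
            return Collections.emptyList();
        }
        List<OAuth2ServiceConfiguration> configurations = EnumSet.allOf(CFConstants.Plan.class).stream().map(plan -> {
            return environment.get().loadForServicePlan(Service.XSUAA, plan);
        }).filter(Objects::nonNull).peek(configuration -> {
            // Logs plan, client id and application id only; the client secret is not read here.
            log.debug("Found XSUAA service binding with plan {}, client id {} and application id {}.", configuration.getProperty("plan"), configuration.getClientId(), configuration.getProperty("xsappname"));
        }).collect(Collectors.toList());
        if (configurations.isEmpty()) {
            log.warn("Could not find any XSUAA service bindings.");
        }
        return configurations;
    }

    /** Creates a decoder bound to this facade's token service and validators. */
    AuthTokenDecoder getAuthTokenDecoder() {
        return new AuthTokenDecoder(this.tokenService, this.tokenValidators);
    }

    // Decompiler rendering of the compiler-generated hook for deserializing this class's
    // serializable lambdas; it is not hand-written source and is kept verbatim. The boolean/int
    // mixing in the selector `z`, the duplicate `case true` labels and the use of `this` in a
    // static method are decompilation artifacts. Each branch compares the lambda's method kind,
    // functional interface, implementing class and signatures before rebuilding it, and anything
    // unrecognised ends in IllegalArgumentException.
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case -1661939189:
                if (implMethodName.equals("getInstance")) {
                    z = true;
                    break;
                }
                break;
            case 104491183:
                if (implMethodName.equals("lambda$tryGetXsuaaServiceToken$92a23283$1")) {
                    z = false;
                    break;
                }
                break;
            case 1915056426:
                if (implMethodName.equals("lambda$sendTokenRequestAndParseResponse$7d56c3a4$1")) {
                    z = 2;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/sap/cloud/sdk/cloudplatform/security/DefaultAuthTokenFacade") && serializedLambda.getImplMethodSignature().equals("(Lcom/sap/cloud/sdk/cloudplatform/security/AuthTokenDecoder;)Lcom/sap/cloud/sdk/cloudplatform/security/AuthToken;")) {
                    DefaultAuthTokenFacade defaultAuthTokenFacade = (DefaultAuthTokenFacade) serializedLambda.getCapturedArg(0);
                    AuthTokenDecoder authTokenDecoder = (AuthTokenDecoder) serializedLambda.getCapturedArg(1);
                    return () -> {
                        return new AuthTokenRequest(authTokenDecoder, this.tokenService).getXsuaaServiceToken();
                    };
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/sap/cloud/security/config/cf/CFEnvironment") && serializedLambda.getImplMethodSignature().equals("()Lcom/sap/cloud/security/config/cf/CFEnvironment;")) {
                    return CFEnvironment::getInstance;
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/sap/cloud/sdk/cloudplatform/security/DefaultAuthTokenFacade") && serializedLambda.getImplMethodSignature().equals("(Lcom/sap/cloud/security/xsuaa/tokenflows/UserTokenFlow;)Ljava/lang/String;")) {
                    UserTokenFlow userTokenFlow = (UserTokenFlow) serializedLambda.getCapturedArg(0);
                    return () -> {
                        return userTokenFlow.execute().getRefreshToken();
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}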
