package com.azure.security.keyvault.certificates.implementation;

import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.http.HttpPipelineCallContext;
import com.azure.core.http.HttpRequest;
import com.azure.core.http.HttpResponse;
import com.azure.core.http.policy.BearerTokenAuthenticationPolicy;
import com.azure.core.util.BinaryData;
import com.azure.core.util.CoreUtils;
import com.azure.core.util.logging.ClientLogger;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/azure/security/keyvault/certificates/implementation/KeyVaultCredentialPolicy.class */
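/**
 * Pipeline policy that authenticates Key Vault requests from the bearer challenge the service returns.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>While no challenge is known for the request authority, the request is sent with an empty body and
 *       {@code Content-Length: 0}; the real body and Content-Length are stashed in the pipeline context so the
 *       payload is not transmitted before a challenge has been received and checked.</li>
 *   <li>On the 401, the {@code WWW-Authenticate: Bearer ...} header is parsed for {@code resource} (turned into
 *       {@code <resource>/.default}) or {@code scope}, and {@code authorization} / {@code authorization_uri}.</li>
 *   <li>Unless {@code disableChallengeResourceVerification} is set, the request host must be a subdomain of the
 *       challenge resource's host; a mismatch is rejected (see https://aka.ms/azsdk/blog/vault-uri). This is the
 *       guard against a token for the vault being sent to a host that merely returned a vault-looking challenge.</li>
 *   <li>The parsed challenge is cached per request authority, the stashed body is restored, and a token is
 *       requested for the challenge's scope and tenant.</li>
 * </ol>
 *
 * <p>Thread-safety: {@code CHALLENGE_CACHE} is a {@link ConcurrentMap} shared by all instances. {@code challenge}
 * is a plain instance field; concurrent first requests through one instance may each resolve it independently
 * (NOTE(review): presumed benign since both resolve the same authority — confirm). Once set, the instance-level
 * challenge is reused for every request regardless of its authority, so an instance is expected to serve a
 * single vault host.
 */
public class KeyVaultCredentialPolicy extends BearerTokenAuthenticationPolicy {
    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
    private static final String CONTENT_LENGTH_HEADER = "Content-Length";
    private static final String KEY_VAULT_STASHED_CONTENT_KEY = "KeyVaultCredentialPolicyStashedBody";
    private static final String KEY_VAULT_STASHED_CONTENT_LENGTH_KEY = "KeyVaultCredentialPolicyStashedContentLength";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    // NOTE(review): this is the certificates package but the guidance names SecretClientBuilder; the literal is
    // kept verbatim here — confirm against the builder actually exposing disableChallengeResourceVerification().
    private static final String CHALLENGE_RESOURCE_MISMATCH_MESSAGE = "The challenge resource '%s' does not match the requested domain. If you wish to disable this check for your client, pass 'true' to the SecretClientBuilder.disableChallengeResourceVerification() method when building it. See https://aka.ms/azsdk/blog/vault-uri for more information.";
    private static final ClientLogger LOGGER = new ClientLogger(KeyVaultCredentialPolicy.class);
    /** Parsed challenge per request authority ({@code host[:port]}); shared across policy instances. */
    private static final ConcurrentMap<String, ChallengeParameters> CHALLENGE_CACHE = new ConcurrentHashMap<>();

    private final boolean disableChallengeResourceVerification;
    /** Challenge resolved for this instance; see the class note on how it is shared. */
    private ChallengeParameters challenge;

    /** Immutable view of one parsed bearer challenge: where tokens come from, for which tenant, with which scopes. */
    private static final class ChallengeParameters {
        private final URI authorizationUri;
        private final String tenantId;
        private final String[] scopes;

        /**
         * @param authorizationUri the challenge's {@code authorization} URI; its first path segment is the tenant id.
         * @param scopes           token scopes to request.
         * @throws IllegalArgumentException if the URI has no non-empty first path segment.
         */
        ChallengeParameters(URI authorizationUri, String[] scopes) {
            this.authorizationUri = authorizationUri;
            this.tenantId = tenantIdFrom(authorizationUri);
            this.scopes = scopes;
        }

        /**
         * First path segment of the authorization URI ({@code https://login.../<tenant>}).
         * Replaces the bare {@code split("/")[1]}, which threw ArrayIndexOutOfBounds on a path-less URI.
         */
        private static String tenantIdFrom(URI authorizationUri) {
            String path = authorizationUri.getPath();
            String[] segments = path == null ? new String[0] : path.split("/");
            // segments[0] is the empty string before the leading '/'; the tenant is the segment after it.
            if (segments.length < 2 || segments[1].isEmpty()) {
                throw LOGGER.logExceptionAsError(new IllegalArgumentException(String.format(
                    "The challenge authorization URI '%s' does not contain a tenant id path segment.",
                    authorizationUri)));
            }
            return segments[1];
        }

        public URI getAuthorizationUri() {
            return this.authorizationUri;
        }

        public String[] getScopes() {
            return this.scopes;
        }

        public String getTenantId() {
            return this.tenantId;
        }
    }

    /**
     * @param credential                           credential used to obtain bearer tokens for the challenge scope.
     * @param disableChallengeResourceVerification when {@code true}, skip the check that the request host is a
     *                                             subdomain of the challenge resource's host.
     */
    public KeyVaultCredentialPolicy(TokenCredential credential, boolean disableChallengeResourceVerification) {
        super(credential, new String[0]);
        this.disableChallengeResourceVerification = disableChallengeResourceVerification;
    }

    /**
     * Parses the parameters of a {@code Bearer} challenge into a lower-cased key/value map.
     *
     * <p>The whole header is lower-cased (so values such as the authorization URI come back lower-cased too),
     * the prefix is stripped by length rather than by replace-all, parameters are split on commas with optional
     * whitespace, and each parameter is split on its first {@code =} only, so values containing {@code =} survive.
     * Parameters without a value are skipped instead of throwing.
     *
     * @param header the {@code WWW-Authenticate} value, may be {@code null}.
     * @param prefix the scheme prefix expected at the start of the header, e.g. {@code "Bearer "}.
     * @return the parsed parameters, or an empty map if the header is not a challenge for {@code prefix}.
     */
    private static Map<String, String> extractChallengeAttributes(String header, String prefix) {
        if (!isBearerChallenge(header, prefix)) {
            return Collections.emptyMap();
        }
        String parameters = header.toLowerCase(Locale.ROOT).substring(prefix.length());
        Map<String, String> attributes = new HashMap<>();
        for (String parameter : parameters.split(",")) {
            String[] keyValue = parameter.trim().split("=", 2);
            if (keyValue.length != 2) {
                continue; // malformed parameter (no '='); ignore rather than fail the whole challenge
            }
            String key = keyValue[0].trim().replace("\"", "");
            String value = keyValue[1].trim().replace("\"", "");
            if (!key.isEmpty()) {
                attributes.put(key, value);
            }
        }
        return attributes;
    }

    /** Case-insensitive check that {@code header} is non-empty and starts with {@code prefix}. */
    private static boolean isBearerChallenge(String header, String prefix) {
        return !CoreUtils.isNullOrEmpty(header)
            && header.toLowerCase(Locale.ROOT).startsWith(prefix.toLowerCase(Locale.ROOT));
    }

    /**
     * Async pre-send hook. With a known challenge, sets the Authorization header; otherwise withholds the body
     * (stashing it in the context) so the probe request goes out empty.
     */
    public Mono<Void> authorizeRequest(HttpPipelineCallContext context) {
        return Mono.defer(() -> {
            HttpRequest request = context.getHttpRequest();
            ChallengeParameters known = resolveCachedChallenge(request);
            if (known != null) {
                return setAuthorizationHeader(context, tokenRequestFor(known));
            }
            if (!context.getData(KEY_VAULT_STASHED_CONTENT_KEY).isPresent() && request.getBody() != null) {
                stashBody(context, request, request.getBody());
                request.setBody((Flux<ByteBuffer>) null);
            }
            return Mono.empty();
        });
    }

    /**
     * Async 401 hook. Restores any stashed body, resolves the challenge from the response (or the cache when the
     * response carries no scope) and, if one is available, sets the Authorization header for a retry.
     *
     * @return {@code true} if the request was re-authorized and should be retried, {@code false} otherwise.
     * @throws RuntimeException if the challenge resource does not match the request host (unless verification is
     *                          disabled), or the challenge's authorization URI is missing or invalid.
     */
    public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context, HttpResponse response) {
        return Mono.defer(() -> {
            HttpRequest request = context.getHttpRequest();
            Optional<Object> stashed = context.getData(KEY_VAULT_STASHED_CONTENT_KEY);
            if (request.getBody() == null && stashed.isPresent()) {
                @SuppressWarnings("unchecked")
                Flux<ByteBuffer> body = (Flux<ByteBuffer>) stashed.get();
                request.setBody(body);
                restoreContentLength(context, request);
            }
            this.challenge = resolveChallenge(request, response);
            if (this.challenge == null) {
                return Mono.just(false);
            }
            return setAuthorizationHeader(context, tokenRequestFor(this.challenge)).then(Mono.just(true));
        });
    }

    /** Sync counterpart of {@link #authorizeRequest}; the body is handled as {@link BinaryData}. */
    public void authorizeRequestSync(HttpPipelineCallContext context) {
        HttpRequest request = context.getHttpRequest();
        ChallengeParameters known = resolveCachedChallenge(request);
        if (known != null) {
            setAuthorizationHeaderSync(context, tokenRequestFor(known));
            return;
        }
        if (context.getData(KEY_VAULT_STASHED_CONTENT_KEY).isPresent() || request.getBodyAsBinaryData() == null) {
            return;
        }
        stashBody(context, request, request.getBodyAsBinaryData());
        request.setBody((BinaryData) null);
    }

    /**
     * Sync counterpart of {@link #authorizeRequestOnChallenge}.
     *
     * @return {@code true} if the request was re-authorized and should be retried, {@code false} otherwise.
     */
    public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext context, HttpResponse response) {
        HttpRequest request = context.getHttpRequest();
        Optional<Object> stashed = context.getData(KEY_VAULT_STASHED_CONTENT_KEY);
        if (request.getBody() == null && stashed.isPresent()) {
            request.setBody((BinaryData) stashed.get());
            restoreContentLength(context, request);
        }
        this.challenge = resolveChallenge(request, response);
        if (this.challenge == null) {
            return false;
        }
        setAuthorizationHeaderSync(context, tokenRequestFor(this.challenge));
        return true;
    }

    /** Drops every cached challenge. Instance-level {@code challenge} fields are not reset by this. */
    public static void clearCache() {
        CHALLENGE_CACHE.clear();
    }

    /** Returns the instance challenge, populating it from the per-authority cache on first use. */
    private ChallengeParameters resolveCachedChallenge(HttpRequest request) {
        if (this.challenge == null) {
            this.challenge = CHALLENGE_CACHE.get(getRequestAuthority(request));
        }
        return this.challenge;
    }

    /** Builds the token request for a challenge: its scopes and its tenant. */
    private static TokenRequestContext tokenRequestFor(ChallengeParameters parameters) {
        return new TokenRequestContext().addScopes(parameters.getScopes()).setTenantId(parameters.getTenantId());
    }

    /**
     * Stashes {@code body} and the current Content-Length in the context and marks the outgoing request as empty.
     * The caller clears the request body itself, since the async and sync paths use different body types.
     */
    private static void stashBody(HttpPipelineCallContext context, HttpRequest request, Object body) {
        context.setData(KEY_VAULT_STASHED_CONTENT_KEY, body);
        context.setData(KEY_VAULT_STASHED_CONTENT_LENGTH_KEY, request.getHeaders().getValue(CONTENT_LENGTH_HEADER));
        request.setHeader(CONTENT_LENGTH_HEADER, "0");
    }

    /**
     * Puts back the Content-Length stashed by the probe, or removes the placeholder {@code 0} when the original
     * request carried no Content-Length (previously such a request was retried with its body still withheld,
     * because the restore was gated on the stashed length being present).
     */
    private static void restoreContentLength(HttpPipelineCallContext context, HttpRequest request) {
        Optional<Object> length = context.getData(KEY_VAULT_STASHED_CONTENT_LENGTH_KEY);
        if (length.isPresent()) {
            request.setHeader(CONTENT_LENGTH_HEADER, (String) length.get());
        } else {
            request.getHeaders().remove(CONTENT_LENGTH_HEADER);
        }
    }

    /**
     * Resolves the challenge for a 401 response: parses it, verifies it against the request host and caches it.
     * A response without {@code resource}/{@code scope} falls back to the cached challenge for the authority.
     *
     * @return the challenge to authorize with, or {@code null} if none is available.
     * @throws RuntimeException on resource/host mismatch (when verification is enabled), or when the
     *                          {@code authorization} URI is missing or invalid.
     */
    private ChallengeParameters resolveChallenge(HttpRequest request, HttpResponse response) {
        String requestAuthority = getRequestAuthority(request);
        Map<String, String> attributes
            = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
        String resource = attributes.get("resource");
        String scope = resource != null ? resource + "/.default" : attributes.get("scope");
        if (scope == null) {
            return CHALLENGE_CACHE.get(requestAuthority);
        }
        // Fail closed before any token is requested for a host that does not belong to the challenge's domain.
        if (!this.disableChallengeResourceVerification && !isChallengeResourceValid(request, scope)) {
            throw LOGGER.logExceptionAsError(
                new RuntimeException(String.format(CHALLENGE_RESOURCE_MISMATCH_MESSAGE, scope)));
        }
        String authorization = attributes.get("authorization");
        if (authorization == null) {
            authorization = attributes.get("authorization_uri");
        }
        if (authorization == null) {
            // Previously this reached new URI(null) and surfaced as a NullPointerException.
            throw LOGGER.logExceptionAsError(new RuntimeException(
                "The challenge does not contain an 'authorization' or 'authorization_uri' parameter."));
        }
        try {
            ChallengeParameters parsed = new ChallengeParameters(new URI(authorization), new String[] { scope });
            CHALLENGE_CACHE.put(requestAuthority, parsed);
            return parsed;
        } catch (URISyntaxException e) {
            throw LOGGER.logExceptionAsError(new RuntimeException(
                String.format("The challenge authorization URI '%s' is invalid.", authorization), e));
        }
    }

    /**
     * Cache key for a request: {@code URL.getAuthority()}, with the port appended only when the URL reports one
     * that the authority string does not already contain.
     */
    private static String getRequestAuthority(HttpRequest request) {
        URL url = request.getUrl();
        String authority = url.getAuthority();
        int port = url.getPort();
        if (port > 0 && !authority.contains(":")) {
            return authority + ":" + port;
        }
        return authority;
    }

    /**
     * Whether the request host is a subdomain of the challenge resource's host (compared case-insensitively).
     * A resource URI without a host yields {@code false} (fail closed) instead of the NullPointerException the
     * previous implementation raised.
     *
     * @throws RuntimeException if {@code scope} is not a syntactically valid URI.
     */
    private static boolean isChallengeResourceValid(HttpRequest request, String scope) {
        String scopeHost;
        try {
            scopeHost = new URI(scope).getHost();
        } catch (URISyntaxException e) {
            throw LOGGER.logExceptionAsError(new RuntimeException(
                String.format("The challenge resource '%s' is not a valid URI.", scope), e));
        }
        String requestHost = request.getUrl().getHost();
        if (scopeHost == null || scopeHost.isEmpty() || requestHost == null) {
            return false;
        }
        return requestHost.toLowerCase(Locale.ROOT).endsWith("." + scopeHost.toLowerCase(Locale.ROOT));
    }
}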
