package org.springframework.credhub.core;

import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.client.support.HttpRequestWrapper;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/credhub/core/CredHubOAuth2RequestInterceptor.class */
/**
 * {@link ClientHttpRequestInterceptor} that attaches an OAuth2 bearer token to every request it
 * intercepts. The token is obtained with the client-credentials grant for the configured
 * {@link ClientRegistration} and kept in the supplied {@link OAuth2AuthorizedClientService}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A stored token is replaced once the current time is later than its expiry minus a
 *       one-minute skew, so a token is not sent in its final minute of validity.</li>
 *   <li>A token whose {@code getExpiresAt()} is {@code null} is never treated as expiring and
 *       is reused for as long as the authorized-client service returns it.</li>
 *   <li>No locking is done here; callers that race on an expiring token may each request a
 *       new one. NOTE(review): whether that is safe depends on the
 *       {@code OAuth2AuthorizedClientService} implementation, which is not shown here.</li>
 * </ul>
 */
class CredHubOAuth2RequestInterceptor implements ClientHttpRequestInterceptor {
    private final ClientRegistration clientRegistration;
    private final OAuth2AuthorizedClientService authorizedClientService;
    private final DefaultClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient;
    // Time source for the expiry check; fixed to UTC system time.
    private final Clock clock = Clock.systemUTC();
    // Safety margin subtracted from the token expiry before deciding to fetch a new token.
    private final Duration accessTokenExpiresSkew = Duration.ofMinutes(1);

    /**
     * Authentication object handed to the authorized-client service when a freshly issued
     * token is saved. It carries no granted authorities.
     *
     * <p>Decompiler note: JADX reports that this class's access modifier was changed from
     * {@code private}.
     */
    public static class OAuth2ClientCredentialsGrantAuthenticationToken extends AbstractAuthenticationToken {
        private final ClientRegistration clientRegistration;
        private final OAuth2AccessToken accessToken;

        OAuth2ClientCredentialsGrantAuthenticationToken(ClientRegistration clientRegistration, OAuth2AccessToken oAuth2AccessToken) {
            super(Collections.emptyList());
            this.accessToken = oAuth2AccessToken;
            this.clientRegistration = clientRegistration;
        }

        /**
         * @return the raw access-token value; this is a live credential, so anything that
         *         serialises or logs the returned object exposes the token
         */
        public Object getCredentials() {
            OAuth2AccessToken token = this.accessToken;
            return token.getTokenValue();
        }

        /**
         * @return the client id of the registration the token was issued for
         */
        public Object getPrincipal() {
            ClientRegistration registration = this.clientRegistration;
            return registration.getClientId();
        }
    }

    /**
     * Creates the interceptor.
     *
     * <p>Decompiler note: JADX reports that this constructor's access modifier was changed to
     * {@code package-private}.
     *
     * @param restOperations client used for the token-endpoint call
     * @param clientRegistration registration that is passed to the client-credentials grant
     * @param oAuth2AuthorizedClientService store that authorized clients are loaded from and saved to
     */
    public CredHubOAuth2RequestInterceptor(RestOperations restOperations, ClientRegistration clientRegistration, OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        this.clientRegistration = clientRegistration;
        this.authorizedClientService = oAuth2AuthorizedClientService;
        this.clientCredentialsTokenResponseClient = createClientCredentialsTokenResponseClient(restOperations);
    }

    /**
     * Wraps the outgoing request, sets its bearer-auth header to the current access token and
     * passes it on for execution.
     *
     * @param httpRequest the request being sent
     * @param bArr the request body
     * @param clientHttpRequestExecution the remainder of the execution chain
     * @return the response produced by the execution chain
     * @throws IOException declared by the interceptor contract; propagated from execution
     */
    public ClientHttpResponse intercept(HttpRequest httpRequest, byte[] bArr, ClientHttpRequestExecution clientHttpRequestExecution) throws IOException {
        // The wrapper is created before the token lookup, as in the original statement order.
        HttpRequestWrapper authenticatedRequest = new HttpRequestWrapper(httpRequest);
        String bearerValue = getAccessToken().getTokenValue();
        authenticatedRequest.getHeaders().setBearerAuth(bearerValue);
        return clientHttpRequestExecution.execute(authenticatedRequest, bArr);
    }

    /**
     * Returns the stored access token when one exists and is not about to expire; otherwise
     * requests a new one.
     */
    private OAuth2AccessToken getAccessToken() {
        String registrationId = this.clientRegistration.getRegistrationId();
        String clientId = this.clientRegistration.getClientId();
        OAuth2AuthorizedClient stored = this.authorizedClientService.loadAuthorizedClient(registrationId, clientId);
        boolean reusable = stored != null && !tokenExpiring(stored);
        OAuth2AuthorizedClient current = reusable ? stored : authorizeClient();
        return current.getAccessToken();
    }

    /**
     * Runs the client-credentials grant, saves the resulting authorized client and returns it.
     * The client id doubles as the principal name of the authorized client.
     */
    private OAuth2AuthorizedClient authorizeClient() {
        OAuth2ClientCredentialsGrantRequest grantRequest = new OAuth2ClientCredentialsGrantRequest(this.clientRegistration);
        OAuth2AccessTokenResponse response = this.clientCredentialsTokenResponseClient.getTokenResponse(grantRequest);
        OAuth2AccessToken issuedToken = response.getAccessToken();
        OAuth2AuthorizedClient freshClient = new OAuth2AuthorizedClient(
                this.clientRegistration,
                this.clientRegistration.getClientId(),
                issuedToken,
                response.getRefreshToken());
        saveAuthorizedClient(this.clientRegistration, issuedToken, freshClient);
        return freshClient;
    }

    /**
     * Decides whether the client's access token should be replaced.
     *
     * @return {@code true} when the token has an expiry and the current time is after that
     *         expiry minus the skew; {@code false} otherwise, including when the token has
     *         no expiry at all
     */
    private boolean tokenExpiring(OAuth2AuthorizedClient authorizedClient) {
        Instant now = this.clock.instant();
        Instant expiry = authorizedClient.getAccessToken().getExpiresAt();
        if (expiry == null) {
            // No expiry recorded: the token is kept and never refreshed by this check.
            return false;
        }
        Instant refreshThreshold = expiry.minus(this.accessTokenExpiresSkew);
        return now.isAfter(refreshThreshold);
    }

    /**
     * Stores the authorized client, using a client-credentials authentication token built from
     * the registration and access token as the principal.
     */
    private void saveAuthorizedClient(ClientRegistration registration, OAuth2AccessToken token, OAuth2AuthorizedClient authorizedClient) {
        OAuth2ClientCredentialsGrantAuthenticationToken principal =
                new OAuth2ClientCredentialsGrantAuthenticationToken(registration, token);
        this.authorizedClientService.saveAuthorizedClient(authorizedClient, principal);
    }

    /**
     * Builds the token-response client and points it at the given {@link RestOperations}, so
     * the token request goes through the caller-supplied HTTP client.
     */
    private static DefaultClientCredentialsTokenResponseClient createClientCredentialsTokenResponseClient(RestOperations restOperations) {
        DefaultClientCredentialsTokenResponseClient tokenClient = new DefaultClientCredentialsTokenResponseClient();
        tokenClient.setRestOperations(restOperations);
        return tokenClient;
    }
}
