package com.palantir.foundry.sql.multipass.oauth.flow;

import com.palantir.foundry.sql.multipass.oauth.client.MultipassOAuth2Service;
import com.palantir.foundry.sql.multipass.oauth.client.TokenResponse;
import com.palantir.logsafe.Arg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.function.Supplier;
import shadow.palantir.driver.com.google.common.collect.ImmutableMap;
import shadow.palantir.driver.com.google.common.hash.HashFunction;
import shadow.palantir.driver.com.google.common.hash.Hashing;
import shadow.palantir.driver.com.palantir.tokens.auth.BearerToken;
import shadow.palantir.driver.org.apache.hc.core5.net.URIBuilder;

/* loaded from: input_file:com/palantir/foundry/sql/multipass/oauth/flow/FoundryOAuthFlow.class */
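/**
 * Drives the OAuth 2.0 authorization-code flow with PKCE (S256) and the refresh-token grant
 * against a Multipass token endpoint.
 *
 * <p>The interactive flow opens the system browser on the authorization endpoint and waits for
 * the authorization code on a loopback ({@code 127.0.0.1}) callback server; the code is then
 * exchanged at the token endpoint together with the PKCE code verifier. The optional client
 * secret, when configured, is sent as a form parameter on every token request.
 */
public final class FoundryOAuthFlow {
    // Form / query parameter names.
    private static final String CLIENT_ID_KEY = "client_id";
    private static final String CLIENT_SECRET_KEY = "client_secret";
    private static final String GRANT_TYPE_KEY = "grant_type";
    private static final String REFRESH_TOKEN_KEY = "refresh_token";
    private static final String CODE_VERIFIER_KEY = "code_verifier";
    private static final String AUTHORIZATION_CODE_KEY = "code";
    private static final String REDIRECT_URI_KEY = "redirect_uri";
    private static final String TOKEN_SCOPE_KEY = "scope";
    private static final String STATE_KEY = "state";
    private static final String CODE_CHALLENGE_METHOD_KEY = "code_challenge_method";
    private static final String CODE_CHALLENGE_KEY = "code_challenge";
    private static final String RESPONSE_TYPE_KEY = "response_type";

    // Loopback redirect target; the port is chosen per instance.
    private static final String REDIRECT_HOST = "http://127.0.0.1";
    private static final String REDIRECT_PATH = "/foundrydriver/oauthredirect";
    private static final String TOKEN_SCOPE = "foundry-sql-server:query offline_access";
    private static final String CODE_CHALLENGE_METHOD = "S256";
    private static final String RESPONSE_TYPE = "code";
    private static final String AUTHORIZE_GRANT_TYPE = "authorization_code";
    private static final String REFRESH_GRANT_TYPE = "refresh_token";

    // PKCE S256: code_challenge = base64url-without-padding(SHA-256(code_verifier)).
    private static final HashFunction CODE_CHALLENGE_HASHER = Hashing.sha256();
    private static final Base64.Encoder CODE_CHALLENGE_ENCODER = Base64.getUrlEncoder().withoutPadding();

    private final String clientId;
    private final Optional<String> clientSecret;
    private final String authorizeEndpoint;
    private final int redirectPort;
    private final String redirectUri;
    private final MultipassOAuth2Service oAuth2Service;
    private final Supplier<String> stateSupplier;

    /**
     * Creates a flow bound to one client registration.
     *
     * @param clientId value sent as {@code client_id} on every request
     * @param clientSecret optional secret sent as {@code client_secret} on token requests when present
     * @param authorizeEndpoint authorization endpoint the browser is sent to
     * @param redirectPort loopback port the callback server listens on
     * @param oAuth2Service token-endpoint client used for the code exchange and for refreshes
     * @param stateSupplier produces the {@code state} value for each authorization request
     * @throws NullPointerException if any reference argument is {@code null}
     */
    public FoundryOAuthFlow(
            String clientId,
            Optional<String> clientSecret,
            String authorizeEndpoint,
            int redirectPort,
            MultipassOAuth2Service oAuth2Service,
            Supplier<String> stateSupplier) {
        this.clientId = Objects.requireNonNull(clientId, "clientId");
        this.clientSecret = Objects.requireNonNull(clientSecret, "clientSecret");
        this.authorizeEndpoint = Objects.requireNonNull(authorizeEndpoint, "authorizeEndpoint");
        this.redirectPort = redirectPort;
        // The same redirect URI is placed on the authorization URL and on the token request.
        this.redirectUri = String.format("%s:%s%s", REDIRECT_HOST, Integer.valueOf(redirectPort), REDIRECT_PATH);
        this.oAuth2Service = Objects.requireNonNull(oAuth2Service, "oAuth2Service");
        this.stateSupplier = Objects.requireNonNull(stateSupplier, "stateSupplier");
    }

    /**
     * Exchanges a refresh token for a new token response using the {@code refresh_token} grant.
     *
     * @param refreshToken refresh token previously issued to this client
     * @return the token endpoint's response
     */
    public TokenResponse refresh(BearerToken refreshToken) {
        ImmutableMap.Builder<String, String> form = ImmutableMap.<String, String>builder()
                .put(CLIENT_ID_KEY, this.clientId)
                .put(GRANT_TYPE_KEY, REFRESH_GRANT_TYPE)
                .put(REFRESH_TOKEN_KEY, refreshToken.getToken());
        return this.oAuth2Service.token(withClientSecret(form));
    }

    /**
     * Runs a complete interactive authorization-code flow: generates a fresh PKCE code verifier,
     * obtains an authorization code through the browser and loopback callback, and exchanges
     * that code for tokens.
     *
     * @return the token endpoint's response for the exchanged authorization code
     * @throws SafeRuntimeException if authorization fails (see {@link #authorize(String)})
     */
    public TokenResponse freshOauthFlow() {
        // Code verifier: two random UUIDs (72 characters from the unreserved set 0-9a-f and '-').
        String codeVerifier = UUID.randomUUID().toString() + UUID.randomUUID();
        return token(authorize(codeVerifier), codeVerifier);
    }

    /**
     * Opens the browser on the authorization URL and blocks until the loopback callback server
     * delivers the authorization code.
     *
     * @param codeVerifier PKCE verifier; its S256 challenge is placed on the authorization URL
     * @return the authorization code received by the callback server
     * @throws SafeRuntimeException wrapping any failure of the callback server, browser launch,
     *     URL construction or callback wait
     */
    private String authorize(String codeVerifier) {
        // A fresh state value per attempt; it is handed to the callback server as well as put
        // on the URL (presumably so the server can match the callback to this request — see
        // OAuthCallBackServer).
        String state = this.stateSupplier.get();
        try {
            OAuthCallBackServer callbackServer = new OAuthCallBackServer(REDIRECT_PATH, this.redirectPort, state);
            try {
                WindowsBrowser.browse(buildAuthorizationUrl(
                        this.clientId, this.authorizeEndpoint, this.redirectUri, codeVerifier, state));
                return callbackServer.awaitCallback();
            } finally {
                // Close on every path, including when browse() or awaitCallback() throws; the
                // original only closed after a successful callback.
                callbackServer.close();
            }
        } catch (Exception e) {
            throw new SafeRuntimeException("Failed to authorize", e, new Arg[0]);
        }
    }

    /**
     * Exchanges an authorization code for tokens using the {@code authorization_code} grant.
     *
     * @param authorizationCode code delivered to the callback server
     * @param codeVerifier the PKCE verifier that produced the challenge on the authorization URL
     * @return the token endpoint's response
     */
    private TokenResponse token(String authorizationCode, String codeVerifier) {
        ImmutableMap.Builder<String, String> form = ImmutableMap.<String, String>builder()
                .put(CLIENT_ID_KEY, this.clientId)
                .put(GRANT_TYPE_KEY, AUTHORIZE_GRANT_TYPE)
                .put(CODE_VERIFIER_KEY, codeVerifier)
                .put(AUTHORIZATION_CODE_KEY, authorizationCode)
                .put(REDIRECT_URI_KEY, this.redirectUri);
        return this.oAuth2Service.token(withClientSecret(form));
    }

    /**
     * Adds {@code client_secret} to the form when one was configured and builds it; shared by the
     * authorization-code exchange and the refresh grant so both send the secret the same way.
     */
    private ImmutableMap<String, String> withClientSecret(ImmutableMap.Builder<String, String> form) {
        this.clientSecret.ifPresent(secret -> form.put(CLIENT_SECRET_KEY, secret));
        return form.buildOrThrow();
    }

    /**
     * Builds the authorization URL for the browser.
     *
     * @param clientId value for {@code client_id}
     * @param authorizeEndpoint base authorization endpoint
     * @param redirectUri value for {@code redirect_uri}
     * @param codeVerifier PKCE verifier; only its S256 challenge is placed on the URL
     * @param state value for {@code state}
     * @return the authorization URL with all query parameters added
     * @throws URISyntaxException if the endpoint or the resulting URL is not a valid URI
     */
    private static URI buildAuthorizationUrl(
            String clientId, String authorizeEndpoint, String redirectUri, String codeVerifier, String state)
            throws URISyntaxException {
        return new URIBuilder(authorizeEndpoint)
                .addParameter(CLIENT_ID_KEY, clientId)
                .addParameter(TOKEN_SCOPE_KEY, TOKEN_SCOPE)
                .addParameter(STATE_KEY, state)
                .addParameter(CODE_CHALLENGE_METHOD_KEY, CODE_CHALLENGE_METHOD)
                .addParameter(CODE_CHALLENGE_KEY, codeChallenge(codeVerifier))
                .addParameter(REDIRECT_URI_KEY, redirectUri)
                .addParameter(RESPONSE_TYPE_KEY, RESPONSE_TYPE)
                .build();
    }

    /**
     * Computes the PKCE S256 code challenge: base64url (no padding) of the SHA-256 digest of the
     * verifier's UTF-8 bytes. The verifier itself never leaves the client until the token exchange.
     */
    private static String codeChallenge(String codeVerifier) {
        byte[] digest = CODE_CHALLENGE_HASHER.hashString(codeVerifier, StandardCharsets.UTF_8).asBytes();
        return new String(CODE_CHALLENGE_ENCODER.encode(digest), StandardCharsets.UTF_8);
    }
}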
