package com.okta.sdk.impl.oauth2;

import com.okta.commons.http.authc.DisabledAuthenticator;
import com.okta.commons.lang.Assert;
import com.okta.commons.lang.Strings;
import com.okta.sdk.authc.credentials.ClientCredentials;
import com.okta.sdk.client.AuthenticationScheme;
import com.okta.sdk.client.AuthorizationMode;
import com.okta.sdk.impl.api.DefaultClientCredentialsResolver;
import com.okta.sdk.impl.config.ClientConfiguration;
import com.okta.sdk.impl.error.DefaultError;
import com.okta.sdk.impl.util.ConfigUtil;
import com.okta.sdk.resource.ExtensibleResource;
import com.okta.sdk.resource.ResourceException;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import j$.time.Instant;
import j$.time.temporal.ChronoUnit;
import j$.util.DesugarDate;
import j$.util.Optional;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.util.UUID;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes7.dex */
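public class AccessTokenRetrieverServiceImpl implements AccessTokenRetrieverService {

    /** Token endpoint path; appended to the configured base URL for both the JWT audience and the POST. */
    private static final String TOKEN_URI = "/oauth2/v1/token";

    /**
     * Lifetime (exp - iat) of the client-assertion JWT. Kept short on purpose: a new assertion is
     * minted for every token request, so a leaked one is only usable for this window.
     */
    private static final long ASSERTION_LIFETIME_MINUTES = 50L;

    private static final Logger log = LoggerFactory.getLogger(AccessTokenRetrieverServiceImpl.class);

    /** HTTP client used only for the token request; built from {@link #tokenClientConfiguration}. */
    private final OAuth2TokenClient tokenClient;

    /** Stripped-down copy of the caller's configuration holding only what the token request needs. */
    private final ClientConfiguration tokenClientConfiguration;

    /**
     * Creates a retriever whose token client is derived from {@code clientConfiguration}.
     *
     * @param clientConfiguration the API client configuration (client id, scopes, private key, kid, base URL, proxy)
     * @throws IllegalArgumentException if {@code clientConfiguration} is {@code null}
     */
    public AccessTokenRetrieverServiceImpl(ClientConfiguration clientConfiguration) {
        Assert.notNull(clientConfiguration, "apiClientConfiguration must not be null.");
        ClientConfiguration tokenConfig = constructTokenClientConfig(clientConfiguration);
        this.tokenClient = new OAuth2TokenClient(tokenConfig);
        this.tokenClientConfiguration = tokenConfig;
    }

    /**
     * Creates a retriever that uses a caller-supplied token client (e.g. for testing).
     *
     * @param clientConfiguration the API client configuration
     * @param oAuth2TokenClient the HTTP client to send the token request with
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public AccessTokenRetrieverServiceImpl(ClientConfiguration clientConfiguration, OAuth2TokenClient oAuth2TokenClient) {
        Assert.notNull(clientConfiguration, "apiClientConfiguration must not be null.");
        Assert.notNull(oAuth2TokenClient, "tokenClient must not be null.");
        this.tokenClient = oAuth2TokenClient;
        this.tokenClientConfiguration = constructTokenClientConfig(clientConfiguration);
    }

    /**
     * Opens a reader over the configured private key.
     *
     * <p>The {@code privateKey} setting is either inline PEM text or a path to a PEM file; which one is
     * decided by {@link ConfigUtil#hasPrivateKeyContentWrapper(String)}. The returned reader is closed by
     * the {@link PEMParser} in {@link #getPrivateKeyFromPEM(Reader)}.
     *
     * @return a reader positioned at the start of the PEM content
     * @throws IOException if the key file cannot be opened
     */
    private Reader getPemReader() throws IOException {
        String privateKey = this.tokenClientConfiguration.getPrivateKey();
        if (ConfigUtil.hasPrivateKeyContentWrapper(privateKey)) {
            // Inline PEM content: no file system access involved.
            return new StringReader(privateKey);
        }
        // Treat the value as a file path. PEM is ASCII, so decode with a fixed charset instead of the
        // platform default, which varies between hosts and could silently corrupt the parse.
        return Files.newBufferedReader(Paths.get(privateKey), StandardCharsets.UTF_8);
    }

    /**
     * Builds the configuration for the token-endpoint client from the caller's API configuration.
     *
     * <p>Only the fields needed to mint and send a client assertion are copied (client id, scopes,
     * private key, kid, base URL resolver, proxy). Caching and request authentication are disabled:
     * the token request authenticates itself with the {@code client_assertion} parameter, and
     * credentials resolve to empty so nothing else is attached to it.
     *
     * @param clientConfiguration the source configuration
     * @return a fresh configuration for the token client
     */
    ClientConfiguration constructTokenClientConfig(ClientConfiguration clientConfiguration) {
        ClientConfiguration tokenConfig = new ClientConfiguration();

        // The token request carries no API credentials of its own; the JWT assertion is the credential.
        tokenConfig.setClientCredentialsResolver(new DefaultClientCredentialsResolver((ClientCredentials) () -> Optional.empty()));
        tokenConfig.setRequestAuthenticator(new DisabledAuthenticator());
        tokenConfig.setCacheManagerEnabled(false);

        if (clientConfiguration.getBaseUrlResolver() != null) {
            tokenConfig.setBaseUrlResolver(clientConfiguration.getBaseUrlResolver());
        }
        if (clientConfiguration.getProxy() != null) {
            tokenConfig.setProxy(clientConfiguration.getProxy());
        }

        tokenConfig.setAuthenticationScheme(AuthenticationScheme.NONE);
        tokenConfig.setAuthorizationMode(AuthorizationMode.get(tokenConfig.getAuthenticationScheme()));
        tokenConfig.setClientId(clientConfiguration.getClientId());
        tokenConfig.setScopes(clientConfiguration.getScopes());
        tokenConfig.setPrivateKey(clientConfiguration.getPrivateKey());
        tokenConfig.setKid(clientConfiguration.getKid());

        // Single attempt, no retry window: presumably so each call mints a fresh assertion (new jti)
        // instead of replaying one on retry — confirm against the retry policy of the HTTP layer.
        tokenConfig.setRetryMaxElapsed(0);
        tokenConfig.setRetryMaxAttempts(1);
        return tokenConfig;
    }

    /**
     * Mints the {@code client_assertion} JWT for the private-key-JWT client-credentials grant.
     *
     * <p>Claims: {@code aud} = base URL + token path, {@code iss} = {@code sub} = client id, {@code iat} = now,
     * {@code exp} = now + {@link #ASSERTION_LIFETIME_MINUTES}, {@code jti} = random UUID. The JWT is signed with
     * the configured private key; the signing algorithm is chosen by the JWT library from the key type.
     * A {@code kid} header is added only when one is configured.
     *
     * @return the compact serialized, signed JWT
     * @throws InvalidKeyException if the configured key is not RSA or EC
     * @throws IOException if the key cannot be read
     */
    String createSignedJWT() throws InvalidKeyException, IOException {
        String clientId = this.tokenClientConfiguration.getClientId();
        // The reader from getPemReader() is closed inside getPrivateKeyFromPEM via the PEMParser.
        PrivateKey privateKey = parsePrivateKey(getPemReader());
        Instant now = Instant.now();
        // Instant#plus — the decompiled listing shows this call under an obfuscated name; a 50-minute
        // expiry after iat is what the upstream SDK uses.
        Instant expiresAt = now.plus(ASSERTION_LIFETIME_MINUTES, ChronoUnit.MINUTES);

        JwtBuilder builder = Jwts.builder()
            .setAudience(this.tokenClientConfiguration.getBaseUrl() + TOKEN_URI)
            .setIssuedAt(DesugarDate.from(now))
            .setExpiration(DesugarDate.from(expiresAt))
            .setIssuer(clientId)
            .setSubject(clientId)
            // Unique per assertion so the authorization server can reject replays.
            .claim("jti", UUID.randomUUID().toString())
            .signWith(privateKey);

        if (Strings.hasText(this.tokenClientConfiguration.getKid())) {
            builder.setHeaderParam("kid", this.tokenClientConfiguration.getKid());
        }
        return builder.compact();
    }

    /**
     * Requests an access token from the token endpoint using the client-credentials grant with a
     * signed JWT client assertion.
     *
     * <p>Only the client id and endpoint URL are logged; the assertion and the returned access token
     * are not, and this must stay so. An HTTP error from the endpoint is rethrown as
     * {@link OAuth2HttpException} with the server's {@code error}/{@code error_description} folded into
     * the message and a flag marking a 401; any other failure (including key parsing) is wrapped in
     * {@link OAuth2TokenRetrieverException}.
     *
     * @return the parsed token response
     * @throws OAuth2TokenRetrieverException on any failure; {@link OAuth2HttpException} for an HTTP error response
     */
    @Override // com.okta.sdk.impl.oauth2.AccessTokenRetrieverService
    public OAuth2AccessToken getOAuth2AccessToken() throws IOException, InvalidKeyException, OAuth2TokenRetrieverException {
        String clientId = this.tokenClientConfiguration.getClientId();
        String tokenUrl = this.tokenClientConfiguration.getBaseUrl() + TOKEN_URI;
        log.debug("Attempting to get OAuth2 access token for client id {} from {}", clientId, tokenUrl);
        try {
            // NOTE(review): the grant parameters (including the signed assertion) are added with
            // addQueryParameter while Content-Type is form-urlencoded. Confirm the HTTP layer emits them
            // in the POST body for this content type; if they went into the URL they would land in
            // proxy/server access logs.
            ExtensibleResource response = (ExtensibleResource) this.tokenClient.http()
                .addHeaderParameter("Accept", "application/json")
                .addHeaderParameter("Content-Type", "application/x-www-form-urlencoded")
                .addQueryParameter("grant_type", "client_credentials")
                .addQueryParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
                .addQueryParameter("client_assertion", createSignedJWT())
                .addQueryParameter("scope", String.join(" ", this.tokenClientConfiguration.getScopes()))
                .post(TOKEN_URI, ExtensibleResource.class);

            OAuth2AccessToken accessToken = new OAuth2AccessToken();
            accessToken.setTokenType(response.getString("token_type"));
            accessToken.setExpiresIn(response.getInteger("expires_in"));
            accessToken.setAccessToken(response.getString("access_token"));
            accessToken.setScope(response.getString("scope"));
            log.debug("Got OAuth2 access token for client id {} from {}", clientId, tokenUrl);
            return accessToken;
        } catch (ResourceException e) {
            // Surface the OAuth2 error code and description from the response body in the message.
            DefaultError error = (DefaultError) e.getError();
            error.setMessage(error.getString("error") + " - " + error.getString("error_description"));
            throw new OAuth2HttpException(error, e, e.getStatus() == 401);
        } catch (Exception e) {
            // Covers key-parsing failures from createSignedJWT() as well as transport errors; the cause is kept.
            throw new OAuth2TokenRetrieverException("Exception while trying to get OAuth2 access token for client id " + clientId, e);
        }
    }

    /**
     * Parses a PEM-encoded private key.
     *
     * <p>Accepts a {@link PEMKeyPair} (only the private half is kept) or a PKCS#8 {@link PrivateKeyInfo}.
     * Anything else — an empty/invalid file or an unsupported object type, presumably including
     * password-protected PEM — is rejected with {@link IllegalArgumentException}. The parser, and with
     * it {@code reader}, is always closed.
     *
     * @param reader the PEM content; closed by this method
     * @return the private key
     * @throws IOException if the content cannot be read or converted
     * @throws IllegalArgumentException if the content is empty or not a supported private key encoding
     */
    PrivateKey getPrivateKeyFromPEM(Reader reader) throws IOException {
        try (PEMParser pemParser = new PEMParser(reader)) {
            Object pemContent = pemParser.readObject();
            if (pemContent == null) {
                throw new IllegalArgumentException("Invalid Private Key PEM file");
            }
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            if (pemContent instanceof PEMKeyPair) {
                return converter.getKeyPair((PEMKeyPair) pemContent).getPrivate();
            }
            if (pemContent instanceof PrivateKeyInfo) {
                return converter.getPrivateKey((PrivateKeyInfo) pemContent);
            }
            // Quote the type name consistently (the original message opened with ' and closed with ").
            throw new IllegalArgumentException("Unsupported Private Key format '" + pemContent.getClass().getSimpleName() + "'");
        }
    }

    /**
     * Parses a PEM private key and checks that it is usable for signing the client assertion.
     *
     * <p>Only RSA and EC keys are accepted; rejecting other algorithms here yields an error that names
     * the algorithm instead of a failure deeper inside the JWT signing call.
     *
     * @param reader the PEM content; closed by this method
     * @return an RSA or EC private key
     * @throws IOException if the key cannot be read
     * @throws InvalidKeyException if the key algorithm is neither RSA nor EC
     * @throws IllegalArgumentException if the PEM content is not a supported private key encoding
     */
    PrivateKey parsePrivateKey(Reader reader) throws IOException, InvalidKeyException {
        PrivateKey privateKey = getPrivateKeyFromPEM(reader);
        String algorithm = privateKey.getAlgorithm();
        if (!"RSA".equals(algorithm) && !"EC".equals(algorithm)) {
            throw new InvalidKeyException("Supplied privateKey is not an RSA or EC key - " + algorithm);
        }
        return privateKey;
    }
}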
