package com.dbeaver.net.auth.azure;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ClientCertificateCredentialBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.resourcemanager.subscription.SubscriptionManager;
import com.azure.resourcemanager.subscription.models.Subscription;
import com.azure.resourcemanager.subscription.models.TenantIdDescription;
import com.dbeaver.model.auth.SMAuthUtils;
import com.dbeaver.model.auth.SMSessionAuthCredentials;
import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.InteractiveRequestParameters;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.SilentParameters;
import java.io.ByteArrayInputStream;
import java.net.MalformedURLException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction;
import org.jkiss.code.NotNull;
import org.jkiss.code.Nullable;
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.model.exec.DBCException;
import org.jkiss.dbeaver.model.impl.auth.AuthModelDatabaseNativeCredentials;
import org.jkiss.dbeaver.model.runtime.DBRProgressMonitor;
import org.jkiss.utils.CommonUtils;

/* loaded from: input_file:com/dbeaver/net/auth/azure/AuthModelAzureCredentials.class */
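/**
 * Azure / Microsoft Entra ID credentials for a database connection.
 *
 * <p>Holds the configured client identity (client id, client secret or PEM certificate, tenant)
 * and a runtime cache of access tokens keyed by scope. Tokens are acquired, depending on
 * {@link AzureAuthType}, from the server-side session, from {@code DefaultAzureCredential},
 * from a client secret / certificate, or interactively through MSAL.
 *
 * <p>Secret material ({@code clientSecret}, {@code clientCertificateValue}) is kept as plain
 * {@link String}s and is copied by the copy constructor; it must never be written to logs.
 * Token acquisition and profile resolution are {@code synchronized} on this instance; the
 * cache itself is a plain {@link HashMap}, so the public mutators {@link #addToken} and
 * {@link #setClientId} are only safe when called from the same thread as the acquisition
 * methods or while holding this instance's monitor.
 */
public class AuthModelAzureCredentials extends AuthModelDatabaseNativeCredentials implements SMSessionAuthCredentials {
    /** Upper bound, in seconds, for each blocking wait on an MSAL future (account lookup, token acquisition). */
    private static final long AUTH_TIMEOUT = 180;

    @NotNull
    private AzureAuthType authType = AzureAuthType.WEB_APPLICATION;
    private String clientId;
    // Secret material; immutable Strings cannot be zeroed, so the only protection is not to leak them.
    private String clientSecret;
    private String clientCertificateValue;
    private String clientCertificatePath;
    private String tenantId;
    // Runtime-only state, excluded from persistence of the credentials model.
    private transient PublicClientApplication application;
    private transient String subscriptionId;
    // Token cache keyed by scope string. Lookups consult only the first scope of a scope set.
    private final transient Map<String, AccessToken> resourceTokens = new HashMap<>();
    private transient String azureUserId;

    /** A set of OAuth scopes a token may be requested for. */
    public interface AzureScopes {
        Set<String> getScopes();
    }

    /** Well-known Azure resources and the scope used to request a token for each. */
    public enum Resource implements AzureScopes {
        MANAGEMENT("https://management.azure.com//.default"),
        DATABASE("https://database.windows.net//.default"),
        AAD_DATABASE("https://ossrdbms-aad.database.windows.net/.default"),
        GRAPH("https://graph.microsoft.com//.default");

        private final Set<String> scopes;

        Resource(@NotNull String... scopes) {
            this.scopes = Set.of(scopes);
        }

        @Override
        public Set<String> getScopes() {
            return scopes;
        }

        /**
         * Returns a fresh copy of all constants.
         * Kept for compatibility with existing callers; equivalent to {@link #values()}, which already copies.
         */
        public static Resource[] valuesCustom() {
            return values();
        }
    }

    /** Creates credentials with {@link AzureAuthType#WEB_APPLICATION} and an empty token cache. */
    public AuthModelAzureCredentials() {
    }

    /**
     * Copy constructor. Copies configuration, the shared MSAL client, the resolved tenant /
     * subscription, the cached tokens and the Azure user id from {@code source}.
     *
     * @param source credentials to copy; secrets are copied as-is
     */
    public AuthModelAzureCredentials(@NotNull AuthModelAzureCredentials source) {
        this.authType = source.getAuthType();
        this.clientId = source.clientId;
        this.clientSecret = source.clientSecret;
        this.clientCertificateValue = source.clientCertificateValue;
        this.clientCertificatePath = source.clientCertificatePath;
        this.application = source.application;
        this.tenantId = source.tenantId;
        this.subscriptionId = source.subscriptionId;
        this.resourceTokens.putAll(source.resourceTokens);
        this.azureUserId = source.azureUserId;
    }

    /** @return {@code true} when tokens are expected to come from the server-side session. */
    public boolean isSessionCredentials() {
        return authType == AzureAuthType.SESSION_CREDENTIALS;
    }

    @NotNull
    public AzureAuthType getAuthType() {
        return authType;
    }

    public void setAuthType(@NotNull AzureAuthType authType) {
        this.authType = authType;
    }

    /**
     * Acquires a credential for {@code azureScopes}, resolves the Azure profile (tenant and
     * subscription) with it and applies {@code action} to both.
     *
     * @param monitor     progress monitor used during acquisition
     * @param azureScopes scopes the token is requested for
     * @param action      callback receiving the credential and the resolved profile
     * @return the callback's result
     * @throws DBException if no token could be acquired
     */
    @NotNull
    public <T> T authenticateWithToken(@NotNull DBRProgressMonitor monitor, @NotNull AzureScopes azureScopes, @NotNull BiFunction<TokenCredential, AzureProfile, T> action) throws DBException {
        TokenCredential credential = getAccessCredentials(monitor, azureScopes);
        return action.apply(credential, acquireProfile(monitor, credential));
    }

    /**
     * Caches {@code accessToken} under every scope of {@code azureScopes}, replacing any previous entry.
     */
    public void addToken(AzureScopes azureScopes, AccessToken accessToken) {
        for (String scope : azureScopes.getScopes()) {
            resourceTokens.put(scope, accessToken);
        }
    }

    /**
     * Caches a raw token string for {@code resource}. The entry carries an expiry of
     * {@link OffsetDateTime#MAX}, so the expiry check in {@link #getAccessCredentials} never
     * evicts it; callers own its lifecycle (see {@link #setClientId}, which clears the cache).
     *
     * @param token    raw access token
     * @param resource resource whose scopes the token covers
     */
    public void addResourceToken(@NotNull String token, @NotNull Resource resource) {
        addToken(resource, new AccessToken(token, OffsetDateTime.MAX));
    }

    /**
     * Returns a usable access token for {@code azureScopes}, acquiring or refreshing it first.
     *
     * @throws DBException if acquisition failed or left no token in the cache
     */
    @NotNull
    public synchronized AccessToken getAccessToken(@NotNull DBRProgressMonitor monitor, @NotNull AzureScopes azureScopes) throws DBException {
        getAccessCredentials(monitor, azureScopes);
        AccessToken token = getTokenByScopes(azureScopes);
        if (token == null) {
            throw new DBException("Access token not found for '" + String.valueOf(azureScopes.getScopes()) + "'");
        }
        return token;
    }

    /**
     * Looks up the cached token for the first scope of {@code azureScopes}.
     *
     * @return the cached token, or {@code null} when the scope set is empty or nothing is cached
     */
    @Nullable
    private AccessToken getTokenByScopes(@NotNull AzureScopes azureScopes) {
        Set<String> scopes = azureScopes.getScopes();
        if (scopes.isEmpty()) {
            return null;
        }
        return resourceTokens.get(scopes.iterator().next());
    }

    /**
     * Returns a {@link TokenCredential} for {@code azureScopes}, reusing a cached, unexpired token
     * when one exists and otherwise acquiring a new one according to {@link #getAuthType()}:
     * session credentials, {@code DefaultAzureCredential}, client secret, client certificate,
     * or interactive / silent MSAL flow.
     *
     * @throws DBException if the configuration does not allow acquisition or acquisition fails
     */
    @NotNull
    public synchronized TokenCredential getAccessCredentials(@NotNull DBRProgressMonitor monitor, @NotNull AzureScopes azureScopes) throws DBException {
        AccessToken cached = getTokenByScopes(azureScopes);
        // A token with a known expiry that has passed is treated as absent and re-acquired.
        if (cached != null && (cached.getExpiresAt() == null || !cached.isExpired())) {
            return new AzureFederatedTokenCredential(cached);
        }
        // Session credentials populate the cache from the server-side session when it is empty.
        if (resolveSessionCredentials(monitor)) {
            AccessToken fromSession = getTokenByScopes(azureScopes);
            if (fromSession != null) {
                return new AzureFederatedTokenCredential(fromSession);
            }
        }
        Set<String> scopes = azureScopes.getScopes();
        if (authType == AzureAuthType.DEFAULT) {
            return acquireTokenFromCredentials(azureScopes, scopes, new DefaultAzureCredentialBuilder().build());
        }
        if (CommonUtils.isEmpty(clientId)) {
            throw new DBException("Azure authentication is available in Microsoft Entra ID session only");
        }
        String tenant = normalizedTenantId();
        if (!CommonUtils.isEmpty(clientSecret)) {
            return acquireTokenFromCredentials(azureScopes, scopes, buildClientSecretCredential(tenant));
        }
        if (!CommonUtils.isEmpty(clientCertificateValue) || !CommonUtils.isEmpty(clientCertificatePath)) {
            return acquireTokenFromCredentials(azureScopes, scopes, buildClientCertificateCredential(tenant));
        }
        return new AzureFederatedTokenCredential(acquireTokenInteractively(monitor, azureScopes, scopes, tenant));
    }

    /** @return the configured tenant id, or {@code null} when it is unset or blank. */
    @Nullable
    private String normalizedTenantId() {
        return CommonUtils.isEmptyTrimmed(tenantId) ? null : tenantId;
    }

    /** Builds a client-secret credential for the configured client id, scoped to {@code tenant} when given. */
    @NotNull
    private TokenCredential buildClientSecretCredential(@Nullable String tenant) {
        ClientSecretCredentialBuilder builder = new ClientSecretCredentialBuilder().clientId(clientId).clientSecret(clientSecret);
        if (!CommonUtils.isEmpty(tenant)) {
            builder.tenantId(tenant);
        }
        return builder.build();
    }

    /**
     * Builds a client-certificate credential. A configured certificate path takes precedence;
     * otherwise the inline PEM content of {@code clientCertificateValue} is used.
     */
    @NotNull
    private TokenCredential buildClientCertificateCredential(@Nullable String tenant) {
        ClientCertificateCredentialBuilder builder = new ClientCertificateCredentialBuilder().clientId(clientId);
        if (!CommonUtils.isEmpty(tenant)) {
            builder.tenantId(tenant);
        }
        if (CommonUtils.isEmpty(clientCertificatePath)) {
            // No path configured: this branch is only reached when the inline PEM value is set.
            builder.pemCertificate(new ByteArrayInputStream(clientCertificateValue.getBytes(StandardCharsets.UTF_8)));
        } else {
            builder.pemCertificate(clientCertificatePath);
        }
        return builder.build();
    }

    /**
     * Acquires a token through MSAL: silently for an already-known account, otherwise through the
     * interactive browser flow using the loopback redirect. The result is cached under
     * {@code azureScopes} and the signed-in account name is stored as the Azure user id.
     *
     * @throws DBException if the authority is malformed, the wait exceeds {@link #AUTH_TIMEOUT}, or MSAL fails
     */
    @NotNull
    private AccessToken acquireTokenInteractively(@NotNull DBRProgressMonitor monitor, @NotNull AzureScopes azureScopes, @NotNull Set<String> scopes, @Nullable String tenant) throws DBException {
        if (application == null) {
            PublicClientApplication.Builder builder = PublicClientApplication.builder(clientId);
            try {
                builder.authority(MessageFormat.format(AuthModelAzureConstants.DEFAULT_MICROSOFT_ENTRA_LOGIN_URL_PATTERN, CommonUtils.toString(tenant, AuthModelAzureConstants.TENANT_COMMON)));
                application = builder.build();
            } catch (MalformedURLException e) {
                throw new DBException("Error configuring Entra authority", e);
            }
        }
        try {
            monitor.subTask("Read account info");
            Set<IAccount> accounts = application.getAccounts().get(AUTH_TIMEOUT, TimeUnit.SECONDS);
            CompletableFuture<IAuthenticationResult> pending;
            if (accounts.isEmpty()) {
                InteractiveRequestParameters.InteractiveRequestParametersBuilder params = InteractiveRequestParameters.builder(URI.create("http://localhost")).scopes(scopes);
                if (!CommonUtils.isEmpty(tenant)) {
                    params.tenant(tenant);
                }
                pending = application.acquireToken(params.build());
            } else {
                SilentParameters.SilentParametersBuilder params = SilentParameters.builder(scopes, accounts.iterator().next());
                if (!CommonUtils.isEmpty(tenant)) {
                    params.tenant(tenant);
                }
                pending = application.acquireTokenSilently(params.build());
            }
            monitor.subTask("Read token from cloud");
            IAuthenticationResult result = pending.get(AUTH_TIMEOUT, TimeUnit.SECONDS);
            AccessToken token = new AccessToken(result.accessToken(), result.expiresOnDate().toInstant().atOffset(OffsetDateTime.now().getOffset()));
            setAzureUserId(result.account().username());
            addToken(azureScopes, token);
            return token;
        } catch (InterruptedException e) {
            // Preserve the interrupt for the caller's thread before reporting the failure.
            Thread.currentThread().interrupt();
            throw new DBException("Error acquiring token", e);
        } catch (Exception e) {
            throw new DBException("Error acquiring token", e);
        } finally {
            monitor.worked(1);
        }
    }

    /**
     * For session credentials with an empty token cache, loads tokens from the current session.
     *
     * @return {@code true} if tokens were loaded from the session; {@code false} if this instance
     *         does not use session credentials or already holds tokens
     * @throws DBCException if session credentials are required but unavailable
     */
    private boolean resolveSessionCredentials(DBRProgressMonitor monitor) throws DBException {
        if (!isSessionCredentials() || !resourceTokens.isEmpty()) {
            return false;
        }
        if (SMAuthUtils.updateSessionCredentialsFromSession(monitor, AuthModelAzureConstants.AUTH_CONTEXT_TYPE, "Azure", this)) {
            return true;
        }
        throw new DBCException("Azure session credentials are missing");
    }

    /**
     * Requests a token for {@code scopes} from {@code credential} synchronously, caches it under
     * {@code azureScopes}, and returns the credential for further use.
     */
    @NotNull
    private TokenCredential acquireTokenFromCredentials(@NotNull AzureScopes azureScopes, @NotNull Set<String> scopes, @NotNull TokenCredential credential) {
        TokenRequestContext request = new TokenRequestContext();
        request.setScopes(new ArrayList<>(scopes));
        // Blank tenant ids are treated as unset, consistent with the credential builders above.
        request.setTenantId(normalizedTenantId());
        addToken(azureScopes, credential.getTokenSync(request));
        return credential;
    }

    /** @return the cached raw token for {@code resource}, or {@code null} if none is cached. */
    @Nullable
    public String getResourceToken(@NotNull Resource resource) {
        AccessToken token = getTokenByScopes(resource);
        return token == null ? null : token.getToken();
    }

    @Nullable
    public String getClientId() {
        return clientId;
    }

    /**
     * Sets the client id and discards state tied to the previous identity: the MSAL client,
     * tenant, subscription and all cached tokens. The Azure user id is retained.
     */
    public void setClientId(String clientId) {
        this.clientId = clientId;
        this.application = null;
        this.tenantId = null;
        this.subscriptionId = null;
        this.resourceTokens.clear();
    }

    @Nullable
    public String getTenantId() {
        return tenantId;
    }

    public void setTenantId(String tenantId) {
        this.tenantId = tenantId;
    }

    @Nullable
    public String getClientSecret() {
        return clientSecret;
    }

    public void setClientSecret(String clientSecret) {
        this.clientSecret = clientSecret;
    }

    @Nullable
    public String getClientCertificateValue() {
        return clientCertificateValue;
    }

    public void setClientCertificateValue(String clientCertificateValue) {
        this.clientCertificateValue = clientCertificateValue;
    }

    @Nullable
    public String getClientCertificatePath() {
        return clientCertificatePath;
    }

    public void setClientCertificatePath(String clientCertificatePath) {
        this.clientCertificatePath = clientCertificatePath;
    }

    @Override
    public String getUserName() {
        return super.getUserName();
    }

    @Override
    public String getUserPassword() {
        return super.getUserPassword();
    }

    /** @return the account name reported by the last interactive/silent MSAL sign-in, if any. */
    public String getAzureUserId() {
        return azureUserId;
    }

    public void setAzureUserId(String azureUserId) {
        this.azureUserId = azureUserId;
    }

    /**
     * Resolves the tenant and subscription when either is unknown by listing them with the given
     * credential. The first subscription returned is used; the tenant is only looked up when not
     * configured. Results are cached on this instance.
     *
     * @throws IllegalStateException if the account has no subscriptions or no tenants
     */
    @NotNull
    private synchronized AzureProfile acquireProfile(@NotNull DBRProgressMonitor monitor, @NotNull TokenCredential credential) {
        if (tenantId == null || subscriptionId == null) {
            SubscriptionManager manager = SubscriptionManager.authenticate(credential, new AzureProfile(AzureEnvironment.AZURE));
            try {
                monitor.beginTask("Acquire Azure profile", 2);
                monitor.subTask("Retrieve information about subscriptions");
                subscriptionId = manager.subscriptions().list().stream()
                    .findFirst()
                    .orElseThrow(() -> new IllegalStateException("No Azure subscriptions found. Check user permissions."))
                    .subscriptionId();
                monitor.worked(1);
                if (tenantId == null) {
                    monitor.subTask("Retrieve information about tenants");
                    tenantId = manager.tenants().list().stream()
                        .findFirst()
                        .orElseThrow(() -> new IllegalStateException("No Azure tenants found in account. Check user permissions."))
                        .tenantId();
                    monitor.worked(1);
                }
            } finally {
                monitor.done();
            }
        }
        return new AzureProfile(tenantId, subscriptionId, AzureEnvironment.AZURE);
    }
}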
