package com.databricks.jdbc.auth;

import com.databricks.internal.apache.commons.lang3.StringUtils;
import com.databricks.internal.apache.http.NameValuePair;
import com.databricks.internal.apache.http.client.entity.UrlEncodedFormEntity;
import com.databricks.internal.apache.http.client.methods.HttpPost;
import com.databricks.internal.apache.http.client.utils.URIBuilder;
import com.databricks.internal.apache.http.message.BasicNameValuePair;
import com.databricks.internal.fasterxml.jackson.databind.ObjectMapper;
import com.databricks.internal.google.common.annotations.VisibleForTesting;
import com.databricks.internal.sdk.core.DatabricksException;
import com.databricks.internal.sdk.core.oauth.OAuthResponse;
import com.databricks.internal.sdk.core.oauth.RefreshableTokenSource;
import com.databricks.internal.sdk.core.oauth.Token;
import com.databricks.jdbc.common.LogLevel;
import com.databricks.jdbc.common.util.LoggingUtil;
import com.databricks.jdbc.dbclient.IDatabricksHttpClient;
import com.databricks.jdbc.exception.DatabricksHttpException;
import com.databricks.jdbc.exception.DatabricksParsingException;
import com.databricks.jdbc.exception.DatabricksSQLException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Security;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.sql.Timestamp;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;

/* loaded from: input_file:com/databricks/jdbc/auth/JwtPrivateKeyClientCredentials.class */
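/**
 * OAuth 2.0 client-credentials token source that proves the client's identity with a
 * signed JWT client assertion ({@code client_assertion_type} =
 * {@code urn:ietf:params:oauth:client-assertion-type:jwt-bearer}, RFC 7523) instead of a
 * client secret.
 *
 * <p>Every {@link #refresh()} reads the PEM private key named by {@code jwtKeyFile}
 * (decrypting it with {@code jwtKeyPassphrase} when the file holds an encrypted PKCS#8
 * blob), signs a short-lived JWT whose {@code iss} and {@code sub} are {@code clientId}
 * and whose {@code aud} is {@code tokenUrl}, and POSTs it to {@code tokenUrl} as the
 * {@code client_assertion} of a {@code client_credentials} grant.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The private key is never retained in a field: it is re-read from disk and
 *       dropped on every refresh. The passphrase is held as a {@link String} because the
 *       builder API takes one, so it cannot be zeroed after use; only the transient
 *       {@code char[]} copy handed to BouncyCastle is wiped.</li>
 *   <li>The JWS {@code alg} header comes from configuration, not from the key type.
 *       Only asymmetric algorithms are accepted (no {@code HS*}, no {@code none}); a
 *       mismatch such as {@code RS256} with an EC key fails closed in
 *       {@link #fetchSignedJWT(PrivateKey)}.</li>
 *   <li>Each assertion carries a random {@code jti} and expires
 *       {@link #JWT_VALIDITY_SECONDS} seconds after issue, which bounds the replay window
 *       of a captured assertion.</li>
 * </ul>
 */
public class JwtPrivateKeyClientCredentials extends RefreshableTokenSource {
    /** Algorithm used when none is configured or the configured name is unknown. */
    private static final JWSAlgorithm DEFAULT_JWT_ALGORITHM = JWSAlgorithm.RS256;

    /**
     * Lifetime of a generated client assertion. Previously {@code exp} was set equal to
     * {@code iat}, so the assertion was already expired on arrival and only the token
     * endpoint's clock-skew tolerance made it work. Kept short on purpose: the assertion is
     * consumed once, and a small window limits replay if it is ever captured.
     */
    @VisibleForTesting
    static final long JWT_VALIDITY_SECONDS = 60L;

    private static final String BOUNCY_CASTLE_PROVIDER = BouncyCastleProvider.PROVIDER_NAME;

    /** {@link ObjectMapper} is thread-safe once built; share one instead of one per refresh. */
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    /**
     * Configured algorithm name (exact, case-sensitive match) to Nimbus algorithm. Any
     * name not listed here falls back to {@link #DEFAULT_JWT_ALGORITHM}.
     */
    private static final Map<String, JWSAlgorithm> SUPPORTED_ALGORITHMS;

    static {
        Map<String, JWSAlgorithm> algorithms = new HashMap<>();
        algorithms.put("RS256", JWSAlgorithm.RS256);
        algorithms.put("RS384", JWSAlgorithm.RS384);
        algorithms.put("RS512", JWSAlgorithm.RS512);
        algorithms.put("PS256", JWSAlgorithm.PS256);
        algorithms.put("PS384", JWSAlgorithm.PS384);
        algorithms.put("PS512", JWSAlgorithm.PS512);
        algorithms.put("ES256", JWSAlgorithm.ES256);
        algorithms.put("ES384", JWSAlgorithm.ES384);
        algorithms.put("ES512", JWSAlgorithm.ES512);
        SUPPORTED_ALGORITHMS = Collections.unmodifiableMap(algorithms);
    }

    private final IDatabricksHttpClient hc;
    private final String clientId;
    private final String tokenUrl;
    /** Unmodifiable copy of the configured scopes, or {@code null} when none were given. */
    private final List<String> scopes;
    private final String jwtKeyFile;
    private final String jwtKid;
    private final String jwtKeyPassphrase;
    private final JWSAlgorithm jwtAlgorithm;

    /**
     * Builder for {@link JwtPrivateKeyClientCredentials}. {@code clientId},
     * {@code jwtKeyFile} and {@code jwtKid} are mandatory; {@code tokenUrl} and the HTTP
     * client are not validated here (tests build instances without them) but are required
     * before the first {@link #refresh()}.
     */
    /* loaded from: input_file:com/databricks/jdbc/auth/JwtPrivateKeyClientCredentials$Builder.class */
    public static class Builder {
        private String clientId;
        private String tokenUrl;
        private String jwtKeyFile;
        private String jwtKid;
        private String jwtKeyPassphrase;
        private String jwtAlgorithm;
        private IDatabricksHttpClient hc;
        private List<String> scopes = Collections.emptyList();

        /** OAuth client id; also used as the assertion's {@code iss} and {@code sub}. */
        public Builder withClientId(String str) {
            this.clientId = str;
            return this;
        }

        /** Token endpoint URL; also used as the assertion's {@code aud}. */
        public Builder withTokenUrl(String str) {
            this.tokenUrl = str;
            return this;
        }

        /** Scopes sent space-separated as {@code scope}; an empty list sends no scope. */
        public Builder withScopes(List<String> list) {
            this.scopes = list;
            return this;
        }

        public Builder withHttpClient(IDatabricksHttpClient iDatabricksHttpClient) {
            this.hc = iDatabricksHttpClient;
            return this;
        }

        /** JWS algorithm name such as {@code RS256} or {@code ES256}; unknown names fall back to RS256. */
        public Builder withJwtAlgorithm(String str) {
            this.jwtAlgorithm = str;
            return this;
        }

        /** Passphrase for an encrypted PKCS#8 key file; leave unset for an unencrypted key. */
        public Builder withJwtKeyPassphrase(String str) {
            this.jwtKeyPassphrase = str;
            return this;
        }

        /** Key id placed in the JWS header so the token endpoint can select the public key. */
        public Builder withJwtKid(String str) {
            this.jwtKid = str;
            return this;
        }

        /** Path of the PEM file holding the private key. */
        public Builder withJwtKeyFile(String str) {
            this.jwtKeyFile = str;
            return this;
        }

        /**
         * @throws NullPointerException if clientId, the key file or the key id is missing
         */
        public JwtPrivateKeyClientCredentials build() {
            Objects.requireNonNull(this.clientId, "clientId must be specified");
            Objects.requireNonNull(this.jwtKeyFile, "JWT key file must be specified");
            Objects.requireNonNull(this.jwtKid, "JWT KID must be specified");
            return new JwtPrivateKeyClientCredentials(this.hc, this.clientId, this.jwtKeyFile, this.jwtKid, this.jwtKeyPassphrase, this.jwtAlgorithm, this.tokenUrl, this.scopes);
        }
    }

    private JwtPrivateKeyClientCredentials(IDatabricksHttpClient httpClient, String clientId, String jwtKeyFile, String jwtKid, String jwtKeyPassphrase, String jwtAlgorithm, String tokenUrl, List<String> scopes) {
        this.hc = httpClient;
        this.clientId = clientId;
        this.jwtKeyFile = jwtKeyFile;
        this.jwtKid = jwtKid;
        this.jwtKeyPassphrase = jwtKeyPassphrase;
        // Static helper rather than the overridable instance method: nothing overridable runs in the constructor.
        this.jwtAlgorithm = resolveSignatureAlgorithm(jwtAlgorithm);
        this.tokenUrl = tokenUrl;
        // The builder hands over the caller's list reference; snapshot it so later mutation cannot change the request.
        this.scopes = scopes == null ? null : Collections.unmodifiableList(new ArrayList<>(scopes));
    }

    /**
     * Signs a fresh client assertion and exchanges it for an access token.
     *
     * @return the token returned by the endpoint, with its expiry computed from {@code expires_in}
     * @throws DatabricksException if the HTTP client or token URL is missing, the key cannot
     *     be read or used, or the endpoint returns no usable token
     */
    @Override // com.databricks.internal.sdk.core.oauth.RefreshableTokenSource
    protected Token refresh() {
        if (this.hc == null || this.tokenUrl == null) {
            // Fail with a clear message instead of the NPE that URIBuilder/execute would raise later.
            String message = "Cannot retrieve custom M2M token: HTTP client and token URL must be configured";
            LoggingUtil.log(LogLevel.ERROR, message);
            throw new DatabricksException(message);
        }
        Map<String, String> form = new HashMap<>();
        form.put(AuthConstants.GRANT_TYPE_KEY, "client_credentials");
        // "scope" is optional in the grant; an empty "scope=" is omitted rather than sent.
        if (this.scopes != null && !this.scopes.isEmpty()) {
            form.put("scope", String.join(StringUtils.SPACE, this.scopes));
        }
        form.put("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        form.put("client_assertion", getSerialisedSignedJWT());
        return retrieveToken(this.hc, this.tokenUrl, form, new HashMap<>());
    }

    /**
     * POSTs {@code formParams} as an URL-encoded form to {@code tokenUrl} and parses the
     * JSON response as an {@link OAuthResponse}.
     *
     * <p>NOTE(review): the HTTP status code is not inspected here; whether a non-2xx reply
     * surfaces as {@link DatabricksHttpException} depends on
     * {@link IDatabricksHttpClient#execute} - confirm. An OAuth error body that parses
     * without an {@code access_token} is rejected explicitly instead of being turned into a
     * token with a {@code null} value.
     *
     * @param httpClient client used to execute the request
     * @param tokenUrl   token endpoint
     * @param formParams form fields (grant type, assertion, scope, ...)
     * @param headers    extra request headers
     * @return the parsed token; expiry is {@code now + expires_in} seconds
     * @throws DatabricksException on transport, URI or parse failure, or when no access token is returned
     */
    @VisibleForTesting
    protected static Token retrieveToken(IDatabricksHttpClient httpClient, String tokenUrl, Map<String, String> formParams, Map<String, String> headers) {
        try {
            HttpPost post = new HttpPost(new URIBuilder(tokenUrl).build());
            Iterable<? extends NameValuePair> formBody = formParams.entrySet().stream()
                    .map(entry -> new BasicNameValuePair(entry.getKey(), entry.getValue()))
                    .collect(Collectors.toList());
            post.setEntity(new UrlEncodedFormEntity(formBody, StandardCharsets.UTF_8));
            headers.forEach(post::setHeader);
            final OAuthResponse response;
            // Close the body stream so the connection can be released back to the client.
            try (InputStream body = httpClient.execute(post).getEntity().getContent()) {
                response = OBJECT_MAPPER.readValue(body, OAuthResponse.class);
            }
            String accessToken = response.getAccessToken();
            if (accessToken == null || accessToken.isEmpty()) {
                String message = "Failed to retrieve custom M2M token: token endpoint returned no access token";
                LoggingUtil.log(LogLevel.ERROR, message);
                throw new DatabricksException(message);
            }
            LocalDateTime expiry = LocalDateTime.now().plus(response.getExpiresIn(), ChronoUnit.SECONDS);
            return new Token(accessToken, response.getTokenType(), response.getRefreshToken(), expiry);
        } catch (DatabricksHttpException | IOException | URISyntaxException e) {
            String message = "Failed to retrieve custom M2M token: " + e.getMessage();
            LoggingUtil.log(LogLevel.ERROR, message);
            throw new DatabricksException(message, e);
        }
    }

    /** Reads the key, signs a new assertion and returns its compact serialisation. */
    private String getSerialisedSignedJWT() {
        return fetchSignedJWT(getPrivateKey()).serialize();
    }

    @VisibleForTesting
    String getTokenEndpoint() {
        return this.tokenUrl;
    }

    /**
     * Maps a configured algorithm name to a {@link JWSAlgorithm}.
     *
     * @param str algorithm name; {@code null} or an unknown name yields RS256
     * @return the matching algorithm, or RS256 as a logged fallback
     */
    @VisibleForTesting
    JWSAlgorithm determineSignatureAlgorithm(String str) {
        return resolveSignatureAlgorithm(str);
    }

    /** Lookup behind {@link #determineSignatureAlgorithm(String)}; match is exact and case-sensitive. */
    private static JWSAlgorithm resolveSignatureAlgorithm(String configured) {
        if (configured == null) {
            return DEFAULT_JWT_ALGORITHM;
        }
        JWSAlgorithm algorithm = SUPPORTED_ALGORITHMS.get(configured);
        if (algorithm == null) {
            // Unknown names fall back silently (DEBUG only); signing still fails closed if RS256 does not fit the key.
            LoggingUtil.log(LogLevel.DEBUG, "Defaulting to RS256. Provided JWT algorithm not supported " + configured);
            return DEFAULT_JWT_ALGORITHM;
        }
        return algorithm;
    }

    /**
     * Reads and decodes the first PEM object in {@code jwtKeyFile}.
     *
     * @return the decoded private key (RSA or EC expected by the signer)
     * @throws DatabricksException if the file cannot be read or holds no usable key
     */
    private PrivateKey getPrivateKey() {
        ensureBouncyCastleRegistered();
        // PEM is ASCII; an explicit charset avoids depending on the platform default.
        try (Reader keyReader = new InputStreamReader(new FileInputStream(this.jwtKeyFile), StandardCharsets.UTF_8);
             PEMParser pemParser = new PEMParser(keyReader)) {
            // Only the first PEM object is used; convertPrivateKey() rejects null and unexpected types.
            return convertPrivateKey(pemParser.readObject());
        } catch (DatabricksSQLException | IOException e) {
            String message = "Failed to parse private key: " + e.getMessage();
            LoggingUtil.log(LogLevel.ERROR, message);
            throw new DatabricksException(message, e);
        }
    }

    /**
     * Registers BouncyCastle once. {@code addProvider} appends at the lowest priority, so
     * JDK providers keep precedence for the algorithms they implement; BouncyCastle is only
     * used where this class names it explicitly via {@code setProvider}.
     */
    private static void ensureBouncyCastleRegistered() {
        if (Security.getProvider(BOUNCY_CASTLE_PROVIDER) == null) {
            // A concurrent double registration is harmless: addProvider ignores an already-installed provider.
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Converts a PEM object produced by {@link PEMParser} into a {@link PrivateKey}.
     *
     * <p>Accepted inputs: an encrypted PKCS#8 blob (requires a passphrase), an OpenSSL
     * key pair, or a plain PKCS#8 {@link PrivateKeyInfo}. A configured passphrase is
     * ignored, with a debug log, when the key turns out to be unencrypted.
     *
     * @param pemObject object returned by {@code PEMParser.readObject()}; may be {@code null}
     * @return the private key, materialised through the BouncyCastle provider
     * @throws DatabricksParsingException if the object is missing, of an unsupported type,
     *     encrypted without a passphrase, or cannot be decrypted/converted
     */
    PrivateKey convertPrivateKey(Object pemObject) throws DatabricksParsingException {
        if (pemObject == null) {
            throw parsingFailure("Cannot decrypt private JWT key: no PEM object found in the JWT key file");
        }
        try {
            final PrivateKeyInfo keyInfo;
            if (pemObject instanceof PKCS8EncryptedPrivateKeyInfo) {
                if (this.jwtKeyPassphrase == null) {
                    throw parsingFailure("Cannot decrypt private JWT key: the key is encrypted but no passphrase was configured");
                }
                keyInfo = decryptPrivateKeyInfo((PKCS8EncryptedPrivateKeyInfo) pemObject);
            } else if (pemObject instanceof PEMKeyPair) {
                keyInfo = ((PEMKeyPair) pemObject).getPrivateKeyInfo();
            } else if (pemObject instanceof PrivateKeyInfo) {
                keyInfo = (PrivateKeyInfo) pemObject;
            } else {
                throw parsingFailure("Cannot decrypt private JWT key: unsupported PEM object " + pemObject.getClass().getName());
            }
            if (this.jwtKeyPassphrase != null && !(pemObject instanceof PKCS8EncryptedPrivateKeyInfo)) {
                // Worth surfacing: the operator believes the key is encrypted at rest, but it is not.
                LoggingUtil.log(LogLevel.DEBUG, "JWT key passphrase is configured but the key file is not encrypted; passphrase ignored");
            }
            return new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER).getPrivateKey(keyInfo);
        } catch (PEMException | OperatorCreationException | PKCSException e) {
            String message = "Cannot decrypt private JWT key " + e.getMessage();
            LoggingUtil.log(LogLevel.ERROR, message);
            throw new DatabricksParsingException(message);
        }
    }

    /**
     * Decrypts an encrypted PKCS#8 structure with the configured passphrase. The
     * {@code char[]} copy is wiped afterwards; the {@link String} field itself cannot be.
     */
    private PrivateKeyInfo decryptPrivateKeyInfo(PKCS8EncryptedPrivateKeyInfo encrypted) throws OperatorCreationException, PKCSException {
        char[] passphrase = this.jwtKeyPassphrase.toCharArray();
        try {
            JceOpenSSLPKCS8DecryptorProviderBuilder decryptorBuilder = new JceOpenSSLPKCS8DecryptorProviderBuilder();
            decryptorBuilder.setProvider(BOUNCY_CASTLE_PROVIDER);
            // decryptPrivateKeyInfo consumes the passphrase synchronously, so it is safe to wipe on return.
            return encrypted.decryptPrivateKeyInfo(decryptorBuilder.build(passphrase));
        } finally {
            Arrays.fill(passphrase, '\0');
        }
    }

    /** Logs {@code message} at ERROR and wraps it in the exception the caller throws. */
    private static DatabricksParsingException parsingFailure(String message) {
        LoggingUtil.log(LogLevel.ERROR, message);
        return new DatabricksParsingException(message);
    }

    /**
     * Builds and signs the client assertion.
     *
     * <p>Claims: {@code iss} and {@code sub} = clientId, {@code aud} = tokenUrl,
     * {@code iat} = now, {@code exp} = now + {@link #JWT_VALIDITY_SECONDS}, {@code jti} =
     * random UUID. Header: the configured {@code alg} plus {@code kid}. The signer is
     * chosen from the key type; if the configured algorithm does not match the key, Nimbus
     * rejects the signature and this method throws rather than emitting a malformed JWT.
     *
     * @param privateKey RSA or EC private key
     * @return the signed JWT
     * @throws DatabricksException for an unsupported key type or a signing failure
     */
    @VisibleForTesting
    SignedJWT fetchSignedJWT(PrivateKey privateKey) {
        try {
            final JWSSigner signer;
            if (privateKey instanceof RSAPrivateKey) {
                signer = new RSASSASigner(privateKey);
            } else if (privateKey instanceof ECPrivateKey) {
                signer = new ECDSASigner((ECPrivateKey) privateKey);
            } else {
                String message = "Unsupported private key type: " + privateKey.getClass().getName();
                LoggingUtil.log(LogLevel.ERROR, message);
                throw new DatabricksException(message);
            }
            Instant issuedAt = Instant.now();
            JWTClaimsSet claims = new JWTClaimsSet.Builder()
                    .subject(this.clientId)
                    .issuer(this.clientId)
                    .issueTime(Date.from(issuedAt))
                    .expirationTime(Date.from(issuedAt.plusSeconds(JWT_VALIDITY_SECONDS)))
                    .jwtID(UUID.randomUUID().toString())
                    .audience(this.tokenUrl)
                    .build();
            JWSHeader header = new JWSHeader.Builder(this.jwtAlgorithm).keyID(this.jwtKid).build();
            SignedJWT signedJWT = new SignedJWT(header, claims);
            signedJWT.sign(signer);
            return signedJWT;
        } catch (JOSEException e) {
            String message = "Error signing the JWT: " + e.getMessage();
            LoggingUtil.log(LogLevel.ERROR, message);
            throw new DatabricksException(message, e);
        }
    }
}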
