package org.springframework.boot.actuate.autoconfigure.cloudfoundry.servlet;

import io.jsonwebtoken.JwsHeader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.AccessLevel;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.CloudFoundryAuthorizationException;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.http.HttpStatus;
import org.springframework.http.RequestEntity;
import org.springframework.util.Assert;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.HttpServerErrorException;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.6.7.jar:org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundrySecurityService.class */
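/**
 * Client for the Cloud Foundry cloud controller and UAA endpoints used to authorize
 * actuator requests.
 *
 * <p>Three remote calls are made through one shared {@link RestTemplate}:
 * <ul>
 * <li>{@code GET <cloudControllerUrl>/v2/apps/<applicationId>/permissions} with the caller's
 * token, to decide the {@link AccessLevel};</li>
 * <li>{@code GET <cloudControllerUrl>/info}, to discover the UAA URL
 * ({@code token_endpoint});</li>
 * <li>{@code GET <uaaUrl>/token_keys}, to download the token keys.</li>
 * </ul>
 *
 * <p>Security note: every answer from these endpoints is a trust decision (access level,
 * location of the UAA, token keys), so the integrity of the HTTP channel matters. See the
 * constructor for the effect of skipping SSL validation.
 */
class CloudFoundrySecurityService {
    private final RestTemplate restTemplate;
    private final String cloudControllerUrl;
    // Resolved lazily by getUaaUrl() and cached for the lifetime of this instance.
    private String uaaUrl;

    /**
     * Creates the service. (Package-private in the original bytecode; the decompiler
     * widened it to {@code public}.)
     *
     * @param restTemplateBuilder builder used to create the {@link RestTemplate}; must not be null
     * @param cloudControllerUrl base URL of the cloud controller; must not be null
     * @param skipSslValidation when {@code true} the template is built with
     * {@code SkipSslVerificationHttpRequestFactory}
     */
    public CloudFoundrySecurityService(RestTemplateBuilder restTemplateBuilder, String cloudControllerUrl, boolean skipSslValidation) {
        Assert.notNull(restTemplateBuilder, "RestTemplateBuilder must not be null");
        Assert.notNull(cloudControllerUrl, "CloudControllerUrl must not be null");
        RestTemplateBuilder builder = restTemplateBuilder;
        if (skipSslValidation) {
            // NOTE(review): going by its name (the class is not shown here) this factory
            // disables TLS certificate verification. In that mode the bearer token sent by
            // getAccessLevel and the token keys returned by fetchTokenKeys travel over a
            // channel whose peer is not authenticated, so the flag should stay off wherever
            // the network path to the cloud controller / UAA is not fully trusted.
            builder = restTemplateBuilder.requestFactory(SkipSslVerificationHttpRequestFactory.class);
        }
        this.restTemplate = builder.build();
        this.cloudControllerUrl = cloudControllerUrl;
    }

    /**
     * Asks the cloud controller which access level the token grants for the application.
     * (Package-private in the original bytecode.)
     *
     * @param token the token, sent as {@code Authorization: bearer <token>}
     * @param applicationId the application id used in the permissions URL
     * @return {@link AccessLevel#FULL} only when the response contains
     * {@code read_sensitive_data = true}; {@link AccessLevel#RESTRICTED} otherwise,
     * including when the response has no body
     * @throws CloudFoundryAuthorizationException with reason {@code ACCESS_DENIED} on HTTP 403,
     * {@code INVALID_TOKEN} on any other 4xx, {@code SERVICE_UNAVAILABLE} on a 5xx
     */
    public AccessLevel getAccessLevel(String token, String applicationId) throws CloudFoundryAuthorizationException {
        try {
            RequestEntity<?> request = RequestEntity.get(getPermissionsUri(applicationId))
                    .header("Authorization", "bearer " + token)
                    .build();
            Map<?, ?> body = this.restTemplate.exchange(request, Map.class).getBody();
            // Least privilege: anything other than an explicit boolean true, including an
            // empty body, yields RESTRICTED instead of a NullPointerException.
            if (body != null && Boolean.TRUE.equals(body.get("read_sensitive_data"))) {
                return AccessLevel.FULL;
            }
            return AccessLevel.RESTRICTED;
        } catch (HttpClientErrorException ex) {
            if (ex.getStatusCode().equals(HttpStatus.FORBIDDEN)) {
                throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.ACCESS_DENIED, "Access denied", ex);
            }
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_TOKEN, "Invalid token", ex);
        } catch (HttpServerErrorException ex) {
            // Keep the cause so the failing upstream status remains diagnosable.
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Cloud controller not reachable", ex);
        }
    }

    /**
     * Builds the permissions URI for an application.
     *
     * @param applicationId the application id placed in the URL path
     * @return {@code <cloudControllerUrl>/v2/apps/<applicationId>/permissions}
     * @throws IllegalStateException if the resulting string is not a valid URI
     */
    private URI getPermissionsUri(String applicationId) {
        try {
            // NOTE(review): applicationId is concatenated into the path without encoding;
            // confirm callers only pass the platform-assigned id, never request input.
            return new URI(this.cloudControllerUrl + "/v2/apps/" + applicationId + "/permissions");
        } catch (URISyntaxException ex) {
            throw new IllegalStateException(ex);
        }
    }

    /**
     * Downloads the token keys from the UAA. (Package-private in the original bytecode.)
     *
     * @return map of key id to key value as published under {@code /token_keys}
     * @throws CloudFoundryAuthorizationException with reason {@code SERVICE_UNAVAILABLE} when
     * the UAA (or, via {@link #getUaaUrl()}, the cloud controller) answers with an error status
     * @throws IllegalStateException if the response is empty or has no {@code keys} list
     */
    public Map<String, String> fetchTokenKeys() {
        try {
            Map<?, ?> response = this.restTemplate.getForObject(getUaaUrl() + "/token_keys", Map.class);
            Assert.state(response != null, "UAA token keys response must not be empty");
            return extractTokenKeys(response);
        } catch (HttpStatusCodeException ex) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "UAA not reachable", ex);
        }
    }

    /**
     * Flattens the {@code keys} list of a token-keys response into a map.
     *
     * @param response the decoded response body
     * @return map from each entry's key id to its {@code value}
     * @throws IllegalStateException if {@code keys} is absent or not a list
     */
    private Map<String, String> extractTokenKeys(Map<?, ?> response) {
        Object keys = response.get("keys");
        // Fail with a clear message instead of a NullPointerException / ClassCastException.
        Assert.state(keys instanceof List, "UAA token keys response must contain a 'keys' list");
        Map<String, String> tokenKeys = new HashMap<>();
        for (Object entry : (List<?>) keys) {
            Map<?, ?> tokenKey = (Map<?, ?>) entry;
            // JwsHeader.KEY_ID is the JWS "kid" header name.
            tokenKeys.put((String) tokenKey.get(JwsHeader.KEY_ID), (String) tokenKey.get("value"));
        }
        return tokenKeys;
    }

    /**
     * Returns the UAA URL, fetching it from the cloud controller's {@code /info} endpoint on
     * first use and caching it afterwards. (Package-private in the original bytecode.)
     *
     * <p>The returned URL decides where token keys are downloaded from, so it is only as
     * trustworthy as the connection to the cloud controller.
     *
     * @return the value of {@code token_endpoint} from the info response
     * @throws CloudFoundryAuthorizationException with reason {@code SERVICE_UNAVAILABLE} when
     * the cloud controller answers with an error status
     * @throws IllegalStateException if the response is empty or lacks a string
     * {@code token_endpoint}
     */
    public String getUaaUrl() {
        if (this.uaaUrl == null) {
            try {
                Map<?, ?> info = this.restTemplate.getForObject(this.cloudControllerUrl + "/info", Map.class);
                Assert.state(info != null, "Cloud controller info response must not be empty");
                Object tokenEndpoint = info.get("token_endpoint");
                // Without this check a missing endpoint would be cached as null and later
                // turned into the literal URL "null/token_keys".
                Assert.state(tokenEndpoint instanceof String, "Cloud controller info response must contain a 'token_endpoint'");
                this.uaaUrl = (String) tokenEndpoint;
            } catch (HttpStatusCodeException ex) {
                throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Unable to fetch token keys from UAA", ex);
            }
        }
        return this.uaaUrl;
    }
}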
