package fish.payara.microprofile.config.extensions.azure;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import fish.payara.microprofile.config.extensions.azure.model.Secret;
import fish.payara.microprofile.config.extensions.azure.model.SecretHolder;
import fish.payara.microprofile.config.extensions.azure.model.SecretsResponse;
import fish.payara.microprofile.config.extensions.oauth.OAuth2Client;
import fish.payara.nucleus.microprofile.config.admin.ConfigSourceConstants;
import fish.payara.nucleus.microprofile.config.source.extension.ConfiguredExtensionConfigSource;
import fish.payara.nucleus.microprofile.config.spi.MicroprofileConfigConfiguration;
import jakarta.inject.Inject;
import jakarta.json.JsonObject;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.xml.bind.DatatypeConverter;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Stream;
import org.glassfish.api.admin.ServerEnvironment;
import org.jvnet.hk2.annotations.Service;

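/**
 * MicroProfile Config source backed by Azure Key Vault secrets.
 *
 * <p>{@link #bootstrap()} reads the configured PKCS#8 PEM private key from the server's config
 * directory, signs an RS256 client-assertion JWT with it and hands the resulting form parameters
 * to an {@link OAuth2Client}. Every data-plane call ({@link #getValue}, {@link #setValue},
 * {@link #deleteValue}, {@link #getProperties}) first obtains a bearer token from that client and
 * then talks to the Key Vault REST API (version 7.1) with it.
 *
 * <p>Failure handling is deliberately soft: a failed bootstrap leaves {@link #authClient}
 * {@code null}, and every subsequent lookup logs a warning and reports "no value" instead of
 * throwing, so a misconfigured vault does not take the other config sources down with it.
 */
@Service(name = "azure-secrets-config-source")
public class AzureSecretsConfigSource extends ConfiguredExtensionConfigSource<AzureSecretsConfigSourceConfiguration> {

    private static final Logger LOGGER = Logger.getLogger(AzureSecretsConfigSource.class.getName());

    /** Entra ID token endpoint; {@code %s} is the tenant id. Also used as the JWT audience. */
    private static final String AUTH_URL = "https://login.microsoftonline.com/%s/oauth2/v2.0/token";
    private static final String SCOPE_URL = "https://vault.azure.net/.default";
    /** Secrets collection of one vault; {@code %s} is the Key Vault name. */
    private static final String SECRETS_ENDPOINT = "https://%s.vault.azure.net/secrets";
    private static final String API_VERSION = "?api-version=7.1";
    private static final String CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
    private static final String PEM_HEADER = "-----BEGIN PRIVATE KEY-----";
    private static final String PEM_FOOTER = "-----END PRIVATE KEY-----";
    /**
     * Validity window of each signed client assertion. It is signed once at bootstrap, so the
     * assertion itself expires after a minute; only the access token obtained with it is reused.
     */
    private static final Duration ASSERTION_LIFETIME = Duration.ofMinutes(1);

    /** {@code null} until {@link #bootstrap()} has produced a usable token request. */
    private OAuth2Client authClient;
    private final Client client = ClientBuilder.newClient();

    @Inject
    private ServerEnvironment env;

    @Inject
    MicroprofileConfigConfiguration mpconfig;

    /**
     * Prepares the OAuth2 client-credentials request used by {@link #authenticate()}.
     *
     * <p>Requires tenant id, client id, certificate thumbprint and a readable private key file;
     * when any of them is missing or the JWT cannot be signed, a warning is logged and
     * {@link #authClient} stays {@code null}.
     */
    @Override // fish.payara.nucleus.microprofile.config.source.extension.ExtensionConfigSource
    public void bootstrap() {
        AzureSecretsConfigSourceConfiguration config = config();
        String tenantId = config.getTenantId();
        String clientId = config.getClientId();
        String thumbprint = config.getThumbprint();
        // The thumbprint is hex-decoded in buildJwt(); a null value would otherwise escape
        // bootstrap as a NullPointerException.
        if (tenantId == null || clientId == null || thumbprint == null) {
            LOGGER.warning("An error occurred while authenticating Azure to get a token, makes sure Azure Config Source has been configured with correct  configuration options.");
            return;
        }
        String pem = readPrivateKeyPem();
        if (pem == null) {
            return; // already logged; without a key no assertion can be signed
        }
        String tokenUrl = String.format(AUTH_URL, tenantId);
        Map<String, String> form = new HashMap<>();
        form.put("grant_type", "client_credentials");
        form.put("client_id", clientId);
        form.put("client_assertion_type", CLIENT_ASSERTION_TYPE);
        form.put("scope", SCOPE_URL);
        try {
            SignedJWT assertion = buildJwt(clientId, tokenUrl, thumbprint);
            assertion.sign(new RSASSASigner(parsePrivateKey(pem)));
            form.put("client_assertion", assertion.serialize());
        } catch (JOSEException | NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
            // IllegalArgumentException: the thumbprint is not valid hex.
            LOGGER.log(Level.WARNING, "An error occurred while signing the Azure auth token", e);
            return;
        }
        this.authClient = new OAuth2Client(tokenUrl, form);
    }

    /**
     * Lists every secret of the vault and fetches each value with {@link #getValue(String)}.
     *
     * @return secret name to value; empty when authentication or the listing call fails.
     *     Values may be {@code null} when an individual fetch fails.
     */
    @Override // org.eclipse.microprofile.config.spi.ConfigSource
    public Map<String, String> getProperties() {
        Map<String, String> properties = new HashMap<>();
        String token = authenticate();
        if (token == null) {
            return properties;
        }
        String idPrefix = secretsBaseUrl() + "/";
        try (Response response = this.client.target(secretsBaseUrl() + API_VERSION)
                .request()
                .accept(MediaType.APPLICATION_JSON)
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                .get()) {
            if (response.getStatus() != 200) {
                LOGGER.log(Level.WARNING, "Failed to list Azure secrets. {0}", response.readEntity(String.class));
                return properties;
            }
            // NOTE(review): only the page contained in this response is consumed; if the vault
            // returns a continuation link for large vaults, later pages are not followed here.
            for (Secret secret : response.readEntity(SecretsResponse.class).getValue()) {
                // Key Vault reports each secret as its full URL; the config key is the path tail.
                String name = secret.getId().replace(idPrefix, "");
                properties.put(name, getValue(name));
            }
        }
        return properties;
    }

    @Override // org.eclipse.microprofile.config.spi.ConfigSource
    public Set<String> getPropertyNames() {
        return getProperties().keySet();
    }

    /**
     * Fetches the current version of one secret.
     *
     * @param str secret name; appended to the URL path with JAX-RS encoding, so characters such
     *     as {@code ?} or {@code #} cannot alter the request
     * @return the secret value, or {@code null} when the token could not be obtained, the name
     *     is not a valid Key Vault secret name (HTTP 400), the secret does not exist (HTTP 404),
     *     or any other error occurred (logged)
     */
    @Override // org.eclipse.microprofile.config.spi.ConfigSource
    public String getValue(String str) {
        String token = authenticate();
        if (token == null) {
            return null;
        }
        try (Response response = this.client.target(secretsBaseUrl() + API_VERSION)
                .path(str)
                .request()
                .accept(MediaType.APPLICATION_JSON)
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                .get()) {
            int status = response.getStatus();
            if (status == 200) {
                return response.readEntity(Secret.class).getValue();
            }
            // A config source is probed for every property name the application asks for, most
            // of which are not Key Vault secrets; "bad name" and "not found" are therefore the
            // normal answer and must not flood the log.
            if (status == 400 || status == 404) {
                return null;
            }
            LOGGER.log(Level.WARNING, "Failed to get Azure secret. {0}", response.readEntity(String.class));
            return null;
        }
    }

    /**
     * Creates or updates a secret.
     *
     * @param str secret name
     * @param str2 new secret value
     * @return {@code true} when Key Vault answered 200; {@code false} otherwise (logged)
     */
    @Override // fish.payara.nucleus.microprofile.config.source.extension.ExtensionConfigSource
    public boolean setValue(String str, String str2) {
        String token = authenticate();
        if (token == null) {
            return false;
        }
        try (Response response = this.client.target(secretsBaseUrl() + API_VERSION)
                .path(str)
                .request()
                .accept(MediaType.APPLICATION_JSON)
                .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON)
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                .put(Entity.entity(new SecretHolder(str2), MediaType.APPLICATION_JSON))) {
            if (response.getStatus() == 200) {
                return true;
            }
            LOGGER.log(Level.WARNING, "Failed to set Azure secret. {0}", response.readEntity(String.class));
            return false;
        }
    }

    /**
     * Deletes a secret.
     *
     * @param str secret name
     * @return {@code true} when Key Vault answered 200; {@code false} otherwise (logged)
     */
    @Override // fish.payara.nucleus.microprofile.config.source.extension.ExtensionConfigSource
    public boolean deleteValue(String str) {
        String token = authenticate();
        if (token == null) {
            return false;
        }
        try (Response response = this.client.target(secretsBaseUrl() + API_VERSION)
                .path(str)
                .request()
                .accept(MediaType.APPLICATION_JSON)
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                .delete()) {
            if (response.getStatus() == 200) {
                return true;
            }
            LOGGER.log(Level.WARNING, "Failed to delete Azure secret. {0}", response.readEntity(String.class));
            return false;
        }
    }

    @Override // fish.payara.nucleus.microprofile.config.source.extension.ExtensionConfigSource
    public String getSource() {
        return ConfigSourceConstants.CLOUD;
    }

    @Override // org.eclipse.microprofile.config.spi.ConfigSource
    public String getName() {
        return "azure";
    }

    /**
     * @return the ordinal shared by all cloud config sources
     * @throws NumberFormatException if the configured cloud ordinality is not an integer
     */
    @Override // org.eclipse.microprofile.config.spi.ConfigSource
    public int getOrdinal() {
        return Integer.parseInt(this.mpconfig.getCloudOrdinality());
    }

    /** Typed view of the injected configuration. */
    private AzureSecretsConfigSourceConfiguration config() {
        return (AzureSecretsConfigSourceConfiguration) this.configuration;
    }

    /** URL of the vault's secrets collection, without query string. */
    private String secretsBaseUrl() {
        return String.format(SECRETS_ENDPOINT, config().getKeyVaultName());
    }

    /**
     * Resolves the configured private key path against the server config directory.
     *
     * @return the key file, or {@code null} when no path is configured
     */
    private File getPrivateKeyFile() {
        String path = config().getPrivateKeyFilePath();
        if (path == null) {
            return null;
        }
        return this.env.getConfigDirPath().toPath().resolve(path).toFile();
    }

    /**
     * Reads the configured PEM file into a single string.
     *
     * @return the file contents with line terminators removed, or {@code null} (after logging)
     *     when the path is not configured or the file cannot be read
     */
    private String readPrivateKeyPem() {
        File privateKeyFile = getPrivateKeyFile();
        if (privateKeyFile == null) {
            LOGGER.warning("Couldn't find private key file, make sure it's configured.");
            return null;
        }
        try {
            return String.join("", Files.readAllLines(privateKeyFile.toPath()));
        } catch (IOException | RuntimeException e) {
            // Best effort at bootstrap: an unreadable or undecodable key file must not abort
            // server startup, only disable this config source.
            LOGGER.log(Level.WARNING, "Couldn't find or read the private key file, make sure it exists.", e);
            return null;
        }
    }

    /**
     * Builds the (still unsigned) client assertion expected by the token endpoint.
     *
     * @param clientId application (client) id; used as both issuer and subject
     * @param audience the token endpoint URL
     * @param thumbprint hex-encoded thumbprint of the certificate registered for the
     *     application; sent base64url-encoded in the {@code x5t} header so Entra ID can pick
     *     the matching public key
     * @return an RS256 {@link SignedJWT} valid for {@link #ASSERTION_LIFETIME} from now
     * @throws IllegalArgumentException if {@code thumbprint} is not valid hex
     */
    private static SignedJWT buildJwt(String clientId, String audience, String thumbprint) {
        Instant now = Instant.now();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .type(JOSEObjectType.JWT)
                .x509CertThumbprint(Base64URL.encode(DatatypeConverter.parseHexBinary(thumbprint)))
                .build();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(clientId)
                .issuer(clientId)
                .audience(audience)
                .issueTime(Date.from(now))
                .expirationTime(Date.from(now.plus(ASSERTION_LIFETIME)))
                .build();
        return new SignedJWT(header, claims);
    }

    /**
     * Decodes a PKCS#8 PEM ("BEGIN PRIVATE KEY") RSA private key.
     *
     * <p>Only the unencrypted PKCS#8 form is accepted; a PKCS#1 "BEGIN RSA PRIVATE KEY" file
     * or an encrypted key fails with {@link InvalidKeySpecException}.
     *
     * @param pem PEM text; header, footer and any whitespace (including {@code \r}) are stripped
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     * @throws InvalidKeySpecException if the bytes are not a PKCS#8 RSA key
     */
    private static PrivateKey parsePrivateKey(String pem) throws NoSuchAlgorithmException, InvalidKeySpecException {
        String base64 = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replaceAll("\\s", "");
        byte[] der = new Base64(base64).decode();
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Obtains a bearer token for Key Vault.
     *
     * @return the access token, or {@code null} (after logging) when the source was not
     *     bootstrapped or the token endpoint did not answer 200
     */
    private String authenticate() {
        if (this.authClient == null) {
            LOGGER.log(Level.WARNING, "Couldn't authenticate with Azure. Check your configuration options are correct.");
            return null;
        }
        // NOTE(review): the response is deliberately not closed here; OAuth2Client exposes
        // expire(), so it may hand back a cached instance — confirm before wrapping this in
        // try-with-resources.
        Response response = this.authClient.authenticate();
        int status = response.getStatus();
        if (status != 200) {
            LOGGER.log(Level.WARNING, "Couldn't authenticate with Azure (HTTP {0}). Check your configuration options are correct.", status);
            return null;
        }
        JsonObject body = response.readEntity(JsonObject.class);
        // presumably tells OAuth2Client how long it may reuse this token — TODO confirm in OAuth2Client
        this.authClient.expire(Duration.ofSeconds(body.getInt("expires_in")));
        return body.getString("access_token");
    }
}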
