package net.snowflake.client.core.auth.wif;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import net.snowflake.client.core.SFLoginInput;
import net.snowflake.client.core.SnowflakeJdbcInternalApi;
import net.snowflake.client.core.auth.wif.WorkloadIdentityUtil;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.HttpGet;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.ObjectMapper;
import net.snowflake.client.jdbc.internal.google.common.base.Strings;
import net.snowflake.client.jdbc.internal.microsoft.azure.storage.Constants;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;

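@SnowflakeJdbcInternalApi
/**
 * Builds a workload-identity attestation for code running on Azure, either on a VM with a managed
 * identity (token fetched from the instance metadata service) or in an Azure Function whose
 * identity endpoint is enabled.
 *
 * <p>The {@code iss} claim of the fetched token is read with
 * {@link WorkloadIdentityUtil#extractClaimsWithoutVerifyingSignature(String)}, i.e. the signature
 * is NOT checked here. The issuer-prefix filter below only rejects tokens that are obviously not
 * from Azure; cryptographic verification of the raw token is presumably performed by the Snowflake
 * service that receives the attestation (confirm against the server-side flow).
 */
public class AzureIdentityAttestationCreator implements WorkloadIdentityAttestationCreator {
    private static final SFLogger logger = SFLoggerFactory.getLogger((Class<?>) AzureIdentityAttestationCreator.class);
    // Public for historical reasons; callers outside this class may rely on it, so the field is kept as-is.
    public static final ObjectMapper objectMapper = new ObjectMapper();
    // Every prefix ends with '/', so a look-alike host such as "https://sts.windows.net.example/"
    // cannot satisfy the startsWith check. The set is unmodifiable to avoid accidental widening.
    private static final Set<String> ALLOWED_AZURE_TOKEN_ISSUER_PREFIXES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("https://sts.windows.net/", "https://login.microsoftonline.com/")));
    private static final String DEFAULT_WORKLOAD_IDENTITY_ENTRA_RESOURCE = "api://fd3f753b-eed3-462c-b6a7-a4b5bb650aad";
    // Link-local address of the Azure instance metadata service (IMDS).
    private static final String DEFAULT_AZURE_METADATA_SERVICE_BASE_URL = "http://169.254.169.254";
    private static final String AZURE_VM_IMDS_API_VERSION = "2018-02-01";
    private static final String AZURE_FUNCTIONS_IDENTITY_API_VERSION = "2019-08-01";

    private final AzureAttestationService azureAttestationService;
    private final SFLoginInput loginInput;
    // Audience ("resource") requested for the token; user-supplied or the default above.
    private final String workloadIdentityEntraResource;
    private final String azureMetadataServiceBaseUrl;

    /**
     * Creates an attestation creator that talks to the default IMDS address.
     *
     * @param azureAttestationService source of environment information and the HTTP fetch
     * @param sFLoginInput login input; its Entra resource overrides the default audience when set
     */
    public AzureIdentityAttestationCreator(AzureAttestationService azureAttestationService, SFLoginInput sFLoginInput) {
        this(azureAttestationService, sFLoginInput, DEFAULT_AZURE_METADATA_SERVICE_BASE_URL);
    }

    /**
     * Creates an attestation creator with an explicit metadata-service base URL (used when the VM
     * path is taken, i.e. no identity endpoint is configured).
     *
     * @param azureAttestationService source of environment information and the HTTP fetch
     * @param sFLoginInput login input; its Entra resource overrides the default audience when set
     * @param azureMetadataServiceBaseUrl base URL of the metadata service, without trailing slash
     */
    public AzureIdentityAttestationCreator(AzureAttestationService azureAttestationService, SFLoginInput sFLoginInput, String azureMetadataServiceBaseUrl) {
        this.azureAttestationService = azureAttestationService;
        this.azureMetadataServiceBaseUrl = azureMetadataServiceBaseUrl;
        this.loginInput = sFLoginInput;
        this.workloadIdentityEntraResource = getEntraResource(sFLoginInput);
    }

    /**
     * Obtains an access token for the configured Entra resource from the Azure identity endpoint
     * and wraps it in an attestation.
     *
     * @return the attestation, or {@code null} when managed identity is unavailable, the token
     *     cannot be fetched or parsed, or its {@code iss} claim is not an accepted Azure issuer
     */
    @Override // net.snowflake.client.core.auth.wif.WorkloadIdentityAttestationCreator
    public WorkloadIdentityAttestation createAttestation() {
        logger.debug("Creating Azure identity attestation...");
        HttpGet tokenRequest = buildTokenRequest();
        if (tokenRequest == null) {
            return null;
        }
        String metadataResponse = this.azureAttestationService.fetchTokenFromMetadataService(tokenRequest, this.loginInput);
        if (metadataResponse == null) {
            logger.debug("Could not fetch Azure token.");
            return null;
        }
        String token = extractTokenFromJson(metadataResponse);
        if (token == null) {
            logger.error("No access token found in Azure response.");
            return null;
        }
        WorkloadIdentityUtil.SubjectAndIssuer claims = WorkloadIdentityUtil.extractClaimsWithoutVerifyingSignature(token);
        if (claims == null) {
            logger.error("Could not extract claims from token");
            return null;
        }
        String issuer = claims.getIssuer();
        // A missing issuer is rejected rather than allowed to throw from the prefix check.
        if (!isAllowedIssuer(issuer)) {
            logger.error("Unexpected Azure token issuer: {}", issuer);
            return null;
        }
        return new WorkloadIdentityAttestation(WorkloadIdentityProviderType.AZURE, token, claims.toMap());
    }

    /**
     * Chooses the VM (IMDS) or Azure Functions token request depending on whether an identity
     * endpoint is configured in the environment.
     *
     * @return the request to send, or {@code null} when the Function has no identity header
     */
    private HttpGet buildTokenRequest() {
        String identityEndpoint = this.azureAttestationService.getIdentityEndpoint();
        if (Strings.isNullOrEmpty(identityEndpoint)) {
            return createAzureVMIdentityRequest();
        }
        String identityHeader = this.azureAttestationService.getIdentityHeader();
        if (Strings.isNullOrEmpty(identityHeader)) {
            logger.warn("Managed identity is not enabled on this Azure function.");
            return null;
        }
        return createAzureFunctionsIdentityRequest(identityEndpoint, identityHeader, this.azureAttestationService.getClientId());
    }

    /**
     * Returns whether {@code issuer} starts with one of the accepted Azure issuer prefixes.
     *
     * @param issuer the {@code iss} claim, possibly {@code null}
     * @return {@code false} for {@code null} or any issuer outside the allow-list
     */
    private static boolean isAllowedIssuer(String issuer) {
        if (issuer == null) {
            return false;
        }
        for (String prefix : ALLOWED_AZURE_TOKEN_ISSUER_PREFIXES) {
            if (issuer.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the token audience: the login input's Entra resource when present, else the
     * default Snowflake application id.
     *
     * @param sFLoginInput login input to read the override from
     * @return the resource to request
     */
    private static String getEntraResource(SFLoginInput sFLoginInput) {
        String configured = sFLoginInput.getWorkloadIdentityEntraResource();
        return Strings.isNullOrEmpty(configured) ? DEFAULT_WORKLOAD_IDENTITY_ENTRA_RESOURCE : configured;
    }

    /**
     * Reads the {@code access_token} field from the metadata-service JSON response.
     *
     * @param json raw response body
     * @return the token, or {@code null} when the body is not JSON or the field is absent/empty
     */
    private String extractTokenFromJson(String json) {
        try {
            // path() yields a missing node instead of null, and asText(null) maps missing/explicit
            // null to null, so an absent field does not surface as a NullPointerException.
            String token = objectMapper.readTree(json).path("access_token").asText(null);
            return Strings.isNullOrEmpty(token) ? null : token;
        } catch (Exception e) {
            // Body content is deliberately not logged: it may contain the token.
            logger.error("Unable to extract token from Azure metadata response: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Builds the token request for the Azure Functions identity endpoint.
     *
     * @param identityEndpoint value of the IDENTITY_ENDPOINT environment variable
     * @param identityHeader value of the IDENTITY_HEADER environment variable, sent as X-IDENTITY-HEADER
     * @param clientId user-assigned identity client id, or {@code null} for the system-assigned one
     * @return the GET request
     */
    private HttpGet createAzureFunctionsIdentityRequest(String identityEndpoint, String identityHeader, String clientId) {
        // resource and client_id are caller-controlled; encode them so a value containing '&' or
        // '#' cannot inject extra query parameters into the request.
        StringBuilder query = new StringBuilder("api-version=")
                .append(AZURE_FUNCTIONS_IDENTITY_API_VERSION)
                .append("&resource=")
                .append(urlEncode(this.workloadIdentityEntraResource));
        if (clientId != null) {
            query.append("&client_id=").append(urlEncode(clientId));
        }
        HttpGet httpGet = new HttpGet(identityEndpoint + "?" + query);
        httpGet.addHeader("X-IDENTITY-HEADER", identityHeader);
        return httpGet;
    }

    /**
     * Builds the token request for the VM instance metadata service.
     *
     * @return the GET request, carrying the metadata header IMDS requires
     */
    private HttpGet createAzureVMIdentityRequest() {
        String url = this.azureMetadataServiceBaseUrl
                + "/metadata/identity/oauth2/token?api-version=" + AZURE_VM_IMDS_API_VERSION
                + "&resource=" + urlEncode(this.workloadIdentityEntraResource);
        HttpGet httpGet = new HttpGet(url);
        // Constants.METADATA_ELEMENT is expected to be the "Metadata" header name IMDS requires — confirm.
        httpGet.setHeader(Constants.METADATA_ELEMENT, "True");
        return httpGet;
    }

    /**
     * Percent-encodes a query-parameter value as UTF-8.
     *
     * @param value raw value
     * @return the encoded value
     */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM, so this cannot happen in practice.
            throw new IllegalStateException("UTF-8 encoding is not available", e);
        }
    }
}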
