package com.microsoft.aad.msal4j;

import com.azure.core.util.AuthorizationChallengeHandler;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:oxygen-ai-positron-enterprise-addon-4.1.0/lib/msal4j-1.17.2.jar:com/microsoft/aad/msal4j/AzureArcManagedIdentitySource.class */
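/**
 * Managed identity source for Azure Arc connected machines.
 *
 * <p>The flow implemented here is a two-step challenge/response: the first GET to the
 * identity endpoint is answered with HTTP 401 and a {@code WWW-Authenticate} header of
 * the form {@code <scheme>=<file path>}; the file named there is read from local disk
 * and its content is sent back as a {@code Basic} authorization header on a second GET.
 *
 * <p>Trust boundary: the file path is taken from an HTTP response, so it is untrusted
 * input. Before anything is read, the path must lie under the token directory of the
 * current platform, end in {@code .key}, and be no larger than
 * {@link #MAX_FILE_SIZE_BYTES}. Without these checks, whoever answers on the identity
 * endpoint could have this process read an arbitrary local file and post it back.
 *
 * <p>NOTE(review): the endpoint itself comes from the {@code IDENTITY_ENDPOINT}
 * environment variable and is only checked for URI syntax, so the file content is sent
 * to whatever address the process environment names — confirm that is acceptable for
 * the deployment.
 */
public class AzureArcManagedIdentitySource extends AbstractManagedIdentitySource {
    private static final String ARC_API_VERSION = "2019-11-01";
    private static final String AZURE_ARC = "Azure Arc";
    private static final String LINUX_PATH = "/var/opt/azcmagent/tokens/";
    private static final String FILE_EXTENSION = ".key";
    private static final int MAX_FILE_SIZE_BYTES = 4096;
    private final URI MSI_ENDPOINT;
    private static final Logger LOG = LoggerFactory.getLogger(AzureArcManagedIdentitySource.class);
    // Null when the variable is not set (e.g. on Linux); WINDOWS_PATH then starts with
    // the literal text "null" and must never be used as an allow-list prefix.
    private static final String PROGRAM_DATA = System.getenv("ProgramData");
    private static final String WINDOWS_PATH = PROGRAM_DATA + "/AzureConnectedMachineAgent/Tokens/";

    /**
     * Creates the Azure Arc source when both the identity endpoint and the IMDS endpoint
     * environment variables are set.
     *
     * @param msalRequest the request this source will serve
     * @param serviceBundle shared services (HTTP helper etc.)
     * @return the source, or {@code null} when Azure Arc managed identity is unavailable
     * @throws MsalServiceException if {@code IDENTITY_ENDPOINT} is not a valid URI, or if
     *     the application is not configured for a system-assigned identity
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static AbstractManagedIdentitySource create(MsalRequest msalRequest, ServiceBundle serviceBundle) {
        IEnvironmentVariables environmentVariables = getEnvironmentVariables();
        URI endpoint = validateAndGetUri(
                environmentVariables.getEnvironmentVariable("IDENTITY_ENDPOINT"),
                environmentVariables.getEnvironmentVariable(Constants.IMDS_ENDPOINT));
        if (endpoint == null) {
            return null;
        }
        return new AzureArcManagedIdentitySource(endpoint, msalRequest, serviceBundle);
    }

    /**
     * Parses the identity endpoint. Only URI syntax is checked; scheme and host are not.
     *
     * @param str value of {@code IDENTITY_ENDPOINT}
     * @param str2 value of the IMDS endpoint variable; only its presence is checked
     * @return the parsed endpoint, or {@code null} when either value is missing or blank
     * @throws MsalServiceException if {@code str} is not a syntactically valid URI
     */
    private static URI validateAndGetUri(String str, String str2) {
        if (StringHelper.isNullOrBlank(str) || StringHelper.isNullOrBlank(str2)) {
            LOG.info("[Managed Identity] Azure Arc managed identity is unavailable.");
            return null;
        }
        try {
            URI uri = new URI(str);
            LOG.info("[Managed Identity] Creating Azure Arc managed identity. Endpoint URI: {}", uri);
            return uri;
        } catch (URISyntaxException e) {
            throw new MsalServiceException(String.format(MsalErrorMessage.MANAGED_IDENTITY_ENDPOINT_INVALID_URI_ERROR, "IDENTITY_ENDPOINT", str, AZURE_ARC), MsalError.INVALID_MANAGED_IDENTITY_ENDPOINT, ManagedIdentitySourceType.AZURE_ARC);
        }
    }

    /**
     * @throws MsalServiceException if the application asks for anything other than a
     *     system-assigned identity, which is the only kind this source accepts
     */
    private AzureArcManagedIdentitySource(URI uri, MsalRequest msalRequest, ServiceBundle serviceBundle) {
        super(msalRequest, serviceBundle, ManagedIdentitySourceType.AZURE_ARC);
        this.MSI_ENDPOINT = uri;
        if (((ManagedIdentityApplication) msalRequest.application()).getManagedIdentityId().getIdType() != ManagedIdentityIdType.SYSTEM_ASSIGNED) {
            throw new MsalServiceException(String.format(MsalErrorMessage.MANAGED_IDENTITY_USER_ASSIGNED_NOT_SUPPORTED, AZURE_ARC), MsalError.USER_ASSIGNED_MANAGED_IDENTITY_NOT_SUPPORTED, ManagedIdentitySourceType.AZURE_ARC);
        }
    }

    /**
     * Resets the pending request to an unauthenticated GET against the identity endpoint.
     * Headers and query parameters are replaced, not merged, so an authorization header
     * from a previous round does not survive this call.
     *
     * @param str the resource to request a token for
     */
    @Override // com.microsoft.aad.msal4j.AbstractManagedIdentitySource
    public void createManagedIdentityRequest(String str) {
        this.managedIdentityRequest.baseEndpoint = this.MSI_ENDPOINT;
        this.managedIdentityRequest.method = HttpMethod.GET;
        this.managedIdentityRequest.headers = new HashMap<>();
        this.managedIdentityRequest.headers.put("Metadata", "true");
        this.managedIdentityRequest.queryParameters = new HashMap<>();
        this.managedIdentityRequest.queryParameters.put("api-version", Collections.singletonList(ARC_API_VERSION));
        this.managedIdentityRequest.queryParameters.put("resource", Collections.singletonList(str));
    }

    /**
     * Handles the endpoint's answer. Anything other than HTTP 401 is delegated to the
     * superclass; a 401 is treated as the challenge that names the secret file, which is
     * validated, read, and sent back as a {@code Basic} authorization header.
     *
     * @param managedIdentityParameters parameters of the token request
     * @param iHttpResponse the response to the first, unauthenticated request
     * @return the response produced by the superclass for the final HTTP answer
     * @throws MsalServiceException if the challenge is missing or malformed, the named
     *     file fails validation, does not exist or cannot be read, or the request URI
     *     cannot be built
     */
    @Override // com.microsoft.aad.msal4j.AbstractManagedIdentitySource
    public ManagedIdentityResponse handleResponse(ManagedIdentityParameters managedIdentityParameters, IHttpResponse iHttpResponse) {
        // The previous message contained a literal "{response.StatusCode}" placeholder
        // and therefore never logged the actual status.
        LOG.info("[Managed Identity] Response received. Status code: {}", iHttpResponse.statusCode());
        if (iHttpResponse.statusCode() != 401) {
            return super.handleResponse(managedIdentityParameters, iHttpResponse);
        }
        // NOTE(review): this is an exact-case key lookup; whether headers() returns a
        // case-insensitive map is not visible from this file — confirm.
        if (!iHttpResponse.headers().containsKey(AuthorizationChallengeHandler.WWW_AUTHENTICATE)) {
            LOG.error("[Managed Identity] WWW-Authenticate header is expected but not found.");
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_NO_CHALLENGE_ERROR, "managed_identity_request_failed", ManagedIdentitySourceType.AZURE_ARC);
        }
        List<String> challenges = iHttpResponse.headers().get(AuthorizationChallengeHandler.WWW_AUTHENTICATE);
        // A header key mapped to no usable value is reported like a missing header
        // rather than surfacing as an IndexOutOfBounds/NullPointerException.
        if (challenges == null || challenges.isEmpty() || challenges.get(0) == null) {
            LOG.error("[Managed Identity] WWW-Authenticate header is expected but not found.");
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_NO_CHALLENGE_ERROR, "managed_identity_request_failed", ManagedIdentitySourceType.AZURE_ARC);
        }
        String[] split = challenges.get(0).split("=");
        if (split.length != 2) {
            LOG.error("[Managed Identity] The WWW-Authenticate header for Azure arc managed identity is not an expected format.");
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_CHALLENGE, "managed_identity_request_failed", ManagedIdentitySourceType.AZURE_ARC);
        }
        Path secretFile;
        try {
            // normalize() collapses "." and ".." lexically so the prefix check in
            // validateFile cannot be bypassed with "tokens/../..".
            secretFile = Paths.get(split[1]).normalize();
        } catch (InvalidPathException e) {
            // The value comes from the network; a string the file system cannot parse
            // is an invalid path, not an internal error.
            LOG.error("[Managed Identity] Invalid filepath.");
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
        }
        validateFile(secretFile);
        if (!secretFile.toFile().exists()) {
            LOG.error("[Managed Identity] The WWW-Authenticate header specifies a file that does not exist");
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
        }
        try {
            byte[] secret = Files.readAllBytes(secretFile);
            // Re-check the size on the bytes actually read: the file may have changed
            // between the length check in validateFile and this read.
            if (secret.length > MAX_FILE_SIZE_BYTES) {
                LOG.error("[Managed Identity] File is larger than {} bytes.", MAX_FILE_SIZE_BYTES);
                throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
            }
            // The file content is a credential: it goes into the header only and is
            // never written to the log.
            String authorization = "Basic " + new String(secret, StandardCharsets.UTF_8);
            createManagedIdentityRequest(managedIdentityParameters.resource);
            LOG.info("[Managed Identity] Adding authorization header to the request.");
            this.managedIdentityRequest.headers.put(AuthorizationChallengeHandler.AUTHORIZATION, authorization);
            try {
                return super.handleResponse(managedIdentityParameters, this.serviceBundle.getHttpHelper().executeHttpRequest(new HttpRequest(HttpMethod.GET, this.managedIdentityRequest.computeURI().toString(), this.managedIdentityRequest.headers), this.managedIdentityRequest.requestContext(), this.serviceBundle));
            } catch (URISyntaxException e) {
                throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_ENDPOINT_INVALID_URI_ERROR, MsalError.INVALID_MANAGED_IDENTITY_ENDPOINT, this.managedIdentitySourceType);
            }
        } catch (IOException e2) {
            // The rethrown exception carries only the message, so keep the stack trace
            // in the log for diagnosis.
            LOG.error("[Managed Identity] Failed to read the Azure Arc secret file.", e2);
            throw new MsalServiceException(e2.getMessage(), MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
        }
    }

    /**
     * Checks that the challenge-supplied path may be read: supported platform, located
     * under that platform's token directory with a {@code .key} extension, and at most
     * {@link #MAX_FILE_SIZE_BYTES} bytes long.
     *
     * <p>Only the allow-list of the running platform is consulted. Accepting either
     * list on any platform would, on Linux, admit relative paths beginning with
     * {@code null/AzureConnectedMachineAgent/Tokens/}, because the Windows prefix is
     * built from an unset {@code ProgramData} variable there.
     *
     * <p>NOTE(review): the check is lexical. Symbolic links inside the token directory
     * are followed when the file is read — confirm the directory is writable only by
     * the agent.
     *
     * @param path the normalized path taken from the challenge header
     * @throws MsalServiceException if any of the checks fails
     */
    private void validateFile(Path path) {
        // Locale.ROOT: with a Turkish default locale "WINDOWS" lower-cases to a dotless
        // i and the contains("windows") test below would fail.
        String osName = System.getProperty("os.name").toLowerCase(Locale.ROOT);
        boolean onWindows = osName.contains("windows");
        boolean onLinux = osName.contains("linux");
        if (!onWindows && !onLinux) {
            LOG.error("[Managed Identity] Unsupported platform: {}", osName);
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_PLATFORM_NOT_SUPPORTED, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
        }
        boolean allowedLocation = onWindows ? isValidWindowsPath(path) : isValidLinuxPath(path);
        if (!allowedLocation) {
            LOG.error("[Managed Identity] Invalid filepath.");
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
        }
        if (path.toFile().length() > MAX_FILE_SIZE_BYTES) {
            LOG.error("[Managed Identity] File is larger than {} bytes.", MAX_FILE_SIZE_BYTES);
            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR, ManagedIdentitySourceType.AZURE_ARC);
        }
        // Success is not an error condition; logging it at ERROR produced false alarms.
        LOG.info("[Managed Identity] Path passed validation.");
    }

    /**
     * @return {@code true} when {@code ProgramData} is set and the path is a
     *     {@code .key} file under the Windows token directory
     */
    private boolean isValidWindowsPath(Path path) {
        if (StringHelper.isNullOrBlank(PROGRAM_DATA)) {
            return false;
        }
        return hasKeyExtensionUnder(path, WINDOWS_PATH);
    }

    /** @return {@code true} when the path is a {@code .key} file under the Linux token directory */
    private boolean isValidLinuxPath(Path path) {
        return hasKeyExtensionUnder(path, LINUX_PATH);
    }

    /**
     * Path.startsWith compares whole path elements, so a sibling directory whose name
     * merely begins with the token directory's name does not match.
     */
    private static boolean hasKeyExtensionUnder(Path path, String directory) {
        return path.startsWith(directory)
                && path.toString().toLowerCase(Locale.ROOT).endsWith(FILE_EXTENSION);
    }
}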
