package com.mongodb.internal.connection;

import com.helger.commons.http.HttpHeaderMap;
import com.mongodb.AuthenticationMechanism;
import com.mongodb.MongoClientException;
import com.mongodb.MongoCommandException;
import com.mongodb.MongoConfigurationException;
import com.mongodb.MongoCredential;
import com.mongodb.MongoException;
import com.mongodb.MongoSecurityException;
import com.mongodb.ServerAddress;
import com.mongodb.ServerApi;
import com.mongodb.assertions.Assertions;
import com.mongodb.connection.ClusterConnectionMode;
import com.mongodb.connection.ConnectionDescription;
import com.mongodb.internal.Locks;
import com.mongodb.internal.async.AsyncRunnable;
import com.mongodb.internal.async.SingleResultCallback;
import com.mongodb.internal.authentication.AzureCredentialHelper;
import com.mongodb.internal.authentication.CredentialInfo;
import com.mongodb.internal.authentication.GcpCredentialHelper;
import com.mongodb.internal.connection.SaslAuthenticator;
import com.mongodb.lang.Nullable;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.security.sasl.SaslClient;
import org.bson.BsonDocument;
import org.bson.BsonString;
import org.bson.RawBsonDocument;

/* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator.class */
public final class OidcAuthenticator extends SaslAuthenticator {
    public static final String OIDC_TOKEN_FILE = "OIDC_TOKEN_FILE";
    private static final int CALLBACK_API_VERSION_NUMBER = 1;

    @Nullable
    private ServerAddress serverAddress;

    @Nullable
    private String connectionLastAccessToken;
    private FallbackState fallbackState;

    @Nullable
    private BsonDocument speculativeAuthenticateResponse;
    private static final String AZURE_ENVIRONMENT = "azure";
    private static final String GCP_ENVIRONMENT = "gcp";
    private static final String TEST_ENVIRONMENT = "test";
    private static final List<String> IMPLEMENTED_ENVIRONMENTS = Arrays.asList(AZURE_ENVIRONMENT, GCP_ENVIRONMENT, TEST_ENVIRONMENT);
    private static final List<String> USER_SUPPORTED_ENVIRONMENTS = Arrays.asList(AZURE_ENVIRONMENT, GCP_ENVIRONMENT);
    private static final List<String> REQUIRES_TOKEN_RESOURCE = Arrays.asList(AZURE_ENVIRONMENT, GCP_ENVIRONMENT);
    private static final List<String> ALLOWS_USERNAME = Arrays.asList(AZURE_ENVIRONMENT);
    private static final Duration CALLBACK_TIMEOUT = Duration.ofMinutes(1);
    private static final Duration HUMAN_CALLBACK_TIMEOUT = Duration.ofMinutes(5);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator$FallbackState.class */
    public enum FallbackState {
        INITIAL,
        PHASE_1_CACHED_TOKEN,
        PHASE_2_REFRESH_CALLBACK_TOKEN,
        PHASE_3A_PRINCIPAL,
        PHASE_3B_CALLBACK_TOKEN
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator$IdpInfoImpl.class */
    public static final class IdpInfoImpl implements MongoCredential.IdpInfo {
        private final String issuer;

        @Nullable
        private final String clientId;
        private final List<String> requestScopes;

        IdpInfoImpl(String str, @Nullable String str2, @Nullable List<String> list) {
            this.issuer = (String) Assertions.assertNotNull(str);
            this.clientId = str2;
            this.requestScopes = list == null ? Collections.emptyList() : Collections.unmodifiableList(list);
        }

        @Override // com.mongodb.MongoCredential.IdpInfo
        public String getIssuer() {
            return this.issuer;
        }

        @Override // com.mongodb.MongoCredential.IdpInfo
        @Nullable
        public String getClientId() {
            return this.clientId;
        }

        @Override // com.mongodb.MongoCredential.IdpInfo
        public List<String> getRequestScopes() {
            return this.requestScopes;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator$OidcCacheEntry.class */
    public static final class OidcCacheEntry {

        @Nullable
        private final String accessToken;

        @Nullable
        private final String refreshToken;

        @Nullable
        private final MongoCredential.IdpInfo idpInfo;

        public String toString() {
            return "OidcCacheEntry{\n accessToken=[omitted],\n refreshToken=[omitted],\n idpInfo=" + this.idpInfo + '}';
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public OidcCacheEntry() {
            this(null, null, null);
        }

        private OidcCacheEntry(@Nullable String str, @Nullable String str2, @Nullable MongoCredential.IdpInfo idpInfo) {
            this.accessToken = str;
            this.refreshToken = str2;
            this.idpInfo = idpInfo;
        }

        @Nullable
        String getCachedAccessToken() {
            return this.accessToken;
        }

        @Nullable
        String getRefreshToken() {
            return this.refreshToken;
        }

        @Nullable
        MongoCredential.IdpInfo getIdpInfo() {
            return this.idpInfo;
        }

        OidcCacheEntry clearAccessToken() {
            return new OidcCacheEntry(null, this.refreshToken, this.idpInfo);
        }

        OidcCacheEntry clearRefreshToken() {
            return new OidcCacheEntry(this.accessToken, null, null);
        }
    }

    /* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator$OidcCallbackContextImpl.class */
    static class OidcCallbackContextImpl implements MongoCredential.OidcCallbackContext {
        private final Duration timeout;

        @Nullable
        private final MongoCredential.IdpInfo idpInfo;

        @Nullable
        private final String refreshToken;

        @Nullable
        private final String userName;

        OidcCallbackContextImpl(Duration duration, @Nullable String str) {
            this.timeout = (Duration) Assertions.assertNotNull(duration);
            this.idpInfo = null;
            this.refreshToken = null;
            this.userName = str;
        }

        OidcCallbackContextImpl(Duration duration, MongoCredential.IdpInfo idpInfo, @Nullable String str, @Nullable String str2) {
            this.timeout = (Duration) Assertions.assertNotNull(duration);
            this.idpInfo = (MongoCredential.IdpInfo) Assertions.assertNotNull(idpInfo);
            this.refreshToken = str;
            this.userName = str2;
        }

        @Override // com.mongodb.MongoCredential.OidcCallbackContext
        @Nullable
        public MongoCredential.IdpInfo getIdpInfo() {
            return this.idpInfo;
        }

        @Override // com.mongodb.MongoCredential.OidcCallbackContext
        public Duration getTimeout() {
            return this.timeout;
        }

        @Override // com.mongodb.MongoCredential.OidcCallbackContext
        public int getVersion() {
            return 1;
        }

        @Override // com.mongodb.MongoCredential.OidcCallbackContext
        @Nullable
        public String getRefreshToken() {
            return this.refreshToken;
        }

        @Override // com.mongodb.MongoCredential.OidcCallbackContext
        @Nullable
        public String getUserName() {
            return this.userName;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator$OidcSaslClient.class */
    private final class OidcSaslClient extends SaslAuthenticator.SaslClientImpl {
        private OidcSaslClient(MongoCredentialWithCache mongoCredentialWithCache) {
            super(mongoCredentialWithCache.getCredential());
        }

        public byte[] evaluateChallenge(byte[] bArr) {
            return OidcAuthenticator.this.evaluate(bArr);
        }

        public boolean isComplete() {
            return OidcAuthenticator.this.clientIsComplete();
        }
    }

    /* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-5.1.2.jar:com/mongodb/internal/connection/OidcAuthenticator$OidcValidator.class */
    public static final class OidcValidator {
        private OidcValidator() {
        }

        public static void validateOidcCredentialConstruction(String str, Map<String, Object> map) {
            if (!"$external".equals(str)) {
                throw new IllegalArgumentException("source must be '$external'");
            }
            Object obj = map.get(MongoCredential.ENVIRONMENT_KEY.toLowerCase());
            if (obj != null) {
                if (!(obj instanceof String) || !OidcAuthenticator.IMPLEMENTED_ENVIRONMENTS.contains(obj)) {
                    throw new IllegalArgumentException("ENVIRONMENT must be one of: " + OidcAuthenticator.USER_SUPPORTED_ENVIRONMENTS);
                }
            }
        }

        public static void validateCreateOidcCredential(@Nullable char[] cArr) {
            if (cArr != null) {
                throw new IllegalArgumentException("password must not be specified for " + AuthenticationMechanism.MONGODB_OIDC);
            }
        }

        public static void validateBeforeUse(MongoCredential mongoCredential) {
            String userName = mongoCredential.getUserName();
            Object mechanismProperty = mongoCredential.getMechanismProperty(MongoCredential.ENVIRONMENT_KEY, null);
            Object mechanismProperty2 = mongoCredential.getMechanismProperty(MongoCredential.OIDC_CALLBACK_KEY, null);
            Object mechanismProperty3 = mongoCredential.getMechanismProperty(MongoCredential.OIDC_HUMAN_CALLBACK_KEY, null);
            boolean z = mongoCredential.getMechanismProperty(MongoCredential.ALLOWED_HOSTS_KEY, null) != null;
            if (mechanismProperty3 == null && z) {
                throw new IllegalArgumentException("ALLOWED_HOSTS must be specified only when OIDC_HUMAN_CALLBACK is specified");
            }
            if (mechanismProperty == null) {
                if (mechanismProperty2 == null && mechanismProperty3 == null) {
                    throw new IllegalArgumentException("Either ENVIRONMENT or OIDC_CALLBACK or OIDC_HUMAN_CALLBACK must be specified");
                }
                if (mechanismProperty2 != null && mechanismProperty3 != null) {
                    throw new IllegalArgumentException("Both OIDC_CALLBACK and OIDC_HUMAN_CALLBACK must not be specified");
                }
                return;
            }
            if (!(mechanismProperty instanceof String)) {
                throw new IllegalArgumentException("ENVIRONMENT must be a String");
            }
            if (userName != null && !OidcAuthenticator.ALLOWS_USERNAME.contains(mechanismProperty)) {
                throw new IllegalArgumentException("user name must not be specified when ENVIRONMENT is specified");
            }
            if (mechanismProperty2 != null) {
                throw new IllegalArgumentException("OIDC_CALLBACK must not be specified when ENVIRONMENT is specified");
            }
            if (mechanismProperty3 != null) {
                throw new IllegalArgumentException("OIDC_HUMAN_CALLBACK must not be specified when ENVIRONMENT is specified");
            }
            String str = (String) mongoCredential.getMechanismProperty(MongoCredential.TOKEN_RESOURCE_KEY, null);
            if ((str != null) != OidcAuthenticator.REQUIRES_TOKEN_RESOURCE.contains(mechanismProperty)) {
                throw new IllegalArgumentException("TOKEN_RESOURCE must be provided if and only if ENVIRONMENT " + mechanismProperty + "  is one of: " + OidcAuthenticator.REQUIRES_TOKEN_RESOURCE + ". " + MongoCredential.TOKEN_RESOURCE_KEY + HttpHeaderMap.SEPARATOR_KEY_VALUE + str);
            }
        }
    }

    public OidcAuthenticator(MongoCredentialWithCache mongoCredentialWithCache, ClusterConnectionMode clusterConnectionMode, @Nullable ServerApi serverApi) {
        super(mongoCredentialWithCache, clusterConnectionMode, serverApi);
        this.fallbackState = FallbackState.INITIAL;
        OidcValidator.validateBeforeUse(mongoCredentialWithCache.getCredential());
        if (getMongoCredential().getAuthenticationMechanism() != AuthenticationMechanism.MONGODB_OIDC) {
            throw new MongoException("Incorrect mechanism: " + getMongoCredential().getMechanism());
        }
    }

    private Duration getCallbackTimeout() {
        return isHumanCallback() ? HUMAN_CALLBACK_TIMEOUT : CALLBACK_TIMEOUT;
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator
    public String getMechanismName() {
        return AuthenticationMechanism.MONGODB_OIDC.getMechanismName();
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator
    protected SaslClient createSaslClient(ServerAddress serverAddress) {
        this.serverAddress = (ServerAddress) Assertions.assertNotNull(serverAddress);
        return new OidcSaslClient(getMongoCredentialWithCache());
    }

    @Override // com.mongodb.internal.connection.SpeculativeAuthenticator
    @Nullable
    public BsonDocument createSpeculativeAuthenticateCommand(InternalConnection internalConnection) {
        try {
            String cachedAccessToken = getMongoCredentialWithCache().getOidcCacheEntry().getCachedAccessToken();
            if (cachedAccessToken != null) {
                return wrapInSpeculative(prepareTokenAsJwt(cachedAccessToken));
            }
            return null;
        } catch (Exception e) {
            throw wrapException(e);
        }
    }

    private BsonDocument wrapInSpeculative(byte[] bArr) {
        BsonDocument append = createSaslStartCommandDocument(bArr).append("db", new BsonString(getMongoCredential().getSource()));
        appendSaslStartOptions(append);
        return append;
    }

    @Override // com.mongodb.internal.connection.SpeculativeAuthenticator
    @Nullable
    public BsonDocument getSpeculativeAuthenticateResponse() {
        BsonDocument bsonDocument = this.speculativeAuthenticateResponse;
        this.speculativeAuthenticateResponse = null;
        if (bsonDocument == null) {
            this.connectionLastAccessToken = null;
        }
        return bsonDocument;
    }

    @Override // com.mongodb.internal.connection.SpeculativeAuthenticator
    public void setSpeculativeAuthenticateResponse(@Nullable BsonDocument bsonDocument) {
        this.speculativeAuthenticateResponse = bsonDocument;
    }

    private boolean isHumanCallback() {
        return getOidcCallbackMechanismProperty(MongoCredential.OIDC_HUMAN_CALLBACK_KEY) != null;
    }

    @Nullable
    private MongoCredential.OidcCallback getOidcCallbackMechanismProperty(String str) {
        return (MongoCredential.OidcCallback) getMongoCredentialWithCache().getCredential().getMechanismProperty(str, null);
    }

    private MongoCredential.OidcCallback getRequestCallback() {
        String str = (String) getMongoCredential().getMechanismProperty(MongoCredential.ENVIRONMENT_KEY, null);
        MongoCredential.OidcCallback testCallback = TEST_ENVIRONMENT.equals(str) ? getTestCallback() : AZURE_ENVIRONMENT.equals(str) ? getAzureCallback(getMongoCredential()) : GCP_ENVIRONMENT.equals(str) ? getGcpCallback(getMongoCredential()) : getOidcCallbackMechanismProperty(MongoCredential.OIDC_CALLBACK_KEY);
        return testCallback != null ? testCallback : (MongoCredential.OidcCallback) Assertions.assertNotNull(getOidcCallbackMechanismProperty(MongoCredential.OIDC_HUMAN_CALLBACK_KEY));
    }

    private static MongoCredential.OidcCallback getTestCallback() {
        return oidcCallbackContext -> {
            return new MongoCredential.OidcCallbackResult(readTokenFromFile());
        };
    }

    static MongoCredential.OidcCallback getAzureCallback(MongoCredential mongoCredential) {
        return oidcCallbackContext -> {
            CredentialInfo fetchAzureCredentialInfo = AzureCredentialHelper.fetchAzureCredentialInfo((String) Assertions.assertNotNull((String) mongoCredential.getMechanismProperty(MongoCredential.TOKEN_RESOURCE_KEY, null)), mongoCredential.getUserName());
            return new MongoCredential.OidcCallbackResult(fetchAzureCredentialInfo.getAccessToken(), fetchAzureCredentialInfo.getExpiresIn());
        };
    }

    static MongoCredential.OidcCallback getGcpCallback(MongoCredential mongoCredential) {
        return oidcCallbackContext -> {
            CredentialInfo fetchGcpCredentialInfo = GcpCredentialHelper.fetchGcpCredentialInfo((String) Assertions.assertNotNull((String) mongoCredential.getMechanismProperty(MongoCredential.TOKEN_RESOURCE_KEY, null)));
            return new MongoCredential.OidcCallbackResult(fetchGcpCredentialInfo.getAccessToken(), fetchGcpCredentialInfo.getExpiresIn());
        };
    }

    @Override // com.mongodb.internal.connection.Authenticator
    public void reauthenticate(InternalConnection internalConnection) {
        Assertions.assertTrue(internalConnection.opened());
        authenticationLoop(internalConnection, internalConnection.getDescription());
    }

    @Override // com.mongodb.internal.connection.Authenticator
    public void reauthenticateAsync(InternalConnection internalConnection, SingleResultCallback<Void> singleResultCallback) {
        AsyncRunnable.beginAsync().thenRun(singleResultCallback2 -> {
            Assertions.assertTrue(internalConnection.opened());
            authenticationLoopAsync(internalConnection, internalConnection.getDescription(), singleResultCallback2);
        }).finish(singleResultCallback);
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator, com.mongodb.internal.connection.Authenticator
    public void authenticate(InternalConnection internalConnection, ConnectionDescription connectionDescription) {
        Assertions.assertFalse(internalConnection.opened());
        authenticationLoop(internalConnection, connectionDescription);
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator, com.mongodb.internal.connection.Authenticator
    void authenticateAsync(InternalConnection internalConnection, ConnectionDescription connectionDescription, SingleResultCallback<Void> singleResultCallback) {
        AsyncRunnable.beginAsync().thenRun(singleResultCallback2 -> {
            Assertions.assertFalse(internalConnection.opened());
            authenticationLoopAsync(internalConnection, connectionDescription, singleResultCallback2);
        }).finish(singleResultCallback);
    }

    private static boolean triggersRetry(@Nullable Throwable th) {
        if (!(th instanceof MongoSecurityException)) {
            return false;
        }
        Throwable cause = ((MongoSecurityException) th).getCause();
        return (cause instanceof MongoCommandException) && ((MongoCommandException) cause).getErrorCode() == 18;
    }

    private void authenticationLoop(InternalConnection internalConnection, ConnectionDescription connectionDescription) {
        this.fallbackState = FallbackState.INITIAL;
        do {
            try {
                super.authenticate(internalConnection, connectionDescription);
                return;
            } catch (Exception e) {
                if (!triggersRetry(e)) {
                    break;
                }
                throw e;
            }
        } while (shouldRetryHandler());
        throw e;
    }

    private void authenticationLoopAsync(InternalConnection internalConnection, ConnectionDescription connectionDescription, SingleResultCallback<Void> singleResultCallback) {
        this.fallbackState = FallbackState.INITIAL;
        AsyncRunnable.beginAsync().thenRunRetryingWhile(singleResultCallback2 -> {
            super.authenticateAsync(internalConnection, connectionDescription, singleResultCallback2);
        }, th -> {
            return triggersRetry(th) && shouldRetryHandler();
        }).finish(singleResultCallback);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v1, types: [byte[], byte[][]] */
    public byte[] evaluate(byte[] bArr) {
        ?? r0 = new byte[1];
        Locks.withInterruptibleLock(getMongoCredentialWithCache().getOidcLock(), () -> {
            OidcCacheEntry oidcCacheEntry = getMongoCredentialWithCache().getOidcCacheEntry();
            String refreshToken = oidcCacheEntry.getRefreshToken();
            MongoCredential.IdpInfo idpInfo = oidcCacheEntry.getIdpInfo();
            String validatedCachedAccessToken = validatedCachedAccessToken();
            MongoCredential.OidcCallback requestCallback = getRequestCallback();
            boolean isHumanCallback = isHumanCallback();
            String userName = getMongoCredentialWithCache().getCredential().getUserName();
            if (validatedCachedAccessToken != null) {
                this.fallbackState = FallbackState.PHASE_1_CACHED_TOKEN;
                r0[0] = prepareTokenAsJwt(validatedCachedAccessToken);
                return;
            }
            if (refreshToken != null) {
                Assertions.assertNotNull(idpInfo);
                this.fallbackState = FallbackState.PHASE_2_REFRESH_CALLBACK_TOKEN;
                r0[0] = populateCacheWithCallbackResultAndPrepareJwt(idpInfo, requestCallback.onRequest(new OidcCallbackContextImpl(getCallbackTimeout(), idpInfo, refreshToken, userName)));
                return;
            }
            if (!isHumanCallback) {
                this.fallbackState = FallbackState.PHASE_3B_CALLBACK_TOKEN;
                MongoCredential.OidcCallbackResult onRequest = requestCallback.onRequest(new OidcCallbackContextImpl(getCallbackTimeout(), userName));
                r0[0] = populateCacheWithCallbackResultAndPrepareJwt(null, onRequest);
                if (onRequest.getRefreshToken() != null) {
                    throw new MongoConfigurationException("Refresh token must only be provided in human workflow");
                }
                return;
            }
            boolean z = bArr.length == 0;
            if (!(this.fallbackState == FallbackState.PHASE_3A_PRINCIPAL) && z) {
                this.fallbackState = FallbackState.PHASE_3A_PRINCIPAL;
                r0[0] = prepareUsername(userName);
            } else {
                MongoCredential.IdpInfo idpInfo2 = toIdpInfo(bArr);
                this.fallbackState = FallbackState.PHASE_3B_CALLBACK_TOKEN;
                r0[0] = populateCacheWithCallbackResultAndPrepareJwt(idpInfo2, requestCallback.onRequest(new OidcCallbackContextImpl(getCallbackTimeout(), idpInfo2, null, userName)));
            }
        });
        return r0[0];
    }

    @Nullable
    private String validatedCachedAccessToken() {
        MongoCredentialWithCache mongoCredentialWithCache = getMongoCredentialWithCache();
        OidcCacheEntry oidcCacheEntry = mongoCredentialWithCache.getOidcCacheEntry();
        String cachedAccessToken = oidcCacheEntry.getCachedAccessToken();
        String str = this.connectionLastAccessToken;
        if (cachedAccessToken != null && cachedAccessToken.equals(str)) {
            mongoCredentialWithCache.setOidcCacheEntry(oidcCacheEntry.clearAccessToken());
            cachedAccessToken = null;
        }
        return cachedAccessToken;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean clientIsComplete() {
        return this.fallbackState != FallbackState.PHASE_3A_PRINCIPAL;
    }

    private boolean shouldRetryHandler() {
        boolean[] zArr = new boolean[1];
        Locks.withInterruptibleLock(getMongoCredentialWithCache().getOidcLock(), () -> {
            MongoCredentialWithCache mongoCredentialWithCache = getMongoCredentialWithCache();
            OidcCacheEntry oidcCacheEntry = mongoCredentialWithCache.getOidcCacheEntry();
            if (this.fallbackState == FallbackState.PHASE_1_CACHED_TOKEN) {
                mongoCredentialWithCache.setOidcCacheEntry(oidcCacheEntry.clearAccessToken());
                zArr[0] = true;
            } else if (this.fallbackState == FallbackState.PHASE_2_REFRESH_CALLBACK_TOKEN) {
                mongoCredentialWithCache.setOidcCacheEntry(oidcCacheEntry.clearAccessToken().clearRefreshToken());
                zArr[0] = true;
            } else {
                mongoCredentialWithCache.setOidcCacheEntry(oidcCacheEntry.clearAccessToken().clearRefreshToken());
                zArr[0] = false;
            }
        });
        return zArr[0];
    }

    private static String readTokenFromFile() {
        String str = System.getenv(OIDC_TOKEN_FILE);
        if (str == null) {
            throw new MongoClientException(String.format("Environment variable must be specified: %s", OIDC_TOKEN_FILE));
        }
        try {
            return new String(Files.readAllBytes(Paths.get(str, new String[0])), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new MongoClientException(String.format("Could not read file specified by environment variable: %s at path: %s", OIDC_TOKEN_FILE, str), e);
        }
    }

    private byte[] populateCacheWithCallbackResultAndPrepareJwt(@Nullable MongoCredential.IdpInfo idpInfo, @Nullable MongoCredential.OidcCallbackResult oidcCallbackResult) {
        if (oidcCallbackResult == null) {
            throw new MongoConfigurationException("Result of callback must not be null");
        }
        getMongoCredentialWithCache().setOidcCacheEntry(new OidcCacheEntry(oidcCallbackResult.getAccessToken(), oidcCallbackResult.getRefreshToken(), idpInfo));
        return prepareTokenAsJwt(oidcCallbackResult.getAccessToken());
    }

    private static byte[] prepareUsername(@Nullable String str) {
        BsonDocument bsonDocument = new BsonDocument();
        if (str != null) {
            bsonDocument = bsonDocument.append("n", new BsonString(str));
        }
        return toBson(bsonDocument);
    }

    private MongoCredential.IdpInfo toIdpInfo(byte[] bArr) {
        validateAllowedHosts(getMongoCredential());
        RawBsonDocument rawBsonDocument = new RawBsonDocument(bArr);
        return new IdpInfoImpl(rawBsonDocument.getString("issuer").getValue(), !rawBsonDocument.containsKey("clientId") ? null : rawBsonDocument.getString("clientId").getValue(), getStringArray(rawBsonDocument, "requestScopes"));
    }

    @Nullable
    private static List<String> getStringArray(BsonDocument bsonDocument, String str) {
        if (bsonDocument.isArray(str)) {
            return (List) bsonDocument.getArray(str).stream().filter(bsonValue -> {
                return bsonValue.isString();
            }).map(bsonValue2 -> {
                return bsonValue2.asString().getValue();
            }).collect(Collectors.toList());
        }
        return null;
    }

    private void validateAllowedHosts(MongoCredential mongoCredential) {
        List list = (List) Assertions.assertNotNull((List) mongoCredential.getMechanismProperty(MongoCredential.ALLOWED_HOSTS_KEY, MongoCredential.DEFAULT_ALLOWED_HOSTS));
        String host = ((ServerAddress) Assertions.assertNotNull(this.serverAddress)).getHost();
        if (!list.stream().anyMatch(str -> {
            if (str.startsWith("*.")) {
                return host.endsWith(str.substring(1));
            }
            if (str.contains("*")) {
                throw new IllegalArgumentException("Allowed host " + str + " contains invalid wildcard");
            }
            return host.equals(str);
        })) {
            throw new MongoSecurityException(mongoCredential, "Host " + host + " not permitted by " + MongoCredential.ALLOWED_HOSTS_KEY + ", values:  " + list);
        }
    }

    private byte[] prepareTokenAsJwt(String str) {
        this.connectionLastAccessToken = str;
        return toJwtDocument(str);
    }

    private static byte[] toJwtDocument(String str) {
        return toBson(new BsonDocument().append("jwt", new BsonString(str)));
    }
}
