package com.palantir.foundry.sql.driver.auth;

import com.palantir.foundry.sql.driver.logging.DriverLoggerFactory;
import com.palantir.foundry.sql.multipass.oauth.client.MultipassOAuth2Service;
import com.palantir.foundry.sql.multipass.oauth.client.TokenResponse;
import com.palantir.foundry.sql.multipass.oauth.flow.FoundryOAuthFlow;
import com.palantir.foundry.sql.multipass.oauth.store.CredentialStore;
import com.palantir.logsafe.Arg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import shadow.palantir.driver.com.palantir.conjure.java.api.errors.RemoteException;
import shadow.palantir.driver.com.palantir.tokens.auth.AuthHeader;
import shadow.palantir.driver.com.palantir.tokens.auth.BearerToken;

/* loaded from: input_file:com/palantir/foundry/sql/driver/auth/OAuthTokenFactory.class */
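/**
 * Obtains OAuth tokens through {@link FoundryOAuthFlow}, stores the resulting refresh token in a
 * {@link CredentialStore}, and validates bearer tokens against {@link MultipassOAuth2Service}.
 *
 * <p>A successful validation is cached for {@link #CHECK_CACHE_DURATION} and is bound to the
 * token that was validated, so a different token is never reported valid on the strength of an
 * earlier check.
 *
 * <p>NOTE(review): this class contains no synchronization around its mutable cache fields;
 * confirm that instances are confined to one thread or guarded by the caller.
 */
public final class OAuthTokenFactory {
    private static final Logger log = DriverLoggerFactory.getLogger(OAuthTokenFactory.class);

    /**
     * How long a positive result from the token-check endpoint is trusted without asking again.
     * During this window {@link #checkToken} does not contact the service, so a change in the
     * token's validity on the server side is not observed until the window ends.
     */
    private static final Duration CHECK_CACHE_DURATION = Duration.ofMinutes(2);

    private final FoundryOAuthFlow oauthFlow;
    private final CredentialStore credentialStore;
    private final MultipassOAuth2Service oAuth2Service;

    // End of the window in which checkedToken is considered valid without a remote check.
    private Instant checkedUntil = Instant.EPOCH;
    // The token the current window applies to; null until the first successful check.
    private BearerToken checkedToken;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a factory over the given collaborators.
     *
     * @param foundryOAuthFlow flow used to refresh an existing grant or start a fresh one
     * @param credentialStore store holding the refresh token between calls
     * @param multipassOAuth2Service service used to validate bearer tokens
     */
    public OAuthTokenFactory(FoundryOAuthFlow foundryOAuthFlow, CredentialStore credentialStore, MultipassOAuth2Service multipassOAuth2Service) {
        this.oauthFlow = foundryOAuthFlow;
        this.credentialStore = credentialStore;
        this.oAuth2Service = multipassOAuth2Service;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Obtains a new access token.
     *
     * <p>If the credential store holds a token it is passed to {@link FoundryOAuthFlow#refresh};
     * otherwise {@link FoundryOAuthFlow#freshOauthFlow} is run. The refresh token from the
     * response is written back to the store before the access token is returned.
     *
     * @return the new access token together with its lifetime as reported by the response
     * @throws SafeRuntimeException if any step fails, including a response without a refresh
     *     token; the credential store is cleared before the exception is thrown
     */
    public CachedAccessToken refresh() {
        try {
            // The decompiler emitted an unresolved Optional<U> here; chaining the calls keeps
            // the same evaluation order (store lookup, refresh, fallback to a fresh flow)
            // without needing to name the intermediate type.
            TokenResponse tokenResponse = this.credentialStore.get()
                    .map(this.oauthFlow::refresh)
                    .orElseGet(this.oauthFlow::freshOauthFlow);
            this.credentialStore.put(tokenResponse.getRefreshToken().orElseThrow(
                    () -> new SafeRuntimeException("Missing refresh token from response", new Arg[0])));
            return new CachedAccessToken(tokenResponse.getAccessToken(), tokenResponse.getExpiresIn());
        } catch (Exception e) {
            // NOTE(review): the exception is logged in full; confirm that the flow and store
            // never place token values in exception messages.
            log.error("OAuth authentication failed", e);
            // Every failure clears the stored credential, not only a rejected refresh token,
            // so the next call falls through to freshOauthFlow.
            try {
                this.credentialStore.clear();
            } catch (RuntimeException clearFailure) {
                // Keep the original cause; a failing clear() must not replace it. The stored
                // credential may still be present in this case.
                log.warn("Failed to clear stored credential after OAuth failure", clearFailure);
                e.addSuppressed(clearFailure);
            }
            throw new SafeRuntimeException("OAuth authentication failed", e, new Arg[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports whether the given token is currently accepted by the OAuth2 service.
     *
     * <p>A positive answer is reused for {@link #CHECK_CACHE_DURATION}, but only for the same
     * token. Any other token is checked against the service.
     *
     * @param bearerToken the token to validate
     * @return {@code true} if the token was validated now or within the cache window,
     *     {@code false} if the service rejected it with a {@link RemoteException}
     */
    public boolean checkToken(BearerToken bearerToken) {
        // Relies on BearerToken.equals; if that were identity-only the cache would simply
        // apply less often, which errs towards checking.
        boolean sameTokenAsLastCheck = bearerToken != null && bearerToken.equals(this.checkedToken);
        if (sameTokenAsLastCheck && this.checkedUntil.isAfter(Instant.now())) {
            return true;
        }
        try {
            this.oAuth2Service.checkToken(AuthHeader.of(bearerToken));
            // Record the token before the deadline so the window never outlives its token.
            this.checkedToken = bearerToken;
            this.checkedUntil = Instant.now().plus(CHECK_CACHE_DURATION);
            return true;
        } catch (RemoteException e) {
            log.warn("Cached token is unexpectedly invalid, refreshing...", e);
            return false;
        }
    }
}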
