package org.commonjava.indy.subsys.service.keycloak;

import java.util.Collections;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicHeader;
import org.commonjava.indy.client.core.auth.IndyClientAuthenticator;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.representations.AccessTokenResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/commonjava/indy/subsys/service/keycloak/KeycloakTokenAuthenticator.class */
public class KeycloakTokenAuthenticator extends IndyClientAuthenticator {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_FORMAT = "Bearer %s";
    private final String keycloakAuthUrl;
    private final String keycloakAuthRealm;
    private final String keycloakClientId;
    private final String keycloakClientSecret;
    private Configuration config;
    private String cachedToken;
    private Long cachedTokenExpireAtInSecs;

    public KeycloakTokenAuthenticator(String str, String str2, String str3, String str4) {
        this.keycloakAuthUrl = str;
        this.keycloakAuthRealm = str2;
        this.keycloakClientId = str3;
        this.keycloakClientSecret = str4;
    }

    @Override // org.commonjava.indy.client.core.auth.IndyClientAuthenticator, org.commonjava.util.jhttpc.auth.ClientAuthenticator
    public HttpClientBuilder decorateClientBuilder(HttpClientBuilder httpClientBuilder) {
        httpClientBuilder.addInterceptorFirst((httpRequest, httpContext) -> {
            httpRequest.addHeader(new BasicHeader(AUTHORIZATION_HEADER, String.format(BEARER_FORMAT, getToken())));
        });
        return httpClientBuilder;
    }

    private Boolean shouldRefresh() {
        if (this.cachedTokenExpireAtInSecs == null) {
            return false;
        }
        return Boolean.valueOf(System.currentTimeMillis() / 1000 > this.cachedTokenExpireAtInSecs.longValue());
    }

    private Configuration getKeycloakClientCfg() {
        if (this.config == null) {
            this.config = new Configuration();
            this.config.setAuthServerUrl(this.keycloakAuthUrl);
            this.config.setRealm(this.keycloakAuthRealm);
            this.config.setResource(this.keycloakClientId);
            this.config.setCredentials(Collections.singletonMap("secret", this.keycloakClientSecret));
        }
        return this.config;
    }

    private String getToken() {
        if (StringUtils.isBlank(this.cachedToken) || shouldRefresh().booleanValue()) {
            AccessTokenResponse obtainAccessToken = AuthzClient.create(getKeycloakClientCfg()).obtainAccessToken();
            this.cachedToken = obtainAccessToken.getToken();
            this.cachedTokenExpireAtInSecs = Long.valueOf((System.currentTimeMillis() / 1000) + obtainAccessToken.getExpiresIn());
            this.logger.debug("Got keycloak access token for client: {}, expire in: {}", this.keycloakClientId, this.cachedTokenExpireAtInSecs);
        }
        return this.cachedToken;
    }
}
