package com.spotify.styx.client;

import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.RefreshTokenRequest;
import com.google.api.client.auth.oauth2.TokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleOAuthConstants;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.client.googleapis.util.Utils;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpExecuteInterceptor;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.UriTemplate;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.api.client.util.Base64;
import com.google.api.client.util.StringUtils;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.SignBlobRequest;
import com.google.api.services.oauth2.Oauth2;
import com.google.api.services.oauth2.Oauth2Scopes;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.UserCredentials;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/styx/client/GoogleIdTokenAuth.class */
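/**
 * Obtains Google OpenID Connect ID tokens for a caller-supplied audience.
 *
 * <p>The acquisition strategy is chosen by the concrete {@link GoogleCredentials} type:
 * <ul>
 *   <li>{@link ServiceAccountCredentials}: a JWT assertion is signed locally with the key from the
 *       credential and exchanged at the credential's token server.</li>
 *   <li>{@link UserCredentials}: a refresh-token grant against the token server; the {@code audience}
 *       argument is not used on this path.</li>
 *   <li>{@link ComputeEngineCredentials}: the GCE metadata server identity endpoint.</li>
 *   <li>{@link ImpersonatedCredentials}: IAM {@code signBlob} on the target principal, then a
 *       JWT-bearer exchange.</li>
 *   <li>anything else: the principal email is looked up via the OAuth2 {@code tokeninfo} endpoint
 *       and, if it is a service account, the IAM {@code signBlob} path is used.</li>
 * </ul>
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>Nothing here verifies the returned token. It is an opaque string meant to be presented to a
 *       server, which is the verifying party.</li>
 *   <li>On GCE the metadata host is read from the {@code GCE_METADATA_HOST} environment variable and
 *       contacted over plain HTTP, so the process environment is part of the trust boundary.</li>
 *   <li>The IAM {@code signBlob} path asks Google to sign on behalf of the looked-up service account;
 *       per the message raised on HTTP 403 this needs the Service Account Token Creator role.</li>
 *   <li>The user-credentials path transmits the refresh token and OAuth client secret to the token
 *       server; the {@code tokeninfo} lookup transmits the access token to Google.</li>
 * </ul>
 *
 * <p>Instances are immutable; thread-safety otherwise depends on the injected transport and
 * credentials (not established here).
 */
class GoogleIdTokenAuth {

    private static final Logger log = LoggerFactory.getLogger(GoogleIdTokenAuth.class);
    private static final JsonFactory JSON_FACTORY = Utils.getDefaultJsonFactory();

    /** Link-local address of the GCE metadata server, used unless GCE_METADATA_HOST overrides it. */
    private static final String DEFAULT_GCE_METADATA_HOST = "169.254.169.254";
    private static final String GCE_METADATA_IDENTITY_PATH =
        "/computeMetadata/v1/instance/service-accounts/default/identity{?audience,format}";

    /** Only principals matching this are handed to IAM signBlob; user accounts are rejected. */
    private static final Pattern SERVICE_ACCOUNT_PATTERN = Pattern.compile("^.+\\.gserviceaccount\\.com$");

    private static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /** Lifetime (seconds) of the self-signed assertion sent to the token server. */
    private static final long ASSERTION_LIFETIME_SECONDS = 3600L;

    private final HttpTransport httpTransport;
    private final Optional<GoogleCredentials> credentials;

    private GoogleIdTokenAuth(HttpTransport httpTransport, Optional<GoogleCredentials> credentials) {
        this.httpTransport = Objects.requireNonNull(httpTransport, "httpTransport");
        this.credentials = Objects.requireNonNull(credentials, "credentials");
    }

    /**
     * Returns an ID token for {@code audience}, or {@link Optional#empty()} when this instance was
     * created without credentials (callers presumably proceed unauthenticated in that case).
     *
     * @param audience the intended audience of the ID token (ignored for user credentials)
     * @throws IOException if any token-server, IAM or metadata request fails
     * @throws GeneralSecurityException if local RS256 signing fails (service-account path)
     */
    public Optional<String> getToken(String audience) throws IOException, GeneralSecurityException {
        if (!credentials.isPresent()) {
            return Optional.empty();
        }
        return Optional.of(getToken(audience, credentials.get()));
    }

    /** Dispatches on the concrete credential type; see the class documentation for each strategy. */
    private String getToken(String audience, GoogleCredentials googleCredentials)
        throws IOException, GeneralSecurityException {
        if (googleCredentials instanceof ServiceAccountCredentials) {
            return getServiceAccountToken((ServiceAccountCredentials) googleCredentials, audience);
        }
        if (googleCredentials instanceof UserCredentials) {
            return getUserToken((UserCredentials) googleCredentials);
        }
        if (googleCredentials instanceof ComputeEngineCredentials) {
            return getDefaultGCEIdToken(audience);
        }
        if (googleCredentials instanceof ImpersonatedCredentials) {
            return getImpersonatedIdToken((ImpersonatedCredentials) googleCredentials, audience);
        }
        return getServiceAccountIdTokenUsingAccessToken(googleCredentials, audience);
    }

    /**
     * Fetches an ID token for the instance's default service account from the GCE metadata server.
     * The request goes over plain HTTP to a host taken from the environment (or the link-local default);
     * the {@code Metadata-Flavor: Google} header is required by the metadata server.
     */
    private String getDefaultGCEIdToken(String audience) throws IOException {
        final String metadataHost = System.getenv().getOrDefault("GCE_METADATA_HOST", DEFAULT_GCE_METADATA_HOST);
        final String url = UriTemplate.expand(
            "http://" + metadataHost + GCE_METADATA_IDENTITY_PATH,
            ImmutableMap.of("audience", audience, "format", "full"),
            false);
        final HttpHeaders headers = new HttpHeaders().set("Metadata-Flavor", "Google");
        return httpTransport.createRequestFactory()
            .buildGetRequest(new GenericUrl(url))
            .setHeaders(headers)
            .execute()
            .parseAsString();
    }

    /**
     * Service-account-key path: signs a JWT assertion locally with the credential's private key and
     * exchanges it at the credential's token server for an ID token. The private key does not leave
     * the process.
     */
    private String getServiceAccountToken(ServiceAccountCredentials serviceAccountCredentials, String audience)
        throws IOException, GeneralSecurityException {
        log.debug("Fetching service account id token for {}", serviceAccountCredentials.getAccount());
        final String tokenServerUri = serviceAccountCredentials.getTokenServerUri().toString();
        final String assertion = JsonWebSignature.signUsingRsaSha256(
            serviceAccountCredentials.getPrivateKey(),
            JSON_FACTORY,
            jwtHeader(),
            jwtPayload(audience, serviceAccountCredentials.getAccount(), tokenServerUri));
        final TokenRequest request = new TokenRequest(
            httpTransport,
            JSON_FACTORY,
            new GenericUrl(serviceAccountCredentials.getTokenServerUri()),
            JWT_BEARER_GRANT_TYPE);
        request.put("assertion", assertion);
        return (String) request.execute().get("id_token");
    }

    /** Impersonation path: the ID token is minted for the impersonated target principal via IAM signBlob. */
    private String getImpersonatedIdToken(ImpersonatedCredentials impersonatedCredentials, String audience)
        throws IOException {
        final String targetPrincipal = impersonatedCredentials.toBuilder().getTargetPrincipal();
        return getServiceAccountIdTokenUsingAccessToken(impersonatedCredentials, targetPrincipal, audience);
    }

    /**
     * Generic path: discovers the principal behind {@code googleCredentials} via the OAuth2 tokeninfo
     * endpoint (which receives the email-scoped access token) and, if it is a service account, mints an
     * ID token for it through IAM signBlob.
     *
     * @throws IOException if the email cannot be determined or the principal is not a service account
     */
    private String getServiceAccountIdTokenUsingAccessToken(GoogleCredentials googleCredentials, String audience)
        throws IOException {
        final GoogleCredentials emailScoped =
            withScopes(googleCredentials, ImmutableList.of(Oauth2Scopes.USERINFO_EMAIL));
        final Oauth2 oauth2 = new Oauth2.Builder(httpTransport, JSON_FACTORY, null).build();
        final String email = oauth2.tokeninfo()
            .setAccessToken(accessToken(emailScoped).getTokenValue())
            .execute()
            .getEmail();
        if (email == null) {
            throw new IOException("Unable to look up principal email, credentials missing email scope?");
        }
        if (!SERVICE_ACCOUNT_PATTERN.matcher(email).matches()) {
            throw new IOException("Principal is not a service account, unable to acquire id token: " + email);
        }
        return getServiceAccountIdTokenUsingAccessToken(googleCredentials, email, audience);
    }

    /**
     * Builds the JWT header and payload for {@code serviceAccount}, has the IAM API sign it on the
     * account's behalf (the caller never holds the key), and exchanges the assertion at Google's token
     * server for an ID token.
     *
     * @param serviceAccount email of the service account whose identity is asserted
     * @throws IOException on HTTP 403 from IAM with a hint about the missing role / disabled API;
     *     other response errors are rethrown unchanged
     */
    private String getServiceAccountIdTokenUsingAccessToken(
        GoogleCredentials googleCredentials, String serviceAccount, String audience) throws IOException {
        final JsonWebSignature.Header header = jwtHeader();
        final JsonWebToken.Payload payload =
            jwtPayload(audience, serviceAccount, GoogleOAuthConstants.TOKEN_SERVER_URL);
        final Iam iam = new Iam.Builder(
            httpTransport,
            JSON_FACTORY,
            new HttpCredentialsAdapter(withScopes(googleCredentials, IamScopes.all()))).build();
        // header.payload, base64url without padding, as for any JWS signing input
        final String signingInput = Base64.encodeBase64URLSafeString(JSON_FACTORY.toByteArray(header))
            + "." + Base64.encodeBase64URLSafeString(JSON_FACTORY.toByteArray(payload));
        try {
            final String signature = iam.projects().serviceAccounts()
                .signBlob(
                    "projects/-/serviceAccounts/" + serviceAccount,
                    new SignBlobRequest().encodeBytesToSign(StringUtils.getBytesUtf8(signingInput)))
                .execute()
                .getSignature();
            final String assertion = signingInput + "." + signature;
            final TokenRequest request = new TokenRequest(
                httpTransport,
                JSON_FACTORY,
                new GenericUrl(GoogleOAuthConstants.TOKEN_SERVER_URL),
                JWT_BEARER_GRANT_TYPE);
            request.put("assertion", assertion);
            return (String) request.execute().get("id_token");
        } catch (GoogleJsonResponseException e) {
            if (e.getStatusCode() == 403) {
                throw new IOException("Unable to sign request for id token, missing Service Account Token Creator role for self on " + serviceAccount + " or IAM api not enabled?", e);
            }
            throw e;
        }
    }

    /**
     * Assertion payload for the JWT-bearer grant. {@code target_audience} is the audience the resulting
     * ID token is requested for; {@code aud} is the token server the assertion is presented to.
     * The assertion is valid from now for {@link #ASSERTION_LIFETIME_SECONDS}.
     */
    private static JsonWebToken.Payload jwtPayload(String targetAudience, String issuer, String audience) {
        final JsonWebToken.Payload payload = new JsonWebToken.Payload();
        final long nowSeconds = System.currentTimeMillis() / 1000;
        payload.put("target_audience", targetAudience);
        payload.setIssuer(issuer);
        payload.setAudience(audience);
        payload.setIssuedAtTimeSeconds(nowSeconds);
        payload.setExpirationTimeSeconds(nowSeconds + ASSERTION_LIFETIME_SECONDS);
        return payload;
    }

    /** JWS header for the assertion: RS256, typ JWT. */
    private static JsonWebSignature.Header jwtHeader() {
        final JsonWebSignature.Header header = new JsonWebSignature.Header();
        header.setAlgorithm("RS256");
        header.setType("JWT");
        return header;
    }

    /**
     * User-credentials path: a refresh-token grant at the credential's token server. The refresh token
     * and the OAuth client id/secret are sent to that server. No audience is requested; the ID token's
     * audience is whatever the token server assigns (presumably the OAuth client id — not established here).
     */
    private String getUserToken(UserCredentials userCredentials) throws IOException {
        log.debug("Fetching user id token");
        final RefreshTokenRequest request = new RefreshTokenRequest(
            httpTransport,
            JSON_FACTORY,
            new GenericUrl(userCredentials.toBuilder().getTokenServerUri()),
            userCredentials.getRefreshToken());
        request.setClientAuthentication(
            new ClientParametersAuthentication(userCredentials.getClientId(), userCredentials.getClientSecret()));
        request.setRequestInitializer(new HttpCredentialsAdapter(userCredentials));
        return (String) request.execute().get("id_token");
    }

    /**
     * Returns the credential's access token, refreshing only when none is cached.
     *
     * <p>NOTE(review): a cached-but-expired token is returned as-is and would be rejected by tokeninfo.
     * If the auth library in use offers {@code refreshIfExpired()}, that would be the safer call here.
     */
    private static AccessToken accessToken(GoogleCredentials googleCredentials) throws IOException {
        if (googleCredentials.getAccessToken() == null) {
            googleCredentials.refresh();
        }
        return googleCredentials.getAccessToken();
    }

    /** Applies {@code scopes} only to credential types that require explicit scoping. */
    private static GoogleCredentials withScopes(GoogleCredentials googleCredentials, Collection<String> scopes) {
        if (!googleCredentials.createScopedRequired()) {
            return googleCredentials;
        }
        return googleCredentials.createScoped(scopes);
    }

    /**
     * Creates an instance backed by Application Default Credentials. If none can be loaded, the
     * instance has no credentials and {@link #getToken(String)} returns empty; the failure is logged
     * rather than silently discarded so an unexpectedly unauthenticated client can be diagnosed.
     */
    public static GoogleIdTokenAuth ofDefaultCredential() {
        try {
            return new GoogleIdTokenAuth(Utils.getDefaultTransport(), Optional.of(GoogleCredentials.getApplicationDefault()));
        } catch (IOException e) {
            // Deliberate best-effort fallback: no ADC means no id tokens, not a hard failure.
            log.debug("Could not load application default credentials; id tokens will not be available", e);
            return of(Optional.<GoogleCredentials>empty());
        }
    }

    public static GoogleIdTokenAuth of(Optional<GoogleCredentials> credentials) {
        return of(Utils.getDefaultTransport(), credentials);
    }

    public static GoogleIdTokenAuth of(GoogleCredentials googleCredentials) {
        return of(Utils.getDefaultTransport(), Optional.of(googleCredentials));
    }

    private static GoogleIdTokenAuth of(HttpTransport httpTransport, Optional<GoogleCredentials> credentials) {
        return new GoogleIdTokenAuth(httpTransport, credentials);
    }
}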
