package com.spotify.styx.api;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.services.cloudresourcemanager.CloudResourceManager;
import com.google.api.services.cloudresourcemanager.model.Ancestor;
import com.google.api.services.cloudresourcemanager.model.GetAncestryRequest;
import com.google.api.services.cloudresourcemanager.model.GetAncestryResponse;
import com.google.api.services.cloudresourcemanager.model.ListProjectsResponse;
import com.google.api.services.cloudresourcemanager.model.Project;
import com.google.api.services.cloudresourcemanager.model.ResourceId;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.model.ServiceAccount;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/styx/api/Authenticator.class */
public class Authenticator {
    private static final Logger logger = LoggerFactory.getLogger(Authenticator.class);
    private static final Pattern SERVICE_ACCOUNT_PATTERN = Pattern.compile("^.+\\.gserviceaccount\\.com$");
    private static final Pattern USER_CREATED_SERVICE_ACCOUNT_PATTERN = Pattern.compile("^.+@(.+)\\.iam\\.gserviceaccount\\.com$");
    private static final long VALIDATED_EMAIL_CACHE_SIZE = 1000;
    private final GoogleIdTokenVerifier googleIdTokenVerifier;
    private final CloudResourceManager cloudResourceManager;
    private final Iam iam;
    private final Set<String> domainWhitelist;
    private final Set<ResourceId> resourceWhitelist;
    private final Set<ResourceId> resourceCache = Sets.newConcurrentHashSet();
    private final Cache<String, String> validatedEmailCache = CacheBuilder.newBuilder().maximumSize(VALIDATED_EMAIL_CACHE_SIZE).build();

    /* JADX INFO: Access modifiers changed from: package-private */
    public Authenticator(GoogleIdTokenVerifier googleIdTokenVerifier, CloudResourceManager cloudResourceManager, Iam iam, AuthenticatorConfiguration authenticatorConfiguration) {
        this.googleIdTokenVerifier = (GoogleIdTokenVerifier) Objects.requireNonNull(googleIdTokenVerifier, "googleIdTokenVerifier");
        this.cloudResourceManager = (CloudResourceManager) Objects.requireNonNull(cloudResourceManager, "cloudResourceManager");
        this.iam = (Iam) Objects.requireNonNull(iam, "iam");
        this.domainWhitelist = authenticatorConfiguration.domainWhitelist();
        this.resourceWhitelist = authenticatorConfiguration.resourceWhitelist();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void cacheResources() throws IOException {
        ListProjectsResponse listProjectsResponse;
        CloudResourceManager.Projects.List list = this.cloudResourceManager.projects().list();
        do {
            listProjectsResponse = (ListProjectsResponse) list.execute();
            if (listProjectsResponse.getProjects() != null) {
                for (Project project : listProjectsResponse.getProjects()) {
                    logger.info("Resolved project: {}, access={}", project.getProjectId(), Boolean.valueOf(resolveProject(project)));
                }
                list.setPageToken(listProjectsResponse.getNextPageToken());
            }
        } while (listProjectsResponse.getNextPageToken() != null);
        logger.info("Resource cache loaded");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public GoogleIdToken authenticate(String str) {
        try {
            GoogleIdToken verifyIdToken = verifyIdToken(str);
            if (verifyIdToken == null) {
                return null;
            }
            String email = verifyIdToken.getPayload().getEmail();
            if (email == null) {
                logger.debug("No email in id token");
                return null;
            }
            String domain = getDomain(email);
            if (domain == null) {
                logger.warn("Invalid email address {}", email);
                return null;
            }
            if (this.domainWhitelist.contains(domain)) {
                logger.debug("Domain {} in whitelist", domain);
                return verifyIdToken;
            }
            if (this.validatedEmailCache.getIfPresent(email) != null) {
                return verifyIdToken;
            }
            if (!SERVICE_ACCOUNT_PATTERN.matcher(email).matches()) {
                return null;
            }
            try {
                String checkServiceAccountProject = checkServiceAccountProject(email);
                if (checkServiceAccountProject == null) {
                    return null;
                }
                this.validatedEmailCache.put(email, checkServiceAccountProject);
                return verifyIdToken;
            } catch (IOException e) {
                logger.info("Cannot authenticate {}", email);
                return null;
            }
        } catch (IOException e2) {
            logger.warn("Failed to verify token");
            return null;
        }
    }

    @VisibleForTesting
    void clearResourceCache() {
        this.resourceCache.clear();
    }

    private boolean isWhitelisted(ResourceId resourceId) {
        return this.resourceWhitelist.contains(resourceId) || this.resourceCache.contains(resourceId);
    }

    @VisibleForTesting
    static ResourceId resourceId(String str, String str2) {
        return new ResourceId().setType(str).setId(str2);
    }

    @VisibleForTesting
    static ResourceId resourceId(Project project) {
        return resourceId("project", project.getProjectId());
    }

    private GoogleIdToken verifyIdToken(String str) throws IOException {
        try {
            return this.googleIdTokenVerifier.verify(str);
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    private String checkServiceAccountProject(String str) throws IOException {
        String str2 = null;
        Matcher matcher = USER_CREATED_SERVICE_ACCOUNT_PATTERN.matcher(str);
        if (matcher.matches()) {
            str2 = matcher.group(1);
        }
        if (str2 == null) {
            logger.debug("Email {} doesn't contain project id, looking up its project", str);
            str2 = getProjectIdOfServiceAccount(str);
        }
        if (str2 == null) {
            return null;
        }
        if (isWhitelisted(resourceId("project", str2))) {
            logger.debug("Hit cache for project id {}", str2);
            return str2;
        }
        if (resolveProjectAccess(str2)) {
            return str2;
        }
        return null;
    }

    private String getProjectIdOfServiceAccount(String str) throws IOException {
        try {
            return ((ServiceAccount) this.iam.projects().serviceAccounts().get("projects/-/serviceAccounts/" + str).execute()).getProjectId();
        } catch (GoogleJsonResponseException e) {
            if (e.getStatusCode() == 404) {
                logger.debug("Service account {} doesn't exist", str, e);
                return null;
            }
            logger.info("Cannot get project id for service account {}", str, e);
            return null;
        }
    }

    private boolean resolveProjectAccess(String str) throws IOException {
        try {
            return resolveAccess(((GetAncestryResponse) this.cloudResourceManager.projects().getAncestry(str, new GetAncestryRequest()).execute()).getAncestor());
        } catch (GoogleJsonResponseException e) {
            if (e.getStatusCode() == 404) {
                logger.debug("Project {} doesn't exist", str, e);
                return false;
            }
            logger.info("Cannot get project with id {}", str, e);
            return false;
        }
    }

    private boolean resolveProject(Project project) throws IOException {
        if (isWhitelisted(resourceId(project))) {
            return true;
        }
        if (project.getParent() == null || !isWhitelisted(project.getParent())) {
            return resolveProjectAccess(project.getProjectId());
        }
        return true;
    }

    private boolean resolveAccess(List<Ancestor> list) {
        for (int i = 0; i < list.size(); i++) {
            Ancestor ancestor = list.get(i);
            if (isWhitelisted(ancestor.getResourceId())) {
                for (Ancestor ancestor2 : list.subList(0, i)) {
                    if (this.resourceCache.add(ancestor2.getResourceId())) {
                        logger.debug("Whitelist cached {}/{}, descendant of {}/{}", new Object[]{ancestor2.getResourceId().getType(), ancestor2.getResourceId().getId(), ancestor.getResourceId().getType(), ancestor.getResourceId().getId()});
                    }
                }
                return true;
            }
        }
        return false;
    }

    private static String getDomain(String str) {
        int indexOf = str.indexOf(64);
        if (indexOf == -1) {
            return null;
        }
        return str.substring(indexOf + 1);
    }
}
