package org.eclipse.edc.gcp.iam;

import com.google.api.gax.rpc.ApiException;
import com.google.api.gax.rpc.StatusCode;
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest;
import com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import com.google.common.collect.ImmutableList;
import com.google.iam.admin.v1.CreateServiceAccountRequest;
import com.google.iam.admin.v1.ProjectName;
import com.google.iam.admin.v1.ServiceAccount;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.eclipse.edc.gcp.common.GcpAccessToken;
import org.eclipse.edc.gcp.common.GcpException;
import org.eclipse.edc.gcp.common.GcpServiceAccount;
import org.eclipse.edc.spi.monitor.Monitor;

/* loaded from: input_file:org/eclipse/edc/gcp/iam/IamServiceImpl.class */
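/**
 * {@link IamService} backed by the Google Cloud IAM admin API (service account
 * lifecycle) and the IAM Credentials API (short-lived access tokens).
 *
 * <p>A fresh client is obtained from the configured supplier for every call and
 * closed before the call returns, on both the success and the failure path.
 * Failures are surfaced as {@link GcpException} with the originating exception
 * attached as cause.
 */
public class IamServiceImpl implements IamService {
    /**
     * OAuth scope requested for generated tokens. {@code cloud-platform} is the
     * broad scope covering all Google Cloud APIs; the token's blast radius is
     * bounded by the service account's IAM bindings and by {@link #ONE_HOUR_IN_S}.
     */
    private static final ImmutableList<String> OAUTH_SCOPE = ImmutableList.of("https://www.googleapis.com/auth/cloud-platform");
    /** Requested lifetime of generated access tokens, in seconds. */
    private static final long ONE_HOUR_IN_S = TimeUnit.HOURS.toSeconds(1);
    /** Email form of a service account: {@code <accountId>@<projectId>.iam.gserviceaccount.com}. */
    private static final String SERVICE_ACCOUNT_EMAIL_FORMAT = "%s@%s.iam.gserviceaccount.com";

    private final String gcpProjectId;
    private final Supplier<IAMClient> iamClientSupplier;
    private final Supplier<IamCredentialsClient> iamCredentialsClientSupplier;
    private final Monitor monitor;

    /**
     * Builder for {@link IamServiceImpl}. Client suppliers are optional; when not
     * set, default suppliers that create clients from ambient credentials are used.
     */
    public static class Builder {
        private final String gcpProjectId;
        private final Monitor monitor;
        private Supplier<IAMClient> iamClientSupplier;
        private Supplier<IamCredentialsClient> iamCredentialsClientSupplier;

        private Builder(Monitor monitor, String gcpProjectId) {
            this.gcpProjectId = gcpProjectId;
            this.monitor = monitor;
        }

        /**
         * Starts a new builder.
         *
         * @param monitor      EDC monitor used for logging
         * @param gcpProjectId project in which service accounts are managed
         * @return a new builder
         */
        public static Builder newInstance(Monitor monitor, String gcpProjectId) {
            return new Builder(monitor, gcpProjectId);
        }

        /**
         * Overrides the supplier of {@link IAMClient} instances (e.g. for tests).
         *
         * @param supplier supplier returning a client that the service will close
         * @return this builder
         */
        public Builder iamClientSupplier(Supplier<IAMClient> supplier) {
            this.iamClientSupplier = supplier;
            return this;
        }

        /**
         * Overrides the supplier of {@link IamCredentialsClient} instances (e.g. for tests).
         *
         * @param supplier supplier returning a client that the service will close
         * @return this builder
         */
        public Builder iamCredentialsClientSupplier(Supplier<IamCredentialsClient> supplier) {
            this.iamCredentialsClientSupplier = supplier;
            return this;
        }

        /**
         * Builds the service, filling in default client suppliers where none were set.
         *
         * @return the configured service
         * @throws NullPointerException if {@code gcpProjectId} or {@code monitor} is null
         */
        public IamServiceImpl build() {
            Objects.requireNonNull(gcpProjectId, "gcpProjectId");
            Objects.requireNonNull(monitor, "monitor");
            Supplier<IAMClient> iamSupplier =
                    iamClientSupplier != null ? iamClientSupplier : defaultIamClientSupplier();
            Supplier<IamCredentialsClient> credentialsSupplier =
                    iamCredentialsClientSupplier != null ? iamCredentialsClientSupplier : defaultIamCredentialsClientSupplier();
            return new IamServiceImpl(monitor, gcpProjectId, iamSupplier, credentialsSupplier);
        }

        /** Supplier creating an {@link IAMClient} from ambient credentials; wraps the checked {@link IOException}. */
        private Supplier<IAMClient> defaultIamClientSupplier() {
            return () -> {
                try {
                    return IAMClient.create();
                } catch (IOException e) {
                    throw new GcpException("Error while creating IAMClient", e);
                }
            };
        }

        /** Supplier creating an {@link IamCredentialsClient} from ambient credentials; wraps the checked {@link IOException}. */
        private Supplier<IamCredentialsClient> defaultIamCredentialsClientSupplier() {
            return () -> {
                try {
                    return IamCredentialsClient.create();
                } catch (IOException e) {
                    throw new GcpException("Error while creating IamCredentialsClient", e);
                }
            };
        }
    }

    private IamServiceImpl(Monitor monitor, String gcpProjectId, Supplier<IAMClient> iamClientSupplier,
                           Supplier<IamCredentialsClient> iamCredentialsClientSupplier) {
        this.monitor = monitor;
        this.gcpProjectId = gcpProjectId;
        this.iamClientSupplier = iamClientSupplier;
        this.iamCredentialsClientSupplier = iamCredentialsClientSupplier;
    }

    /**
     * Creates a service account in the configured project, or returns the existing
     * one when an account with that id already exists and carries the same description.
     *
     * @param serviceAccountName account id, also used as display name
     * @param description        description stored on the account and compared on collision
     * @return the created or existing service account
     * @throws GcpException if creation fails for a reason other than the account already
     *                      existing, or if an existing account has a different description
     */
    @Override
    public GcpServiceAccount getOrCreateServiceAccount(String serviceAccountName, String description) {
        CreateServiceAccountRequest request = CreateServiceAccountRequest.newBuilder()
                .setName(ProjectName.of(gcpProjectId).toString())
                .setAccountId(serviceAccountName)
                .setServiceAccount(ServiceAccount.newBuilder()
                        .setDisplayName(serviceAccountName)
                        .setDescription(description)
                        .build())
                .build();
        // try-with-resources closes the client on every path, including the ApiException path below.
        try (IAMClient client = iamClientSupplier.get()) {
            ServiceAccount created = client.createServiceAccount(request);
            monitor.debug("Created service account: " + created.getEmail());
            return new GcpServiceAccount(created.getEmail(), created.getName(), description);
        } catch (ApiException e) {
            if (e.getStatusCode().getCode() == StatusCode.Code.ALREADY_EXISTS) {
                return getServiceAccount(serviceAccountName, description);
            }
            monitor.severe("Unable to create service account", e);
            throw new GcpException("Unable to create service account", e);
        }
    }

    /**
     * Looks up an existing service account by id and verifies that its description
     * matches; a mismatch means a differently-owned account shares the name.
     *
     * @param serviceAccountName account id
     * @param description        expected description
     * @return the existing service account
     * @throws GcpException if the stored description differs from {@code description}
     */
    private GcpServiceAccount getServiceAccount(String serviceAccountName, String description) {
        try (IAMClient client = iamClientSupplier.get()) {
            String resourceName = ServiceAccountName
                    .of(gcpProjectId, getServiceAccountEmail(serviceAccountName, gcpProjectId))
                    .toString();
            ServiceAccount existing = client.getServiceAccount(resourceName);
            // Same name but different description: refuse rather than silently reuse another process's account.
            if (!existing.getDescription().equals(description)) {
                String message = "A service account with the same name but different description existed already. Please ensure a unique name is used for every transfer process";
                monitor.severe(message);
                throw new GcpException(message);
            }
            return new GcpServiceAccount(existing.getEmail(), existing.getName(), existing.getDescription());
        }
    }

    /**
     * Mints a short-lived (one hour) access token for the given service account
     * via the IAM Credentials API.
     *
     * @param gcpServiceAccount account to impersonate
     * @return the access token and its expiry as epoch milliseconds
     * @throws GcpException if the client cannot be obtained or token generation fails
     */
    @Override
    public GcpAccessToken createAccessToken(GcpServiceAccount gcpServiceAccount) {
        try (IamCredentialsClient client = iamCredentialsClientSupplier.get()) {
            // "-" is the wildcard project placeholder accepted by the IAM Credentials API for the
            // service account resource name, so only the email has to be known here.
            ServiceAccountName accountName = ServiceAccountName.of("-", gcpServiceAccount.getEmail());
            GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
                    .setName(accountName.toString())
                    .addAllScope(OAUTH_SCOPE)
                    .setLifetime(Duration.newBuilder().setSeconds(ONE_HOUR_IN_S).build())
                    .build();
            GenerateAccessTokenResponse response = client.generateAccessToken(request);
            monitor.debug("Created access token for " + gcpServiceAccount.getEmail());
            // Expiry is a protobuf Timestamp; convert whole seconds to epoch millis (sub-second part dropped).
            long expiryMillis = response.getExpireTime().getSeconds() * 1000;
            return new GcpAccessToken(response.getAccessToken(), expiryMillis);
        } catch (Exception e) {
            // Preserve the original exception as cause instead of flattening it into the message.
            throw new GcpException("Error creating service account token", e);
        }
    }

    /**
     * Deletes the given service account; a NOT_FOUND response is logged and
     * otherwise ignored so the operation is idempotent.
     *
     * @param gcpServiceAccount account to delete
     * @throws GcpException if deletion fails for a reason other than NOT_FOUND
     */
    @Override
    public void deleteServiceAccountIfExists(GcpServiceAccount gcpServiceAccount) {
        try (IAMClient client = iamClientSupplier.get()) {
            client.deleteServiceAccount(ServiceAccountName.of(gcpProjectId, gcpServiceAccount.getEmail()).toString());
            monitor.debug("Deleted service account: " + gcpServiceAccount.getEmail());
        } catch (ApiException e) {
            if (e.getStatusCode().getCode() == StatusCode.Code.NOT_FOUND) {
                monitor.severe("Service account not found", e);
            } else {
                monitor.severe("Unable to delete service account", e);
                throw new GcpException(e);
            }
        }
    }

    /**
     * Builds the email address of a service account from its id and project.
     *
     * @param serviceAccountName account id
     * @param projectId          project the account lives in
     * @return {@code <serviceAccountName>@<projectId>.iam.gserviceaccount.com}
     */
    private String getServiceAccountEmail(String serviceAccountName, String projectId) {
        return String.format(SERVICE_ACCOUNT_EMAIL_FORMAT, serviceAccountName, projectId);
    }
}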
