package org.eclipse.edc.gcp.iam;

import com.google.api.gax.rpc.ApiException;
import com.google.api.gax.rpc.StatusCode;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest;
import com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import com.google.iam.admin.v1.ServiceAccount;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Collections;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.eclipse.edc.gcp.common.GcpAccessToken;
import org.eclipse.edc.gcp.common.GcpConfiguration;
import org.eclipse.edc.gcp.common.GcpException;
import org.eclipse.edc.gcp.common.GcpServiceAccount;
import org.eclipse.edc.spi.monitor.Monitor;

/* loaded from: input_file:org/eclipse/edc/gcp/iam/IamServiceImpl.class */
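/**
 * {@link IamService} implementation backed by the Google Cloud IAM admin and IAM credentials clients.
 *
 * <p>It resolves service accounts by name and mints short-lived OAuth2 access tokens, either by
 * impersonating a service account or by falling back to Application Default Credentials (ADC).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every token produced here carries the {@code cloud-platform} scope, so what the token can
 *       do is bounded only by the IAM roles bound to the underlying identity. Keep those role
 *       bindings least-privilege.</li>
 *   <li>Token values are bearer secrets. Only the service account e-mail is logged; never add the
 *       token value to a log or exception message.</li>
 * </ul>
 */
public class IamServiceImpl implements IamService {
    /** OAuth2 scope requested for every token created by this class. */
    private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
    /** Lifetime requested for impersonated tokens, in seconds. */
    private static final long ONE_HOUR_IN_S = TimeUnit.HOURS.toSeconds(1);

    private final Monitor monitor;
    private final GcpConfiguration gcpConfiguration;
    // The three collaborators below are filled in by Builder, which substitutes defaults for any left unset.
    private Supplier<IAMClient> iamClientSupplier;
    private Supplier<IamCredentialsClient> iamCredentialsClientSupplier;
    private AccessTokenProvider applicationDefaultCredentials;

    /**
     * {@link AccessTokenProvider} that obtains a token from Application Default Credentials.
     *
     * <p>Declared as a record: the decompiled form ({@code extends Record} plus hand-expanded
     * {@code ObjectMethods.bootstrap} calls) is not valid Java source, and the compiler generates
     * the same accessor, {@code equals}, {@code hashCode} and {@code toString}.
     */
    private record ApplicationDefaultCredentials(Monitor monitor) implements AccessTokenProvider {

        /**
         * Fetches (refreshing if needed) an ADC token scoped to {@code cloud-platform}.
         *
         * @return the token and its expiry in epoch milliseconds, or {@code null} when the
         *         credentials cannot be loaded or refreshed; callers must handle {@code null}
         */
        @Override
        public GcpAccessToken getAccessToken() {
            try {
                GoogleCredentials credentials =
                        GoogleCredentials.getApplicationDefault().createScoped(CLOUD_PLATFORM_SCOPE);
                credentials.refreshIfExpired();
                AccessToken token = credentials.getAccessToken();
                // NOTE(review): assumes the refreshed token carries an expiration time — confirm for
                // every credential type this deployment can resolve through ADC.
                return new GcpAccessToken(token.getTokenValue(), token.getExpirationTime().getTime());
            } catch (IOException e) {
                // Failure is reported through the monitor and signalled with null rather than thrown.
                monitor.severe("Cannot get application default access token", e);
                return null;
            }
        }
    }

    /** Builder for {@link IamServiceImpl}; unset collaborators get production defaults in {@link #build()}. */
    public static class Builder {
        private final IamServiceImpl iamServiceImpl;

        private Builder(Monitor monitor, GcpConfiguration gcpConfiguration) {
            this.iamServiceImpl = new IamServiceImpl(monitor, gcpConfiguration);
        }

        /**
         * Starts a builder for a service using the given monitor and configuration.
         *
         * @param monitor          logging sink; must be non-null by the time {@link #build()} runs
         * @param gcpConfiguration source of the project id and default service account name; must be
         *                         non-null by the time {@link #build()} runs
         * @return a new builder
         */
        public static Builder newInstance(Monitor monitor, GcpConfiguration gcpConfiguration) {
            return new Builder(monitor, gcpConfiguration);
        }

        /** Overrides how the IAM admin client is created (for example to inject a test double). */
        public Builder iamClientSupplier(Supplier<IAMClient> supplier) {
            this.iamServiceImpl.iamClientSupplier = supplier;
            return this;
        }

        /** Overrides how the IAM credentials client is created. */
        public Builder iamCredentialsClientSupplier(Supplier<IamCredentialsClient> supplier) {
            this.iamServiceImpl.iamCredentialsClientSupplier = supplier;
            return this;
        }

        /** Overrides the provider used when the ADC service account is requested. */
        public Builder applicationDefaultCredentials(AccessTokenProvider accessTokenProvider) {
            this.iamServiceImpl.applicationDefaultCredentials = accessTokenProvider;
            return this;
        }

        /**
         * Validates the mandatory fields, fills in default collaborators and returns the service.
         *
         * @return the configured service (the same instance on every call of this builder)
         * @throws NullPointerException if the monitor or the configuration is {@code null}
         */
        public IamServiceImpl build() {
            Objects.requireNonNull(this.iamServiceImpl.gcpConfiguration, "gcpConfiguration");
            Objects.requireNonNull(this.iamServiceImpl.monitor, "monitor");
            if (this.iamServiceImpl.iamClientSupplier == null) {
                this.iamServiceImpl.iamClientSupplier = defaultIamClientSupplier();
            }
            if (this.iamServiceImpl.iamCredentialsClientSupplier == null) {
                this.iamServiceImpl.iamCredentialsClientSupplier = defaultIamCredentialsClientSupplier();
            }
            if (this.iamServiceImpl.applicationDefaultCredentials == null) {
                this.iamServiceImpl.applicationDefaultCredentials =
                        new ApplicationDefaultCredentials(this.iamServiceImpl.monitor);
            }
            return this.iamServiceImpl;
        }

        /** Supplier that creates a fresh {@link IAMClient} per call, wrapping I/O failures in {@link GcpException}. */
        private Supplier<IAMClient> defaultIamClientSupplier() {
            return () -> {
                try {
                    return IAMClient.create();
                } catch (IOException e) {
                    throw new GcpException("Error while creating IAMClient", e);
                }
            };
        }

        /** Supplier that creates a fresh {@link IamCredentialsClient} per call, wrapping I/O failures. */
        private Supplier<IamCredentialsClient> defaultIamCredentialsClientSupplier() {
            return () -> {
                try {
                    return IamCredentialsClient.create();
                } catch (IOException e) {
                    throw new GcpException("Error while creating IamCredentialsClient", e);
                }
            };
        }
    }

    private IamServiceImpl(Monitor monitor, GcpConfiguration gcpConfiguration) {
        this.monitor = monitor;
        this.gcpConfiguration = gcpConfiguration;
    }

    /**
     * Looks up a service account in the configured project.
     *
     * @param str short service account name; when {@code null} the name from the configuration is
     *            used, and when that is {@code null} too the ADC placeholder account is returned
     *            without any API call
     * @return the resolved account (e-mail, resource name, description)
     * @throws GcpException if the account does not exist or the IAM call fails
     */
    @Override
    public GcpServiceAccount getServiceAccount(String str) {
        String name = str != null ? str : this.gcpConfiguration.serviceAccountName();
        if (name == null) {
            return ADC_SERVICE_ACCOUNT;
        }
        String projectId = this.gcpConfiguration.projectId();
        String resourceName = ServiceAccountName.of(projectId, getServiceAccountEmail(name, projectId)).toString();
        // try-with-resources closes the client on the failure path as well; the decompiled form
        // only closed it after a successful lookup and leaked it whenever the call threw.
        try (IAMClient client = this.iamClientSupplier.get()) {
            ServiceAccount found = client.getServiceAccount(resourceName);
            return new GcpServiceAccount(found.getEmail(), found.getName(), found.getDescription());
        } catch (ApiException e) {
            if (e.getStatusCode().getCode() == StatusCode.Code.NOT_FOUND) {
                this.monitor.severe("Service account '" + name + "'not found", e);
                throw new GcpException("Service account '" + name + "'not found", e);
            }
            this.monitor.severe("Unable to get service account '" + name + "'", e);
            throw new GcpException("Unable to get service account '" + name + "'", e);
        }
    }

    /**
     * Creates an access token for the given service account.
     *
     * <p>For the ADC placeholder account the token comes from the application default credentials
     * provider (which may return {@code null}). For any other account a one-hour token with the
     * {@code cloud-platform} scope is generated through the IAM credentials API, which requires the
     * calling identity to be allowed to impersonate that account.
     *
     * @param gcpServiceAccount account to create the token for; must not be {@code null}
     * @return the token with its expiry in epoch milliseconds
     * @throws GcpException if token generation fails; the original exception is kept as the cause
     */
    @Override
    public GcpAccessToken createAccessToken(GcpServiceAccount gcpServiceAccount) {
        if (gcpServiceAccount.equals(ADC_SERVICE_ACCOUNT)) {
            return this.applicationDefaultCredentials.getAccessToken();
        }
        try (IamCredentialsClient client = this.iamCredentialsClientSupplier.get()) {
            // "-" is the project wildcard: the account is identified by its e-mail alone.
            ServiceAccountName target = ServiceAccountName.of("-", gcpServiceAccount.getEmail());
            GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
                    .setName(target.toString())
                    .addAllScope(Collections.singleton(CLOUD_PLATFORM_SCOPE))
                    .setLifetime(Duration.newBuilder().setSeconds(ONE_HOUR_IN_S).build())
                    .build();
            GenerateAccessTokenResponse response = client.generateAccessToken(request);
            // Log the identity only; the token value is a bearer secret and must stay out of logs.
            this.monitor.debug("Created access token for " + gcpServiceAccount.getEmail());
            return new GcpAccessToken(response.getAccessToken(), response.getExpireTime().getSeconds() * 1000);
        } catch (Exception e) {
            // Keep the cause so the stack trace of the underlying failure is not lost.
            throw new GcpException("Error creating service account token:\n" + e, e);
        }
    }

    /** Builds the conventional {@code <name>@<project>.iam.gserviceaccount.com} e-mail address. */
    private String getServiceAccountEmail(String str, String str2) {
        return String.format("%s@%s.iam.gserviceaccount.com", str, str2);
    }
}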
