package com.google.auth.credentialaccessboundary;

import com.google.api.client.http.HttpTransport;
import com.google.api.client.util.Clock;
import com.google.auth.TestUtils;
import com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory;
import com.google.auth.credentialaccessboundary.protobuf.ClientSideAccessBoundaryProto;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.MockStsTransport;
import com.google.auth.oauth2.MockTokenServerTransportFactory;
import com.google.auth.oauth2.OAuth2Utils;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.common.collect.ImmutableList;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.RegistryConfiguration;
import com.google.crypto.tink.TinkProtoKeysetFormat;
import dev.cel.common.CelValidationException;
import dev.cel.expr.Expr;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.util.Base64;
import java.util.concurrent.CountDownLatch;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
import org.mockito.Mockito;

@RunWith(JUnit4.class)
/* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.class */
public class ClientSideCredentialAccessBoundaryFactoryTest {
    private static final String SA_PRIVATE_KEY_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALX0PQoe1igW12ikv1bN/r9lN749y2ijmbc/mFHPyS3hNTyOCjDvBbXYbDhQJzWVUikh4mvGBA07qTj79Xc3yBDfKP2IeyYQIFe0t0zkd7R9Zdn98Y2rIQC47aAbDfubtkU1U72t4zL11kHvoa0/RuFZjncvlr42X7be7lYh4p3NAgMBAAECgYASk5wDw4Az2ZkmeuN6Fk/y9H+Lcb2pskJIXjrL533vrDWGOC48LrsThMQPv8cxBky8HFSEklPpkfTF95tpD43iVwJRB/GrCtGTw65IfJ4/tI09h6zGc4yqvIo1cHX/LQ+SxKLGyir/dQM925rGt/VojxY5ryJR7GLbCzxPnJm/oQJBANwOCO6D2hy1LQYJhXh7O+RLtA/tSnT1xyMQsGT+uUCMiKS2bSKx2wxo9k7h3OegNJIu1q6nZ6AbxDK8H3+d0dUCQQDTrPSXagBxzp8PecbaCHjzNRSQE2in81qYnrAFNB4o3DpHyMMY6s5ALLeHKscEWnqP8Ur6X4PvzZecCWU9BKAZAkAutLPknAuxSCsUOvUfS1i87ex77Ot+w6POp34pEX+UWb+u5iFn2cQacDTHLV1LtE80L8jVLSbrbrlH43H0DjU5AkEAgidhycxS86dxpEljnOMCw8CKoUBd5I880IUahEiUltk7OLJYS/Ts1wbn3kPOVX3wyJs8WBDtBkFrDHW2ezth2QJADj3e1YhMVdjJW5jqwlD/VNddGjgzyunmiZg0uOXsHXbytYmsA545S8KRQFaJKFXYYFo2kOjqOiC1T2cAzMDjCQ==\n-----END PRIVATE KEY-----\n";
    private MockStsTransportFactory mockStsTransportFactory;
    private static MockTokenServerTransportFactory mockTokenServerTransportFactory;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactoryTest$1, reason: invalid class name */
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType = new int[ClientSideCredentialAccessBoundaryFactory.RefreshType.values().length];

        static {
            try {
                $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[ClientSideCredentialAccessBoundaryFactory.RefreshType.NONE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[ClientSideCredentialAccessBoundaryFactory.RefreshType.ASYNC.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[ClientSideCredentialAccessBoundaryFactory.RefreshType.BLOCKING.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest$CabToken.class */
    public static class CabToken {
        String intermediateToken;
        String encryptedRestriction;

        CabToken(String str, String str2) {
            this.intermediateToken = str;
            this.encryptedRestriction = str2;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest$MockStsTransportFactory.class */
    public static class MockStsTransportFactory implements HttpTransportFactory {
        MockStsTransport transport = new MockStsTransport();

        MockStsTransportFactory() {
        }

        public HttpTransport create() {
            return this.transport;
        }
    }

    @Before
    public void setUp() {
        this.mockStsTransportFactory = new MockStsTransportFactory();
        this.mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        mockTokenServerTransportFactory = new MockTokenServerTransportFactory();
        mockTokenServerTransportFactory.transport.addServiceAccount("service-account@google.com", "accessToken");
    }

    @Test
    public void fetchIntermediateCredentials() throws Exception {
        ClientSideCredentialAccessBoundaryFactory.IntermediateCredentials fetchIntermediateCredentials = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(this.mockStsTransportFactory).build().fetchIntermediateCredentials();
        Assert.assertEquals("urn:ietf:params:oauth:token-type:access_boundary_intermediary_token", TestUtils.parseQuery(this.mockStsTransportFactory.transport.getRequest().getContentAsString()).get("requested_token_type"));
        Assert.assertEquals(this.mockStsTransportFactory.transport.getAccessBoundarySessionKey(), fetchIntermediateCredentials.getAccessBoundarySessionKey());
        Assert.assertEquals(this.mockStsTransportFactory.transport.getAccessToken(), fetchIntermediateCredentials.getIntermediateAccessToken().getTokenValue());
    }

    @Test
    public void fetchIntermediateCredentials_withCustomUniverseDomain() throws IOException {
        ClientSideCredentialAccessBoundaryFactory.newBuilder().setUniverseDomain("foobar").setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory).toBuilder().setUniverseDomain("foobar").build()).setHttpTransportFactory(this.mockStsTransportFactory).build().fetchIntermediateCredentials();
        Assert.assertEquals(this.mockStsTransportFactory.transport.getRequest().getUrl(), String.format("https://sts.%s/v1/token", "foobar"));
    }

    @Test
    public void fetchIntermediateCredentials_sourceCredentialCannotRefresh_throwsIOException() throws Exception {
        mockTokenServerTransportFactory.transport.setError(new IOException());
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(this.mockStsTransportFactory).build();
        build.getClass();
        Assert.assertEquals("Unable to refresh the provided source credential.", ((IOException) Assert.assertThrows(IOException.class, build::fetchIntermediateCredentials)).getMessage());
    }

    @Test
    public void fetchIntermediateCredentials_noExpiresInReturned_copiesSourceExpiration() throws Exception {
        this.mockStsTransportFactory.transport.setReturnExpiresIn(false);
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        AccessToken intermediateAccessToken = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setHttpTransportFactory(this.mockStsTransportFactory).build().fetchIntermediateCredentials().getIntermediateAccessToken();
        Assert.assertEquals(this.mockStsTransportFactory.transport.getAccessToken(), intermediateAccessToken.getTokenValue());
        AccessToken accessToken = serviceAccountSourceCredentials.getAccessToken();
        Assert.assertNotNull(accessToken);
        Assert.assertEquals(accessToken.getExpirationTime(), intermediateAccessToken.getExpirationTime());
    }

    @Test
    public void refreshCredentialsIfRequired_firstCallWillFetchIntermediateCredentials() throws IOException {
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(this.mockStsTransportFactory).build();
        Assert.assertEquals(0L, this.mockStsTransportFactory.transport.getRequestCount());
        build.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
    }

    @Test
    public void refreshCredentialsIfRequired_noRefreshNeeded() throws IOException {
        ClientSideCredentialAccessBoundaryFactory clientSideCredentialAccessBoundaryFactory = getClientSideCredentialAccessBoundaryFactory(ClientSideCredentialAccessBoundaryFactory.RefreshType.NONE);
        clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
        clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
    }

    @Test
    public void refreshCredentialsIfRequired_blockingSingleThread() throws IOException {
        ClientSideCredentialAccessBoundaryFactory clientSideCredentialAccessBoundaryFactory = getClientSideCredentialAccessBoundaryFactory(ClientSideCredentialAccessBoundaryFactory.RefreshType.BLOCKING);
        clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
        for (int i = 0; i < 3; i++) {
            clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        }
        Assert.assertEquals(1 + 3, this.mockStsTransportFactory.transport.getRequestCount());
    }

    @Test
    public void refreshCredentialsIfRequired_asyncSingleThread() throws IOException {
        ClientSideCredentialAccessBoundaryFactory clientSideCredentialAccessBoundaryFactory = getClientSideCredentialAccessBoundaryFactory(ClientSideCredentialAccessBoundaryFactory.RefreshType.ASYNC);
        clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
        for (int i = 0; i < 3; i++) {
            clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        }
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
        try {
            Thread.sleep(1000L);
            Assert.assertEquals(2L, this.mockStsTransportFactory.transport.getRequestCount());
        } catch (InterruptedException e) {
            throw new IOException(e);
        }
    }

    @Test
    public void refreshCredentialsIfRequired_blockingMultiThread() throws IOException, InterruptedException {
        ClientSideCredentialAccessBoundaryFactory clientSideCredentialAccessBoundaryFactory = getClientSideCredentialAccessBoundaryFactory(ClientSideCredentialAccessBoundaryFactory.RefreshType.BLOCKING);
        clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
        triggerConcurrentRefresh(clientSideCredentialAccessBoundaryFactory, 3);
        Assert.assertEquals(2L, this.mockStsTransportFactory.transport.getRequestCount());
    }

    @Test
    public void refreshCredentialsIfRequired_asyncMultiThread() throws IOException, InterruptedException {
        ClientSideCredentialAccessBoundaryFactory clientSideCredentialAccessBoundaryFactory = getClientSideCredentialAccessBoundaryFactory(ClientSideCredentialAccessBoundaryFactory.RefreshType.ASYNC);
        clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
        Assert.assertEquals(1L, this.mockStsTransportFactory.transport.getRequestCount());
        triggerConcurrentRefresh(clientSideCredentialAccessBoundaryFactory, 5);
        try {
            Thread.sleep(100L);
            Assert.assertEquals(2L, this.mockStsTransportFactory.transport.getRequestCount());
        } catch (InterruptedException e) {
            throw new IOException(e);
        }
    }

    @Test
    public void refreshCredentialsIfRequired_sourceCredentialCannotRefresh_throwsIOException() throws Exception {
        mockTokenServerTransportFactory.transport.setError(new IOException());
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(this.mockStsTransportFactory).build();
        build.getClass();
        Assert.assertEquals("Unable to refresh the provided source credential.", ((IOException) Assert.assertThrows(IOException.class, build::refreshCredentialsIfRequired)).getMessage());
    }

    @Test
    public void builder_noSourceCredential_throws() {
        Assert.assertEquals("Source credential must not be null.", ((NullPointerException) Assert.assertThrows(NullPointerException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY).build();
        })).getMessage());
    }

    @Test
    public void builder_minimumTokenLifetime_negative_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Minimum token lifetime must be greater than zero.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setMinimumTokenLifetime(Duration.ofMinutes(-1L));
        })).getMessage());
    }

    @Test
    public void builder_minimumTokenLifetime_zero_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Minimum token lifetime must be greater than zero.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setMinimumTokenLifetime(Duration.ZERO);
        })).getMessage());
    }

    @Test
    public void builder_refreshMargin_negative_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Refresh margin must be greater than zero.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setRefreshMargin(Duration.ofMinutes(-1L));
        })).getMessage());
    }

    @Test
    public void builder_refreshMargin_zero_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Refresh margin must be greater than zero.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setRefreshMargin(Duration.ZERO);
        })).getMessage());
    }

    @Test
    public void builder_setsCorrectDefaultValues() throws IOException {
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).build();
        Assert.assertEquals(OAuth2Utils.HTTP_TRANSPORT_FACTORY, build.getTransportFactory());
        Assert.assertEquals(String.format("https://sts.%s/v1/token", "googleapis.com"), build.getTokenExchangeEndpoint());
    }

    @Test
    public void builder_universeDomainMismatch_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("The client side access boundary credential's universe domain must be the same as the source credential.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setUniverseDomain("differentUniverseDomain").build();
        })).getMessage());
    }

    @Test
    public void builder_invalidRefreshMarginAndMinimumTokenLifetime_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Refresh margin must be at least one minute longer than the minimum token lifetime.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setRefreshMargin(Duration.ofMinutes(50L)).setMinimumTokenLifetime(Duration.ofMinutes(50L)).build();
        })).getMessage());
    }

    @Test
    public void builder_invalidRefreshMargin_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Refresh margin must be at least one minute longer than the minimum token lifetime.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setRefreshMargin(Duration.ofMinutes(25L)).build();
        })).getMessage());
    }

    @Test
    public void builder_invalidMinimumTokenLifetime_throws() throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        Assert.assertEquals("Refresh margin must be at least one minute longer than the minimum token lifetime.", ((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setMinimumTokenLifetime(Duration.ofMinutes(50L)).build();
        })).getMessage());
    }

    @Test
    public void builder_minimumTokenLifetimeNotSet_usesDefault() throws IOException {
        Assert.assertEquals(ClientSideCredentialAccessBoundaryFactory.DEFAULT_MINIMUM_TOKEN_LIFETIME, ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setRefreshMargin(Duration.ofMinutes(50L)).build().getMinimumTokenLifetime());
    }

    @Test
    public void builder_refreshMarginNotSet_usesDefault() throws IOException {
        Assert.assertEquals(ClientSideCredentialAccessBoundaryFactory.DEFAULT_REFRESH_MARGIN, ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setMinimumTokenLifetime(Duration.ofMinutes(20L)).build().getRefreshMargin());
    }

    private static GoogleCredentials getServiceAccountSourceCredentials(MockTokenServerTransportFactory mockTokenServerTransportFactory2) throws IOException {
        return ServiceAccountCredentials.newBuilder().setClientEmail("service-account@google.com").setPrivateKey(OAuth2Utils.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8)).setPrivateKeyId("privateKeyId").setProjectId("projectId").setHttpTransportFactory(mockTokenServerTransportFactory2).build().createScoped(new String[]{"https://www.googleapis.com/auth/cloud-platform"});
    }

    private ClientSideCredentialAccessBoundaryFactory getClientSideCredentialAccessBoundaryFactory(ClientSideCredentialAccessBoundaryFactory.RefreshType refreshType) throws IOException {
        GoogleCredentials serviceAccountSourceCredentials = getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
        return ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(serviceAccountSourceCredentials).setHttpTransportFactory(this.mockStsTransportFactory).setClock(createMockClock(refreshType, serviceAccountSourceCredentials)).build();
    }

    private Clock createMockClock(ClientSideCredentialAccessBoundaryFactory.RefreshType refreshType, GoogleCredentials googleCredentials) {
        long j;
        Clock clock = (Clock) Mockito.mock(Clock.class);
        long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
        long millis = ClientSideCredentialAccessBoundaryFactory.DEFAULT_REFRESH_MARGIN.toMillis();
        long millis2 = ClientSideCredentialAccessBoundaryFactory.DEFAULT_MINIMUM_TOKEN_LIFETIME.toMillis();
        long time = googleCredentials.getAccessToken() != null ? googleCredentials.getAccessToken().getExpirationTime().getTime() : currentTimeMillis + 3600000;
        switch (AnonymousClass1.$SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[refreshType.ordinal()]) {
            case 1:
                j = (time - millis) - 60000;
                break;
            case 2:
                j = (time - millis) + 60000;
                break;
            case 3:
                j = (time - millis2) + 60000;
                break;
            default:
                throw new IllegalArgumentException("Unexpected RefreshType: " + refreshType);
        }
        Mockito.when(Long.valueOf(clock.currentTimeMillis())).thenReturn(Long.valueOf(j));
        return clock;
    }

    private static void triggerConcurrentRefresh(ClientSideCredentialAccessBoundaryFactory clientSideCredentialAccessBoundaryFactory, int i) throws InterruptedException {
        Thread[] threadArr = new Thread[i];
        CountDownLatch countDownLatch = new CountDownLatch(i);
        for (int i2 = 0; i2 < i; i2++) {
            threadArr[i2] = new Thread(() -> {
                try {
                    countDownLatch.countDown();
                    countDownLatch.await();
                    clientSideCredentialAccessBoundaryFactory.refreshCredentialsIfRequired();
                } catch (IOException e) {
                    throw new RuntimeException(e);
                } catch (InterruptedException e2) {
                    Thread.currentThread().interrupt();
                }
            });
            threadArr[i2].start();
        }
        for (Thread thread : threadArr) {
            thread.join(5000L);
            if (thread.isAlive()) {
                thread.interrupt();
                throw new AssertionError("Thread running refreshCredentialsIfRequired timed out after 5000 milliseconds.");
            }
        }
    }

    private static CabToken parseCabToken(AccessToken accessToken) {
        String[] split = accessToken.getTokenValue().split("\\.");
        Assert.assertEquals(2L, split.length);
        return new CabToken(split[0], split[1]);
    }

    private static ClientSideAccessBoundaryProto.ClientSideAccessBoundary decryptRestriction(String str, String str2) throws Exception {
        return ClientSideAccessBoundaryProto.ClientSideAccessBoundary.parseFrom(((Aead) TinkProtoKeysetFormat.parseKeyset(Base64.getDecoder().decode(str2), InsecureSecretKeyAccess.get()).getPrimitive(RegistryConfiguration.get(), Aead.class)).decrypt(Base64.getUrlDecoder().decode(str), new byte[0]));
    }

    @Test
    public void generateToken_withAvailablityCondition_success() throws Exception {
        MockStsTransportFactory mockStsTransportFactory = new MockStsTransportFactory();
        mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        CabToken parseCabToken = parseCabToken(ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(mockStsTransportFactory).build().generateToken(CredentialAccessBoundary.newBuilder().addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("resource").setAvailablePermissions(ImmutableList.of("role1", "role2")).setAvailabilityCondition(CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression("a == b").build()).build()).build()));
        Assert.assertEquals("accessToken", parseCabToken.intermediateToken);
        ClientSideAccessBoundaryProto.ClientSideAccessBoundary decryptRestriction = decryptRestriction(parseCabToken.encryptedRestriction, mockStsTransportFactory.transport.getAccessBoundarySessionKey());
        Assert.assertEquals(1L, decryptRestriction.getAccessBoundaryRulesCount());
        ClientSideAccessBoundaryProto.ClientSideAccessBoundaryRule accessBoundaryRules = decryptRestriction.getAccessBoundaryRules(0);
        Assert.assertEquals("resource", accessBoundaryRules.getAvailableResource());
        Assert.assertEquals(ImmutableList.of("role1", "role2"), accessBoundaryRules.getAvailablePermissionsList());
        Expr compiledAvailabilityCondition = accessBoundaryRules.getCompiledAvailabilityCondition();
        Assert.assertEquals("_==_", compiledAvailabilityCondition.getCallExpr().getFunction());
        Assert.assertEquals("a", compiledAvailabilityCondition.getCallExpr().getArgs(0).getIdentExpr().getName());
        Assert.assertEquals("b", compiledAvailabilityCondition.getCallExpr().getArgs(1).getIdentExpr().getName());
    }

    @Test
    public void generateToken_withoutAvailabilityCondition_success() throws Exception {
        MockStsTransportFactory mockStsTransportFactory = new MockStsTransportFactory();
        mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        CabToken parseCabToken = parseCabToken(ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(mockStsTransportFactory).build().generateToken(CredentialAccessBoundary.newBuilder().addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("resource").setAvailablePermissions(ImmutableList.of("role")).build()).build()));
        Assert.assertEquals("accessToken", parseCabToken.intermediateToken);
        ClientSideAccessBoundaryProto.ClientSideAccessBoundary decryptRestriction = decryptRestriction(parseCabToken.encryptedRestriction, mockStsTransportFactory.transport.getAccessBoundarySessionKey());
        Assert.assertEquals(1L, decryptRestriction.getAccessBoundaryRulesCount());
        ClientSideAccessBoundaryProto.ClientSideAccessBoundaryRule accessBoundaryRules = decryptRestriction.getAccessBoundaryRules(0);
        Assert.assertEquals("resource", accessBoundaryRules.getAvailableResource());
        Assert.assertEquals(ImmutableList.of("role"), accessBoundaryRules.getAvailablePermissionsList());
        Assert.assertFalse(accessBoundaryRules.hasCompiledAvailabilityCondition());
    }

    @Test
    public void generateToken_withMultipleRules_success() throws Exception {
        MockStsTransportFactory mockStsTransportFactory = new MockStsTransportFactory();
        mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        CabToken parseCabToken = parseCabToken(ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(mockStsTransportFactory).build().generateToken(CredentialAccessBoundary.newBuilder().addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("resource1").setAvailablePermissions(ImmutableList.of("role1-1", "role1-2")).setAvailabilityCondition(CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression("a == b").build()).build()).addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("resource").setAvailablePermissions(ImmutableList.of("role2")).build()).build()));
        Assert.assertEquals("accessToken", parseCabToken.intermediateToken);
        ClientSideAccessBoundaryProto.ClientSideAccessBoundary decryptRestriction = decryptRestriction(parseCabToken.encryptedRestriction, mockStsTransportFactory.transport.getAccessBoundarySessionKey());
        Assert.assertEquals(2L, decryptRestriction.getAccessBoundaryRulesCount());
        ClientSideAccessBoundaryProto.ClientSideAccessBoundaryRule accessBoundaryRules = decryptRestriction.getAccessBoundaryRules(0);
        Assert.assertEquals("resource1", accessBoundaryRules.getAvailableResource());
        Assert.assertEquals(ImmutableList.of("role1-1", "role1-2"), accessBoundaryRules.getAvailablePermissionsList());
        Expr compiledAvailabilityCondition = accessBoundaryRules.getCompiledAvailabilityCondition();
        Assert.assertEquals("_==_", compiledAvailabilityCondition.getCallExpr().getFunction());
        Assert.assertEquals("a", compiledAvailabilityCondition.getCallExpr().getArgs(0).getIdentExpr().getName());
        Assert.assertEquals("b", compiledAvailabilityCondition.getCallExpr().getArgs(1).getIdentExpr().getName());
        ClientSideAccessBoundaryProto.ClientSideAccessBoundaryRule accessBoundaryRules2 = decryptRestriction.getAccessBoundaryRules(1);
        Assert.assertEquals("resource", accessBoundaryRules2.getAvailableResource());
        Assert.assertEquals(ImmutableList.of("role2"), accessBoundaryRules2.getAvailablePermissionsList());
        Assert.assertFalse(accessBoundaryRules2.hasCompiledAvailabilityCondition());
    }

    @Test
    public void generateToken_withInvalidAvailabilityCondition_failure() throws Exception {
        MockStsTransportFactory mockStsTransportFactory = new MockStsTransportFactory();
        mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(mockStsTransportFactory).build();
        CredentialAccessBoundary build2 = CredentialAccessBoundary.newBuilder().addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("//storage.googleapis.com/projects/_/buckets/example-bucket").setAvailablePermissions(ImmutableList.of("inRole:roles/storage.objectViewer")).setAvailabilityCondition(CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression("resource.name.startsWith('projects/_/buckets/example-bucket/objects/customer-a'").build()).build()).build();
        Assert.assertThrows(CelValidationException.class, () -> {
            build.generateToken(build2);
        });
    }

    @Test
    public void generateToken_withSessionKeyNotBase64Encoded_failure() throws Exception {
        MockStsTransportFactory mockStsTransportFactory = new MockStsTransportFactory();
        mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        mockStsTransportFactory.transport.setAccessBoundarySessionKey("invalid_key");
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(mockStsTransportFactory).build();
        CredentialAccessBoundary build2 = CredentialAccessBoundary.newBuilder().addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("//storage.googleapis.com/projects/_/buckets/example-bucket").setAvailablePermissions(ImmutableList.of("inRole:roles/storage.objectViewer")).setAvailabilityCondition(CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression("resource.name.startsWith('projects/_/buckets/example-bucket/objects/customer-a')").build()).build()).build();
        Assert.assertThrows(IllegalStateException.class, () -> {
            build.generateToken(build2);
        });
    }

    @Test
    public void generateToken_withMalformSessionKey_failure() throws Exception {
        MockStsTransportFactory mockStsTransportFactory = new MockStsTransportFactory();
        mockStsTransportFactory.transport.setReturnAccessBoundarySessionKey(true);
        mockStsTransportFactory.transport.setAccessBoundarySessionKey("aW52YWxpZF9rZXk=");
        ClientSideCredentialAccessBoundaryFactory build = ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(getServiceAccountSourceCredentials(mockTokenServerTransportFactory)).setHttpTransportFactory(mockStsTransportFactory).build();
        CredentialAccessBoundary build2 = CredentialAccessBoundary.newBuilder().addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource("//storage.googleapis.com/projects/_/buckets/example-bucket").setAvailablePermissions(ImmutableList.of("inRole:roles/storage.objectViewer")).setAvailabilityCondition(CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression("resource.name.startsWith('projects/_/buckets/example-bucket/objects/customer-a')").build()).build()).build();
        Assert.assertThrows(GeneralSecurityException.class, () -> {
            build.generateToken(build2);
        });
    }
}
