package com.google.auth.credentialaccessboundary;

import com.google.api.client.util.Clock;
import com.google.auth.credentialaccessboundary.protobuf.ClientSideAccessBoundaryProto;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2Credentials;
import com.google.auth.oauth2.OAuth2Utils;
import com.google.auth.oauth2.StsRequestHandler;
import com.google.auth.oauth2.StsTokenExchangeRequest;
import com.google.auth.oauth2.StsTokenExchangeResponse;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.util.concurrent.AbstractFuture;
import com.google.common.util.concurrent.FutureCallback;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import com.google.common.util.concurrent.ListenableFutureTask;
import com.google.common.util.concurrent.MoreExecutors;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.RegistryConfiguration;
import com.google.crypto.tink.TinkProtoKeysetFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import dev.cel.common.CelOptions;
import dev.cel.common.CelProtoAbstractSyntaxTree;
import dev.cel.common.CelValidationException;
import dev.cel.compiler.CelCompiler;
import dev.cel.compiler.CelCompilerFactory;
import dev.cel.expr.Expr;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.concurrent.ExecutionException;
import javax.annotation.Nullable;

/* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.class */
public class ClientSideCredentialAccessBoundaryFactory {
    static final Duration DEFAULT_REFRESH_MARGIN = Duration.ofMinutes(45);
    static final Duration DEFAULT_MINIMUM_TOKEN_LIFETIME = Duration.ofMinutes(30);
    private final GoogleCredentials sourceCredential;
    private final transient HttpTransportFactory transportFactory;
    private final String tokenExchangeEndpoint;
    private final Duration minimumTokenLifetime;
    private final Duration refreshMargin;
    private RefreshTask refreshTask;
    private final Object refreshLock;
    private IntermediateCredentials intermediateCredentials;
    private final Clock clock;
    private final CelCompiler celCompiler;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory$1, reason: invalid class name */
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType = new int[RefreshType.values().length];

        static {
            try {
                $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[RefreshType.BLOCKING.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[RefreshType.ASYNC.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory$Builder.class */
    public static class Builder {
        private GoogleCredentials sourceCredential;
        private HttpTransportFactory transportFactory;
        private String universeDomain;
        private String tokenExchangeEndpoint;
        private Duration minimumTokenLifetime;
        private Duration refreshMargin;
        private Clock clock;

        private Builder() {
            this.clock = Clock.SYSTEM;
        }

        @CanIgnoreReturnValue
        public Builder setSourceCredential(GoogleCredentials googleCredentials) {
            Preconditions.checkNotNull(googleCredentials, "Source credential must not be null.");
            this.sourceCredential = googleCredentials;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setMinimumTokenLifetime(Duration duration) {
            Preconditions.checkNotNull(duration, "Minimum token lifetime must not be null.");
            if (duration.isNegative() || duration.isZero()) {
                throw new IllegalArgumentException("Minimum token lifetime must be greater than zero.");
            }
            this.minimumTokenLifetime = duration;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setRefreshMargin(Duration duration) {
            Preconditions.checkNotNull(duration, "Refresh margin must not be null.");
            if (duration.isNegative() || duration.isZero()) {
                throw new IllegalArgumentException("Refresh margin must be greater than zero.");
            }
            this.refreshMargin = duration;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.transportFactory = httpTransportFactory;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setUniverseDomain(String str) {
            this.universeDomain = str;
            return this;
        }

        public Builder setClock(Clock clock) {
            this.clock = clock;
            return this;
        }

        public ClientSideCredentialAccessBoundaryFactory build() {
            Preconditions.checkNotNull(this.sourceCredential, "Source credential must not be null.");
            if (this.transportFactory == null) {
                this.transportFactory = (HttpTransportFactory) OAuth2Credentials.getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
            }
            if (Strings.isNullOrEmpty(this.universeDomain)) {
                this.universeDomain = "googleapis.com";
            }
            try {
                if (!this.universeDomain.equals(this.sourceCredential.getUniverseDomain())) {
                    throw new IllegalArgumentException("The client side access boundary credential's universe domain must be the same as the source credential.");
                }
                if (this.refreshMargin == null) {
                    this.refreshMargin = ClientSideCredentialAccessBoundaryFactory.DEFAULT_REFRESH_MARGIN;
                }
                if (this.minimumTokenLifetime == null) {
                    this.minimumTokenLifetime = ClientSideCredentialAccessBoundaryFactory.DEFAULT_MINIMUM_TOKEN_LIFETIME;
                }
                if (this.refreshMargin.compareTo(this.minimumTokenLifetime.plusMinutes(1L)) < 0) {
                    throw new IllegalArgumentException("Refresh margin must be at least one minute longer than the minimum token lifetime.");
                }
                this.tokenExchangeEndpoint = String.format("https://sts.%s/v1/token", this.universeDomain);
                return new ClientSideCredentialAccessBoundaryFactory(this, null);
            } catch (IOException e) {
                throw new IllegalStateException("Error occurred when attempting to retrieve source credential universe domain.", e);
            }
        }

        /* synthetic */ Builder(AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory$IntermediateCredentials.class */
    public static class IntermediateCredentials {
        private final AccessToken intermediateAccessToken;
        private final String accessBoundarySessionKey;

        IntermediateCredentials(AccessToken accessToken, String str) {
            this.intermediateAccessToken = accessToken;
            this.accessBoundarySessionKey = str;
        }

        String getAccessBoundarySessionKey() {
            return this.accessBoundarySessionKey;
        }

        AccessToken getIntermediateAccessToken() {
            return this.intermediateAccessToken;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory$RefreshTask.class */
    public class RefreshTask extends AbstractFuture<IntermediateCredentials> implements Runnable {
        private final ListenableFutureTask<IntermediateCredentials> task;
        final boolean isNew;

        RefreshTask(ListenableFutureTask<IntermediateCredentials> listenableFutureTask, boolean z) {
            this.task = listenableFutureTask;
            this.isNew = z;
            listenableFutureTask.addListener(() -> {
                try {
                    ClientSideCredentialAccessBoundaryFactory.this.finishRefreshTask(listenableFutureTask);
                } catch (ExecutionException e) {
                    setException(e.getCause());
                }
            }, MoreExecutors.directExecutor());
            Futures.addCallback(listenableFutureTask, new FutureCallback<IntermediateCredentials>() { // from class: com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory.RefreshTask.1
                public void onSuccess(IntermediateCredentials intermediateCredentials) {
                    RefreshTask.this.set(intermediateCredentials);
                }

                public void onFailure(@Nullable Throwable th) {
                    RefreshTask.this.setException(th != null ? th : new IOException("Refresh failed with null Throwable."));
                }
            }, MoreExecutors.directExecutor());
        }

        @Override // java.lang.Runnable
        public void run() {
            this.task.run();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory$RefreshType.class */
    public enum RefreshType {
        NONE,
        ASYNC,
        BLOCKING
    }

    private ClientSideCredentialAccessBoundaryFactory(Builder builder) {
        this.refreshLock = new byte[0];
        this.intermediateCredentials = null;
        this.transportFactory = builder.transportFactory;
        this.sourceCredential = builder.sourceCredential;
        this.tokenExchangeEndpoint = builder.tokenExchangeEndpoint;
        this.refreshMargin = builder.refreshMargin;
        this.minimumTokenLifetime = builder.minimumTokenLifetime;
        this.clock = builder.clock;
        try {
            AeadConfig.register();
            this.celCompiler = CelCompilerFactory.standardCelCompilerBuilder().setOptions(CelOptions.current().build()).build();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Error occurred when registering Tink", e);
        }
    }

    public AccessToken generateToken(CredentialAccessBoundary credentialAccessBoundary) throws IOException, CelValidationException, GeneralSecurityException {
        String tokenValue;
        Date expirationTime;
        String str;
        refreshCredentialsIfRequired();
        synchronized (this.refreshLock) {
            tokenValue = this.intermediateCredentials.intermediateAccessToken.getTokenValue();
            expirationTime = this.intermediateCredentials.intermediateAccessToken.getExpirationTime();
            str = this.intermediateCredentials.accessBoundarySessionKey;
        }
        return new AccessToken(tokenValue + "." + Base64.getUrlEncoder().encodeToString(encryptRestrictions(serializeCredentialAccessBoundary(credentialAccessBoundary), str)), expirationTime);
    }

    @VisibleForTesting
    void refreshCredentialsIfRequired() throws IOException {
        RefreshType determineRefreshType = determineRefreshType();
        if (determineRefreshType == RefreshType.NONE) {
            return;
        }
        RefreshTask orCreateRefreshTask = getOrCreateRefreshTask();
        switch (AnonymousClass1.$SwitchMap$com$google$auth$credentialaccessboundary$ClientSideCredentialAccessBoundaryFactory$RefreshType[determineRefreshType.ordinal()]) {
            case 1:
                if (orCreateRefreshTask.isNew) {
                    MoreExecutors.directExecutor().execute(orCreateRefreshTask.task);
                }
                try {
                    orCreateRefreshTask.task.get();
                    return;
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    throw new IOException("Interrupted while asynchronously refreshing the intermediate credentials", e);
                } catch (ExecutionException e2) {
                    Throwable cause = e2.getCause();
                    if (cause instanceof IOException) {
                        throw ((IOException) cause);
                    }
                    if (!(cause instanceof RuntimeException)) {
                        throw new IOException("Unexpected error refreshing intermediate credentials", cause);
                    }
                    throw ((RuntimeException) cause);
                }
            case ClientSideAccessBoundaryProto.ClientSideAccessBoundaryRule.AVAILABLE_PERMISSIONS_FIELD_NUMBER /* 2 */:
                if (orCreateRefreshTask.isNew) {
                    new Thread((Runnable) orCreateRefreshTask.task).start();
                    return;
                }
                return;
            default:
                throw new IllegalStateException("Unexpected refresh type: " + determineRefreshType);
        }
    }

    private RefreshType determineRefreshType() {
        synchronized (this.refreshLock) {
            if (this.intermediateCredentials == null || this.intermediateCredentials.intermediateAccessToken == null) {
                return RefreshType.BLOCKING;
            }
            Date expirationTime = this.intermediateCredentials.intermediateAccessToken.getExpirationTime();
            if (expirationTime == null) {
                return RefreshType.NONE;
            }
            Duration ofMillis = Duration.ofMillis(expirationTime.getTime() - this.clock.currentTimeMillis());
            return ofMillis.compareTo(this.minimumTokenLifetime) <= 0 ? RefreshType.BLOCKING : ofMillis.compareTo(this.refreshMargin) <= 0 ? RefreshType.ASYNC : RefreshType.NONE;
        }
    }

    private RefreshTask getOrCreateRefreshTask() {
        synchronized (this.refreshLock) {
            if (this.refreshTask != null) {
                return new RefreshTask(this.refreshTask.task, false);
            }
            this.refreshTask = new RefreshTask(ListenableFutureTask.create(this::fetchIntermediateCredentials), true);
            return this.refreshTask;
        }
    }

    @VisibleForTesting
    IntermediateCredentials fetchIntermediateCredentials() throws IOException {
        try {
            this.sourceCredential.refresh();
            AccessToken accessToken = this.sourceCredential.getAccessToken();
            if (accessToken == null || Strings.isNullOrEmpty(accessToken.getTokenValue())) {
                throw new IllegalStateException("The source credential does not have an access token.");
            }
            StsTokenExchangeResponse exchangeToken = StsRequestHandler.newBuilder(this.tokenExchangeEndpoint, StsTokenExchangeRequest.newBuilder(accessToken.getTokenValue(), "urn:ietf:params:oauth:token-type:access_token").setRequestTokenType("urn:ietf:params:oauth:token-type:access_boundary_intermediary_token").build(), this.transportFactory.create().createRequestFactory()).build().exchangeToken();
            return new IntermediateCredentials(getTokenFromResponse(exchangeToken, accessToken), exchangeToken.getAccessBoundarySessionKey());
        } catch (IOException e) {
            throw new IOException("Unable to refresh the provided source credential.", e);
        }
    }

    private static AccessToken getTokenFromResponse(StsTokenExchangeResponse stsTokenExchangeResponse, AccessToken accessToken) {
        AccessToken accessToken2 = stsTokenExchangeResponse.getAccessToken();
        return (accessToken2.getExpirationTime() != null || accessToken.getExpirationTime() == null) ? accessToken2 : new AccessToken(accessToken2.getTokenValue(), accessToken.getExpirationTime());
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Finally extract failed */
    public void finishRefreshTask(ListenableFuture<IntermediateCredentials> listenableFuture) throws ExecutionException {
        synchronized (this.refreshLock) {
            try {
                this.intermediateCredentials = (IntermediateCredentials) Futures.getDone(listenableFuture);
                if (this.refreshTask != null && this.refreshTask.task == listenableFuture) {
                    this.refreshTask = null;
                }
            } catch (Throwable th) {
                if (this.refreshTask != null && this.refreshTask.task == listenableFuture) {
                    this.refreshTask = null;
                }
                throw th;
            }
        }
    }

    @VisibleForTesting
    String getTokenExchangeEndpoint() {
        return this.tokenExchangeEndpoint;
    }

    @VisibleForTesting
    HttpTransportFactory getTransportFactory() {
        return this.transportFactory;
    }

    @VisibleForTesting
    Duration getRefreshMargin() {
        return this.refreshMargin;
    }

    @VisibleForTesting
    Duration getMinimumTokenLifetime() {
        return this.minimumTokenLifetime;
    }

    @VisibleForTesting
    byte[] serializeCredentialAccessBoundary(CredentialAccessBoundary credentialAccessBoundary) throws CelValidationException {
        List<CredentialAccessBoundary.AccessBoundaryRule> accessBoundaryRules = credentialAccessBoundary.getAccessBoundaryRules();
        ClientSideAccessBoundaryProto.ClientSideAccessBoundary.Builder newBuilder = ClientSideAccessBoundaryProto.ClientSideAccessBoundary.newBuilder();
        for (CredentialAccessBoundary.AccessBoundaryRule accessBoundaryRule : accessBoundaryRules) {
            ClientSideAccessBoundaryProto.ClientSideAccessBoundaryRule.Builder availableResource = newBuilder.addAccessBoundaryRulesBuilder().addAllAvailablePermissions(accessBoundaryRule.getAvailablePermissions()).setAvailableResource(accessBoundaryRule.getAvailableResource());
            if (accessBoundaryRule.getAvailabilityCondition() != null) {
                availableResource.setCompiledAvailabilityCondition(compileCel(accessBoundaryRule.getAvailabilityCondition().getExpression()));
            }
        }
        return newBuilder.m44build().toByteArray();
    }

    private Expr compileCel(String str) throws CelValidationException {
        return CelProtoAbstractSyntaxTree.fromCelAst(this.celCompiler.parse(str).getAst()).getExpr();
    }

    private byte[] encryptRestrictions(byte[] bArr, String str) throws GeneralSecurityException {
        try {
            return ((Aead) TinkProtoKeysetFormat.parseKeyset(Base64.getDecoder().decode(str), InsecureSecretKeyAccess.get()).getPrimitive(RegistryConfiguration.get(), Aead.class)).encrypt(bArr, new byte[0]);
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("Session key is not Base64 encoded", e);
        }
    }

    public static Builder newBuilder() {
        return new Builder(null);
    }

    /* synthetic */ ClientSideCredentialAccessBoundaryFactory(Builder builder, AnonymousClass1 anonymousClass1) {
        this(builder);
    }
}
