package com.google.auth.oauth2;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.gson.GsonFactory;
import com.google.auth.Credentials;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import java.io.IOException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:com/google/auth/oauth2/ITDownscopingTest.class */
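/**
 * Integration test for downscoped credentials (Credential Access Boundaries) against Cloud
 * Storage.
 *
 * <p>The test builds a credential whose access boundary is limited to one bucket, one role and an
 * object-name condition, then checks both sides of that boundary: the permitted object can be
 * read, and a second object in the same bucket is refused with HTTP 403.
 *
 * <p>It needs Application Default Credentials and network access to the live bucket named in
 * {@link #GCS_BUCKET_NAME}.
 */
class ITDownscopingTest {
    private static final String GCS_OBJECT_NAME_WITHOUT_PERMISSION = "cab-second-cbi3qrv5.txt";
    private static final String GCS_BUCKET_NAME = "cab-int-bucket-cbi3qrv5";
    private static final String GCS_OBJECT_NAME_WITH_PERMISSION = "cab-first-cbi3qrv5.txt";

    /**
     * Boundary applied to the source credential: the single bucket above, the
     * {@code roles/storage.objectViewer} role, and an availability condition on the object name.
     *
     * <p>NOTE(review): the condition is a {@code startsWith} match, so it admits every object
     * whose name begins with the permitted object name, not only that exact object. The negative
     * case below uses a name that does not share the prefix, so this test does not exercise that
     * edge. Use an exact comparison where a boundary must cover exactly one object.
     */
    private static final CredentialAccessBoundary CREDENTIAL_ACCESS_BOUNDARY =
            CredentialAccessBoundary.newBuilder()
                    .addRule(
                            CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
                                    .setAvailableResource(
                                            String.format(
                                                    "//storage.googleapis.com/projects/_/buckets/%s",
                                                    GCS_BUCKET_NAME))
                                    .addAvailablePermission("inRole:roles/storage.objectViewer")
                                    .setAvailabilityCondition(
                                            CredentialAccessBoundary.AccessBoundaryRule
                                                    .AvailabilityCondition.newBuilder()
                                                    .setExpression(
                                                            String.format(
                                                                    "resource.name.startsWith('projects/_/buckets/%s/objects/%s')",
                                                                    GCS_BUCKET_NAME,
                                                                    GCS_OBJECT_NAME_WITH_PERMISSION))
                                                    .build())
                                    .build())
                    .build();

    /**
     * Verifies that a downscoped token obtained through a refresh handler can read the permitted
     * object and is denied (HTTP 403) on an object outside the availability condition.
     *
     * @throws IOException if credentials cannot be loaded or the permitted read fails
     */
    @Test
    void downscoping_serviceAccountSourceWithRefresh() throws IOException {
        OAuth2CredentialsWithRefresh.OAuth2RefreshHandler refreshHandler =
                new OAuth2CredentialsWithRefresh.OAuth2RefreshHandler() {
                    @Override
                    public AccessToken refreshAccessToken() throws IOException {
                        // Every refresh reloads the source credential and exchanges it again, so
                        // the consumer below only ever holds the downscoped token.
                        GoogleCredentials sourceCredential =
                                GoogleCredentials.getApplicationDefault()
                                        .createScoped(
                                                new String[] {
                                                    "https://www.googleapis.com/auth/cloud-platform"
                                                });
                        return DownscopedCredentials.newBuilder()
                                .setSourceCredential(sourceCredential)
                                .setCredentialAccessBoundary(CREDENTIAL_ACCESS_BOUNDARY)
                                .build()
                                .refreshAccessToken();
                    }
                };
        OAuth2CredentialsWithRefresh credentials =
                OAuth2CredentialsWithRefresh.newBuilder().setRefreshHandler(refreshHandler).build();

        // Positive case: the object named in the availability condition is readable.
        retrieveObjectFromGcs(credentials, GCS_OBJECT_NAME_WITH_PERMISSION);

        // Negative case: the status code is checked as well as the exception type, so an
        // unrelated failure (for example a 404 or a 5xx) does not pass as an enforced denial.
        HttpResponseException denied =
                Assertions.assertThrows(
                        HttpResponseException.class,
                        () -> retrieveObjectFromGcs(credentials, GCS_OBJECT_NAME_WITHOUT_PERMISSION),
                        "Call to GCS should have failed.");
        Assertions.assertEquals(403, denied.getStatusCode());
    }

    /**
     * Fetches the metadata of one object in {@link #GCS_BUCKET_NAME} with the given credentials
     * and asserts that the call succeeded.
     *
     * @param credentials credentials attached to the request
     * @param objectName name of the object inside the test bucket
     * @throws IOException if the request fails; the test above relies on a denied request
     *     surfacing as an {@link HttpResponseException}
     */
    private void retrieveObjectFromGcs(Credentials credentials, String objectName)
            throws IOException {
        GenericUrl objectUrl =
                new GenericUrl(
                        String.format(
                                "https://storage.googleapis.com/storage/v1/b/%s/o/%s",
                                GCS_BUCKET_NAME, objectName));
        HttpRequest request =
                new NetHttpTransport()
                        .createRequestFactory(new HttpCredentialsAdapter(credentials))
                        .buildGetRequest(objectUrl);
        request.setParser(new JsonObjectParser(GsonFactory.getDefaultInstance()));

        HttpResponse response = request.execute();
        try {
            Assertions.assertTrue(response.isSuccessStatusCode());
        } finally {
            // The body is never read, so release the connection explicitly instead of leaving
            // it open until garbage collection.
            response.disconnect();
        }
    }
}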
