package com.google.cloud.hadoop.repackaged.gcs.com.google.cloud.hadoop.util;

import com.google.cloud.hadoop.repackaged.gcs.com.google.api.client.http.HttpTransport;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.AccessToken;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.UserCredentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.annotations.VisibleForTesting;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.base.Preconditions;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.base.Strings;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.base.Suppliers;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.collect.ImmutableList;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.collect.ImmutableMap;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.flogger.GoogleLogger;
import com.google.cloud.hadoop.util.AccessTokenProvider;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.URI;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/* loaded from: input_file:com/google/cloud/hadoop/repackaged/gcs/com/google/cloud/hadoop/util/HadoopCredentialsConfiguration.class */
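/**
 * Builds {@link GoogleCredentials} from Hadoop {@link Configuration} properties.
 *
 * <p>Every property below is declared as a key <em>suffix</em>. The effective keys are derived by
 * {@code HadoopConfigurationProperty.withPrefixes(...)} from the caller-supplied prefixes plus
 * {@link #BASE_KEY_PREFIX} (see {@link #getConfigKeyPrefixes}).
 *
 * <p>Security review notes: the {@code Configuration} passed in is the trust boundary for this
 * class. Its values select the authentication mechanism, name a class that is instantiated
 * reflectively, name credential files that are read from local disk, can redirect token requests
 * to another server, and choose the service account to impersonate. Write access to these keys
 * should therefore be limited to the same principals that are allowed to choose the job's cloud
 * identity.
 *
 * <p>This listing is decompiler output. Decompiler artefacts (an undefined {@code r2} receiver,
 * raw types and impossible casts, and try/finally blocks that had lost their close-on-failure
 * handling) have been repaired here without changing any public signature.
 */
public class HadoopCredentialsConfiguration {
    /** Key prefix that {@link #getConfigKeyPrefixes} always appends after the caller's prefixes. */
    public static final String BASE_KEY_PREFIX = "google.cloud";

    /** OAuth scope applied to every credential built by this class. */
    public static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();

    /** Selects the credential source; defaults to {@link AuthenticationType#COMPUTE_ENGINE}. */
    public static final HadoopConfigurationProperty<AuthenticationType> AUTHENTICATION_TYPE_SUFFIX = new HadoopConfigurationProperty<>(".auth.type", AuthenticationType.COMPUTE_ENGINE, new String[0]);

    /** Local path of a service account JSON key file (long-lived private key material). */
    public static final HadoopConfigurationProperty<String> SERVICE_ACCOUNT_JSON_KEYFILE_SUFFIX = new HadoopConfigurationProperty<>(".auth.service.account.json.keyfile");

    /** Local path of a workload identity federation credential configuration file. */
    public static final HadoopConfigurationProperty<String> WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_CONFIG_FILE_SUFFIX = new HadoopConfigurationProperty<>(".auth.workload.identity.federation.credential.config.file");

    /** Class that is instantiated reflectively for {@link AuthenticationType#ACCESS_TOKEN_PROVIDER}. */
    public static final HadoopConfigurationProperty<Class<? extends AccessTokenProvider>> ACCESS_TOKEN_PROVIDER_SUFFIX = new HadoopConfigurationProperty<>(".auth.access.token.provider");

    /** Fallback service account to impersonate when no user or group mapping matches. */
    public static final HadoopConfigurationProperty<String> IMPERSONATION_SERVICE_ACCOUNT_SUFFIX = new HadoopConfigurationProperty<>(".auth.impersonation.service.account");

    /** Key prefix for per-user impersonation mappings (user name to service account). */
    public static final HadoopConfigurationProperty<Map<String, String>> USER_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX = new HadoopConfigurationProperty<>(".auth.impersonation.service.account.for.user.", ImmutableMap.of(), new String[0]);

    /** Key prefix for per-group impersonation mappings (group name to service account). */
    public static final HadoopConfigurationProperty<Map<String, String>> GROUP_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX = new HadoopConfigurationProperty<>(".auth.impersonation.service.account.for.group.", ImmutableMap.of(), new String[0]);

    /** Optional override of the token server URI; see {@link #configureCredentials}. */
    public static final HadoopConfigurationProperty<String> TOKEN_SERVER_URL_SUFFIX = new HadoopConfigurationProperty<>(".token.server.url");

    public static final HadoopConfigurationProperty<String> PROXY_ADDRESS_SUFFIX = new HadoopConfigurationProperty<>(".proxy.address");

    // The RedactedString-typed properties below hold secrets and are read through
    // getPassword(configuration) rather than a plain Configuration.get.
    // NOTE(review): presumably getPassword resolves through Hadoop's credential-provider
    // mechanism - confirm in HadoopConfigurationProperty, which is not part of this listing.
    public static final HadoopConfigurationProperty<RedactedString> PROXY_USERNAME_SUFFIX = new HadoopConfigurationProperty<>(".proxy.username");
    public static final HadoopConfigurationProperty<RedactedString> PROXY_PASSWORD_SUFFIX = new HadoopConfigurationProperty<>(".proxy.password");

    // NOTE(review): default of 5000 is presumably milliseconds - confirm against getTimeDuration.
    public static final HadoopConfigurationProperty<Long> READ_TIMEOUT_SUFFIX = new HadoopConfigurationProperty<>(".http.read-timeout", 5000L, new String[0]);

    public static final HadoopConfigurationProperty<String> AUTH_CLIENT_ID_SUFFIX = new HadoopConfigurationProperty<>(".auth.client.id");
    public static final HadoopConfigurationProperty<RedactedString> AUTH_CLIENT_SECRET_SUFFIX = new HadoopConfigurationProperty<>(".auth.client.secret");
    public static final HadoopConfigurationProperty<RedactedString> AUTH_REFRESH_TOKEN_SUFFIX = new HadoopConfigurationProperty<>(".auth.refresh.token");

    /* loaded from: input_file:com/google/cloud/hadoop/repackaged/gcs/com/google/cloud/hadoop/util/HadoopCredentialsConfiguration$AccessTokenProviderCredentials.class */
    /**
     * Adapts a pluggable {@link AccessTokenProvider} to {@link GoogleCredentials}.
     *
     * <p>The token value and its expiry come entirely from the provider; this class only converts
     * the type and rejects a null token or null token value.
     */
    public static final class AccessTokenProviderCredentials extends GoogleCredentials {
        private final AccessTokenProvider accessTokenProvider;

        /**
         * Wraps {@code accessTokenProvider}, seeding the credentials with its current token.
         *
         * @param accessTokenProvider provider queried now and on every refresh
         * @throws NullPointerException if the provider, its token or the token value is null
         */
        public AccessTokenProviderCredentials(AccessTokenProvider accessTokenProvider) {
            super(convertAccessToken(accessTokenProvider.getAccessToken()));
            this.accessTokenProvider = accessTokenProvider;
        }

        /** Converts the provider's token type; a missing expiration time is passed through as null. */
        private static AccessToken convertAccessToken(AccessTokenProvider.AccessToken accessToken) {
            Preconditions.checkNotNull(accessToken, "AccessToken cannot be null!");
            String tokenValue = Preconditions.checkNotNull(accessToken.getToken(), "AccessToken value cannot be null!");
            Instant expirationTime = accessToken.getExpirationTime();
            Date expiration = expirationTime == null ? null : Date.from(expirationTime);
            return new AccessToken(tokenValue, expiration);
        }

        /** Returns the wrapped provider. */
        public AccessTokenProvider getAccessTokenProvider() {
            return this.accessTokenProvider;
        }

        /**
         * Asks the provider to refresh, then returns its new token.
         *
         * @throws IOException if the provider's refresh fails
         */
        @Override // com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.OAuth2Credentials
        public AccessToken refreshAccessToken() throws IOException {
            this.accessTokenProvider.refresh();
            return convertAccessToken(this.accessTokenProvider.getAccessToken());
        }
    }

    /* loaded from: input_file:com/google/cloud/hadoop/repackaged/gcs/com/google/cloud/hadoop/util/HadoopCredentialsConfiguration$AuthenticationType.class */
    /** Credential sources selectable through {@link #AUTHENTICATION_TYPE_SUFFIX}. */
    public enum AuthenticationType {
        ACCESS_TOKEN_PROVIDER,
        APPLICATION_DEFAULT,
        COMPUTE_ENGINE,
        SERVICE_ACCOUNT_JSON_KEYFILE,
        WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_CONFIG_FILE,
        UNAUTHENTICATED,
        USER_CREDENTIALS
    }

    /**
     * Returns the caller's key prefixes followed by {@link #BASE_KEY_PREFIX}.
     *
     * @param strArr caller-specific key prefixes, in the order given
     * @return an immutable list ending with {@code "google.cloud"}
     */
    public static List<String> getConfigKeyPrefixes(String... strArr) {
        // The decompiled form used a raw builder and cast BASE_KEY_PREFIX to a Builder, which is
        // not valid Java; a typed builder expresses the same list.
        return ImmutableList.<String>builder().add(strArr).add(BASE_KEY_PREFIX).build();
    }

    /**
     * Resolves credentials for the given configuration and key prefixes.
     *
     * @param configuration Hadoop configuration holding the authentication properties
     * @param strArr caller-specific key prefixes; {@link #BASE_KEY_PREFIX} is appended
     * @return the scoped credentials, or {@code null} when the authentication type is
     *     {@link AuthenticationType#UNAUTHENTICATED}; callers must handle the null case rather
     *     than treat it as an error
     * @throws IOException if a credential file cannot be read or a provider cannot be instantiated
     */
    public static GoogleCredentials getCredentials(Configuration configuration, String... strArr) throws IOException {
        List<String> configKeyPrefixes = getConfigKeyPrefixes(strArr);
        return getCredentials(getHttpTransport(configuration, configKeyPrefixes), configuration, configKeyPrefixes);
    }

    /** Same as the public overload, with the HTTP transport supplied by the caller. */
    @VisibleForTesting
    static GoogleCredentials getCredentials(Supplier<HttpTransport> supplier, Configuration configuration, List<String> list) throws IOException {
        GoogleCredentials rawCredentials = getCredentialsInternal(supplier, configuration, list);
        if (rawCredentials == null) {
            // UNAUTHENTICATED: there is nothing to scope or reconfigure.
            return null;
        }
        return configureCredentials(configuration, list, rawCredentials);
    }

    /**
     * Creates the unscoped credentials for the configured {@link AuthenticationType}.
     *
     * @return the credentials, or {@code null} for {@link AuthenticationType#UNAUTHENTICATED}
     * @throws IOException if a credential file cannot be read or the access token provider class
     *     cannot be instantiated
     * @throws NullPointerException if a property required by the selected type is not set
     */
    private static GoogleCredentials getCredentialsInternal(Supplier<HttpTransport> supplier, Configuration configuration, List<String> list) throws IOException {
        // The decompiler emitted an undefined "r2" receiver here; the preceding null check on
        // the configuration shows it was a bound reference to Configuration.getEnum.
        AuthenticationType authenticationType = AUTHENTICATION_TYPE_SUFFIX.withPrefixes(list).get(configuration, configuration::getEnum);
        switch (authenticationType) {
            case ACCESS_TOKEN_PROVIDER: {
                // The class name comes from configuration and its no-arg constructor runs in this
                // process. The only type check is the AccessTokenProvider bound handed to
                // Configuration.getClass, so the configuration source must be trusted.
                Class<? extends AccessTokenProvider> providerClass = ACCESS_TOKEN_PROVIDER_SUFFIX.withPrefixes(list).get(configuration, (key, defaultClass) -> configuration.getClass(key, defaultClass, AccessTokenProvider.class));
                // Same exception type as the bare dereference had, but with a usable message.
                Objects.requireNonNull(providerClass, "Access token provider class is not configured ('.auth.access.token.provider')");
                try {
                    AccessTokenProvider provider = providerClass.getDeclaredConstructor().newInstance();
                    provider.setConf(configuration);
                    return new AccessTokenProviderCredentials(provider);
                } catch (ReflectiveOperationException e) {
                    throw new IOException("Can't instantiate " + providerClass.getName(), e);
                }
            }
            case APPLICATION_DEFAULT:
                return GoogleCredentials.getApplicationDefault(supplier::get);
            case COMPUTE_ENGINE:
                return ComputeEngineCredentials.newBuilder().setHttpTransportFactory(supplier::get).build();
            case SERVICE_ACCOUNT_JSON_KEYFILE: {
                String keyFilePath = Objects.requireNonNull(
                        SERVICE_ACCOUNT_JSON_KEYFILE_SUFFIX.withPrefixes(list).get(configuration, configuration::get),
                        "Service account JSON keyfile path is not configured ('.auth.service.account.json.keyfile')");
                // try-with-resources closes the key file even when parsing fails; the decompiled
                // try/finally only closed it on the success path.
                try (InputStream keyStream = new FileInputStream(keyFilePath)) {
                    return ServiceAccountCredentials.fromStream(keyStream, supplier::get);
                }
            }
            case USER_CREDENTIALS:
                // Client secret and refresh token are read through getPassword(...), not a plain
                // Configuration.get; keep it that way so they are not handled as ordinary values.
                return UserCredentials.newBuilder()
                        .setClientId(AUTH_CLIENT_ID_SUFFIX.withPrefixes(list).get(configuration, configuration::get))
                        .setClientSecret(AUTH_CLIENT_SECRET_SUFFIX.withPrefixes(list).getPassword(configuration).value())
                        .setRefreshToken(AUTH_REFRESH_TOKEN_SUFFIX.withPrefixes(list).getPassword(configuration).value())
                        .setHttpTransportFactory(supplier::get)
                        .build();
            case WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_CONFIG_FILE: {
                String configFilePath = Objects.requireNonNull(
                        WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_CONFIG_FILE_SUFFIX.withPrefixes(list).get(configuration, configuration::get),
                        "Workload identity federation credential config file is not configured"
                                + " ('.auth.workload.identity.federation.credential.config.file')");
                try (InputStream configStream = new FileInputStream(configFilePath)) {
                    return ExternalAccountCredentials.fromStream(configStream, supplier::get);
                }
            }
            case UNAUTHENTICATED:
                return null;
            default:
                throw new IllegalArgumentException("Unknown authentication type: " + authenticationType);
        }
    }

    /**
     * Wraps {@code googleCredentials} in impersonated credentials when impersonation is configured.
     *
     * <p>The target service account is chosen in this order: a mapping for the current user's
     * short name, then a mapping for any of the current user's groups, then the fallback service
     * account property. Empty values are skipped.
     *
     * @param configuration Hadoop configuration holding the impersonation properties
     * @param googleCredentials source credentials used to obtain the impersonated token
     * @param strArr caller-specific key prefixes; {@link #BASE_KEY_PREFIX} is appended
     * @return impersonated credentials scoped to {@link #CLOUD_PLATFORM_SCOPE}, or {@code null}
     *     when no impersonation target applies to the current user
     * @throws IOException if the current Hadoop user cannot be determined
     * @throws NullPointerException if impersonation is configured but {@code googleCredentials}
     *     is null
     */
    public static GoogleCredentials getImpersonatedCredentials(Configuration configuration, GoogleCredentials googleCredentials, String... strArr) throws IOException {
        List<String> configKeyPrefixes = getConfigKeyPrefixes(strArr);
        Map<String, String> userMappings = USER_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.withPrefixes(configKeyPrefixes).getPropsWithPrefix(configuration);
        Map<String, String> groupMappings = GROUP_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.withPrefixes(configKeyPrefixes).getPropsWithPrefix(configuration);
        String fallbackServiceAccount = IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.withPrefixes(configKeyPrefixes).get(configuration, configuration::get);
        if (userMappings.isEmpty() && groupMappings.isEmpty() && Strings.isNullOrEmpty(fallbackServiceAccount)) {
            return null;
        }
        Preconditions.checkNotNull(googleCredentials, "credentials can not be null");
        // The identity used for the lookup is whatever Hadoop reports as the current user, so
        // the mapping is only as trustworthy as the cluster's user authentication.
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        // Suppliers keep the lookups lazy: group names are only resolved when the user mapping
        // yields no usable value.
        Optional<String> targetServiceAccount = Stream.<Supplier<Optional<String>>>of(
                        () -> getServiceAccountToImpersonateForUserGroup(userMappings, ImmutableList.of(currentUser.getShortUserName())),
                        () -> getServiceAccountToImpersonateForUserGroup(groupMappings, ImmutableList.copyOf(currentUser.getGroupNames())),
                        () -> Optional.ofNullable(fallbackServiceAccount))
                .map(Supplier::get)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .filter(serviceAccount -> !Strings.isNullOrEmpty(serviceAccount))
                .findFirst();
        if (!targetServiceAccount.isPresent()) {
            return null;
        }
        Supplier<HttpTransport> httpTransport = getHttpTransport(configuration, configKeyPrefixes);
        ImpersonatedCredentials impersonated = ImpersonatedCredentials.newBuilder()
                .setSourceCredentials(googleCredentials)
                .setTargetPrincipal(targetServiceAccount.get())
                .setScopes(ImmutableList.of(CLOUD_PLATFORM_SCOPE))
                .setHttpTransportFactory(httpTransport::get)
                .build();
        // Logs identities only (service account and user), never token material.
        logger.atFine().log("Impersonating '%s' service account for '%s' user", targetServiceAccount.get(), currentUser);
        return impersonated;
    }

    /**
     * Returns the service account mapped to the first entry of {@code map} whose key is in
     * {@code list}.
     *
     * <p>"First" follows the iteration order of {@code map}. When a user belongs to several
     * mapped groups the winning entry is therefore decided by that order.
     * NOTE(review): confirm whether getPropsWithPrefix returns an ordered map; if it does not,
     * overlapping group mappings resolve to an unpredictable service account.
     *
     * <p>Decompiler note: JADX reports this method was private in the original class and widened
     * it to public; it is left public here so the decompiled interface is unchanged.
     *
     * @param map user-or-group name to service account
     * @param list names to look up
     * @return the matching service account, or empty when no key matches
     */
    public static Optional<String> getServiceAccountToImpersonateForUserGroup(Map<String, String> map, List<String> list) {
        return map.entrySet().stream()
                .filter(entry -> list.contains(entry.getKey()))
                .map(Map.Entry::getValue)
                .findFirst();
    }

    /**
     * Returns a memoizing supplier of the HTTP transport built from the proxy and timeout
     * properties.
     *
     * <p>The transport is created on first use. An {@link IOException} raised while creating it
     * surfaces from {@code get()} as an {@link UncheckedIOException}.
     */
    private static Supplier<HttpTransport> getHttpTransport(Configuration configuration, List<String> list) {
        return Suppliers.memoize(() -> {
            try {
                // Proxy credentials are read via getPassword(...) and handed over as
                // RedactedString values rather than plain strings.
                return HttpTransportFactory.createHttpTransport(
                        PROXY_ADDRESS_SUFFIX.withPrefixes(list).get(configuration, configuration::get),
                        PROXY_USERNAME_SUFFIX.withPrefixes(list).getPassword(configuration),
                        PROXY_PASSWORD_SUFFIX.withPrefixes(list).getPassword(configuration),
                        READ_TIMEOUT_SUFFIX.withPrefixes(list).getTimeDuration(configuration));
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        });
    }

    /**
     * Scopes the credentials to {@link #CLOUD_PLATFORM_SCOPE} and applies the optional token
     * server override.
     *
     * <p>The override is applied only to service account and user credentials; every other
     * credential type is returned scoped but otherwise unchanged.
     *
     * @throws IllegalArgumentException if the configured token server URL is not a valid URI
     */
    private static GoogleCredentials configureCredentials(Configuration configuration, List<String> list, GoogleCredentials googleCredentials) {
        GoogleCredentials scoped = googleCredentials.createScoped(CLOUD_PLATFORM_SCOPE);
        String tokenServerUrl = TOKEN_SERVER_URL_SUFFIX.withPrefixes(list).get(configuration, configuration::get);
        if (tokenServerUrl == null) {
            return scoped;
        }
        // NOTE(review): token refresh requests for these credentials are sent to whatever URI is
        // configured here, and nothing in this method checks the scheme or host. Treat the key
        // as security-sensitive and consider requiring https outside of test setups.
        if (scoped instanceof ServiceAccountCredentials) {
            return ((ServiceAccountCredentials) scoped).toBuilder().setTokenServerUri(URI.create(tokenServerUrl)).build();
        }
        if (scoped instanceof UserCredentials) {
            return ((UserCredentials) scoped).toBuilder().setTokenServerUri(URI.create(tokenServerUrl)).build();
        }
        return scoped;
    }
}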
