package fi.evolver.ai.spring.connector;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import fi.evolver.ai.spring.ApiResponseException;
import fi.evolver.ai.spring.config.ApiConfigurationService;
import fi.evolver.ai.spring.util.ConnectorUtils;
import fi.evolver.ai.spring.util.Json;
import fi.evolver.basics.spring.http.LoggingHttpClient;
import fi.evolver.basics.spring.log.MessageLogService;
import fi.evolver.utils.UriUtils;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.net.http.HttpHeaders;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpMethod;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ResponseStatusException;

@Component
/* loaded from: input_file:fi/evolver/ai/spring/connector/GoogleConnector.class */
public class GoogleConnector extends AbstractConnector {
    private static final String AZURE_TENANT_ID = "x-mylly-azure-gcp-tenant-id";
    private static final String AZURE_CLIENT_ID = "x-mylly-azure-gcp-client-id";
    private static final String AZURE_CLIENT_SECRET = "x-mylly-azure-gcp-client-secret";
    private static final String GOOGLE_CLIENT_EMAIL = "x-mylly-google-email";
    private static final String GOOGLE_SECRET = "x-mylly-google-secret";
    private static final String GOOGLE_STS_AUDIENCE = "x-mylly-google-sts-audience";
    private static final URI GOOGLE_OAUTH_URI = URI.create("https://oauth2.googleapis.com/token");
    private static final URI GOOGLE_STS_TOKEN_URI = URI.create("https://sts.googleapis.com/v1/token");
    private static final Map<String, String> headersToOpenAiHeaders = Map.of("google-ratelimit-requests-limit", "x-ratelimit-limit-requests", "google-ratelimit-requests-remaining", "x-ratelimit-remaining-requests", "google-ratelimit-requests-reset", "x-ratelimit-reset-requests", "google-ratelimit-tokens-limit", "x-ratelimit-limit-tokens", "google-ratelimit-tokens-remaining", "x-ratelimit-remaining-tokens", "google-ratelimit-tokens-reset", "x-ratelimit-reset-tokens");
    private final Map<String, AccessTokenCacheEntry> accessTokenCache;
    private final ThreadLocal<KeyFactory> keyFactory;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:fi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry.class */
    public static final class AccessTokenCacheEntry extends Record {
        private final String accessToken;
        private final Instant expiresAt;
        private final String tokenType;

        private AccessTokenCacheEntry(String str, Instant instant, String str2) {
            this.accessToken = str;
            this.expiresAt = instant;
            this.tokenType = str2;
        }

        public static AccessTokenCacheEntry fromResponse(GoogleAccessTokenResponse googleAccessTokenResponse) {
            return new AccessTokenCacheEntry(googleAccessTokenResponse.accessToken(), googleAccessTokenResponse.expiresInS() != null ? Instant.now().plusSeconds(googleAccessTokenResponse.expiresInS().longValue()) : Instant.now().plus(50L, (TemporalUnit) ChronoUnit.MINUTES), googleAccessTokenResponse.tokenType());
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, AccessTokenCacheEntry.class), AccessTokenCacheEntry.class, "accessToken;expiresAt;tokenType", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->expiresAt:Ljava/time/Instant;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->tokenType:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, AccessTokenCacheEntry.class), AccessTokenCacheEntry.class, "accessToken;expiresAt;tokenType", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->expiresAt:Ljava/time/Instant;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->tokenType:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, AccessTokenCacheEntry.class, Object.class), AccessTokenCacheEntry.class, "accessToken;expiresAt;tokenType", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->expiresAt:Ljava/time/Instant;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$AccessTokenCacheEntry;->tokenType:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String accessToken() {
            return this.accessToken;
        }

        public Instant expiresAt() {
            return this.expiresAt;
        }

        public String tokenType() {
            return this.tokenType;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:fi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse.class */
    public static final class GoogleAccessTokenResponse extends Record {

        @JsonProperty("access_token")
        private final String accessToken;

        @JsonProperty("expires_in")
        private final Long expiresInS;

        @JsonProperty("token_type")
        private final String tokenType;

        private GoogleAccessTokenResponse(@JsonProperty("access_token") String str, @JsonProperty("expires_in") Long l, @JsonProperty("token_type") String str2) {
            this.accessToken = str;
            this.expiresInS = l;
            this.tokenType = str2;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, GoogleAccessTokenResponse.class), GoogleAccessTokenResponse.class, "accessToken;expiresInS;tokenType", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->expiresInS:Ljava/lang/Long;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->tokenType:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, GoogleAccessTokenResponse.class), GoogleAccessTokenResponse.class, "accessToken;expiresInS;tokenType", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->expiresInS:Ljava/lang/Long;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->tokenType:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, GoogleAccessTokenResponse.class, Object.class), GoogleAccessTokenResponse.class, "accessToken;expiresInS;tokenType", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->expiresInS:Ljava/lang/Long;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleAccessTokenResponse;->tokenType:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        @JsonProperty("access_token")
        public String accessToken() {
            return this.accessToken;
        }

        @JsonProperty("expires_in")
        public Long expiresInS() {
            return this.expiresInS;
        }

        @JsonProperty("token_type")
        public String tokenType() {
            return this.tokenType;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:fi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse.class */
    public static final class GoogleServiceAccountAccessTokenResponse extends Record {
        private final String accessToken;
        private final Instant expireTime;

        private GoogleServiceAccountAccessTokenResponse(String str, Instant instant) {
            this.accessToken = str;
            this.expireTime = instant;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, GoogleServiceAccountAccessTokenResponse.class), GoogleServiceAccountAccessTokenResponse.class, "accessToken;expireTime", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse;->expireTime:Ljava/time/Instant;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, GoogleServiceAccountAccessTokenResponse.class), GoogleServiceAccountAccessTokenResponse.class, "accessToken;expireTime", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse;->expireTime:Ljava/time/Instant;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, GoogleServiceAccountAccessTokenResponse.class, Object.class), GoogleServiceAccountAccessTokenResponse.class, "accessToken;expireTime", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse;->accessToken:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleServiceAccountAccessTokenResponse;->expireTime:Ljava/time/Instant;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String accessToken() {
            return this.accessToken;
        }

        public Instant expireTime() {
            return this.expireTime;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:fi/evolver/ai/spring/connector/GoogleConnector$GoogleStsTokenResponse.class */
    public static final class GoogleStsTokenResponse extends Record {

        @JsonProperty("access_token")
        private final String accessToken;

        private GoogleStsTokenResponse(@JsonProperty("access_token") String str) {
            this.accessToken = str;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, GoogleStsTokenResponse.class), GoogleStsTokenResponse.class, "accessToken", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleStsTokenResponse;->accessToken:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, GoogleStsTokenResponse.class), GoogleStsTokenResponse.class, "accessToken", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleStsTokenResponse;->accessToken:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, GoogleStsTokenResponse.class, Object.class), GoogleStsTokenResponse.class, "accessToken", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleStsTokenResponse;->accessToken:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        @JsonProperty("access_token")
        public String accessToken() {
            return this.accessToken;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:fi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig.class */
    public static final class GoogleTokenConfig extends Record {
        private final String clientEmail;
        private final String privateKey;

        private GoogleTokenConfig(String str, String str2) {
            this.clientEmail = str;
            this.privateKey = str2;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, GoogleTokenConfig.class), GoogleTokenConfig.class, "clientEmail;privateKey", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig;->clientEmail:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig;->privateKey:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, GoogleTokenConfig.class), GoogleTokenConfig.class, "clientEmail;privateKey", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig;->clientEmail:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig;->privateKey:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, GoogleTokenConfig.class, Object.class), GoogleTokenConfig.class, "clientEmail;privateKey", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig;->clientEmail:Ljava/lang/String;", "FIELD:Lfi/evolver/ai/spring/connector/GoogleConnector$GoogleTokenConfig;->privateKey:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String clientEmail() {
            return this.clientEmail;
        }

        public String privateKey() {
            return this.privateKey;
        }
    }

    @Autowired
    public GoogleConnector(ApiConfigurationService apiConfigurationService, MessageLogService messageLogService, @Value("${evolver.ai-api.google-client.connection.timeout.seconds:5}") int i) {
        super(apiConfigurationService, messageLogService, Duration.ofSeconds(i));
        this.accessTokenCache = new ConcurrentHashMap();
        this.keyFactory = ThreadLocal.withInitial(() -> {
            try {
                return KeyFactory.getInstance("RSA");
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("Unable to obtain RSA KeyFactory", e);
            }
        });
    }

    @Override // fi.evolver.ai.spring.connector.AbstractConnector
    protected HttpRequest buildRequest(Map<String, String> map, URI uri, Duration duration, HttpMethod httpMethod, Optional<byte[]> optional) {
        HttpRequest.Builder method = HttpRequest.newBuilder(uri).timeout(duration).method(httpMethod.name(), (HttpRequest.BodyPublisher) optional.map(bArr -> {
            return ConnectorUtils.addHeadersToBody(bArr, map);
        }).map(HttpRequest.BodyPublishers::ofByteArray).orElseGet(HttpRequest.BodyPublishers::noBody));
        Objects.requireNonNull(method);
        map.forEach(method::header);
        method.header("Authorization", getAuthHeader(map));
        return method.build();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // fi.evolver.ai.spring.connector.AbstractConnector
    public HttpResponse.BodyHandler<Void> addHeaderConsumer(HttpResponse.BodyHandler<Void> bodyHandler, Consumer<HttpHeaders> consumer) {
        return consumer == null ? super.addHeaderConsumer(bodyHandler, consumer) : super.addHeaderConsumer(bodyHandler, httpHeaders -> {
            consumer.accept(HttpHeaders.of((Map) httpHeaders.map().entrySet().stream().collect(Collectors.toMap(entry -> {
                return headersToOpenAiHeaders.getOrDefault(entry.getKey(), (String) entry.getKey());
            }, (v0) -> {
                return v0.getValue();
            })), (str, str2) -> {
                return true;
            }));
        });
    }

    private String getAuthHeader(Map<String, String> map) {
        return map.containsKey(GOOGLE_STS_AUDIENCE) ? fetchAccessTokenUsingWorkloadIdentityFederation(map) : fetchAccessTokenUsingServiceAccount(map);
    }

    private String fetchAccessTokenUsingWorkloadIdentityFederation(Map<String, String> map) {
        String str = map.get(GOOGLE_CLIENT_EMAIL);
        if (str == null) {
            throw new IllegalArgumentException("Missing client email for google client");
        }
        AccessTokenCacheEntry accessTokenCacheEntry = this.accessTokenCache.get(str);
        if (accessTokenCacheEntry == null || Instant.now().plusSeconds(5L).isAfter(accessTokenCacheEntry.expiresAt())) {
            accessTokenCacheEntry = fetchAccessToken(map);
            this.accessTokenCache.put(str, accessTokenCacheEntry);
        }
        return "%s %s".formatted(accessTokenCacheEntry.tokenType(), accessTokenCacheEntry.accessToken());
    }

    private String fetchAccessTokenUsingServiceAccount(Map<String, String> map) {
        GoogleTokenConfig resolveTokenConfig = resolveTokenConfig(map);
        AccessTokenCacheEntry accessTokenCacheEntry = this.accessTokenCache.get(resolveTokenConfig.clientEmail());
        if (accessTokenCacheEntry == null || Instant.now().plusSeconds(5L).isAfter(accessTokenCacheEntry.expiresAt())) {
            accessTokenCacheEntry = fetchAccessToken(resolveTokenConfig);
            this.accessTokenCache.put(resolveTokenConfig.clientEmail(), accessTokenCacheEntry);
        }
        return "%s %s".formatted(accessTokenCacheEntry.tokenType(), accessTokenCacheEntry.accessToken());
    }

    private static GoogleTokenConfig resolveTokenConfig(Map<String, String> map) {
        boolean containsKey = map.containsKey(GOOGLE_CLIENT_EMAIL);
        boolean containsKey2 = map.containsKey(GOOGLE_SECRET);
        if (containsKey && containsKey2) {
            return new GoogleTokenConfig(map.get(GOOGLE_CLIENT_EMAIL), map.get(GOOGLE_SECRET));
        }
        if (containsKey || containsKey2) {
            throw new IllegalArgumentException("Only client email or client secret was provided for google client. Both are needed");
        }
        throw new IllegalArgumentException("Missing client email and client secret for google client");
    }

    private AccessTokenCacheEntry fetchAccessToken(Map<String, String> map) {
        String azureIdToken = getAzureIdToken(map.get(AZURE_TENANT_ID), map.get(AZURE_CLIENT_ID), map.get(AZURE_CLIENT_SECRET));
        if (azureIdToken == null) {
            throw new IllegalStateException("Failed fetching Azure ID token");
        }
        String googleStsToken = getGoogleStsToken(azureIdToken, map.get(GOOGLE_STS_AUDIENCE));
        if (googleStsToken == null) {
            throw new IllegalStateException("Failed fetching Google STS token");
        }
        GoogleServiceAccountAccessTokenResponse accessToken = getAccessToken(googleStsToken, map.get(GOOGLE_CLIENT_EMAIL));
        if (accessToken == null) {
            throw new IllegalStateException("Failed fetching Google access token");
        }
        return new AccessTokenCacheEntry(accessToken.accessToken(), accessToken.expireTime(), "Bearer");
    }

    private AccessTokenCacheEntry fetchAccessToken(GoogleTokenConfig googleTokenConfig) {
        try {
            HttpResponse send = this.httpClient.send(HttpRequest.newBuilder().uri(GOOGLE_OAUTH_URI).header("Content-Type", "application/x-www-form-urlencoded").POST(HttpRequest.BodyPublishers.ofString(buildTokenRequestBody(googleTokenConfig))).build(), HttpResponse.BodyHandlers.ofString(), new LoggingHttpClient.LogParameters("FetchAccessToken"));
            if (send.statusCode() == 200) {
                return AccessTokenCacheEntry.fromResponse((GoogleAccessTokenResponse) Json.OBJECT_MAPPER.readValue((String) send.body(), GoogleAccessTokenResponse.class));
            }
            throw new ApiResponseException("Failed to fetch access token: %s".formatted(send.body()), new Object[0]);
        } catch (ResponseStatusException | IOException | InterruptedException e) {
            LOG.error("Failed to fetch access token", e);
            throw new ApiResponseException("Failed to fetch access token", e);
        }
    }

    private String buildTokenRequestBody(GoogleTokenConfig googleTokenConfig) {
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        try {
            return "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=" + URLEncoder.encode(JWT.create().withPayload(Map.of("aud", "https://oauth2.googleapis.com/token", "scope", "https://www.googleapis.com/auth/cloud-platform", "iss", googleTokenConfig.clientEmail(), "iat", Long.valueOf(currentTimeMillis), "exp", Long.valueOf(currentTimeMillis + 3600))).sign(Algorithm.RSA256((RSAPublicKey) null, getRsaPrivateKey(googleTokenConfig.privateKey()))), StandardCharsets.UTF_8);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            LOG.error("Failed to build access token request", e);
            throw new ApiResponseException("Failed to build access token request", e);
        }
    }

    private RSAPrivateKey getRsaPrivateKey(String str) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return (RSAPrivateKey) this.keyFactory.get().generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(str.replace("-----BEGIN PRIVATE KEY-----", "").replaceAll("[\\r\\n]|\\\\[rn]", "").replace("-----END PRIVATE KEY-----", ""))));
    }

    private static String getAzureIdToken(String str, String str2, String str3) {
        return getTokenCredential(str, str2, str3).getTokenSync(new TokenRequestContext().addScopes(new String[]{"api://%s/.default".formatted(str2)})).getToken();
    }

    private static TokenCredential getTokenCredential(String str, String str2, String str3) {
        return str == null ? new ManagedIdentityCredentialBuilder().build() : new ClientSecretCredentialBuilder().tenantId(str).clientId(str2).clientSecret(str3).build();
    }

    private String getGoogleStsToken(String str, String str2) {
        try {
            return ((GoogleStsTokenResponse) Json.OBJECT_MAPPER.readValue((String) this.httpClient.send(HttpRequest.newBuilder(GOOGLE_STS_TOKEN_URI).header("Content-Type", "application/x-www-form-urlencoded").timeout(Duration.ofSeconds(30L)).POST(HttpRequest.BodyPublishers.ofString((String) Map.of("audience", str2, "grant_type", "urn:ietf:params:oauth:grant-type:token-exchange", "requested_token_type", "urn:ietf:params:oauth:token-type:access_token", "scope", "https://www.googleapis.com/auth/cloud-platform", "subject_token_type", "urn:ietf:params:oauth:token-type:jwt", "subject_token", str).entrySet().stream().map(entry -> {
                return "%s=%s".formatted(URLEncoder.encode((String) entry.getKey(), StandardCharsets.UTF_8), URLEncoder.encode((String) entry.getValue(), StandardCharsets.UTF_8));
            }).collect(Collectors.joining("&")))).build(), HttpResponse.BodyHandlers.ofString(), new LoggingHttpClient.LogParameters("FetchGoogleSTSToken")).body(), GoogleStsTokenResponse.class)).accessToken();
        } catch (IOException | InterruptedException e) {
            throw new IllegalStateException("Failed fetching STS token", e);
        }
    }

    private GoogleServiceAccountAccessTokenResponse getAccessToken(String str, String str2) {
        try {
            return (GoogleServiceAccountAccessTokenResponse) Json.OBJECT_MAPPER.readValue((String) this.httpClient.send(HttpRequest.newBuilder(new URI("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken".formatted(UriUtils.encode(str2)))).header("Content-Type", "application/json").header("Authorization", "Bearer %s".formatted(str)).timeout(Duration.ofSeconds(30L)).POST(HttpRequest.BodyPublishers.ofString(Json.OBJECT_MAPPER.writeValueAsString(Map.of("scope", List.of("https://www.googleapis.com/auth/cloud-platform"))))).build(), HttpResponse.BodyHandlers.ofString(), new LoggingHttpClient.LogParameters("FetchAccessToken")).body(), GoogleServiceAccountAccessTokenResponse.class);
        } catch (IOException | InterruptedException | URISyntaxException e) {
            throw new IllegalStateException("Failed fetching access token", e);
        }
    }
}
