package org.curioswitch.curiostack.gcloud.core.auth;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Streams;
import com.linecorp.armeria.client.WebClient;
import com.linecorp.armeria.common.CommonPools;
import com.linecorp.armeria.common.HttpHeaderNames;
import com.linecorp.armeria.common.HttpStatus;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.curioswitch.curiostack.gcloud.core.RetryingGoogleApis;
import org.curioswitch.curiostack.gcloud.core.util.AsyncRefreshingValue;
import org.immutables.value.Value;

@Singleton
/* loaded from: input_file:org/curioswitch/curiostack/gcloud/core/auth/GooglePublicKeysManager.class */
public class GooglePublicKeysManager {
    private static final String CERTS_PATH = "/oauth2/v1/certs";
    private static final Duration EXPIRATION_SKEW = Duration.ofMinutes(5);
    private static final Splitter CACHE_CONTROL_SPLITTER = Splitter.on(',');
    private static final Pattern MAX_AGE_PATTERN = Pattern.compile("\\s*max-age\\s*=\\s*(\\d+)\\s*");
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    private static final CertificateFactory CERTIFICATE_FACTORY;
    private final WebClient googleApisClient;
    private final Clock clock;
    private final AsyncRefreshingValue<CachedPublicKeys> keysCache;

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Style(deepImmutablesDetection = true, defaultAsDefault = true, builderVisibility = Value.Style.BuilderVisibility.PACKAGE, visibility = Value.Style.ImplementationVisibility.PACKAGE)
    @Value.Immutable
    /* loaded from: input_file:org/curioswitch/curiostack/gcloud/core/auth/GooglePublicKeysManager$CachedPublicKeys.class */
    public interface CachedPublicKeys {
        Instant expirationTime();

        /* renamed from: keys */
        List<PublicKey> mo19keys();
    }

    @Inject
    public GooglePublicKeysManager(@RetryingGoogleApis WebClient webClient, Clock clock) {
        this.googleApisClient = webClient;
        this.clock = clock;
        this.keysCache = new AsyncRefreshingValue<>(this::refresh, (v0) -> {
            return v0.expirationTime();
        }, CommonPools.workerGroup().next(), clock);
    }

    public CompletableFuture<List<PublicKey>> getKeys() {
        return this.keysCache.get().thenApply((v0) -> {
            return v0.mo19keys();
        });
    }

    private CompletableFuture<CachedPublicKeys> refresh() {
        return this.googleApisClient.get(CERTS_PATH).aggregate().handle((aggregatedHttpResponse, th) -> {
            if (th != null) {
                throw new IllegalStateException("Failed to refresh Google public keys.", th);
            }
            if (!aggregatedHttpResponse.status().equals(HttpStatus.OK)) {
                throw new IllegalStateException("Non-200 status code when fetching certificates.");
            }
            String str = aggregatedHttpResponse.headers().get(HttpHeaderNames.CACHE_CONTROL);
            long j = 0;
            if (str != null) {
                Iterator it = CACHE_CONTROL_SPLITTER.split(str).iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    Matcher matcher = MAX_AGE_PATTERN.matcher((String) it.next());
                    if (matcher.matches()) {
                        j = Long.valueOf(matcher.group(1)).longValue();
                        break;
                    }
                }
            }
            try {
                return ImmutableCachedPublicKeys.builder().expirationTime(this.clock.instant().plusSeconds(Math.max(0L, j - r0.getInt(HttpHeaderNames.AGE, 0))).minus((TemporalAmount) EXPIRATION_SKEW)).addAllKeys((List) Streams.stream(OBJECT_MAPPER.readTree(aggregatedHttpResponse.content().array()).elements()).map(jsonNode -> {
                    try {
                        return CERTIFICATE_FACTORY.generateCertificate(new ByteArrayInputStream(jsonNode.textValue().getBytes(StandardCharsets.UTF_8))).getPublicKey();
                    } catch (CertificateException e) {
                        throw new IllegalArgumentException("Could not decode certificate.", e);
                    }
                }).collect(ImmutableList.toImmutableList())).build();
            } catch (IOException e) {
                throw new UncheckedIOException("Could not parse certificates.", e);
            }
        });
    }

    static {
        try {
            CERTIFICATE_FACTORY = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new Error("Could not get certificate factory.", e);
        }
    }
}
