package org.curioswitch.curiostack.gcloud.core.auth;

import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.common.base.MoreObjects;
import com.linecorp.armeria.client.WebClient;
import com.linecorp.armeria.common.RequestContext;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.ByteBufUtil;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.codec.http.QueryStringEncoder;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.time.Clock;
import java.util.concurrent.TimeUnit;
import org.curioswitch.curiostack.gcloud.core.auth.AbstractAccessTokenProvider;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/curioswitch/curiostack/gcloud/core/auth/ServiceAccountAccessTokenProvider.class */
public class ServiceAccountAccessTokenProvider extends AbstractAccessTokenProvider {
    private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static final String AUDIENCE = "https://www.googleapis.com/oauth2/v4/token";
    private final ServiceAccountCredentials credentials;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ServiceAccountAccessTokenProvider(WebClient webClient, Clock clock, ServiceAccountCredentials serviceAccountCredentials) {
        super(webClient, clock);
        this.credentials = serviceAccountCredentials;
    }

    @Override // org.curioswitch.curiostack.gcloud.core.auth.AbstractAccessTokenProvider
    ByteBuf refreshRequestContent(AbstractAccessTokenProvider.Type type) {
        String createAssertion = createAssertion(type, clock().millis());
        QueryStringEncoder queryStringEncoder = new QueryStringEncoder("");
        queryStringEncoder.addParam("grant_type", GRANT_TYPE);
        queryStringEncoder.addParam("assertion", createAssertion);
        String queryStringEncoder2 = queryStringEncoder.toString();
        ByteBufAllocator byteBufAllocator = (ByteBufAllocator) RequestContext.mapCurrent((v0) -> {
            return v0.alloc();
        }, () -> {
            return PooledByteBufAllocator.DEFAULT;
        });
        if (!$assertionsDisabled && byteBufAllocator == null) {
            throw new AssertionError();
        }
        ByteBuf buffer = byteBufAllocator.buffer(queryStringEncoder2.length() - 1);
        ByteBufUtil.writeAscii(buffer, queryStringEncoder2.substring(1));
        return buffer;
    }

    private String createAssertion(AbstractAccessTokenProvider.Type type, long j) {
        JsonWebSignature.Header header = new JsonWebSignature.Header();
        header.setAlgorithm("RS256");
        header.setType("JWT");
        header.setKeyId(this.credentials.getPrivateKeyId());
        long seconds = TimeUnit.MILLISECONDS.toSeconds(j);
        JsonWebToken.Payload payload = new JsonWebToken.Payload();
        String str = (String) MoreObjects.firstNonNull(this.credentials.getServiceAccountUser(), this.credentials.getClientEmail());
        payload.setIssuer(str);
        payload.setAudience(AUDIENCE);
        payload.setIssuedAtTimeSeconds(Long.valueOf(seconds));
        payload.setExpirationTimeSeconds(Long.valueOf(seconds + 3600));
        payload.setSubject(str);
        payload.put("scope", type == AbstractAccessTokenProvider.Type.ID_TOKEN ? this.credentials.getClientEmail() : String.join(" ", this.credentials.getScopes()));
        try {
            return JsonWebSignature.signUsingRsaSha256(this.credentials.getPrivateKey(), GsonFactory.getDefaultInstance(), header, payload);
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Error signing service account access token request with private key.", e);
        }
    }

    static {
        $assertionsDisabled = !ServiceAccountAccessTokenProvider.class.desiredAssertionStatus();
    }
}
