package org.datatransferproject.cloud.google;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.datatransferproject.api.launcher.Monitor;
import org.datatransferproject.cloud.google.GoogleCloudExtensionModule;
import org.datatransferproject.spi.cloud.storage.AppCredentialStore;
import org.datatransferproject.types.transfer.auth.AppCredentials;

/* JADX INFO: Access modifiers changed from: package-private */
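/**
 * {@link AppCredentialStore} that reads application credentials from a Google Cloud Storage
 * bucket.
 *
 * <p>App keys are read as plain text from {@code keys/<name>.txt}. App secrets are read from
 * {@code encrypted_secrets/<name>.encrypted} and decrypted with the injected
 * {@link GoogleAppSecretDecrypter}. Both live in the bucket {@code app-data-<projectId>}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Resolved keys and <em>decrypted</em> secrets are kept in in-process caches for
 *       {@code CACHE_EXPIRATION_MINUTES} minutes after they are loaded. A credential rotated or
 *       revoked in the bucket can therefore still be served from the cache until the entry
 *       expires, and plaintext secrets stay on the heap for at least that long.
 *   <li>Only key/secret <em>names</em> and blob paths are logged or placed in exception
 *       messages; the credential material itself is never logged by this class.
 *   <li>Blob names are built by plain concatenation of the caller-supplied name.
 *       NOTE(review): presumably callers pass fixed, configuration-derived names; confirm that
 *       no request-controlled value can reach {@link #getAppCredentials}.
 * </ul>
 */
@Singleton
/* loaded from: input_file:org/datatransferproject/cloud/google/GoogleAppCredentialStore.class */
public final class GoogleAppCredentialStore implements AppCredentialStore {
    /** Lifetime of a cached key or decrypted secret, counted from the moment it was loaded. */
    private static final long CACHE_EXPIRATION_MINUTES = 10;
    private static final String APP_CREDENTIAL_BUCKET_PREFIX = "app-data-";
    private static final String KEYS_DIR = "keys/";
    private static final String KEY_EXTENSION = ".txt";
    private static final String SECRETS_DIR = "encrypted_secrets/";
    private static final String SECRET_EXTENSION = ".encrypted";
    private final GoogleAppSecretDecrypter appSecretDecrypter;
    private final Monitor monitor;
    private final Storage storage;
    private final String bucketName;

    /** Key name -> app key (plain text as stored in the bucket, trimmed). */
    private final LoadingCache<String, String> keys = CacheBuilder.newBuilder()
            .expireAfterWrite(CACHE_EXPIRATION_MINUTES, TimeUnit.MINUTES)
            .build(new CacheLoader<String, String>() {
                @Override
                public String load(String str) throws Exception {
                    return GoogleAppCredentialStore.this.lookupKey(str);
                }
            });

    /** Secret name -> decrypted app secret. Holds plaintext; see the class-level notes. */
    private final LoadingCache<String, String> secrets = CacheBuilder.newBuilder()
            .expireAfterWrite(CACHE_EXPIRATION_MINUTES, TimeUnit.MINUTES)
            .build(new CacheLoader<String, String>() {
                @Override
                public String load(String str) throws Exception {
                    return GoogleAppCredentialStore.this.lookupSecret(str);
                }
            });

    /**
     * Builds the Cloud Storage client and derives the credential bucket name.
     *
     * @param googleAppSecretDecrypter decrypter applied to every secret blob
     * @param googleCredentials credentials the Storage client authenticates with
     * @param str the Google Cloud project id; also the suffix of the bucket name
     * @param monitor sink for debug messages
     */
    @Inject
    GoogleAppCredentialStore(GoogleAppSecretDecrypter googleAppSecretDecrypter, GoogleCredentials googleCredentials, @GoogleCloudExtensionModule.ProjectId String str, Monitor monitor) {
        this.appSecretDecrypter = googleAppSecretDecrypter;
        this.monitor = monitor;
        this.storage = StorageOptions.newBuilder().setProjectId(str).setCredentials(googleCredentials).build().getService();
        this.bucketName = APP_CREDENTIAL_BUCKET_PREFIX + str;
    }

    /**
     * Returns the app key and decrypted app secret for the given names, loading them from the
     * bucket on a cache miss.
     *
     * <p>The two lookups are wrapped separately so that a failure is attributed to the lookup
     * that actually failed. With a single handler around both calls, a key failure would be
     * reported as "Couldn't lookup secret" and the key handler could never run.
     *
     * @param str name of the app key
     * @param str2 name of the app secret
     * @return the credentials built from the resolved key and secret
     * @throws IOException if either cache loader fails with a checked exception; the message
     *     names the key or secret (never its value) and the cause is preserved
     */
    public AppCredentials getAppCredentials(String str, String str2) throws IOException {
        // NOTE(review): the lookups signal missing buckets/blobs through Preconditions, i.e.
        // unchecked exceptions. Guava's LoadingCache.get surfaces those as
        // UncheckedExecutionException, so they are not converted to IOException here.
        final String key;
        try {
            key = this.keys.get(str);
        } catch (ExecutionException e) {
            throw new IOException("Couldn't lookup key: " + str, e);
        }
        final String secret;
        try {
            secret = this.secrets.get(str2);
        } catch (ExecutionException e) {
            throw new IOException("Couldn't lookup secret: " + str2, e);
        }
        return new AppCredentials(key, secret);
    }

    /**
     * Reads the full content of one blob from the credential bucket.
     *
     * @param str blob name inside the bucket
     * @return the blob's bytes
     * @throws NullPointerException if the bucket or the blob does not exist
     */
    private byte[] getRawBytes(String str) {
        Bucket bucket = this.storage.get(this.bucketName, new Storage.BucketGetOption[0]);
        Preconditions.checkNotNull(bucket, "Bucket [%s] not found", this.bucketName);
        Blob blob = bucket.get(str, new Storage.BlobGetOption[0]);
        Preconditions.checkNotNull(blob, "blob [%s] not found", str);
        return blob.getContent(new Blob.BlobSourceOption[0]);
    }

    /**
     * Loads the app key stored at {@code keys/<str>.txt}.
     *
     * <p>Decompiler note: this method was originally private; within this class it is only
     * invoked by the {@code keys} cache loader.
     *
     * @param str name of the app key
     * @return the blob content decoded as UTF-8 and trimmed
     */
    public String lookupKey(String str) {
        String blobName = KEYS_DIR + str + KEY_EXTENSION;
        this.monitor.debug(
                () -> String.format("Getting app key for %s (blob %s) from bucket", str, blobName),
                new Object[0]);
        byte[] rawBytes = getRawBytes(blobName);
        Preconditions.checkState(rawBytes != null, "Couldn't look up: " + str);
        // Decode with an explicit charset: new String(byte[]) uses the platform default, which
        // can differ between hosts and corrupt any non-ASCII credential.
        return new String(rawBytes, StandardCharsets.UTF_8).trim();
    }

    /**
     * Loads and decrypts the app secret stored at {@code encrypted_secrets/<str>.encrypted}.
     *
     * <p>Decompiler note: this method was originally private; within this class it is only
     * invoked by the {@code secrets} cache loader.
     *
     * @param str name of the app secret
     * @return the decrypted secret, decoded as UTF-8 and trimmed; never null or empty
     * @throws IOException declared for failures propagated from the decrypter
     * @throws IllegalStateException if the decrypted value is empty
     */
    public String lookupSecret(String str) throws IOException {
        String blobName = SECRETS_DIR + str + SECRET_EXTENSION;
        // Logs the secret's name and blob path only, never the ciphertext or the plaintext.
        this.monitor.debug(
                () -> String.format("Getting app secret for %s (blob %s)", str, blobName),
                new Object[0]);
        byte[] rawBytes = getRawBytes(blobName);
        Preconditions.checkState(rawBytes != null, "Couldn't look up: " + str);
        // Explicit charset for the same reason as in lookupKey.
        // NOTE(review): assumes the secret was UTF-8 (or ASCII) text before encryption; confirm.
        String plaintext =
                new String(this.appSecretDecrypter.decryptAppSecret(rawBytes), StandardCharsets.UTF_8).trim();
        Preconditions.checkState(!Strings.isNullOrEmpty(plaintext), "Couldn't decrypt: " + str);
        return plaintext;
    }
}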
