package com.google.fleetengine.auth.token.factory.signer;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import com.google.fleetengine.auth.token.FleetEngineToken;
import com.google.fleetengine.auth.token.factory.signer.util.CommonConstants;
import java.io.IOException;
import java.util.Arrays;

/* loaded from: input_file:com/google/fleetengine/auth/token/factory/signer/ImpersonatedSigner.class */
/**
 * Signs Fleet Engine JWTs on behalf of an impersonated service account.
 *
 * <p>No private key is held by this class. Every signature is produced by calling
 * {@code ImpersonatedCredentials.sign(byte[])} on the wrapped credentials.
 * NOTE(review): that call is presumably a remote signing request made with the source
 * credentials; confirm against the google-auth-library version in use.
 *
 * <p>This source was reconstructed by a decompiler (JADX), so parameter names such as
 * {@code str} and {@code bArr} are generated, not the authors' originals.
 */
public class ImpersonatedSigner implements Signer {
    // JWT "alg" name and the matching description passed to the auth0 Algorithm base class.
    private static final String ALGORITHM_NAME = "RS256";
    private static final String ALGORITHM_DESCRIPTION = "SHA256withRSA";

    // The only OAuth scope requested: applied to the application-default source credentials
    // in create(String) and to the impersonated credentials in createImpersonatedCredentials.
    static final ImmutableList<String> IAM_SCOPE = ImmutableList.of("https://www.googleapis.com/auth/iam");

    @VisibleForTesting
    final ImpersonatedAccountSignerCredentials impersonatedCredentials;

    @VisibleForTesting
    ImpersonatedSigner(ImpersonatedAccountSignerCredentials impersonatedAccountSignerCredentials) {
        this.impersonatedCredentials = impersonatedAccountSignerCredentials;
    }

    /**
     * Creates a signer that impersonates the given principal using application-default
     * credentials scoped to {@link #IAM_SCOPE}.
     *
     * @param str target principal to impersonate; it is handed to the credentials builder
     *     without any validation in this class
     * @return a signer bound to the impersonated principal
     * @throws SignerInitializationException if the application-default credentials cannot be
     *     loaded
     */
    public static ImpersonatedSigner create(String str) throws SignerInitializationException {
        final GoogleCredentials scopedSource;
        try {
            scopedSource = GoogleCredentials.getApplicationDefault().createScoped(IAM_SCOPE);
        } catch (IOException e) {
            throw new SignerInitializationException("Could not retrieve credentials for default application.", e);
        }
        return create(str, scopedSource);
    }

    /**
     * Creates a signer that impersonates the given principal using the supplied source
     * credentials.
     *
     * @param str target principal to impersonate
     * @param googleCredentials source credentials used to obtain the impersonated identity
     * @return a signer bound to the impersonated principal
     */
    @VisibleForTesting
    static ImpersonatedSigner create(String str, GoogleCredentials googleCredentials) {
        ImpersonatedCredentials impersonated = createImpersonatedCredentials(str, googleCredentials).build();
        return new ImpersonatedSigner(new ImpersonatedAccountSignerCredentials(impersonated));
    }

    /**
     * Prepares the impersonated-credentials builder.
     *
     * <p>Only the source credentials, target principal and scopes are set here.
     * NOTE(review): no lifetime or delegate chain is configured, so the library defaults
     * apply; confirm those defaults are acceptable for the deployment.
     */
    private static ImpersonatedCredentials.Builder createImpersonatedCredentials(
            String targetPrincipal, GoogleCredentials sourceCredentials) {
        ImpersonatedCredentials.Builder builder = ImpersonatedCredentials.newBuilder();
        return builder
                .setSourceCredentials(sourceCredentials)
                .setTargetPrincipal(targetPrincipal)
                .setScopes(IAM_SCOPE);
    }

    /**
     * Returns a copy of the token with its JWT populated and signed.
     *
     * <p>The issuer and subject are both the impersonated account. Audience, expiry,
     * issued-at and the authorization claim are copied from the token as given; this method
     * performs no checks on the token lifetime or audience, so any such policy has to be
     * enforced by whoever builds the {@link FleetEngineToken}.
     *
     * @param fleetEngineToken unsigned token describing the claims to embed
     * @return a new token carrying the signed JWT
     */
    @Override // com.google.fleetengine.auth.token.factory.signer.Signer
    public FleetEngineToken sign(FleetEngineToken fleetEngineToken) {
        String account = this.impersonatedCredentials.getAccount();
        String[] audiences = new String[]{fleetEngineToken.audience()};
        String signedJwt = JWT.create()
                .withIssuer(account)
                .withSubject(account)
                .withAudience(audiences)
                .withExpiresAt(fleetEngineToken.expirationTimestamp())
                .withIssuedAt(fleetEngineToken.creationTimestamp())
                .withClaim(
                        CommonConstants.JWT_CLAIM_AUTHORIZATION_PROPERTY,
                        fleetEngineToken.authorizationClaims().toMap())
                .sign(new ImpersonatedSignerAlgorithm(this.impersonatedCredentials));
        return fleetEngineToken.toBuilder().setJwt(signedJwt).build();
    }

    /**
     * Thin wrapper around {@link ImpersonatedCredentials} exposing the account name and a
     * two-part signing operation.
     *
     * <p>The decompiler reports that access on this class was widened from package-private,
     * so the {@code public} modifiers below may not reflect the original source.
     */
    public static class ImpersonatedAccountSignerCredentials {
        private final ImpersonatedCredentials credentials;

        ImpersonatedAccountSignerCredentials(ImpersonatedCredentials impersonatedCredentials) {
            this.credentials = impersonatedCredentials;
        }

        /**
         * Returns the wrapped credentials object itself, not a copy.
         *
         * <p>NOTE(review): a caller holding this reference can use the impersonated identity
         * directly, outside the JWT shape enforced by {@link ImpersonatedSigner#sign};
         * check the intended visibility before using this accessor outside the package.
         */
        public ImpersonatedCredentials getUnderlyingCredentials() {
            return this.credentials;
        }

        /** Returns the account name reported by the wrapped credentials. */
        public String getAccount() {
            return this.credentials.getAccount();
        }

        /**
         * Joins the two byte arrays with a single {@code '.'} and signs the result with the
         * wrapped credentials.
         *
         * @param bArr first segment (the JWT library passes the encoded header here)
         * @param bArr2 second segment (the JWT library passes the encoded payload here)
         * @return the signature bytes returned by the wrapped credentials
         */
        byte[] sign(byte[] bArr, byte[] bArr2) {
            int firstLength = bArr.length;
            int secondLength = bArr2.length;
            byte[] signingInput = new byte[firstLength + 1 + secondLength];
            System.arraycopy(bArr, 0, signingInput, 0, firstLength);
            // 46 is ASCII '.', the separator between JWT segments.
            signingInput[firstLength] = (byte) '.';
            System.arraycopy(bArr2, 0, signingInput, firstLength + 1, secondLength);
            return this.credentials.sign(signingInput);
        }
    }

    /**
     * auth0 {@link Algorithm} that can only sign, by delegating to the impersonated
     * credentials. Verification is not supported by this class.
     */
    static class ImpersonatedSignerAlgorithm extends Algorithm {
        private final ImpersonatedAccountSignerCredentials impersonatedCredentials;

        public ImpersonatedSignerAlgorithm(ImpersonatedAccountSignerCredentials impersonatedAccountSignerCredentials) {
            super(ALGORITHM_NAME, ALGORITHM_DESCRIPTION);
            this.impersonatedCredentials = impersonatedAccountSignerCredentials;
        }

        /**
         * Always throws: this algorithm never verifies a token, so it cannot be used to
         * accept one.
         *
         * @throws SignatureVerificationException unconditionally
         */
        public void verify(DecodedJWT decodedJWT) {
            RuntimeException cause = new RuntimeException("Verify not implemented");
            throw new SignatureVerificationException(this, cause);
        }

        /**
         * Always throws: the single-array signing entry point is not implemented.
         *
         * <p>NOTE(review): the exception type names verification although this is a signing
         * path, so handlers that look for a signing-failure type will not match it.
         *
         * @throws SignatureVerificationException unconditionally
         */
        public byte[] sign(byte[] bArr) {
            RuntimeException cause = new RuntimeException("sign(byte[]) is deprecated and not implemented");
            throw new SignatureVerificationException(this, cause);
        }

        /**
         * Signs the two segments by delegating to the impersonated credentials.
         *
         * @param bArr first segment to sign
         * @param bArr2 second segment to sign
         * @return the signature bytes
         */
        public byte[] sign(byte[] bArr, byte[] bArr2) {
            return this.impersonatedCredentials.sign(bArr, bArr2);
        }
    }
}
