package com.gu.pandomainauth.service;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.S3ObjectInputStream;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.SecurityUtils;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Group;
import com.google.api.services.admin.directory.model.Groups;
import com.gu.pandomainauth.model.Google2FAGroupSettings;
import java.security.PrivateKey;
import java.util.List;
import scala.Option$;
import scala.collection.IterableLike;
import scala.collection.JavaConverters$;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;

/* compiled from: Google2FAGroupChecker.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005]b\u0001\u0002\t\u0012\u0001iA\u0001\"\t\u0001\u0003\u0002\u0003\u0006IA\t\u0005\tQ\u0001\u0011\t\u0011)A\u0005S!AA\u0007\u0001B\u0001B\u0003%Q\u0007C\u0003@\u0001\u0011\u0005\u0001\tC\u0004G\u0001\t\u0007I\u0011A$\t\rY\u0003\u0001\u0015!\u0003I\u0011\u001d9\u0006A1A\u0005\u0002aCa!\u0019\u0001!\u0002\u0013I\u0006b\u00022\u0001\u0005\u0004%\ta\u0019\u0005\u0007]\u0002\u0001\u000b\u0011\u00023\t\u000f=\u0004!\u0019!C\u0001a\"1\u0011\u0010\u0001Q\u0001\nEDQA\u001f\u0001\u0005\nmDq!!\u0003\u0001\t#\tY\u0001C\u0004\u0002(\u0001!I!!\u000b\u0003\u0019\u001d\u0013x.\u001e9DQ\u0016\u001c7.\u001a:\u000b\u0005I\u0019\u0012aB:feZL7-\u001a\u0006\u0003)U\tQ\u0002]1oI>l\u0017-\u001b8bkRD'B\u0001\f\u0018\u0003\t9WOC\u0001\u0019\u0003\r\u0019w.\\\u0002\u0001'\t\u00011\u0004\u0005\u0002\u001d?5\tQDC\u0001\u001f\u0003\u0015\u00198-\u00197b\u0013\t\u0001SD\u0001\u0004B]f\u0014VMZ\u0001\u0007G>tg-[4\u0011\u0005\r2S\"\u0001\u0013\u000b\u0005\u0015\u001a\u0012!B7pI\u0016d\u0017BA\u0014%\u0005Y9un\\4mKJ2\u0015i\u0012:pkB\u001cV\r\u001e;j]\u001e\u001c\u0018A\u00032vG.,GOT1nKB\u0011!&\r\b\u0003W=\u0002\"\u0001L\u000f\u000e\u00035R!AL\r\u0002\rq\u0012xn\u001c;?\u0013\t\u0001T$\u0001\u0004Qe\u0016$WMZ\u0005\u0003eM\u0012aa\u0015;sS:<'B\u0001\u0019\u001e\u0003!\u00198g\u00117jK:$\bC\u0001\u001c>\u001b\u00059$B\u0001\u001d:\u0003\t\u00198G\u0003\u0002;w\u0005A1/\u001a:wS\u000e,7O\u0003\u0002=/\u0005I\u0011-\\1{_:\fwo]\u0005\u0003}]\u0012\u0001\"Q7bu>t7kM\u0001\u0007y%t\u0017\u000e\u001e 
\u0015\t\u0005\u001bE)\u0012\t\u0003\u0005\u0002i\u0011!\u0005\u0005\u0006C\u0011\u0001\rA\t\u0005\u0006Q\u0011\u0001\r!\u000b\u0005\u0006i\u0011\u0001\r!N\u0001\niJ\fgn\u001d9peR,\u0012\u0001\u0013\t\u0003\u0013Rk\u0011A\u0013\u0006\u0003\u00172\u000bqA[1wC:,GO\u0003\u0002N\u001d\u0006!\u0001\u000e\u001e;q\u0015\ty\u0005+\u0001\u0004dY&,g\u000e\u001e\u0006\u0003#J\u000b1!\u00199j\u0015\t\u0019v#\u0001\u0004h_><G.Z\u0005\u0003+*\u0013\u0001CT3u\u0011R$\b\u000f\u0016:b]N\u0004xN\u001d;\u0002\u0015Q\u0014\u0018M\\:q_J$\b%A\u0006kg>tg)Y2u_JLX#A-\u0011\u0005i{V\"A.\u000b\u0005qk\u0016\u0001\u00036bG.\u001cxN\u001c\u001a\u000b\u0005ys\u0015\u0001\u00026t_:L!\u0001Y.\u0003\u001d)\u000b7m[:p]\u001a\u000b7\r^8ss\u0006a!n]8o\r\u0006\u001cGo\u001c:zA\u0005Q1M]3eK:$\u0018.\u00197\u0016\u0003\u0011\u0004\"!\u001a7\u000e\u0003\u0019T!a\u001a5\u0002\r=\fW\u000f\u001e53\u0015\tI'.\u0001\u0003bkRD'BA6O\u0003)9wn\\4mK\u0006\u0004\u0018n]\u0005\u0003[\u001a\u0014\u0001cR8pO2,7I]3eK:$\u0018.\u00197\u0002\u0017\r\u0014X\rZ3oi&\fG\u000eI\u0001\nI&\u0014Xm\u0019;pef,\u0012!\u001d\t\u0003e^l\u0011a\u001d\u0006\u0003_RT!!\u001e<\u0002\u000b\u0005$W.\u001b8\u000b\u0005i\u0002\u0016B\u0001=t\u0005%!\u0015N]3di>\u0014\u00180\u0001\u0006eSJ,7\r^8ss\u0002\nA\u0004\\8bIN+'O^5dK\u0006\u001b7m\\;oiB\u0013\u0018N^1uK.+\u00170F\u0001}!\ri\u0018QA\u0007\u0002}*\u0019q0!\u0001\u0002\u0011M,7-\u001e:jifT!!a\u0001\u0002\t)\fg/Y\u0005\u0004\u0003\u000fq(A\u0003)sSZ\fG/Z&fs\u0006A\u0001.Y:He>,\b\u000f\u0006\u0004\u0002\u000e\u0005M\u00111\u0005\t\u00049\u0005=\u0011bAA\t;\t9!i\\8mK\u0006t\u0007bBA\u000b\u001d\u0001\u0007\u0011qC\u0001\u0006cV,'/\u001f\t\u0005\u00033\ty\u0002E\u0002r\u00037I1!!\bx\u0005\u00199%o\\;qg&!\u0011\u0011EA\u000e\u0005\u0011a\u0015n\u001d;\t\r\u0005\u0015b\u00021\u0001*\u0003\u001d9'o\\;q\u0013\u0012\fQ\u0002[1t\u001b>\u0014Xm\u0012:pkB\u001cH\u0003BA\u0007\u0003WAq!!\f\u0010\u0001\u0004\ty#\u0001\bhe>,\bo\u001d*fgB|gn]3\u0011\t\u0005E\u0012QG\u0007\u0003\u0003gQ!!J:\n\t\u0005u\u0
0111\u0007")
/* loaded from: input_file:com/gu/pandomainauth/service/GroupChecker.class */
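/*
 * Checks whether a Google Directory group listing contains a group with a given
 * e-mail address. The Directory client authenticates as a service account whose
 * PKCS#12 private key is fetched from S3 when the object is constructed.
 *
 * Security notes for maintainers:
 *  - The credential is built with setServiceAccountUser(adminUserEmail), so
 *    Directory calls are made on behalf of that user. The only scope requested
 *    is admin.directory.group.readonly.
 *  - The PKCS#12 store and key are opened with the fixed passphrase
 *    "notasecret", so the keystore wrapper adds no confidentiality. Protection
 *    of the key rests on who can read the S3 object.
 *    NOTE(review): confirm the bucket is access-restricted and encrypted at rest.
 *  - The private key is loaded once in the constructor; nothing in this class
 *    reloads it after a key rotation.
 */
public class GroupChecker {
    private final Google2FAGroupSettings config;
    private final String bucketName;
    private final AmazonS3 s3Client;
    private final GoogleCredential credential;
    private final NetHttpTransport transport = new NetHttpTransport();
    private final JacksonFactory jsonFactory = new JacksonFactory();
    // Assigned in the constructor, after `credential`: a Java field initializer
    // runs before the constructor body and would capture a null credential.
    private final Directory directory;

    /** Returns the HTTP transport shared by the credential and the Directory client. */
    public NetHttpTransport transport() {
        return this.transport;
    }

    /** Returns the JSON factory shared by the credential and the Directory client. */
    public JacksonFactory jsonFactory() {
        return this.jsonFactory;
    }

    /** Returns the service-account credential built in the constructor. */
    public GoogleCredential credential() {
        return this.credential;
    }

    /** Returns the Directory API client that uses {@link #credential()} for its requests. */
    public Directory directory() {
        return this.directory;
    }

    /**
     * Reads the service account's PKCS#12 keystore from S3 and extracts the
     * private key stored under the alias {@code "privatekey"}.
     *
     * <p>The S3 stream is closed whether or not the key loads, so a malformed
     * keystore does not leak the underlying connection.
     *
     * @return the private key used to sign service-account token requests
     */
    private PrivateKey loadServiceAccountPrivateKey() {
        S3ObjectInputStream keyStream =
                this.s3Client.getObject(this.bucketName, this.config.serviceAccountCert()).getObjectContent();
        try {
            return SecurityUtils.loadPrivateKeyFromKeyStore(
                    SecurityUtils.getPkcs12KeyStore(), keyStream, "notasecret", "privatekey", "notasecret");
        } finally {
            try {
                keyStream.close();
            } catch (Exception ignored) {
                // Best-effort close: a failure here must not mask the load result or its exception.
            }
        }
    }

    /**
     * Executes the given groups query page by page and reports whether any
     * returned group has an e-mail address equal to {@code str}.
     *
     * <p>The comparison is an exact, case-sensitive {@code String.equals}; a
     * group id that differs only in case from the address the directory returns
     * yields {@code false}. Failures from {@code execute()} propagate to the caller.
     * NOTE(review): callers should treat an exception as "membership not confirmed".
     * NOTE(review): a null {@code str} matches a group whose e-mail is null;
     * confirm callers never pass null.
     *
     * @param list the prepared Directory groups query; its page token is advanced in place
     * @param str  the group e-mail address to look for
     * @return {@code true} if a matching group is found on any page, otherwise {@code false}
     */
    public boolean hasGroup(Directory.Groups.List list, String str) {
        Directory.Groups.List query = list;
        while (true) {
            Groups page = query.execute();
            List<Group> entries = page.getGroups();
            // getGroups() may be null when a page carries no groups.
            if (entries != null && $anonfun$hasGroup$1(str, entries)) {
                return true;
            }
            if (!hasMoreGroups(page)) {
                return false;
            }
            query = query.setPageToken(page.getNextPageToken());
        }
    }

    /** Reports whether the response carries a non-empty next-page token. */
    private boolean hasMoreGroups(Groups groups) {
        String nextPageToken = groups.getNextPageToken();
        return nextPageToken != null && nextPageToken.length() > 0;
    }

    /** Null-safe equality between a group's e-mail address and {@code str}. */
    public static final /* synthetic */ boolean $anonfun$hasGroup$2(String str, Group group) {
        String email = group.getEmail();
        return email != null ? email.equals(str) : str == null;
    }

    /** Reports whether any group in {@code list} has an e-mail address equal to {@code str}. */
    public static final /* synthetic */ boolean $anonfun$hasGroup$1(String str, List<Group> list) {
        return list.stream().anyMatch(group -> $anonfun$hasGroup$2(str, group));
    }

    /**
     * Builds the service-account credential and the Directory client.
     *
     * <p>Construction performs an S3 read to fetch the private key, so it fails
     * if the object is missing or unreadable.
     *
     * @param google2FAGroupSettings service account id, admin user e-mail and S3 key of the keystore
     * @param str                    name of the S3 bucket holding the keystore
     * @param amazonS3               S3 client used to fetch the keystore
     */
    public GroupChecker(Google2FAGroupSettings google2FAGroupSettings, String str, AmazonS3 amazonS3) {
        this.config = google2FAGroupSettings;
        this.bucketName = str;
        this.s3Client = amazonS3;
        this.credential = new GoogleCredential.Builder()
                .setTransport(transport())
                .setJsonFactory(jsonFactory())
                .setServiceAccountId(google2FAGroupSettings.serviceAccountId())
                // Single read-only scope: listing groups is all this class needs.
                .setServiceAccountScopes(java.util.Collections.singletonList(
                        "https://www.googleapis.com/auth/admin.directory.group.readonly"))
                .setServiceAccountUser(google2FAGroupSettings.adminUserEmail())
                .setServiceAccountPrivateKey(loadServiceAccountPrivateKey())
                .build();
        this.directory = new Directory.Builder(transport(), jsonFactory(), (HttpRequestInitializer) null)
                .setHttpRequestInitializer(credential())
                .build();
    }
}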
