package com.gu.pandomainauth.service;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.S3ObjectInputStream;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.SecurityUtils;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Group;
import com.google.api.services.admin.directory.model.Groups;
import com.gu.pandomainauth.model.Google2FAGroupSettings;
import java.security.PrivateKey;
import java.util.List;
import scala.Option$;
import scala.collection.IterableLike;
import scala.collection.JavaConverters$;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;

/* compiled from: Google2FAGroupChecker.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005ub\u0001B\t\u0013\u0001mA\u0001B\t\u0001\u0003\u0002\u0003\u0006Ia\t\u0005\tS\u0001\u0011\t\u0011)A\u0005U!AQ\u0007\u0001B\u0001B\u0003%a\u0007\u0003\u0005A\u0001\t\u0005\t\u0015!\u0003+\u0011\u0015\t\u0005\u0001\"\u0001C\u0011\u001dI\u0005A1A\u0005\u0002)Ca!\u0017\u0001!\u0002\u0013Y\u0005b\u0002.\u0001\u0005\u0004%\ta\u0017\u0005\u0007I\u0002\u0001\u000b\u0011\u0002/\t\u000f\u0015\u0004!\u0019!C\u0001M\"1\u0011\u000f\u0001Q\u0001\n\u001dDqA\u001d\u0001C\u0002\u0013\u00051\u000f\u0003\u0004}\u0001\u0001\u0006I\u0001\u001e\u0005\u0006{\u0002!IA \u0005\b\u0003\u001f\u0001A\u0011CA\t\u0011\u001d\ti\u0003\u0001C\u0005\u0003_\u0011Ab\u0012:pkB\u001c\u0005.Z2lKJT!a\u0005\u000b\u0002\u000fM,'O^5dK*\u0011QCF\u0001\u000ea\u0006tGm\\7bS:\fW\u000f\u001e5\u000b\u0005]A\u0012AA4v\u0015\u0005I\u0012aA2p[\u000e\u00011C\u0001\u0001\u001d!\ti\u0002%D\u0001\u001f\u0015\u0005y\u0012!B:dC2\f\u0017BA\u0011\u001f\u0005\u0019\te.\u001f*fM\u000611m\u001c8gS\u001e\u0004\"\u0001J\u0014\u000e\u0003\u0015R!A\n\u000b\u0002\u000b5|G-\u001a7\n\u0005!*#AF$p_\u001edWM\r$B\u000fJ|W\u000f]*fiRLgnZ:\u0002\u0015\t,8m[3u\u001d\u0006lW\r\u0005\u0002,e9\u0011A\u0006\r\t\u0003[yi\u0011A\f\u0006\u0003_i\ta\u0001\u0010:p_Rt\u0014BA\u0019\u001f\u0003\u0019\u0001&/\u001a3fM&\u00111\u0007\u000e\u0002\u0007'R\u0014\u0018N\\4\u000b\u0005Er\u0012\u0001C:4\u00072LWM\u001c;\u0011\u0005]rT\"\u0001\u001d\u000b\u0005eR\u0014AA:4\u0015\tYD(\u0001\u0005tKJ4\u0018nY3t\u0015\ti\u0004$A\u0005b[\u0006TxN\\1xg&\u0011q\b\u000f\u0002\t\u00036\f'p\u001c8Tg\u00059\u0011\r\u001d9OC6,\u0017A\u0002\u001fj]&$h\bF\u0003D\u000b\u001a;\u0005\n\u0005\u0002E\u00015\t!\u0003C\u0003#\u000b\u0001\u00071\u0005C\u0003*\u000b\u0001\u0007!\u0006C\u00036\u000b\u0001\u0007a\u0007C\u0003A\u000b\u0001\u0007!&A\u0005ue\u0006t7\u000f]8siV\t1\n\u0005\u0002M/6\tQJ\u0003\u0002O\u001f\u00069!.\u0019<b]\u0016$(B\u0001)R\u0003\u0011AG\u000f\u001e9\u000b\u0005I\u001b\u0016AB2mS\u0016tGO\u0003\u0002U+\u0006\u0019\u0
011\r]5\u000b\u0005YC\u0012AB4p_\u001edW-\u0003\u0002Y\u001b\n\u0001b*\u001a;IiR\u0004HK]1ogB|'\u000f^\u0001\u000biJ\fgn\u001d9peR\u0004\u0013a\u00036t_:4\u0015m\u0019;pef,\u0012\u0001\u0018\t\u0003;\nl\u0011A\u0018\u0006\u0003?\u0002\f\u0001B[1dWN|gN\r\u0006\u0003CF\u000bAA[:p]&\u00111M\u0018\u0002\u000f\u0015\u0006\u001c7n]8o\r\u0006\u001cGo\u001c:z\u00031Q7o\u001c8GC\u000e$xN]=!\u0003)\u0019'/\u001a3f]RL\u0017\r\\\u000b\u0002OB\u0011\u0001n\\\u0007\u0002S*\u0011!n[\u0001\u0007_\u0006,H\u000f\u001b\u001a\u000b\u00051l\u0017\u0001B1vi\"T!A\\)\u0002\u0015\u001d|wn\u001a7fCBL7/\u0003\u0002qS\n\u0001ri\\8hY\u0016\u001c%/\u001a3f]RL\u0017\r\\\u0001\fGJ,G-\u001a8uS\u0006d\u0007%A\u0005eSJ,7\r^8ssV\tA\u000f\u0005\u0002vu6\taO\u0003\u0002so*\u0011\u00010_\u0001\u0006C\u0012l\u0017N\u001c\u0006\u0003wMK!a\u001f<\u0003\u0013\u0011K'/Z2u_JL\u0018A\u00033je\u0016\u001cGo\u001c:zA\u0005aBn\\1e'\u0016\u0014h/[2f\u0003\u000e\u001cw.\u001e8u!JLg/\u0019;f\u0017\u0016LX#A@\u0011\t\u0005\u0005\u00111B\u0007\u0003\u0003\u0007QA!!\u0002\u0002\b\u0005A1/Z2ve&$\u0018P\u0003\u0002\u0002\n\u0005!!.\u0019<b\u0013\u0011\ti!a\u0001\u0003\u0015A\u0013\u0018N^1uK.+\u00170\u0001\u0005iCN<%o\\;q)\u0019\t\u0019\"!\u0007\u0002*A\u0019Q$!\u0006\n\u0007\u0005]aDA\u0004C_>dW-\u00198\t\u000f\u0005mq\u00021\u0001\u0002\u001e\u0005)\u0011/^3ssB!\u0011qDA\u0013!\r!\u0018\u0011E\u0005\u0004\u0003GQ(AB$s_V\u00048/\u0003\u0003\u0002(\u0005\u0005\"\u0001\u0002'jgRDa!a\u000b\u0010\u0001\u0004Q\u0013aB4s_V\u0004\u0018\nZ\u0001\u000eQ\u0006\u001cXj\u001c:f\u000fJ|W\u000f]:\u0015\t\u0005M\u0011\u0011\u0007\u0005\b\u0003g\u0001\u0002\u0019AA\u001b\u000399'o\\;qgJ+7\u000f]8og\u0016\u0004B!a\u000e\u0002<5\u0011\u0011\u0011\b\u0006\u0003MYLA!a\t\u0002:\u0001")
/* loaded from: input_file:com/gu/pandomainauth/service/GroupChecker.class */
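/**
 * Answers "does this Directory groups query contain a given group?" using the
 * Google Admin SDK Directory API, authenticated as a service account.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The service-account private key is fetched from S3
 *       ({@code bucketName} / {@code config.serviceAccountCert()}). The PKCS#12
 *       password used to open it is the fixed, publicly known default that Google
 *       puts on exported service-account keys, so the password gives no
 *       confidentiality. The key is only as protected as the S3 object is
 *       (bucket policy, IAM, encryption at rest).</li>
 *   <li>The credential is built with {@code setServiceAccountUser(adminUserEmail)},
 *       i.e. it acts on behalf of that user. Anyone who can read the key object can
 *       do the same within the granted scope.</li>
 *   <li>Only the read-only group directory scope is requested.</li>
 * </ul>
 *
 * <p>This source was decompiled from Scala ({@code Google2FAGroupChecker.scala}),
 * which has no checked exceptions. I/O and security exceptions raised by the Google
 * and AWS clients therefore propagate undeclared.
 * NOTE(review): callers presumably use the boolean for a 2FA-group decision; confirm
 * that they treat an exception as "not in group" (fail closed).
 */
public class GroupChecker {
    /** Default password of Google-exported PKCS#12 service-account keys; not a secret. */
    private static final String P12_PASSWORD = "notasecret";
    /** Alias under which the key is stored inside the PKCS#12 file. */
    private static final String P12_KEY_ALIAS = "privatekey";
    /** Least-privilege scope: read-only access to directory groups. */
    private static final String GROUP_READONLY_SCOPE =
            "https://www.googleapis.com/auth/admin.directory.group.readonly";

    private final Google2FAGroupSettings config;
    private final String bucketName;
    private final AmazonS3 s3Client;
    private final NetHttpTransport transport = new NetHttpTransport();
    private final JacksonFactory jsonFactory = new JacksonFactory();
    // Holds the service-account private key in memory for the lifetime of this object.
    private final GoogleCredential credential;
    private final Directory directory;

    /** @return the HTTP transport shared by the credential and the Directory client */
    public NetHttpTransport transport() {
        return this.transport;
    }

    /** @return the JSON factory shared by the credential and the Directory client */
    public JacksonFactory jsonFactory() {
        return this.jsonFactory;
    }

    /**
     * @return the service-account credential. It wraps the private key, so avoid
     *         logging it or handing it to code that does not need it.
     */
    public GoogleCredential credential() {
        return this.credential;
    }

    /** @return the Directory client that authenticates with {@link #credential()} */
    public Directory directory() {
        return this.directory;
    }

    /**
     * Downloads the PKCS#12 key file from S3 and extracts the private key.
     *
     * <p>The stream is closed in a {@code finally} block so that a failed key load
     * (missing alias, corrupt file, wrong format) does not leak the S3 connection.
     *
     * @return the service-account private key
     */
    private PrivateKey loadServiceAccountPrivateKey() {
        S3ObjectInputStream keyStream =
                this.s3Client.getObject(this.bucketName, this.config.serviceAccountCert()).getObjectContent();
        try {
            return SecurityUtils.loadPrivateKeyFromKeyStore(
                    SecurityUtils.getPkcs12KeyStore(), keyStream, P12_PASSWORD, P12_KEY_ALIAS, P12_PASSWORD);
        } finally {
            try {
                keyStream.close();
            } catch (Exception ignored) {
                // Best-effort close: the key has already been read or the load has already failed.
            }
        }
    }

    /**
     * Executes the given groups-list request, following pagination, and reports
     * whether any returned group has exactly the given email address.
     *
     * <p>The comparison is {@link String#equals(Object)}: it is case-sensitive and
     * does no normalisation, so a differently-cased configured address yields
     * {@code false}. Pages are walked iteratively, so a very long listing cannot
     * exhaust the stack.
     *
     * @param list a prepared Directory groups-list request; its page token is
     *             updated in place while paging
     * @param str  the group email address to look for
     * @return {@code true} if a matching group is found on any page, otherwise {@code false}
     */
    public boolean hasGroup(Directory.Groups.List list, String str) {
        Directory.Groups.List request = list;
        while (true) {
            Groups page = (Groups) request.execute();
            List pageGroups = page.getGroups();
            // getGroups() is null when the page carries no groups; treat that as "no match here".
            if (pageGroups != null && $anonfun$hasGroup$1(str, pageGroups)) {
                return true;
            }
            if (!hasMoreGroups(page)) {
                return false;
            }
            request = request.setPageToken(page.getNextPageToken());
        }
    }

    /** @return {@code true} if the response carries a non-empty next-page token */
    private boolean hasMoreGroups(Groups groups) {
        String nextPageToken = groups.getNextPageToken();
        return nextPageToken != null && nextPageToken.length() > 0;
    }

    /**
     * Null-safe, case-sensitive equality between a group's email and the wanted address.
     * Compiler-generated in the original Scala; kept public for binary compatibility.
     */
    public static final /* synthetic */ boolean $anonfun$hasGroup$2(String str, Group group) {
        String email = group.getEmail();
        return email != null ? email.equals(str) : str == null;
    }

    /**
     * Reports whether any group in {@code list} matches {@code str}.
     * Compiler-generated in the original Scala; the raw {@code List} parameter is
     * kept so the signature stays unchanged.
     */
    public static final /* synthetic */ boolean $anonfun$hasGroup$1(String str, List list) {
        for (Object candidate : list) {
            if ($anonfun$hasGroup$2(str, (Group) candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the service-account credential and the Directory client.
     *
     * <p>The constructor performs network I/O: it reads the key file from S3. A
     * failure to fetch or parse the key surfaces here as an exception.
     *
     * @param google2FAGroupSettings service-account id, admin user to act as, and S3 key of the PKCS#12 file
     * @param str      name of the S3 bucket holding the PKCS#12 file
     * @param amazonS3 S3 client used to fetch the key
     * @param str2     application name reported to the Directory API
     */
    public GroupChecker(Google2FAGroupSettings google2FAGroupSettings, String str, AmazonS3 amazonS3, String str2) {
        // These three fields must be set before loadServiceAccountPrivateKey() runs below.
        this.config = google2FAGroupSettings;
        this.bucketName = str;
        this.s3Client = amazonS3;
        this.credential = new GoogleCredential.Builder()
                .setTransport(transport())
                .setJsonFactory(jsonFactory())
                .setServiceAccountId(google2FAGroupSettings.serviceAccountId())
                .setServiceAccountScopes(java.util.Collections.singletonList(GROUP_READONLY_SCOPE))
                .setServiceAccountUser(google2FAGroupSettings.adminUserEmail())
                .setServiceAccountPrivateKey(loadServiceAccountPrivateKey())
                .build();
        this.directory = new Directory.Builder(transport(), jsonFactory(), (HttpRequestInitializer) null)
                .setApplicationName(str2)
                .setHttpRequestInitializer(credential())
                .build();
    }
}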
