package com.gu.pandomainauth.service;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.S3ObjectInputStream;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.SecurityUtils;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Group;
import com.google.api.services.admin.directory.model.Groups;
import com.google.api.services.admin.directory.model.MembersHasMember;
import com.gu.pandomainauth.model.Google2FAGroupSettings;
import java.security.PrivateKey;
import java.util.List;
import scala.Option$;
import scala.Predef$;
import scala.collection.Iterable;
import scala.jdk.CollectionConverters$;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;

/* compiled from: Google2FAGroupChecker.scala */
@ScalaSignature(bytes = "\u0006\u0005\u0005\u001dc\u0001\u0002\n\u0014\u0001qA\u0001b\t\u0001\u0003\u0002\u0003\u0006I\u0001\n\u0005\tU\u0001\u0011\t\u0011)A\u0005W!Aa\u0007\u0001B\u0001B\u0003%q\u0007\u0003\u0005B\u0001\t\u0005\t\u0015!\u0003,\u0011\u0015\u0011\u0005\u0001\"\u0001D\u0011\u001dQ\u0005A1A\u0005\u0002-CaA\u0017\u0001!\u0002\u0013a\u0005bB.\u0001\u0005\u0004%\t\u0001\u0018\u0005\u0007K\u0002\u0001\u000b\u0011B/\t\u000f\u0019\u0004!\u0019!C\u0001O\"1!\u000f\u0001Q\u0001\n!Dqa\u001d\u0001C\u0002\u0013\u0005A\u000f\u0003\u0004~\u0001\u0001\u0006I!\u001e\u0005\u0006}\u0002!Ia \u0005\b\u0003#\u0001A\u0011CA\n\u0011\u001d\t\t\u0002\u0001C\t\u0003_Aq!a\u000e\u0001\t\u0013\tID\u0001\u0007He>,\bo\u00115fG.,'O\u0003\u0002\u0015+\u000591/\u001a:wS\u000e,'B\u0001\f\u0018\u00035\u0001\u0018M\u001c3p[\u0006Lg.Y;uQ*\u0011\u0001$G\u0001\u0003OVT\u0011AG\u0001\u0004G>l7\u0001A\n\u0003\u0001u\u0001\"AH\u0011\u000e\u0003}Q\u0011\u0001I\u0001\u0006g\u000e\fG.Y\u0005\u0003E}\u0011a!\u00118z%\u00164\u0017AB2p]\u001aLw\r\u0005\u0002&Q5\taE\u0003\u0002(+\u0005)Qn\u001c3fY&\u0011\u0011F\n\u0002\u0017\u000f>|w\r\\33\r\u0006;%o\\;q'\u0016$H/\u001b8hg\u0006Q!-^2lKRt\u0015-\\3\u0011\u00051\u001adBA\u00172!\tqs$D\u00010\u0015\t\u00014$\u0001\u0004=e>|GOP\u0005\u0003e}\ta\u0001\u0015:fI\u00164\u0017B\u0001\u001b6\u0005\u0019\u0019FO]5oO*\u0011!gH\u0001\tgN\u001aE.[3oiB\u0011\u0001hP\u0007\u0002s)\u0011!hO\u0001\u0003gNR!\u0001P\u001f\u0002\u0011M,'O^5dKNT!AP\r\u0002\u0013\u0005l\u0017M_8oC^\u001c\u0018B\u0001!:\u0005!\tU.\u0019>p]N\u001b\u0014aB1qa:\u000bW.Z\u0001\u0007y%t\u0017\u000e\u001e 
\u0015\u000b\u00113u\tS%\u0011\u0005\u0015\u0003Q\"A\n\t\u000b\r*\u0001\u0019\u0001\u0013\t\u000b)*\u0001\u0019A\u0016\t\u000bY*\u0001\u0019A\u001c\t\u000b\u0005+\u0001\u0019A\u0016\u0002\u0013Q\u0014\u0018M\\:q_J$X#\u0001'\u0011\u00055CV\"\u0001(\u000b\u0005=\u0003\u0016a\u00026bm\u0006tW\r\u001e\u0006\u0003#J\u000bA\u0001\u001b;ua*\u00111\u000bV\u0001\u0007G2LWM\u001c;\u000b\u0005U3\u0016aA1qS*\u0011q+G\u0001\u0007O>|w\r\\3\n\u0005es%\u0001\u0005(fi\"#H\u000f\u001d+sC:\u001c\bo\u001c:u\u0003)!(/\u00198ta>\u0014H\u000fI\u0001\fUN|gNR1di>\u0014\u00180F\u0001^!\tq6-D\u0001`\u0015\t\u0001\u0017-\u0001\u0005kC\u000e\\7o\u001c83\u0015\t\u0011'+\u0001\u0003kg>t\u0017B\u00013`\u00059Q\u0015mY6t_:4\u0015m\u0019;pef\fAB[:p]\u001a\u000b7\r^8ss\u0002\n!b\u0019:fI\u0016tG/[1m+\u0005A\u0007CA5q\u001b\u0005Q'BA6m\u0003\u0019y\u0017-\u001e;ie)\u0011QN\\\u0001\u0005CV$\bN\u0003\u0002p%\u0006Qqm\\8hY\u0016\f\u0007/[:\n\u0005ET'\u0001E$p_\u001edWm\u0011:fI\u0016tG/[1m\u0003-\u0019'/\u001a3f]RL\u0017\r\u001c\u0011\u0002\u0013\u0011L'/Z2u_JLX#A;\u0011\u0005Y\\X\"A<\u000b\u0005MD(BA={\u0003\u0015\tG-\\5o\u0015\taD+\u0003\u0002}o\nIA)\u001b:fGR|'/_\u0001\u000bI&\u0014Xm\u0019;pef\u0004\u0013\u0001\b7pC\u0012\u001cVM\u001d<jG\u0016\f5mY8v]R\u0004&/\u001b<bi\u0016\\U-_\u000b\u0003\u0003\u0003\u0001B!a\u0001\u0002\u000e5\u0011\u0011Q\u0001\u0006\u0005\u0003\u000f\tI!\u0001\u0005tK\u000e,(/\u001b;z\u0015\t\tY!\u0001\u0003kCZ\f\u0017\u0002BA\b\u0003\u000b\u0011!\u0002\u0015:jm\u0006$XmS3z\u0003!A\u0017m]$s_V\u0004HCBA\u000b\u00037\tY\u0003E\u0002\u001f\u0003/I1!!\u0007 
\u0005\u001d\u0011un\u001c7fC:Dq!!\b\u0010\u0001\u0004\ty\"A\u0003rk\u0016\u0014\u0018\u0010\u0005\u0003\u0002\"\u0005\u001d\u0002cA;\u0002$%\u0019\u0011QE>\u0003\r\u001d\u0013x.\u001e9t\u0013\u0011\tI#a\t\u0003\t1K7\u000f\u001e\u0005\u0007\u0003[y\u0001\u0019A\u0016\u0002\u000f\u001d\u0014x.\u001e9JIR1\u0011QCA\u0019\u0003kAa!a\r\u0011\u0001\u0004Y\u0013!C;tKJ,U.Y5m\u0011\u0019\ti\u0003\u0005a\u0001W\u0005i\u0001.Y:N_J,wI]8vaN$B!!\u0006\u0002<!9\u0011QH\tA\u0002\u0005}\u0012AD4s_V\u00048OU3ta>t7/\u001a\t\u0005\u0003\u0003\n)%\u0004\u0002\u0002D)\u0011qe^\u0005\u0005\u0003K\t\u0019\u0005")
/* loaded from: input_file:com/gu/pandomainauth/service/GroupChecker.class */
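/**
 * Checks Google Workspace group membership through the Admin SDK Directory API,
 * authenticating as a service account whose PKCS#12 key is fetched from S3.
 *
 * <p>This source is decompiler output of a Scala class. Checked exceptions thrown by the
 * Google and AWS clients are therefore not declared on the methods below; they still
 * propagate at runtime.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The credential is built with {@code setServiceAccountUser(adminUserEmail)}, so the
 *       service account acts on behalf of that admin user. The only scope requested is
 *       {@code admin.directory.group.readonly}; keep it that narrow.</li>
 *   <li>The key store password is the fixed string {@code "notasecret"}, so it gives no
 *       confidentiality. The private key is protected only by access control on the S3
 *       object named by {@code config.serviceAccountCert()} in {@code bucketName}.</li>
 *   <li>The membership checks throw when the Directory API call fails. Callers that gate
 *       access on the result should treat a failure as "not a member".</li>
 * </ul>
 */
public class GroupChecker {
    private final Google2FAGroupSettings config;
    private final String bucketName;
    private final AmazonS3 s3Client;
    private final NetHttpTransport transport = new NetHttpTransport();
    private final JacksonFactory jsonFactory = new JacksonFactory();
    private final GoogleCredential credential;
    private final Directory directory;

    /** Returns the HTTP transport shared by the credential and the Directory client. */
    public NetHttpTransport transport() {
        return this.transport;
    }

    /** Returns the JSON factory shared by the credential and the Directory client. */
    public JacksonFactory jsonFactory() {
        return this.jsonFactory;
    }

    /**
     * Returns the service-account credential built in the constructor.
     *
     * <p>NOTE(review): this public accessor exposes an object that holds the service
     * account's private key; confirm that callers outside this class actually need it.
     */
    public GoogleCredential credential() {
        return this.credential;
    }

    /** Returns the Directory API client that sends requests using {@link #credential()}. */
    public Directory directory() {
        return this.directory;
    }

    /**
     * Downloads the service account's PKCS#12 key store from S3 and extracts the private key
     * stored under the alias {@code "privatekey"}.
     *
     * <p>The S3 stream is closed in a {@code finally} block so that a failure while parsing
     * the key store does not leak the underlying HTTP connection. The original closed the
     * stream only after a successful load.
     *
     * @return the private key used to sign the service account's token requests
     */
    private PrivateKey loadServiceAccountPrivateKey() {
        S3ObjectInputStream objectContent =
                this.s3Client.getObject(this.bucketName, this.config.serviceAccountCert()).getObjectContent();
        try {
            // "notasecret" is used for both the store and the key password. Being a fixed,
            // public string it protects nothing: the S3 object's permissions are the control.
            return SecurityUtils.loadPrivateKeyFromKeyStore(
                    SecurityUtils.getPkcs12KeyStore(), objectContent, "notasecret", "privatekey", "notasecret");
        } finally {
            try {
                objectContent.close();
            } catch (Exception ignored) {
                // Best effort, as in the original: the key (or the primary exception) is
                // already determined, and a close failure must not mask it.
            }
        }
    }

    /**
     * Reports whether any group returned by a Directory "list groups" query has the given
     * e-mail address, following {@code nextPageToken} until a match is found or the pages
     * run out.
     *
     * <p>The comparison is an exact, case-sensitive {@code String.equals}. Pages are fetched
     * in a loop rather than by recursion, so a long result set does not grow the stack.
     * {@code setPageToken} is called on the supplied request, as in the original.
     *
     * @param list the prepared groups query; it is executed once per page
     * @param str  the group e-mail address to look for
     * @return {@code true} if a group with that e-mail address appears in any page
     */
    public boolean hasGroup(Directory.Groups.List list, String str) {
        Directory.Groups.List request = list;
        while (true) {
            Groups groups = (Groups) request.execute();
            // A page without a "groups" field is treated as empty (the original wrapped
            // the value in an Option for the same reason).
            List<Group> page = groups.getGroups();
            if (page != null && $anonfun$hasGroup$1(str, page)) {
                return true;
            }
            if (!hasMoreGroups(groups)) {
                return false;
            }
            request = request.setPageToken(groups.getNextPageToken());
        }
    }

    /**
     * Asks the Directory API whether a user is a member of a group.
     *
     * <p>Mind the argument order: this method takes the member first and the group second,
     * while the underlying {@code hasMember} call takes the group first.
     *
     * <p>A response without an {@code isMember} value is reported as {@code false} (deny)
     * instead of failing with a {@code NullPointerException} while unboxing.
     *
     * @param str  the member to check, passed as the second argument of {@code hasMember}
     * @param str2 the group to check against, passed as the first argument of {@code hasMember}
     * @return {@code true} only if the API explicitly reports membership
     */
    public boolean hasGroup(String str, String str2) {
        MembersHasMember response = (MembersHasMember) directory().members().hasMember(str2, str).execute();
        return Boolean.TRUE.equals(response.getIsMember());
    }

    /** Returns whether the response carries a non-empty token for a further page. */
    private boolean hasMoreGroups(Groups groups) {
        String nextPageToken = groups.getNextPageToken();
        return nextPageToken != null && !nextPageToken.isEmpty();
    }

    /**
     * Compiler-generated helper kept for binary compatibility: null-safe, case-sensitive
     * equality between a group's e-mail address and {@code str}.
     */
    public static final /* synthetic */ boolean $anonfun$hasGroup$2(String str, Group group) {
        String email = group.getEmail();
        return email != null ? email.equals(str) : str == null;
    }

    /**
     * Compiler-generated helper kept for binary compatibility: reports whether any group in
     * {@code list} has the e-mail address {@code str}.
     */
    public static final /* synthetic */ boolean $anonfun$hasGroup$1(String str, List list) {
        for (Object candidate : list) {
            if ($anonfun$hasGroup$2(str, (Group) candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the service-account credential and the Directory client.
     *
     * <p>The constructor performs network I/O: it downloads the key store from S3 before
     * returning, so construction fails if the object cannot be read or parsed.
     *
     * @param google2FAGroupSettings supplies the service account id, the admin user to act
     *                               as, and the S3 key of the PKCS#12 key store
     * @param str                    name of the S3 bucket holding the key store
     * @param amazonS3               S3 client used to fetch the key store
     * @param str2                   application name set on the Directory client
     */
    public GroupChecker(Google2FAGroupSettings google2FAGroupSettings, String str, AmazonS3 amazonS3, String str2) {
        // These three fields must be assigned first: loadServiceAccountPrivateKey() reads them.
        this.config = google2FAGroupSettings;
        this.bucketName = str;
        this.s3Client = amazonS3;
        this.credential = new GoogleCredential.Builder()
                .setTransport(transport())
                .setJsonFactory(jsonFactory())
                .setServiceAccountId(google2FAGroupSettings.serviceAccountId())
                // Least privilege: read-only access to groups is all the checks need.
                .setServiceAccountScopes(java.util.Collections.singletonList(
                        "https://www.googleapis.com/auth/admin.directory.group.readonly"))
                // The service account acts as this admin user when calling the API.
                .setServiceAccountUser(google2FAGroupSettings.adminUserEmail())
                .setServiceAccountPrivateKey(loadServiceAccountPrivateKey())
                .build();
        this.directory = new Directory.Builder(transport(), jsonFactory(), (HttpRequestInitializer) null)
                .setApplicationName(str2)
                .setHttpRequestInitializer(credential())
                .build();
    }
}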
