package com.netflix.spinnaker.fiat.roles.google;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.batch.BatchRequest;
import com.google.api.client.googleapis.batch.json.JsonBatchCallback;
import com.google.api.client.googleapis.json.GoogleJsonError;
import com.google.api.client.googleapis.json.GoogleJsonErrorContainer;
import com.google.api.client.http.HttpBackOffUnsuccessfulResponseHandler;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.ExponentialBackOff;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Group;
import com.google.api.services.admin.directory.model.Groups;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.permissions.ExternalUser;
import com.netflix.spinnaker.fiat.roles.UserRolesProvider;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.ConfigurablePropertyAccessor;
import org.springframework.beans.PropertyAccessorFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;

@ConditionalOnProperty(value = {"auth.group-membership.service"}, havingValue = "google")
@Component
/* loaded from: input_file:com/netflix/spinnaker/fiat/roles/google/GoogleDirectoryUserRolesProvider.class */
public class GoogleDirectoryUserRolesProvider implements UserRolesProvider, InitializingBean {
    public static final String SERVICE_ACCOUNT_SUFFIX = "@managed-service-account";
    public static final String SHARED_SERVICE_ACCOUNT_SUFFIX = "@shared-managed-service-account";

    @Autowired
    private Config config;
    private static final Logger log = LoggerFactory.getLogger(GoogleDirectoryUserRolesProvider.class);
    private static final Collection<String> SERVICE_ACCOUNT_SCOPES = Collections.singleton("https://www.googleapis.com/auth/admin.directory.group.readonly");

    @ConfigurationProperties("auth.group-membership.google")
    @Configuration
    /* loaded from: input_file:com/netflix/spinnaker/fiat/roles/google/GoogleDirectoryUserRolesProvider$Config.class */
    public static class Config {
        private String credentialPath;
        private String adminUsername;
        private String domain;
        private RoleSource[] roleSources = {RoleSource.NAME};

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:com/netflix/spinnaker/fiat/roles/google/GoogleDirectoryUserRolesProvider$Config$RoleSource.class */
        public enum RoleSource {
            NAME,
            EMAIL
        }

        public String getCredentialPath() {
            return this.credentialPath;
        }

        public String getAdminUsername() {
            return this.adminUsername;
        }

        public String getDomain() {
            return this.domain;
        }

        public RoleSource[] getRoleSources() {
            return this.roleSources;
        }

        public Config setCredentialPath(String str) {
            this.credentialPath = str;
            return this;
        }

        public Config setAdminUsername(String str) {
            this.adminUsername = str;
            return this;
        }

        public Config setDomain(String str) {
            this.domain = str;
            return this;
        }

        public Config setRoleSources(RoleSource[] roleSourceArr) {
            this.roleSources = roleSourceArr;
            return this;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof Config)) {
                return false;
            }
            Config config = (Config) obj;
            if (!config.canEqual(this)) {
                return false;
            }
            String credentialPath = getCredentialPath();
            String credentialPath2 = config.getCredentialPath();
            if (credentialPath == null) {
                if (credentialPath2 != null) {
                    return false;
                }
            } else if (!credentialPath.equals(credentialPath2)) {
                return false;
            }
            String adminUsername = getAdminUsername();
            String adminUsername2 = config.getAdminUsername();
            if (adminUsername == null) {
                if (adminUsername2 != null) {
                    return false;
                }
            } else if (!adminUsername.equals(adminUsername2)) {
                return false;
            }
            String domain = getDomain();
            String domain2 = config.getDomain();
            if (domain == null) {
                if (domain2 != null) {
                    return false;
                }
            } else if (!domain.equals(domain2)) {
                return false;
            }
            return Arrays.deepEquals(getRoleSources(), config.getRoleSources());
        }

        protected boolean canEqual(Object obj) {
            return obj instanceof Config;
        }

        public int hashCode() {
            String credentialPath = getCredentialPath();
            int hashCode = (1 * 59) + (credentialPath == null ? 43 : credentialPath.hashCode());
            String adminUsername = getAdminUsername();
            int hashCode2 = (hashCode * 59) + (adminUsername == null ? 43 : adminUsername.hashCode());
            String domain = getDomain();
            return (((hashCode2 * 59) + (domain == null ? 43 : domain.hashCode())) * 59) + Arrays.deepHashCode(getRoleSources());
        }

        public String toString() {
            return "GoogleDirectoryUserRolesProvider.Config(credentialPath=" + getCredentialPath() + ", adminUsername=" + getAdminUsername() + ", domain=" + getDomain() + ", roleSources=" + Arrays.deepToString(getRoleSources()) + ")";
        }
    }

    /* loaded from: input_file:com/netflix/spinnaker/fiat/roles/google/GoogleDirectoryUserRolesProvider$GroupBatchCallback.class */
    private class GroupBatchCallback extends JsonBatchCallback<Groups> {
        Map<String, Collection<Role>> emailGroupsMap;
        String email;

        public void onFailure(GoogleJsonError googleJsonError, HttpHeaders httpHeaders) throws IOException {
            GoogleDirectoryUserRolesProvider.log.warn("Failed to fetch groups for user " + this.email + ": " + googleJsonError.getMessage());
        }

        public void onSuccess(Groups groups, HttpHeaders httpHeaders) throws IOException {
            if (groups == null || groups.getGroups() == null || groups.getGroups().isEmpty()) {
                GoogleDirectoryUserRolesProvider.log.debug("No groups found for user " + this.email);
            } else {
                this.emailGroupsMap.put(this.email, (Set) groups.getGroups().stream().flatMap(GoogleDirectoryUserRolesProvider.this.toRoleFn()).collect(Collectors.toSet()));
            }
        }

        public GroupBatchCallback() {
        }

        public Map<String, Collection<Role>> getEmailGroupsMap() {
            return this.emailGroupsMap;
        }

        public String getEmail() {
            return this.email;
        }

        public GroupBatchCallback setEmailGroupsMap(Map<String, Collection<Role>> map) {
            this.emailGroupsMap = map;
            return this;
        }

        public GroupBatchCallback setEmail(String str) {
            this.email = str;
            return this;
        }

        public String toString() {
            return "GoogleDirectoryUserRolesProvider.GroupBatchCallback(emailGroupsMap=" + getEmailGroupsMap() + ", email=" + getEmail() + ")";
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof GroupBatchCallback)) {
                return false;
            }
            GroupBatchCallback groupBatchCallback = (GroupBatchCallback) obj;
            if (!groupBatchCallback.canEqual(this) || !GoogleDirectoryUserRolesProvider.super.equals(obj)) {
                return false;
            }
            Map<String, Collection<Role>> emailGroupsMap = getEmailGroupsMap();
            Map<String, Collection<Role>> emailGroupsMap2 = groupBatchCallback.getEmailGroupsMap();
            if (emailGroupsMap == null) {
                if (emailGroupsMap2 != null) {
                    return false;
                }
            } else if (!emailGroupsMap.equals(emailGroupsMap2)) {
                return false;
            }
            String email = getEmail();
            String email2 = groupBatchCallback.getEmail();
            return email == null ? email2 == null : email.equals(email2);
        }

        protected boolean canEqual(Object obj) {
            return obj instanceof GroupBatchCallback;
        }

        public int hashCode() {
            int hashCode = GoogleDirectoryUserRolesProvider.super.hashCode();
            Map<String, Collection<Role>> emailGroupsMap = getEmailGroupsMap();
            int hashCode2 = (hashCode * 59) + (emailGroupsMap == null ? 43 : emailGroupsMap.hashCode());
            String email = getEmail();
            return (hashCode2 * 59) + (email == null ? 43 : email.hashCode());
        }
    }

    public void afterPropertiesSet() throws Exception {
        Assert.state(this.config.getDomain() != null, "Supply a domain");
        Assert.state(this.config.getAdminUsername() != null, "Supply an admin username");
    }

    public Map<String, Collection<Role>> multiLoadRoles(Collection<ExternalUser> collection) {
        if (collection == null || collection.isEmpty()) {
            return new HashMap();
        }
        Collection collection2 = (Collection) collection.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList());
        HashMap hashMap = new HashMap();
        Directory directoryService = getDirectoryService();
        BatchRequest batch = directoryService.batch();
        collection2.forEach(str -> {
            try {
                if (str.endsWith(SERVICE_ACCOUNT_SUFFIX) || str.endsWith(SHARED_SERVICE_ACCOUNT_SUFFIX)) {
                    return;
                }
                GroupBatchCallback email = new GroupBatchCallback().setEmailGroupsMap(hashMap).setEmail(str);
                HttpRequest buildHttpRequest = directoryService.groups().list().setDomain(this.config.getDomain()).setUserKey(str).buildHttpRequest();
                HttpBackOffUnsuccessfulResponseHandler httpBackOffUnsuccessfulResponseHandler = new HttpBackOffUnsuccessfulResponseHandler(new ExponentialBackOff());
                httpBackOffUnsuccessfulResponseHandler.setBackOffRequired(httpResponse -> {
                    int statusCode = httpResponse.getStatusCode();
                    return statusCode == 403 || statusCode / 100 == 5;
                });
                buildHttpRequest.setUnsuccessfulResponseHandler(httpBackOffUnsuccessfulResponseHandler);
                batch.queue(buildHttpRequest, Groups.class, GoogleJsonErrorContainer.class, email);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        });
        try {
            batch.execute();
            return hashMap;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public List<Role> loadRoles(ExternalUser externalUser) {
        if (externalUser == null || externalUser.getId().isEmpty()) {
            return new ArrayList();
        }
        String id = externalUser.getId();
        if (id.endsWith(SERVICE_ACCOUNT_SUFFIX) || id.endsWith(SHARED_SERVICE_ACCOUNT_SUFFIX)) {
            return new ArrayList();
        }
        try {
            Groups groupsFromEmail = getGroupsFromEmail(id);
            return (groupsFromEmail == null || groupsFromEmail.getGroups() == null || groupsFromEmail.getGroups().isEmpty()) ? new ArrayList() : (List) groupsFromEmail.getGroups().stream().flatMap(toRoleFn()).collect(Collectors.toList());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    protected Groups getGroupsFromEmail(String str) throws IOException {
        Directory directoryService = getDirectoryService();
        Groups groups = (Groups) directoryService.groups().list().setDomain(this.config.getDomain()).setUserKey(str).execute();
        String nextPageToken = groups.getNextPageToken();
        while (true) {
            String str2 = nextPageToken;
            if (str2 == null) {
                return groups;
            }
            Groups groups2 = (Groups) directoryService.groups().list().setDomain(this.config.getDomain()).setUserKey(str).setPageToken(str2).execute();
            groups.getGroups().addAll(groups2.getGroups());
            nextPageToken = groups2.getNextPageToken();
        }
    }

    private GoogleCredential getGoogleCredential() {
        try {
            return StringUtils.isNotEmpty(this.config.getCredentialPath()) ? GoogleCredential.fromStream(new FileInputStream(this.config.getCredentialPath())) : GoogleCredential.getApplicationDefault();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private Directory getDirectoryService() {
        NetHttpTransport netHttpTransport = new NetHttpTransport();
        JacksonFactory jacksonFactory = new JacksonFactory();
        GoogleCredential googleCredential = getGoogleCredential();
        ConfigurablePropertyAccessor forDirectFieldAccess = PropertyAccessorFactory.forDirectFieldAccess(googleCredential);
        forDirectFieldAccess.setPropertyValue("serviceAccountUser", this.config.getAdminUsername());
        forDirectFieldAccess.setPropertyValue("serviceAccountScopes", SERVICE_ACCOUNT_SCOPES);
        return new Directory.Builder(netHttpTransport, jacksonFactory, googleCredential).setApplicationName("Spinnaker-Fiat").build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Role toRole(Group group, Config.RoleSource roleSource) {
        if (roleSource == Config.RoleSource.EMAIL) {
            if (group.getEmail() == null) {
                return null;
            }
            return new Role().setName(group.getEmail().toLowerCase()).setSource(Role.Source.GOOGLE_GROUPS);
        }
        if (roleSource != Config.RoleSource.NAME) {
            throw new RuntimeException("Unexpected Google role source: " + roleSource);
        }
        if (group.getName() == null) {
            return null;
        }
        return new Role().setName(group.getName().toLowerCase()).setSource(Role.Source.GOOGLE_GROUPS);
    }

    private Function<Group, Stream<Role>> toRoleFn() {
        return group -> {
            return Arrays.stream(this.config.roleSources).map(roleSource -> {
                return toRole(group, roleSource);
            });
        };
    }

    public GoogleDirectoryUserRolesProvider setConfig(Config config) {
        this.config = config;
        return this;
    }
}
