package net.snowflake.client.core.auth.wif;

import java.util.Collections;
import net.snowflake.client.core.SFLoginInput;
import net.snowflake.client.core.SnowflakeJdbcInternalApi;
import net.snowflake.client.core.auth.wif.WorkloadIdentityUtil;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;
import org.apache.http.client.methods.HttpGet;

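/**
 * Builds a {@link WorkloadIdentityAttestation} for workloads running on GCP by requesting an
 * identity token from the instance metadata service.
 *
 * <p>Security notes for maintainers:
 *
 * <ul>
 *   <li>The token returned by the metadata service is a bearer credential. It is passed on inside
 *       the attestation and must never be written to logs.
 *   <li>Claims are read with {@code extractClaimsWithoutVerifyingSignature}, so nothing in this
 *       class authenticates the token. The issuer comparison below is a client-side sanity check
 *       only; signature validation is presumably done by the service that consumes the
 *       attestation (not visible from this class; confirm).
 *   <li>The default metadata endpoint is a plain-HTTP link-local address. The base URL can only
 *       be replaced through the package-private constructor.
 * </ul>
 */
@SnowflakeJdbcInternalApi
public class GcpIdentityAttestationCreator implements WorkloadIdentityAttestationCreator {
    private static final String METADATA_FLAVOR_HEADER_NAME = "Metadata-Flavor";
    private static final String METADATA_FLAVOR = "Google";
    private static final String EXPECTED_GCP_TOKEN_ISSUER = "https://accounts.google.com";
    private static final String DEFAULT_GCP_METADATA_SERVICE_BASE_URL = "http://169.254.169.254";
    private final String gcpMetadataServiceBaseUrl;
    private static final SFLogger logger = SFLoggerFactory.getLogger((Class<?>) GcpIdentityAttestationCreator.class);
    private final SFLoginInput loginInput;

    /**
     * Creates an attestation creator that talks to the default metadata service address.
     *
     * @param sFLoginInput login input handed to {@code WorkloadIdentityUtil.performIdentityRequest}
     */
    public GcpIdentityAttestationCreator(SFLoginInput sFLoginInput) {
        this.loginInput = sFLoginInput;
        this.gcpMetadataServiceBaseUrl = DEFAULT_GCP_METADATA_SERVICE_BASE_URL;
    }

    /**
     * Creates an attestation creator with an explicit metadata service base URL.
     *
     * <p>Package-private: whoever controls this URL controls the token that ends up in the
     * attestation, so it must not be derived from untrusted input.
     *
     * @param sFLoginInput login input handed to {@code WorkloadIdentityUtil.performIdentityRequest}
     * @param str base URL of the metadata service, without a trailing path
     */
    GcpIdentityAttestationCreator(SFLoginInput sFLoginInput, String str) {
        this.loginInput = sFLoginInput;
        this.gcpMetadataServiceBaseUrl = str;
    }

    /**
     * Fetches a GCP identity token and wraps it in an attestation.
     *
     * @return the attestation carrying the raw token and its {@code sub} claim, or {@code null}
     *     when no token could be fetched, its claims could not be read, or its issuer is not the
     *     expected one
     */
    @Override
    public WorkloadIdentityAttestation createAttestation() {
        logger.debug("Creating GCP identity attestation...", new Object[0]);
        String token = fetchTokenFromMetadataService();
        if (token == null) {
            logger.debug("No GCP token was found.", new Object[0]);
            return null;
        }
        // The signature is NOT verified here; issuer and subject are unauthenticated values.
        WorkloadIdentityUtil.SubjectAndIssuer claims = WorkloadIdentityUtil.extractClaimsWithoutVerifyingSignature(token);
        if (claims == null) {
            logger.error("Could not extract claims from token", new Object[0]);
            return null;
        }
        // NOTE(review): issuer identifiers are normally compared exactly; the case-insensitive
        // match is kept for compatibility. Consider equals() once callers are confirmed.
        // A null issuer yields false and falls through to the error path.
        if (!EXPECTED_GCP_TOKEN_ISSUER.equalsIgnoreCase(claims.getIssuer())) {
            logger.error("Unexpected token issuer: {}, should be {}", claims.getIssuer(), EXPECTED_GCP_TOKEN_ISSUER);
            return null;
        }
        return new WorkloadIdentityAttestation(WorkloadIdentityProviderType.GCP, token, Collections.singletonMap("sub", claims.getSubject()));
    }

    /**
     * Requests an identity token for the default service account from the metadata service.
     *
     * @return the token, or {@code null} when the request fails for any reason
     */
    private String fetchTokenFromMetadataService() {
        HttpGet httpGet = new HttpGet(this.gcpMetadataServiceBaseUrl + "/computeMetadata/v1/instance/service-accounts/default/identity?audience=snowflakecomputing.com");
        // The metadata service expects this header on every request.
        httpGet.setHeader(METADATA_FLAVOR_HEADER_NAME, METADATA_FLAVOR);
        try {
            return WorkloadIdentityUtil.performIdentityRequest(httpGet, this.loginInput);
        } catch (Exception e) {
            // Best effort: a failure here is treated the same as "no token available".
            // The exception is passed as a format argument; it was previously concatenated onto
            // the format string, which left the "{}" placeholder unfilled in the log line.
            logger.debug("GCP metadata server request was not successful: {}", e.toString());
            return null;
        }
    }
}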
