package org.flyte.jflyte.gcp;

import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.RefreshTokenRequest;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.googleapis.util.Utils;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider;
import com.google.auth.oauth2.UserCredentials;
import java.io.IOException;
import java.time.Clock;
import java.time.Instant;
import java.util.Objects;
import java.util.logging.Logger;
import org.flyte.jflyte.api.Token;

/* loaded from: input_file:org/flyte/jflyte/gcp/GoogleAuthHelper.class */
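/**
 * Exchanges the configured Google credentials for an ID token wrapped in a {@link Token}.
 *
 * <p>Two credential kinds are handled: credentials that implement {@link IdTokenProvider}, and
 * {@link UserCredentials}, for which a refresh-token request is sent to the token server URI
 * carried by the credentials.
 *
 * <p>The returned {@link Token} holds a bearer credential. This class only logs the OAuth client
 * id and never the token value, refresh token or client secret; callers should keep it that way.
 */
class GoogleAuthHelper {
    private static final Logger LOG = Logger.getLogger(GoogleAuthHelper.class.getName());
    private static final JsonFactory JSON_FACTORY = Utils.getDefaultJsonFactory();
    private final HttpTransport httpTransport;
    private final GoogleCredentials credentials;
    private final Clock clock;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a helper bound to one set of credentials.
     *
     * @param httpTransport transport used for the refresh-token request of the user-credential path
     * @param googleCredentials credentials to exchange for an ID token
     * @param clock time source used to compute the expiry of user-credential tokens
     * @throws NullPointerException if any argument is {@code null}
     */
    public GoogleAuthHelper(HttpTransport httpTransport, GoogleCredentials googleCredentials, Clock clock) {
        this.httpTransport = Objects.requireNonNull(httpTransport, "httpTransport");
        this.credentials = Objects.requireNonNull(googleCredentials, "credentials");
        this.clock = Objects.requireNonNull(clock, "clock");
    }

    /**
     * Fetches an ID token for the configured credentials.
     *
     * <p>{@code str} is the target audience. It is forwarded only on the {@link IdTokenProvider}
     * path; the {@link UserCredentials} path does not receive it.
     * NOTE(review): the user-credential token is therefore presumably issued for the OAuth client
     * rather than for {@code str} - confirm that receivers validating {@code aud} accept this.
     *
     * @param str target audience requested for the ID token
     * @return the ID token with its expiry and token type
     * @throws IOException if the token cannot be obtained or the response is incomplete
     * @throws UnsupportedOperationException if the credentials are of neither supported kind
     */
    public Token getToken(String str) throws IOException {
        if (this.credentials instanceof IdTokenProvider) {
            return getIdTokenFromIdTokenProvider(str);
        }
        if (this.credentials instanceof UserCredentials) {
            return getUserToken((UserCredentials) this.credentials);
        }
        throw new UnsupportedOperationException("Don't support credentials: " + this.credentials.getClass());
    }

    /**
     * Obtains an ID token for {@code targetAudience} through the credentials' own provider.
     *
     * @param targetAudience audience set on the {@link IdTokenCredentials}
     * @return the ID token as a {@code Bearer} token, expiring when the ID token does
     * @throws IOException if the refresh fails or yields no token value
     */
    private Token getIdTokenFromIdTokenProvider(String targetAudience) throws IOException {
        LOG.info("Fetching token from provider");
        // getToken() has already checked the instanceof; the explicit cast is what
        // setIdTokenProvider needs, since the field is typed as GoogleCredentials.
        IdTokenCredentials idTokenCredentials =
                IdTokenCredentials.newBuilder()
                        .setIdTokenProvider((IdTokenProvider) this.credentials)
                        .setTargetAudience(targetAudience)
                        .build();
        idTokenCredentials.refresh();
        IdToken idToken = idTokenCredentials.getIdToken();
        if (idToken == null || idToken.getTokenValue() == null) {
            throw new IOException("Couldn't get id token for credential");
        }
        return Token.builder()
                .accessToken(idToken.getTokenValue())
                .expiry(idToken.getExpirationTime().toInstant())
                .tokenType("Bearer")
                .build();
    }

    /**
     * Obtains an ID token for user credentials by executing a refresh-token request.
     *
     * @param userCredentials credentials supplying the refresh token, client id and client secret
     * @return the ID token, with the token type reported by the token server
     * @throws IOException if the request fails, or the response lacks an ID token or a lifetime
     */
    private Token getUserToken(UserCredentials userCredentials) throws IOException {
        LOG.info("Fetching user id token for user credential: " + userCredentials.getClientId());
        RefreshTokenRequest refreshRequest = getRefreshTokenRequest(userCredentials);
        // Read the clock before the round trip so the computed expiry never lands later than
        // the lifetime the server granted.
        Instant requestedAt = this.clock.instant();
        IdTokenResponse response = refreshRequest.executeUnparsed().parseAs(IdTokenResponse.class);
        if (response == null || response.getIdToken() == null) {
            throw new IOException(String.format("Couldn't get id token for user credential: [%s].%nUserCredentials can obtain an id token only when authenticated through gcloud running 'gcloud auth login --update-adc' or 'gcloud auth application-default login'", userCredentials.getClientId()));
        }
        // The lifetime is a boxed Long; unboxing a missing value would surface as a
        // NullPointerException instead of the IOException callers are told to expect.
        Long expiresInSeconds = response.getExpiresInSeconds();
        if (expiresInSeconds == null) {
            throw new IOException(String.format("Token response for user credential [%s] carries no expiry; refusing to build a token without one", userCredentials.getClientId()));
        }
        return Token.builder()
                .accessToken(response.getIdToken())
                .expiry(requestedAt.plusSeconds(expiresInSeconds))
                .tokenType(response.getTokenType())
                .build();
    }

    /**
     * Builds the refresh-token request for the given user credentials.
     *
     * <p>The request targets the token server URI stored in the credentials and carries the
     * refresh token, client id and client secret, so the request object must not be logged.
     *
     * @param userCredentials credentials supplying the endpoint and the secrets for the request
     * @return the configured, not yet executed, request
     */
    private RefreshTokenRequest getRefreshTokenRequest(UserCredentials userCredentials) {
        GenericUrl tokenServerUrl = new GenericUrl(userCredentials.toBuilder().getTokenServerUri());
        ClientParametersAuthentication clientAuthentication =
                new ClientParametersAuthentication(userCredentials.getClientId(), userCredentials.getClientSecret());
        return new RefreshTokenRequest(this.httpTransport, JSON_FACTORY, tokenServerUrl, userCredentials.getRefreshToken())
                .setClientAuthentication(clientAuthentication)
                .setRequestInitializer(new HttpCredentialsAdapter(userCredentials));
    }
}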
