package com.yahoo.athenz.instance.provider.impl;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.ArrayMap;
import java.io.IOException;
import java.math.BigDecimal;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Map;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceGCPUtils.class */
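/**
 * Helpers for validating a GCP instance identity token and deriving Athenz
 * attestation attributes (service name, project id, region) from its claims.
 *
 * <p>The values derived here feed identity decisions, so every parsing helper
 * fails closed: input that cannot be parsed unambiguously yields the same
 * empty result as an unverified email rather than a best-effort guess.
 */
public class InstanceGCPUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceGCPUtils.class);
    // Package-private and mutable so a verifier can be injected through the setter below.
    GoogleIdTokenVerifier googleIdTokenVerifier;
    static final String GCP_PROP_EXPECTED_AUDIENCE = "athenz.zts.gcp_identity_expected_audience";
    private static final String GCP_ATTESTATION_KEY_GOOGLE = "google";
    private static final String GCP_ATTESTATION_KEY_COMPUTE_ENGINE = "compute_engine";
    private static final String GCP_SERVICE_ACCOUNT_EMAIL_SEPARATOR = "@";
    private static final String DOT = ".";
    private static final String GCP_REGION_ZONE_SEPARATOR = "-";
    private static final String GCP_OPTIONAL_ATTR_PROJECT_NUMBER = "project_number";
    private static final String GCP_OPTIONAL_ATTR_PROJECT_ID = "project_id";
    private static final String GCP_OPTIONAL_ATTR_ZONE = "zone";
    private static final String GCP_OPTIONAL_ATTR_INSTANCE_NAME = "instance_name";
    private static final String GCP_OPTIONAL_ATTR_INSTANCE_ID = "instance_id";
    private static final String GCP_OPTIONAL_ATTR_INSTANCE_CREATION_TIMESTAMP = "instance_creation_timestamp";

    /** Creates the utility with a default HTTP transport and a Gson JSON factory. */
    public InstanceGCPUtils() {
        this(new NetHttpTransport(), new GsonFactory());
    }

    /**
     * Replaces the token verifier used by {@link #validateGCPIdentityToken}.
     *
     * @param googleIdTokenVerifier verifier to use from now on
     */
    public void setGoogleIdTokenVerifier(GoogleIdTokenVerifier googleIdTokenVerifier) {
        this.googleIdTokenVerifier = googleIdTokenVerifier;
    }

    /**
     * Builds a verifier bound to the audience configured in the
     * {@code athenz.zts.gcp_identity_expected_audience} system property.
     *
     * @param httpTransport transport handed to the verifier builder
     * @param jsonFactory JSON factory handed to the verifier builder
     */
    public InstanceGCPUtils(HttpTransport httpTransport, JsonFactory jsonFactory) {
        String expectedAudience = System.getProperty(GCP_PROP_EXPECTED_AUDIENCE, "");
        if (StringUtil.isEmpty(expectedAudience)) {
            LOGGER.error("Expected audience in the GCP Identity token is not specified. No identity will be issued.");
        }
        // With no configured audience the verifier is still built, with the empty string as its
        // only accepted audience.
        // NOTE(review): the "no identity will be issued" guarantee then rests on the verifier
        // rejecting every real token on audience mismatch - confirm against the library version in use.
        this.googleIdTokenVerifier = new GoogleIdTokenVerifier.Builder(httpTransport, jsonFactory)
                .setAudience(List.of(expectedAudience))
                .build();
    }

    /**
     * Verifies a GCP identity token with the configured verifier.
     *
     * @param str the encoded identity token presented by the instance (untrusted input)
     * @param sb receives a human-readable reason when validation fails
     * @return the verified token payload, or {@code null} when the token is missing,
     *         rejected by the verifier, or cannot be processed
     */
    public GoogleIdToken.Payload validateGCPIdentityToken(String str, StringBuilder sb) {
        // Reject a missing token up front so it is reported like any other validation
        // failure instead of being handed to the verifier.
        if (str == null || str.isEmpty()) {
            sb.append("unable to validate GCP instance identity token. Reason=token is missing");
            return null;
        }
        try {
            GoogleIdToken verified = this.googleIdTokenVerifier.verify(str);
            if (verified != null) {
                return verified.getPayload();
            }
            sb.append("ID token was not verified by GCP. Possible reasons: expired token/invalid issuer or audience/invalid signature");
            return null;
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            LOGGER.error("unable to validate GCP instance identity token error={} type={}", e.getMessage(), e.getClass());
            sb.append("unable to validate GCP instance identity token. Reason=").append(e.getMessage());
            return null;
        }
    }

    /**
     * Copies the claims of a verified token payload into the derived attestation data.
     *
     * <p>The {@code google.compute_engine} claim is optional; when it is absent or is not
     * a map, no additional attestation data is set.
     *
     * @param payload payload returned by {@link #validateGCPIdentityToken}
     * @param gCPDerivedAttestationData target object to populate
     */
    public void populateAttestationData(GoogleIdToken.Payload payload, GCPDerivedAttestationData gCPDerivedAttestationData) {
        gCPDerivedAttestationData.setAudience(payload.getAudienceAsList());
        gCPDerivedAttestationData.setEmail(payload.getEmail());
        // A token that carries no email_verified claim is treated as unverified (fail closed)
        // rather than failing with a NullPointerException while unboxing.
        gCPDerivedAttestationData.setEmailVerified(Boolean.TRUE.equals(payload.getEmailVerified()));
        gCPDerivedAttestationData.setIssuer(payload.getIssuer());
        gCPDerivedAttestationData.setAuthorizedParty(payload.getAuthorizedParty());

        Object googleClaim = payload.get(GCP_ATTESTATION_KEY_GOOGLE);
        if (!(googleClaim instanceof ArrayMap)) {
            return;
        }
        Object computeEngineClaim = ((ArrayMap<?, ?>) googleClaim).get(GCP_ATTESTATION_KEY_COMPUTE_ENGINE);
        if (!(computeEngineClaim instanceof Map)) {
            // Key missing, null, or of an unexpected type: nothing to copy.
            return;
        }
        Map<?, ?> computeEngine = (Map<?, ?>) computeEngineClaim;

        GCPAdditionalAttestationData additional = new GCPAdditionalAttestationData();
        additional.setProjectNumber(stringOrNull(computeEngine.get(GCP_OPTIONAL_ATTR_PROJECT_NUMBER)));
        additional.setProjectId(stringOrNull(computeEngine.get(GCP_OPTIONAL_ATTR_PROJECT_ID)));
        additional.setZone(stringOrNull(computeEngine.get(GCP_OPTIONAL_ATTR_ZONE)));
        additional.setInstanceName(stringOrNull(computeEngine.get(GCP_OPTIONAL_ATTR_INSTANCE_NAME)));
        additional.setInstanceId(stringOrNull(computeEngine.get(GCP_OPTIONAL_ATTR_INSTANCE_ID)));
        additional.setInstanceCreationTimestamp(
                decimalOrNull(computeEngine.get(GCP_OPTIONAL_ATTR_INSTANCE_CREATION_TIMESTAMP)));
        gCPDerivedAttestationData.setAdditionalAttestationData(additional);
    }

    /**
     * Derives the {@code <project>.<service>} name from the attested service account email.
     *
     * @param gCPDerivedAttestationData attestation data holding the email and its verified flag
     * @return {@code <first domain label>.<local part>} of the email, or {@code "."} when the
     *         email is unverified, missing, or cannot be split unambiguously
     */
    public String getServiceNameFromAttestedData(GCPDerivedAttestationData gCPDerivedAttestationData) {
        String service = "";
        String project = "";
        String[] parts = splitVerifiedEmail(gCPDerivedAttestationData);
        if (parts != null) {
            service = parts[0];
            project = parts[1];
        }
        return project + DOT + service;
    }

    /**
     * Derives the project id from the attested service account email.
     *
     * @param gCPDerivedAttestationData attestation data holding the email and its verified flag
     * @return the first label of the email domain, or the empty string when the email is
     *         unverified, missing, or cannot be split unambiguously
     */
    public String getProjectIdFromAttestedData(GCPDerivedAttestationData gCPDerivedAttestationData) {
        String[] parts = splitVerifiedEmail(gCPDerivedAttestationData);
        return parts == null ? "" : parts[1];
    }

    /**
     * Returns the region part of a zone name by dropping everything from the last {@code -}.
     *
     * @param str zone name, may be {@code null}
     * @return the text before the last {@code -}; the input itself when it is {@code null}
     *         or contains no {@code -}
     */
    public String getGCPRegionFromZone(String str) {
        if (str == null) {
            return null;
        }
        int separatorAt = str.lastIndexOf(GCP_REGION_ZONE_SEPARATOR);
        if (separatorAt == -1) {
            return str;
        }
        return str.substring(0, separatorAt);
    }

    /**
     * Splits a verified service account email into its local part and first domain label.
     *
     * <p>Returns {@code null} when the email is unverified, {@code null}, has no {@code @},
     * has no dot, or has a dot in the local part. The last case previously produced a
     * {@code StringIndexOutOfBoundsException}; it is rejected rather than parsed because a
     * dotted local part would make the resulting {@code <project>.<service>} name ambiguous.
     * NOTE(review): the project is taken as the first label of the email domain - confirm
     * this holds for every service account email format the provider must accept.
     */
    private static String[] splitVerifiedEmail(GCPDerivedAttestationData data) {
        if (!data.isEmailVerified()) {
            return null;
        }
        String email = data.getEmail();
        if (email == null) {
            return null;
        }
        int atIndex = email.indexOf(GCP_SERVICE_ACCOUNT_EMAIL_SEPARATOR);
        int firstDot = email.indexOf(DOT);
        // firstDot < atIndex also covers "no dot at all" (-1) once atIndex is known to be >= 0.
        if (atIndex == -1 || firstDot < atIndex) {
            return null;
        }
        return new String[] {email.substring(0, atIndex), email.substring(atIndex + 1, firstDot)};
    }

    /** Returns the string form of a claim value, or {@code null} when the claim is absent. */
    private static String stringOrNull(Object value) {
        return value == null ? null : value.toString();
    }

    /** Returns a numeric claim as a {@link BigDecimal}, or {@code null} when absent or non-numeric. */
    private static BigDecimal decimalOrNull(Object value) {
        if (value instanceof BigDecimal) {
            return (BigDecimal) value;
        }
        if (value instanceof Number) {
            return new BigDecimal(value.toString());
        }
        return null;
    }
}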
