package org.projectnessie.catalog.files.gcs;

import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2Credentials;
import com.google.cloud.storage.Storage;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import org.projectnessie.catalog.files.api.StorageLocations;
import org.projectnessie.catalog.files.config.GcsBucketOptions;
import org.projectnessie.catalog.files.config.GcsConfig;
import org.projectnessie.catalog.files.config.GcsOptions;
import org.projectnessie.catalog.secrets.SecretsProvider;
import org.projectnessie.catalog.secrets.TokenSecret;
import org.projectnessie.storage.uri.StorageUri;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/projectnessie/catalog/files/gcs/GcsStorageSupplier.class */
public final class GcsStorageSupplier {
    private static final Logger LOGGER = LoggerFactory.getLogger(GcsStorageSupplier.class);
    static final String RANDOMIZED_PART = "([A-Za-z0-9=]+/|[01]{4}/[01]{4}/[01]{4}/[01]{8}/)?";
    private final HttpTransportFactory httpTransportFactory;
    private final GcsConfig gcsConfig;
    private final GcsOptions gcsOptions;
    private final SecretsProvider secretsProvider;

    public GcsStorageSupplier(HttpTransportFactory httpTransportFactory, GcsConfig gcsConfig, GcsOptions gcsOptions, SecretsProvider secretsProvider) {
        this.httpTransportFactory = httpTransportFactory;
        this.gcsConfig = gcsConfig;
        this.gcsOptions = gcsOptions;
        this.secretsProvider = secretsProvider;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public GcsOptions gcsOptions() {
        return this.gcsOptions;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SecretsProvider secretsProvider() {
        return this.secretsProvider;
    }

    public GcsBucketOptions bucketOptions(StorageUri storageUri) {
        return this.gcsOptions.resolveOptionsForUri(storageUri);
    }

    public Storage forLocation(GcsBucketOptions gcsBucketOptions) {
        return GcsClients.buildStorage(this.gcsConfig, gcsBucketOptions, this.httpTransportFactory, this.secretsProvider);
    }

    public Optional<TokenSecret> generateDelegationToken(StorageLocations storageLocations, GcsBucketOptions gcsBucketOptions) {
        if (!((Boolean) gcsBucketOptions.downscopedCredentials().flatMap((v0) -> {
            return v0.enable();
        }).orElse(false)).booleanValue()) {
            return Optional.empty();
        }
        DownscopedCredentials.Builder newBuilder = DownscopedCredentials.newBuilder();
        GoogleCredentials buildCredentials = GcsClients.buildCredentials(gcsBucketOptions, this.httpTransportFactory, this.secretsProvider);
        if (buildCredentials instanceof GoogleCredentials) {
            newBuilder.setSourceCredential(buildCredentials);
        } else {
            if (!(buildCredentials instanceof OAuth2Credentials)) {
                LOGGER.warn("No suitable credentials to generate a downscoped token to access warehouse {}", storageLocations.warehouseLocation());
                return Optional.empty();
            }
            newBuilder.setAccessToken(((OAuth2Credentials) buildCredentials).getAccessToken());
        }
        newBuilder.setHttpTransportFactory(this.httpTransportFactory).setCredentialAccessBoundary(generateAccessBoundaryRules(storageLocations));
        Optional flatMap = gcsBucketOptions.downscopedCredentials().flatMap((v0) -> {
            return v0.expirationMargin();
        });
        Objects.requireNonNull(newBuilder);
        flatMap.ifPresent(newBuilder::setExpirationMargin);
        Optional flatMap2 = gcsBucketOptions.downscopedCredentials().flatMap((v0) -> {
            return v0.refreshMargin();
        });
        Objects.requireNonNull(newBuilder);
        flatMap2.ifPresent(newBuilder::setRefreshMargin);
        try {
            AccessToken refreshAccessToken = newBuilder.build().refreshAccessToken();
            return Optional.of(TokenSecret.tokenSecret(refreshAccessToken.getTokenValue(), Instant.ofEpochMilli(refreshAccessToken.getExpirationTime().getTime())));
        } catch (IOException e) {
            LOGGER.error("Failed refresh access token for downscoped credentials for warehouse {}", storageLocations.warehouseLocation(), e);
            throw new RuntimeException("Unable to fetch access credentials " + e.getMessage());
        }
    }

    @VisibleForTesting
    public static CredentialAccessBoundary generateAccessBoundaryRules(StorageLocations storageLocations) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        Stream.concat(storageLocations.readonlyLocations().stream(), storageLocations.writeableLocations().stream()).distinct().forEach(storageUri -> {
            String requiredAuthority = storageUri.requiredAuthority();
            hashSet.add(requiredAuthority);
            String pathWithoutLeadingTrailingSlash = storageUri.pathWithoutLeadingTrailingSlash();
            List list = (List) hashMap.computeIfAbsent(requiredAuthority, str -> {
                return new ArrayList();
            });
            list.add(resourceNameBucketPathExpression(requiredAuthority, pathWithoutLeadingTrailingSlash));
            list.add(String.format("api.getAttribute('storage.googleapis.com/objectListPrefix', '').matches('([A-Za-z0-9=]+/|[01]{4}/[01]{4}/[01]{4}/[01]{8}/)?%s.*')", quoteForCelString(pathWithoutLeadingTrailingSlash)));
            if (storageLocations.writeableLocations().contains(storageUri)) {
                hashSet2.add(requiredAuthority);
                ((List) hashMap2.computeIfAbsent(requiredAuthority, str2 -> {
                    return new ArrayList();
                })).add(resourceNameBucketPathExpression(requiredAuthority, pathWithoutLeadingTrailingSlash));
            }
        });
        CredentialAccessBoundary.Builder newBuilder = CredentialAccessBoundary.newBuilder();
        Stream map = hashSet.stream().map(str -> {
            return accessBoundaryRuleForBucket(hashMap, str);
        }).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).map(builder -> {
            return builder.setAvailablePermissions(List.of("inRole:roles/storage.legacyObjectReader")).addAvailablePermission("inRole:roles/storage.objectViewer");
        }).map((v0) -> {
            return v0.build();
        });
        Objects.requireNonNull(newBuilder);
        map.forEach(newBuilder::addRule);
        Stream map2 = hashSet2.stream().map(str2 -> {
            return accessBoundaryRuleForBucket(hashMap2, str2);
        }).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).map(builder2 -> {
            return builder2.setAvailablePermissions(List.of("inRole:roles/storage.legacyBucketWriter"));
        }).map((v0) -> {
            return v0.build();
        });
        Objects.requireNonNull(newBuilder);
        map2.forEach(newBuilder::addRule);
        return newBuilder.build();
    }

    static String resourceNameBucketPathExpression(String str, String str2) {
        return "resource.name.matches('" + quoteForCelString(String.format("projects/_/buckets/%s/objects/", str)) + "([A-Za-z0-9=]+/|[01]{4}/[01]{4}/[01]{4}/[01]{8}/)?" + quoteForCelString(str2) + ".*')";
    }

    private static String quoteForCelString(String str) {
        String quote = Pattern.quote(str);
        StringBuilder sb = new StringBuilder((quote.length() * 3) / 2);
        int length = quote.length();
        for (int i = 0; i < length; i++) {
            char charAt = quote.charAt(i);
            switch (charAt) {
                case '\"':
                    sb.append("\\\"");
                    break;
                case '\'':
                    sb.append("\\'");
                    break;
                case '\\':
                    sb.append("\\\\");
                    break;
                default:
                    sb.append(charAt);
                    break;
            }
        }
        return sb.toString();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<CredentialAccessBoundary.AccessBoundaryRule.Builder> accessBoundaryRuleForBucket(Map<String, List<String>> map, String str) {
        List<String> list = map.get(str);
        if (list == null || list.isEmpty()) {
            return Optional.empty();
        }
        CredentialAccessBoundary.AccessBoundaryRule.Builder newBuilder = CredentialAccessBoundary.AccessBoundaryRule.newBuilder();
        newBuilder.setAvailableResource(bucketResource(str));
        newBuilder.setAvailabilityCondition(CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression(String.join(" || ", list)).build());
        return Optional.of(newBuilder);
    }

    private static String bucketResource(String str) {
        return "//storage.googleapis.com/projects/_/buckets/" + str;
    }
}
