package org.springframework.vault.authentication;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.model.SignJwtRequest;
import com.google.api.services.iam.v1.model.SignJwtResponse;
import java.io.IOException;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.Assert;
import org.springframework.vault.VaultException;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/GcpIamAuthentication.class */
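/**
 * GCP IAM login for Vault. A short-lived JWT is built for the configured service
 * account, signed through the Google IAM {@code signJwt} API (so the private key
 * never has to be present locally), and then exchanged for a {@link VaultToken}
 * via the inherited {@code doLogin(...)}.
 * <p>
 * The signed JWT returned by {@link #signJwt()} is a bearer credential: it must
 * not be logged or cached beyond the login call. Its lifetime is bounded by
 * {@code GcpIamAuthenticationOptions#getJwtValidity()}.
 */
public class GcpIamAuthentication extends GcpJwtAuthenticationSupport implements ClientAuthentication {

    private static final JsonFactory JSON_FACTORY = new JacksonFactory();

    private final GcpIamAuthenticationOptions options;

    private final HttpTransport httpTransport;

    private final GoogleCredential credential;

    /**
     * Create a new {@link GcpIamAuthentication} using a default {@link NetHttpTransport}.
     *
     * @param gcpIamAuthenticationOptions must not be {@literal null}.
     * @param restOperations must not be {@literal null}.
     */
    public GcpIamAuthentication(GcpIamAuthenticationOptions gcpIamAuthenticationOptions, RestOperations restOperations) {
        this(gcpIamAuthenticationOptions, restOperations, new NetHttpTransport());
    }

    /**
     * Create a new {@link GcpIamAuthentication} with an explicit {@link HttpTransport}
     * for the IAM API calls.
     *
     * @param gcpIamAuthenticationOptions must not be {@literal null}.
     * @param restOperations must not be {@literal null}.
     * @param httpTransport must not be {@literal null}.
     * @throws IllegalArgumentException if any argument is {@literal null}.
     */
    public GcpIamAuthentication(GcpIamAuthenticationOptions gcpIamAuthenticationOptions, RestOperations restOperations, HttpTransport httpTransport) {
        super(restOperations);
        Assert.notNull(gcpIamAuthenticationOptions, "GcpIamAuthenticationOptions must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        Assert.notNull(httpTransport, "HttpTransport must not be null");
        this.options = gcpIamAuthenticationOptions;
        this.httpTransport = httpTransport;
        // Resolved eagerly so a misconfigured credential supplier fails at
        // construction rather than on the first login() attempt.
        this.credential = gcpIamAuthenticationOptions.getCredentialSupplier().get();
    }

    /**
     * Sign a fresh JWT and exchange it for a Vault token at the configured auth
     * mount path and role.
     *
     * @return the issued {@link VaultToken}.
     * @throws VaultException if signing or the Vault login fails.
     */
    @Override
    public VaultToken login() throws VaultException {
        return doLogin("GCP-IAM", signJwt(), this.options.getPath(), this.options.getRole());
    }

    /**
     * Build the login JWT payload and have Google IAM sign it on behalf of the
     * configured service account.
     *
     * @return the compact, signed JWT.
     * @throws VaultLoginException if the IAM call or payload serialization fails.
     */
    protected String signJwt() {
        String projectId = getProjectId();
        String serviceAccountId = getServiceAccountId();
        Map<String, Object> jwtPayload = getJwtPayload(this.options, serviceAccountId);

        Iam iam = new Iam.Builder(this.httpTransport, JSON_FACTORY, this.credential)
                .setApplicationName("Spring Vault/" + getClass().getName())
                .build();

        try {
            SignJwtRequest request = new SignJwtRequest();
            // JsonFactory.toString(...) declares IOException, hence inside the try.
            request.setPayload(JSON_FACTORY.toString(jwtPayload));

            SignJwtResponse response = iam.projects()
                    .serviceAccounts()
                    .signJwt(serviceAccountResource(projectId, serviceAccountId), request)
                    .execute();
            return response.getSignedJwt();
        } catch (IOException e) {
            throw new VaultLoginException("Cannot sign JWT", e);
        }
    }

    private String getServiceAccountId() {
        return this.options.getServiceAccountIdAccessor().getServiceAccountId(this.credential);
    }

    private String getProjectId() {
        return this.options.getProjectIdAccessor().getProjectId(this.credential);
    }

    /** IAM resource name of the service account whose key signs the JWT. */
    private static String serviceAccountResource(String projectId, String serviceAccountId) {
        return String.format("projects/%s/serviceAccounts/%s", projectId, serviceAccountId);
    }

    /**
     * Assemble the claims Vault expects from a GCP IAM login JWT.
     * <p>
     * {@code sub} is the service account, {@code aud} is {@code vault/<role>}, and
     * {@code exp} is "now" (from the configured {@code Clock}) plus the configured
     * validity, as epoch seconds. Keeping the validity short limits how long a
     * leaked JWT can be replayed.
     *
     * @param gcpIamAuthenticationOptions source of clock, validity and role.
     * @param serviceAccountId value of the {@code sub} claim.
     * @return insertion-ordered claim map, ready for JSON serialization.
     */
    private static Map<String, Object> getJwtPayload(GcpIamAuthenticationOptions gcpIamAuthenticationOptions, String serviceAccountId) {
        Instant expiresAt = gcpIamAuthenticationOptions.getClock().instant()
                .plus(gcpIamAuthenticationOptions.getJwtValidity());

        Map<String, Object> payload = new LinkedHashMap<>();
        payload.put("sub", serviceAccountId);
        payload.put("aud", "vault/" + gcpIamAuthenticationOptions.getRole());
        payload.put("exp", expiresAt.getEpochSecond());
        return payload;
    }
}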
