package com.google.auth.oauth2;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.UrlEncodedContent;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.GenericData;
import com.google.auth.http.HttpCredentialsAdapter;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.time.Instant;
import java.util.HashMap;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:com/google/auth/oauth2/ITWorkloadIdentityFederationTest.class */
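/**
 * Integration tests for workload identity federation: a Google-minted ID token (or AWS
 * credentials derived from one) is exchanged through Google STS, the resulting token is used to
 * impersonate a service account, and the impersonated credential is exercised against a live GCS
 * bucket.
 *
 * <p>Environment this test reads:
 *
 * <ul>
 *   <li>{@code GOOGLE_APPLICATION_CREDENTIALS} - path to a service account key file; its
 *       {@code client_email} is the account that is impersonated and whose ID tokens are minted.
 *   <li>{@code GCS_BUCKET} - bucket whose metadata is fetched to prove the credential works.
 * </ul>
 *
 * <p>Every test talks to real Google (and, for {@link #awsCredentials()}, AWS STS) endpoints and
 * mints short-lived but real credentials. The minted ID tokens are written to temporary files so
 * the file- and executable-sourced credential types can read them; those files are created with
 * owner-only permissions (where the file system supports it) and removed on orderly JVM exit.
 */
public final class ITWorkloadIdentityFederationTest {
    private static final String AUDIENCE_PREFIX =
            "//iam.googleapis.com/projects/1016721519174/locations/global/workloadIdentityPools/pool-1/providers/";
    private static final String AWS_ROLE_NAME = "ci-java-test";
    private static final String AWS_ROLE_ARN = "arn:aws:iam::027472800722:role/ci-java-test";
    private static final String AWS_AUDIENCE = AUDIENCE_PREFIX + "aws-1";
    private static final String OIDC_AUDIENCE = AUDIENCE_PREFIX + "oidc-1";

    private static final String STS_TOKEN_URL = "https://sts.googleapis.com/v1/token";
    private static final String JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";
    private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    /** Prefix used for every temporary token file / script created by this test. */
    private static final String TEMP_FILE_PREFIX = "ITWorkloadIdentityFederation";

    /** Lifetime requested in the impersonation-options test, and the tolerance we allow around it. */
    private static final long IMPERSONATION_LIFETIME_SECONDS = 2800L;
    private static final long EXPIRY_SLACK_MILLIS = 5_000L;

    /** {@code client_email} of the service account key referenced by GOOGLE_APPLICATION_CREDENTIALS. */
    private String clientEmail;

    @Before
    public void setup() throws IOException {
        this.clientEmail = (String) getServiceAccountKeyFileAsJson().get("client_email");
        Assert.assertNotNull("Service account key file has no client_email field.", this.clientEmail);
    }

    /** File-sourced OIDC subject token exchanged via Google STS, then used to impersonate the SA. */
    @Test
    public void identityPoolCredentials() throws IOException {
        GoogleCredentials credentials =
                ExternalAccountCredentials.fromJson(
                        buildIdentityPoolCredentialConfig(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        callGcs(credentials);
    }

    /**
     * AWS-sourced credentials: a Google ID token for the AWS provider audience is exchanged at AWS
     * STS (AssumeRoleWithWebIdentity) for temporary AWS keys, those keys are injected through a
     * {@link TestEnvironmentProvider}, and the library then signs a GetCallerIdentity request with
     * them as the subject token for Google STS.
     */
    @Test
    public void awsCredentials() throws Exception {
        // The web identity token is a bearer credential. Send it in a form-encoded POST body
        // rather than in the URL query string so it does not end up in proxy/access logs or
        // request histories; the AWS Query API accepts either form.
        GenericData form = new GenericData();
        form.set("Action", "AssumeRoleWithWebIdentity");
        form.set("Version", "2011-06-15");
        form.set("DurationSeconds", "3600");
        form.set("RoleSessionName", AWS_ROLE_NAME);
        form.set("RoleArn", AWS_ROLE_ARN);
        form.set("WebIdentityToken", generateGoogleIdToken(AWS_AUDIENCE));

        HttpRequest stsRequest =
                new NetHttpTransport()
                        .createRequestFactory()
                        .buildPostRequest(new GenericUrl("https://sts.amazonaws.com/"), new UrlEncodedContent(form));
        // The STS response is XML, so it is read as a string and scanned for the three values.
        String stsResponse = stsRequest.execute().parseAsString();

        String accessKeyId = requireXmlValue(stsResponse, "AccessKeyId");
        String secretAccessKey = requireXmlValue(stsResponse, "SecretAccessKey");
        String sessionToken = requireXmlValue(stsResponse, "SessionToken");

        AwsCredentials baseCredentials =
                AwsCredentials.fromJson(buildAwsCredentialConfig(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_ACCESS_KEY_ID", accessKeyId)
                .setEnv("AWS_SECRET_ACCESS_KEY", secretAccessKey)
                .setEnv("AWS_SESSION_TOKEN", sessionToken)
                .setEnv("AWS_REGION", "us-east-2");

        callGcs(AwsCredentials.newBuilder(baseCredentials).setEnvironmentProvider(environment).build());
    }

    /** Executable-sourced subject token: a generated script prints the token JSON on stdout. */
    @Test
    public void pluggableAuthCredentials() throws IOException {
        GoogleCredentials credentials =
                ExternalAccountCredentials.fromJson(
                        buildPluggableCredentialConfig(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        callGcs(credentials);
    }

    /**
     * Same as {@link #identityPoolCredentials()} but with an explicit impersonated-token lifetime;
     * verifies the server honoured it. The expiry is server-issued during the exchange, so the
     * accepted window is measured from timestamps taken before and after the call rather than from
     * a single instant, which keeps a slow round trip from failing the assertion.
     */
    @Test
    public void identityPoolCredentials_withServiceAccountImpersonationOptions() throws IOException {
        GenericJson config = buildIdentityPoolCredentialConfig();
        GenericJson impersonationOptions = new GenericJson();
        // Integer, as the library reads this field from parsed JSON config.
        impersonationOptions.put("token_lifetime_seconds", (int) IMPERSONATION_LIFETIME_SECONDS);
        config.put("service_account_impersonation", impersonationOptions);

        ExternalAccountCredentials credentials =
                ExternalAccountCredentials.fromJson(config, OAuth2Utils.HTTP_TRANSPORT_FACTORY);

        long beforeCallMillis = Instant.now().toEpochMilli();
        callGcs(credentials);
        long afterCallMillis = Instant.now().toEpochMilli();

        long expiresAtMillis = credentials.getAccessToken().getExpirationTimeMillis();
        long earliest = beforeCallMillis + IMPERSONATION_LIFETIME_SECONDS * 1000L - EXPIRY_SLACK_MILLIS;
        long latest = afterCallMillis + IMPERSONATION_LIFETIME_SECONDS * 1000L + EXPIRY_SLACK_MILLIS;
        Assert.assertTrue(
                "Token expiry " + expiresAtMillis + " not within [" + earliest + ", " + latest + "]",
                earliest <= expiresAtMillis && expiresAtMillis <= latest);
    }

    /**
     * Builds an {@code external_account} config whose subject token is read from a temp file
     * holding a freshly minted Google ID token for {@link #OIDC_AUDIENCE}.
     */
    private GenericJson buildIdentityPoolCredentialConfig() throws IOException {
        String idToken = generateGoogleIdToken(OIDC_AUDIENCE);
        File tokenFile = newPrivateTempFile();
        Files.write(tokenFile.toPath(), idToken.getBytes(StandardCharsets.UTF_8));

        GenericJson config = baseExternalAccountConfig(OIDC_AUDIENCE, JWT_TOKEN_TYPE);
        GenericJson credentialSource = new GenericJson();
        credentialSource.put("file", tokenFile.getAbsolutePath());
        config.put("credential_source", credentialSource);
        return config;
    }

    /**
     * Builds an {@code external_account} config whose subject token comes from an executable: a
     * bash script, written to a temp file, that prints the executable-sourced credential JSON.
     */
    private GenericJson buildPluggableCredentialConfig() throws IOException {
        String idToken = generateGoogleIdToken(OIDC_AUDIENCE);
        Instant expiration = Instant.now().plusSeconds(3600L);

        GenericJson payload = new GenericJson();
        payload.setFactory(OAuth2Utils.JSON_FACTORY);
        payload.put("success", true);
        payload.put("version", 1);
        payload.put("expiration_time", Long.valueOf(expiration.toEpochMilli()));
        payload.put("token_type", JWT_TOKEN_TYPE);
        payload.put("id_token", idToken);

        // Emit the JSON through a quoted heredoc: bash performs no expansion on the body, so
        // `$`, backticks and backslashes in the payload cannot be interpreted (an echo "..." with
        // only the double quotes escaped would be). The delimiter is chosen so it cannot collide
        // with a line of pretty-printed JSON.
        String delimiter = "__WIF_CREDENTIAL_JSON__";
        String script =
                "#!/bin/bash\ncat <<'" + delimiter + "'\n" + payload.toPrettyString() + "\n" + delimiter + "\n";

        File scriptFile = newPrivateTempFile();
        // Owner-only execute bit; the file is already owner-only read/write on POSIX.
        if (!scriptFile.setExecutable(true, true)) {
            throw new IOException("Unable to make script executable");
        }
        Files.write(scriptFile.toPath(), script.getBytes(StandardCharsets.UTF_8));

        GenericJson config = baseExternalAccountConfig(OIDC_AUDIENCE, JWT_TOKEN_TYPE);
        GenericJson executable = new GenericJson();
        executable.put("command", scriptFile.getAbsolutePath());
        GenericJson credentialSource = new GenericJson();
        credentialSource.put("executable", executable);
        config.put("credential_source", credentialSource);
        return config;
    }

    /**
     * Builds an {@code external_account} config for the AWS provider; the library obtains the AWS
     * keys from the environment provider supplied by the test.
     */
    private GenericJson buildAwsCredentialConfig() {
        GenericJson config = baseExternalAccountConfig(AWS_AUDIENCE, "urn:ietf:params:aws:token-type:aws4_request");
        GenericJson credentialSource = new GenericJson();
        credentialSource.put("environment_id", "aws1");
        credentialSource.put(
                "regional_cred_verification_url",
                "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15");
        config.put("credential_source", credentialSource);
        return config;
    }

    /**
     * Common part of every config built here: type, audience, subject token type, Google STS token
     * URL and the impersonation URL targeting {@link #clientEmail}. The caller adds
     * {@code credential_source}.
     */
    private GenericJson baseExternalAccountConfig(String audience, String subjectTokenType) {
        GenericJson config = new GenericJson();
        config.put("type", "external_account");
        config.put("audience", audience);
        config.put("subject_token_type", subjectTokenType);
        config.put("token_url", STS_TOKEN_URL);
        config.put(
                "service_account_impersonation_url",
                String.format(
                        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken",
                        this.clientEmail));
        return config;
    }

    /**
     * Creates an empty temp file that will hold a credential. {@link Files#createTempFile} (unlike
     * {@link File#createTempFile}) creates the file readable and writable by the owner only on
     * POSIX file systems, so the token is never world-readable. Deletion is registered on orderly
     * JVM shutdown; a crashed run can leave the short-lived token on disk.
     */
    private static File newPrivateTempFile() throws IOException {
        File file = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
        file.deleteOnExit();
        return file;
    }

    /**
     * Fetches the metadata of the bucket named by {@code GCS_BUCKET} using the supplied
     * credentials and asserts a 2xx response. Fails the test if the variable is unset.
     */
    private void callGcs(GoogleCredentials credentials) throws IOException {
        String bucket = System.getenv("GCS_BUCKET");
        Assert.assertNotNull("GCS bucket name not set through GCS_BUCKET env variable.", bucket);

        HttpRequest request =
                new NetHttpTransport()
                        .createRequestFactory(new HttpCredentialsAdapter(credentials))
                        .buildGetRequest(new GenericUrl("https://storage.googleapis.com/storage/v1/b/" + bucket));
        request.setParser(new JsonObjectParser(GsonFactory.getDefaultInstance()));
        Assert.assertTrue(request.execute().isSuccessStatusCode());
    }

    /**
     * Mints a Google ID token for {@code audience} via the IAM Credentials
     * {@code generateIdToken} API, authenticated with application default credentials scoped to
     * cloud-platform and targeting {@link #clientEmail}. Since ADC here is the same service
     * account's key file, the account is minting a token for itself; that presumably needs the
     * token-creator permission on the account, which is an environment prerequisite, not something
     * this test sets up.
     *
     * @return the raw ID token (a JWT)
     */
    private String generateGoogleIdToken(String audience) throws IOException {
        GoogleCredentials adc =
                GoogleCredentials.getApplicationDefault().createScoped(new String[] {CLOUD_PLATFORM_SCOPE});
        HttpRequestFactory requestFactory =
                new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(adc));

        String url =
                String.format(
                        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateIdToken",
                        this.clientEmail);
        GenericData body = new GenericData();
        body.set("audience", audience);
        body.set("includeEmail", true);

        HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(url), new UrlEncodedContent(body));
        request.setParser(new JsonObjectParser(GsonFactory.getDefaultInstance()));
        String token = (String) request.execute().parseAs(GenericData.class).get("token");
        Assert.assertNotNull("generateIdToken response did not contain a token.", token);
        return token;
    }

    /**
     * Parses the service account key file referenced by {@code GOOGLE_APPLICATION_CREDENTIALS}.
     *
     * @throws IOException if the variable is unset (with a clear message instead of the NPE a null
     *     path would produce) or the file cannot be read or parsed
     */
    private GenericJson getServiceAccountKeyFileAsJson() throws IOException {
        String keyPath = System.getenv("GOOGLE_APPLICATION_CREDENTIALS");
        if (keyPath == null) {
            throw new IOException("Service account key file not set through GOOGLE_APPLICATION_CREDENTIALS env variable.");
        }
        try (FileInputStream in = new FileInputStream(keyPath)) {
            return new JsonObjectParser(OAuth2Utils.JSON_FACTORY)
                    .parseAndClose(in, StandardCharsets.UTF_8, GenericJson.class);
        }
    }

    /**
     * Like {@link #getXmlValueByTagName} but fails the test, without echoing the response body
     * (it contains the secret key), when the tag is absent.
     */
    private static String requireXmlValue(String xml, String tagName) {
        String value = getXmlValueByTagName(xml, tagName);
        Assert.assertNotNull("AWS STS response did not contain <" + tagName + ">.", value);
        return value;
    }

    /**
     * Returns the text between the first {@code <tagName>} and the following {@code </tagName>},
     * or {@code null} if either is missing. This is a plain substring scan, not an XML parse: no
     * entity decoding, no attribute or namespace handling, first occurrence only. It is adequate
     * for the flat, trusted STS response used here and should not be reused on arbitrary XML.
     */
    private static String getXmlValueByTagName(String xml, String tagName) {
        String openTag = "<" + tagName + ">";
        int start = xml.indexOf(openTag);
        int end = xml.indexOf("</" + tagName + ">", start);
        if (start < 0 || end <= start) {
            return null;
        }
        return xml.substring(start + openTag.length(), end);
    }
}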
