package io.quarkiverse.googlecloudservices.common;

import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.SecurityIdentity;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.Date;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ContextNotActiveException;
import javax.enterprise.inject.Default;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.inject.Singleton;

@Singleton
/* loaded from: input_file:io/quarkiverse/googlecloudservices/common/GcpCredentialProducer.class */
public class GcpCredentialProducer {
    private static final String CLOUD_OAUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    @Inject
    Instance<SecurityIdentity> securityIdentity;

    @Inject
    GcpConfigHolder gcpConfigHolder;

    @PostConstruct
    public void verifySecurityIdentity() {
        if (this.securityIdentity.isResolvable() && this.securityIdentity.isAmbiguous()) {
            throw new IllegalStateException("Multiple " + SecurityIdentity.class + " beans registered");
        }
    }

    @Singleton
    @Default
    @Produces
    public GoogleCredentials googleCredential() throws IOException {
        GcpBootstrapConfiguration bootstrapConfig = this.gcpConfigHolder.getBootstrapConfig();
        if (bootstrapConfig.serviceAccountLocation.isPresent()) {
            FileInputStream fileInputStream = new FileInputStream(bootstrapConfig.serviceAccountLocation.get());
            try {
                GoogleCredentials createScoped = GoogleCredentials.fromStream(fileInputStream).createScoped(new String[]{CLOUD_OAUTH_SCOPE});
                fileInputStream.close();
                return createScoped;
            } catch (Throwable th) {
                try {
                    fileInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
        if (bootstrapConfig.serviceAccountEncodedKey.isPresent()) {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.getDecoder().decode(bootstrapConfig.serviceAccountEncodedKey.get()));
            try {
                GoogleCredentials createScoped2 = GoogleCredentials.fromStream(byteArrayInputStream).createScoped(new String[]{CLOUD_OAUTH_SCOPE});
                byteArrayInputStream.close();
                return createScoped2;
            } catch (Throwable th3) {
                try {
                    byteArrayInputStream.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
                throw th3;
            }
        }
        if (bootstrapConfig.accessTokenEnabled && this.securityIdentity.isResolvable() && !isAnonymous((SecurityIdentity) this.securityIdentity.get())) {
            for (TokenCredential tokenCredential : ((SecurityIdentity) this.securityIdentity.get()).getCredentials()) {
                if ((tokenCredential instanceof TokenCredential) && "bearer".equals(tokenCredential.getType())) {
                    return GoogleCredentials.create(new AccessToken(tokenCredential.getToken(), (Date) null)).createScoped(new String[]{CLOUD_OAUTH_SCOPE});
                }
            }
        }
        return GoogleCredentials.getApplicationDefault().createScoped(new String[]{CLOUD_OAUTH_SCOPE});
    }

    private boolean isAnonymous(SecurityIdentity securityIdentity) {
        try {
            return securityIdentity.isAnonymous();
        } catch (ContextNotActiveException e) {
            return true;
        }
    }
}
