package org.springframework.cloud.config.server.environment.secretmanager;

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.api.services.cloudresourcemanager.CloudResourceManager;
import com.google.api.services.cloudresourcemanager.model.TestIamPermissionsRequest;
import com.google.api.services.cloudresourcemanager.model.TestIamPermissionsResponse;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.secretmanager.v1.AccessSecretVersionRequest;
import com.google.cloud.secretmanager.v1.ListSecretVersionsRequest;
import com.google.cloud.secretmanager.v1.ListSecretsRequest;
import com.google.cloud.secretmanager.v1.ProjectName;
import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.cloud.secretmanager.v1.SecretVersion;
import com.google.cloud.secretmanager.v1.SecretVersionName;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Date;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:BOOT-INF/lib/spring-cloud-config-server-3.1.7.jar:org/springframework/cloud/config/server/environment/secretmanager/GoogleSecretManagerV1AccessStrategy.class */
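/**
 * {@link GoogleSecretManagerAccessStrategy} backed by the Secret Manager v1 client.
 *
 * <p>Security model visible in this class: every secret read goes through {@link #client},
 * i.e. with the config server's own credentials. The caller-supplied access token
 * ({@code X-Config-Token}) is used only by {@link #checkRemotePermissions()}, so that method is
 * the sole per-caller authorization check here. Code that returns secret values to a caller is
 * expected to invoke it first and honour a {@code FALSE} result (the call site is not part of
 * this class; verify it).
 */
public class GoogleSecretManagerV1AccessStrategy implements GoogleSecretManagerAccessStrategy {
    private static final String APPLICATION_NAME = "spring-cloud-config-server";
    private static final String ACCESS_SECRET_PERMISSION = "secretmanager.versions.access";
    private static final Log logger = LogFactory.getLog(GoogleSecretManagerV1AccessStrategy.class);

    private final SecretManagerServiceClient client;
    private final RestTemplate rest;
    private final GoogleConfigProvider configProvider;

    /**
     * Creates a strategy whose client uses either a credentials file or the library defaults.
     *
     * @param restTemplate used for the metadata-server fallback in project id resolution
     * @param googleConfigProvider source of the access token and project id values
     * @param str path to a Google credentials file; when null or empty the client is created
     *     with {@link SecretManagerServiceClient#create()} instead
     * @throws IOException if the credentials file cannot be read or the client cannot be created
     */
    public GoogleSecretManagerV1AccessStrategy(RestTemplate restTemplate, GoogleConfigProvider googleConfigProvider, String str) throws IOException {
        SecretManagerServiceClient created;
        if (StringUtils.isNotEmpty(str)) {
            SecretManagerServiceSettings settings = SecretManagerServiceSettings.newBuilder()
                    .setCredentialsProvider(FixedCredentialsProvider.create(loadCredentials(str)))
                    .build();
            created = SecretManagerServiceClient.create(settings);
        } else {
            created = SecretManagerServiceClient.create();
        }
        this.client = created;
        this.rest = restTemplate;
        this.configProvider = googleConfigProvider;
    }

    /**
     * Creates a strategy around an already configured client.
     *
     * @param restTemplate used for the metadata-server fallback in project id resolution
     * @param googleConfigProvider source of the access token and project id values
     * @param secretManagerServiceClient client used for all Secret Manager calls
     */
    public GoogleSecretManagerV1AccessStrategy(RestTemplate restTemplate, GoogleConfigProvider googleConfigProvider, SecretManagerServiceClient secretManagerServiceClient) {
        this.client = secretManagerServiceClient;
        this.rest = restTemplate;
        this.configProvider = googleConfigProvider;
    }

    /**
     * Lists every secret of the resolved project, following all result pages.
     *
     * @return a new mutable list of the project's secrets
     */
    @Override
    public List<Secret> getSecrets() {
        ListSecretsRequest request = ListSecretsRequest.newBuilder()
                .setParent(ProjectName.of(getProjectId()).toString())
                .build();
        List<Secret> secrets = new ArrayList<>();
        this.client.listSecrets(request).iterateAll().forEach(secrets::add);
        return secrets;
    }

    /** Lists every version of {@code secret}, following all result pages. */
    private List<SecretVersion> getSecretVersions(Secret secret) {
        ListSecretVersionsRequest request = ListSecretVersionsRequest.newBuilder()
                .setParent(SecretName.parse(secret.getName()).toString())
                .build();
        List<SecretVersion> versions = new ArrayList<>();
        this.client.listSecretVersions(request).iterateAll().forEach(versions::add);
        return versions;
    }

    /**
     * Returns the payload of the enabled version that {@code comparator} ranks highest.
     *
     * @param secret the secret whose versions are examined
     * @param comparator ranks versions; it is called with {@code null} as the second argument
     *     until a first candidate has been chosen, so it must tolerate that
     * @return the payload decoded as UTF-8, or {@code null} when no enabled version is selected
     */
    @Override
    public String getSecretValue(Secret secret, Comparator<SecretVersion> comparator) {
        SecretVersion winner = null;
        for (SecretVersion candidate : getSecretVersions(secret)) {
            boolean enabled = candidate.getState().getNumber() == SecretVersion.State.ENABLED_VALUE;
            if (enabled && comparator.compare(candidate, winner) > 0) {
                winner = candidate;
            }
        }
        if (winner == null) {
            return null;
        }
        AccessSecretVersionRequest request = AccessSecretVersionRequest.newBuilder()
                .setName(SecretVersionName.parse(winner.getName()).toString())
                .build();
        // The decoded value is secret material: callers should keep it out of logs and messages.
        return this.client.accessSecretVersion(request).getPayload().getData().toStringUtf8();
    }

    /**
     * Extracts the short secret id from the secret's full resource name.
     *
     * @param secret the secret to name
     * @return the secret id component of {@code secret.getName()}
     */
    @Override
    public String getSecretName(Secret secret) {
        return SecretName.parse(secret.getName()).getSecret();
    }

    /**
     * Asks Cloud Resource Manager whether the caller's access token holds
     * {@code secretmanager.versions.access} on the resolved project.
     *
     * <p>Fails closed: any exception, a missing permission list, or a list that does not contain
     * the requested permission yields {@code FALSE}.
     *
     * @return {@code TRUE} only when the response explicitly lists the requested permission
     */
    @Override
    public Boolean checkRemotePermissions() {
        try {
            GoogleCredentials callerCredentials = new GoogleCredentials(new AccessToken(getAccessToken(), (Date) null));
            CloudResourceManager resourceManager = new CloudResourceManager.Builder(
                    GoogleNetHttpTransport.newTrustedTransport(),
                    JacksonFactory.getDefaultInstance(),
                    new HttpCredentialsAdapter(callerCredentials))
                    .setApplicationName(APPLICATION_NAME)
                    .build();
            TestIamPermissionsRequest request = new TestIamPermissionsRequest()
                    .setPermissions(Arrays.asList(ACCESS_SECRET_PERMISSION));
            TestIamPermissionsResponse response = resourceManager.projects()
                    .testIamPermissions(getProjectId(), request)
                    .execute();
            // Check the granted list itself. response.size() counts the JSON fields of the
            // response object, not the permissions, so it would also accept an empty list.
            List<String> granted = response.getPermissions();
            if (granted != null && granted.contains(ACCESS_SECRET_PERMISSION)) {
                return Boolean.TRUE;
            }
            logger.warn("Access token has no permissions to access secrets in project");
            return Boolean.FALSE;
        } catch (Exception e) {
            logger.info("Unable to check token permissions", e);
            return Boolean.FALSE;
        }
    }

    /**
     * Reads the caller's access token from the config provider under {@code X-Config-Token}.
     * The token is a bearer credential and must never be logged.
     */
    private String getAccessToken() {
        // NOTE(review): the boolean argument presumably marks the value as required - confirm.
        return this.configProvider.getValue("X-Config-Token", true);
    }

    /**
     * Resolves the project id from the config provider, falling back to the metadata endpoint
     * when the provider throws.
     *
     * <p>NOTE(review): the key constant lives in {@code HttpHeaderGoogleConfigProvider}, which
     * suggests the value can come from a request header. If so, the project is chosen by the
     * caller, and the permission check and the secret listing both follow that choice.
     */
    private String getProjectId() {
        try {
            return this.configProvider.getValue(HttpHeaderGoogleConfigProvider.PROJECT_ID_HEADER, true);
        } catch (Exception e) {
            // Any provider failure falls back to the project the server itself runs in.
            HttpEntity<String> entity = new HttpEntity<>("parameters", getMetadataHttpHeaders());
            return this.rest.exchange(GoogleSecretManagerEnvironmentProperties.GOOGLE_METADATA_PROJECT_URL, HttpMethod.GET, entity, String.class).getBody();
        }
    }

    /** Builds the {@code Metadata-Flavor: Google} header sent with the metadata request. */
    private static HttpHeaders getMetadataHttpHeaders() {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.set("Metadata-Flavor", "Google");
        return httpHeaders;
    }

    /**
     * Loads credentials from {@code path}, closing the file whether or not parsing succeeds.
     *
     * @throws IOException if the file cannot be opened or parsed
     */
    private static GoogleCredentials loadCredentials(String path) throws IOException {
        try (FileInputStream in = new FileInputStream(new File(path))) {
            return GoogleCredentials.fromStream(in);
        }
    }
}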
