package org.springframework.cloud.config.server.environment.vault.authentication;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import java.io.ByteArrayInputStream;
import java.util.Base64;
import org.springframework.cloud.config.server.environment.VaultEnvironmentProperties;
import org.springframework.cloud.config.server.environment.vault.SpringVaultClientAuthenticationProvider;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.GcpCredentialSupplier;
import org.springframework.vault.authentication.GcpIamAuthentication;
import org.springframework.vault.authentication.GcpIamAuthenticationOptions;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:BOOT-INF/lib/spring-cloud-config-server-3.1.7.jar:org/springframework/cloud/config/server/environment/vault/authentication/GcpIamClientAuthenticationProvider.class */
public class GcpIamClientAuthenticationProvider extends SpringVaultClientAuthenticationProvider {

    /* loaded from: input_file:BOOT-INF/lib/spring-cloud-config-server-3.1.7.jar:org/springframework/cloud/config/server/environment/vault/authentication/GcpIamClientAuthenticationProvider$GcpCredentialProvider.class */
    private static class GcpCredentialProvider {
        private GcpCredentialProvider() {
        }

        public static GcpCredentialSupplier getGoogleCredential(VaultEnvironmentProperties.GcpIamProperties gcpIamProperties) {
            return () -> {
                VaultEnvironmentProperties.GcpCredentials credentials = gcpIamProperties.getCredentials();
                return credentials.getLocation() != null ? GoogleCredential.fromStream(credentials.getLocation().getInputStream()) : StringUtils.hasText(credentials.getEncodedKey()) ? GoogleCredential.fromStream(new ByteArrayInputStream(Base64.getDecoder().decode(credentials.getEncodedKey()))) : GoogleCredential.getApplicationDefault();
            };
        }
    }

    public GcpIamClientAuthenticationProvider() {
        super(VaultEnvironmentProperties.AuthenticationMethod.GCP_IAM);
    }

    @Override // org.springframework.cloud.config.server.environment.vault.SpringVaultClientAuthenticationProvider
    public ClientAuthentication getClientAuthentication(VaultEnvironmentProperties vaultEnvironmentProperties, RestOperations restOperations, RestOperations restOperations2) {
        assertClassPresent("com.google.api.client.googleapis.auth.oauth2.GoogleCredential", missingClassForAuthMethod("GoogleCredential", "google-api-client", VaultEnvironmentProperties.AuthenticationMethod.GCP_IAM));
        VaultEnvironmentProperties.GcpIamProperties gcpIam = vaultEnvironmentProperties.getGcpIam();
        Assert.hasText(gcpIam.getRole(), missingPropertyForAuthMethod("gcp-iam.role", VaultEnvironmentProperties.AuthenticationMethod.GCP_IAM));
        GcpIamAuthenticationOptions.GcpIamAuthenticationOptionsBuilder jwtValidity = GcpIamAuthenticationOptions.builder().path(gcpIam.getGcpPath()).role(gcpIam.getRole()).jwtValidity(gcpIam.getJwtValidity());
        if (StringUtils.hasText(gcpIam.getProjectId())) {
            jwtValidity.projectId(gcpIam.getProjectId());
        }
        if (StringUtils.hasText(gcpIam.getServiceAccountId())) {
            jwtValidity.serviceAccountId(gcpIam.getServiceAccountId());
        }
        jwtValidity.credential(GcpCredentialProvider.getGoogleCredential(gcpIam).get());
        return new GcpIamAuthentication(jwtValidity.build(), restOperations);
    }
}
