package org.springframework.vault.authentication;

import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.gax.rpc.TransportChannelProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.IamCredentialsSettings;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import com.google.cloud.iam.credentials.v1.stub.IamCredentialsStubSettings;
import java.io.IOException;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.Assert;
import org.springframework.vault.VaultException;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/GcpIamCredentialsAuthentication.class */
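/**
 * GCP IAM login implementation using the IAM Credentials API.
 * <p>
 * A short-lived JWT describing the service account ({@code sub}), the Vault role ({@code aud}) and an
 * expiry ({@code exp}) is signed remotely via {@code IamCredentialsClient.signJwt} and then exchanged
 * for a {@link VaultToken} by the inherited {@code doLogin}. The private key of the target service
 * account is never handled by this process; only the calling {@link GoogleCredentials} are.
 * <p>
 * Note: the decompiled original leaked the {@code IamCredentialsClient} when {@code signJwt} threw
 * (its close path was only reached on success); the client is now managed with try-with-resources.
 */
public class GcpIamCredentialsAuthentication extends GcpJwtAuthenticationSupport implements ClientAuthentication {

    /** Serializes the JWT claim set into the JSON string that the IAM Credentials API signs. */
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();

    private final GcpIamCredentialsAuthenticationOptions options;

    private final TransportChannelProvider transportChannelProvider;

    /**
     * Credentials that call the IAM Credentials API. Resolved once in the constructor and reused for
     * every {@link #login()}; they also feed the service-account id accessor.
     */
    private final GoogleCredentials credentials;

    /**
     * Create a new {@link GcpIamCredentialsAuthentication} using the default gRPC transport of the
     * IAM Credentials stub.
     *
     * @param gcpIamCredentialsAuthenticationOptions must not be {@literal null}.
     * @param restOperations must not be {@literal null}.
     */
    public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions gcpIamCredentialsAuthenticationOptions, RestOperations restOperations) {
        this(gcpIamCredentialsAuthenticationOptions, restOperations,
                IamCredentialsStubSettings.defaultGrpcTransportProviderBuilder().build());
    }

    /**
     * Create a new {@link GcpIamCredentialsAuthentication} with an explicit transport, e.g. to route
     * IAM Credentials calls through a specific channel or endpoint.
     *
     * @param gcpIamCredentialsAuthenticationOptions must not be {@literal null}.
     * @param restOperations must not be {@literal null}.
     * @param transportChannelProvider must not be {@literal null}.
     * @throws IllegalArgumentException if any argument is {@literal null} (via {@link Assert#notNull}).
     */
    public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions gcpIamCredentialsAuthenticationOptions, RestOperations restOperations, TransportChannelProvider transportChannelProvider) {

        super(restOperations);

        Assert.notNull(gcpIamCredentialsAuthenticationOptions, "GcpAuthenticationOptions must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        Assert.notNull(transportChannelProvider, "TransportChannelProvider must not be null");

        this.options = gcpIamCredentialsAuthenticationOptions;
        this.transportChannelProvider = transportChannelProvider;
        // The supplier is consulted exactly once; whatever it yields is used for the lifetime of this object.
        this.credentials = gcpIamCredentialsAuthenticationOptions.getCredentialSupplier().get();
    }

    /**
     * Sign a fresh JWT and exchange it at the configured Vault mount path and role.
     *
     * @return the Vault token issued for the signed JWT.
     * @throws VaultException if signing or the login exchange fails.
     */
    @Override
    public VaultToken login() throws VaultException {
        return doLogin("GCP-IAM", signJwt(), this.options.getPath(), this.options.getRole());
    }

    /**
     * Build the login JWT and have the IAM Credentials API sign it on behalf of the configured
     * service account.
     *
     * @return the compact, signed JWT.
     * @throws VaultLoginException if the IAM Credentials client cannot be created or the call fails
     * with an {@link IOException}.
     */
    protected String signJwt() {

        String serviceAccountId = getServiceAccountId();
        Map<String, Object> jwtPayload = getJwtPayload(this.options, serviceAccountId);

        try (IamCredentialsClient client = IamCredentialsClient.create(IamCredentialsSettings.newBuilder()
                .setCredentialsProvider(() -> this.credentials)
                .setTransportChannelProvider(this.transportChannelProvider)
                .build())) {

            // "-" is the IAM Credentials project wildcard: the account is addressed by id alone.
            ServiceAccountName name = ServiceAccountName.of("-", serviceAccountId);

            // No delegation chain: the calling credentials must hold the signJwt permission on the
            // target account directly.
            return client.signJwt(name, Collections.emptyList(), JSON_FACTORY.toString(jwtPayload))
                    .getSignedJwt();
        }
        catch (IOException e) {
            throw new VaultLoginException("Cannot sign JWT", e);
        }
    }

    /**
     * Resolve the service account id to place in the JWT {@code sub} claim from the configured
     * accessor and the calling credentials.
     */
    private String getServiceAccountId() {
        return this.options.getServiceAccountIdAccessor().getServiceAccountId(this.credentials);
    }

    /**
     * Assemble the claim set Vault expects from a GCP IAM login JWT.
     * <p>
     * {@code aud} is bound to the Vault role so a JWT minted for one role is not accepted for
     * another; {@code exp} derives from the configured clock plus the configured validity, which
     * should stay short (Vault's GCP auth method also caps the accepted expiry per role).
     *
     * @param options source of clock, validity and role.
     * @param serviceAccountId value of the {@code sub} claim.
     * @return an insertion-ordered map ({@code sub}, {@code aud}, {@code exp}) ready for serialization.
     */
    private static Map<String, Object> getJwtPayload(GcpIamCredentialsAuthenticationOptions options, String serviceAccountId) {

        Instant expiration = options.getClock().instant().plus((TemporalAmount) options.getJwtValidity());

        // LinkedHashMap keeps claim order stable in the serialized JSON.
        Map<String, Object> payload = new LinkedHashMap<>();
        payload.put("sub", serviceAccountId);
        payload.put("aud", "vault/" + options.getRole());
        payload.put("exp", Long.valueOf(expiration.getEpochSecond()));

        return payload;
    }
}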
