package com.databricks.internal.sdk.core;

import com.databricks.internal.google.auth.oauth2.GoogleCredentials;
import com.databricks.internal.google.auth.oauth2.IdTokenCredentials;
import com.databricks.internal.google.auth.oauth2.IdTokenProvider;
import com.databricks.internal.google.auth.oauth2.ImpersonatedCredentials;
import com.databricks.internal.sdk.core.utils.GoogleUtils;
import com.databricks.internal.slf4j.Logger;
import com.databricks.internal.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;

/* loaded from: input_file:com/databricks/internal/sdk/core/GoogleIdCredentialsProvider.class */
public class GoogleIdCredentialsProvider implements CredentialsProvider {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) GoogleIdCredentialsProvider.class);

    @Override // com.databricks.internal.sdk.core.CredentialsProvider
    public String authType() {
        return "google-id";
    }

    @Override // com.databricks.internal.sdk.core.CredentialsProvider
    public HeaderFactory configure(DatabricksConfig databricksConfig) {
        String host = databricksConfig.getHost();
        String googleServiceAccount = databricksConfig.getGoogleServiceAccount();
        if (host == null || googleServiceAccount == null || !databricksConfig.isGcp()) {
            return null;
        }
        try {
            GoogleCredentials applicationDefault = GoogleCredentials.getApplicationDefault();
            IdTokenCredentials build = IdTokenCredentials.newBuilder().setIdTokenProvider(ImpersonatedCredentials.create(applicationDefault, googleServiceAccount, null, new ArrayList(), 3600)).setTargetAudience(host).setOptions(Collections.singletonList(IdTokenProvider.Option.INCLUDE_EMAIL)).build();
            ImpersonatedCredentials create = ImpersonatedCredentials.create(applicationDefault, googleServiceAccount, null, GoogleUtils.GCP_SCOPES, 3600);
            return () -> {
                HashMap hashMap = new HashMap();
                try {
                    hashMap.put("Authorization", String.format("Bearer %s", build.refreshAccessToken().getTokenValue()));
                    if (databricksConfig.isAccountClient()) {
                        try {
                            hashMap.put(GoogleUtils.SA_ACCESS_TOKEN_HEADER, create.refreshAccessToken().getTokenValue());
                        } catch (IOException e) {
                            LOG.error("Failed to refresh access token from scoped id token credentials." + e);
                            throw new DatabricksException("Failed to refresh access token from scoped id token credentials.", e);
                        }
                    }
                    return hashMap;
                } catch (IOException e2) {
                    LOG.error("Failed to refresh access token from id token credentials." + e2);
                    throw new DatabricksException("Failed to refresh access token from id token credentials.", e2);
                }
            };
        } catch (IOException e) {
            LOG.warn("Failed to get Google application default credential." + e);
            return null;
        }
    }
}
