package io.unitycatalog.server.service.credential.gcp;

import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2Credentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.common.base.CharMatcher;
import io.unitycatalog.server.exception.BaseException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.persist.utils.ServerPropertiesUtils;
import io.unitycatalog.server.service.credential.CredentialContext;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.sql.Date;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.iceberg.Files;

/* loaded from: input_file:io/unitycatalog/server/service/credential/gcp/GcpCredentialVendor.class */
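/**
 * Vends downscoped GCP access tokens for a {@link CredentialContext}.
 *
 * <p>The source credential is either the service-account key file configured for the
 * context's storage base (see {@code gcsConfigurations}) or, when nothing is configured,
 * Application Default Credentials. The source credential is then narrowed with a
 * {@link CredentialAccessBoundary} so the vended token only reaches the buckets and object
 * prefixes named in the context, with the roles derived from the requested privileges.
 *
 * <p>A configured value starting with {@code testing://} short-circuits all of this and is
 * returned verbatim as a never-expiring token; it is intended for integration tests only.
 */
public class GcpCredentialVendor {
    /** OAuth scope requested on the source credential before it is downscoped. */
    public static final List<String> INITIAL_SCOPES = List.of("https://www.googleapis.com/auth/cloud-platform");

    /** Prefix marking a configured value that is handed back as the token itself (test-only). */
    private static final String TESTING_PREFIX = "testing://";

    /** Far-future expiration (roughly year 9999) used for the test-only passthrough token. */
    private static final long NEVER_EXPIRES_EPOCH_MILLIS = 253370790000000L;

    /**
     * Characters that would terminate or escape the single-quoted CEL string literals built in
     * {@link #accessBoundaryRuleFor}; a location containing them is rejected rather than spliced
     * into the boundary condition.
     */
    private static final CharMatcher CEL_UNSAFE = CharMatcher.anyOf("'\\");

    /** Storage base URI -> path of the service-account key JSON file for that base. */
    private final Map<String, String> gcsConfigurations = ServerPropertiesUtils.getInstance().getGcsConfigurations();

    /**
     * Returns a fresh access token scoped down to the locations and privileges in
     * {@code credentialContext}.
     *
     * @param credentialContext the storage base, locations and privileges being vended for
     * @return a downscoped access token, or the configured passthrough value in test mode
     * @throws BaseException with {@link ErrorCode#FAILED_PRECONDITION} if no source credential
     *     can be loaded or the token exchange fails; with {@link ErrorCode#INVALID_ARGUMENT}
     *     if a location cannot be expressed safely in the access boundary
     */
    public AccessToken vendGcpToken(CredentialContext credentialContext) {
        String keyFilePath = this.gcsConfigurations.get(credentialContext.getStorageBase());
        if (keyFilePath != null && keyFilePath.startsWith(TESTING_PREFIX)) {
            // Test-only passthrough: the configured string is the token and nothing is
            // downscoped. Such a value must never appear in a production configuration.
            return AccessToken.newBuilder()
                    .setTokenValue(keyFilePath)
                    // java.util.Date spelled out: the file imports java.sql.Date, which only
                    // resolves to the inherited java.util.Date.from(Instant) anyway.
                    .setExpirationTime(java.util.Date.from(Instant.ofEpochMilli(NEVER_EXPIRES_EPOCH_MILLIS)))
                    .build();
        }
        GoogleCredentials source = loadSourceCredentials(keyFilePath);
        try {
            return downscopeGcpCreds(source.createScoped(INITIAL_SCOPES), credentialContext).refreshAccessToken();
        } catch (IOException e) {
            throw new BaseException(ErrorCode.FAILED_PRECONDITION, "Failed to obtain downscoped GCS token.", e);
        }
    }

    /**
     * Loads the source credential: Application Default Credentials when no key file is
     * configured, otherwise the service-account key JSON at {@code keyFilePath}.
     *
     * @param keyFilePath configured key-file path, may be null or empty
     * @throws BaseException with {@link ErrorCode#FAILED_PRECONDITION} if loading fails
     */
    private static GoogleCredentials loadSourceCredentials(String keyFilePath) {
        if (keyFilePath == null || keyFilePath.isEmpty()) {
            try {
                return GoogleCredentials.getApplicationDefault();
            } catch (IOException e) {
                throw new BaseException(ErrorCode.FAILED_PRECONDITION, "GCS credentials not found.", e);
            }
        }
        // try-with-resources: the key-file stream was previously opened and never closed.
        try (InputStream keyStream = Files.localInput(keyFilePath).newStream()) {
            return ServiceAccountCredentials.fromStream(keyStream);
        } catch (IOException e) {
            throw new BaseException(ErrorCode.FAILED_PRECONDITION, "Failed to read GCS service account key file.", e);
        }
    }

    /**
     * Wraps {@code googleCredentials} in {@link DownscopedCredentials} whose access boundary
     * has one rule per location in {@code credentialContext}, each granting the roles resolved
     * from the context's privileges on that bucket and object prefix.
     *
     * @param googleCredentials the (already scoped) source credential
     * @param credentialContext supplies the locations and privileges
     * @return downscoped credentials; the token is not fetched until it is refreshed
     * @throws BaseException with {@link ErrorCode#INVALID_ARGUMENT} for an unusable location
     */
    OAuth2Credentials downscopeGcpCreds(GoogleCredentials googleCredentials, CredentialContext credentialContext) {
        List<String> permissions = resolvePrivilegesToRoles(credentialContext.getPrivileges());
        CredentialAccessBoundary.Builder boundary = CredentialAccessBoundary.newBuilder();
        credentialContext.getLocations().forEach(location ->
                boundary.addRule(accessBoundaryRuleFor(URI.create(location), permissions)));
        return DownscopedCredentials.newBuilder()
                .setSourceCredential(googleCredentials)
                .setCredentialAccessBoundary(boundary.build())
                .build();
    }

    /**
     * Builds the boundary rule for one {@code gs://bucket/prefix} location: the bucket is the
     * available resource, and a CEL condition restricts it to objects under the prefix (plus
     * list calls whose prefix starts with it).
     *
     * @param location parsed storage location; host is the bucket, path the object prefix
     * @param permissions role bindings to make available on the bucket
     * @throws BaseException with {@link ErrorCode#INVALID_ARGUMENT} if the bucket is missing
     *     or either part contains a character that could break out of the CEL literal
     */
    private static CredentialAccessBoundary.AccessBoundaryRule accessBoundaryRuleFor(URI location, List<String> permissions) {
        String bucket = location.getHost();
        String rawPath = location.getPath();
        if (bucket == null || bucket.isEmpty() || rawPath == null) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Unsupported GCS location: " + location);
        }
        String prefix = CharMatcher.is('/').trimLeadingFrom(rawPath);
        // Both values are interpolated into single-quoted CEL literals; a quote or backslash
        // would malform the condition or widen it beyond the intended prefix.
        if (CEL_UNSAFE.matchesAnyOf(bucket) || CEL_UNSAFE.matchesAnyOf(prefix)) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Unsupported character in GCS location: " + location);
        }
        String condition =
                String.format("resource.name.startsWith('projects/_/buckets/%s/objects/%s')", bucket, prefix)
                        + " || "
                        + String.format("api.getAttribute('storage.googleapis.com/objectListPrefix', '').startsWith('%s')", prefix);
        return CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
                .setAvailablePermissions(permissions)
                .setAvailabilityCondition(
                        CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
                                .setExpression(condition)
                                .build())
                .setAvailableResource(String.format("//storage.googleapis.com/projects/_/buckets/%s", bucket))
                .build();
    }

    /**
     * Maps the requested privileges to the GCS role bindings made available on each bucket:
     * {@code UPDATE} yields object admin, otherwise {@code SELECT} yields object viewer.
     *
     * @param set privileges requested for the vended credential
     * @return the single role binding to grant, or an empty list when neither privilege is
     *     present (no permissions are then made available by the boundary)
     */
    List<String> resolvePrivilegesToRoles(Set<CredentialContext.Privilege> set) {
        if (set.contains(CredentialContext.Privilege.UPDATE)) {
            return List.of("inRole:roles/storage.objectAdmin");
        }
        if (set.contains(CredentialContext.Privilege.SELECT)) {
            return List.of("inRole:roles/storage.objectViewer");
        }
        return List.of();
    }
}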
