package org.finos.legend.engine.authentication.flows;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
import java.text.SimpleDateFormat;
import java.time.Clock;
import java.time.ZoneOffset;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.SimpleTimeZone;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.eclipse.collections.impl.list.mutable.FastList;
import org.finos.legend.engine.authentication.DatabaseAuthenticationFlow;
import org.finos.legend.engine.authentication.LegendDefaultDatabaseAuthenticationFlowProviderConfiguration;
import org.finos.legend.engine.protocol.pure.v1.model.packageableElement.store.relational.connection.DatabaseType;
import org.finos.legend.engine.protocol.pure.v1.model.packageableElement.store.relational.connection.authentication.GCPWorkloadIdentityFederationAuthenticationStrategy;
import org.finos.legend.engine.protocol.pure.v1.model.packageableElement.store.relational.connection.specification.BigQueryDatasourceSpecification;
import org.finos.legend.engine.shared.core.identity.Credential;
import org.finos.legend.engine.shared.core.identity.Identity;
import org.finos.legend.engine.shared.core.identity.credential.OAuthCredential;
import org.finos.legend.engine.shared.core.vault.Vault;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.auth.signer.Aws4Signer;
import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.utils.http.SdkHttpUtils;

/* loaded from: input_file:org/finos/legend/engine/authentication/flows/BigQueryWithGCPWorkloadIdentityFederationFlow.class */
public class BigQueryWithGCPWorkloadIdentityFederationFlow implements DatabaseAuthenticationFlow<BigQueryDatasourceSpecification, GCPWorkloadIdentityFederationAuthenticationStrategy> {
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    public static final String STS = "sts";
    public static final String HTTPS = "https";
    public static final String AWS_STS_HOST = "sts.amazonaws.com";
    public static final String GCP_STS_HOST = "sts.googleapis.com";
    public static final String GCP_IAM_CREDENTIALS_HOST = "iamcredentials.googleapis.com";
    public static final String ISO8601BasicFormat = "yyyyMMdd'T'HHmmss'Z'";
    private final LegendDefaultDatabaseAuthenticationFlowProviderConfiguration flowProviderConfiguration;

    public BigQueryWithGCPWorkloadIdentityFederationFlow(LegendDefaultDatabaseAuthenticationFlowProviderConfiguration legendDefaultDatabaseAuthenticationFlowProviderConfiguration) {
        this.flowProviderConfiguration = legendDefaultDatabaseAuthenticationFlowProviderConfiguration;
    }

    @Override // org.finos.legend.engine.authentication.DatabaseAuthenticationFlow
    public Class<BigQueryDatasourceSpecification> getDatasourceClass() {
        return BigQueryDatasourceSpecification.class;
    }

    @Override // org.finos.legend.engine.authentication.DatabaseAuthenticationFlow
    public Class<GCPWorkloadIdentityFederationAuthenticationStrategy> getAuthenticationStrategyClass() {
        return GCPWorkloadIdentityFederationAuthenticationStrategy.class;
    }

    @Override // org.finos.legend.engine.authentication.DatabaseAuthenticationFlow
    public DatabaseType getDatabaseType() {
        return DatabaseType.BigQuery;
    }

    @Override // org.finos.legend.engine.authentication.DatabaseAuthenticationFlow
    public Credential makeCredential(Identity identity, BigQueryDatasourceSpecification bigQueryDatasourceSpecification, GCPWorkloadIdentityFederationAuthenticationStrategy gCPWorkloadIdentityFederationAuthenticationStrategy) throws Exception {
        Credentials assumeAWSRoleAndGetCredentials = assumeAWSRoleAndGetCredentials(String.format("arn:aws:iam::%s:role/%s", this.flowProviderConfiguration.getAwsConfig().getAccountId(), this.flowProviderConfiguration.getAwsConfig().getRole()), this.flowProviderConfiguration.getAwsConfig().getRole(), this.flowProviderConfiguration.getAwsConfig().getRegion(), this.flowProviderConfiguration.getAwsConfig().getAwsAccessKeyIdVaultReference(), this.flowProviderConfiguration.getAwsConfig().getAwsSecretAccessKeyVaultReference());
        Date date = new Date();
        String uTCDate = getUTCDate(date);
        String computeCanonicalAWSRequestSignature = computeCanonicalAWSRequestSignature(assumeAWSRoleAndGetCredentials, date, this.flowProviderConfiguration.getAwsConfig().getRegion());
        String format = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s", this.flowProviderConfiguration.getGcpWorkloadConfig().getProjectNumber(), this.flowProviderConfiguration.getGcpWorkloadConfig().getPoolId(), this.flowProviderConfiguration.getGcpWorkloadConfig().getProviderId());
        return new OAuthCredential(getGCPServiceAccountAccessToken(getGCPFederatedAccessToken(SdkHttpUtils.urlEncode(makeAWSCallerIdentityToken(assumeAWSRoleAndGetCredentials, uTCDate, computeCanonicalAWSRequestSignature, format)), format, "urn:ietf:params:aws:token-type:aws4_request"), gCPWorkloadIdentityFederationAuthenticationStrategy.serviceAccountEmail, gCPWorkloadIdentityFederationAuthenticationStrategy.additionalGcpScopes));
    }

    private String getUTCDate(Date date) {
        SimpleDateFormat simpleDateFormat = new SimpleDateFormat(ISO8601BasicFormat);
        simpleDateFormat.setTimeZone(new SimpleTimeZone(0, "UTC"));
        return simpleDateFormat.format(date);
    }

    private Credentials assumeAWSRoleAndGetCredentials(String str, String str2, String str3, String str4, String str5) {
        return ((StsClient) StsClient.builder().region(Region.of(str3)).credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create(Vault.INSTANCE.getValue(str4), Vault.INSTANCE.getValue(str5)))).build()).assumeRole((AssumeRoleRequest) AssumeRoleRequest.builder().roleArn(str).roleSessionName(str2).build()).credentials();
    }

    private String computeCanonicalAWSRequestSignature(Credentials credentials, Date date, String str) {
        return (String) ((List) Aws4Signer.create().sign(SdkHttpFullRequest.builder().method(SdkHttpMethod.POST).host(AWS_STS_HOST).appendRawQueryParameter("Action", "GetCallerIdentity").appendRawQueryParameter("Version", "2011-06-15").protocol(HTTPS).build(), Aws4SignerParams.builder().signingRegion(Region.of(str)).signingName(STS).awsCredentials(AwsSessionCredentials.create(credentials.accessKeyId(), credentials.secretAccessKey(), credentials.sessionToken())).signingClockOverride(Clock.fixed(date.toInstant(), ZoneOffset.UTC)).build()).headers().get("Authorization")).get(0);
    }

    private String makeAWSCallerIdentityToken(Credentials credentials, String str, String str2, String str3) {
        return "{\"url\": \"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15\",\"method\": \"POST\",\"headers\": [{ \"key\": \"Authorization\", \"value\": \"" + str2 + "\" },{ \"key\": \"host\", \"value\" : \"" + AWS_STS_HOST + "\" },{ \"key\": \"x-amz-date\", \"value\": \"" + str + "\"},{ \"key\": \"x-goog-cloud-target-resource\", \"value\": \"" + str3 + "\" },{ \"key\": \"x-amz-security-token\", \"value\": \"" + credentials.sessionToken() + "\" }]}";
    }

    public String getGCPFederatedAccessToken(String str, String str2, String str3) throws IOException, URISyntaxException {
        HttpPost httpPost = new HttpPost(new URIBuilder().setScheme(HTTPS).setHost(GCP_STS_HOST).setPath("v1beta/token").build());
        StringEntity stringEntity = new StringEntity("{\"audience\": \"" + str2 + "\",\"grantType\": \"urn:ietf:params:oauth:grant-type:token-exchange\",\"requestedTokenType\": \"urn:ietf:params:oauth:token-type:access_token\",\"scope\": \"https://www.googleapis.com/auth/cloud-platform\",\"subjectTokenType\": \"" + str3 + "\",\"subjectToken\": \"" + str + "\"}");
        stringEntity.setContentType("application/json");
        httpPost.setEntity(stringEntity);
        try {
            CloseableHttpClient createDefault = HttpClients.createDefault();
            try {
                CloseableHttpResponse execute = createDefault.execute(httpPost);
                try {
                    String asText = OBJECT_MAPPER.readTree(execute.getEntity().getContent()).path("access_token").asText();
                    if (execute != null) {
                        execute.close();
                    }
                    if (createDefault != null) {
                        createDefault.close();
                    }
                    return asText;
                } catch (Throwable th) {
                    if (execute != null) {
                        try {
                            execute.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            throw new RuntimeException("Failed to get Federated Access Token", e);
        }
    }

    public String getGCPServiceAccountAccessToken(String str, String str2, List<String> list) throws URISyntaxException, UnsupportedEncodingException, JsonProcessingException {
        FastList newList = list == null ? FastList.newList() : FastList.newList(list);
        newList.add("https://www.googleapis.com/auth/bigquery");
        HashMap hashMap = new HashMap();
        hashMap.put("scope", newList);
        String writeValueAsString = OBJECT_MAPPER.writeValueAsString(hashMap);
        HttpPost httpPost = new HttpPost(new URIBuilder().setScheme(HTTPS).setHost(GCP_IAM_CREDENTIALS_HOST).setPath(String.format("v1/projects/-/serviceAccounts/%s:generateAccessToken", str2)).build());
        StringEntity stringEntity = new StringEntity(writeValueAsString);
        stringEntity.setContentType("application/json");
        httpPost.setEntity(stringEntity);
        httpPost.setHeader("Authorization", "Bearer " + str);
        try {
            CloseableHttpClient createDefault = HttpClients.createDefault();
            try {
                CloseableHttpResponse execute = createDefault.execute(httpPost);
                try {
                    String asText = OBJECT_MAPPER.readTree(execute.getEntity().getContent()).path("accessToken").asText();
                    if (execute != null) {
                        execute.close();
                    }
                    if (createDefault != null) {
                        createDefault.close();
                    }
                    return asText;
                } catch (Throwable th) {
                    if (execute != null) {
                        try {
                            execute.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            throw new RuntimeException("Failed to get Service Account Access Token", e);
        }
    }
}
