package com.spotify.styx.api;

import com.github.rholder.retry.Attempt;
import com.github.rholder.retry.RetryException;
import com.github.rholder.retry.RetryerBuilder;
import com.github.rholder.retry.StopStrategies;
import com.github.rholder.retry.StopStrategy;
import com.github.rholder.retry.WaitStrategies;
import com.github.rholder.retry.WaitStrategy;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.client.googleapis.util.Utils;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.MembersHasMember;
import com.google.api.services.cloudresourcemanager.CloudResourceManager;
import com.google.api.services.cloudresourcemanager.model.GetIamPolicyRequest;
import com.google.api.services.cloudresourcemanager.model.Policy;
import com.google.api.services.iam.v1.Iam;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ImmutableSet;
import com.spotify.apollo.Response;
import com.spotify.apollo.Status;
import com.spotify.styx.model.WorkflowId;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javaslang.Tuple;
import javaslang.Tuple2;
import javaslang.control.Either;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@FunctionalInterface
/* loaded from: input_file:com/spotify/styx/api/ServiceAccountUsageAuthorizer.class */
public interface ServiceAccountUsageAuthorizer {
    public static final ServiceAccountUsageAuthorizer NOP = (workflowId, str, googleIdToken) -> {
    };

    /* loaded from: input_file:com/spotify/styx/api/ServiceAccountUsageAuthorizer$AllAuthorizationPolicy.class */
    public static class AllAuthorizationPolicy implements AuthorizationPolicy {
        @Override // com.spotify.styx.api.ServiceAccountUsageAuthorizer.AuthorizationPolicy
        public boolean shouldEnforceAuthorization(WorkflowId workflowId, String str, GoogleIdToken googleIdToken) {
            return true;
        }
    }

    /* loaded from: input_file:com/spotify/styx/api/ServiceAccountUsageAuthorizer$AuthorizationPolicy.class */
    public interface AuthorizationPolicy {
        boolean shouldEnforceAuthorization(WorkflowId workflowId, String str, GoogleIdToken googleIdToken);
    }

    /* loaded from: input_file:com/spotify/styx/api/ServiceAccountUsageAuthorizer$Impl.class */
    public static class Impl implements ServiceAccountUsageAuthorizer {
        private static final Logger log = LoggerFactory.getLogger(ServiceAccountUsageAuthorizer.class);
        private static final Pattern SERVICE_ACCOUNT_PATTERN = Pattern.compile("^.+\\.gserviceaccount\\.com$");
        private static final Pattern USER_CREATED_SERVICE_ACCOUNT_PATTERN = Pattern.compile("^.+@(.+)\\.iam\\.gserviceaccount\\.com$");
        private static final StopStrategy DEFAULT_RETRY_STOP_STRATEGY = StopStrategies.stopAfterDelay(10, TimeUnit.SECONDS);
        private static final String CACHE_HIT = "hit";
        private static final String CACHE_MISS = "miss";
        private final Iam iam;
        private final CloudResourceManager crm;
        private final Directory directory;
        private final String serviceAccountUserRole;
        private final AuthorizationPolicy authorizationPolicy;
        private final StopStrategy retryStopStrategy;
        private final Cache<Tuple2<String, String>, Either<Response<?>, Optional<String>>> cache = CacheBuilder.newBuilder().expireAfterWrite(60, TimeUnit.SECONDS).maximumSize(10000).build();

        Impl(Iam iam, CloudResourceManager cloudResourceManager, Directory directory, String str, AuthorizationPolicy authorizationPolicy, StopStrategy stopStrategy) {
            this.iam = (Iam) Objects.requireNonNull(iam, "iam");
            this.crm = (CloudResourceManager) Objects.requireNonNull(cloudResourceManager, "crm");
            this.directory = (Directory) Objects.requireNonNull(directory, "directory");
            this.serviceAccountUserRole = (String) Objects.requireNonNull(str, "serviceAccountUserRole");
            this.authorizationPolicy = (AuthorizationPolicy) Objects.requireNonNull(authorizationPolicy, "authorizationPolicy");
            this.retryStopStrategy = (StopStrategy) Objects.requireNonNull(stopStrategy, "retryStopStrategy");
        }

        @Override // com.spotify.styx.api.ServiceAccountUsageAuthorizer
        public void authorizeServiceAccountUsage(WorkflowId workflowId, String str, GoogleIdToken googleIdToken) {
            String email = googleIdToken.getPayload().getEmail();
            String serviceAccountProjectId = serviceAccountProjectId(workflowId, str);
            AtomicBoolean atomicBoolean = new AtomicBoolean(true);
            Either either = (Either) get(this.cache, Tuple.of(email, str), () -> {
                atomicBoolean.set(false);
                try {
                    return Either.right(firstPresent(() -> {
                        return projectPolicyAccess(serviceAccountProjectId, email).map(str2 -> {
                            return String.format("Principal %s has role %s on service account %s %s", email, this.serviceAccountUserRole, str, str2);
                        });
                    }, () -> {
                        return serviceAccountPolicyAccess(str, email).map(str2 -> {
                            return String.format("Principal %s has role %s on service account %s %s", email, this.serviceAccountUserRole, str, str2);
                        });
                    }));
                } catch (ResponseException e) {
                    return Either.left(e.getResponse());
                }
            });
            if (either.isLeft()) {
                throw new ResponseException((Response) either.left().get());
            }
            boolean shouldEnforceAuthorization = this.authorizationPolicy.shouldEnforceAuthorization(workflowId, str, googleIdToken);
            Optional optional = (Optional) either.right().get();
            if (optional.isPresent()) {
                logAuthorization(workflowId, str, shouldEnforceAuthorization, (String) optional.get(), atomicBoolean.get());
                return;
            }
            logDenial(workflowId, str, shouldEnforceAuthorization, email, atomicBoolean.get());
            if (shouldEnforceAuthorization) {
                throw denialResponseException(str, email, serviceAccountProjectId);
            }
        }

        private static <K, V> V get(Cache<K, V> cache, K k, Callable<V> callable) {
            try {
                return (V) cache.get(k, callable);
            } catch (ExecutionException e) {
                throw new RuntimeException(e);
            }
        }

        private ResponseException denialResponseException(String str, String str2, String str3) {
            return new ResponseException(Response.forStatus(Status.FORBIDDEN.withReasonPhrase("The user " + str2 + " must have the role " + this.serviceAccountUserRole + " on the project " + str3 + " or the service account " + str + ", either through a group membership (recommended) or directly")));
        }

        private void logDenial(WorkflowId workflowId, String str, boolean z, String str2, boolean z2) {
            Logger logger = log;
            Object[] objArr = new Object[5];
            objArr[0] = str2;
            objArr[1] = str;
            objArr[2] = workflowId.toKey();
            objArr[3] = Boolean.valueOf(z);
            objArr[4] = z2 ? CACHE_HIT : CACHE_MISS;
            logger.info("[AUDIT] Principal {} denied use of service account {} in workflow {} (Enforcing: {}, Cache: {})", objArr);
        }

        private void logAuthorization(WorkflowId workflowId, String str, boolean z, String str2, boolean z2) {
            Logger logger = log;
            Object[] objArr = new Object[5];
            objArr[0] = str2;
            objArr[1] = str;
            objArr[2] = workflowId.toKey();
            objArr[3] = Boolean.valueOf(z);
            objArr[4] = z2 ? CACHE_HIT : CACHE_MISS;
            logger.info("[AUDIT] {}, authorizing use of service account {} in workflow {} (Enforcing: {}, Cache: {})", objArr);
        }

        private String serviceAccountProjectId(WorkflowId workflowId, String str) {
            Matcher matcher = USER_CREATED_SERVICE_ACCOUNT_PATTERN.matcher(str);
            if (matcher.matches()) {
                return matcher.group(1);
            }
            log.info("Attempted to use non user created service account {} in workflow {}", str, workflowId.toKey());
            throw new ResponseException(Response.forStatus(Status.BAD_REQUEST.withReasonPhrase("Not a user created service account: " + str)));
        }

        private Optional<String> projectPolicyAccess(String str, String str2) {
            return memberStatus(str2, (List) getProjectPolicy(str).orElseThrow(() -> {
                return new ResponseException(Response.forStatus(Status.BAD_REQUEST.withReasonPhrase("Project does not exist: " + str)));
            }).getBindings().stream().filter(binding -> {
                return this.serviceAccountUserRole.equals(binding.getRole());
            }).flatMap(binding2 -> {
                return binding2.getMembers().stream();
            }).collect(Collectors.toList()));
        }

        private Optional<String> serviceAccountPolicyAccess(String str, String str2) {
            return memberStatus(str2, (List) getServiceAccountPolicy(str).orElseThrow(() -> {
                return new ResponseException(Response.forStatus(Status.BAD_REQUEST.withReasonPhrase("Service account does not exist: " + str)));
            }).getBindings().stream().filter(binding -> {
                return this.serviceAccountUserRole.equals(binding.getRole());
            }).flatMap(binding2 -> {
                return binding2.getMembers().stream();
            }).collect(Collectors.toList()));
        }

        private Optional<String> memberStatus(String str, List<String> list) {
            return list.contains(memberEntry(str)) ? Optional.of("directly") : list.stream().filter(str2 -> {
                return str2.startsWith("group:");
            }).map(str3 -> {
                return str3.substring("group:".length());
            }).filter(str4 -> {
                return isMemberOfGroup(str, str4);
            }).findFirst().map(str5 -> {
                return "via group " + str5;
            });
        }

        private boolean isMemberOfGroup(String str, String str2) {
            try {
                return Boolean.TRUE.equals((Boolean) retry(() -> {
                    return ((MembersHasMember) this.directory.members().hasMember(str2, str).execute()).getIsMember();
                }));
            } catch (ExecutionException e) {
                GoogleJsonResponseException cause = e.getCause();
                if ((cause instanceof GoogleJsonResponseException) && cause.getStatusCode() == 404) {
                    return false;
                }
                throw new RuntimeException(e);
            } catch (RetryException e2) {
                throw new RuntimeException((Throwable) e2);
            }
        }

        private Optional<Policy> getProjectPolicy(String str) {
            try {
                return (Optional) retry(() -> {
                    return Optional.of((Policy) this.crm.projects().getIamPolicy(str, new GetIamPolicyRequest()).execute());
                });
            } catch (RetryException e) {
                throw new RuntimeException((Throwable) e);
            } catch (ExecutionException e2) {
                GoogleJsonResponseException cause = e2.getCause();
                if ((cause instanceof GoogleJsonResponseException) && cause.getStatusCode() == 404) {
                    return Optional.empty();
                }
                throw new RuntimeException(e2);
            }
        }

        private Optional<com.google.api.services.iam.v1.model.Policy> getServiceAccountPolicy(String str) {
            try {
                return (Optional) retry(() -> {
                    return Optional.of((com.google.api.services.iam.v1.model.Policy) this.iam.projects().serviceAccounts().getIamPolicy("projects/-/serviceAccounts/" + str).execute());
                });
            } catch (RetryException e) {
                throw new RuntimeException((Throwable) e);
            } catch (ExecutionException e2) {
                GoogleJsonResponseException cause = e2.getCause();
                if ((cause instanceof GoogleJsonResponseException) && cause.getStatusCode() == 404) {
                    return Optional.empty();
                }
                throw new RuntimeException(e2);
            }
        }

        private <T> T retry(Callable<T> callable) throws ExecutionException, RetryException {
            return (T) RetryerBuilder.newBuilder().retryIfException(Impl::isRetryableException).withWaitStrategy(WaitStrategies.join(new WaitStrategy[]{WaitStrategies.exponentialWait(), WaitStrategies.randomWait(1L, TimeUnit.SECONDS)})).withStopStrategy(this.retryStopStrategy).withRetryListener(Impl::onRequestAttempt).build().call(callable);
        }

        private static <T> void onRequestAttempt(Attempt<T> attempt) {
            if (attempt.hasException()) {
                log.warn("Failed request attempt {}", Long.valueOf(attempt.getAttemptNumber()), attempt.getExceptionCause());
            }
        }

        private static boolean isRetryableException(Throwable th) {
            if (th instanceof IOException) {
                return !(th instanceof GoogleJsonResponseException) || ((GoogleJsonResponseException) th).getStatusCode() / 100 == 5;
            }
            return false;
        }

        private static String memberEntry(String str) {
            return (SERVICE_ACCOUNT_PATTERN.matcher(str).matches() ? "serviceAccount" : "user") + ":" + str;
        }

        @SafeVarargs
        private static <T> Optional<T> firstPresent(Supplier<Optional<T>>... supplierArr) {
            return (Optional) Stream.of((Object[]) supplierArr).map((v0) -> {
                return v0.get();
            }).filter((v0) -> {
                return v0.isPresent();
            }).findFirst().orElse(Optional.empty());
        }
    }

    /* loaded from: input_file:com/spotify/styx/api/ServiceAccountUsageAuthorizer$NoAuthorizationPolicy.class */
    public static class NoAuthorizationPolicy implements AuthorizationPolicy {
        @Override // com.spotify.styx.api.ServiceAccountUsageAuthorizer.AuthorizationPolicy
        public boolean shouldEnforceAuthorization(WorkflowId workflowId, String str, GoogleIdToken googleIdToken) {
            return false;
        }
    }

    /* loaded from: input_file:com/spotify/styx/api/ServiceAccountUsageAuthorizer$WhitelistAuthorizationPolicy.class */
    public static class WhitelistAuthorizationPolicy implements AuthorizationPolicy {
        private final Set<WorkflowId> whitelist;

        public WhitelistAuthorizationPolicy(Iterable<WorkflowId> iterable) {
            this.whitelist = ImmutableSet.copyOf(iterable);
        }

        @Override // com.spotify.styx.api.ServiceAccountUsageAuthorizer.AuthorizationPolicy
        public boolean shouldEnforceAuthorization(WorkflowId workflowId, String str, GoogleIdToken googleIdToken) {
            return this.whitelist.contains(workflowId);
        }
    }

    void authorizeServiceAccountUsage(WorkflowId workflowId, String str, GoogleIdToken googleIdToken);

    static ServiceAccountUsageAuthorizer create(String str, AuthorizationPolicy authorizationPolicy, GoogleCredential googleCredential, String str2) {
        try {
            NetHttpTransport newTrustedTransport = GoogleNetHttpTransport.newTrustedTransport();
            JsonFactory defaultJsonFactory = Utils.getDefaultJsonFactory();
            return new Impl(new Iam.Builder(newTrustedTransport, defaultJsonFactory, googleCredential).setApplicationName(str2).build(), new CloudResourceManager.Builder(newTrustedTransport, defaultJsonFactory, googleCredential).setApplicationName(str2).build(), new Directory.Builder(newTrustedTransport, defaultJsonFactory, googleCredential).setApplicationName(str2).build(), str, authorizationPolicy, Impl.DEFAULT_RETRY_STOP_STRATEGY);
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }
}
