package com.google.cloud.sql.core;

import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.services.sqladmin.SQLAdmin;
import com.google.api.services.sqladmin.model.ConnectSettings;
import com.google.api.services.sqladmin.model.GenerateEphemeralCertRequest;
import com.google.api.services.sqladmin.model.IpMapping;
import com.google.auth.oauth2.AccessToken;
import com.google.cloud.sql.AuthType;
import com.google.common.base.CharMatcher;
import com.google.common.io.BaseEncoding;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import com.google.common.util.concurrent.ListeningScheduledExecutorService;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:com/google/cloud/sql/core/SqlAdminApiFetcher.class */
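/**
 * Fetches Cloud SQL instance metadata and an ephemeral client certificate through the SQL Admin
 * API and assembles the TLS material ({@link SslData}) used to open a connection.
 *
 * <p>Server authentication is pinned to the instance's own CA certificate: the trust store built
 * in {@link #createTrustManagerFactory} contains nothing else. Client authentication uses an
 * ephemeral certificate issued by the API for the caller's {@link KeyPair}; for
 * {@link AuthType#IAM} the caller's OAuth2 access token is attached to the certificate request
 * and the resulting {@link InstanceData} expires when either the certificate or the token does,
 * whichever is first.
 */
class SqlAdminApiFetcher implements InstanceDataSupplier {
    private static final Logger logger = Logger.getLogger(SqlAdminApiFetcher.class.getName());
    // Alias of the client key + ephemeral certificate inside the in-memory key store.
    private static final String EPHEMERAL_KEY_ALIAS = "ephemeral";
    // Alias of the instance CA certificate inside the in-memory trust store.
    private static final String INSTANCE_CA_ALIAS = "instance";
    // Key under which the PSC DNS name is published next to the IP address types.
    private static final String PSC_ADDRESS_TYPE = "PSC";
    private final SQLAdmin apiClient;

    /**
     * Creates a fetcher backed by the given SQL Admin API client.
     *
     * @param apiClient client used for every SQL Admin API request; must not be null
     * @throws NullPointerException if {@code apiClient} is null
     */
    public SqlAdminApiFetcher(SQLAdmin apiClient) {
        this.apiClient = Objects.requireNonNull(apiClient, "apiClient");
    }

    /**
     * Rejects authentication type / database engine combinations the API does not support.
     *
     * @param connectSettings instance settings returned by the API
     * @param authType requested authentication type
     * @param connectionName instance connection name, used only in the error message
     * @throws IllegalArgumentException if IAM authentication is requested for a SQL Server instance
     */
    private void checkDatabaseCompatibility(ConnectSettings connectSettings, AuthType authType, String connectionName) {
        String databaseVersion = connectSettings.getDatabaseVersion();
        // A missing database version cannot be classified, so it is not rejected here.
        if (authType == AuthType.IAM && databaseVersion != null && databaseVersion.contains("SQLSERVER")) {
            throw new IllegalArgumentException(String.format("[%s] IAM Authentication is not supported for SQL Server instances.", connectionName));
        }
    }

    /**
     * Parses a single PEM-encoded X.509 certificate.
     *
     * @param pem certificate text as returned by the API
     * @return the parsed certificate
     * @throws CertificateException if the text is not a valid X.509 certificate
     */
    private Certificate createCertificate(String pem) throws CertificateException {
        ByteArrayInputStream pemBytes = new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8));
        return CertificateFactory.getInstance("X.509").generateCertificate(pemBytes);
    }

    /**
     * Wraps the public key's default encoding in PEM armor for the ephemeral certificate request.
     * The header/footer text and 64-column base64 layout are part of what the API is sent; keep them
     * byte-identical.
     *
     * @param keyPair key pair whose public half is sent to the API
     * @return PEM-armored public key
     */
    private String generatePublicKeyCert(KeyPair keyPair) {
        String body = BaseEncoding.base64().withSeparator("\n", 64).encode(keyPair.getPublic().getEncoded());
        return "-----BEGIN RSA PUBLIC KEY-----\n" + body + "\n-----END RSA PUBLIC KEY-----\n";
    }

    /**
     * Fetches everything needed to connect to an instance: metadata (addresses + server CA), an
     * ephemeral client certificate, and an initialized SSL context.
     *
     * <p>The token fetch and the metadata fetch run concurrently on {@code executor}; the
     * certificate request waits for the key pair and the token, and the SSL context waits for the
     * metadata and the certificate.
     *
     * @param instanceName instance to connect to
     * @param accessTokenSupplier source of the OAuth2 access token (used only for IAM auth)
     * @param authType requested authentication type
     * @param executor executor on which every stage is run
     * @param keyPairFuture future yielding the client key pair
     * @return the assembled instance data, including its expiration time
     * @throws ExecutionException if any stage fails; the cause is that stage's exception
     * @throws InterruptedException if interrupted while waiting for the final stage
     */
    @Override // com.google.cloud.sql.core.InstanceDataSupplier
    public InstanceData getInstanceData(CloudSqlInstanceName instanceName, AccessTokenSupplier accessTokenSupplier, AuthType authType, ListeningScheduledExecutorService executor, ListenableFuture<KeyPair> keyPairFuture) throws ExecutionException, InterruptedException {
        // Token and metadata do not depend on each other, so they are fetched in parallel.
        ListenableFuture<Optional<AccessToken>> tokenFuture = executor.submit(() -> {
            return accessTokenSupplier.get();
        });
        ListenableFuture<Metadata> metadataFuture = executor.submit(() -> {
            return fetchMetadata(instanceName, authType);
        });
        ListenableFuture<Certificate> certificateFuture = Futures.whenAllComplete(keyPairFuture, tokenFuture).call(() -> {
            return fetchEphemeralCertificate(Futures.getDone(keyPairFuture), instanceName, Futures.getDone(tokenFuture), authType);
        }, executor);
        // keyPairFuture is done here because certificateFuture already waited on it.
        ListenableFuture<SslData> sslDataFuture = Futures.whenAllComplete(metadataFuture, certificateFuture).call(() -> {
            return createSslData(Futures.getDone(keyPairFuture), Futures.getDone(metadataFuture), Futures.getDone(certificateFuture), instanceName, authType);
        }, executor);
        return Futures.whenAllComplete(metadataFuture, certificateFuture, sslDataFuture).call(() -> {
            X509Certificate ephemeralCert = (X509Certificate) Futures.getDone(certificateFuture);
            Date certExpiration = ephemeralCert.getNotAfter();
            Date expiration = certExpiration;
            if (authType == AuthType.IAM) {
                // With IAM auth the token is bound to the certificate request, so the data must be
                // refreshed when the token expires if that happens before the certificate does.
                // tokenFuture is done here because certificateFuture already waited on it.
                expiration = DefaultAccessTokenSupplier.getTokenExpirationTime(Futures.getDone(tokenFuture))
                        .filter(tokenExpiration -> certExpiration.after(tokenExpiration))
                        .orElse(certExpiration);
            }
            return new InstanceData(Futures.getDone(metadataFuture), Futures.getDone(sslDataFuture), expiration);
        }, executor).get();
    }

    /**
     * Returns the application name configured on the underlying SQL Admin API client.
     *
     * @return the client's application name
     */
    public String getApplicationName() {
        return this.apiClient.getApplicationName();
    }

    /**
     * Fetches the instance's connect settings and validates them against the connection name.
     *
     * @param instanceName instance to look up
     * @param authType requested authentication type, checked against the database engine
     * @return address map (IP type, or {@code "PSC"}, to address) plus the parsed server CA
     * @throws IllegalArgumentException if the region does not match the connection name, the
     *     instance is not a Second Generation instance, or the engine rejects the auth type
     * @throws IllegalStateException if the instance has no address or no server CA certificate
     * @throws RuntimeException wrapping API or certificate-parsing failures
     */
    private Metadata fetchMetadata(CloudSqlInstanceName instanceName, AuthType authType) {
        String connectionName = instanceName.getConnectionName();
        try {
            ConnectSettings settings = this.apiClient.connect().get(instanceName.getProjectId(), instanceName.getInstanceId()).execute();
            // Null-safe comparisons: a missing region or backend type is reported as a
            // configuration problem rather than surfacing as a NullPointerException.
            if (!Objects.equals(settings.getRegion(), instanceName.getRegionId())) {
                throw new IllegalArgumentException(String.format("[%s] The region specified for the Cloud SQL instance is incorrect. Please verify the instance connection name.", connectionName));
            }
            if (!"SECOND_GEN".equals(settings.getBackendType())) {
                throw new IllegalArgumentException(String.format("[%s] Connections to Cloud SQL instance not supported - not a Second Generation instance.", connectionName));
            }
            checkDatabaseCompatibility(settings, authType, connectionName);
            HashMap<String, String> addresses = new HashMap<>();
            if (settings.getIpAddresses() != null) {
                for (IpMapping ipMapping : settings.getIpAddresses()) {
                    addresses.put(ipMapping.getType(), ipMapping.getIpAddress());
                }
            }
            String dnsName = settings.getDnsName();
            if (dnsName != null && !dnsName.isEmpty()) {
                addresses.put(PSC_ADDRESS_TYPE, dnsName);
            }
            if (addresses.isEmpty()) {
                throw new IllegalStateException(String.format("[%s] Unable to connect to Cloud SQL instance: instance does not have an assigned IP address.", connectionName));
            }
            // Without the server CA there is nothing to pin the TLS trust store to.
            if (settings.getServerCaCert() == null || settings.getServerCaCert().getCert() == null) {
                throw new IllegalStateException(String.format("[%s] Unable to connect to Cloud SQL instance: instance metadata does not include a server CA certificate.", connectionName));
            }
            try {
                return new Metadata(addresses, createCertificate(settings.getServerCaCert().getCert()));
            } catch (CertificateException e) {
                throw new RuntimeException(String.format("[%s] Unable to parse the server CA certificate for the Cloud SQL instance.", connectionName), e);
            }
        } catch (IOException e) {
            throw addExceptionContext(e, String.format("[%s] Failed to update metadata for Cloud SQL instance.", connectionName), instanceName);
        }
    }

    /**
     * Requests an ephemeral client certificate for the public half of {@code keyPair}.
     *
     * @param keyPair client key pair; only the public key is sent
     * @param instanceName instance the certificate is issued for
     * @param accessToken OAuth2 token attached to the request for IAM auth, if present
     * @param authType requested authentication type
     * @return the issued certificate
     * @throws RuntimeException wrapping API or certificate-parsing failures
     */
    private Certificate fetchEphemeralCertificate(KeyPair keyPair, CloudSqlInstanceName instanceName, Optional<AccessToken> accessToken, AuthType authType) {
        String connectionName = instanceName.getConnectionName();
        GenerateEphemeralCertRequest request = new GenerateEphemeralCertRequest().setPublicKey(generatePublicKeyCert(keyPair));
        if (authType == AuthType.IAM && accessToken.isPresent()) {
            // Trailing '.' padding is stripped from the token before it is sent.
            request.setAccessToken(CharMatcher.is('.').trimTrailingFrom(accessToken.get().getTokenValue()));
        }
        try {
            String certPem = this.apiClient.connect().generateEphemeralCert(instanceName.getProjectId(), instanceName.getInstanceId(), request).execute().getEphemeralCert().getCert();
            if (certPem == null) {
                throw new RuntimeException(String.format("[%s] Unable to parse the ephemeral certificate for the Cloud SQL instance: the API response did not include a certificate.", connectionName));
            }
            return createCertificate(certPem);
        } catch (CertificateException e) {
            throw new RuntimeException(String.format("[%s] Unable to parse the ephemeral certificate for the Cloud SQL instance.", connectionName), e);
        } catch (IOException e) {
            throw addExceptionContext(e, String.format("[%s] Failed to create ephemeral certificate for the Cloud SQL instance.", connectionName), instanceName);
        }
    }

    /**
     * Builds the SSL context used for the connection: the client presents {@code keyPair} with
     * its ephemeral certificate, and only {@code metadata}'s instance CA is trusted for the server.
     *
     * @param keyPair client key pair
     * @param metadata instance metadata carrying the server CA certificate
     * @param ephemeralCertificate certificate issued for {@code keyPair}
     * @param instanceName instance, used for error messages
     * @param authType requested authentication type; IAM requires TLSv1.3
     * @return the initialized context together with the factories it was built from
     * @throws RuntimeException wrapping any key-store, TLS or I/O failure
     */
    private SslData createSslData(KeyPair keyPair, Metadata metadata, Certificate ephemeralCertificate, CloudSqlInstanceName instanceName, AuthType authType) {
        String connectionName = instanceName.getConnectionName();
        try {
            KeyManagerFactory keyManagerFactory = createKeyManagerFactory(keyPair, ephemeralCertificate);
            TrustManagerFactory trustManagerFactory = createTrustManagerFactory(metadata.getInstanceCaCertificate());
            SSLContext sslContext = createSslContext(authType, connectionName);
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
            return new SslData(sslContext, keyManagerFactory, trustManagerFactory);
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(String.format("[%s] Unable to create a SSLContext for the Cloud SQL instance.", connectionName), e);
        }
    }

    /**
     * Builds a key manager factory over an in-memory key store holding the client private key and
     * its ephemeral certificate.
     */
    private static KeyManagerFactory createKeyManagerFactory(KeyPair keyPair, Certificate ephemeralCertificate) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        // The store exists only in memory and is never written out, so the empty password is
        // not a protection boundary; the private key is confined to this process.
        keyStore.setEntry(EPHEMERAL_KEY_ALIAS, new KeyStore.PrivateKeyEntry(keyPair.getPrivate(), new Certificate[]{ephemeralCertificate}), new KeyStore.PasswordProtection(new char[0]));
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, new char[0]);
        return keyManagerFactory;
    }

    /**
     * Builds a trust manager factory whose trust store contains exactly one certificate, the
     * instance CA, so the server is only accepted when its chain leads to that CA.
     */
    private static TrustManagerFactory createTrustManagerFactory(Certificate instanceCaCertificate) throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry(INSTANCE_CA_ALIAS, instanceCaCertificate);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X.509");
        trustManagerFactory.init(trustStore);
        return trustManagerFactory;
    }

    /**
     * Obtains a TLSv1.3 context, falling back to TLSv1.2 when the runtime lacks it. IAM
     * authentication requires TLSv1.3, so no fallback is offered in that case.
     *
     * @throws RuntimeException if TLSv1.3 is unavailable and {@code authType} is IAM
     * @throws NoSuchAlgorithmException if neither protocol version is available
     */
    private static SSLContext createSslContext(AuthType authType, String connectionName) throws NoSuchAlgorithmException {
        try {
            return SSLContext.getInstance("TLSv1.3");
        } catch (NoSuchAlgorithmException e) {
            if (authType == AuthType.IAM) {
                throw new RuntimeException(String.format("[%s] Unable to create a SSLContext for the Cloud SQL instance.", connectionName) + " TLSv1.3 is not supported for your Java version and is required to connect using IAM authentication", e);
            }
            logger.warning("TLSv1.3 is not supported for your Java version, fallback to TLSv1.2");
            return SSLContext.getInstance("TLSv1.2");
        }
    }

    /**
     * Wraps an API I/O failure in a RuntimeException whose message explains the most common
     * causes (API not enabled, missing permission) when the API's error reason identifies them.
     *
     * @param cause the failed request's exception
     * @param defaultMessage message used when no specific reason is recognized
     * @param instanceName instance, used for messages
     * @return the exception to throw; {@code cause} is always preserved as its cause
     */
    private RuntimeException addExceptionContext(IOException cause, String defaultMessage, CloudSqlInstanceName instanceName) {
        String reason = firstErrorReason(cause);
        // String-first equals keeps this null-safe when no reason is available.
        if ("accessNotConfigured".equals(reason)) {
            return new RuntimeException(String.format("[%s] The Google Cloud SQL Admin API is not enabled for the project \"%s\". Please use the Google Developers Console to enable it: %s", instanceName.getConnectionName(), instanceName.getProjectId(), "https://console.cloud.google.com/apis/api/sqladmin/overview?project=" + instanceName.getProjectId()), cause);
        }
        if ("notAuthorized".equals(reason)) {
            return new RuntimeException(String.format("[%s] The Cloud SQL Instance does not exist or your account is not authorized to access it. Please verify the instance connection name and check the IAM permissions for project \"%s\" ", instanceName.getConnectionName(), instanceName.getProjectId()), cause);
        }
        return new RuntimeException(defaultMessage, cause);
    }

    /**
     * Returns the reason of the first error in a Google JSON error response, or null when the
     * exception is not such a response or carries no error details.
     */
    private static String firstErrorReason(IOException cause) {
        if (!(cause instanceof GoogleJsonResponseException)) {
            return null;
        }
        GoogleJsonResponseException jsonException = (GoogleJsonResponseException) cause;
        if (jsonException.getDetails() == null || jsonException.getDetails().getErrors() == null || jsonException.getDetails().getErrors().isEmpty()) {
            return null;
        }
        return jsonException.getDetails().getErrors().get(0).getReason();
    }
}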
