package commands.refreshAwsTokens;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient;
import com.amazonaws.services.identitymanagement.model.GetRoleRequest;
import goo.Config$Aws$;
import goo.Config$gOAuth$;
import java.net.URLDecoder;
import play.api.libs.json.JsValue;
import play.api.libs.json.Json$;
import scala.Predef$;
import scala.StringContext;
import scala.collection.Seq$;
import scala.collection.TraversableOnce;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.runtime.BoxedUnit;
import scala.util.Failure;
import scala.util.Try$;

/* compiled from: AwsSts.scala */
/* loaded from: input_file:commands/refreshAwsTokens/AwsIam$.class */
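/**
 * Decompiled Scala singleton that manages which Google account e-mails may assume the
 * federated IAM role named by {@code Config$Aws$.roleName()}.
 *
 * <p>The role's assume-role (trust) policy document is read, the e-mail conditions in it are
 * listed, and on grant/revoke the whole document is regenerated from the e-mail list and
 * written back. Every statement produced here allows {@code sts:AssumeRoleWithWebIdentity}
 * for the {@code accounts.google.com} federated principal, restricted by e-mail and by the
 * OAuth client id from {@code Config$gOAuth$.clientId()}.
 *
 * <p>NOTE(review): the generated statements compare the e-mail with {@code StringLike}. IAM
 * treats {@code *} and {@code ?} in a {@code StringLike} value as wildcards, so an e-mail
 * argument containing either matches a set of accounts rather than one. Confirm whether that
 * is intended; {@code StringEquals} is the exact-match operator.
 *
 * <p>NOTE(review): the regenerated document replaces the existing trust policy as a whole.
 * Statements that are not e-mail conditions of the shape built here are not carried over;
 * confirm the role has no other trust statements.
 */
public final class AwsIam$ {
    // Scala object singleton; assigned from the private constructor (decompiler rendering).
    public static final AwsIam$ MODULE$ = null;

    static {
        new AwsIam$();
    }

    /**
     * Returns the e-mails currently present in the role's trust policy.
     *
     * @return values found under the {@code accounts.google.com:email} condition key
     */
    public List<String> listEmails() {
        return getEmailsFromRolePolicy(getExistingPolicy());
    }

    /**
     * Adds {@code str} to the trust policy unless it is already listed.
     *
     * <p>The membership test is an exact string comparison against the values read back from
     * the policy, so differently-cased spellings of one address count as different entries.
     *
     * @param str e-mail to grant; embedded into the policy as a {@code StringLike} value
     */
    public void grantUserAccessToFederatedRole(String str) {
        List<String> listEmails = listEmails();
        if (listEmails.contains(str)) {
            Logging$logger$.MODULE$.info("Policy already contained the given email.");
        } else {
            // Prepend the new e-mail and rewrite the whole trust policy from the list.
            updateAssumeRolePolicyDocument(generateRolePolicyDocument(listEmails.$colon$colon(str)));
        }
    }

    /**
     * Removes {@code str} from the trust policy if it is listed.
     *
     * <p>NOTE(review): a failed policy update is only logged (see
     * {@code updateAssumeRolePolicyDocument}); the caller gets no signal that the revocation
     * did not take effect.
     *
     * @param str e-mail to revoke; compared exactly against the values in the policy
     */
    public void revokeUserAccessToFederatedRole(String str) {
        List<String> listEmails = listEmails();
        if (listEmails.contains(str)) {
            updateAssumeRolePolicyDocument(generateRolePolicyDocument((List) listEmails.diff(List$.MODULE$.apply(Predef$.MODULE$.wrapRefArray(new String[]{str})))));
        } else {
            Logging$logger$.MODULE$.info("Policy did not contain the given email.");
        }
    }

    /**
     * Fetches the role's assume-role policy document and parses it as JSON.
     *
     * @return the parsed trust policy
     */
    private JsValue getExistingPolicy() {
        AmazonIdentityManagementClient createClient = createClient();
        String assumeRolePolicyDocument;
        try {
            assumeRolePolicyDocument = createClient.getRole(new GetRoleRequest().withRoleName(Config$Aws$.MODULE$.roleName())).getRole().getAssumeRolePolicyDocument();
        } finally {
            // Release the client even when the IAM call throws (previously leaked on failure).
            createClient.shutdown();
        }
        // The document is URL-decoded before it is parsed as JSON.
        return Json$.MODULE$.parse(URLDecoder.decode(assumeRolePolicyDocument, "utf8"));
    }

    /**
     * Builds a complete trust policy document with one statement per e-mail.
     *
     * <p>Each e-mail is mapped through {@code AwsIam$$anonfun$3} (not visible here; presumably
     * it calls the e-mail statement template below) and the results are joined with commas.
     *
     * @param list e-mails that should be allowed to assume the role
     * @return the policy document as a JSON string
     */
    private String generateRolePolicyDocument(List<String> list) {
        String policyDocumentTpl$1 = policyDocumentTpl$1(((TraversableOnce) list.map(new AwsIam$$anonfun$3(), List$.MODULE$.canBuildFrom())).mkString(","));
        // NOTE(review): the full document (all granted e-mails and the OAuth client id) is
        // written to the debug log.
        Logging$logger$.MODULE$.debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"New policy:\\n", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{policyDocumentTpl$1})));
        return policyDocumentTpl$1;
    }

    /**
     * Creates an IAM client that authenticates with the admin profile from the configured
     * credentials file. Callers are responsible for calling {@code shutdown()}.
     */
    private AmazonIdentityManagementClient createClient() {
        return new AmazonIdentityManagementClient(new ProfileCredentialsProvider(Config$Aws$.MODULE$.credentialsLocation(), GooSessionCredentials$.MODULE$.adminProfile()));
    }

    /**
     * Collects every value stored under the {@code accounts.google.com:email} key anywhere in
     * the policy JSON (recursive lookup), flattened by an anonymous function not shown here.
     */
    private List<String> getEmailsFromRolePolicy(JsValue jsValue) {
        return ((TraversableOnce) jsValue.$bslash$bslash("accounts.google.com:email").flatMap(new AwsIam$$anonfun$getEmailsFromRolePolicy$1(), Seq$.MODULE$.canBuildFrom())).toList();
    }

    /**
     * Writes {@code str} as the role's new trust policy. A failure is logged, not rethrown.
     *
     * @param str the complete policy document
     */
    private void updateAssumeRolePolicyDocument(String str) {
        AmazonIdentityManagementClient createClient = createClient();
        try {
            Logging$logger$.MODULE$.debug("Updating IAM policy");
            // The update itself runs inside AwsIam$$anonfun$1 (not visible here), wrapped in Try.
            Failure apply = Try$.MODULE$.apply(new AwsIam$$anonfun$1(str, createClient));
            if (apply instanceof Failure) {
                // NOTE(review): the rejected document, including e-mails and the OAuth client
                // id, is written to the error log together with the exception.
                Logging$logger$.MODULE$.error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"Error updating policy (check permissions)\\n", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{str})), apply.exception());
            } else {
                Logging$logger$.MODULE$.info("Policy successfully updated");
            }
        } finally {
            createClient.shutdown();
        }
    }

    /** Wraps the comma-joined statements in the policy envelope (version 2012-10-17). */
    private final String policyDocumentTpl$1(String str) {
        return new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"{\"Version\":\"2012-10-17\",\"Statement\":[", "]}"})).s(Predef$.MODULE$.genericWrapArray(new Object[]{str}));
    }

    /**
     * Renders the trust statement for one e-mail.
     *
     * <p>The e-mail is escaped as a JSON string before it is interpolated, so a quote,
     * backslash or control character in the argument stays inside the condition value instead
     * of ending the string and changing the structure of the policy. The client id comes from
     * configuration and is interpolated as-is.
     *
     * @param str e-mail to allow; {@code *} and {@code ?} keep their {@code StringLike}
     *     wildcard meaning
     * @return one policy statement as a JSON object string
     */
    public final String commands$refreshAwsTokens$AwsIam$$emailPolicyTpl$1(String str) {
        return new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"accounts.google.com\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringLike\":{\"accounts.google.com:email\":\"", "\"},\"StringEquals\":{\"accounts.google.com:aud\":\"", "\"}}}"})).s(Predef$.MODULE$.genericWrapArray(new Object[]{escapeJsonString(str), Config$gOAuth$.MODULE$.clientId()}));
    }

    /**
     * Escapes {@code value} for use inside a double-quoted JSON string.
     *
     * @param value text to escape; {@code null} is returned unchanged
     * @return the text with quotes, backslashes and control characters escaped
     */
    private static String escapeJsonString(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') {
                escaped.append('\\').append(c);
            } else if (c < 0x20) {
                // JSON forbids raw control characters inside strings.
                escaped.append(String.format("\\u%04x", (int) c));
            } else {
                escaped.append(c);
            }
        }
        return escaped.toString();
    }

    private AwsIam$() {
        MODULE$ = this;
    }
}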
