package com.google.auth.oauth2;

import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.auth.RequestMetadataCallback;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.AwsCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdentityPoolCredentials;
import com.google.auth.oauth2.PluggableAuthCredentials;
import com.google.auth.oauth2.StsRequestHandler;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.math.BigDecimal;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.Executor;
import java.util.regex.Pattern;
import javax.annotation.Nullable;

/* loaded from: classes2.dex */
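/**
 * Base class for credentials built from an {@code external_account} configuration.
 *
 * <p>A subclass supplies a subject token through {@link #retrieveSubjectToken()}. This class
 * exchanges it at the configured token URL for an access token, or, when a service account
 * impersonation URL is configured, delegates the refresh to an {@link ImpersonatedCredentials}.
 *
 * <p>Security note: the configuration decides where the token exchange request is sent. The URL
 * checks in this class only require an {@code https} scheme and a host; they do not restrict the
 * host. A configuration received from another party therefore has to be vetted by the caller
 * before it is passed to {@link #fromStream(InputStream)} or {@link #fromJson(Map,
 * HttpTransportFactory)}.
 */
public abstract class ExternalAccountCredentials extends GoogleCredentials {
    /** Scope applied when the caller supplies no scopes (or an empty collection). */
    private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
    /** Key in {@code credential_source} that selects {@link PluggableAuthCredentials}. */
    static final String EXECUTABLE_SOURCE_KEY = "executable";
    static final String EXTERNAL_ACCOUNT_FILE_TYPE = "external_account";
    private static final long serialVersionUID = 8049126194174465023L;

    // Audience shape that marks a workforce pool configuration. Compiled once instead of on every
    // isWorkforcePoolConfiguration() call.
    // NOTE(review): the dots in "iam.googleapis.com" are unescaped, so each matches any character.
    // In this class the match only gates whether workforce_pool_user_project is accepted and sent.
    private static final Pattern WORKFORCE_AUDIENCE_PATTERN =
            Pattern.compile("^//iam.googleapis.com/locations/.+/workforcePools/.+/providers/.+$");

    private final String audience;

    @Nullable
    private final String clientId;

    // NOTE(review): this field is not transient and the class declares a serialVersionUID, so the
    // secret is presumably part of the Java-serialized form. Treat serialized instances as
    // sensitive; confirm against the superclass' serialization contract.
    @Nullable
    private final String clientSecret;
    private final CredentialSource credentialSource;
    private EnvironmentProvider environmentProvider;

    /** Non-null only when a service account impersonation URL was configured. */
    @Nullable
    protected final ImpersonatedCredentials impersonatedCredentials;

    /** Set through {@link #overrideImpersonatedCredentials}; takes precedence when non-null. */
    @Nullable
    private ImpersonatedCredentials impersonatedCredentialsOverride;
    private final Collection<String> scopes;
    private final ServiceAccountImpersonationOptions serviceAccountImpersonationOptions;

    @Nullable
    private final String serviceAccountImpersonationUrl;
    private final String subjectTokenType;

    @Nullable
    private final String tokenInfoUrl;
    private final String tokenUrl;
    // Transient: only the factory's class name is kept in transportFactoryClassName.
    protected transient HttpTransportFactory transportFactory;
    private final String transportFactoryClassName;

    @Nullable
    private final String universeDomain;

    @Nullable
    private final String workforcePoolUserProject;

    /**
     * Mutable builder shared by the concrete external-account credential types.
     *
     * <p>The setters store their argument as given. Required values are null-checked and both
     * URLs are validated in the {@link ExternalAccountCredentials#ExternalAccountCredentials(Builder)}
     * constructor, not here.
     */
    /* loaded from: classes2.dex */
    public static abstract class Builder extends GoogleCredentials.Builder {
        protected String audience;

        @Nullable
        protected String clientId;

        @Nullable
        protected String clientSecret;
        protected CredentialSource credentialSource;
        protected EnvironmentProvider environmentProvider;

        @Nullable
        protected Collection<String> scopes;

        @Nullable
        protected ServiceAccountImpersonationOptions serviceAccountImpersonationOptions;

        @Nullable
        protected String serviceAccountImpersonationUrl;
        protected String subjectTokenType;
        protected String tokenInfoUrl;
        protected String tokenUrl;
        protected HttpTransportFactory transportFactory;

        @Nullable
        protected String universeDomain;

        @Nullable
        protected String workforcePoolUserProject;

        /** Creates an empty builder. */
        /* JADX INFO: Access modifiers changed from: protected */
        public Builder() {
        }

        /**
         * Creates a builder pre-populated from an existing credential.
         *
         * <p>Values are copied by reference, so the scopes collection is shared with the source
         * credential rather than duplicated.
         *
         * @param externalAccountCredentials credential whose settings are copied
         */
        /* JADX INFO: Access modifiers changed from: protected */
        public Builder(ExternalAccountCredentials externalAccountCredentials) {
            super(externalAccountCredentials);
            this.transportFactory = externalAccountCredentials.transportFactory;
            this.audience = externalAccountCredentials.audience;
            this.subjectTokenType = externalAccountCredentials.subjectTokenType;
            this.tokenUrl = externalAccountCredentials.tokenUrl;
            this.tokenInfoUrl = externalAccountCredentials.tokenInfoUrl;
            this.serviceAccountImpersonationUrl = externalAccountCredentials.serviceAccountImpersonationUrl;
            this.credentialSource = externalAccountCredentials.credentialSource;
            this.clientId = externalAccountCredentials.clientId;
            this.clientSecret = externalAccountCredentials.clientSecret;
            this.scopes = externalAccountCredentials.scopes;
            this.environmentProvider = externalAccountCredentials.environmentProvider;
            this.workforcePoolUserProject = externalAccountCredentials.workforcePoolUserProject;
            this.serviceAccountImpersonationOptions = externalAccountCredentials.serviceAccountImpersonationOptions;
            this.universeDomain = externalAccountCredentials.universeDomain;
        }

        @Override // com.google.auth.oauth2.GoogleCredentials.Builder, com.google.auth.oauth2.OAuth2Credentials.Builder
        public abstract ExternalAccountCredentials build();

        /** Sets the audience; required (null-checked when the credential is constructed). */
        public Builder setAudience(String str) {
            this.audience = str;
            return this;
        }

        /** Sets the optional client id. */
        public Builder setClientId(String str) {
            this.clientId = str;
            return this;
        }

        /** Sets the optional client secret. */
        public Builder setClientSecret(String str) {
            this.clientSecret = str;
            return this;
        }

        /** Sets the credential source; required (null-checked when the credential is constructed). */
        public Builder setCredentialSource(CredentialSource credentialSource) {
            this.credentialSource = credentialSource;
            return this;
        }

        /** Sets the environment provider; a system provider is used when this stays null. */
        Builder setEnvironmentProvider(EnvironmentProvider environmentProvider) {
            this.environmentProvider = environmentProvider;
            return this;
        }

        /** Sets the transport factory; a service-loader/default factory is used when null. */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.transportFactory = httpTransportFactory;
            return this;
        }

        @Override // com.google.auth.oauth2.GoogleCredentials.Builder
        public Builder setQuotaProjectId(String str) {
            super.setQuotaProjectId(str);
            return this;
        }

        /** Sets the scopes; null or empty falls back to the cloud-platform scope. */
        public Builder setScopes(Collection<String> collection) {
            this.scopes = collection;
            return this;
        }

        /**
         * Parses and validates the impersonation options immediately.
         *
         * @param map options map; must not be null
         * @throws IllegalArgumentException if {@code token_lifetime_seconds} is present but is not
         *     an integer within the allowed range
         */
        public Builder setServiceAccountImpersonationOptions(Map<String, Object> map) {
            this.serviceAccountImpersonationOptions = new ServiceAccountImpersonationOptions(map);
            return this;
        }

        /** Sets the optional impersonation URL; validated when the credential is constructed. */
        public Builder setServiceAccountImpersonationUrl(String str) {
            this.serviceAccountImpersonationUrl = str;
            return this;
        }

        /** Sets the subject token type; required (null-checked when the credential is constructed). */
        public Builder setSubjectTokenType(String str) {
            this.subjectTokenType = str;
            return this;
        }

        /** Sets the optional token info URL. This class does not validate it. */
        public Builder setTokenInfoUrl(String str) {
            this.tokenInfoUrl = str;
            return this;
        }

        /** Sets the token URL; required and validated when the credential is constructed. */
        public Builder setTokenUrl(String str) {
            this.tokenUrl = str;
            return this;
        }

        /** Sets the optional universe domain. */
        public Builder setUniverseDomain(String str) {
            this.universeDomain = str;
            return this;
        }

        /** Sets the user project; only accepted together with a workforce pool audience. */
        public Builder setWorkforcePoolUserProject(String str) {
            this.workforcePoolUserProject = str;
            return this;
        }
    }

    /** Base type for the parsed {@code credential_source} section of a configuration. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    public static abstract class CredentialSource implements Serializable {
        private static final long serialVersionUID = 8204657811562399944L;

        /**
         * @param map raw {@code credential_source} map; only checked for null here
         * @throws NullPointerException if {@code map} is null
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public CredentialSource(Map<String, Object> map) {
            Preconditions.checkNotNull(map);
        }
    }

    /** Parsed {@code service_account_impersonation} options; currently only the token lifetime. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    public static final class ServiceAccountImpersonationOptions implements Serializable {
        /** One hour; used when the configuration does not set a lifetime. */
        private static final int DEFAULT_TOKEN_LIFETIME_SECONDS = 3600;
        /** Twelve hours. */
        private static final int MAXIMUM_TOKEN_LIFETIME_SECONDS = 43200;
        /** Ten minutes. */
        private static final int MINIMUM_TOKEN_LIFETIME_SECONDS = 600;
        private static final String TOKEN_LIFETIME_SECONDS_KEY = "token_lifetime_seconds";
        private static final long serialVersionUID = 4250771921886280953L;
        private final int lifetime;

        /**
         * Reads {@code token_lifetime_seconds} from the options map.
         *
         * <p>The value may be a {@link BigDecimal}, an {@link Integer} or a decimal string. Any
         * other type fails the {@code String} cast with a {@link ClassCastException}.
         *
         * @param map options map; must not be null
         * @throws IllegalArgumentException if the value cannot be represented exactly as an
         *     {@code int} or lies outside the minimum/maximum lifetime
         */
        ServiceAccountImpersonationOptions(Map<String, Object> map) {
            if (!map.containsKey(TOKEN_LIFETIME_SECONDS_KEY)) {
                this.lifetime = DEFAULT_TOKEN_LIFETIME_SECONDS;
                return;
            }
            Object rawLifetime = map.get(TOKEN_LIFETIME_SECONDS_KEY);
            int parsedLifetime;
            try {
                if (rawLifetime instanceof BigDecimal) {
                    // intValueExact() rejects fractional and out-of-int-range values. intValue()
                    // would keep only the low 32 bits, which lets an oversized number wrap into
                    // the accepted range and pass the bounds check below.
                    parsedLifetime = ((BigDecimal) rawLifetime).intValueExact();
                } else if (rawLifetime instanceof Integer) {
                    parsedLifetime = (Integer) rawLifetime;
                } else {
                    // A null value reaches parseInt and is reported as a NumberFormatException.
                    parsedLifetime = Integer.parseInt((String) rawLifetime);
                }
            } catch (ArithmeticException | NumberFormatException e) {
                throw new IllegalArgumentException("Value of \"token_lifetime_seconds\" field could not be parsed into an integer.", e);
            }
            if (parsedLifetime < MINIMUM_TOKEN_LIFETIME_SECONDS || parsedLifetime > MAXIMUM_TOKEN_LIFETIME_SECONDS) {
                throw new IllegalArgumentException(String.format("The \"token_lifetime_seconds\" field must be between %s and %s seconds.", MINIMUM_TOKEN_LIFETIME_SECONDS, MAXIMUM_TOKEN_LIFETIME_SECONDS));
            }
            this.lifetime = parsedLifetime;
        }

        /** Returns the validated lifetime in seconds. */
        int getLifetime() {
            return this.lifetime;
        }
    }

    /**
     * Same as the twelve-argument constructor with a null environment provider.
     *
     * @param httpTransportFactory transport factory, or null for the default
     * @param str audience
     * @param str2 subject token type
     * @param str3 token URL
     * @param credentialSource credential source
     * @param str4 token info URL
     * @param str5 service account impersonation URL
     * @param str6 passed to the superclass constructor (presumably the quota project id)
     * @param str7 client id
     * @param str8 client secret
     * @param collection scopes
     */
    protected ExternalAccountCredentials(HttpTransportFactory httpTransportFactory, String str, String str2, String str3, CredentialSource credentialSource, @Nullable String str4, @Nullable String str5, @Nullable String str6, @Nullable String str7, @Nullable String str8, @Nullable Collection<String> collection) {
        this(httpTransportFactory, str, str2, str3, credentialSource, str4, str5, str6, str7, str8, collection, null);
    }

    /**
     * Positional constructor. Workforce pool user project and universe domain are left null and
     * the impersonation options take their defaults.
     *
     * @param httpTransportFactory transport factory, or null for the default
     * @param str audience; must not be null
     * @param str2 subject token type; must not be null
     * @param str3 token URL; must not be null and must be an https URL with a host
     * @param credentialSource credential source; must not be null
     * @param str4 token info URL (not validated here)
     * @param str5 service account impersonation URL; validated like the token URL when non-null
     * @param str6 passed to the superclass constructor (presumably the quota project id)
     * @param str7 client id
     * @param str8 client secret
     * @param collection scopes; null or empty falls back to the cloud-platform scope
     * @param environmentProvider environment provider, or null for the system provider
     * @throws NullPointerException if a required argument is null
     * @throws IllegalArgumentException if a URL fails validation
     */
    protected ExternalAccountCredentials(HttpTransportFactory httpTransportFactory, String str, String str2, String str3, CredentialSource credentialSource, @Nullable String str4, @Nullable String str5, @Nullable String str6, @Nullable String str7, @Nullable String str8, @Nullable Collection<String> collection, @Nullable EnvironmentProvider environmentProvider) {
        super(null, str6);
        HttpTransportFactory httpTransportFactory2 = (HttpTransportFactory) MoreObjects.firstNonNull(httpTransportFactory, getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
        this.transportFactory = httpTransportFactory2;
        this.transportFactoryClassName = Preconditions.checkNotNull(httpTransportFactory2.getClass().getName());
        this.audience = Preconditions.checkNotNull(str);
        this.subjectTokenType = Preconditions.checkNotNull(str2);
        this.tokenUrl = Preconditions.checkNotNull(str3);
        this.credentialSource = Preconditions.checkNotNull(credentialSource);
        this.tokenInfoUrl = str4;
        this.serviceAccountImpersonationUrl = str5;
        this.clientId = str7;
        this.clientSecret = str8;
        this.scopes = (collection == null || collection.isEmpty()) ? Arrays.asList(CLOUD_PLATFORM_SCOPE) : collection;
        this.environmentProvider = environmentProvider == null ? SystemEnvironmentProvider.getInstance() : environmentProvider;
        this.workforcePoolUserProject = null;
        this.universeDomain = null;
        this.serviceAccountImpersonationOptions = new ServiceAccountImpersonationOptions(new HashMap<>());
        validateTokenUrl(str3);
        if (str5 != null) {
            validateServiceAccountImpersonationInfoUrl(str5);
        }
        // Runs while the subclass constructor has not finished yet; see the method's note.
        this.impersonatedCredentials = buildImpersonatedCredentials();
    }

    /**
     * Builds the credential from a builder, enforcing required fields and URL validation.
     *
     * @param builder source of all settings
     * @throws NullPointerException if audience, subject token type, token URL or credential
     *     source is null
     * @throws IllegalArgumentException if a URL fails validation, or if a workforce pool user
     *     project is set while the audience is not a workforce pool audience
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public ExternalAccountCredentials(Builder builder) {
        super(builder);
        HttpTransportFactory httpTransportFactory = (HttpTransportFactory) MoreObjects.firstNonNull(builder.transportFactory, getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
        this.transportFactory = httpTransportFactory;
        this.transportFactoryClassName = Preconditions.checkNotNull(httpTransportFactory.getClass().getName());
        this.audience = Preconditions.checkNotNull(builder.audience);
        this.subjectTokenType = Preconditions.checkNotNull(builder.subjectTokenType);
        String str = Preconditions.checkNotNull(builder.tokenUrl);
        this.tokenUrl = str;
        this.credentialSource = Preconditions.checkNotNull(builder.credentialSource);
        this.tokenInfoUrl = builder.tokenInfoUrl;
        String str2 = builder.serviceAccountImpersonationUrl;
        this.serviceAccountImpersonationUrl = str2;
        this.clientId = builder.clientId;
        this.clientSecret = builder.clientSecret;
        this.scopes = (builder.scopes == null || builder.scopes.isEmpty()) ? Arrays.asList(CLOUD_PLATFORM_SCOPE) : builder.scopes;
        this.environmentProvider = builder.environmentProvider == null ? SystemEnvironmentProvider.getInstance() : builder.environmentProvider;
        this.serviceAccountImpersonationOptions = builder.serviceAccountImpersonationOptions == null ? new ServiceAccountImpersonationOptions(new HashMap<>()) : builder.serviceAccountImpersonationOptions;
        String str3 = builder.workforcePoolUserProject;
        this.workforcePoolUserProject = str3;
        // isWorkforcePoolConfiguration() reads audience and workforcePoolUserProject, both set above.
        if (str3 != null && !isWorkforcePoolConfiguration()) {
            throw new IllegalArgumentException("The workforce_pool_user_project parameter should only be provided for a Workforce Pool configuration.");
        }
        this.universeDomain = builder.universeDomain;
        validateTokenUrl(str);
        if (str2 != null) {
            validateServiceAccountImpersonationInfoUrl(str2);
        }
        // Runs while the subclass constructor has not finished yet; see the method's note.
        this.impersonatedCredentials = buildImpersonatedCredentials();
    }

    /**
     * Creates the concrete credential type described by a parsed configuration.
     *
     * <p>The type is chosen from {@code credential_source}: an {@code environment_id} starting
     * with {@code aws} selects {@link AwsCredentials}, an {@code executable} key selects {@link
     * PluggableAuthCredentials}, anything else {@link IdentityPoolCredentials}.
     *
     * <p>The map is treated as trusted input. Its URLs are only required to be https with a host
     * (see the constructor), so the caller is responsible for vetting configurations that
     * originate elsewhere.
     *
     * @param map parsed configuration; must not be null
     * @param httpTransportFactory transport factory; must not be null
     * @return the credential built from the configuration
     * @throws NullPointerException if an argument is null or {@code credential_source} is missing
     * @throws ClassCastException if a field has an unexpected JSON type
     * @throws IllegalArgumentException if the built credential rejects a value
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static ExternalAccountCredentials fromJson(Map<String, Object> map, HttpTransportFactory httpTransportFactory) {
        Preconditions.checkNotNull(map);
        Preconditions.checkNotNull(httpTransportFactory);
        String audience = (String) map.get("audience");
        String subjectTokenType = (String) map.get("subject_token_type");
        String tokenUrl = (String) map.get("token_url");
        @SuppressWarnings("unchecked") // shape is re-checked by the CredentialSource constructors
        Map<String, Object> credentialSourceMap = (Map<String, Object>) map.get("credential_source");
        String impersonationUrl = (String) map.get("service_account_impersonation_url");
        String tokenInfoUrl = (String) map.get("token_info_url");
        String clientId = (String) map.get("client_id");
        String clientSecret = (String) map.get("client_secret");
        String quotaProjectId = (String) map.get("quota_project_id");
        String userProject = (String) map.get("workforce_pool_user_project");
        String universeDomain = (String) map.get("universe_domain");
        @SuppressWarnings("unchecked") // values are type-checked by ServiceAccountImpersonationOptions
        Map<String, Object> impersonationOptions = (Map<String, Object>) map.get("service_account_impersonation");
        if (impersonationOptions == null) {
            impersonationOptions = new HashMap<>();
        }
        // Fail with a named field instead of an anonymous NullPointerException in the type probe.
        Preconditions.checkNotNull(credentialSourceMap, "The \"credential_source\" field is required.");

        if (isAwsCredential(credentialSourceMap)) {
            // The AWS branch does not forward workforce_pool_user_project.
            return AwsCredentials.newBuilder()
                    .setHttpTransportFactory(httpTransportFactory)
                    .setAudience(audience)
                    .setSubjectTokenType(subjectTokenType)
                    .setTokenUrl(tokenUrl)
                    .setTokenInfoUrl(tokenInfoUrl)
                    .setCredentialSource(new AwsCredentials.AwsCredentialSource(credentialSourceMap))
                    .setServiceAccountImpersonationUrl(impersonationUrl)
                    .setQuotaProjectId(quotaProjectId)
                    .setClientId(clientId)
                    .setClientSecret(clientSecret)
                    .setServiceAccountImpersonationOptions(impersonationOptions)
                    .setUniverseDomain(universeDomain)
                    .build();
        }
        if (isPluggableAuthCredential(credentialSourceMap)) {
            return PluggableAuthCredentials.newBuilder()
                    .setHttpTransportFactory(httpTransportFactory)
                    .setAudience(audience)
                    .setSubjectTokenType(subjectTokenType)
                    .setTokenUrl(tokenUrl)
                    .setTokenInfoUrl(tokenInfoUrl)
                    .setCredentialSource(new PluggableAuthCredentials.PluggableAuthCredentialSource(credentialSourceMap))
                    .setServiceAccountImpersonationUrl(impersonationUrl)
                    .setQuotaProjectId(quotaProjectId)
                    .setClientId(clientId)
                    .setClientSecret(clientSecret)
                    .setWorkforcePoolUserProject(userProject)
                    .setServiceAccountImpersonationOptions(impersonationOptions)
                    .setUniverseDomain(universeDomain)
                    .build();
        }
        return IdentityPoolCredentials.newBuilder()
                .setHttpTransportFactory(httpTransportFactory)
                .setAudience(audience)
                .setSubjectTokenType(subjectTokenType)
                .setTokenUrl(tokenUrl)
                .setTokenInfoUrl(tokenInfoUrl)
                .setCredentialSource(new IdentityPoolCredentials.IdentityPoolCredentialSource(credentialSourceMap))
                .setServiceAccountImpersonationUrl(impersonationUrl)
                .setQuotaProjectId(quotaProjectId)
                .setClientId(clientId)
                .setClientSecret(clientSecret)
                .setWorkforcePoolUserProject(userProject)
                .setServiceAccountImpersonationOptions(impersonationOptions)
                .setUniverseDomain(universeDomain)
                .build();
    }

    /**
     * Reads a configuration from a stream using the default transport factory.
     *
     * @param inputStream JSON configuration; must not be null
     * @return the credential built from the configuration
     * @throws IOException if the stream cannot be read or the content is rejected
     */
    public static ExternalAccountCredentials fromStream(InputStream inputStream) throws IOException {
        return fromStream(inputStream, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
    }

    /**
     * Reads a UTF-8 JSON configuration from a stream and builds the matching credential.
     *
     * <p>The stream content is treated as trusted; see {@link #fromJson(Map,
     * HttpTransportFactory)} for what is and is not validated.
     *
     * @param inputStream JSON configuration; must not be null
     * @param httpTransportFactory transport factory; must not be null
     * @return the credential built from the configuration
     * @throws IOException if the stream cannot be read
     * @throws CredentialFormatException if a field has the wrong type or an invalid value
     */
    public static ExternalAccountCredentials fromStream(InputStream inputStream, HttpTransportFactory httpTransportFactory) throws IOException {
        Preconditions.checkNotNull(inputStream);
        Preconditions.checkNotNull(httpTransportFactory);
        try {
            return fromJson((GenericJson) new JsonObjectParser(OAuth2Utils.JSON_FACTORY).parseAndClose(inputStream, StandardCharsets.UTF_8, GenericJson.class), httpTransportFactory);
        } catch (ClassCastException | IllegalArgumentException e) {
            throw new CredentialFormatException("An invalid input stream was provided.", e);
        }
    }

    /** Returns true when {@code environment_id} is present and starts with {@code aws}. */
    private static boolean isAwsCredential(Map<String, Object> map) {
        return map.containsKey("environment_id") && ((String) map.get("environment_id")).startsWith("aws");
    }

    /** Returns true when the credential source carries an {@code executable} section. */
    private static boolean isPluggableAuthCredential(Map<String, Object> map) {
        return map.containsKey(EXECUTABLE_SOURCE_KEY);
    }

    /**
     * Checks that a string parses as a URI with a host and an {@code https} scheme.
     *
     * <p>This is a transport check only. It does not restrict which host is named.
     *
     * @param str candidate URL; null is reported as invalid
     * @return true if the URL is an https URL with a host
     */
    private static boolean isValidUrl(String str) {
        if (str == null) {
            return false;
        }
        URI parsed;
        try {
            parsed = URI.create(str);
        } catch (IllegalArgumentException e) {
            // Unparseable input is invalid; previously this path fell through to use the
            // never-assigned URI.
            return false;
        }
        if (parsed.getScheme() == null || parsed.getHost() == null) {
            return false;
        }
        return "https".equals(parsed.getScheme().toLowerCase(Locale.US));
    }

    /**
     * @param str service account impersonation URL
     * @throws IllegalArgumentException if the URL is not an https URL with a host
     */
    static void validateServiceAccountImpersonationInfoUrl(String str) {
        if (!isValidUrl(str)) {
            throw new IllegalArgumentException("The provided service account impersonation URL is invalid.");
        }
    }

    /**
     * @param str token URL
     * @throws IllegalArgumentException if the URL is not an https URL with a host
     */
    static void validateTokenUrl(String str) {
        if (!isValidUrl(str)) {
            throw new IllegalArgumentException("The provided token URL is invalid.");
        }
    }

    /**
     * Builds the impersonated credential that wraps a copy of this credential, or returns null
     * when no impersonation URL is configured.
     *
     * <p>The copy used as source credential has its impersonation URL cleared, so it performs the
     * plain token exchange and does not nest another impersonation layer.
     *
     * <p>NOTE(review): both constructors call this method, i.e. before a subclass constructor has
     * finished, and the subclass builder copies from {@code this} at that point. Confirm that the
     * subclass builders only read state that is already assigned.
     *
     * @return the impersonated credential, or null
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ImpersonatedCredentials buildImpersonatedCredentials() {
        if (this.serviceAccountImpersonationUrl == null) {
            return null;
        }
        ExternalAccountCredentials sourceCredentials;
        if (this instanceof AwsCredentials) {
            sourceCredentials = AwsCredentials.newBuilder((AwsCredentials) this).setServiceAccountImpersonationUrl(null).build();
        } else if (this instanceof PluggableAuthCredentials) {
            sourceCredentials = PluggableAuthCredentials.newBuilder((PluggableAuthCredentials) this).setServiceAccountImpersonationUrl(null).build();
        } else {
            // Any other subtype is cast to IdentityPoolCredentials, as before.
            sourceCredentials = IdentityPoolCredentials.newBuilder((IdentityPoolCredentials) this).setServiceAccountImpersonationUrl(null).build();
        }
        return ImpersonatedCredentials.newBuilder()
                .setSourceCredentials(sourceCredentials)
                .setHttpTransportFactory(this.transportFactory)
                .setTargetPrincipal(ImpersonatedCredentials.extractTargetPrincipal(this.serviceAccountImpersonationUrl))
                .setScopes(new ArrayList<>(this.scopes))
                .setLifetime(this.serviceAccountImpersonationOptions.getLifetime())
                .setIamEndpointOverride(this.serviceAccountImpersonationUrl)
                .build();
    }

    /**
     * Obtains an access token for the given token exchange request.
     *
     * <p>Order of precedence: the impersonation override, then the configured impersonated
     * credential, then a direct exchange at the token URL. For a workforce pool configuration the
     * user project is sent as internal options, unless the request carries its own internal
     * options, which replace it.
     *
     * @param stsTokenExchangeRequest the exchange request
     * @return the access token
     * @throws IOException if the refresh or the exchange fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest) throws IOException {
        ImpersonatedCredentials override = this.impersonatedCredentialsOverride;
        if (override != null) {
            return override.refreshAccessToken();
        }
        ImpersonatedCredentials impersonated = this.impersonatedCredentials;
        if (impersonated != null) {
            return impersonated.refreshAccessToken();
        }
        StsRequestHandler.Builder newBuilder = StsRequestHandler.newBuilder(this.tokenUrl, stsTokenExchangeRequest, this.transportFactory.create().createRequestFactory());
        if (isWorkforcePoolConfiguration()) {
            GenericJson genericJson = new GenericJson();
            genericJson.setFactory(OAuth2Utils.JSON_FACTORY);
            genericJson.put("userProject", this.workforcePoolUserProject);
            newBuilder.setInternalOptions(genericJson.toString());
        }
        if (stsTokenExchangeRequest.getInternalOptions() != null) {
            newBuilder.setInternalOptions(stsTokenExchangeRequest.getInternalOptions());
        }
        return newBuilder.build().exchangeToken().getAccessToken();
    }

    public String getAudience() {
        return this.audience;
    }

    @Nullable
    public String getClientId() {
        return this.clientId;
    }

    /** Returns the client secret as configured; avoid writing the value to logs. */
    @Nullable
    public String getClientSecret() {
        return this.clientSecret;
    }

    public CredentialSource getCredentialSource() {
        return this.credentialSource;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public EnvironmentProvider getEnvironmentProvider() {
        return this.environmentProvider;
    }

    /** Returns the superclass' request metadata with the quota project id added. */
    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
        return addQuotaProjectIdToRequestMetadata(this.quotaProjectId, super.getRequestMetadata(uri));
    }

    /**
     * Asynchronous variant: failures are forwarded unchanged, successful metadata gets the quota
     * project id added before it reaches the caller's callback.
     */
    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public void getRequestMetadata(URI uri, Executor executor, final RequestMetadataCallback requestMetadataCallback) {
        super.getRequestMetadata(uri, executor, new RequestMetadataCallback() { // from class: com.google.auth.oauth2.ExternalAccountCredentials.1
            @Override // com.google.auth.RequestMetadataCallback
            public void onFailure(Throwable th) {
                requestMetadataCallback.onFailure(th);
            }

            @Override // com.google.auth.RequestMetadataCallback
            public void onSuccess(Map<String, List<String>> map) {
                requestMetadataCallback.onSuccess(GoogleCredentials.addQuotaProjectIdToRequestMetadata(ExternalAccountCredentials.this.quotaProjectId, map));
            }
        });
    }

    /** Returns the stored scopes collection itself, not a copy. */
    @Nullable
    public Collection<String> getScopes() {
        return this.scopes;
    }

    /**
     * Returns the target principal extracted from the impersonation URL, or null when no
     * impersonation URL is configured.
     */
    @Nullable
    public String getServiceAccountEmail() {
        String url = this.serviceAccountImpersonationUrl;
        if (url == null || url.isEmpty()) {
            return null;
        }
        return ImpersonatedCredentials.extractTargetPrincipal(url);
    }

    @Nullable
    public ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions() {
        return this.serviceAccountImpersonationOptions;
    }

    @Nullable
    public String getServiceAccountImpersonationUrl() {
        return this.serviceAccountImpersonationUrl;
    }

    public String getSubjectTokenType() {
        return this.subjectTokenType;
    }

    public String getTokenInfoUrl() {
        return this.tokenInfoUrl;
    }

    public String getTokenUrl() {
        return this.tokenUrl;
    }

    @Nullable
    String getUniverseDomain() {
        return this.universeDomain;
    }

    @Nullable
    public String getWorkforcePoolUserProject() {
        return this.workforcePoolUserProject;
    }

    /**
     * Returns true when a workforce pool user project is set and the audience has the workforce
     * pool provider shape.
     */
    public boolean isWorkforcePoolConfiguration() {
        return this.workforcePoolUserProject != null && WORKFORCE_AUDIENCE_PATTERN.matcher(getAudience()).matches();
    }

    /** Installs an impersonated credential that takes precedence over the configured one. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void overrideImpersonatedCredentials(ImpersonatedCredentials impersonatedCredentials) {
        this.impersonatedCredentialsOverride = impersonatedCredentials;
    }

    /**
     * Retrieves the external subject token that is exchanged for an access token.
     *
     * @return the subject token
     * @throws IOException if the token cannot be retrieved
     */
    public abstract String retrieveSubjectToken() throws IOException;
}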
