package com.google.auth.oauth2;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.u;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.math.BigDecimal;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.Executor;
import java.util.regex.Pattern;

/* loaded from: classes3.dex */
public abstract class ExternalAccountCredentials extends GoogleCredentials {
    static final String DEFAULT_TOKEN_URL = "https://sts.googleapis.com/v1/token";
    static final String EXECUTABLE_SOURCE_KEY = "executable";
    static final String EXTERNAL_ACCOUNT_FILE_TYPE = "external_account";
    static final String PROGRAMMATIC_METRICS_HEADER_VALUE = "programmatic";
    private static final long serialVersionUID = 8049126194174465023L;
    private final String audience;
    private final String clientId;
    private final String clientSecret;
    private final CredentialSource credentialSource;
    private g environmentProvider;
    protected ImpersonatedCredentials impersonatedCredentials;
    private ExternalAccountMetricsHandler metricsHandler;
    private final Collection<String> scopes;
    private final ServiceAccountImpersonationOptions serviceAccountImpersonationOptions;
    private final String serviceAccountImpersonationUrl;
    private final String subjectTokenType;
    private final String tokenInfoUrl;
    private final String tokenUrl;
    protected transient xd.b transportFactory;
    private final String transportFactoryClassName;
    private final String workforcePoolUserProject;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes3.dex */
    public static abstract class CredentialSource implements Serializable {
        private static final long serialVersionUID = 8204657811562399944L;

        /* JADX INFO: Access modifiers changed from: package-private */
        public CredentialSource(Map<String, Object> map) {
            com.google.common.base.l.o(map);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes3.dex */
    public static final class ServiceAccountImpersonationOptions implements Serializable {
        private static final long serialVersionUID = 4250771921886280953L;
        final boolean customTokenLifetimeRequested;
        private final int lifetime;

        ServiceAccountImpersonationOptions(Map<String, Object> map) {
            boolean containsKey = map.containsKey("token_lifetime_seconds");
            this.customTokenLifetimeRequested = containsKey;
            if (!containsKey) {
                this.lifetime = 3600;
                return;
            }
            try {
                Object obj = map.get("token_lifetime_seconds");
                if (obj instanceof BigDecimal) {
                    this.lifetime = ((BigDecimal) obj).intValue();
                } else if (map.get("token_lifetime_seconds") instanceof Integer) {
                    this.lifetime = ((Integer) obj).intValue();
                } else {
                    this.lifetime = Integer.parseInt((String) obj);
                }
                int i10 = this.lifetime;
                if (i10 < 600 || i10 > 43200) {
                    throw new IllegalArgumentException(String.format("The \"token_lifetime_seconds\" field must be between %s and %s seconds.", 600, 43200));
                }
            } catch (ArithmeticException | NumberFormatException e10) {
                throw new IllegalArgumentException("Value of \"token_lifetime_seconds\" field could not be parsed into an integer.", e10);
            }
        }

        int getLifetime() {
            return this.lifetime;
        }
    }

    /* loaded from: classes3.dex */
    class a implements com.google.auth.a {

        /* renamed from: a, reason: collision with root package name */
        final /* synthetic */ com.google.auth.a f32608a;

        a(com.google.auth.a aVar) {
            this.f32608a = aVar;
        }

        @Override // com.google.auth.a
        public void a(Throwable th2) {
            this.f32608a.a(th2);
        }

        @Override // com.google.auth.a
        public void b(Map map) {
            this.f32608a.b(GoogleCredentials.addQuotaProjectIdToRequestMetadata(ExternalAccountCredentials.this.quotaProjectId, map));
        }
    }

    /* loaded from: classes3.dex */
    public static abstract class b extends GoogleCredentials.a {

        /* renamed from: f, reason: collision with root package name */
        protected String f32610f;

        /* renamed from: g, reason: collision with root package name */
        protected String f32611g;

        /* renamed from: h, reason: collision with root package name */
        protected String f32612h;

        /* renamed from: i, reason: collision with root package name */
        protected String f32613i;

        /* renamed from: j, reason: collision with root package name */
        protected CredentialSource f32614j;

        /* renamed from: k, reason: collision with root package name */
        protected g f32615k;

        /* renamed from: l, reason: collision with root package name */
        protected xd.b f32616l;

        /* renamed from: m, reason: collision with root package name */
        protected String f32617m;

        /* renamed from: n, reason: collision with root package name */
        protected String f32618n;

        /* renamed from: o, reason: collision with root package name */
        protected String f32619o;

        /* renamed from: p, reason: collision with root package name */
        protected Collection f32620p;

        /* renamed from: q, reason: collision with root package name */
        protected String f32621q;

        /* renamed from: r, reason: collision with root package name */
        protected ServiceAccountImpersonationOptions f32622r;

        /* renamed from: s, reason: collision with root package name */
        protected ExternalAccountMetricsHandler f32623s;

        /* JADX INFO: Access modifiers changed from: protected */
        public b() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public b(ExternalAccountCredentials externalAccountCredentials) {
            super(externalAccountCredentials);
            this.f32616l = externalAccountCredentials.transportFactory;
            this.f32610f = externalAccountCredentials.audience;
            this.f32611g = externalAccountCredentials.subjectTokenType;
            this.f32612h = externalAccountCredentials.tokenUrl;
            this.f32613i = externalAccountCredentials.tokenInfoUrl;
            this.f32617m = externalAccountCredentials.serviceAccountImpersonationUrl;
            this.f32614j = externalAccountCredentials.credentialSource;
            this.f32618n = externalAccountCredentials.clientId;
            this.f32619o = externalAccountCredentials.clientSecret;
            this.f32620p = externalAccountCredentials.scopes;
            this.f32615k = externalAccountCredentials.environmentProvider;
            this.f32621q = externalAccountCredentials.workforcePoolUserProject;
            this.f32622r = externalAccountCredentials.serviceAccountImpersonationOptions;
            this.f32623s = externalAccountCredentials.metricsHandler;
        }

        public b A(String str) {
            this.f32621q = str;
            return this;
        }

        public b n(String str) {
            this.f32610f = str;
            return this;
        }

        public b o(String str) {
            this.f32618n = str;
            return this;
        }

        public b p(String str) {
            this.f32619o = str;
            return this;
        }

        public b q(CredentialSource credentialSource) {
            this.f32614j = credentialSource;
            return this;
        }

        public b r(xd.b bVar) {
            this.f32616l = bVar;
            return this;
        }

        public b s(String str) {
            super.l(str);
            return this;
        }

        public b t(Collection collection) {
            this.f32620p = collection;
            return this;
        }

        public b u(Map map) {
            this.f32622r = new ServiceAccountImpersonationOptions(map);
            return this;
        }

        public b v(String str) {
            this.f32617m = str;
            return this;
        }

        public b w(String str) {
            this.f32611g = str;
            return this;
        }

        public b x(String str) {
            this.f32613i = str;
            return this;
        }

        public b y(String str) {
            this.f32612h = str;
            return this;
        }

        public b z(String str) {
            super.m(str);
            return this;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ExternalAccountCredentials(b bVar) {
        super(bVar);
        xd.b bVar2 = (xd.b) com.google.common.base.g.a(bVar.f32616l, OAuth2Credentials.getFromServiceLoader(xd.b.class, p.f32764e));
        this.transportFactory = bVar2;
        this.transportFactoryClassName = (String) com.google.common.base.l.o(bVar2.getClass().getName());
        this.audience = (String) com.google.common.base.l.o(bVar.f32610f);
        this.subjectTokenType = (String) com.google.common.base.l.o(bVar.f32611g);
        this.credentialSource = bVar.f32614j;
        this.tokenInfoUrl = bVar.f32613i;
        String str = bVar.f32617m;
        this.serviceAccountImpersonationUrl = str;
        this.clientId = bVar.f32618n;
        this.clientSecret = bVar.f32619o;
        String str2 = bVar.f32612h;
        str2 = str2 == null ? DEFAULT_TOKEN_URL : str2;
        this.tokenUrl = str2;
        Collection collection = bVar.f32620p;
        this.scopes = (collection == null || collection.isEmpty()) ? Arrays.asList("https://www.googleapis.com/auth/cloud-platform") : bVar.f32620p;
        g gVar = bVar.f32615k;
        this.environmentProvider = gVar == null ? SystemEnvironmentProvider.getInstance() : gVar;
        ServiceAccountImpersonationOptions serviceAccountImpersonationOptions = bVar.f32622r;
        this.serviceAccountImpersonationOptions = serviceAccountImpersonationOptions == null ? new ServiceAccountImpersonationOptions(new HashMap()) : serviceAccountImpersonationOptions;
        String str3 = bVar.f32621q;
        this.workforcePoolUserProject = str3;
        if (str3 != null && !isWorkforcePoolConfiguration()) {
            throw new IllegalArgumentException("The workforce_pool_user_project parameter should only be provided for a Workforce Pool configuration.");
        }
        validateTokenUrl(str2);
        if (str != null) {
            validateServiceAccountImpersonationInfoUrl(str);
        }
        ExternalAccountMetricsHandler externalAccountMetricsHandler = bVar.f32623s;
        this.metricsHandler = externalAccountMetricsHandler == null ? new ExternalAccountMetricsHandler(this) : externalAccountMetricsHandler;
    }

    protected ExternalAccountCredentials(xd.b bVar, String str, String str2, String str3, CredentialSource credentialSource, String str4, String str5, String str6, String str7, String str8, Collection<String> collection) {
        this(bVar, str, str2, str3, credentialSource, str4, str5, str6, str7, str8, collection, null);
    }

    protected ExternalAccountCredentials(xd.b bVar, String str, String str2, String str3, CredentialSource credentialSource, String str4, String str5, String str6, String str7, String str8, Collection<String> collection, g gVar) {
        super(null, str6);
        xd.b bVar2 = (xd.b) com.google.common.base.g.a(bVar, OAuth2Credentials.getFromServiceLoader(xd.b.class, p.f32764e));
        this.transportFactory = bVar2;
        this.transportFactoryClassName = (String) com.google.common.base.l.o(bVar2.getClass().getName());
        this.audience = (String) com.google.common.base.l.o(str);
        this.subjectTokenType = (String) com.google.common.base.l.o(str2);
        this.tokenUrl = (String) com.google.common.base.l.o(str3);
        this.credentialSource = (CredentialSource) com.google.common.base.l.o(credentialSource);
        this.tokenInfoUrl = str4;
        this.serviceAccountImpersonationUrl = str5;
        this.clientId = str7;
        this.clientSecret = str8;
        this.scopes = (collection == null || collection.isEmpty()) ? Arrays.asList("https://www.googleapis.com/auth/cloud-platform") : collection;
        this.environmentProvider = gVar == null ? SystemEnvironmentProvider.getInstance() : gVar;
        this.workforcePoolUserProject = null;
        this.serviceAccountImpersonationOptions = new ServiceAccountImpersonationOptions(new HashMap());
        validateTokenUrl(str3);
        if (str5 != null) {
            validateServiceAccountImpersonationInfoUrl(str5);
        }
        this.metricsHandler = new ExternalAccountMetricsHandler(this);
    }

    private static boolean f(Map map) {
        return map.containsKey("environment_id") && ((String) map.get("environment_id")).startsWith("aws");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ExternalAccountCredentials fromJson(Map<String, Object> map, xd.b bVar) {
        com.google.common.base.l.o(map);
        com.google.common.base.l.o(bVar);
        String str = (String) map.get("audience");
        String str2 = (String) map.get("subject_token_type");
        String str3 = (String) map.get("token_url");
        Map map2 = (Map) map.get("credential_source");
        String str4 = (String) map.get("service_account_impersonation_url");
        String str5 = (String) map.get("token_info_url");
        String str6 = (String) map.get("client_id");
        String str7 = (String) map.get("client_secret");
        String str8 = (String) map.get("quota_project_id");
        String str9 = (String) map.get("workforce_pool_user_project");
        String str10 = (String) map.get("universe_domain");
        Map map3 = (Map) map.get("service_account_impersonation");
        if (map3 == null) {
            map3 = new HashMap();
        }
        return f(map2) ? AwsCredentials.newBuilder().I(bVar).E(str).N(str2).P(str3).O(str5).H(new AwsCredentialSource(map2)).M(str4).l(str8).F(str6).G(str7).L(map3).m(str10).h() : g(map2) ? PluggableAuthCredentials.newBuilder().H(bVar).D(str).M(str2).O(str3).N(str5).G(new PluggableAuthCredentialSource(map2)).L(str4).l(str8).E(str6).F(str7).Q(str9).K(map3).m(str10).h() : IdentityPoolCredentials.newBuilder().H(bVar).D(str).M(str2).O(str3).N(str5).G(new IdentityPoolCredentialSource(map2)).L(str4).l(str8).E(str6).F(str7).Q(str9).K(map3).m(str10).h();
    }

    public static ExternalAccountCredentials fromStream(InputStream inputStream) throws IOException {
        return fromStream(inputStream, p.f32764e);
    }

    public static ExternalAccountCredentials fromStream(InputStream inputStream, xd.b bVar) throws IOException {
        com.google.common.base.l.o(inputStream);
        com.google.common.base.l.o(bVar);
        try {
            return fromJson((qd.b) new qd.e(p.f32765f).a(inputStream, StandardCharsets.UTF_8, qd.b.class), bVar);
        } catch (ClassCastException | IllegalArgumentException e10) {
            throw new CredentialFormatException("An invalid input stream was provided.", e10);
        }
    }

    private static boolean g(Map map) {
        return map.containsKey(EXECUTABLE_SOURCE_KEY);
    }

    private static boolean h(String str) {
        URI create;
        try {
            create = URI.create(str);
        } catch (Exception unused) {
        }
        return (create.getScheme() == null || create.getHost() == null || !"https".equals(create.getScheme().toLowerCase(Locale.US))) ? false : true;
    }

    private boolean i() {
        return this.serviceAccountImpersonationUrl != null && this.impersonatedCredentials == null;
    }

    static void validateServiceAccountImpersonationInfoUrl(String str) {
        if (!h(str)) {
            throw new IllegalArgumentException("The provided service account impersonation URL is invalid.");
        }
    }

    static void validateTokenUrl(String str) {
        if (!h(str)) {
            throw new IllegalArgumentException("The provided token URL is invalid.");
        }
    }

    ImpersonatedCredentials buildImpersonatedCredentials() {
        if (this.serviceAccountImpersonationUrl == null) {
            return null;
        }
        return ImpersonatedCredentials.newBuilder().D(this instanceof AwsCredentials ? AwsCredentials.newBuilder((AwsCredentials) this).M(null).h() : this instanceof PluggableAuthCredentials ? PluggableAuthCredentials.newBuilder((PluggableAuthCredentials) this).L(null).h() : IdentityPoolCredentials.newBuilder((IdentityPoolCredentials) this).L(null).h()).y(this.transportFactory).E(ImpersonatedCredentials.extractTargetPrincipal(this.serviceAccountImpersonationUrl)).C(new ArrayList(this.scopes)).A(this.serviceAccountImpersonationOptions.lifetime).z(this.serviceAccountImpersonationUrl).h();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AccessToken exchangeExternalCredentialForAccessToken(v vVar) throws IOException {
        if (i()) {
            this.impersonatedCredentials = buildImpersonatedCredentials();
        }
        ImpersonatedCredentials impersonatedCredentials = this.impersonatedCredentials;
        if (impersonatedCredentials != null) {
            return impersonatedCredentials.refreshAccessToken();
        }
        u.b d10 = u.d(this.tokenUrl, vVar, this.transportFactory.a().c());
        if (isWorkforcePoolConfiguration()) {
            qd.b bVar = new qd.b();
            bVar.setFactory(p.f32765f);
            bVar.put("userProject", (Object) this.workforcePoolUserProject);
            d10.c(bVar.toString());
        }
        com.google.api.client.http.o oVar = new com.google.api.client.http.o();
        oVar.set("x-goog-api-client", this.metricsHandler.getExternalAccountMetricsHeader());
        d10.b(oVar);
        if (vVar.c() != null) {
            d10.c(vVar.c());
        }
        return d10.a().c().a();
    }

    public String getAudience() {
        return this.audience;
    }

    public String getClientId() {
        return this.clientId;
    }

    public String getClientSecret() {
        return this.clientSecret;
    }

    public CredentialSource getCredentialSource() {
        return this.credentialSource;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getCredentialSourceType() {
        return "unknown";
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public g getEnvironmentProvider() {
        return this.environmentProvider;
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
        return GoogleCredentials.addQuotaProjectIdToRequestMetadata(this.quotaProjectId, super.getRequestMetadata(uri));
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public void getRequestMetadata(URI uri, Executor executor, com.google.auth.a aVar) {
        super.getRequestMetadata(uri, executor, new a(aVar));
    }

    public Collection<String> getScopes() {
        return this.scopes;
    }

    public String getServiceAccountEmail() {
        String str = this.serviceAccountImpersonationUrl;
        if (str == null || str.isEmpty()) {
            return null;
        }
        return ImpersonatedCredentials.extractTargetPrincipal(this.serviceAccountImpersonationUrl);
    }

    public ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions() {
        return this.serviceAccountImpersonationOptions;
    }

    public String getServiceAccountImpersonationUrl() {
        return this.serviceAccountImpersonationUrl;
    }

    public String getSubjectTokenType() {
        return this.subjectTokenType;
    }

    public String getTokenInfoUrl() {
        return this.tokenInfoUrl;
    }

    public String getTokenUrl() {
        return this.tokenUrl;
    }

    public String getWorkforcePoolUserProject() {
        return this.workforcePoolUserProject;
    }

    public boolean isWorkforcePoolConfiguration() {
        return this.workforcePoolUserProject != null && Pattern.compile("^//iam.googleapis.com/locations/.+/workforcePools/.+/providers/.+$").matcher(getAudience()).matches();
    }

    public abstract String retrieveSubjectToken() throws IOException;
}
