package com.google.auth.oauth2;

import com.facebook.gamingservices.cloudgaming.internal.SDKConstants;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.json.GenericJson;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.StsTokenExchangeRequest;
import com.google.common.annotations.VisibleForTesting;
import com.google.firebase.analytics.FirebaseAnalytics;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: classes2.dex */
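/**
 * External-account credentials that turn AWS security credentials into a Google access token.
 *
 * <p>The flow visible in this class: resolve the AWS region and AWS security credentials (from the
 * environment first, then from the URLs in the credential source), sign a {@code POST} request to
 * the regional credential verification URL, serialize that signed request as the subject token,
 * and exchange it through {@code exchangeExternalCredentialForAccessToken}.
 *
 * <p>Security notes for maintainers:
 *
 * <ul>
 *   <li>{@code region_url}, {@code url} and {@code regional_cred_verification_url} are taken from
 *       the credential configuration and used as-is; this class performs no host or scheme
 *       validation on them. Treat the configuration as trusted input and validate it before it
 *       reaches this class when it can come from an outside party. (Whether the superclass
 *       validates any of it is not visible here.)
 *   <li>The subject token embeds the signed {@code Authorization} header, and
 *       {@link #getAwsSecurityCredentials()} returns the secret access key. Neither should be
 *       logged or included in exception messages.
 * </ul>
 */
public class AwsCredentials extends ExternalAccountCredentials {
    private final AwsCredentialSource awsCredentialSource;

    /**
     * AWS-specific view of the {@code credential_source} section of the credential configuration.
     */
    public static class AwsCredentialSource extends ExternalAccountCredentials.CredentialSource {
        // Compiled once; the expression itself is unchanged ("aws" followed by a version number).
        private static final Pattern ENVIRONMENT_ID_PATTERN = Pattern.compile("(aws)([\\d]+)");

        private final String regionUrl;
        private final String regionalCredentialVerificationUrl;
        private final String url;

        /**
         * Reads and validates the AWS credential source fields.
         *
         * @param map the credential source entries; must contain
         *     {@code regional_cred_verification_url} and an {@code environment_id} of the form
         *     {@code aws1}
         * @throws IllegalArgumentException if {@code regional_cred_verification_url} is absent, if
         *     {@code environment_id} is missing, not a string or malformed, or if the AWS version
         *     is not 1
         */
        public AwsCredentialSource(Map<String, Object> map) {
            super(map);
            // Only the presence of the key is checked here; a null value is accepted and would
            // surface later as a NullPointerException when the URL template is expanded.
            if (!map.containsKey("regional_cred_verification_url")) {
                throw new IllegalArgumentException("A regional_cred_verification_url representing the GetCallerIdentity action URL must be specified.");
            }
            // A missing or non-string environment_id used to escape as NullPointerException /
            // ClassCastException; report it as the same validation error as a malformed one.
            Object environmentId = map.get("environment_id");
            if (!(environmentId instanceof String)) {
                throw new IllegalArgumentException("Invalid AWS environment ID.");
            }
            Matcher matcher = ENVIRONMENT_ID_PATTERN.matcher((String) environmentId);
            if (!matcher.matches()) {
                throw new IllegalArgumentException("Invalid AWS environment ID.");
            }
            int version = Integer.parseInt(matcher.group(2));
            if (version != 1) {
                throw new IllegalArgumentException(String.format("AWS version %s is not supported in the current build.", version));
            }
            this.regionUrl = (String) map.get("region_url");
            this.url = (String) map.get("url");
            this.regionalCredentialVerificationUrl = (String) map.get("regional_cred_verification_url");
        }
    }

    /** Builder for {@link AwsCredentials}. */
    public static class Builder extends ExternalAccountCredentials.Builder {
        public Builder() {
        }

        /**
         * Creates a builder seeded from existing credentials.
         *
         * @param awsCredentials the credentials passed on to the superclass builder
         */
        public Builder(AwsCredentials awsCredentials) {
            super(awsCredentials);
        }

        /**
         * Builds the credentials from the builder's current fields.
         *
         * @return a new {@link AwsCredentials}
         * @throws ClassCastException if the configured credential source is not an
         *     {@link AwsCredentialSource}
         */
        @Override
        public AwsCredentials build() {
            return new AwsCredentials(
                    this.transportFactory,
                    this.audience,
                    this.subjectTokenType,
                    this.tokenUrl,
                    (AwsCredentialSource) this.credentialSource,
                    this.tokenInfoUrl,
                    this.serviceAccountImpersonationUrl,
                    this.quotaProjectId,
                    this.clientId,
                    this.clientSecret,
                    this.scopes,
                    this.environmentProvider);
        }
    }

    /**
     * Creates the credentials. All arguments except {@code awsCredentialSource} are only forwarded
     * to the superclass constructor; the parameter names follow the order used by
     * {@link Builder#build()}.
     */
    public AwsCredentials(
            HttpTransportFactory transportFactory,
            String audience,
            String subjectTokenType,
            String tokenUrl,
            AwsCredentialSource awsCredentialSource,
            String tokenInfoUrl,
            String serviceAccountImpersonationUrl,
            String quotaProjectId,
            String clientId,
            String clientSecret,
            Collection<String> scopes,
            EnvironmentProvider environmentProvider) {
        super(
                transportFactory,
                audience,
                subjectTokenType,
                tokenUrl,
                awsCredentialSource,
                tokenInfoUrl,
                serviceAccountImpersonationUrl,
                quotaProjectId,
                clientId,
                clientSecret,
                scopes,
                environmentProvider);
        this.awsCredentialSource = awsCredentialSource;
    }

    /**
     * Serializes a signed AWS request as the URL-encoded JSON subject token.
     *
     * <p>The JSON carries the canonical headers, the {@code Authorization} header, the
     * {@code x-goog-cloud-target-resource} header (set to the audience), the HTTP method and the
     * verification URL with {@code {region}} expanded. Because it contains the request signature,
     * the returned string must be handled as a credential.
     *
     * @param awsRequestSignature the signed request to serialize
     * @return the URL-encoded subject token
     * @throws UnsupportedEncodingException declared by {@link URLEncoder#encode(String, String)}
     */
    private String buildSubjectToken(AwsRequestSignature awsRequestSignature) throws UnsupportedEncodingException {
        Collection<GenericJson> headers = new ArrayList<GenericJson>();
        for (Map.Entry<String, String> header : awsRequestSignature.getCanonicalHeaders().entrySet()) {
            headers.add(formatTokenHeaderForSts(header.getKey(), header.getValue()));
        }
        headers.add(formatTokenHeaderForSts("Authorization", awsRequestSignature.getAuthorizationHeader()));
        headers.add(formatTokenHeaderForSts("x-goog-cloud-target-resource", getAudience()));

        GenericJson token = new GenericJson();
        token.setFactory(OAuth2Utils.JSON_FACTORY);
        token.put("headers", headers);
        // NOTE(review): FirebaseAnalytics.Param.METHOD is almost certainly a decompiler artifact
        // standing in for an inlined string constant (presumably "method"); confirm and replace
        // it with the literal so this class does not depend on an unrelated SDK.
        token.put(FirebaseAnalytics.Param.METHOD, awsRequestSignature.getHttpMethod());
        token.put("url", this.awsCredentialSource.regionalCredentialVerificationUrl.replace("{region}", awsRequestSignature.getRegion()));
        return URLEncoder.encode(token.toString(), "UTF-8");
    }

    /**
     * Wraps one header as a key/value JSON object for the subject token.
     *
     * @param str the header name
     * @param str2 the header value
     * @return the JSON object holding the pair
     */
    private static GenericJson formatTokenHeaderForSts(String str, String str2) {
        GenericJson header = new GenericJson();
        header.setFactory(OAuth2Utils.JSON_FACTORY);
        // NOTE(review): SDKConstants.PARAM_KEY looks like the same kind of decompiler artifact
        // (presumably the literal "key"); confirm and replace it with the literal.
        header.put(SDKConstants.PARAM_KEY, str);
        header.put("value", str2);
        return header;
    }

    /** Returns a new, empty {@link Builder}. */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Returns a {@link Builder} seeded from the given credentials.
     *
     * @param awsCredentials the credentials to copy
     */
    public static Builder newBuilder(AwsCredentials awsCredentials) {
        return new Builder(awsCredentials);
    }

    /**
     * Issues a plain GET to {@code url} and returns the response body.
     *
     * <p>No request headers are set, so this only works against endpoints that answer
     * unauthenticated GETs. NOTE(review): an EC2 metadata service that enforces session tokens
     * (IMDSv2) would reject these requests; the URL itself is not validated here.
     *
     * @param url the URL to fetch, taken from the credential source
     * @param resourceName a human-readable name used only in the error message
     * @return the response body as a string
     * @throws IOException if the request fails; the original failure is kept as the cause
     */
    private String retrieveResource(String url, String resourceName) throws IOException {
        try {
            return this.transportFactory
                    .create()
                    .createRequestFactory()
                    .buildGetRequest(new GenericUrl(url))
                    .execute()
                    .parseAsString();
        } catch (IOException e) {
            throw new IOException(String.format("Failed to retrieve AWS %s.", resourceName), e);
        }
    }

    /**
     * Returns a copy of these credentials that uses the given scopes.
     *
     * @param newScopes the scopes for the new credentials
     * @return new credentials sharing every other setting with this instance
     */
    @Override
    public GoogleCredentials createScoped(Collection<String> newScopes) {
        return new AwsCredentials(
                this.transportFactory,
                getAudience(),
                getSubjectTokenType(),
                getTokenUrl(),
                this.awsCredentialSource,
                getTokenInfoUrl(),
                getServiceAccountImpersonationUrl(),
                getQuotaProjectId(),
                getClientId(),
                getClientSecret(),
                newScopes,
                getEnvironmentProvider());
    }

    /**
     * Resolves the AWS region.
     *
     * <p>Lookup order: {@code AWS_REGION}, then {@code AWS_DEFAULT_REGION}, then the
     * {@code region_url} endpoint. The endpoint's response has its last character removed;
     * presumably it returns an availability zone such as {@code us-east-1a} (confirm against the
     * metadata service in use).
     *
     * @return the region name
     * @throws IOException if no region URL is configured, the request fails, or the response is
     *     empty
     */
    @VisibleForTesting
    public String getAwsRegion() throws IOException {
        EnvironmentProvider environment = getEnvironmentProvider();
        String region = environment.getEnv("AWS_REGION");
        if (region != null) {
            return region;
        }
        String defaultRegion = environment.getEnv("AWS_DEFAULT_REGION");
        if (defaultRegion != null) {
            return defaultRegion;
        }
        String regionUrl = this.awsCredentialSource.regionUrl;
        if (regionUrl == null || regionUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        String zone = retrieveResource(regionUrl, "region");
        // An empty body would otherwise fail with StringIndexOutOfBoundsException below.
        if (zone.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The region URL returned an empty response.");
        }
        return zone.substring(0, zone.length() - 1);
    }

    /**
     * Resolves the AWS security credentials used to sign the verification request.
     *
     * <p>Environment variables win when both {@code AWS_ACCESS_KEY_ID} and
     * {@code AWS_SECRET_ACCESS_KEY} are set. Otherwise the role name is fetched from the
     * credential source {@code url}, and the credentials from {@code url + "/" + roleName}.
     * The returned object holds the secret access key; do not log it.
     *
     * @return the resolved credentials; the session token may be {@code null}
     * @throws IOException if no credential URL is configured or a metadata request fails
     */
    @VisibleForTesting
    public AwsSecurityCredentials getAwsSecurityCredentials() throws IOException {
        EnvironmentProvider environment = getEnvironmentProvider();
        String accessKeyId = environment.getEnv("AWS_ACCESS_KEY_ID");
        String secretAccessKey = environment.getEnv("AWS_SECRET_ACCESS_KEY");
        // The standard variable for temporary credentials is AWS_SESSION_TOKEN. The previous code
        // read only "Token" (the JSON field name of the metadata response), so a session token
        // exported the usual way was dropped and the request was signed without it. "Token" is
        // still consulted as a fallback for existing setups.
        String sessionToken = environment.getEnv("AWS_SESSION_TOKEN");
        if (sessionToken == null) {
            sessionToken = environment.getEnv("Token");
        }
        if (accessKeyId != null && secretAccessKey != null) {
            return new AwsSecurityCredentials(accessKeyId, secretAccessKey, sessionToken);
        }

        String credentialsUrl = this.awsCredentialSource.url;
        if (credentialsUrl == null || credentialsUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        // The role name is whatever the first response contains; it is appended to the URL
        // without encoding or validation.
        String roleName = retrieveResource(credentialsUrl, "IAM role");
        String credentialsJson = retrieveResource(credentialsUrl + "/" + roleName, "credentials");
        GenericJson credentials = (GenericJson) OAuth2Utils.JSON_FACTORY.createJsonParser(credentialsJson).parseAndClose(GenericJson.class);
        return new AwsSecurityCredentials(
                (String) credentials.get("AccessKeyId"),
                (String) credentials.get("SecretAccessKey"),
                (String) credentials.get("Token"));
    }

    /**
     * Reads a process environment variable directly.
     *
     * <p>Nothing in this class calls it; region and credential lookups go through
     * {@code getEnvironmentProvider()} instead.
     *
     * @param name the variable name
     * @return the value, or {@code null} if the variable is not set
     */
    @VisibleForTesting
    public String getEnv(String name) {
        return System.getenv(name);
    }

    /**
     * Obtains a fresh access token by exchanging the AWS subject token.
     *
     * @return the access token returned by the token exchange
     * @throws IOException if the subject token cannot be built or the exchange fails
     */
    @Override
    public AccessToken refreshAccessToken() throws IOException {
        StsTokenExchangeRequest.Builder request =
                StsTokenExchangeRequest.newBuilder(retrieveSubjectToken(), getSubjectTokenType()).setAudience(getAudience());
        Collection<String> scopes = getScopes();
        if (scopes != null && !scopes.isEmpty()) {
            request.setScopes(new ArrayList<String>(scopes));
        }
        return exchangeExternalCredentialForAccessToken(request.build());
    }

    /**
     * Builds the subject token: a signed {@code POST} to the regional credential verification URL
     * carrying the audience in {@code x-goog-cloud-target-resource}.
     *
     * <p>The region is substituted into the URL template verbatim, whether it came from the
     * environment or from the region endpoint.
     *
     * @return the URL-encoded subject token; handle it as a credential
     * @throws IOException if the region or the AWS security credentials cannot be resolved
     */
    @Override
    public String retrieveSubjectToken() throws IOException {
        String awsRegion = getAwsRegion();
        AwsSecurityCredentials awsSecurityCredentials = getAwsSecurityCredentials();
        Map<String, String> additionalHeaders = new HashMap<String, String>();
        additionalHeaders.put("x-goog-cloud-target-resource", getAudience());
        String verificationUrl = this.awsCredentialSource.regionalCredentialVerificationUrl.replace("{region}", awsRegion);
        AwsRequestSignature signature =
                AwsRequestSigner.newBuilder(awsSecurityCredentials, "POST", verificationUrl, awsRegion)
                        .setAdditionalHeaders(additionalHeaders)
                        .build()
                        .sign();
        return buildSubjectToken(signature);
    }
}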
