package com.google.auth.oauth2;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.json.GenericJson;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.StsTokenExchangeRequest;
import com.google.common.annotations.VisibleForTesting;
import com.google.firebase.analytics.FirebaseAnalytics;
import com.google.firebase.sessions.settings.RemoteSettings;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: classes7.dex */
public class AwsCredentials extends ExternalAccountCredentials {
    private final a awsCredentialSource;

    /* loaded from: classes7.dex */
    public static class Builder extends ExternalAccountCredentials.Builder {
        Builder() {
        }

        Builder(AwsCredentials awsCredentials) {
            super(awsCredentials);
        }

        @Override // com.google.auth.oauth2.ExternalAccountCredentials.Builder, com.google.auth.oauth2.GoogleCredentials.Builder, com.google.auth.oauth2.OAuth2Credentials.Builder
        public AwsCredentials build() {
            return new AwsCredentials(this);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes7.dex */
    public static class a extends ExternalAccountCredentials.b {

        /* renamed from: a, reason: collision with root package name */
        private final String f53610a;

        /* renamed from: b, reason: collision with root package name */
        private final String f53611b;

        /* renamed from: c, reason: collision with root package name */
        private final String f53612c;

        /* JADX INFO: Access modifiers changed from: package-private */
        public a(Map<String, Object> map) {
            super(map);
            if (!map.containsKey("regional_cred_verification_url")) {
                throw new IllegalArgumentException("A regional_cred_verification_url representing the GetCallerIdentity action URL must be specified.");
            }
            Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher((String) map.get("environment_id"));
            if (!matcher.matches()) {
                throw new IllegalArgumentException("Invalid AWS environment ID.");
            }
            int parseInt = Integer.parseInt(matcher.group(2));
            if (parseInt != 1) {
                throw new IllegalArgumentException(String.format("AWS version %s is not supported in the current build.", Integer.valueOf(parseInt)));
            }
            this.f53610a = (String) map.get("region_url");
            this.f53611b = (String) map.get("url");
            this.f53612c = (String) map.get("regional_cred_verification_url");
        }
    }

    AwsCredentials(Builder builder) {
        super(builder);
        this.awsCredentialSource = (a) builder.credentialSource;
    }

    private String E(c cVar) throws UnsupportedEncodingException {
        Map<String, String> b6 = cVar.b();
        ArrayList arrayList = new ArrayList();
        for (String str : b6.keySet()) {
            arrayList.add(F(str, b6.get(str)));
        }
        arrayList.add(F("Authorization", cVar.a()));
        arrayList.add(F("x-goog-cloud-target-resource", getAudience()));
        GenericJson genericJson = new GenericJson();
        genericJson.setFactory(i.f53857f);
        genericJson.put("headers", (Object) arrayList);
        genericJson.put(FirebaseAnalytics.Param.METHOD, (Object) cVar.c());
        genericJson.put("url", (Object) this.awsCredentialSource.f53612c.replace("{region}", cVar.d()));
        return URLEncoder.encode(genericJson.toString(), "UTF-8");
    }

    private static GenericJson F(String str, String str2) {
        GenericJson genericJson = new GenericJson();
        genericJson.setFactory(i.f53857f);
        genericJson.put("key", (Object) str);
        genericJson.put("value", (Object) str2);
        return genericJson;
    }

    private String I(String str, String str2) throws IOException {
        try {
            return this.transportFactory.create().createRequestFactory().buildGetRequest(new GenericUrl(str)).execute().parseAsString();
        } catch (IOException e6) {
            throw new IOException(String.format("Failed to retrieve AWS %s.", str2), e6);
        }
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    public static Builder newBuilder(AwsCredentials awsCredentials) {
        return new Builder(awsCredentials);
    }

    @VisibleForTesting
    String G() throws IOException {
        String a6 = y().a("AWS_REGION");
        if (a6 != null) {
            return a6;
        }
        String a7 = y().a("AWS_DEFAULT_REGION");
        if (a7 != null) {
            return a7;
        }
        if (this.awsCredentialSource.f53610a == null || this.awsCredentialSource.f53610a.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        return I(this.awsCredentialSource.f53610a, "region").substring(0, r0.length() - 1);
    }

    @VisibleForTesting
    e H() throws IOException {
        String a6 = y().a("AWS_ACCESS_KEY_ID");
        String a7 = y().a("AWS_SECRET_ACCESS_KEY");
        String a8 = y().a("AWS_SESSION_TOKEN");
        if (a6 != null && a7 != null) {
            return new e(a6, a7, a8);
        }
        if (this.awsCredentialSource.f53611b == null || this.awsCredentialSource.f53611b.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        GenericJson genericJson = (GenericJson) i.f53857f.createJsonParser(I(this.awsCredentialSource.f53611b + RemoteSettings.FORWARD_SLASH_STRING + I(this.awsCredentialSource.f53611b, "IAM role"), "credentials")).parseAndClose(GenericJson.class);
        return new e((String) genericJson.get("AccessKeyId"), (String) genericJson.get("SecretAccessKey"), (String) genericJson.get("Token"));
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection) {
        return new AwsCredentials((Builder) newBuilder(this).setScopes(collection));
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() throws IOException {
        StsTokenExchangeRequest.Builder audience = StsTokenExchangeRequest.n(retrieveSubjectToken(), getSubjectTokenType()).setAudience(getAudience());
        Collection<String> scopes = getScopes();
        if (scopes != null && !scopes.isEmpty()) {
            audience.setScopes(new ArrayList(scopes));
        }
        return exchangeExternalCredentialForAccessToken(audience.build());
    }

    @Override // com.google.auth.oauth2.ExternalAccountCredentials
    public String retrieveSubjectToken() throws IOException {
        String G = G();
        e H = H();
        HashMap hashMap = new HashMap();
        hashMap.put("x-goog-cloud-target-resource", getAudience());
        return E(d.g(H, "POST", this.awsCredentialSource.f53612c.replace("{region}", G), G).b(hashMap).a().h());
    }
}
