package com.google.auth.oauth2;

import androidx.media3.extractor.text.ttml.TtmlNode;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpContent;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.json.GenericJson;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.StsTokenExchangeRequest;
import com.google.common.collect.ImmutableList;
import com.google.firebase.analytics.FirebaseAnalytics;
import com.google.firebase.sessions.settings.RemoteSettings;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.annotation.Nullable;

/* loaded from: classes11.dex */
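/**
 * External-account credentials that obtain a Google access token from AWS security credentials.
 *
 * <p>The subject token is a URL-encoded JSON description of a signed AWS request (headers, method
 * and URL). It is built in {@link #retrieveSubjectToken()} and exchanged for an access token in
 * {@link #refreshAccessToken()}.
 *
 * <p>Region and AWS security credentials are read from environment variables when present,
 * otherwise from the URLs in the {@code AwsCredentialSource}.
 *
 * <p>NOTE(review): this class uses the URLs in the credential source as-is. Confirm that
 * {@code AwsCredentialSource} (not visible here) restricts {@code url}, {@code regionUrl} and
 * {@code imdsv2SessionTokenUrl} to the expected metadata endpoints, because the credential
 * configuration decides where the session token and the credential requests are sent.
 */
public class AwsCredentials extends ExternalAccountCredentials {
    static final String AWS_ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
    static final String AWS_DEFAULT_REGION = "AWS_DEFAULT_REGION";
    // Header that carries the IMDSv2 session token on metadata requests.
    static final String AWS_IMDSV2_SESSION_TOKEN_HEADER = "x-aws-ec2-metadata-token";
    // Value sent in the TTL header when requesting a session token (the header name says seconds).
    static final String AWS_IMDSV2_SESSION_TOKEN_TTL = "300";
    static final String AWS_IMDSV2_SESSION_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
    static final String AWS_REGION = "AWS_REGION";
    static final String AWS_SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
    static final String AWS_SESSION_TOKEN = "AWS_SESSION_TOKEN";
    private static final long serialVersionUID = -3670131891574618105L;
    private final AwsCredentialSource awsCredentialSource;

    /** Builder for {@link AwsCredentials}. */
    public static class Builder extends ExternalAccountCredentials.Builder {
        Builder() {
        }

        Builder(AwsCredentials awsCredentials) {
            super(awsCredentials);
        }

        @Override
        public AwsCredentials build() {
            return new AwsCredentials(this);
        }
    }

    /**
     * Creates the credentials from a builder.
     *
     * @param builder the builder; its {@code credentialSource} is cast to
     *     {@code AwsCredentialSource}, so any other type fails with {@link ClassCastException}
     */
    AwsCredentials(Builder builder) {
        super(builder);
        this.awsCredentialSource = (AwsCredentialSource) builder.credentialSource;
    }

    /**
     * Serializes a signed AWS request into the subject token.
     *
     * <p>The result embeds the signed {@code Authorization} header, so treat it as a credential:
     * do not log or persist it.
     *
     * @param awsRequestSignature the signed request to describe
     * @return the URL-encoded JSON token with {@code headers}, {@code method} and {@code url}
     * @throws UnsupportedEncodingException declared by {@link URLEncoder#encode(String, String)}
     */
    private String buildSubjectToken(AwsRequestSignature awsRequestSignature) throws UnsupportedEncodingException {
        Map<String, String> canonicalHeaders = awsRequestSignature.getCanonicalHeaders();
        ArrayList<GenericJson> tokenHeaders = new ArrayList<>();
        for (Map.Entry<String, String> header : canonicalHeaders.entrySet()) {
            tokenHeaders.add(formatTokenHeaderForSts(header.getKey(), header.getValue()));
        }
        tokenHeaders.add(formatTokenHeaderForSts("Authorization", awsRequestSignature.getAuthorizationHeader()));
        // Names the audience inside the token itself.
        tokenHeaders.add(formatTokenHeaderForSts("x-goog-cloud-target-resource", getAudience()));

        GenericJson token = new GenericJson();
        token.setFactory(OAuth2Utils.JSON_FACTORY);
        token.put("headers", tokenHeaders);
        // Plain literal; the key is the same string as the constant from an unrelated library
        // that this line used before.
        token.put("method", awsRequestSignature.getHttpMethod());
        token.put("url", this.awsCredentialSource.regionalCredentialVerificationUrl.replace("{region}", awsRequestSignature.getRegion()));
        return URLEncoder.encode(token.toString(), "UTF-8");
    }

    /**
     * Reports whether the region is available from the environment.
     *
     * @return {@code true} if {@code AWS_REGION} or {@code AWS_DEFAULT_REGION} is set and not blank
     */
    private boolean canRetrieveRegionFromEnvironment() {
        for (String name : ImmutableList.of(AWS_REGION, AWS_DEFAULT_REGION)) {
            String value = getEnvironmentProvider().getEnv(name);
            if (value != null && value.trim().length() > 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether the AWS security credentials are available from the environment.
     *
     * @return {@code true} only if both {@code AWS_ACCESS_KEY_ID} and
     *     {@code AWS_SECRET_ACCESS_KEY} are set and not blank; {@code AWS_SESSION_TOKEN} is not
     *     required
     */
    private boolean canRetrieveSecurityCredentialsFromEnvironment() {
        for (String name : ImmutableList.of(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)) {
            String value = getEnvironmentProvider().getEnv(name);
            if (value == null || value.trim().length() == 0) {
                return false;
            }
        }
        return true;
    }

    /**
     * Wraps one header as a {@code {"key": ..., "value": ...}} JSON object for the subject token.
     *
     * @param str the header name
     * @param str2 the header value
     * @return the JSON object for this header
     */
    private static GenericJson formatTokenHeaderForSts(String str, String str2) {
        GenericJson header = new GenericJson();
        header.setFactory(OAuth2Utils.JSON_FACTORY);
        header.put("key", str);
        header.put("value", str2);
        return header;
    }

    /** Returns a new, empty builder. */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Returns a builder initialized from existing credentials.
     *
     * @param awsCredentials the credentials to copy
     */
    public static Builder newBuilder(AwsCredentials awsCredentials) {
        return new Builder(awsCredentials);
    }

    /**
     * Issues an HTTP request and returns the response body as a string.
     *
     * <p>The wrapping exception message names only the resource, not the URL or the response
     * body. The URL is requested as given; this method does not validate its host.
     *
     * @param url the URL to request
     * @param resourceName human-readable name of the resource, used in the error message
     * @param requestMethod the HTTP method
     * @param headers headers to set on the request
     * @param content the request body, or {@code null} for none
     * @return the response body
     * @throws IOException if the request fails; the original exception is kept as the cause
     */
    private String retrieveResource(String url, String resourceName, String requestMethod, Map<String, Object> headers, @Nullable HttpContent content) throws IOException {
        try {
            HttpRequest request = this.transportFactory.create().createRequestFactory().buildRequest(requestMethod, new GenericUrl(url), content);
            HttpHeaders requestHeaders = request.getHeaders();
            for (Map.Entry<String, Object> header : headers.entrySet()) {
                requestHeaders.set(header.getKey(), header.getValue());
            }
            return request.execute().parseAsString();
        } catch (IOException e) {
            throw new IOException(String.format("Failed to retrieve AWS %s.", resourceName), e);
        }
    }

    /** Issues a {@code GET} request with no body; see the five-argument overload. */
    private String retrieveResource(String url, String resourceName, Map<String, Object> headers) throws IOException {
        return retrieveResource(url, resourceName, "GET", headers, null);
    }

    /**
     * Builds the headers to send with metadata requests.
     *
     * <p>When the credential source has an {@code imdsv2SessionTokenUrl}, a session token is
     * requested from it with {@code PUT} and returned under the session-token header. Otherwise
     * the map is empty. The session token is a secret and must not be logged.
     *
     * @param awsCredentialSource the credential source to read the session token URL from
     * @return a mutable map of headers, possibly empty
     * @throws IOException if the session token request fails
     */
    Map<String, Object> createMetadataRequestHeaders(AwsCredentialSource awsCredentialSource) throws IOException {
        Map<String, Object> metadataHeaders = new HashMap<>();
        if (awsCredentialSource.imdsv2SessionTokenUrl != null) {
            // A plain map rather than an anonymous HashMap subclass, which would capture a
            // reference to this credentials instance.
            Map<String, Object> tokenRequestHeaders = new HashMap<>();
            tokenRequestHeaders.put(AWS_IMDSV2_SESSION_TOKEN_TTL_HEADER, AWS_IMDSV2_SESSION_TOKEN_TTL);
            String sessionToken = retrieveResource(awsCredentialSource.imdsv2SessionTokenUrl, "Session Token", "PUT", tokenRequestHeaders, null);
            metadataHeaders.put(AWS_IMDSV2_SESSION_TOKEN_HEADER, sessionToken);
        }
        return metadataHeaders;
    }

    /**
     * Returns a copy of these credentials with the given scopes.
     *
     * @param collection the scopes to set
     */
    @Override
    public GoogleCredentials createScoped(Collection<String> collection) {
        return new AwsCredentials((Builder) newBuilder(this).setScopes(collection));
    }

    /**
     * Determines the AWS region.
     *
     * <p>{@code AWS_REGION} takes precedence over {@code AWS_DEFAULT_REGION}. If neither is set,
     * the region URL of the credential source is requested and the last character of the
     * response is dropped (presumably the endpoint returns an availability zone such as
     * {@code us-east-1b}; confirm against the endpoint documentation).
     *
     * @param map headers to send with the metadata request
     * @return the region
     * @throws IOException if no region URL is configured, the request fails, or the response is
     *     empty
     */
    String getAwsRegion(Map<String, Object> map) throws IOException {
        if (canRetrieveRegionFromEnvironment()) {
            String region = getEnvironmentProvider().getEnv(AWS_REGION);
            if (region != null && region.trim().length() > 0) {
                return region;
            }
            return getEnvironmentProvider().getEnv(AWS_DEFAULT_REGION);
        }
        if (this.awsCredentialSource.regionUrl == null || this.awsCredentialSource.regionUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        String zone = retrieveResource(this.awsCredentialSource.regionUrl, "region", map);
        if (zone.isEmpty()) {
            // Without this check substring(0, -1) would throw StringIndexOutOfBoundsException.
            throw new IOException("Unable to determine the AWS region. The region URL returned an empty response.");
        }
        return zone.substring(0, zone.length() - 1);
    }

    /**
     * Obtains the AWS security credentials used to sign the request.
     *
     * <p>Environment variables are used when both the access key id and the secret access key
     * are set. Otherwise the role name is requested from the credential source URL and the
     * credentials are requested from {@code url + "/" + roleName}. The returned values are
     * secrets and must not be logged.
     *
     * @param map headers to send with the metadata requests
     * @return the access key id, secret access key and session token; fields missing from the
     *     metadata response are passed through as {@code null}
     * @throws IOException if no URL is configured or a request fails
     */
    AwsSecurityCredentials getAwsSecurityCredentials(Map<String, Object> map) throws IOException {
        if (canRetrieveSecurityCredentialsFromEnvironment()) {
            return new AwsSecurityCredentials(
                    getEnvironmentProvider().getEnv(AWS_ACCESS_KEY_ID),
                    getEnvironmentProvider().getEnv(AWS_SECRET_ACCESS_KEY),
                    getEnvironmentProvider().getEnv(AWS_SESSION_TOKEN));
        }
        if (this.awsCredentialSource.url == null || this.awsCredentialSource.url.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        // The role name is appended exactly as the endpoint returned it, without trimming or
        // escaping.
        String roleName = retrieveResource(this.awsCredentialSource.url, "IAM role", map);
        String credentialsJson = retrieveResource(this.awsCredentialSource.url + "/" + roleName, "credentials", map);
        GenericJson parsed = (GenericJson) OAuth2Utils.JSON_FACTORY.createJsonParser(credentialsJson).parseAndClose(GenericJson.class);
        return new AwsSecurityCredentials(
                (String) parsed.get("AccessKeyId"),
                (String) parsed.get("SecretAccessKey"),
                (String) parsed.get("Token"));
    }

    /** Returns the credential source type, {@code "aws"}. */
    @Override
    String getCredentialSourceType() {
        return "aws";
    }

    /**
     * Reads a process environment variable.
     *
     * <p>The other methods of this class read the environment through
     * {@code getEnvironmentProvider()} instead of this method.
     *
     * @param str the variable name
     * @return the value, or {@code null} if unset
     */
    String getEnv(String str) {
        return System.getenv(str);
    }

    /**
     * Exchanges a freshly built subject token for an access token.
     *
     * @return the access token returned by the exchange
     * @throws IOException if the subject token cannot be built or the exchange fails
     */
    @Override
    public AccessToken refreshAccessToken() throws IOException {
        StsTokenExchangeRequest.Builder request = StsTokenExchangeRequest.newBuilder(retrieveSubjectToken(), getSubjectTokenType()).setAudience(getAudience());
        Collection<String> scopes = getScopes();
        if (scopes != null && !scopes.isEmpty()) {
            request.setScopes(new ArrayList<>(scopes));
        }
        return exchangeExternalCredentialForAccessToken(request.build());
    }

    /**
     * Builds the subject token by signing a {@code POST} to the regional credential verification
     * URL with the resolved AWS security credentials.
     *
     * <p>The metadata headers (including any IMDSv2 session token) are requested only when
     * {@link #shouldUseMetadataServer()} is {@code true}.
     *
     * @return the URL-encoded subject token; it embeds the signed {@code Authorization} header
     *     and must be treated as a credential
     * @throws IOException if the region, the security credentials or the session token cannot be
     *     retrieved
     */
    @Override
    public String retrieveSubjectToken() throws IOException {
        Map<String, Object> metadataHeaders = new HashMap<>();
        if (shouldUseMetadataServer()) {
            metadataHeaders = createMetadataRequestHeaders(this.awsCredentialSource);
        }
        String awsRegion = getAwsRegion(metadataHeaders);
        AwsSecurityCredentials awsSecurityCredentials = getAwsSecurityCredentials(metadataHeaders);

        // Passed to the signer as an additional header of the request being signed.
        Map<String, String> additionalHeaders = new HashMap<>();
        additionalHeaders.put("x-goog-cloud-target-resource", getAudience());

        String verificationUrl = this.awsCredentialSource.regionalCredentialVerificationUrl.replace("{region}", awsRegion);
        return buildSubjectToken(AwsRequestSigner.newBuilder(awsSecurityCredentials, "POST", verificationUrl, awsRegion).setAdditionalHeaders(additionalHeaders).build().sign());
    }

    /**
     * Reports whether anything must be requested from the metadata server.
     *
     * @return {@code false} only when both the region and the security credentials are available
     *     from the environment
     */
    boolean shouldUseMetadataServer() {
        return !(canRetrieveRegionFromEnvironment() && canRetrieveSecurityCredentialsFromEnvironment());
    }
}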
