package com.google.auth.oauth2;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpContent;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpMethods;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.json.GenericJson;
import com.google.auth.http.HttpTransportFactory;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes2.dex */
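/**
 * Supplies AWS security credentials and the AWS region, reading them from environment variables
 * when those are set and otherwise from the HTTP endpoints named in the {@link AwsCredentialSource}.
 *
 * <p>The values handled here (access key id, secret access key, session token, IMDSv2 session
 * token) are secrets. Nothing in this class logs them, and callers should keep it that way.
 *
 * <p>NOTE(review): this class sends requests, including the IMDSv2 session-token header, to
 * whatever URLs the credential source carries. No host validation is visible here; confirm that
 * {@code AwsCredentialSource} or its caller restricts {@code url}, {@code regionUrl} and
 * {@code imdsv2SessionTokenUrl} to the instance metadata endpoint.
 *
 * <p>NOTE(review): {@code transportFactory} is {@code transient}, so it is presumably null after
 * Java deserialization until restored elsewhere. Verify against the owning credentials class.
 */
public class InternalAwsSecurityCredentialsSupplier implements AwsSecurityCredentialsSupplier {
    static final String AWS_ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
    static final String AWS_DEFAULT_REGION = "AWS_DEFAULT_REGION";
    // Request header that carries the IMDSv2 session token on metadata requests.
    static final String AWS_IMDSV2_SESSION_TOKEN_HEADER = "x-aws-ec2-metadata-token";
    // Value sent in the TTL header below; the header name states the unit (seconds).
    static final String AWS_IMDSV2_SESSION_TOKEN_TTL = "300";
    static final String AWS_IMDSV2_SESSION_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
    static final String AWS_REGION = "AWS_REGION";
    static final String AWS_SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
    static final String AWS_SESSION_TOKEN = "AWS_SESSION_TOKEN";
    private static final long serialVersionUID = 4438370785261365013L;
    private final AwsCredentialSource awsCredentialSource;
    private EnvironmentProvider environmentProvider;
    private transient HttpTransportFactory transportFactory;

    /**
     * Creates a supplier.
     *
     * @param awsCredentialSource configuration holding the metadata, region and session-token URLs
     * @param environmentProvider source of environment variable values
     * @param httpTransportFactory factory for the HTTP transport used for metadata requests
     */
    public InternalAwsSecurityCredentialsSupplier(AwsCredentialSource awsCredentialSource, EnvironmentProvider environmentProvider, HttpTransportFactory httpTransportFactory) {
        this.environmentProvider = environmentProvider;
        this.awsCredentialSource = awsCredentialSource;
        this.transportFactory = httpTransportFactory;
    }

    /** Returns true when the named environment variable is set to a non-blank value. */
    private boolean hasNonBlankEnv(String name) {
        String value = this.environmentProvider.getEnv(name);
        return value != null && value.trim().length() > 0;
    }

    /** Returns true when at least one of AWS_REGION or AWS_DEFAULT_REGION is set and non-blank. */
    private boolean canRetrieveRegionFromEnvironment() {
        ImmutableList<String> regionVariables = ImmutableList.of(AWS_REGION, AWS_DEFAULT_REGION);
        for (String name : regionVariables) {
            if (hasNonBlankEnv(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns true only when both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set and
     * non-blank. AWS_SESSION_TOKEN is not required.
     */
    private boolean canRetrieveSecurityCredentialsFromEnvironment() {
        ImmutableList<String> requiredVariables = ImmutableList.of(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY);
        for (String name : requiredVariables) {
            if (!hasNonBlankEnv(name)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Sends one HTTP request and returns the response body as a string.
     *
     * @param url target URL
     * @param resourceName human-readable label used only in the failure message
     * @param requestMethod HTTP method
     * @param headers headers to set on the request; may include the IMDSv2 session token
     * @param content request body, or null
     * @return the response body
     * @throws IOException if the request fails; the message names the resource only, and the
     *     original exception is chained as the cause
     */
    private String retrieveResource(String url, String resourceName, String requestMethod, Map<String, Object> headers, HttpContent content) throws IOException {
        try {
            HttpRequest request = this.transportFactory.create().createRequestFactory().buildRequest(requestMethod, new GenericUrl(url), content);
            HttpHeaders requestHeaders = request.getHeaders();
            for (Map.Entry<String, Object> header : headers.entrySet()) {
                requestHeaders.set(header.getKey(), header.getValue());
            }
            return request.execute().parseAsString();
        } catch (IOException e) {
            // NOTE(review): the chained cause may carry request details; confirm what it
            // contains before logging the full stack trace anywhere shared.
            throw new IOException(String.format("Failed to retrieve AWS %s.", resourceName), e);
        }
    }

    /** GET variant of {@link #retrieveResource(String, String, String, Map, HttpContent)} with no body. */
    private String retrieveResource(String url, String resourceName, Map<String, Object> headers) throws IOException {
        return retrieveResource(url, resourceName, HttpMethods.GET, headers, null);
    }

    /**
     * Builds the headers to attach to metadata requests.
     *
     * <p>When the credential source has an IMDSv2 session-token URL, a PUT is sent there with the
     * TTL header and the response body is returned under the session-token header. When it has
     * none, the map is empty and later metadata requests carry no session token. An endpoint that
     * enforces IMDSv2 would presumably reject those.
     *
     * @param awsCredentialSource the credential source to read the session-token URL from
     * @return a mutable map of headers, possibly empty
     * @throws IOException if the session-token request fails
     */
    @VisibleForTesting
    public Map<String, Object> createMetadataRequestHeaders(AwsCredentialSource awsCredentialSource) throws IOException {
        Map<String, Object> metadataRequestHeaders = new HashMap<>();
        if (awsCredentialSource.imdsv2SessionTokenUrl != null) {
            // Plain map instead of an anonymous HashMap subclass: same content, no hidden
            // reference to this supplier.
            Map<String, Object> tokenRequestHeaders = new HashMap<>();
            tokenRequestHeaders.put(AWS_IMDSV2_SESSION_TOKEN_TTL_HEADER, AWS_IMDSV2_SESSION_TOKEN_TTL);
            String sessionToken = retrieveResource(awsCredentialSource.imdsv2SessionTokenUrl, "Session Token", HttpMethods.PUT, tokenRequestHeaders, null);
            metadataRequestHeaders.put(AWS_IMDSV2_SESSION_TOKEN_HEADER, sessionToken);
        }
        return metadataRequestHeaders;
    }

    /**
     * Returns AWS security credentials from the environment if both key variables are set,
     * otherwise from the metadata endpoint in the credential source.
     *
     * @param externalAccountSupplierContext not used by this implementation
     * @return the credentials; the session token may be null on the environment path
     * @throws IOException if the credential source has no {@code url} or a metadata request fails
     */
    @Override
    public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext externalAccountSupplierContext) throws IOException {
        if (canRetrieveSecurityCredentialsFromEnvironment()) {
            return new AwsSecurityCredentials(this.environmentProvider.getEnv(AWS_ACCESS_KEY_ID), this.environmentProvider.getEnv(AWS_SECRET_ACCESS_KEY), this.environmentProvider.getEnv(AWS_SESSION_TOKEN));
        }
        Map<String, Object> metadataRequestHeaders = createMetadataRequestHeaders(this.awsCredentialSource);
        String credentialsUrl = this.awsCredentialSource.url;
        if (credentialsUrl == null || credentialsUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        // The first request returns the role name; the second fetches that role's credentials.
        // NOTE(review): the role name is appended as a path segment exactly as received, so
        // the metadata response is trusted here.
        String roleName = retrieveResource(credentialsUrl, "IAM role", metadataRequestHeaders);
        String credentialsJson = retrieveResource(credentialsUrl + "/" + roleName, "credentials", metadataRequestHeaders);
        GenericJson credentials = OAuth2Utils.JSON_FACTORY.createJsonParser(credentialsJson).parseAndClose(GenericJson.class);
        // Missing fields come back as null and are passed through unchanged.
        return new AwsSecurityCredentials((String) credentials.get("AccessKeyId"), (String) credentials.get("SecretAccessKey"), (String) credentials.get("Token"));
    }

    /**
     * Returns the AWS region, preferring AWS_REGION, then AWS_DEFAULT_REGION, then the region URL
     * of the credential source.
     *
     * @param externalAccountSupplierContext not used by this implementation
     * @return the region
     * @throws IOException if the credential source has no region URL, the request fails, or the
     *     response is empty
     */
    @Override
    public String getRegion(ExternalAccountSupplierContext externalAccountSupplierContext) throws IOException {
        if (canRetrieveRegionFromEnvironment()) {
            String region = this.environmentProvider.getEnv(AWS_REGION);
            return (region == null || region.trim().length() <= 0) ? this.environmentProvider.getEnv(AWS_DEFAULT_REGION) : region;
        }
        Map<String, Object> metadataRequestHeaders = createMetadataRequestHeaders(this.awsCredentialSource);
        String regionUrl = this.awsCredentialSource.regionUrl;
        if (regionUrl == null || regionUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        String zone = retrieveResource(regionUrl, "region", metadataRequestHeaders);
        if (zone.isEmpty()) {
            // An empty body would otherwise fail in substring() with an index error.
            throw new IOException("Unable to determine the AWS region. The region URL returned an empty response.");
        }
        // Drop the final character. The endpoint is expected to return an availability zone
        // such as "us-east-1b", of which "us-east-1" is the region. TODO confirm.
        return zone.substring(0, zone.length() - 1);
    }

    /**
     * Returns true unless both the region and the security credentials can be read from the
     * environment.
     */
    @VisibleForTesting
    public boolean shouldUseMetadataServer() {
        return !(canRetrieveRegionFromEnvironment() && canRetrieveSecurityCredentialsFromEnvironment());
    }
}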
