package com.google.auth.oauth2;

import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.OooOo;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import org.apache.http.client.methods.HttpPost;

/* loaded from: classes2.dex */
public class AwsCredentials extends ExternalAccountCredentials {
    private final OooO00o awsCredentialSource;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    public static class OooO00o extends ExternalAccountCredentials.OooO0OO {

        /* renamed from: OooO00o, reason: collision with root package name */
        private final String f19137OooO00o;

        /* renamed from: OooO0O0, reason: collision with root package name */
        private final String f19138OooO0O0;

        /* renamed from: OooO0OO, reason: collision with root package name */
        private final String f19139OooO0OO;

        /* JADX INFO: Access modifiers changed from: package-private */
        public OooO00o(Map<String, Object> map) {
            super(map);
            if (!map.containsKey("regional_cred_verification_url")) {
                throw new IllegalArgumentException("A regional_cred_verification_url representing the GetCallerIdentity action URL must be specified.");
            }
            Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher((String) map.get("environment_id"));
            if (!matcher.matches()) {
                throw new IllegalArgumentException("Invalid AWS environment ID.");
            }
            int parseInt = Integer.parseInt(matcher.group(2));
            if (parseInt != 1) {
                throw new IllegalArgumentException(String.format("AWS version %s is not supported in the current build.", Integer.valueOf(parseInt)));
            }
            this.f19137OooO00o = (String) map.get("region_url");
            this.f19138OooO0O0 = (String) map.get("url");
            this.f19139OooO0OO = (String) map.get("regional_cred_verification_url");
        }
    }

    /* loaded from: classes2.dex */
    public static class OooO0O0 extends ExternalAccountCredentials.OooO0O0 {
        OooO0O0() {
        }

        OooO0O0(AwsCredentials awsCredentials) {
            super(awsCredentials);
        }

        @Override // com.google.auth.oauth2.ExternalAccountCredentials.OooO0O0
        /* renamed from: OooOOo, reason: merged with bridge method [inline-methods] and merged with bridge method [inline-methods] */
        public AwsCredentials OooO0o() {
            return new AwsCredentials(this.f19154OooOO0, this.f19149OooO0Oo, this.f19151OooO0o0, this.f19150OooO0o, (OooO00o) this.f19153OooO0oo, this.f19152OooO0oO, this.f19155OooOO0O, this.f19156OooOO0o, this.f19158OooOOO0, this.f19157OooOOO, this.f19159OooOOOO, this.f19148OooO);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AwsCredentials(o0o0Oo.OooO0O0 oooO0O0, String str, String str2, String str3, OooO00o oooO00o, @Nullable String str4, @Nullable String str5, @Nullable String str6, @Nullable String str7, @Nullable String str8, @Nullable Collection<String> collection, @Nullable OooOOO0 oooOOO0) {
        super(oooO0O0, str, str2, str3, oooO00o, str4, str5, str6, str7, str8, collection, oooOOO0);
        this.awsCredentialSource = oooO00o;
    }

    private String buildSubjectToken(OooO0OO oooO0OO) throws UnsupportedEncodingException {
        Map<String, String> OooO0O02 = oooO0OO.OooO0O0();
        ArrayList arrayList = new ArrayList();
        for (String str : OooO0O02.keySet()) {
            arrayList.add(formatTokenHeaderForSts(str, OooO0O02.get(str)));
        }
        arrayList.add(formatTokenHeaderForSts("Authorization", oooO0OO.OooO00o()));
        arrayList.add(formatTokenHeaderForSts("x-goog-cloud-target-resource", getAudience()));
        oo0O.OooO0O0 oooO0O0 = new oo0O.OooO0O0();
        oooO0O0.OooO0OO(OooOOOO.f19243OooO0o);
        oooO0O0.put("headers", (Object) arrayList);
        oooO0O0.put("method", (Object) oooO0OO.OooO0OO());
        oooO0O0.put("url", (Object) this.awsCredentialSource.f19139OooO0OO.replace("{region}", oooO0OO.OooO0Oo()));
        return URLEncoder.encode(oooO0O0.toString(), "UTF-8");
    }

    private static oo0O.OooO0O0 formatTokenHeaderForSts(String str, String str2) {
        oo0O.OooO0O0 oooO0O0 = new oo0O.OooO0O0();
        oooO0O0.OooO0OO(OooOOOO.f19243OooO0o);
        oooO0O0.put("key", (Object) str);
        oooO0O0.put("value", (Object) str2);
        return oooO0O0;
    }

    public static OooO0O0 newBuilder() {
        return new OooO0O0();
    }

    public static OooO0O0 newBuilder(AwsCredentials awsCredentials) {
        return new OooO0O0(awsCredentials);
    }

    private String retrieveResource(String str, String str2) throws IOException {
        try {
            return this.transportFactory.create().OooO0OO().OooO00o(new com.google.api.client.http.OooOOO(str)).OooO0O0().OooOOO();
        } catch (IOException e) {
            throw new IOException(String.format("Failed to retrieve AWS %s.", str2), e);
        }
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection) {
        return new AwsCredentials(this.transportFactory, getAudience(), getSubjectTokenType(), getTokenUrl(), this.awsCredentialSource, getTokenInfoUrl(), getServiceAccountImpersonationUrl(), getQuotaProjectId(), getClientId(), getClientSecret(), collection, getEnvironmentProvider());
    }

    @VisibleForTesting
    String getAwsRegion() throws IOException {
        String OooO00o2 = getEnvironmentProvider().OooO00o("AWS_REGION");
        if (OooO00o2 != null) {
            return OooO00o2;
        }
        String OooO00o3 = getEnvironmentProvider().OooO00o("AWS_DEFAULT_REGION");
        if (OooO00o3 != null) {
            return OooO00o3;
        }
        if (this.awsCredentialSource.f19137OooO00o == null || this.awsCredentialSource.f19137OooO00o.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        return retrieveResource(this.awsCredentialSource.f19137OooO00o, "region").substring(0, r0.length() - 1);
    }

    @VisibleForTesting
    OooO getAwsSecurityCredentials() throws IOException {
        String OooO00o2 = getEnvironmentProvider().OooO00o("AWS_ACCESS_KEY_ID");
        String OooO00o3 = getEnvironmentProvider().OooO00o("AWS_SECRET_ACCESS_KEY");
        String OooO00o4 = getEnvironmentProvider().OooO00o("Token");
        if (OooO00o2 != null && OooO00o3 != null) {
            return new OooO(OooO00o2, OooO00o3, OooO00o4);
        }
        if (this.awsCredentialSource.f19138OooO0O0 == null || this.awsCredentialSource.f19138OooO0O0.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        oo0O.OooO0O0 oooO0O0 = (oo0O.OooO0O0) OooOOOO.f19243OooO0o.OooO0o0(retrieveResource(this.awsCredentialSource.f19138OooO0O0 + "/" + retrieveResource(this.awsCredentialSource.f19138OooO0O0, "IAM role"), "credentials")).OooOooo(oo0O.OooO0O0.class);
        return new OooO((String) oooO0O0.get("AccessKeyId"), (String) oooO0O0.get("SecretAccessKey"), (String) oooO0O0.get("Token"));
    }

    @VisibleForTesting
    String getEnv(String str) {
        return System.getenv(str);
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() throws IOException {
        OooOo.OooO0O0 OooO0O02 = OooOo.OooOOO(retrieveSubjectToken(), getSubjectTokenType()).OooO0O0(getAudience());
        Collection<String> scopes = getScopes();
        if (scopes != null && !scopes.isEmpty()) {
            OooO0O02.OooO0o0(new ArrayList(scopes));
        }
        return exchangeExternalCredentialForAccessToken(OooO0O02.OooO00o());
    }

    @Override // com.google.auth.oauth2.ExternalAccountCredentials
    public String retrieveSubjectToken() throws IOException {
        String awsRegion = getAwsRegion();
        OooO awsSecurityCredentials = getAwsSecurityCredentials();
        HashMap hashMap = new HashMap();
        hashMap.put("x-goog-cloud-target-resource", getAudience());
        return buildSubjectToken(OooO0o.OooO0oO(awsSecurityCredentials, HttpPost.METHOD_NAME, this.awsCredentialSource.f19139OooO0OO.replace("{region}", awsRegion), awsRegion).OooO0O0(hashMap).OooO00o().OooO0oo());
    }
}
