package com.google.auth.oauth2;

import com.google.android.gms.common.internal.ImagesContract;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpContent;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.json.GenericJson;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.StsTokenExchangeRequest;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import com.google.firebase.analytics.FirebaseAnalytics;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;

/* loaded from: classes3.dex */
public class AwsCredentials extends ExternalAccountCredentials {
    public final AwsCredentialSource W;

    /* loaded from: classes3.dex */
    public static class AwsCredentialSource extends ExternalAccountCredentials.CredentialSource {

        /* renamed from: a, reason: collision with root package name */
        public final String f5989a;
        public final String b;
        public final String c;
        public final String d;

        public AwsCredentialSource(Map<String, Object> map) {
            super(map);
            if (!map.containsKey("regional_cred_verification_url")) {
                throw new IllegalArgumentException("A regional_cred_verification_url representing the GetCallerIdentity action URL must be specified.");
            }
            Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher((String) map.get("environment_id"));
            if (!matcher.matches()) {
                throw new IllegalArgumentException("Invalid AWS environment ID.");
            }
            int parseInt = Integer.parseInt(matcher.group(2));
            if (parseInt != 1) {
                throw new IllegalArgumentException(String.format("AWS version %s is not supported in the current build.", Integer.valueOf(parseInt)));
            }
            this.f5989a = (String) map.get("region_url");
            this.b = (String) map.get(ImagesContract.URL);
            this.c = (String) map.get("regional_cred_verification_url");
            if (map.containsKey("imdsv2_session_token_url")) {
                this.d = (String) map.get("imdsv2_session_token_url");
            } else {
                this.d = null;
            }
            f();
        }

        @VisibleForTesting
        public static void e(String str, String str2) {
            if (str == null || str.trim().length() == 0) {
                return;
            }
            try {
                String host = new URL(str).getHost();
                if (!host.equals("169.254.169.254") && !host.equals("[fd00:ec2::254]")) {
                    throw new IllegalArgumentException(String.format("Invalid host %s for %s.", host, str2));
                }
            } catch (MalformedURLException e) {
                throw new IllegalArgumentException(e);
            }
        }

        public final void f() {
            e(this.f5989a, "region_url");
            e(this.b, ImagesContract.URL);
            e(this.d, "imdsv2_session_token_url");
        }
    }

    /* loaded from: classes3.dex */
    public static class Builder extends ExternalAccountCredentials.Builder {
        public Builder() {
        }

        public Builder(AwsCredentials awsCredentials) {
            super(awsCredentials);
        }

        @Override // com.google.auth.oauth2.ExternalAccountCredentials.Builder
        /* renamed from: u, reason: merged with bridge method [inline-methods] */
        public AwsCredentials c() {
            return new AwsCredentials(this);
        }
    }

    public AwsCredentials(Builder builder) {
        super(builder);
        this.W = (AwsCredentialSource) builder.i;
    }

    public static GenericJson h0(String str, String str2) {
        GenericJson genericJson = new GenericJson();
        genericJson.g(OAuth2Utils.f);
        genericJson.put("key", str);
        genericJson.put("value", str2);
        return genericJson;
    }

    public static Builder l0() {
        return new Builder();
    }

    public static Builder m0(AwsCredentials awsCredentials) {
        return new Builder(awsCredentials);
    }

    public final String d0(AwsRequestSignature awsRequestSignature) throws UnsupportedEncodingException {
        Map<String, String> b = awsRequestSignature.b();
        ArrayList arrayList = new ArrayList();
        for (String str : b.keySet()) {
            arrayList.add(h0(str, b.get(str)));
        }
        arrayList.add(h0("Authorization", awsRequestSignature.a()));
        arrayList.add(h0("x-goog-cloud-target-resource", R()));
        GenericJson genericJson = new GenericJson();
        genericJson.g(OAuth2Utils.f);
        genericJson.put("headers", arrayList);
        genericJson.put(FirebaseAnalytics.Param.METHOD, awsRequestSignature.c());
        genericJson.put(ImagesContract.URL, this.W.c.replace("{region}", awsRequestSignature.d()));
        return URLEncoder.encode(genericJson.toString(), "UTF-8");
    }

    public final boolean e0() {
        Iterator<E> it = ImmutableList.L("AWS_REGION", "AWS_DEFAULT_REGION").iterator();
        while (it.hasNext()) {
            String a2 = S().a((String) it.next());
            if (a2 != null && a2.trim().length() > 0) {
                return true;
            }
        }
        return false;
    }

    public final boolean f0() {
        Iterator<E> it = ImmutableList.L("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY").iterator();
        while (it.hasNext()) {
            String a2 = S().a((String) it.next());
            if (a2 == null || a2.trim().length() == 0) {
                return false;
            }
        }
        return true;
    }

    @VisibleForTesting
    public Map<String, Object> g0(AwsCredentialSource awsCredentialSource) throws IOException {
        HashMap hashMap = new HashMap();
        if (awsCredentialSource.d != null) {
            hashMap.put("x-aws-ec2-metadata-token", n0(awsCredentialSource.d, "Session Token", HttpPut.METHOD_NAME, new HashMap<String, Object>() { // from class: com.google.auth.oauth2.AwsCredentials.1
                {
                    put("x-aws-ec2-metadata-token-ttl-seconds", "300");
                }
            }, null));
        }
        return hashMap;
    }

    @VisibleForTesting
    public String i0(Map<String, Object> map) throws IOException {
        if (e0()) {
            String a2 = S().a("AWS_REGION");
            return (a2 == null || a2.trim().length() <= 0) ? S().a("AWS_DEFAULT_REGION") : a2;
        }
        if (this.W.f5989a == null || this.W.f5989a.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        return o0(this.W.f5989a, "region", map).substring(0, r3.length() - 1);
    }

    @VisibleForTesting
    public AwsSecurityCredentials j0(Map<String, Object> map) throws IOException {
        if (f0()) {
            return new AwsSecurityCredentials(S().a("AWS_ACCESS_KEY_ID"), S().a("AWS_SECRET_ACCESS_KEY"), S().a("AWS_SESSION_TOKEN"));
        }
        if (this.W.b == null || this.W.b.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        GenericJson genericJson = (GenericJson) OAuth2Utils.f.f(o0(this.W.b + "/" + o0(this.W.b, "IAM role", map), "credentials", map)).C(GenericJson.class);
        return new AwsSecurityCredentials((String) genericJson.get("AccessKeyId"), (String) genericJson.get("SecretAccessKey"), (String) genericJson.get("Token"));
    }

    public final String n0(String str, String str2, String str3, Map<String, Object> map, @Nullable HttpContent httpContent) throws IOException {
        try {
            HttpRequest c = this.K.a().c().c(str3, new GenericUrl(str), httpContent);
            HttpHeaders e = c.e();
            for (Map.Entry<String, Object> entry : map.entrySet()) {
                e.j(entry.getKey(), entry.getValue());
            }
            return c.b().l();
        } catch (IOException e2) {
            throw new IOException(String.format("Failed to retrieve AWS %s.", str2), e2);
        }
    }

    public final String o0(String str, String str2, Map<String, Object> map) throws IOException {
        return n0(str, str2, HttpGet.METHOD_NAME, map, null);
    }

    public String p0() throws IOException {
        Map<String, Object> hashMap = new HashMap<>();
        if (q0()) {
            hashMap = g0(this.W);
        }
        String i0 = i0(hashMap);
        AwsSecurityCredentials j0 = j0(hashMap);
        HashMap hashMap2 = new HashMap();
        hashMap2.put("x-goog-cloud-target-resource", R());
        return d0(AwsRequestSigner.g(j0, HttpPost.METHOD_NAME, this.W.c.replace("{region}", i0), i0).b(hashMap2).a().h());
    }

    @VisibleForTesting
    public boolean q0() {
        return (e0() && f0()) ? false : true;
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken r() throws IOException {
        StsTokenExchangeRequest.Builder b = StsTokenExchangeRequest.n(p0(), V()).b(R());
        Collection<String> T = T();
        if (T != null && !T.isEmpty()) {
            b.d(new ArrayList(T));
        }
        return P(b.a());
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials v(Collection<String> collection) {
        return new AwsCredentials((Builder) m0(this).n(collection));
    }
}
