package com.google.auth.oauth2;

import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.e0;
import com.google.api.client.http.j;
import com.google.api.client.util.GenericData;
import com.google.api.client.util.l;
import com.google.api.client.util.z;
import com.google.auth.ServiceAccountSigner$SigningException;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.JwtClaims;
import com.google.common.collect.ImmutableSet;
import j$.util.Objects;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executor;
import org.apache.http.message.TokenParser;
import wc.a;
import wc.b;

/* loaded from: classes3.dex */
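/**
 * OAuth2 credentials backed by a service-account private key.
 *
 * <p>This listing is decompiler output: several fields, the nested builder and most helper
 * types carry obfuscated names ({@code a}, {@code p}, {@code z}, {@code ad.b}, {@code tc.*},
 * {@code wc.*}). Comments below describe only what the visible statements do; anything that
 * depends on a helper whose body is not shown is marked as an assumption.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The instance holds the signing {@link PrivateKey} in a non-transient field and exposes
 *       it through {@link #getPrivateKey()}. The class declares a {@code serialVersionUID} and a
 *       {@code readObject}, so a serialized form presumably contains the key as well; handle
 *       serialized instances like the key file itself (TODO confirm against the superclass).</li>
 *   <li>{@code token_uri} from the key file decides where signed assertions are sent; no scheme
 *       or host check is visible in this class.</li>
 *   <li>{@link #equals(Object)} and {@link #hashCode()} do not include
 *       {@code serviceAccountUser} or {@code projectId}.</li>
 * </ul>
 */
public class ServiceAccountCredentials extends GoogleCredentials {
    static final int DEFAULT_NUMBER_OF_RETRIES = 3;
    private static final long serialVersionUID = 7807543542681217978L;
    private final String clientEmail;
    private final String clientId;
    private final boolean defaultRetriesEnabled;
    private final Collection<String> defaultScopes;
    private final int lifetime;
    private final PrivateKey privateKey;
    private final String privateKeyId;
    private final String projectId;

    /* renamed from: q, reason: collision with root package name */
    // HTTP transport factory; transient, rebuilt in readObject from transportFactoryClassName.
    private transient ad.b f31598q;
    private final Collection<String> scopes;
    private final String serviceAccountUser;
    private final URI tokenServerUri;
    private final String transportFactoryClassName;
    private final boolean useJwtAccessWithScope;

    /* renamed from: x, reason: collision with root package name */
    // Lazily created self-signed JWT credentials, used by getRequestMetadata(URI).
    private transient JwtCredentials f31599x;

    /**
     * Builder for {@link ServiceAccountCredentials}.
     *
     * <p>Setter names are obfuscated; the field each one writes, and the credential field that
     * value ends up in, is noted on the builder field.
     */
    public static class a extends GoogleCredentials.a {

        /* renamed from: e, reason: collision with root package name */
        // -> clientId, set by w(String)
        private String f31600e;

        /* renamed from: f, reason: collision with root package name */
        // -> clientEmail, set by v(String); required (null-checked in the credential constructor)
        private String f31601f;

        /* renamed from: g, reason: collision with root package name */
        // -> privateKey, set by A(PrivateKey); required
        private PrivateKey f31602g;

        /* renamed from: h, reason: collision with root package name */
        // -> privateKeyId, set by B(String)
        private String f31603h;

        /* renamed from: i, reason: collision with root package name */
        // -> serviceAccountUser, set by G(String)
        private String f31604i;

        /* renamed from: j, reason: collision with root package name */
        // -> projectId, set by C(String)
        private String f31605j;

        /* renamed from: k, reason: collision with root package name */
        // -> tokenServerUri, set by H(URI); null selects the default p.f31673a
        private URI f31606k;

        /* renamed from: l, reason: collision with root package name */
        // -> scopes, set by E(...) and F(...)
        private Collection<String> f31607l;

        /* renamed from: m, reason: collision with root package name */
        // -> defaultScopes, set by E(...) (to empty) and F(...)
        private Collection<String> f31608m;

        /* renamed from: n, reason: collision with root package name */
        // -> transport factory, set by y(ad.b)
        private ad.b f31609n;

        /* renamed from: o, reason: collision with root package name */
        // -> lifetime, set by z(int); defaults to 3600
        private int f31610o;

        /* renamed from: p, reason: collision with root package name */
        // -> useJwtAccessWithScope, set by I(boolean); defaults to false
        private boolean f31611p;

        /* renamed from: q, reason: collision with root package name */
        // -> defaultRetriesEnabled, set by x(boolean); defaults to true
        private boolean f31612q;

        /** Creates a builder with lifetime 3600, JWT-with-scope off and default retries on. */
        protected a() {
            this.f31610o = 3600;
            this.f31611p = false;
            this.f31612q = true;
        }

        /**
         * Creates a builder pre-populated from an existing credential.
         *
         * @param serviceAccountCredentials credential whose fields are copied, including the
         *     private key reference
         */
        protected a(ServiceAccountCredentials serviceAccountCredentials) {
            super(serviceAccountCredentials);
            this.f31600e = serviceAccountCredentials.clientId;
            this.f31601f = serviceAccountCredentials.clientEmail;
            this.f31602g = serviceAccountCredentials.privateKey;
            this.f31603h = serviceAccountCredentials.privateKeyId;
            this.f31607l = serviceAccountCredentials.scopes;
            this.f31608m = serviceAccountCredentials.defaultScopes;
            this.f31609n = serviceAccountCredentials.f31598q;
            this.f31606k = serviceAccountCredentials.tokenServerUri;
            this.f31604i = serviceAccountCredentials.serviceAccountUser;
            this.f31605j = serviceAccountCredentials.projectId;
            this.f31610o = serviceAccountCredentials.lifetime;
            this.f31611p = serviceAccountCredentials.useJwtAccessWithScope;
            this.f31612q = serviceAccountCredentials.defaultRetriesEnabled;
        }

        /** Sets the private key used for signing. */
        public a A(PrivateKey privateKey) {
            this.f31602g = privateKey;
            return this;
        }

        /** Sets the private key id. */
        public a B(String str) {
            this.f31603h = str;
            return this;
        }

        /** Sets the project id. */
        public a C(String str) {
            this.f31605j = str;
            return this;
        }

        /**
         * Delegates to the superclass setter and narrows the return type. {@code fromJson}
         * passes the {@code quota_project_id} value here.
         */
        @Override // com.google.auth.oauth2.GoogleCredentials.a
        /* renamed from: D, reason: merged with bridge method [inline-methods] */
        public a g(String str) {
            super.g(str);
            return this;
        }

        /** Sets the scopes and resets the default scopes to an empty set. */
        public a E(Collection<String> collection) {
            this.f31607l = collection;
            this.f31608m = ImmutableSet.of();
            return this;
        }

        /** Sets the scopes ({@code collection}) and the default scopes ({@code collection2}). */
        public a F(Collection<String> collection, Collection<String> collection2) {
            this.f31607l = collection;
            this.f31608m = collection2;
            return this;
        }

        /** Sets the service account user (the delegated user, see {@code createDelegated}). */
        public a G(String str) {
            this.f31604i = str;
            return this;
        }

        /** Sets the token server URI; assertions are POSTed to this address. */
        public a H(URI uri) {
            this.f31606k = uri;
            return this;
        }

        /** Sets whether self-signed JWTs with scopes are used. */
        public a I(boolean z10) {
            this.f31611p = z10;
            return this;
        }

        /**
         * Builds the credential.
         *
         * @throws IllegalStateException if the configured lifetime exceeds 43200
         */
        @Override // com.google.auth.oauth2.GoogleCredentials.a
        /* renamed from: u, reason: merged with bridge method [inline-methods] */
        public ServiceAccountCredentials h() {
            return new ServiceAccountCredentials(this);
        }

        /** Sets the client e-mail. */
        public a v(String str) {
            this.f31601f = str;
            return this;
        }

        /** Sets the client id. */
        public a w(String str) {
            this.f31600e = str;
            return this;
        }

        /** Sets whether the default retry count is applied to token requests. */
        public a x(boolean z10) {
            this.f31612q = z10;
            return this;
        }

        /** Sets the HTTP transport factory. */
        public a y(ad.b bVar) {
            this.f31609n = bVar;
            return this;
        }

        /** Sets the assertion lifetime; {@code 0} selects the default of 3600. */
        public a z(int i10) {
            this.f31610o = i10 == 0 ? 3600 : i10;
            return this;
        }
    }

    /**
     * Creates the credential from a builder.
     *
     * @param aVar builder; client e-mail and private key are required
     * @throws IllegalStateException if the lifetime is greater than 43200
     */
    ServiceAccountCredentials(a aVar) {
        super(aVar);
        this.f31599x = null;
        this.clientId = aVar.f31600e;
        // z.d is presumably a checkNotNull-style precondition (helper body not shown).
        this.clientEmail = (String) z.d(aVar.f31601f);
        this.privateKey = (PrivateKey) z.d(aVar.f31602g);
        this.privateKeyId = aVar.f31603h;
        // Defensive immutable copies: later changes to the caller's collections are not seen.
        this.scopes = aVar.f31607l == null ? ImmutableSet.of() : ImmutableSet.copyOf(aVar.f31607l);
        this.defaultScopes = aVar.f31608m == null ? ImmutableSet.of() : ImmutableSet.copyOf(aVar.f31608m);
        // Explicit transport factory if given, otherwise whatever the service loader yields,
        // with p.f31677e as the fallback argument.
        ad.b bVar = (ad.b) com.google.common.base.g.a(aVar.f31609n, OAuth2Credentials.getFromServiceLoader(ad.b.class, p.f31677e));
        this.f31598q = bVar;
        // Only the class name survives serialization; readObject re-creates the factory from it.
        this.transportFactoryClassName = bVar.getClass().getName();
        this.tokenServerUri = aVar.f31606k == null ? p.f31673a : aVar.f31606k;
        this.serviceAccountUser = aVar.f31604i;
        this.projectId = aVar.f31605j;
        // NOTE(review): only the upper bound is enforced; a negative lifetime is accepted here
        // and would produce an assertion whose expiry precedes its issue time.
        if (aVar.f31610o > 43200) {
            throw new IllegalStateException("lifetime must be less than or equal to 43200");
        }
        this.lifetime = aVar.f31610o;
        this.useJwtAccessWithScope = aVar.f31611p;
        this.defaultRetriesEnabled = aVar.f31612q;
    }

    /**
     * Builds a credential from the parsed content of a service-account key file.
     *
     * <p>Security: {@code token_uri} is taken from the file as-is and becomes the address that
     * {@link #refreshAccessToken()} and {@link #idTokenWithAudience} POST signed assertions to.
     * No scheme or host validation is visible here, so key files must come from a trusted
     * source.
     *
     * <p>NOTE(review): values are cast to {@code String} without a type check, so a key file
     * with a non-string value fails with {@code ClassCastException}, not {@code IOException}.
     *
     * @param map parsed JSON object
     * @param bVar HTTP transport factory
     * @throws IOException if {@code token_uri} cannot be parsed or a required field is missing
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static ServiceAccountCredentials fromJson(Map<String, Object> map, ad.b bVar) throws IOException {
        String clientId = (String) map.get("client_id");
        String clientEmail = (String) map.get("client_email");
        String privateKeyPkcs8 = (String) map.get("private_key");
        String privateKeyId = (String) map.get("private_key_id");
        String projectId = (String) map.get("project_id");
        String tokenUri = (String) map.get("token_uri");
        String quotaProjectId = (String) map.get("quota_project_id");
        URI uri = null;
        if (tokenUri != null) {
            try {
                uri = new URI(tokenUri);
            } catch (URISyntaxException unused) {
                throw new IOException("Token server URI specified in 'token_uri' could not be parsed.");
            }
        }
        if (clientId == null || clientEmail == null || privateKeyPkcs8 == null || privateKeyId == null) {
            throw new IOException("Error reading service account credential from JSON, expecting  'client_id', 'client_email', 'private_key' and 'private_key_id'.");
        }
        return fromPkcs8(privateKeyPkcs8, newBuilder().w(clientId).v(clientEmail).B(privateKeyId).y(bVar).H(uri).C(projectId).g(quotaProjectId));
    }

    /**
     * Sets the builder's private key from {@code str} and builds the credential.
     *
     * @param str private key text; {@code p.b} presumably parses PKCS#8 PEM (helper not shown)
     * @param aVar builder carrying every other field
     */
    static ServiceAccountCredentials fromPkcs8(String str, a aVar) throws IOException {
        aVar.A(p.b(str));
        return new ServiceAccountCredentials(aVar);
    }

    /**
     * Builds a credential from its parts.
     *
     * @param str client id
     * @param str2 client e-mail
     * @param str3 private key text
     * @param str4 private key id
     * @param collection scopes
     */
    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection) throws IOException {
        return fromPkcs8(str3, newBuilder().w(str).v(str2).B(str4).E(collection));
    }

    /** As the five-argument overload, plus transport factory {@code bVar} and token server {@code uri}. */
    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, ad.b bVar, URI uri) throws IOException {
        return fromPkcs8(str3, newBuilder().w(str).v(str2).B(str4).E(collection).y(bVar).H(uri));
    }

    /** As above, plus service account user {@code str5}. */
    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, ad.b bVar, URI uri, String str5) throws IOException {
        return fromPkcs8(str3, newBuilder().w(str).v(str2).B(str4).E(collection).y(bVar).H(uri).G(str5));
    }

    /** As the five-argument overload, with default scopes {@code collection2}. */
    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, Collection<String> collection2) throws IOException {
        return fromPkcs8(str3, newBuilder().w(str).v(str2).B(str4).F(collection, collection2));
    }

    /** With scopes, default scopes, transport factory and token server URI. */
    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, Collection<String> collection2, ad.b bVar, URI uri) throws IOException {
        return fromPkcs8(str3, newBuilder().w(str).v(str2).B(str4).F(collection, collection2).y(bVar).H(uri));
    }

    /** With scopes, default scopes, transport factory, token server URI and service account user. */
    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, Collection<String> collection2, ad.b bVar, URI uri, String str5) throws IOException {
        return fromPkcs8(str3, newBuilder().w(str).v(str2).B(str4).F(collection, collection2).y(bVar).H(uri).G(str5));
    }

    /** Reads a key file from {@code inputStream} using the default transport factory. */
    public static ServiceAccountCredentials fromStream(InputStream inputStream) throws IOException {
        return fromStream(inputStream, p.f31677e);
    }

    /**
     * Reads a JSON key file and builds the credential.
     *
     * @param inputStream UTF-8 JSON; the caller keeps ownership, the stream is not closed here
     * @param bVar HTTP transport factory
     * @throws IOException if {@code type} is missing or is not {@code service_account}
     */
    public static ServiceAccountCredentials fromStream(InputStream inputStream, ad.b bVar) throws IOException {
        z.d(inputStream);
        z.d(bVar);
        tc.b bVar2 = (tc.b) new tc.e(p.f31678f).a(inputStream, StandardCharsets.UTF_8, tc.b.class);
        String str = (String) bVar2.get("type");
        if (str == null) {
            throw new IOException("Error reading credentials from stream, 'type' field not specified.");
        }
        if ("service_account".equals(str)) {
            return fromJson(bVar2, bVar);
        }
        throw new IOException(String.format("Error reading credentials from stream, 'type' value '%s' not recognized. Expecting '%s'.", str, "service_account"));
    }

    /** Returns the client e-mail; used as the issuer value in assertions and error messages. */
    private String g() {
        return this.clientEmail;
    }

    /**
     * Reduces {@code uri} to {@code scheme://host/}.
     *
     * @return the reduced URI, or {@code uri} unchanged when it is null, lacks a scheme or
     *     host, or the reduced form cannot be constructed
     */
    static URI getUriForSelfSignedJWT(URI uri) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
            return uri;
        }
        try {
            return new URI(uri.getScheme(), uri.getHost(), "/", null);
        } catch (URISyntaxException ignored) {
            // Best effort: fall back to the caller's URI rather than failing the request.
            return uri;
        }
    }

    /** Retry predicate: true when the response status code is in {@code p.f31681i}. */
    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ boolean h(com.google.api.client.http.u uVar) {
        return p.f31681i.contains(Integer.valueOf(uVar.h()));
    }

    /** Returns a new, empty builder. */
    public static a newBuilder() {
        return new a();
    }

    /**
     * Restores the transient transport factory after default deserialization.
     *
     * <p>Security: the class name comes from the serialized stream and is handed to
     * {@code OAuth2Credentials.newInstance}, which presumably instantiates it reflectively
     * (helper not shown, TODO confirm). Deserialize instances only from a trusted source.
     */
    private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        objectInputStream.defaultReadObject();
        this.f31598q = (ad.b) OAuth2Credentials.newInstance(this.transportFactoryClassName);
    }

    /**
     * Builds and signs the assertion used to request an access token.
     *
     * <p>The header carries "RS256", "JWT" and the private key id. The payload carries the
     * client e-mail, the issue time in seconds, issue time plus {@code lifetime}, the service
     * account user, a space-joined {@code scope} (the default scopes when no scopes are set),
     * and {@code p.f31673a} (the default token server URI, presumably as audience).
     *
     * @param cVar JSON factory handed to the signer
     * @param j10 current time in milliseconds
     * @throws IOException if signing fails
     */
    String createAssertion(tc.c cVar, long j10) throws IOException {
        // Fully qualified: inside this class the simple name "a" is the nested builder, which
        // shadows the imported wc.a.
        wc.a.C0559a header = new wc.a.C0559a();
        header.k("RS256");
        header.o("JWT");
        header.m(this.privateKeyId);
        b.C0560b payload = new b.C0560b();
        payload.k(g());
        long issuedAtSeconds = j10 / 1000;
        payload.j(Long.valueOf(issuedAtSeconds));
        payload.h(Long.valueOf(issuedAtSeconds + this.lifetime));
        payload.m(this.serviceAccountUser);
        Collection<String> effectiveScopes = this.scopes.isEmpty() ? this.defaultScopes : this.scopes;
        payload.put("scope", (Object) com.google.api.client.util.o.b(TokenParser.SP).a(effectiveScopes));
        payload.d(p.f31673a.toString());
        try {
            return wc.a.f(this.privateKey, cVar, header, payload);
        } catch (GeneralSecurityException e10) {
            throw new IOException("Error signing service account access token request with private key.", e10);
        }
    }

    /**
     * Builds and signs the assertion used to request an ID token.
     *
     * @param cVar JSON factory handed to the signer
     * @param j10 current time in milliseconds
     * @param str value passed to the payload's {@code d} setter; {@code p.f31673a} when null
     * @param str2 value of the {@code target_audience} claim
     * @throws IOException if signing fails
     */
    String createAssertionForIdToken(tc.c cVar, long j10, String str, String str2) throws IOException {
        // Fully qualified for the same shadowing reason as in createAssertion.
        wc.a.C0559a header = new wc.a.C0559a();
        header.k("RS256");
        header.o("JWT");
        header.m(this.privateKeyId);
        b.C0560b payload = new b.C0560b();
        payload.k(g());
        long issuedAtSeconds = j10 / 1000;
        payload.j(Long.valueOf(issuedAtSeconds));
        payload.h(Long.valueOf(issuedAtSeconds + this.lifetime));
        payload.m(this.serviceAccountUser);
        payload.d(str == null ? p.f31673a.toString() : str);
        try {
            payload.set("target_audience", str2);
            return wc.a.f(this.privateKey, cVar, header, payload);
        } catch (GeneralSecurityException e10) {
            throw new IOException("Error signing service account access token request with private key.", e10);
        }
    }

    /** Returns a copy of this credential with the service account user set to {@code str}. */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createDelegated(String str) {
        return toBuilder().G(str).h();
    }

    /** Returns a copy with the given scopes and no default scopes. */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection) {
        return createScoped(collection, null);
    }

    /** Returns a copy with scopes {@code collection} and default scopes {@code collection2}. */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection, Collection<String> collection2) {
        return toBuilder().F(collection, collection2).h();
    }

    /** Returns true when neither scopes nor default scopes are configured. */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public boolean createScopedRequired() {
        return this.scopes.isEmpty() && this.defaultScopes.isEmpty();
    }

    /**
     * Creates JWT credentials signed with this account's key, with the client e-mail passed to
     * both the {@code d} and {@code e} claim setters.
     *
     * @param uri when null, a space-joined {@code scope} claim is added (scopes, or the default
     *     scopes if none); otherwise the URI reduced to {@code scheme://host/} is passed to the
     *     claims builder's {@code c} setter
     */
    JwtCredentials createSelfSignedJwtCredentials(URI uri) {
        JwtClaims.a claims = JwtClaims.newBuilder().d(this.clientEmail).e(this.clientEmail);
        if (uri == null) {
            claims.b(Collections.singletonMap("scope", !this.scopes.isEmpty() ? com.google.api.client.util.o.b(TokenParser.SP).a(this.scopes) : com.google.api.client.util.o.b(TokenParser.SP).a(this.defaultScopes)));
        } else {
            claims.c(getUriForSelfSignedJWT(uri).toString());
        }
        return JwtCredentials.newBuilder().i(this.privateKey).j(this.privateKeyId).h(claims.a()).g(this.clock).a();
    }

    /**
     * Returns a copy with the given assertion lifetime.
     *
     * @param i10 lifetime; {@code 0} selects 3600
     * @throws IllegalStateException if {@code i10} is greater than 43200
     */
    public ServiceAccountCredentials createWithCustomLifetime(int i10) {
        return toBuilder().z(i10).h();
    }

    /** Returns a copy with default retries enabled or disabled. */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public ServiceAccountCredentials createWithCustomRetryStrategy(boolean z10) {
        return toBuilder().x(z10).h();
    }

    /** Returns a copy with self-signed JWT-with-scope use switched on or off. */
    public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean z10) {
        return toBuilder().I(z10).h();
    }

    /**
     * Compares the identifying fields of two credentials.
     *
     * <p>NOTE(review): {@code serviceAccountUser} and {@code projectId} are not compared, so
     * two credentials that differ only in the delegated user are equal. Do not use instances
     * as cache or map keys where the delegated user must be distinguished.
     */
    @Override // com.google.auth.oauth2.OAuth2Credentials
    public boolean equals(Object obj) {
        if (!(obj instanceof ServiceAccountCredentials)) {
            return false;
        }
        ServiceAccountCredentials other = (ServiceAccountCredentials) obj;
        return Objects.equals(this.clientId, other.clientId)
                && Objects.equals(this.clientEmail, other.clientEmail)
                && Objects.equals(this.privateKey, other.privateKey)
                && Objects.equals(this.privateKeyId, other.privateKeyId)
                && Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
                && Objects.equals(this.tokenServerUri, other.tokenServerUri)
                && Objects.equals(this.scopes, other.scopes)
                && Objects.equals(this.defaultScopes, other.defaultScopes)
                && Objects.equals(this.quotaProjectId, other.quotaProjectId)
                && this.lifetime == other.lifetime
                && this.useJwtAccessWithScope == other.useJwtAccessWithScope
                && this.defaultRetriesEnabled == other.defaultRetriesEnabled;
    }

    /** Returns the client e-mail. */
    public String getAccount() {
        return getClientEmail();
    }

    public final String getClientEmail() {
        return this.clientEmail;
    }

    public final String getClientId() {
        return this.clientId;
    }

    public final Collection<String> getDefaultScopes() {
        return this.defaultScopes;
    }

    int getLifetime() {
        return this.lifetime;
    }

    /** Returns the signing key itself, not a copy; callers must treat it as secret material. */
    public final PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    public final String getPrivateKeyId() {
        return this.privateKeyId;
    }

    public final String getProjectId() {
        return this.projectId;
    }

    /**
     * Returns request metadata, choosing between the superclass path and a self-signed JWT.
     *
     * <p>The superclass path is taken when scopes are configured and JWT-with-scope is off, or
     * whenever a non-empty service account user is set. Otherwise a self-signed JWT is used:
     * one created for {@code uri} when no scopes are configured or JWT-with-scope is off, else
     * a cached one created with a null URI.
     *
     * @throws IOException if neither scopes nor {@code uri} are available
     */
    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
        if (createScopedRequired() && uri == null) {
            throw new IOException("Scopes and uri are not configured for service account. Specify the scopes by calling createScoped or passing scopes to constructor or providing uri to getRequestMetadata.");
        }
        boolean delegated = this.serviceAccountUser != null && this.serviceAccountUser.length() > 0;
        if ((!createScopedRequired() && !this.useJwtAccessWithScope) || delegated) {
            return super.getRequestMetadata(uri);
        }
        JwtCredentials jwtCredentials;
        if (createScopedRequired() || !this.useJwtAccessWithScope) {
            jwtCredentials = createSelfSignedJwtCredentials(uri);
        } else {
            // NOTE(review): the cache is filled without synchronization; concurrent callers may
            // each create an instance, and the last write wins.
            if (this.f31599x == null) {
                this.f31599x = createSelfSignedJwtCredentials(null);
            }
            jwtCredentials = this.f31599x;
        }
        return GoogleCredentials.addQuotaProjectIdToRequestMetadata(this.quotaProjectId, jwtCredentials.getRequestMetadata(null));
    }

    /**
     * Callback variant: calls {@code blockingGetToCallback} when JWT-with-scope is on,
     * otherwise defers to the superclass with the executor.
     */
    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public void getRequestMetadata(URI uri, Executor executor, com.google.auth.a aVar) {
        if (this.useJwtAccessWithScope) {
            blockingGetToCallback(uri, aVar);
        } else {
            super.getRequestMetadata(uri, executor, aVar);
        }
    }

    public final Collection<String> getScopes() {
        return this.scopes;
    }

    /** Returns the cached self-signed JWT credentials, or null if none were created yet. */
    JwtCredentials getSelfSignedJwtCredentialsWithScope() {
        return this.f31599x;
    }

    public final String getServiceAccountUser() {
        return this.serviceAccountUser;
    }

    public final URI getTokenServerUri() {
        return this.tokenServerUri;
    }

    public boolean getUseJwtAccessWithScope() {
        return this.useJwtAccessWithScope;
    }

    /** Hashes the same fields that {@link #equals(Object)} compares. */
    @Override // com.google.auth.oauth2.OAuth2Credentials
    public int hashCode() {
        return Objects.hash(this.clientId, this.clientEmail, this.privateKey, this.privateKeyId, this.transportFactoryClassName, this.tokenServerUri, this.scopes, this.defaultScopes, this.quotaProjectId, this.lifetime, this.useJwtAccessWithScope, this.defaultRetriesEnabled);
    }

    /**
     * Requests an ID token by POSTing a signed assertion to {@code tokenServerUri}.
     *
     * @param str target audience for the ID token
     * @param list not read by this implementation
     * @throws IOException if the request fails or the response has no {@code id_token}
     */
    public IdToken idTokenWithAudience(String str, List<IdTokenProvider$Option> list) throws IOException {
        tc.c cVar = p.f31678f;
        String assertion = createAssertionForIdToken(cVar, this.clock.a(), this.tokenServerUri.toString(), str);
        GenericData form = new GenericData();
        form.set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        form.set("assertion", assertion);
        com.google.api.client.http.r request = this.f31598q.a().c().b(new com.google.api.client.http.g(this.tokenServerUri), new e0(form));
        request.A(new tc.e(cVar));
        try {
            return IdToken.create(p.g((GenericData) request.b().m(GenericData.class), "id_token", "Error parsing token refresh response. "));
        } catch (IOException e10) {
            throw new IOException(String.format("Error getting id token for service account: %s, iss: %s", e10.getMessage(), g()), e10);
        }
    }

    /**
     * Returns JWT credentials signed with this account's key, with the client e-mail claims
     * merged with {@code jwtClaims}.
     */
    public JwtCredentials jwtWithClaims(JwtClaims jwtClaims) {
        return JwtCredentials.newBuilder().i(this.privateKey).j(this.privateKeyId).h(JwtClaims.newBuilder().d(g()).e(this.clientEmail).a().merge(jwtClaims)).g(this.clock).a();
    }

    /**
     * Exchanges a freshly signed assertion for an access token at {@code tokenServerUri}.
     *
     * <p>The request uses {@link #DEFAULT_NUMBER_OF_RETRIES} retries when default retries are
     * enabled and none otherwise, with a back-off built from 1000, 0.1 and 2.0 (presumably
     * initial interval in milliseconds, randomization factor and multiplier).
     *
     * @throws IOException wrapped by {@code GoogleAuthException} when the request or the
     *     response parsing fails
     */
    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() throws IOException {
        tc.c cVar = p.f31678f;
        String assertion = createAssertion(cVar, this.clock.a());
        GenericData form = new GenericData();
        form.set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        form.set("assertion", assertion);
        com.google.api.client.http.r request = this.f31598q.a().c().b(new com.google.api.client.http.g(this.tokenServerUri), new e0(form));
        request.z(this.defaultRetriesEnabled ? DEFAULT_NUMBER_OF_RETRIES : 0);
        request.A(new tc.e(cVar));
        com.google.api.client.util.l backOff = new l.a().b(1000).d(0.1d).c(2.0d).a();
        request.F(new com.google.api.client.http.j(backOff).b(new j.a() { // from class: com.google.auth.oauth2.t
            @Override // com.google.api.client.http.j.a
            public final boolean a(com.google.api.client.http.u uVar) {
                return ServiceAccountCredentials.h(uVar);
            }
        }));
        request.x(new com.google.api.client.http.i(backOff));
        try {
            // The decompiler left the parsed response in an undeclared register name ("r0");
            // it is held in a local so that both fields are read from the same object.
            GenericData response = (GenericData) request.b().m(GenericData.class);
            // 1000L keeps the seconds-to-milliseconds conversion in long arithmetic.
            return new AccessToken(p.g(response, "access_token", "Error parsing token refresh response. "), new Date(this.clock.a() + (p.c(response, "expires_in", "Error parsing token refresh response. ") * 1000L)));
        } catch (HttpResponseException e10) {
            throw GoogleAuthException.createWithTokenEndpointResponseException(e10, String.format("Error getting access token for service account: %s, iss: %s", e10.getMessage(), g()));
        } catch (IOException e11) {
            throw GoogleAuthException.createWithTokenEndpointIOException(e11, String.format("Error getting access token for service account: %s, iss: %s", e11.getMessage(), g()));
        }
    }

    /**
     * Signs {@code bArr} with the account's private key using SHA256withRSA.
     *
     * @throws ServiceAccountSigner$SigningException if the key or algorithm is unusable or
     *     signing fails
     */
    public byte[] sign(byte[] bArr) {
        try {
            Signature signer = Signature.getInstance("SHA256withRSA");
            signer.initSign(getPrivateKey());
            signer.update(bArr);
            return signer.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e10) {
            throw new ServiceAccountSigner$SigningException("Failed to sign the provided bytes", e10);
        }
    }

    /** Returns a builder pre-populated from this credential. */
    @Override // com.google.auth.oauth2.GoogleCredentials, com.google.auth.oauth2.OAuth2Credentials
    public a toBuilder() {
        return new a(this);
    }

    /** Returns a description of the credential; the private key is not part of it. */
    @Override // com.google.auth.oauth2.OAuth2Credentials
    public String toString() {
        return com.google.common.base.g.b(this).b("clientId", this.clientId).b("clientEmail", this.clientEmail).b("privateKeyId", this.privateKeyId).b("transportFactoryClassName", this.transportFactoryClassName).b("tokenServerUri", this.tokenServerUri).b("scopes", this.scopes).b("defaultScopes", this.defaultScopes).b("serviceAccountUser", this.serviceAccountUser).b("quotaProjectId", this.quotaProjectId).a("lifetime", this.lifetime).c("useJwtAccessWithScope", this.useJwtAccessWithScope).c("defaultRetriesEnabled", this.defaultRetriesEnabled).toString();
    }
}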
