package com.google.auth.oauth2;

import androidx.core.app.NotificationCompat;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.json.JsonHttpContent;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.util.GenericData;
import com.google.auth.ServiceAccountSigner;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.common.base.l;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import l4.a;
import org.apache.http.client.config.CookieSpecs;

/* loaded from: classes2.dex */
public class ComputeEngineCredentials extends GoogleCredentials implements ServiceAccountSigner {
    static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS = 500;
    static final String DEFAULT_METADATA_SERVER_URL = "http://metadata.google.internal";
    private static final String GOOGLE = "Google";
    private static final Logger LOGGER = Logger.getLogger(ComputeEngineCredentials.class.getName());
    static final int MAX_COMPUTE_PING_TRIES = 3;
    private static final String METADATA_FLAVOR = "Metadata-Flavor";
    private static final String PARSE_ERROR_ACCOUNT = "Error parsing service account response. ";
    private static final String PARSE_ERROR_MESSAGE = "Error parsing error message response. ";
    private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
    private static final String PARSE_ERROR_SIGNATURE = "Error parsing signature response. ";
    static final String SIGN_BLOB_URL_FORMAT = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:signBlob";
    private static final long serialVersionUID = -4113476462526554235L;
    private transient String serviceAccountEmail;
    private transient HttpTransportFactory transportFactory;
    private final String transportFactoryClassName;

    /* loaded from: classes2.dex */
    public static class Builder extends GoogleCredentials.Builder {
        private HttpTransportFactory transportFactory;

        protected Builder() {
        }

        protected Builder(ComputeEngineCredentials computeEngineCredentials) {
            this.transportFactory = computeEngineCredentials.transportFactory;
        }

        @Override // com.google.auth.oauth2.GoogleCredentials.Builder, com.google.auth.oauth2.OAuth2Credentials.Builder
        public ComputeEngineCredentials build() {
            return new ComputeEngineCredentials(this.transportFactory);
        }

        public HttpTransportFactory getHttpTransportFactory() {
            return this.transportFactory;
        }

        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.transportFactory = httpTransportFactory;
            return this;
        }
    }

    private ComputeEngineCredentials(HttpTransportFactory httpTransportFactory) {
        HttpTransportFactory httpTransportFactory2 = (HttpTransportFactory) l.a(httpTransportFactory, OAuth2Credentials.getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
        this.transportFactory = httpTransportFactory2;
        this.transportFactoryClassName = httpTransportFactory2.getClass().getName();
    }

    public static ComputeEngineCredentials create() {
        return new ComputeEngineCredentials(null);
    }

    private String getDefaultServiceAccount() {
        HttpResponse metadataResponse = getMetadataResponse(getServiceAccountsUrl());
        int statusCode = metadataResponse.getStatusCode();
        if (statusCode == 404) {
            throw new IOException(String.format("Error code %s trying to get service accounts from Compute Engine metadata. This may be because the virtual machine instance does not have permission scopes specified.", Integer.valueOf(statusCode)));
        }
        if (statusCode != 200) {
            throw new IOException(String.format("Unexpected Error code %s trying to get service accounts from Compute Engine metadata: %s", Integer.valueOf(statusCode), metadataResponse.parseAsString()));
        }
        if (metadataResponse.getContent() != null) {
            return OAuth2Utils.validateString(OAuth2Utils.validateMap((GenericData) metadataResponse.parseAs(GenericData.class), CookieSpecs.DEFAULT, PARSE_ERROR_ACCOUNT), NotificationCompat.CATEGORY_EMAIL, PARSE_ERROR_ACCOUNT);
        }
        throw new IOException("Empty content from metadata token server request.");
    }

    private HttpResponse getMetadataResponse(String str) {
        HttpRequest buildGetRequest = this.transportFactory.create().createRequestFactory().buildGetRequest(new GenericUrl(str));
        buildGetRequest.setParser(new JsonObjectParser(OAuth2Utils.JSON_FACTORY));
        buildGetRequest.getHeaders().set(METADATA_FLAVOR, (Object) GOOGLE);
        buildGetRequest.setThrowExceptionOnExecuteError(false);
        try {
            return buildGetRequest.execute();
        } catch (UnknownHostException e10) {
            throw new IOException("ComputeEngineCredentials cannot find the metadata server. This is likely because code is not running on Google Compute Engine.", e10);
        }
    }

    public static String getMetadataServerUrl() {
        return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT);
    }

    public static String getMetadataServerUrl(DefaultCredentialsProvider defaultCredentialsProvider) {
        String env = defaultCredentialsProvider.getEnv("GCE_METADATA_HOST");
        if (env == null) {
            return DEFAULT_METADATA_SERVER_URL;
        }
        return "http://" + env;
    }

    public static String getServiceAccountsUrl() {
        return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT) + "/computeMetadata/v1/instance/service-accounts/?recursive=true";
    }

    private String getSignature(String str) {
        GenericUrl genericUrl = new GenericUrl(String.format(SIGN_BLOB_URL_FORMAT, getAccount()));
        GenericData genericData = new GenericData();
        genericData.set("payload", str);
        HttpRequest buildPostRequest = this.transportFactory.create().createRequestFactory().buildPostRequest(genericUrl, new JsonHttpContent(OAuth2Utils.JSON_FACTORY, genericData));
        Map<String, List<String>> requestMetadata = getRequestMetadata();
        HttpHeaders headers = buildPostRequest.getHeaders();
        for (Map.Entry<String, List<String>> entry : requestMetadata.entrySet()) {
            headers.put(entry.getKey(), (Object) entry.getValue());
        }
        buildPostRequest.setParser(new JsonObjectParser(OAuth2Utils.JSON_FACTORY));
        buildPostRequest.setThrowExceptionOnExecuteError(false);
        HttpResponse execute = buildPostRequest.execute();
        int statusCode = execute.getStatusCode();
        if (statusCode >= 400 && statusCode < 500) {
            throw new IOException(String.format("Error code %s trying to sign provided bytes: %s", Integer.valueOf(statusCode), OAuth2Utils.validateString(OAuth2Utils.validateMap((GenericData) execute.parseAs(GenericData.class), "error", PARSE_ERROR_MESSAGE), "message", PARSE_ERROR_MESSAGE)));
        }
        if (statusCode != 200) {
            throw new IOException(String.format("Unexpected Error code %s trying to sign provided bytes: %s", Integer.valueOf(statusCode), execute.parseAsString()));
        }
        if (execute.getContent() != null) {
            return OAuth2Utils.validateString((GenericData) execute.parseAs(GenericData.class), "signedBlob", PARSE_ERROR_SIGNATURE);
        }
        throw new IOException("Empty content from sign blob server request.");
    }

    public static String getTokenServerEncodedUrl() {
        return getTokenServerEncodedUrl(DefaultCredentialsProvider.DEFAULT);
    }

    public static String getTokenServerEncodedUrl(DefaultCredentialsProvider defaultCredentialsProvider) {
        return getMetadataServerUrl(defaultCredentialsProvider) + "/computeMetadata/v1/instance/service-accounts/default/token";
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    private void readObject(ObjectInputStream objectInputStream) {
        objectInputStream.defaultReadObject();
        this.transportFactory = (HttpTransportFactory) OAuth2Credentials.newInstance(this.transportFactoryClassName);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean runningOnComputeEngine(HttpTransportFactory httpTransportFactory, DefaultCredentialsProvider defaultCredentialsProvider) {
        if (Boolean.parseBoolean(defaultCredentialsProvider.getEnv("NO_GCE_CHECK"))) {
            return false;
        }
        GenericUrl genericUrl = new GenericUrl(getMetadataServerUrl(defaultCredentialsProvider));
        for (int i10 = 1; i10 <= 3; i10++) {
            try {
                HttpRequest buildGetRequest = httpTransportFactory.create().createRequestFactory().buildGetRequest(genericUrl);
                buildGetRequest.setConnectTimeout(500);
                buildGetRequest.getHeaders().set(METADATA_FLAVOR, GOOGLE);
                HttpResponse execute = buildGetRequest.execute();
                try {
                    return OAuth2Utils.headersContainValue(execute.getHeaders(), METADATA_FLAVOR, GOOGLE);
                } finally {
                    execute.disconnect();
                }
            } catch (SocketTimeoutException unused) {
            } catch (IOException e10) {
                LOGGER.log(Level.FINE, "Encountered an unexpected exception when determining if we are running on Google Compute Engine.", (Throwable) e10);
            }
        }
        LOGGER.log(Level.INFO, "Failed to detect whether we are running on Google Compute Engine.");
        return false;
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public boolean equals(Object obj) {
        if (obj instanceof ComputeEngineCredentials) {
            return Objects.equals(this.transportFactoryClassName, ((ComputeEngineCredentials) obj).transportFactoryClassName);
        }
        return false;
    }

    @Override // com.google.auth.ServiceAccountSigner
    public String getAccount() {
        if (this.serviceAccountEmail == null) {
            try {
                this.serviceAccountEmail = getDefaultServiceAccount();
            } catch (IOException e10) {
                throw new RuntimeException("Failed to to get service account", e10);
            }
        }
        return this.serviceAccountEmail;
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public int hashCode() {
        return Objects.hash(this.transportFactoryClassName);
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() {
        HttpResponse metadataResponse = getMetadataResponse(getTokenServerEncodedUrl());
        int statusCode = metadataResponse.getStatusCode();
        if (statusCode == 404) {
            throw new IOException(String.format("Error code %s trying to get security access token from Compute Engine metadata for the default service account. This may be because the virtual machine instance does not have permission scopes specified. It is possible to skip checking for Compute Engine metadata by specifying the environment  variable NO_GCE_CHECK=true.", Integer.valueOf(statusCode)));
        }
        if (statusCode != 200) {
            throw new IOException(String.format("Unexpected Error code %s trying to get security access token from Compute Engine metadata for the default service account: %s", Integer.valueOf(statusCode), metadataResponse.parseAsString()));
        }
        if (metadataResponse.getContent() == null) {
            throw new IOException("Empty content from metadata token server request.");
        }
        return new AccessToken(OAuth2Utils.validateString((GenericData) metadataResponse.parseAs(GenericData.class), "access_token", PARSE_ERROR_PREFIX), new Date(this.clock.currentTimeMillis() + (OAuth2Utils.validateInt32(r0, "expires_in", PARSE_ERROR_PREFIX) * 1000)));
    }

    @Override // com.google.auth.ServiceAccountSigner
    public byte[] sign(byte[] bArr) {
        a b10 = a.b();
        try {
            return b10.d(getSignature(b10.g(bArr)));
        } catch (IOException e10) {
            throw new ServiceAccountSigner.SigningException("Failed to sign the provided bytes", e10);
        }
    }

    @Override // com.google.auth.oauth2.GoogleCredentials, com.google.auth.oauth2.OAuth2Credentials
    public Builder toBuilder() {
        return new Builder(this);
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public String toString() {
        return l.c(this).d("transportFactoryClassName", this.transportFactoryClassName).toString();
    }
}
