package com.google.auth.oauth2;

import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.v;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.http.protocol.HTTP;

/* loaded from: classes3.dex */
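/**
 * External-account credentials backed by AWS security credentials.
 *
 * <p>The flow visible in this class: AWS security credentials and the AWS region are read from
 * environment variables or, failing that, from the metadata endpoints named by the credential
 * source. A request against {@code regionalCredentialVerificationUrl} is then built, serialized
 * into a subject token, and exchanged for an access token.
 *
 * <p>Identifiers such as {@code a}, {@code i}, {@code j} are obfuscated names left by the
 * decompiler. They are kept as-is so other obfuscated classes that reference them still link.
 *
 * <p>NOTE(review): {@code regionUrl}, {@code url} and {@code imdsv2SessionTokenUrl} are requested
 * exactly as configured. No scheme or host check is visible in this class; confirm that the
 * credential source validates them before trusting a configuration file from an outside party.
 */
public class AwsCredentials extends ExternalAccountCredentials {
    // Names of the environment variables consulted before the metadata endpoints are used.
    static final String AWS_ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
    static final String AWS_DEFAULT_REGION = "AWS_DEFAULT_REGION";
    // Header that carries the IMDSv2 session token on metadata requests.
    static final String AWS_IMDSV2_SESSION_TOKEN_HEADER = "x-aws-ec2-metadata-token";
    // Requested lifetime of the IMDSv2 session token, in seconds (see the header name below).
    static final String AWS_IMDSV2_SESSION_TOKEN_TTL = "300";
    static final String AWS_IMDSV2_SESSION_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
    static final String AWS_REGION = "AWS_REGION";
    static final String AWS_SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
    static final String AWS_SESSION_TOKEN = "AWS_SESSION_TOKEN";
    private static final long serialVersionUID = -3670131891574618105L;
    private final AwsCredentialSource awsCredentialSource;

    /** Builder for {@link AwsCredentials}; obtained through {@link #newBuilder()}. */
    public static class a extends ExternalAccountCredentials.b {
        a() {
        }

        a(AwsCredentials awsCredentials) {
            super(awsCredentials);
        }

        /** Creates an {@link AwsCredentials} instance from this builder's state. */
        @Override // com.google.auth.oauth2.ExternalAccountCredentials.b
        public AwsCredentials h() {
            return new AwsCredentials(this);
        }
    }

    /**
     * Creates the credentials from a builder.
     *
     * @param aVar builder whose credential source field ({@code f35036i}) must hold an
     *     {@link AwsCredentialSource}; any other type fails the cast below
     */
    AwsCredentials(a aVar) {
        super(aVar);
        this.awsCredentialSource = (AwsCredentialSource) aVar.f35036i;
    }

    /**
     * Serializes a prepared request into the URL-encoded JSON subject token.
     *
     * <p>The JSON object carries the request's headers as key/value pairs, its {@code Authorization}
     * value, the target audience, the HTTP method and the regional verification URL. Because the
     * {@code Authorization} value is embedded, the returned string should be handled as a secret
     * and kept out of logs and error messages.
     *
     * @param cVar the prepared request (presumably the signed AWS request; confirm against {@code c})
     * @return the URL-encoded JSON document
     * @throws UnsupportedEncodingException if UTF-8 is not supported by the runtime
     */
    private String i(c cVar) throws UnsupportedEncodingException {
        Map<String, String> requestHeaders = cVar.b();
        ArrayList<ze.b> headerList = new ArrayList<>();
        for (Map.Entry<String, String> header : requestHeaders.entrySet()) {
            headerList.add(l(header.getKey(), header.getValue()));
        }
        headerList.add(l("Authorization", cVar.a()));
        headerList.add(l("x-goog-cloud-target-resource", getAudience()));
        ze.b token = new ze.b();
        token.setFactory(p.f35182f);
        token.put("headers", (Object) headerList);
        token.put("method", (Object) cVar.c());
        token.put("url", (Object) this.awsCredentialSource.regionalCredentialVerificationUrl.replace("{region}", cVar.d()));
        return URLEncoder.encode(token.toString(), HTTP.UTF_8);
    }

    /**
     * Reports whether the region can be taken from the environment.
     *
     * @return {@code true} when {@code AWS_REGION} or {@code AWS_DEFAULT_REGION} is set to a
     *     non-blank value
     */
    private boolean j() {
        for (String name : ImmutableList.of(AWS_REGION, AWS_DEFAULT_REGION)) {
            String env = getEnvironmentProvider().getEnv(name);
            if (env != null && env.trim().length() > 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether the security credentials can be taken from the environment.
     *
     * <p>Only the access key id and the secret access key are required; {@code AWS_SESSION_TOKEN}
     * is not checked here and may therefore be absent.
     *
     * @return {@code true} when both {@code AWS_ACCESS_KEY_ID} and {@code AWS_SECRET_ACCESS_KEY}
     *     are set to non-blank values
     */
    private boolean k() {
        for (String name : ImmutableList.of(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)) {
            String env = getEnvironmentProvider().getEnv(name);
            if (env == null || env.trim().length() == 0) {
                return false;
            }
        }
        return true;
    }

    /** Builds the {@code {"key": ..., "value": ...}} object used for one header in the token. */
    private static ze.b l(String str, String str2) {
        ze.b bVar = new ze.b();
        bVar.setFactory(p.f35182f);
        bVar.put("key", (Object) str);
        bVar.put("value", (Object) str2);
        return bVar;
    }

    /**
     * Sends a request to {@code str} and returns the response body as a string.
     *
     * @param str URL to request
     * @param str2 human-readable name of the resource, used only in the error message
     * @param str3 HTTP method
     * @param map headers to set on the request
     * @param kVar request content, or {@code null} for none
     * @return the response body
     * @throws IOException if the request fails; the original exception is kept as the cause
     */
    private String m(String str, String str2, String str3, Map<String, Object> map, com.google.api.client.http.k kVar) throws IOException {
        try {
            com.google.api.client.http.r request = this.transportFactory.a().c().d(str3, new com.google.api.client.http.g(str), kVar);
            com.google.api.client.http.o requestHeaders = request.f();
            for (Map.Entry<String, Object> entry : map.entrySet()) {
                requestHeaders.set(entry.getKey(), entry.getValue());
            }
            return request.b().n();
        } catch (IOException e10) {
            // Only the resource name goes into the message; header values (which may include the
            // IMDSv2 session token) are not echoed.
            throw new IOException(String.format("Failed to retrieve AWS %s.", str2), e10);
        }
    }

    /** Shorthand for a {@code GET} through {@link #m} without request content. */
    private String n(String str, String str2, Map<String, Object> map) throws IOException {
        return m(str, str2, "GET", map, null);
    }

    /** Returns a new, empty builder. */
    public static a newBuilder() {
        return new a();
    }

    /** Returns a builder initialised from existing credentials. */
    public static a newBuilder(AwsCredentials awsCredentials) {
        return new a(awsCredentials);
    }

    /**
     * Builds the headers to attach to metadata requests.
     *
     * <p>When the credential source names an IMDSv2 session-token URL, a token is requested from it
     * with {@code PUT} and the TTL header, and is returned under
     * {@link #AWS_IMDSV2_SESSION_TOKEN_HEADER}. Without that URL the map is empty, so the later
     * metadata requests are sent without a session token.
     *
     * @param awsCredentialSource credential source to read the session-token URL from
     * @return a mutable map holding either the session-token header or nothing
     * @throws IOException if the session token cannot be retrieved
     */
    Map<String, Object> createMetadataRequestHeaders(AwsCredentialSource awsCredentialSource) throws IOException {
        Map<String, Object> headers = new HashMap<>();
        if (awsCredentialSource.imdsv2SessionTokenUrl != null) {
            // A plain map replaces the anonymous HashMap subclass, which captured the enclosing
            // credentials instance for no benefit.
            Map<String, Object> ttlHeader = new HashMap<>();
            ttlHeader.put(AWS_IMDSV2_SESSION_TOKEN_TTL_HEADER, AWS_IMDSV2_SESSION_TOKEN_TTL);
            headers.put(AWS_IMDSV2_SESSION_TOKEN_HEADER, m(awsCredentialSource.imdsv2SessionTokenUrl, "Session Token", "PUT", ttlHeader, null));
        }
        return headers;
    }

    /** Returns a copy of these credentials built with the given scopes. */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection) {
        return new AwsCredentials((a) newBuilder(this).o(collection));
    }

    /**
     * Determines the AWS region.
     *
     * <p>{@code AWS_REGION} wins when it is non-blank, then {@code AWS_DEFAULT_REGION}. If neither
     * is usable, the credential source's region URL is queried.
     *
     * @param map headers for the metadata request (see {@link #createMetadataRequestHeaders})
     * @return the region
     * @throws IOException if no region URL is configured, the request fails, or the response is
     *     empty
     */
    String getAwsRegion(Map<String, Object> map) throws IOException {
        if (j()) {
            String env = getEnvironmentProvider().getEnv(AWS_REGION);
            if (env != null && env.trim().length() > 0) {
                return env;
            }
            return getEnvironmentProvider().getEnv(AWS_DEFAULT_REGION);
        }
        String regionUrl = this.awsCredentialSource.regionUrl;
        if (regionUrl == null || regionUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The credential source does not contain the region URL.");
        }
        String response = n(regionUrl, "region", map);
        // An empty body would otherwise surface as an unchecked StringIndexOutOfBoundsException.
        if (response == null || response.isEmpty()) {
            throw new IOException("Unable to determine the AWS region. The region URL returned an empty response.");
        }
        // The last character is dropped; presumably the endpoint returns an availability zone
        // such as "us-east-1b" (TODO confirm). The result is not checked against a region format
        // before it is substituted into the verification URL.
        return response.substring(0, response.length() - 1);
    }

    /**
     * Obtains the AWS security credentials.
     *
     * <p>Environment variables are preferred. Otherwise the credential source URL is queried twice:
     * once for the IAM role name and once, with that name appended, for the credentials document.
     *
     * @param map headers for the metadata requests (see {@link #createMetadataRequestHeaders})
     * @return the access key id, secret access key and session token (the token may be
     *     {@code null} when read from the environment)
     * @throws IOException if no URL is configured or a request fails
     */
    e getAwsSecurityCredentials(Map<String, Object> map) throws IOException {
        if (k()) {
            return new e(getEnvironmentProvider().getEnv(AWS_ACCESS_KEY_ID), getEnvironmentProvider().getEnv(AWS_SECRET_ACCESS_KEY), getEnvironmentProvider().getEnv(AWS_SESSION_TOKEN));
        }
        String credentialsUrl = this.awsCredentialSource.url;
        if (credentialsUrl == null || credentialsUrl.isEmpty()) {
            throw new IOException("Unable to determine the AWS IAM role name. The credential source does not contain the url field.");
        }
        // The role name returned by the endpoint is appended to the URL as-is, without encoding.
        String roleName = n(credentialsUrl, "IAM role", map);
        String credentialsJson = n(credentialsUrl + "/" + roleName, "credentials", map);
        ze.b parsed = (ze.b) p.f35182f.e(credentialsJson).B(ze.b.class);
        // Missing fields come back as null here; no presence check is made before they are used.
        return new e((String) parsed.get("AccessKeyId"), (String) parsed.get("SecretAccessKey"), (String) parsed.get("Token"));
    }

    /** Identifies this credential source as {@code "aws"}. */
    @Override // com.google.auth.oauth2.ExternalAccountCredentials
    String getCredentialSourceType() {
        return "aws";
    }

    /**
     * Reads a variable straight from the process environment.
     *
     * <p>The other lookups in this class go through {@code getEnvironmentProvider()} instead.
     */
    String getEnv(String str) {
        return System.getenv(str);
    }

    /**
     * Retrieves a fresh subject token and exchanges it for an access token.
     *
     * @return the access token returned by the exchange
     * @throws IOException if the subject token cannot be built or the exchange fails
     */
    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() throws IOException {
        v.b exchangeRequest = v.n(retrieveSubjectToken(), getSubjectTokenType()).b(getAudience());
        Collection<String> scopes = getScopes();
        if (scopes != null && !scopes.isEmpty()) {
            exchangeRequest.c(new ArrayList<String>(scopes));
        }
        return exchangeExternalCredentialForAccessToken(exchangeRequest.a());
    }

    /**
     * Builds the subject token from the current AWS region and security credentials.
     *
     * <p>Metadata request headers are only prepared when {@link #shouldUseMetadataServer()} says
     * the environment does not supply everything. The result embeds an {@code Authorization}
     * value and should be treated as a secret.
     *
     * @return the URL-encoded subject token
     * @throws IOException if the region or credentials cannot be obtained
     */
    @Override // com.google.auth.oauth2.ExternalAccountCredentials
    public String retrieveSubjectToken() throws IOException {
        Map<String, Object> metadataHeaders = new HashMap<>();
        if (shouldUseMetadataServer()) {
            metadataHeaders = createMetadataRequestHeaders(this.awsCredentialSource);
        }
        String awsRegion = getAwsRegion(metadataHeaders);
        e awsSecurityCredentials = getAwsSecurityCredentials(metadataHeaders);
        HashMap<String, String> additionalHeaders = new HashMap<>();
        additionalHeaders.put("x-goog-cloud-target-resource", getAudience());
        String verificationUrl = this.awsCredentialSource.regionalCredentialVerificationUrl.replace("{region}", awsRegion);
        return i(d.g(awsSecurityCredentials, "POST", verificationUrl, awsRegion).b(additionalHeaders).a().h());
    }

    /**
     * Reports whether a metadata endpoint will be needed.
     *
     * @return {@code false} only when both the region and the security credentials are available
     *     from the environment
     */
    boolean shouldUseMetadataServer() {
        return !(j() && k());
    }
}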
