package com.google.auth.oauth2;

import com.google.android.gms.measurement.AppMeasurement;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Preconditions;
import com.google.auth.Credentials;
import com.google.auth.RequestMetadataCallback;
import com.google.auth.ServiceAccountSigner;
import com.google.common.base.MoreObjects;
import com.google.common.base.Throwables;
import com.google.common.base.Ticker;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;

/* loaded from: classes14.dex */
public class ServiceAccountJwtAccessCredentials extends Credentials implements ServiceAccountSigner {
    static final String JWT_ACCESS_PREFIX = "Bearer ";
    static final long LIFE_SPAN_SECS = TimeUnit.HOURS.toSeconds(1);
    private static final long serialVersionUID = -7274955171379494197L;
    private final String clientEmail;
    private final String clientId;
    transient Clock clock;
    private final URI defaultAudience;
    private final PrivateKey privateKey;
    private final String privateKeyId;
    private transient LoadingCache<URI, String> tokenCache;

    /* loaded from: classes14.dex */
    public static class Builder {
        private String clientEmail;
        private String clientId;
        private URI defaultAudience;
        private PrivateKey privateKey;
        private String privateKeyId;

        protected Builder() {
        }

        protected Builder(ServiceAccountJwtAccessCredentials serviceAccountJwtAccessCredentials) {
            this.clientId = serviceAccountJwtAccessCredentials.clientId;
            this.clientEmail = serviceAccountJwtAccessCredentials.clientEmail;
            this.privateKey = serviceAccountJwtAccessCredentials.privateKey;
            this.privateKeyId = serviceAccountJwtAccessCredentials.privateKeyId;
            this.defaultAudience = serviceAccountJwtAccessCredentials.defaultAudience;
        }

        public ServiceAccountJwtAccessCredentials build() {
            return new ServiceAccountJwtAccessCredentials(this.clientId, this.clientEmail, this.privateKey, this.privateKeyId, this.defaultAudience);
        }

        public String getClientEmail() {
            return this.clientEmail;
        }

        public String getClientId() {
            return this.clientId;
        }

        public URI getDefaultAudience() {
            return this.defaultAudience;
        }

        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }

        public String getPrivateKeyId() {
            return this.privateKeyId;
        }

        public Builder setClientEmail(String str) {
            this.clientEmail = str;
            return this;
        }

        public Builder setClientId(String str) {
            this.clientId = str;
            return this;
        }

        public Builder setDefaultAudience(URI uri) {
            this.defaultAudience = uri;
            return this;
        }

        public Builder setPrivateKey(PrivateKey privateKey) {
            this.privateKey = privateKey;
            return this;
        }

        public Builder setPrivateKeyId(String str) {
            this.privateKeyId = str;
            return this;
        }
    }

    @Deprecated
    public ServiceAccountJwtAccessCredentials(String str, String str2, PrivateKey privateKey, String str3) {
        this(str, str2, privateKey, str3, null);
    }

    @Deprecated
    public ServiceAccountJwtAccessCredentials(String str, String str2, PrivateKey privateKey, String str3, URI uri) {
        this.clock = Clock.SYSTEM;
        this.clientId = str;
        this.clientEmail = (String) Preconditions.checkNotNull(str2);
        this.privateKey = (PrivateKey) Preconditions.checkNotNull(privateKey);
        this.privateKeyId = str3;
        this.defaultAudience = uri;
        this.tokenCache = createCache();
    }

    private LoadingCache<URI, String> createCache() {
        return CacheBuilder.newBuilder().maximumSize(100L).expireAfterWrite(LIFE_SPAN_SECS - 300, TimeUnit.SECONDS).ticker(new Ticker() { // from class: com.google.auth.oauth2.ServiceAccountJwtAccessCredentials.2
            @Override // com.google.common.base.Ticker
            public long read() {
                return TimeUnit.MILLISECONDS.toNanos(ServiceAccountJwtAccessCredentials.this.clock.currentTimeMillis());
            }
        }).build(new CacheLoader<URI, String>() { // from class: com.google.auth.oauth2.ServiceAccountJwtAccessCredentials.1
            @Override // com.google.common.cache.CacheLoader
            public String load(URI uri) throws Exception {
                return ServiceAccountJwtAccessCredentials.this.generateJwtAccess(uri);
            }
        });
    }

    static ServiceAccountJwtAccessCredentials fromJson(Map<String, Object> map) throws IOException {
        return fromJson(map, null);
    }

    static ServiceAccountJwtAccessCredentials fromJson(Map<String, Object> map, URI uri) throws IOException {
        String str = (String) map.get("client_id");
        String str2 = (String) map.get("client_email");
        String str3 = (String) map.get("private_key");
        String str4 = (String) map.get("private_key_id");
        if (str == null || str2 == null || str3 == null || str4 == null) {
            throw new IOException("Error reading service account credential from JSON, expecting  'client_id', 'client_email', 'private_key' and 'private_key_id'.");
        }
        return fromPkcs8(str, str2, str3, str4, uri);
    }

    public static ServiceAccountJwtAccessCredentials fromPkcs8(String str, String str2, String str3, String str4) throws IOException {
        return fromPkcs8(str, str2, str3, str4, null);
    }

    public static ServiceAccountJwtAccessCredentials fromPkcs8(String str, String str2, String str3, String str4, URI uri) throws IOException {
        return new ServiceAccountJwtAccessCredentials(str, str2, ServiceAccountCredentials.privateKeyFromPkcs8(str3), str4, uri);
    }

    public static ServiceAccountJwtAccessCredentials fromStream(InputStream inputStream) throws IOException {
        return fromStream(inputStream, null);
    }

    public static ServiceAccountJwtAccessCredentials fromStream(InputStream inputStream, URI uri) throws IOException {
        Preconditions.checkNotNull(inputStream);
        GenericJson genericJson = (GenericJson) new JsonObjectParser(OAuth2Utils.JSON_FACTORY).parseAndClose(inputStream, OAuth2Utils.UTF_8, GenericJson.class);
        String str = (String) genericJson.get(AppMeasurement.Param.TYPE);
        if (str == null) {
            throw new IOException("Error reading credentials from stream, 'type' field not specified.");
        }
        if ("service_account".equals(str)) {
            return fromJson(genericJson, uri);
        }
        throw new IOException(String.format("Error reading credentials from stream, 'type' value '%s' not recognized. Expecting '%s'.", str, "service_account"));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String generateJwtAccess(URI uri) throws IOException {
        JsonWebSignature.Header header = new JsonWebSignature.Header();
        header.setAlgorithm("RS256");
        header.setType("JWT");
        header.setKeyId(this.privateKeyId);
        JsonWebToken.Payload payload = new JsonWebToken.Payload();
        long currentTimeMillis = this.clock.currentTimeMillis();
        payload.setIssuer(this.clientEmail);
        payload.setSubject(this.clientEmail);
        payload.setAudience(uri.toString());
        payload.setIssuedAtTimeSeconds(Long.valueOf(currentTimeMillis / 1000));
        payload.setExpirationTimeSeconds(Long.valueOf((currentTimeMillis / 1000) + LIFE_SPAN_SECS));
        try {
            return JsonWebSignature.signUsingRsaSha256(this.privateKey, OAuth2Utils.JSON_FACTORY, header, payload);
        } catch (GeneralSecurityException e) {
            throw new IOException("Error signing service account JWT access header with private key.", e);
        }
    }

    private String getJwtAccess(URI uri) throws IOException {
        try {
            return this.tokenCache.get(uri);
        } catch (UncheckedExecutionException e) {
            Throwables.propagateIfPossible(e);
            throw new IllegalStateException("generateJwtAccess threw an unchecked exception that couldn't be rethrown", e);
        } catch (ExecutionException e2) {
            Throwables.propagateIfPossible(e2.getCause(), IOException.class);
            throw new IllegalStateException("generateJwtAccess threw an unexpected checked exception", e2.getCause());
        }
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        objectInputStream.defaultReadObject();
        this.clock = Clock.SYSTEM;
        this.tokenCache = createCache();
    }

    public boolean equals(Object obj) {
        if (!(obj instanceof ServiceAccountJwtAccessCredentials)) {
            return false;
        }
        ServiceAccountJwtAccessCredentials serviceAccountJwtAccessCredentials = (ServiceAccountJwtAccessCredentials) obj;
        return Objects.equals(this.clientId, serviceAccountJwtAccessCredentials.clientId) && Objects.equals(this.clientEmail, serviceAccountJwtAccessCredentials.clientEmail) && Objects.equals(this.privateKey, serviceAccountJwtAccessCredentials.privateKey) && Objects.equals(this.privateKeyId, serviceAccountJwtAccessCredentials.privateKeyId) && Objects.equals(this.defaultAudience, serviceAccountJwtAccessCredentials.defaultAudience);
    }

    @Override // com.google.auth.ServiceAccountSigner
    public String getAccount() {
        return getClientEmail();
    }

    @Override // com.google.auth.Credentials
    public String getAuthenticationType() {
        return "JWTAccess";
    }

    public final String getClientEmail() {
        return this.clientEmail;
    }

    public final String getClientId() {
        return this.clientId;
    }

    public final PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    public final String getPrivateKeyId() {
        return this.privateKeyId;
    }

    @Override // com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
        if (uri == null) {
            if (this.defaultAudience == null) {
                throw new IOException("JwtAccess requires Audience uri to be passed in or the defaultAudience to be specified");
            }
            uri = this.defaultAudience;
        }
        return Collections.singletonMap("Authorization", Collections.singletonList(JWT_ACCESS_PREFIX + getJwtAccess(uri)));
    }

    @Override // com.google.auth.Credentials
    public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback requestMetadataCallback) {
        blockingGetToCallback(uri, requestMetadataCallback);
    }

    @Override // com.google.auth.Credentials
    public boolean hasRequestMetadata() {
        return true;
    }

    @Override // com.google.auth.Credentials
    public boolean hasRequestMetadataOnly() {
        return true;
    }

    public int hashCode() {
        return Objects.hash(this.clientId, this.clientEmail, this.privateKey, this.privateKeyId, this.defaultAudience);
    }

    @Override // com.google.auth.Credentials
    public void refresh() {
        this.tokenCache.invalidateAll();
    }

    @Override // com.google.auth.ServiceAccountSigner
    public byte[] sign(byte[] bArr) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(getPrivateKey());
            signature.update(bArr);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new ServiceAccountSigner.SigningException("Failed to sign the provided bytes", e);
        }
    }

    public Builder toBuilder() {
        return new Builder(this);
    }

    public String toString() {
        return MoreObjects.toStringHelper(this).add("clientId", this.clientId).add("clientEmail", this.clientEmail).add("privateKeyId", this.privateKeyId).add("defaultAudience", this.defaultAudience).toString();
    }
}
