package com.google.api.server.spi.auth;

import com.google.api.server.spi.auth.common.User;
import com.google.appengine.repackaged.com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.appengine.repackaged.com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.appengine.repackaged.com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/google/api/server/spi/auth/GoogleIdTokenUtils.class */
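/**
 * Turns a Google ID token string into an authenticated {@link User}.
 *
 * <p>The sequence visible in this class is: verify the token with a
 * {@link GoogleIdTokenVerifier}, check the token's authorized party against the allowed client
 * ids, check its audience against the allowed audiences, and only then build a {@code User}
 * from the email claim. Every failure path returns {@code null} instead of throwing.
 *
 * <p>The default verifier is built without an audience configured on its builder, so the
 * audience restriction comes from {@code isAudienceAllowed} in this class.
 */
public class GoogleIdTokenUtils {
    private static final Logger logger = Logger.getLogger(GoogleIdTokenUtils.class.getName());
    private static final GoogleIdTokenUtils DEFAULT = new GoogleIdTokenUtils();
    private final GoogleIdTokenVerifier verifier;

    /** Builds the shared instance around a verifier using the transport and JSON factory from {@code AuthUtils}. */
    private GoogleIdTokenUtils() {
        this(new GoogleIdTokenVerifier.Builder(AuthUtils.getHttpTransport(), AuthUtils.getJsonFactory()).build());
    }

    /** Wraps the supplied verifier; used by the test factory below. */
    private GoogleIdTokenUtils(GoogleIdTokenVerifier googleIdTokenVerifier) {
        this.verifier = googleIdTokenVerifier;
    }

    /**
     * Returns the shared instance backed by the default verifier.
     *
     * <p>Decompiler note: this member was package-private in the original class.
     */
    public static GoogleIdTokenUtils getInstance() {
        return DEFAULT;
    }

    /**
     * Returns a new instance that verifies tokens with the given verifier.
     *
     * <p>Decompiler note: this member was package-private in the original class. Because the
     * verifier decides which tokens are accepted, production code should not call this factory.
     *
     * @param googleIdTokenVerifier verifier to delegate to
     */
    @VisibleForTesting
    public static GoogleIdTokenUtils getInstance(GoogleIdTokenVerifier googleIdTokenVerifier) {
        return new GoogleIdTokenUtils(googleIdTokenVerifier);
    }

    /**
     * Returns the token's audience claim when it is a single string.
     *
     * <p>Decompiler note: this member was package-private in the original class.
     *
     * @param googleIdToken parsed token
     * @return the audience, or {@code null} when the claim is absent or is not a string
     */
    @VisibleForTesting
    public static String extractAudience(GoogleIdToken googleIdToken) {
        // The payload hands the audience back untyped, and a JWT "aud" claim may be a list as well
        // as a string. A blind cast would throw ClassCastException out of the auth path for the
        // list form; reporting it as "no audience" makes the caller reject the token instead.
        Object audience = googleIdToken.getPayload().getAudience();
        return audience instanceof String ? (String) audience : null;
    }

    /**
     * Returns the token's authorized-party claim, which this class treats as the client id.
     *
     * @param googleIdToken parsed token
     */
    @VisibleForTesting
    static String extractClientId(GoogleIdToken googleIdToken) {
        return googleIdToken.getPayload().getAuthorizedParty();
    }

    /**
     * Returns the token's email claim.
     *
     * <p>Decompiler note: this member was package-private in the original class.
     *
     * @param googleIdToken parsed token
     */
    @VisibleForTesting
    public static String extractEmail(GoogleIdToken googleIdToken) {
        return googleIdToken.getPayload().getEmail();
    }

    /**
     * Parses and verifies a raw ID token string with the configured verifier.
     *
     * <p>Decompiler note: this member was package-private in the original class.
     *
     * @param str raw token string, may be {@code null}
     * @return whatever the verifier returns for the token, or {@code null} when {@code str} is
     *     {@code null} or the verifier throws one of the exceptions caught below
     */
    @VisibleForTesting
    public GoogleIdToken verifyToken(String str) {
        if (str == null) {
            return null;
        }
        try {
            return this.verifier.verify(str);
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            // Fail closed: a token that cannot be checked is treated the same as an invalid one.
            // Only the exception message is logged, not the token itself.
            logger.warning("verifyToken: " + e.getMessage());
            return null;
        }
    }

    /**
     * Delegates the client id decision to {@code AuthUtils.isClientIdAllowed}.
     *
     * @param z forwarded unchanged as the first argument of {@code AuthUtils.isClientIdAllowed};
     *     its meaning is defined there
     * @param list allowed client ids
     * @param googleIdToken verified token whose authorized party is checked
     */
    private static boolean isClientIdAllowed(boolean z, List<String> list, GoogleIdToken googleIdToken) {
        return AuthUtils.isClientIdAllowed(z, extractClientId(googleIdToken), list, false);
    }

    /**
     * Decides whether the token's audience is acceptable.
     *
     * <p>An audience is accepted when it appears in {@code list}, or when it equals the token's
     * own authorized party (client id). A missing, blank or non-string audience is rejected.
     *
     * @param list allowed audiences, may be {@code null} or empty
     * @param googleIdToken verified token
     */
    private static boolean isAudienceAllowed(List<String> list, GoogleIdToken googleIdToken) {
        String audience = extractAudience(googleIdToken);
        if (audience == null || AuthUtils.isEmptyOrWhitespace(audience)) {
            // NOTE(review): this writes the whole payload to the log, which would include
            // identity claims such as the email; consider logging less if logs are widely readable.
            logger.warning("Token contained no audience: " + googleIdToken.getPayload());
            return false;
        }
        if (list != null && list.contains(audience)) {
            return true;
        }
        // A token whose audience is its own authorized party is accepted even when the audience
        // is not in the allowed list; the client id itself is vetted separately by
        // isClientIdAllowed before this method is reached in getCurrentUser.
        if (audience.equals(extractClientId(googleIdToken))) {
            return true;
        }
        logger.warning("Audience in token was not allowed: " + audience);
        return false;
    }

    /**
     * Authenticates a caller from a raw ID token.
     *
     * <p>Decompiler note: this member was package-private in the original class.
     *
     * @param z forwarded to the client id check; see {@code isClientIdAllowed}
     * @param str raw ID token string, may be {@code null}
     * @param list allowed client ids
     * @param list2 allowed audiences
     * @return a {@code User} built from the token's email, or {@code null} when the token fails
     *     verification, the client id or audience is not allowed, or the token has no email
     */
    public User getCurrentUser(boolean z, String str, List<String> list, List<String> list2) {
        GoogleIdToken token = verifyToken(str);
        if (token == null) {
            // Reached for a null input and for any token the verifier did not return.
            logger.warning("getCurrentUser: idToken=null");
            return null;
        }
        // Both checks must pass; the audience check runs only after the client id is accepted.
        if (!isClientIdAllowed(z, list, token) || !isAudienceAllowed(list2, token)) {
            return null;
        }
        String email = extractEmail(token);
        // NOTE(review): the email address is written to the log at INFO for every accepted token.
        logger.log(Level.INFO, "getCurrentUser: IdToken; email={0}", email);
        if (email == null) {
            return null;
        }
        // NOTE(review): the email claim becomes the user identity without consulting the
        // payload's getEmailVerified() flag; confirm that callers do not depend on that check.
        return new User(email);
    }
}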
