package com.google.auth.oauth2;

import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.auth.TestUtils;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.IdentityPoolCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.PluggableAuthCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigDecimal;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

@RunWith(JUnit4.class)
/* loaded from: input_file:com/google/auth/oauth2/ExternalAccountCredentialsTest.class */
public class ExternalAccountCredentialsTest {
    private static final String STS_URL = "https://sts.googleapis.com";
    private static final Map<String, Object> FILE_CREDENTIAL_SOURCE_MAP = new HashMap<String, Object>() { // from class: com.google.auth.oauth2.ExternalAccountCredentialsTest.1
        {
            put("file", "file");
        }
    };
    private MockExternalAccountCredentialsTransportFactory transportFactory;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/google/auth/oauth2/ExternalAccountCredentialsTest$MockExternalAccountCredentialsTransportFactory.class */
    public static class MockExternalAccountCredentialsTransportFactory implements HttpTransportFactory {
        MockExternalAccountCredentialsTransport transport = new MockExternalAccountCredentialsTransport();

        public HttpTransport create() {
            return this.transport;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/google/auth/oauth2/ExternalAccountCredentialsTest$TestExternalAccountCredentials.class */
    public static class TestExternalAccountCredentials extends ExternalAccountCredentials {

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:com/google/auth/oauth2/ExternalAccountCredentialsTest$TestExternalAccountCredentials$Builder.class */
        public static class Builder extends ExternalAccountCredentials.Builder {
            Builder() {
            }

            /* renamed from: build, reason: merged with bridge method [inline-methods] and merged with bridge method [inline-methods] and merged with bridge method [inline-methods] */
            public TestExternalAccountCredentials m15build() {
                return new TestExternalAccountCredentials(this);
            }
        }

        /* loaded from: input_file:com/google/auth/oauth2/ExternalAccountCredentialsTest$TestExternalAccountCredentials$TestCredentialSource.class */
        static class TestCredentialSource extends IdentityPoolCredentials.IdentityPoolCredentialSource {
            protected TestCredentialSource(Map<String, Object> map) {
                super(map);
            }
        }

        public static Builder newBuilder() {
            return new Builder();
        }

        protected TestExternalAccountCredentials(ExternalAccountCredentials.Builder builder) {
            super(builder);
        }

        public AccessToken refreshAccessToken() {
            return new AccessToken("accessToken", new Date());
        }

        public String retrieveSubjectToken() {
            return "subjectToken";
        }
    }

    @Before
    public void setup() {
        this.transportFactory = new MockExternalAccountCredentialsTransportFactory();
    }

    @Test
    public void fromStream_identityPoolCredentials() throws IOException {
        Assert.assertTrue(ExternalAccountCredentials.fromStream(TestUtils.jsonToInputStream(buildJsonIdentityPoolCredential())) instanceof IdentityPoolCredentials);
    }

    @Test
    public void fromStream_awsCredentials() throws IOException {
        Assert.assertTrue(ExternalAccountCredentials.fromStream(TestUtils.jsonToInputStream(buildJsonAwsCredential())) instanceof AwsCredentials);
    }

    @Test
    public void fromStream_pluggableAuthCredentials() throws IOException {
        Assert.assertTrue(ExternalAccountCredentials.fromStream(TestUtils.jsonToInputStream(buildJsonPluggableAuthCredential())) instanceof PluggableAuthCredentials);
    }

    @Test
    public void fromStream_invalidStream_throws() throws IOException {
        GenericJson buildJsonAwsCredential = buildJsonAwsCredential();
        buildJsonAwsCredential.put("audience", new HashMap());
        try {
            ExternalAccountCredentials.fromStream(TestUtils.jsonToInputStream(buildJsonAwsCredential));
            Assert.fail("Should fail.");
        } catch (CredentialFormatException e) {
            Assert.assertEquals("An invalid input stream was provided.", e.getMessage());
        }
    }

    @Test
    public void fromStream_nullTransport_throws() throws IOException {
        try {
            ExternalAccountCredentials.fromStream(new ByteArrayInputStream("foo".getBytes()), (HttpTransportFactory) null);
            Assert.fail("NullPointerException should be thrown.");
        } catch (NullPointerException e) {
        }
    }

    @Test
    public void fromStream_nullStream_throws() throws IOException {
        try {
            ExternalAccountCredentials.fromStream((InputStream) null, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
            Assert.fail("NullPointerException should be thrown.");
        } catch (NullPointerException e) {
        }
    }

    @Test
    public void fromStream_invalidWorkloadAudience_throws() throws IOException {
        try {
            GenericJson buildJsonIdentityPoolWorkforceCredential = buildJsonIdentityPoolWorkforceCredential();
            buildJsonIdentityPoolWorkforceCredential.put("audience", "invalidAudience");
            ExternalAccountCredentials.fromStream(TestUtils.jsonToInputStream(buildJsonIdentityPoolWorkforceCredential));
            Assert.fail("CredentialFormatException should be thrown.");
        } catch (CredentialFormatException e) {
            Assert.assertEquals("An invalid input stream was provided.", e.getMessage());
        }
    }

    @Test
    public void fromJson_identityPoolCredentialsWorkload() {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof IdentityPoolCredentials);
        Assert.assertEquals("//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
    }

    @Test
    public void fromJson_identityPoolCredentialsWorkforce() {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonIdentityPoolWorkforceCredential(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof IdentityPoolCredentials);
        Assert.assertEquals("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertEquals("userProject", fromJson.getWorkforcePoolUserProject());
        Assert.assertNotNull(fromJson.getCredentialSource());
    }

    @Test
    public void fromJson_identityPoolCredentialsWithServiceAccountImpersonationOptions() {
        GenericJson buildJsonIdentityPoolCredential = buildJsonIdentityPoolCredential();
        buildJsonIdentityPoolCredential.set("service_account_impersonation", buildServiceAccountImpersonationOptions(2800));
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof IdentityPoolCredentials);
        Assert.assertEquals("//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
        Assert.assertEquals(2800L, fromJson.getServiceAccountImpersonationOptions().getLifetime());
    }

    @Test
    public void fromJson_awsCredentials() throws IOException {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonAwsCredential(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof AwsCredentials);
        Assert.assertEquals("audience", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
    }

    @Test
    public void fromJson_awsCredentialsWithServiceAccountImpersonationOptions() throws IOException {
        GenericJson buildJsonAwsCredential = buildJsonAwsCredential();
        buildJsonAwsCredential.set("service_account_impersonation", buildServiceAccountImpersonationOptions(2800));
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonAwsCredential, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof AwsCredentials);
        Assert.assertEquals("audience", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
        Assert.assertEquals(2800L, fromJson.getServiceAccountImpersonationOptions().getLifetime());
    }

    @Test
    public void fromJson_pluggableAuthCredentials() {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonPluggableAuthCredential(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof PluggableAuthCredentials);
        Assert.assertEquals("audience", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
        PluggableAuthCredentials.PluggableAuthCredentialSource credentialSource = fromJson.getCredentialSource();
        Assert.assertEquals("command", credentialSource.getCommand());
        Assert.assertEquals(30000L, credentialSource.getTimeoutMs());
        Assert.assertNull(credentialSource.getOutputFilePath());
    }

    @Test
    public void fromJson_pluggableAuthCredentialsWorkforce() {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonPluggableAuthWorkforceCredential(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof PluggableAuthCredentials);
        Assert.assertEquals("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertEquals("userProject", fromJson.getWorkforcePoolUserProject());
        Assert.assertNotNull(fromJson.getCredentialSource());
        PluggableAuthCredentials.PluggableAuthCredentialSource credentialSource = fromJson.getCredentialSource();
        Assert.assertEquals("command", credentialSource.getCommand());
        Assert.assertEquals(30000L, credentialSource.getTimeoutMs());
        Assert.assertNull(credentialSource.getOutputFilePath());
    }

    @Test
    public void fromJson_pluggableAuthCredentials_allExecutableOptionsSet() {
        GenericJson buildJsonPluggableAuthCredential = buildJsonPluggableAuthCredential();
        Map map = (Map) ((Map) buildJsonPluggableAuthCredential.get("credential_source")).get("executable");
        map.put("timeout_millis", 5000);
        map.put("output_file", "path/to/output/file");
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonPluggableAuthCredential, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof PluggableAuthCredentials);
        Assert.assertEquals("audience", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
        PluggableAuthCredentials.PluggableAuthCredentialSource credentialSource = fromJson.getCredentialSource();
        Assert.assertEquals("command", credentialSource.getCommand());
        Assert.assertEquals("path/to/output/file", credentialSource.getOutputFilePath());
        Assert.assertEquals(5000L, credentialSource.getTimeoutMs());
    }

    @Test
    public void fromJson_pluggableAuthCredentialsWithServiceAccountImpersonationOptions() {
        GenericJson buildJsonPluggableAuthCredential = buildJsonPluggableAuthCredential();
        buildJsonPluggableAuthCredential.set("service_account_impersonation", buildServiceAccountImpersonationOptions(2800));
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonPluggableAuthCredential, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
        Assert.assertTrue(fromJson instanceof PluggableAuthCredentials);
        Assert.assertEquals("audience", fromJson.getAudience());
        Assert.assertEquals("subjectTokenType", fromJson.getSubjectTokenType());
        Assert.assertEquals(STS_URL, fromJson.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", fromJson.getTokenInfoUrl());
        Assert.assertNotNull(fromJson.getCredentialSource());
        Assert.assertEquals(2800L, fromJson.getServiceAccountImpersonationOptions().getLifetime());
        PluggableAuthCredentials.PluggableAuthCredentialSource credentialSource = fromJson.getCredentialSource();
        Assert.assertEquals("command", credentialSource.getCommand());
        Assert.assertEquals(30000L, credentialSource.getTimeoutMs());
        Assert.assertNull(credentialSource.getOutputFilePath());
    }

    @Test
    public void fromJson_nullJson_throws() {
        try {
            ExternalAccountCredentials.fromJson((Map) null, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
            Assert.fail("Exception should be thrown.");
        } catch (NullPointerException e) {
        }
    }

    @Test
    public void fromJson_invalidServiceAccountImpersonationUrl_throws() {
        GenericJson buildJsonIdentityPoolCredential = buildJsonIdentityPoolCredential();
        buildJsonIdentityPoolCredential.put("service_account_impersonation_url", "https://iamcredentials.googleapis.com");
        try {
            ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
            Assert.fail("Exception should be thrown.");
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("Unable to determine target principal from service account impersonation URL.", e.getMessage());
        }
    }

    @Test
    public void fromJson_nullTransport_throws() {
        try {
            ExternalAccountCredentials.fromJson(new HashMap(), (HttpTransportFactory) null);
            Assert.fail("Exception should be thrown.");
        } catch (NullPointerException e) {
        }
    }

    @Test
    public void fromJson_invalidWorkforceAudiences_throws() {
        for (String str : Arrays.asList("//iam.googleapis.com/locations/global/workloadIdentityPools/pool/providers/provider", "//iam.googleapis.com/locations/global/workforcepools/pool/providers/provider", "//iam.googleapis.com/locations/global/workforcePools/providers/provider", "//iam.googleapis.com/locations/global/workforcePools/providers", "//iam.googleapis.com/locations/global/workforcePools/", "//iam.googleapis.com/locations//workforcePools/providers", "//iam.googleapis.com/notlocations/global/workforcePools/providers", "//iam.googleapis.com/locations/global/workforce/providers")) {
            try {
                GenericJson buildJsonIdentityPoolCredential = buildJsonIdentityPoolCredential();
                buildJsonIdentityPoolCredential.put("audience", str);
                buildJsonIdentityPoolCredential.put("workforce_pool_user_project", "userProject");
                ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
                Assert.fail("Exception should be thrown.");
            } catch (IllegalArgumentException e) {
                Assert.assertEquals("The workforce_pool_user_project parameter should only be provided for a Workforce Pool configuration.", e.getMessage());
            }
        }
    }

    @Test
    public void constructor_builder() {
        HashMap hashMap = new HashMap();
        hashMap.put("file", "file");
        ExternalAccountCredentials build = IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(hashMap)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").build();
        Assert.assertEquals("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider", build.getAudience());
        Assert.assertEquals("subjectTokenType", build.getSubjectTokenType());
        Assert.assertEquals(STS_URL, build.getTokenUrl());
        Assert.assertEquals("https://tokeninfo.com", build.getTokenInfoUrl());
        Assert.assertEquals("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken", build.getServiceAccountImpersonationUrl());
        Assert.assertEquals(Arrays.asList("scope1", "scope2"), build.getScopes());
        Assert.assertEquals("projectId", build.getQuotaProjectId());
        Assert.assertEquals("clientId", build.getClientId());
        Assert.assertEquals("clientSecret", build.getClientSecret());
        Assert.assertEquals("workforcePoolUserProject", build.getWorkforcePoolUserProject());
        Assert.assertNotNull(build.getCredentialSource());
    }

    @Test
    public void constructor_builder_invalidTokenUrl() {
        try {
            new TestExternalAccountCredentials(TestExternalAccountCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("audience").setSubjectTokenType("subjectTokenType").setTokenUrl("tokenUrl").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)));
            Assert.fail("Should not be able to continue without exception.");
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("The provided token URL is invalid.", e.getMessage());
        }
    }

    @Test
    public void constructor_builder_invalidServiceAccountImpersonationUrl() {
        try {
            new TestExternalAccountCredentials(TestExternalAccountCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("audience").setSubjectTokenType("subjectTokenType").setTokenUrl("tokenUrl").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setServiceAccountImpersonationUrl("serviceAccountImpersonationUrl"));
            Assert.fail("Should not be able to continue without exception.");
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("The provided token URL is invalid.", e.getMessage());
        }
    }

    @Test
    public void constructor_builderWithInvalidWorkforceAudiences_throws() {
        List asList = Arrays.asList("", "//iam.googleapis.com/projects/x23/locations/global/workloadIdentityPools/pool/providers/provider", "//iam.googleapis.com/locations/global/workforcepools/pool/providers/provider", "//iam.googleapis.com/locations/global/workforcePools/providers/provider", "//iam.googleapis.com/locations/global/workforcePools/providers", "//iam.googleapis.com/locations/global/workforcePools/", "//iam.googleapis.com/locations//workforcePools/providers", "//iam.googleapis.com/notlocations/global/workforcePools/providers", "//iam.googleapis.com/locations/global/workforce/providers");
        HashMap hashMap = new HashMap();
        hashMap.put("file", "file");
        Iterator it = asList.iterator();
        while (it.hasNext()) {
            try {
                TestExternalAccountCredentials.newBuilder().setWorkforcePoolUserProject("workforcePoolUserProject").setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY).setAudience((String) it.next()).setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(hashMap)).build();
                Assert.fail("Should not be able to continue without exception.");
            } catch (IllegalArgumentException e) {
                Assert.assertEquals("The workforce_pool_user_project parameter should only be provided for a Workforce Pool configuration.", e.getMessage());
            }
        }
    }

    @Test
    public void constructor_builderWithEmptyWorkforceUserProjectAndWorkforceAudience() {
        HashMap hashMap = new HashMap();
        hashMap.put("file", "file");
        TestExternalAccountCredentials.newBuilder().setWorkforcePoolUserProject("").setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(hashMap)).build();
    }

    @Test
    public void constructor_builder_invalidTokenLifetime_throws() {
        HashMap hashMap = new HashMap();
        hashMap.put("token_lifetime_seconds", "thisIsAString");
        try {
            IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").setServiceAccountImpersonationOptions(hashMap).build();
            Assert.fail("Should not be able to continue without exception.");
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("Value of \"token_lifetime_seconds\" field could not be parsed into an integer.", e.getMessage());
            Assert.assertEquals(NumberFormatException.class, e.getCause().getClass());
        }
    }

    @Test
    public void constructor_builder_stringTokenLifetime() {
        new HashMap().put("token_lifetime_seconds", "2800");
        Assert.assertEquals(2800L, IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").setServiceAccountImpersonationOptions(r0).build().getServiceAccountImpersonationOptions().getLifetime());
    }

    @Test
    public void constructor_builder_bigDecimalTokenLifetime() {
        new HashMap().put("token_lifetime_seconds", new BigDecimal("2800"));
        Assert.assertEquals(2800L, IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").setServiceAccountImpersonationOptions(r0).build().getServiceAccountImpersonationOptions().getLifetime());
    }

    @Test
    public void constructor_builder_integerTokenLifetime() {
        new HashMap().put("token_lifetime_seconds", 2800);
        Assert.assertEquals(2800L, IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").setServiceAccountImpersonationOptions(r0).build().getServiceAccountImpersonationOptions().getLifetime());
    }

    @Test
    public void constructor_builder_lowTokenLifetime_throws() {
        HashMap hashMap = new HashMap();
        hashMap.put("token_lifetime_seconds", 599);
        try {
            IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").setServiceAccountImpersonationOptions(hashMap).build();
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("The \"token_lifetime_seconds\" field must be between 600 and 43200 seconds.", e.getMessage());
        }
    }

    @Test
    public void constructor_builder_highTokenLifetime_throws() {
        HashMap hashMap = new HashMap();
        hashMap.put("token_lifetime_seconds", 43201);
        try {
            IdentityPoolCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("https://tokeninfo.com").setServiceAccountImpersonationUrl("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken").setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setScopes(Arrays.asList("scope1", "scope2")).setQuotaProjectId("projectId").setClientId("clientId").setClientSecret("clientSecret").setWorkforcePoolUserProject("workforcePoolUserProject").setServiceAccountImpersonationOptions(hashMap).build();
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("The \"token_lifetime_seconds\" field must be between 600 and 43200 seconds.", e.getMessage());
        }
    }

    @Test
    public void exchangeExternalCredentialForAccessToken() throws IOException {
        Assert.assertEquals(this.transportFactory.transport.getAccessToken(), ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential(), this.transportFactory).exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").build()).getTokenValue());
        Assert.assertNull(TestUtils.parseQuery(this.transportFactory.transport.getLastRequest().getContentAsString()).get("options"));
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_withInternalOptions() throws IOException {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential(), this.transportFactory);
        GenericJson genericJson = new GenericJson();
        genericJson.setFactory(OAuth2Utils.JSON_FACTORY);
        genericJson.put("key", "value");
        Assert.assertEquals(this.transportFactory.transport.getAccessToken(), fromJson.exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").setInternalOptions(genericJson.toString()).build()).getTokenValue());
        Map<String, String> parseQuery = TestUtils.parseQuery(this.transportFactory.transport.getLastRequest().getContentAsString());
        Assert.assertNotNull(parseQuery.get("options"));
        Assert.assertEquals(genericJson.toString(), parseQuery.get("options"));
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_workforceCred_expectUserProjectPassedToSts() throws IOException {
        List asList = Arrays.asList(ExternalAccountCredentials.fromJson(buildJsonIdentityPoolWorkforceCredential(), this.transportFactory), ExternalAccountCredentials.fromJson(buildJsonPluggableAuthWorkforceCredential(), this.transportFactory));
        for (int i = 0; i < asList.size(); i++) {
            Assert.assertEquals(this.transportFactory.transport.getAccessToken(), ((ExternalAccountCredentials) asList.get(i)).exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").build()).getTokenValue());
            Map<String, String> parseQuery = TestUtils.parseQuery(this.transportFactory.transport.getLastRequest().getContentAsString());
            GenericJson genericJson = new GenericJson();
            genericJson.setFactory(OAuth2Utils.JSON_FACTORY);
            genericJson.put("userProject", "userProject");
            Assert.assertEquals(genericJson.toString(), parseQuery.get("options"));
            Assert.assertEquals(i + 1, this.transportFactory.transport.getRequests().size());
        }
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_workforceCredWithInternalOptions_expectOverridden() throws IOException {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonIdentityPoolWorkforceCredential(), this.transportFactory);
        GenericJson genericJson = new GenericJson();
        genericJson.put("key", "value");
        Assert.assertEquals(this.transportFactory.transport.getAccessToken(), fromJson.exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").setInternalOptions(genericJson.toString()).build()).getTokenValue());
        Map<String, String> parseQuery = TestUtils.parseQuery(this.transportFactory.transport.getLastRequest().getContentAsString());
        Assert.assertNotNull(parseQuery.get("options"));
        Assert.assertEquals(genericJson.toString(), parseQuery.get("options"));
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_withServiceAccountImpersonation() throws IOException {
        this.transportFactory.transport.setExpireTime(TestUtils.getDefaultExpireTime());
        Assert.assertEquals(this.transportFactory.transport.getServiceAccountAccessToken(), ExternalAccountCredentials.fromStream(IdentityPoolCredentialsTest.writeIdentityPoolCredentialsStream(this.transportFactory.transport.getStsUrl(), this.transportFactory.transport.getMetadataUrl(), this.transportFactory.transport.getServiceAccountImpersonationUrl(), null), this.transportFactory).exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").build()).getTokenValue());
        Assert.assertEquals("3600s", ((GenericJson) OAuth2Utils.JSON_FACTORY.createJsonParser(this.transportFactory.transport.getLastRequest().getContentAsString()).parseAndClose(GenericJson.class)).get("lifetime"));
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_withServiceAccountImpersonationOptions() throws IOException {
        this.transportFactory.transport.setExpireTime(TestUtils.getDefaultExpireTime());
        Assert.assertEquals(this.transportFactory.transport.getServiceAccountAccessToken(), ExternalAccountCredentials.fromStream(IdentityPoolCredentialsTest.writeIdentityPoolCredentialsStream(this.transportFactory.transport.getStsUrl(), this.transportFactory.transport.getMetadataUrl(), this.transportFactory.transport.getServiceAccountImpersonationUrl(), buildServiceAccountImpersonationOptions(2800)), this.transportFactory).exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").build()).getTokenValue());
        Assert.assertEquals("2800s", ((GenericJson) OAuth2Utils.JSON_FACTORY.createJsonParser(this.transportFactory.transport.getLastRequest().getContentAsString()).parseAndClose(GenericJson.class)).get("lifetime"));
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_withServiceAccountImpersonationOverride() throws IOException {
        this.transportFactory.transport.setExpireTime(TestUtils.getDefaultExpireTime());
        IdentityPoolCredentials fromStream = ExternalAccountCredentials.fromStream(IdentityPoolCredentialsTest.writeIdentityPoolCredentialsStream(this.transportFactory.transport.getStsUrl(), this.transportFactory.transport.getMetadataUrl(), this.transportFactory.transport.getServiceAccountImpersonationUrl(), null), this.transportFactory);
        ExternalAccountCredentials build = IdentityPoolCredentials.newBuilder(fromStream).setServiceAccountImpersonationUrl((String) null).build();
        fromStream.overrideImpersonatedCredentials(new ImpersonatedCredentials.Builder(build, "different@different.iam.gserviceaccount.com").setScopes(new ArrayList(build.getScopes())).setHttpTransportFactory(this.transportFactory).build());
        fromStream.exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").build());
        Assert.assertTrue(this.transportFactory.transport.getRequests().get(2).getUrl().contains("different@different.iam.gserviceaccount.com"));
    }

    @Test
    public void exchangeExternalCredentialForAccessToken_throws() throws IOException {
        ExternalAccountCredentials fromJson = ExternalAccountCredentials.fromJson(buildJsonIdentityPoolCredential(), this.transportFactory);
        this.transportFactory.transport.addResponseErrorSequence(TestUtils.buildHttpResponseException("invalidRequest", "errorDescription", "errorUri"));
        try {
            fromJson.exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest.newBuilder("credential", "subjectTokenType").build());
            Assert.fail("Exception should be thrown.");
        } catch (OAuthException e) {
            Assert.assertEquals("invalidRequest", e.getErrorCode());
            Assert.assertEquals("errorDescription", e.getErrorDescription());
            Assert.assertEquals("errorUri", e.getErrorUri());
        }
    }

    @Test
    public void getRequestMetadata_withQuotaProjectId() throws IOException {
        Assert.assertEquals("quotaProjectId", ((List) ((TestExternalAccountCredentials) TestExternalAccountCredentials.newBuilder().setHttpTransportFactory(this.transportFactory).setAudience("audience").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setCredentialSource(new TestExternalAccountCredentials.TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP)).setQuotaProjectId("quotaProjectId").build()).getRequestMetadata(URI.create("http://googleapis.com/foo/bar")).get("x-goog-user-project")).get(0));
    }

    @Test
    public void validateTokenUrl_validUrls() {
        for (String str : Arrays.asList(STS_URL, "https://us-east-1.sts.googleapis.com", "https://US-EAST-1.sts.googleapis.com", "https://sts.us-east-1.googleapis.com", "https://sts.US-WEST-1.googleapis.com", "https://us-east-1-sts.googleapis.com", "https://US-WEST-1-sts.googleapis.com", "https://us-west-1-sts.googleapis.com/path?query")) {
            ExternalAccountCredentials.validateTokenUrl(str);
            ExternalAccountCredentials.validateTokenUrl(str.toUpperCase(Locale.US));
        }
    }

    @Test
    public void validateTokenUrl_invalidUrls() {
        Iterator it = Arrays.asList("https://iamcredentials.googleapis.com", "sts.googleapis.com", "https://", "http://sts.googleapis.com", "https://st.s.googleapis.com", "https://us-eas\\t-1.sts.googleapis.com", "https:/us-east-1.sts.googleapis.com", "https://US-WE/ST-1-sts.googleapis.com", "https://sts-us-east-1.googleapis.com", "https://sts-US-WEST-1.googleapis.com", "testhttps://us-east-1.sts.googleapis.com", "https://us-east-1.sts.googleapis.comevil.com", "https://us-east-1.us-east-1.sts.googleapis.com", "https://us-ea.s.t.sts.googleapis.com", "https://sts.googleapis.comevil.com", "hhttps://us-east-1.sts.googleapis.com", "https://us- -1.sts.googleapis.com", "https://-sts.googleapis.com", "https://us-east-1.sts.googleapis.com.evil.com").iterator();
        while (it.hasNext()) {
            try {
                ExternalAccountCredentials.validateTokenUrl((String) it.next());
                Assert.fail("Should have failed since an invalid URL was passed.");
            } catch (IllegalArgumentException e) {
                Assert.assertEquals("The provided token URL is invalid.", e.getMessage());
            }
        }
    }

    @Test
    public void validateServiceAccountImpersonationUrls_validUrls() {
        for (String str : Arrays.asList("https://iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com", "https://US-EAST-1.iamcredentials.googleapis.com", "https://iamcredentials.us-east-1.googleapis.com", "https://iamcredentials.US-WEST-1.googleapis.com", "https://us-east-1-iamcredentials.googleapis.com", "https://US-WEST-1-iamcredentials.googleapis.com", "https://us-west-1-iamcredentials.googleapis.com/path?query")) {
            ExternalAccountCredentials.validateServiceAccountImpersonationInfoUrl(str);
            ExternalAccountCredentials.validateServiceAccountImpersonationInfoUrl(str.toUpperCase(Locale.US));
        }
    }

    @Test
    public void validateServiceAccountImpersonationUrls_invalidUrls() {
        Iterator it = Arrays.asList(STS_URL, "iamcredentials.googleapis.com", "https://", "http://iamcredentials.googleapis.com", "https://iamcre.dentials.googleapis.com", "https://us-eas\t-1.iamcredentials.googleapis.com", "https:/us-east-1.iamcredentials.googleapis.com", "https://US-WE/ST-1-iamcredentials.googleapis.com", "https://iamcredentials-us-east-1.googleapis.com", "https://iamcredentials-US-WEST-1.googleapis.com", "testhttps://us-east-1.iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.comevil.com", "https://us-east-1.us-east-1.iamcredentials.googleapis.com", "https://us-ea.s.t.iamcredentials.googleapis.com", "https://iamcredentials.googleapis.comevil.com", "hhttps://us-east-1.iamcredentials.googleapis.com", "https://us- -1.iamcredentials.googleapis.com", "https://-iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com.evil.com").iterator();
        while (it.hasNext()) {
            try {
                ExternalAccountCredentials.validateServiceAccountImpersonationInfoUrl((String) it.next());
                Assert.fail("Should have failed since an invalid URL was passed.");
            } catch (IllegalArgumentException e) {
                Assert.assertEquals("The provided service account impersonation URL is invalid.", e.getMessage());
            }
        }
    }

    private GenericJson buildJsonIdentityPoolCredential() {
        GenericJson genericJson = new GenericJson();
        genericJson.put("audience", "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider");
        genericJson.put("subject_token_type", "subjectTokenType");
        genericJson.put("token_url", STS_URL);
        genericJson.put("token_info_url", "tokenInfoUrl");
        HashMap hashMap = new HashMap();
        hashMap.put("file", "file");
        genericJson.put("credential_source", hashMap);
        return genericJson;
    }

    private GenericJson buildJsonIdentityPoolWorkforceCredential() {
        GenericJson buildJsonIdentityPoolCredential = buildJsonIdentityPoolCredential();
        buildJsonIdentityPoolCredential.put("audience", "//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider");
        buildJsonIdentityPoolCredential.put("workforce_pool_user_project", "userProject");
        return buildJsonIdentityPoolCredential;
    }

    private GenericJson buildJsonAwsCredential() {
        GenericJson genericJson = new GenericJson();
        genericJson.put("audience", "audience");
        genericJson.put("subject_token_type", "subjectTokenType");
        genericJson.put("token_url", STS_URL);
        genericJson.put("token_info_url", "tokenInfoUrl");
        HashMap hashMap = new HashMap();
        hashMap.put("environment_id", "aws1");
        hashMap.put("region_url", "regionUrl");
        hashMap.put("url", "url");
        hashMap.put("regional_cred_verification_url", "regionalCredVerificationUrl");
        genericJson.put("credential_source", hashMap);
        return genericJson;
    }

    private GenericJson buildJsonPluggableAuthCredential() {
        GenericJson genericJson = new GenericJson();
        genericJson.put("audience", "audience");
        genericJson.put("subject_token_type", "subjectTokenType");
        genericJson.put("token_url", STS_URL);
        genericJson.put("token_info_url", "tokenInfoUrl");
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        hashMap2.put("command", "command");
        hashMap.put("executable", hashMap2);
        genericJson.put("credential_source", hashMap);
        return genericJson;
    }

    private GenericJson buildJsonPluggableAuthWorkforceCredential() {
        GenericJson buildJsonPluggableAuthCredential = buildJsonPluggableAuthCredential();
        buildJsonPluggableAuthCredential.put("audience", "//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider");
        buildJsonPluggableAuthCredential.put("workforce_pool_user_project", "userProject");
        return buildJsonPluggableAuthCredential;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Map<String, Object> buildServiceAccountImpersonationOptions(Integer num) {
        HashMap hashMap = new HashMap();
        hashMap.put("token_lifetime_seconds", num);
        return hashMap;
    }
}
