package com.google.auth.oauth2;

import com.google.api.client.http.HttpTransport;
import com.google.auth.TestUtils;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentialsTest;
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

/**
 * Unit tests for {@link DownscopedCredentials}.
 *
 * <p>Every credential built here is wired to a mock transport factory, so the tests exercise
 * the builder contract and the shape of the token-exchange request rather than a live endpoint.
 */
@RunWith(JUnit4.class)
public class DownscopedCredentialsTest {
    // PEM-encoded PKCS#8 key that is only parsed to build the service-account fixture below.
    // NOTE(review): keep this a throwaway key that is not provisioned on any real service account.
    private static final String SA_PRIVATE_KEY_PKCS8 = "-----BEGIN PRIVATE KEY-----\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\n-----END PRIVATE KEY-----\n";

    // Single-rule boundary shared by all tests: one bucket resource, one role-based permission.
    private static final CredentialAccessBoundary CREDENTIAL_ACCESS_BOUNDARY =
            CredentialAccessBoundary.newBuilder()
                    .addRule(
                            CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
                                    .setAvailableResource("//storage.googleapis.com/projects/_/buckets/bucket")
                                    .addAvailablePermission("inRole:roles/storage.objectViewer")
                                    .build())
                    .build();

    // Scope applied to the source credential, both by the fixtures and in the builder-default check.
    private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    /**
     * Transport factory that always hands out the same {@link MockStsTransport}, so a test can
     * inspect the request the credential sent after the exchange.
     */
    static class MockStsTransportFactory implements HttpTransportFactory {
        MockStsTransport transport = new MockStsTransport();

        public HttpTransport create() {
            return transport;
        }
    }

    /**
     * A refresh returns the token issued by the mock STS transport, and the exchange request
     * carries the access boundary as JSON in {@code options} together with the access-token
     * {@code requested_token_type}.
     */
    @Test
    public void refreshAccessToken() throws IOException {
        MockStsTransportFactory stsFactory = new MockStsTransportFactory();
        String expectedToken = stsFactory.transport.getAccessToken();

        DownscopedCredentials downscoped = DownscopedCredentials.newBuilder()
                .setSourceCredential(getServiceAccountSourceCredentials(true))
                .setCredentialAccessBoundary(CREDENTIAL_ACCESS_BOUNDARY)
                .setHttpTransportFactory(stsFactory)
                .build();
        AccessToken issued = downscoped.refreshAccessToken();
        Assert.assertEquals(expectedToken, issued.getTokenValue());

        // The boundary must actually reach the exchange endpoint, not just sit on the object.
        String requestBody = stsFactory.transport.getRequest().getContentAsString();
        Map<String, String> params = TestUtils.parseQuery(requestBody);
        Assert.assertNotNull(params.get("options"));
        Assert.assertEquals(CREDENTIAL_ACCESS_BOUNDARY.toJson(), params.get("options"));
        Assert.assertEquals(
                "urn:ietf:params:oauth:token-type:access_token",
                params.get("requested_token_type"));
    }

    /**
     * With the mock STS transport told not to return {@code expires_in}, the refreshed token
     * takes its expiration time from the source user credential's access token.
     */
    @Test
    public void refreshAccessToken_userCredentials_expectExpiresInCopied() throws IOException {
        MockStsTransportFactory stsFactory = new MockStsTransportFactory();
        stsFactory.transport.setReturnExpiresIn(false);

        GoogleCredentials source = getUserSourceCredentials();
        DownscopedCredentials downscoped = DownscopedCredentials.newBuilder()
                .setSourceCredential(source)
                .setCredentialAccessBoundary(CREDENTIAL_ACCESS_BOUNDARY)
                .setHttpTransportFactory(stsFactory)
                .build();
        AccessToken issued = downscoped.refreshAccessToken();

        Assert.assertEquals(stsFactory.transport.getAccessToken(), issued.getTokenValue());
        Assert.assertEquals(
                source.getAccessToken().getExpirationTime(),
                issued.getExpirationTime());
    }

    /**
     * When the source credential's token server is set to fail, the refresh surfaces an
     * {@link IOException} with the fixed "unable to refresh" message instead of a token.
     */
    @Test
    public void refreshAccessToken_cantRefreshSourceCredentials_throws() throws IOException {
        try {
            DownscopedCredentials downscoped = DownscopedCredentials.newBuilder()
                    .setSourceCredential(getServiceAccountSourceCredentials(false))
                    .setCredentialAccessBoundary(CREDENTIAL_ACCESS_BOUNDARY)
                    .setHttpTransportFactory(new MockStsTransportFactory())
                    .build();
            downscoped.refreshAccessToken();
            Assert.fail("Should fail as the source credential should not be able to be refreshed.");
        } catch (IOException expected) {
            Assert.assertEquals("Unable to refresh the provided source credential.", expected.getMessage());
        }
    }

    /** Building without a source credential is rejected with a {@link NullPointerException}. */
    @Test
    public void builder_noSourceCredential_throws() {
        try {
            DownscopedCredentials.newBuilder()
                    .setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY)
                    .setCredentialAccessBoundary(CREDENTIAL_ACCESS_BOUNDARY)
                    .build();
            Assert.fail("Should fail as the source credential is null.");
        } catch (NullPointerException expected) {
            // Expected: the exception type is the whole assertion here.
        }
    }

    /**
     * Building without an access boundary is rejected with a {@link NullPointerException}, so
     * the builder never yields a credential that has no boundary to apply.
     */
    @Test
    public void builder_noCredentialAccessBoundary_throws() throws IOException {
        try {
            DownscopedCredentials.newBuilder()
                    .setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY)
                    .setSourceCredential(getServiceAccountSourceCredentials(true))
                    .build();
            Assert.fail("Should fail as no access boundary was provided.");
        } catch (NullPointerException expected) {
            // Expected: the exception type is the whole assertion here.
        }
    }

    /**
     * With no transport factory set, the built credential falls back to
     * {@code OAuth2Utils.HTTP_TRANSPORT_FACTORY} and exposes the cloud-platform-scoped source
     * credential and the boundary it was given.
     */
    @Test
    public void builder_noTransport_defaults() throws IOException {
        GoogleCredentials source = getServiceAccountSourceCredentials(true);
        DownscopedCredentials downscoped = DownscopedCredentials.newBuilder()
                .setSourceCredential(source)
                .setCredentialAccessBoundary(CREDENTIAL_ACCESS_BOUNDARY)
                .build();

        GoogleCredentials expectedSource = source.createScoped(new String[]{CLOUD_PLATFORM_SCOPE});
        Assert.assertEquals(expectedSource, downscoped.getSourceCredentials());
        Assert.assertEquals(CREDENTIAL_ACCESS_BOUNDARY, downscoped.getCredentialAccessBoundary());
        Assert.assertEquals(OAuth2Utils.HTTP_TRANSPORT_FACTORY, downscoped.getTransportFactory());
    }

    /**
     * Builds a cloud-platform-scoped service-account credential backed by a mock token server.
     *
     * @param canRefresh when {@code false}, the mock token server is set to raise an
     *     {@link IOException}, so refreshing the returned credential fails
     * @return the scoped source credential
     * @throws IOException if the fixture private key cannot be parsed
     */
    private static GoogleCredentials getServiceAccountSourceCredentials(boolean canRefresh) throws IOException {
        String clientEmail = "service-account@google.com";
        GoogleCredentialsTest.MockTokenServerTransportFactory tokenServerFactory =
                new GoogleCredentialsTest.MockTokenServerTransportFactory();

        ServiceAccountCredentials serviceAccount = ServiceAccountCredentials.newBuilder()
                .setClientEmail(clientEmail)
                .setPrivateKey(ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8))
                .setPrivateKeyId("privateKeyId")
                .setProjectId("projectId")
                .setHttpTransportFactory(tokenServerFactory)
                .build();

        tokenServerFactory.transport.addServiceAccount(clientEmail, "accessToken");
        if (!canRefresh) {
            tokenServerFactory.transport.setError(new IOException());
        }
        return serviceAccount.createScoped(new String[]{CLOUD_PLATFORM_SCOPE});
    }

    /**
     * Builds a user credential backed by a mock token server, pre-loaded with an access token
     * whose expiration time is the moment of construction.
     *
     * @return the user source credential
     */
    private static GoogleCredentials getUserSourceCredentials() {
        GoogleCredentialsTest.MockTokenServerTransportFactory tokenServerFactory =
                new GoogleCredentialsTest.MockTokenServerTransportFactory();
        tokenServerFactory.transport.addClient("clientId", "clientSecret");
        tokenServerFactory.transport.addRefreshToken("refreshToken", "accessToken");

        return UserCredentials.newBuilder()
                .setClientId("clientId")
                .setClientSecret("clientSecret")
                .setRefreshToken("refreshToken")
                .setAccessToken(new AccessToken("accessToken", new Date()))
                .setHttpTransportFactory(tokenServerFactory)
                .build();
    }
}
