package com.google.auth.oauth2;

import com.google.api.client.json.GenericJson;
import com.google.api.client.testing.http.MockLowLevelHttpRequest;
import com.google.api.client.util.Clock;
import com.google.auth.TestUtils;
import com.google.auth.oauth2.AwsCredentials;
import com.google.auth.oauth2.ExternalAccountCredentialsTest;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

@RunWith(JUnit4.class)
/* loaded from: input_file:com/google/auth/oauth2/AwsCredentialsTest.class */
public class AwsCredentialsTest extends BaseSerializationTest {
    // Fixture endpoints on 169.254.169.254, the link-local address of the EC2 instance metadata
    // service. The paths (/roleName, /region, /imdsv2) are short test stand-ins.
    private static final String AWS_CREDENTIALS_URL = "https://169.254.169.254";
    private static final String AWS_CREDENTIALS_URL_WITH_ROLE = "https://169.254.169.254/roleName";
    private static final String AWS_REGION_URL = "https://169.254.169.254/region";
    private static final String AWS_IMDSV2_SESSION_TOKEN_URL = "https://169.254.169.254/imdsv2";
    // Constructed placeholder, not a real token. retrieveSubjectTokenWithSessionTokenUrl expects it
    // in the x-aws-ec2-metadata-token header of the requests that follow the session-token request.
    private static final String AWS_IMDSV2_SESSION_TOKEN = "sessiontoken";
    // The subject-token tests expect this value in the "url" field of the decoded subject token and
    // its host in the "host" header entry.
    private static final String GET_CALLER_IDENTITY_URL = "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15";
    private static final String SERVICE_ACCOUNT_IMPERSONATION_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testn@test.iam.gserviceaccount.com:generateAccessToken";
    // Default credential-source configuration. It is built as an anonymous HashMap subclass with an
    // instance initializer, so the map stays mutable even though the field is static final.
    private static final Map<String, Object> AWS_CREDENTIAL_SOURCE_MAP = new HashMap<String, Object>() { // from class: com.google.auth.oauth2.AwsCredentialsTest.1
        {
            put("environment_id", "aws1");
            put("region_url", AwsCredentialsTest.AWS_REGION_URL);
            put("url", AwsCredentialsTest.AWS_CREDENTIALS_URL);
            put("regional_cred_verification_url", "regionalCredVerificationUrl");
        }
    };
    // Empty header maps: the Object-valued one is passed to getAwsSecurityCredentials/getAwsRegion,
    // the String-valued one to ValidateRequest as the expected request headers.
    private static final Map<String, Object> EMPTY_METADATA_HEADERS = Collections.emptyMap();
    private static final Map<String, String> EMPTY_STRING_HEADERS = Collections.emptyMap();
    private static final AwsCredentials.AwsCredentialSource AWS_CREDENTIAL_SOURCE = new AwsCredentials.AwsCredentialSource(AWS_CREDENTIAL_SOURCE_MAP);
    private static final String STS_URL = "https://sts.googleapis.com";
    // Base credential that every test copies via AwsCredentials.newBuilder(AWS_CREDENTIAL). It is
    // built with OAuth2Utils.HTTP_TRANSPORT_FACTORY rather than a mock, so a test that needs to
    // observe or block HTTP traffic has to override the transport factory on its copy.
    private static final AwsCredentials AWS_CREDENTIAL = AwsCredentials.newBuilder().setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY).setAudience("audience").setSubjectTokenType("subjectTokenType").setTokenUrl(STS_URL).setTokenInfoUrl("tokenInfoUrl").setCredentialSource(AWS_CREDENTIAL_SOURCE).build();

    /**
     * Constructs an AwsCredentialSource three times, each time pointing one endpoint key at a host
     * other than the metadata address.
     *
     * <p>There is no assertion: the test passes exactly when the constructor accepts every map.
     * NOTE(review): as written this pins that an arbitrary host is accepted for region_url, url and
     * imdsv2_session_token_url at construction time. Other tests in this class show the IMDSv2
     * session token being sent to the region and credentials URLs, so the credential configuration
     * has to come from a trusted source. Confirm the acceptance is intended; if host validation is
     * expected, this test should assert the rejection instead.
     */
    @Test
    public void test_awsCredentialSource() {
        for (String endpointKey : Arrays.asList("region_url", "url", "imdsv2_session_token_url")) {
            Map<String, Object> sourceMap = buildAwsIpv6CredentialSourceMap();
            sourceMap.put(endpointKey, "https://badhost.com/fake");
            new AwsCredentials.AwsCredentialSource(sourceMap);
        }
    }

    /**
     * Without impersonation, refreshing must return the access token that the mock transport
     * reports via getAccessToken().
     */
    @Test
    public void refreshAccessToken_withoutServiceAccountImpersonation() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();

        Assert.assertEquals(
                transportFactory.transport.getAccessToken(),
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setTokenUrl(transportFactory.transport.getStsUrl())
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsCredentialSource(transportFactory))
                        .build()
                        .refreshAccessToken()
                        .getTokenValue());
    }

    /**
     * With a service-account impersonation URL configured, refreshing must return the mock
     * transport's service-account access token.
     */
    @Test
    public void refreshAccessToken_withServiceAccountImpersonation() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        transportFactory.transport.setExpireTime(TestUtils.getDefaultExpireTime());

        Assert.assertEquals(
                transportFactory.transport.getServiceAccountAccessToken(),
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setTokenUrl(transportFactory.transport.getStsUrl())
                        .setServiceAccountImpersonationUrl(
                                transportFactory.transport.getServiceAccountImpersonationUrl())
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsCredentialSource(transportFactory))
                        .build()
                        .refreshAccessToken()
                        .getTokenValue());
    }

    /**
     * Same as the impersonation test, with impersonation options built from 2800. The last request
     * body seen by the mock transport must then carry "lifetime": "2800s".
     */
    @Test
    public void refreshAccessToken_withServiceAccountImpersonationOptions() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        transportFactory.transport.setExpireTime(TestUtils.getDefaultExpireTime());

        Assert.assertEquals(
                transportFactory.transport.getServiceAccountAccessToken(),
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setTokenUrl(transportFactory.transport.getStsUrl())
                        .setServiceAccountImpersonationUrl(
                                transportFactory.transport.getServiceAccountImpersonationUrl())
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsCredentialSource(transportFactory))
                        .setServiceAccountImpersonationOptions(
                                ExternalAccountCredentialsTest.buildServiceAccountImpersonationOptions(2800))
                        .build()
                        .refreshAccessToken()
                        .getTokenValue());

        // The requested lifetime is checked on the wire, in the last request the mock recorded.
        GenericJson lastRequestBody = (GenericJson) OAuth2Utils.JSON_FACTORY
                .createJsonParser(transportFactory.transport.getLastRequest().getContentAsString())
                .parseAndClose(GenericJson.class);
        Assert.assertEquals("2800s", lastRequestBody.get("lifetime"));
    }

    /**
     * Decodes the URL-encoded subject token and checks that it describes a POST to the
     * GetCallerIdentity URL with the expected header entries, then checks the three metadata
     * requests (region, role listing, role credentials) recorded by the mock transport.
     */
    @Test
    public void retrieveSubjectToken() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        AwsCredentials credential = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(buildAwsCredentialSource(transportFactory))
                .build();

        String decodedToken = URLDecoder.decode(credential.retrieveSubjectToken(), "UTF-8");
        GenericJson tokenJson = (GenericJson) OAuth2Utils.JSON_FACTORY
                .createJsonParser(decodedToken)
                .parseAndClose(GenericJson.class);

        // Flatten the [{key, value}, ...] header list into a lookup map.
        List<Map> headerEntries = (List) tokenJson.get("headers");
        Map<Object, Object> headerValues = new HashMap<>();
        for (Map<?, ?> entry : headerEntries) {
            headerValues.put(entry.get("key"), entry.get("value"));
        }

        Assert.assertEquals("POST", tokenJson.get("method"));
        Assert.assertEquals(GET_CALLER_IDENTITY_URL, tokenJson.get("url"));
        Assert.assertEquals(URI.create(GET_CALLER_IDENTITY_URL).getHost(), headerValues.get("host"));
        Assert.assertEquals("token", headerValues.get("x-amz-security-token"));
        // The audience travels in the header list of the serialized request.
        Assert.assertEquals(credential.getAudience(), headerValues.get("x-goog-cloud-target-resource"));
        Assert.assertTrue(headerValues.containsKey("x-amz-date"));
        Assert.assertNotNull(headerValues.get("Authorization"));

        // No session-token URL is configured here, so the metadata requests carry no extra headers.
        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(3L, recorded.size());
        ValidateRequest(recorded.get(0), AWS_REGION_URL, EMPTY_STRING_HEADERS);
        ValidateRequest(recorded.get(1), AWS_CREDENTIALS_URL, EMPTY_STRING_HEADERS);
        ValidateRequest(recorded.get(2), AWS_CREDENTIALS_URL_WITH_ROLE, EMPTY_STRING_HEADERS);
    }

    /**
     * IMDSv2 variant of retrieveSubjectToken: the first recorded request goes to the session-token
     * URL with a TTL header, and the three metadata requests that follow must each carry the
     * session token in x-aws-ec2-metadata-token.
     */
    @Test
    public void retrieveSubjectTokenWithSessionTokenUrl() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        AwsCredentials credential = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                .build();

        String decodedToken = URLDecoder.decode(credential.retrieveSubjectToken(), "UTF-8");
        GenericJson tokenJson = (GenericJson) OAuth2Utils.JSON_FACTORY
                .createJsonParser(decodedToken)
                .parseAndClose(GenericJson.class);

        // Flatten the [{key, value}, ...] header list into a lookup map.
        List<Map> headerEntries = (List) tokenJson.get("headers");
        Map<Object, Object> headerValues = new HashMap<>();
        for (Map<?, ?> entry : headerEntries) {
            headerValues.put(entry.get("key"), entry.get("value"));
        }

        Assert.assertEquals("POST", tokenJson.get("method"));
        Assert.assertEquals(GET_CALLER_IDENTITY_URL, tokenJson.get("url"));
        Assert.assertEquals(URI.create(GET_CALLER_IDENTITY_URL).getHost(), headerValues.get("host"));
        Assert.assertEquals("token", headerValues.get("x-amz-security-token"));
        Assert.assertEquals(credential.getAudience(), headerValues.get("x-goog-cloud-target-resource"));
        Assert.assertTrue(headerValues.containsKey("x-amz-date"));
        Assert.assertNotNull(headerValues.get("Authorization"));

        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(4L, recorded.size());

        // Request 0 obtains the session token and asks for a 300 second TTL.
        ValidateRequest(recorded.get(0), AWS_IMDSV2_SESSION_TOKEN_URL, new HashMap<String, String>() {
            {
                put("x-aws-ec2-metadata-token-ttl-seconds", "300");
            }
        });

        // Every later metadata request has to present that session token.
        HashMap<String, String> sessionTokenHeader = new HashMap<String, String>() {
            {
                put("x-aws-ec2-metadata-token", AwsCredentialsTest.AWS_IMDSV2_SESSION_TOKEN);
            }
        };
        ValidateRequest(recorded.get(1), AWS_REGION_URL, sessionTokenHeader);
        ValidateRequest(recorded.get(2), AWS_CREDENTIALS_URL, sessionTokenHeader);
        ValidateRequest(recorded.get(3), AWS_CREDENTIALS_URL_WITH_ROLE, sessionTokenHeader);
    }

    /**
     * With region, access key, secret key and session token all supplied through the environment
     * provider, the subject token is built from those values and the mock transport records no
     * request at all.
     */
    @Test
    public void retrieveSubjectToken_imdsv1EnvVariablesSet_metadataServerNotCalled() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_REGION", "awsRegion")
                .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
                .setEnv("AWS_SESSION_TOKEN", "awsToken");
        AwsCredentials credential = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(buildAwsCredentialSource(transportFactory))
                .setEnvironmentProvider(environment)
                .build();

        String decodedToken = URLDecoder.decode(credential.retrieveSubjectToken(), "UTF-8");
        GenericJson tokenJson = (GenericJson) OAuth2Utils.JSON_FACTORY
                .createJsonParser(decodedToken)
                .parseAndClose(GenericJson.class);

        // Flatten the [{key, value}, ...] header list into a lookup map.
        List<Map> headerEntries = (List) tokenJson.get("headers");
        Map<Object, Object> headerValues = new HashMap<>();
        for (Map<?, ?> entry : headerEntries) {
            headerValues.put(entry.get("key"), entry.get("value"));
        }

        Assert.assertEquals("POST", tokenJson.get("method"));
        Assert.assertEquals(GET_CALLER_IDENTITY_URL, tokenJson.get("url"));
        Assert.assertEquals(URI.create(GET_CALLER_IDENTITY_URL).getHost(), headerValues.get("host"));
        // The session token in the result is the one from the environment, not the mock's "token".
        Assert.assertEquals("awsToken", headerValues.get("x-amz-security-token"));
        Assert.assertEquals(credential.getAudience(), headerValues.get("x-goog-cloud-target-resource"));
        Assert.assertTrue(headerValues.containsKey("x-amz-date"));
        Assert.assertNotNull(headerValues.get("Authorization"));

        Assert.assertEquals(0L, transportFactory.transport.getRequests().size());
    }

    /**
     * Same environment-only scenario as the IMDSv1 variant, but with the IMDSv2 credential source.
     * The zero-request assertion also covers the session-token request: it must not be made.
     */
    @Test
    public void retrieveSubjectToken_imdsv2EnvVariablesSet_metadataServerNotCalled() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_REGION", "awsRegion")
                .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
                .setEnv("AWS_SESSION_TOKEN", "awsToken");
        AwsCredentials credential = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                .setEnvironmentProvider(environment)
                .build();

        String decodedToken = URLDecoder.decode(credential.retrieveSubjectToken(), "UTF-8");
        GenericJson tokenJson = (GenericJson) OAuth2Utils.JSON_FACTORY
                .createJsonParser(decodedToken)
                .parseAndClose(GenericJson.class);

        // Flatten the [{key, value}, ...] header list into a lookup map.
        List<Map> headerEntries = (List) tokenJson.get("headers");
        Map<Object, Object> headerValues = new HashMap<>();
        for (Map<?, ?> entry : headerEntries) {
            headerValues.put(entry.get("key"), entry.get("value"));
        }

        Assert.assertEquals("POST", tokenJson.get("method"));
        Assert.assertEquals(GET_CALLER_IDENTITY_URL, tokenJson.get("url"));
        Assert.assertEquals(URI.create(GET_CALLER_IDENTITY_URL).getHost(), headerValues.get("host"));
        Assert.assertEquals("awsToken", headerValues.get("x-amz-security-token"));
        Assert.assertEquals(credential.getAudience(), headerValues.get("x-goog-cloud-target-resource"));
        Assert.assertTrue(headerValues.containsKey("x-amz-date"));
        Assert.assertNotNull(headerValues.get("Authorization"));

        Assert.assertEquals(0L, transportFactory.transport.getRequests().size());
    }

    /**
     * When the first queued response is an IOException, retrieveSubjectToken must fail with
     * "Failed to retrieve AWS region." after exactly one request, to the region URL.
     */
    @Test
    public void retrieveSubjectToken_noRegion_expectThrows() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        transportFactory.transport.addResponseErrorSequence(new IOException());

        try {
            AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(buildAwsCredentialSource(transportFactory))
                    .build()
                    .retrieveSubjectToken();
            Assert.fail("Should not be able to use credential without exception.");
        } catch (IOException expected) {
            Assert.assertEquals("Failed to retrieve AWS region.", expected.getMessage());
        }

        // The failure must stop the flow: nothing after the region lookup is attempted.
        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(1L, recorded.size());
        ValidateRequest(recorded.get(0), AWS_REGION_URL, EMPTY_STRING_HEADERS);
    }

    /**
     * With the response sequence (true, false) queued alongside an IOException,
     * retrieveSubjectToken must fail with "Failed to retrieve AWS IAM role." after two requests:
     * the region lookup and the role listing.
     */
    @Test
    public void retrieveSubjectToken_noRole_expectThrows() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        transportFactory.transport.addResponseErrorSequence(new IOException());
        transportFactory.transport.addResponseSequence(true, false);

        try {
            AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(buildAwsCredentialSource(transportFactory))
                    .build()
                    .retrieveSubjectToken();
            Assert.fail("Should not be able to use credential without exception.");
        } catch (IOException expected) {
            Assert.assertEquals("Failed to retrieve AWS IAM role.", expected.getMessage());
        }

        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(2L, recorded.size());
        ValidateRequest(recorded.get(0), AWS_REGION_URL, EMPTY_STRING_HEADERS);
        ValidateRequest(recorded.get(1), AWS_CREDENTIALS_URL, EMPTY_STRING_HEADERS);
    }

    /**
     * With the response sequence (true, true, false) queued alongside an IOException,
     * retrieveSubjectToken must fail with "Failed to retrieve AWS credentials." after three
     * requests: region, role listing, role credentials.
     */
    @Test
    public void retrieveSubjectToken_noCredentials_expectThrows() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        transportFactory.transport.addResponseErrorSequence(new IOException());
        transportFactory.transport.addResponseSequence(true, true, false);

        try {
            AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(buildAwsCredentialSource(transportFactory))
                    .build()
                    .retrieveSubjectToken();
            Assert.fail("Should not be able to use credential without exception.");
        } catch (IOException expected) {
            Assert.assertEquals("Failed to retrieve AWS credentials.", expected.getMessage());
        }

        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(3L, recorded.size());
        ValidateRequest(recorded.get(0), AWS_REGION_URL, EMPTY_STRING_HEADERS);
        ValidateRequest(recorded.get(1), AWS_CREDENTIALS_URL, EMPTY_STRING_HEADERS);
        ValidateRequest(recorded.get(2), AWS_CREDENTIALS_URL_WITH_ROLE, EMPTY_STRING_HEADERS);
    }

    /**
     * A credential source without region_url (and no region in the environment) must make
     * retrieveSubjectToken fail with a descriptive IOException, without any HTTP request.
     */
    @Test
    public void retrieveSubjectToken_noRegionUrlProvided() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        Map<String, Object> sourceMap = new HashMap<>();
        sourceMap.put("environment_id", "aws1");
        sourceMap.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);

        try {
            AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(new AwsCredentials.AwsCredentialSource(sourceMap))
                    .build()
                    .retrieveSubjectToken();
            Assert.fail("Should not be able to use credential without exception.");
        } catch (IOException expected) {
            Assert.assertEquals(
                    "Unable to determine the AWS region. The credential source does not contain the region URL.",
                    expected.getMessage());
        }

        Assert.assertTrue(transportFactory.transport.getRequests().isEmpty());
    }

    /**
     * With only the access key id and secret key in the environment, both are returned and the
     * session token is null.
     */
    @Test
    public void getAwsSecurityCredentials_fromEnvironmentVariablesNoToken() throws IOException {
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey");

        AwsSecurityCredentials securityCredentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setEnvironmentProvider(environment)
                .build()
                .getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);

        Assert.assertEquals("awsAccessKeyId", securityCredentials.getAccessKeyId());
        Assert.assertEquals("awsSecretAccessKey", securityCredentials.getSecretAccessKey());
        Assert.assertNull(securityCredentials.getToken());
    }

    /**
     * With access key id, secret key and session token in the environment, all three are returned.
     * The credential source used here has empty region_url and url values.
     */
    @Test
    public void getAwsSecurityCredentials_fromEnvironmentVariablesWithToken() throws IOException {
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
                .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");

        AwsSecurityCredentials securityCredentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setEnvironmentProvider(environment)
                .setCredentialSource(new AwsCredentials.AwsCredentialSource(new HashMap<String, Object>() {
                    {
                        put("environment_id", "aws1");
                        put("region_url", "");
                        put("url", "");
                        put("regional_cred_verification_url", "regionalCredVerificationUrl");
                    }
                }))
                .build()
                .getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);

        Assert.assertEquals("awsAccessKeyId", securityCredentials.getAccessKeyId());
        Assert.assertEquals("awsSecretAccessKey", securityCredentials.getSecretAccessKey());
        Assert.assertEquals("awsSessionToken", securityCredentials.getToken());
    }

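    /**
     * With access key id, secret key and session token in the environment, the security
     * credentials come from those variables and no HTTP request is issued.
     *
     * <p>The "no metadata server call" half of the name was previously unchecked: the credential
     * kept the default transport of AWS_CREDENTIAL, so a stray request could not be observed. The
     * test now installs the recording mock transport, as the sibling tests do, and asserts that it
     * saw nothing. The credential source is the same AWS_CREDENTIAL_SOURCE that AWS_CREDENTIAL
     * already carries.
     */
    @Test
    public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerCall() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
                .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");

        AwsSecurityCredentials securityCredentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(AWS_CREDENTIAL_SOURCE)
                .setEnvironmentProvider(environment)
                .build()
                .getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);

        Assert.assertEquals("awsAccessKeyId", securityCredentials.getAccessKeyId());
        Assert.assertEquals("awsSecretAccessKey", securityCredentials.getSecretAccessKey());
        Assert.assertEquals("awsSessionToken", securityCredentials.getToken());

        // Environment-supplied credentials must not trigger any metadata request.
        Assert.assertTrue(transportFactory.transport.getRequests().isEmpty());
    }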

    /**
     * Without credentials in the environment, the values served by the mock metadata endpoints are
     * returned, after two requests: the role listing and the role-specific credentials URL.
     */
    @Test
    public void getAwsSecurityCredentials_fromMetadataServer() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();

        AwsSecurityCredentials securityCredentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(buildAwsCredentialSource(transportFactory))
                .build()
                .getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);

        Assert.assertEquals("accessKeyId", securityCredentials.getAccessKeyId());
        Assert.assertEquals("secretAccessKey", securityCredentials.getSecretAccessKey());
        Assert.assertEquals("token", securityCredentials.getToken());

        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(2L, recorded.size());
        ValidateRequest(recorded.get(0), AWS_CREDENTIALS_URL, EMPTY_STRING_HEADERS);
        ValidateRequest(recorded.get(1), AWS_CREDENTIALS_URL_WITH_ROLE, EMPTY_STRING_HEADERS);
    }

    /**
     * A credential source without the url field (and no credentials in the environment) must make
     * getAwsSecurityCredentials fail with a descriptive IOException, without any HTTP request.
     */
    @Test
    public void getAwsSecurityCredentials_fromMetadataServer_noUrlProvided() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        Map<String, Object> sourceMap = new HashMap<>();
        sourceMap.put("environment_id", "aws1");
        sourceMap.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);

        try {
            AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(new AwsCredentials.AwsCredentialSource(sourceMap))
                    .build()
                    .getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);
            Assert.fail("Should not be able to use credential without exception.");
        } catch (IOException expected) {
            Assert.assertEquals(
                    "Unable to determine the AWS IAM role name. The credential source does not contain the url field.",
                    expected.getMessage());
        }

        Assert.assertTrue(transportFactory.transport.getRequests().isEmpty());
    }

    /**
     * When both AWS_REGION and AWS_DEFAULT_REGION are set, AWS_REGION wins and no HTTP request is
     * made.
     */
    @Test
    public void getAwsRegion_awsRegionEnvironmentVariable() throws IOException {
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment.setEnv("AWS_REGION", "region");
        environment.setEnv("AWS_DEFAULT_REGION", "defaultRegion");
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();

        Assert.assertEquals(
                "region",
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsCredentialSource(transportFactory))
                        .setEnvironmentProvider(environment)
                        .build()
                        .getAwsRegion(EMPTY_METADATA_HEADERS));

        Assert.assertTrue(transportFactory.transport.getRequests().isEmpty());
    }

    /**
     * When only AWS_DEFAULT_REGION is set, its value is used as the region and no HTTP request is
     * made.
     */
    @Test
    public void getAwsRegion_awsDefaultRegionEnvironmentVariable() throws IOException {
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment.setEnv("AWS_DEFAULT_REGION", "defaultRegion");
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();

        Assert.assertEquals(
                "defaultRegion",
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsCredentialSource(transportFactory))
                        .setEnvironmentProvider(environment)
                        .build()
                        .getAwsRegion(EMPTY_METADATA_HEADERS));

        Assert.assertTrue(transportFactory.transport.getRequests().isEmpty());
    }

    /**
     * Without a region in the environment, the region is fetched with a single request to the
     * region URL. The expected value is the mock's region string minus its last character.
     */
    @Test
    public void getAwsRegion_metadataServer() throws IOException {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();

        // NOTE(review): the dropped trailing character is presumably an availability-zone suffix in
        // the mock's response; confirm against the mock transport.
        Assert.assertEquals(
                transportFactory.transport.getAwsRegion()
                        .substring(0, transportFactory.transport.getAwsRegion().length() - 1),
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsCredentialSource(transportFactory))
                        .build()
                        .getAwsRegion(EMPTY_METADATA_HEADERS));

        List<MockLowLevelHttpRequest> recorded = transportFactory.transport.getRequests();
        Assert.assertEquals(1L, recorded.size());
        ValidateRequest(recorded.get(0), AWS_REGION_URL, EMPTY_STRING_HEADERS);
    }

    /**
     * createScoped must return a credential that keeps every configured property of the original
     * (including the client id and client secret) and carries exactly the requested scopes.
     */
    @Test
    public void createdScoped_clonedCredentialWithAddedScopes() {
        AwsCredentials original = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setServiceAccountImpersonationUrl(SERVICE_ACCOUNT_IMPERSONATION_URL)
                .setQuotaProjectId("quotaProjectId")
                .setClientId("clientId")
                .setClientSecret("clientSecret")
                .build();
        List<String> requestedScopes = Arrays.asList("scope1", "scope2");

        AwsCredentials scoped = original.createScoped(requestedScopes);

        Assert.assertEquals(original.getAudience(), scoped.getAudience());
        Assert.assertEquals(original.getSubjectTokenType(), scoped.getSubjectTokenType());
        Assert.assertEquals(original.getTokenUrl(), scoped.getTokenUrl());
        Assert.assertEquals(original.getTokenInfoUrl(), scoped.getTokenInfoUrl());
        Assert.assertEquals(original.getServiceAccountImpersonationUrl(), scoped.getServiceAccountImpersonationUrl());
        Assert.assertEquals(original.getCredentialSource(), scoped.getCredentialSource());
        Assert.assertEquals(original.getQuotaProjectId(), scoped.getQuotaProjectId());
        Assert.assertEquals(original.getClientId(), scoped.getClientId());
        Assert.assertEquals(original.getClientSecret(), scoped.getClientSecret());
        Assert.assertEquals(requestedScopes, scoped.getScopes());
    }

    /**
     * An environment_id that does not name AWS ("azure1") must be rejected at construction with
     * "Invalid AWS environment ID.".
     */
    @Test
    public void credentialSource_invalidAwsEnvironmentId() {
        Map<String, Object> sourceMap = new HashMap<>();
        sourceMap.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);
        sourceMap.put("environment_id", "azure1");

        try {
            new AwsCredentials.AwsCredentialSource(sourceMap);
            Assert.fail("Exception should be thrown.");
        } catch (IllegalArgumentException expected) {
            Assert.assertEquals("Invalid AWS environment ID.", expected.getMessage());
        }
    }

    /**
     * An environment_id of "aws2" must be rejected at construction with a message saying that AWS
     * version 2 is not supported in the current build.
     */
    @Test
    public void credentialSource_invalidAwsEnvironmentVersion() {
        Map<String, Object> sourceMap = new HashMap<>();
        sourceMap.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);
        sourceMap.put("environment_id", "aws2");

        try {
            new AwsCredentials.AwsCredentialSource(sourceMap);
            Assert.fail("Exception should be thrown.");
        } catch (IllegalArgumentException expected) {
            String expectedMessage =
                    String.format("AWS version %s is not supported in the current build.", 2);
            Assert.assertEquals(expectedMessage, expected.getMessage());
        }
    }

    /**
     * An empty credential-source map must be rejected at construction because
     * regional_cred_verification_url is mandatory.
     */
    @Test
    public void credentialSource_missingRegionalCredVerificationUrl() {
        Map<String, Object> emptySourceMap = new HashMap<>();

        try {
            new AwsCredentials.AwsCredentialSource(emptySourceMap);
            Assert.fail("Exception should be thrown.");
        } catch (IllegalArgumentException expected) {
            Assert.assertEquals(
                    "A regional_cred_verification_url representing the GetCallerIdentity action URL must be specified.",
                    expected.getMessage());
        }
    }

    /**
     * With a region (under either variable name), an access key id and a secret key all present in
     * the environment, shouldUseMetadataServer() must be false.
     */
    @Test
    public void shouldUseMetadataServer_withRequiredEnvironmentVariables() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();

        for (String regionVariable : ImmutableList.of("AWS_REGION", "AWS_DEFAULT_REGION")) {
            TestEnvironmentProvider environment = new TestEnvironmentProvider();
            environment
                    .setEnv(regionVariable, "awsRegion")
                    .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                    .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey");

            Assert.assertFalse(
                    AwsCredentials.newBuilder(AWS_CREDENTIAL)
                            .setHttpTransportFactory(transportFactory)
                            .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                            .setEnvironmentProvider(environment)
                            .build()
                            .shouldUseMetadataServer());
        }
    }

    /**
     * With the access key id and secret key set but no region variable, shouldUseMetadataServer()
     * must be true.
     */
    @Test
    public void shouldUseMetadataServer_missingRegion() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory =
                new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        TestEnvironmentProvider environment = new TestEnvironmentProvider();
        environment
                .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
                .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey");

        Assert.assertTrue(
                AwsCredentials.newBuilder(AWS_CREDENTIAL)
                        .setHttpTransportFactory(transportFactory)
                        .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                        .setEnvironmentProvider(environment)
                        .build()
                        .shouldUseMetadataServer());
    }

    /**
     * Checks that {@code shouldUseMetadataServer()} returns true when a region and
     * AWS_SECRET_ACCESS_KEY are set but AWS_ACCESS_KEY_ID is not, for each of the two region
     * variable names.
     */
    @Test
    public void shouldUseMetadataServer_missingAwsAccessKeyId() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory = new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        List<String> regionVariables = ImmutableList.of("AWS_REGION", "AWS_DEFAULT_REGION");
        for (String regionVariable : regionVariables) {
            // Half a key pair in the environment must not count as usable credentials.
            TestEnvironmentProvider environment = new TestEnvironmentProvider();
            environment
                    .setEnv(regionVariable, "awsRegion")
                    .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey");
            AwsCredentials credentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                    .setEnvironmentProvider(environment)
                    .build();
            boolean usesMetadataServer = credentials.shouldUseMetadataServer();
            Assert.assertTrue(usesMetadataServer);
        }
    }

    /**
     * Checks that {@code shouldUseMetadataServer()} returns true when a region and
     * AWS_ACCESS_KEY_ID are set but AWS_SECRET_ACCESS_KEY is not, for each of the two region
     * variable names.
     */
    @Test
    public void shouldUseMetadataServer_missingAwsSecretAccessKey() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory = new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        List<String> regionVariables = ImmutableList.of("AWS_REGION", "AWS_DEFAULT_REGION");
        for (String regionVariable : regionVariables) {
            // An access key id without its secret is not a usable key pair.
            TestEnvironmentProvider environment = new TestEnvironmentProvider();
            environment
                    .setEnv(regionVariable, "awsRegion")
                    .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId");
            AwsCredentials credentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                    .setEnvironmentProvider(environment)
                    .build();
            boolean usesMetadataServer = credentials.shouldUseMetadataServer();
            Assert.assertTrue(usesMetadataServer);
        }
    }

    /**
     * Checks that {@code shouldUseMetadataServer()} returns true when only a region variable is
     * set and neither AWS key variable is present, for each of the two region variable names.
     */
    @Test
    public void shouldUseMetadataServer_missingAwsSecurityCreds() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory = new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        List<String> regionVariables = ImmutableList.of("AWS_REGION", "AWS_DEFAULT_REGION");
        for (String regionVariable : regionVariables) {
            // Region alone: the key pair is missing from the environment.
            TestEnvironmentProvider regionOnlyEnvironment = new TestEnvironmentProvider();
            regionOnlyEnvironment.setEnv(regionVariable, "awsRegion");
            AwsCredentials credentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                    .setHttpTransportFactory(transportFactory)
                    .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                    .setEnvironmentProvider(regionOnlyEnvironment)
                    .build();
            Assert.assertTrue(credentials.shouldUseMetadataServer());
        }
    }

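    /**
     * Checks that {@code shouldUseMetadataServer()} returns true when no AWS environment variables
     * are available at all.
     */
    @Test
    public void shouldUseMetadataServer_noEnvironmentVars() {
        ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory transportFactory = new ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory();
        // An explicitly empty provider keeps this test hermetic. Without it the result could
        // depend on AWS_* variables exported on the build host, if the builder falls back to the
        // process environment (the builder() test shows SystemEnvironmentProvider as the default).
        TestEnvironmentProvider emptyEnvironment = new TestEnvironmentProvider();
        AwsCredentials credentials = AwsCredentials.newBuilder(AWS_CREDENTIAL)
                .setHttpTransportFactory(transportFactory)
                .setCredentialSource(buildAwsImdsv2CredentialSource(transportFactory))
                .setEnvironmentProvider(emptyEnvironment)
                .build();
        Assert.assertTrue(credentials.shouldUseMetadataServer());
    }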

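    /**
     * Verifies that every value passed to the {@code AwsCredentials} builder is returned by the
     * matching getter, and that the environment provider defaults to
     * {@code SystemEnvironmentProvider.getInstance()} when none is set.
     */
    @Test
    public void builder() {
        List<String> scopes = Arrays.asList("scope1", "scope2");
        AwsCredentials credentials = AwsCredentials.newBuilder()
                .setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY)
                .setAudience("audience")
                .setSubjectTokenType("subjectTokenType")
                .setTokenUrl(STS_URL)
                .setTokenInfoUrl("tokenInfoUrl")
                .setCredentialSource(AWS_CREDENTIAL_SOURCE)
                .setServiceAccountImpersonationUrl(SERVICE_ACCOUNT_IMPERSONATION_URL)
                .setQuotaProjectId("quotaProjectId")
                .setClientId("clientId")
                .setClientSecret("clientSecret")
                .setScopes(scopes)
                .build();

        // JUnit's assertEquals takes (expected, actual); keeping that order makes a failure
        // report the configured value as "expected" rather than the other way round.
        Assert.assertEquals("audience", credentials.getAudience());
        Assert.assertEquals("subjectTokenType", credentials.getSubjectTokenType());
        Assert.assertEquals(STS_URL, credentials.getTokenUrl());
        Assert.assertEquals("tokenInfoUrl", credentials.getTokenInfoUrl());
        Assert.assertEquals(SERVICE_ACCOUNT_IMPERSONATION_URL, credentials.getServiceAccountImpersonationUrl());
        Assert.assertEquals(AWS_CREDENTIAL_SOURCE, credentials.getCredentialSource());
        Assert.assertEquals("quotaProjectId", credentials.getQuotaProjectId());
        Assert.assertEquals("clientId", credentials.getClientId());
        Assert.assertEquals("clientSecret", credentials.getClientSecret());
        Assert.assertEquals(scopes, credentials.getScopes());
        // No provider was set on the builder, so the process environment is the default source.
        Assert.assertEquals(SystemEnvironmentProvider.getInstance(), credentials.getEnvironmentProvider());
    }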

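    /**
     * Verifies that an {@code AwsCredentials} instance survives a serialization round trip: the
     * copy is equal to the original, has the same hash code and string form, and its clock is
     * {@code Clock.SYSTEM}.
     *
     * @throws IOException if the round trip fails on I/O
     * @throws ClassNotFoundException if the serialized class cannot be resolved on read
     */
    @Test
    public void serialize() throws IOException, ClassNotFoundException {
        AwsCredentials original = AwsCredentials.newBuilder()
                .setHttpTransportFactory(OAuth2Utils.HTTP_TRANSPORT_FACTORY)
                .setAudience("audience")
                .setSubjectTokenType("subjectTokenType")
                .setTokenUrl(STS_URL)
                .setTokenInfoUrl("tokenInfoUrl")
                .setCredentialSource(AWS_CREDENTIAL_SOURCE)
                .setServiceAccountImpersonationUrl(SERVICE_ACCOUNT_IMPERSONATION_URL)
                .setQuotaProjectId("quotaProjectId")
                .setClientId("clientId")
                .setClientSecret("clientSecret")
                .setScopes(Arrays.asList("scope1", "scope2"))
                .build();

        AwsCredentials restored = (AwsCredentials) serializeAndDeserialize(original);

        // NOTE(review): if equals() compares the client secret, this equality implies the secret
        // is part of the serialized form, so serialized credentials would need the same handling
        // as the secret itself. Confirm against AwsCredentials.equals().
        Assert.assertEquals(original, restored);
        Assert.assertEquals(original.hashCode(), restored.hashCode());
        Assert.assertEquals(original.toString(), restored.toString());
        // assertSame takes (expected, actual): the restored clock must be the system clock.
        Assert.assertSame(Clock.SYSTEM, restored.clock);
    }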

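    /**
     * Asserts that a recorded mock request was sent to the expected URL and carries each expected
     * header exactly once with the expected value. Headers present on the request but absent
     * from {@code map} are not checked.
     *
     * @param mockLowLevelHttpRequest the recorded request to inspect
     * @param str the URL the request is expected to target
     * @param map expected header names mapped to their single expected value
     */
    private static void ValidateRequest(MockLowLevelHttpRequest mockLowLevelHttpRequest, String str, Map<String, String> map) {
        Assert.assertEquals(str, mockLowLevelHttpRequest.getUrl());
        Map<String, List<String>> headers = mockLowLevelHttpRequest.getHeaders();
        for (Map.Entry<String, String> expectedHeader : map.entrySet()) {
            String name = expectedHeader.getKey();
            List<String> values = headers.get(name);
            // Failure messages name the header only; values may carry tokens.
            Assert.assertNotNull("Missing request header: " + name, values);
            Assert.assertEquals("Unexpected number of values for header: " + name, 1L, values.size());
            Assert.assertEquals(expectedHeader.getValue(), values.get(0));
        }
    }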

    /**
     * Builds a mutable AWS credential-source map whose region and credentials URLs come from the
     * given mock transport and whose verification URL is {@code GET_CALLER_IDENTITY_URL}.
     *
     * @param mockExternalAccountCredentialsTransportFactory factory whose transport supplies the
     *     region and credentials URLs
     * @return a new map that callers may extend with further entries
     */
    private static Map<String, Object> buildAwsCredentialSourceMap(ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory mockExternalAccountCredentialsTransportFactory) {
        Map<String, Object> credentialSource = new HashMap<>();
        credentialSource.put("environment_id", "aws1");
        credentialSource.put(
                "region_url",
                mockExternalAccountCredentialsTransportFactory.transport.getAwsRegionUrl());
        credentialSource.put(
                "url",
                mockExternalAccountCredentialsTransportFactory.transport.getAwsCredentialsUrl());
        credentialSource.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);
        return credentialSource;
    }

    /**
     * Wraps the map from {@code buildAwsCredentialSourceMap} in an {@code AwsCredentialSource}.
     * The map contains no {@code imdsv2_session_token_url} entry.
     *
     * @param mockExternalAccountCredentialsTransportFactory factory whose transport supplies the
     *     region and credentials URLs
     * @return the credential source built from that map
     */
    private static AwsCredentials.AwsCredentialSource buildAwsCredentialSource(ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory mockExternalAccountCredentialsTransportFactory) {
        Map<String, Object> sourceMap = buildAwsCredentialSourceMap(mockExternalAccountCredentialsTransportFactory);
        return new AwsCredentials.AwsCredentialSource(sourceMap);
    }

    /**
     * Builds an {@code AwsCredentialSource} like {@code buildAwsCredentialSource} does, with an
     * added {@code imdsv2_session_token_url} entry taken from the mock transport.
     *
     * @param mockExternalAccountCredentialsTransportFactory factory whose transport supplies the
     *     region, credentials and IMDSv2 session token URLs
     * @return the credential source including the session token URL
     */
    private static AwsCredentials.AwsCredentialSource buildAwsImdsv2CredentialSource(ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory mockExternalAccountCredentialsTransportFactory) {
        Map<String, Object> sourceMap = buildAwsCredentialSourceMap(mockExternalAccountCredentialsTransportFactory);
        // The session token URL is the only difference from the plain credential source.
        sourceMap.put(
                "imdsv2_session_token_url",
                mockExternalAccountCredentialsTransportFactory.transport.getAwsImdsv2SessionTokenUrl());
        AwsCredentials.AwsCredentialSource credentialSource = new AwsCredentials.AwsCredentialSource(sourceMap);
        return credentialSource;
    }

    /**
     * Builds a mutable AWS credential-source map whose region, credentials and IMDSv2 session
     * token URLs all use the IPv6 literal host {@code [fd00:ec2::254]} over plain {@code http}.
     *
     * @return a new map with the IPv6 URLs and {@code GET_CALLER_IDENTITY_URL} as the
     *     verification URL
     */
    private static Map<String, Object> buildAwsIpv6CredentialSourceMap() {
        Map<String, Object> ipv6Source = new HashMap<>();
        ipv6Source.put("environment_id", "aws1");
        // fd00:ec2::254 is the IPv6 address of the EC2 instance metadata service.
        ipv6Source.put("region_url", "http://[fd00:ec2::254]/region");
        ipv6Source.put("url", "http://[fd00:ec2::254]");
        ipv6Source.put("imdsv2_session_token_url", "http://[fd00:ec2::254]/imdsv2");
        ipv6Source.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);
        return ipv6Source;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds an {@code external_account} credential configuration with an AWS credential source
     * and returns it as a JSON input stream. Audience, subject token type and token info URL are
     * fixed placeholder strings.
     *
     * @param str value stored under {@code token_url}
     * @param str2 value stored under the credential source's {@code region_url}
     * @param str3 value stored under the credential source's {@code url}
     * @return the configuration serialized by {@code TestUtils.jsonToInputStream}
     * @throws IOException declared by the signature; presumably raised by the serialization step
     */
    public static InputStream writeAwsCredentialsStream(String str, String str2, String str3) throws IOException {
        // Nested "credential_source" object describing where AWS values are fetched from.
        GenericJson credentialSource = new GenericJson();
        credentialSource.put("environment_id", "aws1");
        credentialSource.put("region_url", str2);
        credentialSource.put("url", str3);
        credentialSource.put("regional_cred_verification_url", GET_CALLER_IDENTITY_URL);

        // Top-level external-account configuration.
        GenericJson configuration = new GenericJson();
        configuration.put("audience", "audience");
        configuration.put("subject_token_type", "subjectTokenType");
        configuration.put("token_url", str);
        configuration.put("token_info_url", "tokenInfoUrl");
        configuration.put("type", "external_account");
        configuration.put("credential_source", credentialSource);

        InputStream stream = TestUtils.jsonToInputStream(configuration);
        return stream;
    }
}
