package com.google.cloud.hadoop.util;

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.oauth2.CredentialStore;
import com.google.api.client.auth.oauth2.TokenRequest;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.java6.auth.oauth2.FileCredentialStore;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.compute.ComputeCredential;
import com.google.api.client.googleapis.extensions.java6.auth.oauth2.GooglePromptReceiver;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpBackOffIOExceptionHandler;
import com.google.api.client.http.HttpBackOffUnsuccessfulResponseHandler;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.api.client.util.ExponentialBackOff;
import com.google.api.client.util.PemReader;
import com.google.api.client.util.SecurityUtils;
import com.google.api.services.storage.StorageScopes;
import com.google.cloud.hadoop.util.HttpTransportFactory;
import com.google.common.base.Joiner;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.flogger.GoogleLogger;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.List;

/* loaded from: input_file:com/google/cloud/hadoop/util/CredentialFactory.class */
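/**
 * Builds OAuth2 {@link Credential} objects for Google Cloud Storage access from several
 * sources: the Compute Engine metadata server, a P12 or JSON service-account key, raw
 * service-account parameters, an installed-app flow backed by a file credential store, and
 * application default credentials.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The token endpoint can be replaced through the {@code GOOGLE_OAUTH_TOKEN_SERVER_URL}
 *       environment variable. No scheme or host validation is applied here, so signed JWT
 *       assertions and refresh requests go to whatever URL the process environment names.</li>
 *   <li>{@link #GCS_SCOPES} requests full control of Cloud Storage; callers that need less
 *       should pass a narrower scope list to the factory methods.</li>
 *   <li>Debug logging never includes the OAuth client secret or private-key material.</li>
 * </ul>
 */
public class CredentialFactory {
    /** Environment variable whose presence is treated as "application default credentials configured". */
    static final String CREDENTIAL_ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS";
    private static final String TOKEN_SERVER_URL_DEFAULT = "https://oauth2.googleapis.com/token";
    private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
    private static final String TOKEN_SERVER_URL_ENV_VAR = "GOOGLE_OAUTH_TOKEN_SERVER_URL";

    // Resolved once at class-initialisation time. Whoever controls the process environment
    // controls where token requests (including signed assertions) are sent, so treat this
    // variable as security-sensitive configuration.
    private static final String TOKEN_SERVER_URL =
            MoreObjects.firstNonNull(System.getenv(TOKEN_SERVER_URL_ENV_VAR), TOKEN_SERVER_URL_DEFAULT);

    /** Default scope list: full control over Cloud Storage. */
    public static final ImmutableList<String> GCS_SCOPES = ImmutableList.of(StorageScopes.DEVSTORAGE_FULL_CONTROL);
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();

    // Lazily created, shared transport; guarded by the class lock in getStaticHttpTransport().
    private static HttpTransport staticHttpTransport = null;

    /**
     * {@link ComputeCredential} whose token refresh is built through the credential's request
     * initializer, so that a retry initializer set on the builder applies to the metadata
     * request.
     */
    public static class ComputeCredentialWithRetry extends ComputeCredential {
        public ComputeCredentialWithRetry(ComputeCredential.Builder builder) {
            super(builder);
        }

        /**
         * Fetches a fresh access token from the token server URL of this credential.
         *
         * @return the parsed token response
         * @throws IOException if the request or the response parsing fails
         */
        @Override
        protected TokenResponse executeRefreshToken() throws IOException {
            HttpRequest request = getTransport()
                    .createRequestFactory(getRequestInitializer())
                    .buildGetRequest(new GenericUrl(getTokenServerEncodedUrl()))
                    .setParser(new JsonObjectParser(getJsonFactory()));
            // The GCE metadata server expects this header on every request.
            request.getHeaders().set("Metadata-Flavor", "Google");
            return request.execute().parseAs(TokenResponse.class);
        }
    }

    /**
     * Request initializer that installs exponential back-off handlers for both I/O errors and
     * unsuccessful HTTP responses.
     */
    public static class CredentialHttpRetryInitializer implements HttpRequestInitializer {
        @Override
        public void initialize(HttpRequest httpRequest) throws IOException {
            // Each handler gets its own back-off instance so their state is independent.
            httpRequest.setIOExceptionHandler(new HttpBackOffIOExceptionHandler(new ExponentialBackOff()));
            httpRequest.setUnsuccessfulResponseHandler(new HttpBackOffUnsuccessfulResponseHandler(new ExponentialBackOff()));
        }
    }

    /**
     * {@link GoogleCredential} that always talks to {@code TOKEN_SERVER_URL} and, for
     * service-account keys, signs its own JWT bearer assertion so the token request goes
     * through the credential's request initializer.
     */
    public static class GoogleCredentialWithRetry extends GoogleCredential {
        private static final int DEFAULT_TOKEN_EXPIRATION_SECONDS = 3600;

        /**
         * Copies the given credential into a {@code GoogleCredentialWithRetry} that uses
         * {@link CredentialHttpRetryInitializer}.
         *
         * <p>The token server URL copied from {@code googleCredential} is overridden by the
         * constructor with {@code TOKEN_SERVER_URL}.
         *
         * @param googleCredential the credential to copy
         * @return the retry-enabled copy, carrying the refresh token when one is present
         */
        public static GoogleCredentialWithRetry fromGoogleCredential(GoogleCredential googleCredential) {
            GoogleCredential.Builder builder = new GoogleCredential.Builder()
                    .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
                    .setServiceAccountPrivateKeyId(googleCredential.getServiceAccountPrivateKeyId())
                    .setServiceAccountId(googleCredential.getServiceAccountId())
                    .setServiceAccountUser(googleCredential.getServiceAccountUser())
                    .setServiceAccountScopes(googleCredential.getServiceAccountScopes())
                    .setTokenServerEncodedUrl(googleCredential.getTokenServerEncodedUrl())
                    .setTransport(googleCredential.getTransport())
                    .setClientAuthentication(googleCredential.getClientAuthentication())
                    .setJsonFactory(googleCredential.getJsonFactory())
                    .setClock(googleCredential.getClock())
                    .setRequestInitializer(new CredentialHttpRetryInitializer());
            GoogleCredentialWithRetry copy = new GoogleCredentialWithRetry(builder);
            String refreshToken = googleCredential.getRefreshToken();
            if (refreshToken != null) {
                copy.setRefreshToken(refreshToken);
            }
            return copy;
        }

        /**
         * Creates the credential, forcing the token server URL to {@code TOKEN_SERVER_URL}
         * regardless of what the builder carried.
         */
        public GoogleCredentialWithRetry(GoogleCredential.Builder builder) {
            super(builder.setTokenServerEncodedUrl(CredentialFactory.TOKEN_SERVER_URL));
        }

        /**
         * Obtains a new access token.
         *
         * <p>Without a service-account private key the parent implementation is used. With one,
         * an RS256-signed JWT assertion (audience = the token server URL, lifetime
         * {@code DEFAULT_TOKEN_EXPIRATION_SECONDS}) is posted with the JWT-bearer grant type.
         *
         * <p>NOTE: this method is public here; the decompiler reports the original access
         * modifier as protected.
         *
         * @return the token response from the token server
         * @throws IOException if the request fails or the assertion cannot be signed
         */
        @Override
        public TokenResponse executeRefreshToken() throws IOException {
            if (getServiceAccountPrivateKey() == null) {
                return super.executeRefreshToken();
            }
            JsonWebSignature.Header header = new JsonWebSignature.Header()
                    .setAlgorithm("RS256")
                    .setType("JWT")
                    .setKeyId(getServiceAccountPrivateKeyId());
            long issuedAtSeconds = getClock().currentTimeMillis() / 1000;
            JsonWebToken.Payload payload = new JsonWebToken.Payload()
                    .setIssuer(getServiceAccountId())
                    .setAudience(getTokenServerEncodedUrl())
                    .setIssuedAtTimeSeconds(issuedAtSeconds)
                    .setExpirationTimeSeconds(issuedAtSeconds + DEFAULT_TOKEN_EXPIRATION_SECONDS)
                    .setSubject(getServiceAccountUser());
            payload.put("scope", Joiner.on(' ').join(getServiceAccountScopes()));
            try {
                String assertion = JsonWebSignature.signUsingRsaSha256(
                        getServiceAccountPrivateKey(), getJsonFactory(), header, payload);
                TokenRequest tokenRequest = new TokenRequest(
                        getTransport(),
                        getJsonFactory(),
                        new GenericUrl(getTokenServerEncodedUrl()),
                        "urn:ietf:params:oauth:grant-type:jwt-bearer")
                        .setRequestInitializer(getRequestInitializer());
                tokenRequest.put("assertion", assertion);
                return tokenRequest.execute();
            } catch (GeneralSecurityException e) {
                // Keep the cause; the message deliberately contains no key material.
                throw new IOException("Failed to sign service account token request", e);
            }
        }
    }

    /** Returns the shared {@code JAVA_NET} transport, creating it on first use. */
    private static synchronized HttpTransport getStaticHttpTransport() throws IOException, GeneralSecurityException {
        if (staticHttpTransport == null) {
            staticHttpTransport = HttpTransportFactory.createHttpTransport(HttpTransportFactory.HttpTransportType.JAVA_NET);
        }
        return staticHttpTransport;
    }

    /**
     * Builds a credential from the Compute Engine metadata server and refreshes it once, so
     * that a misconfigured environment fails here rather than on first use.
     *
     * @return the refreshed credential
     * @throws IOException if the token cannot be fetched; the message names the token URL
     * @throws GeneralSecurityException if the shared transport cannot be created
     */
    public Credential getCredentialFromMetadataServiceAccount() throws IOException, GeneralSecurityException {
        logger.atFine().log("getCredentialFromMetadataServiceAccount()");
        ComputeCredential.Builder builder = new ComputeCredential.Builder(getStaticHttpTransport(), JSON_FACTORY)
                .setRequestInitializer(new CredentialHttpRetryInitializer());
        ComputeCredentialWithRetry credential = new ComputeCredentialWithRetry(builder);
        try {
            credential.refreshToken();
            return credential;
        } catch (IOException e) {
            throw new IOException("Error getting access token from metadata server at: " + credential.getTokenServerEncodedUrl(), e);
        }
    }

    /**
     * Builds a service-account credential from a P12 private-key file.
     *
     * @param str the service-account id (e-mail)
     * @param str2 path of the P12 key file; only the path is logged, never the key
     * @param list OAuth scopes to request
     * @param httpTransport transport used for token requests
     * @return the retry-enabled credential
     * @throws IOException if the key file cannot be read
     * @throws GeneralSecurityException if the key cannot be loaded
     */
    public Credential getCredentialFromPrivateKeyServiceAccount(String str, String str2, List<String> list, HttpTransport httpTransport) throws IOException, GeneralSecurityException {
        logger.atFine().log("getCredentialFromPrivateKeyServiceAccount(%s, %s, %s)", str, str2, list);
        GoogleCredential.Builder builder = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(JSON_FACTORY)
                .setServiceAccountId(str)
                .setServiceAccountScopes(list)
                .setServiceAccountPrivateKeyFromP12File(new File(str2))
                .setRequestInitializer(new CredentialHttpRetryInitializer());
        return new GoogleCredentialWithRetry(builder);
    }

    /**
     * Builds a credential from a JSON key file.
     *
     * @param str path of the JSON key file; only the path is logged
     * @param list OAuth scopes to request
     * @param httpTransport transport used for token requests
     * @return the retry-enabled, scoped credential
     * @throws IOException if the file cannot be opened, read or parsed
     * @throws GeneralSecurityException declared for callers; not thrown by the visible code
     */
    public Credential getCredentialFromJsonKeyFile(String str, List<String> list, HttpTransport httpTransport) throws IOException, GeneralSecurityException {
        logger.atFine().log("getCredentialFromJsonKeyFile(%s, %s)", str, list);
        // try-with-resources closes the key file on every path and records a close()
        // failure as a suppressed exception instead of losing the primary one.
        try (FileInputStream keyFileStream = new FileInputStream(str)) {
            GoogleCredential scoped = GoogleCredential.fromStream(keyFileStream, httpTransport, JSON_FACTORY).createScoped(list);
            return GoogleCredentialWithRetry.fromGoogleCredential(scoped);
        }
    }

    /**
     * Builds a service-account credential from individual key parameters.
     *
     * @param str the private key id
     * @param str2 the PKCS#8 private key in PEM form; never logged
     * @param str3 the service-account id (e-mail); the only value logged
     * @param list OAuth scopes to request
     * @param httpTransport transport used for token requests
     * @return the credential
     * @throws IOException if any of the three key parameters is null or the key is invalid
     */
    public Credential getCredentialsFromSAParameters(String str, String str2, String str3, List<String> list, HttpTransport httpTransport) throws IOException {
        logger.atFine().log("getServiceAccountCredentialFromHadoopConfiguration(%s)", str3);
        if (str3 == null || str2 == null || str == null) {
            throw new IOException("Error reading service account credential from stream, expecting, 'client_email', 'private_key' and 'private_key_id'.");
        }
        // NOTE(review): unlike the sibling factory methods, no CredentialHttpRetryInitializer
        // is set on this builder, so token requests here are presumably not retried - confirm
        // whether that is intended.
        GoogleCredential.Builder builder = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(JSON_FACTORY)
                .setServiceAccountId(str3)
                .setServiceAccountScopes(list)
                .setServiceAccountPrivateKey(privateKeyFromPkcs8(str2))
                .setServiceAccountPrivateKeyId(str);
        return new GoogleCredentialWithRetry(builder);
    }

    /**
     * Runs the installed-application authorization flow, using a file-backed credential store.
     *
     * <p>The file at {@code str3} is handed to {@link FileCredentialStore}; it presumably ends
     * up holding OAuth tokens, so it should be readable by the owning user only.
     *
     * @param str the OAuth client id
     * @param str2 the OAuth client secret; redacted in log output
     * @param str3 path of the credential store file
     * @param list OAuth scopes to request
     * @param httpTransport transport used for token requests
     * @return the authorized credential for user id {@code "user"}
     * @throws IllegalArgumentException if the id, secret or path is null or empty
     * @throws NullPointerException if {@code list} is null
     * @throws IOException if the store or the authorization flow fails
     * @throws GeneralSecurityException declared for callers; not thrown by the visible code
     */
    public Credential getCredentialFromFileCredentialStoreForInstalledApp(String str, String str2, String str3, List<String> list, HttpTransport httpTransport) throws IOException, GeneralSecurityException {
        // The client secret must not reach log files, even at FINE level; log a marker instead.
        logger.atFine().log("getCredentialFromFileCredentialStoreForInstalledApp(%s, %s, %s, %s)", str, "<redacted>", str3, list);
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str), "clientId must not be null or empty");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str2), "clientSecret must not be null or empty");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str3), "filePath must not be null or empty");
        Preconditions.checkNotNull(list, "scopes must not be null");
        GoogleClientSecrets clientSecrets = new GoogleClientSecrets()
                .setInstalled(new GoogleClientSecrets.Details().setClientId(str).setClientSecret(str2));
        GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(httpTransport, JSON_FACTORY, clientSecrets, list)
                .setCredentialStore(new FileCredentialStore(new File(str3), JSON_FACTORY))
                .setRequestInitializer(new CredentialHttpRetryInitializer())
                .setTokenServerUrl(new GenericUrl(TOKEN_SERVER_URL))
                .build();
        return new AuthorizationCodeInstalledApp(flow, new GooglePromptReceiver()).authorize("user");
    }

    /**
     * Reports whether {@code GOOGLE_APPLICATION_CREDENTIALS} is set in the environment. Only
     * presence is checked; the referenced file is not opened or validated.
     *
     * <p>NOTE: public here; the decompiler reports the original access as package-private.
     */
    public boolean hasApplicationDefaultCredentialsConfigured() {
        return System.getenv(CREDENTIAL_ENV_VAR) != null;
    }

    /**
     * Loads application default credentials and wraps them with retry handling.
     *
     * @param list OAuth scopes to request
     * @param httpTransport transport used for token requests
     * @return the retry-enabled, scoped credential
     * @throws IOException if the default credentials cannot be loaded
     * @throws GeneralSecurityException declared for callers; not thrown by the visible code
     */
    public Credential getApplicationDefaultCredentials(List<String> list, HttpTransport httpTransport) throws IOException, GeneralSecurityException {
        logger.atFine().log("getApplicationDefaultCredential(%s)", list);
        GoogleCredential scoped = GoogleCredential.getApplicationDefault(httpTransport, JSON_FACTORY).createScoped(list);
        return GoogleCredentialWithRetry.fromGoogleCredential(scoped);
    }

    /**
     * Parses the first {@code PRIVATE KEY} PEM section of {@code str} as an RSA PKCS#8 key.
     *
     * @param str PEM text; callers must pass a non-null value
     * @return the decoded private key
     * @throws IOException if no such section exists or the key bytes are not a valid RSA key
     */
    private static PrivateKey privateKeyFromPkcs8(String str) throws IOException {
        PemReader.Section section = PemReader.readFirstSectionAndClose(new StringReader(str), "PRIVATE KEY");
        if (section == null) {
            throw new IOException("Invalid PKCS8 data.");
        }
        try {
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(section.getBase64DecodedBytes());
            return SecurityUtils.getRsaKeyFactory().generatePrivate(keySpec);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IOException("Unexpected expcetion reading PKCS data", e);
        }
    }
}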
