package com.google.firebase.auth.internal;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpResponseInterceptor;
import com.google.api.client.http.json.JsonHttpContent;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.util.Key;
import com.google.api.client.util.StringUtils;
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.BaseEncoding;
import com.google.common.io.ByteStreams;
import com.google.firebase.FirebaseApp;
import com.google.firebase.FirebaseOptions;
import com.google.firebase.ImplFirebaseTrampolines;
import com.google.firebase.internal.FirebaseRequestInitializer;
import com.google.firebase.internal.NonNull;
import java.io.IOException;

/* loaded from: input_file:com/google/firebase/auth/internal/CryptoSigners.class */
public class CryptoSigners {
    private static final String METADATA_SERVICE_URL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";

    /* loaded from: input_file:com/google/firebase/auth/internal/CryptoSigners$IAMCryptoSigner.class */
    static class IAMCryptoSigner implements CryptoSigner {
        private static final String IAM_SIGN_BLOB_URL = "https://iam.googleapis.com/v1/projects/-/serviceAccounts/%s:signBlob";
        private final HttpRequestFactory requestFactory;
        private final JsonFactory jsonFactory;
        private final String serviceAccount;
        private HttpResponseInterceptor interceptor;

        IAMCryptoSigner(@NonNull HttpRequestFactory httpRequestFactory, @NonNull JsonFactory jsonFactory, @NonNull String str) {
            this.requestFactory = (HttpRequestFactory) Preconditions.checkNotNull(httpRequestFactory);
            this.jsonFactory = (JsonFactory) Preconditions.checkNotNull(jsonFactory);
            Preconditions.checkArgument(!Strings.isNullOrEmpty(str));
            this.serviceAccount = str;
        }

        void setInterceptor(HttpResponseInterceptor httpResponseInterceptor) {
            this.interceptor = httpResponseInterceptor;
        }

        @Override // com.google.firebase.auth.internal.CryptoSigner
        public byte[] sign(byte[] bArr) throws IOException {
            HttpResponse httpResponse = null;
            try {
                HttpRequest buildPostRequest = this.requestFactory.buildPostRequest(new GenericUrl(String.format(IAM_SIGN_BLOB_URL, this.serviceAccount)), new JsonHttpContent(this.jsonFactory, ImmutableMap.of("bytesToSign", BaseEncoding.base64().encode(bArr))));
                buildPostRequest.setParser(new JsonObjectParser(this.jsonFactory));
                buildPostRequest.setResponseInterceptor(this.interceptor);
                httpResponse = buildPostRequest.execute();
                byte[] decode = BaseEncoding.base64().decode(((SignBlobResponse) httpResponse.parseAs(SignBlobResponse.class)).signature);
                if (httpResponse != null) {
                    try {
                        httpResponse.disconnect();
                    } catch (IOException e) {
                    }
                }
                return decode;
            } catch (Throwable th) {
                if (httpResponse != null) {
                    try {
                        httpResponse.disconnect();
                    } catch (IOException e2) {
                    }
                }
                throw th;
            }
        }

        @Override // com.google.firebase.auth.internal.CryptoSigner
        public String getAccount() {
            return this.serviceAccount;
        }
    }

    /* loaded from: input_file:com/google/firebase/auth/internal/CryptoSigners$ServiceAccountCryptoSigner.class */
    static class ServiceAccountCryptoSigner implements CryptoSigner {
        private final ServiceAccountSigner signer;

        ServiceAccountCryptoSigner(@NonNull ServiceAccountSigner serviceAccountSigner) {
            this.signer = (ServiceAccountSigner) Preconditions.checkNotNull(serviceAccountSigner);
        }

        @Override // com.google.firebase.auth.internal.CryptoSigner
        public byte[] sign(byte[] bArr) {
            return this.signer.sign(bArr);
        }

        @Override // com.google.firebase.auth.internal.CryptoSigner
        public String getAccount() {
            return this.signer.getAccount();
        }
    }

    /* loaded from: input_file:com/google/firebase/auth/internal/CryptoSigners$SignBlobResponse.class */
    public static class SignBlobResponse {

        @Key("signature")
        private String signature;
    }

    public static CryptoSigner getCryptoSigner(FirebaseApp firebaseApp) throws IOException {
        Object credentials = ImplFirebaseTrampolines.getCredentials(firebaseApp);
        if (credentials instanceof ServiceAccountCredentials) {
            return new ServiceAccountCryptoSigner((ServiceAccountCredentials) credentials);
        }
        FirebaseOptions options = firebaseApp.getOptions();
        HttpRequestFactory createRequestFactory = options.getHttpTransport().createRequestFactory(new FirebaseRequestInitializer(firebaseApp));
        JsonFactory jsonFactory = options.getJsonFactory();
        String serviceAccountId = options.getServiceAccountId();
        if (!Strings.isNullOrEmpty(serviceAccountId)) {
            return new IAMCryptoSigner(createRequestFactory, jsonFactory, serviceAccountId);
        }
        if (credentials instanceof ServiceAccountSigner) {
            return new ServiceAccountCryptoSigner((ServiceAccountSigner) credentials);
        }
        HttpRequest buildGetRequest = createRequestFactory.buildGetRequest(new GenericUrl(METADATA_SERVICE_URL));
        buildGetRequest.getHeaders().set("Metadata-Flavor", "Google");
        HttpResponse execute = buildGetRequest.execute();
        try {
            IAMCryptoSigner iAMCryptoSigner = new IAMCryptoSigner(createRequestFactory, jsonFactory, StringUtils.newStringUtf8(ByteStreams.toByteArray(execute.getContent())).trim());
            execute.disconnect();
            return iAMCryptoSigner;
        } catch (Throwable th) {
            execute.disconnect();
            throw th;
        }
    }
}
