package com.google.cloud.sql.core;

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.services.sqladmin.SQLAdmin;
import com.google.auth.Credentials;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.Optional;
import java.util.logging.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/google/cloud/sql/core/DefaultAccessTokenSupplier.class */
public class DefaultAccessTokenSupplier implements AccessTokenSupplier {
    private static final Logger logger = Logger.getLogger(DefaultAccessTokenSupplier.class.getName());
    private static final String SQL_LOGIN_SCOPE = "https://www.googleapis.com/auth/sqlservice.login";
    private final HttpRequestInitializer requestInitializer;
    private final int retryCount;
    private final Duration retryDuration;

    /* JADX INFO: Access modifiers changed from: package-private */
    public DefaultAccessTokenSupplier(HttpRequestInitializer httpRequestInitializer) {
        this(httpRequestInitializer, 3, Duration.ofSeconds(3L));
    }

    DefaultAccessTokenSupplier(HttpRequestInitializer httpRequestInitializer, int i, Duration duration) {
        this.requestInitializer = httpRequestInitializer;
        this.retryCount = i;
        this.retryDuration = duration;
    }

    private GoogleCredentials parseCredentials() {
        if (this.requestInitializer instanceof HttpCredentialsAdapter) {
            Credentials credentials = ((HttpCredentialsAdapter) this.requestInitializer).getCredentials();
            if (credentials instanceof GoogleCredentials) {
                return (GoogleCredentials) credentials;
            }
            throw new RuntimeException(String.format("Unable to connect via automatic IAM authentication: HttpCredentialsAdapter did not create valid credentials. %s, %s", this.requestInitializer.getClass().getName(), credentials));
        }
        if (!(this.requestInitializer instanceof Credential)) {
            throw new RuntimeException(String.format("Unable to connect via automatic IAM authentication: Unsupported credentials of type %s", this.requestInitializer.getClass().getName()));
        }
        final Credential credential = (Credential) this.requestInitializer;
        return new GoogleCredentials(new AccessToken(credential.getAccessToken(), getTokenExpirationTime(credential).orElse(null))) { // from class: com.google.cloud.sql.core.DefaultAccessTokenSupplier.1
            @Override // com.google.auth.oauth2.OAuth2Credentials
            public AccessToken refreshAccessToken() throws IOException {
                credential.refreshToken();
                return new AccessToken(credential.getAccessToken(), (Date) DefaultAccessTokenSupplier.this.getTokenExpirationTime(credential).orElse(null));
            }
        };
    }

    @Override // com.google.cloud.sql.core.AccessTokenSupplier
    public Optional<AccessToken> get() throws IOException {
        if (this.requestInitializer == null) {
            return Optional.empty();
        }
        try {
            return (Optional) new RetryingCallable(() -> {
                GoogleCredentials parseCredentials = parseCredentials();
                try {
                    parseCredentials.refreshIfExpired();
                    if (parseCredentials.getAccessToken() == null || SQLAdmin.DEFAULT_SERVICE_PATH.equals(parseCredentials.getAccessToken().getTokenValue())) {
                        logger.warning("Access Token has length of zero");
                        throw new IllegalStateException("Access Token has length of zero");
                    }
                    validateAccessTokenExpiration(parseCredentials.getAccessToken());
                    GoogleCredentials downscopedCredentials = getDownscopedCredentials(parseCredentials);
                    if (downscopedCredentials.getAccessToken() == null || SQLAdmin.DEFAULT_SERVICE_PATH.equals(downscopedCredentials.getAccessToken().getTokenValue())) {
                        try {
                            downscopedCredentials.refreshIfExpired();
                            if (downscopedCredentials.getAccessToken() == null || SQLAdmin.DEFAULT_SERVICE_PATH.equals(downscopedCredentials.getAccessToken().getTokenValue())) {
                                logger.warning("Downscoped access token has length of zero");
                                throw new IllegalStateException("Downscoped access token has length of zero: " + downscopedCredentials.getClass().getName() + " from " + parseCredentials.getClass().getName());
                            }
                            validateAccessTokenExpiration(downscopedCredentials.getAccessToken());
                        } catch (Exception e) {
                            throw new IllegalStateException("Error refreshing downscoped credentials " + parseCredentials, e);
                        }
                    }
                    return Optional.of(downscopedCredentials.getAccessToken());
                } catch (IllegalStateException e2) {
                    throw new IllegalStateException("Error refreshing credentials " + parseCredentials, e2);
                }
            }, this.retryCount, this.retryDuration).call();
        } catch (IOException | RuntimeException e) {
            throw e;
        } catch (Exception e2) {
            throw new RuntimeException("Unexpected exception refreshing authentication token", e2);
        }
    }

    private void validateAccessTokenExpiration(AccessToken accessToken) {
        Date expirationTime = accessToken.getExpirationTime();
        if (expirationTime != null) {
            Instant instant = expirationTime.toInstant();
            Instant now = Instant.now();
            if (instant.isBefore(now) || instant.equals(now)) {
                DateTimeFormatter withZone = DateTimeFormatter.ISO_INSTANT.withZone(ZoneId.of("UTC"));
                String str = "Access Token expiration time is in the past. Now = " + withZone.format(now) + " Expiration = " + withZone.format(instant);
                logger.warning(str);
                throw new IllegalStateException(str);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Optional<Date> getTokenExpirationTime(Optional<AccessToken> optional) {
        return optional.flatMap(accessToken -> {
            return Optional.ofNullable(accessToken.getExpirationTime());
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Optional<Date> getTokenExpirationTime(Credential credential) {
        return Optional.ofNullable(credential.getExpirationTimeMilliseconds()).map((v1) -> {
            return new Date(v1);
        });
    }

    static GoogleCredentials getDownscopedCredentials(GoogleCredentials googleCredentials) {
        return googleCredentials.createScoped(SQL_LOGIN_SCOPE);
    }
}
