package com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2;

import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.http.HttpTransportFactory;
import com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.OAuth2Credentials;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.annotations.VisibleForTesting;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.base.MoreObjects;
import com.google.cloud.hadoop.repackaged.gcs.com.google.common.base.Preconditions;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.io.IOException;

/* loaded from: input_file:com/google/cloud/hadoop/repackaged/gcs/com/google/auth/oauth2/DownscopedCredentials.class */
public final class DownscopedCredentials extends OAuth2Credentials {
    private static final String TOKEN_EXCHANGE_ENDPOINT = "https://sts.googleapis.com/v1/token";
    private final GoogleCredentials sourceCredential;
    private final CredentialAccessBoundary credentialAccessBoundary;
    private final transient HttpTransportFactory transportFactory;

    /* loaded from: input_file:com/google/cloud/hadoop/repackaged/gcs/com/google/auth/oauth2/DownscopedCredentials$Builder.class */
    public static class Builder extends OAuth2Credentials.Builder {
        private GoogleCredentials sourceCredential;
        private CredentialAccessBoundary credentialAccessBoundary;
        private HttpTransportFactory transportFactory;

        private Builder() {
        }

        @CanIgnoreReturnValue
        public Builder setSourceCredential(GoogleCredentials googleCredentials) {
            this.sourceCredential = googleCredentials;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setCredentialAccessBoundary(CredentialAccessBoundary credentialAccessBoundary) {
            this.credentialAccessBoundary = credentialAccessBoundary;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.transportFactory = httpTransportFactory;
            return this;
        }

        @Override // com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.OAuth2Credentials.Builder
        public DownscopedCredentials build() {
            return new DownscopedCredentials(this.sourceCredential, this.credentialAccessBoundary, this.transportFactory);
        }
    }

    private DownscopedCredentials(GoogleCredentials googleCredentials, CredentialAccessBoundary credentialAccessBoundary, HttpTransportFactory httpTransportFactory) {
        this.transportFactory = (HttpTransportFactory) MoreObjects.firstNonNull(httpTransportFactory, getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
        this.sourceCredential = (GoogleCredentials) Preconditions.checkNotNull(googleCredentials);
        this.credentialAccessBoundary = (CredentialAccessBoundary) Preconditions.checkNotNull(credentialAccessBoundary);
    }

    @Override // com.google.cloud.hadoop.repackaged.gcs.com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() throws IOException {
        try {
            this.sourceCredential.refreshIfExpired();
            AccessToken accessToken = StsRequestHandler.newBuilder(TOKEN_EXCHANGE_ENDPOINT, StsTokenExchangeRequest.newBuilder(this.sourceCredential.getAccessToken().getTokenValue(), "urn:ietf:params:oauth:token-type:access_token").setRequestTokenType("urn:ietf:params:oauth:token-type:access_token").build(), this.transportFactory.create().createRequestFactory()).setInternalOptions(this.credentialAccessBoundary.toJson()).build().exchangeToken().getAccessToken();
            if (accessToken.getExpirationTime() == null) {
                AccessToken accessToken2 = this.sourceCredential.getAccessToken();
                if (accessToken2.getExpirationTime() != null) {
                    return new AccessToken(accessToken.getTokenValue(), accessToken2.getExpirationTime());
                }
            }
            return accessToken;
        } catch (IOException e) {
            throw new IOException("Unable to refresh the provided source credential.", e);
        }
    }

    public GoogleCredentials getSourceCredentials() {
        return this.sourceCredential;
    }

    public CredentialAccessBoundary getCredentialAccessBoundary() {
        return this.credentialAccessBoundary;
    }

    @VisibleForTesting
    HttpTransportFactory getTransportFactory() {
        return this.transportFactory;
    }

    public static Builder newBuilder() {
        return new Builder();
    }
}
