package com.google.firebase.auth.internal;

import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.ArrayMap;
import com.google.api.client.util.Clock;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.internal.NonNull;
import java.io.IOException;
import java.math.BigDecimal;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;

/* loaded from: input_file:com/google/firebase/auth/internal/FirebaseTokenVerifier.class */
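/**
 * Verifies Firebase-issued JSON Web Tokens (ID tokens and session cookies).
 *
 * <p>{@link #verifyTokenAndSignature(IdToken)} works in two stages: header and claim checks
 * (key id, algorithm, audience, issuer, subject, validity window), then a signature check against
 * the keys supplied by the configured {@link GooglePublicKeysManager}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The claim checks run <em>before</em> the signature check, so the algorithm, audience and
 *       issuer values echoed into {@link FirebaseAuthException} messages come from a token that
 *       has not been authenticated. Treat those messages as untrusted text when logging them or
 *       returning them to a client.</li>
 *   <li>Only {@code RS256} is accepted; {@code HS256} is inspected solely to produce a clearer
 *       "legacy custom token" error.</li>
 *   <li>Nothing in this class checks token revocation or whether the account is disabled.</li>
 * </ul>
 */
public final class FirebaseTokenVerifier extends IdTokenVerifier {
    /** Certificate endpoint and issuer prefix used for ID tokens. */
    static final String ID_TOKEN_CERT_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
    static final String ID_TOKEN_ISSUER_PREFIX = "https://securetoken.google.com/";
    /** Certificate endpoint and issuer prefix used for session cookies. */
    static final String SESSION_COOKIE_CERT_URL = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
    static final String SESSION_COOKIE_ISSUER_PREFIX = "https://session.firebase.google.com/";
    /** Audience value that identifies a custom token (used only to improve the error message). */
    private static final String FIREBASE_AUDIENCE = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
    private static final String ERROR_INVALID_CREDENTIAL = "ERROR_INVALID_CREDENTIAL";
    private static final String ERROR_RUNTIME_EXCEPTION = "ERROR_RUNTIME_EXCEPTION";
    private static final String PROJECT_ID_MATCH_MESSAGE = "Make sure the %s comes from the same Firebase project as the service account used to authenticate this SDK.";
    private static final String VERIFY_TOKEN_DOCS_MESSAGE = "See %s for details on how to retrieve %s.";
    /** The only signing algorithm accepted by {@link #verifyTokenAndSignature(IdToken)}. */
    private static final String ALGORITHM = "RS256";
    /** Algorithm declared by legacy custom tokens; never accepted, only recognised for diagnostics. */
    private static final String LEGACY_CUSTOM_TOKEN_ALGORITHM = "HS256";
    /** Upper bound on the length of the "sub" claim. */
    private static final int MAX_SUBJECT_LENGTH = 128;
    private static final String LIST_SEPARATOR = ", ";

    private final String projectId;
    private final GooglePublicKeysManager publicKeysManager;
    private final String method;
    private final String shortName;
    private final String articledShortName;
    private final String projectIdMatchMessage;
    private final String verifyTokenMessage;

    /**
     * Builder for {@link FirebaseTokenVerifier}.
     *
     * <p>{@code projectId}, {@code shortName}, {@code method} and {@code publicKeysManager} are
     * validated when the verifier is constructed; {@code docUrl} is not validated and is formatted
     * into error messages as given.
     */
    public static class Builder extends IdTokenVerifier.Builder {
        private String projectId;
        private String shortName;
        private String method;
        private String docUrl;
        private GooglePublicKeysManager publicKeysManager;

        /** Returns the project id passed to {@link #setProjectId(String, String)}, or null. */
        public String getProjectId() {
            return this.projectId;
        }

        /**
         * Sets the project id and derives the expected audience and issuer from it.
         *
         * @param str issuer prefix; the expected issuer becomes {@code str + str2}
         * @param str2 Firebase project id; also used as the single expected audience
         * @return this builder
         */
        public Builder setProjectId(String str, String str2) {
            this.projectId = str2;
            // Audience and issuer are both pinned to this one project, so a token minted for a
            // different project fails the "aud"/"iss" checks.
            setAudience(Collections.singleton(str2));
            setIssuer(str + str2);
            return this;
        }

        /**
         * @param str human-readable token kind used in error messages (e.g. "ID token")
         * @return this builder
         */
        public Builder setShortName(String str) {
            this.shortName = str;
            return this;
        }

        /**
         * @param str name of the public API method reported in error messages
         * @return this builder
         */
        public Builder setMethod(String str) {
            this.method = str;
            return this;
        }

        /**
         * @param str documentation URL appended to error messages
         * @return this builder
         */
        public Builder setDocUrl(String str) {
            this.docUrl = str;
            return this;
        }

        /**
         * Sets the clock used for the validity-window check.
         *
         * <p>Decompiler note: originally named {@code setClock}; renamed because it was merged
         * with its bridge method.
         *
         * @param clock clock to use
         * @return this builder
         */
        public Builder m21setClock(Clock clock) {
            return (Builder) super.setClock(clock);
        }

        /**
         * @param googlePublicKeysManager source of the public keys trusted for signature checks
         * @return this builder
         */
        public Builder setPublicKeysManager(GooglePublicKeysManager googlePublicKeysManager) {
            this.publicKeysManager = googlePublicKeysManager;
            return this;
        }

        /**
         * Builds the verifier.
         *
         * <p>Decompiler note: originally named {@code build}; renamed because it was merged with
         * its bridge method.
         *
         * @return a new verifier
         * @throws IllegalArgumentException if projectId, shortName or method is null or empty
         * @throws NullPointerException if no public keys manager was set
         */
        public FirebaseTokenVerifier m22build() {
            return new FirebaseTokenVerifier(this);
        }
    }

    private FirebaseTokenVerifier(Builder builder) {
        super(builder);
        Preconditions.checkArgument(!Strings.isNullOrEmpty(builder.projectId), "projectId must be set");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(builder.shortName), "shortName must be set");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(builder.method), "method must be set");
        this.projectId = builder.projectId;
        this.shortName = builder.shortName;
        // Safe to index the first character: shortName was just checked to be non-empty.
        this.articledShortName = prefixWithIndefiniteArticle(this.shortName);
        this.method = builder.method;
        this.publicKeysManager = (GooglePublicKeysManager) Preconditions.checkNotNull(builder.publicKeysManager, "publicKeysManager must be set");
        this.projectIdMatchMessage = String.format(PROJECT_ID_MATCH_MESSAGE, this.shortName);
        this.verifyTokenMessage = String.format(VERIFY_TOKEN_DOCS_MESSAGE, builder.docUrl, this.articledShortName);
    }

    /**
     * Validates the token's header and claims, then its signature.
     *
     * <p>Returns normally only when every check passes. The claim checks are evaluated in a fixed
     * order and the first failure is reported.
     *
     * @param idToken parsed token to verify
     * @throws FirebaseAuthException with code {@code ERROR_INVALID_CREDENTIAL} if a claim check
     *     fails or no trusted key verifies the signature, or {@code ERROR_RUNTIME_EXCEPTION} if
     *     the signature check itself fails with an I/O or security error
     * @throws NullPointerException if {@code idToken} is null
     */
    public void verifyTokenAndSignature(IdToken idToken) throws FirebaseAuthException {
        Preconditions.checkNotNull(idToken, "idToken must not be null");

        String claimError = findClaimError(idToken);
        if (claimError != null) {
            throw new FirebaseAuthException(ERROR_INVALID_CREDENTIAL, String.format("%s %s", claimError, this.verifyTokenMessage));
        }

        boolean signedByTrustedKey;
        try {
            signedByTrustedKey = verifySignature(idToken);
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: a key-fetch or crypto failure is reported, never treated as success.
            throw new FirebaseAuthException(ERROR_RUNTIME_EXCEPTION, "Error while verifying signature.", e);
        }
        if (!signedByTrustedKey) {
            throw new FirebaseAuthException(ERROR_INVALID_CREDENTIAL, String.format("Firebase %s isn't signed by a valid public key. %s", this.shortName, this.verifyTokenMessage));
        }
    }

    /**
     * Runs the header and claim checks in order and describes the first one that fails.
     *
     * @return an error description, or null if all checks pass
     */
    private String findClaimError(IdToken idToken) {
        IdToken.Payload payload = idToken.getPayload();
        JsonWebSignature.Header header = idToken.getHeader();

        if (header.getKeyId() == null) {
            // A missing "kid" is the usual sign that a custom token was passed by mistake.
            if (isCustomToken(payload)) {
                return String.format("%s expects %s, but was given a custom token.", this.method, this.articledShortName);
            }
            if (isLegacyCustomToken(header, payload)) {
                return String.format("%s expects %s, but was given a legacy custom token.", this.method, this.articledShortName);
            }
            return String.format("Firebase %s has no \"kid\" claim.", this.shortName);
        }
        // Pin the algorithm before anything else is trusted; the header value is attacker-chosen.
        if (!ALGORITHM.equals(header.getAlgorithm())) {
            return String.format("Firebase %s has incorrect algorithm. Expected \"%s\" but got \"%s\".", this.shortName, ALGORITHM, header.getAlgorithm());
        }
        if (!idToken.verifyAudience(getAudience())) {
            return String.format("Firebase %s has incorrect \"aud\" (audience) claim. Expected \"%s\" but got \"%s\". %s", this.shortName, concat(getAudience()), concat(payload.getAudienceAsList()), this.projectIdMatchMessage);
        }
        if (!idToken.verifyIssuer(getIssuers())) {
            return String.format("Firebase %s has incorrect \"iss\" (issuer) claim. Expected \"%s\" but got \"%s\". %s", this.shortName, concat(getIssuers()), payload.getIssuer(), this.projectIdMatchMessage);
        }
        String subject = payload.getSubject();
        if (subject == null) {
            return String.format("Firebase %s has no \"sub\" (subject) claim.", this.shortName);
        }
        if (subject.isEmpty()) {
            return String.format("Firebase %s has an empty string \"sub\" (subject) claim.", this.shortName);
        }
        if (subject.length() > MAX_SUBJECT_LENGTH) {
            return String.format("Firebase %s has \"sub\" (subject) claim longer than 128 characters.", this.shortName);
        }
        if (!idToken.verifyTime(getClock().currentTimeMillis(), getAcceptableTimeSkewSeconds())) {
            return String.format("Firebase %s has expired or is not yet valid. Get a fresh %s and try again.", this.shortName, this.shortName);
        }
        return null;
    }

    /** Returns true if the audience is the one that marks a custom token. */
    private static boolean isCustomToken(IdToken.Payload payload) {
        return payload.getAudience() != null && payload.getAudience().equals(FIREBASE_AUDIENCE);
    }

    /**
     * Returns true if the token has the shape of a legacy custom token: HS256 header, a "v" claim
     * equal to zero and a "d" map containing a "uid" entry.
     */
    private static boolean isLegacyCustomToken(JsonWebSignature.Header header, IdToken.Payload payload) {
        if (!LEGACY_CUSTOM_TOKEN_ALGORITHM.equals(header.getAlgorithm())) {
            return false;
        }
        Object version = payload.get("v");
        if (version == null || !version.equals(new BigDecimal(0))) {
            return false;
        }
        Object data = payload.get("d");
        return data instanceof ArrayMap && ((ArrayMap<?, ?>) data).get("uid") != null;
    }

    /** Prefixes the name with "an " if it starts with a vowel, otherwise with "a ". */
    private String prefixWithIndefiniteArticle(String str) {
        return "aeiouAEIOU".indexOf(str.charAt(0)) < 0 ? "a " + str : "an " + str;
    }

    /**
     * Joins the trimmed values with ", " for use in an error message.
     *
     * <p>Returns an empty string for a null or empty collection. The values can come from the
     * unverified token (a token without an "aud" claim presumably yields an empty audience list),
     * and cutting a trailing separator off an empty buffer would raise
     * {@link StringIndexOutOfBoundsException} instead of the intended
     * {@link FirebaseAuthException}.
     */
    private String concat(Collection<String> collection) {
        if (collection == null || collection.isEmpty()) {
            return "";
        }
        StringBuilder joined = new StringBuilder();
        for (String value : collection) {
            if (joined.length() > 0) {
                joined.append(LIST_SEPARATOR);
            }
            // A null element is rendered as text rather than failing on trim().
            joined.append(value == null ? "null" : value.trim());
        }
        return joined.toString();
    }

    /**
     * Returns true if any key from the keys manager verifies the token's signature.
     *
     * <p>Every key is tried in turn; the header's "kid" is checked for presence by the caller but
     * is not used here to select a key.
     */
    private boolean verifySignature(IdToken idToken) throws GeneralSecurityException, IOException {
        for (PublicKey key : this.publicKeysManager.getPublicKeys()) {
            if (idToken.verifySignature(key)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the Firebase project id this verifier accepts tokens for. */
    public String getProjectId() {
        return this.projectId;
    }

    /**
     * Creates a verifier for Firebase ID tokens.
     *
     * @param str Firebase project id
     * @param keyManagers provider of the ID token public keys manager
     * @param clock clock used for the validity-window check
     * @return a verifier expecting issuer {@code ID_TOKEN_ISSUER_PREFIX + str}
     */
    @NonNull
    public static FirebaseTokenVerifier createIdTokenVerifier(@NonNull String str, @NonNull KeyManagers keyManagers, @NonNull Clock clock) {
        return new Builder()
                .setProjectId(ID_TOKEN_ISSUER_PREFIX, str)
                .setPublicKeysManager(keyManagers.getIdTokenKeysManager())
                .setShortName("ID token")
                .setMethod("verifyIdToken()")
                .setDocUrl("https://firebase.google.com/docs/auth/admin/verify-id-tokens")
                .m21setClock(clock)
                .m22build();
    }

    /**
     * Creates a verifier for Firebase session cookies.
     *
     * @param str Firebase project id
     * @param keyManagers provider of the session cookie public keys manager
     * @param clock clock used for the validity-window check
     * @return a verifier expecting issuer {@code SESSION_COOKIE_ISSUER_PREFIX + str}
     */
    @NonNull
    public static FirebaseTokenVerifier createSessionCookieVerifier(@NonNull String str, @NonNull KeyManagers keyManagers, @NonNull Clock clock) {
        return new Builder()
                .setProjectId(SESSION_COOKIE_ISSUER_PREFIX, str)
                .setPublicKeysManager(keyManagers.getSessionCookieKeysManager())
                .setShortName("session cookie")
                .setMethod("verifySessionCookie()")
                .setDocUrl("https://firebase.google.com/docs/auth/admin/manage-cookies")
                .m21setClock(clock)
                .m22build();
    }
}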
