package com.google.firebase.auth.internal;

import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Clock;
import com.google.api.client.util.StringUtils;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.internal.FirebaseCustomAuthToken;
import com.google.firebase.internal.Nullable;
import java.io.IOException;
import java.util.Collection;
import java.util.Map;

/* loaded from: input_file:com/google/firebase/auth/internal/FirebaseTokenFactory.class */
public class FirebaseTokenFactory {
    private final JsonFactory jsonFactory;
    private final Clock clock;
    private final CryptoSigner signer;
    private final String tenantId;

    public FirebaseTokenFactory(JsonFactory jsonFactory, Clock clock, CryptoSigner cryptoSigner, @Nullable String str) {
        this.jsonFactory = (JsonFactory) Preconditions.checkNotNull(jsonFactory);
        this.clock = (Clock) Preconditions.checkNotNull(clock);
        this.signer = (CryptoSigner) Preconditions.checkNotNull(cryptoSigner);
        this.tenantId = str;
    }

    @VisibleForTesting
    FirebaseTokenFactory(JsonFactory jsonFactory, Clock clock, CryptoSigner cryptoSigner) {
        this(jsonFactory, clock, cryptoSigner, null);
    }

    String createSignedCustomAuthTokenForUser(String str) throws FirebaseAuthException {
        return createSignedCustomAuthTokenForUser(str, null);
    }

    public String createSignedCustomAuthTokenForUser(String str, Map<String, Object> map) throws FirebaseAuthException {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str), "Uid must be provided.");
        Preconditions.checkArgument(str.length() <= 128, "Uid must be shorter than 128 characters.");
        JsonWebSignature.Header algorithm = new JsonWebSignature.Header().setAlgorithm("RS256");
        long currentTimeMillis = this.clock.currentTimeMillis() / 1000;
        FirebaseCustomAuthToken.Payload expirationTimeSeconds = new FirebaseCustomAuthToken.Payload().setUid(str).setIssuer(this.signer.getAccount()).setSubject(this.signer.getAccount()).setAudience((Object) "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit").setIssuedAtTimeSeconds(Long.valueOf(currentTimeMillis)).setExpirationTimeSeconds(Long.valueOf(currentTimeMillis + 3600));
        if (!Strings.isNullOrEmpty(this.tenantId)) {
            expirationTimeSeconds.setTenantId(this.tenantId);
        }
        if (map != null) {
            Collection<String> names = expirationTimeSeconds.getClassInfo().getNames();
            for (String str2 : map.keySet()) {
                if (names.contains(str2)) {
                    throw new IllegalArgumentException(String.format("developerClaims must not contain a reserved key: %s", str2));
                }
            }
            GenericJson genericJson = new GenericJson();
            genericJson.putAll(map);
            expirationTimeSeconds.setDeveloperClaims(genericJson);
        }
        return signPayload(algorithm, expirationTimeSeconds);
    }

    private String signPayload(JsonWebSignature.Header header, FirebaseCustomAuthToken.Payload payload) throws FirebaseAuthException {
        String encodePayload = encodePayload(header, payload);
        return encodePayload + "." + Base64.encodeBase64URLSafeString(this.signer.sign(StringUtils.getBytesUtf8(encodePayload)));
    }

    private String encodePayload(JsonWebSignature.Header header, FirebaseCustomAuthToken.Payload payload) {
        try {
            return Base64.encodeBase64URLSafeString(this.jsonFactory.toByteArray(header)) + "." + Base64.encodeBase64URLSafeString(this.jsonFactory.toByteArray(payload));
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to encode JWT with the given claims: " + e.getMessage(), e);
        }
    }
}
