package com.google.apphosting.client.datastoreservice.app.mobile;

import com.google.appengine.api.oauth.OAuthRequestException;
import com.google.appengine.api.oauth.OAuthServiceFactory;
import com.google.appengine.repackaged.com.google.common.annotations.VisibleForTesting;
import com.google.appengine.repackaged.com.google.net.util.error.Codes;
import com.google.appengine.repackaged.com.google.protobuf.MessageLite;
import com.google.apphosting.api.ApiProxy;
import com.google.apphosting.client.datastoreservice.mobile.DatastoreMobileService;
import com.google.apphosting.client.serviceapp.AuthService;
import com.google.apphosting.client.serviceapp.AuthServiceImpl;
import com.google.apphosting.client.serviceapp.BaseApiServlet;
import com.google.apphosting.client.serviceapp.Clock;
import com.google.apphosting.client.serviceapp.RpcException;
import com.google.apphosting.client.serviceapp.RpcHandler;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;

/* loaded from: input_file:WEB-INF/lib/appengine-api-1.0-sdk-1.9.19.jar:com/google/apphosting/client/datastoreservice/app/mobile/DatastoreMobileApiServlet.class */
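/**
 * API servlet for the Datastore mobile service.
 *
 * <p>{@link #authenticate} accepts a request through one of two paths, chosen by whether the
 * request header carries a peer (Apiary) id token:
 *
 * <ul>
 *   <li>no peer id token: the OAuth service is asked for the caller's permissions, and the project
 *       id carried in the request header is compared with the current app id;
 *   <li>peer id token present: the client id token must have the form {@code Bearer <token>} and is
 *       handed to {@link IdTokenAuthenticator}; the project id it reports is compared with the
 *       current app id.
 * </ul>
 *
 * <p>Any failure is reported as {@code PERMISSION_DENIED}.
 */
public class DatastoreMobileApiServlet extends BaseApiServlet {

    @VisibleForTesting
    static final String API_HEADER = "X-AppEngine-DatastoreMobile-API";

    /** Upper bound on the length of each section (partition, domain, display id) of an app id. */
    private static final int MAX_APP_ID_SECTION_LENGTH = 100;

    public static final String INVALID_CLIENT_ID_ERROR = "Invalid Client ID.";
    public static final String INVALID_USER_CRED_ERROR = "Unauthorized.";

    // NOTE(review): the two arrays below are public and mutable, so any code in the same class
    // loader can rewrite the accepted scopes. They stay as they are for compatibility; the getters
    // hand out copies, and nothing should ever write to these arrays.
    @VisibleForTesting
    public static final String[] OAUTH2_SCOPE_STRINGS = {"https://www.googleapis.com/auth/datastoremobile", "https://www.googleapis.com/auth/cloud-platform"};

    @VisibleForTesting
    public static final String[] OAUTH2_SCOPE_CODES = {"43610", "35600"};

    private static final String APP_ID_PARTITION_STRING = String.format("[a-z\\d\\-]{1,%d}", MAX_APP_ID_SECTION_LENGTH);
    private static final String APP_ID_DOMAIN_STRING = String.format("[a-z\\d][a-z\\d\\-\\.]{0,%d}", MAX_APP_ID_SECTION_LENGTH - 1);
    private static final String APP_ID_DISPLAY_STRING = String.format("[a-z\\d][a-z\\d\\-]{0,%d}", MAX_APP_ID_SECTION_LENGTH - 1);
    private static final String PROJECT_ID_STRING = String.format("(?:(?:%s):)?(?:%s)", APP_ID_DOMAIN_STRING, APP_ID_DISPLAY_STRING);

    /** Optional {@code cluster~} prefix followed by the project id (optionally {@code domain:}-qualified). */
    private static final String APP_ID_STRING = String.format("(?:(?<cluster>%s)~)?(?<project>%s)", APP_ID_PARTITION_STRING, PROJECT_ID_STRING);
    private static final Pattern APP_ID_REGEX = Pattern.compile(APP_ID_STRING);

    // The pattern is only used with matches(), so the whole value must be "Bearer <token>".
    // MULTILINE only changes ^ and $, which this pattern does not use; the flag is kept as found.
    private static final Pattern CLIENT_ID_TOKEN_REGEX = Pattern.compile("Bearer\\s+(?<token>.*)", Pattern.MULTILINE);

    private final IdTokenAuthenticator idTokenAuth;

    /** Creates the servlet with the default OAuth service and a fresh {@link IdTokenAuthenticator}. */
    public DatastoreMobileApiServlet() {
        this(new AuthServiceImpl(OAuthServiceFactory.getOAuthService()), new IdTokenAuthenticator());
    }

    /**
     * Creates the servlet around the given authentication collaborators, building the RPC service
     * for the app id of the current environment.
     */
    @VisibleForTesting
    public DatastoreMobileApiServlet(AuthService authService, IdTokenAuthenticator idTokenAuthenticator) {
        this(new DatastoreMobileRpcService(ApiProxy.getCurrentEnvironment().getAppId(), authService, idTokenAuthenticator), idTokenAuthenticator);
    }

    DatastoreMobileApiServlet(DatastoreMobileRpcService datastoreMobileRpcService, IdTokenAuthenticator idTokenAuthenticator) {
        super(datastoreMobileRpcService.getAuthService(), Clock.SYSTEM_CLOCK, datastoreMobileRpcService);
        this.idTokenAuth = idTokenAuthenticator;
    }

    /** Returns the name of the HTTP header that identifies this API. */
    @Override
    protected String getApiHeader() {
        return API_HEADER;
    }

    /** Returns a copy of the accepted OAuth2 scope URLs, so callers cannot alter the shared array. */
    @Override
    protected String[] getOAuthScopeStrings() {
        return OAUTH2_SCOPE_STRINGS.clone();
    }

    /** Returns a copy of the accepted OAuth2 scope codes, so callers cannot alter the shared array. */
    @Override
    protected String[] getOAuthScopeCodes() {
        return OAUTH2_SCOPE_CODES.clone();
    }

    /**
     * Authenticates a request and verifies that it targets the project of the current app.
     *
     * @param requestPermissions not read by this implementation
     * @param messageLite the request header, or {@code null}; a {@code null} header is treated as
     *     carrying empty tokens and an empty project id
     * @throws RpcException with {@code PERMISSION_DENIED} when the credential is rejected, the
     *     client id token is malformed, or the project id does not match the current app id
     */
    @Override
    protected void authenticate(RpcHandler.RequestPermissions requestPermissions, @Nullable MessageLite messageLite) throws RpcException {
        String peerAuthorization = getPeerAuthorization(messageLite);
        String authorization = getAuthorization(messageLite);
        String currentAppId = ApiProxy.getCurrentEnvironment().getAppId();

        // null means "accepted"; any other value is the reason for the denial.
        String denial;
        if (peerAuthorization.isEmpty()) {
            try {
                // Called for its exception only: the returned permissions are not inspected here.
                this.authService.getUserPermissions(OAUTH2_SCOPE_CODES, false);
                // NOTE(review): the project id checked on this path is read from the request
                // header, not from the verified OAuth credential. Confirm that the field is set by
                // a trusted front end and cannot be chosen by the caller.
                denial = matchProjectId(currentAppId, getClientTokenProjectId(messageLite));
            } catch (OAuthRequestException e) {
                denial = INVALID_USER_CRED_ERROR + ": " + e.getMessage();
            }
        } else {
            try {
                Matcher matcher = CLIENT_ID_TOKEN_REGEX.matcher(authorization);
                if (!matcher.matches()) {
                    // The rejected value is deliberately left out of the message: it may still be
                    // a usable credential (for example a token sent without the "Bearer" prefix),
                    // and the message ends up in the RPC error text.
                    throw new GeneralSecurityException(INVALID_CLIENT_ID_ERROR + ": invalid client id token");
                }
                this.idTokenAuth.authenticate(peerAuthorization, matcher.group("token"));
                denial = matchProjectId(currentAppId, this.idTokenAuth.getProjectId());
            } catch (IOException | GeneralSecurityException e) {
                // NOTE(review): the verifier's own exception text is forwarded to the caller;
                // check that it never carries token contents or internal detail.
                denial = INVALID_USER_CRED_ERROR + ": " + e.getMessage();
            }
        }

        if (denial != null) {
            throw new RpcException(Codes.Code.PERMISSION_DENIED, denial);
        }
    }

    /**
     * Compares the project part of an app id with the project id presented by the client.
     *
     * @param appId app id of the form {@code [cluster~][domain:]project}
     * @param clientProjectId project id obtained from the request or its credential; may be
     *     {@code null}, which never matches
     * @return {@code null} when the ids match, otherwise a message describing the mismatch
     */
    @VisibleForTesting
    static String matchProjectId(String appId, String clientProjectId) {
        Matcher matcher = APP_ID_REGEX.matcher(appId);
        if (!matcher.matches()) {
            return INVALID_CLIENT_ID_ERROR + ": invalid project id=" + appId;
        }
        String expectedProjectId = matcher.group("project");
        if (expectedProjectId.equals(clientProjectId)) {
            return null;
        }
        return INVALID_CLIENT_ID_ERROR + ": expected=" + expectedProjectId + ", got=" + clientProjectId;
    }

    /**
     * Returns the Apiary id token of the request header, or the empty string for a {@code null}
     * header. A non-null argument must be a {@link DatastoreMobileService.RequestHeader}.
     */
    @VisibleForTesting
    public String getPeerAuthorization(MessageLite messageLite) {
        if (messageLite == null) {
            return "";
        }
        return ((DatastoreMobileService.RequestHeader) messageLite).getApiaryIdToken();
    }

    /**
     * Returns the client id token of the request header, or the empty string for a {@code null}
     * header. A non-null argument must be a {@link DatastoreMobileService.RequestHeader}.
     */
    @VisibleForTesting
    public String getAuthorization(MessageLite messageLite) {
        if (messageLite == null) {
            return "";
        }
        return ((DatastoreMobileService.RequestHeader) messageLite).getClientIdToken();
    }

    /** Returns the client-token project id of the request header, or the empty string for {@code null}. */
    private String getClientTokenProjectId(MessageLite messageLite) {
        if (messageLite == null) {
            return "";
        }
        return ((DatastoreMobileService.RequestHeader) messageLite).getClientTokenProjectId();
    }

    /**
     * Test hook: deserializes {@code payload} with the handler looked up under {@code handlerKey},
     * attaching {@code requestHeader}, and returns the resulting message as bytes.
     */
    @VisibleForTesting(productionVisibility = VisibleForTesting.Visibility.NONE)
    public byte[] injectRequestHeaderForTest(String handlerKey, byte[] payload, DatastoreMobileService.RequestHeader requestHeader) throws IOException {
        DatastoreMobileRpcHandler handler = (DatastoreMobileRpcHandler) getHandler(handlerKey);
        return handler.deserializeWithHeader(payload, requestHeader).toByteArray();
    }
}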
