package com.google.appengine.tools.cloudstorage.oauth;

import com.google.appengine.api.appidentity.AppIdentityService;
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;
import com.google.appengine.api.urlfetch.URLFetchService;
import com.google.appengine.api.utils.SystemProperty;
import com.google.common.collect.ImmutableList;
import java.util.Collection;
import java.util.List;
import java.util.Random;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

/* loaded from: input_file:WEB-INF/lib/appengine-gcs-client-0.4.1.jar:com/google/appengine/tools/cloudstorage/oauth/AppIdentityOAuthURLFetchService.class */
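/**
 * OAuth-authenticated URL fetch service that obtains its access token from the App Engine
 * {@link AppIdentityService} and caches it in memory until shortly before it expires.
 *
 * <p>The cached token is refreshed ahead of its expiration time by a randomized "headroom"
 * between {@link #MIN_CACHE_EXPIRATION_HEADROOM} (inclusive) and
 * {@link #MAX_CACHE_EXPIRATION_HEADROOM} (exclusive) milliseconds, re-drawn after every refresh.
 *
 * <p>The value handed out by {@link #getToken()} is an OAuth access token, i.e. a credential.
 * Callers should keep it out of logs, exception messages and anything else that is persisted.
 */
final class AppIdentityOAuthURLFetchService extends AbstractOAuthURLFetchService {
    /** Upper bound (exclusive), in milliseconds, of the early-refresh headroom. */
    private static final int MAX_CACHE_EXPIRATION_HEADROOM = 300000;
    /** Lower bound (inclusive), in milliseconds, of the early-refresh headroom. */
    private static final int MIN_CACHE_EXPIRATION_HEADROOM = 60000;
    // Only used to draw the refresh headroom (timing jitter). No secret is derived from it,
    // so a non-cryptographic generator is sufficient here.
    private final Random rand;
    // Serializes the actual token fetch so concurrent callers do not all hit the identity service.
    private final Lock lock;
    private final AppIdentityService appIdentityService;
    // Immutable snapshot of the scopes passed to the constructor.
    private final List<String> oauthScopes;
    // Most recently fetched token result; null until the first successful fetch.
    private final AtomicReference<AppIdentityService.GetAccessTokenResult> accessToken;
    // Current early-refresh headroom in milliseconds.
    private final AtomicInteger cacheExpirationHeadroom;
    // Set by the caller that elects itself to refresh a token that is about to expire.
    private final AtomicBoolean refreshInProgress;

    /**
     * Creates a service that requests tokens for the given OAuth scopes.
     *
     * @param uRLFetchService the underlying fetch service, passed to the superclass
     * @param list the OAuth scopes to request; copied, so later changes to the list have no
     *     effect (the copy rejects a {@code null} list or {@code null} elements)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AppIdentityOAuthURLFetchService(URLFetchService uRLFetchService, List<String> list) {
        super(uRLFetchService);
        // rand must be assigned before getNextCacheExpirationHeadroom() is called below.
        this.rand = new Random();
        this.lock = new ReentrantLock();
        this.appIdentityService = AppIdentityServiceFactory.getAppIdentityService();
        this.accessToken = new AtomicReference<>();
        this.cacheExpirationHeadroom = new AtomicInteger(getNextCacheExpirationHeadroom());
        this.refreshInProgress = new AtomicBoolean(false);
        // Typed copy; the raw (Collection) cast is unnecessary and only produced an unchecked
        // warning.
        this.oauthScopes = ImmutableList.copyOf(list);
    }

    /**
     * Returns a cached access token, fetching a new one when none is cached, when the cached
     * one has expired, or when it is about to expire and this caller wins the refresh election.
     *
     * <p>Callers that lose the election while the token is merely about to expire keep using
     * the cached, still valid token instead of blocking on the lock.
     *
     * @return the access token string; treat it as a secret
     * @throws IllegalStateException if running in the development environment
     */
    @Override // com.google.appengine.tools.cloudstorage.oauth.AbstractOAuthURLFetchService
    protected String getToken() {
        verifyProdOnly();
        AppIdentityService.GetAccessTokenResult cached = this.accessToken.get();
        // Evaluation order matters: compareAndSet has a side effect and must only be attempted
        // when a token exists, is not yet expired, but is inside the headroom window.
        if (cached == null
                || isExpired(cached)
                || (isAboutToExpire(cached) && this.refreshInProgress.compareAndSet(false, true))) {
            this.lock.lock();
            try {
                // Re-read under the lock: another thread may have refreshed while we waited.
                cached = this.accessToken.get();
                if (cached == null || isAboutToExpire(cached)) {
                    cached = this.appIdentityService.getAccessToken(this.oauthScopes);
                    this.accessToken.set(cached);
                    // Draw a fresh headroom for the new token.
                    this.cacheExpirationHeadroom.set(getNextCacheExpirationHeadroom());
                }
            } finally {
                // NOTE(review): the flag is cleared by every thread leaving this block, not only
                // by the one that won the compareAndSet. The re-check under the lock appears to
                // prevent duplicate fetches regardless; confirm before changing this.
                this.refreshInProgress.set(false);
                this.lock.unlock();
            }
        }
        return cached.getAccessToken();
    }

    /**
     * Rejects use in the development environment.
     *
     * @throws IllegalStateException if the current environment is Development
     */
    private void verifyProdOnly() {
        if (SystemProperty.environment.value() == SystemProperty.Environment.Value.Development) {
            throw new IllegalStateException("The access token from the development environment won't work in production");
        }
    }

    /** Returns true when the token's expiration time is earlier than the current time. */
    private boolean isExpired(AppIdentityService.GetAccessTokenResult getAccessTokenResult) {
        return getAccessTokenResult.getExpirationTime().getTime() < System.currentTimeMillis();
    }

    /**
     * Returns true when the token's expiration time, minus the current headroom, is earlier
     * than the current time. An expired token is therefore also "about to expire".
     */
    private boolean isAboutToExpire(AppIdentityService.GetAccessTokenResult getAccessTokenResult) {
        long refreshAt =
                getAccessTokenResult.getExpirationTime().getTime()
                        - ((long) this.cacheExpirationHeadroom.get());
        return refreshAt < System.currentTimeMillis();
    }

    /**
     * Draws a headroom in milliseconds, at least {@link #MIN_CACHE_EXPIRATION_HEADROOM} and
     * below {@link #MAX_CACHE_EXPIRATION_HEADROOM}.
     */
    private int getNextCacheExpirationHeadroom() {
        // Same range as the previously inlined literals (nextInt(240000) + 60000), now derived
        // from the named bounds so the two cannot drift apart.
        return this.rand.nextInt(MAX_CACHE_EXPIRATION_HEADROOM - MIN_CACHE_EXPIRATION_HEADROOM)
                + MIN_CACHE_EXPIRATION_HEADROOM;
    }
}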
