package com.google.cloud.tools.jib.registry;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.google.cloud.tools.jib.api.Credential;
import com.google.cloud.tools.jib.api.DescriptorDigest;
import com.google.cloud.tools.jib.api.LogEvent;
import com.google.cloud.tools.jib.api.RegistryAuthenticationFailedException;
import com.google.cloud.tools.jib.api.RegistryException;
import com.google.cloud.tools.jib.api.RegistryUnauthorizedException;
import com.google.cloud.tools.jib.blob.Blob;
import com.google.cloud.tools.jib.blob.BlobDescriptor;
import com.google.cloud.tools.jib.blob.Blobs;
import com.google.cloud.tools.jib.builder.TimerEventDispatcher;
import com.google.cloud.tools.jib.event.EventHandlers;
import com.google.cloud.tools.jib.global.JibSystemProperties;
import com.google.cloud.tools.jib.http.Authorization;
import com.google.cloud.tools.jib.http.FailoverHttpClient;
import com.google.cloud.tools.jib.image.json.ManifestTemplate;
import com.google.cloud.tools.jib.json.JsonTemplate;
import com.google.cloud.tools.jib.json.JsonTemplateMapper;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Verify;
import com.google.common.collect.ImmutableSetMultimap;
import com.google.common.collect.Multimap;
import java.io.IOException;
import java.net.URL;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;

@ThreadSafe
/* loaded from: input_file:com/google/cloud/tools/jib/registry/RegistryClient.class */
public class RegistryClient {
    private static final int MAX_BEARER_TOKEN_REFRESH_TRIES = 5;
    private final EventHandlers eventHandlers;

    @Nullable
    private final Credential credential;
    private final RegistryEndpointRequestProperties registryEndpointRequestProperties;

    @Nullable
    private final String userAgent;
    private final FailoverHttpClient httpClient;
    private final AtomicReference<Authorization> authorization;
    private boolean readOnlyBearerAuth;
    private final AtomicReference<RegistryAuthenticator> initialBearerAuthenticator;

    /* JADX INFO: Access modifiers changed from: private */
    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:com/google/cloud/tools/jib/registry/RegistryClient$AccessClaim.class */
    public static class AccessClaim implements JsonTemplate {

        @Nullable
        private String type;

        @Nullable
        private String name;

        @Nullable
        private List<String> actions;

        private AccessClaim() {
        }
    }

    /* loaded from: input_file:com/google/cloud/tools/jib/registry/RegistryClient$Factory.class */
    public static class Factory {
        private final EventHandlers eventHandlers;
        private final RegistryEndpointRequestProperties registryEndpointRequestProperties;
        private final FailoverHttpClient httpClient;

        @Nullable
        private String userAgent;

        @Nullable
        private Credential credential;

        private Factory(EventHandlers eventHandlers, RegistryEndpointRequestProperties registryEndpointRequestProperties, FailoverHttpClient failoverHttpClient) {
            this.eventHandlers = eventHandlers;
            this.registryEndpointRequestProperties = registryEndpointRequestProperties;
            this.httpClient = failoverHttpClient;
        }

        public Factory setCredential(@Nullable Credential credential) {
            this.credential = credential;
            return this;
        }

        public Factory setUserAgent(@Nullable String str) {
            this.userAgent = str;
            return this;
        }

        public RegistryClient newRegistryClient() {
            return new RegistryClient(this.eventHandlers, this.credential, this.registryEndpointRequestProperties, this.userAgent, this.httpClient);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:com/google/cloud/tools/jib/registry/RegistryClient$TokenPayloadTemplate.class */
    public static class TokenPayloadTemplate implements JsonTemplate {

        @Nullable
        private List<AccessClaim> access;

        private TokenPayloadTemplate() {
        }
    }

    public static Factory factory(EventHandlers eventHandlers, String str, String str2, FailoverHttpClient failoverHttpClient) {
        return new Factory(eventHandlers, new RegistryEndpointRequestProperties(str, str2), failoverHttpClient);
    }

    public static Factory factory(EventHandlers eventHandlers, String str, String str2, String str3, FailoverHttpClient failoverHttpClient) {
        return new Factory(eventHandlers, new RegistryEndpointRequestProperties(str, str2, str3), failoverHttpClient);
    }

    @VisibleForTesting
    @Nullable
    static Multimap<String, String> decodeTokenRepositoryGrants(String str) {
        String[] split = str.split("\\.", -1);
        if (split.length != 3) {
            return null;
        }
        try {
            TokenPayloadTemplate tokenPayloadTemplate = (TokenPayloadTemplate) JsonTemplateMapper.readJson(Base64.getDecoder().decode(split[1]), TokenPayloadTemplate.class);
            if (tokenPayloadTemplate.access == null) {
                return null;
            }
            return (Multimap) tokenPayloadTemplate.access.stream().filter(accessClaim -> {
                return "repository".equals(accessClaim.type);
            }).collect(ImmutableSetMultimap.flatteningToImmutableSetMultimap(accessClaim2 -> {
                return accessClaim2.name;
            }, accessClaim3 -> {
                return accessClaim3.actions == null ? Stream.empty() : accessClaim3.actions.stream();
            }));
        } catch (IOException e) {
            return null;
        }
    }

    private RegistryClient(EventHandlers eventHandlers, @Nullable Credential credential, RegistryEndpointRequestProperties registryEndpointRequestProperties, @Nullable String str, FailoverHttpClient failoverHttpClient) {
        this.authorization = new AtomicReference<>();
        this.initialBearerAuthenticator = new AtomicReference<>();
        this.eventHandlers = eventHandlers;
        this.credential = credential;
        this.registryEndpointRequestProperties = registryEndpointRequestProperties;
        this.userAgent = str;
        this.httpClient = failoverHttpClient;
    }

    public void configureBasicAuth() {
        Preconditions.checkNotNull(this.credential);
        Preconditions.checkState(!this.credential.isOAuth2RefreshToken());
        this.authorization.set(Authorization.fromBasicCredentials(this.credential.getUsername(), this.credential.getPassword()));
        this.eventHandlers.dispatch(LogEvent.debug("configured basic auth for " + this.registryEndpointRequestProperties.getServerUrl() + "/" + this.registryEndpointRequestProperties.getImageName()));
    }

    public boolean doPullBearerAuth() throws IOException, RegistryException {
        return doBearerAuth(true);
    }

    public boolean doPushBearerAuth() throws IOException, RegistryException {
        return doBearerAuth(false);
    }

    private boolean doBearerAuth(boolean z) throws IOException, RegistryException {
        String str = this.registryEndpointRequestProperties.getServerUrl() + "/" + this.registryEndpointRequestProperties.getImageName();
        this.eventHandlers.dispatch(LogEvent.debug("attempting bearer auth for " + str + "..."));
        Optional optional = (Optional) callRegistryEndpoint(new AuthenticationMethodRetriever(this.registryEndpointRequestProperties, getUserAgent(), this.httpClient));
        if (optional.isPresent()) {
            doBearerAuth(z, (RegistryAuthenticator) optional.get());
            return true;
        }
        this.eventHandlers.dispatch(LogEvent.debug("server requires basic auth for " + str));
        return false;
    }

    private void doBearerAuth(boolean z, RegistryAuthenticator registryAuthenticator) throws RegistryException {
        this.initialBearerAuthenticator.set(registryAuthenticator);
        if (z) {
            this.authorization.set(registryAuthenticator.authenticatePull(this.credential));
        } else {
            this.authorization.set(registryAuthenticator.authenticatePush(this.credential));
        }
        this.readOnlyBearerAuth = z;
        this.eventHandlers.dispatch(LogEvent.debug("bearer auth succeeded for " + this.registryEndpointRequestProperties.getServerUrl() + "/" + this.registryEndpointRequestProperties.getImageName()));
    }

    private Authorization refreshBearerAuth(@Nullable String str) throws RegistryAuthenticationFailedException, RegistryCredentialsNotSentException {
        Preconditions.checkState(isBearerAuth(this.authorization.get()));
        this.eventHandlers.dispatch(LogEvent.debug("refreshing bearer auth token for " + this.registryEndpointRequestProperties.getServerUrl() + "/" + this.registryEndpointRequestProperties.getImageName() + "..."));
        if (str != null) {
            Optional<RegistryAuthenticator> fromAuthenticationMethod = RegistryAuthenticator.fromAuthenticationMethod(str, this.registryEndpointRequestProperties, getUserAgent(), this.httpClient);
            if (fromAuthenticationMethod.isPresent()) {
                return this.readOnlyBearerAuth ? fromAuthenticationMethod.get().authenticatePull(this.credential) : fromAuthenticationMethod.get().authenticatePush(this.credential);
            }
        }
        this.eventHandlers.dispatch(LogEvent.debug("server did not return 'WWW-Authenticate: Bearer' header. Actual: " + str));
        return this.readOnlyBearerAuth ? ((RegistryAuthenticator) Verify.verifyNotNull(this.initialBearerAuthenticator.get())).authenticatePull(this.credential) : ((RegistryAuthenticator) Verify.verifyNotNull(this.initialBearerAuthenticator.get())).authenticatePush(this.credential);
    }

    public void authPullByWwwAuthenticate(String str) throws RegistryException {
        Optional<RegistryAuthenticator> fromAuthenticationMethod = RegistryAuthenticator.fromAuthenticationMethod(str, this.registryEndpointRequestProperties, getUserAgent(), this.httpClient);
        if (fromAuthenticationMethod.isPresent()) {
            doBearerAuth(true, fromAuthenticationMethod.get());
        } else {
            if (this.credential == null || this.credential.isOAuth2RefreshToken()) {
                return;
            }
            configureBasicAuth();
        }
    }

    public Optional<ManifestAndDigest<ManifestTemplate>> checkManifest(String str) throws IOException, RegistryException {
        return (Optional) callRegistryEndpoint(new ManifestChecker(this.registryEndpointRequestProperties, str, ManifestTemplate.class));
    }

    public <T extends ManifestTemplate> ManifestAndDigest<T> pullManifest(String str, Class<T> cls) throws IOException, RegistryException {
        return (ManifestAndDigest) callRegistryEndpoint(new ManifestPuller(this.registryEndpointRequestProperties, str, cls));
    }

    public ManifestAndDigest<ManifestTemplate> pullManifest(String str) throws IOException, RegistryException {
        return pullManifest(str, ManifestTemplate.class);
    }

    public DescriptorDigest pushManifest(ManifestTemplate manifestTemplate, String str) throws IOException, RegistryException {
        if (isBearerAuth(this.authorization.get()) && this.readOnlyBearerAuth) {
            throw new IllegalStateException("push may fail with pull-only bearer auth token");
        }
        return (DescriptorDigest) callRegistryEndpoint(new ManifestPusher(this.registryEndpointRequestProperties, manifestTemplate, str, this.eventHandlers));
    }

    public Optional<BlobDescriptor> checkBlob(DescriptorDigest descriptorDigest) throws IOException, RegistryException {
        return (Optional) callRegistryEndpoint(new BlobChecker(this.registryEndpointRequestProperties, descriptorDigest));
    }

    public Blob pullBlob(DescriptorDigest descriptorDigest, Consumer<Long> consumer, Consumer<Long> consumer2) {
        return Blobs.from(outputStream -> {
            try {
                callRegistryEndpoint(new BlobPuller(this.registryEndpointRequestProperties, descriptorDigest, outputStream, consumer, consumer2));
            } catch (RegistryException e) {
                throw new IOException(e);
            }
        }, false);
    }

    public boolean pushBlob(DescriptorDigest descriptorDigest, Blob blob, @Nullable String str, Consumer<Long> consumer) throws IOException, RegistryException {
        if (isBearerAuth(this.authorization.get()) && this.readOnlyBearerAuth) {
            throw new IllegalStateException("push may fail with pull-only bearer auth token");
        }
        if (str != null && (!JibSystemProperties.useCrossRepositoryBlobMounts() || !canAttemptBlobMount(this.authorization.get(), str))) {
            str = null;
        }
        BlobPusher blobPusher = new BlobPusher(this.registryEndpointRequestProperties, descriptorDigest, blob, str);
        TimerEventDispatcher timerEventDispatcher = new TimerEventDispatcher(this.eventHandlers, "pushBlob");
        try {
            TimerEventDispatcher subTimer = timerEventDispatcher.subTimer("pushBlob POST " + descriptorDigest);
            try {
                Optional optional = (Optional) callRegistryEndpoint(blobPusher.initializer());
                if (!optional.isPresent()) {
                    if (subTimer != null) {
                        subTimer.close();
                    }
                    timerEventDispatcher.close();
                    return true;
                }
                subTimer.lap("pushBlob PATCH " + descriptorDigest);
                URL url = (URL) callRegistryEndpoint(blobPusher.writer((URL) optional.get(), consumer));
                subTimer.lap("pushBlob PUT " + descriptorDigest);
                callRegistryEndpoint(blobPusher.committer(url));
                if (subTimer != null) {
                    subTimer.close();
                }
                timerEventDispatcher.close();
                return false;
            } finally {
            }
        } catch (Throwable th) {
            try {
                timerEventDispatcher.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @VisibleForTesting
    static boolean canAttemptBlobMount(@Nullable Authorization authorization, String str) {
        Multimap<String, String> decodeTokenRepositoryGrants;
        return !isBearerAuth(authorization) || (decodeTokenRepositoryGrants = decodeTokenRepositoryGrants(((Authorization) Verify.verifyNotNull(authorization)).getToken())) == null || decodeTokenRepositoryGrants.containsEntry(str, "pull");
    }

    private static boolean isBearerAuth(@Nullable Authorization authorization) {
        return authorization != null && "bearer".equalsIgnoreCase(authorization.getScheme());
    }

    @VisibleForTesting
    @Nullable
    String getUserAgent() {
        return this.userAgent;
    }

    private <T> T callRegistryEndpoint(RegistryEndpointProvider<T> registryEndpointProvider) throws IOException, RegistryException {
        int i = 0;
        while (true) {
            try {
                return (T) new RegistryEndpointCaller(this.eventHandlers, getUserAgent(), registryEndpointProvider, this.authorization.get(), this.registryEndpointRequestProperties, this.httpClient).call();
            } catch (RegistryUnauthorizedException e) {
                if (e.getHttpResponseException().getStatusCode() != 401 || !isBearerAuth(this.authorization.get())) {
                    break;
                }
                i++;
                if (i >= MAX_BEARER_TOKEN_REFRESH_TRIES) {
                    break;
                }
                this.authorization.set(refreshBearerAuth(e.getHttpResponseException().getHeaders().getAuthenticate()));
                throw e;
            }
        }
        throw e;
    }
}
