package com.google.cloud.tools.jib.registry;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.cloud.tools.jib.api.Credential;
import com.google.cloud.tools.jib.api.RegistryAuthenticationFailedException;
import com.google.cloud.tools.jib.blob.Blobs;
import com.google.cloud.tools.jib.global.JibSystemProperties;
import com.google.cloud.tools.jib.http.Authorization;
import com.google.cloud.tools.jib.http.BlobHttpContent;
import com.google.cloud.tools.jib.http.FailoverHttpClient;
import com.google.cloud.tools.jib.http.Request;
import com.google.cloud.tools.jib.http.Response;
import com.google.cloud.tools.jib.http.ResponseException;
import com.google.cloud.tools.jib.json.JsonTemplate;
import com.google.cloud.tools.jib.json.JsonTemplateMapper;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Verify;
import com.google.common.collect.ImmutableMap;
import com.google.common.net.MediaType;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;

/* loaded from: input_file:com/google/cloud/tools/jib/registry/RegistryAuthenticator.class */
public class RegistryAuthenticator {
    private final RegistryEndpointRequestProperties registryEndpointRequestProperties;
    private final String realm;
    private final String service;

    @Nullable
    private final String userAgent;
    private final FailoverHttpClient httpClient;

    /* JADX INFO: Access modifiers changed from: package-private */
    @JsonIgnoreProperties(ignoreUnknown = true)
    @VisibleForTesting
    /* loaded from: input_file:com/google/cloud/tools/jib/registry/RegistryAuthenticator$AuthenticationResponseTemplate.class */
    public static class AuthenticationResponseTemplate implements JsonTemplate {

        @Nullable
        private String token;

        @JsonProperty("access_token")
        @Nullable
        private String accessToken;

        AuthenticationResponseTemplate() {
        }

        @VisibleForTesting
        @Nullable
        String getToken() {
            return this.token != null ? this.token : this.accessToken;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Optional<RegistryAuthenticator> fromAuthenticationMethod(String str, RegistryEndpointRequestProperties registryEndpointRequestProperties, @Nullable String str2, FailoverHttpClient failoverHttpClient) throws RegistryAuthenticationFailedException {
        if (str.matches("^(?i)(basic) .*")) {
            return Optional.empty();
        }
        String serverUrl = registryEndpointRequestProperties.getServerUrl();
        String imageName = registryEndpointRequestProperties.getImageName();
        if (!str.matches("^(?i)(bearer) .*")) {
            throw newRegistryAuthenticationFailedException(serverUrl, imageName, str, "Bearer");
        }
        Matcher matcher = Pattern.compile("realm=\"(.*?)\"").matcher(str);
        if (!matcher.find()) {
            throw newRegistryAuthenticationFailedException(serverUrl, imageName, str, "realm");
        }
        String group = matcher.group(1);
        Matcher matcher2 = Pattern.compile("service=\"(.*?)\"").matcher(str);
        return Optional.of(new RegistryAuthenticator(group, matcher2.find() ? matcher2.group(1) : serverUrl, registryEndpointRequestProperties, str2, failoverHttpClient));
    }

    private static RegistryAuthenticationFailedException newRegistryAuthenticationFailedException(String str, String str2, String str3, String str4) {
        return new RegistryAuthenticationFailedException(str, str2, "'" + str4 + "' was not found in the 'WWW-Authenticate' header, tried to parse: " + str3);
    }

    private RegistryAuthenticator(String str, String str2, RegistryEndpointRequestProperties registryEndpointRequestProperties, @Nullable String str3, FailoverHttpClient failoverHttpClient) {
        this.realm = str;
        this.service = str2;
        this.registryEndpointRequestProperties = registryEndpointRequestProperties;
        this.userAgent = str3;
        this.httpClient = failoverHttpClient;
    }

    public Authorization authenticatePull(@Nullable Credential credential) throws RegistryAuthenticationFailedException, RegistryCredentialsNotSentException {
        return authenticate(credential, "pull");
    }

    public Authorization authenticatePush(@Nullable Credential credential) throws RegistryAuthenticationFailedException, RegistryCredentialsNotSentException {
        return authenticate(credential, "pull,push");
    }

    private String getServiceScopeRequestParameters(Map<String, String> map) {
        StringBuilder append = new StringBuilder("service=").append(this.service);
        for (Map.Entry<String, String> entry : map.entrySet()) {
            append.append("&scope=repository:").append(entry.getKey()).append(":").append(entry.getValue());
        }
        return append.toString();
    }

    @VisibleForTesting
    URL getAuthenticationUrl(@Nullable Credential credential, Map<String, String> map) throws MalformedURLException {
        return isOAuth2Auth(credential) ? new URL(this.realm) : new URL(this.realm + "?" + getServiceScopeRequestParameters(map));
    }

    @VisibleForTesting
    String getAuthRequestParameters(@Nullable Credential credential, Map<String, String> map) {
        String serviceScopeRequestParameters = getServiceScopeRequestParameters(map);
        return isOAuth2Auth(credential) ? serviceScopeRequestParameters + "&client_id=jib.da031fe481a93ac107a95a96462358f9&grant_type=refresh_token&refresh_token=" + ((Credential) Verify.verifyNotNull(credential)).getPassword() : serviceScopeRequestParameters;
    }

    @VisibleForTesting
    boolean isOAuth2Auth(@Nullable Credential credential) {
        return credential != null && credential.isOAuth2RefreshToken();
    }

    private Authorization authenticate(@Nullable Credential credential, String str) throws RegistryAuthenticationFailedException, RegistryCredentialsNotSentException {
        String sourceImageName = this.registryEndpointRequestProperties.getSourceImageName();
        String imageName = this.registryEndpointRequestProperties.getImageName();
        if (sourceImageName != null && !sourceImageName.equals(imageName)) {
            try {
                return authenticate(credential, (Map<String, String>) ImmutableMap.of(imageName, str, sourceImageName, "pull"));
            } catch (RegistryAuthenticationFailedException e) {
            }
        }
        return authenticate(credential, (Map<String, String>) ImmutableMap.of(imageName, str));
    }

    private Authorization authenticate(@Nullable Credential credential, Map<String, String> map) throws RegistryAuthenticationFailedException, RegistryCredentialsNotSentException {
        String serverUrl = this.registryEndpointRequestProperties.getServerUrl();
        String imageName = this.registryEndpointRequestProperties.getImageName();
        try {
            URL authenticationUrl = getAuthenticationUrl(credential, map);
            Request.Builder userAgent = Request.builder().setHttpTimeout(Integer.valueOf(JibSystemProperties.getHttpTimeout())).setUserAgent(this.userAgent);
            if (isOAuth2Auth(credential)) {
                userAgent.setBody(new BlobHttpContent(Blobs.from(getAuthRequestParameters(credential, map)), MediaType.FORM_DATA.toString()));
            } else if (credential != null) {
                userAgent.setAuthorization(Authorization.fromBasicCredentials(credential.getUsername(), credential.getPassword()));
            }
            Response call = this.httpClient.call(isOAuth2Auth(credential) ? "POST" : "GET", authenticationUrl, userAgent.build());
            try {
                AuthenticationResponseTemplate authenticationResponseTemplate = (AuthenticationResponseTemplate) JsonTemplateMapper.readJson(call.getBody(), AuthenticationResponseTemplate.class);
                if (authenticationResponseTemplate.getToken() == null) {
                    throw new RegistryAuthenticationFailedException(serverUrl, imageName, "Did not get token in authentication response from " + getAuthenticationUrl(credential, map) + "; parameters: " + getAuthRequestParameters(credential, map));
                }
                Authorization fromBearerToken = Authorization.fromBearerToken(authenticationResponseTemplate.getToken());
                if (call != null) {
                    call.close();
                }
                return fromBearerToken;
            } catch (Throwable th) {
                if (call != null) {
                    try {
                        call.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (ResponseException e) {
            if (e.getStatusCode() == 401 && e.requestAuthorizationCleared()) {
                throw new RegistryCredentialsNotSentException(serverUrl, imageName);
            }
            throw new RegistryAuthenticationFailedException(serverUrl, imageName, e);
        } catch (IOException e2) {
            throw new RegistryAuthenticationFailedException(serverUrl, imageName, e2);
        }
    }
}
