package com.spotify.docker.client.gcr;

import com.google.api.client.util.Clock;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.UserCredentials;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.spotify.docker.client.exceptions.DockerException;
import com.spotify.docker.client.messages.RegistryAuth;
import com.spotify.docker.client.messages.RegistryAuthSupplier;
import com.spotify.docker.client.messages.RegistryConfigs;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/docker/client/gcr/ContainerRegistryAuthSupplier.class */
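/**
 * {@link RegistryAuthSupplier} that authenticates to Google Container Registry by presenting a
 * Google OAuth2 access token as the registry password (username {@code oauth2accesstoken}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #authFor(String)} releases the token only when the first path segment of the image
 *       name is an exact member of {@link #GCR_REGISTRIES}; any other host gets {@code null}, so
 *       the token is not offered to registries outside that set.</li>
 *   <li>{@link #authForSwarm()} has no image name to check and always returns the token.</li>
 *   <li>{@link #authForBuild()} maps every host in {@link #GCR_REGISTRIES} to the same token.</li>
 *   <li>The token is a bearer credential and travels in the {@code password} field of the returned
 *       {@link RegistryAuth}; treat those objects as secrets.</li>
 * </ul>
 *
 * <p>Token refresh is serialized on the credentials object, so concurrent callers do not trigger
 * parallel refreshes.
 */
public class ContainerRegistryAuthSupplier implements RegistryAuthSupplier {
    private static final Logger log = LoggerFactory.getLogger(ContainerRegistryAuthSupplier.class);

    /** Registry hosts that are allowed to receive the Google access token. Matched exactly. */
    private static final Set<String> GCR_REGISTRIES = ImmutableSet.of(
            "gcr.io",
            "us.gcr.io",
            "eu.gcr.io",
            "asia.gcr.io",
            "b.gcr.io",
            "bucket.gcr.io",
            "l.gcr.io",
            "launcher.gcr.io",
            "appengine.gcr.io",
            "us-mirror.gcr.io",
            "eu-mirror.gcr.io",
            "asia-mirror.gcr.io",
            "mirror.gcr.io");

    private final GoogleCredentials credentials;
    private final Clock clock;
    private final long minimumExpiryMillis;
    private final CredentialRefresher credentialRefresher;

    /**
     * Collects the options for a {@link ContainerRegistryAuthSupplier}.
     *
     * <p>The default scope is {@code devstorage.read_write}. A caller that only pulls images can
     * pass a narrower scope (for example
     * {@code https://www.googleapis.com/auth/devstorage.read_only}) through
     * {@link #withScopes(Collection)} so that a leaked token cannot be used to push.
     */
    public static class Builder {
        private final GoogleCredentials credentials;
        private Collection<String> scopes = ImmutableList.of("https://www.googleapis.com/auth/devstorage.read_write");
        private long minimumExpiryMillis = TimeUnit.MINUTES.toMillis(1);

        /**
         * @param googleCredentials the unscoped credentials; scoping happens in {@link #build()}
         */
        public Builder(GoogleCredentials googleCredentials) {
            this.credentials = googleCredentials;
        }

        /**
         * Replaces the OAuth2 scopes requested for the access token.
         *
         * <p>The collection is stored by reference, not copied, so later changes by the caller
         * are visible to {@link #build()}.
         *
         * @param scopes the scopes to request
         * @return this builder
         */
        public Builder withScopes(Collection<String> scopes) {
            this.scopes = scopes;
            return this;
        }

        /**
         * Sets how much remaining lifetime a cached token must have before it is handed out
         * without a refresh. Defaults to one minute.
         *
         * @param duration the minimum remaining lifetime
         * @param timeUnit the unit of {@code duration}
         * @return this builder
         */
        public Builder withMinimumExpiry(long duration, TimeUnit timeUnit) {
            this.minimumExpiryMillis = TimeUnit.MILLISECONDS.convert(duration, timeUnit);
            return this;
        }

        /**
         * Scopes the credentials and creates the supplier.
         *
         * <p>Only the account identifier (service-account e-mail or user client id) is logged;
         * no key material or token is written to the log.
         *
         * @return a supplier backed by the scoped credentials and the system clock
         * @throws IOException declared for callers; nothing in this body throws it directly
         */
        public ContainerRegistryAuthSupplier build() throws IOException {
            // createScoped may hand back any GoogleCredentials subtype, so hold it by the base
            // type and cast only inside the matching instanceof branch.
            final GoogleCredentials scoped = this.credentials.createScoped(this.scopes);
            if (scoped instanceof ServiceAccountCredentials) {
                ContainerRegistryAuthSupplier.log.info("loaded credentials for service account with clientEmail={}", ((ServiceAccountCredentials) scoped).getClientEmail());
            } else if (scoped instanceof UserCredentials) {
                ContainerRegistryAuthSupplier.log.info("loaded credentials for user account with clientId={}", ((UserCredentials) scoped).getClientId());
            }
            return new ContainerRegistryAuthSupplier(scoped, Clock.SYSTEM, this.minimumExpiryMillis, new DefaultCredentialRefresher());
        }
    }

    /** Indirection around the token refresh call so that tests can substitute it. */
    @VisibleForTesting
    public interface CredentialRefresher {
        /**
         * Refreshes the access token held by the given credentials.
         *
         * @param googleCredentials the credentials to refresh
         * @throws IOException if the refresh fails
         */
        void refresh(GoogleCredentials googleCredentials) throws IOException;
    }

    /** Production refresher: delegates to {@link GoogleCredentials#refresh()}. */
    private static class DefaultCredentialRefresher implements CredentialRefresher {
        private DefaultCredentialRefresher() {
        }

        @Override
        public void refresh(GoogleCredentials googleCredentials) throws IOException {
            googleCredentials.refresh();
        }
    }

    /**
     * Starts a builder from credentials read from a stream.
     *
     * @param inputStream the stream passed to {@link GoogleCredentials#fromStream(InputStream)}
     * @return a builder holding the parsed credentials
     * @throws IOException if the credentials cannot be read
     */
    public static Builder fromStream(InputStream inputStream) throws IOException {
        return new Builder(GoogleCredentials.fromStream(inputStream));
    }

    /**
     * Starts a builder from the Application Default Credentials.
     *
     * @return a builder holding the default credentials
     * @throws IOException if the default credentials cannot be obtained
     */
    public static Builder forApplicationDefaultCredentials() throws IOException {
        return new Builder(GoogleCredentials.getApplicationDefault());
    }

    /**
     * Starts a builder from credentials the caller already holds.
     *
     * @param googleCredentials the credentials to use
     * @return a builder holding the given credentials
     */
    public static Builder forCredentials(GoogleCredentials googleCredentials) {
        return new Builder(googleCredentials);
    }

    @VisibleForTesting
    ContainerRegistryAuthSupplier(GoogleCredentials googleCredentials, Clock clock, long minimumExpiryMillis, CredentialRefresher credentialRefresher) {
        this.credentials = googleCredentials;
        this.clock = clock;
        this.minimumExpiryMillis = minimumExpiryMillis;
        this.credentialRefresher = credentialRefresher;
    }

    /**
     * Returns the current access token, refreshing it first when it is missing or close to expiry.
     *
     * @return the token held by the credentials after any refresh
     * @throws DockerException if the refresh fails
     */
    private AccessToken getAccessToken() throws DockerException {
        // Check, refresh and read under one lock so the token returned is the one that was
        // just validated or refreshed, not one swapped in by another thread in between.
        synchronized (this.credentials) {
            if (needsRefresh(this.credentials.getAccessToken())) {
                try {
                    this.credentialRefresher.refresh(this.credentials);
                } catch (IOException e) {
                    throw new DockerException("Could not refresh access token", e);
                }
            }
            return this.credentials.getAccessToken();
        }
    }

    /**
     * Decides whether the given token must be refreshed before use.
     *
     * @param accessToken the token currently held, or {@code null} if none was fetched yet
     * @return {@code true} when there is no token or its remaining lifetime is at most the
     *     configured minimum; {@code false} when the token carries no expiration time
     */
    private boolean needsRefresh(AccessToken accessToken) {
        if (accessToken == null) {
            return true;
        }
        // A token without an expiration time cannot be judged stale; dereferencing it would
        // throw, and refreshing on every call would hit the token endpoint each time.
        if (accessToken.getExpirationTime() == null) {
            return false;
        }
        final long remainingMillis = accessToken.getExpirationTime().getTime() - this.clock.currentTimeMillis();
        return remainingMillis <= this.minimumExpiryMillis;
    }

    /**
     * Returns credentials for an image only when it lives on one of the known GCR hosts.
     *
     * @param imageName the image reference, expected as {@code host/path}
     * @return the token-based auth, or {@code null} when the name is {@code null}, has no
     *     {@code /}, or names a host outside {@link #GCR_REGISTRIES}
     * @throws DockerException if the token cannot be refreshed
     */
    @Override
    public RegistryAuth authFor(String imageName) throws DockerException {
        // Fail closed: without a name there is no host to check, so no token is released.
        if (imageName == null) {
            return null;
        }
        final String[] parts = imageName.split("/", 2);
        // Exact host match only; a name with no registry segment is never treated as GCR.
        if (parts.length < 2 || !GCR_REGISTRIES.contains(parts[0])) {
            return null;
        }
        return authForAccessToken(getAccessToken());
    }

    /** Wraps the token value as registry credentials with the fixed GCR OAuth2 username. */
    private RegistryAuth authForAccessToken(AccessToken accessToken) {
        return RegistryAuth.builder().username("oauth2accesstoken").password(accessToken.getTokenValue()).build();
    }

    /**
     * Returns the token-based auth for Swarm operations. No registry host is checked here.
     *
     * @return the token-based auth
     * @throws DockerException if the token cannot be refreshed
     */
    @Override
    public RegistryAuth authForSwarm() throws DockerException {
        return authForAccessToken(getAccessToken());
    }

    /**
     * Returns build-time registry configuration covering every known GCR host.
     *
     * @return a config map from each host in {@link #GCR_REGISTRIES} to the token-based auth
     * @throws DockerException if the token cannot be refreshed
     */
    @Override
    public RegistryConfigs authForBuild() throws DockerException {
        final AccessToken accessToken = getAccessToken();
        final HashMap<String, RegistryAuth> configs = new HashMap<>(GCR_REGISTRIES.size());
        for (String registry : GCR_REGISTRIES) {
            configs.put(registry, authForAccessToken(accessToken));
        }
        return RegistryConfigs.create(configs);
    }
}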
