package org.eclipse.jkube.kit.resource.helm.oci;

import io.fabric8.kubernetes.client.http.BasicBuilder;
import io.fabric8.kubernetes.client.http.HttpClient;
import io.fabric8.kubernetes.client.http.HttpRequest;
import io.fabric8.kubernetes.client.http.HttpResponse;
import io.fabric8.kubernetes.client.http.Interceptor;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import org.apache.commons.lang3.StringUtils;
import org.eclipse.jkube.kit.common.util.AsyncUtil;
import org.eclipse.jkube.kit.common.util.Base64Util;
import org.eclipse.jkube.kit.common.util.Fabric8HttpUtil;
import org.eclipse.jkube.kit.common.util.Serialization;
import org.eclipse.jkube.kit.resource.helm.HelmRepository;

/* loaded from: input_file:org/eclipse/jkube/kit/resource/helm/oci/OCIRegistryInterceptor.class */
public class OCIRegistryInterceptor implements Interceptor {
    private static final String TOKEN_KEY = "token";
    private static final String ACCESS_TOKEN_KEY = "access_token";
    private static final long OCI_REGISTRY_AUTH_REQUEST_TIMEOUT_MINUTES = 1;
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    public static final String NAME = "OCI_TOKEN";
    private static final String AUTHORIZATION = "Authorization";
    private static final String BEARER = "Bearer ";
    private final HelmRepository repository;
    private final HttpClient httpClient;
    private String accessToken;

    public OCIRegistryInterceptor(HttpClient.Factory factory, HelmRepository helmRepository) {
        this(factory, helmRepository, null);
    }

    OCIRegistryInterceptor(HttpClient.Factory factory, HelmRepository helmRepository, String str) {
        this.repository = helmRepository;
        this.httpClient = factory.newBuilder().build();
        this.accessToken = str;
    }

    public void before(BasicBuilder basicBuilder, HttpRequest httpRequest, Interceptor.RequestTags requestTags) {
        if (StringUtils.isNotBlank(this.accessToken)) {
            basicBuilder.setHeader(AUTHORIZATION, BEARER + this.accessToken);
        }
    }

    public CompletableFuture<Boolean> afterFailure(BasicBuilder basicBuilder, HttpResponse<?> httpResponse, Interceptor.RequestTags requestTags) {
        if (httpResponse.code() != 401) {
            return CompletableFuture.completedFuture(false);
        }
        if (StringUtils.isBlank(httpResponse.header(WWW_AUTHENTICATE))) {
            throw new IllegalStateException("Got 401 but no WWW-Authenticate found in response headers ");
        }
        return refreshToken(basicBuilder, httpResponse);
    }

    private CompletableFuture<Boolean> refreshToken(BasicBuilder basicBuilder, HttpResponse<?> httpResponse) {
        try {
            String submitHttpRequestForAuthenticationChallenge = submitHttpRequestForAuthenticationChallenge(httpResponse);
            if (!StringUtils.isNotBlank(submitHttpRequestForAuthenticationChallenge)) {
                return CompletableFuture.completedFuture(false);
            }
            this.accessToken = submitHttpRequestForAuthenticationChallenge;
            basicBuilder.setHeader(AUTHORIZATION, BEARER + this.accessToken);
            return CompletableFuture.completedFuture(true);
        } catch (IOException e) {
            throw new IllegalStateException("Failure while refreshing token from OCI registry: ", e);
        }
    }

    private String submitHttpRequestForAuthenticationChallenge(HttpResponse<?> httpResponse) throws IOException {
        Map map = (Map) Fabric8HttpUtil.extractAuthenticationChallengeIntoMap(httpResponse).stream().filter(map2 -> {
            return ((String) map2.get("scheme")).equals("Bearer");
        }).findFirst().orElse(Collections.emptyMap());
        String str = (String) map.get("realm");
        String str2 = (String) map.get("scope");
        if (!str2.contains("push")) {
            str2 = str2 + ",push";
        }
        return submitGetRequest(str, str2, (String) map.get("service"));
    }

    private String submitGetRequest(String str, String str2, String str3) throws IOException {
        HttpResponse httpResponse = (HttpResponse) AsyncUtil.get(this.httpClient.sendAsync(this.httpClient.newHttpRequestBuilder().header(AUTHORIZATION, String.format("Basic %s", Base64Util.encodeToString(this.repository.getUsername() + ":" + this.repository.getPassword()))).uri(String.format("%s?service=%s&scope=%s", str, str3, str2)).build(), byte[].class), Duration.ofMinutes(OCI_REGISTRY_AUTH_REQUEST_TIMEOUT_MINUTES));
        int code = httpResponse.code();
        if (code == 200) {
            return parseAccessTokenFromResponse(new String((byte[]) httpResponse.body()));
        }
        if (code == 405) {
            return submitPostRequest(str, str2, str3);
        }
        return null;
    }

    private String submitPostRequest(String str, String str2, String str3) throws IOException {
        String createPostFormDataForDockerAuth = createPostFormDataForDockerAuth(str2, str3);
        HttpResponse httpResponse = (HttpResponse) AsyncUtil.get(this.httpClient.sendAsync(this.httpClient.newHttpRequestBuilder().header("Content-Length", Integer.toString(createPostFormDataForDockerAuth.getBytes().length)).method("POST", "application/x-www-form-urlencoded", createPostFormDataForDockerAuth).uri(str).build(), byte[].class), Duration.ofMinutes(OCI_REGISTRY_AUTH_REQUEST_TIMEOUT_MINUTES));
        if (httpResponse.isSuccessful()) {
            return parseAccessTokenFromResponse(httpResponse.bodyString());
        }
        return null;
    }

    private String parseAccessTokenFromResponse(String str) {
        Map map = (Map) Serialization.unmarshal(str, Map.class);
        String str2 = null;
        if (map.containsKey(TOKEN_KEY)) {
            str2 = (String) map.get(TOKEN_KEY);
        }
        if (map.containsKey(ACCESS_TOKEN_KEY)) {
            str2 = (String) map.get(ACCESS_TOKEN_KEY);
        }
        if (StringUtils.isNotBlank(str2)) {
            return str2;
        }
        return null;
    }

    private String createPostFormDataForDockerAuth(String str, String str2) throws UnsupportedEncodingException {
        HashMap hashMap = new HashMap();
        hashMap.put("grant_type", "password");
        hashMap.put("refresh_token", this.repository.getPassword());
        hashMap.put("service", str2);
        hashMap.put("scope", str);
        hashMap.put("client_id", "EclipseJKube");
        hashMap.put("username", this.repository.getUsername());
        hashMap.put("password", this.repository.getPassword());
        return Fabric8HttpUtil.toFormData(hashMap);
    }
}
