package land.oras.auth;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import land.oras.ContainerRef;
import land.oras.exception.OrasException;
import land.oras.utils.Const;
import land.oras.utils.JsonUtils;
import land.oras.utils.OrasHttpClient;
import org.jspecify.annotations.NullMarked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

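/**
 * {@link AuthProvider} that answers a registry's {@code WWW-Authenticate: Bearer} challenge by
 * requesting a token from the advertised realm and then serving it as an {@code Authorization}
 * header value.
 *
 * <p>The token is kept in a plain mutable field; nothing in this class synchronizes access to it.
 */
@NullMarked
/* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.4.jar:land/oras/auth/BearerTokenProvider.class */
public final class BearerTokenProvider implements AuthProvider {
    // Strict form of the challenge: realm, service and scope must appear in exactly this order,
    // double-quoted and comma-separated without spaces; an error attribute may follow.
    private static final Pattern WWW_AUTH_VALUE_PATTERN = Pattern.compile("Bearer realm=\"([^\"]+)\",service=\"([^\"]+)\",scope=\"([^\"]+)\"(,error=\"([^\"]+)\")?");
    // Matches any bearer credential field in the token endpoint's JSON body. The value class is
    // "anything up to the closing quote" so opaque tokens containing '+', '/' or '=' are
    // redacted too, not only base64url/JWT-shaped ones.
    private static final Pattern TOKEN_FIELD_PATTERN = Pattern.compile("\"(token|access_token|refresh_token)\"\\s*:\\s*\"[^\"]*\"");
    private static final String REDACTED = "<redacted>";
    private static final Logger LOG = LoggerFactory.getLogger(BearerTokenProvider.class);
    private TokenResponse token;
    private final AuthProvider provider;

    /**
     * Body of the token endpoint response.
     *
     * <p>NOTE(review): the registry token specification names the lifetime field
     * {@code expires_in}; if {@code JsonUtils} maps by component name, {@code expire_in} would
     * never be populated. Confirm against the JSON mapping before relying on it.
     *
     * @param token bearer token
     * @param access_token bearer token under its OAuth 2.0 name; the specification treats it as
     *     equivalent to {@code token}
     * @param expire_in token lifetime as sent by the server
     * @param issued_at issue time as sent by the server
     */
    @NullMarked
    /* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.4.jar:land/oras/auth/BearerTokenProvider$TokenResponse.class */
    public record TokenResponse(String token, String access_token, Integer expire_in, ZonedDateTime issued_at) {

        /**
         * Returns a description that omits the credential values, so that logging or
         * string-concatenating a response cannot leak the bearer token.
         */
        @Override
        public String toString() {
            return "TokenResponse[token=" + REDACTED + ", access_token=" + REDACTED
                    + ", expire_in=" + expire_in + ", issued_at=" + issued_at + "]";
        }
    }

    /**
     * Creates a provider that authenticates against the token endpoint with {@code authProvider}.
     *
     * @param authProvider supplies the credentials presented to the token endpoint; it may
     *     return no header, in which case the token is requested anonymously
     */
    public BearerTokenProvider(AuthProvider authProvider) {
        this.provider = authProvider;
    }

    /**
     * Parses the {@code WWW-Authenticate} challenge of {@code responseWrapper}, requests a token
     * from the advertised realm and stores it for later {@link #getAuthHeader} calls.
     *
     * <p>Security note: the realm comes from the server's response and the wrapped provider's
     * {@code Authorization} header is sent to it. A registry therefore decides where the
     * credentials go. Only {@code http}/{@code https} realms are accepted and a warning is logged
     * when credentials would travel over plain HTTP; callers that talk to untrusted registries
     * should additionally restrict the realm hosts they accept.
     *
     * @param containerRef reference the credentials are looked up for
     * @param orasHttpClient client used to call the token endpoint
     * @param responseWrapper the response that carried the challenge
     * @return this provider, holding the new token
     * @throws OrasException if the challenge header is missing, does not match the expected
     *     form, or names a realm with an unsupported scheme
     */
    public BearerTokenProvider refreshToken(ContainerRef containerRef, OrasHttpClient orasHttpClient, OrasHttpClient.ResponseWrapper<String> responseWrapper) {
        // Locale.ROOT keeps the header key stable regardless of the JVM's default locale.
        String challenge = responseWrapper.headers().getOrDefault(Const.WWW_AUTHENTICATE_HEADER.toLowerCase(Locale.ROOT), "");
        LOG.debug("WWW-Authenticate header: {}", challenge);
        if (challenge.isEmpty()) {
            throw new OrasException("No WWW-Authenticate header found in response");
        }
        Matcher matcher = WWW_AUTH_VALUE_PATTERN.matcher(challenge);
        if (!matcher.matches()) {
            throw new OrasException("Invalid WWW-Authenticate header value: " + challenge);
        }
        String realm = matcher.group(1);
        String service = matcher.group(2);
        String scope = matcher.group(3);
        LOG.debug("WWW-Authenticate header: realm={}, service={}, scope={}, error={}", realm, service, scope, matcher.group(5));

        URI tokenEndpoint = buildTokenUri(realm, service, scope);

        Map<String, String> requestHeaders = new HashMap<>();
        String authHeader = this.provider.getAuthHeader(containerRef);
        if (authHeader != null) {
            if (!"https".equalsIgnoreCase(tokenEndpoint.getScheme())) {
                LOG.warn("Sending credentials to token realm over a non-TLS connection: {}", realm);
            }
            requestHeaders.put(Const.AUTHORIZATION_HEADER, authHeader);
        }

        OrasHttpClient.ResponseWrapper<String> tokenResponse = orasHttpClient.get(tokenEndpoint, requestHeaders);
        // Skip the redaction work entirely when debug output is off.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Response: {}", redactTokens(tokenResponse.response()));
            LOG.debug("Headers: {}", redactHeaders(tokenResponse.headers()));
        }
        this.token = JsonUtils.fromJson(tokenResponse.response(), TokenResponse.class);
        return this;
    }

    /** Returns the token stored by the last {@link #refreshToken} call, if any. */
    public TokenResponse getToken() {
        return this.token;
    }

    /**
     * Returns the {@code Authorization} header value for the stored token.
     *
     * @return {@code "Bearer <token>"}, or {@code null} when no token has been obtained or the
     *     response carried neither {@code token} nor {@code access_token}
     */
    @Override // land.oras.auth.AuthProvider
    public String getAuthHeader(ContainerRef containerRef) {
        TokenResponse current = this.token;
        if (current == null) {
            return null;
        }
        // Servers may send only access_token; fall back to it instead of emitting "Bearer null".
        String value = current.token();
        if (value == null || value.isEmpty()) {
            value = current.access_token();
        }
        if (value == null || value.isEmpty()) {
            return null;
        }
        return "Bearer " + value;
    }

    /** Builds the token endpoint URI, percent-encoding the server-supplied query values. */
    private static URI buildTokenUri(String realm, String service, String scope) {
        // The realm may already carry a query string; extend it rather than adding a second '?'.
        char separator = realm.indexOf('?') >= 0 ? '&' : '?';
        // scope and service are server-controlled: encoding keeps '&', '=', '#' or spaces in them
        // from adding parameters or making URI.create reject the value.
        URI uri = URI.create(realm + separator
                + "scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8)
                + "&service=" + URLEncoder.encode(service, StandardCharsets.UTF_8));
        String scheme = uri.getScheme();
        if (!"https".equalsIgnoreCase(scheme) && !"http".equalsIgnoreCase(scheme)) {
            throw new OrasException("Unsupported token realm scheme in WWW-Authenticate header: " + realm);
        }
        return uri;
    }

    /** Replaces the value of every bearer credential field in a JSON body with a placeholder. */
    private static String redactTokens(String body) {
        return TOKEN_FIELD_PATTERN.matcher(body).replaceAll("\"$1\":\"" + REDACTED + "\"");
    }

    /** Copies {@code headers}, replacing the values of credential-bearing headers. */
    private static Map<String, String> redactHeaders(Map<String, String> headers) {
        return headers.entrySet().stream()
                .collect(Collectors.toMap(
                        Map.Entry::getKey,
                        entry -> isSensitiveHeader(entry.getKey()) ? REDACTED : entry.getValue()));
    }

    /** Tells whether a header's value must not reach the log. */
    private static boolean isSensitiveHeader(String name) {
        return Const.AUTHORIZATION_HEADER.equalsIgnoreCase(name)
                || "Proxy-Authorization".equalsIgnoreCase(name)
                || "Set-Cookie".equalsIgnoreCase(name);
    }
}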
