package land.oras.auth;

import java.io.InputStream;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.Socket;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import land.oras.ContainerRef;
import land.oras.OrasModel;
import land.oras.exception.OrasException;
import land.oras.utils.Const;
import land.oras.utils.JsonUtils;
import land.oras.utils.Versions;
import org.jspecify.annotations.NullMarked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@NullMarked
/* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.9.jar:land/oras/auth/HttpClient.class */
public final class HttpClient {
    private static final Logger LOG = LoggerFactory.getLogger(HttpClient.class);
    private static final Pattern WWW_AUTH_VALUE_PATTERN = Pattern.compile("Bearer realm=\"([^\"]+)\",service=\"([^\"]+)\",scope=\"([^\"]+)\"(,error=\"([^\"]+)\")?");
    private final HttpClient.Builder builder = java.net.http.HttpClient.newBuilder();
    private java.net.http.HttpClient client;
    private boolean skipTlsVerify;
    private Integer timeout;

    /* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.9.jar:land/oras/auth/HttpClient$Builder.class */
    public static class Builder {
        private final HttpClient client = new HttpClient();

        private Builder() {
        }

        public Builder withTimeout(Integer num) {
            this.client.setTimeout(num);
            return this;
        }

        public Builder withSkipTlsVerify(boolean z) {
            this.client.setTlsVerify(z);
            return this;
        }

        public static Builder builder() {
            return new Builder();
        }

        public HttpClient build() {
            return this.client.build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.9.jar:land/oras/auth/HttpClient$InsecureTrustManager.class */
    public static class InsecureTrustManager extends X509ExtendedTrustManager {
        private InsecureTrustManager() {
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) {
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) {
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) {
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) {
        }
    }

    /* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.9.jar:land/oras/auth/HttpClient$ResponseWrapper.class */
    public static final class ResponseWrapper<T> extends Record {
        private final T response;
        private final int statusCode;
        private final Map<String, String> headers;

        public ResponseWrapper(T t, int i, Map<String, String> map) {
            this.response = t;
            this.statusCode = i;
            this.headers = map;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ResponseWrapper.class), ResponseWrapper.class, "response;statusCode;headers", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->response:Ljava/lang/Object;", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->statusCode:I", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->headers:Ljava/util/Map;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ResponseWrapper.class), ResponseWrapper.class, "response;statusCode;headers", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->response:Ljava/lang/Object;", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->statusCode:I", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->headers:Ljava/util/Map;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ResponseWrapper.class, Object.class), ResponseWrapper.class, "response;statusCode;headers", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->response:Ljava/lang/Object;", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->statusCode:I", "FIELD:Lland/oras/auth/HttpClient$ResponseWrapper;->headers:Ljava/util/Map;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public T response() {
            return this.response;
        }

        public int statusCode() {
            return this.statusCode;
        }

        public Map<String, String> headers() {
            return this.headers;
        }
    }

    @OrasModel
    /* loaded from: input_file:WEB-INF/lib/oras-java-sdk-0.2.9.jar:land/oras/auth/HttpClient$TokenResponse.class */
    public static final class TokenResponse extends Record {
        private final String token;
        private final String access_token;
        private final Integer expires_in;
        private final ZonedDateTime issued_at;

        public TokenResponse(String str, String str2, Integer num, ZonedDateTime zonedDateTime) {
            this.token = str;
            this.access_token = str2;
            this.expires_in = num;
            this.issued_at = zonedDateTime;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, TokenResponse.class), TokenResponse.class, "token;access_token;expires_in;issued_at", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->token:Ljava/lang/String;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->access_token:Ljava/lang/String;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->expires_in:Ljava/lang/Integer;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->issued_at:Ljava/time/ZonedDateTime;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, TokenResponse.class), TokenResponse.class, "token;access_token;expires_in;issued_at", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->token:Ljava/lang/String;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->access_token:Ljava/lang/String;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->expires_in:Ljava/lang/Integer;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->issued_at:Ljava/time/ZonedDateTime;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, TokenResponse.class, Object.class), TokenResponse.class, "token;access_token;expires_in;issued_at", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->token:Ljava/lang/String;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->access_token:Ljava/lang/String;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->expires_in:Ljava/lang/Integer;", "FIELD:Lland/oras/auth/HttpClient$TokenResponse;->issued_at:Ljava/time/ZonedDateTime;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String token() {
            return this.token;
        }

        public String access_token() {
            return this.access_token;
        }

        public Integer expires_in() {
            return this.expires_in;
        }

        public ZonedDateTime issued_at() {
            return this.issued_at;
        }
    }

    private HttpClient() {
        this.builder.followRedirects(HttpClient.Redirect.NEVER);
        this.skipTlsVerify = false;
        this.builder.cookieHandler(new CookieManager(null, CookiePolicy.ACCEPT_NONE));
        setTimeout(60);
    }

    private void setTimeout(Integer num) {
        if (num != null) {
            this.timeout = num;
            this.builder.connectTimeout(Duration.ofSeconds(num.intValue()));
        }
    }

    private void setTlsVerify(boolean z) {
        this.skipTlsVerify = z;
        if (z) {
            try {
                SSLContext sSLContext = SSLContext.getInstance("TLS");
                sSLContext.init(null, new TrustManager[]{new InsecureTrustManager()}, new SecureRandom());
                this.builder.sslContext(sSLContext);
            } catch (Exception e) {
                throw new OrasException("Unable to skip TLS verification", e);
            }
        }
    }

    public HttpClient build() {
        this.client = this.builder.build();
        return this;
    }

    public ResponseWrapper<String> get(URI uri, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("GET", uri, map, new byte[0], HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.noBody(), scopes, authProvider);
    }

    public ResponseWrapper<Path> download(URI uri, Map<String, String> map, Path path, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("GET", uri, map, new byte[0], HttpResponse.BodyHandlers.ofFile(path), HttpRequest.BodyPublishers.noBody(), scopes, authProvider);
    }

    public ResponseWrapper<InputStream> download(URI uri, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("GET", uri, map, new byte[0], HttpResponse.BodyHandlers.ofInputStream(), HttpRequest.BodyPublishers.noBody(), scopes, authProvider);
    }

    public ResponseWrapper<String> upload(String str, URI uri, Map<String, String> map, Path path, Scopes scopes, AuthProvider authProvider) {
        try {
            return executeRequest(str, uri, map, new byte[0], HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.ofFile(path), scopes, authProvider);
        } catch (Exception e) {
            throw new OrasException("Unable to upload file", e);
        }
    }

    public ResponseWrapper<String> head(URI uri, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("HEAD", uri, map, new byte[0], HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.noBody(), scopes, authProvider);
    }

    public ResponseWrapper<String> delete(URI uri, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("DELETE", uri, map, new byte[0], HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.noBody(), scopes, authProvider);
    }

    public ResponseWrapper<String> post(URI uri, byte[] bArr, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("POST", uri, map, bArr, HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.ofByteArray(bArr), scopes, authProvider);
    }

    public ResponseWrapper<String> patch(URI uri, byte[] bArr, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("PATCH", uri, map, bArr, HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.ofByteArray(bArr), scopes, authProvider);
    }

    public ResponseWrapper<String> put(URI uri, byte[] bArr, Map<String, String> map, Scopes scopes, AuthProvider authProvider) {
        return executeRequest("PUT", uri, map, bArr, HttpResponse.BodyHandlers.ofString(), HttpRequest.BodyPublishers.ofByteArray(bArr), scopes, authProvider);
    }

    public <T> TokenResponse refreshToken(ResponseWrapper<T> responseWrapper, Scopes scopes, AuthProvider authProvider) {
        String orDefault = responseWrapper.headers().getOrDefault(Const.WWW_AUTHENTICATE_HEADER.toLowerCase(), "");
        LOG.debug("WWW-Authenticate header: {}", orDefault);
        if (orDefault.isEmpty()) {
            throw new OrasException("No WWW-Authenticate header found in response");
        }
        Matcher matcher = WWW_AUTH_VALUE_PATTERN.matcher(orDefault);
        if (!matcher.matches()) {
            throw new OrasException("Invalid WWW-Authenticate header value: " + orDefault);
        }
        String group = matcher.group(1);
        String group2 = matcher.group(2);
        String group3 = matcher.group(3);
        String group4 = matcher.group(5);
        LOG.debug("New scopes with server: {}", scopes.withNewScope(group3).getScopes());
        LOG.debug("WWW-Authenticate header: realm={}, service={}, scope={}, error={}", new Object[]{group, group2, group3, group4});
        ResponseWrapper<String> responseWrapper2 = get(URI.create(group + "?scope=" + group3 + "&service=" + group2), new HashMap(), scopes, authProvider);
        LOG.debug("Response: {}", responseWrapper2.response().replaceAll("\"token\"\\s*:\\s*\"([A-Za-z0-9\\-_\\.]+)\"", "\"token\":\"<redacted>\"").replaceAll("\"access_token\"\\s*:\\s*\"([A-Za-z0-9\\-_\\.]+)\"", "\"access_token\":\"<redacted>\""));
        LOG.debug("Headers: {}", responseWrapper2.headers().entrySet().stream().collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return Const.AUTHORIZATION_HEADER.equalsIgnoreCase((String) entry.getKey()) ? "<redacted" : (String) entry.getValue();
        })));
        return (TokenResponse) JsonUtils.fromJson(responseWrapper2.response(), TokenResponse.class);
    }

    private <T> ResponseWrapper<T> executeRequest(String str, URI uri, Map<String, String> map, byte[] bArr, HttpResponse.BodyHandler<T> bodyHandler, HttpRequest.BodyPublisher bodyPublisher, Scopes scopes, AuthProvider authProvider) {
        Scopes withNewRegistryScopes;
        try {
            HttpRequest.Builder method = HttpRequest.newBuilder().uri(uri).method(str, bodyPublisher);
            ContainerRef containerRef = scopes.getContainerRef();
            boolean z = -1;
            switch (str.hashCode()) {
                case 70454:
                    if (str.equals("GET")) {
                        z = false;
                        break;
                    }
                    break;
                case 79599:
                    if (str.equals("PUT")) {
                        z = 3;
                        break;
                    }
                    break;
                case 2213344:
                    if (str.equals("HEAD")) {
                        z = true;
                        break;
                    }
                    break;
                case 2461856:
                    if (str.equals("POST")) {
                        z = 2;
                        break;
                    }
                    break;
                case 75900968:
                    if (str.equals("PATCH")) {
                        z = 4;
                        break;
                    }
                    break;
                case 2012838315:
                    if (str.equals("DELETE")) {
                        z = 5;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                case true:
                    withNewRegistryScopes = scopes.withNewRegistryScopes(Scope.PULL);
                    break;
                case true:
                case true:
                case true:
                    withNewRegistryScopes = scopes.withNewRegistryScopes(Scope.PUSH);
                    break;
                case true:
                    withNewRegistryScopes = scopes.withNewRegistryScopes(Scope.DELETE);
                    break;
                default:
                    throw new OrasException("Unsupported HTTP method: " + str);
            }
            Scopes scopes2 = withNewRegistryScopes;
            LOG.debug("Existing scopes: {}", scopes.getScopes());
            LOG.debug("New scopes: {}", scopes2.getScopes());
            if (authProvider.getAuthHeader(containerRef) != null && !authProvider.getAuthScheme().equals(AuthScheme.NONE)) {
                method = method.header(Const.AUTHORIZATION_HEADER, authProvider.getAuthHeader(containerRef));
            }
            HttpRequest.Builder builder = method;
            Objects.requireNonNull(builder);
            map.forEach(builder::header);
            HttpRequest.Builder header = method.header(Const.USER_AGENT_HEADER, Versions.USER_AGENT_VALUE);
            HttpRequest build = header.build();
            logRequest(build, bArr);
            HttpResponse<T> send = this.client.send(build, bodyHandler);
            if (send.statusCode() != 301 && send.statusCode() != 302 && send.statusCode() != 307) {
                return redoRequest(send, header, bodyHandler, scopes2, authProvider);
            }
            LOG.debug("Redirecting to {}", send.headers().firstValue(Const.LOCATION_HEADER).orElseThrow());
            HttpRequest.Builder method2 = HttpRequest.newBuilder().uri(new URI((String) send.headers().firstValue(Const.LOCATION_HEADER).orElseThrow())).method(str, bodyPublisher);
            HttpRequest build2 = method2.build();
            logRequest(build2, bArr);
            return redoRequest(this.client.send(build2, bodyHandler), method2, bodyHandler, scopes2, authProvider);
        } catch (Exception e) {
            LOG.error("Failed to execute request", e);
            throw new OrasException("Unable to create HTTP request", e);
        }
    }

    private <T> ResponseWrapper<T> redoRequest(HttpResponse<T> httpResponse, HttpRequest.Builder builder, HttpResponse.BodyHandler<T> bodyHandler, Scopes scopes, AuthProvider authProvider) {
        if (httpResponse.statusCode() != 401 && httpResponse.statusCode() != 403) {
            return toResponseWrapper(httpResponse);
        }
        LOG.debug("Requesting new token...");
        TokenResponse refreshToken = refreshToken(toResponseWrapper(httpResponse), scopes, authProvider);
        if (refreshToken.issued_at() != null && refreshToken.expires_in() != null) {
            LOG.debug("Found token issued_at {}, expire_id {} and expiring at {} ", new Object[]{refreshToken.issued_at(), refreshToken.expires_in(), refreshToken.issued_at().plusSeconds(refreshToken.expires_in().intValue())});
        }
        try {
            return toResponseWrapper(this.client.send(builder.header(Const.AUTHORIZATION_HEADER, "Bearer " + refreshToken.token()).build(), bodyHandler));
        } catch (Exception e) {
            LOG.error("Failed to redo request", e);
            throw new OrasException("Unable to redo HTTP request", e);
        }
    }

    private <T> ResponseWrapper<T> toResponseWrapper(HttpResponse<T> httpResponse) {
        return new ResponseWrapper<>(httpResponse.body(), httpResponse.statusCode(), (Map) httpResponse.headers().map().entrySet().stream().collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return (String) ((List) entry.getValue()).get(0);
        })));
    }

    private void logRequest(HttpRequest httpRequest, byte[] bArr) {
        LOG.debug("Executing {} request to {}", httpRequest.method(), httpRequest.uri());
        LOG.debug("Headers: {}", httpRequest.headers().map().entrySet().stream().collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return Const.AUTHORIZATION_HEADER.equalsIgnoreCase((String) entry.getKey()) ? List.of("<redacted>") : (List) entry.getValue();
        })));
        if (LOG.isTraceEnabled()) {
            LOG.trace("Body: {}", new String(bArr, StandardCharsets.UTF_8));
        }
    }
}
