package com.atlassian.bitbucket.internal.mirroring.mirror.client;

import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.mirror.ExternalRepository;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirroringConfig;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationFailureException;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthorisationException;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.OAuthAccessToken;
import com.atlassian.bitbucket.internal.mirroring.mirror.jwt.JwtSignedRequestFactory;
import com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringNavBuilder;
import com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.RestUnknownEntity;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestCloudAccount;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestCloudError;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestCloudExternalRepository;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestCloudPage;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestCloudPermissionRequest;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestCloudSshKeyExistsRequest;
import com.atlassian.bitbucket.internal.mirroring.mirror.rest.cloud.RestOAuthAccessToken;
import com.atlassian.bitbucket.internal.mirroring.ssh.encoding.PublicKeyEncodingHelper;
import com.atlassian.bitbucket.json.JsonRenderer;
import com.atlassian.bitbucket.mirroring.MirroringCapabilities;
import com.atlassian.bitbucket.mirroring.MirroringRole;
import com.atlassian.bitbucket.mirroring.RepositoryListMode;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamAccount;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServer;
import com.atlassian.bitbucket.util.MoreStreams;
import com.atlassian.bitbucket.util.ValidationUtils;
import com.atlassian.httpclient.api.DefaultResponseTransformation;
import com.atlassian.httpclient.api.HttpClient;
import com.atlassian.httpclient.api.Request;
import com.atlassian.httpclient.api.Response;
import com.atlassian.stash.internal.auth.HttpAuthUtils;
import com.atlassian.util.concurrent.Promise;
import com.atlassian.util.concurrent.Promises;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Multimap;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.validation.Validator;
import org.apache.commons.lang3.StringUtils;
import org.codehaus.jackson.map.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/client/DefaultCloudUpstreamClient.class */
public class DefaultCloudUpstreamClient extends AbstractUpstreamClient implements CloudUpstreamClient {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultCloudUpstreamClient.class);
    private static final MirroringCapabilities DEFAULT_CAPABILITIES = new MirroringCapabilities.Builder().roles(ImmutableList.of(MirroringRole.UPSTREAM)).repositoryListModes(ImmutableList.of(RepositoryListMode.ALL, RepositoryListMode.BY_ID)).build();
    private static final int CLOUD_PAGE_MAX_SIZE = 100;
    private static final String KEY_FORBIDDEN = "key_forbidden";
    private static final String KEY_UNKNOWN = "key_unknown";
    private Supplier<OAuthAccessToken> accessToken;
    private final MirroringConfig config;
    private final PublicKeyEncodingHelper publicKeyHelper;

    public DefaultCloudUpstreamClient(MirroringConfig mirroringConfig, HttpClient httpClient, I18nService i18nService, JsonRenderer jsonRenderer, MirroringNavBuilder mirroringNavBuilder, PublicKeyEncodingHelper publicKeyEncodingHelper, JwtSignedRequestFactory jwtSignedRequestFactory, UpstreamServer upstreamServer, Validator validator) {
        super(httpClient, i18nService, jsonRenderer, mirroringNavBuilder, jwtSignedRequestFactory, upstreamServer, validator);
        this.config = mirroringConfig;
        this.publicKeyHelper = publicKeyEncodingHelper;
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.CloudUpstreamClient
    @Nonnull
    public Promise<Void> checkRepositoryReadAccess(@Nonnull String str, @Nonnull PublicKey publicKey) {
        MirroringUrl repositoryPermissionBySlug = this.mirroringNavBuilder.cloudUpstream(this.upstream).repositoryPermissionBySlug(str);
        String render = this.jsonRenderer.render(new RestCloudPermissionRequest("ssh_key", this.publicKeyHelper.encodeAsOpenSsh(publicKey)), Collections.emptyMap());
        return newAuthenticatedJsonRequest(repositoryPermissionBySlug).setEntity2(render).post().transform(DefaultResponseTransformation.builder().successful(response -> {
            return null;
        }).others(this::parseRepositoryReadAccessCheckResponse).fail(this::ensureIsRequestFailedOrAuthException).build2());
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.CloudUpstreamClient
    @Nonnull
    public Promise<Void> checkRepositoryReadAccess(@Nonnull String str, @Nonnull String str2, @Nonnull String str3) {
        MirroringUrl repositoryBySlug = this.mirroringNavBuilder.cloudUpstream(this.upstream).repositoryBySlug(str);
        return newUnauthenticatedRequest(repositoryBySlug).setHeader2("Authorization", basicAuthHeaderFor(str2, str3)).head().transform(DefaultResponseTransformation.builder().ok(response -> {
            return null;
        }).unauthorized(this::throwAuthFailedException).forbidden(this::throwRequestUntrusted).others(this::throwRequestFailedUnexpectedResponse).fail(this::ensureIsRequestFailedOrAuthException).build2());
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.CloudUpstreamClient
    @Nonnull
    public Promise<Boolean> isRegisteredSshKey(@Nonnull PublicKey publicKey) {
        MirroringUrl isRegisteredSshKey = this.mirroringNavBuilder.cloudUpstream(this.upstream).isRegisteredSshKey();
        String render = this.jsonRenderer.render(new RestCloudSshKeyExistsRequest(this.publicKeyHelper.encodeAsOpenSsh(publicKey)), Collections.emptyMap());
        return newAuthenticatedJsonRequest(isRegisteredSshKey).setEntity2(render).post().transform(standardResponseBuilder(isRegisteredSshKey).noContent(response -> {
            return true;
        }).notFound(ensureEntityErrorResponseIsFromUpstreamAndThen(response2 -> {
            return false;
        })).build2());
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.CloudUpstreamClient
    @Nonnull
    public Promise<OAuthAccessToken> getAccessToken() {
        MirroringUrl accessToken = this.mirroringNavBuilder.cloudUpstream(this.upstream).oauth2().accessToken();
        return newAuthenticatedJsonRequest(accessToken).setEntity2("grant_type=urn:bitbucket:oauth2:jwt").setContentType2("application/x-www-form-urlencoded").post().transform(standardResponseBuilder(accessToken).ok(this::parseAccessToken).build2());
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.CloudUpstreamClient
    @Nonnull
    public Promise<UpstreamAccount> getAccount() {
        MirroringUrl account = this.mirroringNavBuilder.cloudUpstream(this.upstream).account();
        return newUnauthenticatedJsonRequest(account.getAbsolute()).get().transform(standardResponseBuilder(account).notFound(ensureEntityErrorResponseIsFromUpstreamAndThen(returnNull())).ok(response -> {
            return (RestCloudAccount) parseEntity(response, RestCloudAccount.class).orElseThrow(requestFailedUnexpectedResponseSupplier(response));
        }).build2());
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.InternalUpstreamClient
    @Nonnull
    public Promise<MirroringCapabilities> getCapabilities() {
        return Promises.promise(DEFAULT_CAPABILITIES);
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.InternalUpstreamClient
    @Nonnull
    public Stream<ExternalRepository> getRepositories() {
        MirroringUrl repositories = this.mirroringNavBuilder.cloudUpstream(this.upstream).repositories(getPageSize());
        return MoreStreams.streamIterable(new CloudPageIterable(() -> {
            return getRepoPage(repositories);
        }, str -> {
            return getRepoPage(toMirroringUrl(str));
        }));
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.InternalUpstreamClient
    @Nonnull
    public Stream<ExternalRepository> getRepositoriesByProjectId(@Nonnull String str) {
        throw new UnsupportedOperationException();
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.InternalUpstreamClient
    @Nonnull
    public Promise<ExternalRepository> getRepository(@Nonnull String str) {
        MirroringUrl repositoryById = this.mirroringNavBuilder.upstream(this.upstream).repositoryById(str);
        return newAuthenticatedJsonRequest(repositoryById).get().transform(repositoryEndpointResponseBuilder(repositoryById).notFound(ensureEntityErrorResponseIsFromUpstreamAndThen(returnNull())).ok(response -> {
            return (RestCloudExternalRepository) parseEntity(response, RestCloudExternalRepository.class).orElseThrow(requestFailedUnexpectedResponseSupplier(response));
        }).build2());
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.InternalUpstreamClient
    @Nonnull
    public Promise<Boolean> isMirrorInstalled() {
        MirroringUrl addonStatus = this.mirroringNavBuilder.cloudUpstream(this.upstream).addonStatus(this.config.getAddonKey());
        return newAuthenticatedJsonRequest(addonStatus).get().transform(DefaultResponseTransformation.builder().noContent(response -> {
            return true;
        }).unauthorized(ensureEntityErrorResponseIsFromUpstreamAndThen(response2 -> {
            return false;
        })).notFound(ensureEntityErrorResponseIsFromUpstreamAndThen(response3 -> {
            return false;
        })).others(this::throwRequestFailedUnexpectedResponse).fail(this::ensureIsRequestFailedOrAuthException).build2());
    }

    @Override // com.atlassian.bitbucket.mirroring.mirror.client.UpstreamClient
    @Nonnull
    public Request.Builder newScmHttpRequest(@Nonnull String str) {
        OAuthAccessToken oAuthAccessToken;
        if (this.accessToken == null) {
            oAuthAccessToken = getAccessToken().claim();
            this.accessToken = Suppliers.memoizeWithExpiration(() -> {
                return getAccessToken().claim();
            }, getTokenExpiry(oAuthAccessToken), TimeUnit.MILLISECONDS);
        } else {
            oAuthAccessToken = this.accessToken.get();
        }
        return newUnauthenticatedRequest(this.mirroringNavBuilder.upstream(this.upstream).relativeToBase(str)).setHeader2("Authorization", String.format("Basic %s", Base64.getEncoder().encodeToString(String.format("x-token-auth:%s", oAuthAccessToken.getValue()).getBytes())));
    }

    @Override // com.atlassian.bitbucket.internal.mirroring.mirror.client.AbstractUpstreamClient
    protected void ensureEntityErrorResponseIsFromUpstream(Response response) {
    }

    private String basicAuthHeaderFor(String str, String str2) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        return HttpAuthUtils.AUTH_PREFIX_BASIC + Base64.getEncoder().encodeToString((str + ":" + ((String) StringUtils.defaultIfEmpty(str2, ""))).getBytes(StandardCharsets.UTF_8));
    }

    private int getPageSize() {
        return Math.min(100, this.config.getUpstreamRepositoryRequestPageSize());
    }

    private RestCloudPage<ExternalRepository> getRepoPage(MirroringUrl mirroringUrl) {
        int pageSize = getPageSize();
        log.debug("Retrieving page [limit={}] of upstream repositories", Integer.valueOf(pageSize));
        Promise transform = newAuthenticatedJsonRequest(mirroringUrl).get().transform(repositoryEndpointResponseBuilder(mirroringUrl).notFound(this::throwRequestFailedUnexpectedResponse).ok(this::parseRepoPage).build2());
        transform.done(restCloudPage -> {
            log.debug("Finished retrieving page [limit={}] of upstream repositories", Integer.valueOf(pageSize));
        });
        transform.fail(th -> {
            log.debug("Failed retrieving page [limit={}] of upstream repositories", Integer.valueOf(pageSize), th);
        });
        return (RestCloudPage) transform.claim();
    }

    private static long getTokenExpiry(OAuthAccessToken oAuthAccessToken) {
        return new Date(oAuthAccessToken.getExpiryTimestamp()).getTime() - System.currentTimeMillis();
    }

    private OAuthAccessToken parseAccessToken(Response response) {
        return new OAuthAccessToken(((RestOAuthAccessToken) parseEntity(response, RestOAuthAccessToken.class).orElseThrow(requestFailedUnexpectedResponseSupplier(response))).getAccessToken(), new Date(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(r0.getExpiresIn())));
    }

    private <T> Optional<RestCloudPage<T>> parseEntityPage(Response response, Function<Map<String, ?>, T> function, Class<T> cls) {
        String entity = response.getEntity();
        if (StringUtils.isBlank(entity)) {
            log.debug("The upstream server responded with code {} but the response entity was empty", Integer.valueOf(response.getStatusCode()));
            return Optional.empty();
        }
        if (log.isTraceEnabled()) {
            log.trace("The upstream server responded with code and entity: {}", Integer.valueOf(response.getStatusCode()), entity);
        }
        try {
            Map map = (Map) new ObjectMapper().readValue(entity, Map.class);
            return map == null ? Optional.empty() : Optional.of(new RestCloudPage(map, map2 -> {
                return ValidationUtils.validate(this.validator, function.apply(map2), new Class[0]);
            }));
        } catch (IOException e) {
            log.warn("Failed to deserialize an instance of {} from the response", cls.getName(), e);
            return Optional.empty();
        }
    }

    private RestCloudPage<RestCloudExternalRepository> parseRepoPage(Response response) {
        return (RestCloudPage) parseEntityPage(response, RestCloudExternalRepository::new, RestCloudExternalRepository.class).orElseThrow(requestFailedUnexpectedResponseSupplier(response));
    }

    private Void parseRepositoryReadAccessCheckResponse(Response response) {
        Optional map = parseEntity(response, RestUnknownEntity.class).map((v0) -> {
            return RestCloudError.valueOf(v0);
        });
        if (map.isPresent()) {
            RestCloudError.RestCloudErrorData data = ((RestCloudError) map.get()).getData();
            if (KEY_UNKNOWN.equals(data.getErrorCode())) {
                log.debug("The provided SSH key is not known on the upstream.");
                throw new DelegatedAuthenticationFailureException(this.i18nService.createKeyedMessage("bitbucket.mirroring.authentication.delegation.failed", this.i18nService.getMessage("bitbucket.mirroring.authentication.delegation.invalid.credentials", new Object[0])));
            }
            if (KEY_FORBIDDEN.equals(data.getErrorCode())) {
                log.debug("The provided SSH key is not permitted to access the requested resource.");
                throw new DelegatedAuthorisationException(this.i18nService.createKeyedMessage("bitbucket.mirroring.operation.not.permitted", new Object[0]));
            }
        }
        log.error("Unexpected delegated authentication failure. (Response: {})", response);
        throw newRequestFailedUnexpectedResponseException(response);
    }

    private MirroringUrl toMirroringUrl(final String str) {
        return new MirroringUrl() { // from class: com.atlassian.bitbucket.internal.mirroring.mirror.client.DefaultCloudUpstreamClient.1
            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public String getAbsolute() {
                return str;
            }

            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public String getRelative() {
                URI create = URI.create(DefaultCloudUpstreamClient.this.upstream.getApiBaseUrl());
                String path = create.getPath();
                if (str.startsWith(path)) {
                    return str.substring(str.indexOf(path) + path.length());
                }
                throw new IllegalArgumentException(String.format("Unable to calculate relative path of next page URL %s from API base URL %s", str, create));
            }

            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public MirroringUrl parameter(@Nonnull String str2, Object obj) {
                throw new UnsupportedOperationException();
            }

            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public MirroringUrl parameters(@Nonnull Multimap<String, ?> multimap) {
                throw new UnsupportedOperationException();
            }

            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public MirroringUrl parameterNotEncoded(@Nonnull String str2, Object obj) {
                throw new UnsupportedOperationException();
            }

            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public MirroringUrl path(@Nonnull String... strArr) {
                throw new UnsupportedOperationException();
            }

            @Override // com.atlassian.bitbucket.internal.mirroring.mirror.nav.MirroringUrl
            @Nonnull
            public MirroringUrl pathNotEncoded(@Nonnull String... strArr) {
                throw new UnsupportedOperationException();
            }
        };
    }

    private <T> T throwAuthFailedException(Response response) {
        throw new DelegatedAuthenticationFailureException(this.i18nService.createKeyedMessage("bitbucket.mirroring.authentication.delegation.failed", this.i18nService.getMessage("bitbucket.mirroring.authentication.delegation.invalid.credentials", new Object[0])));
    }
}
