package io.fabric8.maven.docker.util;

import com.google.common.net.UrlEscapers;
import com.google.gson.Gson;
import com.google.gson.JsonObject;
import io.fabric8.maven.docker.access.AuthConfig;
import io.fabric8.maven.docker.access.ecr.EcrExtendedAuth;
import io.fabric8.maven.docker.util.aws.AwsSdkAuthConfigFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ConnectTimeoutException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.Settings;
import org.codehaus.plexus.PlexusContainer;
import org.codehaus.plexus.component.repository.exception.ComponentLookupException;
import org.codehaus.plexus.util.xml.Xpp3Dom;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;

/* loaded from: input_file:io/fabric8/maven/docker/util/AuthConfigFactory.class */
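/**
 * Resolves the credentials used to talk to a Docker registry.
 *
 * <p>Sources are consulted in this order, and the first one that yields credentials wins:
 * <ol>
 *   <li>system properties, OpenShift login and the plugin's auth configuration map, tried for
 *       each lookup mode (push/pull, then {@code docker.}, then {@code registry.});</li>
 *   <li>server entries of the Maven settings;</li>
 *   <li>for AWS ECR registries only: the AWS SDK (if on the classpath), the AWS environment
 *       variables, the EC2 instance role, and the ECS task role;</li>
 *   <li>the Docker client configuration ({@code credHelpers}, {@code credsStore}, {@code auths}).</li>
 * </ol>
 *
 * <p>Secrets handled here (passwords, AWS secret keys, session tokens) are never written to the log
 * by this class; only a short prefix of the AWS access key id is logged at debug level.
 *
 * <p>{@link #setLog(Logger)} must be called before any lookup, because every lookup path logs.
 */
public class AuthConfigFactory {
    private static final String AUTH_USE_OPENSHIFT_AUTH = "useOpenShiftAuth";
    static final String DOCKER_LOGIN_DEFAULT_REGISTRY = "https://index.docker.io/v1/";
    private static final String[] DEFAULT_REGISTRIES = {"docker.io", "index.docker.io", "registry.hub.docker.com"};

    /** Link-local endpoint that lists the IAM role attached to an EC2 instance. */
    private static final String EC2_SECURITY_CREDENTIALS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials";
    /** Endpoint used for ECS task-role credentials when ECS_METADATA_ENDPOINT is not set. */
    private static final String ECS_DEFAULT_METADATA_ENDPOINT = "http://169.254.170.2";
    /** Connect, connection-request and socket timeout for metadata calls, in milliseconds. */
    private static final int METADATA_TIMEOUT_MS = 1000;
    /** Number of leading characters of the access key id that may appear in the debug log. */
    private static final int ACCESS_KEY_LOG_PREFIX_LENGTH = 8;
    /** Captures everything before the first '/' of a kubeconfig user name. Compiled once. */
    private static final Pattern KUBE_USER_NAME_PATTERN = Pattern.compile("^([^/]+).*$");

    private final PlexusContainer container;
    private Logger log;

    /**
     * Selects which system-property prefix and which nested key of the plugin's auth configuration
     * map are consulted. Decompiler note: this enum was private in the compiled class.
     */
    public enum LookupMode {
        PUSH("docker.push.", "push"),
        PULL("docker.pull.", "pull"),
        REGISTRY("registry.", null),
        DEFAULT("docker.", null);

        private final String sysPropPrefix;
        private final String configMapKey;

        LookupMode(String sysPropPrefix, String configMapKey) {
            this.sysPropPrefix = sysPropPrefix;
            this.configMapKey = configMapKey;
        }

        /** Returns the system property name for {@code str} in this mode, e.g. {@code docker.push.username}. */
        public String asSysProperty(String str) {
            return this.sysPropPrefix + str;
        }

        /** Returns the nested key in the auth configuration map, or {@code null} to use the map itself. */
        public String getConfigMapKey() {
            return this.configMapKey;
        }
    }

    /**
     * @param plexusContainer container used to look up Maven's security dispatcher for password decryption
     */
    public AuthConfigFactory(PlexusContainer plexusContainer) {
        this.container = plexusContainer;
    }

    /** Sets the logger used by every lookup path. */
    public void setLog(Logger logger) {
        this.log = logger;
    }

    /**
     * Looks up credentials for a registry.
     *
     * @param z        {@code true} selects the push lookup mode, {@code false} the pull lookup mode
     * @param z2       when {@code true} the ECR extended-authentication step is skipped
     * @param map      the plugin's auth configuration map; may be {@code null}
     * @param settings Maven settings whose server entries are searched
     * @param str      optional suffix: a settings server with id {@code <registry>/<str>} is preferred over
     *                 one whose id is the bare registry (presumably the user name; confirm against callers)
     * @param str2     the registry, or {@code null} for the default registries
     * @return the credentials with their registry set, or {@code null} if no source provided any
     * @throws MojoExecutionException if a source is incomplete, decryption fails, or extended authentication fails
     */
    public AuthConfig createAuthConfig(boolean z, boolean z2, Map map, Settings settings, String str, String str2) throws MojoExecutionException {
        final boolean skipExtendedAuth = z2;
        final String registry = str2;

        AuthConfig standard = createStandardAuthConfig(z, map, settings, str, registry);
        if (standard == null) {
            // Last resort: whatever the local Docker client has stored.
            AuthConfig fromDockerConfig = getAuthConfigFromDockerConfig(registry);
            if (fromDockerConfig == null) {
                log.debug("AuthConfig: no credentials found");
                return null;
            }
            fromDockerConfig.setRegistry(registry);
            log.debug("AuthConfig: credentials from ~/.docker/config.json");
            return fromDockerConfig;
        }
        if (registry == null || skipExtendedAuth) {
            standard.setRegistry(registry);
            return standard;
        }
        try {
            AuthConfig extended = extendedAuthentication(standard, registry);
            extended.setRegistry(registry);
            return extended;
        } catch (IOException e) {
            throw new MojoExecutionException(e.getMessage(), e);
        }
    }

    /**
     * Runs the ECR extended authentication for AWS registries and returns the given
     * credentials unchanged for every other registry.
     */
    private AuthConfig extendedAuthentication(AuthConfig authConfig, String registry) throws IOException, MojoExecutionException {
        EcrExtendedAuth ecr = new EcrExtendedAuth(this.log, registry);
        return ecr.isAwsRegistry() ? ecr.extendedAuth(authConfig) : authConfig;
    }

    /**
     * Walks the explicit credential sources in priority order and, for AWS registries only,
     * the ambient AWS sources. Returns {@code null} when none of them yields credentials.
     */
    private AuthConfig createStandardAuthConfig(boolean isPush, Map authConfigMap, Settings settings, String serverIdSuffix, String registry) throws MojoExecutionException {
        for (LookupMode mode : new LookupMode[] {getLookupMode(isPush), LookupMode.DEFAULT, LookupMode.REGISTRY}) {
            AuthConfig fromSystemProperties = getAuthConfigFromSystemProperties(mode);
            if (fromSystemProperties != null) {
                log.debug("AuthConfig: credentials from system properties");
                return fromSystemProperties;
            }
            // The OpenShift login is not consulted for the "registry." prefix.
            if (mode != LookupMode.REGISTRY) {
                AuthConfig fromOpenShift = getAuthConfigFromOpenShiftConfig(mode, authConfigMap);
                if (fromOpenShift != null) {
                    log.debug("AuthConfig: OpenShift credentials");
                    return fromOpenShift;
                }
            }
            AuthConfig fromPluginConfig = getAuthConfigFromPluginConfiguration(mode, authConfigMap);
            if (fromPluginConfig != null) {
                log.debug("AuthConfig: credentials from plugin config");
                return fromPluginConfig;
            }
        }

        AuthConfig fromSettings = getAuthConfigFromSettings(settings, serverIdSuffix, registry);
        if (fromSettings != null) {
            log.debug("AuthConfig: credentials from ~/.m2/setting.xml");
            return fromSettings;
        }

        // Ambient AWS credentials are only ever used for AWS registries, so that they are
        // not picked up for (and sent to) an unrelated registry.
        if (!EcrExtendedAuth.isAwsRegistry(registry)) {
            return null;
        }

        AuthConfig fromAwsSdk = getAuthConfigViaAwsSdk();
        if (fromAwsSdk != null) {
            log.debug("AuthConfig: AWS credentials from AWS SDK");
            return fromAwsSdk;
        }

        AuthConfig fromEnvironment = getAuthConfigFromAwsEnvironmentVariables();
        if (fromEnvironment != null) {
            log.debug("AuthConfig: AWS credentials from ENV variables");
            return fromEnvironment;
        }

        AuthConfig fromInstanceRole = null;
        try {
            fromInstanceRole = getAuthConfigFromEC2InstanceRole();
        } catch (ConnectTimeoutException e) {
            // Expected when the build does not run on EC2: the link-local address is unreachable.
            log.debug("Connection timeout while retrieving instance meta-data, likely not an EC2 instance (%s)", e.getMessage());
        } catch (IOException e) {
            log.warn("Error while retrieving EC2 instance credentials: %s", e.getMessage());
        }
        if (fromInstanceRole != null) {
            log.debug("AuthConfig: credentials from EC2 instance role");
            return fromInstanceRole;
        }

        AuthConfig fromTaskRole = null;
        try {
            fromTaskRole = getAuthConfigFromTaskRole();
        } catch (ConnectTimeoutException e) {
            log.debug("Connection timeout while retrieving ECS meta-data, likely not an ECS instance (%s)", e.getMessage());
        } catch (IOException e) {
            log.warn("Error while retrieving ECS Task role credentials: %s", e.getMessage());
        }
        if (fromTaskRole == null) {
            return null;
        }
        log.debug("AuthConfig: credentials from ECS Task role");
        return fromTaskRole;
    }

    /**
     * Delegates to the AWS SDK based factory when the SDK's default credentials provider chain
     * class can be loaded; otherwise logs a hint and returns {@code null}.
     */
    private AuthConfig getAuthConfigViaAwsSdk() {
        try {
            // Probe only: the class is optional and must not be referenced statically here.
            Class.forName("com.amazonaws.auth.DefaultAWSCredentialsProviderChain");
            return new AwsSdkAuthConfigFactory(this.log).createAuthConfig();
        } catch (ClassNotFoundException e) {
            log.info("It appears that you're using AWS ECR. Consider integrating the AWS SDK in order to make use of common AWS authentication mechanisms, see https://dmp.fabric8.io/#extended-authentication");
            return null;
        }
    }

    /**
     * Reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and the optional AWS_SESSION_TOKEN from the
     * process environment. Returns {@code null} unless both key id and secret key are set.
     */
    private AuthConfig getAuthConfigFromAwsEnvironmentVariables() {
        String accessKeyId = System.getenv("AWS_ACCESS_KEY_ID");
        if (accessKeyId == null) {
            log.debug("System environment not set for variable AWS_ACCESS_KEY_ID, no AWS credentials found");
            return null;
        }
        String secretAccessKey = System.getenv("AWS_SECRET_ACCESS_KEY");
        if (secretAccessKey == null) {
            log.warn("System environment set for variable AWS_ACCESS_KEY_ID, but NOT for variable AWS_SECRET_ACCESS_KEY!");
            return null;
        }
        return new AuthConfig(accessKeyId, secretAccessKey, "none", System.getenv("AWS_SESSION_TOKEN"));
    }

    /**
     * Asks the EC2 instance metadata endpoint for the instance role and then for that role's
     * temporary credentials.
     *
     * <p>Both requests are plain GETs without a metadata session token.
     * NOTE(review): an instance that requires session tokens for metadata access is expected to
     * answer with a non-200 status, which this method reports as "no instance role"; confirm and
     * consider adding token support.
     *
     * @return the temporary credentials, or {@code null} if the endpoint does not answer with status 200
     * @throws IOException on connection problems or a malformed response
     */
    private AuthConfig getAuthConfigFromEC2InstanceRole() throws IOException {
        log.debug("No user and password set for ECR, checking EC2 instance role");
        // try-with-resources closes client, response and stream on every path, including failures.
        try (CloseableHttpClient client = HttpClients.custom().useSystemProperties().build()) {
            RequestConfig requestConfig = metadataRequestConfig();
            HttpGet roleRequest = new HttpGet(EC2_SECURITY_CREDENTIALS_URL);
            roleRequest.setConfig(requestConfig);

            String instanceRole;
            try (CloseableHttpResponse response = client.execute(roleRequest)) {
                int status = response.getStatusLine().getStatusCode();
                if (status != 200) {
                    log.debug("No instance role found, return code was %d", status);
                    return null;
                }
                if (response.getEntity() == null) {
                    throw new IOException("Instance metadata endpoint returned no role name");
                }
                try (InputStream content = response.getEntity().getContent()) {
                    instanceRole = IOUtils.toString(content, StandardCharsets.UTF_8);
                }
            }
            log.debug("Found instance role %s, getting temporary security credentials", instanceRole);

            // The role name comes from the network, so it is escaped as a single path segment
            // and cannot change the path of the second request.
            HttpGet credentialsRequest = new HttpGet(EC2_SECURITY_CREDENTIALS_URL + "/" + UrlEscapers.urlPathSegmentEscaper().escape(instanceRole));
            credentialsRequest.setConfig(requestConfig);
            return readAwsCredentials(client, credentialsRequest);
        }
    }

    /**
     * Fetches temporary credentials of the ECS task role from the container metadata endpoint.
     *
     * @return the credentials, or {@code null} if no task-role URI is configured or the endpoint
     *         does not answer with status 200
     * @throws IOException on connection problems or a malformed response
     */
    private AuthConfig getAuthConfigFromTaskRole() throws IOException {
        log.debug("No user and password set for ECR, checking ECS Task role");
        URI endpoint = getMetadataEndpointForCredentials();
        if (endpoint == null) {
            return null;
        }
        log.debug("Getting temporary security credentials from: %s", endpoint);
        try (CloseableHttpClient client = HttpClients.custom().useSystemProperties().build()) {
            HttpGet request = new HttpGet(endpoint);
            request.setConfig(metadataRequestConfig());
            return readAwsCredentials(client, request);
        }
    }

    /** Short timeouts: the metadata endpoints are link-local and either answer quickly or not at all. */
    private static RequestConfig metadataRequestConfig() {
        return RequestConfig.custom()
                .setConnectionRequestTimeout(METADATA_TIMEOUT_MS)
                .setConnectTimeout(METADATA_TIMEOUT_MS)
                .setSocketTimeout(METADATA_TIMEOUT_MS)
                .build();
    }

    /**
     * Executes the request and parses the JSON credential document (fields {@code AccessKeyId},
     * {@code SecretAccessKey}, {@code Token}).
     *
     * <p>Only a prefix of the access key id is logged; the secret key and the token are never logged
     * and are not included in exception messages.
     *
     * @return the credentials, or {@code null} if the status is not 200
     * @throws IOException on I/O failure, or if the document is empty or lacks one of the three fields
     *         (previously this surfaced as an unchecked exception that callers do not handle)
     */
    private AuthConfig readAwsCredentials(CloseableHttpClient client, HttpGet request) throws IOException {
        try (CloseableHttpResponse response = client.execute(request)) {
            int status = response.getStatusLine().getStatusCode();
            if (status != 200) {
                log.debug("No security credential found, return code was %d", status);
                return null;
            }
            if (response.getEntity() == null) {
                throw new IOException("Credential endpoint returned an empty response");
            }
            try (InputStreamReader reader = new InputStreamReader(response.getEntity().getContent(), StandardCharsets.UTF_8)) {
                JsonObject credentials = new Gson().fromJson(reader, JsonObject.class);
                String accessKeyId = requiredCredentialField(credentials, "AccessKeyId");
                String secretAccessKey = requiredCredentialField(credentials, "SecretAccessKey");
                String token = requiredCredentialField(credentials, "Token");
                // Bounded prefix: a key id shorter than the prefix must not break the lookup.
                int prefixLength = Math.min(ACCESS_KEY_LOG_PREFIX_LENGTH, accessKeyId.length());
                log.debug("Received temporary access key %s...", accessKeyId.substring(0, prefixLength));
                return new AuthConfig(accessKeyId, secretAccessKey, "none", token);
            }
        }
    }

    /** Returns the named string field, or fails with an IOException that names only the field. */
    private static String requiredCredentialField(JsonObject credentials, String field) throws IOException {
        if (credentials == null || !credentials.has(field) || !credentials.get(field).isJsonPrimitive()) {
            throw new IOException("Credential document is missing field " + field);
        }
        return credentials.getAsJsonPrimitive(field).getAsString();
    }

    /**
     * Builds the task-role credential URL from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and the
     * optional ECS_METADATA_ENDPOINT override.
     *
     * <p>The host that receives the credential request is taken from the environment when
     * ECS_METADATA_ENDPOINT is set, so whoever controls the build environment controls where the
     * request goes. The default endpoint is plain HTTP on a link-local address.
     *
     * @return the URL, or {@code null} if the relative URI is unset or empty, or the URL is not valid
     */
    private URI getMetadataEndpointForCredentials() {
        String relativeUri = System.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
        // An empty value is treated like an unset one; charAt(0) on it used to throw.
        if (relativeUri == null || relativeUri.isEmpty()) {
            log.debug("System environment not set for variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, no task role found");
            return null;
        }
        if (!relativeUri.startsWith("/")) {
            relativeUri = "/" + relativeUri;
        }
        String endpoint = System.getenv("ECS_METADATA_ENDPOINT");
        if (endpoint == null) {
            endpoint = ECS_DEFAULT_METADATA_ENDPOINT;
        }
        try {
            return new URI(endpoint + relativeUri);
        } catch (URISyntaxException e) {
            log.warn("Failed to construct path to ECS metadata endpoint for credentials", e);
            return null;
        }
    }

    /**
     * Reads user name, password, e-mail and auth token from the system properties of the given mode.
     * The password value is passed through {@link #decrypt(String)}.
     *
     * @return the credentials, or {@code null} if no user name property is set
     * @throws MojoExecutionException if a user name is set without a password
     */
    private AuthConfig getAuthConfigFromSystemProperties(LookupMode lookupMode) throws MojoExecutionException {
        Properties props = System.getProperties();
        String userKey = lookupMode.asSysProperty(AuthConfig.AUTH_USERNAME);
        String passwordKey = lookupMode.asSysProperty(AuthConfig.AUTH_PASSWORD);
        if (!props.containsKey(userKey)) {
            return null;
        }
        if (!props.containsKey(passwordKey)) {
            // The message names the property and the user, never a secret.
            throw new MojoExecutionException("No " + passwordKey + " provided for username " + props.getProperty(userKey));
        }
        return new AuthConfig(
                props.getProperty(userKey),
                decrypt(props.getProperty(passwordKey)),
                props.getProperty(lookupMode.asSysProperty(AuthConfig.AUTH_EMAIL)),
                getAuthProperty(props, lookupMode));
    }

    /** Returns the auth property of the mode, falling back to its {@code authToken} property. */
    private String getAuthProperty(Properties props, LookupMode lookupMode) {
        String auth = props.getProperty(lookupMode.asSysProperty(AuthConfig.AUTH_AUTH));
        return auth != null ? auth : props.getProperty(lookupMode.asSysProperty("authToken"));
    }

    /**
     * Uses the current OpenShift login when {@code useOpenShiftAuth} is enabled. The system property
     * takes precedence over the plugin configuration: if it is present and false, the plugin
     * configuration is not consulted.
     *
     * @throws MojoExecutionException if OpenShift auth is requested but no user/token is found
     */
    private AuthConfig getAuthConfigFromOpenShiftConfig(LookupMode lookupMode, Map authConfigMap) throws MojoExecutionException {
        Properties props = System.getProperties();
        String useOpenShiftAuthKey = lookupMode.asSysProperty(AUTH_USE_OPENSHIFT_AUTH);
        if (props.containsKey(useOpenShiftAuthKey)) {
            if (Boolean.parseBoolean(props.getProperty(useOpenShiftAuthKey))) {
                return validateMandatoryOpenShiftLogin(parseOpenShiftConfig(), useOpenShiftAuthKey);
            }
            return null;
        }
        Map configured = getAuthConfigMapToCheck(lookupMode, authConfigMap);
        if (configured != null
                && configured.containsKey(AUTH_USE_OPENSHIFT_AUTH)
                && Boolean.parseBoolean((String) configured.get(AUTH_USE_OPENSHIFT_AUTH))) {
            return validateMandatoryOpenShiftLogin(parseOpenShiftConfig(), useOpenShiftAuthKey);
        }
        return null;
    }

    /**
     * Builds credentials from the plugin's auth configuration map for the given mode.
     *
     * @return the credentials, or {@code null} if the map has no user name
     * @throws MojoExecutionException if a user name is configured without a password
     */
    private AuthConfig getAuthConfigFromPluginConfiguration(LookupMode lookupMode, Map authConfigMap) throws MojoExecutionException {
        Map configured = getAuthConfigMapToCheck(lookupMode, authConfigMap);
        if (configured == null || !configured.containsKey(AuthConfig.AUTH_USERNAME)) {
            return null;
        }
        if (!configured.containsKey(AuthConfig.AUTH_PASSWORD)) {
            throw new MojoExecutionException("No 'password' given while using <authConfig> in configuration for mode " + lookupMode);
        }
        // Work on a copy so the decrypted password is not written back into the caller's map.
        HashMap decrypted = new HashMap(configured);
        decrypted.put(AuthConfig.AUTH_PASSWORD, decrypt((String) decrypted.get(AuthConfig.AUTH_PASSWORD)));
        return new AuthConfig(decrypted);
    }

    /**
     * Searches the settings' server entries. A server whose id is {@code <registry>/<serverIdSuffix>}
     * wins immediately; otherwise the first server whose id is the bare registry is used.
     */
    private AuthConfig getAuthConfigFromSettings(Settings settings, String serverIdSuffix, String registry) throws MojoExecutionException {
        Server registryOnlyMatch = null;
        for (Server candidate : settings.getServers()) {
            String id = candidate.getId();
            if (registryOnlyMatch == null) {
                registryOnlyMatch = checkForServer(candidate, id, registry, null);
            }
            Server exactMatch = checkForServer(candidate, id, registry, serverIdSuffix);
            if (exactMatch != null) {
                return createAuthConfigFromServer(exactMatch);
            }
        }
        return registryOnlyMatch != null ? createAuthConfigFromServer(registryOnlyMatch) : null;
    }

    /**
     * Reads credentials from the Docker client configuration. A registry-specific entry in
     * {@code credHelpers} wins over the global {@code credsStore}, which wins over {@code auths}.
     */
    private AuthConfig getAuthConfigFromDockerConfig(String registry) throws MojoExecutionException {
        JsonObject dockerConfig = DockerFileUtil.readDockerConfig();
        if (dockerConfig == null) {
            return null;
        }
        String registryToLookup = registry != null ? registry : DOCKER_LOGIN_DEFAULT_REGISTRY;

        if (dockerConfig.has("credHelpers")) {
            JsonObject credHelpers = dockerConfig.getAsJsonObject("credHelpers");
            if (credHelpers.has(registryToLookup)) {
                return extractAuthConfigFromCredentialsHelper(registryToLookup, credHelpers.get(registryToLookup).getAsString());
            }
        }
        if (dockerConfig.has("credsStore")) {
            return extractAuthConfigFromCredentialsHelper(registryToLookup, dockerConfig.get("credsStore").getAsString());
        }
        if (dockerConfig.has("auths")) {
            return extractAuthConfigFromDockerConfigAuths(registryToLookup, dockerConfig.getAsJsonObject("auths"));
        }
        return null;
    }

    /**
     * Reads the {@code auth}, {@code email} and {@code identitytoken} values of the registry's entry
     * in {@code auths}. JSON null values are treated like absent ones for all three fields.
     */
    private AuthConfig extractAuthConfigFromDockerConfigAuths(String registry, JsonObject auths) {
        JsonObject credentials = getCredentialsNode(auths, registry);
        if (credentials == null || !hasValue(credentials, AuthConfig.AUTH_AUTH)) {
            return null;
        }
        String auth = credentials.get(AuthConfig.AUTH_AUTH).getAsString();
        String email = hasValue(credentials, AuthConfig.AUTH_EMAIL) ? credentials.get(AuthConfig.AUTH_EMAIL).getAsString() : null;
        String identityToken = hasValue(credentials, "identitytoken") ? credentials.get("identitytoken").getAsString() : null;
        return new AuthConfig(auth, email, identityToken);
    }

    /** True if the member exists and is not JSON null, so that getAsString() is safe for plain values. */
    private static boolean hasValue(JsonObject node, String member) {
        return node.has(member) && !node.get(member).isJsonNull();
    }

    /**
     * Obtains credentials through a credential helper or store.
     * NOTE(review): the helper name is taken from the Docker client configuration and handed to
     * CredentialHelperClient; how it is turned into a command is not visible here, so confirm that
     * the name is validated there.
     */
    private AuthConfig extractAuthConfigFromCredentialsHelper(String registry, String helperName) throws MojoExecutionException {
        CredentialHelperClient helper = new CredentialHelperClient(this.log, helperName);
        String version = helper.getVersion();
        log.debug("AuthConfig: credentials from credential helper/store %s%s",
                helper.getName(),
                version != null ? " version " + version : "");
        return helper.getAuthConfig(registry);
    }

    /** Finds the entry for the registry, trying the name as given and then as an HTTP(S) URL. */
    private JsonObject getCredentialsNode(JsonObject auths, String registry) {
        if (auths.has(registry)) {
            return auths.getAsJsonObject(registry);
        }
        String registryUrl = EnvUtil.ensureRegistryHttpUrl(registry);
        if (auths.has(registryUrl)) {
            return auths.getAsJsonObject(registryUrl);
        }
        return null;
    }

    /** Returns the map itself for modes without a nested key, else the nested map (or {@code null}). */
    private Map getAuthConfigMapToCheck(LookupMode lookupMode, Map authConfigMap) {
        String configMapKey = lookupMode.getConfigMapKey();
        if (configMapKey == null) {
            return authConfigMap;
        }
        return authConfigMap != null ? (Map) authConfigMap.get(configMapKey) : null;
    }

    /**
     * Reads user and token of the kubeconfig's current context.
     *
     * @return the credentials, or {@code null} if there is no kubeconfig, no current context,
     *         no {@code contexts} list, or no matching context
     */
    @SuppressWarnings("unchecked")
    private AuthConfig parseOpenShiftConfig() {
        Map<String, ?> kubeConfig = DockerFileUtil.readKubeConfig();
        if (kubeConfig == null) {
            return null;
        }
        String currentContext = (String) kubeConfig.get("current-context");
        if (currentContext == null) {
            return null;
        }
        // A kubeconfig that names a current context but has no "contexts" list must not fail the build.
        List<Map> contexts = (List<Map>) kubeConfig.get("contexts");
        if (contexts == null) {
            return null;
        }
        for (Map contextEntry : contexts) {
            if (currentContext.equals(contextEntry.get(NamePatternUtil.NAME_FIELD))) {
                return parseContext(kubeConfig, (Map) contextEntry.get("context"));
            }
        }
        return null;
    }

    /** Resolves the context's user in the kubeconfig's {@code users} list. */
    @SuppressWarnings("unchecked")
    private AuthConfig parseContext(Map kubeConfig, Map context) {
        if (context == null) {
            return null;
        }
        String userName = (String) context.get("user");
        if (userName == null) {
            return null;
        }
        List<Map> users = (List<Map>) kubeConfig.get("users");
        if (users == null) {
            return null;
        }
        for (Map userEntry : users) {
            if (userName.equals(userEntry.get(NamePatternUtil.NAME_FIELD))) {
                return parseUser(userName, (Map) userEntry.get("user"));
            }
        }
        return null;
    }

    /**
     * Builds credentials from a kubeconfig user: the part of the name before the first '/'
     * becomes the user name and the token becomes the password.
     */
    private AuthConfig parseUser(String userName, Map user) {
        if (user == null) {
            return null;
        }
        String token = (String) user.get("token");
        if (token == null) {
            return null;
        }
        Matcher matcher = KUBE_USER_NAME_PATTERN.matcher(userName);
        return new AuthConfig(matcher.matches() ? matcher.group(1) : userName, token, null, null);
    }

    /** Returns the credentials, or fails with a hint to run {@code oc login} if there are none. */
    private AuthConfig validateMandatoryOpenShiftLogin(AuthConfig openShiftAuthConfig, String useOpenShiftAuthProperty) throws MojoExecutionException {
        if (openShiftAuthConfig != null) {
            return openShiftAuthConfig;
        }
        String kubeConfigEnv = System.getenv("KUBECONFIG");
        throw new MojoExecutionException(String.format(
                "System property %s set, but not active user and/or token found in %s. Please use 'oc login' for connecting to OpenShift.",
                useOpenShiftAuthProperty,
                kubeConfigEnv != null ? kubeConfigEnv : "~/.kube/config"));
    }

    /**
     * Returns the server if its id equals the registry (or one of the default registries when the
     * registry is {@code null}), optionally followed by {@code "/" + suffix}.
     */
    private Server checkForServer(Server server, String id, String registry, String suffix) {
        String[] registries = registry != null ? new String[] {registry} : DEFAULT_REGISTRIES;
        for (String candidateRegistry : registries) {
            String expectedId = suffix == null ? candidateRegistry : candidateRegistry + "/" + suffix;
            // Comparing from the non-null side tolerates a server entry without an id.
            if (expectedId.equals(id)) {
                return server;
            }
        }
        return null;
    }

    /**
     * Passes the value through Maven's security dispatcher, looked up from the Plexus container
     * under {@code SecDispatcher.ROLE} with hint {@code "maven"}.
     * NOTE(review): the dispatcher is called reflectively and under its own monitor; presumably
     * this avoids class-loader mismatches and concurrent use, confirm. How values that are not
     * encrypted are treated is decided by the dispatcher, not here.
     *
     * @throws MojoExecutionException if the dispatcher cannot be found or invoked
     */
    private String decrypt(String password) throws MojoExecutionException {
        try {
            Object secDispatcher = this.container.lookup(SecDispatcher.ROLE, "maven");
            Method decryptMethod = secDispatcher.getClass().getMethod("decrypt", String.class);
            synchronized (secDispatcher) {
                return (String) decryptMethod.invoke(secDispatcher, password);
            }
        } catch (ComponentLookupException e) {
            throw new MojoExecutionException("Error looking security dispatcher", e);
        } catch (ReflectiveOperationException e) {
            throw new MojoExecutionException("Cannot decrypt password: " + e.getCause(), e);
        }
    }

    /** Builds credentials from a settings server entry; e-mail and auth come from its configuration. */
    private AuthConfig createAuthConfigFromServer(Server server) throws MojoExecutionException {
        return new AuthConfig(
                server.getUsername(),
                decrypt(server.getPassword()),
                extractFromServerConfiguration(server.getConfiguration(), AuthConfig.AUTH_EMAIL),
                extractFromServerConfiguration(server.getConfiguration(), AuthConfig.AUTH_AUTH));
    }

    /** Returns the value of the named child of the server's configuration DOM, or {@code null}. */
    private String extractFromServerConfiguration(Object configuration, String childName) {
        if (configuration == null) {
            return null;
        }
        Xpp3Dom child = ((Xpp3Dom) configuration).getChild(childName);
        return child != null ? child.getValue() : null;
    }

    /** Maps the push flag to the matching lookup mode. */
    private LookupMode getLookupMode(boolean isPush) {
        return isPush ? LookupMode.PUSH : LookupMode.PULL;
    }
}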
