package com.google.cloud.tools.jib.frontend;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.tools.jib.api.Credential;
import com.google.cloud.tools.jib.api.CredentialRetriever;
import com.google.cloud.tools.jib.api.ImageReference;
import com.google.cloud.tools.jib.api.LogEvent;
import com.google.cloud.tools.jib.registry.credentials.CredentialHelperNotFoundException;
import com.google.cloud.tools.jib.registry.credentials.CredentialHelperUnhandledServerUrlException;
import com.google.cloud.tools.jib.registry.credentials.CredentialRetrievalException;
import com.google.cloud.tools.jib.registry.credentials.DockerConfigCredentialRetriever;
import com.google.cloud.tools.jib.registry.credentials.DockerCredentialHelper;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.UnmodifiableIterator;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.function.Consumer;

/* loaded from: input_file:com/google/cloud/tools/jib/frontend/CredentialRetrieverFactory.class */
public class CredentialRetrieverFactory {
    private static final String OAUTH_SCOPE_STORAGE_READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write";
    private static final ImmutableMap<String, String> WELL_KNOWN_CREDENTIAL_HELPERS = ImmutableMap.of("gcr.io", "docker-credential-gcr", "amazonaws.com", "docker-credential-ecr-login");
    private final ImageReference imageReference;
    private final Consumer<LogEvent> logger;
    private final DockerCredentialHelperFactory dockerCredentialHelperFactory;
    private final GoogleCredentialsProvider googleCredentialsProvider;

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    @FunctionalInterface
    /* loaded from: input_file:com/google/cloud/tools/jib/frontend/CredentialRetrieverFactory$DockerCredentialHelperFactory.class */
    public interface DockerCredentialHelperFactory {
        DockerCredentialHelper create(String str, Path path);
    }

    @VisibleForTesting
    @FunctionalInterface
    /* loaded from: input_file:com/google/cloud/tools/jib/frontend/CredentialRetrieverFactory$GoogleCredentialsProvider.class */
    interface GoogleCredentialsProvider {
        GoogleCredentials get() throws IOException;
    }

    public static CredentialRetrieverFactory forImage(ImageReference imageReference, Consumer<LogEvent> consumer) {
        return new CredentialRetrieverFactory(imageReference, consumer, DockerCredentialHelper::new, GoogleCredentials::getApplicationDefault);
    }

    @VisibleForTesting
    CredentialRetrieverFactory(ImageReference imageReference, Consumer<LogEvent> consumer, DockerCredentialHelperFactory dockerCredentialHelperFactory, GoogleCredentialsProvider googleCredentialsProvider) {
        this.imageReference = imageReference;
        this.logger = consumer;
        this.dockerCredentialHelperFactory = dockerCredentialHelperFactory;
        this.googleCredentialsProvider = googleCredentialsProvider;
    }

    public CredentialRetriever known(Credential credential, String str) {
        return () -> {
            logGotCredentialsFrom("credentials from " + str);
            return Optional.of(credential);
        };
    }

    public CredentialRetriever dockerCredentialHelper(String str) {
        return dockerCredentialHelper(Paths.get(str, new String[0]));
    }

    public CredentialRetriever dockerCredentialHelper(Path path) {
        return () -> {
            try {
                return Optional.of(retrieveFromDockerCredentialHelper(path));
            } catch (CredentialHelperUnhandledServerUrlException e) {
                this.logger.accept(LogEvent.info("No credentials for " + this.imageReference.getRegistry() + " in " + path));
                return Optional.empty();
            } catch (IOException e2) {
                throw new CredentialRetrievalException(e2);
            }
        };
    }

    public CredentialRetriever wellKnownCredentialHelpers() {
        return () -> {
            UnmodifiableIterator it = WELL_KNOWN_CREDENTIAL_HELPERS.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                try {
                } catch (CredentialHelperNotFoundException | CredentialHelperUnhandledServerUrlException e) {
                    if (e.getMessage() != null) {
                        this.logger.accept(LogEvent.info(e.getMessage()));
                        if (e.getCause() != null && e.getCause().getMessage() != null) {
                            this.logger.accept(LogEvent.info("  Caused by: " + e.getCause().getMessage()));
                        }
                    }
                } catch (IOException e2) {
                    throw new CredentialRetrievalException(e2);
                }
                if (this.imageReference.getRegistry().endsWith((String) entry.getKey())) {
                    return Optional.of(retrieveFromDockerCredentialHelper(Paths.get((String) entry.getValue(), new String[0])));
                }
                continue;
            }
            return Optional.empty();
        };
    }

    public CredentialRetriever dockerConfig() {
        return dockerConfig(DockerConfigCredentialRetriever.create(this.imageReference.getRegistry(), Paths.get(System.getProperty("user.home"), ".docker", "config.json")));
    }

    public CredentialRetriever dockerConfig(Path path) {
        return dockerConfig(DockerConfigCredentialRetriever.create(this.imageReference.getRegistry(), path));
    }

    public CredentialRetriever legacyDockerConfig(Path path) {
        return dockerConfig(DockerConfigCredentialRetriever.createForLegacyFormat(this.imageReference.getRegistry(), path));
    }

    public CredentialRetriever googleApplicationDefaultCredentials() {
        return () -> {
            try {
                if (this.imageReference.getRegistry().endsWith("gcr.io") || this.imageReference.getRegistry().endsWith("docker.pkg.dev")) {
                    GoogleCredentials googleCredentials = this.googleCredentialsProvider.get();
                    this.logger.accept(LogEvent.info("Google ADC found"));
                    if (googleCredentials.createScopedRequired()) {
                        this.logger.accept(LogEvent.info("ADC is a service account. Setting GCS read-write scope"));
                        googleCredentials = googleCredentials.createScoped(Collections.singletonList(OAUTH_SCOPE_STORAGE_READ_WRITE));
                    }
                    googleCredentials.refreshIfExpired();
                    logGotCredentialsFrom("Google Application Default Credentials");
                    return Optional.of(Credential.from("oauth2accesstoken", googleCredentials.getAccessToken().getTokenValue()));
                }
            } catch (IOException e) {
                this.logger.accept(LogEvent.info("ADC not present or error fetching access token: " + e.getMessage()));
            }
            return Optional.empty();
        };
    }

    @VisibleForTesting
    CredentialRetriever dockerConfig(DockerConfigCredentialRetriever dockerConfigCredentialRetriever) {
        return () -> {
            Path dockerConfigFile = dockerConfigCredentialRetriever.getDockerConfigFile();
            try {
                Optional<Credential> retrieve = dockerConfigCredentialRetriever.retrieve(this.logger);
                if (retrieve.isPresent()) {
                    logGotCredentialsFrom("credentials from Docker config (" + dockerConfigFile + ")");
                    return retrieve;
                }
            } catch (IOException e) {
                this.logger.accept(LogEvent.info("Unable to parse Docker config file: " + dockerConfigFile));
            }
            return Optional.empty();
        };
    }

    private Credential retrieveFromDockerCredentialHelper(Path path) throws CredentialHelperUnhandledServerUrlException, CredentialHelperNotFoundException, IOException {
        Credential retrieve = this.dockerCredentialHelperFactory.create(this.imageReference.getRegistry(), path).retrieve();
        logGotCredentialsFrom("credential helper " + path.getFileName().toString());
        return retrieve;
    }

    private void logGotCredentialsFrom(String str) {
        this.logger.accept(LogEvent.lifecycle("Using " + str + " for " + this.imageReference));
    }
}
