package io.dekorate.certmanager.decorator;

import io.dekorate.certmanager.config.LocalObjectReference;
import io.dekorate.certmanager.config.Vault;
import io.fabric8.certmanager.api.model.meta.v1.SecretKeySelector;
import io.fabric8.certmanager.api.model.meta.v1.SecretKeySelectorBuilder;
import io.fabric8.certmanager.api.model.v1.IssuerBuilder;
import io.fabric8.certmanager.api.model.v1.IssuerFluent;
import io.fabric8.certmanager.api.model.v1.VaultAppRole;
import io.fabric8.certmanager.api.model.v1.VaultAuthBuilder;
import io.fabric8.certmanager.api.model.v1.VaultIssuerBuilder;
import io.fabric8.certmanager.api.model.v1.VaultKubernetesAuth;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;

/* loaded from: input_file:BOOT-INF/lib/certmanager-annotations-4.1.3.jar:io/dekorate/certmanager/decorator/AddVaultIssuerResourceDecorator.class */
public class AddVaultIssuerResourceDecorator extends BaseAddIssuerResourceDecorator {
    private final Vault config;

    public AddVaultIssuerResourceDecorator(Vault vault, String str) {
        super(str);
        this.config = vault;
    }

    @Override // io.dekorate.certmanager.decorator.BaseAddIssuerResourceDecorator
    protected void visitIssuerSpec(IssuerFluent<?>.SpecNested<IssuerBuilder> specNested) {
        if (noneAuthIsSet(this.config.getAuthAppRole(), this.config.getAuthKubernetes(), this.config.getAuthTokenSecretRef())) {
            throw new IllegalArgumentException("No auth mechanism has been set in the Vault Issuer configuration");
        }
        if (moreThanOneAuthIsSet(this.config.getAuthAppRole(), this.config.getAuthKubernetes(), this.config.getAuthTokenSecretRef())) {
            throw new IllegalArgumentException("More than one auth mechanisms have been set in the Vault Issuer configuration");
        }
        VaultIssuerBuilder withPath = new VaultIssuerBuilder().withCaBundle(this.config.getCaBundle()).withServer(this.config.getServer()).withPath(this.config.getPath());
        Optional ofNullable = Optional.ofNullable(this.config.getNamespace());
        withPath.getClass();
        ofNullable.ifPresent(withPath::withNamespace);
        VaultAuthBuilder vaultAuthBuilder = new VaultAuthBuilder();
        Optional.ofNullable(this.config.getAuthTokenSecretRef()).ifPresent(localObjectReference -> {
            vaultAuthBuilder.withTokenSecretRef(toSecretKeySelector(localObjectReference));
        });
        Optional.ofNullable(this.config.getAuthKubernetes()).ifPresent(vaultKubernetesAuth -> {
            vaultAuthBuilder.withKubernetes(toVaultKubernetesAuth(vaultKubernetesAuth));
        });
        Optional.ofNullable(this.config.getAuthAppRole()).ifPresent(vaultAppRole -> {
            vaultAuthBuilder.withAppRole(toVaultAppRole(vaultAppRole));
        });
        withPath.withAuth(vaultAuthBuilder.build());
        specNested.withVault(withPath.build());
    }

    private VaultAppRole toVaultAppRole(io.dekorate.certmanager.config.VaultAppRole vaultAppRole) {
        VaultAppRole vaultAppRole2 = new VaultAppRole();
        vaultAppRole2.setPath(vaultAppRole.getPath());
        vaultAppRole2.setRoleId(vaultAppRole.getRoleId());
        if (vaultAppRole.getSecretRef() != null) {
            vaultAppRole2.setSecretRef(toSecretKeySelector(vaultAppRole.getSecretRef()));
        }
        return vaultAppRole2;
    }

    private VaultKubernetesAuth toVaultKubernetesAuth(io.dekorate.certmanager.config.VaultKubernetesAuth vaultKubernetesAuth) {
        VaultKubernetesAuth vaultKubernetesAuth2 = new VaultKubernetesAuth();
        vaultKubernetesAuth2.setMountPath(vaultKubernetesAuth.getMountPath());
        vaultKubernetesAuth2.setRole(vaultKubernetesAuth.getRole());
        if (vaultKubernetesAuth.getSecretRef() != null) {
            vaultKubernetesAuth2.setSecretRef(toSecretKeySelector(vaultKubernetesAuth.getSecretRef()));
        }
        return vaultKubernetesAuth2;
    }

    private SecretKeySelector toSecretKeySelector(LocalObjectReference localObjectReference) {
        return new SecretKeySelectorBuilder().withName(localObjectReference.getName()).withKey(localObjectReference.getKey()).build();
    }

    private boolean moreThanOneAuthIsSet(Object... objArr) {
        return Stream.of(objArr).filter(Objects::nonNull).count() > 1;
    }

    private boolean noneAuthIsSet(Object... objArr) {
        return Stream.of(objArr).noneMatch(Objects::nonNull);
    }
}
