package io.quarkus.vault.runtime.config;

import io.quarkus.runtime.configuration.DurationConverter;
import io.quarkus.vault.VaultException;
import io.quarkus.vault.runtime.LogConfidentialityLevel;
import io.quarkus.vault.runtime.VaultAuthManager;
import io.quarkus.vault.runtime.VaultManager;
import java.net.MalformedURLException;
import java.net.URL;
import java.time.Duration;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.eclipse.microprofile.config.spi.ConfigProviderResolver;
import org.eclipse.microprofile.config.spi.ConfigSource;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/vault/runtime/config/VaultConfigSource.class */
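/**
 * MicroProfile {@link ConfigSource} named {@code "vault"} that answers property lookups with
 * secrets read through {@link VaultManager}'s KV manager.
 *
 * <p>The source's own settings ({@code quarkus.vault.*}) are read from every <em>other</em>
 * registered config source (this source filters itself out, see {@link #retain}). That
 * includes the Vault credentials (client token, userpass password, app-role secret id), so
 * those travel through the ordinary configuration sources as plain properties.
 *
 * <p>Fetched secrets are cached in memory for {@code secretConfigCachePeriod}. The runtime and
 * build-time configuration objects are loaded lazily and kept in {@link AtomicReference}s.
 */
public class VaultConfigSource implements ConfigSource {
    private static final String PROPERTY_PREFIX = "quarkus.vault.";

    /** Recursion depth at which {@code ${...}} expansion is aborted. */
    private static final int MAX_EXPANSION_DEPTH = 3;

    private static final Logger log = Logger.getLogger(VaultConfigSource.class);

    public static final Pattern CREDENTIALS_PATTERN = Pattern.compile("^quarkus\\.vault\\.credentials-provider\\.([^.]+)\\.");
    // The dot between "transit" and "key" is escaped so that only the literal property
    // prefix matches; unescaped it accepted any character in that position.
    public static final Pattern TRANSIT_KEY_PATTERN = Pattern.compile("^quarkus\\.vault\\.transit\\.key\\.([^.]+)\\.");
    // Group 1 captures an unquoted prefix name, group 2 a double-quoted one (which may contain dots).
    public static final Pattern SECRET_CONFIG_KV_PATH_PATTERN = Pattern.compile("^quarkus\\.vault\\.secret-config-kv-path\\.(?:([^.]+)|(?:\"([^\"]+)\"))$");
    public static final Pattern EXPANSION_PATTERN = Pattern.compile("\\$\\{([^}]+)\\}");

    private final int ordinal;
    private final AtomicReference<VaultCacheEntry<Map<String, String>>> cache = new AtomicReference<>(null);
    private final AtomicReference<VaultRuntimeConfig> serverConfig = new AtomicReference<>(null);
    private final AtomicReference<VaultBuildTimeConfig> buildServerConfig = new AtomicReference<>(null);
    private final AtomicBoolean init = new AtomicBoolean(false);
    private final DurationConverter durationConverter = new DurationConverter();

    /**
     * @param i the ordinal reported by {@link #getOrdinal()}
     */
    public VaultConfigSource(int i) {
        this.ordinal = i;
    }

    @Override
    public String getName() {
        return "vault";
    }

    @Override
    public int getOrdinal() {
        return this.ordinal;
    }

    /**
     * Always returns an empty map: secrets are only handed out one key at a time through
     * {@link #getValue(String)}, never enumerated.
     */
    @Override
    public Map<String, String> getProperties() {
        return Collections.emptyMap();
    }

    /**
     * Looks {@code str} up among the secrets fetched from Vault.
     *
     * @param str the property name
     * @return the secret value, or {@code null} when no Vault URL is configured or the key is
     *         not among the fetched secrets
     */
    @Override
    public String getValue(String str) {
        return getRuntimeConfig().url.isPresent() ? getSecretConfig().get(str) : null;
    }

    /**
     * Returns the secret properties, serving them from the cache while the cached entry is
     * younger than {@code secretConfigCachePeriod} and re-reading them from Vault otherwise.
     *
     * <p>When the fetch throws a {@link RuntimeException} the outcome is delegated to
     * {@code VaultCacheEntry.tryReturnLastKnownValue}.
     */
    @SuppressWarnings("unchecked") // cast kept from the original; the helper's return type is not visible here
    private Map<String, String> getSecretConfig() {
        VaultRuntimeConfig runtimeConfig = getRuntimeConfig();
        VaultCacheEntry<Map<String, String>> cached = this.cache.get();
        if (cached != null && cached.youngerThan(runtimeConfig.secretConfigCachePeriod)) {
            return cached.getValue();
        }
        Map<String, String> properties = new HashMap<>();
        try {
            if (runtimeConfig.secretConfigKvPath.isPresent()) {
                fetchSecrets(runtimeConfig.secretConfigKvPath.get(), null, properties);
            }
            runtimeConfig.secretConfigKvPrefixPath.forEach((prefix, paths) -> fetchSecrets(paths, prefix, properties));
            // Only the number of properties is logged, never keys or values.
            log.debug("loaded " + properties.size() + " properties from vault");
            this.cache.set(new VaultCacheEntry<>(properties));
            return properties;
        } catch (RuntimeException e) {
            // NOTE(review): presumably serves the stale entry when one exists and rethrows
            // otherwise; confirm in VaultCacheEntry, since a stale entry can outlive a
            // secret that was rotated or revoked in Vault.
            return (Map<String, String>) VaultCacheEntry.tryReturnLastKnownValue(e, cached);
        }
    }

    /**
     * Reads every KV path in {@code list} and merges the results into {@code map}; later paths
     * overwrite keys set by earlier ones.
     *
     * @param list KV paths to read
     * @param str  prefix to prepend to each key, or {@code null} for none
     * @param map  accumulator receiving the properties
     */
    private void fetchSecrets(List<String> list, String str, Map<String, String> map) {
        for (String path : list) {
            map.putAll(fetchSecrets(path, str));
        }
    }

    /**
     * Reads one KV path; yields an empty map when no {@link VaultManager} instance is available.
     */
    private Map<String, String> fetchSecrets(String str, String str2) {
        VaultManager vaultManager = getVaultManager();
        if (vaultManager == null) {
            return Collections.emptyMap();
        }
        return prefixMap(vaultManager.getVaultKvManager().readSecret(str), str2);
    }

    /**
     * Returns {@code map} unchanged when {@code str} is {@code null}, otherwise a copy whose
     * keys are {@code str + "." + key}.
     */
    private Map<String, String> prefixMap(Map<String, String> map, String str) {
        if (str == null) {
            return map;
        }
        // A plain loop instead of Collectors.toMap, which throws NullPointerException on a
        // null value and would turn one null secret field into a failed fetch.
        Map<String, String> prefixed = new HashMap<>();
        map.forEach((key, value) -> prefixed.put(str + "." + key, value));
        return prefixed;
    }

    /**
     * Initialises {@link VaultManager} on first use (guarded by {@link #init}) and returns its
     * instance. Both configurations are loaded before the initialisation check.
     */
    private VaultManager getVaultManager() {
        VaultBuildTimeConfig buildtimeConfig = getBuildtimeConfig();
        VaultRuntimeConfig runtimeConfig = getRuntimeConfig();
        if (this.init.compareAndSet(false, true)) {
            VaultManager.init(buildtimeConfig, runtimeConfig);
        }
        return VaultManager.getInstance();
    }

    private VaultRuntimeConfig getRuntimeConfig() {
        return getConfig(this.serverConfig, this::loadRuntimeConfig, "runtime");
    }

    private VaultBuildTimeConfig getBuildtimeConfig() {
        return getConfig(this.buildServerConfig, this::loadBuildtimeConfig, "buildtime");
    }

    /**
     * Returns the value held by {@code atomicReference}, loading it through {@code supplier}
     * when the reference is still empty.
     *
     * @param atomicReference holder for the lazily loaded configuration
     * @param supplier        loader invoked when the holder is empty
     * @param str             label used in the debug message
     */
    private <T> T getConfig(AtomicReference<T> atomicReference, Supplier<T> supplier, String str) {
        T existing = atomicReference.get();
        if (existing != null) {
            return existing;
        }
        T loaded = supplier.get();
        // NOTE(review): this prints the configuration object, which holds the client token,
        // userpass password and app-role secret id. Confirm that its toString() masks them.
        // The format-style call defers toString() until debug logging is actually enabled.
        log.debugf("loaded vault %s config %s", str, loaded);
        atomicReference.set(loaded);
        return atomicReference.get();
    }

    /**
     * Builds the build-time configuration (health-check flags) from the other config sources.
     */
    private VaultBuildTimeConfig loadBuildtimeConfig() {
        VaultBuildTimeConfig vaultBuildTimeConfig = new VaultBuildTimeConfig();
        vaultBuildTimeConfig.health = new HealthConfig();
        // NOTE(review): the default passed below is the TLS skip-verify constant. Presumably
        // a decompiler artifact (an inlined literal mapped back to a same-valued constant);
        // confirm the intended defaults against the original source.
        vaultBuildTimeConfig.health.enabled = Boolean.parseBoolean(getVaultProperty("health.enabled", VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY));
        vaultBuildTimeConfig.health.standByOk = Boolean.parseBoolean(getVaultProperty("health.stand-by-ok", VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY));
        vaultBuildTimeConfig.health.performanceStandByOk = Boolean.parseBoolean(getVaultProperty("health.performance-stand-by-ok", VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY));
        return vaultBuildTimeConfig;
    }

    /**
     * Builds the runtime configuration from the {@code quarkus.vault.*} properties of the other
     * config sources.
     *
     * @throws VaultException           when {@code quarkus.vault.url} is not a valid URL
     * @throws IllegalArgumentException when {@code log-confidentiality-level} names no enum
     *                                  constant (raised by {@code valueOf})
     * @throws NumberFormatException    when {@code kv-secret-engine-version} is not an integer
     */
    private VaultRuntimeConfig loadRuntimeConfig() {
        VaultRuntimeConfig vaultRuntimeConfig = new VaultRuntimeConfig();
        vaultRuntimeConfig.tls = new VaultTlsConfig();
        vaultRuntimeConfig.transit = new VaultTransitConfig();
        vaultRuntimeConfig.authentication = new VaultAuthenticationConfig();
        vaultRuntimeConfig.authentication.userpass = new VaultUserpassAuthenticationConfig();
        vaultRuntimeConfig.authentication.appRole = new VaultAppRoleAuthenticationConfig();
        vaultRuntimeConfig.authentication.kubernetes = new VaultKubernetesAuthenticationConfig();
        vaultRuntimeConfig.url = newURL(getOptionalVaultProperty("url"));

        // Credentials: read as ordinary properties from the other config sources.
        vaultRuntimeConfig.authentication.clientToken = getOptionalVaultProperty("authentication.client-token");
        vaultRuntimeConfig.authentication.clientTokenWrappingToken = getOptionalVaultProperty("authentication.client-token-wrapping-token");
        vaultRuntimeConfig.authentication.kubernetes.role = getOptionalVaultProperty("authentication.kubernetes.role");
        vaultRuntimeConfig.authentication.kubernetes.jwtTokenPath = getVaultProperty("authentication.kubernetes.jwt-token-path", VaultRuntimeConfig.DEFAULT_KUBERNETES_JWT_TOKEN_PATH);
        vaultRuntimeConfig.authentication.kubernetes.authMountPath = getVaultProperty("authentication.kubernetes.auth-mount-path", VaultRuntimeConfig.DEFAULT_KUBERNETES_AUTH_MOUNT_PATH);
        vaultRuntimeConfig.authentication.userpass.username = getOptionalVaultProperty("authentication.userpass.username");
        vaultRuntimeConfig.authentication.userpass.password = getOptionalVaultProperty("authentication.userpass.password");
        vaultRuntimeConfig.authentication.userpass.passwordWrappingToken = getOptionalVaultProperty("authentication.userpass.password-wrapping-token");
        vaultRuntimeConfig.authentication.appRole.roleId = getOptionalVaultProperty("authentication.app-role.role-id");
        vaultRuntimeConfig.authentication.appRole.secretId = getOptionalVaultProperty("authentication.app-role.secret-id");
        vaultRuntimeConfig.authentication.appRole.secretIdWrappingToken = getOptionalVaultProperty("authentication.app-role.secret-id-wrapping-token");

        vaultRuntimeConfig.renewGracePeriod = getVaultDuration("renew-grace-period", VaultRuntimeConfig.DEFAULT_RENEW_GRACE_PERIOD);
        vaultRuntimeConfig.secretConfigCachePeriod = getVaultDuration("secret-config-cache-period", VaultRuntimeConfig.DEFAULT_SECRET_CONFIG_CACHE_PERIOD);
        // Locale.ROOT: with the default locale, "medium" upper-cases to a dotted capital I
        // under a Turkish locale and valueOf would reject an otherwise valid setting.
        vaultRuntimeConfig.logConfidentialityLevel = LogConfidentialityLevel.valueOf(getVaultProperty("log-confidentiality-level", LogConfidentialityLevel.MEDIUM.name()).toUpperCase(Locale.ROOT));
        vaultRuntimeConfig.kvSecretEngineVersion = Integer.parseInt(getVaultProperty("kv-secret-engine-version", VaultRuntimeConfig.KV_SECRET_ENGINE_VERSION_V2));
        vaultRuntimeConfig.kvSecretEngineMountPath = getVaultProperty("kv-secret-engine-mount-path", VaultRuntimeConfig.DEFAULT_KV_SECRET_ENGINE_MOUNT_PATH);
        vaultRuntimeConfig.secretConfigKvPath = getOptionalListProperty("secret-config-kv-path");

        vaultRuntimeConfig.tls.skipVerify = Boolean.parseBoolean(getVaultProperty("tls.skip-verify", VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY));
        if (vaultRuntimeConfig.tls.skipVerify) {
            // Without certificate verification the Vault token and every secret read over
            // this connection can be intercepted by whoever answers on the configured address.
            log.warn("quarkus.vault.tls.skip-verify is enabled: the Vault server certificate is not verified");
        }
        vaultRuntimeConfig.tls.useKubernetesCaCert = Boolean.parseBoolean(getVaultProperty("tls.use-kubernetes-ca-cert", VaultRuntimeConfig.DEFAULT_TLS_USE_KUBERNETES_CACERT));
        vaultRuntimeConfig.tls.caCert = getOptionalVaultProperty("tls.ca-cert");
        vaultRuntimeConfig.connectTimeout = getVaultDuration("connect-timeout", VaultRuntimeConfig.DEFAULT_CONNECT_TIMEOUT);
        vaultRuntimeConfig.readTimeout = getVaultDuration("read-timeout", VaultRuntimeConfig.DEFAULT_READ_TIMEOUT);
        vaultRuntimeConfig.credentialsProvider = createCredentialProviderConfigParser().getConfig();
        vaultRuntimeConfig.transit.key = createTransitKeyConfigParser().getConfig();
        vaultRuntimeConfig.secretConfigKvPrefixPath = getSecretConfigKvPrefixPaths();
        return vaultRuntimeConfig;
    }

    private VaultMapConfigParser<CredentialsProviderConfig> createCredentialProviderConfigParser() {
        return new VaultMapConfigParser<>(CREDENTIALS_PATTERN, this::getCredentialsProviderConfig, getConfigSourceStream());
    }

    /**
     * Reads the {@code quarkus.vault.credentials-provider.<str>.*} properties.
     *
     * @param str the credentials provider name
     */
    private CredentialsProviderConfig getCredentialsProviderConfig(String str) {
        String prefix = "credentials-provider." + str;
        CredentialsProviderConfig credentialsProviderConfig = new CredentialsProviderConfig();
        credentialsProviderConfig.databaseCredentialsRole = getOptionalVaultProperty(prefix + ".database-credentials-role");
        credentialsProviderConfig.kvPath = getOptionalVaultProperty(prefix + ".kv-path");
        // NOTE(review): the default is a constant borrowed from VaultAuthManager; presumably
        // a decompiler artifact for an inlined literal. Confirm against the original source.
        credentialsProviderConfig.kvKey = getVaultProperty(prefix + ".kv-key", VaultAuthManager.USERPASS_WRAPPING_TOKEN_PASSWORD_KEY);
        return credentialsProviderConfig;
    }

    private VaultMapConfigParser<TransitKeyConfig> createTransitKeyConfigParser() {
        return new VaultMapConfigParser<>(TRANSIT_KEY_PATTERN, this::getTransitKeyConfig, getConfigSourceStream());
    }

    /**
     * Reads the {@code quarkus.vault.transit.key.<str>.*} properties.
     *
     * @param str the transit key name
     */
    private TransitKeyConfig getTransitKeyConfig(String str) {
        String prefix = "transit.key." + str;
        TransitKeyConfig transitKeyConfig = new TransitKeyConfig();
        transitKeyConfig.name = getOptionalVaultProperty(prefix + ".name");
        transitKeyConfig.hashAlgorithm = getOptionalVaultProperty(prefix + ".hash-algorithm");
        transitKeyConfig.signatureAlgorithm = getOptionalVaultProperty(prefix + ".signature-algorithm");
        transitKeyConfig.type = getOptionalVaultProperty(prefix + ".type");
        transitKeyConfig.convergentEncryption = getOptionalVaultProperty(prefix + ".convergent-encryption");
        transitKeyConfig.prehashed = getOptionalVaultProperty(prefix + ".prehashed").map(Boolean::parseBoolean);
        return transitKeyConfig;
    }

    /**
     * Reads a comma-separated property as a list of trimmed, non-empty items.
     *
     * @return the items, or an empty {@link Optional} when the property has no value
     */
    private Optional<List<String>> getOptionalListProperty(String str) {
        return getOptionalVaultProperty(str).map(raw -> Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(item -> !item.isEmpty())
                .collect(Collectors.toList()));
    }

    /**
     * Parses the configured Vault address.
     *
     * @throws VaultException wrapping the {@link MalformedURLException} of an invalid address
     */
    private Optional<URL> newURL(Optional<String> optional) {
        if (!optional.isPresent()) {
            return Optional.empty();
        }
        try {
            // No scheme check is made here: a plain http:// address is accepted, in which
            // case credentials and secrets are sent unencrypted.
            return Optional.of(new URL(optional.get()));
        } catch (MalformedURLException e) {
            throw new VaultException(e);
        }
    }

    private Optional<String> getOptionalVaultProperty(String str) {
        return Optional.ofNullable(getVaultProperty(str, null));
    }

    private Duration getVaultDuration(String str, String str2) {
        return this.durationConverter.convert(getVaultProperty(str, str2));
    }

    /** Resolves {@code quarkus.vault.<str>}, falling back to {@code str2}. */
    private String getVaultProperty(String str, String str2) {
        return getProperty(PROPERTY_PREFIX + str, str2, 0);
    }

    /**
     * Resolves a property and expands every {@code ${key}} reference in its value.
     *
     * <p>Referenced keys are looked up verbatim in the other config sources, so a
     * {@code quarkus.vault.*} value can pull in any property, not only Vault ones. The
     * exception messages carry key names only, never values.
     *
     * @param str  the full property name
     * @param str2 value used when no source defines the property; it is expanded as well
     * @param i    current expansion depth, {@code 0} for the outermost call
     * @return the expanded value, or {@code null} when the property is undefined and
     *         {@code str2} is {@code null}
     * @throws RuntimeException when the depth limit is reached (which also ends reference
     *                          cycles) or a referenced key has no value
     */
    protected String getProperty(String str, String str2, int i) {
        if (i == MAX_EXPANSION_DEPTH) {
            throw new RuntimeException("max expansion depth reached when looking for key " + str);
        }
        String value = getBaseProperty(str, str2);
        if (value == null) {
            return null;
        }
        Matcher matcher = EXPANSION_PATTERN.matcher(value);
        while (matcher.find()) {
            String key = matcher.group(1);
            String expansion = getProperty(key, null, i + 1);
            if (expansion == null) {
                throw new RuntimeException("unable to find expansion key " + key + " when fetching " + str);
            }
            value = value.substring(0, matcher.start()) + expansion + value.substring(matcher.end());
            // The string changed, so matching restarts on the new value.
            matcher = EXPANSION_PATTERN.matcher(value);
        }
        return value;
    }

    /**
     * Returns the first non-null, non-empty value for {@code str} among the other config
     * sources, trimmed, or {@code str2} when there is none.
     */
    protected String getBaseProperty(String str, String str2) {
        return getConfigSourceStream()
                .map(source -> source.getValue(str))
                .filter(value -> value != null && value.length() != 0)
                .map(String::trim)
                .findFirst()
                .orElse(str2);
    }

    /**
     * Collects every {@code quarkus.vault.secret-config-kv-path.<name>} property defined in
     * the other config sources into a map from prefix name to KV paths.
     */
    private Map<String, List<String>> getSecretConfigKvPrefixPaths() {
        return getConfigSourceStream()
                .flatMap(source -> source.getPropertyNames().stream())
                .map(this::getSecretConfigKvPrefixPathName)
                .filter(Objects::nonNull)
                .distinct()
                .map(this::createNameSecretConfigKvPrefixPathPair)
                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
    }

    /** Streams every registered config source except this one. */
    private Stream<ConfigSource> getConfigSourceStream() {
        return StreamSupport.stream(ConfigProviderResolver.instance().getConfig().getConfigSources().spliterator(), false).filter(this::retain);
    }

    /**
     * Tells whether {@code configSource} is a source other than this one, compared by name.
     */
    private boolean retain(ConfigSource configSource) {
        String name;
        try {
            name = configSource.getName();
        } catch (NullPointerException e) {
            // Deliberate: a source whose getName() throws is treated as unnamed and kept.
            name = null;
        }
        return !getName().equals(name);
    }

    private AbstractMap.SimpleEntry<String, List<String>> createNameSecretConfigKvPrefixPathPair(String str) {
        return new AbstractMap.SimpleEntry<>(str, getSecretConfigKvPrefixPath(str));
    }

    /**
     * Extracts the prefix name from a {@code secret-config-kv-path.<name>} property name.
     *
     * @return the unquoted or quoted name, or {@code null} when {@code str} is another property
     */
    private String getSecretConfigKvPrefixPathName(String str) {
        Matcher matcher = SECRET_CONFIG_KV_PATH_PATTERN.matcher(str);
        if (!matcher.matches()) {
            return null;
        }
        String unquoted = matcher.group(1);
        return unquoted != null ? unquoted : matcher.group(2);
    }

    /**
     * Returns the KV paths configured for the prefix {@code str}.
     *
     * <p>The name arrives without its quotes even when the property was declared in the quoted
     * form, so the quoted property name is tried as a fallback. A property with a blank value
     * yields an empty list instead of the bare {@code NoSuchElementException} that an
     * unchecked {@code Optional.get()} raised.
     */
    private List<String> getSecretConfigKvPrefixPath(String str) {
        String base = "secret-config-kv-path.";
        Optional<List<String>> unquoted = getOptionalListProperty(base + str);
        if (unquoted.isPresent()) {
            return unquoted.get();
        }
        return getOptionalListProperty(base + "\"" + str + "\"").orElseGet(Collections::emptyList);
    }
}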
