package io.quarkus.vault.runtime;

import io.quarkus.vault.VaultException;
import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.dto.auth.AbstractVaultAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleGenerateNewSecretID;
import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleGenerateNewSecretIDData;
import io.quarkus.vault.runtime.client.dto.auth.VaultKubernetesAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultRenewSelfAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultTokenCreate;
import io.quarkus.vault.runtime.client.dto.auth.VaultTokenCreateAuth;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV1;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV2;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV2Data;
import io.quarkus.vault.runtime.config.VaultAuthenticationType;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import org.jboss.logging.Logger;

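/* loaded from: input_file:io/quarkus/vault/runtime/VaultAuthManager.class */
/**
 * Supplies the Vault client token used by the extension.
 *
 * <p>The token is either configured directly (possibly behind a wrapping
 * token) or obtained by logging in with the configured authentication type
 * (Kubernetes, userpass or AppRole). Login tokens are cached, validated,
 * renewed when they approach expiry and re-created when they can no longer
 * be used.
 *
 * <p>Wrapping tokens (client token, AppRole secret id, userpass password) can
 * be consumed only once, so the unwrapped value is cached per wrapping token
 * and the unwrap call itself is serialized by a binary semaphore.
 */
public class VaultAuthManager {
    private static final Logger log = Logger.getLogger(VaultAuthManager.class.getName());
    public static final String USERPASS_WRAPPING_TOKEN_PASSWORD_KEY = "password";
    /** Bound on waiting for the unwrap critical section before giving up. */
    private static final long UNWRAP_LOCK_TIMEOUT_SECONDS = 10L;

    private final VaultRuntimeConfig serverConfig;
    private final VaultClient vaultClient;
    // last login token handed out; null until the first login
    private final AtomicReference<VaultToken> loginCache = new AtomicReference<>(null);
    // wrapping token -> unwrapped value; a wrapping token can be unwrapped only once
    private final Map<String, String> wrappedCache = new ConcurrentHashMap<>();
    // single permit: at most one thread performs an unwrap call at a time
    private final Semaphore unwrapSem = new Semaphore(1);

    /**
     * @param vaultClient        client used for login, lookup, renew and unwrap calls
     * @param vaultRuntimeConfig runtime configuration (authentication settings, grace period, log masking level)
     */
    public VaultAuthManager(VaultClient vaultClient, VaultRuntimeConfig vaultRuntimeConfig) {
        this.vaultClient = vaultClient;
        this.serverConfig = vaultRuntimeConfig;
    }

    /**
     * Returns the token to present to Vault: the directly configured client
     * token when one is set, otherwise a valid (cached, renewed or freshly
     * created) login token.
     */
    public String getClientToken() {
        if (this.serverConfig.authentication.isDirectClientToken()) {
            return getDirectClientToken();
        }
        return login().clientToken;
    }

    /** The configured client token, unwrapping the configured wrapping token if no plain token is set. */
    private String getDirectClientToken() {
        Optional<String> configured = this.serverConfig.authentication.clientToken;
        if (configured.isPresent()) {
            return configured.get();
        }
        return unwrapWrappingTokenOnce("client token",
                this.serverConfig.authentication.clientTokenWrappingToken.get(),
                created -> ((VaultTokenCreateAuth) created.auth).clientToken,
                VaultTokenCreate.class);
    }

    /** Refreshes the cached login token as needed and stores the result back in the cache. */
    private VaultToken login() {
        VaultToken token = login(this.loginCache.get());
        this.loginCache.set(token);
        return token;
    }

    /**
     * Produces a usable login token starting from a previously obtained one.
     *
     * <p>A non-null token is first validated against Vault; a token that is
     * still valid but inside the renew grace period is extended. If no token
     * remains, or it is expired or about to expire, a new login is performed.
     *
     * @param vaultToken previously obtained token, or {@code null} for a first login
     * @return a token that is valid and not about to expire
     */
    public VaultToken login(VaultToken vaultToken) {
        VaultToken current = vaultToken;
        if (current != null) {
            current = validate(current);
        }
        if (current != null && current.shouldExtend(this.serverConfig.renewGracePeriod)) {
            current = extend(current.clientToken);
        }
        if (current == null || current.isExpired() || current.expiresSoon(this.serverConfig.renewGracePeriod)) {
            current = vaultLogin();
        }
        return current;
    }

    /**
     * Checks the token with a self lookup.
     *
     * @return the token if Vault still accepts it, {@code null} if Vault answered 403
     * @throws VaultClientException for any other client error
     */
    private VaultToken validate(VaultToken vaultToken) {
        try {
            this.vaultClient.lookupSelf(vaultToken.clientToken);
            return vaultToken;
        } catch (VaultClientException e) {
            if (e.getStatus() != 403) {
                throw e;
            }
            // the token is a credential: log it masked, as every other token log line in this class does
            log.debug("login token "
                    + this.serverConfig.logConfidentialityLevel.maskWithTolerance(vaultToken.clientToken, LogConfidentialityLevel.LOW)
                    + " has become invalid");
            return null;
        }
    }

    /** Renews the token via renew-self and builds the refreshed {@link VaultToken}. */
    private VaultToken extend(String clientToken) {
        VaultRenewSelfAuth renewed = (VaultRenewSelfAuth) this.vaultClient.renewSelf(clientToken, null).auth;
        VaultToken token = new VaultToken(renewed.clientToken, renewed.renewable, renewed.leaseDurationSecs);
        sanityCheck(token);
        log.debug("extended login token: " + token.getConfidentialInfo(this.serverConfig.logConfidentialityLevel));
        return token;
    }

    /** Performs a fresh login with the configured authentication type. */
    private VaultToken vaultLogin() {
        VaultToken token = login(this.serverConfig.getAuthenticationType());
        sanityCheck(token);
        log.debug("created new login token: " + token.getConfidentialInfo(this.serverConfig.logConfidentialityLevel));
        return token;
    }

    /**
     * Dispatches to the login call matching {@code authType}.
     *
     * @throws UnsupportedOperationException for an authentication type this manager does not handle
     */
    private VaultToken login(VaultAuthenticationType authType) {
        AbstractVaultAuthAuth auth;
        if (authType == VaultAuthenticationType.KUBERNETES) {
            auth = loginKubernetes();
        } else if (authType == VaultAuthenticationType.USERPASS) {
            auth = (AbstractVaultAuthAuth) this.vaultClient
                    .loginUserPass(this.serverConfig.authentication.userpass.username.get(), getPassword()).auth;
        } else if (authType == VaultAuthenticationType.APPROLE) {
            auth = (AbstractVaultAuthAuth) this.vaultClient
                    .loginAppRole(this.serverConfig.authentication.appRole.roleId.get(), getSecretId()).auth;
        } else {
            throw new UnsupportedOperationException("unknown authType " + this.serverConfig.getAuthenticationType());
        }
        return new VaultToken(auth.clientToken, auth.renewable, auth.leaseDurationSecs);
    }

    /** The AppRole secret id, unwrapping the configured wrapping token if no plain secret id is set. */
    private String getSecretId() {
        Optional<String> configured = this.serverConfig.authentication.appRole.secretId;
        if (configured.isPresent()) {
            return configured.get();
        }
        return unwrapWrappingTokenOnce("secret id",
                this.serverConfig.authentication.appRole.secretIdWrappingToken.get(),
                generated -> ((VaultAppRoleGenerateNewSecretIDData) generated.data).secretId,
                VaultAppRoleGenerateNewSecretID.class);
    }

    /**
     * The userpass password, unwrapping the configured wrapping token if no
     * plain password is set. The wrapped payload is a KV secret whose layout
     * depends on the configured KV engine version.
     */
    private String getPassword() {
        Optional<String> configured = this.serverConfig.authentication.userpass.password;
        if (configured.isPresent()) {
            return configured.get();
        }
        String wrappingToken = this.serverConfig.authentication.userpass.passwordWrappingToken.get();
        if (this.serverConfig.kvSecretEngineVersion == 1) {
            return unwrapWrappingTokenOnce(USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, wrappingToken,
                    secret -> (String) ((Map<?, ?>) secret.data).get(USERPASS_WRAPPING_TOKEN_PASSWORD_KEY),
                    VaultKvSecretV1.class);
        }
        return unwrapWrappingTokenOnce(USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, wrappingToken,
                secret -> ((VaultKvSecretV2Data) secret.data).data.get(USERPASS_WRAPPING_TOKEN_PASSWORD_KEY),
                VaultKvSecretV2.class);
    }

    /**
     * Unwraps {@code wrappingToken} at most once, caching the extracted value.
     *
     * <p>The cache is checked before and after entering the critical section so
     * that concurrent callers never consume the same single-use wrapping token
     * twice. The semaphore permit is released exactly once, in {@code finally};
     * releasing it on the success path as well would leave the semaphore with
     * two permits and defeat the mutual exclusion for every later unwrap.
     *
     * @param what          human-readable name of the secret, for messages only
     * @param wrappingToken the single-use wrapping token to unwrap
     * @param extractor     pulls the secret value out of the unwrapped response
     * @param responseType  type the unwrapped response is deserialized into
     * @throws VaultException   if Vault rejects the wrapping token (HTTP 400)
     * @throws RuntimeException if the critical section cannot be entered within the timeout, or the wait is interrupted
     */
    private <T> String unwrapWrappingTokenOnce(String what, String wrappingToken, Function<T, String> extractor, Class<T> responseType) {
        String cached = this.wrappedCache.get(wrappingToken);
        if (cached != null) {
            return cached;
        }
        boolean acquired;
        try {
            acquired = this.unwrapSem.tryAcquire(1, UNWRAP_LOCK_TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException("unable to enter critical section when unwrapping " + what, e);
        }
        if (!acquired) {
            throw new RuntimeException("unable to enter critical section when unwrapping " + what);
        }
        try {
            // re-check under the lock: another thread may have unwrapped while we waited
            String raced = this.wrappedCache.get(wrappingToken);
            if (raced != null) {
                return raced;
            }
            String unwrapped = unwrap(wrappingToken, extractor, responseType);
            this.wrappedCache.put(wrappingToken, unwrapped);
            log.debug("unwrapped " + what + ": "
                    + this.serverConfig.logConfidentialityLevel.maskWithTolerance(unwrapped, LogConfidentialityLevel.LOW));
            return unwrapped;
        } finally {
            this.unwrapSem.release();
        }
    }

    /** Performs the unwrap call and translates a 400 into a {@link VaultException} explaining the likely causes. */
    private <T> String unwrap(String wrappingToken, Function<T, String> extractor, Class<T> responseType) {
        try {
            return extractor.apply(this.vaultClient.unwrap(wrappingToken, responseType));
        } catch (VaultClientException e) {
            if (e.getStatus() == 400) {
                throw new VaultException("wrapping token is not valid or does not exist; this means that the token has already expired (if so you can increase the ttl on the wrapping token) or has been consumed by somebody else (potentially indicating that the wrapping token has been stolen)", e);
            }
            throw e;
        }
    }

    /** Logs in with the Kubernetes service account JWT read from the configured path. */
    private VaultKubernetesAuthAuth loginKubernetes() {
        String jwtPath = this.serverConfig.authentication.kubernetes.jwtTokenPath;
        String jwt = new String(read(jwtPath), StandardCharsets.UTF_8);
        log.debug("authenticate with jwt at: " + jwtPath + " => "
                + this.serverConfig.logConfidentialityLevel.maskWithTolerance(jwt, LogConfidentialityLevel.LOW));
        return (VaultKubernetesAuthAuth) this.vaultClient
                .loginKubernetes(this.serverConfig.authentication.kubernetes.role.get(), jwt).auth;
    }

    /**
     * Reads the whole file at {@code path}.
     *
     * @throws UncheckedIOException if the file cannot be read; the path is included so a
     *                              misconfigured JWT location is obvious from the message
     */
    private byte[] read(String path) {
        try {
            return Files.readAllBytes(Paths.get(path));
        } catch (IOException e) {
            throw new UncheckedIOException("unable to read " + path, e);
        }
    }

    /** Verifies the lease duration against the renew grace period (see {@link VaultToken#leaseDurationSanityCheck}). */
    private void sanityCheck(VaultToken vaultToken) {
        vaultToken.leaseDurationSanityCheck("auth", this.serverConfig.renewGracePeriod);
    }
}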
