package io.configrd.core.hashicorp;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.jsoniter.JsonIterator;
import com.jsoniter.output.JsonStream;
import io.configrd.core.exception.AuthenticationException;
import io.configrd.core.hashicorp.util.VaultUtil;
import io.configrd.core.source.SecuredRepo;
import io.configrd.core.util.StringUtils;
import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
import java.util.Optional;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/configrd/core/hashicorp/VaultAuthenticator.class */
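/**
 * Logs in to a HashiCorp Vault server over HTTP and renews the resulting client token.
 *
 * <p>The login method is selected by {@link VaultRepoDef#getAuthMethod()}; {@code userpass} and
 * {@code aws_pkcs7} are recognised (case-insensitively).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Login and renewal response bodies contain the Vault client token, so they are never written
 *       to the log; only the HTTP status is logged.</li>
 *   <li>The password and the client token are sent to whatever host {@code VaultUtil.extractBaseURL}
 *       returns. NOTE(review): nothing in this class enforces {@code https}; confirm the configured
 *       Vault address uses TLS.</li>
 * </ul>
 *
 * <p>Not documented as thread-safe: the {@code s3} field is initialised lazily without
 * synchronisation.
 */
public class VaultAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(VaultAuthenticator.class);

    // EC2 instance metadata service (IMDS) endpoints on the link-local metadata address.
    private static final String IMDS_TOKEN_URL = "http://169.254.169.254/latest/api/token";
    private static final String IMDS_PKCS7_URL = "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7";
    private static final String IMDS_TOKEN_HEADER = "X-aws-ec2-metadata-token";
    private static final String IMDS_TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds";
    // The session token is used for a single request, so a short lifetime is enough.
    private static final String IMDS_TOKEN_TTL_SECONDS = "60";

    private AmazonS3 s3;
    private final MediaType mediaType = MediaType.parse(javax.ws.rs.core.MediaType.APPLICATION_JSON);
    private final String PASSWORD = SecuredRepo.PASSWORD_FIELD;
    private final String TOKEN_HEADER = "X-Vault-Token";
    // NOTE(review): redirects are followed. OkHttp drops the Authorization header on a cross-host
    // redirect but keeps custom headers such as X-Vault-Token, so the token travels with the
    // redirect. Confirm that the Vault address can only redirect to trusted cluster nodes.
    private final OkHttpClient client = new OkHttpClient.Builder().retryOnConnectionFailure(true).followRedirects(true).build();

    /**
     * Authenticates against Vault with the method configured in {@code vaultRepoDef}.
     *
     * @param uri          repository URI from which the Vault base URL is derived
     * @param vaultRepoDef repository definition supplying the auth method and its credentials
     * @param authResponse a previous login response; currently not used by this method
     * @return the login response; always present, because a missing client token raises instead
     * @throws AuthenticationException if no method is configured, the method is not recognised, or
     *         Vault did not return a client token
     */
    public Optional<AuthResponse> authenticate(URI uri, VaultRepoDef vaultRepoDef, AuthResponse authResponse) {
        String method = vaultRepoDef.getAuthMethod();
        if (method == null) {
            throw new AuthenticationException("No authentication method specified");
        }
        AuthResponse login = null;
        switch (method.toLowerCase()) {
            case "userpass":
                login = loginByUserPass(uri, vaultRepoDef.getUsername(), vaultRepoDef.getPassword());
                break;
            case "aws_pkcs7":
                // NOTE(review): the previous response is not forwarded here, so the stored nonce is
                // never replayed on this path. Confirm whether passing authResponse was intended.
                login = loginByAWSPkcs7(uri, vaultRepoDef.getAwsRoleArn(), null);
                break;
            default:
                // Unrecognised method: falls through to the "no client token" failure below.
                break;
        }
        if (login == null || login.auth == null || !StringUtils.hasText(login.auth.client_token)) {
            throw new AuthenticationException("Unable to authenticate via method: " + method + ". No client token returned");
        }
        return Optional.of(login);
    }

    /**
     * Logs in through Vault's {@code userpass} backend.
     *
     * @param uri      repository URI from which the Vault base URL is derived
     * @param username Vault username; becomes the last path segment of the login URL
     * @param password password sent in the JSON request body
     * @return the parsed login response
     * @throws AuthenticationException if the username is unusable as a path segment or Vault
     *         rejects the login
     * @throws RuntimeException wrapping the {@link IOException} if the HTTP call fails
     */
    protected AuthResponse loginByUserPass(URI uri, String username, String password) {
        // The username is concatenated into the request path. Refuse values that would change
        // which endpoint receives the password instead of sending them on.
        if (!StringUtils.hasText(username) || username.contains("/") || username.contains("?")
                || username.contains("#") || ".".equals(username) || "..".equals(username)) {
            throw new AuthenticationException("Unable to authenticate with username/password. Invalid username supplied");
        }
        HashMap<String, Object> payload = new HashMap<>();
        payload.put(this.PASSWORD, password);
        Request request = new Request.Builder()
                .post(RequestBody.create(this.mediaType, JsonStream.serialize(payload)))
                .url(VaultUtil.extractBaseURL(uri) + "/v1/auth/userpass/login/" + username)
                .build();
        try {
            // handleLoginResponse closes the response in all cases.
            return handleLoginResponse(this.client.newCall(request).execute());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Logs in through Vault's AWS backend using the PKCS#7 instance identity signature read from
     * the EC2 instance metadata service.
     *
     * @param uri          repository URI from which the Vault base URL is derived
     * @param roleArn      value sent to Vault as {@code role}; must not be blank
     * @param authResponse a previous login response whose nonce is replayed when it is renewable;
     *                     may be {@code null}
     * @return the parsed login response
     * @throws AuthenticationException if the AWS region or the role is missing, the signature
     *         cannot be read, or Vault rejects the login
     */
    protected AuthResponse loginByAWSPkcs7(URI uri, String roleArn, AuthResponse authResponse) {
        if (this.s3 == null) {
            // Only remember the client once the region check passed, so that a failed check is
            // repeated on the next call instead of being skipped.
            AmazonS3 candidate = AmazonS3ClientBuilder.defaultClient();
            if (!StringUtils.hasText(candidate.getRegion().getFirstRegionId())) {
                throw new AuthenticationException("Unable to determine AWS region. Are you running in AWS?");
            }
            this.s3 = candidate;
        }
        if (!StringUtils.hasText(roleArn)) {
            throw new AuthenticationException("Aws pkcs7 authentication method relies on AWS role ARN. None supplied");
        }
        try {
            HashMap<String, Object> payload = new HashMap<>();
            payload.put("role", roleArn);
            payload.put("pkcs7", fetchInstanceIdentitySignature());
            // authResponse is null on a first login; without this guard the dereference raised a
            // NullPointerException that surfaced as an AuthenticationException with no message.
            if (authResponse != null && authResponse.renewable && StringUtils.hasText(authResponse.nonce)) {
                payload.put("nonce", authResponse.nonce);
            }
            Request request = new Request.Builder()
                    .url(VaultUtil.extractBaseURL(uri) + "/v1/auth/aws/login/")
                    .post(RequestBody.create(this.mediaType, JsonStream.serialize(payload)))
                    .build();
            // handleLoginResponse closes the response in all cases.
            return handleLoginResponse(this.client.newCall(request).execute());
        } catch (AuthenticationException e) {
            throw e;
        } catch (Exception e) {
            throw new AuthenticationException(e.getMessage() != null ? e.getMessage() : e.toString());
        }
    }

    /**
     * Reads the PKCS#7 instance identity signature from the instance metadata service, presenting
     * an IMDSv2 session token when one could be obtained.
     */
    private String fetchInstanceIdentitySignature() throws IOException {
        Request.Builder builder = new Request.Builder().url(IMDS_PKCS7_URL).get();
        String sessionToken = fetchImdsSessionToken();
        if (sessionToken != null) {
            builder.addHeader(IMDS_TOKEN_HEADER, sessionToken);
        }
        try (Response response = this.client.newCall(builder.build()).execute()) {
            if (!response.isSuccessful() || response.body() == null) {
                throw new AuthenticationException("Unable to authenticate using aws pkcs7. Couldn't obtain EC2 instance signature from host.");
            }
            return response.body().string();
        }
    }

    /**
     * Requests an IMDSv2 session token. Instances that require IMDSv2 reject metadata reads
     * without one. Returns {@code null} when no token could be obtained, in which case the caller
     * falls back to the unauthenticated (IMDSv1) read that this class used before.
     */
    private String fetchImdsSessionToken() {
        Request request = new Request.Builder()
                .url(IMDS_TOKEN_URL)
                .put(RequestBody.create(this.mediaType, ""))
                .addHeader(IMDS_TOKEN_TTL_HEADER, IMDS_TOKEN_TTL_SECONDS)
                .build();
        try (Response response = this.client.newCall(request).execute()) {
            if (response.isSuccessful() && response.body() != null) {
                String token = response.body().string().trim();
                return StringUtils.hasText(token) ? token : null;
            }
        } catch (IOException e) {
            // Best effort: the signature read is still attempted without a session token.
            logger.debug("IMDSv2 session token request failed: {}", e.getMessage());
        }
        return null;
    }

    /**
     * Converts a Vault login HTTP response into an {@link AuthResponse} and closes the response.
     *
     * @throws AuthenticationException if the response is unsuccessful or carries no body
     * @throws RuntimeException wrapping the {@link IOException} if the body cannot be read
     */
    private AuthResponse handleLoginResponse(Response response) {
        try {
            // Read the body itself rather than trusting contentLength(): OkHttp reports -1 when
            // the length is unknown (e.g. chunked encoding), which made successful logins fail.
            String body = response.body() != null ? response.body().string() : "";
            // The body holds the client token on success; log the status only.
            logger.debug("Vault login response: HTTP {}", response.code());
            if (!StringUtils.hasText(body)) {
                throw new AuthenticationException("Unable to authenticate with Vault. Response: " + response.message());
            }
            AuthResponse parsed = JsonIterator.deserialize(body, AuthResponse.class);
            if (response.isSuccessful()) {
                return parsed;
            }
            throw new AuthenticationException("Unable to authenticate with Vault. Response: " + firstError(parsed, response.message()));
        } catch (IOException e) {
            throw new RuntimeException(e);
        } finally {
            response.close();
        }
    }

    /**
     * Renews the client token carried by {@code authResponse} via {@code /v1/auth/token/renew-self}.
     *
     * @param uri          repository URI from which the Vault base URL is derived
     * @param authResponse the login response holding the client token to renew
     * @return the parsed renewal response
     * @throws AuthenticationException if no token is available or Vault rejects the renewal
     * @throws RuntimeException wrapping the {@link IOException} if the HTTP call fails
     */
    protected AuthResponse renewToken(URI uri, AuthResponse authResponse) {
        if (authResponse == null || authResponse.auth == null || !StringUtils.hasText(authResponse.auth.client_token)) {
            throw new AuthenticationException("Unable to renew token. No client token available");
        }
        Request request = new Request.Builder()
                .post(RequestBody.create(this.mediaType, "{}"))
                .url(VaultUtil.extractBaseURL(uri) + "/v1/auth/token/renew-self")
                .addHeader(this.TOKEN_HEADER, authResponse.auth.client_token)
                .build();
        // try-with-resources: the response was previously never closed, leaking the connection.
        try (Response response = this.client.newCall(request).execute()) {
            String body = response.body() != null ? response.body().string() : "";
            // The body holds the renewed token; log the status only.
            logger.debug("Vault token renewal response: HTTP {}", response.code());
            AuthResponse parsed = JsonIterator.deserialize(body, AuthResponse.class);
            if (response.isSuccessful()) {
                return parsed;
            }
            throw new AuthenticationException("Unable to renew token. Response: " + firstError(parsed, response.message()));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the first Vault error message, or {@code fallback} when the response lists none. */
    private static String firstError(AuthResponse parsed, String fallback) {
        if (parsed != null && parsed.errors != null && parsed.errors.length > 0) {
            return String.valueOf(parsed.errors[0]);
        }
        return fallback;
    }
}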
