package io.scalecube.config.vault;

import com.bettercloud.vault.EnvironmentLoader;
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.AuthResponse;
import com.bettercloud.vault.response.LookupResponse;
import com.bettercloud.vault.response.VaultResponse;
import com.bettercloud.vault.rest.RestResponse;
import io.scalecube.config.utils.ThrowableUtil;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.UnaryOperator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/scalecube/config/vault/VaultInvoker.class */
public class VaultInvoker {
    private static final int STATUS_CODE_FORBIDDEN = 403;
    public static final int STATUS_CODE_HELTH_OK = 200;
    public static final int STATUS_CODE_RESPONSE_OK = 200;
    public static final int STATUS_CODE_RESPONSE_NO_DATA = 204;
    private final Builder config;
    private Vault vault;
    private Timer timer;
    private static final Logger LOGGER = LoggerFactory.getLogger(VaultInvoker.class);
    private static final long MIN_REFRESH_MARGIN = TimeUnit.MINUTES.toSeconds(10);

    /* loaded from: input_file:io/scalecube/config/vault/VaultInvoker$Builder.class */
    public static class Builder {
        public static final EnvironmentLoader ENVIRONMENT_LOADER = new EnvironmentLoader();
        public static final VaultTokenSupplier TOKEN_SUPPLIER = new EnvironmentVaultTokenSupplier();
        private Function<VaultConfig, VaultConfig> options = Function.identity();
        private VaultTokenSupplier tokenSupplier = TOKEN_SUPPLIER;
        private EnvironmentLoader environmentLoader;

        /* JADX INFO: Access modifiers changed from: package-private */
        public Builder(EnvironmentLoader environmentLoader) {
            this.environmentLoader = ENVIRONMENT_LOADER;
            if (environmentLoader != null) {
                this.environmentLoader = environmentLoader;
            }
        }

        public Builder options(UnaryOperator<VaultConfig> unaryOperator) {
            this.options = this.options.andThen(unaryOperator);
            return this;
        }

        public Builder tokenSupplier(VaultTokenSupplier vaultTokenSupplier) {
            this.tokenSupplier = vaultTokenSupplier;
            return this;
        }

        public VaultInvoker build() {
            Builder builder = new Builder(this.environmentLoader);
            builder.options = this.options;
            builder.tokenSupplier = this.tokenSupplier;
            return new VaultInvoker(builder);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/scalecube/config/vault/VaultInvoker$RenewTokenTask.class */
    public class RenewTokenTask extends TimerTask {
        private RenewTokenTask() {
        }

        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            try {
                VaultInvoker.this.renewToken();
            } catch (Exception e) {
                throw ThrowableUtil.propagate(e);
            }
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:io/scalecube/config/vault/VaultInvoker$VaultCall.class */
    public interface VaultCall<T extends VaultResponse> {
        T apply(Vault vault) throws VaultException;
    }

    public static Builder builder() {
        return new Builder(Builder.ENVIRONMENT_LOADER);
    }

    private VaultInvoker(Builder builder) {
        this.config = builder;
    }

    public <T extends VaultResponse> T invoke(VaultCall<T> vaultCall) throws VaultException {
        Vault vault = this.vault;
        if (vault == null) {
            try {
                vault = recreateVault(null);
            } catch (VaultException e) {
                if (e.getHttpStatusCode() != STATUS_CODE_FORBIDDEN) {
                    throw e;
                }
                LOGGER.warn("Authentication details are incorrect, occurred during invoking Vault", e);
                return vaultCall.apply(recreateVault(vault));
            }
        }
        T apply = vaultCall.apply(vault);
        checkResponse(apply.getRestResponse());
        return apply;
    }

    private synchronized Vault recreateVault(Vault vault) throws VaultException {
        try {
            if (!Objects.equals(vault, this.vault) && this.vault != null) {
                return this.vault;
            }
            if (this.timer != null) {
                this.timer.cancel();
                this.timer = null;
            }
            this.vault = null;
            VaultConfig build = ((VaultConfig) this.config.options.apply(new VaultConfig())).environmentLoader(this.config.environmentLoader).build();
            Vault vault2 = new Vault(build.token(this.config.tokenSupplier.getToken(this.config.environmentLoader, build)));
            checkVault(vault2);
            LookupResponse lookupSelf = vault2.auth().lookupSelf();
            LOGGER.info("Initialized new Vault");
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("More Vault details: {}", bodyAsString(lookupSelf.getRestResponse()));
            }
            if (lookupSelf.isRenewable()) {
                long ttl = lookupSelf.getTTL();
                long millis = TimeUnit.SECONDS.toMillis(suggestedRefreshInterval(ttl));
                this.timer = new Timer("VaultScheduler", true);
                this.timer.schedule(new RenewTokenTask(), millis);
                LOGGER.info("Renew token timer was set to {}s, (TTL = {}s)", Long.valueOf(millis), Long.valueOf(ttl));
            } else {
                LOGGER.warn("Vault token is not renewable");
            }
            this.vault = vault2;
            return this.vault;
        } catch (VaultException e) {
            LOGGER.error("Could not initialize and validate the vault", e);
            throw e;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void renewToken() throws VaultException {
        Vault vault = this.vault;
        if (vault == null) {
            return;
        }
        try {
            AuthResponse renewSelf = vault.auth().renewSelf();
            long authLeaseDuration = renewSelf.getAuthLeaseDuration();
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Token was successfully renewed (new TTL = {} seconds), response: {}", Long.valueOf(authLeaseDuration), bodyAsString(renewSelf.getRestResponse()));
            }
            if (!renewSelf.isAuthRenewable()) {
                LOGGER.warn("Vault token is not renewable now");
            } else if (authLeaseDuration > 1) {
                this.timer.schedule(new RenewTokenTask(), TimeUnit.SECONDS.toMillis(suggestedRefreshInterval(authLeaseDuration)));
            } else {
                LOGGER.warn("Token TTL ({}) is not enough for scheduling", Long.valueOf(authLeaseDuration));
                recreateVault(vault);
            }
        } catch (VaultException e) {
            if (e.getHttpStatusCode() == STATUS_CODE_FORBIDDEN) {
                LOGGER.warn("Could not renew the Vault token", e);
                recreateVault(vault);
            }
        }
    }

    private void checkVault(Vault vault) throws VaultException {
        RestResponse restResponse = vault.debug().health().getRestResponse();
        if (restResponse.getStatus() != 200) {
            throw new VaultException(bodyAsString(restResponse), restResponse.getStatus());
        }
    }

    private void checkResponse(RestResponse restResponse) throws VaultException {
        if (restResponse == null) {
            return;
        }
        int status = restResponse.getStatus();
        switch (status) {
            case 200:
            case STATUS_CODE_RESPONSE_NO_DATA /* 204 */:
                return;
            default:
                String bodyAsString = bodyAsString(restResponse);
                LOGGER.warn("Vault responded with code: {}, message: {}", Integer.valueOf(status), bodyAsString);
                throw new VaultException(bodyAsString, status);
        }
    }

    private long suggestedRefreshInterval(long j) {
        return j < MIN_REFRESH_MARGIN * 2 ? j / 2 : j - MIN_REFRESH_MARGIN;
    }

    private String bodyAsString(RestResponse restResponse) {
        return new String(restResponse.getBody(), StandardCharsets.UTF_8);
    }
}
