package io.quarkus.vault.runtime;

import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.backend.VaultInternalSystemBackend;
import io.quarkus.vault.runtime.client.dto.dynamic.VaultDynamicCredentialsData;
import io.quarkus.vault.runtime.client.secretengine.VaultInternalDynamicCredentialsSecretEngine;
import io.quarkus.vault.runtime.config.VaultBootstrapConfig;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Singleton;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.jboss.logging.Logger;

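/**
 * Obtains, caches and renews Vault dynamic credentials (a username/password pair bound to a lease).
 *
 * <p>Credentials are cached in memory under the key {@code mount/requestPath@role}. On each request
 * the cached entry is checked against Vault, extended when {@code shouldExtend} says so, and
 * replaced with a newly generated pair when it is missing, expired or about to expire.
 *
 * <p>NOTE(review): this file is decompiler output and the original parameter names were lost. The
 * names {@code mount}, {@code requestPath} and {@code role} are inferred from how the values are
 * combined here (path = first/second, label = third) — confirm against the upstream source.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The cache and the map returned by {@link #getDynamicCredentials} hold the plaintext
 *       password; callers must not log or serialize that map.</li>
 *   <li>Debug logging of credentials goes through {@code getConfidentialInfo(logConfidentialityLevel)},
 *       so what ends up in the log depends on that configuration value.</li>
 *   <li>The cache lookup and the later cache write are separate steps; concurrent callers for the
 *       same key can each reach Vault and each obtain a lease, with the last write winning.</li>
 * </ul>
 */
@Singleton
public class VaultDynamicCredentialsManager {
    private static final Logger log = Logger.getLogger(VaultDynamicCredentialsManager.class.getName());

    // Keyed by getCredentialsCacheKey(); values carry the plaintext password for the lease lifetime.
    private final ConcurrentHashMap<String, VaultDynamicCredentials> credentialsCache = new ConcurrentHashMap<>();
    private VaultClient vaultClient;
    private VaultAuthManager vaultAuthManager;
    private VaultConfigHolder vaultConfigHolder;
    private VaultInternalSystemBackend vaultInternalSystemBackend;
    private VaultInternalDynamicCredentialsSecretEngine vaultInternalDynamicCredentialsSecretEngine;

    /**
     * Stores the injected collaborators; performs no I/O.
     */
    public VaultDynamicCredentialsManager(VaultClient vaultClient, VaultConfigHolder vaultConfigHolder, VaultAuthManager vaultAuthManager, VaultInternalSystemBackend vaultInternalSystemBackend, VaultInternalDynamicCredentialsSecretEngine vaultInternalDynamicCredentialsSecretEngine) {
        this.vaultClient = vaultClient;
        this.vaultConfigHolder = vaultConfigHolder;
        this.vaultAuthManager = vaultAuthManager;
        this.vaultInternalSystemBackend = vaultInternalSystemBackend;
        this.vaultInternalDynamicCredentialsSecretEngine = vaultInternalDynamicCredentialsSecretEngine;
    }

    /** Returns {@code mount + "/" + requestPath}; used for cache keys and log labels only. */
    private String getCredentialsPath(String mount, String requestPath) {
        return mount + "/" + requestPath;
    }

    /** Returns the cache key {@code mount/requestPath@role}. */
    private String getCredentialsCacheKey(String mount, String requestPath, String role) {
        return getCredentialsPath(mount, requestPath) + "@" + role;
    }

    /**
     * Looks up the cached credentials for the given coordinates.
     *
     * @return the cached entry, or {@code null} when nothing is cached under that key
     */
    VaultDynamicCredentials getCachedCredentials(String mount, String requestPath, String role) {
        return this.credentialsCache.get(getCredentialsCacheKey(mount, requestPath, role));
    }

    /** Stores (or overwrites) the cached credentials for the given coordinates. */
    void putCachedCredentials(String mount, String requestPath, String role, VaultDynamicCredentials vaultDynamicCredentials) {
        this.credentialsCache.put(getCredentialsCacheKey(mount, requestPath, role), vaultDynamicCredentials);
    }

    /** Reads the bootstrap configuration on every call rather than caching it. */
    private VaultBootstrapConfig getConfig() {
        return this.vaultConfigHolder.getVaultBootstrapConfig();
    }

    /**
     * Resolves usable credentials for the given coordinates and returns them as a string map.
     *
     * <p>The map contains the username under {@code "user"}, the plaintext password under
     * {@code VaultAuthManager.USERPASS_WRAPPING_TOKEN_PASSWORD_KEY} and the lease expiry instant
     * under {@code "expires-at"}. Treat the whole map as secret material.
     *
     * @return a {@link Uni} emitting the credential map, or failing when Vault cannot be reached
     *         or rejects the request
     */
    public Uni<Map<String, String>> getDynamicCredentials(String mount, String requestPath, String role) {
        return this.vaultAuthManager.getClientToken(this.vaultClient).flatMap(clientToken -> {
            VaultDynamicCredentials cached = getCachedCredentials(mount, requestPath, role);
            return getCredentials(cached, clientToken, mount, requestPath, role).map(credentials -> {
                putCachedCredentials(mount, requestPath, role, credentials);
                Map<String, String> properties = new HashMap<>();
                properties.put("user", credentials.username);
                // NOTE(review): the decompiler substituted this constant for the key literal;
                // presumably it resolves to "password" — confirm against VaultAuthManager.
                properties.put(VaultAuthManager.USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, credentials.password);
                properties.put("expires-at", credentials.getExpireInstant().toString());
                return properties;
            });
        });
    }

    /**
     * Turns a possibly stale cached entry into usable credentials.
     *
     * <p>Steps, in order: validate the lease with Vault (an invalid lease is dropped), extend the
     * lease when {@code shouldExtend(renewGracePeriod)} holds, then generate a new pair when no
     * entry is left, or the entry is expired or expires within the grace period.
     *
     * @param currentCredentials the cached entry, may be {@code null}
     * @param clientToken the Vault client token used for every call made here
     * @return a {@link Uni} emitting the validated, extended or newly generated credentials
     */
    public Uni<VaultDynamicCredentials> getCredentials(VaultDynamicCredentials currentCredentials, String clientToken, String mount, String requestPath, String role) {
        return Uni.createFrom().item(Optional.ofNullable(currentCredentials))
                .flatMap(candidate -> validate(candidate, clientToken))
                .flatMap(candidate -> {
                    if (candidate.isPresent() && candidate.get().shouldExtend(getConfig().renewGracePeriod)) {
                        return extend(candidate.get(), clientToken, mount, requestPath, role).map(Optional::of);
                    }
                    return Uni.createFrom().item(candidate);
                })
                .flatMap(candidate -> {
                    // Extension may not have bought enough time, so the expiry checks run again here.
                    if (candidate.isEmpty()
                            || candidate.get().isExpired()
                            || candidate.get().expiresSoon(getConfig().renewGracePeriod)) {
                        return create(clientToken, mount, requestPath, role);
                    }
                    return Uni.createFrom().item(candidate.get());
                });
    }

    /**
     * Confirms with Vault that the lease behind the cached credentials still exists.
     *
     * <p>Only a {@link VaultClientException} with status 400 is read as "lease no longer valid" and
     * mapped to an empty result; every other failure is propagated, so an unreachable Vault never
     * silently discards a cached entry.
     */
    private Uni<Optional<VaultDynamicCredentials>> validate(Optional<VaultDynamicCredentials> credentials, String clientToken) {
        if (credentials.isEmpty()) {
            return Uni.createFrom().item(Optional.empty());
        }
        return this.vaultInternalSystemBackend.lookupLease(this.vaultClient, clientToken, credentials.get().leaseId)
                .map(ignoredLookup -> credentials)
                .onFailure(VaultClientException.class).recoverWithUni(failure -> {
                    if (((VaultClientException) failure).getStatus() != 400) {
                        return Uni.createFrom().failure(failure);
                    }
                    // NOTE(review): the lease id is written unmasked, unlike the credentials, which
                    // go through getConfidentialInfo — confirm this is acceptable for debug logs.
                    log.debug("lease " + credentials.get().leaseId + " has become invalid");
                    return Uni.createFrom().item(Optional.empty());
                });
    }

    /**
     * Renews the lease of existing credentials and returns a copy carrying the renewed lease data.
     * The username and password are carried over unchanged from the input.
     */
    private Uni<VaultDynamicCredentials> extend(VaultDynamicCredentials currentCredentials, String clientToken, String mount, String requestPath, String role) {
        return this.vaultInternalSystemBackend.renewLease(this.vaultClient, clientToken, currentCredentials.leaseId).map(renewal -> {
            LeaseBase lease = new LeaseBase(renewal.leaseId, renewal.renewable, renewal.leaseDurationSecs);
            VaultDynamicCredentials extended = new VaultDynamicCredentials(lease, currentCredentials.username, currentCredentials.password);
            sanityCheck(extended, mount, requestPath, role);
            log.debug("extended " + role + "(" + getCredentialsPath(mount, requestPath) + ") credentials:" + extended.getConfidentialInfo(getConfig().logConfidentialityLevel));
            return extended;
        });
    }

    /**
     * Asks the dynamic-credentials secret engine for a new username/password pair.
     */
    private Uni<VaultDynamicCredentials> create(String clientToken, String mount, String requestPath, String role) {
        // The decompiled lambda declared a local with the same name as its parameter, which does
        // not compile; the response and the resulting credentials now have distinct names.
        return this.vaultInternalDynamicCredentialsSecretEngine.generateCredentials(this.vaultClient, clientToken, mount, requestPath, role).map(generated -> {
            LeaseBase lease = new LeaseBase(generated.leaseId, generated.renewable, generated.leaseDurationSecs);
            VaultDynamicCredentialsData data = (VaultDynamicCredentialsData) generated.data;
            VaultDynamicCredentials credentials = new VaultDynamicCredentials(lease, data.username, data.password);
            log.debug("generated " + role + "(" + getCredentialsPath(mount, requestPath) + ") credentials:" + credentials.getConfidentialInfo(getConfig().logConfidentialityLevel));
            sanityCheck(credentials, mount, requestPath, role);
            return credentials;
        });
    }

    /** Delegates to {@code leaseDurationSanityCheck} with a {@code role (mount/requestPath)} label. */
    private void sanityCheck(VaultDynamicCredentials credentials, String mount, String requestPath, String role) {
        credentials.leaseDurationSanityCheck(role + " (" + getCredentialsPath(mount, requestPath) + ")", getConfig().renewGracePeriod);
    }
}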
