package io.quarkus.vault.runtime;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.quarkus.vault.VaultException;
import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalAppRoleAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalKubernetesAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalTokenAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalUserpassAuthMethod;
import io.quarkus.vault.runtime.client.backend.VaultInternalSystemBackend;
import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleGenerateNewSecretID;
import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleGenerateNewSecretIDData;
import io.quarkus.vault.runtime.client.dto.auth.VaultKubernetesAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultRenewSelfAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultTokenCreate;
import io.quarkus.vault.runtime.client.dto.auth.VaultTokenCreateAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultUserPassAuthAuth;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV1;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV2;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV2Data;
import io.quarkus.vault.runtime.config.VaultAuthenticationType;
import io.quarkus.vault.runtime.config.VaultBootstrapConfig;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Singleton;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import org.jboss.logging.Logger;

@Singleton
/* loaded from: input_file:io/quarkus/vault/runtime/VaultAuthManager.class */
public class VaultAuthManager {
    private static final Logger log = Logger.getLogger(VaultAuthManager.class.getName());
    public static final String USERPASS_WRAPPING_TOKEN_PASSWORD_KEY = "password";
    private AtomicReference<VaultToken> loginCache = new AtomicReference<>(null);
    private Cache<String, Uni<String>> unwrappingCache = Caffeine.newBuilder().expireAfterWrite(Duration.ofHours(1)).build();
    private VaultConfigHolder vaultConfigHolder;
    private VaultInternalSystemBackend vaultInternalSystemBackend;
    private VaultInternalAppRoleAuthMethod vaultInternalAppRoleAuthMethod;
    private VaultInternalKubernetesAuthMethod vaultInternalKubernetesAuthMethod;
    private VaultInternalUserpassAuthMethod vaultInternalUserpassAuthMethod;
    private VaultInternalTokenAuthMethod vaultInternalTokenAuthMethod;

    VaultAuthManager(VaultConfigHolder vaultConfigHolder, VaultInternalSystemBackend vaultInternalSystemBackend, VaultInternalAppRoleAuthMethod vaultInternalAppRoleAuthMethod, VaultInternalKubernetesAuthMethod vaultInternalKubernetesAuthMethod, VaultInternalUserpassAuthMethod vaultInternalUserpassAuthMethod, VaultInternalTokenAuthMethod vaultInternalTokenAuthMethod) {
        this.vaultConfigHolder = vaultConfigHolder;
        this.vaultInternalSystemBackend = vaultInternalSystemBackend;
        this.vaultInternalAppRoleAuthMethod = vaultInternalAppRoleAuthMethod;
        this.vaultInternalKubernetesAuthMethod = vaultInternalKubernetesAuthMethod;
        this.vaultInternalUserpassAuthMethod = vaultInternalUserpassAuthMethod;
        this.vaultInternalTokenAuthMethod = vaultInternalTokenAuthMethod;
    }

    private VaultBootstrapConfig getConfig() {
        return this.vaultConfigHolder.getVaultBootstrapConfig();
    }

    public Uni<String> getClientToken(VaultClient vaultClient) {
        return getConfig().authentication.isDirectClientToken() ? getDirectClientToken(vaultClient) : login(vaultClient).map(vaultToken -> {
            return vaultToken.clientToken;
        });
    }

    private Uni<String> getDirectClientToken(VaultClient vaultClient) {
        Optional<String> optional = getConfig().authentication.clientToken;
        return optional.isPresent() ? Uni.createFrom().item(optional.get()) : unwrapWrappingTokenOnce(vaultClient, "client token", getConfig().authentication.clientTokenWrappingToken.get(), vaultTokenCreate -> {
            return ((VaultTokenCreateAuth) vaultTokenCreate.auth).clientToken;
        }, VaultTokenCreate.class);
    }

    private Uni<VaultToken> login(VaultClient vaultClient) {
        return login(vaultClient, this.loginCache.get()).map(vaultToken -> {
            this.loginCache.set(vaultToken);
            return vaultToken;
        });
    }

    public Uni<VaultToken> login(VaultClient vaultClient, VaultToken vaultToken) {
        return Uni.createFrom().item(Optional.ofNullable(vaultToken)).flatMap(optional -> {
            return validate(vaultClient, optional);
        }).flatMap(optional2 -> {
            return (optional2.isPresent() && ((VaultToken) optional2.get()).shouldExtend(getConfig().renewGracePeriod)) ? extend(vaultClient, ((VaultToken) optional2.get()).clientToken).map((v0) -> {
                return Optional.of(v0);
            }) : Uni.createFrom().item(optional2);
        }).flatMap(optional3 -> {
            return (optional3.isEmpty() || ((VaultToken) optional3.get()).isExpired() || ((VaultToken) optional3.get()).expiresSoon(getConfig().renewGracePeriod)) ? vaultLogin(vaultClient) : Uni.createFrom().item((VaultToken) optional3.get());
        });
    }

    private Uni<Optional<VaultToken>> validate(VaultClient vaultClient, Optional<VaultToken> optional) {
        return optional.isEmpty() ? Uni.createFrom().item(Optional.empty()) : this.vaultInternalTokenAuthMethod.lookupSelf(vaultClient, optional.get().clientToken).map(vaultLookupSelf -> {
            return optional;
        }).onFailure(VaultClientException.class).recoverWithUni(th -> {
            if (((VaultClientException) th).getStatus() != 403) {
                return Uni.createFrom().failure(th);
            }
            log.debug("login token " + ((VaultToken) optional.get()).clientToken + " has become invalid");
            return Uni.createFrom().item(Optional.empty());
        });
    }

    private Uni<VaultToken> extend(VaultClient vaultClient, String str) {
        return this.vaultInternalTokenAuthMethod.renewSelf(vaultClient, str, null).map(vaultRenewSelf -> {
            VaultToken vaultToken = new VaultToken(((VaultRenewSelfAuth) vaultRenewSelf.auth).clientToken, ((VaultRenewSelfAuth) vaultRenewSelf.auth).renewable, ((VaultRenewSelfAuth) vaultRenewSelf.auth).leaseDurationSecs);
            sanityCheck(vaultToken);
            log.debug("extended login token: " + vaultToken.getConfidentialInfo(getConfig().logConfidentialityLevel));
            return vaultToken;
        });
    }

    private Uni<VaultToken> vaultLogin(VaultClient vaultClient) {
        return login(vaultClient, getConfig().getAuthenticationType()).map(vaultToken -> {
            sanityCheck(vaultToken);
            log.debug("created new login token: " + vaultToken.getConfidentialInfo(getConfig().logConfidentialityLevel));
            return vaultToken;
        });
    }

    private Uni<VaultToken> login(VaultClient vaultClient, VaultAuthenticationType vaultAuthenticationType) {
        Uni<VaultKubernetesAuthAuth> map;
        if (vaultAuthenticationType == VaultAuthenticationType.KUBERNETES) {
            map = loginKubernetes(vaultClient);
        } else if (vaultAuthenticationType == VaultAuthenticationType.USERPASS) {
            String str = getConfig().authentication.userpass.username.get();
            map = getPassword(vaultClient).flatMap(str2 -> {
                return this.vaultInternalUserpassAuthMethod.login(vaultClient, str, str2).map(vaultUserPassAuth -> {
                    return (VaultUserPassAuthAuth) vaultUserPassAuth.auth;
                });
            });
        } else {
            if (vaultAuthenticationType != VaultAuthenticationType.APPROLE) {
                throw new UnsupportedOperationException("unknown authType " + getConfig().getAuthenticationType());
            }
            String str3 = getConfig().authentication.appRole.roleId.get();
            map = getSecretId(vaultClient).flatMap(str4 -> {
                return this.vaultInternalAppRoleAuthMethod.login(vaultClient, str3, str4);
            }).map(vaultAppRoleAuth -> {
                return (VaultAppRoleAuthAuth) vaultAppRoleAuth.auth;
            });
        }
        return map.map(abstractVaultAuthAuth -> {
            return new VaultToken(abstractVaultAuthAuth.clientToken, abstractVaultAuthAuth.renewable, abstractVaultAuthAuth.leaseDurationSecs);
        });
    }

    private Uni<String> getSecretId(VaultClient vaultClient) {
        Optional<String> optional = getConfig().authentication.appRole.secretId;
        return optional.isPresent() ? Uni.createFrom().item(optional.get()) : unwrapWrappingTokenOnce(vaultClient, "secret id", getConfig().authentication.appRole.secretIdWrappingToken.get(), vaultAppRoleGenerateNewSecretID -> {
            return ((VaultAppRoleGenerateNewSecretIDData) vaultAppRoleGenerateNewSecretID.data).secretId;
        }, VaultAppRoleGenerateNewSecretID.class);
    }

    private Uni<String> getPassword(VaultClient vaultClient) {
        Optional<String> optional = getConfig().authentication.userpass.password;
        if (optional.isPresent()) {
            return Uni.createFrom().item(optional.get());
        }
        String str = getConfig().authentication.userpass.passwordWrappingToken.get();
        return getConfig().kvSecretEngineVersion == 1 ? unwrapWrappingTokenOnce(vaultClient, USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, str, vaultKvSecretV1 -> {
            return (String) ((Map) vaultKvSecretV1.data).get(USERPASS_WRAPPING_TOKEN_PASSWORD_KEY);
        }, VaultKvSecretV1.class) : unwrapWrappingTokenOnce(vaultClient, USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, str, vaultKvSecretV2 -> {
            return (String) ((VaultKvSecretV2Data) vaultKvSecretV2.data).data.get(USERPASS_WRAPPING_TOKEN_PASSWORD_KEY);
        }, VaultKvSecretV2.class);
    }

    private <T> Uni<String> unwrapWrappingTokenOnce(VaultClient vaultClient, String str, String str2, Function<T, String> function, Class<T> cls) {
        return (Uni) this.unwrappingCache.get(str2, str3 -> {
            return this.vaultInternalSystemBackend.unwrap(vaultClient, str3, cls).map(obj -> {
                String str3 = (String) function.apply(obj);
                log.debug("unwrapped " + str + ": " + getConfig().logConfidentialityLevel.maskWithTolerance(str3, LogConfidentialityLevel.LOW));
                return str3;
            }).onFailure(VaultClientException.class).transform(th -> {
                return ((VaultClientException) th).getStatus() == 400 ? new VaultException("wrapping token is not valid or does not exist; this means that the token has already expired (if so you can increase the ttl on the wrapping token) or has been consumed by somebody else (potentially indicating that the wrapping token has been stolen)", th) : th;
            }).memoize().indefinitely();
        });
    }

    private Uni<VaultKubernetesAuthAuth> loginKubernetes(VaultClient vaultClient) {
        String str = new String(read(getConfig().authentication.kubernetes.jwtTokenPath), StandardCharsets.UTF_8);
        log.debug("authenticate with jwt at: " + getConfig().authentication.kubernetes.jwtTokenPath + " => " + getConfig().logConfidentialityLevel.maskWithTolerance(str, LogConfidentialityLevel.LOW));
        return this.vaultInternalKubernetesAuthMethod.login(vaultClient, getConfig().authentication.kubernetes.role.get(), str).map(vaultKubernetesAuth -> {
            return (VaultKubernetesAuthAuth) vaultKubernetesAuth.auth;
        });
    }

    private byte[] read(String str) {
        try {
            return Files.readAllBytes(Paths.get(str, new String[0]));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private void sanityCheck(VaultToken vaultToken) {
        vaultToken.leaseDurationSanityCheck("auth", getConfig().renewGracePeriod);
    }
}
