package io.quarkus.vault.runtime;

import io.quarkus.vault.client.VaultClient;
import io.quarkus.vault.client.VaultClientException;
import io.quarkus.vault.client.api.common.VaultAnyResult;
import io.quarkus.vault.client.common.VaultLeasedResultExtractor;
import io.quarkus.vault.client.common.VaultRequest;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Singleton;
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.jboss.logging.Logger;

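@Singleton
public class VaultDynamicCredentialsManager {

    private static final Logger log = Logger.getLogger(VaultDynamicCredentialsManager.class.getName());

    /**
     * Most recently issued credentials per {@code mount/requestPath@role}.
     * <p>
     * Entries hold the plaintext username/password of a live Vault lease; nothing in this
     * class removes an entry, it is only overwritten when a newer lease is issued. The
     * lookup in {@link #getDynamicCredentials} and the later put are two separate steps,
     * so two concurrent callers for the same key can each obtain their own lease; the last
     * put wins and the other lease is not revoked by this class.
     */
    private final ConcurrentHashMap<String, VaultDynamicCredentials> credentialsCache = new ConcurrentHashMap<>();
    private final VaultClient vaultClient;
    private final VaultConfigHolder vaultConfigHolder;

    public VaultDynamicCredentialsManager(VaultClient vaultClient, VaultConfigHolder vaultConfigHolder) {
        this.vaultClient = vaultClient;
        this.vaultConfigHolder = vaultConfigHolder;
    }

    /** Path of the credentials endpoint below the secret engine mount, {@code mount/requestPath}. */
    private String getCredentialsPath(String mount, String requestPath) {
        return mount + "/" + requestPath;
    }

    /** Cache key for one (mount, request path, role) triple: {@code mount/requestPath@role}. */
    private String getCredentialsCacheKey(String mount, String requestPath, String role) {
        return getCredentialsPath(mount, requestPath) + "@" + role;
    }

    /** Returns the cached credentials for the triple, or {@code null} if none were stored yet. */
    VaultDynamicCredentials getCachedCredentials(String mount, String requestPath, String role) {
        return credentialsCache.get(getCredentialsCacheKey(mount, requestPath, role));
    }

    /** Stores (or replaces) the cached credentials for the triple. */
    void putCachedCredentials(String mount, String requestPath, String role, VaultDynamicCredentials credentials) {
        credentialsCache.put(getCredentialsCacheKey(mount, requestPath, role), credentials);
    }

    /** Reads the config through the holder on every call, so it is never captured eagerly. */
    private VaultRuntimeConfig getConfig() {
        return vaultConfigHolder.getVaultRuntimeConfig();
    }

    /**
     * Resolves usable dynamic credentials for the given engine path and role, creating,
     * renewing or reusing a lease as needed, and caches the result.
     *
     * @param mount       secret engine mount
     * @param requestPath path below the mount at which credentials are generated
     * @param role        role whose credentials are requested
     * @return a map with the keys {@code "user"}, {@code "password"} and {@code "expires-at"}
     *         (the lease expiry {@link java.time.Instant} as a string); the map contains the
     *         plaintext password and should be handled accordingly by the caller
     */
    public Uni<Map<String, String>> getDynamicCredentials(String mount, String requestPath, String role) {
        return getCredentials(getCachedCredentials(mount, requestPath, role), mount, requestPath, role)
                .map(credentials -> {
                    putCachedCredentials(mount, requestPath, role, credentials);
                    Map<String, String> result = new HashMap<>();
                    result.put("user", credentials.username);
                    result.put("password", credentials.password);
                    result.put("expires-at", credentials.getExpireInstant().toString());
                    return result;
                });
    }

    /**
     * Turns possibly stale cached credentials into credentials that are valid right now.
     * <p>
     * Pipeline: (1) {@link #validate} drops the cached lease if Vault no longer knows it;
     * (2) if the lease is still valid but {@code shouldExtend(renewGracePeriod)} reports it
     * should be renewed, it is renewed via {@link #extend}; (3) if there are no credentials,
     * or they are expired, or they expire within the grace period, a brand-new lease is
     * created via {@link #create}. Otherwise the (possibly renewed) credentials are returned.
     *
     * @param cached previously issued credentials, or {@code null}
     * @return credentials safe to hand to the caller
     */
    public Uni<VaultDynamicCredentials> getCredentials(VaultDynamicCredentials cached, String mount, String requestPath,
            String role) {
        return Uni.createFrom().item(Optional.ofNullable(cached))
                .flatMap(this::validate)
                .flatMap(valid -> {
                    if (valid.isPresent() && valid.get().shouldExtend(getConfig().renewGracePeriod())) {
                        return extend(valid.get(), mount, requestPath, role).map(Optional::of);
                    }
                    return Uni.createFrom().item(valid);
                })
                .flatMap(current -> {
                    if (current.isEmpty()
                            || current.get().isExpired()
                            || current.get().expiresSoon(getConfig().renewGracePeriod())) {
                        return create(mount, requestPath, role);
                    }
                    return Uni.createFrom().item(current.get());
                });
    }

    /**
     * Asks Vault whether the cached lease still exists.
     * <p>
     * A {@link VaultClientException} with HTTP status 400 from the lease read is taken to
     * mean the lease is gone and yields an empty result; any other failure (other statuses,
     * or non-client exceptions) is propagated unchanged. An empty input short-circuits
     * without contacting Vault.
     */
    private Uni<Optional<VaultDynamicCredentials>> validate(Optional<VaultDynamicCredentials> cached) {
        if (cached.isEmpty()) {
            return Uni.createFrom().item(Optional.empty());
        }
        return Uni.createFrom().completionStage(vaultClient.sys().leases().read(cached.get().leaseId))
                .map(ignoredLeaseInfo -> cached)
                .onFailure(VaultClientException.class)
                .recoverWithUni(failure -> {
                    if (((VaultClientException) failure).getStatus().intValue() != 400) {
                        return Uni.createFrom().failure(failure);
                    }
                    log.debug("lease " + cached.get().leaseId + " has become invalid");
                    return Uni.createFrom().item(Optional.empty());
                });
    }

    /**
     * Renews the lease of {@code current} (with Vault's default increment) and returns new
     * credentials carrying the renewed lease but the same username/password.
     * The debug log line is redacted according to {@code logConfidentialityLevel}.
     */
    private Uni<VaultDynamicCredentials> extend(VaultDynamicCredentials current, String mount, String requestPath,
            String role) {
        return Uni.createFrom().completionStage(vaultClient.sys().leases().renew(current.leaseId, (Duration) null))
                .map(renewResult -> {
                    VaultDynamicCredentials renewed = new VaultDynamicCredentials(
                            new LeaseBase(renewResult.getLeaseId(), renewResult.isRenewable().booleanValue(),
                                    renewResult.getLeaseDuration().toSeconds()),
                            current.username, current.password);
                    sanityCheck(renewed, mount, requestPath, role);
                    log.debug("extended " + role + "(" + getCredentialsPath(mount, requestPath) + ") credentials:"
                            + renewed.getConfidentialInfo(getConfig().logConfidentialityLevel()));
                    return renewed;
                });
    }

    /**
     * Requests a brand-new lease at {@code mount/requestPath/role}.
     * <p>
     * The response data must carry {@code username} and {@code password}; a missing field
     * fails with a {@link NullPointerException} naming the field rather than a bare NPE.
     * The debug log line is redacted according to {@code logConfidentialityLevel}.
     */
    private Uni<VaultDynamicCredentials> create(String mount, String requestPath, String role) {
        return Uni.createFrom().completionStage(vaultClient.execute(
                        VaultRequest.get(String.format("[DYN-CREDS (%s)] Generate for %s", mount, role))
                                .path(new Object[] { mount, requestPath, role })
                                .expectOkStatus()
                                .build(VaultLeasedResultExtractor.of(VaultAnyResult.class))))
                .map(response -> response.getResult())
                .map(result -> {
                    Map<?, ?> data = (Map<?, ?>) result.getData();
                    String username = Objects.requireNonNull(data.get("username"),
                            "Vault response is missing the 'username' field").toString();
                    String password = Objects.requireNonNull(data.get("password"),
                            "Vault response is missing the 'password' field").toString();
                    VaultDynamicCredentials created = new VaultDynamicCredentials(
                            new LeaseBase(result.getLeaseId(), result.isRenewable().booleanValue(),
                                    result.getLeaseDuration().toSeconds()),
                            username, password);
                    log.debug("generated " + role + "(" + getCredentialsPath(mount, requestPath) + ") credentials:"
                            + created.getConfidentialInfo(getConfig().logConfidentialityLevel()));
                    sanityCheck(created, mount, requestPath, role);
                    return created;
                });
    }

    /** Delegates to the lease-duration check with a human-readable label for error messages. */
    private void sanityCheck(VaultDynamicCredentials credentials, String mount, String requestPath, String role) {
        credentials.leaseDurationSanityCheck(role + " (" + getCredentialsPath(mount, requestPath) + ")",
                getConfig().renewGracePeriod());
    }
}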
