package io.quarkus.vault.runtime;

import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.dto.auth.AbstractVaultAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultKubernetesAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultRenewSelfAuth;
import io.quarkus.vault.runtime.config.VaultAuthenticationType;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.concurrent.atomic.AtomicReference;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/vault/runtime/VaultAuthManager.class */
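/**
 * Obtains and maintains the Vault client token used by the runtime.
 *
 * <p>When a static client token is configured it is handed back as-is. Otherwise the
 * manager logs in with the configured authentication type (Kubernetes, userpass or
 * AppRole), caches the resulting token and, on later calls, validates it against
 * Vault, extends it, or creates a fresh one depending on the configured renew grace
 * period.
 *
 * <p>Concurrency: the cached token is read and then written through an
 * {@link AtomicReference} without any lock, so concurrent callers may each perform a
 * login; the last one to store its result wins.
 *
 * <p>Every log statement that mentions a credential goes through the configured
 * {@code logConfidentialityLevel} masking; never log a raw token here.
 */
public class VaultAuthManager {
    private static final Logger log = Logger.getLogger(VaultAuthManager.class.getName());
    private VaultRuntimeConfig serverConfig;
    private VaultClient vaultClient;
    /** Token obtained by the most recent dynamic login; null until the first one. */
    private AtomicReference<VaultToken> auth = new AtomicReference<>(null);

    public VaultAuthManager(VaultClient vaultClient, VaultRuntimeConfig vaultRuntimeConfig) {
        this.vaultClient = vaultClient;
        this.serverConfig = vaultRuntimeConfig;
    }

    /**
     * Returns the client token to present to Vault.
     *
     * <p>A statically configured token is returned without validation; otherwise the
     * cached token is refreshed through {@link #login()} as needed.
     */
    public String getClientToken() {
        return this.serverConfig.authentication.clientToken.orElseGet(() -> login().clientToken);
    }

    /** Refreshes the cached token from its current value and stores the result. */
    private VaultToken login() {
        // login(VaultToken) only touches serverConfig and vaultClient, so calling it on
        // this instance is equivalent to the original's throw-away manager instance.
        VaultToken refreshed = login(this.auth.get());
        this.auth.set(refreshed);
        return refreshed;
    }

    /**
     * Validates, extends or replaces a previously obtained token.
     *
     * @param vaultToken the current token, or null when none has been obtained yet
     * @return a token Vault accepts that does not expire within the renew grace period
     */
    public VaultToken login(VaultToken vaultToken) {
        VaultToken current = vaultToken;
        if (current != null) {
            // lookup-self; a 403 from Vault means the token is no longer usable
            current = validate(current);
        }
        if (current != null && current.shouldExtend(this.serverConfig.renewGracePeriod)) {
            current = extend(current.clientToken);
        }
        if (current == null || current.isExpired() || current.expiresSoon(this.serverConfig.renewGracePeriod)) {
            current = vaultLogin();
        }
        return current;
    }

    /**
     * Asks Vault (lookup-self) whether the token is still accepted.
     *
     * @return the token when Vault accepts it; null when Vault answers 403
     * @throws VaultClientException for any other status returned by the client
     */
    private VaultToken validate(VaultToken vaultToken) {
        try {
            this.vaultClient.lookupSelf(vaultToken.clientToken);
            return vaultToken;
        } catch (VaultClientException e) {
            if (e.getStatus() != 403) {
                throw e;
            }
            // Mask the token as the other log statements in this class do: a raw client
            // token written to the log would give Vault access to anyone who can read it.
            log.debug("login token " + vaultToken.getConfidentialInfo(this.serverConfig.logConfidentialityLevel)
                    + " has become invalid");
            return null;
        }
    }

    /**
     * Renews the token via renew-self and returns the token Vault describes in its
     * response, after the lease-duration sanity check.
     */
    private VaultToken extend(String clientToken) {
        VaultRenewSelfAuth renewed = (VaultRenewSelfAuth) this.vaultClient.renewSelf(clientToken, null).auth;
        VaultToken extended = new VaultToken(renewed.clientToken, renewed.renewable, renewed.leaseDurationSecs);
        sanityCheck(extended);
        log.debug("extended login token: " + extended.getConfidentialInfo(this.serverConfig.logConfidentialityLevel));
        return extended;
    }

    /** Performs a brand-new login with the configured authentication type. */
    private VaultToken vaultLogin() {
        VaultToken created = login(this.serverConfig.getAuthenticationType());
        sanityCheck(created);
        log.debug("created new login token: " + created.getConfidentialInfo(this.serverConfig.logConfidentialityLevel));
        return created;
    }

    /**
     * Dispatches to the login call matching {@code authenticationType}.
     *
     * @throws UnsupportedOperationException for an authentication type not handled here
     */
    private VaultToken login(VaultAuthenticationType authenticationType) {
        AbstractVaultAuthAuth result;
        if (authenticationType == VaultAuthenticationType.KUBERNETES) {
            result = loginKubernetes();
        } else if (authenticationType == VaultAuthenticationType.USERPASS) {
            result = (AbstractVaultAuthAuth) this.vaultClient.loginUserPass(
                    this.serverConfig.authentication.userpass.username.get(),
                    this.serverConfig.authentication.userpass.password.get()).auth;
        } else if (authenticationType == VaultAuthenticationType.APPROLE) {
            result = (AbstractVaultAuthAuth) this.vaultClient.loginAppRole(
                    this.serverConfig.authentication.appRole.roleId.get(),
                    this.serverConfig.authentication.appRole.secretId.get()).auth;
        } else {
            throw new UnsupportedOperationException("unknown authType " + authenticationType);
        }
        return new VaultToken(result.clientToken, result.renewable, result.leaseDurationSecs);
    }

    /**
     * Logs in with the Kubernetes auth method using the service-account JWT read from
     * the configured path. The JWT is a bearer credential and is logged only masked.
     */
    private VaultKubernetesAuthAuth loginKubernetes() {
        String jwtPath = this.serverConfig.authentication.kubernetes.jwtTokenPath;
        String jwt = new String(read(jwtPath), StandardCharsets.UTF_8);
        log.debug("authenticate with jwt at: " + jwtPath + " => "
                + this.serverConfig.logConfidentialityLevel.maskWithTolerance(jwt, LogConfidentialityLevel.LOW));
        return (VaultKubernetesAuthAuth) this.vaultClient.loginKubernetes(
                this.serverConfig.authentication.kubernetes.role.get(), jwt).auth;
    }

    /**
     * Reads a whole file.
     *
     * @throws RuntimeException wrapping the {@link IOException}; the message names the
     *         path (not secret) but never the content
     */
    private byte[] read(String path) {
        try {
            return Files.readAllBytes(Paths.get(path));
        } catch (IOException e) {
            throw new RuntimeException("unable to read " + path, e);
        }
    }

    /** Delegates the lease-duration check to the token, labelled as an "auth" lease. */
    private void sanityCheck(VaultToken vaultToken) {
        vaultToken.leaseDurationSanityCheck("auth", this.serverConfig.renewGracePeriod);
    }
}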
