package io.quarkus.vault.runtime;

import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.dto.database.VaultDatabaseCredentials;
import io.quarkus.vault.runtime.client.dto.database.VaultDatabaseCredentialsData;
import io.quarkus.vault.runtime.client.dto.sys.VaultRenewLease;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/vault/runtime/VaultDbManager.class */
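/**
 * Obtains dynamic database credentials from Vault and keeps the most recent
 * set per credentials name in an in-memory cache.
 *
 * <p>On every lookup the cached entry (if any) is checked against Vault,
 * renewed when {@code shouldExtend} says so, and replaced by freshly generated
 * credentials when it is missing, expired or about to expire.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The cache and the map returned by {@link #getDynamicDbCredentials(String)}
 *       hold the database password in clear text; callers must not log or
 *       persist them.</li>
 *   <li>Debug output for renewed and generated credentials goes through
 *       {@code getConfidentialInfo(logConfidentialityLevel)}. The message built
 *       in {@code validate} logs the lease id directly and is not subject to
 *       that setting.</li>
 *   <li>The cache read and the cache write in
 *       {@link #getDynamicDbCredentials(String)} are two separate operations,
 *       so concurrent callers asking for the same name may each reach Vault and
 *       the last write wins.
 *       NOTE(review): confirm that an extra lease is acceptable here.</li>
 * </ul>
 */
public class VaultDbManager {
    private static final Logger log = Logger.getLogger(VaultDbManager.class.getName());

    // Keyed by the credentials name handed to getDynamicDbCredentials. Left package-visible and
    // non-final exactly as declared, because other classes in this package may rely on it.
    ConcurrentHashMap<String, VaultDynamicDatabaseCredentials> credentialsCache = new ConcurrentHashMap<>();
    private final VaultAuthManager vaultAuthManager;
    private final VaultClient vaultClient;
    private final VaultRuntimeConfig serverConfig;

    /**
     * @param vaultAuthManager source of the client token used for every Vault call
     * @param vaultClient client used to look up, renew and generate leases
     * @param vaultRuntimeConfig supplies {@code renewGracePeriod} and {@code logConfidentialityLevel}
     */
    public VaultDbManager(VaultAuthManager vaultAuthManager, VaultClient vaultClient, VaultRuntimeConfig vaultRuntimeConfig) {
        this.vaultAuthManager = vaultAuthManager;
        this.vaultClient = vaultClient;
        this.serverConfig = vaultRuntimeConfig;
    }

    /**
     * Returns usable credentials for the given name, refreshing the cache entry on the way.
     *
     * @param str name the credentials are cached and requested under
     *            (presumably the Vault database role; confirm against the caller)
     * @return a new mutable map with the username under {@code "user"} and the clear-text
     *         password under {@code VaultAuthManager.USERPASS_WRAPPING_TOKEN_PASSWORD_KEY}
     */
    public Map<String, String> getDynamicDbCredentials(String str) {
        // The cache is read before the token is requested, so a null name fails before any Vault traffic.
        VaultDynamicDatabaseCredentials cached = this.credentialsCache.get(str);
        String clientToken = this.vaultAuthManager.getClientToken();
        VaultDynamicDatabaseCredentials credentials = getCredentials(cached, clientToken, str);
        this.credentialsCache.put(str, credentials);

        Map<String, String> properties = new HashMap<>();
        properties.put("user", credentials.username);
        // NOTE(review): the constant name looks like a decompiler substitution for a plain
        // password-key literal; its value is not visible here, so the reference is kept as is.
        properties.put(VaultAuthManager.USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, credentials.password);
        return properties;
    }

    /**
     * Validates, renews or replaces a set of credentials, in that order.
     *
     * @param vaultDynamicDatabaseCredentials previously issued credentials, or {@code null} if none
     * @param str client token used for the Vault calls
     * @param str2 name the credentials are requested under
     * @return credentials that passed the checks below; never {@code null}
     */
    public VaultDynamicDatabaseCredentials getCredentials(VaultDynamicDatabaseCredentials vaultDynamicDatabaseCredentials, String str, String str2) {
        VaultDynamicDatabaseCredentials current = vaultDynamicDatabaseCredentials;

        // Step 1: drop the entry if Vault no longer recognises its lease.
        if (current != null) {
            current = validate(current, str);
        }

        // Step 2: renew the lease when the credentials ask for it.
        if (current != null && current.shouldExtend(this.serverConfig.renewGracePeriod)) {
            current = extend(current, str, str2);
        }

        // Step 3: fall back to brand-new credentials when nothing usable is left, including the
        // case where a renewal still leaves the lease expired or inside the grace period.
        if (current == null || current.isExpired() || current.expiresSoon(this.serverConfig.renewGracePeriod)) {
            current = create(str, str2);
        }
        return current;
    }

    /**
     * Asks Vault whether the lease behind the credentials still exists.
     *
     * @return the same credentials when the lookup succeeds, {@code null} when Vault answers with
     *         status 400
     * @throws VaultClientException for every status other than 400 (rethrown unchanged)
     */
    private VaultDynamicDatabaseCredentials validate(VaultDynamicDatabaseCredentials credentials, String clientToken) {
        try {
            this.vaultClient.lookupLease(clientToken, credentials.leaseId);
            return credentials;
        } catch (VaultClientException e) {
            // Only status 400 is read as "lease gone"; any other failure must surface to the caller
            // instead of silently triggering a new credential request.
            if (e.getStatus() != 400) {
                throw e;
            }
            // NOTE(review): the lease id is written as is, unlike the messages in extend/create,
            // which honour logConfidentialityLevel. Confirm whether it should be masked as well.
            if (log.isDebugEnabled()) {
                log.debug("lease " + credentials.leaseId + " has become invalid");
            }
            return null;
        }
    }

    /**
     * Renews the lease and returns new credentials that carry the renewed lease data together
     * with the existing username and password.
     */
    private VaultDynamicDatabaseCredentials extend(VaultDynamicDatabaseCredentials credentials, String clientToken, String name) {
        VaultRenewLease renewed = this.vaultClient.renewLease(clientToken, credentials.leaseId);
        LeaseBase lease = new LeaseBase(renewed.leaseId, renewed.renewable, renewed.leaseDurationSecs);
        VaultDynamicDatabaseCredentials extended = new VaultDynamicDatabaseCredentials(lease, credentials.username, credentials.password);
        sanityCheck(extended, name);
        // Guarded so the description of the credentials is only built when it will be logged.
        if (log.isDebugEnabled()) {
            log.debug("extended " + name + " credentials with: " + extended.getConfidentialInfo(this.serverConfig.logConfidentialityLevel));
        }
        return extended;
    }

    /**
     * Requests a fresh set of credentials from Vault for the given name.
     */
    private VaultDynamicDatabaseCredentials create(String clientToken, String name) {
        VaultDatabaseCredentials generated = this.vaultClient.generateDatabaseCredentials(clientToken, name);
        // The cast is kept from the decompiled source ("Multi-variable type inference failed");
        // the declared type of 'data' is not visible in this file.
        VaultDatabaseCredentialsData data = (VaultDatabaseCredentialsData) generated.data;
        LeaseBase lease = new LeaseBase(generated.leaseId, generated.renewable, generated.leaseDurationSecs);
        VaultDynamicDatabaseCredentials created = new VaultDynamicDatabaseCredentials(lease, data.username, data.password);
        // Guarded so the description of the credentials is only built when it will be logged.
        if (log.isDebugEnabled()) {
            log.debug("generated " + name + " credentials: " + created.getConfidentialInfo(this.serverConfig.logConfidentialityLevel));
        }
        sanityCheck(created, name);
        return created;
    }

    /**
     * Delegates to {@code leaseDurationSanityCheck} with the configured renew grace period.
     */
    private void sanityCheck(VaultDynamicDatabaseCredentials credentials, String name) {
        credentials.leaseDurationSanityCheck(name, this.serverConfig.renewGracePeriod);
    }
}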
