package org.wso2.carbon.mediation.security.vault.external.hashicorp;

import com.bettercloud.vault.SslConfig;
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.api.Logical;
import com.bettercloud.vault.rest.RestException;
import java.io.File;
import java.util.Calendar;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.wso2.carbon.mediation.security.vault.SecureVaultCacheContext;
import org.wso2.carbon.mediation.security.vault.external.ExternalVaultConfigLoader;
import org.wso2.carbon.mediation.security.vault.external.ExternalVaultException;
import org.wso2.carbon.mediation.security.vault.external.ExternalVaultLookupHandler;
import org.wso2.carbon.mediation.security.vault.xpath.VaultLookupFunction;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/mediation/security/vault/external/hashicorp/HashiCorpVaultLookupHandlerImpl.class */
public class HashiCorpVaultLookupHandlerImpl implements ExternalVaultLookupHandler {
    private static Log log = LogFactory.getLog(HashiCorpVaultLookupHandlerImpl.class);
    private static HashiCorpVaultLookupHandlerImpl instance = null;
    private Vault vaultConnection;
    private VaultConfig vaultConfig;
    private String vaultNamespace;
    private String currentAuthToken;
    private Calendar tokenExpiration;
    private String secretId;
    private String roleId;
    private String currentAliasPassword;
    private String cachableDuration = "15000";
    private String engineVersion = "2";
    private boolean isAppRolePullAuthentication = true;

    private HashiCorpVaultLookupHandlerImpl() throws ExternalVaultException {
        try {
            initialize();
        } catch (ExternalVaultException e) {
            throw new ExternalVaultException("Error while initializing the secure vault configs", e);
        }
    }

    public static HashiCorpVaultLookupHandlerImpl getDefaultSecurityService() throws ExternalVaultException {
        if (instance == null) {
            instance = new HashiCorpVaultLookupHandlerImpl();
        }
        return instance;
    }

    @Override // org.wso2.carbon.mediation.security.vault.external.ExternalVaultLookupHandler
    public String name() {
        return "hashicorp";
    }

    private void initialize() throws ExternalVaultException {
        Map<String, String> vaultParameters = ExternalVaultConfigLoader.getVaultParameters(name());
        if (vaultParameters == null || vaultParameters.size() < 2) {
            throw new ExternalVaultException("Required configurations of the " + name() + " secure vault can not found");
        }
        if (!vaultParameters.containsKey("address")) {
            throw new ExternalVaultException("address parameter can not found in " + name() + " secure vault configurations");
        }
        if (!vaultParameters.containsKey("rootToken") && (!vaultParameters.containsKey("roleId") || !vaultParameters.containsKey("secretId"))) {
            throw new ExternalVaultException("Static RootToken parameter or RoleID and SecretID parameters can not found in " + name() + " secure vault configurations");
        }
        processHashiCorpParameters(vaultParameters);
        try {
            this.vaultConfig = createHashiCorpVaultConfig(vaultParameters);
            this.vaultConnection = new Vault(this.vaultConfig);
            if (!vaultParameters.containsKey("rootToken") && vaultParameters.containsKey("roleId") && vaultParameters.containsKey("secretId")) {
                authenticateHashiCorpVault();
            }
        } catch (VaultException e) {
            if (!(e.getCause() instanceof RestException)) {
                throw new ExternalVaultException("Error while connecting the HashiCorp vault", e);
            }
            throw new ExternalVaultException("Error in connecting to HashiCorp vault. Vault address: " + vaultParameters.get("address"), e);
        }
    }

    private boolean authenticateHashiCorpVault() throws VaultException {
        boolean z = false;
        if (isTokenTTLExpired()) {
            try {
                this.currentAuthToken = this.vaultConnection.auth().loginByAppRole(this.roleId, this.secretId).getAuthClientToken();
                this.vaultConfig.token(this.currentAuthToken).build();
                log.debug("Login to Vault using AppRole/SecretID successful");
                getTTLExpiryOfCurrentToken(this.vaultConnection);
                z = true;
            } catch (VaultException e) {
                throw new VaultException("Error while generating a new client token using the roleId and secretId. Please check the secret_id_num_uses parameter value for the troubleshooting purposes.");
            }
        } else {
            this.vaultConfig.token(this.currentAuthToken).build();
        }
        return z;
    }

    private boolean isTokenTTLExpired() {
        if (this.tokenExpiration == null || this.currentAuthToken == null) {
            return true;
        }
        boolean z = true;
        long timeInMillis = Calendar.getInstance().getTimeInMillis() - this.tokenExpiration.getTimeInMillis();
        if (timeInMillis < -2000) {
            z = false;
            log.debug("current client token is still valid.");
        } else if (log.isDebugEnabled()) {
            log.debug("Auth token has to be re-issued" + timeInMillis);
        }
        return z;
    }

    private void getTTLExpiryOfCurrentToken(Vault vault) {
        int i = 0;
        try {
            i = (int) vault.auth().lookupSelf().getTTL();
        } catch (VaultException e) {
            log.warn("Could not determine token expiration. Check if token is allowed to access auth/token/lookup-self. Assuming token TTL is expired.", e);
        }
        this.tokenExpiration = Calendar.getInstance();
        this.tokenExpiration.add(13, i);
    }

    private void processHashiCorpParameters(Map<String, String> map) {
        if (map.containsKey("cacheableDuration") && !map.get("cacheableDuration").isEmpty() && map.get("cacheableDuration").matches("[0-9]+")) {
            this.cachableDuration = map.get("cacheableDuration");
        }
        if (map.containsKey("engineVersion") && !map.get("engineVersion").isEmpty() && map.get("engineVersion").matches("[0-9]+")) {
            this.engineVersion = map.get("engineVersion");
        }
        if (map.containsKey("namespace") && !map.get("namespace").isEmpty()) {
            this.vaultNamespace = map.get("namespace");
        }
        if (map.containsKey("trustStoreFile")) {
            String str = map.get("trustStoreFile");
            if (str.startsWith("${carbon.home}")) {
                map.put("trustStoreFile", str.replace("${carbon.home}", CarbonUtils.getCarbonHome()));
            }
        }
        if (map.containsKey("keyStoreFile")) {
            String str2 = map.get("keyStoreFile");
            if (str2.startsWith("${carbon.home}")) {
                map.put("keyStoreFile", str2.replace("${carbon.home}", CarbonUtils.getCarbonHome()));
            }
        }
        if (map.containsKey("secretId")) {
            this.secretId = map.get("secretId");
        }
        if (map.containsKey("roleId")) {
            this.roleId = map.get("roleId");
        }
    }

    private VaultConfig createHashiCorpVaultConfig(Map<String, String> map) throws VaultException, ExternalVaultException {
        VaultConfig address = new VaultConfig().address(map.get("address"));
        if (map.get("address").startsWith("https")) {
            SslConfig sslConfig = new SslConfig();
            if (!map.containsKey("trustStoreFile") && !map.containsKey("keyStoreFile")) {
                throw new ExternalVaultException("trustStoreFile parameter or trustStoreFileparameter can not found in " + name() + " secure vault configurations");
            }
            if (map.containsKey("trustStoreFile")) {
                sslConfig = sslConfig.trustStoreFile(new File(map.get("trustStoreFile")));
            }
            if (map.containsKey("keyStoreFile") && map.containsKey("keyStorePassword")) {
                sslConfig = sslConfig.keyStoreFile(new File(map.get("keyStoreFile")), map.get("keyStorePassword"));
            } else {
                if (map.containsKey("keyStoreFile") && !map.containsKey("keyStorePassword")) {
                    throw new ExternalVaultException("keyStorePassword parameter can not found in " + name() + " secure vault configurations");
                }
                if (!map.containsKey("keyStoreFile") && map.containsKey("keyStorePassword")) {
                    throw new ExternalVaultException("keyStoreFile parameter can not found in " + name() + " secure vault configurations");
                }
            }
            address = address.sslConfig(sslConfig);
        }
        VaultConfig engineVersion = address.engineVersion(Integer.valueOf(Integer.parseInt(this.engineVersion)));
        if (map.containsKey("rootToken")) {
            engineVersion = engineVersion.token(map.get("rootToken"));
            this.isAppRolePullAuthentication = false;
        }
        if (this.vaultNamespace != null) {
            engineVersion = engineVersion.nameSpace(this.vaultNamespace);
        }
        return engineVersion.build();
    }

    @Override // org.wso2.carbon.mediation.security.vault.external.ExternalVaultLookupHandler
    public String evaluate(Map<String, String> map, MessageContext messageContext) throws ExternalVaultException {
        SecureVaultCacheContext secureVaultCacheContext;
        Map<String, Object> decryptedCacheMap = messageContext.getConfiguration().getDecryptedCacheMap();
        String str = map.get("path-parameter");
        String str2 = map.get("field-parameter");
        String str3 = str + "-" + str2;
        String str4 = null;
        if (map.containsKey("vault-namespace")) {
            str3 = map.get("vault-namespace") + "-" + str3;
            str4 = map.get("vault-namespace");
        } else if (this.vaultNamespace != null) {
            str3 = this.vaultNamespace + "-" + str3;
            str4 = this.vaultNamespace;
        }
        if (decryptedCacheMap.containsKey(str3) && (secureVaultCacheContext = (SecureVaultCacheContext) decryptedCacheMap.get(str3)) != null) {
            if (secureVaultCacheContext.getDateTime().getTime() + Long.parseLong(this.cachableDuration) >= System.currentTimeMillis()) {
                return secureVaultCacheContext.getDecryptedValue();
            }
            decryptedCacheMap.remove(str3);
            return vaultLookup(str4, str, str2, decryptedCacheMap);
        }
        return vaultLookup(str4, str, str2, decryptedCacheMap);
    }

    private synchronized String vaultLookup(String str, String str2, String str3, Map<String, Object> map) throws ExternalVaultException {
        SecureVaultCacheContext secureVaultCacheContext;
        this.currentAliasPassword = str2 + "-" + str3;
        String str4 = "Cannot read the vault secret from the HashiCorp vault. " + (str != null ? "Namespace: " + str + ", " : VaultLookupFunction.NULL_STRING) + "Path: " + str2 + ", Field: " + str3;
        String str5 = null;
        try {
            str5 = resolveHashiCorpSecret(str, str2, str3);
        } catch (VaultException e) {
            if (!this.isAppRolePullAuthentication) {
                throw new ExternalVaultException(str4, e);
            }
        }
        if (str5 == null && this.isAppRolePullAuthentication) {
            try {
                if (authenticateHashiCorpVault()) {
                    log.warn("Generating a new client token since the current token is expired");
                    str5 = resolveHashiCorpSecret(str, str2, str3);
                }
            } catch (VaultException e2) {
                throw new ExternalVaultException(str4, e2);
            }
        }
        if (map == null || str5 == null) {
            log.warn("Cannot find a vault secret from the HashiCorp vault for, " + (str != null ? "Namespace: " + str + ", " : VaultLookupFunction.NULL_STRING) + "Path: " + str2 + ", Field: " + str3);
            return null;
        }
        if (str5.isEmpty() && (secureVaultCacheContext = (SecureVaultCacheContext) map.get(this.currentAliasPassword)) != null) {
            return secureVaultCacheContext.getDecryptedValue();
        }
        map.put(this.currentAliasPassword, new SecureVaultCacheContext(Calendar.getInstance().getTime(), str5));
        return str5;
    }

    private String resolveHashiCorpSecret(String str, String str2, String str3) throws VaultException {
        Logical logical = this.vaultConnection.logical();
        if (str != null) {
            logical = logical.withNameSpace(str);
            this.currentAliasPassword = str + "-" + this.currentAliasPassword;
        }
        return (String) logical.read(str2).getData().get(str3);
    }

    public void setSecretId(String str) {
        this.secretId = str;
    }
}
