package io.quarkus.vault.runtime;

import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.backend.VaultInternalSystemBackend;
import io.quarkus.vault.runtime.client.dto.dynamic.VaultDynamicCredentialsData;
import io.quarkus.vault.runtime.client.dto.sys.VaultRenewLease;
import io.quarkus.vault.runtime.client.secretengine.VaultInternalDynamicCredentialsSecretEngine;
import io.quarkus.vault.runtime.config.VaultBootstrapConfig;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.inject.Singleton;
import org.jboss.logging.Logger;

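/**
 * Caches and maintains dynamic (leased) credentials obtained from a Vault secret engine.
 *
 * <p>Credentials are cached per {@code mount/requestPath@role}. On every request the cached
 * lease is re-validated against Vault, extended when it is inside the configured renew grace
 * period, and regenerated when it is missing, expired or about to expire. The cache is shared
 * by all callers of this singleton; no per-caller isolation is applied beyond the cache key.
 *
 * <p>Thread-safety: the cache itself is a {@link ConcurrentHashMap}, but the get-validate-put
 * sequence in {@link #getDynamicCredentials} is not atomic, so concurrent callers may each
 * generate a lease for the same key; the last one written wins.
 */
@Singleton
public class VaultDynamicCredentialsManager {
    private static final Logger log = Logger.getLogger(VaultDynamicCredentialsManager.class.getName());
    private final ConcurrentHashMap<String, VaultDynamicCredentials> credentialsCache = new ConcurrentHashMap<>();
    private final VaultAuthManager vaultAuthManager;
    private final VaultConfigHolder vaultConfigHolder;
    private final VaultInternalSystemBackend vaultInternalSystemBackend;
    private final VaultInternalDynamicCredentialsSecretEngine vaultInternalDynamicCredentialsSecretEngine;

    /**
     * Creates the manager.
     *
     * @param vaultConfigHolder supplies the bootstrap configuration (grace period, log confidentiality)
     * @param vaultAuthManager supplies the client token used for all Vault calls
     * @param vaultInternalSystemBackend Vault {@code sys/} backend used for lease lookup and renewal
     * @param vaultInternalDynamicCredentialsSecretEngine secret engine that generates credentials
     */
    public VaultDynamicCredentialsManager(VaultConfigHolder vaultConfigHolder, VaultAuthManager vaultAuthManager, VaultInternalSystemBackend vaultInternalSystemBackend, VaultInternalDynamicCredentialsSecretEngine vaultInternalDynamicCredentialsSecretEngine) {
        this.vaultConfigHolder = vaultConfigHolder;
        this.vaultAuthManager = vaultAuthManager;
        this.vaultInternalSystemBackend = vaultInternalSystemBackend;
        this.vaultInternalDynamicCredentialsSecretEngine = vaultInternalDynamicCredentialsSecretEngine;
    }

    /** Builds the Vault path {@code mount/requestPath}; used for log messages and the cache key. */
    private String getCredentialsPath(String mount, String requestPath) {
        return mount + "/" + requestPath;
    }

    /** Builds the cache key {@code mount/requestPath@role}. */
    private String getCredentialsCacheKey(String mount, String requestPath, String role) {
        return getCredentialsPath(mount, requestPath) + "@" + role;
    }

    /** Returns the cached credentials for the key, or {@code null} when none are cached. */
    VaultDynamicCredentials getCachedCredentials(String mount, String requestPath, String role) {
        return this.credentialsCache.get(getCredentialsCacheKey(mount, requestPath, role));
    }

    /** Stores (or replaces) the cached credentials for the key. */
    void putCachedCredentials(String mount, String requestPath, String role, VaultDynamicCredentials vaultDynamicCredentials) {
        this.credentialsCache.put(getCredentialsCacheKey(mount, requestPath, role), vaultDynamicCredentials);
    }

    private VaultBootstrapConfig getConfig() {
        return this.vaultConfigHolder.getVaultBootstrapConfig();
    }

    /**
     * Returns valid dynamic credentials for the given secret engine mount, request path and role.
     *
     * <p>Cached credentials are validated, extended or regenerated as needed (see
     * {@link #getCredentials}) and the resulting lease is written back to the cache.
     *
     * @param mount secret engine mount
     * @param requestPath path below the mount that generates the credentials
     * @param role role name under that path
     * @return a mutable map with keys {@code user}, the password key from
     *         {@link VaultAuthManager#USERPASS_WRAPPING_TOKEN_PASSWORD_KEY} and
     *         {@code expires-at} (ISO-8601 instant)
     * @throws VaultClientException propagated from Vault for anything other than an invalid lease
     */
    public Map<String, String> getDynamicCredentials(String mount, String requestPath, String role) {
        VaultDynamicCredentials credentials = getCredentials(getCachedCredentials(mount, requestPath, role), this.vaultAuthManager.getClientToken(), mount, requestPath, role);
        putCachedCredentials(mount, requestPath, role, credentials);
        // Typed map instead of the raw HashMap; same keys and values, same mutable result for callers.
        Map<String, String> result = new HashMap<>();
        result.put("user", credentials.username);
        result.put(VaultAuthManager.USERPASS_WRAPPING_TOKEN_PASSWORD_KEY, credentials.password);
        result.put("expires-at", credentials.getExpireInstant().toString());
        return result;
    }

    /**
     * Reconciles a (possibly {@code null}) set of credentials with Vault.
     *
     * <p>Order of operations: an existing lease is looked up (dropped if Vault reports it invalid),
     * then renewed if it should be extended, and finally replaced by freshly generated credentials
     * if it is still missing, expired or expiring within the renew grace period.
     *
     * @param currentCredentials previously obtained credentials, or {@code null}
     * @param clientToken Vault client token used for the lookup / renew / generate calls
     * @param mount secret engine mount
     * @param requestPath path below the mount that generates the credentials
     * @param role role name under that path
     * @return credentials that are valid at the time of the call
     * @throws VaultClientException propagated from Vault for anything other than an invalid lease
     */
    public VaultDynamicCredentials getCredentials(VaultDynamicCredentials currentCredentials, String clientToken, String mount, String requestPath, String role) {
        VaultDynamicCredentials credentials = currentCredentials;
        if (credentials != null) {
            credentials = validate(credentials, clientToken);
        }
        if (credentials != null && credentials.shouldExtend(getConfig().renewGracePeriod)) {
            credentials = extend(credentials, clientToken, mount, requestPath, role);
        }
        if (credentials == null || credentials.isExpired() || credentials.expiresSoon(getConfig().renewGracePeriod)) {
            credentials = create(clientToken, mount, requestPath, role);
        }
        return credentials;
    }

    /**
     * Checks the lease with Vault.
     *
     * @return the same credentials when the lease is still known to Vault, {@code null} when Vault
     *         answers HTTP 400 (the lease is gone, e.g. revoked or expired server-side)
     * @throws VaultClientException for any other Vault error; it is deliberately not swallowed so
     *         that auth/connectivity failures surface instead of triggering silent regeneration
     */
    private VaultDynamicCredentials validate(VaultDynamicCredentials credentials, String clientToken) {
        try {
            this.vaultInternalSystemBackend.lookupLease(clientToken, credentials.leaseId);
            return credentials;
        } catch (VaultClientException e) {
            if (e.getStatus() != 400) {
                throw e;
            }
            log.debug("lease " + credentials.leaseId + " has become invalid");
            return null;
        }
    }

    /**
     * Renews the lease and returns new credentials carrying the renewed lease metadata together
     * with the unchanged username/password.
     */
    private VaultDynamicCredentials extend(VaultDynamicCredentials credentials, String clientToken, String mount, String requestPath, String role) {
        VaultRenewLease renewLease = this.vaultInternalSystemBackend.renewLease(clientToken, credentials.leaseId);
        VaultDynamicCredentials renewed = new VaultDynamicCredentials(new LeaseBase(renewLease.leaseId, renewLease.renewable, renewLease.leaseDurationSecs), credentials.username, credentials.password);
        sanityCheck(renewed, mount, requestPath, role);
        // NOTE(review): getConfidentialInfo is expected to redact according to logConfidentialityLevel — confirm
        // in VaultDynamicCredentials before relying on this debug line in shared logs.
        log.debug("extended " + role + "(" + getCredentialsPath(mount, requestPath) + ") credentials:" + renewed.getConfidentialInfo(getConfig().logConfidentialityLevel));
        return renewed;
    }

    /** Asks the secret engine for a brand-new credential pair and wraps it with its lease. */
    private VaultDynamicCredentials create(String clientToken, String mount, String requestPath, String role) {
        io.quarkus.vault.runtime.client.dto.dynamic.VaultDynamicCredentials generated = this.vaultInternalDynamicCredentialsSecretEngine.generateCredentials(clientToken, mount, requestPath, role);
        VaultDynamicCredentialsData data = (VaultDynamicCredentialsData) generated.data;
        VaultDynamicCredentials credentials = new VaultDynamicCredentials(new LeaseBase(generated.leaseId, generated.renewable, generated.leaseDurationSecs), data.username, data.password);
        // NOTE(review): getConfidentialInfo is expected to redact according to logConfidentialityLevel — confirm.
        log.debug("generated " + role + "(" + getCredentialsPath(mount, requestPath) + ") credentials:" + credentials.getConfidentialInfo(getConfig().logConfidentialityLevel));
        sanityCheck(credentials, mount, requestPath, role);
        return credentials;
    }

    /**
     * Verifies the lease duration against the renew grace period (a lease shorter than the grace
     * period could never be renewed in time); the label identifies the role and path in the error.
     */
    private void sanityCheck(VaultDynamicCredentials credentials, String mount, String requestPath, String role) {
        credentials.leaseDurationSanityCheck(role + " (" + getCredentialsPath(mount, requestPath) + ")", getConfig().renewGracePeriod);
    }
}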
