package com.datapipe.jenkins.vault.credentials.common;

import com.bettercloud.vault.SslConfig;
import com.bettercloud.vault.VaultConfig;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
import com.cloudbees.plugins.credentials.matchers.IdMatcher;
import com.datapipe.jenkins.vault.VaultAccessor;
import com.datapipe.jenkins.vault.VaultBuildWrapper;
import com.datapipe.jenkins.vault.configuration.GlobalVaultConfiguration;
import com.datapipe.jenkins.vault.configuration.VaultConfiguration;
import com.datapipe.jenkins.vault.credentials.VaultCredential;
import com.datapipe.jenkins.vault.exception.VaultPluginException;
import hudson.remoting.Channel;
import hudson.security.ACL;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nonnull;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import jenkins.security.SlaveToMasterCallable;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:WEB-INF/lib/hashicorp-vault-plugin.jar:com/datapipe/jenkins/vault/credentials/common/VaultHelper.class */
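/**
 * Resolves single secret values from HashiCorp Vault for Vault-backed Jenkins credentials.
 *
 * <p>This listing is decompiler (JADX) output; the decompiler notes kept on the members below
 * record where the visibility differs from the compiled class.
 *
 * <p>The lookup always executes with the controller's global Vault configuration. When the
 * caller runs inside a remoting request, the lookup is shipped over the current
 * {@link Channel} and the plaintext value is returned over that same channel.
 */
public class VaultHelper {
    private static final Logger LOGGER = Logger.getLogger(VaultHelper.class.getName());

    /* loaded from: input_file:WEB-INF/lib/hashicorp-vault-plugin.jar:com/datapipe/jenkins/vault/credentials/common/VaultHelper$SecretRetrieve.class */
    /**
     * Remoting callable that reads one key from one Vault path using the global Vault
     * configuration and returns its value.
     *
     * <p>NOTE(review): {@code SlaveToMasterCallable} marks this callable as permitted to run on
     * the controller at an agent's request, and {@code secretPath}/{@code secretKey} arrive as
     * serialized fields supplied by the caller. Nothing in this class restricts which paths may
     * be requested, so the Vault policy attached to the global credential is the effective
     * limit on what agent-side code can read. Confirm that policy is least-privilege, or
     * resolve secrets on the controller before the build reaches the agent.
     */
    private static class SecretRetrieve extends SlaveToMasterCallable<String, IOException> {
        private static final long serialVersionUID = 1;
        private final String secretPath;
        private final String secretKey;
        private final Integer engineVersion;

        /**
         * @param secretPath Vault path to read
         * @param secretKey key inside the secret's data map whose value is returned
         * @param engineVersion KV engine version handed to the Vault client
         */
        SecretRetrieve(String secretPath, String secretKey, Integer engineVersion) {
            this.secretPath = secretPath;
            this.secretKey = secretKey;
            this.engineVersion = engineVersion;
        }

        /**
         * Reads the configured path from Vault and returns the value stored under the key.
         *
         * <p>The decompiler had renamed this method ({@code m11call}) because of the generic
         * bridge method; it is restored to {@code call()} so the class actually implements the
         * callable contract and can be compiled again.
         *
         * @return the secret value for {@code secretKey}
         * @throws IllegalStateException if the Vault plugin has no global configuration
         * @throws RuntimeException wrapping any failure while talking to Vault, including a
         *     missing key
         */
        @Override
        public String call() throws IOException {
            Jenkins jenkins = Jenkins.get();
            // Logs the path and key name only; the secret value itself is never logged here.
            VaultHelper.LOGGER.info(String.format("Retrieving vault secret path=%s key=%s engineVersion=%s", this.secretPath, this.secretKey, this.engineVersion));
            GlobalVaultConfiguration globalVaultConfiguration = (GlobalVaultConfiguration) GlobalConfiguration.all().get(GlobalVaultConfiguration.class);
            if (globalVaultConfiguration == null) {
                throw new IllegalStateException("Vault plugin has not been configured.");
            }
            // The original fetched element 0 unconditionally, so an empty extension list raised
            // IndexOutOfBoundsException instead of the intended "not configured" error.
            boolean wrapperRegistered = !jenkins.getExtensionList(VaultBuildWrapper.DescriptorImpl.class).isEmpty();
            VaultConfiguration configuration = globalVaultConfiguration.getConfiguration();
            if (!wrapperRegistered || configuration == null) {
                throw new IllegalStateException("Vault plugin has not been configured.");
            }
            try {
                // SslConfig.verify(true) turns certificate verification ON, so the "skip" setting
                // has to be negated. Passing it through unchanged disabled TLS verification
                // exactly when the administrator had NOT asked to skip it.
                boolean verifyTls = !configuration.isSkipSslVerification();
                VaultConfig vaultConfig = new VaultConfig()
                        .address(configuration.getVaultUrl())
                        .sslConfig(new SslConfig().verify(Boolean.valueOf(verifyTls)).build())
                        .engineVersion(this.engineVersion);
                if (StringUtils.isNotEmpty(configuration.getVaultNamespace())) {
                    vaultConfig.nameSpace(configuration.getVaultNamespace());
                }
                if (StringUtils.isNotEmpty(configuration.getPrefixPath())) {
                    vaultConfig.prefixPath(configuration.getPrefixPath());
                }
                // Prefer a credential object already attached to the configuration; otherwise
                // look it up by id in the Jenkins credentials store.
                VaultCredential vaultCredential = configuration.getVaultCredential();
                if (vaultCredential == null) {
                    vaultCredential = VaultHelper.retrieveVaultCredentials(configuration.getVaultCredentialId());
                }
                VaultAccessor vaultAccessor = new VaultAccessor(vaultConfig, vaultCredential);
                vaultAccessor.setMaxRetries(configuration.getMaxRetries());
                vaultAccessor.setRetryIntervalMilliseconds(configuration.getRetryIntervalMilliseconds());
                vaultAccessor.init();
                Map<String, String> data = vaultAccessor.read(this.secretPath, this.engineVersion).getData();
                if (data.containsKey(this.secretKey)) {
                    return data.get(this.secretKey);
                }
                throw new VaultPluginException(String.format("Key %s could not be found in path %s", this.secretKey, this.secretPath));
            } catch (Exception e) {
                // Everything, including the missing-key VaultPluginException above, reaches the
                // caller wrapped in a RuntimeException with the original as its cause.
                throw new RuntimeException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the value stored under {@code str2} at Vault path {@code str}.
     *
     * <p>If the current thread is serving a remoting request, the lookup is sent over that
     * channel; otherwise it runs in this JVM.
     *
     * @param str Vault path of the secret
     * @param str2 key within the secret's data
     * @param num KV engine version
     * @return the secret value
     * @throws IllegalStateException if the remote call fails or the thread is interrupted
     */
    public static String getVaultSecret(@Nonnull String str, @Nonnull String str2, @Nonnull Integer num) {
        SecretRetrieve secretRetrieve = new SecretRetrieve(str, str2, num);
        try {
            Channel current = Channel.current();
            return current == null ? secretRetrieve.call() : (String) current.call(secretRetrieve);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so code further up the stack can still see it.
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Finds the {@link VaultCredential} with the given id in the Jenkins credentials store.
     *
     * <p>The lookup runs as {@code ACL.SYSTEM} with no domain requirements, so it is not
     * limited by the permissions of whoever triggered it. The decompiler note above records
     * that this method was {@code private} in the compiled class; treat the {@code public}
     * modifier in this listing as a decompilation artifact rather than an API to call.
     *
     * @param str id of the credential to look up
     * @return the matching credential, never {@code null}
     * @throws VaultPluginException if {@code str} is blank
     * @throws CredentialsUnavailableException if no credential has that id
     */
    public static VaultCredential retrieveVaultCredentials(String str) {
        if (StringUtils.isBlank(str)) {
            throw new VaultPluginException("The credential id was not configured - please specify the credentials to use.");
        }
        LOGGER.log(Level.INFO, "Retrieving vault credential ID : " + str);
        VaultCredential firstOrNull = CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(VaultCredential.class, Jenkins.get(), ACL.SYSTEM, Collections.emptyList()), new IdMatcher(str));
        if (firstOrNull == null) {
            throw new CredentialsUnavailableException(str);
        }
        return firstOrNull;
    }
}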
