package com.datapipe.jenkins.vault.jcasc.secrets;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import hudson.Extension;
import io.jenkins.plugins.casc.SecretSource;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.function.BiConsumer;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang.StringUtils;

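/**
 * JCasC {@link SecretSource} backed by HashiCorp Vault.
 *
 * <p>Connection and authentication settings are read from a properties file named by the
 * {@code CASC_VAULT_FILE} environment variable, falling back to environment variables for any
 * key the file does not define (see {@link #getVariable(String)}). {@link #init()} builds the
 * client, authenticates, then caches the key/value pairs of every path listed in
 * {@code CASC_VAULT_PATHS}; {@link #reveal(String)} answers from that cache only.
 *
 * <p>Secret values live as plain {@code String}s in {@link #secrets}. Log statements in this
 * class print key names, paths and addresses, never secret values.
 */
@Extension(optional = true)
public class VaultSecretSource extends SecretSource {

    private static final Logger LOGGER = Logger.getLogger(VaultSecretSource.class.getName());

    // Configuration keys, resolved by getVariable(): properties file first, then environment.
    private static final String CASC_VAULT_FILE = "CASC_VAULT_FILE";
    private static final String CASC_VAULT_PW = "CASC_VAULT_PW";
    private static final String CASC_VAULT_USER = "CASC_VAULT_USER";
    private static final String CASC_VAULT_URL = "CASC_VAULT_URL";
    private static final String CASC_VAULT_AGENT_ADDR = "CASC_VAULT_AGENT_ADDR";
    private static final String CASC_VAULT_MOUNT = "CASC_VAULT_MOUNT";
    private static final String CASC_VAULT_TOKEN = "CASC_VAULT_TOKEN";
    private static final String CASC_VAULT_APPROLE = "CASC_VAULT_APPROLE";
    private static final String CASC_VAULT_APPROLE_SECRET = "CASC_VAULT_APPROLE_SECRET";
    private static final String CASC_VAULT_KUBERNETES_ROLE = "CASC_VAULT_KUBERNETES_ROLE";
    private static final String CASC_VAULT_AWS_IAM_ROLE = "CASC_VAULT_AWS_IAM_ROLE";
    private static final String CASC_VAULT_AWS_IAM_SERVER_ID = "CASC_VAULT_AWS_IAM_SERVER_ID";
    private static final String CASC_VAULT_NAMESPACE = "CASC_VAULT_NAMESPACE";
    private static final String CASC_VAULT_PREFIX_PATH = "CASC_VAULT_PREFIX_PATH";
    private static final String CASC_VAULT_ENGINE_VERSION = "CASC_VAULT_ENGINE_VERSION";
    private static final String CASC_VAULT_PATHS = "CASC_VAULT_PATHS";
    /** Deprecated predecessor of {@link #CASC_VAULT_PATHS}; only triggers a SEVERE log. */
    private static final String CASC_VAULT_PATH = "CASC_VAULT_PATH";

    private static final String DEFAULT_ENGINE_VERSION = "2";
    // Default auth mount points; all of them can be overridden with CASC_VAULT_MOUNT.
    private static final String DEFAULT_USER_BACKEND = "userpass";
    private static final String DEFAULT_APPROLE_BACKEND = "approle";
    private static final String DEFAULT_KUBERNETES_BACKEND = "kubernetes";
    private static final String DEFAULT_AWS_IAM_BACKEND = "aws";

    /** Cache served by reveal(): bare keys plus {@code <path>/<key>} entries (see readSecretsFromVault). */
    private Map<String, String> secrets = new HashMap<>();
    private Vault vault;
    private VaultConfig vaultConfig;
    /** Selected auth method; null when none could be determined. */
    private VaultAuthenticator vaultAuthenticator;
    /** Paths from CASC_VAULT_PATHS; null until configureVault() has run with a complete configuration. */
    private String[] vaultPaths;
    /** Settings loaded from CASC_VAULT_FILE; empty when no file is configured. */
    private Properties prop;
    /** True when CASC_VAULT_AGENT_ADDR is set; secrets are then read even without an authenticator. */
    private boolean usingVaultAgent;

    /**
     * Loads the configuration and constructs the Vault client.
     *
     * <p>Nothing is configured unless both an address ({@code CASC_VAULT_AGENT_ADDR}, else
     * {@code CASC_VAULT_URL}) and {@code CASC_VAULT_PATHS} are present. Errors while applying the
     * namespace, engine version or prefix path, and errors from {@code VaultConfig.build()}, are
     * logged at WARNING and the client is still constructed from the resulting config. A
     * non-integer {@code CASC_VAULT_ENGINE_VERSION} is not caught and propagates as
     * {@link NumberFormatException}, aborting {@link #init()}.
     */
    private void configureVault() {
        this.prop = new Properties();
        Optional.ofNullable(System.getenv(CASC_VAULT_FILE)).ifPresent(this::readPropertiesFromVaultFile);

        Optional<String> engineVersion = getVariable(CASC_VAULT_ENGINE_VERSION);
        Optional<String> agentAddr = getVariable(CASC_VAULT_AGENT_ADDR);
        // The agent address, when set, takes precedence over a direct Vault URL.
        Optional<String> vaultUrl = agentAddr.isPresent() ? agentAddr : getVariable(CASC_VAULT_URL);
        Optional<String> namespace = getVariable(CASC_VAULT_NAMESPACE);
        Optional<String> prefixPath = getVariable(CASC_VAULT_PREFIX_PATH);
        Optional<String[]> paths = getCommaSeparatedVariables(CASC_VAULT_PATHS);

        getVariable(CASC_VAULT_PATH).ifPresent(ignored ->
            LOGGER.log(Level.SEVERE, "{0} is deprecated, please switch to {1}",
                new Object[]{CASC_VAULT_PATH, CASC_VAULT_PATHS}));

        if (!vaultUrl.isPresent() || !paths.isPresent()) {
            return;
        }
        if (agentAddr.isPresent()) {
            this.usingVaultAgent = true;
        }
        String version = engineVersion.orElse(DEFAULT_ENGINE_VERSION);
        this.vaultPaths = paths.get();
        determineAuthenticator();
        this.vaultConfig = new VaultConfig().address(vaultUrl.get());
        try {
            LOGGER.log(Level.FINE, "Attempting to connect to Vault: {0}", vaultUrl);
            if (namespace.isPresent()) {
                this.vaultConfig.nameSpace(namespace.get());
                LOGGER.log(Level.FINE, "Using namespace with Vault: {0}", namespace);
            }
            // parseInt is outside the VaultException handler: a bad version fails loudly.
            this.vaultConfig.engineVersion(Integer.parseInt(version));
            LOGGER.log(Level.FINE, "Using engine version: {0}", version);
            if (prefixPath.isPresent()) {
                this.vaultConfig.prefixPath(prefixPath.get());
                LOGGER.log(Level.FINE, "Using prefixPath with Vault: {0}", prefixPath);
            }
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not configure vault connection", e);
        }
        try {
            this.vaultConfig.build();
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not configure vault client", e);
        }
        // Constructed even when build() failed; the problem then surfaces as warnings on read.
        this.vault = new Vault(this.vaultConfig);
    }

    /**
     * Selects the authentication method from the configured credentials.
     *
     * <p>Candidates are applied in the order token, username/password, AppRole, Kubernetes,
     * AWS IAM; each candidate that is present replaces the one chosen before it, so when several
     * are configured the last in that order wins. With nothing configured and no Vault agent in
     * use a WARNING is logged and secrets will not be read.
     */
    private void determineAuthenticator() {
        Optional<String> password = getVariable(CASC_VAULT_PW);
        Optional<String> user = getVariable(CASC_VAULT_USER);
        Optional<String> token = getVariable(CASC_VAULT_TOKEN);
        Optional<String> appRole = getVariable(CASC_VAULT_APPROLE);
        Optional<String> appRoleSecret = getVariable(CASC_VAULT_APPROLE_SECRET);
        Optional<String> kubernetesRole = getVariable(CASC_VAULT_KUBERNETES_ROLE);
        Optional<String> awsIamRole = getVariable(CASC_VAULT_AWS_IAM_ROLE);

        token.ifPresent(this::token);
        allPresent(user, password, this::userPass);
        allPresent(appRole, appRoleSecret, this::approle);
        kubernetesRole.ifPresent(this::kubernetes);
        awsIamRole.ifPresent(this::awsIam);

        if (this.vaultAuthenticator == null && !this.usingVaultAgent) {
            LOGGER.log(Level.WARNING, "Could not determine vault authentication method. Not able to read secrets from vault.");
        }
    }

    /**
     * Installs {@code vaultAuthenticator} unless it is null or equal to the current one.
     *
     * @param vaultAuthenticator candidate authenticator, may be null
     */
    private void setAuthenticator(VaultAuthenticator vaultAuthenticator) {
        if (vaultAuthenticator == null || vaultAuthenticator.equals(this.vaultAuthenticator)) {
            return;
        }
        this.vaultAuthenticator = vaultAuthenticator;
    }

    /**
     * Invokes {@code biConsumer} with both values only when both optionals are present.
     *
     * @param optional   supplies the first argument
     * @param optional2  supplies the second argument
     * @param biConsumer receives the two values in parameter order
     */
    public static <T, U> void allPresent(Optional<T> optional, Optional<U> optional2, BiConsumer<T, U> biConsumer) {
        optional.ifPresent(first -> optional2.ifPresent(second -> biConsumer.accept(first, second)));
    }

    /** Token authentication from {@code CASC_VAULT_TOKEN}. */
    private void token(String token) {
        setAuthenticator(VaultAuthenticator.of(token));
    }

    /** Username/password authentication; mount defaults to {@link #DEFAULT_USER_BACKEND}. */
    private void userPass(String user, String password) {
        setAuthenticator(VaultAuthenticator.of(new VaultUsernamePassword(user, password),
            getVariable(CASC_VAULT_MOUNT).orElse(DEFAULT_USER_BACKEND)));
    }

    /** AppRole authentication; mount defaults to {@link #DEFAULT_APPROLE_BACKEND}. */
    private void approle(String roleId, String secretId) {
        setAuthenticator(VaultAuthenticator.of(new VaultAppRole(roleId, secretId),
            getVariable(CASC_VAULT_MOUNT).orElse(DEFAULT_APPROLE_BACKEND)));
    }

    /** Kubernetes authentication; mount defaults to {@link #DEFAULT_KUBERNETES_BACKEND}. */
    private void kubernetes(String role) {
        setAuthenticator(VaultAuthenticator.of(new VaultKubernetes(role),
            getVariable(CASC_VAULT_MOUNT).orElse(DEFAULT_KUBERNETES_BACKEND)));
    }

    /**
     * AWS IAM authentication; mount defaults to {@link #DEFAULT_AWS_IAM_BACKEND} and the server id
     * ({@code CASC_VAULT_AWS_IAM_SERVER_ID}) to the empty string.
     */
    private void awsIam(String role) {
        String serverId = getVariable(CASC_VAULT_AWS_IAM_SERVER_ID).orElse("");
        setAuthenticator(VaultAuthenticator.of(new VaultAwsIam(role, serverId),
            getVariable(CASC_VAULT_MOUNT).orElse(DEFAULT_AWS_IAM_BACKEND)));
    }

    /**
     * Reads every configured path and rebuilds the secret cache from its key/value pairs.
     *
     * <p>Each value is stored twice: under its bare key and under {@code <path>/<key>}. A bare key
     * present in more than one path is overwritten by the later path; a FINE message names the
     * colliding key and the qualified key that disambiguates it (values are never logged). A
     * {@link VaultException} aborts the remaining paths and is logged at WARNING, leaving the
     * entries cached up to that point.
     */
    private void readSecretsFromVault() {
        if (this.vaultPaths == null) {
            return;
        }
        try {
            this.secrets = new HashMap<>();
            for (String path : this.vaultPaths) {
                Map<String, String> data = this.vault.logical().read(path).getData();
                Map<String, String> qualified = new HashMap<>();
                for (Map.Entry<String, String> entry : data.entrySet()) {
                    String fullKey = path + "/" + entry.getKey();
                    if (this.secrets.containsKey(entry.getKey())) {
                        LOGGER.log(Level.FINE, "Key {0} exists in multiple vault paths. Use full path ({1}) to access value.",
                            new Object[]{entry.getKey(), fullKey});
                    }
                    qualified.put(fullKey, entry.getValue());
                }
                this.secrets.putAll(data);
                this.secrets.putAll(qualified);
            }
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Unable to fetch secret from Vault", e);
        }
    }

    /**
     * Loads {@link #prop} from the properties file named by {@code CASC_VAULT_FILE}.
     *
     * <p>The stream is closed on every exit path. An unreadable file is logged at WARNING and
     * lookups then fall back to environment variables for the keys it did not supply.
     *
     * @param path file system path of the properties file
     */
    private void readPropertiesFromVaultFile(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            this.prop.load(in);
            if (this.prop.isEmpty()) {
                LOGGER.log(Level.WARNING, "Vault secret file is empty");
            }
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to load Vault secrets from file", e);
        }
    }

    /**
     * Resolves {@code str} against the cached secrets.
     *
     * @param str bare key or {@code <path>/<key>}
     * @return the cached value, or empty when {@code str} is blank or unknown
     */
    @Override
    public Optional<String> reveal(String str) {
        if (StringUtils.isBlank(str)) {
            return Optional.empty();
        }
        return Optional.ofNullable(this.secrets.get(str));
    }

    /** Returns the live secret cache (not a copy); changes made to it are visible to reveal(). */
    public Map<String, String> getSecrets() {
        return this.secrets;
    }

    /** Replaces the secret cache with {@code map} (kept by reference; reveal() requires it to be non-null). */
    public void setSecrets(Map<String, String> map) {
        this.secrets = map;
    }

    /**
     * Looks up a setting: the properties file first, then the environment variable of the same name.
     *
     * @param str setting name
     * @return the value, or empty when neither source defines it
     */
    private Optional<String> getVariable(String str) {
        return Optional.ofNullable(this.prop.getProperty(str, System.getenv(str)));
    }

    /**
     * Like {@link #getVariable(String)} but splits the value on commas; entries are not trimmed.
     *
     * @param str setting name
     * @return the split entries, or empty when the setting is absent
     */
    private Optional<String[]> getCommaSeparatedVariables(String str) {
        return getVariable(str).map(value -> value.split(","));
    }

    /**
     * Configures the client, authenticates and fills the secret cache.
     *
     * <p>Authentication failures are logged at WARNING and the read is still attempted, so a
     * second warning from {@link #readSecretsFromVault()} usually follows.
     */
    @Override
    public void init() {
        configureVault();
        if (this.vaultAuthenticator != null) {
            try {
                this.vaultAuthenticator.authenticate(this.vault, this.vaultConfig);
            } catch (VaultException e) {
                LOGGER.log(Level.WARNING, "Could not authenticate with vault client", e);
            }
        }
        if (this.vaultAuthenticator != null || this.usingVaultAgent) {
            readSecretsFromVault();
        }
    }
}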
