package com.datapipe.jenkins.vault.credentials;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.api.Auth;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.datapipe.jenkins.vault.exception.VaultPluginException;
import edu.umd.cs.findbugs.annotations.NonNull;
import java.util.Calendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.class */
public abstract class AbstractVaultTokenCredentialWithExpiration extends AbstractVaultTokenCredential {
    protected static final Logger LOGGER = Logger.getLogger(AbstractVaultTokenCredentialWithExpiration.class.getName());
    private Map<String, Calendar> tokenExpiry;
    private Map<String, String> tokenCache;

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractVaultTokenCredentialWithExpiration(CredentialsScope credentialsScope, String str, String str2) {
        super(credentialsScope, str, str2);
        this.tokenExpiry = new HashMap();
        this.tokenCache = new HashMap();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredential
    public abstract String getToken(Vault vault);

    protected Auth getVaultAuth(@NonNull Vault vault) {
        return vault.auth();
    }

    protected boolean supportsChildTokens() {
        return false;
    }

    protected String getChildToken(Vault vault, List<String> list) {
        if (!supportsChildTokens() || list == null || list.isEmpty()) {
            return null;
        }
        Auth vaultAuth = getVaultAuth(vault);
        try {
            Auth.TokenRequest polices = new Auth.TokenRequest().polices(list);
            LOGGER.log(Level.FINE, "Requesting child token with policies {0}", new Object[]{list});
            return vaultAuth.createToken(polices).getAuthClientToken();
        } catch (VaultException e) {
            throw new VaultPluginException("Could not retrieve token with policies from vault", e);
        }
    }

    private String getCacheKey(List<String> list) {
        return (list == null || list.isEmpty()) ? "" : String.join(",", list);
    }

    @Override // com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredential, com.datapipe.jenkins.vault.credentials.VaultCredential
    public Vault authorizeWithVault(VaultConfig vaultConfig, List<String> list) {
        if (this.tokenCache == null) {
            this.tokenCache = new HashMap();
            this.tokenExpiry = new HashMap();
        }
        String cacheKey = getCacheKey(list);
        Vault vault = getVault(vaultConfig);
        if (tokenExpired(cacheKey)) {
            this.tokenCache.put(cacheKey, getToken(vault));
            vaultConfig.token(this.tokenCache.get(cacheKey));
            String childToken = getChildToken(vault, list);
            if (childToken != null) {
                this.tokenCache.put(cacheKey, childToken);
                vaultConfig.token(childToken);
            }
            setTokenExpiry(vault, cacheKey);
        } else {
            vaultConfig.token(this.tokenCache.get(cacheKey));
        }
        return vault;
    }

    protected Vault getVault(VaultConfig vaultConfig) {
        return new Vault(vaultConfig);
    }

    private void setTokenExpiry(Vault vault, String str) {
        int i = 0;
        try {
            i = (int) getVaultAuth(vault).lookupSelf().getTTL();
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not determine token expiration for policies '" + str + "'. Check if token is allowed to access auth/token/lookup-self. Assuming token TTL expired.", e);
        }
        Calendar calendar = Calendar.getInstance();
        calendar.add(13, i);
        this.tokenExpiry.put(str, calendar);
    }

    private boolean tokenExpired(String str) {
        Calendar calendar = this.tokenExpiry.get(str);
        if (calendar == null) {
            return true;
        }
        boolean z = true;
        long timeInMillis = Calendar.getInstance().getTimeInMillis() - calendar.getTimeInMillis();
        if (timeInMillis < -2000) {
            z = false;
            LOGGER.log(Level.FINE, "Auth token is still valid for policies '" + str + "'");
        } else {
            LOGGER.log(Level.FINE, "Auth token has to be re-issued for policies '" + str + "' (" + timeInMillis + "ms difference)");
        }
        return z;
    }
}
