package com.datapipe.jenkins.vault;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.json.Json;
import com.bettercloud.vault.response.LogicalResponse;
import com.bettercloud.vault.response.VaultResponse;
import com.bettercloud.vault.rest.RestResponse;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
import com.cloudbees.plugins.credentials.matchers.IdMatcher;
import com.datapipe.jenkins.vault.configuration.VaultConfigResolver;
import com.datapipe.jenkins.vault.configuration.VaultConfiguration;
import com.datapipe.jenkins.vault.credentials.VaultCredential;
import com.datapipe.jenkins.vault.exception.VaultPluginException;
import com.datapipe.jenkins.vault.model.VaultSecret;
import com.datapipe.jenkins.vault.model.VaultSecretValue;
import hudson.EnvVars;
import hudson.ExtensionList;
import hudson.Util;
import hudson.model.Run;
import hudson.security.ACL;
import java.io.PrintStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:com/datapipe/jenkins/vault/VaultAccessor.class */
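/**
 * Wraps a Vault client for the Jenkins Vault plugin: holds the connection settings and the
 * credential, builds the client in {@link #init()}, and offers static helpers that resolve the
 * job configuration and fetch secrets for a build.
 *
 * <p>The client itself is {@code transient}, so a deserialized instance has no client until
 * {@link #init()} is called again.
 *
 * <p>NOTE(review): {@code credential} is not transient and is therefore written out with the
 * accessor whenever an instance is serialized; confirm where instances are persisted or sent.
 */
public class VaultAccessor implements Serializable {
    private static final long serialVersionUID = 1L;
    private VaultConfig config;
    private VaultCredential credential;
    private List<String> policies;
    private int maxRetries;
    private int retryIntervalMilliseconds;
    private transient Vault vault;

    /** Creates an accessor with an empty {@link VaultConfig}, no credential and no retries. */
    public VaultAccessor() {
        this.maxRetries = 0;
        this.retryIntervalMilliseconds = 1000;
        this.config = new VaultConfig();
    }

    /**
     * Creates an accessor for the given configuration and credential, with no retries.
     *
     * @param vaultConfig connection settings used to build the client
     * @param vaultCredential credential used to authenticate, or {@code null} for none
     */
    public VaultAccessor(VaultConfig vaultConfig, VaultCredential vaultCredential) {
        this.maxRetries = 0;
        this.retryIntervalMilliseconds = 1000;
        this.config = vaultConfig;
        this.credential = vaultCredential;
    }

    /**
     * Builds the configuration and creates the Vault client.
     *
     * <p>Without a credential the client is created directly from the configuration; with one,
     * the credential performs the authorization and is handed the configured policies.
     *
     * @return this accessor, ready for {@link #read} and {@link #revoke}
     * @throws VaultPluginException if building the configuration or authorizing fails
     */
    public VaultAccessor init() {
        try {
            this.config.build();
            if (this.credential == null) {
                this.vault = new Vault(this.config);
            } else {
                this.vault = this.credential.authorizeWithVault(this.config, this.policies);
            }
            this.vault.withRetries(this.maxRetries, this.retryIntervalMilliseconds);
            return this;
        } catch (VaultException e) {
            throw new VaultPluginException("failed to connect to vault", e);
        }
    }

    public VaultConfig getConfig() {
        return this.config;
    }

    public void setConfig(VaultConfig vaultConfig) {
        this.config = vaultConfig;
    }

    public VaultCredential getCredential() {
        return this.credential;
    }

    public void setCredential(VaultCredential vaultCredential) {
        this.credential = vaultCredential;
    }

    public List<String> getPolicies() {
        return this.policies;
    }

    public void setPolicies(List<String> list) {
        this.policies = list;
    }

    public int getMaxRetries() {
        return this.maxRetries;
    }

    public void setMaxRetries(int i) {
        this.maxRetries = i;
    }

    public int getRetryIntervalMilliseconds() {
        return this.retryIntervalMilliseconds;
    }

    public void setRetryIntervalMilliseconds(int i) {
        this.retryIntervalMilliseconds = i;
    }

    /**
     * Records the Vault address and credential without building a client.
     *
     * @param address Vault server address to store in the configuration
     * @param vaultCredential credential to authenticate with
     * @deprecated this overload does not create the client; {@link #init()} does.
     */
    @Deprecated
    public void init(String address, VaultCredential vaultCredential) {
        this.config.address(address);
        this.credential = vaultCredential;
    }

    /**
     * Reads the secret stored at {@code path}.
     *
     * @param path logical Vault path to read
     * @param engineVersion KV engine version to set on the configuration before reading
     * @return the response of the logical read
     * @throws VaultPluginException wrapping the underlying {@link VaultException}
     */
    public LogicalResponse read(String path, Integer engineVersion) {
        try {
            // NOTE(review): the client was built from this config in init(); confirm the driver
            // honours an engine version that is changed afterwards.
            this.config.engineVersion(engineVersion);
            return this.vault.logical().read(path);
        } catch (VaultException e) {
            throw new VaultPluginException("could not read from vault: " + e.getMessage() + " at path: " + path, e);
        }
    }

    /**
     * Revokes the lease with the given identifier.
     *
     * @param leaseId identifier of the lease to revoke
     * @return the response of the revoke call
     * @throws VaultPluginException wrapping the underlying {@link VaultException}
     */
    public VaultResponse revoke(String leaseId) {
        try {
            return this.vault.leases().revoke(leaseId);
        } catch (VaultException e) {
            // Keep the cause: a failed revocation leaves a live lease behind, and the HTTP status
            // and stack trace are what an operator needs to follow it up.
            throw new VaultPluginException("could not revoke vault lease (" + leaseId + "):" + e.getMessage(), e);
        }
    }

    /**
     * Expands the {@code {job_base_name}}, {@code {job_name}}, {@code {job_name_us}},
     * {@code {job_folder}}, {@code {job_folder_us}} and {@code {node_name}} tokens of a policy
     * template using the build environment.
     *
     * <p>The values are inserted literally. Job and node names are not regular-expression
     * replacement strings, so a {@code $} or backslash in a name must not be interpreted.
     *
     * <p>Tokens are replaced one after another, so text inserted by an earlier token is scanned
     * again by the later ones.
     *
     * @param template policy name, possibly containing tokens
     * @param envVars build environment; {@code JOB_NAME} must be present when the template
     *     contains a brace, and every variable whose token is used must be present
     * @return the template with all known tokens replaced
     */
    public static String replacePolicyTokens(String template, EnvVars envVars) {
        if (!template.contains("{")) {
            return template;
        }
        String jobName = envVars.get("JOB_NAME");
        String jobBaseName = envVars.get("JOB_BASE_NAME");
        String jobFolder = "";
        if (!jobName.equals(jobBaseName) && jobName.contains("/")) {
            // Folder = every path segment of the job name except the last one.
            String[] segments = jobName.split("/");
            jobFolder = Arrays.stream(segments).limit(segments.length - 1).collect(Collectors.joining("/"));
        }
        String result = substituteToken(template, "{job_base_name}", jobBaseName);
        result = substituteToken(result, "{job_name}", jobName);
        result = substituteToken(result, "{job_name_us}", jobName.replace("/", "_"));
        result = substituteToken(result, "{job_folder}", jobFolder);
        result = substituteToken(result, "{job_folder_us}", jobFolder.replace("/", "_"));
        return substituteToken(result, "{node_name}", envVars.get("NODE_NAME"));
    }

    /**
     * Replaces every literal occurrence of {@code token}; a template without the token is
     * returned untouched, so an unset variable only fails when the template actually uses it.
     */
    private static String substituteToken(String template, String token, String value) {
        return template.contains(token) ? template.replace(token, value) : template;
    }

    /**
     * Turns a newline-separated list of policy templates into expanded policy names.
     *
     * @param policies newline-separated templates; blank lines are skipped
     * @param envVars build environment used for token expansion
     * @return the expanded policies, or {@code null} when {@code policies} is blank
     */
    public static List<String> generatePolicies(String policies, EnvVars envVars) {
        if (StringUtils.isBlank(policies)) {
            return null;
        }
        return Arrays.stream(policies.split("\n"))
                .filter(StringUtils::isNotBlank)
                .map(line -> replacePolicyTokens(line.trim(), envVars))
                .collect(Collectors.toList());
    }

    /**
     * Resolves the effective configuration for a build, connects to Vault and reads every
     * requested secret.
     *
     * <p>Only the secret paths are written to {@code logger}; the values are returned in the map
     * and never printed here. NOTE(review): masking those values in later build output is not
     * done in this method; confirm the caller takes care of it.
     *
     * @param run build the secrets are fetched for
     * @param logger build log
     * @param envVars build environment, used to expand the prefix path, paths and policies
     * @param vaultAccessor accessor to configure and use, or {@code null} to create one
     * @param initialConfiguration job-level configuration, merged with the resolvers' results
     * @param vaultSecrets secrets to read
     * @return secret values keyed by the environment variable name they are mapped to
     * @throws VaultPluginException if the URL is missing or Vault cannot be read
     * @throws IllegalArgumentException if a required secret value is null or blank
     */
    public static Map<String, String> retrieveVaultSecrets(Run<?, ?> run, PrintStream logger, EnvVars envVars, VaultAccessor vaultAccessor, VaultConfiguration initialConfiguration, List<VaultSecret> vaultSecrets) {
        Map<String, String> secrets = new HashMap<>();
        VaultConfiguration configuration = pullAndMergeConfiguration(run, initialConfiguration);
        if (StringUtils.isBlank(configuration.getVaultUrl())) {
            throw new VaultPluginException("The vault url was not configured - please specify the vault url to use.");
        }
        VaultConfig vaultConfig = configuration.getVaultConfig();
        VaultCredential vaultCredential = configuration.getVaultCredential();
        if (vaultCredential == null) {
            vaultCredential = retrieveVaultCredentials(run, configuration);
        }
        String prefixPath = "";
        if (!StringUtils.isBlank(configuration.getPrefixPath())) {
            prefixPath = Util.ensureEndsWith(envVars.expand(configuration.getPrefixPath()), "/");
        }
        if (vaultAccessor == null) {
            vaultAccessor = new VaultAccessor();
        }
        vaultAccessor.setConfig(vaultConfig);
        vaultAccessor.setCredential(vaultCredential);
        vaultAccessor.setPolicies(generatePolicies(configuration.getPolicies(), envVars));
        vaultAccessor.setMaxRetries(configuration.getMaxRetries());
        vaultAccessor.setRetryIntervalMilliseconds(configuration.getRetryIntervalMilliseconds());
        vaultAccessor.init();
        for (VaultSecret vaultSecret : vaultSecrets) {
            String path = prefixPath + envVars.expand(vaultSecret.getPath());
            logger.printf("Retrieving secret: %s%n", path);
            try {
                // A per-secret engine version wins over the configured one.
                Integer engineVersion = vaultSecret.getEngineVersion();
                if (engineVersion == null) {
                    engineVersion = configuration.getEngineVersion();
                }
                LogicalResponse response = vaultAccessor.read(path, engineVersion);
                if (responseHasErrors(configuration, logger, path, response)) {
                    continue;
                }
                Map<String, String> data = response.getData();
                for (VaultSecretValue value : vaultSecret.getSecretValues()) {
                    String vaultKey = value.getVaultKey();
                    String secret = data.get(vaultKey);
                    if (StringUtils.isBlank(secret) && value.getIsRequired()) {
                        throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
                    }
                    secrets.put(value.getEnvVar(), secret);
                }
            } catch (VaultPluginException e) {
                // Only a VaultException carries an HTTP status; any other cause (or none) is
                // rethrown unchanged instead of failing on a blind cast.
                Throwable cause = e.getCause();
                if (cause instanceof VaultException) {
                    VaultException vaultException = (VaultException) cause;
                    throw new VaultPluginException(String.format("Vault response returned %d for secret path %s", Integer.valueOf(vaultException.getHttpStatusCode()), path), vaultException);
                }
                throw e;
            }
        }
        return secrets;
    }

    /**
     * Looks up the Vault credential named by the configuration.
     *
     * <p>The lookup runs as {@code ACL.SYSTEM} in the scope of the build's parent item, so it is
     * the configured credential id, not the permissions of whoever triggered the build, that
     * selects the credential.
     *
     * @param run build whose parent item scopes the lookup
     * @param vaultConfiguration configuration holding the credential id
     * @return the matching credential, or {@code null} when no Jenkins instance is available
     * @throws VaultPluginException if no credential id is configured
     * @throws CredentialsUnavailableException if no credential with that id is found
     */
    public static VaultCredential retrieveVaultCredentials(Run run, VaultConfiguration vaultConfiguration) {
        if (Jenkins.getInstanceOrNull() == null) {
            return null;
        }
        String credentialId = vaultConfiguration.getVaultCredentialId();
        if (StringUtils.isBlank(credentialId)) {
            throw new VaultPluginException("The credential id was not configured - please specify the credentials to use.");
        }
        VaultCredential match = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(VaultCredential.class, run.getParent(), ACL.SYSTEM, Collections.emptyList()),
                new IdMatcher(credentialId));
        if (match == null) {
            throw new CredentialsUnavailableException(credentialId);
        }
        return match;
    }

    /**
     * Inspects the HTTP status of a Vault response and reports failures to the build log.
     *
     * @param vaultConfiguration configuration deciding whether a 404 fails the build
     * @param logger build log
     * @param path secret path, used in messages only
     * @param logicalResponse response to inspect
     * @return {@code false} when there is no REST response or the status is below 400,
     *     {@code true} for a tolerated 404 and for any other status of 400 or above
     * @throws VaultPluginException on 403, and on 404 when failing on missing secrets is enabled
     */
    public static boolean responseHasErrors(VaultConfiguration vaultConfiguration, PrintStream logger, String path, LogicalResponse logicalResponse) {
        RestResponse restResponse = logicalResponse.getRestResponse();
        if (restResponse == null) {
            return false;
        }
        int status = restResponse.getStatus();
        if (status == 403) {
            throw new VaultPluginException(String.format("Access denied to Vault path '%s'", path));
        }
        if (status == 404) {
            if (vaultConfiguration.getFailIfNotFound().booleanValue()) {
                throw new VaultPluginException(String.format("Vault credentials not found for '%s'", path));
            }
            logger.printf("Vault credentials not found for '%s'%n", path);
            return true;
        }
        if (status < 400) {
            return false;
        }
        // NOTE(review): the body is parsed as a JSON object with an "errors" array; a body that
        // is missing or not JSON is not handled here and surfaces as a parser exception.
        String body = new String(restResponse.getBody(), StandardCharsets.UTF_8);
        String errors = Optional.of(Json.parse(body))
                .map(value -> value.asObject())
                .map(object -> object.get("errors"))
                .map(value -> value.asArray())
                .map(array -> array.values())
                .map(values -> values.stream().map(value -> value.asString()).collect(Collectors.joining("\n")))
                .orElse("");
        logger.printf("Vault responded with %d error code.%n", Integer.valueOf(status));
        if (StringUtils.isNotBlank(errors)) {
            logger.printf("Vault responded with errors: %s%n", errors);
        }
        return true;
    }

    /**
     * Merges the given configuration with what every registered {@link VaultConfigResolver}
     * provides for the build's parent item, then applies defaults.
     *
     * @param run build whose parent item is passed to the resolvers
     * @param initialConfiguration starting configuration, may be {@code null}
     * @return the merged configuration with defaults applied
     * @throws VaultPluginException if no configuration results from the merge
     */
    public static VaultConfiguration pullAndMergeConfiguration(Run<?, ?> run, VaultConfiguration initialConfiguration) {
        VaultConfiguration merged = initialConfiguration;
        for (VaultConfigResolver resolver : ExtensionList.lookup(VaultConfigResolver.class)) {
            if (merged != null) {
                merged = merged.mergeWithParent(resolver.forJob(run.getParent()));
            } else {
                merged = resolver.forJob(run.getParent());
            }
        }
        if (merged == null) {
            throw new VaultPluginException("No configuration found - please configure the VaultPlugin.");
        }
        merged.fixDefaults();
        return merged;
    }
}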
