package io.jenkins.plugins.casc.impl.secrets;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import hudson.Extension;
import io.jenkins.plugins.casc.SecretSource;
import io.jenkins.plugins.casc.impl.secrets.vault.VaultAuthenticator;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.function.BiConsumer;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang.StringUtils;

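/**
 * {@link SecretSource} that resolves secrets from HashiCorp Vault.
 *
 * <p>Configuration is read from a properties file (named by the {@code CASC_VAULT_FILE}
 * environment variable) and from environment variables. When a key is set in both places, the
 * value from the properties file is used (see {@link #getVariable(String)}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The properties file and the environment may carry Vault credentials
 *       ({@code CASC_VAULT_TOKEN}, {@code CASC_VAULT_PW}, {@code CASC_VAULT_APPROLE_SECRET}).
 *       Restrict read access to that file and to the process environment accordingly.</li>
 *   <li>If several credential sets are configured, the last one applied in
 *       {@link #determineAuthenticator()} wins: AppRole over user/password over token.</li>
 *   <li>Configuration, authentication and read failures are logged at WARNING and not
 *       rethrown. After a failure the secret map may be empty or partially filled, and
 *       {@link #reveal(String)} returns {@link Optional#empty()} for the missing keys.
 *       Monitor these warnings; a silent miss leaves the placeholder unresolved.</li>
 *   <li>All fetched secret values are held in memory as plain {@code String}s for the
 *       lifetime of this object.</li>
 * </ul>
 */
@Extension
/* loaded from: input_file:test-dependencies/configuration-as-code.hpi:WEB-INF/lib/configuration-as-code.jar:io/jenkins/plugins/casc/impl/secrets/VaultSecretSource.class */
public class VaultSecretSource extends SecretSource {
    private static final Logger LOGGER = Logger.getLogger(VaultSecretSource.class.getName());
    private static final String CASC_VAULT_FILE = "CASC_VAULT_FILE";
    private static final String CASC_VAULT_PW = "CASC_VAULT_PW";
    private static final String CASC_VAULT_USER = "CASC_VAULT_USER";
    private static final String CASC_VAULT_URL = "CASC_VAULT_URL";
    private static final String CASC_VAULT_MOUNT = "CASC_VAULT_MOUNT";
    private static final String CASC_VAULT_TOKEN = "CASC_VAULT_TOKEN";
    private static final String CASC_VAULT_APPROLE = "CASC_VAULT_APPROLE";
    private static final String CASC_VAULT_APPROLE_SECRET = "CASC_VAULT_APPROLE_SECRET";
    private static final String CASC_VAULT_NAMESPACE = "CASC_VAULT_NAMESPACE";
    private static final String CASC_VAULT_ENGINE_VERSION = "CASC_VAULT_ENGINE_VERSION";
    private static final String CASC_VAULT_PATHS = "CASC_VAULT_PATHS";
    private static final String CASC_VAULT_PATH = "CASC_VAULT_PATH";
    private static final String DEFAULT_ENGINE_VERSION = "2";
    private static final String DEFAULT_USER_BACKEND = "userpass";
    // Secret key -> secret value, merged across all configured Vault paths.
    private Map<String, String> secrets = new HashMap<>();
    private Vault vault;
    private VaultConfig vaultConfig;
    private VaultAuthenticator vaultAuthenticator;
    private String[] vaultPaths;
    private Properties prop;

    /**
     * Loads the configuration and, when both a Vault URL and at least one path variable are
     * set, builds the Vault client. When either is missing, nothing is configured and
     * {@link #vault} stays {@code null}.
     */
    private void configureVault() {
        this.prop = new Properties();
        String vaultFile = System.getenv(CASC_VAULT_FILE);
        if (vaultFile != null) {
            readPropertiesFromVaultFile(vaultFile);
        }

        Optional<String> engineVersionVar = getVariable(CASC_VAULT_ENGINE_VERSION);
        Optional<String> vaultUrl = getVariable(CASC_VAULT_URL);
        Optional<String> vaultNamespace = getVariable(CASC_VAULT_NAMESPACE);

        // CASC_VAULT_PATHS is preferred; the deprecated CASC_VAULT_PATH is consulted (and its
        // deprecation warning logged) only when CASC_VAULT_PATHS is not set.
        Optional<String[]> paths = getCommaSeparatedVariables(CASC_VAULT_PATHS);
        if (!paths.isPresent()) {
            paths = getCommaSeparatedVariables(CASC_VAULT_PATH);
        }

        if (!vaultUrl.isPresent() || !paths.isPresent()) {
            return;
        }

        String engineVersion = engineVersionVar.orElse(DEFAULT_ENGINE_VERSION);
        this.vaultPaths = paths.get();
        determineAuthenticator();
        this.vaultConfig = new VaultConfig().address(vaultUrl.get());
        try {
            LOGGER.log(Level.FINE, "Attempting to connect to Vault: {0}", vaultUrl);
            if (vaultNamespace.isPresent()) {
                this.vaultConfig.nameSpace(vaultNamespace.get());
                LOGGER.log(Level.FINE, "Using namespace with Vault: {0}", vaultNamespace);
            }
            // NOTE(review): a non-numeric CASC_VAULT_ENGINE_VERSION raises an unchecked
            // NumberFormatException here, which is not caught and propagates to the caller.
            this.vaultConfig.engineVersion(Integer.valueOf(engineVersion));
            LOGGER.log(Level.FINE, "Using engine version: {0}", engineVersion);
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not configure vault connection", e);
        }
        try {
            this.vaultConfig.build();
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not configure vault client", e);
        }
        // The client is created even if configuration or build() failed above; the failure
        // has only been logged.
        this.vault = new Vault(this.vaultConfig);
    }

    /**
     * Selects the authenticator from the configured credentials.
     *
     * <p>Candidates are applied in the order token, user/password, AppRole; each one that is
     * fully configured replaces the previous choice, so the last applicable one is used.
     */
    private void determineAuthenticator() {
        Optional<String> password = getVariable(CASC_VAULT_PW);
        Optional<String> user = getVariable(CASC_VAULT_USER);
        Optional<String> vaultToken = getVariable(CASC_VAULT_TOKEN);
        Optional<String> approleId = getVariable(CASC_VAULT_APPROLE);
        Optional<String> approleSecret = getVariable(CASC_VAULT_APPROLE_SECRET);

        vaultToken.ifPresent(this::token);
        allPresent(user, password, this::userPass);
        allPresent(approleId, approleSecret, this::approle);

        if (this.vaultAuthenticator == null) {
            LOGGER.log(Level.WARNING, "Could not determine vault authentication method. Not able to read secrets from vault.");
        }
    }

    /** Stores the authenticator unless it is {@code null} or equal to the current one. */
    private void setAuthenticator(VaultAuthenticator vaultAuthenticator) {
        if (vaultAuthenticator != null && !vaultAuthenticator.equals(this.vaultAuthenticator)) {
            this.vaultAuthenticator = vaultAuthenticator;
        }
    }

    /**
     * Invokes {@code biConsumer} with both values when, and only when, both optionals are
     * present.
     *
     * @param optional first value
     * @param optional2 second value
     * @param biConsumer action receiving the first and the second value, in that order
     */
    public static <T, U> void allPresent(Optional<T> optional, Optional<U> optional2, BiConsumer<T, U> biConsumer) {
        // Distinct lambda parameter names: the decompiled form reused one name for both, which
        // does not compile and would have passed the same value twice.
        optional.ifPresent(first -> optional2.ifPresent(second -> biConsumer.accept(first, second)));
    }

    /** Selects token authentication. */
    private void token(String str) {
        setAuthenticator(VaultAuthenticator.of(str));
    }

    /**
     * Selects user/password authentication against the mount named by
     * {@code CASC_VAULT_MOUNT}, defaulting to {@code userpass}.
     */
    private void userPass(String str, String str2) {
        String mount = getVariable(CASC_VAULT_MOUNT).orElse(DEFAULT_USER_BACKEND);
        setAuthenticator(VaultAuthenticator.of(str, str2, mount));
    }

    /** Selects AppRole authentication. */
    private void approle(String str, String str2) {
        setAuthenticator(VaultAuthenticator.of(str, str2));
    }

    /**
     * Replaces the secret map with the data read from every configured Vault path.
     *
     * <p>Paths are read in order and a later path overwrites a key already provided by an
     * earlier one; only the key name is logged when that happens, never the value. A
     * {@link VaultException} stops the loop and leaves the entries read so far in place.
     */
    private void readSecretsFromVault() {
        if (this.vaultPaths == null) {
            return;
        }
        try {
            this.secrets = new HashMap<>();
            for (String vaultPath : this.vaultPaths) {
                Map<String, String> data = this.vault.logical().read(vaultPath).getData();
                for (String key : data.keySet()) {
                    if (this.secrets.containsKey(key)) {
                        LOGGER.log(Level.WARNING, "Key {0} exists in multiple vault paths.", key);
                    }
                }
                this.secrets.putAll(data);
            }
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Unable to fetch secret from Vault", e);
        }
    }

    /**
     * Loads configuration properties from the given file into {@link #prop}.
     *
     * <p>The file may contain Vault credentials, so it should be readable only by the account
     * running this process. I/O failures are logged and otherwise ignored.
     *
     * @param str path of the properties file
     */
    private void readPropertiesFromVaultFile(String str) {
        // try-with-resources closes the stream on every path, including when load() throws;
        // the decompiled form closed it only after a successful load.
        try (FileInputStream input = new FileInputStream(str)) {
            this.prop.load(input);
            if (this.prop.isEmpty()) {
                LOGGER.log(Level.WARNING, "Vault secret file is empty");
            }
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to load Vault secrets from file", e);
        }
    }

    /**
     * Looks up a secret by key.
     *
     * @param str secret key
     * @return the secret value, or empty when the key is blank or unknown
     */
    @Override // io.jenkins.plugins.casc.SecretSource
    public Optional<String> reveal(String str) {
        if (StringUtils.isBlank(str)) {
            return Optional.empty();
        }
        return Optional.ofNullable(this.secrets.get(str));
    }

    /**
     * Returns the live, mutable secret map (not a copy). Callers receive every secret value
     * in clear text and can modify what {@link #reveal(String)} returns.
     */
    public Map<String, String> getSecrets() {
        return this.secrets;
    }

    /**
     * Replaces the secret map with the given instance, without copying it. Passing
     * {@code null} makes a later {@link #reveal(String)} with a non-blank key throw a
     * {@link NullPointerException}.
     */
    public void setSecrets(Map<String, String> map) {
        this.secrets = map;
    }

    /**
     * Resolves a configuration value: the properties file first, then the environment
     * variable of the same name.
     */
    private Optional<String> getVariable(String str) {
        return Optional.ofNullable(this.prop.getProperty(str, System.getenv(str)));
    }

    /**
     * Resolves a configuration value and splits it on commas. Logs a deprecation warning when
     * the value comes from {@code CASC_VAULT_PATH}.
     */
    private Optional<String[]> getCommaSeparatedVariables(String str) {
        Optional<String[]> values = getVariable(str).map(value -> value.split(","));
        if (str.equals(CASC_VAULT_PATH) && values.isPresent()) {
            LOGGER.log(Level.WARNING, "[Deprecation Warning] CASC_VAULT_PATH is deprecated. Please use CASC_VAULT_PATHS instead.");
        }
        return values;
    }

    /**
     * Configures the client, authenticates and loads the secrets.
     *
     * <p>Nothing is read when no authenticator could be determined. An authentication failure
     * is only logged; the read is still attempted afterwards.
     */
    @Override // io.jenkins.plugins.casc.SecretSource
    public void init() {
        configureVault();
        if (this.vaultAuthenticator == null) {
            return;
        }
        try {
            this.vaultAuthenticator.authenticate(this.vault, this.vaultConfig);
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not authenticate with vault client", e);
        }
        readSecretsFromVault();
    }
}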
