package io.jenkins.plugins.casc.impl.secrets;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import hudson.Extension;
import io.jenkins.plugins.casc.SecretSource;
import io.jenkins.plugins.casc.impl.secrets.util.VaultAppRoleAuthenticator;
import io.jenkins.plugins.casc.impl.secrets.util.VaultAuthenticator;
import io.jenkins.plugins.casc.impl.secrets.util.VaultSingleTokenAuthenticator;
import io.jenkins.plugins.casc.impl.secrets.util.VaultUserPassAuthenticator;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang.StringUtils;

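/**
 * {@link SecretSource} that resolves Configuration-as-Code secrets from HashiCorp Vault.
 *
 * <p>Settings are looked up by name ({@code CASC_VAULT_URL}, {@code CASC_VAULT_PATHS}, ...) first in
 * the properties file named by the {@code CASC_VAULT_FILE} environment variable and then in the
 * process environment; a value in the file takes precedence over the environment.
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>The properties file and the environment may carry Vault credentials (token, password,
 *       AppRole secret). Restrict read access to the file to the account running Jenkins.</li>
 *   <li>Fetched secrets are cached in plaintext in an in-memory map, and {@link #getSecrets()}
 *       hands out that live map.</li>
 *   <li>Only key names, never secret values, are written to the log by this class. Keep it that
 *       way when adding log statements.</li>
 * </ul>
 */
@Extension
/* loaded from: input_file:io/jenkins/plugins/casc/impl/secrets/VaultSecretSource.class */
public class VaultSecretSource extends SecretSource {
    private static final Logger LOGGER = Logger.getLogger(VaultSecretSource.class.getName());
    private static final String CASC_VAULT_FILE = "CASC_VAULT_FILE";
    private static final String CASC_VAULT_PW = "CASC_VAULT_PW";
    private static final String CASC_VAULT_USER = "CASC_VAULT_USER";
    private static final String CASC_VAULT_URL = "CASC_VAULT_URL";
    private static final String CASC_VAULT_MOUNT = "CASC_VAULT_MOUNT";
    private static final String CASC_VAULT_TOKEN = "CASC_VAULT_TOKEN";
    private static final String CASC_VAULT_APPROLE = "CASC_VAULT_APPROLE";
    private static final String CASC_VAULT_APPROLE_SECRET = "CASC_VAULT_APPROLE_SECRET";
    private static final String CASC_VAULT_NAMESPACE = "CASC_VAULT_NAMESPACE";
    private static final String CASC_VAULT_ENGINE_VERSION = "CASC_VAULT_ENGINE_VERSION";
    private static final String CASC_VAULT_PATHS = "CASC_VAULT_PATHS";
    private static final String CASC_VAULT_PATH = "CASC_VAULT_PATH";
    private static final String DEFAULT_ENGINE_VERSION = "2";
    private static final String DEFAULT_USER_BACKEND = "userpass";

    // Plaintext cache of everything read from the configured Vault paths (key -> secret value).
    private Map<String, String> secrets = new HashMap<>();
    private Vault vault;
    private VaultConfig vaultConfig;
    // Stays null when no complete set of credentials was supplied; reveal() then skips Vault.
    private VaultAuthenticator vaultAuthenticator;
    private String[] vaultPaths;

    /**
     * Reads the Vault settings and, when both a URL and at least one path are configured, prepares
     * the Vault client. No request for secrets is made here; that happens in
     * {@link #reveal(String)}.
     */
    public VaultSecretSource() {
        Properties properties = new Properties();
        String vaultFile = System.getenv(CASC_VAULT_FILE);
        if (vaultFile != null) {
            readPropertiesFromVaultFile(vaultFile, properties);
        }

        Optional<String> engineVersion = getVariable(CASC_VAULT_ENGINE_VERSION, properties);
        Optional<String> url = getVariable(CASC_VAULT_URL, properties);
        Optional<String> namespace = getVariable(CASC_VAULT_NAMESPACE, properties);

        // Fall back to the deprecated single-path variable only when the new one is absent, so
        // the deprecation warning is not emitted for configurations that never use it.
        Optional<String[]> paths = getCommaSeparatedVariables(CASC_VAULT_PATHS, properties);
        if (!paths.isPresent()) {
            paths = getCommaSeparatedVariables(CASC_VAULT_PATH, properties);
        }
        if (!url.isPresent() || !paths.isPresent()) {
            return;
        }

        int version = parseEngineVersion(engineVersion.orElse(DEFAULT_ENGINE_VERSION));
        this.vaultPaths = paths.get();
        determineAuthenticator(properties);
        this.vaultConfig = new VaultConfig().address(url.get());
        try {
            // Log the unwrapped values; logging the Optional itself prints "Optional[...]".
            LOGGER.log(Level.FINE, "Attempting to connect to Vault: {0}", url.get());
            if (namespace.isPresent()) {
                this.vaultConfig.nameSpace(namespace.get());
                LOGGER.log(Level.FINE, "Using namespace with Vault: {0}", namespace.get());
            }
            this.vaultConfig.engineVersion(version);
            LOGGER.log(Level.FINE, "Using engine version: {0}", version);
            this.vaultConfig = this.vaultConfig.build();
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not configure vault connection", e);
        }
        try {
            // Kept from the original: when an earlier step above throws, build() has not run yet.
            // NOTE(review): on the success path this is a second build() call - confirm it is
            // harmless for the driver version in use, or drop it.
            this.vaultConfig.build();
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Could not configure vault client", e);
        }
        this.vault = new Vault(this.vaultConfig);
    }

    /**
     * Parses the configured KV engine version.
     *
     * <p>A malformed value used to escape the constructor as a {@link NumberFormatException};
     * it is now reported and replaced by {@link #DEFAULT_ENGINE_VERSION}.
     *
     * @param raw the configured value
     * @return the parsed version, or the default when {@code raw} is not an integer
     */
    private static int parseEngineVersion(String raw) {
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            LOGGER.log(Level.WARNING,
                    "Invalid " + CASC_VAULT_ENGINE_VERSION + " value, falling back to engine version {0}",
                    DEFAULT_ENGINE_VERSION);
            return Integer.parseInt(DEFAULT_ENGINE_VERSION);
        }
    }

    /**
     * Picks the authenticator from whichever credentials are configured.
     *
     * <p>The checks run in sequence and each one overwrites the previous choice, so when several
     * credential sets are present the effective order of preference is AppRole, then
     * user/password, then token.
     *
     * @param properties settings loaded from the optional Vault properties file
     */
    private void determineAuthenticator(Properties properties) {
        Optional<String> password = getVariable(CASC_VAULT_PW, properties);
        Optional<String> user = getVariable(CASC_VAULT_USER, properties);
        Optional<String> mount = getVariable(CASC_VAULT_MOUNT, properties);
        Optional<String> token = getVariable(CASC_VAULT_TOKEN, properties);
        Optional<String> approle = getVariable(CASC_VAULT_APPROLE, properties);
        Optional<String> approleSecret = getVariable(CASC_VAULT_APPROLE_SECRET, properties);

        token.ifPresent(t -> {
            this.vaultAuthenticator = new VaultSingleTokenAuthenticator(t);
        });
        // NOTE(review): the decompiled lambdas reused one parameter name for both nesting levels,
        // which does not compile and hides which value went where. The (user, password) and
        // (role, secret) order below follows the nesting order - confirm against the
        // authenticator constructors.
        user.ifPresent(u -> password.ifPresent(p -> {
            this.vaultAuthenticator =
                    new VaultUserPassAuthenticator(u, p, mount.orElse(DEFAULT_USER_BACKEND));
        }));
        approle.ifPresent(role -> approleSecret.ifPresent(secret -> {
            this.vaultAuthenticator = new VaultAppRoleAuthenticator(role, secret);
        }));

        if (this.vaultAuthenticator == null) {
            LOGGER.log(Level.WARNING, "Could not determine vault authentication method. Not able to read secrets from vault.");
        }
    }

    /**
     * Replaces the cache with the contents of every configured Vault path.
     *
     * <p>Paths are merged in order; a key found in more than one path is reported by name and the
     * later path wins. The cache is cleared before reading, so a failure part-way through leaves
     * only the entries from the paths read so far.
     */
    private void readSecretsFromVault() {
        if (this.vaultPaths == null) {
            return;
        }
        try {
            this.secrets = new HashMap<>();
            for (String path : this.vaultPaths) {
                Map<String, String> data = this.vault.logical().read(path).getData();
                for (String key : data.keySet()) {
                    if (this.secrets.containsKey(key)) {
                        // Key name only; the value must never reach the log.
                        LOGGER.log(Level.WARNING, "Key {0} exists in multiple vault paths.", key);
                    }
                }
                this.secrets.putAll(data);
            }
        } catch (VaultException e) {
            LOGGER.log(Level.WARNING, "Unable to fetch secret from Vault", e);
        }
    }

    /**
     * Loads Vault settings from a properties file into {@code properties}.
     *
     * <p>An unreadable file is logged and otherwise ignored, leaving {@code properties} as it was.
     *
     * @param str path of the properties file
     * @param properties target that receives the loaded entries
     */
    private void readPropertiesFromVaultFile(String str, Properties properties) {
        // try-with-resources closes the stream on every path, replacing the decompiler's
        // hand-expanded close/suppress logic.
        try (FileInputStream in = new FileInputStream(str)) {
            properties.load(in);
            if (properties.isEmpty()) {
                LOGGER.log(Level.WARNING, "Vault secret file is empty");
            }
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to load Vault secrets from file", e);
        }
    }

    /**
     * Looks up one secret by key.
     *
     * <p>When an authenticator is configured, every call re-authenticates and re-reads all
     * configured paths before the lookup.
     *
     * @param str the secret key
     * @return the secret value, or empty when the key is blank or unknown
     */
    @Override // io.jenkins.plugins.casc.SecretSource
    public Optional<String> reveal(String str) {
        if (StringUtils.isBlank(str)) {
            return Optional.empty();
        }
        if (this.vaultAuthenticator != null) {
            try {
                this.vaultAuthenticator.authenticate(this.vault, this.vaultConfig);
            } catch (VaultException e) {
                LOGGER.log(Level.WARNING, "Could not authenticate with vault client", e);
            }
            // The read is attempted even after a failed authentication, as in the original.
            readSecretsFromVault();
        }
        return Optional.ofNullable(this.secrets.get(str));
    }

    /**
     * Returns the live secret cache.
     *
     * <p>The map is not copied: callers see plaintext secret values and can modify the cache.
     *
     * @return the cached secrets
     */
    public Map<String, String> getSecrets() {
        return this.secrets;
    }

    /**
     * Replaces the secret cache with the given map, stored by reference.
     *
     * @param map the new cache contents
     */
    public void setSecrets(Map<String, String> map) {
        this.secrets = map;
    }

    /**
     * Resolves one setting, preferring the properties file over the process environment.
     *
     * @param str the setting name
     * @param properties settings loaded from the optional Vault properties file
     * @return the value, or empty when it is set in neither place
     */
    private Optional<String> getVariable(String str, Properties properties) {
        return Optional.ofNullable(properties.getProperty(str, System.getenv(str)));
    }

    /**
     * Resolves one setting and splits it on commas; the pieces are not trimmed.
     *
     * <p>The deprecation warning for {@code CASC_VAULT_PATH} is logged only when that variable is
     * actually set.
     *
     * @param str the setting name
     * @param properties settings loaded from the optional Vault properties file
     * @return the split values, or empty when the setting is absent
     */
    private Optional<String[]> getCommaSeparatedVariables(String str, Properties properties) {
        Optional<String[]> values = getVariable(str, properties).map(value -> value.split(","));
        if (values.isPresent() && CASC_VAULT_PATH.equals(str)) {
            LOGGER.log(Level.WARNING, "[Deprecation Warning] CASC_VAULT_PATH will be deprecated. Please use CASC_VAULT_PATHS instead.");
        }
        return values;
    }
}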
