package org.apache.drill.exec.store.security.vault;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.LogicalResponse;
import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.OptBoolean;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.common.exceptions.UserException;
import org.apache.drill.common.logical.security.CredentialsProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/store/security/vault/VaultCredentialsProvider.class */
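/**
 * {@link CredentialsProvider} that reads storage-plugin credentials from a HashiCorp Vault
 * secret path, authenticating with the AppRole method.
 *
 * <p>The Vault address, AppRole role id and AppRole secret id are taken from the Drill
 * configuration (see {@link #VAULT_ADDRESS}, {@link #VAULT_APP_ROLE_ID} and
 * {@link #VAULT_SECRET_ID}). The client starts without a token; a token is obtained lazily the
 * first time Vault answers a read with HTTP 403, and is renewed the same way afterwards.
 *
 * <p>Security notes: the maps returned by {@link #getCredentials()} and
 * {@link #getUserCredentials(String)} hold secret values and must not be logged. This class
 * itself logs only secret paths and user names, never secret values or tokens.
 *
 * <p>Thread-safety: re-authentication is serialized on {@code this}; the current client is
 * published through a {@code volatile} field so that readers outside the lock see the renewed
 * client.
 */
public class VaultCredentialsProvider implements CredentialsProvider {
    private static final Logger logger = LoggerFactory.getLogger(VaultCredentialsProvider.class);
    public static final String VAULT_ADDRESS = "drill.exec.storage.vault.address";
    public static final String VAULT_APP_ROLE_ID = "drill.exec.storage.vault.app_role_id";
    public static final String VAULT_SECRET_ID = "drill.exec.storage.vault.secret_id";
    /** Placeholder in the secret path that is replaced with the query user name. */
    public static final String QUERY_USER_VAR = "$user";
    /** HTTP status that triggers (re)authentication against Vault. */
    private static final int HTTP_FORBIDDEN = 403;
    private final String secretPath;
    private final String appRoleId;
    private final String secretId;
    private final Map<String, String> propertyNames;
    private final VaultConfig vaultConfig;
    // volatile: read outside the lock in getCredentialsAt(), replaced inside synchronized (this).
    // Without it a reader may keep using a stale client after another thread reauthenticated.
    private volatile Vault vault;

    /**
     * Creates a provider bound to one secret path.
     *
     * @param secretPath Vault path to read; may contain {@link #QUERY_USER_VAR}
     * @param propertyNames maps credential names returned to the caller (keys) to the property
     *     names stored in the Vault secret (values)
     * @param drillConfig Drill configuration supplying the Vault address and AppRole identifiers
     * @throws NullPointerException if any of the three Vault config properties is not set
     * @throws VaultException if the Vault client configuration cannot be built
     */
    @JsonCreator
    public VaultCredentialsProvider(@JsonProperty("secretPath") String secretPath, @JsonProperty("propertyNames") Map<String, String> propertyNames, @JacksonInject(useInput = OptBoolean.FALSE) DrillConfig drillConfig) throws VaultException {
        this.propertyNames = propertyNames;
        this.secretPath = secretPath;
        this.appRoleId = Objects.requireNonNull(drillConfig.getString(VAULT_APP_ROLE_ID), String.format("Vault app role id is not specified. Please set [%s] config property.", VAULT_APP_ROLE_ID));
        this.secretId = Objects.requireNonNull(drillConfig.getString(VAULT_SECRET_ID), String.format("Vault secret id is not specified. Please set [%s] config property.", VAULT_SECRET_ID));
        String address = Objects.requireNonNull(drillConfig.getString(VAULT_ADDRESS), String.format("Vault address is not specified. Please set [%s] config property.", VAULT_ADDRESS));
        this.vaultConfig = new VaultConfig().address(address).build();
        // No token yet: the first read is expected to be rejected and to trigger the AppRole login.
        this.vault = new Vault(this.vaultConfig);
    }

    /**
     * Picks the configured properties out of the data of a Vault secret.
     *
     * @param vaultData key/value data returned by Vault for the secret
     * @return a new map from each configured credential name to its Vault value; properties that
     *     are absent from {@code vaultData} are omitted
     */
    private Map<String, String> extractCredentials(Map<String, String> vaultData) {
        Map<String, String> credentials = new HashMap<>();
        // "propertyNames" is optional in the JSON definition; treat a missing map (or missing
        // secret data) as "nothing to extract" rather than failing with a NullPointerException.
        if (this.propertyNames == null || vaultData == null) {
            return credentials;
        }
        for (Map.Entry<String, String> entry : this.propertyNames.entrySet()) {
            String value = vaultData.get(entry.getValue());
            if (value != null) {
                credentials.put(entry.getKey(), value);
            }
        }
        return credentials;
    }

    /**
     * Reads the secret at {@code path}, logging in with AppRole and retrying once when Vault
     * answers HTTP 403.
     *
     * @param path fully resolved Vault path
     * @return the configured credentials found at {@code path}; empty if none were readable
     * @throws UserException (system error) if the Vault client reports a failure
     */
    private Map<String, String> getCredentialsAt(String path) {
        // Remember which client produced the 403 so that only one of several concurrent callers
        // performs the login; the others detect the swap and just retry.
        Vault observed = this.vault;
        try {
            logger.debug("Attempting to fetch secrets from Vault path {}.", path);
            LogicalResponse response = observed.logical().read(path);
            if (response.getRestResponse().getStatus() == HTTP_FORBIDDEN) {
                logger.info("Attempt to fetch secrets received HTTP 403 from Vault.");
                synchronized (this) {
                    if (observed == this.vault) {
                        logger.info("Attempting to reauthenticate.");
                        // The token is handed straight to the new client and is never logged.
                        String token = this.vault.auth().loginByAppRole(this.appRoleId, this.secretId).getAuthClientToken();
                        this.vault = new Vault(this.vaultConfig.token(token));
                    } else {
                        logger.debug("Another caller has already attempted reauthentication.");
                    }
                }
                logger.debug("Reattempting to fetch secrets from Vault path {}", path);
                response = this.vault.logical().read(path);
            }
            return extractCredentials(response.getData());
        } catch (VaultException e) {
            throw UserException.systemError(e).message("Error while fetching credentials from vault").build(logger);
        }
    }

    /**
     * Reads the credentials stored at the configured secret path, used as-is.
     *
     * @return the configured credentials; empty (with a warning logged) if none were readable
     */
    public Map<String, String> getCredentials() {
        Map<String, String> credentials = getCredentialsAt(this.secretPath);
        if (credentials.isEmpty()) {
            logger.warn("No credentials matching the configured property names were readable at {}", this.secretPath);
        }
        return credentials;
    }

    /**
     * Reads the credentials of one query user by substituting the user name for
     * {@link #QUERY_USER_VAR} in the configured secret path.
     *
     * <p>The user name becomes part of the Vault path, so a name that is empty or contains a
     * {@code .} or {@code ..} path segment is rejected: it could otherwise resolve to a secret
     * outside the per-user location. Names containing {@code /} are still accepted and expand to
     * a nested path, so the Vault policy attached to the AppRole should be scoped to the intended
     * subtree. When the path has no {@link #QUERY_USER_VAR} the user name is not used in the path.
     *
     * @param queryUser name of the user running the query
     * @return the configured credentials for that user; empty (with a warning logged) if none
     *     were readable
     * @throws UserException (validation error) if the user name cannot be placed safely in the path
     */
    public Map<String, String> getUserCredentials(String queryUser) {
        String resolvedPath = this.secretPath;
        if (this.secretPath.contains(QUERY_USER_VAR)) {
            if (queryUser == null || queryUser.isEmpty() || hasDotSegment(queryUser)) {
                // The rejected name is deliberately left out of the message.
                throw UserException.validationError().message("The query user name cannot be used to resolve the Vault secret path %s", this.secretPath).build(logger);
            }
            resolvedPath = this.secretPath.replace(QUERY_USER_VAR, queryUser);
        }
        Map<String, String> credentials = getCredentialsAt(resolvedPath);
        if (credentials.isEmpty()) {
            logger.warn("No credentials for {} matching the configured property names were readable at {}", queryUser, resolvedPath);
        }
        return credentials;
    }

    /** Returns true if any {@code /}-separated segment of {@code value} is {@code .} or {@code ..}. */
    private static boolean hasDotSegment(String value) {
        for (String segment : value.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return true;
            }
        }
        return false;
    }

    /** Returns the configured secret path, with {@link #QUERY_USER_VAR} left unresolved. */
    public String getSecretPath() {
        return this.secretPath;
    }

    /** Returns the configured mapping from credential names to Vault property names. */
    public Map<String, String> getPropertyNames() {
        return this.propertyNames;
    }

    /**
     * Two providers are equal when their secret path and property names are equal; the Vault
     * address and AppRole identifiers are not part of the comparison.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        VaultCredentialsProvider other = (VaultCredentialsProvider) obj;
        return Objects.equals(this.secretPath, other.secretPath) && Objects.equals(this.propertyNames, other.propertyNames);
    }

    /** Hashes the same two fields that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        return Objects.hash(this.secretPath, this.propertyNames);
    }
}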
