package org.springframework.cloud.vault.config;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import java.beans.ConstructorProperties;
import java.net.URI;
import java.util.Locale;
import java.util.concurrent.atomic.AtomicReference;
import org.springframework.beans.BeanUtils;
import org.springframework.cloud.vault.config.VaultProperties;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AppIdAuthentication;
import org.springframework.vault.authentication.AppIdAuthenticationOptions;
import org.springframework.vault.authentication.AppIdUserIdMechanism;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AwsEc2Authentication;
import org.springframework.vault.authentication.AwsEc2AuthenticationOptions;
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.ClientCertificateAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
import org.springframework.vault.authentication.IpAddressUserId;
import org.springframework.vault.authentication.KubernetesAuthentication;
import org.springframework.vault.authentication.KubernetesAuthenticationOptions;
import org.springframework.vault.authentication.KubernetesServiceAccountTokenFile;
import org.springframework.vault.authentication.MacAddressUserId;
import org.springframework.vault.authentication.StaticUserId;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/cloud/vault/config/ClientAuthenticationFactory.class */
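/**
 * Builds the {@link ClientAuthentication} that matches the authentication method selected in
 * {@link VaultProperties}.
 *
 * <p>Every credential this factory handles (initial token, AppRole role-id/secret-id, AppId
 * user-id, EC2 nonce) is read from {@link VaultProperties}. The validation messages below name
 * only the property key, never the value, so a failed start-up does not echo a secret.
 */
class ClientAuthenticationFactory {
    private final VaultProperties vaultProperties;
    private final RestOperations restOperations;

    /**
     * @param vaultProperties source of the authentication method and its settings
     * @param restOperations client handed to every authentication implementation that talks to Vault
     */
    @ConstructorProperties({"vaultProperties", "restOperations"})
    public ClientAuthenticationFactory(VaultProperties vaultProperties, RestOperations restOperations) {
        this.vaultProperties = vaultProperties;
        this.restOperations = restOperations;
    }

    /**
     * Holder for the AWS credentials provider used by AWS IAM authentication. Kept in its own
     * nested class so the AWS SDK types are referenced only from here.
     */
    public static class AwsCredentialProvider {
        private AwsCredentialProvider() {
        }

        /**
         * Resolves credentials from the default AWS provider chain once, immediately, and returns
         * a provider that hands out that first result on its first {@code getCredentials()} call
         * and asks the chain again on every later call.
         *
         * <p>Resolving eagerly means a chain that cannot find credentials fails here rather than
         * at the first Vault login (presumably the intent; confirm against the upstream source).
         */
        private static AWSCredentialsProvider getAwsCredentialsProvider() {
            final DefaultAWSCredentialsProviderChain chain = DefaultAWSCredentialsProviderChain.getInstance();
            final AWSCredentials initial = chain.getCredentials();
            // Holds the eagerly resolved credentials until they have been handed out once.
            final AtomicReference<AWSCredentials> pending = new AtomicReference<>(initial);
            return new AWSCredentialsProvider() {
                @Override
                public AWSCredentials getCredentials() {
                    // The swap succeeds exactly once; afterwards the chain is queried so that
                    // rotated or refreshed credentials are picked up.
                    return pending.compareAndSet(initial, null) ? initial : chain.getCredentials();
                }

                @Override
                public void refresh() {
                    chain.refresh();
                }
            };
        }
    }

    /**
     * Creates the client authentication for the configured method.
     *
     * @return the authentication implementation for {@code vaultProperties.getAuthentication()}
     * @throws IllegalArgumentException if a setting required by the selected method is empty
     * @throws UnsupportedOperationException if the configured method has no branch here
     */
    public ClientAuthentication createClientAuthentication() {
        switch (this.vaultProperties.getAuthentication()) {
            case TOKEN:
                Assert.hasText(this.vaultProperties.getToken(), "Token (spring.cloud.vault.token) must not be empty");
                return new TokenAuthentication(this.vaultProperties.getToken());
            case APPID:
                return appIdAuthentication(this.vaultProperties);
            case APPROLE:
                return appRoleAuthentication(this.vaultProperties);
            case CERT:
                return new ClientCertificateAuthentication(this.restOperations);
            case AWS_EC2:
                return awsEc2Authentication(this.vaultProperties);
            case AWS_IAM:
                return awsIamAuthentication(this.vaultProperties);
            case CUBBYHOLE:
                return cubbyholeAuthentication();
            case KUBERNETES:
                return kubernetesAuthentication(this.vaultProperties);
            default:
                throw new UnsupportedOperationException(String.format("Client authentication %s not supported", this.vaultProperties.getAuthentication()));
        }
    }

    /** Builds AppId authentication; the application name is used as the app-id. */
    private ClientAuthentication appIdAuthentication(VaultProperties vaultProperties) {
        VaultProperties.AppIdProperties appId = vaultProperties.getAppId();
        Assert.hasText(appId.getUserId(), "UserId (spring.cloud.vault.app-id.user-id) must not be empty");
        AppIdAuthenticationOptions options = AppIdAuthenticationOptions.builder()
                .appId(vaultProperties.getApplicationName())
                .path(appId.getAppIdPath())
                .userIdMechanism(getClientAuthentication(appId))
                .build();
        return new AppIdAuthentication(options, this.restOperations);
    }

    /**
     * Resolves the AppId user-id mechanism from the {@code user-id} property.
     *
     * <p>The value is first tried as a class name. If no such class exists, it is matched
     * against the built-in {@code IP_ADDRESS} and {@code MAC_ADDRESS} keywords, and otherwise
     * used verbatim as a static user-id.
     *
     * @throws IllegalArgumentException if the value names a class that is not an
     *     {@link AppIdUserIdMechanism}
     */
    private AppIdUserIdMechanism getClientAuthentication(VaultProperties.AppIdProperties appIdProperties) {
        String userId = appIdProperties.getUserId();
        Class<?> mechanismType;
        try {
            mechanismType = ClassUtils.forName(userId, null);
        } catch (ClassNotFoundException e) {
            // Not a class name: fall back to the keyword / static interpretation.
            return builtInUserIdMechanism(appIdProperties);
        }
        // The class name comes from configuration. Check the type before instantiating so that
        // the constructor of an unrelated class is never run just because its name was configured.
        if (!AppIdUserIdMechanism.class.isAssignableFrom(mechanismType)) {
            throw new IllegalArgumentException(String.format(
                    "UserId (spring.cloud.vault.app-id.user-id) names class %s which does not implement %s",
                    mechanismType.getName(), AppIdUserIdMechanism.class.getName()));
        }
        return (AppIdUserIdMechanism) BeanUtils.instantiateClass(mechanismType);
    }

    /** Maps the {@code user-id} keyword to a built-in mechanism, defaulting to a static user-id. */
    private static AppIdUserIdMechanism builtInUserIdMechanism(VaultProperties.AppIdProperties appIdProperties) {
        // Locale.ROOT keeps the keyword match independent of the JVM default locale
        // (e.g. the Turkish dotted/dotless i would otherwise break "ip_address").
        String keyword = appIdProperties.getUserId().toUpperCase(Locale.ROOT);
        if (VaultProperties.AppIdProperties.IP_ADDRESS.equals(keyword)) {
            return new IpAddressUserId();
        }
        if (VaultProperties.AppIdProperties.MAC_ADDRESS.equals(keyword)) {
            String networkInterface = appIdProperties.getNetworkInterface();
            if (!StringUtils.hasText(networkInterface)) {
                return new MacAddressUserId();
            }
            // A numeric value selects the interface by index, anything else by name.
            try {
                return new MacAddressUserId(Integer.parseInt(networkInterface));
            } catch (NumberFormatException notAnIndex) {
                return new MacAddressUserId(networkInterface);
            }
        }
        // Here the property value itself is the user-id sent to Vault, i.e. a credential.
        return new StaticUserId(appIdProperties.getUserId());
    }

    private ClientAuthentication appRoleAuthentication(VaultProperties vaultProperties) {
        return new AppRoleAuthentication(getAppRoleAuthenticationOptions(vaultProperties), this.restOperations);
    }

    /**
     * Assembles the AppRole options: path, optional role name, and the role-id / secret-id
     * sources derived from the configured properties.
     *
     * @throws IllegalArgumentException if no role-id source can be derived
     */
    static AppRoleAuthenticationOptions getAppRoleAuthenticationOptions(VaultProperties vaultProperties) {
        VaultProperties.AppRoleProperties appRole = vaultProperties.getAppRole();
        AppRoleAuthenticationOptions.AppRoleAuthenticationOptionsBuilder builder =
                AppRoleAuthenticationOptions.builder().path(appRole.getAppRolePath());
        if (StringUtils.hasText(appRole.getRole())) {
            builder.appRole(appRole.getRole());
        }
        // Resolve the role-id first so a missing role-id is reported before the secret-id is looked at.
        AppRoleAuthenticationOptions.RoleId roleId = getRoleId(vaultProperties, appRole);
        AppRoleAuthenticationOptions.SecretId secretId = getSecretId(vaultProperties, appRole);
        builder.roleId(roleId).secretId(secretId);
        return builder.build();
    }

    /**
     * Chooses the role-id source: an explicit role-id, else pull mode (initial token plus role
     * name), else a wrapped role-id (initial token only).
     */
    private static AppRoleAuthenticationOptions.RoleId getRoleId(VaultProperties vaultProperties, VaultProperties.AppRoleProperties appRoleProperties) {
        if (StringUtils.hasText(appRoleProperties.getRoleId())) {
            return AppRoleAuthenticationOptions.RoleId.provided(appRoleProperties.getRoleId());
        }
        boolean hasToken = StringUtils.hasText(vaultProperties.getToken());
        if (hasToken && StringUtils.hasText(appRoleProperties.getRole())) {
            return AppRoleAuthenticationOptions.RoleId.pull(VaultToken.of(vaultProperties.getToken()));
        }
        if (hasToken) {
            return AppRoleAuthenticationOptions.RoleId.wrapped(VaultToken.of(vaultProperties.getToken()));
        }
        throw new IllegalArgumentException("Cannot configure RoleId. Any of role-id, initial token, or initial token and role name must be configured.");
    }

    /**
     * Chooses the secret-id source with the same precedence as the role-id, except that a
     * configuration with neither secret-id nor initial token yields an absent secret-id
     * instead of an error.
     */
    private static AppRoleAuthenticationOptions.SecretId getSecretId(VaultProperties vaultProperties, VaultProperties.AppRoleProperties appRoleProperties) {
        if (StringUtils.hasText(appRoleProperties.getSecretId())) {
            return AppRoleAuthenticationOptions.SecretId.provided(appRoleProperties.getSecretId());
        }
        boolean hasToken = StringUtils.hasText(vaultProperties.getToken());
        if (hasToken && StringUtils.hasText(appRoleProperties.getRole())) {
            return AppRoleAuthenticationOptions.SecretId.pull(VaultToken.of(vaultProperties.getToken()));
        }
        if (hasToken) {
            return AppRoleAuthenticationOptions.SecretId.wrapped(VaultToken.of(vaultProperties.getToken()));
        }
        return AppRoleAuthenticationOptions.SecretId.absent();
    }

    /** Builds AWS EC2 authentication; a nonce is generated when none is configured. */
    private ClientAuthentication awsEc2Authentication(VaultProperties vaultProperties) {
        VaultProperties.AwsEc2Properties awsEc2 = vaultProperties.getAwsEc2();
        AwsEc2AuthenticationOptions.Nonce nonce = StringUtils.hasText(awsEc2.getNonce())
                ? AwsEc2AuthenticationOptions.Nonce.provided(awsEc2.getNonce().toCharArray())
                : AwsEc2AuthenticationOptions.Nonce.generated();
        AwsEc2AuthenticationOptions options = AwsEc2AuthenticationOptions.builder()
                .role(awsEc2.getRole())
                .path(awsEc2.getAwsEc2Path())
                .nonce(nonce)
                .identityDocumentUri(URI.create(awsEc2.getIdentityDocument()))
                .build();
        // The same RestOperations instance is passed for both client arguments of the constructor.
        return new AwsEc2Authentication(options, this.restOperations, this.restOperations);
    }

    /** Builds AWS IAM authentication; role and server name are set only when configured. */
    private ClientAuthentication awsIamAuthentication(VaultProperties vaultProperties) {
        VaultProperties.AwsIamProperties awsIam = vaultProperties.getAwsIam();
        AWSCredentialsProvider credentialsProvider = AwsCredentialProvider.getAwsCredentialsProvider();
        AwsIamAuthenticationOptions.AwsIamAuthenticationOptionsBuilder builder = AwsIamAuthenticationOptions.builder();
        if (StringUtils.hasText(awsIam.getRole())) {
            builder.role(awsIam.getRole());
        }
        if (StringUtils.hasText(awsIam.getServerName())) {
            builder.serverName(awsIam.getServerName());
        }
        builder.path(awsIam.getAwsPath()).credentialsProvider(credentialsProvider);
        return new AwsIamAuthentication(builder.build(), this.restOperations);
    }

    /** Builds Cubbyhole authentication in wrapped mode from the initial token. */
    private ClientAuthentication cubbyholeAuthentication() {
        Assert.hasText(this.vaultProperties.getToken(), "Initial Token (spring.cloud.vault.token) for Cubbyhole authentication must not be empty");
        CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions.builder()
                .wrapped()
                .initialToken(VaultToken.of(this.vaultProperties.getToken()))
                .build();
        return new CubbyholeAuthentication(options, this.restOperations);
    }

    /** Builds Kubernetes authentication using the JWT in the configured service account token file. */
    private ClientAuthentication kubernetesAuthentication(VaultProperties vaultProperties) {
        VaultProperties.KubernetesProperties kubernetes = vaultProperties.getKubernetes();
        Assert.hasText(kubernetes.getRole(), "Role (spring.cloud.vault.kubernetes.role) must not be empty");
        Assert.hasText(kubernetes.getServiceAccountTokenFile(), "Service account token file (spring.cloud.vault.kubernetes.service-account-token-file) must not be empty");
        KubernetesAuthenticationOptions options = KubernetesAuthenticationOptions.builder()
                .path(kubernetes.getKubernetesPath())
                .role(kubernetes.getRole())
                .jwtSupplier(new KubernetesServiceAccountTokenFile(kubernetes.getServiceAccountTokenFile()))
                .build();
        return new KubernetesAuthentication(options, this.restOperations);
    }
}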
