package org.springframework.vault.authentication;

import java.beans.ConstructorProperties;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.http.HttpEntity;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.Trigger;
import org.springframework.scheduling.TriggerContext;
import org.springframework.util.Assert;
import org.springframework.vault.VaultException;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/LifecycleAwareSessionManager.class */
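/**
 * {@link SessionManager} that logs in lazily, keeps the resulting token alive through
 * scheduled self-renewal and revokes it when the bean is destroyed.
 *
 * <p>The current token lives in a single {@code volatile} field. It is written under
 * {@link #lock} during login and without the lock by the renewal task and by
 * {@link #destroy()}, so every method takes one snapshot of the field before acting on it.
 *
 * <p>None of the log statements in this class print the token itself; only Vault error
 * bodies and lease durations are logged.
 * NOTE(review): Vault error bodies are logged verbatim; confirm they cannot carry
 * sensitive values in your deployment.
 *
 * <p>This listing is decompiler output: the {@code j}/{@code j2} parameter names and the
 * widened access modifiers noted below are artefacts of decompilation.
 */
public class LifecycleAwareSessionManager implements SessionManager, DisposableBean {
    /** Default number of seconds before lease expiry at which a renewal is attempted. */
    public static final int REFRESH_PERIOD_BEFORE_EXPIRY = 5;
    private static final RefreshTrigger DEFAULT_TRIGGER = new FixedTimeoutRefreshTrigger(REFRESH_PERIOD_BEFORE_EXPIRY, TimeUnit.SECONDS);
    private static final Log logger = LogFactory.getLog(LifecycleAwareSessionManager.class);
    private final ClientAuthentication clientAuthentication;
    private final RestOperations restOperations;
    private final TaskScheduler taskScheduler;
    private final RefreshTrigger refreshTrigger;
    // Guards the login path of the double-checked locking in getSessionToken().
    private final Object lock = new Object();
    // Current session token; null means "not logged in" and triggers a login on next access.
    private volatile VaultToken token;

    /**
     * {@link RefreshTrigger} that schedules renewal a fixed amount of time before the
     * lease of the token runs out.
     */
    public static class FixedTimeoutRefreshTrigger implements RefreshTrigger {
        private final long duration;
        // Minimum remaining TTL, in milliseconds, for a renewed token to be kept.
        private final long validTtlThreshold;
        private final TimeUnit timeUnit;

        /**
         * Creates a trigger whose validity threshold is the timeout plus two seconds.
         *
         * @param j timeout before lease expiry at which renewal runs; must be {@code >= 0}
         * @param timeUnit unit of {@code j}; must not be {@code null}
         */
        public FixedTimeoutRefreshTrigger(long j, TimeUnit timeUnit) {
            Assert.isTrue(j >= 0, "Timeout duration must be greater or equal to zero");
            Assert.notNull(timeUnit, "TimeUnit must not be null");
            this.duration = j;
            this.validTtlThreshold = timeUnit.toMillis(this.duration) + 2000;
            this.timeUnit = timeUnit;
        }

        /**
         * Creates a trigger with an explicit validity threshold.
         *
         * @param j timeout before lease expiry at which renewal runs; must be {@code >= 0}
         * @param j2 validity TTL threshold, expressed in {@code timeUnit}; not range-checked here
         * @param timeUnit unit of {@code j} and {@code j2}; must not be {@code null}
         */
        public FixedTimeoutRefreshTrigger(long j, long j2, TimeUnit timeUnit) {
            Assert.isTrue(j >= 0, "Timeout duration must be greater or equal to zero");
            Assert.notNull(timeUnit, "TimeUnit must not be null");
            this.duration = j;
            this.validTtlThreshold = timeUnit.toMillis(j2);
            this.timeUnit = timeUnit;
        }

        /**
         * Computes when the next renewal should run.
         *
         * @param loginToken token whose lease duration (in seconds) drives the schedule
         * @return now plus the lease duration minus the configured timeout, but never less
         *         than one second from now
         */
        @Override
        public Date nextExecutionTime(LoginToken loginToken) {
            long oneSecondMillis = TimeUnit.SECONDS.toMillis(1L);
            long leaseMillis = TimeUnit.SECONDS.toMillis(loginToken.getLeaseDuration());
            long timeoutMillis = this.timeUnit.toMillis(this.duration);
            // The one-second floor keeps short-lived tokens from scheduling a task in the past.
            long delayMillis = Math.max(oneSecondMillis, leaseMillis - timeoutMillis);
            return new Date(System.currentTimeMillis() + delayMillis);
        }

        /**
         * @param loginToken ignored by this implementation
         * @return the validity TTL threshold in milliseconds
         */
        @Override
        public long getValidTtlThreshold(LoginToken loginToken) {
            return this.validTtlThreshold;
        }
    }

    /**
     * {@link Trigger} that yields its execution time exactly once and {@code null}
     * afterwards, so a scheduled task runs a single time.
     *
     * <p>Decompiler note: access was widened from {@code private}.
     */
    public static class OneShotTrigger implements Trigger {
        private final AtomicBoolean fired = new AtomicBoolean();
        private final Date nextExecutionTime;

        /**
         * @param triggerContext unused
         * @return the configured time on the first call, {@code null} on every later call
         */
        public Date nextExecutionTime(TriggerContext triggerContext) {
            // compareAndSet makes "first call wins" hold even with concurrent callers.
            if (this.fired.compareAndSet(false, true)) {
                return this.nextExecutionTime;
            }
            return null;
        }

        /**
         * @param date the single execution time handed out by this trigger
         */
        @ConstructorProperties({"nextExecutionTime"})
        public OneShotTrigger(Date date) {
            this.nextExecutionTime = date;
        }
    }

    /** Strategy deciding when a token is renewed and how much TTL a renewed token must have. */
    public interface RefreshTrigger {
        /**
         * @param loginToken the token to renew
         * @return the point in time at which renewal should run
         */
        Date nextExecutionTime(LoginToken loginToken);

        /**
         * @param loginToken the renewed token
         * @return minimum TTL in milliseconds; {@link #renewToken()} drops tokens whose lease
         *         duration does not exceed it
         */
        long getValidTtlThreshold(LoginToken loginToken);
    }

    /**
     * Creates a session manager that renews {@link #REFRESH_PERIOD_BEFORE_EXPIRY} seconds
     * before lease expiry.
     *
     * @param clientAuthentication performs the login; must not be {@code null}
     * @param taskScheduler runs the renewal task; must not be {@code null}
     * @param restOperations used for renew-self and revoke-self calls; must not be {@code null}
     */
    public LifecycleAwareSessionManager(ClientAuthentication clientAuthentication, TaskScheduler taskScheduler, RestOperations restOperations) {
        this(clientAuthentication, taskScheduler, restOperations, DEFAULT_TRIGGER);
    }

    /**
     * Creates a session manager with a custom refresh strategy.
     *
     * @param clientAuthentication performs the login; must not be {@code null}
     * @param taskScheduler runs the renewal task; must not be {@code null}
     * @param restOperations used for renew-self and revoke-self calls; must not be {@code null}
     * @param refreshTrigger renewal timing strategy; must not be {@code null}
     */
    public LifecycleAwareSessionManager(ClientAuthentication clientAuthentication, TaskScheduler taskScheduler, RestOperations restOperations, RefreshTrigger refreshTrigger) {
        Assert.notNull(clientAuthentication, "ClientAuthentication must not be null");
        Assert.notNull(taskScheduler, "TaskScheduler must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        Assert.notNull(refreshTrigger, "RefreshTrigger must not be null");
        this.clientAuthentication = clientAuthentication;
        this.restOperations = restOperations;
        this.taskScheduler = taskScheduler;
        this.refreshTrigger = refreshTrigger;
    }

    /**
     * Forgets the current token and, if it is a {@link LoginToken}, asks Vault to revoke it.
     * Other {@link VaultToken} kinds are cleared locally but not revoked.
     */
    public void destroy() {
        VaultToken vaultToken = this.token;
        // Clear first so a pending renewal task sees no token and stops rescheduling.
        this.token = null;
        if (vaultToken instanceof LoginToken) {
            revoke(vaultToken);
        }
    }

    /**
     * Revokes the given token through {@code auth/token/revoke-self}. Revocation is best
     * effort: failures are logged and never propagated, so shutdown is not interrupted.
     * NOTE(review): after a failed revocation the token presumably stays usable until its
     * lease expires; treat the warning as an event worth alerting on.
     */
    private void revoke(VaultToken vaultToken) {
        try {
            this.restOperations.postForObject("auth/token/revoke-self", new HttpEntity<Object>(VaultHttpHeaders.from(vaultToken)), Map.class);
        } catch (HttpStatusCodeException e) {
            logger.warn(String.format("Cannot revoke VaultToken: %s", VaultResponses.getError(e.getResponseBodyAsString())));
        } catch (RestClientException e) {
            // Transport-level failures (no HTTP status) previously escaped destroy().
            logger.warn("Cannot revoke VaultToken", e);
        }
    }

    /**
     * Renews the current token through {@code auth/token/renew-self}.
     *
     * <p>When no token is held, a login is triggered instead and {@code false} is returned.
     * A renewed token is kept only if its lease duration exceeds the trigger's validity
     * threshold; otherwise the token is dropped so that the next
     * {@link #getSessionToken()} call logs in again.
     *
     * @return {@code true} if the token was renewed and kept, {@code false} if it was
     *         dropped or a login was performed instead
     * @throws VaultException on a non-4xx HTTP error or any other REST client failure
     */
    protected boolean renewToken() {
        logger.info("Renewing token");
        VaultToken vaultToken = this.token;
        if (vaultToken == null) {
            getSessionToken();
            return false;
        }
        try {
            VaultResponse response = this.restOperations.postForObject("auth/token/renew-self", new HttpEntity<Object>(VaultHttpHeaders.from(vaultToken)), VaultResponse.class);
            LoginToken renewed = LoginTokenUtil.from(response.getAuth());
            long thresholdSeconds = TimeUnit.MILLISECONDS.toSeconds(this.refreshTrigger.getValidTtlThreshold(renewed));
            if (renewed.getLeaseDuration() > thresholdSeconds) {
                this.token = renewed;
                return true;
            }
            // Reached when the renewed TTL is at or below the threshold, despite the
            // "exceeded" wording of the message. Details are included only when debug
            // logging is enabled; both variants are emitted at info level.
            if (logger.isDebugEnabled()) {
                logger.info(String.format("Token TTL (%s) exceeded validity TTL threshold (%s). Dropping token.", renewed.getLeaseDuration(), thresholdSeconds));
            } else {
                logger.info("Token TTL exceeded validity TTL threshold. Dropping token.");
            }
            this.token = null;
            return false;
        } catch (HttpStatusCodeException e) {
            // Must precede RestClientException: HttpStatusCodeException is a subtype, and
            // the decompiled order (supertype first) made this handler unreachable.
            if (!e.getStatusCode().is4xxClientError()) {
                throw new VaultException(VaultResponses.getError(e.getResponseBodyAsString()));
            }
            // A 4xx means Vault rejected the token; drop it to force a fresh login.
            logger.debug(String.format("Cannot refresh token, resetting token and performing re-login: %s", VaultResponses.getError(e.getResponseBodyAsString())));
            this.token = null;
            return false;
        } catch (RestClientException e) {
            throw new VaultException("Cannot refresh token", e);
        }
    }

    /**
     * Returns the current session token, logging in first if none is held. Login uses
     * double-checked locking on the volatile token field so that concurrent callers
     * trigger a single login.
     *
     * @return the token obtained by this call or the one already held
     */
    @Override
    public VaultToken getSessionToken() {
        VaultToken current = this.token;
        if (current == null) {
            synchronized (this.lock) {
                current = this.token;
                if (current == null) {
                    current = login();
                    this.token = current;
                    if (isTokenRenewable()) {
                        scheduleRenewal();
                    }
                }
            }
        }
        // Return the snapshot: re-reading the field could yield null if the token is
        // cleared concurrently by destroy() or a failed renewal.
        return current;
    }

    /**
     * Performs the login through the configured {@link ClientAuthentication}.
     *
     * @return the token returned by {@code clientAuthentication.login()}
     */
    protected VaultToken login() {
        return this.clientAuthentication.login();
    }

    /**
     * @return {@code true} if the current token is a {@link LoginToken} with a positive
     *         lease duration that is flagged renewable
     */
    protected boolean isTokenRenewable() {
        // Single read of the volatile field: the token may be cleared between an
        // instanceof check and a second read, which would dereference null.
        VaultToken current = this.token;
        if (!(current instanceof LoginToken)) {
            return false;
        }
        LoginToken loginToken = (LoginToken) current;
        return loginToken.getLeaseDuration() > 0 && loginToken.isRenewable();
    }

    /**
     * Schedules a one-shot renewal task for the current token. The task reschedules itself
     * only after a successful renewal; any exception is logged and ends the renewal chain
     * until the next login.
     *
     * <p>Decompiler note: access was widened from {@code private}.
     */
    public void scheduleRenewal() {
        logger.info("Scheduling Token renewal");
        Runnable renewalTask = new Runnable() {
            @Override
            public void run() {
                try {
                    if (LifecycleAwareSessionManager.this.token != null && LifecycleAwareSessionManager.this.isTokenRenewable() && LifecycleAwareSessionManager.this.renewToken()) {
                        LifecycleAwareSessionManager.this.scheduleRenewal();
                    }
                } catch (Exception e) {
                    // Caught broadly so a failed renewal is logged instead of being thrown
                    // into the scheduler.
                    LifecycleAwareSessionManager.logger.error("Cannot renew VaultToken", e);
                }
            }
        };
        VaultToken current = this.token;
        if (current != null) {
            this.taskScheduler.schedule(renewalTask, createTrigger(current));
        }
    }

    /**
     * Builds the one-shot trigger for the next renewal. The argument is cast to
     * {@link LoginToken}; callers schedule renewal only after {@link #isTokenRenewable()}
     * returned {@code true}.
     */
    private OneShotTrigger createTrigger(VaultToken vaultToken) {
        return new OneShotTrigger(this.refreshTrigger.nextExecutionTime((LoginToken) vaultToken));
    }
}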
