package org.springframework.vault.authentication;

import java.time.Duration;
import java.util.Map;
import java.util.Optional;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.http.HttpEntity;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/LifecycleAwareSessionManager.class */
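/**
 * {@link SessionManager} that logs in lazily through a {@link ClientAuthentication}, keeps the
 * resulting {@link VaultToken} in memory, schedules renewal for renewable tokens and revokes
 * the token on {@link #destroy()} when this manager obtained it as a {@link LoginToken}.
 *
 * <p>Token state lives in a single {@code volatile} field. Login is guarded by {@link #lock};
 * renewal and {@link #destroy()} write the field without taking that lock, so a caller of
 * {@link #getSessionToken()} can observe the token being dropped by a concurrent renewal.
 *
 * <p>Operational note: a failed revocation or renewal is only visible through the log
 * statements below. A token that could not be revoked stays usable in Vault until its TTL
 * runs out, so the "Cannot revoke VaultToken" warning is worth alerting on.
 */
public class LifecycleAwareSessionManager extends LifecycleAwareSessionManagerSupport implements SessionManager, DisposableBean {
    private final ClientAuthentication clientAuthentication;
    private final RestOperations restOperations;

    // Monitor guarding the login path in getSessionToken().
    private final Object lock = new Object();

    // Current token, or empty when no login happened yet or the token was dropped.
    private volatile Optional<TokenWrapper> token = Optional.empty();

    /**
     * Pairs a token with the decision whether this manager may revoke it on shutdown.
     *
     * <p>The decompiler reported that it widened this class's access from package-private
     * (loaded from LifecycleAwareSessionManager$TokenWrapper.class).
     */
    public static class TokenWrapper {
        private final VaultToken token;
        private final boolean revocable;

        /**
         * @param vaultToken the wrapped token
         * @param z {@code true} if {@link LifecycleAwareSessionManager#destroy()} should revoke the token
         */
        public TokenWrapper(VaultToken vaultToken, boolean z) {
            this.token = vaultToken;
            this.revocable = z;
        }

        /** @return the wrapped token */
        public VaultToken getToken() {
            return this.token;
        }

        /** @return whether the token is revoked when the session manager is destroyed */
        public boolean isRevocable() {
            return this.revocable;
        }
    }

    /**
     * Creates a session manager that uses the refresh trigger chosen by the superclass.
     *
     * @param clientAuthentication performs the login; must not be {@code null}
     * @param taskScheduler runs the renewal tasks; must not be {@code null}
     * @param restOperations used for the renew-self and revoke-self calls; must not be {@code null}
     */
    public LifecycleAwareSessionManager(ClientAuthentication clientAuthentication, TaskScheduler taskScheduler, RestOperations restOperations) {
        super(taskScheduler);
        Assert.notNull(clientAuthentication, "ClientAuthentication must not be null");
        Assert.notNull(taskScheduler, "TaskScheduler must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        this.clientAuthentication = clientAuthentication;
        this.restOperations = restOperations;
    }

    /**
     * Creates a session manager with an explicit refresh trigger.
     *
     * @param clientAuthentication performs the login; must not be {@code null}
     * @param taskScheduler runs the renewal tasks; must not be {@code null}
     * @param restOperations used for the renew-self and revoke-self calls; must not be {@code null}
     * @param refreshTrigger decides when renewal runs and which TTL is still acceptable; must not be {@code null}
     */
    public LifecycleAwareSessionManager(ClientAuthentication clientAuthentication, TaskScheduler taskScheduler, RestOperations restOperations, LifecycleAwareSessionManagerSupport.RefreshTrigger refreshTrigger) {
        super(taskScheduler, refreshTrigger);
        Assert.notNull(clientAuthentication, "ClientAuthentication must not be null");
        Assert.notNull(taskScheduler, "TaskScheduler must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        Assert.notNull(refreshTrigger, "RefreshTrigger must not be null");
        this.clientAuthentication = clientAuthentication;
        this.restOperations = restOperations;
    }

    /**
     * Forgets the current token and revokes it if it is marked revocable.
     *
     * <p>The field is cleared before the revoke call so the token is no longer handed out by
     * this manager, whether or not revocation succeeds. Tokens wrapped with
     * {@code revocable == false} (anything that did not come back from login as a
     * {@link LoginToken}) are left untouched in Vault.
     */
    @Override
    public void destroy() {
        Optional<TokenWrapper> current = this.token;
        this.token = Optional.empty();
        current.filter(TokenWrapper::isRevocable).map(TokenWrapper::getToken).ifPresent(this::revoke);
    }

    /**
     * Revokes the given token through {@code auth/token/revoke-self}.
     *
     * <p>Failures are logged at warn level and not propagated, so shutdown continues. The
     * token then remains valid on the Vault side until it expires.
     *
     * @param vaultToken the token to revoke; it is sent as the request's Vault token header
     */
    protected void revoke(VaultToken vaultToken) {
        try {
            this.restOperations.postForObject("auth/token/revoke-self", new HttpEntity<>(VaultHttpHeaders.from(vaultToken)), Map.class);
        } catch (HttpStatusCodeException e) {
            // Must precede the RuntimeException handler: HttpStatusCodeException is a
            // RuntimeException, so in the reverse order this branch is unreachable and the
            // HTTP status would never be reported.
            this.logger.warn(format("Cannot revoke VaultToken", e));
        } catch (RuntimeException e) {
            // The throwable is passed as the second argument; a "%s" in the message would be
            // printed literally, so it was removed.
            this.logger.warn("Cannot revoke VaultToken", e);
        }
    }

    /**
     * Renews the current token, or logs in if there is none.
     *
     * <p>Any failure drops the stored token, so the next {@link #getSessionToken()} performs
     * a fresh login instead of reusing a token that Vault rejected.
     *
     * @return {@code true} if the token was renewed and is still considered valid;
     *         {@code false} if there was no token (a login is triggered), the renewed TTL was
     *         too short, or Vault answered with a 4xx status
     * @throws VaultTokenRenewalException on a non-4xx HTTP error or any other runtime failure
     */
    protected boolean renewToken() {
        this.logger.info("Renewing token");
        Optional<TokenWrapper> current = this.token;
        if (!current.isPresent()) {
            getSessionToken();
            return false;
        }
        try {
            return doRenew(current.get());
        } catch (HttpStatusCodeException e) {
            this.token = Optional.empty();
            if (e.getStatusCode().is4xxClientError()) {
                // Client errors are logged and reported as "not renewed" rather than thrown.
                this.logger.warn(format("Cannot renew token, resetting token and performing re-login", e));
                return false;
            }
            this.logger.debug(format("Cannot renew token, resetting token and performing re-login", e));
            throw new VaultTokenRenewalException(format("Cannot renew token", e), e);
        } catch (RuntimeException e) {
            this.logger.debug(String.format("Cannot renew token, resetting token and performing re-login: %s", e.toString()));
            this.token = Optional.empty();
            throw new VaultTokenRenewalException("Cannot renew token", e);
        }
    }

    /**
     * Calls {@code auth/token/renew-self} and stores the renewed token if its lease duration
     * is above the refresh trigger's validity threshold; otherwise drops the token.
     *
     * @param tokenWrapper the token to renew; its revocable flag is carried over
     * @return {@code true} if the renewed token was stored, {@code false} if it was dropped
     */
    private boolean doRenew(TokenWrapper tokenWrapper) {
        VaultResponse response = this.restOperations.postForObject("auth/token/renew-self", new HttpEntity<>(VaultHttpHeaders.from(tokenWrapper.getToken())), VaultResponse.class);
        LoginToken renewed = LoginTokenUtil.from(response.getRequiredAuth());
        Duration validTtlThreshold = getRefreshTrigger().getValidTtlThreshold(renewed);
        if (renewed.getLeaseDuration().compareTo(validTtlThreshold) > 0) {
            this.token = Optional.of(new TokenWrapper(renewed, tokenWrapper.isRevocable()));
            return true;
        }
        // Logged at info level in both branches; the TTL values are added only when debug
        // logging is enabled.
        if (this.logger.isDebugEnabled()) {
            this.logger.info(String.format("Token TTL (%s) exceeded validity TTL threshold (%s). Dropping token.", renewed.getLeaseDuration(), validTtlThreshold));
        } else {
            this.logger.info("Token TTL exceeded validity TTL threshold. Dropping token.");
        }
        this.token = Optional.empty();
        return false;
    }

    /**
     * Returns the current token, logging in first if none is held.
     *
     * <p>Uses double-checked locking on the {@code volatile} token field so that concurrent
     * callers trigger a single login. The field is read again after the lock is released;
     * if a renewal drops the token in between, this method throws instead of returning
     * a stale value.
     *
     * @return the session token
     * @throws IllegalStateException if no token is available after the login attempt
     */
    @Override // org.springframework.vault.authentication.SessionManager
    public VaultToken getSessionToken() {
        if (!this.token.isPresent()) {
            synchronized (this.lock) {
                if (!this.token.isPresent()) {
                    doGetSessionToken();
                }
            }
        }
        return this.token.map(TokenWrapper::getToken).orElseThrow(() -> new IllegalStateException("Cannot obtain VaultToken"));
    }

    /**
     * Logs in, optionally enriches the token via self-lookup, stores it and schedules
     * renewal when the token is renewable.
     *
     * <p>Only a token returned by login as a {@link LoginToken} is marked revocable. A token
     * enriched through self-lookup is stored with {@code revocable == false}, so
     * {@link #destroy()} will not revoke it.
     */
    private void doGetSessionToken() {
        VaultToken login = this.clientAuthentication.login();
        TokenWrapper wrapper = new TokenWrapper(login, login instanceof LoginToken);
        if (isTokenSelfLookupEnabled() && !ClassUtils.isAssignableValue(LoginToken.class, login)) {
            try {
                wrapper = new TokenWrapper(LoginTokenAdapter.augmentWithSelfLookup(this.restOperations, login), false);
            } catch (VaultTokenLookupException e) {
                // Lookup failure is not fatal: the plain token is kept, without TTL
                // information, and therefore without scheduled renewal.
                this.logger.warn(String.format("Cannot enhance VaultToken to a LoginToken: %s", e.getMessage()));
            }
        }
        this.token = Optional.of(wrapper);
        if (isTokenRenewable()) {
            scheduleRenewal();
        }
    }

    /**
     * Performs a login through the configured {@link ClientAuthentication}.
     *
     * @return the token returned by the authentication
     */
    protected VaultToken login() {
        return this.clientAuthentication.login();
    }

    /**
     * @return {@code true} if the held token is a {@link LoginToken} with a non-zero lease
     *         duration that is flagged renewable; {@code false} otherwise, including when no
     *         token is held
     */
    protected boolean isTokenRenewable() {
        // Rewritten from decompiler output that referenced an undeclared type variable and an
        // undeclared synthetic local.
        return this.token.map(TokenWrapper::getToken)
                .filter(LoginToken.class::isInstance)
                .map(LoginToken.class::cast)
                .filter(loginToken -> !loginToken.getLeaseDuration().isZero() && loginToken.isRenewable())
                .isPresent();
    }

    /**
     * Schedules a one-shot renewal task for the current token. The task reschedules itself
     * after each successful renewal and stops once the token is gone, not renewable, or
     * renewal did not succeed.
     */
    private void scheduleRenewal() {
        this.logger.info("Scheduling Token renewal");
        Runnable renewalTask = () -> {
            try {
                if (this.token.isPresent() && isTokenRenewable() && renewToken()) {
                    scheduleRenewal();
                }
            } catch (Exception e) {
                // Boundary of the scheduler thread: log and end the renewal chain.
                this.logger.error("Cannot renew VaultToken", e);
            }
        };
        this.token.ifPresent(tokenWrapper -> getTaskScheduler().schedule(renewalTask, createTrigger(tokenWrapper)));
    }

    /**
     * Builds the trigger for the next renewal of the given token.
     *
     * <p>The cast assumes the wrapped token is a {@link LoginToken}. The visible callers reach
     * this method only after {@link #isTokenRenewable()} returned {@code true}, although the
     * token field is read again in between.
     */
    private LifecycleAwareSessionManagerSupport.OneShotTrigger createTrigger(TokenWrapper tokenWrapper) {
        return new LifecycleAwareSessionManagerSupport.OneShotTrigger(getRefreshTrigger().nextExecutionTime((LoginToken) tokenWrapper.getToken()));
    }

    /**
     * Formats a message from the HTTP status and the error taken from the response body.
     *
     * <p>NOTE(review): the response body text ends up in log output and in the message of
     * {@link VaultTokenRenewalException}; what {@code VaultResponses.getError} extracts from
     * the body is not visible here, so confirm it cannot carry sensitive values.
     */
    private static String format(String str, HttpStatusCodeException httpStatusCodeException) {
        return String.format("%s: Status %s %s %s", str, Integer.valueOf(httpStatusCodeException.getRawStatusCode()), httpStatusCodeException.getStatusText(), VaultResponses.getError(httpStatusCodeException.getResponseBodyAsString()));
    }
}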
