package org.springframework.cloud.config.server.environment.vault.authentication;

import org.springframework.cloud.config.server.environment.VaultEnvironmentProperties;
import org.springframework.cloud.config.server.environment.vault.SpringVaultClientAuthenticationProvider;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/cloud/config/server/environment/vault/authentication/AppRoleClientAuthenticationProvider.class */
public class AppRoleClientAuthenticationProvider extends SpringVaultClientAuthenticationProvider {
    public AppRoleClientAuthenticationProvider() {
        super(VaultEnvironmentProperties.AuthenticationMethod.APPROLE);
    }

    @Override // org.springframework.cloud.config.server.environment.vault.SpringVaultClientAuthenticationProvider
    public ClientAuthentication getClientAuthentication(VaultEnvironmentProperties vaultEnvironmentProperties, RestOperations restOperations, RestOperations restOperations2) {
        return new AppRoleAuthentication(getAppRoleAuthenticationOptions(vaultEnvironmentProperties), restOperations);
    }

    static AppRoleAuthenticationOptions getAppRoleAuthenticationOptions(VaultEnvironmentProperties vaultEnvironmentProperties) {
        VaultEnvironmentProperties.AppRoleProperties appRole = vaultEnvironmentProperties.getAppRole();
        AppRoleAuthenticationOptions.AppRoleAuthenticationOptionsBuilder path = AppRoleAuthenticationOptions.builder().path(appRole.getAppRolePath());
        if (StringUtils.hasText(appRole.getRole())) {
            path.appRole(appRole.getRole());
        }
        AppRoleAuthenticationOptions.RoleId roleId = getRoleId(vaultEnvironmentProperties, appRole);
        path.roleId(roleId).secretId(getSecretId(vaultEnvironmentProperties, appRole));
        return path.build();
    }

    private static AppRoleAuthenticationOptions.RoleId getRoleId(VaultEnvironmentProperties vaultEnvironmentProperties, VaultEnvironmentProperties.AppRoleProperties appRoleProperties) {
        if (StringUtils.hasText(appRoleProperties.getRoleId())) {
            return AppRoleAuthenticationOptions.RoleId.provided(appRoleProperties.getRoleId());
        }
        if (StringUtils.hasText(vaultEnvironmentProperties.getToken()) && StringUtils.hasText(appRoleProperties.getRole())) {
            return AppRoleAuthenticationOptions.RoleId.pull(VaultToken.of(vaultEnvironmentProperties.getToken()));
        }
        if (StringUtils.hasText(vaultEnvironmentProperties.getToken())) {
            return AppRoleAuthenticationOptions.RoleId.wrapped(VaultToken.of(vaultEnvironmentProperties.getToken()));
        }
        throw new IllegalArgumentException("Any of 'spring.cloud.config.server.vault.app-role.role-id', '.token', or '.app-role.role' and '.token' must be provided if the " + VaultEnvironmentProperties.AuthenticationMethod.APPROLE + " authentication method is specified.");
    }

    private static AppRoleAuthenticationOptions.SecretId getSecretId(VaultEnvironmentProperties vaultEnvironmentProperties, VaultEnvironmentProperties.AppRoleProperties appRoleProperties) {
        return StringUtils.hasText(appRoleProperties.getSecretId()) ? AppRoleAuthenticationOptions.SecretId.provided(appRoleProperties.getSecretId()) : (StringUtils.hasText(vaultEnvironmentProperties.getToken()) && StringUtils.hasText(appRoleProperties.getRole())) ? AppRoleAuthenticationOptions.SecretId.pull(VaultToken.of(vaultEnvironmentProperties.getToken())) : StringUtils.hasText(vaultEnvironmentProperties.getToken()) ? AppRoleAuthenticationOptions.SecretId.wrapped(VaultToken.of(vaultEnvironmentProperties.getToken())) : AppRoleAuthenticationOptions.SecretId.absent();
    }
}
