package org.wso2.carbon.securevault.azure.repository;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.EnvironmentCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.securevault.azure.commons.ConfigUtils;
import org.wso2.carbon.securevault.azure.commons.Constants;
import org.wso2.carbon.securevault.azure.exception.AzureSecretRepositoryException;

/* loaded from: input_file:org/wso2/carbon/securevault/azure/repository/SecretClientFactory.class */
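/**
 * Builds and caches the {@link SecretClient} used to read secrets from Azure Key Vault.
 *
 * <p>The client is created once, on the first call to {@link #getSecretClient(Properties)},
 * and reused afterwards. The credential used to authenticate is selected by the
 * {@code credentialType} configuration value: {@code env}, {@code mi}, {@code cli},
 * {@code file} or {@code chain}.
 *
 * <p>All state is held in static fields. {@link #getSecretClient(Properties)} is
 * {@code synchronized}; the private helpers are not, and read the static fields it populates.
 */
public class SecretClientFactory {
    private static final Log log = LogFactory.getLog(SecretClientFactory.class);
    private static final String CLIENT_ID = "clientId";
    private static final String CLIENT_SECRET_FILE_PATH = "clientSecretFilePath";
    private static final String TENANT_ID = "tenantId";
    private static final String CREDENTIAL_TYPE = "credentialType";
    private static final String CREDENTIAL_TYPE_CHAIN = "chain";
    private static final String CREDENTIAL_TYPE_CLI = "cli";
    private static final String CREDENTIAL_TYPE_ENV = "env";
    private static final String CREDENTIAL_TYPE_FILE = "file";
    private static final String CREDENTIAL_TYPE_MI = "mi";
    private static final String HTTPS_COLON_DOUBLE_SLASH = "https://";
    private static final String KEY_VAULT_NAME = "keyVaultName";
    private static final String MANAGED_IDENTITY_CLIENT_ID = "managedIdentityClientId";
    private static final String NET = "net";
    private static ConfigUtils configUtils;
    private static SecretClient secretClient;
    private static String keyVaultName;
    private static String managedIdentityClientId;
    private static Properties properties;

    /**
     * Returns the shared {@link SecretClient}, building it on first use.
     *
     * <p>Once a client exists it is returned as-is: the {@code properties2} argument of any
     * later call is ignored, so a changed vault name or credential type does not take effect
     * until the class is reloaded.
     *
     * <p>The decompiler reported that this method was package-private in the original class
     * and widened it to {@code public}.
     *
     * @param properties2 configuration from which the vault name and credential settings are read
     * @return the cached client
     * @throws AzureSecretRepositoryException if the vault name is missing or the chosen
     *         credential cannot be built
     */
    public static synchronized SecretClient getSecretClient(Properties properties2) throws AzureSecretRepositoryException {
        if (secretClient == null) {
            secretClient = buildSecretClient(properties2);
        }
        return secretClient;
    }

    /**
     * Reads the vault name from configuration and builds a client for that vault.
     *
     * <p>Side effect: stores {@code properties2}, the {@link ConfigUtils} instance, the vault
     * name and the resulting client in static fields; the credential helpers depend on the
     * first two being set here.
     *
     * @param properties2 configuration source
     * @return the newly built client
     * @throws AzureSecretRepositoryException if no vault name is configured or the credential
     *         cannot be built
     */
    private static SecretClient buildSecretClient(Properties properties2) throws AzureSecretRepositoryException {
        if (log.isDebugEnabled()) {
            log.debug("Building secret client.");
        }
        properties = properties2;
        configUtils = ConfigUtils.getInstance();
        keyVaultName = configUtils.getAzureSecretRepositoryConfig(properties, KEY_VAULT_NAME);
        if (StringUtils.isEmpty(keyVaultName)) {
            throw new AzureSecretRepositoryException("Key Vault name not provided.");
        }
        // NOTE(review): keyVaultName is concatenated into the host part of the URL with only an
        // emptiness check. A value containing '/', '@', '#' or similar would change which host
        // the client (and its access token requests) target. Consider rejecting anything that
        // is not a plain vault name before building the URL - confirm whether ConfigUtils
        // already validates it.
        String vaultUrl = HTTPS_COLON_DOUBLE_SLASH + keyVaultName + Constants.DOT + Constants.VAULT
                + Constants.DOT + Constants.AZURE + Constants.DOT + NET;
        secretClient = new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(buildChosenCredential())
                .buildClient();
        return secretClient;
    }

    /**
     * Builds the credential selected by the {@code credentialType} configuration value.
     *
     * <p>An empty, {@code chain} or unrecognised value all result in a
     * {@code DefaultAzureCredential}; only the unrecognised/empty case is logged. A mistyped
     * credential type therefore does not fail: it silently falls back to the default chain,
     * which may authenticate with a different identity than the operator intended.
     *
     * @return the credential to hand to the {@link SecretClientBuilder}
     * @throws AzureSecretRepositoryException if the {@code file} credential cannot be loaded
     */
    private static TokenCredential buildChosenCredential() throws AzureSecretRepositoryException {
        String credentialType = configUtils.getAzureSecretRepositoryConfig(properties, CREDENTIAL_TYPE);
        if (StringUtils.isEmpty(credentialType)) {
            // switch on a null String would throw; treat "not set" as "no match".
            credentialType = "";
        }
        switch (credentialType) {
            case CREDENTIAL_TYPE_ENV:
                return new EnvironmentCredentialBuilder().build();
            case CREDENTIAL_TYPE_MI:
                return new ManagedIdentityCredentialBuilder()
                        .clientId(configUtils.getAzureSecretRepositoryConfig(properties, MANAGED_IDENTITY_CLIENT_ID))
                        .build();
            case CREDENTIAL_TYPE_CLI:
                return new AzureCliCredentialBuilder().build();
            case CREDENTIAL_TYPE_FILE:
                return buildClientSecretCredential();
            default:
                if (!CREDENTIAL_TYPE_CHAIN.equals(credentialType)) {
                    log.info("Valid authentication credential type not provided. Using default chain.");
                }
                managedIdentityClientId = configUtils.getAzureSecretRepositoryConfig(properties, MANAGED_IDENTITY_CLIENT_ID);
                return new DefaultAzureCredentialBuilder()
                        .managedIdentityClientId(managedIdentityClientId)
                        .build();
        }
    }

    /**
     * Builds a client-secret credential from the configured client id, tenant id and the
     * secret stored in the file named by {@code clientSecretFilePath}.
     *
     * @return the client-secret credential
     * @throws AzureSecretRepositoryException if the secret file path is not configured, the
     *         file cannot be read, or its first line is empty
     */
    private static TokenCredential buildClientSecretCredential() throws AzureSecretRepositoryException {
        if (log.isDebugEnabled()) {
            log.debug("Authenticating to Azure Key Vault via file credentials.");
        }
        ConfigUtils config = ConfigUtils.getInstance();
        return new ClientSecretCredentialBuilder()
                .clientId(config.getAzureSecretRepositoryConfig(properties, CLIENT_ID))
                .clientSecret(readCredential(CLIENT_SECRET_FILE_PATH))
                .tenantId(config.getAzureSecretRepositoryConfig(properties, TENANT_ID))
                .build();
    }

    /**
     * Reads a credential from the first line of the file whose path is stored under
     * {@code configKey} in the configuration.
     *
     * <p>Only the first line is read and it is returned untrimmed. The exception messages
     * contain the configuration key (with CR/LF stripped), never the file path or its content.
     *
     * <p>The {@code PATH_TRAVERSAL_IN} finding is suppressed because the path is taken from
     * configuration rather than from a request; that holds only while the configuration is
     * writable by operators alone. The file itself should be readable only by the account
     * running the server. The secret is returned as an immutable {@code String} and so cannot
     * be wiped from memory after use.
     *
     * @param configKey configuration key that holds the path of the credential file
     * @return the first line of the file
     * @throws AzureSecretRepositoryException if the key has no value, the file cannot be read,
     *         or the first line is empty
     */
    @SuppressFBWarnings({"PATH_TRAVERSAL_IN"})
    private static String readCredential(String configKey) throws AzureSecretRepositoryException {
        String credentialFilePath = ConfigUtils.getInstance().getAzureSecretRepositoryConfig(properties, configKey);
        if (StringUtils.isEmpty(credentialFilePath)) {
            throw new AzureSecretRepositoryException(configKey.replaceAll(Constants.CRLF_SANITATION_REGEX, "") + " not provided.");
        }
        // try-with-resources closes the reader on every path, including the
        // "empty first line" failure below.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(new FileInputStream(credentialFilePath), StandardCharsets.UTF_8))) {
            String credential = reader.readLine();
            if (StringUtils.isEmpty(credential)) {
                throw new AzureSecretRepositoryException(configKey.replaceAll(Constants.CRLF_SANITATION_REGEX, "") + " not found in file.");
            }
            return credential;
        } catch (IOException e) {
            throw new AzureSecretRepositoryException("Error while loading " + configKey.replaceAll(Constants.CRLF_SANITATION_REGEX, "") + " from file.", e);
        }
    }
}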
