package org.springframework.cloud.vault.config;

import java.net.URI;
import java.util.Collection;
import java.util.Locale;

import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.vault.config.VaultProperties;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.task.AsyncTaskExecutor;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AppIdAuthentication;
import org.springframework.vault.authentication.AppIdAuthenticationOptions;
import org.springframework.vault.authentication.AppIdUserIdMechanism;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AwsEc2Authentication;
import org.springframework.vault.authentication.AwsEc2AuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.ClientCertificateAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
import org.springframework.vault.authentication.IpAddressUserId;
import org.springframework.vault.authentication.LifecycleAwareSessionManager;
import org.springframework.vault.authentication.MacAddressUserId;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.authentication.SimpleSessionManager;
import org.springframework.vault.authentication.StaticUserId;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultClient;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;
import org.springframework.vault.config.ClientHttpRequestFactoryFactory;
import org.springframework.vault.core.DefaultVaultClientFactory;
import org.springframework.vault.core.VaultClientFactory;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.ClientOptions;
import org.springframework.vault.support.SslConfiguration;
import org.springframework.vault.support.VaultToken;

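/**
 * Bootstrap configuration for Spring Cloud Vault.
 * <p>
 * Wires, from {@link VaultProperties}, the Vault HTTP client ({@link VaultClient}), the
 * {@link ClientAuthentication} selected by {@code spring.cloud.vault.authentication}, the
 * {@link SessionManager}, a {@link VaultTemplate} and the {@link VaultPropertySourceLocator}
 * that exposes Vault secrets as property sources. Every bean is {@code @ConditionalOnMissingBean}
 * except the locator, so applications may override any piece individually.
 * <p>
 * The whole configuration is skipped when {@code spring.cloud.vault.enabled=false}.
 * Bean methods call sibling bean methods ({@link #vaultClient()} etc.) directly; inside a
 * {@code @Configuration} class those calls are routed through the container and yield the
 * singleton rather than a new instance.
 */
@EnableConfigurationProperties({VaultProperties.class, VaultGenericBackendProperties.class})
@Configuration
@ConditionalOnProperty(name = {"spring.cloud.vault.enabled"}, matchIfMissing = true)
public class VaultBootstrapConfiguration implements InitializingBean {

    /** Pool size of the default scheduler used for token renewal and lease handling. */
    private static final int DEFAULT_SCHEDULER_POOL_SIZE = 2;

    /** Thread name prefix of the default scheduler, so Vault threads are recognisable in dumps. */
    private static final String SCHEDULER_THREAD_PREFIX = "Spring-Cloud-Vault-";

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    private VaultProperties vaultProperties;

    // Collected in afterPropertiesSet() from all beans of the respective type in the context.
    private Collection<VaultSecretBackendDescriptor> vaultSecretBackendDescriptors;
    private Collection<SecretBackendMetadataFactory<? super VaultSecretBackendDescriptor>> factories;

    /**
     * Adapts a scheduler that is both an {@link AsyncTaskExecutor} and a {@link TaskScheduler}
     * to the Spring bean lifecycle: init and destroy callbacks are forwarded only when the
     * wrapped scheduler itself implements the corresponding interface.
     *
     * @param <T> scheduler type that is both an executor and a scheduler.
     */
    public static class TaskSchedulerWrapper<T extends AsyncTaskExecutor & TaskScheduler>
            implements InitializingBean, DisposableBean {

        private final T taskScheduler;

        /**
         * @param taskScheduler the scheduler to wrap.
         */
        public TaskSchedulerWrapper(T taskScheduler) {
            this.taskScheduler = taskScheduler;
        }

        /** @return the wrapped scheduler. */
        T getTaskScheduler() {
            return this.taskScheduler;
        }

        /** Forwards {@code destroy()} to the scheduler if it is a {@link DisposableBean}. */
        @Override
        public void destroy() throws Exception {
            // T is only bounded by the executor/scheduler interfaces, hence the explicit cast.
            if (this.taskScheduler instanceof DisposableBean) {
                ((DisposableBean) this.taskScheduler).destroy();
            }
        }

        /** Forwards {@code afterPropertiesSet()} to the scheduler if it is an {@link InitializingBean}. */
        @Override
        public void afterPropertiesSet() throws Exception {
            if (this.taskScheduler instanceof InitializingBean) {
                ((InitializingBean) this.taskScheduler).afterPropertiesSet();
            }
        }
    }

    /**
     * Collects all secret backend descriptors and metadata factories registered in the context;
     * both are consumed by {@link #vaultPropertySourceLocator}.
     */
    @Override
    @SuppressWarnings("unchecked") // getBeansOfType() on the raw factory type; elements are checked by the factory API
    public void afterPropertiesSet() throws Exception {
        this.vaultSecretBackendDescriptors = this.applicationContext
                .getBeansOfType(VaultSecretBackendDescriptor.class).values();
        this.factories = this.applicationContext
                .getBeansOfType(SecretBackendMetadataFactory.class).values();
    }

    /**
     * Creates the property source locator that reads secrets from Vault.
     * <p>
     * With {@code spring.cloud.vault.config.lifecycle.enabled=false} a plain
     * {@link VaultPropertySourceLocator} is returned; otherwise a
     * {@link LeasingVaultPropertySourceLocator} backed by the task scheduler, and a JVM shutdown
     * hook is registered on the context (presumably so that lease-holding beans are destroyed on
     * exit — confirm against the leasing locator).
     *
     * @param vaultOperations Vault access used by the config template.
     * @param vaultProperties Vault settings.
     * @param vaultGenericBackendProperties settings of the generic (key/value) backend.
     * @param objectFactory lazy access to the scheduler; only resolved when leasing is enabled.
     * @return the locator.
     */
    @Bean
    public VaultPropertySourceLocator vaultPropertySourceLocator(VaultOperations vaultOperations,
            VaultProperties vaultProperties, VaultGenericBackendProperties vaultGenericBackendProperties,
            ObjectFactory<TaskSchedulerWrapper<? extends TaskScheduler>> objectFactory) {

        Collection<SecretBackendMetadata> backendMetadata = SecretBackendFactories
                .createSecretBackendMetadata(this.vaultSecretBackendDescriptors, this.factories);
        VaultConfigTemplate configTemplate = new VaultConfigTemplate(vaultOperations, vaultProperties);

        if (!vaultProperties.getConfig().getLifecycle().isEnabled()) {
            return new VaultPropertySourceLocator(configTemplate, vaultProperties,
                    vaultGenericBackendProperties, backendMetadata);
        }

        this.applicationContext.registerShutdownHook();
        return new LeasingVaultPropertySourceLocator(configTemplate, vaultProperties,
                vaultGenericBackendProperties, backendMetadata, objectFactory.getObject().getTaskScheduler());
    }

    /**
     * Creates the HTTP request factory used to talk to Vault, applying the configured
     * connection/read timeouts and, if {@code spring.cloud.vault.ssl.*} is present, the key and
     * trust stores from it. Without an {@code ssl} section {@link SslConfiguration#NONE} is used
     * (no custom key/trust material; presumably the JVM defaults apply — confirm in spring-vault).
     *
     * @return the wrapped request factory.
     */
    @ConditionalOnMissingBean
    @Bean
    public AbstractVaultConfiguration.ClientFactoryWrapper clientHttpRequestFactoryWrapper() {
        ClientOptions clientOptions = new ClientOptions(this.vaultProperties.getConnectionTimeout(),
                this.vaultProperties.getReadTimeout());

        VaultProperties.Ssl ssl = this.vaultProperties.getSsl();
        SslConfiguration sslConfiguration = ssl == null
                ? SslConfiguration.NONE
                : new SslConfiguration(ssl.getKeyStore(), ssl.getKeyStorePassword(),
                        ssl.getTrustStore(), ssl.getTrustStorePassword());

        return new AbstractVaultConfiguration.ClientFactoryWrapper(
                ClientHttpRequestFactoryFactory.create(clientOptions, sslConfiguration));
    }

    /**
     * Creates the Vault client pointing at {@code spring.cloud.vault.host/port/scheme}.
     *
     * @return the client.
     */
    @ConditionalOnMissingBean
    @Bean
    public VaultClient vaultClient() {
        VaultEndpoint endpoint = new VaultEndpoint();
        endpoint.setHost(this.vaultProperties.getHost());
        endpoint.setPort(this.vaultProperties.getPort());
        endpoint.setScheme(this.vaultProperties.getScheme());
        return new VaultClient(clientHttpRequestFactoryWrapper().getClientHttpRequestFactory(), endpoint);
    }

    /**
     * @return a {@link VaultClientFactory} handing out {@link #vaultClient()}.
     */
    @ConditionalOnMissingBean
    @Bean
    public VaultClientFactory vaultClientFactory() {
        return new DefaultVaultClientFactory(vaultClient());
    }

    /**
     * Creates the {@link VaultTemplate}.
     *
     * @param clientAuthentication not used directly; presumably declared only to order bean creation
     *        after the authentication bean — confirm before removing.
     * @param sessionManager provides the session token for each request.
     * @return the template.
     */
    @ConditionalOnMissingBean
    @Bean
    public VaultTemplate vaultTemplate(ClientAuthentication clientAuthentication, SessionManager sessionManager) {
        return new VaultTemplate(vaultClientFactory(), sessionManager);
    }

    /**
     * Default scheduler used for token renewal and lease handling when no
     * {@link TaskSchedulerWrapper} bean is provided by the application.
     *
     * @return the wrapped scheduler.
     */
    @ConditionalOnMissingBean({TaskSchedulerWrapper.class})
    @Bean
    public TaskSchedulerWrapper<ThreadPoolTaskScheduler> vaultTaskScheduler() {
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setPoolSize(DEFAULT_SCHEDULER_POOL_SIZE);
        scheduler.setThreadNamePrefix(SCHEDULER_THREAD_PREFIX);
        return new TaskSchedulerWrapper<>(scheduler);
    }

    /**
     * Creates the session manager. With lifecycle support enabled a
     * {@link LifecycleAwareSessionManager} (which uses the scheduler and client, e.g. for token
     * renewal) is returned, otherwise a {@link SimpleSessionManager}.
     *
     * @param clientAuthentication obtains the session token.
     * @param objectFactory lazy access to the scheduler; only resolved when lifecycle support is on.
     * @return the session manager.
     */
    @ConditionalOnMissingBean
    @Bean
    public SessionManager sessionManager(ClientAuthentication clientAuthentication,
            ObjectFactory<TaskSchedulerWrapper<? extends AsyncTaskExecutor>> objectFactory) {

        if (this.vaultProperties.getConfig().getLifecycle().isEnabled()) {
            return new LifecycleAwareSessionManager(clientAuthentication,
                    objectFactory.getObject().getTaskScheduler(), vaultClient());
        }
        return new SimpleSessionManager(clientAuthentication);
    }

    /**
     * Selects the {@link ClientAuthentication} according to
     * {@code spring.cloud.vault.authentication}.
     * <p>
     * Assertion messages name the property that is missing but never echo its value, so a
     * misconfiguration does not leak a token into logs.
     *
     * @return the authentication.
     * @throws IllegalArgumentException if a required property for the chosen method is empty.
     * @throws UnsupportedOperationException for an authentication method without a mapping here.
     */
    @ConditionalOnMissingBean
    @Bean
    public ClientAuthentication clientAuthentication() {
        VaultClient vaultClient = vaultClient();

        switch (this.vaultProperties.getAuthentication()) {
            case TOKEN:
                Assert.hasText(this.vaultProperties.getToken(),
                        "Token (spring.cloud.vault.token) must not be empty");
                return new TokenAuthentication(this.vaultProperties.getToken());
            case APPID:
                return appIdAuthentication(this.vaultProperties, vaultClient);
            case APPROLE:
                return appRoleAuthentication(this.vaultProperties, vaultClient);
            case CERT:
                return new ClientCertificateAuthentication(vaultClient);
            case AWS_EC2:
                return awsEc2Authentication(this.vaultProperties, vaultClient);
            case CUBBYHOLE:
                return cubbyholeAuthentication(vaultClient);
            default:
                throw new UnsupportedOperationException(String.format(
                        "Client authentication %s not supported", this.vaultProperties.getAuthentication()));
        }
    }

    /**
     * Builds AppID authentication from {@code spring.cloud.vault.app-id.*}; the application name
     * is used as the app id and {@link #userIdMechanism} resolves how the user id is derived.
     */
    private ClientAuthentication appIdAuthentication(VaultProperties vaultProperties, VaultClient vaultClient) {
        VaultProperties.AppIdProperties appId = vaultProperties.getAppId();
        Assert.hasText(appId.getUserId(), "UserId (spring.cloud.vault.app-id.user-id) must not be empty");

        AppIdAuthenticationOptions options = AppIdAuthenticationOptions.builder()
                .appId(vaultProperties.getApplicationName())
                .path(appId.getAppIdPath())
                .userIdMechanism(userIdMechanism(appId))
                .build();
        return new AppIdAuthentication(options, vaultClient);
    }

    /**
     * Resolves the {@link AppIdUserIdMechanism} for the configured {@code user-id}, in this order:
     * <ol>
     * <li>the value names a loadable class: it is instantiated via its default constructor and
     * must implement {@link AppIdUserIdMechanism};</li>
     * <li>the value is {@code IP_ADDRESS} or {@code MAC_ADDRESS} (case-insensitive);</li>
     * <li>otherwise the value itself is used as a static user id.</li>
     * </ol>
     * Note that step 1 loads and instantiates an arbitrary class named by application
     * configuration; the value therefore carries exactly the trust of the configuration source.
     */
    private AppIdUserIdMechanism userIdMechanism(VaultProperties.AppIdProperties appIdProperties) {
        String userId = appIdProperties.getUserId();

        try {
            // A null class loader lets ClassUtils fall back to its default loader.
            return (AppIdUserIdMechanism) BeanUtils.instantiateClass(ClassUtils.forName(userId, (ClassLoader) null));
        } catch (ClassNotFoundException notAClassName) {
            // Expected for the symbolic names and for literal user ids: fall through to the lookup below.
        }

        // Locale.ROOT: under a Turkish default locale "ip_address".toUpperCase() produces a dotted
        // capital I, which would silently miss the IP_ADDRESS case and yield a StaticUserId.
        switch (userId.toUpperCase(Locale.ROOT)) {
            case VaultProperties.AppIdProperties.IP_ADDRESS:
                return new IpAddressUserId();
            case VaultProperties.AppIdProperties.MAC_ADDRESS:
                return macAddressUserId(appIdProperties.getNetworkInterface());
            default:
                return new StaticUserId(userId);
        }
    }

    /**
     * MAC-address based user id: no interface configured selects the default interface, a numeric
     * value selects the interface by index, anything else by name.
     */
    private static MacAddressUserId macAddressUserId(String networkInterface) {
        if (!StringUtils.hasText(networkInterface)) {
            return new MacAddressUserId();
        }
        try {
            return new MacAddressUserId(Integer.parseInt(networkInterface));
        } catch (NumberFormatException notAnIndex) {
            return new MacAddressUserId(networkInterface);
        }
    }

    /**
     * Builds AppRole authentication from {@code spring.cloud.vault.app-role.*}. The secret id is
     * optional and only passed when present.
     */
    private ClientAuthentication appRoleAuthentication(VaultProperties vaultProperties, VaultClient vaultClient) {
        VaultProperties.AppRoleProperties appRole = vaultProperties.getAppRole();
        Assert.hasText(appRole.getRoleId(), "RoleId (spring.cloud.vault.app-role.role-id) must not be empty");

        AppRoleAuthenticationOptions.AppRoleAuthenticationOptionsBuilder builder = AppRoleAuthenticationOptions
                .builder()
                .path(appRole.getAppRolePath())
                .roleId(appRole.getRoleId());
        if (StringUtils.hasText(appRole.getSecretId())) {
            builder = builder.secretId(appRole.getSecretId());
        }
        return new AppRoleAuthentication(builder.build(), vaultClient);
    }

    /**
     * Builds AWS EC2 authentication from {@code spring.cloud.vault.aws-ec2.*}; the identity
     * document is fetched from the configured URI with the client's RestTemplate.
     */
    private ClientAuthentication awsEc2Authentication(VaultProperties vaultProperties, VaultClient vaultClient) {
        VaultProperties.AwsEc2Properties awsEc2 = vaultProperties.getAwsEc2();

        AwsEc2AuthenticationOptions options = AwsEc2AuthenticationOptions.builder()
                .role(awsEc2.getRole())
                .path(awsEc2.getAwsEc2Path())
                .identityDocumentUri(URI.create(awsEc2.getIdentityDocument()))
                .build();
        return new AwsEc2Authentication(options, vaultClient, vaultClient.getRestTemplate());
    }

    /**
     * Builds Cubbyhole authentication: {@code spring.cloud.vault.token} is used as the initial
     * (wrapped) token that is unwrapped to obtain the real one.
     */
    private ClientAuthentication cubbyholeAuthentication(VaultClient vaultClient) {
        Assert.hasText(this.vaultProperties.getToken(),
                "Initial Token (spring.cloud.vault.token) for Cubbyhole authentication must not be empty");

        CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions.builder()
                .wrapped()
                .initialToken(VaultToken.of(this.vaultProperties.getToken()))
                .build();
        return new CubbyholeAuthentication(options, vaultClient);
    }
}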
