package org.springframework.vault.authentication;

import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.AuthenticationSteps;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/AwsEc2Authentication.class */
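/**
 * AWS-EC2 login for Vault. Reads the identity document from the URI configured in
 * {@link AwsEc2AuthenticationOptions}, and posts it as {@code pkcs7} together with a
 * {@code nonce} and an optional {@code role} to {@code auth/{mount}/login}.
 *
 * <p>The nonce is created once (on first login) and then reused for every later login of this
 * instance; the holder is an {@link AtomicReference} updated with compare-and-set, so concurrent
 * first logins agree on a single value.
 *
 * <p>Security note: in Vault's AWS EC2 auth method the nonce is what a client must present again
 * to re-authenticate for the same instance, so treat it as a credential. Do not log the login
 * request body or the nonce, and restrict who can read the configured nonce.
 */
public class AwsEc2Authentication implements ClientAuthentication, AuthenticationStepsFactory {
    private static final Log logger = LogFactory.getLog(AwsEc2Authentication.class);

    /** Sentinel for "no nonce created yet"; always compared by identity, not by content. */
    private static final char[] EMPTY = new char[0];

    private final AwsEc2AuthenticationOptions options;
    private final RestOperations vaultRestOperations;
    private final RestOperations awsMetadataRestOperations;

    /** Holds {@link #EMPTY} until the first login, then the nonce reused for all later logins. */
    private final AtomicReference<char[]> nonce;

    /**
     * Creates an authentication using {@link AwsEc2AuthenticationOptions#DEFAULT} and the same
     * {@link RestOperations} for both Vault and the AWS metadata endpoint.
     *
     * @param restOperations client used for Vault and for the identity document request
     */
    public AwsEc2Authentication(RestOperations restOperations) {
        this(AwsEc2AuthenticationOptions.DEFAULT, restOperations, restOperations);
    }

    /**
     * Creates an authentication with separate clients for Vault and the AWS metadata endpoint.
     *
     * @param awsEc2AuthenticationOptions login options, must not be {@code null}
     * @param restOperations client used to call Vault, must not be {@code null}
     * @param restOperations2 client used to fetch the identity document, must not be {@code null}
     */
    public AwsEc2Authentication(AwsEc2AuthenticationOptions awsEc2AuthenticationOptions, RestOperations restOperations, RestOperations restOperations2) {
        Assert.notNull(awsEc2AuthenticationOptions, "AwsEc2AuthenticationOptions must not be null");
        Assert.notNull(restOperations, "Vault RestOperations must not be null");
        Assert.notNull(restOperations2, "AWS Metadata RestOperations must not be null");
        this.options = awsEc2AuthenticationOptions;
        this.vaultRestOperations = restOperations;
        this.awsMetadataRestOperations = restOperations2;
        this.nonce = new AtomicReference<>(EMPTY);
    }

    /**
     * Builds the login steps for the given options with a fresh nonce holder.
     *
     * @param awsEc2AuthenticationOptions login options, must not be {@code null}
     * @return steps that fetch the identity document and log in to Vault
     */
    public static AuthenticationSteps createAuthenticationSteps(AwsEc2AuthenticationOptions awsEc2AuthenticationOptions) {
        Assert.notNull(awsEc2AuthenticationOptions, "AwsEc2AuthenticationOptions must not be null");
        return createAuthenticationSteps(awsEc2AuthenticationOptions, new AtomicReference<>(EMPTY),
                () -> doCreateNonce(awsEc2AuthenticationOptions));
    }

    /**
     * Builds the login steps: GET the identity document, strip line breaks, assemble the login
     * body and POST it to {@code auth/{mount}/login}.
     *
     * @param awsEc2AuthenticationOptions login options (identity document URI, role, mount path)
     * @param atomicReference nonce holder; filled from {@code supplier} while it still holds the
     *        empty sentinel
     * @param supplier creates the nonce on first use
     * @return the assembled authentication steps
     */
    protected static AuthenticationSteps createAuthenticationSteps(AwsEc2AuthenticationOptions awsEc2AuthenticationOptions, AtomicReference<char[]> atomicReference, Supplier<char[]> supplier) {
        return AuthenticationSteps
                .fromHttpRequest(AuthenticationSteps.HttpRequestBuilder
                        .get(awsEc2AuthenticationOptions.getIdentityDocumentUri().toString())
                        .as(String.class))
                .map(AwsEc2Authentication::stripLineBreaks)
                .map(pkcs7 -> {
                    Map<String, String> login = new HashMap<>();
                    if (StringUtils.hasText(awsEc2AuthenticationOptions.getRole())) {
                        login.put("role", awsEc2AuthenticationOptions.getRole());
                    }
                    // Identity check against the sentinel; the guard avoids invoking the
                    // supplier once a nonce has been fixed.
                    if (atomicReference.get() == EMPTY) {
                        atomicReference.compareAndSet(EMPTY, supplier.get());
                    }
                    // new String(...) copies the nonce into an immutable String that cannot be
                    // wiped afterwards; keep this map out of logs and error messages.
                    login.put("nonce", new String(atomicReference.get()));
                    login.put("pkcs7", pkcs7);
                    return login;
                })
                .login("auth/{mount}/login", awsEc2AuthenticationOptions.getPath());
    }

    /**
     * Logs in to Vault using the EC2 identity document.
     *
     * @return the Vault token from the login response
     * @throws VaultException if Vault rejects the login or the identity document cannot be read
     */
    @Override // org.springframework.vault.authentication.ClientAuthentication
    public VaultToken login() throws VaultException {
        return createTokenUsingAwsEc2();
    }

    /**
     * Returns the login flow as {@link AuthenticationSteps}, sharing this instance's nonce holder.
     *
     * @return the authentication steps for this instance's options
     */
    @Override // org.springframework.vault.authentication.AuthenticationStepsFactory
    public AuthenticationSteps getAuthenticationSteps() {
        return createAuthenticationSteps(this.options, this.nonce, this::createNonce);
    }

    /**
     * Posts the login body to Vault and converts the {@code auth} section into a token.
     *
     * @return the Vault token from the login response
     * @throws VaultException if Vault answers with an HTTP error status
     */
    private VaultToken createTokenUsingAwsEc2() {
        try {
            VaultResponse response = this.vaultRestOperations.postForObject("auth/{mount}/login", getEc2Login(),
                    VaultResponse.class, this.options.getPath());
            Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");
            if (logger.isDebugEnabled()) {
                Object metadata = response.getAuth().get("metadata");
                if (metadata instanceof Map) {
                    Map<?, ?> details = (Map<?, ?>) metadata;
                    // Fixed: the AMI placeholder previously repeated "instance_id".
                    logger.debug(String.format("Login successful using AWS-EC2 authentication for instance %s, AMI %s",
                            details.get("instance_id"), details.get("ami_id")));
                } else {
                    logger.debug("Login successful using AWS-EC2 authentication");
                }
            }
            return LoginTokenUtil.from(response.getAuth());
        } catch (HttpStatusCodeException e) {
            // Keep the HTTP exception as the cause so status and stack trace stay available.
            throw new VaultException(String.format("Cannot login using AWS-EC2: %s",
                    VaultResponses.getError(e.getResponseBodyAsString())), e);
        }
    }

    /**
     * Assembles the login body: optional {@code role}, the {@code nonce}, and the identity
     * document as {@code pkcs7} with CR and LF characters removed. {@code pkcs7} is omitted when
     * the metadata endpoint returns no text.
     *
     * <p>The returned map contains the nonce in clear text; do not log it.
     *
     * @return the login request body
     * @throws VaultException if the identity document request fails
     */
    protected Map<String, String> getEc2Login() {
        Map<String, String> login = new HashMap<>();
        if (StringUtils.hasText(this.options.getRole())) {
            login.put("role", this.options.getRole());
        }
        // Identity check against the sentinel; createNonce() runs only while no nonce is fixed.
        if (this.nonce.get() == EMPTY) {
            this.nonce.compareAndSet(EMPTY, createNonce());
        }
        login.put("nonce", new String(this.nonce.get()));
        try {
            String pkcs7 = this.awsMetadataRestOperations.getForObject(this.options.getIdentityDocumentUri(), String.class);
            if (StringUtils.hasText(pkcs7)) {
                login.put("pkcs7", stripLineBreaks(pkcs7));
            }
            return login;
        } catch (RestClientException e) {
            throw new VaultException(String.format("Cannot obtain Identity Document from %s", this.options.getIdentityDocumentUri()), e);
        }
    }

    /**
     * Creates the nonce for this instance from its options. Subclasses may override this to
     * supply the nonce differently.
     *
     * @return the nonce characters
     */
    protected char[] createNonce() {
        return doCreateNonce(this.options);
    }

    /**
     * Reads the nonce value from the given options.
     *
     * @param awsEc2AuthenticationOptions options carrying the nonce
     * @return the nonce characters as returned by the options' nonce object
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static char[] doCreateNonce(AwsEc2AuthenticationOptions awsEc2AuthenticationOptions) {
        return awsEc2AuthenticationOptions.getNonce().getValue();
    }

    /**
     * Removes carriage-return and line-feed characters from the identity document.
     *
     * <p>Uses literal {@code "\r"} and {@code "\n"}: the previous {@code replace("\\n", "")}
     * matched a backslash followed by {@code n}, so real line feeds were left in place.
     */
    private static String stripLineBreaks(String pkcs7) {
        return pkcs7.replace("\r", "").replace("\n", "");
    }
}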
