package org.springframework.vault.authentication;

import java.time.Duration;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/vault/authentication/ReactiveLifecycleAwareSessionManager.class */
public class ReactiveLifecycleAwareSessionManager extends LifecycleAwareSessionManagerSupport implements ReactiveSessionManager, DisposableBean {
    private static final Mono<TokenWrapper> EMPTY = Mono.empty();
    private static final Mono<TokenWrapper> TERMINATED = Mono.error(new TerminatedException());
    private final VaultTokenSupplier clientAuthentication;
    private final WebClient webClient;
    private volatile AtomicReference<Mono<TokenWrapper>> token;

    /* loaded from: input_file:org/springframework/vault/authentication/ReactiveLifecycleAwareSessionManager$TerminatedException.class */
    static class TerminatedException extends IllegalStateException {
        TerminatedException() {
            super("Session manager terminated");
            setStackTrace(new StackTraceElement[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/springframework/vault/authentication/ReactiveLifecycleAwareSessionManager$TokenWrapper.class */
    public static class TokenWrapper {
        private final VaultToken token;
        private final boolean revocable;

        public TokenWrapper(VaultToken vaultToken, boolean z) {
            this.token = vaultToken;
            this.revocable = z;
        }

        public VaultToken getToken() {
            return this.token;
        }

        public boolean isRevocable() {
            return this.revocable;
        }
    }

    public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier vaultTokenSupplier, TaskScheduler taskScheduler, WebClient webClient) {
        super(taskScheduler);
        this.token = new AtomicReference<>(EMPTY);
        Assert.notNull(vaultTokenSupplier, "VaultTokenSupplier must not be null");
        Assert.notNull(taskScheduler, "TaskScheduler must not be null");
        Assert.notNull(webClient, "RestOperations must not be null");
        this.clientAuthentication = vaultTokenSupplier;
        this.webClient = webClient;
    }

    public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier vaultTokenSupplier, TaskScheduler taskScheduler, WebClient webClient, LifecycleAwareSessionManagerSupport.RefreshTrigger refreshTrigger) {
        super(taskScheduler, refreshTrigger);
        this.token = new AtomicReference<>(EMPTY);
        Assert.notNull(vaultTokenSupplier, "VaultTokenSupplier must not be null");
        Assert.notNull(taskScheduler, "TaskScheduler must not be null");
        Assert.notNull(webClient, "WebClient must not be null");
        Assert.notNull(refreshTrigger, "RefreshTrigger must not be null");
        this.clientAuthentication = vaultTokenSupplier;
        this.webClient = webClient;
    }

    public void destroy() {
        Mono<TokenWrapper> mono = this.token.get();
        this.token.set(TERMINATED);
        revokeNow(mono);
    }

    protected void revokeNow(Mono<TokenWrapper> mono) {
        doRevoke(mono).block(Duration.ofSeconds(5L));
    }

    protected Mono<Void> doRevoke(Mono<TokenWrapper> mono) {
        return mono.filter((v0) -> {
            return v0.isRevocable();
        }).map((v0) -> {
            return v0.getToken();
        }).flatMap(this::revoke);
    }

    protected Mono<Void> revoke(VaultToken vaultToken) {
        return this.webClient.post().uri("auth/token/revoke-self", new Object[0]).headers(httpHeaders -> {
            httpHeaders.addAll(VaultHttpHeaders.from(vaultToken));
        }).retrieve().bodyToMono(String.class).then().onErrorResume(WebClientResponseException.class, webClientResponseException -> {
            this.logger.warn(format("Could not revoke token", webClientResponseException));
            return Mono.empty();
        }).onErrorResume(Exception.class, exc -> {
            this.logger.warn("Could not revoke token", exc);
            return Mono.empty();
        }).then();
    }

    protected Mono<VaultToken> renewToken() {
        this.logger.info("Renewing token");
        Mono<TokenWrapper> mono = this.token.get();
        return mono == TERMINATED ? mono.map((v0) -> {
            return v0.getToken();
        }) : mono == EMPTY ? getVaultToken() : mono.flatMap(this::doRenew).onErrorResume(WebClientResponseException.class, webClientResponseException -> {
            dropCurrentToken();
            if (webClientResponseException.getStatusCode().is4xxClientError()) {
                this.logger.warn(format("Cannot renew token, resetting token and performing re-login on next token access", webClientResponseException));
                return EMPTY;
            }
            this.logger.debug(format("Cannot renew token, resetting token and performing re-login on next token access", webClientResponseException));
            return Mono.error(new VaultTokenRenewalException(format("Cannot renew token", webClientResponseException), webClientResponseException));
        }).onErrorMap(th -> {
            return !VaultTokenRenewalException.class.isInstance(th);
        }, th2 -> {
            dropCurrentToken();
            this.logger.debug(String.format("Cannot renew token, resetting token and performing re-login on next token access: %s", th2.toString()));
            return new VaultTokenRenewalException("Cannot renew token", th2);
        }).map((v0) -> {
            return v0.getToken();
        });
    }

    private Mono<TokenWrapper> doRenew(TokenWrapper tokenWrapper) {
        return this.webClient.post().uri("auth/token/renew-self", new Object[0]).headers(httpHeaders -> {
            httpHeaders.putAll(VaultHttpHeaders.from(tokenWrapper.token));
        }).retrieve().bodyToMono(VaultResponse.class).flatMap(vaultResponse -> {
            LoginToken from = LoginTokenUtil.from(vaultResponse.getRequiredAuth());
            if (!isExpired(from)) {
                return Mono.just(new TokenWrapper(from, tokenWrapper.revocable));
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.info(String.format("Token TTL (%s) exceeded validity TTL threshold (%s). Dropping token.", from.getLeaseDuration(), getRefreshTrigger().getValidTtlThreshold(from)));
            } else {
                this.logger.info("Token TTL exceeded validity TTL threshold. Dropping token.");
            }
            dropCurrentToken();
            return EMPTY;
        });
    }

    private void dropCurrentToken() {
        Mono<TokenWrapper> mono = this.token.get();
        if (mono != TERMINATED) {
            this.token.compareAndSet(mono, EMPTY);
        }
    }

    @Override // org.springframework.vault.authentication.VaultTokenSupplier
    public Mono<VaultToken> getVaultToken() throws VaultException {
        Mono<TokenWrapper> mono = this.token.get();
        if (mono == EMPTY) {
            this.token.compareAndSet(mono, this.clientAuthentication.getVaultToken().flatMap(this::doSelfLookup).doOnNext(tokenWrapper -> {
                if (isTokenRenewable(tokenWrapper.getToken())) {
                    scheduleRenewal(tokenWrapper.getToken());
                }
            }).cache());
        }
        return this.token.get().map((v0) -> {
            return v0.getToken();
        });
    }

    private Mono<TokenWrapper> doSelfLookup(VaultToken vaultToken) {
        return (!isTokenSelfLookupEnabled() || ClassUtils.isAssignableValue(LoginToken.class, vaultToken)) ? Mono.just(new TokenWrapper(vaultToken, vaultToken instanceof LoginToken)) : augmentWithSelfLookup(this.webClient, vaultToken).onErrorResume(th -> {
            this.logger.warn(String.format("Cannot enhance VaultToken to a LoginToken: %s", th.getMessage()));
            return Mono.just(vaultToken);
        }).map(vaultToken2 -> {
            return new TokenWrapper(vaultToken2, false);
        });
    }

    protected boolean isTokenRenewable(VaultToken vaultToken) {
        Optional of = Optional.of(vaultToken);
        Class<LoginToken> cls = LoginToken.class;
        LoginToken.class.getClass();
        return of.filter((v1) -> {
            return r1.isInstance(v1);
        }).filter(vaultToken2 -> {
            LoginToken loginToken = (LoginToken) vaultToken2;
            return !loginToken.getLeaseDuration().isZero() && loginToken.isRenewable();
        }).isPresent();
    }

    private void scheduleRenewal(VaultToken vaultToken) {
        this.logger.info("Scheduling Token renewal");
        getTaskScheduler().schedule(() -> {
            try {
                Mono<TokenWrapper> mono = this.token.get();
                if (mono == EMPTY || mono == TERMINATED) {
                    return;
                }
                if (isTokenRenewable(vaultToken)) {
                    renewToken().subscribe(this::scheduleRenewal, th -> {
                        this.logger.error("Cannot renew VaultToken", th);
                    });
                }
            } catch (Exception e) {
                this.logger.error("Cannot renew VaultToken", e);
            }
        }, createTrigger(vaultToken));
    }

    private LifecycleAwareSessionManagerSupport.OneShotTrigger createTrigger(VaultToken vaultToken) {
        return new LifecycleAwareSessionManagerSupport.OneShotTrigger(getRefreshTrigger().nextExecutionTime((LoginToken) vaultToken));
    }

    private static Mono<VaultToken> augmentWithSelfLookup(WebClient webClient, VaultToken vaultToken) {
        return lookupSelf(webClient, vaultToken).map(map -> {
            Boolean bool = (Boolean) map.get("renewable");
            Number number = (Number) map.get("ttl");
            return (bool == null || !bool.booleanValue()) ? LoginToken.of(vaultToken.toCharArray(), LoginTokenAdapter.getLeaseDuration(number)) : LoginToken.renewable(vaultToken.toCharArray(), LoginTokenAdapter.getLeaseDuration(number));
        });
    }

    private static Mono<Map<String, Object>> lookupSelf(WebClient webClient, VaultToken vaultToken) {
        return webClient.get().uri("auth/token/lookup-self", new Object[0]).headers(httpHeaders -> {
            httpHeaders.putAll(VaultHttpHeaders.from(vaultToken));
        }).retrieve().bodyToMono(VaultResponse.class).map(vaultResponse -> {
            Assert.state(vaultResponse.getData() != null, "Token response is null");
            return vaultResponse.getRequiredData();
        }).onErrorMap(WebClientResponseException.class, webClientResponseException -> {
            return new VaultTokenLookupException(format("Token self-lookup", webClientResponseException), webClientResponseException);
        });
    }

    private static String format(String str, WebClientResponseException webClientResponseException) {
        return String.format("%s: Status %s %s %s", str, Integer.valueOf(webClientResponseException.getRawStatusCode()), webClientResponseException.getStatusText(), VaultResponses.getError(webClientResponseException.getResponseBodyAsString()));
    }
}
