package org.apache.knox.gateway.backend.hashicorp.vault;

import java.net.URI;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.Set;
import org.apache.knox.gateway.backend.hashicorp.vault.authentication.HashicorpVaultClientAuthenticationProvider;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.AbstractAliasService;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.util.PasswordUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultVersionedKeyValueOperations;
import org.springframework.vault.support.Versioned;

/* loaded from: input_file:org/apache/knox/gateway/backend/hashicorp/vault/HashicorpVaultAliasService.class */
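/**
 * {@link AliasService} backed by a HashiCorp Vault KV (versioned) secrets engine.
 *
 * <p>Each alias is stored as its own secret at
 * {@code <path.prefix><cluster>/<alias>} with the password under the
 * {@value #KEY} key. Gateway-wide aliases live under the pseudo-cluster
 * {@value #GATEWAY_CLUSTER}. Vault connection settings are taken from the
 * gateway's remote alias service configuration, keyed by
 * {@value #VAULT_CONFIG_PREFIX}; client authentication is delegated to the
 * {@link HashicorpVaultClientAuthenticationProvider} discovered via
 * {@link ServiceLoader} whose type matches the configured authentication type.
 * The local alias service passed to the constructor is handed to that provider
 * (presumably so it can resolve its own credentials from the local store).
 *
 * <p>Certificates are not supported by this backend;
 * {@link #getCertificateForGateway(String)} always fails.
 */
public class HashicorpVaultAliasService extends AbstractAliasService {
    public static final String TYPE = "hashicorp.vault";
    public static final String VAULT_CONFIG_PREFIX = "hashicorp.vault.";
    public static final String VAULT_ADDRESS_KEY = "hashicorp.vault.address";
    /** Key inside each secret's data map under which the alias password is stored. */
    private static final String KEY = "data";
    static final String VAULT_SEPARATOR = "/";
    static final String VAULT_SECRETS_ENGINE_KEY = "hashicorp.vault.secrets.engine";
    static final String VAULT_PATH_PREFIX_KEY = "hashicorp.vault.path.prefix";
    /** Pseudo-cluster name under which gateway-level aliases are stored. */
    private static final String GATEWAY_CLUSTER = "__gateway";
    private final AliasService localAliasService;
    private VaultVersionedKeyValueOperations vault;
    private String vaultPathPrefix;
    private GatewayConfig config;

    /**
     * @param aliasService the local alias service, passed through to the
     *                     Vault client authentication provider
     */
    public HashicorpVaultAliasService(AliasService aliasService) {
        this.localAliasService = aliasService;
    }

    /** Vault path of a cluster's alias folder: {@code <prefix><clusterName>}. */
    private String getPath(String clusterName) {
        // NOTE(review): clusterName is spliced into the Vault path unescaped. A
        // name containing "/" or ".." addresses a different location; callers
        // are assumed to validate names before they get here — confirm.
        return this.vaultPathPrefix + clusterName;
    }

    /** Vault path of one alias secret: {@code <prefix><clusterName>/<alias>}. */
    private String getPath(String clusterName, String alias) {
        // Same caveat as above applies to alias.
        return getPath(clusterName) + VAULT_SEPARATOR + alias;
    }

    /**
     * Lists the aliases of a cluster for which a password can actually be read.
     *
     * <p>Entries returned by Vault's list that have no readable password value
     * are dropped, so the result only contains aliases usable with
     * {@link #getPasswordFromAliasForCluster(String, String)}. Note this costs
     * one Vault read per listed entry.
     *
     * @return the usable aliases; an empty list when the folder does not exist
     * @throws AliasServiceException on any Vault error
     */
    public List<String> getAliasesForCluster(String clusterName) throws AliasServiceException {
        try {
            List<String> listed = this.vault.list(getPath(clusterName));
            if (listed == null) {
                return Collections.emptyList();
            }
            // Copy into a fresh list: the list returned by the client is not
            // guaranteed to be mutable, and Iterator.remove() on an unmodifiable
            // list would throw UnsupportedOperationException.
            List<String> aliases = new ArrayList<>(listed.size());
            for (String alias : listed) {
                if (getPasswordFromAliasForCluster(clusterName, alias) != null) {
                    aliases.add(alias);
                }
            }
            return aliases;
        } catch (VaultException e) {
            throw new AliasServiceException(e);
        }
    }

    /**
     * Writes (or overwrites, creating a new version) the password of one alias.
     *
     * @throws AliasServiceException on any Vault error
     */
    public void addAliasForCluster(String clusterName, String alias, String value) throws AliasServiceException {
        try {
            this.vault.put(getPath(clusterName, alias), Collections.singletonMap(KEY, value));
        } catch (VaultException e) {
            throw new AliasServiceException(e);
        }
    }

    /**
     * Writes several aliases one by one. This is not atomic: if a write fails,
     * the aliases written before it remain in Vault.
     *
     * @throws AliasServiceException on the first Vault error
     */
    public void addAliasesForCluster(String clusterName, Map<String, String> aliases) throws AliasServiceException {
        for (Map.Entry<String, String> entry : aliases.entrySet()) {
            addAliasForCluster(clusterName, entry.getKey(), entry.getValue());
        }
    }

    /**
     * Deletes one alias secret.
     *
     * @throws AliasServiceException on any Vault error
     */
    public void removeAliasForCluster(String clusterName, String alias) throws AliasServiceException {
        try {
            this.vault.delete(getPath(clusterName, alias));
        } catch (VaultException e) {
            throw new AliasServiceException(e);
        }
    }

    /**
     * Deletes several aliases one by one; not atomic, see
     * {@link #addAliasesForCluster(String, Map)}.
     *
     * @throws AliasServiceException on the first Vault error
     */
    public void removeAliasesForCluster(String clusterName, Set<String> aliases) throws AliasServiceException {
        for (String alias : aliases) {
            removeAliasForCluster(clusterName, alias);
        }
    }

    /**
     * Reads the password stored for an alias.
     *
     * @return the password, or {@code null} when the secret does not exist,
     *         has no data, or carries no (non-null) {@value #KEY} value
     * @throws AliasServiceException on any Vault error
     */
    public char[] getPasswordFromAliasForCluster(String clusterName, String alias) throws AliasServiceException {
        try {
            Versioned<Map<String, Object>> versioned = this.vault.get(getPath(clusterName, alias));
            if (versioned == null || !versioned.hasData()) {
                return null;
            }
            Map<String, Object> data = versioned.getData();
            if (data == null) {
                return null;
            }
            Object value = data.get(KEY);
            // Treat an explicit null value as "absent". Previously a present key
            // with a null value went through String.valueOf(null) and came back
            // as the literal password "null".
            if (value == null) {
                return null;
            }
            return String.valueOf(value).toCharArray();
        } catch (VaultException e) {
            throw new AliasServiceException(e);
        }
    }

    /**
     * Reads an alias password, optionally generating and storing a random one
     * when it is missing.
     *
     * <p>The generate-then-read is not atomic; two gateways racing on the same
     * missing alias may each write a different value and the last write wins.
     *
     * @param generate when {@code true} and the alias is missing, create it
     * @return the (possibly freshly generated) password, or {@code null} when
     *         missing and {@code generate} is {@code false}
     * @throws AliasServiceException on any Vault error
     */
    public char[] getPasswordFromAliasForCluster(String clusterName, String alias, boolean generate) throws AliasServiceException {
        char[] password = getPasswordFromAliasForCluster(clusterName, alias);
        if (password == null && generate) {
            generateAliasForCluster(clusterName, alias);
            password = getPasswordFromAliasForCluster(clusterName, alias);
        }
        return password;
    }

    /**
     * Stores a newly generated 16-character password for the alias.
     *
     * @throws AliasServiceException on any Vault error
     */
    public void generateAliasForCluster(String clusterName, String alias) throws AliasServiceException {
        addAliasForCluster(clusterName, alias, PasswordUtils.generatePassword(16));
    }

    /** Gateway-level alias lookup; see {@link #getPasswordFromAliasForCluster(String, String)}. */
    public char[] getPasswordFromAliasForGateway(String alias) throws AliasServiceException {
        return getPasswordFromAliasForCluster(GATEWAY_CLUSTER, alias);
    }

    public char[] getGatewayIdentityPassphrase() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getIdentityKeyPassphraseAlias());
    }

    public char[] getGatewayIdentityKeystorePassword() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getIdentityKeystorePasswordAlias());
    }

    public char[] getSigningKeyPassphrase() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getSigningKeyPassphraseAlias());
    }

    public char[] getSigningKeystorePassword() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getSigningKeystorePasswordAlias());
    }

    /** Gateway-level alias generation; see {@link #generateAliasForCluster(String, String)}. */
    public void generateAliasForGateway(String alias) throws AliasServiceException {
        generateAliasForCluster(GATEWAY_CLUSTER, alias);
    }

    /**
     * Not supported by the Vault backend.
     *
     * @throws AliasServiceException always, wrapping an
     *         {@link UnsupportedOperationException}
     */
    public Certificate getCertificateForGateway(String alias) throws AliasServiceException {
        throw new AliasServiceException(new UnsupportedOperationException());
    }

    /**
     * Builds the Vault client from the {@value #VAULT_CONFIG_PREFIX}-prefixed
     * entries of the gateway's remote alias service configuration.
     *
     * <p>Required keys: {@value #VAULT_ADDRESS_KEY},
     * {@value #VAULT_SECRETS_ENGINE_KEY} and the authentication type key of
     * {@link HashicorpVaultClientAuthenticationProvider}. A missing key now
     * fails with a message naming it instead of an opaque NPE.
     *
     * @param options unused; only the gateway config is consulted
     * @throws ServiceLifecycleException when the configuration is incomplete or
     *         the client cannot be constructed
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> options) throws ServiceLifecycleException {
        this.config = gatewayConfig;
        Map<String, String> remoteConfig = gatewayConfig.getRemoteAliasServiceConfiguration();
        Map<String, String> vaultConfig = new HashMap<>();
        if (remoteConfig != null) {
            for (Map.Entry<String, String> entry : remoteConfig.entrySet()) {
                String key = entry.getKey();
                if (key != null && key.startsWith(VAULT_CONFIG_PREFIX)) {
                    vaultConfig.put(key, entry.getValue());
                }
            }
        }
        String address = vaultConfig.get(VAULT_ADDRESS_KEY);
        String secretsEngine = vaultConfig.get(VAULT_SECRETS_ENGINE_KEY);
        this.vaultPathPrefix = getVaultPathPrefix(vaultConfig);
        try {
            if (address == null || address.isEmpty()) {
                throw new IllegalStateException("Missing required configuration: " + VAULT_ADDRESS_KEY);
            }
            if (secretsEngine == null || secretsEngine.isEmpty()) {
                throw new IllegalStateException("Missing required configuration: " + VAULT_SECRETS_ENGINE_KEY);
            }
            // NOTE(review): the endpoint scheme is not checked. Over plain http://
            // the Vault token and every alias password would cross the wire in
            // clear text; deployments are expected to use https:// — confirm.
            VaultEndpoint endpoint = VaultEndpoint.from(new URI(address));
            this.vault = new VaultTemplate(endpoint, getClientAuthentication(vaultConfig))
                    .opsForVersionedKeyValue(secretsEngine);
        } catch (Exception e) {
            throw new ServiceLifecycleException("Failed to init", e);
        }
    }

    /**
     * Normalises the configured path prefix to the form {@code segment/}: no
     * leading separator (the secrets-engine mount is the root) and exactly one
     * trailing separator. Absent prefix yields {@code ""}.
     */
    private String getVaultPathPrefix(Map<String, String> vaultConfig) {
        String prefix = vaultConfig.get(VAULT_PATH_PREFIX_KEY);
        if (prefix == null) {
            return "";
        }
        if (prefix.startsWith(VAULT_SEPARATOR)) {
            prefix = prefix.substring(VAULT_SEPARATOR.length());
        }
        return prefix.endsWith(VAULT_SEPARATOR) ? prefix : prefix + VAULT_SEPARATOR;
    }

    /**
     * Finds the {@link HashicorpVaultClientAuthenticationProvider} whose type
     * equals the configured authentication type and asks it for a
     * {@link ClientAuthentication}.
     *
     * @throws IllegalStateException when the type is not configured or no
     *         provider matches it
     * @throws Exception whatever the provider throws while creating the instance
     */
    private ClientAuthentication getClientAuthentication(Map<String, String> vaultConfig) throws Exception {
        String authType = vaultConfig.get(HashicorpVaultClientAuthenticationProvider.AUTHENTICATION_TYPE_KEY);
        if (authType == null) {
            throw new IllegalStateException("Missing required configuration: "
                    + HashicorpVaultClientAuthenticationProvider.AUTHENTICATION_TYPE_KEY);
        }
        for (HashicorpVaultClientAuthenticationProvider provider
                : ServiceLoader.load(HashicorpVaultClientAuthenticationProvider.class)) {
            if (authType.equals(provider.getType())) {
                return provider.newInstance(this.localAliasService, vaultConfig);
            }
        }
        throw new IllegalStateException("Not able to find client authentication provider");
    }

    /** Nothing to do; the client is created in {@link #init(GatewayConfig, Map)}. */
    public void start() throws ServiceLifecycleException {
    }

    /** Nothing to do; the Vault client holds no resources that need explicit release here. */
    public void stop() throws ServiceLifecycleException {
    }
}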
