package io.scalecube.security.vault;

import com.bettercloud.vault.json.Json;
import com.bettercloud.vault.rest.Rest;
import com.bettercloud.vault.rest.RestException;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import java.util.StringJoiner;
import java.util.function.Function;
import java.util.function.Supplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import reactor.core.Exceptions;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

/* loaded from: input_file:io/scalecube/security/vault/VaultServiceRolesInstaller.class */
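/**
 * Installs an OIDC identity key and a set of identity roles into Vault, driven by a YAML
 * descriptor ({@code service-roles.yaml} by default) read from the classpath.
 *
 * <p>Instances are immutable: every fluent setter returns a modified copy, so a partially
 * configured installer can be shared and specialised without interference.
 *
 * <p>{@link #install()} is a no-op when no Vault address is configured (or it is one of the
 * placeholders {@code "none"}/{@code "null"}/{@code ""}), when the descriptor is absent, or when
 * it declares no roles. Otherwise it creates one key named by {@code keyNameSupplier} and one
 * role per descriptor entry, with role names derived through {@code roleNameBuilder}.
 */
public final class VaultServiceRolesInstaller {
    private static final Logger LOGGER = LoggerFactory.getLogger(VaultServiceRolesInstaller.class);
    private static final String VAULT_TOKEN_HEADER = "X-Vault-Token";

    // Vault API paths, appended to the configured address.
    private static final String IDENTITY_KEY_PATH = "/v1/identity/oidc/key";
    private static final String IDENTITY_ROLE_PATH = "/v1/identity/oidc/role";

    // Defaults are held in one place so the two constructors cannot drift apart.
    private static final String DEFAULT_INPUT_FILE_NAME = "service-roles.yaml";
    private static final String DEFAULT_KEY_ALGORITHM = "RS256";
    private static final String DEFAULT_KEY_ROTATION_PERIOD = "1h";
    private static final String DEFAULT_KEY_VERIFICATION_TTL = "1h";
    private static final String DEFAULT_ROLE_TTL = "1m";

    private String vaultAddress;
    private Mono<String> vaultTokenSupplier;
    private Supplier<String> keyNameSupplier;
    private Function<String, String> roleNameBuilder;
    private String inputFileName = DEFAULT_INPUT_FILE_NAME;
    private String keyAlgorithm = DEFAULT_KEY_ALGORITHM;
    private String keyRotationPeriod = DEFAULT_KEY_ROTATION_PERIOD;
    private String keyVerificationTtl = DEFAULT_KEY_VERIFICATION_TTL;
    private String roleTtl = DEFAULT_ROLE_TTL;

    /**
     * Root of the YAML descriptor: a list of roles to install. Mutable bean shape is required by
     * the SnakeYAML bean constructor.
     */
    public static class ServiceRoles {
        private List<Role> roles;

        /** One role entry of the descriptor: a role name and the permissions it grants. */
        public static class Role {
            private String role;
            private List<String> permissions;

            /** Returns the role name as written in the descriptor. */
            public String getRole() {
                return this.role;
            }

            /** Sets the role name; invoked by the YAML bean constructor. */
            public void setRole(String role) {
                this.role = role;
            }

            /** Returns the permissions list as written in the descriptor (may be {@code null}). */
            public List<String> getPermissions() {
                return this.permissions;
            }

            /** Sets the permissions; invoked by the YAML bean constructor. */
            public void setPermissions(List<String> permissions) {
                this.permissions = permissions;
            }
        }

        /** Returns the declared roles (may be {@code null} if the key is absent). */
        public List<Role> getRoles() {
            return this.roles;
        }

        /** Sets the roles; invoked by the YAML bean constructor. */
        public void setRoles(List<Role> roles) {
            this.roles = roles;
        }
    }

    /** Creates an installer with default file name, algorithm, periods and TTLs. */
    public VaultServiceRolesInstaller() {
        // Defaults come from the field initialisers.
    }

    /**
     * Copy constructor backing the fluent setters.
     *
     * @param other instance whose configuration is copied verbatim
     */
    private VaultServiceRolesInstaller(VaultServiceRolesInstaller other) {
        this.vaultAddress = other.vaultAddress;
        this.vaultTokenSupplier = other.vaultTokenSupplier;
        this.keyNameSupplier = other.keyNameSupplier;
        this.roleNameBuilder = other.roleNameBuilder;
        this.inputFileName = other.inputFileName;
        this.keyAlgorithm = other.keyAlgorithm;
        this.keyRotationPeriod = other.keyRotationPeriod;
        this.keyVerificationTtl = other.keyVerificationTtl;
        this.roleTtl = other.roleTtl;
    }

    private VaultServiceRolesInstaller copy() {
        return new VaultServiceRolesInstaller(this);
    }

    /**
     * Sets the Vault base address (scheme, host, port). Placeholders {@code "none"}, {@code
     * "null"} and the empty string disable installation.
     *
     * @param vaultAddress Vault address
     * @return a copy with the address applied
     */
    public VaultServiceRolesInstaller vaultAddress(String vaultAddress) {
        VaultServiceRolesInstaller copy = copy();
        copy.vaultAddress = vaultAddress;
        return copy;
    }

    /**
     * Sets the source of the Vault token sent in the {@code X-Vault-Token} header.
     *
     * @param vaultTokenSupplier mono emitting the token; subscribed once per {@link #install()}
     * @return a copy with the supplier applied
     */
    public VaultServiceRolesInstaller vaultTokenSupplier(Mono<String> vaultTokenSupplier) {
        VaultServiceRolesInstaller copy = copy();
        copy.vaultTokenSupplier = vaultTokenSupplier;
        return copy;
    }

    /**
     * Sets the supplier of the OIDC key name to create and to reference from every role.
     *
     * @param keyNameSupplier key name supplier
     * @return a copy with the supplier applied
     */
    public VaultServiceRolesInstaller keyNameSupplier(Supplier<String> keyNameSupplier) {
        VaultServiceRolesInstaller copy = copy();
        copy.keyNameSupplier = keyNameSupplier;
        return copy;
    }

    /**
     * Sets the function mapping a descriptor role name to the Vault role name.
     *
     * @param roleNameBuilder role name mapping
     * @return a copy with the mapping applied
     */
    public VaultServiceRolesInstaller roleNameBuilder(Function<String, String> roleNameBuilder) {
        VaultServiceRolesInstaller copy = copy();
        copy.roleNameBuilder = roleNameBuilder;
        return copy;
    }

    /**
     * Sets the classpath resource name of the YAML descriptor.
     *
     * @param inputFileName resource name, default {@code service-roles.yaml}
     * @return a copy with the file name applied
     */
    public VaultServiceRolesInstaller inputFileName(String inputFileName) {
        VaultServiceRolesInstaller copy = copy();
        copy.inputFileName = inputFileName;
        return copy;
    }

    /**
     * Sets the signing algorithm of the OIDC key.
     *
     * @param keyAlgorithm algorithm name, default {@code RS256}
     * @return a copy with the algorithm applied
     */
    public VaultServiceRolesInstaller keyAlgorithm(String keyAlgorithm) {
        VaultServiceRolesInstaller copy = copy();
        copy.keyAlgorithm = keyAlgorithm;
        return copy;
    }

    /**
     * Sets the OIDC key rotation period.
     *
     * @param keyRotationPeriod Vault duration string, default {@code 1h}
     * @return a copy with the period applied
     */
    public VaultServiceRolesInstaller keyRotationPeriod(String keyRotationPeriod) {
        VaultServiceRolesInstaller copy = copy();
        copy.keyRotationPeriod = keyRotationPeriod;
        return copy;
    }

    /**
     * Sets how long a rotated-out key remains valid for verification.
     *
     * @param keyVerificationTtl Vault duration string, default {@code 1h}
     * @return a copy with the TTL applied
     */
    public VaultServiceRolesInstaller keyVerificationTtl(String keyVerificationTtl) {
        VaultServiceRolesInstaller copy = copy();
        copy.keyVerificationTtl = keyVerificationTtl;
        return copy;
    }

    /**
     * Sets the TTL of tokens issued for the installed roles.
     *
     * @param roleTtl Vault duration string, default {@code 1m}
     * @return a copy with the TTL applied
     */
    public VaultServiceRolesInstaller roleTtl(String roleTtl) {
        VaultServiceRolesInstaller copy = copy();
        copy.roleTtl = roleTtl;
        return copy;
    }

    /**
     * Performs the installation on the bounded-elastic scheduler (the Vault calls block).
     *
     * @return a mono completing when the key and all roles have been created, or erroring with
     *     {@link IllegalStateException} on an unexpected Vault status or a propagated
     *     {@link RestException} on transport failure
     */
    public Mono<Void> install() {
        return Mono.defer(this::install0)
            .subscribeOn(Schedulers.boundedElastic())
            .doOnSubscribe(s -> LOGGER.debug("[install] Installing vault service roles"))
            .doOnSuccess(r -> LOGGER.debug("[install][success] Installed vault service roles"))
            .doOnError(
                th ->
                    LOGGER.error(
                        "[install][error] Failed to install vault service roles, cause: {}",
                        th.toString()))
            .then();
    }

    /**
     * Decides whether anything needs installing and, if so, resolves the token and issues the
     * Vault calls sequentially: key first, then one role per descriptor entry.
     */
    private Mono<Void> install0() {
        if (isNullOrNoneOrEmpty(vaultAddress)) {
            return Mono.empty();
        }
        ServiceRoles serviceRoles = loadServiceRoles();
        // Missing descriptor, or a descriptor whose "roles" key is absent or empty: nothing to do.
        if (serviceRoles == null || serviceRoles.roles == null || serviceRoles.roles.isEmpty()) {
            return Mono.empty();
        }
        // Fail with a descriptive message rather than an NPE deep inside the reactive chain.
        Objects.requireNonNull(vaultTokenSupplier, "vaultTokenSupplier");
        Objects.requireNonNull(keyNameSupplier, "keyNameSupplier");
        Objects.requireNonNull(roleNameBuilder, "roleNameBuilder");
        return Mono.defer(() -> vaultTokenSupplier)
            .doOnSuccess(
                token -> {
                    // The same Rest instance is reused for every call; url() and body() are set
                    // anew before each post(). The calls below block, which is acceptable only
                    // because install() subscribes on the bounded-elastic scheduler.
                    Rest rest = new Rest().header(VAULT_TOKEN_HEADER, token);
                    String keyName = keyNameSupplier.get();
                    createVaultIdentityKey(rest.url(buildVaultIdentityKeyUri(keyName)), keyName);
                    for (ServiceRoles.Role role : serviceRoles.roles) {
                        String roleName = roleNameBuilder.apply(role.role);
                        createVaultIdentityRole(
                            rest.url(buildVaultIdentityRoleUri(roleName)),
                            keyName,
                            roleName,
                            role.permissions);
                    }
                })
            .then();
    }

    /**
     * Loads the YAML descriptor from the context class loader.
     *
     * @return the parsed descriptor, or {@code null} when the resource does not exist
     * @throws UncheckedIOException if closing the resource stream fails
     */
    private ServiceRoles loadServiceRoles() {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        try (InputStream in = loader.getResourceAsStream(inputFileName)) {
            if (in == null) {
                return null;
            }
            // The descriptor is an application-shipped classpath resource. SnakeYAML's Constructor
            // will instantiate any class named by a tag, so this loader must never be pointed at
            // data supplied from outside the deployment.
            return new Yaml(new Constructor(ServiceRoles.class)).load(in);
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to read " + inputFileName, e);
        }
    }

    /**
     * Accepts 200 and 204; any other status is logged and turned into an exception.
     *
     * @param status HTTP status returned by Vault
     * @param operation name of the calling operation, for the log line
     * @throws IllegalStateException on any status other than 200/204
     */
    private static void verifyOk(int status, String operation) {
        if (status == 200 || status == 204) {
            return;
        }
        LOGGER.error("Not expected status ({}) returned on [{}]", status, operation);
        throw new IllegalStateException("Not expected status returned, status=" + status);
    }

    /**
     * Creates (or updates) the OIDC key with the configured algorithm, rotation period and
     * verification TTL.
     *
     * @param rest client already pointed at the key URI and carrying the token header
     * @param keyName key name, for logging only (the URI already names the key)
     */
    private void createVaultIdentityKey(Rest rest, String keyName) {
        LOGGER.debug("[createVaultIdentityKey] {}", keyName);
        // NOTE(review): allowed_client_ids is a wildcard, so this key is not bound to specific
        // client ids — confirm that is intended for this deployment.
        String body =
            Json.object()
                .add("rotation_period", keyRotationPeriod)
                .add("verification_ttl", keyVerificationTtl)
                .add("allowed_client_ids", "*")
                .add("algorithm", keyAlgorithm)
                .toString();
        try {
            // Explicit UTF-8: the bytes go to Vault, so the platform default charset must not
            // decide the wire encoding.
            verifyOk(
                rest.body(body.getBytes(StandardCharsets.UTF_8)).post().getStatus(),
                "createVaultIdentityKey");
        } catch (RestException e) {
            throw Exceptions.propagate(e);
        }
    }

    /**
     * Creates (or updates) one OIDC role bound to the given key.
     *
     * @param rest client already pointed at the role URI and carrying the token header
     * @param keyName name of the key the role signs with
     * @param roleName role name, for logging only (the URI already names the role)
     * @param permissions permissions embedded in the role's claim template (may be {@code null})
     */
    private void createVaultIdentityRole(
        Rest rest, String keyName, String roleName, List<String> permissions) {
        LOGGER.debug("[createVaultIdentityRole] {}", roleName);
        String body =
            Json.object()
                .add("key", keyName)
                .add("template", createTemplate(permissions))
                .add("ttl", roleTtl)
                .toString();
        try {
            verifyOk(
                rest.body(body.getBytes(StandardCharsets.UTF_8)).post().getStatus(),
                "createVaultIdentityRole");
        } catch (RestException e) {
            throw Exceptions.propagate(e);
        }
    }

    /**
     * Builds the role's claim template: the JSON object {@code {"permissions": "a,b,c"}},
     * URL-safe Base64 encoded as Vault expects for the {@code template} field.
     *
     * @param permissions permission names; {@code null} is treated as no permissions
     * @return the encoded template
     */
    private static String createTemplate(List<String> permissions) {
        String joined = permissions == null ? "" : String.join(",", permissions);
        String json = Json.object().add("permissions", joined).toString();
        return Base64.getUrlEncoder().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    private String buildVaultIdentityKeyUri(String keyName) {
        return buildUri(IDENTITY_KEY_PATH, keyName);
    }

    private String buildVaultIdentityRoleUri(String roleName) {
        return buildUri(IDENTITY_ROLE_PATH, roleName);
    }

    /**
     * Joins address, API path and resource name: {@code <vaultAddress><path>/<name>}. The name is
     * inserted verbatim, so suppliers must produce a single path segment.
     */
    private String buildUri(String path, String name) {
        return vaultAddress + path + "/" + name;
    }

    /**
     * Treats {@code null}, the placeholders {@code "none"} (any case) and {@code "null"}, and the
     * empty string as "not configured".
     */
    private static boolean isNullOrNoneOrEmpty(String value) {
        return value == null
            || "none".equalsIgnoreCase(value)
            || "null".equals(value)
            || value.isEmpty();
    }
}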
