package de.otto.messaging.kafka.e2ee.vault;

import de.otto.messaging.kafka.e2ee.vault.VaultConnectionConfig;
import io.github.jopenlibs.vault.Vault;
import io.github.jopenlibs.vault.VaultConfig;
import io.github.jopenlibs.vault.VaultException;
import io.github.jopenlibs.vault.response.AuthResponse;
import io.github.jopenlibs.vault.response.LogicalResponse;
import java.time.Instant;
import java.time.LocalDateTime;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/otto/messaging/kafka/e2ee/vault/RenewableVault.class */
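/**
 * Thin wrapper around a {@link Vault} client that logs in again via AppRole once the
 * current client token's lease has run out.
 *
 * <p>Two modes exist, selected by the constructor:
 * <ul>
 *   <li>with AppRole settings: the first {@code read} triggers a login, and every later
 *       {@code read} after the recorded lease end triggers another one;</li>
 *   <li>without AppRole settings: the supplied {@link VaultConfig} is used as-is and no
 *       login is ever attempted.</li>
 * </ul>
 *
 * <p>The client, the token-bearing config and the expiry timestamp are plain mutable
 * fields with no synchronisation, so an instance shared between threads needs external
 * locking around {@code read}.
 *
 * <p>Only the lease end time is written to the log; the client token, role id and
 * secret id are never logged and should stay that way.
 */
public class RenewableVault {
    private static final Logger log = LoggerFactory.getLogger(RenewableVault.class);

    // AppRole login parameters; null when the instance was created without them.
    private final VaultConnectionConfig.VaultAppRole appRoleConfig;
    private Vault vault;
    private VaultConfig configAuth;
    // True while another AppRole login may be attempted once the lease has ended.
    private boolean reLoginEnabled;
    // Absolute point in time (not local wall-clock time) after which a new login is due.
    private Instant authLeaseValidUntil;

    /**
     * Creates a client that authenticates through AppRole on first use and again after
     * each lease end.
     *
     * @param vaultConfig connection settings; the client token is filled in after login
     * @param vaultAppRole AppRole path, role id and secret id used for every login
     * @throws NullPointerException if either argument is {@code null}
     */
    public RenewableVault(VaultConfig vaultConfig, VaultConnectionConfig.VaultAppRole vaultAppRole) {
        Objects.requireNonNull(vaultConfig, "configAuth is required");
        Objects.requireNonNull(vaultAppRole, "appRole is required");
        this.configAuth = vaultConfig;
        this.vault = Vault.create(vaultConfig);
        this.reLoginEnabled = true;
        // Start in the past so that the very first read performs the login.
        this.authLeaseValidUntil = Instant.now().minusSeconds(5L);
        this.appRoleConfig = vaultAppRole;
    }

    /**
     * Creates a client that uses {@code vaultConfig} unchanged and never logs in.
     *
     * @param vaultConfig connection settings, presumably already carrying a token
     * @throws NullPointerException if {@code vaultConfig} is {@code null}
     */
    public RenewableVault(VaultConfig vaultConfig) {
        Objects.requireNonNull(vaultConfig, "configAuth is required");
        this.configAuth = vaultConfig;
        this.vault = Vault.create(vaultConfig);
        this.reLoginEnabled = false;
        // Never consulted while reLoginEnabled is false; kept far in the future anyway.
        this.authLeaseValidUntil = Instant.MAX;
        this.appRoleConfig = null;
    }

    /**
     * Reads the given path, logging in first when the current lease has ended.
     *
     * @param str path handed to the logical backend
     * @return the response of the underlying client
     * @throws VaultException if the login or the read fails
     */
    public LogicalResponse read(String str) throws VaultException {
        renewAuthTokenIfNeeded();
        return this.vault.logical().read(str);
    }

    /**
     * Reads the given path with an extra integer argument, logging in first when the
     * current lease has ended.
     *
     * @param str path handed to the logical backend
     * @param i forwarded as the third argument of the underlying read; presumably the
     *     secret version (confirm against the driver)
     * @return the response of the underlying client
     * @throws VaultException if the login or the read fails
     */
    public LogicalResponse read(String str, int i) throws VaultException {
        renewAuthTokenIfNeeded();
        return this.vault.logical().read(str, true, Integer.valueOf(i));
    }

    /**
     * Performs a fresh AppRole login when logins are enabled and the recorded lease end
     * has passed, then rebuilds the client with the new token.
     *
     * <p>NOTE(review): the login happens only after the lease end, with no safety
     * margin, so a read issued just before expiry can still be rejected by the server.
     *
     * @throws VaultException if the AppRole login fails; the previous state is kept
     */
    private void renewAuthTokenIfNeeded() throws VaultException {
        // Instant rather than local wall-clock time: a daylight-saving shift must not
        // make an expired token look valid for another hour (or a valid one expired).
        if (!this.reLoginEnabled || !Instant.now().isAfter(this.authLeaseValidUntil)) {
            return;
        }
        log.debug("Try to renew vault auth token ..");
        AuthResponse login = this.vault.auth().loginByAppRole(
                this.appRoleConfig.path(), this.appRoleConfig.roleid(), this.appRoleConfig.secretid());
        long leaseSeconds = login.getAuthLeaseDuration();
        this.configAuth = this.configAuth.token(login.getAuthClientToken());
        this.vault = Vault.create(this.configAuth);
        // This method logs in again with role id and secret id; it never renews the
        // token itself, so a non-renewable token with a finite lease must not switch
        // re-login off, or every read after expiry would fail. A non-renewable token
        // with no reported lease keeps the earlier behaviour: no further logins.
        this.reLoginEnabled = login.isAuthRenewable() || leaseSeconds > 0;
        this.authLeaseValidUntil = Instant.now().plusSeconds(leaseSeconds);
        // Log the expiry time only, never the token.
        log.debug("new vault auth token is valid until {}", this.authLeaseValidUntil);
    }
}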
