package co.elastic.gradle.vault;

import co.elastic.gradle.vault.VaultAuthenticationExtension;
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.LogicalResponse;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.inject.Inject;
import org.gradle.api.Action;
import org.gradle.api.GradleException;
import org.gradle.api.logging.Logger;
import org.gradle.api.logging.Logging;
import org.gradle.api.plugins.ExtensionAware;
import org.gradle.api.provider.Property;
import org.gradle.api.provider.Provider;
import org.gradle.api.provider.ProviderFactory;

/* loaded from: input_file:co/elastic/gradle/vault/VaultExtension.class */
public abstract class VaultExtension implements ExtensionAware {
    private static final Logger logger = Logging.getLogger(VaultExtension.class);
    public static final long EXPIRATION_BUFFER = TimeUnit.MILLISECONDS.convert(2, TimeUnit.SECONDS);
    private final File cacheDir;

    public VaultExtension(File file) {
        this.cacheDir = file;
        getEngineVersion().convention(1);
        getRetries().convention(5);
        getRetryDelayMillis().convention(1000);
    }

    public abstract Property<String> getAddress();

    public abstract Property<Integer> getEngineVersion();

    public abstract Property<Integer> getRetries();

    public abstract Property<Integer> getRetryDelayMillis();

    @Inject
    protected abstract ProviderFactory getProviderFactory();

    public void auth(Action<VaultAuthenticationExtension> action) {
        action.execute(getAuthExtension());
    }

    private VaultAuthenticationExtension getAuthExtension() {
        return (VaultAuthenticationExtension) getExtensions().getByType(VaultAuthenticationExtension.class);
    }

    public boolean isAuthAvailable() {
        return getAuthExtension().getAuthMethods().stream().anyMatch((v0) -> {
            return v0.isMethodUsable();
        });
    }

    public Provider<Map<String, String>> readSecret(String str) {
        return getProviderFactory().provider(() -> {
            logger.lifecycle("Reading " + str + " from vault");
            getDriver();
            Map data = getDataFromVault(str).getData();
            if (data.isEmpty()) {
                throw new GradleException("No data was available in vault path " + str);
            }
            return data;
        });
    }

    public Provider<Map<String, String>> readAndCacheSecret(String str) {
        Path resolve = this.cacheDir.toPath().resolve(str).resolve("leaseExpiration");
        Path resolve2 = this.cacheDir.toPath().resolve(str).resolve("data");
        Map<String, String> tryReadCache = tryReadCache(resolve, resolve2);
        return tryReadCache != null ? getProviderFactory().provider(() -> {
            return tryReadCache;
        }) : getProviderFactory().provider(() -> {
            logger.lifecycle("Reading " + str + " from vault (cached value not available or expired)");
            LogicalResponse dataFromVault = getDataFromVault(str);
            writeCacheDir(resolve, String.valueOf(System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(dataFromVault.getLeaseDuration().longValue() == 0 ? TimeUnit.SECONDS.convert(1L, TimeUnit.DAYS) : dataFromVault.getLeaseDuration().longValue(), TimeUnit.SECONDS)));
            Map data = dataFromVault.getData();
            data.forEach((str2, str3) -> {
                writeCacheDir(resolve2.resolve(str2), str3);
            });
            return data;
        });
    }

    protected LogicalResponse getDataFromVault(String str) throws VaultException {
        Vault driver = getDriver();
        LogicalResponse logicalResponse = null;
        for (int i = 0; i < 5; i++) {
            logicalResponse = driver.logical().read(str);
            if (!logicalResponse.getData().isEmpty()) {
                break;
            }
            if (i == 4) {
                throw new GradleException("No data was available in vault path " + str);
            }
            try {
                TimeUnit.MILLISECONDS.sleep(((long) Math.pow(2.0d, i + 2)) * 500);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new GradleException("Retry interrupted for vault path " + str, e);
            }
        }
        return logicalResponse;
    }

    private Map<String, String> tryReadCache(Path path, Path path2) {
        if (!Files.exists(path, new LinkOption[0])) {
            return null;
        }
        try {
            if (isValidLease(Long.valueOf(Long.parseLong(Files.readString(path))))) {
                return (Map) Files.list(path2).collect(Collectors.toMap(path3 -> {
                    return path3.getFileName().toString();
                }, path4 -> {
                    try {
                        return Files.readString(path4);
                    } catch (IOException e) {
                        throw new UncheckedIOException(e);
                    }
                }));
            }
            return null;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private void writeCacheDir(Path path, String str) {
        try {
            Files.createDirectories(path.getParent(), new FileAttribute[0]);
            Files.writeString(path, str, new OpenOption[0]);
            if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
                Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-------"));
            } else {
                logger.warn("Not able to set {} to read only because the filesystem is not posix.", path);
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private Vault getDriver() {
        if (getAuthExtension().getAuthMethods().isEmpty()) {
            throw new GradleException("No authentication configured to access " + ((String) getAddress().get()) + "\nUse an `auth {}` block to configure at least one authentication method");
        }
        Path resolve = this.cacheDir.toPath().resolve("token/expiration");
        Path resolve2 = this.cacheDir.toPath().resolve("token/value");
        Long l = 0L;
        if (Files.exists(resolve, new LinkOption[0])) {
            try {
                l = Long.valueOf(Long.parseLong(Files.readString(resolve)));
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }
        VaultAuthenticationExtension.VaultTokenFile internalCachedTokenFile = getAuthExtension().internalCachedTokenFile(resolve2.toFile());
        if (internalCachedTokenFile.isMethodUsable() && isValidLease(l)) {
            return new VaultAccessStrategy().access(this, internalCachedTokenFile, (str, l2) -> {
            });
        }
        logger.lifecycle("Authenticating to vault at " + ((String) getAddress().get()));
        for (VaultAuthenticationExtension.VaultAuthMethod vaultAuthMethod : getAuthExtension().getAuthMethods()) {
            logger.lifecycle(vaultAuthMethod.getExplanation());
            if (vaultAuthMethod.isMethodUsable()) {
                return new VaultAccessStrategy().access(this, vaultAuthMethod, (str2, l3) -> {
                    writeCacheDir(resolve2, str2);
                    writeCacheDir(resolve, l3.toString());
                });
            }
        }
        throw new GradleException("Could not find a suitable auth strategy");
    }

    private boolean isValidLease(Long l) {
        return l.longValue() - EXPIRATION_BUFFER > System.currentTimeMillis();
    }
}
