package de.otto.kafka.messaging.e2ee.vault;

import de.otto.kafka.messaging.e2ee.EncryptionKeyProvider;
import io.github.jopenlibs.vault.VaultException;
import io.github.jopenlibs.vault.json.Json;
import io.github.jopenlibs.vault.json.JsonObject;
import io.github.jopenlibs.vault.json.JsonValue;
import io.github.jopenlibs.vault.response.LogicalResponse;
import java.nio.charset.StandardCharsets;
import java.time.OffsetDateTime;
import java.util.Objects;
import java.util.function.Supplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/otto/kafka/messaging/e2ee/vault/VaultEncryptionKeyProvider.class */
public final class VaultEncryptionKeyProvider implements EncryptionKeyProvider {
    private static final Logger log = LoggerFactory.getLogger(VaultEncryptionKeyProvider.class);
    private final VaultEncryptionKeyProviderConfig config;
    private ReadonlyVaultApi vault = null;

    public VaultEncryptionKeyProvider(VaultEncryptionKeyProviderConfig vaultEncryptionKeyProviderConfig) {
        this.config = vaultEncryptionKeyProviderConfig;
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public EncryptionKeyProvider.KeyVersion retrieveKeyForEncryption(String str) {
        if (!isEncryptedTopic(str)) {
            return null;
        }
        String pathForTopic = getPathForTopic(str);
        try {
            LogicalResponse read = getOrCreateVault().read(pathForTopic);
            validateResponse(read, () -> {
                return "path '" + pathForTopic + "'";
            });
            String str2 = (String) Objects.requireNonNullElse(this.config.encryptionKeyAttributeName(str), VaultEncryptionKeyProviderConfig.DEFAULT_ENCRYPTION_KEY_ATTRIBUTE_NAME);
            String extractEncryptionKeyFromResponse = extractEncryptionKeyFromResponse(read, str2);
            OffsetDateTime extractCreationTimeFromResponse = extractCreationTimeFromResponse(read);
            int extractVersionFromResponse = extractVersionFromResponse(read);
            if (log.isTraceEnabled()) {
                log.trace("The latest encryption key is {}, version = {}, created at {}", new Object[]{extractEncryptionKeyFromResponse, Integer.valueOf(extractVersionFromResponse), extractCreationTimeFromResponse});
            } else {
                log.debug("The latest encryption key is ***, version = {}, created at {}", Integer.valueOf(extractVersionFromResponse), extractCreationTimeFromResponse);
            }
            return new EncryptionKeyProvider.KeyVersion(extractVersionFromResponse, str2, extractEncryptionKeyFromResponse);
        } catch (VaultException e) {
            throw new VaultRuntimeException((Exception) e);
        }
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public String retrieveKeyForDecryption(String str, int i) {
        return retrieveKeyForDecryption(str, i, this.config.encryptionKeyAttributeName(str));
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public String retrieveKeyForDecryption(String str, int i, String str2) {
        String pathForTopic = getPathForTopic(str);
        try {
            LogicalResponse read = getOrCreateVault().read(pathForTopic, i);
            validateResponse(read, () -> {
                return "path '" + pathForTopic + "' and version '" + i + "'";
            });
            return extractEncryptionKeyFromResponse(read, (String) Objects.requireNonNullElse(str2, VaultEncryptionKeyProviderConfig.DEFAULT_ENCRYPTION_KEY_ATTRIBUTE_NAME));
        } catch (VaultException e) {
            throw new VaultRuntimeException((Exception) e);
        }
    }

    @Override // de.otto.kafka.messaging.e2ee.EncryptionKeyProvider
    public boolean isEncryptedTopic(String str) {
        return this.config.isEncryptedTopic(str);
    }

    private void validateResponse(LogicalResponse logicalResponse, Supplier<String> supplier) {
        if (log.isTraceEnabled()) {
            log.trace("status = {} / body = {}", Integer.valueOf(logicalResponse.getRestResponse().getStatus()), new String(logicalResponse.getRestResponse().getBody()));
        } else if (log.isDebugEnabled()) {
            log.debug("status = {} / body = ***", Integer.valueOf(logicalResponse.getRestResponse().getStatus()));
        }
        if (logicalResponse.getRestResponse().getStatus() != 200) {
            if (log.isErrorEnabled()) {
                log.error("Vault response. HttpCode={} Response={}", Integer.valueOf(logicalResponse.getRestResponse().getStatus()), new String(logicalResponse.getRestResponse().getBody()));
            }
            throw new VaultRuntimeException("Vault request failed with HttpCode=" + logicalResponse.getRestResponse().getStatus() + " for " + supplier.get());
        }
    }

    private String extractEncryptionKeyFromResponse(LogicalResponse logicalResponse, String str) {
        JsonValue jsonValue = extractDataObjectFromResponse(logicalResponse).get(str);
        if (jsonValue == null) {
            throw new VaultRuntimeException("Secret does not contain '" + str + "'.");
        }
        return jsonValue.asString();
    }

    private int extractVersionFromResponse(LogicalResponse logicalResponse) {
        Integer num = extractMetaDataObjectFromResponse(logicalResponse).getInt("version");
        if (num == null) {
            throw new VaultRuntimeException("Metadata.Version is not valid.");
        }
        return num.intValue();
    }

    private OffsetDateTime extractCreationTimeFromResponse(LogicalResponse logicalResponse) {
        String string = extractMetaDataObjectFromResponse(logicalResponse).getString("created_time");
        if (string == null) {
            throw new VaultRuntimeException("Metadata.CreatedTime is not valid.");
        }
        return OffsetDateTime.parse(string);
    }

    private JsonObject extractDataObjectFromResponse(LogicalResponse logicalResponse) {
        JsonObject dataObject = logicalResponse.getDataObject();
        if (dataObject == null) {
            throw new VaultRuntimeException("Secret is not valid. KV has not version 2.");
        }
        return dataObject;
    }

    private JsonObject extractMetaDataObjectFromResponse(LogicalResponse logicalResponse) {
        JsonValue jsonValue = Json.parse(new String(logicalResponse.getRestResponse().getBody(), StandardCharsets.UTF_8)).asObject().get("data").asObject().get("metadata");
        if (jsonValue == null) {
            throw new VaultRuntimeException("Secret is not valid - Missing 'metadata'. KV has not version 2.");
        }
        JsonObject asObject = jsonValue.asObject();
        if (asObject == null) {
            throw new VaultRuntimeException("Metadata is not valid.");
        }
        return asObject;
    }

    private String getPathForTopic(String str) {
        return this.config.vaultPath(str);
    }

    private ReadonlyVaultApi getOrCreateVault() throws VaultException {
        if (this.vault == null) {
            this.vault = this.config.createReadonlyVault();
        }
        return this.vault;
    }
}
