package org.springframework.cloud.config.server.environment.vault;

import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.cloud.config.server.environment.ConfigTokenProvider;
import org.springframework.cloud.config.server.environment.VaultEnvironmentProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.util.StringUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.RestTemplateBuilder;
import org.springframework.vault.client.RestTemplateCustomizer;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.client.VaultEndpointProvider;
import org.springframework.vault.config.AbstractVaultConfiguration;
import org.springframework.vault.support.SslConfiguration;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

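/**
 * Spring configuration that assembles the Spring Vault client pieces used by the config
 * server's Vault environment repository: the endpoint, TLS key/trust material, the
 * {@link RestOperations} and the {@link ClientAuthentication}. Every value is read from
 * {@link VaultEnvironmentProperties}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>When no authentication method is configured, the Vault token is fetched from the
 * {@link ConfigTokenProvider} on each login.</li>
 * <li>The endpoint scheme is taken verbatim from configuration. Nothing here forces TLS, so
 * a non-{@code https} scheme is only reported with a warning at initialisation.</li>
 * <li>{@code skipSslValidation} is never passed on to the client. Setting it only produces
 * a warning, and trust is configured through the {@code ssl} key store and trust store
 * properties.</li>
 * </ul>
 */
@Configuration
/* loaded from: input_file:BOOT-INF/lib/spring-cloud-config-server-2.2.8.RELEASE.jar:org/springframework/cloud/config/server/environment/vault/SpringVaultClientConfiguration.class */
public class SpringVaultClientConfiguration extends AbstractVaultConfiguration implements InitializingBean {
    private static final String VAULT_PROPERTIES_PREFIX = "spring.cloud.config.server.vault.";

    // Source of endpoint, namespace, TLS and authentication settings.
    private final VaultEnvironmentProperties vaultProperties;

    // Supplies the raw Vault token when no authentication method is configured.
    private final ConfigTokenProvider configTokenProvider;

    // Plain RestTemplate created in afterPropertiesSet(). It is built directly from the
    // request factory, so the namespace interceptor added in restTemplateBuilder() is not
    // applied to it.
    private RestOperations externalRestOperations;

    private final Log log = LogFactory.getLog(getClass());

    // Candidate providers, consulted in list order by clientAuthentication().
    private final List<SpringVaultClientAuthenticationProvider> authProviders;

    /**
     * {@link ClientAuthentication} that logs in with whatever token the
     * {@link ConfigTokenProvider} returns at the time of the call.
     */
    /* loaded from: input_file:BOOT-INF/lib/spring-cloud-config-server-2.2.8.RELEASE.jar:org/springframework/cloud/config/server/environment/vault/SpringVaultClientConfiguration$ConfigTokenProviderAuthentication.class */
    static class ConfigTokenProviderAuthentication implements ClientAuthentication {
        private final ConfigTokenProvider tokenProvider;

        ConfigTokenProviderAuthentication(ConfigTokenProvider configTokenProvider) {
            this.tokenProvider = configTokenProvider;
        }

        /**
         * Wraps the provider's token in a {@link VaultToken}.
         *
         * @return the token to present to Vault
         * @throws IllegalArgumentException if the provider returns {@code null} or an empty string
         */
        @Override
        public VaultToken login() throws VaultException {
            String token = this.tokenProvider.getToken();
            // The token value is deliberately kept out of the exception message.
            if (!StringUtils.hasLength(token)) {
                throw new IllegalArgumentException("A Vault token must be supplied by a token provider");
            }
            return VaultToken.of(token);
        }
    }

    /**
     * @param vaultEnvironmentProperties Vault connection, TLS and authentication settings
     * @param configTokenProvider token source used when no authentication method is set
     * @param list authentication providers to choose from; may be {@code null} or empty,
     *             in which case only token authentication is available
     */
    public SpringVaultClientConfiguration(VaultEnvironmentProperties vaultEnvironmentProperties, ConfigTokenProvider configTokenProvider, List<SpringVaultClientAuthenticationProvider> list) {
        this.vaultProperties = vaultEnvironmentProperties;
        this.configTokenProvider = configTokenProvider;
        this.authProviders = list;
    }

    /**
     * Creates the plain {@link RestTemplate} later handed to authentication providers and
     * reports a non-TLS endpoint scheme once, at initialisation.
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() {
        this.externalRestOperations = new RestTemplate(clientHttpRequestFactoryWrapper().getClientHttpRequestFactory());
        warnIfEndpointNotTls();
    }

    /**
     * Logs a warning when the configured scheme is anything other than {@code https}.
     * It never rejects the configuration, so existing plain-HTTP setups keep working.
     */
    private void warnIfEndpointNotTls() {
        String scheme = this.vaultProperties.getScheme();
        if (!"https".equalsIgnoreCase(scheme)) {
            this.log.warn("The '" + VAULT_PROPERTIES_PREFIX + "scheme' property is '" + scheme + "'. Requests to Vault, including the Vault token, are not protected by TLS unless the scheme is 'https'.");
        }
    }

    /**
     * Builds the Vault endpoint from the configured scheme, host and port.
     *
     * @return the endpoint every Vault request is sent to
     */
    @Override
    public VaultEndpoint vaultEndpoint() {
        return VaultEndpoint.from(
                UriComponentsBuilder.newInstance()
                        .scheme(this.vaultProperties.getScheme())
                        .host(this.vaultProperties.getHost())
                        .port(this.vaultProperties.getPort().intValue())
                        .build()
                        .toUri());
    }

    /**
     * Extends the inherited builder with the namespace interceptor when a namespace is configured.
     */
    @Override
    protected RestTemplateBuilder restTemplateBuilder(VaultEndpointProvider vaultEndpointProvider, ClientHttpRequestFactory clientHttpRequestFactory) {
        RestTemplateBuilder builder = super.restTemplateBuilder(vaultEndpointProvider, clientHttpRequestFactory);
        if (this.vaultProperties.getNamespace() != null) {
            builder.customizers(this::applyNamespaceInterceptor);
        }
        return builder;
    }

    /**
     * Builds the TLS configuration from the {@code ssl} key store and trust store properties.
     *
     * <p>{@code skipSslValidation} is intentionally not honoured: it is only reported with
     * a warning and has no effect on the returned configuration.
     *
     * @return key store configuration first, trust store configuration second
     */
    @Override
    public SslConfiguration sslConfiguration() {
        if (this.vaultProperties.isSkipSslValidation()) {
            this.log.warn("The 'spring.cloud.config.server.vault.skipSslValidation' property is not supported by this Vault environment repository implementation. Use the 'spring.cloud.config.server.vault.ssl` properties to provide custom keyStore and trustStore material instead.");
        }
        VaultEnvironmentProperties.Ssl ssl = this.vaultProperties.getSsl();
        SslConfiguration.KeyStoreConfiguration keyStore = getKeyStoreConfiguration(ssl.getKeyStore(), ssl.getKeyStorePassword());
        SslConfiguration.KeyStoreConfiguration trustStore = getKeyStoreConfiguration(ssl.getTrustStore(), ssl.getTrustStorePassword());
        return new SslConfiguration(keyStore, trustStore);
    }

    /**
     * Builds a new Vault-facing {@link RestOperations} on each call, namespace interceptor included.
     */
    @Override
    public RestOperations restOperations() {
        return restTemplateBuilder(vaultEndpointProvider(), clientHttpRequestFactoryWrapper().getClientHttpRequestFactory()).build();
    }

    /**
     * Maps a store resource and optional password onto a key store configuration.
     *
     * @param resource store location, or {@code null} when none is configured
     * @param str store password; a {@code null} or blank value means "no password"
     */
    private SslConfiguration.KeyStoreConfiguration getKeyStoreConfiguration(Resource resource, String str) {
        if (resource == null) {
            return SslConfiguration.KeyStoreConfiguration.unconfigured();
        }
        if (StringUtils.hasText(str)) {
            // The password arrives as a String from configuration, so the char[] copy
            // does not remove the original String from memory.
            return SslConfiguration.KeyStoreConfiguration.of(resource, str.toCharArray());
        }
        return SslConfiguration.KeyStoreConfiguration.of(resource);
    }

    /**
     * Adds the namespace interceptor to the given template when a namespace is configured.
     *
     * @return the same template instance
     */
    private RestOperations applyNamespaceInterceptor(RestTemplate restTemplate) {
        String namespace = this.vaultProperties.getNamespace();
        if (namespace != null) {
            restTemplate.getInterceptors().add(VaultClients.createNamespaceInterceptor(namespace));
        }
        return restTemplate;
    }

    /**
     * Chooses how the client authenticates to Vault.
     *
     * <p>With no authentication method configured, the token from the
     * {@link ConfigTokenProvider} is used. Otherwise the first provider whose
     * {@code supports} check accepts the properties builds the authentication.
     *
     * @return the authentication to use for Vault logins
     * @throws UnsupportedOperationException if a method is configured but no providers
     *         exist, or none of them supports the configured properties
     */
    @Override
    public ClientAuthentication clientAuthentication() {
        VaultEnvironmentProperties.AuthenticationMethod authentication = this.vaultProperties.getAuthentication();
        if (authentication == null) {
            return new ConfigTokenProviderAuthentication(this.configTokenProvider);
        }
        if (this.authProviders == null || this.authProviders.isEmpty()) {
            throw new UnsupportedOperationException("No Vault client authentication providers are configured");
        }
        for (SpringVaultClientAuthenticationProvider provider : this.authProviders) {
            if (provider.supports(this.vaultProperties)) {
                // The provider receives both the Vault-facing client and the plain
                // RestTemplate created in afterPropertiesSet().
                return provider.getClientAuthentication(this.vaultProperties, restOperations(), this.externalRestOperations);
            }
        }
        // Fail closed: an unmatched method is never silently downgraded to token authentication.
        throw new UnsupportedOperationException(String.format("Client authentication %s not supported", authentication));
    }
}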
