package io.scalecube.configuration.tokens;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import io.scalecube.config.ConfigRegistry;
import io.scalecube.configuration.ConfigRegistryConfiguration;
import java.security.Key;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/scalecube/configuration/tokens/VaultKeyProvider.class */
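/**
 * {@link KeyProvider} that resolves signing/verification keys from HashiCorp Vault.
 *
 * <p>For a given alias the provider asks {@link VaultPathBuilder} for the secret path, reads the
 * secret through the Vault driver (with retries), takes the Base64 text stored under the
 * {@code "key"} entry and wraps the decoded bytes in a {@link SecretKeySpec} for the configured
 * algorithm ({@code jwt.algorithm}, default {@code HmacSHA256}).
 *
 * <p>Every failure is reported as a {@link KeyProviderException}. Messages built in this class
 * contain the entry name and the Vault path, never the secret value.
 */
public class VaultKeyProvider implements KeyProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(VaultKeyProvider.class);

    /** Name of the entry inside the Vault secret that holds the Base64-encoded key. */
    private static final String VAULT_ENTRY_KEY = "key";
    private static final int HTTP_STATUS_NOT_FOUND = 404;

    private static final String VAULT_MAX_RETRIES_KEY = "vault.max.retries";
    private static final int MAX_RETRIES = 5;

    private static final String VAULT_RETRY_INTERVAL_MILLISECONDS = "vault.retry.interval.milliseconds";
    private static final int RETRY_INTERVAL_MILLISECONDS = 1000;

    private static final String JWT_ALGORITHM = "jwt.algorithm";
    private static final String DEFAULT_JWT_ALGORITHM = "HmacSHA256";

    private final int maxRetries;
    private final int retryIntervalMilliseconds;
    private final String algorithm;
    private final VaultPathBuilder vaultPathBuilder = new VaultPathBuilder();
    private final Vault vault;

    /**
     * Creates a provider using the Vault driver's default configuration and the retry/algorithm
     * settings found in the config registry.
     *
     * <p>{@code new VaultConfig().build()} is called without explicit address or token, so the
     * driver falls back to its own defaults (environment variables such as {@code VAULT_ADDR} and
     * {@code VAULT_TOKEN}).
     *
     * @throws IllegalStateException if the Vault client or the configuration cannot be initialised
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public VaultKeyProvider() {
        try {
            this.vault = new Vault(new VaultConfig().build());
            ConfigRegistry configRegistry = ConfigRegistryConfiguration.configRegistry();
            this.algorithm = configRegistry.stringValue(JWT_ALGORITHM, DEFAULT_JWT_ALGORITHM);
            this.maxRetries = configRegistry.intValue(VAULT_MAX_RETRIES_KEY, MAX_RETRIES);
            this.retryIntervalMilliseconds =
                    configRegistry.intValue(VAULT_RETRY_INTERVAL_MILLISECONDS, RETRY_INTERVAL_MILLISECONDS);
        } catch (Exception e) {
            // Still a RuntimeException for existing callers, but now says what failed.
            throw new IllegalStateException("Failed to initialise VaultKeyProvider", e);
        }
    }

    /**
     * Returns the key stored in Vault for the given alias.
     *
     * @param str key alias; used to build the Vault secret path
     * @return the key, tagged with the configured algorithm name
     * @throws KeyProviderException if the alias is null, the secret cannot be read, the
     *     {@code "key"} entry is missing or empty, or the value cannot be turned into a key
     */
    @Override // io.scalecube.configuration.tokens.KeyProvider
    public Key get(String str) throws KeyProviderException {
        return getSecretKey(str);
    }

    /**
     * Reads the Base64 key text for the alias and converts it into a {@link SecretKeySpec}.
     *
     * <p>Failures are logged once here (alias and stack trace only) and rethrown.
     */
    private Key getSecretKey(String str) throws KeyProviderException {
        try {
            // NOTE(review): javax.xml.bind was removed from the JDK in Java 11; this call needs the
            // JAXB API on the classpath there. Its decoder is believed to skip characters outside
            // the Base64 alphabet instead of rejecting them -- confirm; if so, a corrupted entry
            // can silently yield a shorter key than intended.
            byte[] keyBytes = DatatypeConverter.parseBase64Binary(getVaultEntryValue(str));

            // NOTE(review): the decoded length is not validated. For HMAC-based JWT algorithms
            // RFC 7518 section 3.2 requires a key at least as long as the hash output (32 bytes
            // for HmacSHA256); consider enforcing that once deployed keys are known to comply.
            // SecretKeySpec itself only rejects a null or empty byte array.
            return new SecretKeySpec(keyBytes, this.algorithm);
        } catch (KeyProviderException e) {
            LOGGER.error("Error creating key for alias: '{}'", str, e);
            throw e;
        } catch (Exception e) {
            LOGGER.error("Error creating key for alias: '{}'", str, e);
            throw new KeyProviderException(e);
        }
    }

    /**
     * Fetches the text stored under {@code "key"} in the Vault secret for the alias.
     *
     * @throws KeyProviderException if the alias is null, Vault reports an error, or the entry is
     *     absent or empty
     */
    private String getVaultEntryValue(String str) throws KeyProviderException {
        if (str == null) {
            // Fail before building a path or contacting Vault with a meaningless alias.
            throw new KeyProviderException("key alias must not be null");
        }
        // NOTE(review): the alias becomes part of the Vault path via VaultPathBuilder (not shown
        // here). If the alias can originate from an unverified token header, confirm that the
        // builder restricts it to the expected character set.
        String path = this.vaultPathBuilder.getPath(str);

        Map<String, String> data;
        try {
            data = this.vault
                    .withRetries(this.maxRetries, this.retryIntervalMilliseconds)
                    .logical()
                    .read(path)
                    .getData();
        } catch (VaultException e) {
            throw toKeyProviderException(e, path);
        }

        String value = (data == null) ? null : data.get(VAULT_ENTRY_KEY);
        if (value == null) {
            throw new KeyProviderException(
                    String.format("'%s' was expected under secret '%s'", VAULT_ENTRY_KEY, path));
        }
        if (value.isEmpty()) {
            // Previously surfaced as an opaque "Empty key" IllegalArgumentException from
            // SecretKeySpec; report it with the path so operators can find the bad entry.
            throw new KeyProviderException(
                    String.format("'%s' under secret '%s' is empty", VAULT_ENTRY_KEY, path));
        }
        return value;
    }

    /**
     * Maps a Vault driver failure to a {@link KeyProviderException}; a 404 gets a message naming
     * the missing path, any other status is wrapped as-is.
     */
    private KeyProviderException toKeyProviderException(VaultException vaultException, String path) {
        if (vaultException.getHttpStatusCode() != HTTP_STATUS_NOT_FOUND) {
            return new KeyProviderException((Exception) vaultException);
        }
        return new KeyProviderException(String.format("path: '%s' not found", path), vaultException);
    }
}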
