package io.quarkus.vault.client.auth.unwrap;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.quarkus.vault.client.VaultClientException;
import io.quarkus.vault.client.api.sys.wrapping.VaultSysWrapping;
import io.quarkus.vault.client.api.sys.wrapping.VaultSysWrappingUnwrapResult;
import io.quarkus.vault.client.auth.VaultAuthRequest;
import io.quarkus.vault.client.json.JsonMapping;
import io.quarkus.vault.client.logging.LogConfidentialityLevel;
import java.time.Duration;
import java.util.concurrent.CompletionException;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.logging.Logger;

/* loaded from: input_file:io/quarkus/vault/client/auth/unwrap/VaultUnwrappingValueProvider.class */
public abstract class VaultUnwrappingValueProvider<UnwrapResult> implements VaultValueProvider {
    private static final Logger log = Logger.getLogger(VaultUnwrappingValueProvider.class.getName());
    private static final Cache<String, CompletionStage<String>> unwrappingCache = Caffeine.newBuilder().expireAfterWrite(Duration.ofHours(1)).build();
    private final String wrappingToken;

    /* JADX INFO: Access modifiers changed from: protected */
    public VaultUnwrappingValueProvider(String str) {
        this.wrappingToken = str;
    }

    public abstract String getType();

    public abstract Class<? extends UnwrapResult> getUnwrapResultType();

    public abstract String extractClientToken(UnwrapResult unwrapresult);

    @Override // java.util.function.Function
    public CompletionStage<String> apply(VaultAuthRequest vaultAuthRequest) {
        return (CompletionStage) unwrappingCache.get(this.wrappingToken, str -> {
            return vaultAuthRequest.getExecutor().execute(VaultSysWrapping.FACTORY.unwrap(str)).thenApply(vaultResponse -> {
                VaultSysWrappingUnwrapResult vaultSysWrappingUnwrapResult = (VaultSysWrappingUnwrapResult) vaultResponse.getResult();
                String extractClientToken = extractClientToken(JsonMapping.mapper.convertValue(vaultSysWrappingUnwrapResult.getAuth() != null ? vaultSysWrappingUnwrapResult.getAuth() : vaultSysWrappingUnwrapResult.getData(), getUnwrapResultType()));
                log.fine("unwrapped " + getType() + ": " + vaultAuthRequest.getRequest().getLogConfidentialityLevel().maskWithTolerance(extractClientToken, LogConfidentialityLevel.LOW));
                return extractClientToken;
            }).exceptionally(th -> {
                if ((th instanceof CompletionException) || (th instanceof ExecutionException)) {
                    th = th.getCause();
                }
                if (th instanceof VaultClientException) {
                    VaultClientException vaultClientException = (VaultClientException) th;
                    if (vaultClientException.getStatus().intValue() == 400) {
                        throw vaultClientException.withError("wrapping token is not valid or does not exist; this means that the token has already expired (if so you can increase the ttl on the wrapping token) or has been consumed by somebody else (potentially indicating that the wrapping token has been stolen)");
                    }
                }
                if (th instanceof RuntimeException) {
                    throw ((RuntimeException) th);
                }
                throw new RuntimeException(th);
            });
        });
    }
}
