package io.quarkus.vault.client.auth;

import io.quarkus.vault.client.VaultClientException;
import io.quarkus.vault.client.api.auth.token.VaultAuthToken;
import io.quarkus.vault.client.api.auth.token.VaultAuthTokenRenewSelfAuthResult;
import io.quarkus.vault.client.logging.LogConfidentialityLevel;
import io.quarkus.vault.client.util.OptionalCompletionStages;
import java.time.Duration;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Logger;

/* loaded from: input_file:io/quarkus/vault/client/auth/VaultCachingTokenProvider.class */
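/**
 * A {@link VaultTokenProvider} that keeps the most recently obtained token in memory and
 * reuses it until it expires, renewing it or requesting a new one from the delegate when needed.
 *
 * <p>The cache is a single {@link AtomicReference}. Reading it and writing it back in
 * {@link #apply(VaultAuthRequest)} are separate steps, so concurrent callers may each trigger
 * a renewal or login; the last result written wins.
 *
 * <p>Security note: client tokens are bearer credentials. Every log statement in this class
 * routes token material through {@code getConfidentialInfo(LogConfidentialityLevel)} or omits
 * it entirely; raw token strings must never be concatenated into log messages.
 */
public class VaultCachingTokenProvider implements VaultTokenProvider {
    // NOTE(review): public and non-final, so any code can reassign the default at runtime.
    // Left as-is for compatibility with existing callers; consider making it final.
    public static Duration DEFAULT_RENEW_GRACE_PERIOD = Duration.ofSeconds(30);
    private static final Logger log = Logger.getLogger(VaultCachingTokenProvider.class.getName());
    private final VaultTokenProvider delegate;
    private final Duration renewGracePeriod;
    private final AtomicReference<VaultToken> cachedToken = new AtomicReference<>(null);

    /**
     * Creates a caching provider in front of another token provider.
     *
     * @param vaultTokenProvider the provider used to obtain a new token when the cache cannot serve one
     * @param duration the renew grace period passed to {@code VaultToken.shouldExtend} and to the
     *     lease duration sanity check
     */
    public VaultCachingTokenProvider(VaultTokenProvider vaultTokenProvider, Duration duration) {
        this.delegate = vaultTokenProvider;
        this.renewGracePeriod = duration;
    }

    /**
     * Returns a token for the request, preferring the cached one.
     *
     * <p>Steps: (1) drop the cached token if it reports itself expired; (2) if a token remains and
     * {@code shouldExtend(renewGracePeriod)} is true, try to renew it; (3) if no token is available
     * after that, request a new one from the delegate; (4) store the result in the cache.
     *
     * @param vaultAuthRequest the authentication request; also supplies the log confidentiality level
     * @return a stage completing with the token to use
     */
    @Override
    public CompletionStage<VaultToken> apply(VaultAuthRequest vaultAuthRequest) {
        Optional<VaultToken> usable = Optional.ofNullable(this.cachedToken.get()).map(vaultToken -> {
            LogConfidentialityLevel logConfidentialityLevel = vaultAuthRequest.getRequest().getLogConfidentialityLevel();
            if (vaultToken.isExpired()) {
                log.fine("cached token " + vaultToken.getConfidentialInfo(logConfidentialityLevel) + " has expired");
                // Returning null from Optional.map yields an empty Optional, i.e. "no cached token".
                return null;
            }
            log.fine("using cached token " + vaultToken.getConfidentialInfo(logConfidentialityLevel) + " (expires at " + String.valueOf(vaultToken.getExpiresAt()) + ")");
            return vaultToken;
        });
        return CompletableFuture.completedStage(usable)
                .thenCompose(OptionalCompletionStages.flatMapPresent(vaultToken2 -> {
                    return vaultToken2.shouldExtend(this.renewGracePeriod) ? extend(vaultAuthRequest, vaultToken2.getClientToken()) : CompletableFuture.completedStage(vaultToken2);
                }))
                .thenCompose(OptionalCompletionStages.flatMapEmptyGet(() -> {
                    return request(vaultAuthRequest);
                }))
                .thenApply(vaultToken3 -> {
                    this.cachedToken.set(vaultToken3.cached());
                    return vaultToken3;
                });
    }

    /** Clears the cached token so the next {@link #apply(VaultAuthRequest)} cannot reuse it. */
    @Override
    public void invalidateCache() {
        this.cachedToken.set(null);
    }

    /**
     * Returns this instance, since it already caches.
     *
     * @param duration ignored; the grace period given at construction stays in effect
     * @return this provider
     */
    @Override
    public VaultTokenProvider caching(Duration duration) {
        return this;
    }

    /**
     * Obtains a new token from the delegate provider and runs the lease duration sanity check on it.
     *
     * @param vaultAuthRequest the authentication request forwarded to the delegate
     * @return a stage completing with the newly obtained token
     */
    public CompletionStage<VaultToken> request(VaultAuthRequest vaultAuthRequest) {
        LogConfidentialityLevel logConfidentialityLevel = vaultAuthRequest.getRequest().getLogConfidentialityLevel();
        return this.delegate.apply(vaultAuthRequest).thenApply(vaultToken -> {
            sanityCheck(vaultToken);
            log.fine("created new login token: " + vaultToken.getConfidentialInfo(logConfidentialityLevel));
            return vaultToken;
        });
    }

    /**
     * Renews the given client token through the token auth method's renew-self call.
     *
     * <p>If the call fails with a {@link VaultClientException} that is a permission-denied error or
     * whose error text contains "lease is not renewable", the stage completes with {@code null}
     * instead of failing. Any other failure is propagated.
     *
     * @param vaultAuthRequest supplies the executor, the instant source and the log confidentiality level
     * @param str the client token to renew; treated as a secret and never written to the log
     * @return a stage completing with the renewed token, or with {@code null} when the token can no
     *     longer be renewed
     */
    public CompletionStage<VaultToken> extend(VaultAuthRequest vaultAuthRequest, String str) {
        LogConfidentialityLevel logConfidentialityLevel = vaultAuthRequest.getRequest().getLogConfidentialityLevel();
        return vaultAuthRequest.getExecutor().execute(VaultAuthToken.FACTORY.renewSelf(null).builder().token(str).rebuild()).thenApply((v0) -> {
            return v0.getResult();
        }).thenApply(vaultAuthTokenRenewSelfResult -> {
            VaultAuthTokenRenewSelfAuthResult auth = vaultAuthTokenRenewSelfResult.getAuth();
            VaultToken from = VaultToken.from(auth.getClientToken(), auth.isRenewable().booleanValue(), auth.getLeaseDuration(), vaultAuthRequest.getInstantSource());
            sanityCheck(from);
            log.fine("extended login token: " + from.getConfidentialInfo(logConfidentialityLevel));
            return from;
        }).exceptionallyCompose(th -> {
            // Unwrap only when a cause exists: failedStage(null) would throw a NullPointerException
            // and hide the original failure.
            Throwable failure = th;
            if (th instanceof CompletionException && th.getCause() != null) {
                failure = th.getCause();
            }
            if (failure instanceof VaultClientException) {
                VaultClientException vaultClientException = (VaultClientException) failure;
                if (vaultClientException.isPermissionDenied() || vaultClientException.hasErrorContaining("lease is not renewable")) {
                    // The raw client token is deliberately omitted here. It was previously
                    // concatenated into this message, bypassing the request's
                    // LogConfidentialityLevel, and a rejected renewal does not prove the token
                    // is unusable for other operations.
                    log.fine("login token has become invalid");
                    return CompletableFuture.completedStage(null);
                }
            }
            return CompletableFuture.failedStage(failure);
        });
    }

    /**
     * Runs the token's lease duration sanity check against the configured renew grace period.
     * What the check does is defined by {@code VaultToken.leaseDurationSanityCheck}, not here.
     */
    private void sanityCheck(VaultToken vaultToken) {
        vaultToken.leaseDurationSanityCheck("auth", this.renewGracePeriod);
    }
}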
