package com.hazelcast.spi.impl.securestore.impl;

import com.hazelcast.com.ctc.wstx.cfg.XmlConsts;
import com.hazelcast.config.SSLConfig;
import com.hazelcast.config.VaultSecureStoreConfig;
import com.hazelcast.instance.impl.Node;
import com.hazelcast.internal.json.Json;
import com.hazelcast.internal.json.JsonObject;
import com.hazelcast.internal.json.JsonValue;
import com.hazelcast.internal.nio.ClassLoaderUtil;
import com.hazelcast.internal.nio.IOUtil;
import com.hazelcast.internal.util.StringUtil;
import com.hazelcast.logging.ILogger;
import com.hazelcast.nio.ssl.BasicSSLContextFactory;
import com.hazelcast.nio.ssl.SSLContextFactory;
import com.hazelcast.spi.impl.securestore.SecureStore;
import com.hazelcast.spi.impl.securestore.SecureStoreException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.net.ssl.HttpsURLConnection;

/* loaded from: input_file:com/hazelcast/spi/impl/securestore/impl/VaultSecureStore.class */
public class VaultSecureStore extends AbstractSecureStore {
    private final VaultClient client;

    /* loaded from: input_file:com/hazelcast/spi/impl/securestore/impl/VaultSecureStore$VaultClient.class */
    private static final class VaultClient {
        private static final int CONNECTION_TIMEOUT_MILLIS = 5000;
        private static final String HEADER_TOKEN = "X-Vault-Token";
        private static final byte[] EMPTY_BYTE_ARRAY;
        private final VaultSecureStoreConfig config;
        private final ClassLoader classLoader;
        private final ILogger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:com/hazelcast/spi/impl/securestore/impl/VaultSecureStore$VaultClient$Range.class */
        public static final class Range {
            private final int min;
            private final int max;

            private Range(int i, int i2) {
                this.min = i;
                this.max = i2;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:com/hazelcast/spi/impl/securestore/impl/VaultSecureStore$VaultClient$Response.class */
        public static final class Response {
            private final int statusCode;
            private final String contentType;
            private final byte[] body;

            private Response(int i, String str, byte[] bArr) {
                this.statusCode = i;
                this.contentType = str;
                this.body = bArr;
            }

            public String toString() {
                return "Response{statusCode: " + this.statusCode + ", contentType: " + this.contentType + ", body: " + StringUtil.bytesToString(this.body) + '}';
            }
        }

        private VaultClient(@Nonnull VaultSecureStoreConfig vaultSecureStoreConfig, ClassLoader classLoader, @Nonnull ILogger iLogger) {
            this.config = vaultSecureStoreConfig;
            this.classLoader = classLoader;
            this.logger = iLogger;
        }

        @Nonnull
        List<byte[]> retrieveEncryptionKeys() {
            try {
                String mountPath = getMountPath();
                Range readVersionRange = readVersionRange(mountPath);
                ArrayList arrayList = new ArrayList((readVersionRange.max - readVersionRange.min) + 1);
                for (int i = readVersionRange.max; i >= readVersionRange.min; i--) {
                    byte[] readKey = readKey(mountPath, i);
                    if (readKey != null) {
                        arrayList.add(readKey);
                    }
                }
                return arrayList;
            } catch (Exception e) {
                this.logger.warning("Failed to retrieve encryption keys", e);
                throw new SecureStoreException("Failed to retrieve encryption keys", e);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public byte[] retrieveCurrentEncryptionKey() {
            try {
                return readKey(getMountPath(), 0);
            } catch (Exception e) {
                this.logger.warning("Failed to retrieve encryption keys", e);
                throw new SecureStoreException("Failed to retrieve the current encryption key", e);
            }
        }

        private byte[] readKey(String str, int i) throws Exception {
            Response doGet = doGet(String.format("%s/v1/%s?version=%d", this.config.getAddress(), secretPath(this.config.getSecretPath(), str, false), Integer.valueOf(i)));
            if (doGet.statusCode == 404) {
                return null;
            }
            if (doGet.statusCode != 200) {
                throw new SecureStoreException("Unexpected response: " + doGet);
            }
            return parseKeyResponse(doGet, str != null);
        }

        private Range readVersionRange(String str) throws Exception {
            if (str == null) {
                return new Range(0, 0);
            }
            String secretPath = secretPath(this.config.getSecretPath(), str, true);
            Response doGet = doGet(String.format("%s/v1/%s", this.config.getAddress(), secretPath));
            if (doGet.statusCode == 404) {
                this.logger.warning("No key metadata found at secret path: " + secretPath);
                return new Range(0, 0);
            }
            if (doGet.statusCode != 200) {
                throw new SecureStoreException("Unexpected response: " + doGet);
            }
            return parseVersionResponse(doGet);
        }

        private static Range parseVersionResponse(Response response) {
            int i = 1;
            int i2 = 0;
            Iterator<JsonObject.Member> it = Json.parse(StringUtil.bytesToString(response.body)).asObject().get("data").asObject().iterator();
            while (it.hasNext()) {
                JsonObject.Member next = it.next();
                String name = next.getName();
                if ("oldest_version".equals(name)) {
                    i = Math.max(intValue(next), 1);
                } else if ("current_version".equals(name)) {
                    i2 = intValue(next);
                }
            }
            if (i2 == 0) {
                throw new SecureStoreException("Failed to parse version range: " + response);
            }
            return new Range(i, i2);
        }

        private static int intValue(JsonObject.Member member) {
            JsonValue value = member.getValue();
            if (value == null || !value.isNumber()) {
                return 0;
            }
            return value.asInt();
        }

        private static byte[] parseKeyResponse(Response response, boolean z) {
            JsonObject asObject = Json.parse(StringUtil.bytesToString(response.body)).asObject().get("data").asObject();
            if (z) {
                asObject = asObject.get("data").asObject();
            }
            String str = null;
            Iterator<JsonObject.Member> it = asObject.iterator();
            while (it.hasNext()) {
                JsonObject.Member next = it.next();
                if (str != null) {
                    throw new SecureStoreException("Multiple key/value mappings found under secret path");
                }
                JsonValue value = next.getValue();
                if (value != null && !value.isNull()) {
                    str = value.isString() ? value.asString() : value.toString();
                }
            }
            if (str == null) {
                return null;
            }
            return decodeKey(str);
        }

        private static byte[] decodeKey(String str) {
            try {
                return Base64.getDecoder().decode(str.trim());
            } catch (Exception e) {
                throw new SecureStoreException("Failed to Base64-decode encryption key", e);
            }
        }

        private String getMountPath() throws Exception {
            Response doGet = doGet(String.format("%s/v1/sys/internal/ui/mounts/%s", this.config.getAddress(), this.config.getSecretPath()));
            if (doGet.statusCode == 404) {
                this.logger.fine("The Vault /sys/internal/ui/mounts endpoint not found, assuming V1");
                return null;
            }
            if (doGet.statusCode != 200) {
                throw new SecureStoreException("Failed to determine the secrets engine mount path for secret path: " + this.config.getSecretPath() + ": " + doGet);
            }
            return parseMountsResponse(doGet);
        }

        private static String parseMountsResponse(Response response) {
            JsonObject asObject = Json.parse(StringUtil.bytesToString(response.body)).asObject().get("data").asObject();
            String string = asObject.getString("type", null);
            if (!"kv".equals(string)) {
                throw new SecureStoreException("Unsupported secrets engine type: " + string);
            }
            if ("2".equals(asObject.get("options").asObject().getString(XmlConsts.XML_DECL_KW_VERSION, "0"))) {
                return asObject.getString("path", null);
            }
            return null;
        }

        private static String secretPath(String str, String str2, boolean z) {
            if (str2 == null) {
                return str;
            }
            StringBuilder sb = new StringBuilder(str2);
            sb.append(z ? "metadata/" : "data/");
            int indexOf = str.indexOf(str2);
            if (!$assertionsDisabled && indexOf == -1) {
                throw new AssertionError();
            }
            sb.append(str.substring(indexOf + str2.length()));
            return sb.toString();
        }

        private Response doGet(String str) throws Exception {
            HashMap hashMap = new HashMap();
            hashMap.put(HEADER_TOKEN, this.config.getToken());
            HttpURLConnection httpURLConnection = null;
            try {
                httpURLConnection = getConnection(str, this.config.getSSLConfig());
                httpURLConnection.setRequestMethod("GET");
                httpURLConnection.setRequestProperty("Connection", "close");
                httpURLConnection.setConnectTimeout(CONNECTION_TIMEOUT_MILLIS);
                httpURLConnection.setReadTimeout(CONNECTION_TIMEOUT_MILLIS);
                for (Map.Entry entry : hashMap.entrySet()) {
                    httpURLConnection.setRequestProperty((String) entry.getKey(), (String) entry.getValue());
                }
                Response response = new Response(httpURLConnection.getResponseCode(), httpURLConnection.getContentType(), responseBody(httpURLConnection));
                if (httpURLConnection != null) {
                    httpURLConnection.disconnect();
                }
                return response;
            } catch (Throwable th) {
                if (httpURLConnection != null) {
                    httpURLConnection.disconnect();
                }
                throw th;
            }
        }

        private HttpURLConnection getConnection(String str, SSLConfig sSLConfig) throws Exception {
            HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(str).openConnection();
            if (httpURLConnection instanceof HttpsURLConnection) {
                if (sSLConfig == null || !sSLConfig.isEnabled()) {
                    throw new SecureStoreException("SSL/TLS not enabled in the configuration");
                }
                ((HttpsURLConnection) httpURLConnection).setSSLSocketFactory(loadSSLContextFactory(sSLConfig).getSSLContext().getSocketFactory());
            }
            return httpURLConnection;
        }

        private SSLContextFactory loadSSLContextFactory(SSLConfig sSLConfig) throws Exception {
            Object factoryImplementation = sSLConfig.getFactoryImplementation();
            String factoryClassName = sSLConfig.getFactoryClassName();
            if (factoryImplementation == null && factoryClassName != null) {
                factoryImplementation = ClassLoaderUtil.newInstance(this.classLoader, factoryClassName);
            }
            if (factoryImplementation == null) {
                factoryImplementation = new BasicSSLContextFactory();
            }
            SSLContextFactory sSLContextFactory = (SSLContextFactory) factoryImplementation;
            sSLContextFactory.init(sSLConfig.getProperties());
            return sSLContextFactory;
        }

        private static byte[] responseBody(HttpURLConnection httpURLConnection) throws IOException {
            InputStream inputStream = httpURLConnection.getResponseCode() < 400 ? httpURLConnection.getInputStream() : httpURLConnection.getErrorStream();
            if (inputStream == null) {
                return EMPTY_BYTE_ARRAY;
            }
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            IOUtil.drainTo(inputStream, byteArrayOutputStream);
            return byteArrayOutputStream.toByteArray();
        }

        static {
            $assertionsDisabled = !VaultSecureStore.class.desiredAssertionStatus();
            EMPTY_BYTE_ARRAY = new byte[0];
        }
    }

    /* loaded from: input_file:com/hazelcast/spi/impl/securestore/impl/VaultSecureStore$VaultWatcher.class */
    private final class VaultWatcher implements Runnable {
        private byte[] lastKey;

        private VaultWatcher() {
            this.lastKey = VaultSecureStore.this.client.retrieveCurrentEncryptionKey();
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                byte[] retrieveCurrentEncryptionKey = VaultSecureStore.this.client.retrieveCurrentEncryptionKey();
                if (retrieveCurrentEncryptionKey != null && !Arrays.equals(retrieveCurrentEncryptionKey, this.lastKey)) {
                    VaultSecureStore.this.logger.info("Vault encryption key change detected");
                    this.lastKey = retrieveCurrentEncryptionKey;
                    VaultSecureStore.this.notifyEncryptionKeyListeners(retrieveCurrentEncryptionKey);
                }
            } catch (Exception e) {
                VaultSecureStore.this.logger.warning("Error while detecting changes in Vault", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public VaultSecureStore(@Nonnull VaultSecureStoreConfig vaultSecureStoreConfig, @Nonnull Node node) {
        super(vaultSecureStoreConfig.getPollingInterval(), node);
        this.client = new VaultClient(vaultSecureStoreConfig, node.getConfigClassLoader(), this.logger);
    }

    @Override // com.hazelcast.spi.impl.securestore.SecureStore
    @Nonnull
    public List<byte[]> retrieveEncryptionKeys() {
        return this.client.retrieveEncryptionKeys();
    }

    @Override // com.hazelcast.spi.impl.securestore.impl.AbstractSecureStore
    protected Runnable getWatcher() {
        return new VaultWatcher();
    }

    @Override // com.hazelcast.spi.impl.securestore.impl.AbstractSecureStore, com.hazelcast.internal.nio.Disposable
    public /* bridge */ /* synthetic */ void dispose() {
        super.dispose();
    }

    @Override // com.hazelcast.spi.impl.securestore.impl.AbstractSecureStore, com.hazelcast.spi.impl.securestore.SecureStore
    public /* bridge */ /* synthetic */ void addEncryptionKeyListener(@Nonnull SecureStore.EncryptionKeyListener encryptionKeyListener) {
        super.addEncryptionKeyListener(encryptionKeyListener);
    }
}
