package com.dbeaver.model.vault;

import com.dbeaver.model.auth.SMAuthUtils;
import com.dbeaver.model.datasource.DataSourceDescriptorPRO;
import com.dbeaver.model.datasource.parameters.DBPAbstractParametersProvider;
import com.dbeaver.model.datasource.parameters.DBPDatasourceExternalParameters;
import com.dbeaver.model.datasource.parameters.DBPParametersConfiguration;
import com.dbeaver.model.vault.VaultParametersProviderConfiguration;
import io.github.jopenlibs.vault.Vault;
import io.github.jopenlibs.vault.VaultConfig;
import io.github.jopenlibs.vault.VaultException;
import io.github.jopenlibs.vault.response.AuthResponse;
import java.io.IOException;
import java.time.Instant;
import java.time.LocalDateTime;
import java.util.Map;
import org.jkiss.code.NotNull;
import org.jkiss.code.Nullable;
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.Log;
import org.jkiss.dbeaver.model.auth.SMSession;
import org.jkiss.dbeaver.model.auth.SMSessionPersistent;
import org.jkiss.dbeaver.model.runtime.DBRProgressMonitor;
import org.jkiss.utils.CommonUtils;
import org.jkiss.utils.oauth.OAuthHandler;

/* loaded from: input_file:com/dbeaver/model/vault/VaultParametersProvider.class */
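/**
 * Parameters provider that reads a data source's external parameters from a Vault secret.
 *
 * <p>The Vault client token is either taken directly from the provider configuration
 * (auth type {@code TOKEN}) or obtained by logging in to Vault (user/password, JWT or
 * OAuth2). A token obtained by login is cached as an attribute of the project's persistent
 * session until its lease runs out or {@link #invalidateCredentials} removes it.
 */
public class VaultParametersProvider extends DBPAbstractParametersProvider<VaultParametersProviderConfiguration> {
    private static final Log log = Log.getLog(VaultParametersProvider.class);
    public static final String VAULT_PROVIDER_ID = "vault-parameters-provider";
    /** Prefix of the session attribute key under which a Vault client token is cached. */
    private static final String VAULT_TOKEN_ATTRIBUTE = "vault-token-";

    /**
     * Cached Vault client token together with the moment its lease ends.
     *
     * <p>The decompiler reports that this class was originally {@code private}; the
     * {@code public} modifier seen here is a decompilation artifact.
     */
    public static class VaultTokenAdapter {

        // Secret material: never log or expose this value.
        @NotNull
        private final String userToken;

        // Absolute point in time, so that DST shifts and changes of the default time zone
        // cannot make an expired token look valid again.
        @NotNull
        private final Instant expirationTime;

        private VaultTokenAdapter(@NotNull String userToken, @NotNull Instant expirationTime) {
            this.userToken = userToken;
            this.expirationTime = expirationTime;
        }

        /** Returns {@code true} once the current time is past the recorded expiration. */
        boolean isExpired() {
            return Instant.now().isAfter(this.expirationTime);
        }
    }

    /**
     * Reads the secret named by the data source's external-parameters configuration.
     *
     * @param dBRProgressMonitor progress monitor, passed on to the session lookup
     * @param dataSourceDescriptorPRO data source whose external parameters are requested
     * @return the data of the Vault secret, or {@code null} when the data source has no
     *     external-parameters configuration
     * @throws DBException when the token cannot be resolved or the read fails; every
     *     failure, including a {@code DBException} raised inside the try block, is wrapped
     *     with the prefix "Error reading Vault secret: "
     */
    @Nullable
    public Map<String, ?> readParameters(@NotNull DBRProgressMonitor dBRProgressMonitor, @NotNull DataSourceDescriptorPRO dataSourceDescriptorPRO) throws DBException {
        DBPDatasourceExternalParameters externalParams = dataSourceDescriptorPRO.getExternalParametersConfig();
        if (externalParams == null) {
            return null;
        }
        VaultParametersProviderConfiguration config = (VaultParametersProviderConfiguration) getConfiguration(externalParams, VaultParametersProviderConfiguration.class);
        // NOTE(review): transport security depends entirely on the configured URL; nothing
        // here requires an https address or configures certificate checks - confirm where
        // that is enforced.
        VaultConfig vaultConfig = new VaultConfig().address(config.getVaultUrl());
        try {
            String token = resolveVaultToken(dBRProgressMonitor, vaultConfig, config, dataSourceDescriptorPRO);
            if (token == null) {
                throw new DBException("Vault token not resolved");
            }
            Vault vault = Vault.create(vaultConfig.token(token).build());
            return vault.logical().read(externalParams.getSecretName()).getData();
        } catch (Exception e) {
            // NOTE(review): the underlying message is copied into the new exception text;
            // confirm Vault error messages carry nothing that should stay out of the UI.
            throw new DBException("Error reading Vault secret: " + e.getMessage(), e);
        }
    }

    /**
     * Resolves the Vault client token for the given configuration.
     *
     * <p>For auth type {@code TOKEN} the configured token is returned as is (it may be
     * {@code null}). For every other type a non-expired token cached in the persistent
     * session is reused; otherwise a login is performed and the new token is cached with an
     * expiration of "time before login + lease duration".
     *
     * @throws DBException when no persistent session exists, required settings are missing,
     *     or no login path produced an authentication response
     * @throws VaultException when the Vault login call fails
     */
    @Nullable
    private String resolveVaultToken(@NotNull DBRProgressMonitor monitor, @NotNull VaultConfig vaultConfig, @NotNull VaultParametersProviderConfiguration config, @NotNull DataSourceDescriptorPRO dataSource) throws DBException, VaultException {
        VaultParametersProviderConfiguration.AuthType authType = config.getAuthType();
        if (authType == VaultParametersProviderConfiguration.AuthType.TOKEN) {
            return config.getToken();
        }
        SMSessionPersistent session = SMAuthUtils.findSessionPersistent(monitor, dataSource.getProject());
        if (session == null) {
            throw new DBException("No persistent session was found for " + dataSource.getProject().getDisplayName());
        }
        String attributeKey = buildTokenAttributeKey(config);
        VaultTokenAdapter cached = (VaultTokenAdapter) session.getAttribute(attributeKey);
        if (cached != null && !cached.isExpired()) {
            return cached.userToken;
        }
        Vault vault = Vault.create(vaultConfig.build());
        // Taken before the login round trip, so the cached expiration never outlives the lease.
        Instant loginStarted = Instant.now();
        AuthResponse authResponse = null;
        if (authType == VaultParametersProviderConfiguration.AuthType.USERNAME_PASSWORD) {
            if (CommonUtils.isEmpty(config.getUsername()) || CommonUtils.isEmpty(config.getPassword())) {
                throw new DBException("Vault username or password not found");
            }
            authResponse = vault.auth().loginByUserPass(config.getUsername(), config.getPassword());
        } else if (authType == VaultParametersProviderConfiguration.AuthType.JWT || authType == VaultParametersProviderConfiguration.AuthType.OAUTH2) {
            authResponse = loginWithJwt(vault, config, session);
        }
        if (authResponse == null) {
            throw new DBException("Not authenticated in Vault");
        }
        String clientToken = authResponse.getAuthClientToken();
        session.setAttribute(attributeKey, new VaultTokenAdapter(clientToken, loginStarted.plusSeconds(authResponse.getAuthLeaseDuration())));
        return clientToken;
    }

    /**
     * Logs in to Vault with a JWT: the session's "jwt-token" attribute for auth type
     * {@code JWT}, or a token freshly obtained through the OAuth handler for {@code OAUTH2}.
     * The Vault role is read from the session's "user.attributes" map under the configured
     * role claim; without a claim or a value, {@code null} is passed as the role.
     */
    private AuthResponse loginWithJwt(@NotNull Vault vault, @NotNull VaultParametersProviderConfiguration config, @NotNull SMSessionPersistent session) throws DBException, VaultException {
        String role = null;
        String jwt = CommonUtils.toString(SMAuthUtils.findAuthAttribute(session, "jwt-token"));
        if (CommonUtils.isNotEmpty(config.getVaultRoleClaim())) {
            Map<?, ?> userAttributes = (Map<?, ?>) SMAuthUtils.findAuthAttribute(session, "user.attributes");
            if (userAttributes != null) {
                role = CommonUtils.toString(userAttributes.get(config.getVaultRoleClaim()));
            }
        }
        if (config.getAuthType() == VaultParametersProviderConfiguration.AuthType.OAUTH2) {
            // The client secret is not part of this check and may be empty.
            if (CommonUtils.isEmpty(config.getSsoClientId()) || CommonUtils.isEmpty(config.getSsoAuthEndpointURL()) || CommonUtils.isEmpty(config.getSsoTokenEndpointURL())) {
                throw new DBException("Invalid OAuth configuration");
            }
            try {
                OAuthHandler oauthHandler = new OAuthHandler(config.getSsoClientId(), config.getSsoClientSecret(), config.getSsoAuthEndpointURL(), config.getSsoTokenEndpointURL(), config.getSsoCallbackPort());
                // In OAuth2 mode the freshly issued token replaces the session's JWT.
                jwt = (String) oauthHandler.authorize().get("token");
            } catch (IOException e) {
                throw new DBException("Error while getting auth token", e);
            }
        }
        if (CommonUtils.isEmpty(jwt)) {
            throw new DBException("JWT token not found for Vault authentication");
        }
        role = CommonUtils.nullIfEmpty(role);
        // Parenthesised on purpose: without it the conditional swallowed the rest of the
        // message and only "Default provider " was logged when no role was set.
        // NOTE(review): the session id is written to the log at info level - confirm it is
        // not usable as a credential, and that the role value needs no sanitising.
        log.info((role == null ? "Default provider" : role) + " role will be used for vault authentication in session " + session.getSessionId());
        return vault.auth().loginByJwt(config.getVaultJwtProviderId(), role, jwt);
    }

    /** Builds the session attribute key of the token cached for the given configuration. */
    private String buildTokenAttributeKey(@NotNull VaultParametersProviderConfiguration config) {
        return VAULT_TOKEN_ATTRIBUTE + config.getConfigurationId();
    }

    /**
     * Creates a configuration with an empty identifier.
     *
     * <p>The decompiler renamed this method from {@code createDefaultConfiguration} when it
     * merged it with its bridge method; the {@code m1} prefix is not part of the original
     * name.
     */
    public VaultParametersProviderConfiguration m1createDefaultConfiguration() {
        return new VaultParametersProviderConfiguration("");
    }

    /**
     * Drops the cached Vault token of the given configuration from the session, after the
     * superclass has done its own invalidation. Nothing is removed unless the session is
     * persistent and the configuration is a Vault provider configuration.
     */
    public void invalidateCredentials(@NotNull SMSession sMSession, @NotNull DBPParametersConfiguration dBPParametersConfiguration) throws DBException {
        super.invalidateCredentials(sMSession, dBPParametersConfiguration);
        if (!(sMSession instanceof SMSessionPersistent) || !(dBPParametersConfiguration instanceof VaultParametersProviderConfiguration)) {
            return;
        }
        String attributeKey = buildTokenAttributeKey((VaultParametersProviderConfiguration) dBPParametersConfiguration);
        ((SMSessionPersistent) sMSession).removeAttribute(attributeKey);
    }
}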
