package org.springframework.vault.authentication;

import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.AuthenticationSteps;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/CubbyholeAuthentication.class */
public class CubbyholeAuthentication implements ClientAuthentication, AuthenticationStepsFactory {
    private static final Log logger = LogFactory.getLog(CubbyholeAuthentication.class);
    private final CubbyholeAuthenticationOptions options;
    private final RestOperations restOperations;

    public CubbyholeAuthentication(CubbyholeAuthenticationOptions cubbyholeAuthenticationOptions, RestOperations restOperations) {
        Assert.notNull(cubbyholeAuthenticationOptions, "CubbyholeAuthenticationOptions must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        this.options = cubbyholeAuthenticationOptions;
        this.restOperations = restOperations;
    }

    public static AuthenticationSteps createAuthenticationSteps(CubbyholeAuthenticationOptions cubbyholeAuthenticationOptions) {
        Assert.notNull(cubbyholeAuthenticationOptions, "CubbyholeAuthenticationOptions must not be null");
        String requestPath = getRequestPath(cubbyholeAuthenticationOptions);
        HttpMethod requestMethod = getRequestMethod(cubbyholeAuthenticationOptions);
        return AuthenticationSteps.fromHttpRequest(AuthenticationSteps.HttpRequestBuilder.method(requestMethod, requestPath, new String[0]).with(getRequestEntity(cubbyholeAuthenticationOptions)).as(VaultResponse.class)).login(vaultResponse -> {
            return getToken(cubbyholeAuthenticationOptions, vaultResponse, requestPath);
        });
    }

    @Override // org.springframework.vault.authentication.ClientAuthentication
    public VaultToken login() throws VaultException {
        String requestPath = getRequestPath(this.options);
        VaultToken token = getToken(this.options, lookupToken(requestPath), requestPath);
        if (shouldEnhanceTokenWithSelfLookup(token)) {
            token = new LoginTokenAdapter(new TokenAuthentication(token), this.restOperations).login();
        }
        logger.debug("Login successful using Cubbyhole authentication");
        return token;
    }

    @Override // org.springframework.vault.authentication.AuthenticationStepsFactory
    public AuthenticationSteps getAuthenticationSteps() {
        return createAuthenticationSteps(this.options);
    }

    @Nullable
    private VaultResponse lookupToken(String str) {
        try {
            ResponseEntity exchange = this.restOperations.exchange(str, getRequestMethod(this.options), getRequestEntity(this.options), VaultResponse.class, new Object[0]);
            Assert.state(exchange.getBody() != null, "Auth response must not be null");
            return (VaultResponse) exchange.getBody();
        } catch (RestClientException e) {
            throw VaultLoginException.create("Cubbyhole", e);
        }
    }

    private boolean shouldEnhanceTokenWithSelfLookup(VaultToken vaultToken) {
        if (this.options.isSelfLookup()) {
            return ((vaultToken instanceof LoginToken) && ((LoginToken) vaultToken).getLeaseDuration().isZero()) ? false : true;
        }
        return false;
    }

    private static HttpEntity<Object> getRequestEntity(CubbyholeAuthenticationOptions cubbyholeAuthenticationOptions) {
        return new HttpEntity<>(VaultHttpHeaders.from(cubbyholeAuthenticationOptions.getInitialToken()));
    }

    private static HttpMethod getRequestMethod(CubbyholeAuthenticationOptions cubbyholeAuthenticationOptions) {
        return cubbyholeAuthenticationOptions.isWrappedToken() ? cubbyholeAuthenticationOptions.getUnwrappingEndpoints().getUnwrapRequestMethod() : HttpMethod.GET;
    }

    private static String getRequestPath(CubbyholeAuthenticationOptions cubbyholeAuthenticationOptions) {
        return cubbyholeAuthenticationOptions.isWrappedToken() ? cubbyholeAuthenticationOptions.getUnwrappingEndpoints().getPath() : cubbyholeAuthenticationOptions.getPath();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static VaultToken getToken(CubbyholeAuthenticationOptions cubbyholeAuthenticationOptions, VaultResponse vaultResponse, String str) {
        if (cubbyholeAuthenticationOptions.isWrappedToken()) {
            VaultResponse unwrap = cubbyholeAuthenticationOptions.getUnwrappingEndpoints().unwrap(vaultResponse);
            Assert.state(unwrap.getAuth() != null, "Auth field must not be null");
            return LoginTokenUtil.from(unwrap.getAuth());
        }
        Map<String, Object> data = vaultResponse.getData();
        if (data == null || data.isEmpty()) {
            throw new VaultLoginException(String.format("Cannot retrieve Token from Cubbyhole: Response at %s does not contain a token", cubbyholeAuthenticationOptions.getPath()));
        }
        if (data.size() == 1) {
            return VaultToken.of((String) data.get(data.keySet().iterator().next()));
        }
        throw new VaultLoginException(String.format("Cannot retrieve Token from Cubbyhole: Response at %s does not contain an unique token", str));
    }
}
