package org.apache.camel.component.aws.secretsmanager.vault;

import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.camel.CamelContext;
import org.apache.camel.CamelContextAware;
import org.apache.camel.RuntimeCamelException;
import org.apache.camel.component.aws.secretsmanager.SecretsManagerPropertiesFunction;
import org.apache.camel.spi.ContextReloadStrategy;
import org.apache.camel.spi.PropertiesFunction;
import org.apache.camel.spi.annotations.PeriodicTask;
import org.apache.camel.support.PatternHelper;
import org.apache.camel.support.service.ServiceSupport;
import org.apache.camel.util.ObjectHelper;
import org.apache.camel.vault.AwsVaultConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cloudtrail.CloudTrailClient;
import software.amazon.awssdk.services.cloudtrail.CloudTrailClientBuilder;
import software.amazon.awssdk.services.cloudtrail.model.Event;
import software.amazon.awssdk.services.cloudtrail.model.LookupAttribute;
import software.amazon.awssdk.services.cloudtrail.model.LookupAttributeKey;
import software.amazon.awssdk.services.cloudtrail.model.LookupEventsRequest;
import software.amazon.awssdk.services.cloudtrail.model.Resource;

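/**
 * Periodic task that polls AWS CloudTrail for {@code PutSecretValue} events emitted by
 * Secrets Manager and, when one of the configured secrets was updated, asks the
 * {@link ContextReloadStrategy} registered in the {@link CamelContext} to reload it.
 * <p>
 * Credentials and region for the CloudTrail client are taken from the
 * {@code CAMEL_VAULT_AWS_*} environment variables; only when access key, secret key and
 * region are all absent from the environment is the {@link AwsVaultConfiguration} of the
 * context consulted instead. The task only ever logs secret <em>names</em>; secret values
 * are never read here.
 * <p>
 * NOTE(review): {@link #run()} mutates {@code updates} without synchronization while
 * {@link #getUpdates()} hands out a live (read-only) view of the same map, so iterating that
 * view while a run is in progress is not safe; treat it as a best-effort snapshot.
 */
@PeriodicTask("aws-secret-refresh")
public class CloudTrailReloadTriggerTask extends ServiceSupport implements CamelContextAware, Runnable {
    private static final String CAMEL_AWS_VAULT_ACCESS_KEY_ENV = "CAMEL_VAULT_AWS_ACCESS_KEY";
    private static final String CAMEL_AWS_VAULT_SECRET_KEY_ENV = "CAMEL_VAULT_AWS_SECRET_KEY";
    private static final String CAMEL_AWS_VAULT_REGION_ENV = "CAMEL_VAULT_AWS_REGION";
    private static final String CAMEL_AWS_VAULT_USE_DEFAULT_CREDENTIALS_PROVIDER_ENV = "CAMEL_VAULT_AWS_USE_DEFAULT_CREDENTIALS_PROVIDER";
    private static final String CAMEL_AWS_VAULT_USE_PROFILE_CREDENTIALS_PROVIDER_ENV = "CAMEL_VAULT_AWS_USE_PROFILE_CREDENTIALS_PROVIDER";
    // Note the different prefix from the other variables; kept as-is because it is part of the configuration contract.
    private static final String CAMEL_AWS_VAULT_PROFILE_NAME_ENV = "CAMEL_AWS_VAULT_PROFILE_NAME";
    private static final Logger LOG = LoggerFactory.getLogger(CloudTrailReloadTriggerTask.class);
    // CloudTrail event source and event name that identify a Secrets Manager secret update.
    private static final String SECRETSMANAGER_AMAZONAWS_COM = "secretsmanager.amazonaws.com";
    private static final String SECRETSMANAGER_UPDATE_EVENT = "PutSecretValue";
    // Only the first page of CloudTrail results is ever inspected (no nextToken pagination).
    private static final int MAX_EVENTS_PER_LOOKUP = 100;

    private CamelContext camelContext;
    // Comma-separated secret ids/patterns from the vault configuration; may be null or empty.
    private String secrets;
    private CloudTrailClient cloudTrailClient;
    // Optional: the "aws" properties function, which knows which secrets were resolved at startup.
    private SecretsManagerPropertiesFunction propertiesFunction;
    // Timestamp of the newest event seen so far; used as the lower bound of the next lookup.
    private volatile Instant lastTime;
    private volatile Instant lastCheckTime;
    private volatile Instant lastReloadTime;
    private boolean reloadEnabled = true;
    // Secret name -> time of the last detected update for it.
    private final Map<String, Instant> updates = new HashMap<>();

    @Override
    public CamelContext getCamelContext() {
        return camelContext;
    }

    @Override
    public void setCamelContext(CamelContext camelContext) {
        this.camelContext = camelContext;
    }

    /**
     * Whether a detected secret update should trigger a context reload (default {@code true}).
     * When disabled, updates are still recorded in {@link #getUpdates()}.
     */
    public boolean isReloadEnabled() {
        return reloadEnabled;
    }

    public void setReloadEnabled(boolean reloadEnabled) {
        this.reloadEnabled = reloadEnabled;
    }

    /**
     * @return a read-only view of the secrets for which an update was detected, keyed by
     *         secret name, with the CloudTrail event time as value
     */
    public Map<String, Instant> getUpdates() {
        return Collections.unmodifiableMap(updates);
    }

    /** @return when {@link #run()} last started, or {@code null} if it never ran */
    public Instant getLastCheckTime() {
        return lastCheckTime;
    }

    /** @return when a reload was last triggered, or {@code null} if none was */
    public Instant getLastReloadTime() {
        return lastReloadTime;
    }

    /**
     * Resolves the secrets to watch and builds the CloudTrail client.
     *
     * @throws IllegalArgumentException if neither secrets nor an {@code aws} properties function is configured
     * @throws RuntimeCamelException    if no usable AWS credentials/region combination is configured
     */
    @Override
    protected void doStart() throws Exception {
        super.doStart();
        ObjectHelper.notNull(camelContext, "CamelContext");

        PropertiesFunction pf = camelContext.getPropertiesComponent().getPropertiesFunction("aws");
        if (pf instanceof SecretsManagerPropertiesFunction) {
            propertiesFunction = (SecretsManagerPropertiesFunction) pf;
            LOG.debug("Auto-detecting secrets from properties-function: {}", pf.getName());
        }
        secrets = camelContext.getVaultConfiguration().aws().getSecrets();
        if (ObjectHelper.isEmpty(secrets) && propertiesFunction == null) {
            throw new IllegalArgumentException("Secrets must be configured on AWS vault configuration");
        }

        String accessKey = System.getenv(CAMEL_AWS_VAULT_ACCESS_KEY_ENV);
        String secretKey = System.getenv(CAMEL_AWS_VAULT_SECRET_KEY_ENV);
        String region = System.getenv(CAMEL_AWS_VAULT_REGION_ENV);
        boolean useDefaultCredentialsProvider
                = Boolean.parseBoolean(System.getenv(CAMEL_AWS_VAULT_USE_DEFAULT_CREDENTIALS_PROVIDER_ENV));
        boolean useProfileCredentialsProvider
                = Boolean.parseBoolean(System.getenv(CAMEL_AWS_VAULT_USE_PROFILE_CREDENTIALS_PROVIDER_ENV));
        String profileName = System.getenv(CAMEL_AWS_VAULT_PROFILE_NAME_ENV);

        // The environment takes precedence; the vault configuration is only used when none of
        // the three core settings is present in the environment (a partial env set is NOT merged).
        if (ObjectHelper.isEmpty(accessKey) && ObjectHelper.isEmpty(secretKey) && ObjectHelper.isEmpty(region)) {
            AwsVaultConfiguration aws = getCamelContext().getVaultConfiguration().aws();
            if (ObjectHelper.isNotEmpty(aws)) {
                accessKey = aws.getAccessKey();
                secretKey = aws.getSecretKey();
                region = aws.getRegion();
                useDefaultCredentialsProvider = aws.isDefaultCredentialsProvider();
                useProfileCredentialsProvider = aws.isProfileCredentialsProvider();
                profileName = aws.getProfileName();
            }
        }

        cloudTrailClient = createCloudTrailClient(accessKey, secretKey, region,
                useDefaultCredentialsProvider, useProfileCredentialsProvider, profileName);
    }

    /**
     * Builds the CloudTrail client from the resolved settings, trying static credentials,
     * then the SDK default credentials chain, then a named profile, in that order.
     *
     * @throws RuntimeCamelException if none of the three modes is fully configured
     */
    private static CloudTrailClient createCloudTrailClient(
            String accessKey, String secretKey, String region,
            boolean useDefaultCredentialsProvider, boolean useProfileCredentialsProvider, String profileName) {
        if (ObjectHelper.isNotEmpty(accessKey) && ObjectHelper.isNotEmpty(secretKey) && ObjectHelper.isNotEmpty(region)) {
            // Static credentials: all three values are required.
            CloudTrailClientBuilder builder = CloudTrailClient.builder()
                    .credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey)));
            builder.region(Region.of(region));
            return builder.build();
        }
        if (useDefaultCredentialsProvider && ObjectHelper.isNotEmpty(region)) {
            // SDK default credentials chain (env, profile, instance/container role, ...); only the region is needed.
            CloudTrailClientBuilder builder = CloudTrailClient.builder();
            builder.region(Region.of(region));
            return builder.build();
        }
        if (useProfileCredentialsProvider && ObjectHelper.isNotEmpty(profileName)) {
            // Fail with a clear message instead of letting Region.of(null) blow up deep inside the SDK.
            if (ObjectHelper.isEmpty(region)) {
                throw new RuntimeCamelException(
                        "Using the AWS Secrets Refresh Task with a profile credentials provider requires setting the AWS region");
            }
            CloudTrailClientBuilder builder = CloudTrailClient.builder();
            builder.credentialsProvider(ProfileCredentialsProvider.create(profileName));
            builder.region(Region.of(region));
            return builder.build();
        }
        throw new RuntimeCamelException(
                "Using the AWS Secrets Refresh Task requires setting AWS credentials as application properties or environment variables");
    }

    /** Closes the CloudTrail client (best effort) and forgets recorded updates. */
    @Override
    protected void doShutdown() throws Exception {
        super.doShutdown();
        if (cloudTrailClient != null) {
            try {
                cloudTrailClient.close();
            } catch (Exception e) {
                // Shutdown must proceed regardless, but do not hide the failure completely.
                LOG.debug("Error closing CloudTrail client. This exception is ignored.", e);
            }
            cloudTrailClient = null;
        }
        updates.clear();
    }

    /**
     * One polling round: looks up recent Secrets Manager events in CloudTrail, records every
     * matching secret in {@link #getUpdates()} and triggers a context reload if at least one
     * match was found and reloading is enabled. Any failure is logged and swallowed so the
     * next scheduled run can retry.
     */
    @Override
    public void run() {
        lastCheckTime = Instant.now();
        boolean triggerReloading = false;
        try {
            LookupEventsRequest.Builder request = LookupEventsRequest.builder()
                    .maxResults(MAX_EVENTS_PER_LOOKUP)
                    .lookupAttributes(LookupAttribute.builder()
                            .attributeKey(LookupAttributeKey.EVENT_SOURCE)
                            .attributeValue(SECRETSMANAGER_AMAZONAWS_COM)
                            .build());
            if (lastTime != null) {
                // Skip everything up to one second past the newest event already processed.
                // NOTE(review): events inside that one-second window are never revisited — confirm
                // this matches CloudTrail's event-time granularity.
                request.startTime(lastTime.plusMillis(1000L));
            }
            List<Event> events = cloudTrailClient.lookupEvents(request.build()).events();
            if (!events.isEmpty()) {
                // Presumably the first event is the newest (CloudTrail lists newest first) — verify.
                lastTime = events.get(0).eventTime();
            }
            // NOTE(review): only one page of MAX_EVENTS_PER_LOOKUP events is inspected; a burst of
            // more Secrets Manager events between two runs would leave older updates undetected.
            LOG.debug("Found {} events", events.size());
            for (Event event : events) {
                if (isSecretUpdateEvent(event) && recordUpdates(event)) {
                    triggerReloading = true;
                }
            }
        } catch (Exception e) {
            LOG.warn("Error during AWS Secrets Refresh Task due to {}. This exception is ignored. Will try again on next run.",
                    e.getMessage(), e);
        }
        if (!triggerReloading) {
            return;
        }
        ContextReloadStrategy reload = camelContext.hasService(ContextReloadStrategy.class);
        if (reload != null) {
            lastReloadTime = Instant.now();
            reload.onReload(this);
        }
    }

    /** @return true if the event is a Secrets Manager {@code PutSecretValue} event (null-safe). */
    private static boolean isSecretUpdateEvent(Event event) {
        return SECRETSMANAGER_AMAZONAWS_COM.equalsIgnoreCase(event.eventSource())
                && SECRETSMANAGER_UPDATE_EVENT.equalsIgnoreCase(event.eventName());
    }

    /**
     * Records every resource of the event whose name matches a configured secret.
     * Iterates all resources (the previous loop never terminated once the iterator was exhausted).
     *
     * @return true if at least one resource matched and reloading is enabled
     */
    private boolean recordUpdates(Event event) {
        boolean trigger = false;
        for (Resource resource : event.resources()) {
            String name = resource.resourceName();
            if (matchSecret(name)) {
                updates.put(name, event.eventTime());
                if (isReloadEnabled()) {
                    LOG.info("Update for AWS secret: {} detected, triggering CamelContext reload", name);
                    trigger = true;
                }
            }
        }
        return trigger;
    }

    /**
     * Whether the given CloudTrail resource name refers to one of the watched secrets.
     * A configured id matches if it is a substring of the resource name or if it matches it as a
     * {@link PatternHelper} pattern; this is deliberately broad, so a short id can match several secrets.
     * Blank entries in the comma-separated list are ignored (a blank id would otherwise match everything).
     *
     * @param resourceName the resource name from the CloudTrail event; {@code null} never matches
     */
    protected boolean matchSecret(String resourceName) {
        if (resourceName == null) {
            return false;
        }
        Set<String> ids = new HashSet<>();
        if (ObjectHelper.isNotEmpty(secrets)) {
            for (String part : secrets.split(",")) {
                String id = part.trim();
                if (!id.isEmpty()) {
                    ids.add(id);
                }
            }
        }
        if (propertiesFunction != null) {
            ids.addAll(propertiesFunction.getSecrets());
        }
        for (String id : ids) {
            boolean match = resourceName.contains(id) || PatternHelper.matchPattern(resourceName, id);
            LOG.trace("Matching secret id: {}={} -> {}", resourceName, id, match);
            if (match) {
                return true;
            }
        }
        return false;
    }

    @Override
    public String toString() {
        return "AWS Secrets Refresh Task";
    }
}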
