package org.apache.hadoop.ozone.s3.remote.vault;

import com.bettercloud.vault.SslConfig;
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.LogicalResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ozone.om.S3Batcher;
import org.apache.hadoop.ozone.om.S3SecretStore;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.s3.remote.S3SecretRemoteStoreConfigurationKeys;
import org.apache.hadoop.ozone.s3.remote.vault.auth.Auth;
import org.apache.hadoop.ozone.s3.remote.vault.auth.AuthType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/s3/remote/vault/VaultS3SecretStore.class */
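/**
 * {@link S3SecretStore} that keeps S3 secrets in a HashiCorp Vault logical backend.
 *
 * <p>Each secret is written under {@code <secretPath>/<id>} as a single-entry map
 * {@code id -> awsSecret}. Every Vault call goes through {@link #callWithReAuth(RestCall)},
 * which logs in again and retries once when Vault answers with 400, 401 or 403.
 *
 * <p>NOTE(review): {@code vault} is a plain mutable field that is replaced on re-login with no
 * synchronization visible in this class. Confirm how callers share an instance across threads.
 *
 * <p>NOTE(review): the id is concatenated into the Vault path without validation. An id
 * containing {@code '/'} addresses a nested path, so confirm that callers only pass ids that
 * have already been authenticated.
 */
public class VaultS3SecretStore implements S3SecretStore {
    private static final Logger LOG = LoggerFactory.getLogger(VaultS3SecretStore.class);
    private final VaultConfig config;
    // Current authenticated client; replaced by auth() when a call reports an auth failure.
    private Vault vault;
    // Base path inside Vault, stored without a trailing '/'.
    private final String secretPath;
    private final Auth auth;

    /**
     * A single Vault REST operation that can be re-issued after a fresh login.
     *
     * <p>The decompiler reports that this interface was originally {@code private}. It is kept
     * {@code public} here so the listing's visible interface does not change.
     */
    public interface RestCall {
        LogicalResponse call() throws VaultException;
    }

    /**
     * Builds the Vault configuration and performs the initial login.
     *
     * @param str Vault server address
     * @param str2 Vault namespace
     * @param str3 base path for secrets; one trailing {@code '/'} is stripped
     * @param i KV engine version
     * @param auth login strategy used now and on every re-authentication
     * @param sslConfig TLS settings handed to the Vault client
     * @throws IOException if the configuration cannot be built or the initial login fails
     * @throws NullPointerException if {@code str3} or {@code auth} is null
     */
    public VaultS3SecretStore(String str, String str2, String str3, int i, Auth auth, SslConfig sslConfig) throws IOException {
        // Validate before contacting Vault: the original logged in first and only then failed
        // with a message-less NPE on a missing path, after a token had already been requested.
        if (auth == null) {
            throw new NullPointerException("auth must not be null");
        }
        if (str3 == null) {
            throw new NullPointerException("secretPath must not be null");
        }
        this.auth = auth;
        this.secretPath = str3.endsWith("/") ? str3.substring(0, str3.length() - 1) : str3;
        try {
            this.config = new VaultConfig()
                    .address(str)
                    .engineVersion(Integer.valueOf(i))
                    .nameSpace(str2)
                    .sslConfig(sslConfig)
                    .build();
            this.vault = auth.auth(this.config);
        } catch (VaultException e) {
            throw new IOException("Failed to initialize remote secret store", e);
        }
    }

    /** Logs in again and swaps in the new client. */
    private void auth() throws VaultException {
        this.vault = this.auth.auth(this.config);
    }

    /** Returns the Vault path for {@code id}: {@code secretPath + '/' + id}, with no escaping. */
    private String pathFor(String id) {
        return this.secretPath + '/' + id;
    }

    /**
     * Writes the AWS secret of {@code s3SecretValue} to Vault under {@code str}.
     *
     * <p>Only the exception is passed to the logger on failure; the secret value is not.
     *
     * @param str id used both as the last path segment and as the key of the stored entry
     * @param s3SecretValue holder whose {@code getAwsSecret()} value is stored
     * @throws IOException if the Vault call fails, including after a re-login
     */
    public void storeSecret(String str, S3SecretValue s3SecretValue) throws IOException {
        try {
            callWithReAuth(() -> this.vault.logical().write(
                    pathFor(str), Collections.singletonMap(str, s3SecretValue.getAwsSecret())));
        } catch (VaultException e) {
            LOG.error("Failed to store secret", e);
            throw new IOException("Failed to store secret", e);
        }
    }

    /**
     * Reads the secret stored for {@code str}.
     *
     * @param str id used as the last path segment and as the key looked up in the response
     * @return the secret, or {@code null} when the response has no data or no entry for
     *     {@code str}
     * @throws IOException if the Vault call fails, including after a re-login
     */
    public S3SecretValue getSecret(String str) throws IOException {
        try {
            Map<String, String> data =
                    callWithReAuth(() -> this.vault.logical().read(pathFor(str))).getData();
            if (data == null) {
                return null;
            }
            String awsSecret = data.get(str);
            return awsSecret == null ? null : new S3SecretValue(str, awsSecret);
        } catch (VaultException e) {
            LOG.error("Failed to read secret", e);
            throw new IOException("Failed to read secret", e);
        }
    }

    /**
     * Deletes the Vault entry for {@code str}.
     *
     * @param str id whose path is deleted
     * @throws IOException if the Vault call fails, including after a re-login
     */
    public void revokeSecret(String str) throws IOException {
        try {
            callWithReAuth(() -> this.vault.logical().delete(pathFor(str)));
        } catch (VaultException e) {
            LOG.error("Failed to delete secret", e);
            throw new IOException("Failed to revoke secret", e);
        }
    }

    /**
     * Runs {@code restCall}; on an auth-failure status it logs in again and retries exactly once.
     *
     * <p>Statuses other than 400/401/403 are returned to the caller unchecked by this method.
     *
     * @throws VaultException if the retry still reports an auth-failure status, or if the call
     *     or the re-login itself throws
     */
    private LogicalResponse callWithReAuth(RestCall restCall) throws VaultException {
        LogicalResponse response = restCall.call();
        if (!isAuthFailed(response.getRestResponse().getStatus())) {
            return response;
        }
        auth();
        response = restCall.call();
        int status = response.getRestResponse().getStatus();
        if (isAuthFailed(status)) {
            throw new VaultException("Failed to re-authenticate", status);
        }
        return response;
    }

    /**
     * Returns whether an HTTP status is treated as an authentication failure.
     *
     * <p>NOTE(review): 400 is included, so a request rejected as malformed also triggers one
     * re-login and, if it repeats, surfaces as "Failed to re-authenticate". Confirm this is
     * intended, as it can hide the real cause during triage.
     */
    private static boolean isAuthFailed(int i) {
        return i == 403 || i == 401 || i == 400;
    }

    /**
     * Always returns {@code null}.
     *
     * <p>NOTE(review): presumably this signals that batching is unsupported. Callers must
     * null-check the result.
     */
    public S3Batcher batcher() {
        return null;
    }

    /**
     * Creates a store from Hadoop configuration.
     *
     * <p>Address, namespace, secret path and auth type are read from
     * {@link S3SecretRemoteStoreConfigurationKeys}; the engine version defaults to 1. Trust-store
     * and key-store settings are applied only when the corresponding type key is set.
     *
     * <p>NOTE(review): the store passwords are read with {@code Configuration.get}, i.e. as
     * plain configuration values. Consider {@code Configuration.getPassword}, which also consults
     * Hadoop credential providers, and confirm that plaintext in the config file is acceptable.
     *
     * @throws IOException if building the store fails
     */
    public static VaultS3SecretStore fromConf(Configuration configuration) throws IOException {
        VaultS3SecretStoreBuilder storeBuilder = builder()
                .setAuth(AuthType.fromConf(configuration))
                .setAddress(configuration.get(S3SecretRemoteStoreConfigurationKeys.ADDRESS))
                .setNameSpace(configuration.get(S3SecretRemoteStoreConfigurationKeys.NAMESPACE))
                .setSecretPath(configuration.get(S3SecretRemoteStoreConfigurationKeys.SECRET_PATH))
                .setEngineVersion(configuration.getInt(S3SecretRemoteStoreConfigurationKeys.ENGINE_VER, 1));

        String trustStoreType = configuration.get(S3SecretRemoteStoreConfigurationKeys.TRUST_STORE_TYPE);
        if (trustStoreType != null) {
            storeBuilder.setTrustStoreType(trustStoreType)
                    .setTrustStore(configuration.get(S3SecretRemoteStoreConfigurationKeys.TRUST_STORE_PATH))
                    .setTrustStorePassword(configuration.get(S3SecretRemoteStoreConfigurationKeys.TRUST_STORE_PASSWORD));
        }

        String keyStoreType = configuration.get(S3SecretRemoteStoreConfigurationKeys.KEY_STORE_TYPE);
        if (keyStoreType != null) {
            storeBuilder.setKeyStoreType(keyStoreType)
                    .setKeyStore(configuration.get(S3SecretRemoteStoreConfigurationKeys.KEY_STORE_PATH))
                    .setKeyStorePassword(configuration.get(S3SecretRemoteStoreConfigurationKeys.KEY_STORE_PASSWORD));
        }
        return storeBuilder.build();
    }

    /** Returns a new, empty builder for this store. */
    public static VaultS3SecretStoreBuilder builder() {
        return new VaultS3SecretStoreBuilder();
    }
}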
