package _ss_com.streamsets.datacollector.vault;

import _ss_com.com.google.common.hash.HashFunction;
import _ss_com.com.google.common.hash.Hasher;
import _ss_com.com.google.common.hash.Hashing;
import _ss_com.streamsets.datacollector.util.Configuration;
import _ss_com.streamsets.datacollector.vault.api.VaultException;
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.util.URIUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:_ss_com/streamsets/datacollector/vault/Vault.class */
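/**
 * Static facade over a Vault client: authenticates with the configured app-id and a
 * machine-derived user-id, caches secrets by path, and renews or purges their leases on a
 * single background thread.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Secrets and the client token are held in process memory for as long as their cache
 *       entry lives; eviction depends on {@link #getPath(String)} mapping a lease key back to
 *       the exact cache key.</li>
 *   <li>NOTE(review): Vault's App-ID auth method is deprecated upstream in favour of AppRole;
 *       confirm the target Vault server still offers it.</li>
 * </ul>
 */
public class Vault {
    private static final String VAULT_ADDR = "vault.addr";
    private static String appId;
    // Replaced by getConfig() on caller threads and read by the renewal thread, hence volatile.
    private static volatile VaultConfiguration config;
    // Seconds, as read from "vault.lease.expiration.buffer.sec".
    private static long leaseExpirationBuffer;
    // Epoch milliseconds at which the current auth token's lease ends; guarded by getConfig()'s lock.
    private static long authExpirationTime;
    // Seconds, as read from "vault.lease.renewal.interval.sec".
    private static long renewalInterval;
    private static final Logger LOG = LoggerFactory.getLogger(Vault.class);
    private static final HashFunction HASH_FUNCTION = Hashing.sha256();
    // Secret path -> cached secret.
    private static final ConcurrentMap<String, Secret> SECRETS = new ConcurrentHashMap<>();
    // Lease key (lease id, or "<path>/" for non-renewable secrets) -> expiry in epoch milliseconds.
    private static final ConcurrentMap<String, Long> LEASES = new ConcurrentHashMap<>();
    private static final ScheduledExecutorService EXECUTOR = Executors.newSingleThreadScheduledExecutor();
    // Never assigned in this class; when non-null it short-circuits calculateUserId().
    private static String userId = null;
    private static volatile boolean initialized = false;

    /**
     * Periodic task that drops leases about to expire and renews the remaining ones, evicting
     * the cached secret whenever its lease is dropped or cannot be renewed.
     */
    private static class VaultRenewalTask implements Runnable {
        private static final Logger LOG = LoggerFactory.getLogger(VaultRenewalTask.class);
        private final ConcurrentMap<String, Long> leases;
        private final ConcurrentMap<String, Secret> secrets;

        VaultRenewalTask(ConcurrentMap<String, Long> concurrentMap, ConcurrentMap<String, Secret> concurrentMap2) {
            this.leases = concurrentMap;
            this.secrets = concurrentMap2;
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                purgeExpiredLeases();
                purgeFailedRenewals(renewLeases());
            } catch (Throwable th) {
                // Deliberately broad: an exception escaping a scheduleWithFixedDelay task
                // cancels every later run, which would silently stop lease renewal.
                LOG.error("Error in lease renewer: {}", th.toString(), th);
            }
            LOG.debug("Completed lease renewal.");
        }

        /** Forgets every lease whose renewal attempt failed. */
        private void purgeFailedRenewals(List<String> list) {
            for (String leaseKey : list) {
                LOG.debug("Removing lease '{}' as expired.", leaseKey);
                this.leases.remove(leaseKey);
            }
        }

        /**
         * Attempts to renew every tracked lease.
         *
         * @return the lease keys whose renewal failed
         */
        private List<String> renewLeases() {
            List<String> failed = new ArrayList<>();
            for (Map.Entry<String, Long> entry : this.leases.entrySet()) {
                LOG.debug("Attempting renewal for leaseId '{}'", entry.getKey());
                if (!renewLease(this.secrets, entry.getKey())) {
                    failed.add(entry.getKey());
                }
            }
            return failed;
        }

        /**
         * Renews one lease and records its new expiry; on failure evicts the cached secret so
         * that the next read fetches a fresh one instead of serving a value whose lease lapsed.
         *
         * @return {@code true} if the lease was renewed
         */
        private boolean renewLease(Map<String, Secret> map, String str) {
            try {
                // NOTE(review): this uses the current config snapshot rather than getConfig(),
                // so an expired auth token is not refreshed here; renewal then fails and the
                // secret is evicted. Confirm that is the intended behaviour.
                Secret renew = new VaultClient(Vault.config).sys().lease().renew(str);
                LOG.debug("Renewed lease '{}' for '{}' seconds", renew.getLeaseId(), renew.getLeaseDuration());
                // 1000L forces long arithmetic: an int product overflows for lease durations
                // above roughly 24.8 days and would make the lease look already expired.
                this.leases.put(renew.getLeaseId(), System.currentTimeMillis() + (renew.getLeaseDuration() * 1000L));
                return true;
            } catch (VaultException | RuntimeException e) {
                LOG.error("Failed to renew lease for '{}'", str, e);
                map.remove(Vault.getPath(str));
                return false;
            }
        }

        /**
         * Drops every lease that expires within the configured buffer and evicts the secret
         * cached for it.
         */
        private void purgeExpiredLeases() {
            // The buffer is configured in seconds while lease expiries are epoch milliseconds.
            long bufferMillis = TimeUnit.SECONDS.toMillis(Vault.leaseExpirationBuffer);
            long now = System.currentTimeMillis();
            List<String> expired = new ArrayList<>(this.leases.size());
            for (Map.Entry<String, Long> entry : this.leases.entrySet()) {
                if (entry.getValue() - now <= bufferMillis) {
                    expired.add(entry.getKey());
                    this.secrets.remove(Vault.getPath(entry.getKey()));
                }
            }
            for (String leaseKey : expired) {
                this.leases.remove(leaseKey);
                LOG.debug("Removing lease '{}' as expired", leaseKey);
            }
        }
    }

    private Vault() {
    }

    /**
     * Returns the user-id presented to Vault: the preset {@code userId} if there is one,
     * otherwise the SHA-256 hash of the hardware (MAC) address of the interface bound to the
     * local host address.
     *
     * <p>A MAC address is not a secret: it is unsalted here and observable by other hosts on
     * the same network segment, so this value identifies the machine but should not be relied
     * on as the confidential half of the credential.
     *
     * @return the user-id as a hex string
     * @throws VaultRuntimeException if the local host, its interface or its hardware address
     *     cannot be determined
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static String calculateUserId() {
        if (userId != null) {
            return userId;
        }
        try {
            // Both lookups may legitimately return null (no interface bound to the address,
            // or an interface without a hardware address, e.g. loopback).
            NetworkInterface networkInterface = NetworkInterface.getByInetAddress(InetAddress.getLocalHost());
            byte[] hardwareAddress = networkInterface == null ? null : networkInterface.getHardwareAddress();
            if (hardwareAddress == null) {
                String message = "Could not compute Vault user-id: no hardware address available for the local host";
                LOG.error(message);
                throw new VaultRuntimeException(message);
            }
            Hasher newHasher = HASH_FUNCTION.newHasher(6);
            newHasher.putBytes(hardwareAddress);
            return newHasher.hash().toString();
        } catch (IOException e) {
            LOG.error("Could not compute Vault user-id: '{}'", e.toString(), e);
            throw new VaultRuntimeException("Could not compute Vault user-id: " + e.toString());
        }
    }

    /**
     * Returns the current Vault client token, authenticating first if the token is missing
     * or about to expire. The returned value is a bearer credential; callers should not log
     * or persist it.
     */
    public static String token() {
        return getConfig().getToken();
    }

    /**
     * Reads one key of the secret stored at the given path, with no delay after a fresh read.
     *
     * @param str the secret path
     * @param str2 the key within the secret's data
     * @return the value as a string
     */
    public static String read(String str, String str2) {
        return read(str, str2, 0L);
    }

    /**
     * Reads one key of the secret stored at the given path, fetching and caching the secret
     * on a cache miss.
     *
     * @param str the secret path, also used as the cache key
     * @param str2 the key within the secret's data
     * @param j milliseconds to sleep after a fresh read from Vault (not applied on cache hits)
     * @return the value as a string
     * @throws VaultRuntimeException if Vault is not initialized, the read fails, or the secret
     *     has no such key
     */
    public static String read(String str, String str2, long j) {
        if (!initialized) {
            throw new VaultRuntimeException("Cannot call read() until Vault is initialized.");
        }
        // Hold the secret in a local: the renewal thread may evict the cache entry at any
        // moment, so looking it up a second time could yield null.
        Secret secret = SECRETS.get(str);
        if (secret == null) {
            try {
                secret = new VaultClient(getConfig()).logical().read(str);
                // Non-renewable secrets have no usable lease id, so they are tracked as "<path>/".
                String leaseKey = secret.isRenewable() ? secret.getLeaseId() : str + URIUtil.SLASH;
                // 1000L forces long arithmetic; see renewLease for the overflow it avoids.
                LEASES.put(leaseKey, System.currentTimeMillis() + (secret.getLeaseDuration() * 1000L));
                SECRETS.put(str, secret);
                try {
                    Thread.sleep(j);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            } catch (VaultException e2) {
                LOG.error(e2.toString(), e2);
                throw new VaultRuntimeException(e2.toString());
            }
        }
        Object value = secret.getData() == null ? null : secret.getData().get(str2);
        if (value == null) {
            throw new VaultRuntimeException("Key '" + str2 + "' not found in Vault secret at '" + str + "'");
        }
        // Only the key name is logged, never the value.
        LOG.trace("Retrieved value for key '{}'", str2);
        return value.toString();
    }

    /**
     * Initializes the Vault integration from the runtime configuration and schedules the
     * lease-renewal task. Does nothing when {@code vault.addr} is absent or empty.
     *
     * @param configuration the runtime configuration to read the {@code vault.*} settings from
     */
    public static void loadRuntimeConfiguration(Configuration configuration) {
        if (!configuration.hasName(VAULT_ADDR) || configuration.get(VAULT_ADDR, "").isEmpty()) {
            return;
        }
        config = parseVaultConfigs(configuration);
        LOG.debug("Scheduling renewal every '{}' seconds.", renewalInterval);
        EXECUTOR.scheduleWithFixedDelay(new VaultRenewalTask(LEASES, SECRETS), renewalInterval, renewalInterval, TimeUnit.SECONDS);
        initialized = true;
    }

    /**
     * Maps a lease key back to the secret path used as the cache key by dropping the final
     * {@code '/'} and everything after it. Lease keys are either a lease id or
     * {@code "<path>/"}; a key without any slash is returned unchanged.
     *
     * <p>Eviction of cached secrets relies on this returning the path exactly: a result that
     * is one character short never matches a cache key, leaving the secret cached after its
     * lease has ended.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static String getPath(String str) {
        int lastSlash = str.lastIndexOf('/');
        return lastSlash < 0 ? str : str.substring(0, lastSlash);
    }

    /**
     * Returns the client configuration, authenticating with app-id/user-id first when the
     * token's lease has a second or less left. Synchronized so that concurrent callers do not
     * authenticate in parallel or observe a half-updated token/expiry pair.
     *
     * @throws VaultRuntimeException if authentication fails
     */
    private static synchronized VaultConfiguration getConfig() {
        if (authExpirationTime - System.currentTimeMillis() <= 1000) {
            try {
                Secret appId2 = new VaultClient(config).authenticate().appId(appId, calculateUserId());
                // 1000L forces long arithmetic so long-lived tokens do not overflow.
                authExpirationTime = System.currentTimeMillis() + (appId2.getAuth().getLeaseDuration() * 1000L);
                config = VaultConfigurationBuilder.newVaultConfiguration()
                        .fromVaultConfiguration(config)
                        .withToken(appId2.getAuth().getClientToken())
                        .build();
            } catch (VaultException e) {
                LOG.error(e.toString(), e);
                throw new VaultRuntimeException(e.toString());
            }
        }
        return config;
    }

    /**
     * Reads the {@code vault.*} settings into the static fields and builds the client
     * configuration.
     *
     * <p>Security notes: {@code vault.ssl.verify} defaults to {@code true}; setting it to
     * {@code false} removes server authentication from the connection over which the token
     * and secrets travel. The proxy and trust-store passwords are read as plain configuration
     * values, so the file that holds them needs restrictive permissions.
     *
     * @throws VaultRuntimeException if {@code vault.app.id} is missing or empty
     * @throws NumberFormatException if a numeric setting is not a valid number
     */
    private static VaultConfiguration parseVaultConfigs(Configuration configuration) {
        leaseExpirationBuffer = Long.parseLong(configuration.get("vault.lease.expiration.buffer.sec", "120"));
        renewalInterval = Long.parseLong(configuration.get("vault.lease.renewal.interval.sec", "60"));
        appId = configuration.get("vault.app.id", "");
        if (appId.isEmpty()) {
            throw new VaultRuntimeException("vault.app.id must be specified in sdc.properties");
        }
        config = VaultConfigurationBuilder.newVaultConfiguration()
                .withAddress(configuration.get(VAULT_ADDR, VaultConfigurationBuilder.DEFAULT_ADDRESS))
                .withOpenTimeout(Integer.parseInt(configuration.get("vault.open.timeout", "0")))
                .withProxyOptions(ProxyOptionsBuilder.newProxyOptions()
                        .withProxyAddress(configuration.get("vault.proxy.address", ""))
                        .withProxyPort(Integer.parseInt(configuration.get("vault.proxy.port", "8080")))
                        .withProxyUsername(configuration.get("vault.proxy.username", ""))
                        .withProxyPassword(configuration.get("vault.proxy.password", ""))
                        .build())
                .withReadTimeout(Integer.parseInt(configuration.get("vault.read.timeout", "0")))
                .withSslOptions(SslOptionsBuilder.newSslOptions()
                        .withEnabledProtocols(configuration.get("vault.ssl.enabled.protocols", "TLSv1.2,TLSv1.3"))
                        .withTrustStoreFile(configuration.get("vault.ssl.truststore.file", ""))
                        .withTrustStorePassword(configuration.get("vault.ssl.truststore.password", ""))
                        .withSslVerify(Boolean.parseBoolean(configuration.get("vault.ssl.verify", "true")))
                        .withSslTimeout(Integer.parseInt(configuration.get("vault.ssl.timeout", "0")))
                        .build())
                .withTimeout(Integer.parseInt(configuration.get("vault.timeout", "0")))
                .build();
        return config;
    }
}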
