package org.springframework.cloud.vault.config;

import java.net.URI;
import java.time.Duration;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.ListableBeanFactory;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.vault.config.VaultBootstrapConfiguration;
import org.springframework.cloud.vault.config.VaultProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.client.reactive.ClientHttpConnector;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AuthenticationStepsFactory;
import org.springframework.vault.authentication.AuthenticationStepsOperator;
import org.springframework.vault.authentication.CachingVaultTokenSupplier;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.ReactiveLifecycleAwareSessionManager;
import org.springframework.vault.authentication.ReactiveSessionManager;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.authentication.VaultTokenSupplier;
import org.springframework.vault.client.ReactiveVaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.ClientHttpConnectorFactory;
import org.springframework.vault.core.ReactiveVaultOperations;
import org.springframework.vault.core.ReactiveVaultTemplate;
import org.springframework.vault.support.ClientOptions;
import org.springframework.vault.support.SslConfiguration;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

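/**
 * Bootstrap configuration that registers the reactive Vault client beans: a
 * {@link ReactiveVaultTemplate}, a {@link ReactiveSessionManager}, a blocking
 * {@link SessionManager} adapter and the {@link VaultTokenSupplier} used to log in.
 *
 * <p>The configuration is active only when Reactor, {@code WebClient} and
 * {@link ReactiveVaultOperations} are on the classpath, {@code spring.cloud.vault.enabled}
 * is {@code true} or absent, and {@code spring.cloud.vault.reactive.enabled} is not
 * switched off (the expression defaults to {@code true}).
 *
 * <p>The Vault endpoint and the HTTP connector are built once in the constructor and
 * shared by every bean created here.
 */
@EnableConfigurationProperties({VaultProperties.class})
@Configuration
@ConditionalOnClass({Flux.class, WebClient.class, ReactiveVaultOperations.class})
@ConditionalOnProperty(name = {"spring.cloud.vault.enabled"}, matchIfMissing = true)
@ConditionalOnExpression("${spring.cloud.vault.reactive.enabled:true}")
// 2147483637 == Integer.MAX_VALUE - 10, i.e. ten steps ahead of the lowest possible order value.
@Order(2147483637)
/* loaded from: input_file:org/springframework/cloud/vault/config/VaultReactiveBootstrapConfiguration.class */
public class VaultReactiveBootstrapConfiguration {
    private final VaultProperties vaultProperties;
    private final VaultEndpoint vaultEndpoint;
    private final ClientHttpConnector clientHttpConnector;

    /**
     * Captures the Vault properties and derives the endpoint and HTTP connector from them.
     *
     * @param vaultProperties bound {@code spring.cloud.vault.*} settings
     */
    public VaultReactiveBootstrapConfiguration(VaultProperties vaultProperties) {
        this.vaultProperties = vaultProperties;
        this.vaultEndpoint = getVaultEndpoint(vaultProperties);
        this.clientHttpConnector = createConnector(this.vaultProperties);
    }

    /**
     * Resolves the Vault endpoint, preferring the configured URI over host/port/scheme.
     *
     * <p>The scheme is taken from configuration as-is. Nothing in this method rejects a
     * plain-{@code http} endpoint, so whether Vault tokens and secrets travel over TLS
     * depends entirely on the configured URI or scheme.
     *
     * @param vaultProperties source of the URI or of host, port and scheme
     * @return the endpoint every client created by this configuration talks to
     */
    private static VaultEndpoint getVaultEndpoint(VaultProperties vaultProperties) {
        if (StringUtils.hasText(vaultProperties.getUri())) {
            return VaultEndpoint.from(URI.create(vaultProperties.getUri()));
        }
        VaultEndpoint endpoint = new VaultEndpoint();
        endpoint.setHost(vaultProperties.getHost());
        endpoint.setPort(vaultProperties.getPort());
        endpoint.setScheme(vaultProperties.getScheme());
        return endpoint;
    }

    /**
     * Builds the reactive HTTP connector from the configured timeouts and SSL settings.
     *
     * <p>Key store and trust store are configured independently; each one stays
     * "unconfigured" unless a resource is set, and a password is applied only when it
     * contains text. The passwords are already held as {@code String}s by
     * {@link VaultProperties}, so the {@code char[]} copies made here do not shorten how
     * long the secret lives in memory.
     *
     * @param vaultProperties source of connection timeout, read timeout and SSL settings
     * @return connector used for all Vault HTTP traffic of this configuration
     */
    private static ClientHttpConnector createConnector(VaultProperties vaultProperties) {
        ClientOptions clientOptions = new ClientOptions(
                Duration.ofMillis(vaultProperties.getConnectionTimeout()),
                Duration.ofMillis(vaultProperties.getReadTimeout()));

        // NOTE(review): with no SSL section, or no trust store, the connector presumably
        // falls back to the JVM default trust material - confirm against
        // ClientHttpConnectorFactory before relying on certificate pinning.
        SslConfiguration sslConfiguration = SslConfiguration.unconfigured();

        VaultProperties.Ssl ssl = vaultProperties.getSsl();
        if (ssl != null) {
            SslConfiguration.KeyStoreConfiguration keyStore = SslConfiguration.KeyStoreConfiguration.unconfigured();
            SslConfiguration.KeyStoreConfiguration trustStore = SslConfiguration.KeyStoreConfiguration.unconfigured();
            if (ssl.getKeyStore() != null) {
                keyStore = StringUtils.hasText(ssl.getKeyStorePassword())
                        ? SslConfiguration.KeyStoreConfiguration.of(ssl.getKeyStore(), ssl.getKeyStorePassword().toCharArray())
                        : SslConfiguration.KeyStoreConfiguration.of(ssl.getKeyStore());
            }
            if (ssl.getTrustStore() != null) {
                trustStore = StringUtils.hasText(ssl.getTrustStorePassword())
                        ? SslConfiguration.KeyStoreConfiguration.of(ssl.getTrustStore(), ssl.getTrustStorePassword().toCharArray())
                        : SslConfiguration.KeyStoreConfiguration.of(ssl.getTrustStore());
            }
            sslConfiguration = new SslConfiguration(keyStore, trustStore);
        }
        return ClientHttpConnectorFactory.create(clientOptions, sslConfiguration);
    }

    /**
     * Creates the reactive Vault template unless another {@link ReactiveVaultOperations}
     * bean is already defined.
     *
     * @param reactiveSessionManager supplies the session token for outgoing requests
     * @return template bound to the shared endpoint and connector
     */
    @ConditionalOnMissingBean({ReactiveVaultOperations.class})
    @Bean
    public ReactiveVaultTemplate reactiveVaultTemplate(ReactiveSessionManager reactiveSessionManager) {
        return new ReactiveVaultTemplate(this.vaultEndpoint, this.clientHttpConnector, reactiveSessionManager);
    }

    /**
     * Creates the reactive session manager on top of the {@code vaultTokenSupplier} bean.
     *
     * <p>With lifecycle management disabled the supplier is only wrapped in a
     * {@link CachingVaultTokenSupplier}. Otherwise a
     * {@link ReactiveLifecycleAwareSessionManager} is created with the task scheduler
     * from the wrapper and a {@code WebClient} for the shared endpoint.
     *
     * @param beanFactory used to look up the bean named {@code vaultTokenSupplier}
     * @param objectFactory provider of the task scheduler wrapper; dereferenced only when
     * lifecycle management is enabled
     * @return the session manager matching the lifecycle setting
     */
    @ConditionalOnMissingBean
    @Bean
    public ReactiveSessionManager reactiveVaultSessionManager(BeanFactory beanFactory, ObjectFactory<VaultBootstrapConfiguration.TaskSchedulerWrapper> objectFactory) {
        VaultTokenSupplier tokenSupplier = beanFactory.getBean("vaultTokenSupplier", VaultTokenSupplier.class);
        if (!this.vaultProperties.getConfig().getLifecycle().isEnabled()) {
            return CachingVaultTokenSupplier.of(tokenSupplier);
        }
        return new ReactiveLifecycleAwareSessionManager(
                tokenSupplier,
                objectFactory.getObject().getTaskScheduler(),
                ReactiveVaultClients.createWebClient(this.vaultEndpoint, this.clientHttpConnector));
    }

    /**
     * Adapts the reactive session manager to the blocking {@link SessionManager} contract.
     *
     * <p>Deliberately a lambda rather than a bound method reference such as
     * {@code reactiveSessionManager.getSessionToken()::block}: the bound form evaluates
     * {@code getSessionToken()} once while this bean is created and pins that single
     * {@link Mono} for the lifetime of the adapter. Asking the reactive manager on every
     * call lets the adapter follow whatever publisher the manager currently exposes.
     * NOTE(review): whether a pinned publisher can serve an outdated token after renewal
     * or re-login depends on the {@link ReactiveSessionManager} implementation - confirm.
     *
     * <p>Each call blocks the invoking thread until the token is available, and
     * {@code block()} yields {@code null} if the publisher completes empty.
     *
     * @param reactiveSessionManager reactive source of the session token
     * @return blocking view of {@code reactiveSessionManager}
     */
    @ConditionalOnMissingBean
    @Bean
    public SessionManager vaultSessionManager(ReactiveSessionManager reactiveSessionManager) {
        return () -> reactiveSessionManager.getSessionToken().block();
    }

    /**
     * Derives the {@link VaultTokenSupplier} from the authentication beans in the context.
     *
     * <p>Resolution order: an {@link AuthenticationStepsFactory} bean wins; otherwise the
     * {@link ClientAuthentication} bean is used if it is a {@link TokenAuthentication} or
     * itself implements {@link AuthenticationStepsFactory}.
     *
     * @param listableBeanFactory context to search for authentication beans
     * @return supplier that produces the Vault login token
     * @throws IllegalStateException if no usable authentication bean is present
     */
    @ConditionalOnMissingBean(name = {"vaultTokenSupplier"})
    @Bean
    public VaultTokenSupplier vaultTokenSupplier(ListableBeanFactory listableBeanFactory) {
        Assert.notNull(listableBeanFactory, "BeanFactory must not be null");
        if (!ObjectUtils.isEmpty(listableBeanFactory.getBeanNamesForType(AuthenticationStepsFactory.class))) {
            return createAuthenticationStepsOperator(listableBeanFactory.getBean(AuthenticationStepsFactory.class));
        }
        if (ObjectUtils.isEmpty(listableBeanFactory.getBeanNamesForType(ClientAuthentication.class))) {
            throw new IllegalStateException("Cannot construct VaultTokenSupplier. Please configure VaultTokenSupplier bean named vaultTokenSupplier.");
        }
        // Hold the bean under its declared type; narrowing happens only after instanceof.
        ClientAuthentication clientAuthentication = listableBeanFactory.getBean(ClientAuthentication.class);
        if (clientAuthentication instanceof TokenAuthentication) {
            TokenAuthentication tokenAuthentication = (TokenAuthentication) clientAuthentication;
            // login() runs each time the supplier is asked for a token, not once here.
            return () -> Mono.just(tokenAuthentication.login());
        }
        if (clientAuthentication instanceof AuthenticationStepsFactory) {
            return createAuthenticationStepsOperator((AuthenticationStepsFactory) clientAuthentication);
        }
        // The message embeds the bean's toString(); a custom ClientAuthentication should
        // not render credentials there, because this text ends up in startup logs.
        throw new IllegalStateException(String.format("Cannot construct VaultTokenSupplier from %s. ClientAuthentication must implement AuthenticationStepsFactory or be TokenAuthentication", clientAuthentication));
    }

    /**
     * Wraps the factory's authentication steps in an operator that executes them through a
     * {@code WebClient} for the shared endpoint and connector.
     *
     * @param authenticationStepsFactory source of the authentication steps
     * @return token supplier backed by an {@link AuthenticationStepsOperator}
     */
    private VaultTokenSupplier createAuthenticationStepsOperator(AuthenticationStepsFactory authenticationStepsFactory) {
        WebClient webClient = ReactiveVaultClients.createWebClient(this.vaultEndpoint, this.clientHttpConnector);
        return new AuthenticationStepsOperator(authenticationStepsFactory.getAuthenticationSteps(), webClient);
    }
}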
