package io.quarkus.vault.runtime.client;

import io.quarkus.runtime.TlsConfig;
import io.quarkus.vault.client.VaultClient;
import io.quarkus.vault.client.VaultException;
import io.quarkus.vault.client.auth.VaultAppRoleAuthOptions;
import io.quarkus.vault.client.auth.VaultKubernetesAuthOptions;
import io.quarkus.vault.client.auth.VaultStaticClientTokenAuthOptions;
import io.quarkus.vault.client.auth.VaultUserPassAuthOptions;
import io.quarkus.vault.client.http.VaultHttpClient;
import io.quarkus.vault.client.http.jdk.JDKVaultHttpClient;
import io.quarkus.vault.client.http.vertx.VertxVaultHttpClient;
import io.quarkus.vault.runtime.VaultConfigHolder;
import io.quarkus.vault.runtime.config.VaultAppRoleAuthenticationConfig;
import io.quarkus.vault.runtime.config.VaultAuthenticationConfig;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import io.quarkus.vault.runtime.config.VaultUserpassAuthenticationConfig;
import io.vertx.core.Vertx;
import jakarta.enterprise.inject.Produces;
import jakarta.inject.Singleton;
import java.nio.file.Path;

/**
 * CDI producer that builds {@link VaultClient} instances from the runtime Vault configuration.
 *
 * <p>Two singleton clients are produced: one qualified with {@code @Private} and backed by the
 * JDK HTTP client, and an unqualified one backed by the Vert.x HTTP client. Both go through
 * {@link #createVaultClient}, so they share the same base URL, timeout, log confidentiality
 * level, authentication method and optional namespace.
 *
 * <p>The {@link TlsConfig} is only handed on to the HTTP client factories; how certificates and
 * hostnames are verified is decided there, not in this class.
 */
@Singleton
public class VaultClientProducer {

    /**
     * Produces the {@code @Private} client, which sends requests through a JDK HTTP client.
     *
     * @param vaultConfigHolder holder the runtime configuration is read from
     * @param tlsConfig TLS settings passed to {@code JDKClientFactory}
     * @return a client configured by {@link #createVaultClient}
     */
    @Singleton
    @Produces
    @Private
    public VaultClient privateVaultClient(VaultConfigHolder vaultConfigHolder, TlsConfig tlsConfig) {
        VaultRuntimeConfig runtimeConfig = vaultConfigHolder.getVaultRuntimeConfig();
        VaultHttpClient jdkTransport =
                new JDKVaultHttpClient(JDKClientFactory.createHttpClient(runtimeConfig, tlsConfig));
        return createVaultClient(jdkTransport, runtimeConfig);
    }

    /**
     * Produces the unqualified client, which sends requests through a Vert.x HTTP client.
     *
     * @param vertx Vert.x instance passed to {@code MutinyVertxClientFactory}
     * @param vaultConfigHolder holder the runtime configuration is read from
     * @param tlsConfig TLS settings passed to {@code MutinyVertxClientFactory}
     * @return a client configured by {@link #createVaultClient}
     */
    @Singleton
    @Produces
    public VaultClient sharedVaultClient(Vertx vertx, VaultConfigHolder vaultConfigHolder, TlsConfig tlsConfig) {
        VaultRuntimeConfig runtimeConfig = vaultConfigHolder.getVaultRuntimeConfig();
        VaultHttpClient vertxTransport = new VertxVaultHttpClient(
                MutinyVertxClientFactory.createHttpClient(vertx, runtimeConfig, tlsConfig));
        return createVaultClient(vertxTransport, runtimeConfig);
    }

    /**
     * Assembles a client on top of the given HTTP transport.
     *
     * @param vaultHttpClient transport used as the client's executor
     * @param vaultRuntimeConfig source of URL, read timeout, log confidentiality level,
     *     authentication settings and the optional enterprise namespace
     * @return the built client
     * @throws VaultException if no Vault URL is configured, or if the authentication type is not
     *     one handled by {@link #configureAuthentication}
     */
    VaultClient createVaultClient(VaultHttpClient vaultHttpClient, VaultRuntimeConfig vaultRuntimeConfig) {
        // NOTE(review): logConfidentialityLevel presumably governs how much secret material the
        // client may write to logs; confirm the configured level before enabling verbose logging.
        VaultClient.Builder clientBuilder = VaultClient.builder()
                .baseUrl(vaultRuntimeConfig.url().orElseThrow(() -> new VaultException("no vault url provided")))
                .executor(vaultHttpClient)
                .requestTimeout(vaultRuntimeConfig.readTimeout())
                .logConfidentialityLevel(vaultRuntimeConfig.logConfidentialityLevel());

        configureAuthentication(clientBuilder, vaultRuntimeConfig);

        // The namespace is optional; it is only set when one is configured.
        vaultRuntimeConfig.enterprise().namespace().ifPresent(ns -> clientBuilder.namespace(ns));

        return clientBuilder.build();
    }

    /**
     * Applies the configured authentication method to the client builder.
     *
     * <p>A direct client token takes priority over the authentication type. For the client
     * token, the AppRole secret id and the userpass password, a configured wrapping token is
     * used in preference to the plain value when both could be present.
     *
     * <p>Required settings are read with the no-argument {@code orElseThrow()}; assuming these
     * are {@code java.util.Optional} values, a missing setting surfaces as a
     * {@code NoSuchElementException} that does not say which property is absent.
     *
     * @param builder client builder to configure
     * @param vaultRuntimeConfig configuration the credentials and authentication type come from
     * @throws VaultException if the authentication type is not Kubernetes, AppRole or userpass
     */
    void configureAuthentication(VaultClient.Builder builder, VaultRuntimeConfig vaultRuntimeConfig) {
        VaultAuthenticationConfig authConfig = vaultRuntimeConfig.authentication();

        if (authConfig.isDirectClientToken()) {
            if (!authConfig.clientTokenWrappingToken().isPresent()) {
                // Plain token taken straight from configuration.
                builder.clientToken(authConfig.clientToken().orElseThrow());
                return;
            }
            // Wrapped form: the real token is obtained by unwrapping.
            builder.clientToken(VaultStaticClientTokenAuthOptions.builder()
                    .unwrappingToken(authConfig.clientTokenWrappingToken().orElseThrow())
                    .build());
            return;
        }

        switch (vaultRuntimeConfig.getAuthenticationType()) {
            case KUBERNETES: {
                // The JWT is referenced by file path only; it is not read in this class.
                builder.kubernetes(VaultKubernetesAuthOptions.builder()
                        .role(authConfig.kubernetes().role().orElseThrow())
                        .jwtTokenPath(Path.of(authConfig.kubernetes().jwtTokenPath()))
                        .caching(vaultRuntimeConfig.renewGracePeriod())
                        .build());
                break;
            }
            case APPROLE: {
                VaultAppRoleAuthenticationConfig appRoleConfig = authConfig.appRole();
                VaultAppRoleAuthOptions.Builder appRoleOptions =
                        VaultAppRoleAuthOptions.builder().roleId(appRoleConfig.roleId().orElseThrow());
                if (appRoleConfig.secretIdWrappingToken().isPresent()) {
                    appRoleOptions.unwrappingSecretId(appRoleConfig.secretIdWrappingToken().orElseThrow());
                } else {
                    appRoleOptions.secretId(appRoleConfig.secretId().orElseThrow());
                }
                // NOTE(review): unlike the Kubernetes and userpass branches, no
                // caching(renewGracePeriod) is applied here; confirm that is intentional.
                builder.appRole(appRoleOptions.build());
                break;
            }
            case USERPASS: {
                VaultUserpassAuthenticationConfig userpassConfig = authConfig.userpass();
                VaultUserPassAuthOptions.Builder userpassOptions =
                        VaultUserPassAuthOptions.builder().username(userpassConfig.username().orElseThrow());
                if (userpassConfig.passwordWrappingToken().isPresent()) {
                    // Unwrapping the password also needs the KV secret engine version.
                    userpassOptions.unwrappingPassword(
                            userpassConfig.passwordWrappingToken().orElseThrow(),
                            vaultRuntimeConfig.kvSecretEngineVersion());
                } else {
                    userpassOptions.password(userpassConfig.password().orElseThrow());
                }
                userpassOptions.caching(vaultRuntimeConfig.renewGracePeriod());
                builder.userPass(userpassOptions.build());
                break;
            }
            default:
                // Only the type name goes into the message; no credential value is included.
                throw new VaultException("Unsupported authentication type: " + vaultRuntimeConfig.getAuthenticationType());
        }
    }
}
