package no.nav.vault.jdbc.hikaricp;

import com.bettercloud.vault.SslConfig;
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.AuthResponse;
import com.bettercloud.vault.response.LookupResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Timer;
import java.util.TimerTask;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/vault/jdbc/hikaricp/VaultUtil.class */
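/**
 * Lazily initialised, process-wide holder for the Vault REST client.
 *
 * <p>On first use the client is built from the environment ({@code VAULT_ADDR}, {@code VAULT_TOKEN},
 * {@code VAULT_TOKEN_PATH}), the token is validated with a self-lookup and, when the token is
 * renewable, a self-rescheduling task on a daemon {@link Timer} keeps renewing it.
 *
 * <p>The token itself is never written to the log; only its TTL is.
 */
public class VaultUtil {
    private static final Logger logger = LoggerFactory.getLogger(VaultUtil.class);
    public static final String VAULT_TOKEN_PROPERTY = "VAULT_TOKEN";
    public static final String VAULT_TOKEN_PATH_PROPERTY = "VAULT_TOKEN_PATH";
    private static final String DEFAULT_VAULT_ADDRESS = "https://vault.adeo.no";
    private static final String DEFAULT_TOKEN_FILE = "/var/run/secrets/nais.io/vault/vault_token";
    private static final String HTTPS_SCHEME = "https://";
    private static VaultUtil INSTANCE;
    private Vault vault;
    // Daemon timer: it never keeps the JVM alive on its own. It is handed out by getTimer(),
    // so tasks scheduled by other code share its single thread with the token refresh.
    private final Timer timer = new Timer("VaultScheduler", true);

    /**
     * Renews the client's own token and schedules the next renewal.
     *
     * <p>The class name is the one the decompiler assigned to what was originally the local class
     * {@code VaultUtil$1RefreshTokenTask}; it is kept so existing references still resolve.
     */
    public final class C1RefreshTokenTask extends TimerTask {
        C1RefreshTokenTask() {
        }

        @Override
        public void run() {
            try {
                logger.info("Refreshing Vault token (old TTL = {} seconds)", vault.auth().lookupSelf().getTTL());
                AuthResponse renewSelf = vault.auth().renewSelf();
                long leaseSeconds = renewSelf.getAuthLeaseDuration();
                // The new TTL is taken from the renewal response. A second lookupSelf() used only
                // for this log line could fail after a successful renewal and, by throwing, skip
                // the reschedule below so that renewal would stop for good.
                logger.info("Refreshed Vault token (new TTL = {} seconds)", leaseSeconds);
                timer.schedule(new C1RefreshTokenTask(), suggestedRefreshInterval(leaseSeconds * 1000L));
            } catch (VaultException e) {
                // NOTE(review): nothing is rescheduled after a failed renewal, so the token lapses
                // at its current TTL. Alert on this log line, or add a bounded retry.
                logger.error("Could not refresh the Vault token", e);
            } catch (RuntimeException e) {
                // An exception escaping a TimerTask terminates the Timer thread and silently drops
                // every other task on the shared timer, so it is contained and logged here.
                logger.error("Unexpected failure while refreshing the Vault token", e);
            }
        }
    }

    private VaultUtil() {
    }

    /**
     * Computes how long to wait before renewing a token.
     *
     * @param ttlMillis remaining token lifetime in milliseconds
     * @return half the lifetime when it is below 60 000 ms, otherwise the lifetime minus 30 000 ms
     */
    public static long suggestedRefreshInterval(long ttlMillis) {
        if (ttlMillis < 60000) {
            return ttlMillis / 2;
        }
        return ttlMillis - 30000;
    }

    /**
     * Returns the shared instance, creating and initialising it on first use.
     *
     * <p>Synchronized so that concurrent first callers cannot each build a client and each start
     * a token refresh task.
     *
     * @return the initialised singleton
     * @throws VaultError if the client cannot be built or the token cannot be validated
     */
    public static synchronized VaultUtil getInstance() throws VaultError {
        if (INSTANCE == null) {
            VaultUtil candidate = new VaultUtil();
            candidate.init();
            // Published only after init() succeeded, so a failed attempt is retried on the next call.
            INSTANCE = candidate;
        }
        return INSTANCE;
    }

    /** @return the Vault REST client built during initialisation */
    public Vault getClient() {
        return this.vault;
    }

    /** @return the daemon timer that also runs the token refresh task */
    public Timer getTimer() {
        return this.timer;
    }

    /**
     * Builds the Vault client, validates the token and starts the refresh timer when the token is
     * renewable.
     *
     * @throws VaultError if the client cannot be built, or the token lookup fails (HTTP 403 is
     *     reported as an invalid token)
     */
    private void init() throws VaultError {
        try {
            String address = System.getenv().getOrDefault("VAULT_ADDR", DEFAULT_VAULT_ADDRESS);
            if (!address.regionMatches(true, 0, HTTPS_SCHEME, 0, HTTPS_SCHEME.length())) {
                // The address comes from the environment; over anything but https the token
                // travels unencrypted. The address itself is not logged.
                logger.warn("VAULT_ADDR does not use https; the Vault token would be sent without transport encryption");
            }
            // NOTE(review): SslConfig is built with the driver's defaults. Confirm that the
            // deployment does not switch certificate verification off through the driver's
            // environment overrides (VAULT_SSL_VERIFY, presumably honoured here).
            this.vault = new Vault(new VaultConfig()
                    .address(address)
                    .token(getVaultToken())
                    .openTimeout(5)
                    .readTimeout(30)
                    .sslConfig(new SslConfig().build())
                    .build());
            try {
                LookupResponse lookupSelf = this.vault.auth().lookupSelf();
                if (lookupSelf.isRenewable()) {
                    logger.info("Starting a refresh timer on the vault token (TTL = {} seconds)", lookupSelf.getTTL());
                    this.timer.schedule(new C1RefreshTokenTask(), suggestedRefreshInterval(lookupSelf.getTTL() * 1000L));
                } else {
                    // A non-renewable token simply expires at its TTL; nothing is scheduled.
                    logger.warn("Vault token is not renewable");
                }
            } catch (VaultException e) {
                if (e.getHttpStatusCode() != 403) {
                    throw new VaultError("Could not validate the application's vault token", e);
                }
                throw new VaultError("The application's vault token seems to be invalid", e);
            }
        } catch (VaultException e2) {
            throw new VaultError("Could not instantiate the Vault REST client", e2);
        }
    }

    /**
     * Resolves the Vault token, in order of precedence: a non-empty {@code VAULT_TOKEN}
     * environment variable, the file named by {@code VAULT_TOKEN_PATH}, then the default token
     * file if it exists.
     *
     * @return the token; surrounding whitespace is trimmed when it is read from a file
     * @throws RuntimeException if no source is available or the file cannot be read
     */
    private static String getVaultToken() {
        try {
            Map<String, String> env = System.getenv();
            String inlineToken = env.get(VAULT_TOKEN_PROPERTY);
            if (inlineToken != null && !inlineToken.isEmpty()) {
                return inlineToken;
            }
            String tokenPath = env.get(VAULT_TOKEN_PATH_PROPERTY);
            if (tokenPath != null) {
                return readTokenFile(tokenPath);
            }
            if (Files.exists(Paths.get(DEFAULT_TOKEN_FILE))) {
                return readTokenFile(DEFAULT_TOKEN_FILE);
            }
            throw new RuntimeException("Neither VAULT_TOKEN or VAULT_TOKEN_PATH is set");
        } catch (Exception e) {
            // Also wraps the "neither is set" failure above; the cause is preserved.
            throw new RuntimeException("Could not get a vault token for authentication", e);
        }
    }

    /** Reads a token file as UTF-8 and trims surrounding whitespace such as a trailing newline. */
    private static String readTokenFile(String location) throws IOException {
        return new String(Files.readAllBytes(Paths.get(location)), StandardCharsets.UTF_8).trim();
    }
}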
