package org.springframework.vault.core;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.core.VaultPkiOperations;
import org.springframework.vault.support.VaultCertificateRequest;
import org.springframework.vault.support.VaultCertificateResponse;
import org.springframework.vault.support.VaultSignCertificateRequestResponse;
import org.springframework.web.client.HttpStatusCodeException;

/* loaded from: input_file:org/springframework/vault/core/VaultPkiTemplate.class */
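/**
 * {@link VaultPkiOperations} implementation that issues, signs and revokes certificates
 * and fetches the CRL through a {@link VaultOperations} session.
 *
 * <p>Every request is addressed relative to the {@code path} given at construction time
 * (presumably the mount path of the PKI backend; the URI templates used here are
 * {@code {path}/issue/{roleName}}, {@code {path}/sign/{roleName}}, {@code {path}/revoke}
 * and {@code {path}/crl}).
 *
 * <p>Security notes for callers:
 * <ul>
 * <li>The response of {@link #issueCertificate} is expected to carry private key material
 * generated by Vault. Treat it as a secret: do not log it or persist it unprotected.</li>
 * <li>{@link #getCrl} returns the raw response bytes without parsing or verifying them.
 * Parse and verify the CRL against the issuing CA before relying on it.</li>
 * </ul>
 */
public class VaultPkiTemplate implements VaultPkiOperations {
    private final VaultOperations vaultOperations;
    private final String path;

    /**
     * Creates a template bound to one path.
     *
     * @param vaultOperations session provider used for all requests; must not be {@code null}
     * @param str path prefix substituted for {@code {path}} in every request; must contain text
     */
    public VaultPkiTemplate(VaultOperations vaultOperations, String str) {
        Assert.notNull(vaultOperations, "VaultOperations must not be null");
        Assert.hasText(str, "Path must not be empty");
        this.vaultOperations = vaultOperations;
        this.path = str;
    }

    /**
     * Requests a new certificate from {@code {path}/issue/{roleName}}.
     *
     * <p>The returned object is expected to include the private key for the issued
     * certificate, so it must be handled as secret material.
     *
     * @param str role name; must contain text
     * @param vaultCertificateRequest subject and options of the certificate; must not be {@code null}
     * @return the response body, never {@code null}
     * @throws VaultException if Vault answers with an HTTP error status
     */
    @Override
    public VaultCertificateResponse issueCertificate(String str, VaultCertificateRequest vaultCertificateRequest) throws VaultException {
        Assert.hasText(str, "Role name must not be empty");
        Assert.notNull(vaultCertificateRequest, "Certificate request must not be null");
        return requestCertificate(str, "{path}/issue/{roleName}", createIssueRequest(vaultCertificateRequest), VaultCertificateResponse.class);
    }

    /**
     * Submits a certificate signing request to {@code {path}/sign/{roleName}}.
     *
     * @param str role name; must contain text
     * @param str2 the CSR itself, sent as the {@code csr} field (the assertion message calls
     *        it "CSR name", but the value is the request content); must contain text
     * @param vaultCertificateRequest subject and options of the certificate; must not be {@code null}
     * @return the response body, never {@code null}
     * @throws VaultException if Vault answers with an HTTP error status
     */
    @Override
    public VaultSignCertificateRequestResponse signCertificateRequest(String str, String str2, VaultCertificateRequest vaultCertificateRequest) throws VaultException {
        Assert.hasText(str, "Role name must not be empty");
        Assert.hasText(str2, "CSR name must not be empty");
        Assert.notNull(vaultCertificateRequest, "Certificate request must not be null");
        Map<String, Object> request = createIssueRequest(vaultCertificateRequest);
        request.put("csr", str2);
        return requestCertificate(str, "{path}/sign/{roleName}", request, VaultSignCertificateRequestResponse.class);
    }

    /**
     * Posts {@code request} to {@code uriTemplate} and returns the deserialized response.
     *
     * <p>The path and the role name are handed over as URI template variables instead of
     * being concatenated into the URL, which leaves their encoding to the
     * {@code RestOperations} in use. The {@code format} field is always set to {@code der},
     * overwriting any value already in {@code request}.
     *
     * @param roleName value substituted for {@code {roleName}}
     * @param uriTemplate URI template containing {@code {path}} and {@code {roleName}}
     * @param request request body; modified in place
     * @param responseType type the response body is converted to
     * @return the response body, never {@code null}
     * @throws IllegalStateException if the response has no body
     */
    @SuppressWarnings("unchecked") // cast mirrors the original; doWithSession's signature is not visible here
    private <T> T requestCertificate(String roleName, String uriTemplate, Map<String, Object> request, Class<T> responseType) {
        request.put("format", "der");
        T response = (T) this.vaultOperations.doWithSession(restOperations -> {
            try {
                return restOperations.postForObject(uriTemplate, request, responseType, this.path, roleName);
            } catch (HttpStatusCodeException e) {
                throw VaultResponses.buildException(e);
            }
        });
        Assert.state(response != null, "VaultCertificateResponse must not be null");
        return response;
    }

    /**
     * Revokes a certificate by posting its serial number to {@code {path}/revoke}.
     * The response body is discarded.
     *
     * @param str serial number of the certificate; must contain text
     * @throws VaultException if Vault answers with an HTTP error status
     */
    @Override
    public void revoke(String str) throws VaultException {
        Assert.hasText(str, "Serial number must not be null or empty");
        Map<String, String> request = Collections.singletonMap("serial_number", str);
        this.vaultOperations.doWithSession(restOperations -> {
            try {
                restOperations.postForObject("{path}/revoke", request, Map.class, this.path);
                return null;
            } catch (HttpStatusCodeException e) {
                throw VaultResponses.buildException(e);
            }
        });
    }

    /**
     * Fetches the certificate revocation list from {@code {path}/crl} (DER) or
     * {@code {path}/crl/pem} (any other encoding).
     *
     * <p>The bytes are returned as received; this method neither parses the CRL nor checks
     * its signature or freshness. A {@code null} result means no CRL was obtained, so
     * callers that enforce revocation should decide explicitly how to treat that case
     * rather than reading it as "nothing is revoked".
     *
     * @param encoding requested encoding; must not be {@code null}
     * @return a stream over the response body, or {@code null} if the status is not
     *         {@code 200 OK} or the response has no body
     * @throws VaultException if Vault answers with an HTTP error status
     */
    @Override
    public InputStream getCrl(VaultPkiOperations.Encoding encoding) throws VaultException {
        Assert.notNull(encoding, "Encoding must not be null");
        String uriTemplate = encoding == VaultPkiOperations.Encoding.DER ? "{path}/crl" : "{path}/crl/pem";
        return (InputStream) this.vaultOperations.doWithSession(restOperations -> {
            try {
                ResponseEntity<byte[]> response = restOperations.getForEntity(uriTemplate, byte[].class, this.path);
                byte[] body = response.getBody();
                // A 200 without a body would otherwise fail inside ByteArrayInputStream with a
                // NullPointerException; report it the same way as "no CRL".
                if (response.getStatusCode() == HttpStatus.OK && body != null) {
                    return new ByteArrayInputStream(body);
                }
                return null;
            } catch (HttpStatusCodeException e) {
                throw VaultResponses.buildException(e);
            }
        });
    }

    /**
     * Builds the request body shared by the issue and sign calls.
     *
     * <p>{@code common_name} is always set. {@code alt_names}, {@code ip_sans} and
     * {@code uri_sans} are added as comma-separated strings only when the matching
     * collection is non-empty, {@code ttl} (in seconds) only when a TTL is present, and
     * {@code exclude_cn_from_sans} only when it is {@code true}.
     *
     * @param certificateRequest source of the field values; must not be {@code null}
     * @return a new mutable map holding the request fields
     */
    private static Map<String, Object> createIssueRequest(VaultCertificateRequest certificateRequest) {
        Assert.notNull(certificateRequest, "Certificate request must not be null");
        Map<String, Object> request = new HashMap<>();
        request.put("common_name", certificateRequest.getCommonName());
        if (!certificateRequest.getAltNames().isEmpty()) {
            request.put("alt_names", StringUtils.collectionToDelimitedString(certificateRequest.getAltNames(), ","));
        }
        if (!certificateRequest.getIpSubjectAltNames().isEmpty()) {
            request.put("ip_sans", StringUtils.collectionToDelimitedString(certificateRequest.getIpSubjectAltNames(), ","));
        }
        if (!certificateRequest.getUriSubjectAltNames().isEmpty()) {
            request.put("uri_sans", StringUtils.collectionToDelimitedString(certificateRequest.getUriSubjectAltNames(), ","));
        }
        if (certificateRequest.getTtl() != null) {
            request.put("ttl", Long.valueOf(certificateRequest.getTtl().get(ChronoUnit.SECONDS)));
        }
        if (certificateRequest.isExcludeCommonNameFromSubjectAltNames()) {
            request.put("exclude_cn_from_sans", true);
        }
        return request;
    }
}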
