package io.quarkus.vault.runtime;

import io.quarkus.vault.VaultException;
import io.quarkus.vault.VaultPKISecretReactiveEngine;
import io.quarkus.vault.pki.CAChainData;
import io.quarkus.vault.pki.CRLData;
import io.quarkus.vault.pki.CSRData;
import io.quarkus.vault.pki.CertificateData;
import io.quarkus.vault.pki.CertificateExtendedKeyUsage;
import io.quarkus.vault.pki.CertificateKeyType;
import io.quarkus.vault.pki.CertificateKeyUsage;
import io.quarkus.vault.pki.ConfigCRLOptions;
import io.quarkus.vault.pki.ConfigURLsOptions;
import io.quarkus.vault.pki.DataFormat;
import io.quarkus.vault.pki.GenerateCertificateOptions;
import io.quarkus.vault.pki.GenerateIntermediateCSROptions;
import io.quarkus.vault.pki.GenerateRootOptions;
import io.quarkus.vault.pki.GeneratedCertificate;
import io.quarkus.vault.pki.GeneratedIntermediateCSRResult;
import io.quarkus.vault.pki.GeneratedRootCertificate;
import io.quarkus.vault.pki.PrivateKeyData;
import io.quarkus.vault.pki.PrivateKeyEncoding;
import io.quarkus.vault.pki.RoleOptions;
import io.quarkus.vault.pki.SignIntermediateCAOptions;
import io.quarkus.vault.pki.SignedCertificate;
import io.quarkus.vault.pki.TidyOptions;
import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.dto.AbstractVaultDTO;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKICRLRotateData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKICertificateData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKICertificateListData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIConfigCABody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIConfigCRLData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIConfigURLsData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIGenerateCertificateBody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIGenerateCertificateData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIGenerateIntermediateCSRBody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIGenerateIntermediateCSRData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIGenerateRootBody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIGenerateRootData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIRevokeCertificateBody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIRevokeCertificateData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIRoleOptionsData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKIRolesListData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKISetSignedIntermediateCABody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKISignCertificateRequestBody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKISignCertificateRequestData;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKISignIntermediateCABody;
import io.quarkus.vault.runtime.client.dto.pki.VaultPKITidyBody;
import io.quarkus.vault.runtime.client.secretengine.VaultInternalPKISecretEngine;
import io.smallrye.mutiny.Uni;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.nio.charset.StandardCharsets;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.function.Function;
import java.util.stream.Collectors;

@ApplicationScoped
/* loaded from: input_file:io/quarkus/vault/runtime/VaultPKIManager.class */
public class VaultPKIManager implements VaultPKISecretReactiveEngine {
    // Vault client handed to the auth manager and to every internal engine call.
    private final VaultClient vaultClient;
    // Mount path of the PKI secret engine; "pki" when the injected constructor is used.
    private final String mount;
    // Supplies the client token that authenticates each request.
    private final VaultAuthManager vaultAuthManager;
    // Internal engine that performs the PKI calls this class delegates to.
    private final VaultInternalPKISecretEngine vaultInternalPKISecretEngine;

    /**
     * Creates a manager bound to the default {@code "pki"} mount.
     *
     * @param vaultClient client passed to every engine call
     * @param vaultAuthManager source of the client token used per request
     * @param vaultInternalPKISecretEngine engine that performs the PKI calls
     */
    @Inject
    public VaultPKIManager(VaultClient vaultClient, VaultAuthManager vaultAuthManager, VaultInternalPKISecretEngine vaultInternalPKISecretEngine) {
        this(vaultClient, "pki", vaultAuthManager, vaultInternalPKISecretEngine);
    }

    /**
     * Creates a manager bound to an explicit PKI mount.
     *
     * <p>The decompiler reports that this constructor was package-private in the original class.
     *
     * @param vaultClient client passed to every engine call
     * @param str mount path of the PKI secret engine
     * @param vaultAuthManager source of the client token used per request
     * @param vaultInternalPKISecretEngine engine that performs the PKI calls
     */
    public VaultPKIManager(VaultClient vaultClient, String str, VaultAuthManager vaultAuthManager, VaultInternalPKISecretEngine vaultInternalPKISecretEngine) {
        this.mount = str;
        this.vaultInternalPKISecretEngine = vaultInternalPKISecretEngine;
        this.vaultAuthManager = vaultAuthManager;
        this.vaultClient = vaultClient;
    }

    /**
     * Fetches the CA certificate in PEM form.
     *
     * @return the CA certificate narrowed to {@link CertificateData.PEM}
     */
    @Override
    public Uni<CertificateData.PEM> getCertificateAuthority() {
        // The format-aware overload builds a CertificateData.PEM for DataFormat.PEM, so the cast is a narrowing only.
        final Uni<CertificateData> pemResult = getCertificateAuthority(DataFormat.PEM);
        return pemResult.map(CertificateData.PEM.class::cast);
    }

    /**
     * Fetches the CA certificate in the requested encoding.
     *
     * @param dataFormat encoding to return; PEM yields text, DER yields raw bytes
     * @return the CA certificate wrapped in the matching {@link CertificateData} subtype
     * @throws VaultException (inside the returned Uni) when the format is neither PEM nor DER
     */
    @Override
    public Uni<CertificateData> getCertificateAuthority(DataFormat dataFormat) {
        // Only PEM is requested by name; every other format sends no format hint to the engine.
        final String requestedFormat = dataFormat == DataFormat.PEM ? dataFormat.name().toLowerCase(Locale.ROOT) : null;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine
                        .getCertificateAuthority(this.vaultClient, token, this.mount, requestedFormat)
                        .map(raw -> {
                            switch (dataFormat) {
                                case DER:
                                    return new CertificateData.DER(raw.getBytes());
                                case PEM:
                                    return new CertificateData.PEM(raw.toString(StandardCharsets.UTF_8));
                                default:
                                    throw new VaultException("Unsupported Data Format");
                            }
                        }));
    }

    /**
     * Configures the mount's certificate authority from a PEM bundle.
     *
     * <p>NOTE(review): the bundle is forwarded unchanged; it presumably carries the CA's
     * private key alongside the certificate, so callers should keep it out of logs and
     * error messages — confirm against the engine's endpoint contract.
     *
     * @param str PEM bundle sent as the request's {@code pemBundle}
     * @return a Uni completing when the engine call finishes
     */
    @Override
    public Uni<Void> configCertificateAuthority(String str) {
        final VaultPKIConfigCABody body = new VaultPKIConfigCABody();
        body.pemBundle = str;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.configCertificateAuthority(this.vaultClient, token, this.mount, body));
    }

    /**
     * Writes the issuing-certificate, CRL distribution point and OCSP server URLs for the mount.
     *
     * @param configURLsOptions URL lists to store; copied field by field without validation
     * @return a Uni completing when the engine call finishes
     */
    @Override
    public Uni<Void> configURLs(ConfigURLsOptions configURLsOptions) {
        final VaultPKIConfigURLsData body = new VaultPKIConfigURLsData();
        body.ocspServers = configURLsOptions.ocspServers;
        body.crlDistributionPoints = configURLsOptions.crlDistributionPoints;
        body.issuingCertificates = configURLsOptions.issuingCertificates;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.configURLs(this.vaultClient, token, this.mount, body));
    }

    /**
     * Reads the URL configuration stored for the mount.
     *
     * @return the issuing-certificate, CRL distribution point and OCSP server URLs
     */
    @Override
    public Uni<ConfigURLsOptions> readURLsConfig() {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.readURLs(this.vaultClient, token, this.mount)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKIConfigURLsData source = (VaultPKIConfigURLsData) result.data;
                            final ConfigURLsOptions options = new ConfigURLsOptions();
                            options.ocspServers = source.ocspServers;
                            options.crlDistributionPoints = source.crlDistributionPoints;
                            options.issuingCertificates = source.issuingCertificates;
                            return options;
                        }));
    }

    /**
     * Writes the CRL configuration for the mount.
     *
     * <p>The {@code disable} flag is forwarded as given; no check is made here on whether
     * turning CRL publication off is intended.
     *
     * @param configCRLOptions expiry and disable settings to store
     * @return a Uni completing when the engine call finishes
     */
    @Override
    public Uni<Void> configCRL(ConfigCRLOptions configCRLOptions) {
        final VaultPKIConfigCRLData body = new VaultPKIConfigCRLData();
        body.disable = configCRLOptions.disable;
        body.expiry = configCRLOptions.expiry;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.configCRL(this.vaultClient, token, this.mount, body));
    }

    /**
     * Reads the CRL configuration stored for the mount.
     *
     * @return the expiry and disable settings
     */
    @Override
    public Uni<ConfigCRLOptions> readCRLConfig() {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.readCRL(this.vaultClient, token, this.mount)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKIConfigCRLData source = (VaultPKIConfigCRLData) result.data;
                            final ConfigCRLOptions options = new ConfigCRLOptions();
                            options.disable = source.disable;
                            options.expiry = source.expiry;
                            return options;
                        }));
    }

    /**
     * Fetches the CA chain as PEM text.
     *
     * @return the chain, decoded from the response buffer as UTF-8
     */
    @Override
    public Uni<CAChainData.PEM> getCertificateAuthorityChain() {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine
                        .getCertificateAuthorityChain(this.vaultClient, token, this.mount)
                        .map(raw -> new CAChainData.PEM(raw.toString(StandardCharsets.UTF_8))));
    }

    /**
     * Fetches the certificate revocation list in PEM form.
     *
     * @return the CRL narrowed to {@link CRLData.PEM}
     */
    @Override
    public Uni<CRLData.PEM> getCertificateRevocationList() {
        // The format-aware overload builds a CRLData.PEM for DataFormat.PEM, so the cast is a narrowing only.
        final Uni<CRLData> pemResult = getCertificateRevocationList(DataFormat.PEM);
        return pemResult.map(CRLData.PEM.class::cast);
    }

    /**
     * Fetches the certificate revocation list in the requested encoding.
     *
     * @param dataFormat encoding to return; PEM yields text, DER yields raw bytes
     * @return the CRL wrapped in the matching {@link CRLData} subtype
     * @throws VaultException (inside the returned Uni) when the format is neither PEM nor DER
     */
    @Override
    public Uni<CRLData> getCertificateRevocationList(DataFormat dataFormat) {
        // Only PEM is requested by name; every other format sends no format hint to the engine.
        final String requestedFormat = dataFormat == DataFormat.PEM ? dataFormat.name().toLowerCase(Locale.ROOT) : null;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine
                        .getCertificateRevocationList(this.vaultClient, token, this.mount, requestedFormat)
                        .map(raw -> {
                            switch (dataFormat) {
                                case DER:
                                    return new CRLData.DER(raw.getBytes());
                                case PEM:
                                    return new CRLData.PEM(raw.toString(StandardCharsets.UTF_8));
                                default:
                                    throw new VaultException("Unsupported Data Format");
                            }
                        }));
    }

    /**
     * Asks the engine to rotate the certificate revocation list.
     *
     * @return the {@code success} flag reported in the response
     */
    @Override
    public Uni<Boolean> rotateCertificateRevocationList() {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine
                        .rotateCertificateRevocationList(this.vaultClient, token, this.mount)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKICRLRotateData rotation = (VaultPKICRLRotateData) result.data;
                            return Boolean.valueOf(rotation.success);
                        }));
    }

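    /**
     * Lists the certificate keys known to the PKI mount.
     *
     * <p>Every {@code '-'} in a returned key is replaced with {@code ':'}.
     *
     * <p>NOTE(review): unlike {@code getRoles()}, a 404 from the list call is not mapped to an
     * empty list here — confirm whether callers expect a failure when nothing is listed.
     *
     * @return the listed keys with dashes converted to colons
     */
    @Override
    public Uni<List<String>> getCertificates() {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.listCertificates(this.vaultClient, token, this.mount)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKICertificateListData listing = (VaultPKICertificateListData) result.data;
                            // Literal character substitution, so no regex is needed. The inner lambda
                            // parameter has its own name because a nested lambda may not redeclare
                            // the enclosing lambda's parameter.
                            return listing.keys.stream()
                                    .map(serial -> serial.replace('-', ':'))
                                    .collect(Collectors.toList());
                        }));
    }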

    /**
     * Fetches a single certificate as PEM text.
     *
     * @param str identifier of the certificate, passed to the engine unchanged (presumably its serial number)
     * @return the certificate from the response wrapped as {@link CertificateData.PEM}
     */
    @Override
    public Uni<CertificateData.PEM> getCertificate(String str) {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.getCertificate(this.vaultClient, token, this.mount, str)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKICertificateData found = (VaultPKICertificateData) result.data;
                            return new CertificateData.PEM(found.certificate);
                        }));
    }

    /**
     * Issues a certificate and key pair through the engine.
     *
     * <p>The result carries the generated private key; callers should treat the returned
     * object as secret material and keep it out of logs and error messages.
     *
     * @param str name passed to the engine after the mount (presumably the role to issue under)
     * @param generateCertificateOptions subject, SAN, TTL and encoding options, forwarded without validation
     * @return the issued certificate, issuing CA, CA chain, serial number and private key
     */
    @Override
    public Uni<GeneratedCertificate> generateCertificate(String str, GenerateCertificateOptions generateCertificateOptions) {
        final VaultPKIGenerateCertificateBody body = new VaultPKIGenerateCertificateBody();
        body.format = dataFormatToFormat(generateCertificateOptions.format);
        body.privateKeyFormat = privateKeyFormat(generateCertificateOptions.format, generateCertificateOptions.privateKeyEncoding);
        body.subjectCommonName = generateCertificateOptions.subjectCommonName;
        // List-valued SANs are flattened to comma-separated strings for the request body.
        body.subjectAlternativeNames = stringListToCommaString(generateCertificateOptions.subjectAlternativeNames);
        body.ipSubjectAlternativeNames = stringListToCommaString(generateCertificateOptions.ipSubjectAlternativeNames);
        body.uriSubjectAlternativeNames = stringListToCommaString(generateCertificateOptions.uriSubjectAlternativeNames);
        body.otherSubjectAlternativeNames = generateCertificateOptions.otherSubjectAlternativeNames;
        body.timeToLive = generateCertificateOptions.timeToLive;
        body.excludeCommonNameFromSubjectAlternativeNames = generateCertificateOptions.excludeCommonNameFromSubjectAlternativeNames;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.generateCertificate(this.vaultClient, token, this.mount, str, body)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKIGenerateCertificateData issued = (VaultPKIGenerateCertificateData) result.data;
                            final GeneratedCertificate generated = new GeneratedCertificate();
                            // Response fields are decoded using the format that was sent in the request.
                            generated.certificate = createCertificateData(issued.certificate, body.format);
                            generated.issuingCA = createCertificateData(issued.issuingCA, body.format);
                            generated.caChain = createCertificateDataList(issued.caChain, body.format);
                            generated.serialNumber = issued.serialNumber;
                            generated.privateKeyType = stringToCertificateKeyType(issued.privateKeyType);
                            generated.privateKey = createPrivateKeyData(issued.privateKey, body.format, body.privateKeyFormat);
                            return generated;
                        }));
    }

    /**
     * Signs a certificate signing request through the engine.
     *
     * <p>The CSR and the subject/SAN overrides are forwarded unchanged; what may actually be
     * signed is decided by the engine, not by this method.
     *
     * @param str name passed to the engine after the mount (presumably the role to sign under)
     * @param str2 certificate signing request sent as the request's {@code csr}
     * @param generateCertificateOptions subject, SAN, TTL and encoding options
     * @return the signed certificate, issuing CA, CA chain and serial number
     */
    @Override
    public Uni<SignedCertificate> signRequest(String str, String str2, GenerateCertificateOptions generateCertificateOptions) {
        final VaultPKISignCertificateRequestBody body = new VaultPKISignCertificateRequestBody();
        body.format = dataFormatToFormat(generateCertificateOptions.format);
        body.csr = str2;
        body.subjectCommonName = generateCertificateOptions.subjectCommonName;
        // List-valued SANs are flattened to comma-separated strings for the request body.
        body.subjectAlternativeNames = stringListToCommaString(generateCertificateOptions.subjectAlternativeNames);
        body.ipSubjectAlternativeNames = stringListToCommaString(generateCertificateOptions.ipSubjectAlternativeNames);
        body.uriSubjectAlternativeNames = stringListToCommaString(generateCertificateOptions.uriSubjectAlternativeNames);
        body.otherSubjectAlternativeNames = generateCertificateOptions.otherSubjectAlternativeNames;
        body.timeToLive = generateCertificateOptions.timeToLive;
        body.excludeCommonNameFromSubjectAlternativeNames = generateCertificateOptions.excludeCommonNameFromSubjectAlternativeNames;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.signCertificate(this.vaultClient, token, this.mount, str, body)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKISignCertificateRequestData signedData = (VaultPKISignCertificateRequestData) result.data;
                            final SignedCertificate signed = new SignedCertificate();
                            // Response fields are decoded using the format that was sent in the request.
                            signed.certificate = createCertificateData(signedData.certificate, body.format);
                            signed.issuingCA = createCertificateData(signedData.issuingCA, body.format);
                            signed.caChain = createCertificateDataList(signedData.caChain, body.format);
                            signed.serialNumber = signedData.serialNumber;
                            return signed;
                        }));
    }

    /**
     * Revokes a certificate by serial number.
     *
     * @param str serial number sent as the request's {@code serialNumber}
     * @return the revocation time reported in the response
     */
    @Override
    public Uni<OffsetDateTime> revokeCertificate(String str) {
        final VaultPKIRevokeCertificateBody body = new VaultPKIRevokeCertificateBody();
        body.serialNumber = str;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.revokeCertificate(this.vaultClient, token, this.mount, body)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKIRevokeCertificateData revoked = (VaultPKIRevokeCertificateData) result.data;
                            return revoked.revocationTime;
                        }));
    }

    /**
     * Creates or updates a PKI role from the given options.
     *
     * <p>Every option is copied into the request as given; nothing is validated here. Flags such
     * as {@code allowAnyName}, {@code allowSubdomains}, {@code allowGlobsInAllowedDomains} and
     * {@code enforceHostnames} determine which names the role may issue for, so callers should
     * review them before invoking this method.
     *
     * @param str name of the role to write
     * @param roleOptions role settings to store
     * @return a Uni completing when the engine call finishes
     */
    @Override
    public Uni<Void> updateRole(String str, RoleOptions roleOptions) {
        final VaultPKIRoleOptionsData body = new VaultPKIRoleOptionsData();

        // Lifetime limits.
        body.timeToLive = roleOptions.timeToLive;
        body.maxTimeToLive = roleOptions.maxTimeToLive;

        // Name constraints.
        body.allowLocalhost = roleOptions.allowLocalhost;
        body.allowedDomains = roleOptions.allowedDomains;
        body.allowTemplatesInAllowedDomains = roleOptions.allowTemplatesInAllowedDomains;
        body.allowBareDomains = roleOptions.allowBareDomains;
        body.allowSubdomains = roleOptions.allowSubdomains;
        body.allowGlobsInAllowedDomains = roleOptions.allowGlobsInAllowedDomains;
        body.allowAnyName = roleOptions.allowAnyName;
        body.enforceHostnames = roleOptions.enforceHostnames;
        body.allowIpSubjectAlternativeNames = roleOptions.allowIpSubjectAlternativeNames;
        body.allowedUriSubjectAlternativeNames = roleOptions.allowedUriSubjectAlternativeNames;
        body.allowedOtherSubjectAlternativeNames = roleOptions.allowedOtherSubjectAlternativeNames;

        // Certificate purpose flags.
        body.serverFlag = roleOptions.serverFlag;
        body.clientFlag = roleOptions.clientFlag;
        body.codeSigningFlag = roleOptions.codeSigningFlag;
        body.emailProtectionFlag = roleOptions.emailProtectionFlag;

        // Key parameters and usages; enum values are sent by their constant names.
        body.keyType = certificateKeyTypeToString(roleOptions.keyType);
        body.keyBits = roleOptions.keyBits;
        body.keyUsages = enumListToStringList(roleOptions.keyUsages, CertificateKeyUsage::name);
        body.extendedKeyUsages = enumListToStringList(roleOptions.extendedKeyUsages, CertificateExtendedKeyUsage::name);
        body.extendedKeyUsageOIDs = roleOptions.extendedKeyUsageOIDs;

        // CSR handling.
        body.useCSRCommonName = roleOptions.useCSRCommonName;
        body.useCSRSubjectAlternativeNames = roleOptions.useCSRSubjectAlternativeNames;

        // Subject fields arrive as comma-separated strings and are sent as lists.
        body.subjectOrganization = commaStringToStringList(roleOptions.subjectOrganization);
        body.subjectOrganizationalUnit = commaStringToStringList(roleOptions.subjectOrganizationalUnit);
        body.subjectStreetAddress = commaStringToStringList(roleOptions.subjectStreetAddress);
        body.subjectPostalCode = commaStringToStringList(roleOptions.subjectPostalCode);
        body.subjectLocality = commaStringToStringList(roleOptions.subjectLocality);
        body.subjectProvince = commaStringToStringList(roleOptions.subjectProvince);
        body.subjectCountry = commaStringToStringList(roleOptions.subjectCountry);
        body.allowedSubjectSerialNumbers = roleOptions.allowedSubjectSerialNumbers;

        // Remaining settings.
        body.generateLease = roleOptions.generateLease;
        body.noStore = roleOptions.noStore;
        body.requireCommonName = roleOptions.requireCommonName;
        body.policyOIDs = roleOptions.policyOIDs;
        body.basicConstraintsValidForNonCA = roleOptions.basicConstraintsValidForNonCA;
        body.notBeforeDuration = roleOptions.notBeforeDuration;

        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.updateRole(this.vaultClient, token, this.mount, str, body));
    }

    /**
     * Reads a PKI role and converts it to {@link RoleOptions}.
     *
     * @param str name of the role to read
     * @return the role settings reported by the engine
     */
    @Override
    public Uni<RoleOptions> getRole(String str) {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.readRole(this.vaultClient, token, this.mount, str)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKIRoleOptionsData source = (VaultPKIRoleOptionsData) result.data;
                            final RoleOptions role = new RoleOptions();

                            // Lifetime limits.
                            role.timeToLive = source.timeToLive;
                            role.maxTimeToLive = source.maxTimeToLive;

                            // Name constraints.
                            role.allowLocalhost = source.allowLocalhost;
                            role.allowedDomains = source.allowedDomains;
                            role.allowTemplatesInAllowedDomains = source.allowTemplatesInAllowedDomains;
                            role.allowBareDomains = source.allowBareDomains;
                            role.allowSubdomains = source.allowSubdomains;
                            role.allowGlobsInAllowedDomains = source.allowGlobsInAllowedDomains;
                            role.allowAnyName = source.allowAnyName;
                            role.enforceHostnames = source.enforceHostnames;
                            role.allowIpSubjectAlternativeNames = source.allowIpSubjectAlternativeNames;
                            role.allowedUriSubjectAlternativeNames = source.allowedUriSubjectAlternativeNames;
                            role.allowedOtherSubjectAlternativeNames = source.allowedOtherSubjectAlternativeNames;

                            // Certificate purpose flags.
                            role.serverFlag = source.serverFlag;
                            role.clientFlag = source.clientFlag;
                            role.codeSigningFlag = source.codeSigningFlag;
                            role.emailProtectionFlag = source.emailProtectionFlag;

                            // Key parameters and usages; names from the response are resolved with valueOf.
                            role.keyType = stringToCertificateKeyType(source.keyType);
                            role.keyBits = source.keyBits;
                            role.keyUsages = stringListToEnumList(source.keyUsages, CertificateKeyUsage::valueOf);
                            role.extendedKeyUsages = stringListToEnumList(source.extendedKeyUsages, CertificateExtendedKeyUsage::valueOf);
                            role.extendedKeyUsageOIDs = source.extendedKeyUsageOIDs;

                            // CSR handling.
                            role.useCSRCommonName = source.useCSRCommonName;
                            role.useCSRSubjectAlternativeNames = source.useCSRSubjectAlternativeNames;

                            // Subject fields arrive as lists and are exposed as comma-separated strings.
                            role.subjectOrganization = stringListToCommaString(source.subjectOrganization);
                            role.subjectOrganizationalUnit = stringListToCommaString(source.subjectOrganizationalUnit);
                            role.subjectStreetAddress = stringListToCommaString(source.subjectStreetAddress);
                            role.subjectPostalCode = stringListToCommaString(source.subjectPostalCode);
                            role.subjectLocality = stringListToCommaString(source.subjectLocality);
                            role.subjectProvince = stringListToCommaString(source.subjectProvince);
                            role.subjectCountry = stringListToCommaString(source.subjectCountry);
                            role.allowedSubjectSerialNumbers = source.allowedSubjectSerialNumbers;

                            // Remaining settings.
                            role.generateLease = source.generateLease;
                            role.noStore = source.noStore;
                            role.requireCommonName = source.requireCommonName;
                            role.policyOIDs = source.policyOIDs;
                            role.basicConstraintsValidForNonCA = source.basicConstraintsValidForNonCA;
                            role.notBeforeDuration = source.notBeforeDuration;
                            return role;
                        }));
    }

    /**
     * Lists the role names defined on the PKI mount.
     *
     * <p>A {@link VaultClientException} with status 404 from the list call is turned into an
     * empty list; any other failure is propagated unchanged.
     *
     * @return the role names, or an empty list on a 404
     */
    @Override
    public Uni<List<String>> getRoles() {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.listRoles(this.vaultClient, token, this.mount)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            return ((VaultPKIRolesListData) result.data).keys;
                        })
                        // Recovery is scoped to the list call only, not to token acquisition.
                        .onFailure(VaultClientException.class)
                        .recoverWithUni(failure -> {
                            if (((VaultClientException) failure).getStatus() == 404) {
                                return Uni.createFrom().item(Collections.emptyList());
                            }
                            return Uni.createFrom().failure(failure);
                        }));
    }

    /**
     * Deletes a PKI role.
     *
     * @param str name of the role to delete
     * @return a Uni completing when the engine call finishes
     */
    @Override
    public Uni<Void> deleteRole(String str) {
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.deleteRole(this.vaultClient, token, this.mount, str));
    }

    /**
     * Generates a root certificate on the PKI mount.
     *
     * <p>When {@code exportPrivateKey} is set the request type is {@code "exported"}, otherwise
     * {@code "internal"}. The result's private key is populated from the response, so with the
     * exported type callers should treat the returned object as secret material and keep it
     * out of logs and error messages.
     *
     * @param generateRootOptions subject, SAN, key and encoding options, forwarded without validation
     * @return the root certificate, issuing CA, serial number and private key data from the response
     */
    @Override
    public Uni<GeneratedRootCertificate> generateRoot(GenerateRootOptions generateRootOptions) {
        // Selects whether the engine is asked to return the generated key or keep it internal.
        final String generationType = generateRootOptions.exportPrivateKey ? "exported" : "internal";
        final VaultPKIGenerateRootBody body = new VaultPKIGenerateRootBody();
        body.format = dataFormatToFormat(generateRootOptions.format);
        body.privateKeyFormat = privateKeyFormat(generateRootOptions.format, generateRootOptions.privateKeyEncoding);
        body.subjectCommonName = generateRootOptions.subjectCommonName;
        // List-valued SANs are flattened to comma-separated strings for the request body.
        body.subjectAlternativeNames = stringListToCommaString(generateRootOptions.subjectAlternativeNames);
        body.ipSubjectAlternativeNames = stringListToCommaString(generateRootOptions.ipSubjectAlternativeNames);
        body.uriSubjectAlternativeNames = stringListToCommaString(generateRootOptions.uriSubjectAlternativeNames);
        body.otherSubjectAlternativeNames = generateRootOptions.otherSubjectAlternativeNames;
        body.timeToLive = generateRootOptions.timeToLive;
        body.keyType = certificateKeyTypeToString(generateRootOptions.keyType);
        body.keyBits = generateRootOptions.keyBits;
        body.maxPathLength = generateRootOptions.maxPathLength;
        body.excludeCommonNameFromSubjectAlternativeNames = generateRootOptions.excludeCommonNameFromSubjectAlternativeNames;
        body.permittedDnsDomains = generateRootOptions.permittedDnsDomains;
        // Subject fields are copied as given.
        body.subjectOrganization = generateRootOptions.subjectOrganization;
        body.subjectOrganizationalUnit = generateRootOptions.subjectOrganizationalUnit;
        body.subjectStreetAddress = generateRootOptions.subjectStreetAddress;
        body.subjectPostalCode = generateRootOptions.subjectPostalCode;
        body.subjectLocality = generateRootOptions.subjectLocality;
        body.subjectProvince = generateRootOptions.subjectProvince;
        body.subjectCountry = generateRootOptions.subjectCountry;
        body.subjectSerialNumber = generateRootOptions.subjectSerialNumber;
        return this.vaultAuthManager.getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.generateRoot(this.vaultClient, token, this.mount, generationType, body)
                        .map(result -> {
                            // Validate the response before its data is dereferenced.
                            checkDataValid(result);
                            final VaultPKIGenerateRootData rootData = (VaultPKIGenerateRootData) result.data;
                            final GeneratedRootCertificate root = new GeneratedRootCertificate();
                            // Response fields are decoded using the format that was sent in the request.
                            root.certificate = createCertificateData(rootData.certificate, body.format);
                            root.issuingCA = createCertificateData(rootData.issuingCA, body.format);
                            root.serialNumber = rootData.serialNumber;
                            root.privateKeyType = stringToCertificateKeyType(rootData.privateKeyType);
                            root.privateKey = createPrivateKeyData(rootData.privateKey, body.format, body.privateKeyFormat);
                            return root;
                        }));
    }

    /**
     * Forwards a delete-root request for this engine's PKI mount to Vault.
     *
     * <p>A client token is fetched from the auth manager first; the internal PKI engine's
     * {@code deleteRoot} is then invoked with that token and {@code this.mount}. This wrapper adds
     * no confirmation step or extra authorization check of its own, so access control rests on the
     * policy attached to the token.
     *
     * @return a {@code Uni} produced by the internal engine call
     */
    @Override // io.quarkus.vault.VaultPKISecretReactiveEngine
    public Uni<Void> deleteRoot() {
        return this.vaultAuthManager
                .getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.deleteRoot(this.vaultClient, token, this.mount));
    }

    /**
     * Sends a CSR to Vault to be signed as an intermediate CA certificate.
     *
     * <p>Every option is copied verbatim into the request body; the three list-valued SAN options are
     * flattened to comma-separated strings first. The response is checked with
     * {@code checkDataValid} before it is unpacked.
     *
     * <p>NOTE(review): {@code useCSRValues}, {@code maxPathLength} and {@code permittedDnsDomains} are
     * forwarded without any local validation. They look like the knobs that decide how much authority
     * the signed intermediate gets, so callers should set them deliberately and only submit CSRs from
     * a trusted requester; confirm the exact semantics against the Vault PKI API in use.
     *
     * @param str the certificate signing request to sign
     * @param signIntermediateCAOptions subject, SAN, TTL and constraint options; must not be null
     * @return the signed certificate, issuing CA, CA chain and serial number, encoded in the
     *         requested format (PEM when no format is given)
     */
    @Override // io.quarkus.vault.VaultPKISecretReactiveEngine
    public Uni<SignedCertificate> signIntermediateCA(String str, SignIntermediateCAOptions signIntermediateCAOptions) {
        final VaultPKISignIntermediateCABody body = new VaultPKISignIntermediateCABody();

        // Encoding and payload.
        body.format = dataFormatToFormat(signIntermediateCAOptions.format);
        body.csr = str;

        // Names.
        body.subjectCommonName = signIntermediateCAOptions.subjectCommonName;
        body.subjectAlternativeNames = stringListToCommaString(signIntermediateCAOptions.subjectAlternativeNames);
        body.ipSubjectAlternativeNames = stringListToCommaString(signIntermediateCAOptions.ipSubjectAlternativeNames);
        body.uriSubjectAlternativeNames = stringListToCommaString(signIntermediateCAOptions.uriSubjectAlternativeNames);
        body.otherSubjectAlternativeNames = signIntermediateCAOptions.otherSubjectAlternativeNames;

        // Lifetime and CA constraints.
        body.timeToLive = signIntermediateCAOptions.timeToLive;
        body.maxPathLength = signIntermediateCAOptions.maxPathLength;
        body.excludeCommonNameFromSubjectAlternativeNames = signIntermediateCAOptions.excludeCommonNameFromSubjectAlternativeNames;
        body.useCSRValues = signIntermediateCAOptions.useCSRValues;
        body.permittedDnsDomains = signIntermediateCAOptions.permittedDnsDomains;

        // Remaining subject attributes.
        body.subjectOrganization = signIntermediateCAOptions.subjectOrganization;
        body.subjectOrganizationalUnit = signIntermediateCAOptions.subjectOrganizationalUnit;
        body.subjectStreetAddress = signIntermediateCAOptions.subjectStreetAddress;
        body.subjectPostalCode = signIntermediateCAOptions.subjectPostalCode;
        body.subjectLocality = signIntermediateCAOptions.subjectLocality;
        body.subjectProvince = signIntermediateCAOptions.subjectProvince;
        body.subjectCountry = signIntermediateCAOptions.subjectCountry;
        body.subjectSerialNumber = signIntermediateCAOptions.subjectSerialNumber;

        return this.vaultAuthManager.getClientToken(this.vaultClient).flatMap(token ->
                this.vaultInternalPKISecretEngine.signIntermediateCA(this.vaultClient, token, this.mount, body).map(result -> {
                    // Fails with a VaultException when the response carries no data section.
                    checkDataValid(result);
                    VaultPKISignCertificateRequestData data = (VaultPKISignCertificateRequestData) result.data;
                    SignedCertificate signed = new SignedCertificate();
                    signed.certificate = createCertificateData(data.certificate, body.format);
                    signed.issuingCA = createCertificateData(data.issuingCA, body.format);
                    signed.caChain = createCertificateDataList(data.caChain, body.format);
                    signed.serialNumber = data.serialNumber;
                    return signed;
                }));
    }

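    /**
     * Asks Vault to generate a key pair and a CSR for an intermediate CA on this mount.
     *
     * <p>The request type is {@code "exported"} when {@code exportPrivateKey} is set and
     * {@code "internal"} otherwise. Only in the exported case is the response expected to carry the
     * private key; when the response has no key, {@code createPrivateKeyData} returns {@code null}.
     * An exported key is returned to the caller in the result object, so the caller becomes
     * responsible for storing it securely and keeping it out of logs.
     *
     * <p>The response is validated with {@code checkDataValid} before it is unpacked, matching
     * {@code signIntermediateCA}; previously a response without a data section surfaced as a
     * {@code NullPointerException} instead of a {@code VaultException}.
     *
     * @param generateIntermediateCSROptions key, subject and SAN options; must not be null
     * @return the CSR plus, for exported requests, the private key and its type
     */
    @Override // io.quarkus.vault.VaultPKISecretReactiveEngine
    public Uni<GeneratedIntermediateCSRResult> generateIntermediateCSR(GenerateIntermediateCSROptions generateIntermediateCSROptions) {
        String str = generateIntermediateCSROptions.exportPrivateKey ? "exported" : "internal";
        VaultPKIGenerateIntermediateCSRBody vaultPKIGenerateIntermediateCSRBody = new VaultPKIGenerateIntermediateCSRBody();
        vaultPKIGenerateIntermediateCSRBody.format = dataFormatToFormat(generateIntermediateCSROptions.format);
        vaultPKIGenerateIntermediateCSRBody.privateKeyFormat = privateKeyFormat(generateIntermediateCSROptions.format, generateIntermediateCSROptions.privateKeyEncoding);
        vaultPKIGenerateIntermediateCSRBody.subjectCommonName = generateIntermediateCSROptions.subjectCommonName;
        vaultPKIGenerateIntermediateCSRBody.subjectAlternativeNames = stringListToCommaString(generateIntermediateCSROptions.subjectAlternativeNames);
        vaultPKIGenerateIntermediateCSRBody.ipSubjectAlternativeNames = stringListToCommaString(generateIntermediateCSROptions.ipSubjectAlternativeNames);
        vaultPKIGenerateIntermediateCSRBody.uriSubjectAlternativeNames = stringListToCommaString(generateIntermediateCSROptions.uriSubjectAlternativeNames);
        vaultPKIGenerateIntermediateCSRBody.otherSubjectAlternativeNames = generateIntermediateCSROptions.otherSubjectAlternativeNames;
        vaultPKIGenerateIntermediateCSRBody.keyType = certificateKeyTypeToString(generateIntermediateCSROptions.keyType);
        vaultPKIGenerateIntermediateCSRBody.keyBits = generateIntermediateCSROptions.keyBits;
        vaultPKIGenerateIntermediateCSRBody.excludeCommonNameFromSubjectAlternativeNames = generateIntermediateCSROptions.excludeCommonNameFromSubjectAlternativeNames;
        vaultPKIGenerateIntermediateCSRBody.subjectOrganization = generateIntermediateCSROptions.subjectOrganization;
        vaultPKIGenerateIntermediateCSRBody.subjectOrganizationalUnit = generateIntermediateCSROptions.subjectOrganizationalUnit;
        vaultPKIGenerateIntermediateCSRBody.subjectStreetAddress = generateIntermediateCSROptions.subjectStreetAddress;
        vaultPKIGenerateIntermediateCSRBody.subjectPostalCode = generateIntermediateCSROptions.subjectPostalCode;
        vaultPKIGenerateIntermediateCSRBody.subjectLocality = generateIntermediateCSROptions.subjectLocality;
        vaultPKIGenerateIntermediateCSRBody.subjectProvince = generateIntermediateCSROptions.subjectProvince;
        vaultPKIGenerateIntermediateCSRBody.subjectCountry = generateIntermediateCSROptions.subjectCountry;
        vaultPKIGenerateIntermediateCSRBody.subjectSerialNumber = generateIntermediateCSROptions.subjectSerialNumber;
        return this.vaultAuthManager.getClientToken(this.vaultClient).flatMap(str2 -> {
            return this.vaultInternalPKISecretEngine.generateIntermediateCSR(this.vaultClient, str2, this.mount, str, vaultPKIGenerateIntermediateCSRBody).map(vaultPKIGenerateIntermediateCSRResult -> {
                // Reject a response without a data section up front, as signIntermediateCA does.
                checkDataValid(vaultPKIGenerateIntermediateCSRResult);
                VaultPKIGenerateIntermediateCSRData vaultPKIGenerateIntermediateCSRData = (VaultPKIGenerateIntermediateCSRData) vaultPKIGenerateIntermediateCSRResult.data;
                GeneratedIntermediateCSRResult generatedIntermediateCSRResult = new GeneratedIntermediateCSRResult();
                generatedIntermediateCSRResult.csr = createCSRData(vaultPKIGenerateIntermediateCSRData.csr, vaultPKIGenerateIntermediateCSRBody.format);
                generatedIntermediateCSRResult.privateKeyType = stringToCertificateKeyType(vaultPKIGenerateIntermediateCSRData.privateKeyType);
                // Null unless Vault returned key material (see the exported/internal note above).
                generatedIntermediateCSRResult.privateKey = createPrivateKeyData(vaultPKIGenerateIntermediateCSRData.privateKey, vaultPKIGenerateIntermediateCSRBody.format, vaultPKIGenerateIntermediateCSRBody.privateKeyFormat);
                return generatedIntermediateCSRResult;
            });
        });
    }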

    /**
     * Submits a signed intermediate CA certificate to this PKI mount.
     *
     * <p>The certificate string is placed in the request body unchanged; it is not parsed or
     * validated locally before being sent.
     *
     * @param str the signed certificate to install
     * @return a {@code Uni} produced by the internal engine call
     */
    @Override // io.quarkus.vault.VaultPKISecretReactiveEngine
    public Uni<Void> setSignedIntermediateCA(String str) {
        final VaultPKISetSignedIntermediateCABody body = new VaultPKISetSignedIntermediateCABody();
        body.certificate = str;
        return this.vaultAuthManager
                .getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.setSignedIntermediateCA(this.vaultClient, token, this.mount, body));
    }

    /**
     * Sends a tidy request for this PKI mount.
     *
     * <p>The three options ({@code tidyCertStore}, {@code tidyRevokedCerts}, {@code safetyBuffer})
     * are copied into the request body as given.
     *
     * @param tidyOptions the tidy settings; must not be null
     * @return a {@code Uni} produced by the internal engine call
     */
    @Override // io.quarkus.vault.VaultPKISecretReactiveEngine
    public Uni<Void> tidy(TidyOptions tidyOptions) {
        final VaultPKITidyBody body = new VaultPKITidyBody();
        body.tidyCertStore = tidyOptions.tidyCertStore;
        body.tidyRevokedCerts = tidyOptions.tidyRevokedCerts;
        body.safetyBuffer = tidyOptions.safetyBuffer;
        return this.vaultAuthManager
                .getClientToken(this.vaultClient)
                .flatMap(token -> this.vaultInternalPKISecretEngine.tidy(this.vaultClient, token, this.mount, body));
    }

    /**
     * Joins the elements with {@code ","}.
     *
     * <p>Elements are not escaped, so an element that itself contains a comma is indistinguishable
     * from two elements once joined.
     *
     * @param list the values to join, or null
     * @return the joined string, or null when {@code list} is null
     */
    private String stringListToCommaString(List<String> list) {
        return list != null ? String.join(",", list) : null;
    }

    /**
     * Splits a comma-separated string into its parts.
     *
     * <p>Follows {@link String#split(String)}: trailing empty parts are dropped and an empty input
     * yields a single empty element. The returned list is a fixed-size view over the split array.
     *
     * @param str the comma-separated value, or null
     * @return the parts, or null when {@code str} is null
     */
    private List<String> commaStringToStringList(String str) {
        if (str != null) {
            String[] parts = str.split(",");
            return Arrays.asList(parts);
        }
        return null;
    }

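    /**
     * Maps a key-type string from a Vault response to the {@code CertificateKeyType} enum.
     *
     * <p>The value is upper-cased with {@link Locale#ROOT} so the lookup does not depend on the JVM's
     * default locale, consistent with {@code dataFormatToFormat}.
     *
     * @param str the key-type string, or null
     * @return the matching constant, or null when {@code str} is null
     * @throws IllegalArgumentException if no constant has that name
     */
    private CertificateKeyType stringToCertificateKeyType(String str) {
        if (str == null) {
            return null;
        }
        return CertificateKeyType.valueOf(str.toUpperCase(Locale.ROOT));
    }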

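    /**
     * Renders a {@code CertificateKeyType} as the lower-case string placed in request bodies.
     *
     * <p>Lower-casing uses {@link Locale#ROOT} so the result does not depend on the JVM's default
     * locale, consistent with {@code dataFormatToFormat}.
     *
     * @param certificateKeyType the key type, or null
     * @return the lower-cased constant name, or null when the argument is null
     */
    private String certificateKeyTypeToString(CertificateKeyType certificateKeyType) {
        if (certificateKeyType == null) {
            return null;
        }
        return certificateKeyType.name().toLowerCase(Locale.ROOT);
    }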

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Converts a list of enum constants to strings using the supplied mapper.
     *
     * @param list the constants to convert, or null
     * @param function maps one constant to its string form
     * @return the mapped strings in encounter order, or null when {@code list} is null
     */
    private <T extends Enum<T>> List<String> enumListToStringList(List<T> list, Function<T, String> function) {
        if (list != null) {
            List<String> mapped = list.stream().map(function).collect(Collectors.toList());
            return mapped;
        }
        return null;
    }

    /**
     * Converts a list of strings to enum constants using the supplied mapper.
     *
     * @param list the strings to convert, or null
     * @param function maps one string to its constant; any exception it throws propagates
     * @return the mapped constants in encounter order, or null when {@code list} is null
     */
    private <T extends Enum<T>> List<T> stringListToEnumList(List<String> list, Function<String, T> function) {
        if (list != null) {
            List<T> mapped = list.stream().map(function).collect(Collectors.toList());
            return mapped;
        }
        return null;
    }

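    /**
     * Ensures a Vault response carries a data section.
     *
     * <p>When {@code data} is null and {@code warnings} is a non-empty list, the first warning becomes
     * the exception message; otherwise a generic message is used. The warnings value is cast to
     * {@code List<?>} explicitly instead of being assigned to a raw {@code List}, and the first
     * element is rendered with {@link String#valueOf(Object)} so a null entry cannot raise a
     * {@code NullPointerException} while the error is being built.
     *
     * @param abstractVaultDTO the response to check; must not be null
     * @throws VaultException if the response has no data
     */
    private void checkDataValid(AbstractVaultDTO<?, ?> abstractVaultDTO) {
        if (abstractVaultDTO.data != null) {
            return;
        }
        Object warnings = abstractVaultDTO.warnings;
        if (warnings instanceof List) {
            List<?> warningList = (List<?>) warnings;
            if (!warningList.isEmpty()) {
                throw new VaultException(String.valueOf(warningList.get(0)));
            }
        }
        throw new VaultException("Unknown vault error");
    }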

    /**
     * Renders a {@code DataFormat} as the lower-case string used in request bodies.
     *
     * @param dataFormat the requested format, or null
     * @return the lower-cased constant name, or {@code "pem"} when the argument is null
     */
    private String dataFormatToFormat(DataFormat dataFormat) {
        if (dataFormat == null) {
            return "pem";
        }
        String constantName = dataFormat.name();
        return constantName.toLowerCase(Locale.ROOT);
    }

    /**
     * Substitutes the default format for a missing one.
     *
     * @param str a format string, or null
     * @return {@code str} unchanged, or {@code "pem"} when it is null
     */
    private String nonNullFormat(String str) {
        if (str != null) {
            return str;
        }
        return "pem";
    }

    /**
     * Chooses the private-key format string for a request.
     *
     * @param dataFormat the requested data format, used only when the encoding is not PKCS8
     * @param privateKeyEncoding the requested key encoding, or null
     * @return {@code "pkcs8"} when the encoding is null or {@code PKCS8}; otherwise the string form
     *         of {@code dataFormat} as produced by {@code dataFormatToFormat}
     */
    private String privateKeyFormat(DataFormat dataFormat, PrivateKeyEncoding privateKeyEncoding) {
        if (privateKeyEncoding != null && privateKeyEncoding != PrivateKeyEncoding.PKCS8) {
            return dataFormatToFormat(dataFormat);
        }
        return "pkcs8";
    }

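    /**
     * Wraps a certificate string from a Vault response in the matching {@code CertificateData} type.
     *
     * <p>Written as a plain string switch: the decompiled form ({@code boolean z = -1} followed by a
     * switch on a boolean) is not valid Java. The branches and messages are unchanged.
     *
     * @param str the certificate as returned by Vault, or null
     * @param str2 the format the request asked for; null is treated as {@code "pem"}
     * @return a {@code DER} wrapper over the Base64-decoded bytes, a {@code PEM} wrapper over the
     *         text, or null when {@code str} is null
     * @throws VaultException if the format is neither {@code "der"} nor {@code "pem"}
     * @throws IllegalArgumentException if the format is {@code "der"} and {@code str} is not valid
     *         Base64
     */
    private CertificateData createCertificateData(String str, String str2) {
        if (str == null) {
            return null;
        }
        switch (nonNullFormat(str2)) {
            case "der":
                // DER content arrives Base64-encoded in the response.
                return new CertificateData.DER(Base64.getDecoder().decode(str));
            case "pem":
                return new CertificateData.PEM(str);
            default:
                throw new VaultException("Unsupported certificate format");
        }
    }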

    /**
     * Converts each certificate string of a chain with {@code createCertificateData}.
     *
     * @param list the certificate strings, or null
     * @param str the format the request asked for, applied to every element
     * @return the converted certificates in the same order, or null when {@code list} is null
     */
    private List<CertificateData> createCertificateDataList(List<String> list, String str) {
        if (list == null) {
            return null;
        }
        List<CertificateData> converted = new ArrayList<>(list.size());
        for (String encoded : list) {
            converted.add(createCertificateData(encoded, str));
        }
        return converted;
    }

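    /**
     * Wraps a CSR string from a Vault response in the matching {@code CSRData} type.
     *
     * <p>Written as a plain string switch: the decompiled form ({@code boolean z = -1} followed by a
     * switch on a boolean) is not valid Java. The branches and messages are unchanged.
     *
     * @param str the CSR as returned by Vault, or null
     * @param str2 the format the request asked for; null is treated as {@code "pem"}
     * @return a {@code DER} wrapper over the Base64-decoded bytes, a {@code PEM} wrapper over the
     *         text, or null when {@code str} is null
     * @throws VaultException if the format is neither {@code "der"} nor {@code "pem"}
     * @throws IllegalArgumentException if the format is {@code "der"} and {@code str} is not valid
     *         Base64
     */
    private CSRData createCSRData(String str, String str2) {
        if (str == null) {
            return null;
        }
        switch (nonNullFormat(str2)) {
            case "der":
                // DER content arrives Base64-encoded in the response.
                return new CSRData.DER(Base64.getDecoder().decode(str));
            case "pem":
                return new CSRData.PEM(str);
            default:
                throw new VaultException("Unsupported certification request format");
        }
    }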

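    /**
     * Wraps private-key material from a Vault response in the matching {@code PrivateKeyData} type.
     *
     * <p>Written as a plain string switch: the decompiled form ({@code boolean z = -1} followed by a
     * switch on a boolean) is not valid Java. The branches and messages are unchanged.
     *
     * <p>The value handled here is a private key. The exception messages below deliberately contain
     * no part of it, and it should not be added to logs or error text by later changes.
     *
     * @param str the private key as returned by Vault, or null when the response carried none
     * @param str2 the data format the request asked for; null is treated as {@code "pem"}
     * @param str3 the private-key format the request asked for; compared case-insensitively with
     *        {@code "pkcs8"}. Must not be null when {@code str} is non-null.
     * @return a {@code DER} wrapper over the Base64-decoded bytes, a {@code PEM} wrapper over the
     *         text, or null when {@code str} is null
     * @throws VaultException if the data format is neither {@code "der"} nor {@code "pem"}
     * @throws IllegalArgumentException if the format is {@code "der"} and {@code str} is not valid
     *         Base64
     */
    private PrivateKeyData createPrivateKeyData(String str, String str2, String str3) {
        if (str == null) {
            return null;
        }
        // Evaluated before the format switch, as in the original, so a null str3 still fails first.
        boolean pkcs8 = "pkcs8".equals(str3.toLowerCase(Locale.ROOT));
        switch (nonNullFormat(str2)) {
            case "der":
                // DER content arrives Base64-encoded in the response.
                return new PrivateKeyData.DER(Base64.getDecoder().decode(str), pkcs8);
            case "pem":
                return new PrivateKeyData.PEM(str, pkcs8);
            default:
                throw new VaultException("Unsupported private key format");
        }
    }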
}
