package org.apache.knox.gateway.services.token.impl;

import java.lang.management.ManagementFactory;
import java.time.Instant;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.management.InstanceAlreadyExistsException;
import javax.management.MBeanRegistrationException;
import javax.management.MalformedObjectNameException;
import javax.management.NotCompliantMBeanException;
import javax.management.ObjectName;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.token.TokenStateService;
import org.apache.knox.gateway.services.security.token.TokenUtils;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.services.token.TokenStateServiceStatistics;

/* loaded from: input_file:org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.class */
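/**
 * Token state service that keeps token expirations and maximum lifetimes in two
 * in-memory maps keyed by token identifier.
 *
 * <p>All timestamps handled here are epoch milliseconds (they are compared with
 * {@link System#currentTimeMillis()}); the eviction interval and grace period are
 * in seconds.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The state lives only in this object's maps. Revocation and eviction both
 *       work by deleting the entry, so a revoked token is indistinguishable from
 *       one this instance never saw.</li>
 *   <li>With permissive validation enabled, {@link #getTokenExpiration(JWT)} falls
 *       back to the token's own expiry claim for unknown identifiers. In that mode
 *       a revoked (or evicted) token is reported as unexpired until its claim
 *       lapses; see that method.</li>
 *   <li>Token identifiers are passed to the message logger unmasked.
 *       NOTE(review): confirm the identifier is not usable as a credential before
 *       forwarding these logs.</li>
 * </ul>
 */
public class DefaultTokenStateService implements TokenStateService {
    protected static final int MAX_RENEWALS = 7;
    /** Default renewal interval: 24 hours, in milliseconds. */
    protected static final long DEFAULT_RENEWAL_INTERVAL = TimeUnit.HOURS.toMillis(24);
    /** Default maximum lifetime duration: {@link #MAX_RENEWALS} renewal intervals, in milliseconds. */
    protected static final long DEFAULT_MAX_LIFETIME = MAX_RENEWALS * DEFAULT_RENEWAL_INTERVAL;
    protected static final TokenStateServiceMessages log = (TokenStateServiceMessages) MessagesFactory.get(TokenStateServiceMessages.class);

    // Seconds between eviction runs; a value <= 0 disables scheduling (see start()).
    private long tokenEvictionInterval;
    // Seconds an expired token's state is retained before it becomes evictable.
    private long tokenEvictionGracePeriod;
    // When true, unknown tokens are judged by their own expiry claim.
    protected boolean permissiveValidationEnabled;
    // Null unless metrics and JMX reporting were both enabled in init().
    protected TokenStateServiceStatistics tokenStateServiceStatistics;

    // token id -> expiration (epoch millis)
    private final Map<String, Long> tokenExpirations = new ConcurrentHashMap<>();
    // token id -> latest instant (epoch millis) a renewal may extend the token to
    private final Map<String, Long> maxTokenLifetimes = new ConcurrentHashMap<>();
    private final ScheduledExecutorService evictionScheduler = Executors.newScheduledThreadPool(1);

    /**
     * Reads the eviction and validation settings from the gateway configuration and,
     * when both metrics and JMX reporting are enabled, registers the statistics MBean.
     *
     * @param gatewayConfig source of the eviction interval, grace period, permissive
     *                      validation flag and metrics switches
     * @param map           service options; not read by this implementation
     * @throws ServiceLifecycleException if the statistics MBean cannot be registered
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        this.tokenEvictionInterval = gatewayConfig.getKnoxTokenEvictionInterval();
        this.tokenEvictionGracePeriod = gatewayConfig.getKnoxTokenEvictionGracePeriod();
        this.permissiveValidationEnabled = gatewayConfig.isKnoxTokenPermissiveValidationEnabled();
        if (gatewayConfig.isMetricsEnabled() && gatewayConfig.isJmxMetricsReportingEnabled()) {
            try {
                this.tokenStateServiceStatistics = new TokenStateServiceStatistics();
                ManagementFactory.getPlatformMBeanServer().registerMBean(this.tokenStateServiceStatistics, ObjectName.getInstance("metrics:type=Statistics,name=TokenStateService"));
            } catch (MalformedObjectNameException | InstanceAlreadyExistsException | MBeanRegistrationException | NotCompliantMBeanException e) {
                throw new ServiceLifecycleException("Could not register token state service MBean", e);
            }
        }
    }

    /**
     * Schedules periodic eviction when the configured interval is positive.
     *
     * <p>{@code scheduleAtFixedRate} cancels all further runs once one run throws.
     * {@link #evictExpiredTokens()} catches per-token failures and
     * {@link UnknownTokenException} from removal, but an unchecked exception from an
     * overridden hook would still end the schedule, after which expired state is no
     * longer cleaned up.
     */
    public void start() throws ServiceLifecycleException {
        if (this.tokenEvictionInterval > 0) {
            this.evictionScheduler.scheduleAtFixedRate(this::evictExpiredTokens, this.tokenEvictionInterval, this.tokenEvictionInterval, TimeUnit.SECONDS);
        }
    }

    /** Shuts the eviction scheduler down; does not wait for a running eviction to finish. */
    public void stop() throws ServiceLifecycleException {
        this.evictionScheduler.shutdown();
    }

    /** @return the default renewal interval in milliseconds */
    public long getDefaultRenewInterval() {
        return DEFAULT_RENEWAL_INTERVAL;
    }

    /** @return the default maximum lifetime duration in milliseconds */
    public long getDefaultMaxLifetimeDuration() {
        return DEFAULT_MAX_LIFETIME;
    }

    /**
     * Records state for a token, using the token's own expiry date as its expiration.
     *
     * @param jWTToken the token; must not be null
     * @param j        the instant (epoch millis) from which the maximum lifetime is counted
     * @throws IllegalArgumentException if the token is null
     */
    public void addToken(JWTToken jWTToken, long j) {
        if (jWTToken == null) {
            throw new IllegalArgumentException("Token cannot be null.");
        }
        addToken(TokenUtils.getTokenId(jWTToken), j, jWTToken.getExpiresDate().getTime());
    }

    /**
     * Records state for a token identifier with the default maximum lifetime duration.
     *
     * @param str the token identifier
     * @param j   the instant (epoch millis) from which the maximum lifetime is counted
     * @param j2  the expiration (epoch millis)
     */
    public void addToken(String str, long j, long j2) {
        addToken(str, j, j2, getDefaultMaxLifetimeDuration());
    }

    /**
     * Records the expiration and maximum lifetime for a token identifier.
     *
     * @param str the token identifier; must not be null or empty
     * @param j   the instant (epoch millis) from which the maximum lifetime is counted
     * @param j2  the expiration (epoch millis)
     * @param j3  the maximum lifetime duration (millis), added to {@code j}
     * @throws IllegalArgumentException if the identifier is null or empty
     */
    public void addToken(String str, long j, long j2, long j3) {
        validateTokenIdentifier(str);
        this.tokenExpirations.put(str, j2);
        setMaxLifetime(str, j, j3);
        log.addedToken(str, getTimestampDisplay(j2));
        if (this.tokenStateServiceStatistics != null) {
            this.tokenStateServiceStatistics.addToken();
        }
    }

    /**
     * Returns the expiration recorded for the token, or, in permissive mode only, the
     * expiry carried by the token itself when no state is recorded for it.
     *
     * <p>The permissive fallback trusts the value returned by {@code jwt.getExpires()}.
     * This method performs no signature check, so it assumes the caller has already
     * verified the token (TODO confirm at call sites). Because revocation deletes the
     * recorded state, a revoked token takes this fallback path too: deployments that
     * depend on revocation should leave permissive validation disabled.
     *
     * <p>An expiry claim that is not a decimal long is treated as absent, so the
     * original {@link UnknownTokenException} is thrown instead of an unchecked
     * {@link NumberFormatException}.
     *
     * @param jwt the token to look up
     * @return the expiration in epoch milliseconds
     * @throws UnknownTokenException if no state is recorded and the permissive
     *                               fallback is disabled or yields no usable value
     */
    public long getTokenExpiration(JWT jwt) throws UnknownTokenException {
        try {
            return getTokenExpiration(TokenUtils.getTokenId(jwt));
        } catch (UnknownTokenException e) {
            if (this.permissiveValidationEnabled) {
                String claimedExpiry = jwt.getExpires();
                if (claimedExpiry != null) {
                    log.permissiveTokenHandling(TokenUtils.getTokenId(jwt), e.getMessage());
                    try {
                        long parsed = Long.parseLong(claimedExpiry);
                        // -1 is kept as the "no usable value" sentinel.
                        if (parsed != -1) {
                            return parsed;
                        }
                    } catch (NumberFormatException malformed) {
                        // Fail closed: keep the parse failure for diagnostics and
                        // report the token as unknown.
                        e.addSuppressed(malformed);
                    }
                }
            }
            throw e;
        }
    }

    /**
     * Returns the recorded expiration for a token identifier, validating it first.
     *
     * @throws UnknownTokenException if no state is recorded for the identifier
     */
    public long getTokenExpiration(String str) throws UnknownTokenException {
        return getTokenExpiration(str, true);
    }

    /**
     * Returns the recorded expiration for a token identifier.
     *
     * @param str the token identifier
     * @param z   whether to run {@link #validateToken(String)} before the lookup
     * @return the expiration in epoch milliseconds
     * @throws UnknownTokenException if no expiration is recorded for the identifier
     */
    public long getTokenExpiration(String str, boolean z) throws UnknownTokenException {
        if (z) {
            validateToken(str);
        }
        Long expiration = this.tokenExpirations.get(str);
        if (expiration == null) {
            throw new UnknownTokenException(str);
        }
        return expiration;
    }

    /** Renews the token by the default renewal interval. */
    public long renewToken(JWTToken jWTToken) throws UnknownTokenException {
        return renewToken(jWTToken, DEFAULT_RENEWAL_INTERVAL);
    }

    /**
     * Renews the token by the given interval.
     *
     * @param jWTToken the token; must not be null
     * @param j        the renewal interval in milliseconds
     * @throws IllegalArgumentException if the token is null or its renewal limit is exceeded
     */
    public long renewToken(JWTToken jWTToken, long j) throws UnknownTokenException {
        if (jWTToken == null) {
            throw new IllegalArgumentException("Token cannot be null.");
        }
        return renewToken(TokenUtils.getTokenId(jWTToken), j);
    }

    /** Renews the token identifier by the default renewal interval. */
    public long renewToken(String str) throws UnknownTokenException {
        return renewToken(str, DEFAULT_RENEWAL_INTERVAL);
    }

    /**
     * Sets the token's expiration to now plus the given interval, provided that does
     * not exceed the token's maximum lifetime.
     *
     * @param str the token identifier
     * @param j   the renewal interval in milliseconds
     * @return the new expiration in epoch milliseconds
     * @throws UnknownTokenException    if no state is recorded for the identifier
     * @throws IllegalArgumentException if the identifier is null or empty, or the
     *                                  renewal would pass the maximum lifetime
     */
    public long renewToken(String str, long j) throws UnknownTokenException {
        validateToken(str);
        if (!hasRemainingRenewals(str, j)) {
            log.renewalLimitExceeded(str);
            throw new IllegalArgumentException("The renewal limit for the token has been exceeded");
        }
        long renewedExpiration = System.currentTimeMillis() + j;
        updateExpiration(str, renewedExpiration);
        log.renewedToken(str, getTimestampDisplay(renewedExpiration));
        if (this.tokenStateServiceStatistics != null) {
            this.tokenStateServiceStatistics.renewToken();
        }
        return renewedExpiration;
    }

    /**
     * Revokes the token by deleting its recorded state.
     *
     * @throws IllegalArgumentException if the token is null
     * @throws UnknownTokenException    if no state is recorded for the token
     */
    public void revokeToken(JWTToken jWTToken) throws UnknownTokenException {
        if (jWTToken == null) {
            throw new IllegalArgumentException("Token cannot be null.");
        }
        revokeToken(TokenUtils.getTokenId(jWTToken));
    }

    /**
     * Revokes the token identifier by deleting its recorded state. No separate
     * revocation record is kept by this class; see the class notes for what that
     * means under permissive validation.
     */
    public void revokeToken(String str) throws UnknownTokenException {
        removeToken(str);
        log.revokedToken(str);
    }

    /**
     * Reports whether the token's expiration is at or before the current time.
     * Uses {@link #getTokenExpiration(JWT)}, so the permissive fallback applies.
     */
    public boolean isExpired(JWTToken jWTToken) throws UnknownTokenException {
        return getTokenExpiration((JWT) jWTToken) <= System.currentTimeMillis();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Stores an absolute maximum lifetime (epoch millis) for the token identifier. */
    public void setMaxLifetime(String str, long j) {
        this.maxTokenLifetimes.put(str, j);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Stores {@code j + j2} as the maximum lifetime for the token identifier.
     * The sum is not overflow-checked; a wrapped, negative result makes
     * {@link #hasRemainingRenewals(String, long)} refuse every renewal.
     */
    public void setMaxLifetime(String str, long j, long j2) {
        this.maxTokenLifetimes.put(str, j + j2);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns true when no expiration is recorded for the token identifier. */
    public boolean isUnknown(String str) {
        return !this.tokenExpirations.containsKey(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Overwrites the recorded expiration (epoch millis) for the token identifier. */
    public void updateExpiration(String str, long j) {
        this.tokenExpirations.put(str, j);
    }

    /** Validates the identifier, then deletes its state. */
    protected void removeToken(String str) throws UnknownTokenException {
        validateToken(str);
        removeTokens(Collections.singleton(str));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Deletes the state of every identifier in the set, without validating them. */
    public void removeTokens(Set<String> set) throws UnknownTokenException {
        removeTokenState(set);
    }

    private void removeTokenState(Set<String> set) {
        this.tokenExpirations.keySet().removeAll(set);
        this.maxTokenLifetimes.keySet().removeAll(set);
        log.removedTokenState(String.join(", ", set));
    }

    /**
     * Reports whether renewing by {@code j} milliseconds, plus a 30-second margin,
     * still ends before the token's maximum lifetime.
     *
     * <p>The projection uses exact arithmetic. An interval large enough to overflow
     * {@code long} cannot fit inside any maximum lifetime, so it is rejected rather
     * than allowed to wrap around and satisfy the comparison.
     */
    protected boolean hasRemainingRenewals(String str, long j) {
        long maxLifetime = getMaxLifetime(str);
        try {
            long margin = TimeUnit.SECONDS.toMillis(30L);
            long projected = Math.addExact(Math.addExact(System.currentTimeMillis(), margin), j);
            return projected < maxLifetime;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the recorded maximum lifetime, or 0 when none is recorded. */
    public long getMaxLifetime(String str) {
        return this.maxTokenLifetimes.getOrDefault(str, 0L);
    }

    private void validateTokenIdentifier(String str) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Token identifier cannot be null or empty.");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks that the identifier is non-empty and has recorded state.
     *
     * @throws IllegalArgumentException if the identifier is null or empty
     * @throws UnknownTokenException    if no state is recorded for the identifier
     */
    public void validateToken(String str) throws IllegalArgumentException, UnknownTokenException {
        validateTokenIdentifier(str);
        if (isUnknown(str)) {
            log.unknownToken(str);
            throw new UnknownTokenException(str);
        }
    }

    private String getTimestampDisplay(long j) {
        return Instant.ofEpochMilli(j).toString();
    }

    /**
     * Collects every token whose expiration plus grace period has passed and removes
     * their state in one call. A failure while checking one token is logged and does
     * not stop the scan.
     */
    protected void evictExpiredTokens() {
        if (!readyForEviction()) {
            log.skipEviction();
            return;
        }
        Set<String> expiredIds = new HashSet<>();
        for (String tokenId : getTokenIds()) {
            try {
                if (needsEviction(tokenId)) {
                    log.evictToken(tokenId);
                    expiredIds.add(tokenId);
                }
            } catch (Exception e) {
                log.failedExpiredTokenEviction(tokenId, e);
            }
        }
        if (expiredIds.isEmpty()) {
            return;
        }
        try {
            removeTokens(expiredIds);
        } catch (UnknownTokenException e) {
            log.failedExpiredTokenEviction(e);
        }
    }

    /** Hook consulted before each eviction run; this implementation always allows it. */
    protected boolean readyForEviction() {
        return true;
    }

    /**
     * Reports whether the token's expiration plus the grace period is at or before
     * the current time. The lookup skips validation.
     */
    protected boolean needsEviction(String str) throws UnknownTokenException {
        return getTokenExpiration(str, false) + TimeUnit.SECONDS.toMillis(this.tokenEvictionGracePeriod) <= System.currentTimeMillis();
    }

    // Copies the key set so the eviction scan iterates over a fixed list of identifiers.
    private List<String> getTokenIds() {
        return this.tokenExpirations.keySet().stream().collect(Collectors.toList());
    }
}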
