package org.apache.knox.gateway.services.token.impl;

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.apache.commons.lang3.concurrent.BasicThreadFactory;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.token.TokenStateServiceStatistics;
import org.apache.knox.gateway.services.token.impl.state.TokenStateJournalFactory;
import org.apache.knox.gateway.services.token.state.JournalEntry;
import org.apache.knox.gateway.services.token.state.TokenStateJournal;

/* loaded from: input_file:org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.class */
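/**
 * Token state service that stores token expiration and maximum-lifetime state as aliases through the
 * {@link AliasService}, on top of the in-memory state kept by {@link DefaultTokenStateService}.
 *
 * <p>New state is recorded in the {@link TokenStateJournal} and queued in {@code unpersistedState}; a
 * scheduled task ({@link #persistTokenState()}) later writes the queued state to the alias service in one
 * batch. Reads consult the in-memory state first and fall back to the alias service.
 *
 * <p>All access to {@code unpersistedState} is guarded by synchronizing on the list itself.
 */
public class AliasBasedTokenStateService extends DefaultTokenStateService {
    /** Suffix appended to a token id to form the alias that holds the token's maximum-lifetime bound. */
    static final String TOKEN_MAX_LIFETIME_POSTFIX = "--max";

    /** Cluster name passed to the alias service for every token-state alias. */
    private static final String GATEWAY_ALIAS_CLUSTER = "__gateway";

    private AliasService aliasService;
    private ScheduledExecutorService statePersistenceScheduler;
    private TokenStateJournal journal;
    private Path gatewayCredentialsFilePath;
    // Interval between persistence runs, in seconds (see the TimeUnit used in start()).
    private long statePersistenceInterval = TimeUnit.SECONDS.toSeconds(15);
    // State that has been accepted in memory but not yet written to the alias service.
    private final List<TokenState> unpersistedState = new ArrayList<>();
    // Flipped to true once the startup load of existing aliases has finished, successfully or not.
    private final AtomicBoolean readyForEviction = new AtomicBoolean(false);

    /** Unpersisted expiration of a token; stored under the token id itself. */
    private static final class TokenExpiration implements TokenState {
        private final String tokenId;
        private final long expiration;

        TokenExpiration(String tokenId, long expiration) {
            this.tokenId = tokenId;
            this.expiration = expiration;
        }

        @Override
        public String getTokenId() {
            return this.tokenId;
        }

        @Override
        public String getAlias() {
            return this.tokenId;
        }

        @Override
        public String getAliasValue() {
            return String.valueOf(this.expiration);
        }

        @Override
        public int hashCode() {
            return HashCodeBuilder.reflectionHashCode(this);
        }

        @Override
        public boolean equals(Object obj) {
            return EqualsBuilder.reflectionEquals(this, obj);
        }
    }

    /** Unpersisted maximum-lifetime bound of a token; stored under the token id plus {@code "--max"}. */
    private static final class TokenMaxLifetime implements TokenState {
        private final String tokenId;
        private final long issueTime;
        private final long maxLifetime;

        TokenMaxLifetime(String tokenId, long issueTime, long maxLifetime) {
            this.tokenId = tokenId;
            this.issueTime = issueTime;
            this.maxLifetime = maxLifetime;
        }

        @Override
        public String getTokenId() {
            return this.tokenId;
        }

        @Override
        public String getAlias() {
            return this.tokenId + AliasBasedTokenStateService.TOKEN_MAX_LIFETIME_POSTFIX;
        }

        /** Returns the sum of issue time and maximum lifetime, i.e. the stored value is an absolute bound. */
        @Override
        public String getAliasValue() {
            return String.valueOf(this.issueTime + this.maxLifetime);
        }

        @Override
        public int hashCode() {
            return HashCodeBuilder.reflectionHashCode(this);
        }

        @Override
        public boolean equals(Object obj) {
            return EqualsBuilder.reflectionEquals(this, obj);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** One piece of token state that can be written to the alias service as an alias/value pair. */
    public interface TokenState {
        /** @return the id of the token this state belongs to */
        String getTokenId();

        /** @return the alias (key) under which the state is stored */
        String getAlias();

        /** @return the value stored for the alias */
        String getAliasValue();
    }

    /**
     * Sets the alias service used for all persistence. Must be called before {@link #init}.
     *
     * @param aliasService the alias service to use
     */
    public void setAliasService(AliasService aliasService) {
        this.aliasService = aliasService;
    }

    /**
     * Initializes the service: replays the token state journal into memory, reads the persistence interval
     * and, when statistics are enabled, records the size of the gateway credentials file.
     *
     * @param gatewayConfig the gateway configuration
     * @param map service options, passed through to the superclass
     * @throws ServiceLifecycleException if no alias service was set or the journal cannot be loaded
     */
    @Override
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        super.init(gatewayConfig, map);
        if (this.aliasService == null) {
            throw new ServiceLifecycleException("The required AliasService reference has not been set.");
        }
        try {
            this.journal = TokenStateJournalFactory.create(gatewayConfig);
            for (JournalEntry entry : this.journal.get()) {
                final String tokenId = entry.getTokenId();
                try {
                    final long issueTime = Long.parseLong(entry.getIssueTime());
                    final long expiration = Long.parseLong(entry.getExpiration());
                    final long maxLifetime = Long.parseLong(entry.getMaxLifetime());
                    // super.addToken: the entry is already in the journal, so it must not be journaled again.
                    super.addToken(tokenId, issueTime, expiration, maxLifetime);
                    synchronized (this.unpersistedState) {
                        this.unpersistedState.add(new TokenExpiration(tokenId, expiration));
                    }
                } catch (Exception e) {
                    // Best effort: one unreadable journal entry must not prevent the others from loading.
                    log.failedToLoadJournalEntry(tokenId, e);
                }
            }
            this.statePersistenceInterval = gatewayConfig.getKnoxTokenStateAliasPersistenceInterval();
            if (this.statePersistenceInterval > 0) {
                this.statePersistenceScheduler = Executors.newScheduledThreadPool(1);
            }
            if (this.tokenStateServiceStatistics != null) {
                final String credentialsFileName =
                        "__gateway-credentials." + gatewayConfig.getCredentialStoreType().toLowerCase(Locale.ROOT);
                this.gatewayCredentialsFilePath =
                        Paths.get(gatewayConfig.getGatewayKeystoreDir()).resolve(credentialsFileName);
                this.tokenStateServiceStatistics.setGatewayCredentialsFileSize(
                        this.gatewayCredentialsFilePath.toFile().length());
            }
        } catch (IOException e) {
            throw new ServiceLifecycleException("Failed to load persisted state from the token state journal", e);
        }
    }

    /**
     * Starts the periodic persistence task (when an interval greater than zero is configured) and loads the
     * aliases already held by the alias service on a background thread.
     *
     * @throws ServiceLifecycleException if the superclass fails to start
     */
    @Override
    public void start() throws ServiceLifecycleException {
        super.start();
        if (this.statePersistenceScheduler != null) {
            this.statePersistenceScheduler.scheduleAtFixedRate(
                    this::persistTokenState, this.statePersistenceInterval, this.statePersistenceInterval, TimeUnit.SECONDS);
        }
        final java.util.concurrent.ExecutorService credentialsLoader = Executors.newSingleThreadExecutor(
                new BasicThreadFactory.Builder().namingPattern("GatewayCredentialsLoader").build());
        credentialsLoader.execute(this::loadGatewayCredentialsOnStartup);
        // shutdown() still runs the task submitted above, then lets the worker thread end; without it the
        // idle thread of this one-shot executor is never released.
        credentialsLoader.shutdown();
    }

    /**
     * Loads expiration and maximum lifetime for every token that has a {@code "--max"} alias into the
     * in-memory state, then marks the service ready for eviction.
     *
     * <p>An entry whose expiration alias is missing or whose values are not numeric is logged and skipped,
     * so a single damaged alias does not stop the remaining tokens from being loaded.
     */
    private void loadGatewayCredentialsOnStartup() {
        try {
            log.loadingGatewayCredentialsOnStartup();
            final long startedAt = System.currentTimeMillis();
            final Map<String, char[]> passwords = this.aliasService.getPasswordsForGateway();
            int loadedTokens = 0;
            for (Map.Entry<String, char[]> entry : passwords.entrySet()) {
                final String alias = entry.getKey();
                if (!alias.endsWith(TOKEN_MAX_LIFETIME_POSTFIX)) {
                    continue;
                }
                // Strip the trailing suffix only; indexOf() would cut at the first "--max" inside the id.
                final String tokenId = alias.substring(0, alias.length() - TOKEN_MAX_LIFETIME_POSTFIX.length());
                final char[] expirationChars = passwords.get(tokenId);
                final char[] maxLifetimeChars = entry.getValue();
                if (expirationChars == null || maxLifetimeChars == null) {
                    log.errorAccessingTokenState(tokenId,
                            new IllegalStateException("Incomplete token state in the credential store"));
                    continue;
                }
                try {
                    final long expiration = convertCharArrayToLong(expirationChars);
                    final long maxLifetime = convertCharArrayToLong(maxLifetimeChars);
                    // super.*: this state is already persisted, so it must not be queued for persistence.
                    super.updateExpiration(tokenId, expiration);
                    super.setMaxLifetime(tokenId, maxLifetime);
                    loadedTokens++;
                } catch (NumberFormatException e) {
                    log.errorAccessingTokenState(tokenId, e);
                }
            }
            // Two aliases (expiration and max lifetime) are counted per loaded token.
            log.loadedGatewayCredentialsOnStartup(loadedTokens * 2, System.currentTimeMillis() - startedAt);
        } catch (AliasServiceException e) {
            log.errorWhileLoadingGatewayCredentialsOnStartup(e.getMessage(), e);
        } finally {
            // Eviction is enabled whether or not the load succeeded.
            this.readyForEviction.set(true);
        }
    }

    /** @return {@code true} once the startup load of existing aliases has finished */
    @Override
    protected boolean readyForEviction() {
        return this.readyForEviction.get();
    }

    /**
     * Stops the persistence scheduler and writes any still-queued state synchronously.
     *
     * @throws ServiceLifecycleException if the superclass fails to stop
     */
    @Override
    public void stop() throws ServiceLifecycleException {
        super.stop();
        if (this.statePersistenceScheduler != null) {
            this.statePersistenceScheduler.shutdown();
        }
        persistTokenState();
    }

    /**
     * Writes all queued token state to the alias service in one batch and removes the corresponding journal
     * entries. If the alias service rejects the batch, the state is queued again for the next run.
     */
    protected void persistTokenState() {
        final List<TokenState> pending;
        synchronized (this.unpersistedState) {
            pending = new ArrayList<>(this.unpersistedState);
            this.unpersistedState.clear();
        }
        final Set<String> tokenIds = new HashSet<>();
        final Map<String, String> aliases = new HashMap<>();
        for (TokenState state : pending) {
            tokenIds.add(state.getTokenId());
            // Later entries for the same alias overwrite earlier ones, so list order decides the stored value.
            aliases.put(state.getAlias(), state.getAliasValue());
        }
        for (String tokenId : tokenIds) {
            log.creatingTokenStateAliases(tokenId);
        }
        if (aliases.isEmpty()) {
            return;
        }
        log.creatingTokenStateAliases();
        try {
            this.aliasService.addAliasesForCluster(GATEWAY_ALIAS_CLUSTER, aliases);
            if (this.tokenStateServiceStatistics != null) {
                this.tokenStateServiceStatistics.interactKeystore(TokenStateServiceStatistics.KeystoreInteraction.SAVE_ALIAS);
                this.tokenStateServiceStatistics.setGatewayCredentialsFileSize(
                        this.gatewayCredentialsFilePath.toFile().length());
            }
            for (String tokenId : tokenIds) {
                log.createdTokenStateAliases(tokenId);
                try {
                    this.journal.remove(tokenId);
                } catch (IOException e) {
                    log.failedToRemoveJournalEntry(tokenId, e);
                }
            }
        } catch (AliasServiceException e) {
            log.failedToCreateTokenStateAliases(e);
            synchronized (this.unpersistedState) {
                // Re-queue in front of anything added while the write was in flight; appending would let
                // this older state overwrite newer values for the same alias on the next run.
                this.unpersistedState.addAll(0, pending);
            }
        }
    }

    /**
     * Adds a token to the in-memory state, queues its expiration for persistence and journals it.
     *
     * @param str the token id
     * @param j the issue time
     * @param j2 the expiration
     * @param j3 the maximum lifetime
     */
    @Override
    public void addToken(String str, long j, long j2, long j3) {
        super.addToken(str, j, j2, j3);
        synchronized (this.unpersistedState) {
            this.unpersistedState.add(new TokenExpiration(str, j2));
        }
        try {
            this.journal.add(str, j, j2, j3);
        } catch (IOException e) {
            // The token stays usable from memory; only the journal copy is missing.
            log.failedToAddJournalEntry(str, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Sets the maximum lifetime in memory and queues it for persistence.
     *
     * @param str the token id
     * @param j the issue time
     * @param j2 the maximum lifetime
     */
    @Override
    public void setMaxLifetime(String str, long j, long j2) {
        super.setMaxLifetime(str, j, j2);
        synchronized (this.unpersistedState) {
            this.unpersistedState.add(new TokenMaxLifetime(str, j, j2));
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the maximum lifetime from memory, falling back to the {@code "--max"} alias when the
     * in-memory value is below 1.
     *
     * @param str the token id
     * @return the maximum lifetime; the in-memory value is returned unchanged when the alias is absent or
     *     the alias service fails
     * @throws NumberFormatException if the stored alias value is not a number
     */
    @Override
    public long getMaxLifetime(String str) {
        long maxLifetime = super.getMaxLifetime(str);
        if (maxLifetime < 1) {
            try {
                final char[] stored = getPasswordUsingAliasService(str + TOKEN_MAX_LIFETIME_POSTFIX);
                if (stored != null) {
                    maxLifetime = convertCharArrayToLong(stored);
                }
            } catch (AliasServiceException e) {
                log.errorAccessingTokenState(str, e);
            }
        }
        return maxLifetime;
    }

    /**
     * Reads one alias value from the alias service and records the keystore access in the statistics.
     *
     * @param str the alias to read
     * @return the stored value, or {@code null} as returned by the alias service
     * @throws AliasServiceException if the alias service fails
     */
    private char[] getPasswordUsingAliasService(String str) throws AliasServiceException {
        final char[] value = this.aliasService.getPasswordFromAliasForCluster(GATEWAY_ALIAS_CLUSTER, str);
        if (this.tokenStateServiceStatistics != null) {
            this.tokenStateServiceStatistics.interactKeystore(TokenStateServiceStatistics.KeystoreInteraction.GET_PASSWORD);
        }
        return value;
    }

    /** Parses a stored alias value as a decimal {@code long}. */
    private long convertCharArrayToLong(char[] cArr) {
        return Long.parseLong(new String(cArr));
    }

    /**
     * Returns the token's expiration from memory, falling back to the alias service and caching the result.
     *
     * <p>The decompiled form of this method read the looked-up value after a catch block that never
     * assigned it and caught {@link UnknownTokenException} around a call that cannot throw it, so it did
     * not compile. The lookup, null check and parse are therefore kept inside one try block here.
     *
     * @param str the token id
     * @param z whether the token id is validated before the alias service is consulted
     * @return the expiration, or 0 when the alias service fails or the stored value cannot be parsed
     * @throws UnknownTokenException if the token has neither in-memory state nor an alias, or as thrown by
     *     the validation step
     */
    @Override
    public long getTokenExpiration(String str, boolean z) throws UnknownTokenException {
        try {
            return super.getTokenExpiration(str, z);
        } catch (UnknownTokenException ignored) {
            // Not in memory: fall through to the alias service lookup below.
        }
        if (z) {
            validateToken(str);
        }
        // NOTE(review): 0 is returned on lookup or parse failure; callers presumably treat that as an
        // already expired token - confirm against DefaultTokenStateService.
        long expiration = 0;
        try {
            final char[] stored = getPasswordUsingAliasService(str);
            if (stored == null) {
                throw new UnknownTokenException(str);
            }
            expiration = Long.parseLong(new String(stored));
            // Cache in memory only (super.*) so the next lookup avoids the alias service.
            super.updateExpiration(str, expiration);
        } catch (UnknownTokenException e) {
            throw e;
        } catch (Exception e) {
            log.errorAccessingTokenState(str, e);
        }
        return expiration;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reports whether the token is unknown to both the in-memory state and the alias service.
     *
     * @param str the token id
     * @return {@code true} if the token is unknown; also {@code true} when the in-memory state does not
     *     know the token and the alias service lookup fails
     */
    @Override
    public boolean isUnknown(String str) {
        boolean unknown = super.isUnknown(str);
        if (unknown) {
            try {
                unknown = getPasswordUsingAliasService(str) == null;
            } catch (AliasServiceException e) {
                // The token stays "unknown" when the alias service cannot be consulted.
                log.errorAccessingTokenState(str, e);
            }
        }
        return unknown;
    }

    /**
     * Removes a single token; delegates to {@link #removeTokens(Set)}.
     *
     * @param str the token id
     * @throws UnknownTokenException as thrown by {@link #removeTokens(Set)}
     */
    @Override
    protected void removeToken(String str) throws UnknownTokenException {
        removeTokens(Collections.singleton(str));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Drops the queued state of the given tokens, removes their expiration and {@code "--max"} aliases from
     * the alias service, and removes them from the in-memory state.
     *
     * @param set the ids of the tokens to remove
     * @throws UnknownTokenException as thrown by the superclass
     */
    @Override
    public void removeTokens(Set<String> set) throws UnknownTokenException {
        synchronized (this.unpersistedState) {
            this.unpersistedState.removeIf(state -> set.contains(state.getTokenId()));
        }
        // NOTE(review): nothing here removes the journal entry of a token whose state was still queued.
        // init() replays every journal entry, so confirm whether such a token can reappear after a restart.
        final Set<String> aliasesToRemove = new HashSet<>(set);
        for (String tokenId : set) {
            aliasesToRemove.add(tokenId + TOKEN_MAX_LIFETIME_POSTFIX);
        }
        if (!aliasesToRemove.isEmpty()) {
            log.removingTokenStateAliases();
            try {
                this.aliasService.removeAliasesForCluster(GATEWAY_ALIAS_CLUSTER, aliasesToRemove);
                if (this.tokenStateServiceStatistics != null) {
                    this.tokenStateServiceStatistics.interactKeystore(TokenStateServiceStatistics.KeystoreInteraction.REMOVE_ALIAS);
                    this.tokenStateServiceStatistics.setGatewayCredentialsFileSize(
                            this.gatewayCredentialsFilePath.toFile().length());
                }
                log.removedTokenStateAliases(String.join(", ", set));
            } catch (AliasServiceException e) {
                // NOTE(review): the failure is only logged and the in-memory state is still removed below.
                // getTokenExpiration() falls back to the alias service, so an alias left behind here can
                // presumably still be resolved for a removed token - alert on this log event and confirm.
                log.failedToRemoveTokenStateAliases(e);
            }
        }
        super.removeTokens(set);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Updates the expiration in memory and replaces any queued expiration of the token with the new value.
     *
     * <p>Only queued {@code TokenExpiration} entries are replaced. Matching on the token id alone could
     * drop a queued {@code TokenMaxLifetime} entry instead, and the maximum-lifetime bound would then never
     * reach the alias service.
     *
     * @param str the token id
     * @param j the new expiration
     */
    @Override
    public void updateExpiration(String str, long j) {
        super.updateExpiration(str, j);
        synchronized (this.unpersistedState) {
            this.unpersistedState.removeIf(
                    state -> state instanceof TokenExpiration && state.getTokenId().equals(str));
            this.unpersistedState.add(new TokenExpiration(str, j));
        }
    }
}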
