package io.strimzi.kafka.oauth.server.authorizer;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.HttpException;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.server.authorizer.Semaphores;
import io.strimzi.kafka.oauth.services.ServiceException;
import io.strimzi.kafka.oauth.services.Services;
import io.strimzi.kafka.oauth.validator.DaemonThreadFactory;
import java.io.Closeable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.function.Function;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@SuppressFBWarnings({"THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION"})
/* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/GrantsHandler.class */
class GrantsHandler implements Closeable {
    private static final Logger log = LoggerFactory.getLogger(GrantsHandler.class);
    private final HashMap<String, Info> grantsCache = new HashMap<>();
    private final Semaphores<JsonNode> semaphores = new Semaphores<>();
    private final ExecutorService refreshWorker;
    private final ScheduledExecutorService gcWorker;
    private final ScheduledExecutorService refreshScheduler;
    private final long gcPeriodMillis;
    private final Function<String, JsonNode> authorizationGrantsProvider;
    private final int httpRetries;
    private final long grantsMaxIdleMillis;
    private long lastGcRunTimeMillis;

    /* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/GrantsHandler$Future.class */
    static class Future implements java.util.concurrent.Future<JsonNode> {
        private final java.util.concurrent.Future<JsonNode> delegate;
        private final String userId;
        private final Info grantsInfo;

        @SuppressFBWarnings({"EI_EXPOSE_REP2"})
        public Future(String str, Info info, java.util.concurrent.Future<JsonNode> future) {
            this.userId = str;
            this.grantsInfo = info;
            this.delegate = future;
        }

        @SuppressFBWarnings({"EI_EXPOSE_REP"})
        public Info getGrantsInfo() {
            return this.grantsInfo;
        }

        public String getUserId() {
            return this.userId;
        }

        @Override // java.util.concurrent.Future
        public boolean cancel(boolean z) {
            return this.delegate.cancel(z);
        }

        @Override // java.util.concurrent.Future
        public boolean isCancelled() {
            return this.delegate.isCancelled();
        }

        @Override // java.util.concurrent.Future
        public boolean isDone() {
            return this.delegate.isDone();
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.concurrent.Future
        public JsonNode get() throws InterruptedException, ExecutionException {
            return this.delegate.get();
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.concurrent.Future
        public JsonNode get(long j, TimeUnit timeUnit) throws InterruptedException, ExecutionException, TimeoutException {
            return this.delegate.get(j, timeUnit);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/GrantsHandler$Info.class */
    public static class Info {
        private volatile String accessToken;
        private volatile JsonNode grants;
        private volatile long expiresAt;
        private volatile long lastUsed = System.currentTimeMillis();

        Info(String str, long j) {
            this.accessToken = str;
            this.expiresAt = j;
        }

        synchronized void updateTokenIfExpiresLater(BearerTokenWithPayload bearerTokenWithPayload) {
            this.lastUsed = System.currentTimeMillis();
            if (bearerTokenWithPayload.lifetimeMs() > this.expiresAt) {
                this.accessToken = bearerTokenWithPayload.value();
                this.expiresAt = bearerTokenWithPayload.lifetimeMs();
            }
        }

        String getAccessToken() {
            return this.accessToken;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public JsonNode getGrants() {
            return this.grants;
        }

        void setGrants(JsonNode jsonNode) {
            this.grants = jsonNode;
        }

        long getLastUsed() {
            return this.lastUsed;
        }

        boolean isExpiredAt(long j) {
            return this.expiresAt < j;
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        shutDownExecutorService("grants refresh scheduler", this.refreshScheduler);
        shutDownExecutorService("grants refresh worker", this.refreshWorker);
        shutDownExecutorService("gc worker", this.gcWorker);
    }

    private void shutDownExecutorService(String str, ExecutorService executorService) {
        try {
            log.trace("Shutting down {} [{}]", str, executorService);
            executorService.shutdownNow();
            if (!executorService.awaitTermination(10L, TimeUnit.SECONDS)) {
                log.debug("[IGNORED] Failed to cleanly shutdown {} within 10 seconds", str);
            }
        } catch (Throwable th) {
            log.warn("[IGNORED] Failed to cleanly shutdown {}: ", str, th);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @SuppressFBWarnings({"MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR"})
    public GrantsHandler(int i, int i2, int i3, Function<String, JsonNode> function, int i4, int i5) {
        this.authorizationGrantsProvider = function;
        this.httpRetries = i4;
        if (i3 <= 0) {
            throw new IllegalArgumentException("grantsMaxIdleTimeSeconds <= 0");
        }
        this.grantsMaxIdleMillis = i3 * 1000;
        DaemonThreadFactory daemonThreadFactory = new DaemonThreadFactory();
        if (i > 0) {
            this.refreshWorker = Executors.newFixedThreadPool(i2, daemonThreadFactory);
            this.refreshScheduler = Executors.newSingleThreadScheduledExecutor(daemonThreadFactory);
            this.refreshScheduler.scheduleAtFixedRate(this::performRefreshGrantsRun, i, i, TimeUnit.SECONDS);
        } else {
            this.refreshWorker = null;
            this.refreshScheduler = null;
        }
        if (i5 <= 0) {
            throw new IllegalArgumentException("gcPeriodSeconds <= 0");
        }
        this.gcPeriodMillis = i5 * 1000;
        this.gcWorker = Executors.newSingleThreadScheduledExecutor(daemonThreadFactory);
        this.gcWorker.scheduleAtFixedRate(this::gcGrantsCacheRunnable, i5, i5, TimeUnit.SECONDS);
    }

    private void gcGrantsCacheRunnable() {
        long currentTimeMillis = System.currentTimeMillis() - this.lastGcRunTimeMillis;
        if (currentTimeMillis < this.gcPeriodMillis - 1000) {
            log.debug("Skipped queued gc run (last run {} ms ago)", Long.valueOf(currentTimeMillis));
        } else {
            this.lastGcRunTimeMillis = System.currentTimeMillis();
            gcGrantsCache();
        }
    }

    private void gcGrantsCache() {
        int size;
        int size2;
        long currentTimeMillis = System.currentTimeMillis();
        HashSet hashSet = new HashSet(Services.getInstance().getSessions().map((v0) -> {
            return v0.principalName();
        }));
        log.trace("Grants gc: active users: {}", hashSet);
        synchronized (this.grantsCache) {
            size = this.grantsCache.size();
            this.grantsCache.keySet().retainAll(hashSet);
            size2 = this.grantsCache.size();
        }
        log.debug("Grants gc: active users count: {}, grantsCache size before: {}, grantsCache size after: {}, gc duration: {} ms", new Object[]{Integer.valueOf(hashSet.size()), Integer.valueOf(size), Integer.valueOf(size2), Long.valueOf(System.currentTimeMillis() - currentTimeMillis)});
    }

    private JsonNode fetchAndSaveGrants(String str, Info info) {
        ObjectNode objectNode = null;
        try {
            log.debug("Fetching grants from Keycloak for user {}", str);
            objectNode = fetchGrantsWithRetry(info.getAccessToken());
            if (objectNode == null) {
                log.debug("Received null grants for user: {}, token: {}", str, LogUtil.mask(info.getAccessToken()));
                objectNode = JSONUtil.newObjectNode();
            }
        } catch (HttpException e) {
            if (e.getStatus() == 403) {
                objectNode = JSONUtil.newObjectNode();
            } else {
                log.warn("Unexpected status while fetching authorization data - will retry next time: {}", e.getMessage());
            }
        }
        if (objectNode != null) {
            log.debug("Saving non-null grants for user: {}, token: {}", str, LogUtil.mask(info.getAccessToken()));
            info.setGrants(objectNode);
        }
        return objectNode;
    }

    private JsonNode fetchGrantsWithRetry(String str) {
        int status;
        int i = 0;
        do {
            i++;
            if (i > 1) {
                try {
                    log.debug("Grants request attempt no. {}", Integer.valueOf(i));
                } catch (Exception e) {
                    if ((e instanceof HttpException) && (403 == (status = e.getStatus()) || 401 == status)) {
                        throw e;
                    }
                    if (log.isInfoEnabled()) {
                        log.info("Failed to fetch grants on try no. {}", Integer.valueOf(i), e);
                    }
                }
            }
            return this.authorizationGrantsProvider.apply(str);
        } while (i <= this.httpRetries);
        log.debug("Failed to fetch grants after {} tries", Integer.valueOf(i));
        throw e;
    }

    private void performRefreshGrantsRun() {
        HashMap hashMap;
        try {
            try {
                log.debug("Refreshing authorization grants ... [{}]", this);
                synchronized (this.grantsCache) {
                    hashMap = new HashMap(this.grantsCache);
                }
                Set<Map.Entry> entrySet = hashMap.entrySet();
                ArrayList<Future> arrayList = new ArrayList(entrySet.size());
                long currentTimeMillis = System.currentTimeMillis();
                for (Map.Entry entry : entrySet) {
                    String str = (String) entry.getKey();
                    Info info = (Info) entry.getValue();
                    if (info.getLastUsed() < currentTimeMillis - this.grantsMaxIdleMillis) {
                        log.debug("Skipping refreshing grants for user '{}' due to max idle time.", str);
                        removeUserFromCacheIfExpiredOrIdle(str);
                    }
                    arrayList.add(new Future(str, info, this.refreshWorker.submit(() -> {
                        JsonNode newObjectNode;
                        if (log.isTraceEnabled()) {
                            log.trace("Fetch grants for user: {}, token: {}", str, LogUtil.mask(info.getAccessToken()));
                        }
                        try {
                            newObjectNode = fetchGrantsWithRetry(info.getAccessToken());
                        } catch (HttpException e) {
                            if (403 != e.getStatus()) {
                                throw e;
                            }
                            newObjectNode = JSONUtil.newObjectNode();
                        }
                        JsonNode grants = info.getGrants();
                        if (!semanticGrantsEquals(newObjectNode, grants)) {
                            if (log.isDebugEnabled()) {
                                log.debug("Grants have changed for user: {}; before: {}; after: {}", new Object[]{str, grants, newObjectNode});
                            }
                            info.setGrants(newObjectNode);
                        }
                        return newObjectNode;
                    })));
                }
                for (Future future : arrayList) {
                    try {
                        future.get();
                    } catch (ExecutionException e) {
                        HttpException cause = e.getCause();
                        if (cause instanceof HttpException) {
                            log.debug("[IGNORED] Failed to fetch grants for user: {}", cause.getMessage());
                            if (401 == cause.getStatus()) {
                                this.grantsCache.remove(future.getUserId());
                                log.debug("Removed user from grants cache: {}", future.getUserId());
                                Services.getInstance().getSessions().removeAllWithMatchingAccessToken(future.getGrantsInfo().accessToken);
                            }
                        }
                        log.warn("[IGNORED] Failed to fetch grants for user: {}", e.getMessage(), e);
                    } catch (Throwable th) {
                        if (log.isWarnEnabled()) {
                            log.warn("[IGNORED] Failed to fetch grants for user: {}, token: {} - {}", new Object[]{future.getUserId(), LogUtil.mask(future.getGrantsInfo().accessToken), th.getMessage(), th});
                        }
                    }
                }
                log.debug("Done refreshing grants");
            } catch (Throwable th2) {
                log.error("{}", th2.getMessage(), th2);
                log.debug("Done refreshing grants");
            }
        } catch (Throwable th3) {
            log.debug("Done refreshing grants");
            throw th3;
        }
    }

    private void removeUserFromCacheIfExpiredOrIdle(String str) {
        synchronized (this.grantsCache) {
            Info info = this.grantsCache.get(str);
            if (info != null) {
                long currentTimeMillis = System.currentTimeMillis();
                boolean z = info.getLastUsed() < currentTimeMillis - this.grantsMaxIdleMillis;
                if (z || info.isExpiredAt(currentTimeMillis)) {
                    log.debug("Removed user from grants cache due to {}: {}", z ? "'idle'" : "'expired'", str);
                    this.grantsCache.remove(str);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Info getGrantsInfoFromCache(BearerTokenWithPayload bearerTokenWithPayload) {
        Info computeIfAbsent;
        synchronized (this.grantsCache) {
            computeIfAbsent = this.grantsCache.computeIfAbsent(bearerTokenWithPayload.principalName(), str -> {
                return new Info(bearerTokenWithPayload.value(), bearerTokenWithPayload.lifetimeMs());
            });
        }
        computeIfAbsent.updateTokenIfExpiresLater(bearerTokenWithPayload);
        return computeIfAbsent;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public JsonNode fetchGrantsForUserOrWaitForDelivery(String str, Info info) {
        Semaphores.SemaphoreResult<JsonNode> acquireSemaphore = this.semaphores.acquireSemaphore(str);
        try {
            if (acquireSemaphore.acquired()) {
                try {
                    log.debug("Acquired semaphore for '{}'", str);
                    JsonNode fetchAndSaveGrants = fetchAndSaveGrants(str, info);
                    acquireSemaphore.future().complete(fetchAndSaveGrants);
                    this.semaphores.releaseSemaphore(str);
                    log.debug("Released semaphore for '{}'", str);
                    return fetchAndSaveGrants;
                } catch (Throwable th) {
                    acquireSemaphore.future().completeExceptionally(th);
                    throw th;
                }
            }
            try {
                log.debug("Waiting on another thread to get grants for '{}'", str);
                return acquireSemaphore.future().get();
            } catch (InterruptedException e) {
                throw new ServiceException("InterruptedException waiting for grants result: ", e);
            } catch (ExecutionException e2) {
                ServiceException cause = e2.getCause();
                if (cause instanceof ServiceException) {
                    throw cause;
                }
                throw new ServiceException("ExecutionException waiting for grants result: ", e2);
            }
        } catch (Throwable th2) {
            this.semaphores.releaseSemaphore(str);
            log.debug("Released semaphore for '{}'", str);
            throw th2;
        }
    }

    private static boolean semanticGrantsEquals(JsonNode jsonNode, JsonNode jsonNode2) {
        if (jsonNode == jsonNode2) {
            return true;
        }
        if (jsonNode == null) {
            throw new IllegalArgumentException("Invalid grants: null");
        }
        if (jsonNode2 == null) {
            return false;
        }
        if (!jsonNode.isArray()) {
            throw new IllegalArgumentException("Invalid grants: not a JSON array");
        }
        if (jsonNode2.isArray()) {
            return JSONUtil.asSetOfNodes((ArrayNode) jsonNode).equals(JSONUtil.asSetOfNodes((ArrayNode) jsonNode2));
        }
        throw new IllegalArgumentException("Invalid grants: not a JSON array");
    }
}
