package edu.utexas.tacc.tapis.sharedapi.security;

import edu.utexas.tacc.tapis.client.shared.exceptions.TapisClientException;
import edu.utexas.tacc.tapis.shared.exceptions.TapisException;
import edu.utexas.tacc.tapis.shared.i18n.MsgUtils;
import edu.utexas.tacc.tapis.shared.utils.TapisGsonUtils;
import edu.utexas.tacc.tapis.tokens.client.TokensClient;
import edu.utexas.tacc.tapis.tokens.client.gen.model.InlineObject1;
import edu.utexas.tacc.tapis.tokens.client.model.CreateTokenParms;
import edu.utexas.tacc.tapis.tokens.client.model.RefreshTokenParms;
import edu.utexas.tacc.tapis.tokens.client.model.TokenResponsePackage;
import java.lang.Thread;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/utexas/tacc/tapis/sharedapi/security/ServiceJWT.class */
public class ServiceJWT implements Thread.UncaughtExceptionHandler, IServiceJWT {
    private static final Logger _log = LoggerFactory.getLogger(ServiceJWT.class);
    private static final String THREADGROUP_NAME = "JwtTokRefreshGroup";
    private static final String REFRESH_THREAD_NAME = "JwtTokRefreshThread";
    private static final long REFRESH_TIME_MILLIS = 1800000;
    private static final double REFRESH_SHORT_FRACTION = 0.8d;
    private static final long DFT_REFRESH_RETRY_MILLIS = 300000;
    private static final long MIN_REFRESH_MILLIS = 8000;
    private final String _serviceName;
    private final String _tenant;
    private final String _tokensBaseUrl;
    private final int _accessTTL;
    private final int _refreshTTL;
    private final String _delegationTenant;
    private final String _delegationUser;
    private final String _additionalClaims;
    private final List<String> _targetSites;
    private volatile HashMap<String, TokenResponsePackage> _tokPkgMap;
    private int _refreshCount;
    private Instant _lastRefreshTime;
    private int _refreshJwtCount;
    private int _refreshJwtFailedCount;
    private TokenRefreshThread _refreshThread;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:edu/utexas/tacc/tapis/sharedapi/security/ServiceJWT$TokenRefreshThread.class */
    public final class TokenRefreshThread extends Thread {
        private TokenRefreshThread(ThreadGroup threadGroup, String str) {
            super(threadGroup, str);
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            boolean z = true;
            while (z) {
                z = refreshToken(calculateNewTokenWaitMillis());
            }
            if (ServiceJWT._log.isInfoEnabled()) {
                ServiceJWT._log.info(MsgUtils.getMsg("TAPIS_TOKEN_REFRESH_THREAD_TERMINATING", new Object[]{ServiceJWT.this._serviceName, ServiceJWT.this._tenant, Thread.currentThread().getName()}));
            }
        }

        private boolean refreshToken(long j) {
            while (true) {
                if (j <= 0 && ServiceJWT._log.isWarnEnabled()) {
                    ServiceJWT._log.warn(MsgUtils.getMsg("TAPIS_TOKEN_REFRESH_TIMEOUT", new Object[]{ServiceJWT.this._serviceName, ServiceJWT.this._tenant, Thread.currentThread().getName(), Long.valueOf(j)}));
                    return false;
                }
                if (ServiceJWT._log.isInfoEnabled()) {
                    ServiceJWT._log.info(MsgUtils.getMsg("TAPIS_TOKEN_REFRESH_WAIT", new Object[]{ServiceJWT.this._serviceName, ServiceJWT.this._tenant, Thread.currentThread().getName(), Long.valueOf(j)}));
                }
                if (ServiceJWT.this._refreshThread.isInterrupted()) {
                    return false;
                }
                try {
                    Thread.sleep(j);
                    HashMap<String, TokenResponsePackage> hashMap = new HashMap<>(1 + (ServiceJWT.this._tokPkgMap.size() * 2));
                    boolean z = false;
                    for (String str : ServiceJWT.this._tokPkgMap.keySet()) {
                        try {
                            hashMap.put(str, ServiceJWT.this.refreshServiceJWT(str));
                            ServiceJWT.this._refreshJwtCount++;
                        } catch (Exception e) {
                            ServiceJWT._log.error(MsgUtils.getMsg("TAPIS_TOKEN_REFRESH_ERROR", new Object[]{ServiceJWT.this._serviceName, ServiceJWT.this._tenant, Thread.currentThread().getName(), Long.valueOf(j)}), e);
                            z = true;
                            ServiceJWT.this._refreshJwtFailedCount++;
                        }
                    }
                    if (!z) {
                        ServiceJWT.this._refreshCount++;
                        ServiceJWT.this._lastRefreshTime = Instant.now();
                        ServiceJWT.this._tokPkgMap = hashMap;
                        return true;
                    }
                    j = calculateRetryMillis();
                } catch (InterruptedException e2) {
                    if (!ServiceJWT._log.isWarnEnabled()) {
                        return false;
                    }
                    ServiceJWT._log.warn(MsgUtils.getMsg("TAPIS_TOKEN_REFRESH_THREAD_INTERRUPTED", new Object[]{ServiceJWT.this._serviceName, ServiceJWT.this._tenant, Thread.currentThread().getName()}));
                    return false;
                }
            }
        }

        private long calculateNewTokenWaitMillis() {
            long j = Long.MAX_VALUE;
            Iterator<String> it = ServiceJWT.this._tokPkgMap.keySet().iterator();
            while (it.hasNext()) {
                j = Math.min(j, ServiceJWT.this.getAccessExpiresAt(it.next()).minusMillis(Instant.now().toEpochMilli()).toEpochMilli());
                if (j <= 0) {
                    return 0L;
                }
            }
            long j2 = j - ServiceJWT.REFRESH_TIME_MILLIS;
            if (j2 <= 0) {
                j2 = (long) (j * ServiceJWT.REFRESH_SHORT_FRACTION);
            }
            return j2;
        }

        private long calculateRetryMillis() {
            long j = Long.MAX_VALUE;
            Iterator<String> it = ServiceJWT.this._tokPkgMap.keySet().iterator();
            while (it.hasNext()) {
                j = Math.min(j, ServiceJWT.this.getAccessExpiresAt(it.next()).minusMillis(Instant.now().toEpochMilli()).toEpochMilli());
                if (j <= 0) {
                    return 0L;
                }
            }
            return Math.min(j - ServiceJWT.MIN_REFRESH_MILLIS, ServiceJWT.DFT_REFRESH_RETRY_MILLIS);
        }
    }

    public ServiceJWT(ServiceJWTParms serviceJWTParms, String str) throws TapisException, TapisClientException {
        this._serviceName = serviceJWTParms.getServiceName();
        this._tenant = serviceJWTParms.getTenant();
        this._tokensBaseUrl = serviceJWTParms.getTokensBaseUrl();
        this._accessTTL = serviceJWTParms.getAccessTTL();
        this._refreshTTL = serviceJWTParms.getRefreshTTL();
        this._delegationTenant = serviceJWTParms.getDelegationSubjectTenant();
        this._delegationUser = serviceJWTParms.getDelegationSubjectUser();
        this._additionalClaims = getClaimsAsJson(serviceJWTParms.getAdditionalClaims());
        this._targetSites = serviceJWTParms.getTargetSites();
        validateInputs();
        this._tokPkgMap = createServiceJWTMap(str);
        startTokenRefreshThread();
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getServiceName() {
        return this._serviceName;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getTenant() {
        return this._tenant;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getTokensBaseUrl() {
        return this._tokensBaseUrl;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public int getAccessTTL() {
        return this._accessTTL;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public int getRefreshTTL() {
        return this._refreshTTL;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getDelegationTenant() {
        return this._delegationTenant;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getDelegationUser() {
        return this._delegationUser;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getAdditionalClaims() {
        return this._additionalClaims;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public List<String> getTargetSites() {
        return this._targetSites;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public TokenResponsePackage getTokPkg(String str) {
        return this._tokPkgMap.get(str);
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public String getAccessJWT(String str) {
        return this._tokPkgMap.get(str).getAccessToken().getAccessToken();
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public Instant getAccessExpiresAt(String str) {
        return this._tokPkgMap.get(str).getAccessToken().getExpiresAt();
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public long getAccessExpiresIn(String str) {
        return this._tokPkgMap.get(str).getAccessToken().getExpiresIn();
    }

    private String getRefreshJWT(String str) {
        return this._tokPkgMap.get(str).getRefreshToken().getRefreshToken();
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public boolean hasExpiredAccessJWT(String str) {
        return Instant.now().isAfter(getAccessExpiresAt(str));
    }

    public void interrupt() {
        this._refreshThread.interrupt();
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public int getRefreshCount() {
        return this._refreshCount;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public Instant getLastRefreshTime() {
        return this._lastRefreshTime;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public int getRefreshJwtCount() {
        return this._refreshJwtCount;
    }

    @Override // edu.utexas.tacc.tapis.sharedapi.security.IServiceJWT
    public int getRefreshJwtFailedCount() {
        return this._refreshJwtFailedCount;
    }

    HashMap<String, TokenResponsePackage> createServiceJWTMap(String str) throws TapisException, TapisClientException {
        HashMap<String, TokenResponsePackage> hashMap = new HashMap<>(1 + (this._targetSites.size() * 2));
        for (String str2 : this._targetSites) {
            hashMap.put(str2, createServiceJWT(str, str2));
        }
        return hashMap;
    }

    private TokenResponsePackage createServiceJWT(String str, String str2) throws TapisException, TapisClientException {
        if (StringUtils.isBlank(str)) {
            String msg = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"createServiceJWT", "password"});
            _log.error(msg);
            throw new TapisException(msg);
        }
        if (StringUtils.isBlank(str2)) {
            String msg2 = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"createServiceJWT", "targetSite"});
            _log.error(msg2);
            throw new TapisException(msg2);
        }
        CreateTokenParms createTokenParms = new CreateTokenParms();
        createTokenParms.setTokenTenantId(this._tenant);
        createTokenParms.setTokenUsername(this._serviceName);
        createTokenParms.setAccountType(InlineObject1.AccountTypeEnum.SERVICE);
        createTokenParms.setGenerateRefreshToken(true);
        createTokenParms.setAccessTokenTtl(Integer.valueOf(this._accessTTL));
        createTokenParms.setRefreshTokenTtl(Integer.valueOf(this._refreshTTL));
        createTokenParms.setClaims(this._additionalClaims);
        createTokenParms.setTargetSiteId(str2);
        if (StringUtils.isNotBlank(this._delegationTenant)) {
            createTokenParms.setDelegationToken(Boolean.TRUE);
            createTokenParms.setDelegationSubTenantId(this._delegationTenant);
            createTokenParms.setDelegationSubUsername(this._delegationUser);
        }
        TokensClient tokensClient = new TokensClient(this._tokensBaseUrl);
        tokensClient.addDefaultHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString((this._serviceName + ":" + str).getBytes()));
        TokenResponsePackage createToken = tokensClient.createToken(createTokenParms);
        if (!createToken.isValidAccessToken()) {
            String msg3 = MsgUtils.getMsg("TAPIS_SECURITY_BAD_TOKEN_RESP", new Object[]{"access", createTokenParms.getTokenUsername(), createTokenParms.getTokenTenantId()});
            _log.error(msg3);
            throw new TapisException(msg3);
        }
        if (createToken.isValidRefreshToken()) {
            return createToken;
        }
        String msg4 = MsgUtils.getMsg("TAPIS_SECURITY_BAD_TOKEN_RESP", new Object[]{"refresh", createTokenParms.getTokenUsername(), createTokenParms.getTokenTenantId()});
        _log.error(msg4);
        throw new TapisException(msg4);
    }

    private TokenResponsePackage refreshServiceJWT(String str) throws TapisException, TapisClientException {
        RefreshTokenParms refreshTokenParms = new RefreshTokenParms();
        refreshTokenParms.setRefreshToken(getRefreshJWT(str));
        TokenResponsePackage refreshToken = new TokensClient(this._tokensBaseUrl).refreshToken(refreshTokenParms);
        if (!refreshToken.isValidAccessToken()) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_BAD_TOKEN_RESP", new Object[]{"access", this._serviceName, this._tenant});
            _log.error(msg);
            throw new TapisException(msg);
        }
        if (refreshToken.isValidRefreshToken()) {
            return refreshToken;
        }
        String msg2 = MsgUtils.getMsg("TAPIS_SECURITY_BAD_TOKEN_RESP", new Object[]{"refresh", this._serviceName, this._tenant});
        _log.error(msg2);
        throw new TapisException(msg2);
    }

    private void validateInputs() throws TapisException {
        if (StringUtils.isBlank(this._tenant)) {
            String msg = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"validateInputs", "tenant"});
            _log.error(msg);
            throw new TapisException(msg);
        }
        if (StringUtils.isBlank(this._serviceName)) {
            String msg2 = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"validateInputs", "serviceName"});
            _log.error(msg2);
            throw new TapisException(msg2);
        }
        if (StringUtils.isBlank(this._tokensBaseUrl)) {
            String msg3 = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"validateInputs", "tokensBaseUrl"});
            _log.error(msg3);
            throw new TapisException(msg3);
        }
        if (this._accessTTL < 1) {
            String msg4 = MsgUtils.getMsg("TAPIS_PARAMETER_LESS_THAN_MIN", new Object[]{"accessTTL", Integer.valueOf(this._accessTTL), 1});
            _log.error(msg4);
            throw new TapisException(msg4);
        }
        if (this._refreshTTL < 1) {
            String msg5 = MsgUtils.getMsg("TAPIS_PARAMETER_LESS_THAN_MIN", new Object[]{"refreshTTL", Integer.valueOf(this._refreshTTL), 1});
            _log.error(msg5);
            throw new TapisException(msg5);
        }
        if (this._refreshTTL < this._accessTTL) {
            String msg6 = MsgUtils.getMsg("TAPIS_PARAMETER_LESS_THAN_MIN", new Object[]{"refreshTTL", Integer.valueOf(this._refreshTTL), this._accessTTL + " (accessTTL)"});
            _log.error(msg6);
            throw new TapisException(msg6);
        }
        if (StringUtils.isBlank(this._delegationTenant) && !StringUtils.isBlank(this._delegationUser)) {
            String msg7 = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"validateInputs", "delegationTenant"});
            _log.error(msg7);
            throw new TapisException(msg7);
        }
        if (!StringUtils.isBlank(this._delegationTenant) && StringUtils.isBlank(this._delegationUser)) {
            String msg8 = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"validateInputs", "delegationUser"});
            _log.error(msg8);
            throw new TapisException(msg8);
        }
        if (this._targetSites == null || this._targetSites.isEmpty()) {
            String msg9 = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"validateInputs", "targetSites"});
            _log.error(msg9);
            throw new TapisException(msg9);
        }
    }

    private String getClaimsAsJson(Map<String, Object> map) throws TapisException {
        if (map == null || map.isEmpty()) {
            return null;
        }
        Iterator<Map.Entry<String, Object>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            if (StringUtils.isBlank(it.next().getKey())) {
                String msg = MsgUtils.getMsg("TAPIS_NULL_PARAMETER", new Object[]{"getClaimsAsJson", "claim entry"});
                _log.error(msg);
                throw new TapisException(msg);
            }
        }
        try {
            return TapisGsonUtils.getGson().toJson(map);
        } catch (Exception e) {
            String msg2 = MsgUtils.getMsg("TAPIS_JSON_SERIALIZATION_ERROR", new Object[]{map.getClass().getSimpleName(), e.getMessage()});
            _log.error(msg2, e);
            throw new TapisException(msg2);
        }
    }

    private void startTokenRefreshThread() {
        this._refreshThread = new TokenRefreshThread(new ThreadGroup(THREADGROUP_NAME), REFRESH_THREAD_NAME);
        this._refreshThread.setDaemon(true);
        this._refreshThread.setUncaughtExceptionHandler(this);
        this._refreshThread.start();
    }

    @Override // java.lang.Thread.UncaughtExceptionHandler
    public void uncaughtException(Thread thread, Throwable th) {
        _log.error(MsgUtils.getMsg("TAPIS_THREAD_UNCAUGHT_EXCEPTION", new Object[]{thread.getName(), th.toString()}));
        th.printStackTrace();
    }
}
