package io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth;

import java.time.Instant;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-schema-registry-client-7.8.2.jar:io/confluent/kafka/schemaregistry/client/security/bearerauth/oauth/OauthTokenCache.class */
public class OauthTokenCache {
    public static final float CACHE_EXPIRY_THRESHOLD = 0.8f;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) OauthTokenCache.class);
    private final short cacheExpiryBufferSeconds;
    private OAuthBearerToken currentToken;
    private long cacheExpiryMs = 0;

    public OauthTokenCache(short s) {
        this.cacheExpiryBufferSeconds = s;
    }

    public OAuthBearerToken getCurrentToken() {
        return this.currentToken;
    }

    public void setCurrentToken(OAuthBearerToken oAuthBearerToken) {
        if (oAuthBearerToken == null) {
            this.cacheExpiryMs = 0L;
        } else {
            this.cacheExpiryMs = calculateTokenExpiryTime(oAuthBearerToken);
            this.currentToken = oAuthBearerToken;
        }
    }

    protected long calculateTokenExpiryTime(OAuthBearerToken oAuthBearerToken) {
        long epochMilli = Instant.now().toEpochMilli();
        long lifetimeMs = oAuthBearerToken.lifetimeMs();
        if (epochMilli > lifetimeMs) {
            log.warn("Schema Registry OAuth Token [Principal={}]: Current clock: {} is later than expiry {}. This may indicate a clock skew problem. Check that this host's and remote host's clocks are in sync. This process is likely unable to authenticate SASL connections (for example, it is unlikely to be able to authenticate a connection with a Schema Registry).", oAuthBearerToken.principalName(), new Date(epochMilli), new Date(lifetimeMs));
            return lifetimeMs;
        }
        Long startTimeMs = oAuthBearerToken.startTimeMs();
        long longValue = startTimeMs != null ? startTimeMs.longValue() : epochMilli;
        long convert = TimeUnit.MILLISECONDS.convert(this.cacheExpiryBufferSeconds, TimeUnit.SECONDS);
        if (epochMilli + convert > lifetimeMs) {
            long floor = epochMilli + ((long) Math.floor(((float) (lifetimeMs - epochMilli)) * 0.8f));
            log.warn("Schema Registry OAuth Token [Principal={}]: OAuth token expires at {}, so buffer times {} seconds cannot be accommodated.  OAuth token cache expires at {}.", oAuthBearerToken.principalName(), new Date(lifetimeMs), Short.valueOf(this.cacheExpiryBufferSeconds), Long.valueOf(floor));
            return floor;
        }
        long j = longValue + (((float) (lifetimeMs - longValue)) * 0.8f);
        long j2 = lifetimeMs - convert;
        if (j <= j2) {
            return j;
        }
        log.info("Schema Registry OAuth Token [Principal={}]: Proposed token Cache expiry time of {} extends into the desired buffer time of {} seconds before token expiration, so invalidate token cache at the desired buffer begin point, at {}", oAuthBearerToken.principalName(), new Date(j), Short.valueOf(this.cacheExpiryBufferSeconds), new Date(j2));
        return j2;
    }

    public boolean isTokenExpired() {
        return Instant.now().toEpochMilli() >= this.cacheExpiryMs;
    }
}
