package io.warp10.quasar.filter;

import com.google.common.base.Strings;
import io.warp10.crypto.KeyStore;
import io.warp10.crypto.OrderPreservingBase64;
import io.warp10.crypto.SipHashInline;
import io.warp10.quasar.encoder.QuasarTokenDecoder;
import io.warp10.quasar.filter.exception.QuasarNoToken;
import io.warp10.quasar.filter.exception.QuasarTokenException;
import io.warp10.quasar.filter.exception.QuasarTokenExpired;
import io.warp10.quasar.filter.sensision.QuasarTokenFilterSensisionConstants;
import io.warp10.quasar.token.thrift.data.ReadToken;
import io.warp10.quasar.token.thrift.data.WriteToken;
import io.warp10.quasar.trl.QuasarTokenRevocationListLoader;
import io.warp10.sensision.Sensision;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.HashMap;
import java.util.Properties;

/* loaded from: input_file:io/warp10/quasar/filter/QuasarTokenFilter.class */
public class QuasarTokenFilter {
    private final QuasarTokenDecoder quasarTokenDecoder;
    private final QuasarTokensRevoked quasarTokenRevoked;
    private Properties properties;
    private long tokenSipHashKeyK0;
    private long tokenSipHashKeyK1;

    private QuasarTokenFilter(Properties properties, KeyStore keyStore, String str) {
        this.properties = (Properties) properties.clone();
        if (keyStore == null) {
            throw new RuntimeException("keystore is null");
        }
        ByteBuffer wrap = ByteBuffer.wrap(getKey(keyStore, "warp.siphash.token"));
        wrap.order(ByteOrder.BIG_ENDIAN);
        this.tokenSipHashKeyK0 = wrap.getLong();
        this.tokenSipHashKeyK1 = wrap.getLong();
        byte[] key = getKey(keyStore, "warp.siphash.appid");
        this.quasarTokenDecoder = new QuasarTokenDecoder(this.tokenSipHashKeyK0, this.tokenSipHashKeyK1, getKey(keyStore, str));
        this.quasarTokenRevoked = new QuasarTokensRevoked(this.properties, key);
    }

    public QuasarTokenFilter(Properties properties, KeyStore keyStore) {
        this(properties, keyStore, "warp.aes.token");
    }

    public ReadToken getReadToken(String str) throws QuasarTokenException {
        long nanoTime = System.nanoTime();
        HashMap hashMap = new HashMap();
        try {
            try {
                try {
                    hashMap.put("type", "READ");
                    this.quasarTokenRevoked.available();
                    if (Strings.isNullOrEmpty(str)) {
                        throw new QuasarNoToken("Read token missing.");
                    }
                    byte[] bytes = str.getBytes();
                    this.quasarTokenRevoked.isTokenRevoked(getTokenSipHash(bytes));
                    ReadToken decodeReadToken = this.quasarTokenDecoder.decodeReadToken(OrderPreservingBase64.decode(bytes));
                    long applicationHash = QuasarTokenRevocationListLoader.getApplicationHash(decodeReadToken.getAppName());
                    checkTokenExpired(decodeReadToken.getIssuanceTimestamp(), decodeReadToken.getExpiryTimestamp(), applicationHash);
                    this.quasarTokenRevoked.isRegisteredAppAuthorized(applicationHash);
                    long nanoTime2 = (System.nanoTime() - nanoTime) / 1000;
                    Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_COUNT, hashMap, 1);
                    Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_TIME_US, hashMap, Long.valueOf(nanoTime2));
                    return decodeReadToken;
                } catch (Exception e) {
                    throw new QuasarTokenException("Read token unexpected error.", e);
                }
            } catch (QuasarTokenException e2) {
                hashMap.put("error", e2.label);
                throw e2;
            }
        } catch (Throwable th) {
            long nanoTime3 = (System.nanoTime() - nanoTime) / 1000;
            Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_COUNT, hashMap, 1);
            Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_TIME_US, hashMap, Long.valueOf(nanoTime3));
            throw th;
        }
    }

    public boolean available() {
        return this.quasarTokenRevoked.loaded();
    }

    public WriteToken getWriteToken(String str) throws QuasarTokenException {
        long nanoTime = System.nanoTime();
        HashMap hashMap = new HashMap();
        try {
            try {
                try {
                    hashMap.put("type", "WRITE");
                    this.quasarTokenRevoked.available();
                    if (Strings.isNullOrEmpty(str)) {
                        throw new QuasarNoToken("Write token missing.");
                    }
                    byte[] bytes = str.getBytes();
                    this.quasarTokenRevoked.isTokenRevoked(getTokenSipHash(bytes));
                    WriteToken decodeWriteToken = this.quasarTokenDecoder.decodeWriteToken(OrderPreservingBase64.decode(bytes));
                    long applicationHash = QuasarTokenRevocationListLoader.getApplicationHash(decodeWriteToken.getAppName());
                    checkTokenExpired(decodeWriteToken.getIssuanceTimestamp(), decodeWriteToken.getExpiryTimestamp(), applicationHash);
                    this.quasarTokenRevoked.isRegisteredAppAuthorized(applicationHash);
                    long nanoTime2 = (System.nanoTime() - nanoTime) / 1000;
                    Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_COUNT, hashMap, 1);
                    Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_TIME_US, hashMap, Long.valueOf(nanoTime2));
                    return decodeWriteToken;
                } catch (Exception e) {
                    throw new QuasarTokenException("Write token unexpected error.", e);
                }
            } catch (QuasarTokenException e2) {
                hashMap.put("error", e2.label);
                throw e2;
            }
        } catch (Throwable th) {
            long nanoTime3 = (System.nanoTime() - nanoTime) / 1000;
            Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_COUNT, hashMap, 1);
            Sensision.update(QuasarTokenFilterSensisionConstants.SENSISION_CLASS_QUASAR_FILTER_TOKEN_TIME_US, hashMap, Long.valueOf(nanoTime3));
            throw th;
        }
    }

    private byte[] getKey(KeyStore keyStore, String str) {
        byte[] key = keyStore.getKey(str);
        if (key == null) {
            throw new RuntimeException("key not found: " + str);
        }
        return key;
    }

    public long getTokenSipHash(byte[] bArr) {
        return SipHashInline.hash24_palindromic(this.tokenSipHashKeyK0, this.tokenSipHashKeyK1, bArr, 0, bArr.length);
    }

    public void checkTokenExpired(long j, long j2, long j3) throws QuasarTokenExpired {
        if (isExpired(j, j2, j3)) {
            throw new QuasarTokenExpired("Token Expired.");
        }
    }

    private boolean isExpired(long j, long j2, long j3) {
        if (j2 < System.currentTimeMillis()) {
            return true;
        }
        Long clientIdRefreshTimeStamp = this.quasarTokenRevoked.getClientIdRefreshTimeStamp(j3);
        return clientIdRefreshTimeStamp != null && j < clientIdRefreshTimeStamp.longValue();
    }

    public QuasarTokenDecoder getTokenDecoder() {
        return this.quasarTokenDecoder;
    }

    public QuasarTokensRevoked getTokensRevoked() {
        return this.quasarTokenRevoked;
    }
}
