package org.yamcs.http.auth;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.TimeUnit;
import org.yamcs.InitException;
import org.yamcs.YamcsServer;
import org.yamcs.http.AbstractHttpService;
import org.yamcs.http.HttpServer;
import org.yamcs.http.UnauthorizedException;
import org.yamcs.http.auth.JwtHelper;
import org.yamcs.security.AuthenticationInfo;
import org.yamcs.security.CryptoUtils;
import org.yamcs.security.SessionExpiredException;
import org.yamcs.security.SessionListener;
import org.yamcs.security.SessionManager;
import org.yamcs.security.UserSession;

/* loaded from: input_file:org/yamcs/http/auth/TokenStore.class */
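/**
 * In-memory store for the access and refresh tokens issued by the HTTP authentication layer.
 *
 * <p>Access tokens are kept in a concurrent map from the raw token string to the
 * {@link AuthenticationInfo} it was registered with, so a token is accepted only while the
 * server still has it on record. Refresh tokens are never stored in the clear: the map and the
 * cache below are keyed by an {@link Hmac} of the token computed with the server secret key.
 *
 * <p>All access to {@code refreshTokens} is guarded by this object's monitor.
 *
 * <p>NOTE(review): the access-token map holds raw JWT strings as keys, so a heap dump exposes
 * live access tokens; refresh tokens are only present as keyed digests.
 */
public class TokenStore extends AbstractHttpService implements SessionListener {
    /** Registered access tokens, keyed by the raw token string. */
    private final ConcurrentMap<String, AuthenticationInfo> accessTokens = new ConcurrentHashMap<>();

    /**
     * Number of verifications since the last sweep of expired access tokens. It is updated
     * without synchronization; a lost increment only delays the next sweep.
     */
    private int cleaningCounter = 0;

    /** Live refresh tokens, keyed by the HMAC of the token. Guarded by {@code this}. */
    private Map<Hmac, UserSession> refreshTokens = new HashMap<>();

    /**
     * Results of recent refresh exchanges, keyed by the HMAC of the token that was exchanged.
     * Entries expire 5 seconds after they are written.
     */
    private Cache<Hmac, RefreshResult> refreshCache = CacheBuilder.newBuilder().expireAfterWrite(5, TimeUnit.SECONDS).build();

    private SessionManager sessionManager;

    /**
     * Map key wrapping the HMAC of a refresh token, computed with the server secret key.
     *
     * <p>Equality and hashing are defined over the digest bytes. {@link Arrays#equals} is not a
     * constant-time comparison, but it only ever compares keyed digests, never raw tokens.
     *
     * <p>Decompiler note: this class was {@code private} in the original class file.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static final class Hmac {
        private final byte[] hmac;

        Hmac(String str) {
            this.hmac = CryptoUtils.calculateHmac(str, YamcsServer.getServer().getSecretKey());
        }

        @Override
        public boolean equals(Object obj) {
            if (obj instanceof Hmac) {
                return Arrays.equals(this.hmac, ((Hmac) obj).hmac);
            }
            return false;
        }

        @Override
        public int hashCode() {
            return Arrays.hashCode(this.hmac);
        }
    }

    /** Outcome of a refresh exchange: the session and the refresh token that replaces the old one. */
    static final class RefreshResult {
        UserSession session;
        // Raw replacement token; it stays in the refresh cache until the entry expires.
        String refreshToken;

        RefreshResult(UserSession userSession, String str) {
            this.session = userSession;
            this.refreshToken = str;
        }
    }

    @Override // org.yamcs.http.AbstractHttpService
    public void init(HttpServer httpServer) throws InitException {
    }

    /** Looks up the session manager, subscribes to session events and reports the service started. */
    protected void doStart() {
        this.sessionManager = YamcsServer.getServer().getSecurityStore().getSessionManager();
        this.sessionManager.addSessionListener(this);
        notifyStarted();
    }

    /** Unsubscribes from session events, drops every stored token and reports the service stopped. */
    protected void doStop() {
        this.sessionManager.removeSessionListener(this);
        this.accessTokens.clear();
        // refreshTokens is a plain HashMap that every other method touches under this monitor.
        synchronized (this) {
            this.refreshTokens.clear();
            this.refreshCache.invalidateAll();
        }
        this.cleaningCounter = 0;
        notifyStopped();
    }

    /**
     * Records an issued access token together with the identity it stands for.
     *
     * @param str the raw access token
     * @param authenticationInfo the identity returned when the token is verified
     */
    public void registerAccessToken(String str, AuthenticationInfo authenticationInfo) {
        this.accessTokens.put(str, authenticationInfo);
    }

    /**
     * Removes an access token so that later verification rejects it.
     *
     * @param str the raw access token
     */
    public void revokeAccessToken(String str) {
        this.accessTokens.remove(str);
    }

    /**
     * Checks an access token and returns the identity it was registered with.
     *
     * <p>The token must decode as a JWT with the server secret key, must not be expired, and must
     * still be present in this store; a revoked or never-registered token is rejected even when it
     * decodes correctly.
     *
     * @param str the raw access token
     * @return the identity registered for the token
     * @throws UnauthorizedException if the token cannot be decoded, is expired or is unknown
     */
    public AuthenticationInfo verifyAccessToken(String str) throws UnauthorizedException {
        // Sweep expired tokens once every 1000 verifications instead of on each call.
        this.cleaningCounter++;
        if (this.cleaningCounter > 1000) {
            this.cleaningCounter = 0;
            forgetExpiredAccessTokens();
        }
        try {
            if (new JwtToken(str, YamcsServer.getServer().getSecretKey()).isExpired()) {
                this.accessTokens.remove(str);
                throw new UnauthorizedException("Token expired");
            }
            AuthenticationInfo authenticationInfo = this.accessTokens.get(str);
            if (authenticationInfo == null) {
                throw new UnauthorizedException("Invalid access token");
            }
            return authenticationInfo;
        } catch (JwtHelper.JwtDecodeException e) {
            // NOTE(review): the decoder's message is copied into the exception text; confirm that
            // it is acceptable for this text to reach the HTTP client.
            throw new UnauthorizedException("Failed to decode JWT: " + e.getMessage());
        }
    }

    /** Drops every stored access token that is expired or no longer decodes. */
    private void forgetExpiredAccessTokens() {
        this.accessTokens.entrySet().removeIf(entry -> {
            try {
                return new JwtToken(entry.getKey(), YamcsServer.getServer().getSecretKey()).isExpired();
            } catch (JwtHelper.JwtDecodeException e) {
                // A token that cannot be decoded can never verify, so it is dropped as well.
                return true;
            }
        });
    }

    /**
     * Drops every refresh and access token that belongs to the given user.
     *
     * @param str the username whose tokens are removed
     */
    public synchronized void forgetUser(String str) {
        this.refreshTokens.entrySet().removeIf(
                entry -> str.equals(entry.getValue().getAuthenticationInfo().getUsername()));
        this.accessTokens.entrySet().removeIf(entry -> str.equals(entry.getValue().getUsername()));
    }

    /**
     * Issues a new refresh token bound to the given session.
     *
     * <p>The token is a random UUID string, which the JDK generates from a cryptographically
     * strong source. Only its HMAC is stored.
     *
     * @param userSession the session the token refreshes
     * @return the raw refresh token to hand to the client
     */
    public synchronized String generateRefreshToken(UserSession userSession) {
        String uuid = UUID.randomUUID().toString();
        this.refreshTokens.put(new Hmac(uuid), userSession);
        return uuid;
    }

    /**
     * Exchanges a refresh token for a new one, renewing the session it is bound to.
     *
     * <p>A refresh token is single-use: on success it is removed and replaced. For 5 seconds after
     * the exchange the old token still resolves, through the refresh cache, to the most recent
     * result in its chain.
     *
     * @param str the raw refresh token presented by the client
     * @return the session and replacement token, or {@code null} if the token is unknown
     * @throws UnauthorizedException if the session bound to the token has expired
     */
    public synchronized RefreshResult verifyRefreshToken(String str) {
        Hmac hmac = new Hmac(str);
        UserSession userSession = this.refreshTokens.get(hmac);
        if (userSession != null) {
            // Renew before issuing the replacement, so that an expired session does not leave a
            // freshly generated token behind in refreshTokens.
            try {
                renewSession(userSession);
            } catch (SessionExpiredException e) {
                // NOTE(review): the presented token stays in refreshTokens on this path; if an
                // expired session can never be renewed again, it could be removed here.
                throw new UnauthorizedException("Token expired");
            }
            String nextToken = generateRefreshToken(userSession);
            RefreshResult refreshResult = new RefreshResult(userSession, nextToken);
            this.refreshCache.put(hmac, refreshResult);
            this.refreshTokens.remove(hmac);
            return refreshResult;
        }
        // Unknown token: it may have been exchanged moments ago. Follow the chain of cached
        // exchanges and return the latest result, or null when nothing is cached.
        RefreshResult latest = null;
        RefreshResult next = this.refreshCache.getIfPresent(hmac);
        while (next != null) {
            latest = next;
            next = this.refreshCache.getIfPresent(new Hmac(next.refreshToken));
        }
        return latest;
    }

    /** Asks the session manager to renew the session with the given session's id. */
    private void renewSession(UserSession userSession) throws SessionExpiredException {
        this.sessionManager.renewSession(userSession.getId());
    }

    /**
     * Removes a refresh token and any cached exchange result recorded for it.
     *
     * @param str the raw refresh token
     */
    public synchronized void revokeRefreshToken(String str) {
        Hmac hmac = new Hmac(str);
        this.refreshTokens.remove(hmac);
        this.refreshCache.invalidate(hmac);
    }

    @Override // org.yamcs.security.SessionListener
    public void onCreated(UserSession userSession) {
    }

    // NOTE(review): nothing is removed when a session expires; access tokens are dropped only when
    // their own JWT expiry is reached. Confirm that this is intended.
    @Override // org.yamcs.security.SessionListener
    public void onExpired(UserSession userSession) {
    }

    /**
     * Drops the access tokens whose identity equals that of the invalidated session.
     *
     * <p>NOTE(review): refresh tokens bound to the session are not removed here; confirm that
     * session renewal fails for an invalidated session, so that they cannot be exchanged.
     */
    @Override // org.yamcs.security.SessionListener
    public void onInvalidated(UserSession userSession) {
        this.accessTokens.entrySet().removeIf(
                entry -> entry.getValue().equals(userSession.getAuthenticationInfo()));
    }
}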
