package com.floragunn.dlic.auth.http.jwt.keybyoidc;

import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.google.common.base.Strings;
import java.util.List;
import java.util.concurrent.Future;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/SelfRefreshingKeySet.class */
public class SelfRefreshingKeySet implements KeyProvider {
    private static final Logger log = LogManager.getLogger(SelfRefreshingKeySet.class);
    private final KeySetProvider keySetProvider;
    private final ThreadPoolExecutor threadPoolExecutor = new ThreadPoolExecutor(1, 10, 1000, TimeUnit.MILLISECONDS, new LinkedBlockingQueue());
    private volatile JsonWebKeys jsonWebKeys = new JsonWebKeys();
    private boolean refreshInProgress = false;
    private long refreshCount = 0;
    private long queuedGetCount = 0;
    private long recentRefreshCount = 0;
    private long refreshTime = 0;
    private Throwable lastRefreshFailure = null;
    private int requestTimeoutMs = 5000;
    private int queuedThreadTimeoutMs = 2500;
    private int refreshRateLimitTimeWindowMs = 10000;
    private int refreshRateLimitCount = 10;

    public SelfRefreshingKeySet(KeySetProvider keySetProvider) {
        this.keySetProvider = keySetProvider;
    }

    @Override // com.floragunn.dlic.auth.http.jwt.keybyoidc.KeyProvider
    public JsonWebKey getKey(String str) throws AuthenticatorUnavailableException, BadCredentialsException {
        return Strings.isNullOrEmpty(str) ? getKeyWithoutKeyId() : getKeyWithKeyId(str);
    }

    @Override // com.floragunn.dlic.auth.http.jwt.keybyoidc.KeyProvider
    public synchronized JsonWebKey getKeyAfterRefresh(String str) throws AuthenticatorUnavailableException, BadCredentialsException {
        JsonWebKey keyAfterRefreshInternal = getKeyAfterRefreshInternal(str);
        if (keyAfterRefreshInternal != null) {
            return keyAfterRefreshInternal;
        }
        if (this.jsonWebKeys.getKeys().size() == 0) {
            throw new AuthenticatorUnavailableException("IdP error", "No JWK are available from IdP");
        }
        throw new BadCredentialsException("JWT did not contain KID which is required if IdP provides multiple JWK");
    }

    private synchronized JsonWebKey getKeyAfterRefreshInternal(String str) throws AuthenticatorUnavailableException {
        return this.refreshInProgress ? waitForRefreshToFinish(str) : performRefresh(str);
    }

    private JsonWebKey getKeyWithoutKeyId() throws AuthenticatorUnavailableException, BadCredentialsException {
        List keys = this.jsonWebKeys.getKeys();
        if (keys == null || keys.size() == 0) {
            JsonWebKey keyWithRefresh = getKeyWithRefresh(null);
            if (keyWithRefresh != null) {
                return keyWithRefresh;
            }
            throw new AuthenticatorUnavailableException("IdP error", "No JWK are available from IdP");
        }
        if (keys.size() == 1) {
            return (JsonWebKey) keys.get(0);
        }
        JsonWebKey keyWithRefresh2 = getKeyWithRefresh(null);
        if (keyWithRefresh2 != null) {
            return keyWithRefresh2;
        }
        throw new BadCredentialsException("JWT did not contain KID which is required if IdP provides multiple JWK");
    }

    private JsonWebKey getKeyWithKeyId(String str) throws AuthenticatorUnavailableException, BadCredentialsException {
        JsonWebKey key = this.jsonWebKeys.getKey(str);
        if (key != null) {
            return key;
        }
        JsonWebKey keyWithRefresh = getKeyWithRefresh(str);
        if (keyWithRefresh == null) {
            throw new BadCredentialsException("Unknown kid " + str);
        }
        return keyWithRefresh;
    }

    private synchronized JsonWebKey getKeyWithRefresh(String str) throws AuthenticatorUnavailableException {
        JsonWebKey keySimple = getKeySimple(str);
        return keySimple != null ? keySimple : getKeyAfterRefreshInternal(str);
    }

    private JsonWebKey getKeySimple(String str) {
        if (!Strings.isNullOrEmpty(str)) {
            return this.jsonWebKeys.getKey(str);
        }
        List keys = this.jsonWebKeys.getKeys();
        if (keys == null || keys.size() != 1) {
            return null;
        }
        return (JsonWebKey) keys.get(0);
    }

    private synchronized JsonWebKey waitForRefreshToFinish(String str) throws AuthenticatorUnavailableException {
        this.queuedGetCount++;
        long j = this.refreshCount;
        try {
            wait(this.queuedThreadTimeoutMs);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.debug(e);
        }
        JsonWebKey keySimple = getKeySimple(str);
        if (keySimple != null) {
            return keySimple;
        }
        if (this.refreshInProgress && j == this.refreshCount) {
            throw new AuthenticatorUnavailableException("IdP error", "Authentication backend timed out");
        }
        if (this.lastRefreshFailure != null) {
            throw new AuthenticatorUnavailableException("Authentication backend failed", this.lastRefreshFailure);
        }
        return null;
    }

    private synchronized JsonWebKey performRefresh(String str) throws AuthenticatorUnavailableException {
        boolean z;
        if (log.isDebugEnabled()) {
            log.debug("performRefresh({})", str);
        }
        if (System.currentTimeMillis() - this.refreshTime < this.refreshRateLimitTimeWindowMs) {
            this.recentRefreshCount++;
            z = true;
            if (this.recentRefreshCount > this.refreshRateLimitCount) {
                throw new AuthenticatorUnavailableException("Rate limiting error", "Too many unknown kids recently: " + this.recentRefreshCount);
            }
        } else {
            z = false;
        }
        this.refreshInProgress = true;
        this.refreshCount++;
        log.info("Performing refresh {}", Long.valueOf(this.refreshCount));
        long j = this.refreshCount;
        try {
            try {
                final boolean z2 = z;
                Future<?> submit = this.threadPoolExecutor.submit(new Runnable() { // from class: com.floragunn.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet.1
                    @Override // java.lang.Runnable
                    public void run() {
                        try {
                            try {
                                JsonWebKeys jsonWebKeys = SelfRefreshingKeySet.this.keySetProvider.get();
                                if (jsonWebKeys == null) {
                                    throw new RuntimeException("Refresh function " + SelfRefreshingKeySet.this.keySetProvider + " yielded null");
                                }
                                SelfRefreshingKeySet.log.info("KeySetProvider finished; got: " + jsonWebKeys);
                                synchronized (SelfRefreshingKeySet.this) {
                                    SelfRefreshingKeySet.this.jsonWebKeys = jsonWebKeys;
                                    SelfRefreshingKeySet.this.refreshInProgress = false;
                                    SelfRefreshingKeySet.this.lastRefreshFailure = null;
                                    SelfRefreshingKeySet.this.notifyAll();
                                }
                                if (z2) {
                                    return;
                                }
                                SelfRefreshingKeySet.this.recentRefreshCount = 0L;
                                SelfRefreshingKeySet.this.refreshTime = System.currentTimeMillis();
                            } catch (Throwable th) {
                                synchronized (SelfRefreshingKeySet.this) {
                                    SelfRefreshingKeySet.this.lastRefreshFailure = th;
                                    SelfRefreshingKeySet.this.refreshInProgress = false;
                                    SelfRefreshingKeySet.this.notifyAll();
                                    SelfRefreshingKeySet.log.warn("KeySetProvider threw error", th);
                                    if (z2) {
                                        return;
                                    }
                                    SelfRefreshingKeySet.this.recentRefreshCount = 0L;
                                    SelfRefreshingKeySet.this.refreshTime = System.currentTimeMillis();
                                }
                            }
                        } catch (Throwable th2) {
                            if (!z2) {
                                SelfRefreshingKeySet.this.recentRefreshCount = 0L;
                                SelfRefreshingKeySet.this.refreshTime = System.currentTimeMillis();
                            }
                            throw th2;
                        }
                    }
                });
                try {
                    wait(this.requestTimeoutMs);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    log.debug(e);
                }
                JsonWebKey keySimple = getKeySimple(str);
                if (keySimple != null) {
                    return keySimple;
                }
                if (this.refreshInProgress && j == this.refreshCount) {
                    if (!submit.isDone()) {
                        submit.cancel(true);
                    }
                    this.lastRefreshFailure = new AuthenticatorUnavailableException("IdP error", "Authentication backend timed out");
                    throw new AuthenticatorUnavailableException("IdP error", "Authentication backend timed out");
                }
                if (this.lastRefreshFailure != null) {
                    throw new AuthenticatorUnavailableException("Authentication backend failed", this.lastRefreshFailure);
                }
                if (this.refreshInProgress && j == this.refreshCount) {
                    this.refreshInProgress = false;
                    notifyAll();
                }
                return null;
            } catch (RejectedExecutionException e2) {
                throw new AuthenticatorUnavailableException("Did not try to call authentication backend because of " + this.threadPoolExecutor.getActiveCount() + " pending threads", e2);
            }
        } finally {
            if (this.refreshInProgress && j == this.refreshCount) {
                this.refreshInProgress = false;
                notifyAll();
            }
        }
    }

    public int getRequestTimeoutMs() {
        return this.requestTimeoutMs;
    }

    public void setRequestTimeoutMs(int i) {
        this.requestTimeoutMs = i;
    }

    public int getQueuedThreadTimeoutMs() {
        return this.queuedThreadTimeoutMs;
    }

    public void setQueuedThreadTimeoutMs(int i) {
        this.queuedThreadTimeoutMs = i;
    }

    public long getRefreshCount() {
        return this.refreshCount;
    }

    public long getQueuedGetCount() {
        return this.queuedGetCount;
    }

    public int getRefreshRateLimitTimeWindowMs() {
        return this.refreshRateLimitTimeWindowMs;
    }

    public void setRefreshRateLimitTimeWindowMs(int i) {
        this.refreshRateLimitTimeWindowMs = i;
    }

    public int getRefreshRateLimitCount() {
        return this.refreshRateLimitCount;
    }

    public void setRefreshRateLimitCount(int i) {
        this.refreshRateLimitCount = i;
    }
}
