package io.hops.hopsworks.common.security;

import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.base.Strings;
import io.hops.hopsworks.common.util.DateUtils;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.jwt.JWTController;
import io.hops.hopsworks.jwt.exception.JWTException;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.ejb.DependsOn;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.ejb.Timeout;
import javax.ejb.TimerConfig;
import javax.ejb.TimerService;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.util.ExponentialBackOff;

@DependsOn({"Settings"})
@Singleton
@TransactionAttribute(TransactionAttributeType.NEVER)
@Startup
/* loaded from: input_file:io/hops/hopsworks/common/security/ServiceJWTKeepAlive.class */
public class ServiceJWTKeepAlive {
    private static final Logger LOGGER = Logger.getLogger(ServiceJWTKeepAlive.class.getName());
    private static final List<String> SERVICE_RENEW_JWT_AUDIENCE = new ArrayList(1);

    @EJB
    private Settings settings;

    @EJB
    private JWTController jwtController;

    @Resource
    private TimerService timerService;
    private String hostname;
    private BackOff backOff;

    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    @PostConstruct
    public void init() {
        this.hostname = "hopsworks";
        this.backOff = new ExponentialBackOff.Builder().setInitialIntervalMillis(100L).setMaximumIntervalMillis(2000L).setMultiplier(2.0d).setMaximumRetries(4).build();
        this.timerService.createIntervalTimer(5000L, Math.min(10000L, Math.max(500L, this.settings.getServiceJWTLifetimeMS() / 2)), new TimerConfig("Service JWT renewer", false));
    }

    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    @Timeout
    @Lock(LockType.WRITE)
    public void renewServiceToken() {
        try {
            doRenew(false);
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Error renewing service JWT", (Throwable) e);
        }
    }

    @Lock(LockType.WRITE)
    public void forceRenewServiceToken() throws JWTException {
        try {
            doRenew(true);
        } catch (InterruptedException e) {
            LOGGER.log(Level.SEVERE, "Could not renew service JWT", (Throwable) e);
            throw new JWTException(e.getMessage(), e);
        }
    }

    private void doRenew(boolean z) throws JWTException, InterruptedException {
        String serviceMasterJWT = this.settings.getServiceMasterJWT();
        if (Strings.isNullOrEmpty(serviceMasterJWT)) {
            throw new JWTException("Master token is empty!");
        }
        LocalDateTime now = DateUtils.getNow();
        DecodedJWT decodeToken = this.jwtController.decodeToken(serviceMasterJWT);
        if (z || maybeRenewMasterToken(decodeToken, now)) {
            String[] serviceRenewJWTs = this.settings.getServiceRenewJWTs();
            List<String> jWTRoles = getJWTRoles(decodeToken);
            String subject = decodeToken.getSubject();
            this.backOff.reset();
            int i = 0;
            while (i < serviceRenewJWTs.length) {
                try {
                    Pair<String, String[]> renewServiceToken = this.jwtController.renewServiceToken(serviceRenewJWTs[i], serviceMasterJWT, DateUtils.localDateTime2Date(now.plus(this.settings.getServiceJWTLifetimeMS(), (TemporalUnit) ChronoUnit.MILLIS)), DateUtils.localDateTime2Date(now), Long.valueOf(this.settings.getServiceJWTLifetimeMS()), subject, jWTRoles, SERVICE_RENEW_JWT_AUDIENCE, this.hostname, this.settings.getJWTIssuer(), this.settings.getJWTSigningKeyName(), z);
                    LOGGER.log(Level.FINEST, "New master JWT: " + ((String) renewServiceToken.getLeft()));
                    updateTokens(renewServiceToken);
                    LOGGER.log(Level.FINEST, "Invalidating JWT: " + serviceMasterJWT);
                    this.jwtController.invalidateServiceToken(serviceMasterJWT, this.settings.getJWTSigningKeyName());
                    break;
                } catch (JWTException | NoSuchAlgorithmException e) {
                    i++;
                    Long valueOf = Long.valueOf(this.backOff.getBackOffInMillis());
                    if (valueOf.longValue() == -1) {
                        this.backOff.reset();
                        throw new JWTException("Cannot renew service JWT");
                    }
                    LOGGER.log(Level.WARNING, "Failed to renew service JWT, retrying in " + valueOf + " ms");
                    TimeUnit.MILLISECONDS.sleep(valueOf.longValue());
                }
            }
            LOGGER.log(Level.FINE, "Successfully renewed service JWT");
        }
    }

    private void updateTokens(Pair<String, String[]> pair) {
        this.settings.setServiceMasterJWT((String) pair.getLeft());
        this.settings.setServiceRenewJWTs((String[]) pair.getRight());
    }

    private List<String> getJWTRoles(DecodedJWT decodedJWT) {
        return Arrays.asList(this.jwtController.getRolesClaim(decodedJWT));
    }

    private boolean maybeRenewMasterToken(DecodedJWT decodedJWT, LocalDateTime localDateTime) {
        LocalDateTime date2LocalDateTime = DateUtils.date2LocalDateTime(decodedJWT.getExpiresAt());
        return date2LocalDateTime.isBefore(localDateTime) || date2LocalDateTime.isEqual(localDateTime);
    }

    static {
        SERVICE_RENEW_JWT_AUDIENCE.add("services");
    }
}
