package com.atlassian.crowd.manager.authentication;

import com.atlassian.cache.Cache;
import com.atlassian.crowd.dao.application.ApplicationDAO;
import com.atlassian.crowd.dao.token.SessionTokenStorage;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.crowd.event.application.ApplicationAuthenticatedEvent;
import com.atlassian.crowd.event.token.AllTokensInvalidatedEvent;
import com.atlassian.crowd.event.token.TokenInvalidatedEvent;
import com.atlassian.crowd.event.user.UserAuthenticationFailedAccessDeniedEvent;
import com.atlassian.crowd.event.user.UserAuthenticationSucceededEvent;
import com.atlassian.crowd.event.user.UserTokenVerificationSucceededEvent;
import com.atlassian.crowd.exception.ApplicationNotFoundException;
import com.atlassian.crowd.exception.ApplicationPermissionException;
import com.atlassian.crowd.exception.DirectoryNotFoundException;
import com.atlassian.crowd.exception.ExpiredCredentialException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.InvalidTokenException;
import com.atlassian.crowd.exception.ObjectAlreadyExistsException;
import com.atlassian.crowd.exception.ObjectNotFoundException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.TokenExpiredException;
import com.atlassian.crowd.exception.TokenNotFoundException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.crowd.manager.application.ApplicationAccessDeniedException;
import com.atlassian.crowd.manager.application.ApplicationManager;
import com.atlassian.crowd.manager.application.ApplicationService;
import com.atlassian.crowd.manager.directory.DirectoryManager;
import com.atlassian.crowd.manager.property.PropertyManager;
import com.atlassian.crowd.manager.token.factory.TokenFactory;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.application.DirectoryMapping;
import com.atlassian.crowd.model.authentication.ApplicationAuthenticationContext;
import com.atlassian.crowd.model.authentication.AuthenticationContext;
import com.atlassian.crowd.model.authentication.UserAuthenticationContext;
import com.atlassian.crowd.model.authentication.ValidationFactor;
import com.atlassian.crowd.model.group.GroupType;
import com.atlassian.crowd.model.token.Token;
import com.atlassian.crowd.model.token.TokenLifetime;
import com.atlassian.crowd.model.user.User;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.event.api.EventPublisher;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.time.Clock;
import java.util.Arrays;
import java.util.ConcurrentModificationException;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.annotation.Transactional;

@Transactional
/* loaded from: input_file:com/atlassian/crowd/manager/authentication/TokenAuthenticationManagerImpl.class */
public class TokenAuthenticationManagerImpl implements TokenAuthenticationManager {

    @VisibleForTesting
    protected static final String RECENT_TOKENS_CACHE_SIZE_SYSTEM_PROPERTY_NAME = "crowd.token.last.accessed.time.update.cache.size";

    @VisibleForTesting
    protected static final String RECENT_TOKENS_CACHE_TTL_SYSTEM_PROPERTY_NAME = "crowd.token.last.accessed.time.update.threshold.millis";
    private final SessionTokenStorage tokenManager;
    private final ApplicationDAO applicationDao;
    private final TokenFactory tokenFactory;
    private final Cache<String, Boolean> cache;
    private final EventPublisher eventPublisher;
    private final PropertyManager propertyManager;
    private final DirectoryManager directoryManager;
    private final ApplicationManager applicationManager;
    private final ApplicationService applicationService;
    private final Clock clock;
    private static final Predicate<ValidationFactor> NOT_REMOTE_ADDRESS = new Predicate<ValidationFactor>() { // from class: com.atlassian.crowd.manager.authentication.TokenAuthenticationManagerImpl.1
        public boolean apply(ValidationFactor validationFactor) {
            return !validationFactor.getName().equals("remote_address");
        }
    };
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final long lastAccessedTimeUpdateThresholdMillis = Integer.getInteger(RECENT_TOKENS_CACHE_TTL_SYSTEM_PROPERTY_NAME, 5000).intValue();
    private final com.google.common.cache.Cache<String, Long> recentTokens = CacheBuilder.newBuilder().maximumSize(Integer.getInteger(RECENT_TOKENS_CACHE_SIZE_SYSTEM_PROPERTY_NAME, 10000).intValue()).expireAfterWrite(this.lastAccessedTimeUpdateThresholdMillis, TimeUnit.MILLISECONDS).build();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/atlassian/crowd/manager/authentication/TokenAuthenticationManagerImpl$TokenValidationFailure.class */
    public static class TokenValidationFailure {
        private static final Logger logger = LoggerFactory.getLogger(TokenValidationFailure.class);

        TokenValidationFailure() {
        }

        static void mismatch(String str, String str2, String str3, ValidationFactor[] validationFactorArr) {
            if (logger.isDebugEnabled()) {
                logger.debug("Existing token '{}' for user '{}' does not match new token '{}' with validation factors '{}'", new Object[]{str, str2, str3, TokenAuthenticationManagerImpl.toString(validationFactorArr)});
            }
        }

        static void expired(String str, String str2) {
            if (logger.isDebugEnabled()) {
                logger.debug("Existing token '{}' for user '{}' has expired", str, str2);
            }
        }
    }

    public TokenAuthenticationManagerImpl(SessionTokenStorage sessionTokenStorage, ApplicationDAO applicationDAO, TokenFactory tokenFactory, Cache<String, Boolean> cache, EventPublisher eventPublisher, PropertyManager propertyManager, DirectoryManager directoryManager, ApplicationManager applicationManager, ApplicationService applicationService, Clock clock) {
        this.tokenManager = sessionTokenStorage;
        this.applicationDao = applicationDAO;
        this.tokenFactory = tokenFactory;
        this.cache = cache;
        this.eventPublisher = eventPublisher;
        this.propertyManager = propertyManager;
        this.directoryManager = directoryManager;
        this.applicationManager = applicationManager;
        this.applicationService = applicationService;
        this.clock = clock;
    }

    public Optional<Token> invalidateToken(String str) {
        try {
            if (Strings.isNullOrEmpty(str)) {
                return Optional.empty();
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("InvalidateToken: token " + str);
            }
            Token findByRandomHash = this.tokenManager.findByRandomHash(str);
            this.logger.debug("Removing token from the database");
            this.tokenManager.remove(findByRandomHash);
            this.eventPublisher.publish(new TokenInvalidatedEvent(this, findByRandomHash));
            return Optional.of(findByRandomHash);
        } catch (ObjectNotFoundException e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Token does not exist", e);
            }
            return Optional.empty();
        }
    }

    public void invalidateAllTokens() {
        this.logger.info("Removing all user and application tokens");
        this.tokenManager.removeAll();
        this.eventPublisher.publish(new AllTokensInvalidatedEvent(this));
    }

    public void removeExpiredTokens() {
        long seconds = TimeUnit.MINUTES.toSeconds(this.propertyManager.getSessionTime());
        Date date = new Date();
        this.logger.debug("Removing expired tokens as of {} with a maximum lifetime of {} seconds", date, Long.valueOf(seconds));
        this.tokenManager.removeExpiredTokens(date, seconds);
    }

    public User findUserByToken(Token token, Application application) throws InvalidTokenException, OperationFailedException {
        try {
            return this.directoryManager.findUserByName(token.getDirectoryId(), token.getUnaliasedUsername());
        } catch (DirectoryNotFoundException | ObjectNotFoundException e) {
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }

    public Token findUserTokenByKey(String str, Application application) throws InvalidTokenException, ApplicationAccessDeniedException, OperationFailedException {
        try {
            Token findByRandomHash = this.tokenManager.findByRandomHash(str);
            if (findByRandomHash.isApplicationToken()) {
                throw new InvalidTokenException("Found token was for an application, not a user");
            }
            if (isAllowedToAuthenticate(findByRandomHash, application)) {
                return findByRandomHash;
            }
            throw new ApplicationAccessDeniedException(application.getName());
        } catch (ObjectNotFoundException | DirectoryNotFoundException e) {
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }

    public List<Application> findAuthorisedApplications(User user, String str) throws OperationFailedException, DirectoryNotFoundException {
        return this.applicationDao.findAuthorisedApplications(user.getDirectoryId(), this.directoryManager.searchNestedGroupRelationships(user.getDirectoryId(), QueryBuilder.queryFor(String.class, EntityDescriptor.group(GroupType.GROUP)).parentsOf(EntityDescriptor.user()).withName(user.getName()).returningAtMost(-1)));
    }

    public Token authenticateApplication(Application application, ApplicationAuthenticationContext applicationAuthenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException {
        return authenticateApplication(application, applicationAuthenticationContext, tokenLifetime, true);
    }

    public Token authenticateApplicationWithoutValidatingPassword(Application application, ApplicationAuthenticationContext applicationAuthenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException {
        return authenticateApplication(application, applicationAuthenticationContext, tokenLifetime, false);
    }

    private Token authenticateApplication(Application application, ApplicationAuthenticationContext applicationAuthenticationContext, TokenLifetime tokenLifetime, boolean z) throws InvalidAuthenticationException {
        try {
            if (!application.isActive()) {
                throw new InvalidAuthenticationException("Application is not active");
            }
            if (z && !this.applicationManager.authenticate(application, applicationAuthenticationContext.getCredential())) {
                throw new InvalidAuthenticationException("The password in the application's crowd.properties file does not match the password in Crowd.");
            }
            Token generateApplicationToken = generateApplicationToken(applicationAuthenticationContext, tokenLifetime);
            this.eventPublisher.publish(new ApplicationAuthenticatedEvent(this, application, generateApplicationToken));
            return generateApplicationToken;
        } catch (ApplicationNotFoundException | InvalidTokenException | OperationFailedException e) {
            throw new InvalidAuthenticationException(application.getName(), e);
        }
    }

    public Token authenticateUser(Application application, UserAuthenticationContext userAuthenticationContext, boolean z, TokenLifetime tokenLifetime) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException {
        Preconditions.checkNotNull(tokenLifetime);
        if (userAuthenticationContext == null) {
            throw new InvalidAuthenticationException("Unable to authenticate with null context");
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Authenticating user: " + userAuthenticationContext.getName());
        }
        try {
            User authenticateUser = z ? this.applicationService.authenticateUser(application, userAuthenticationContext.getName(), userAuthenticationContext.getCredential()) : this.applicationService.userAuthenticated(application, userAuthenticationContext.getName());
            UserAuthenticationContext withName = userAuthenticationContext.withName(authenticateUser.getName());
            if (!this.applicationService.isUserAuthorised(application, withName.getName())) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("User <" + withName.getName() + "> does NOT have access to the application <" + application.getName() + ">");
                }
                this.eventPublisher.publish(new UserAuthenticationFailedAccessDeniedEvent(this, authenticateUser, application));
                throw new ApplicationAccessDeniedException(withName.getApplication());
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("User <" + withName.getName() + "> has access to the application <" + application.getName() + ">");
            }
            Pair<Token, Boolean> generateUserToken = generateUserToken(authenticateUser.getDirectoryId(), withName, tokenLifetime);
            this.eventPublisher.publish(new UserAuthenticationSucceededEvent(this, authenticateUser, application, (Token) generateUserToken.getLeft()));
            if (((Boolean) generateUserToken.getRight()).booleanValue()) {
                updateUserLastActivity(application, authenticateUser.getName(), ((Token) generateUserToken.getLeft()).getLastAccessedTime());
            }
            return (Token) generateUserToken.getLeft();
        } catch (UserNotFoundException e) {
            throw InvalidAuthenticationException.newInstanceWithNameAndDescriptionFromCause(userAuthenticationContext.getName(), e);
        } catch (InvalidTokenException e2) {
            throw new InvalidAuthenticationException(userAuthenticationContext.getName(), e2);
        }
    }

    public Token authenticateUser(Application application, UserAuthenticationContext userAuthenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException {
        return authenticateUser(application, userAuthenticationContext, true, tokenLifetime);
    }

    public Token authenticateUserWithoutValidatingPassword(Application application, UserAuthenticationContext userAuthenticationContext) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException {
        try {
            return authenticateUser(application, userAuthenticationContext, false, TokenLifetime.USE_DEFAULT);
        } catch (ExpiredCredentialException e) {
            this.logger.error("This should never happen! This user is not authenticated by validating the password.");
            throw InvalidAuthenticationException.newInstanceWithName(userAuthenticationContext.getName());
        }
    }

    public Token validateApplicationToken(String str, ValidationFactor[] validationFactorArr) throws InvalidTokenException {
        return (Token) genericValidateToken(str, validationFactorArr).getLeft();
    }

    public Token validateUserToken(Application application, String str, ValidationFactor[] validationFactorArr) throws InvalidTokenException, ApplicationAccessDeniedException, OperationFailedException {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("validateUserToken: " + str);
        }
        Pair<Token, Boolean> genericValidateToken = genericValidateToken(str, validationFactorArr);
        Token token = (Token) genericValidateToken.getLeft();
        try {
            if (!isAllowedToAuthenticate(token, application)) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("user does NOT have access to the application <" + application.getName() + ">");
                }
                throw new ApplicationAccessDeniedException(application.getName());
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("user has access to the application <" + application.getName() + ">");
            }
            this.eventPublisher.publish(new UserTokenVerificationSucceededEvent(application, token));
            if (((Boolean) genericValidateToken.getRight()).booleanValue()) {
                updateUserLastActivity(application, token.getUnaliasedUsername(), token.getLastAccessedTime());
            }
            return token;
        } catch (DirectoryNotFoundException e) {
            throw new ConcurrentModificationException("Directory mapping removed while validating the user token");
        }
    }

    protected List<ValidationFactor> activeValidationFactors(ValidationFactor[] validationFactorArr) {
        return ImmutableList.copyOf(Iterables.filter(Arrays.asList(validationFactorArr), this.propertyManager.isIncludeIpAddressInValidationFactors() ? Predicates.alwaysTrue() : NOT_REMOTE_ADDRESS));
    }

    protected Pair<Token, Boolean> generateUserToken(long j, AuthenticationContext authenticationContext, TokenLifetime tokenLifetime) throws InvalidTokenException, OperationFailedException {
        Preconditions.checkNotNull(authenticationContext);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("generateUserToken: user " + authenticationContext.getName());
        }
        ValidationFactor[] validationFactors = authenticationContext.getValidationFactors();
        if (validationFactors == null) {
            validationFactors = new ValidationFactor[0];
        }
        Token create = this.tokenFactory.create(j, authenticationContext.getName(), tokenLifetime, activeValidationFactors(validationFactors));
        try {
            return reuseExistingToken(create);
        } catch (ObjectNotFoundException e) {
            return Pair.of(saveNewToken(create), true);
        }
    }

    private Pair<Token, Boolean> reuseExistingToken(Token token) throws ObjectNotFoundException, OperationFailedException {
        Token findByIdentifierHash = this.tokenManager.findByIdentifierHash(token.getIdentifierHash());
        if (isExpired(findByIdentifierHash)) {
            TokenValidationFailure.expired(findByIdentifierHash.getRandomHash(), findByIdentifierHash.getName());
            this.logger.debug("Token exists matching identifierHash ({}), but is expired, so need to create a new token", findByIdentifierHash.getIdentifierHash());
            this.tokenManager.remove(findByIdentifierHash);
            throw new ObjectNotFoundException(Token.class, findByIdentifierHash.getIdentifierHash());
        }
        if (IdentifierUtils.equalsInLowerCase(token.getName(), findByIdentifierHash.getName()) && token.getDirectoryId() == findByIdentifierHash.getDirectoryId()) {
            this.logger.debug("Returning existing token that matched identifierHash");
            return maybeUpdateLastAccessedTime(findByIdentifierHash);
        }
        this.logger.error("Token exists matching identifierHash ({}), but it seems to be created for a different user ({}:{}), while generating the token for user ({}:{}). This might indicate a hash collision. Aborting.", new Object[]{findByIdentifierHash.getIdentifierHash(), Long.valueOf(findByIdentifierHash.getDirectoryId()), findByIdentifierHash.getName(), Long.valueOf(token.getDirectoryId()), token.getName()});
        throw new OperationFailedException("Failed to generate the token, check the logs for details");
    }

    private Token saveNewToken(Token token) {
        this.logger.debug("Saving and returning newly created token");
        try {
            this.tokenManager.add(token);
            return token;
        } catch (ObjectAlreadyExistsException e) {
            throw new ConcurrentModificationException("An authentication token was concurrently inserted, please retry", e);
        }
    }

    private Token generateApplicationToken(ApplicationAuthenticationContext applicationAuthenticationContext, TokenLifetime tokenLifetime) throws InvalidTokenException, OperationFailedException {
        return (Token) generateUserToken(-1L, applicationAuthenticationContext, tokenLifetime).getLeft();
    }

    static String toString(ValidationFactor[] validationFactorArr) {
        return StringUtils.join(validationFactorArr, ", ");
    }

    protected Pair<Token, Boolean> genericValidateToken(String str, ValidationFactor[] validationFactorArr) throws InvalidTokenException {
        Preconditions.checkNotNull(str, "A token key cannot be null");
        Preconditions.checkNotNull(validationFactorArr, "The array of ValidationFactors cannot be null");
        this.logger.debug("genericValidateToken");
        try {
            Token findByRandomHash = this.tokenManager.findByRandomHash(str);
            if (isExpired(findByRandomHash)) {
                this.logger.debug("token has expired. removing from db");
                this.tokenManager.remove(findByRandomHash);
                throw new TokenExpiredException("Token has expired.");
            }
            String createValidationHash = this.tokenFactory.createValidationHash(findByRandomHash.getDirectoryId(), findByRandomHash.getName(), activeValidationFactors(validationFactorArr), findByRandomHash.getRandomNumber());
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Current Validation Factors: \n" + toString(validationFactorArr));
                this.logger.debug("comparing existing token " + findByRandomHash + " with a validation token " + createValidationHash);
            }
            if (findByRandomHash.getRandomHash().equals(createValidationHash)) {
                this.logger.debug("returning validated token, with updated last accessed time");
                return maybeUpdateLastAccessedTime(findByRandomHash);
            }
            TokenValidationFailure.mismatch(findByRandomHash.getRandomHash(), findByRandomHash.getName(), createValidationHash, validationFactorArr);
            this.logger.debug("The token keys don't match");
            throw new InvalidTokenException("Token doesn't match the existing token.");
        } catch (ObjectNotFoundException e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("The token " + str + " was not found in db");
            }
            throw new TokenNotFoundException("Token does not validate.");
        }
    }

    @VisibleForTesting
    protected Pair<Token, Boolean> maybeUpdateLastAccessedTime(Token token) throws ObjectNotFoundException {
        long millis = this.clock.millis();
        long lastAccessedTime = millis - token.getLastAccessedTime();
        boolean z = false;
        if (lastAccessedTime > this.lastAccessedTimeUpdateThresholdMillis) {
            Long l = (Long) this.recentTokens.getIfPresent(token.getRandomHash());
            if (l == null || l.longValue() > lastAccessedTime) {
                l = Long.valueOf(lastAccessedTime);
            }
            if (l.longValue() > this.lastAccessedTimeUpdateThresholdMillis) {
                this.recentTokens.put(token.getRandomHash(), Long.valueOf(l.longValue() / 2));
                token.setLastAccessedTime(millis);
                z = true;
            }
        }
        return Pair.of(this.tokenManager.update(token), Boolean.valueOf(z));
    }

    protected boolean isExpired(Token token) {
        Date date = new Date();
        Date tokenExpiryTime = getTokenExpiryTime(token);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("checking if the token is expired:");
            this.logger.debug("\tnow: \t\t\t" + date);
            this.logger.debug("\tlast accessed: \t" + new Date(token.getLastAccessedTime()));
            this.logger.debug("\texpiry time: \t" + tokenExpiryTime);
            this.logger.debug("\tallowed session time (seconds): " + getEffectiveTokenSessionTime(token));
        }
        return !tokenExpiryTime.after(date);
    }

    private long getEffectiveTokenSessionTime(Token token) {
        long seconds = TimeUnit.MINUTES.toSeconds(this.propertyManager.getSessionTime());
        TokenLifetime lifetime = token.getLifetime();
        return lifetime.isDefault() ? seconds : Math.min(lifetime.getSeconds(), seconds);
    }

    protected boolean isAllowedToAuthenticate(String str, long j, Application application) throws OperationFailedException, DirectoryNotFoundException {
        if (!application.isActive()) {
            if (!this.logger.isDebugEnabled()) {
                return false;
            }
            this.logger.debug("User does not have access to application '" + application.getName() + "' as the application is inactive");
            return false;
        }
        DirectoryMapping directoryMapping = application.getDirectoryMapping(j);
        if (directoryMapping != null && (directoryMapping.isAllowAllToAuthenticate() || this.directoryManager.isUserNestedGroupMember(j, str, directoryMapping.getAuthorisedGroupNames()))) {
            return true;
        }
        if (!this.logger.isDebugEnabled()) {
            return false;
        }
        this.logger.debug("User does not have access to application '" + application.getName() + "' as the directory is not allow all to authenticate and the user is not a member of any of the authorised groups");
        return false;
    }

    private boolean isAllowedToAuthenticate(Token token, Application application, boolean z) throws OperationFailedException, DirectoryNotFoundException {
        if (z || !this.propertyManager.isCacheEnabled()) {
            return isAllowedToAuthenticate(token.getName(), token.getDirectoryId(), application);
        }
        if (Boolean.TRUE.equals((Boolean) this.cache.get(application.getName() + token.getRandomHash()))) {
            return true;
        }
        Boolean valueOf = Boolean.valueOf(isAllowedToAuthenticate(token.getName(), token.getDirectoryId(), application));
        this.cache.put(application.getName() + token.getRandomHash(), valueOf);
        return valueOf.booleanValue();
    }

    private boolean isAllowedToAuthenticate(Token token, Application application) throws OperationFailedException, DirectoryNotFoundException {
        return isAllowedToAuthenticate(token, application, false);
    }

    public void invalidateTokensForUser(String str, @Nullable String str2, String str3) throws UserNotFoundException, ApplicationNotFoundException {
        User findUserByName = this.applicationService.findUserByName(this.applicationManager.findByName(str3), str);
        if (StringUtils.isBlank(str2)) {
            this.tokenManager.remove(findUserByName.getDirectoryId(), findUserByName.getName());
        } else {
            this.tokenManager.removeExcept(findUserByName.getDirectoryId(), findUserByName.getName(), str2);
        }
    }

    public Date getTokenExpiryTime(Token token) {
        long millis = TimeUnit.SECONDS.toMillis(getEffectiveTokenSessionTime(token));
        long lastAccessedTime = token.getLastAccessedTime();
        Preconditions.checkArgument(millis >= 0);
        Preconditions.checkArgument(lastAccessedTime >= 0);
        long j = lastAccessedTime + millis;
        return j < 0 ? new Date(Long.MAX_VALUE) : new Date(j);
    }

    void updateUserLastActivity(Application application, String str, long j) {
        try {
            this.applicationService.storeUserAttributes(application, str, ImmutableMap.of("lastActive", ImmutableSet.of(Long.toString(j))));
        } catch (UserNotFoundException e) {
            this.logger.debug("Unable to update last active for user '{}' as they do not exist", str);
        } catch (ApplicationPermissionException e2) {
            this.logger.debug("Unable to update last active for user '{}' as there are insufficient permissions to write for application '{}'", str, application.getName());
        } catch (OperationFailedException e3) {
            this.logger.error("Operation to update last active for user '{}' failed", str, e3);
        }
    }
}
