package org.apache.servicecomb.serviceregistry.auth;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.eventbus.Subscribe;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.servicecomb.foundation.auth.Cipher;
import org.apache.servicecomb.foundation.common.concurrent.ConcurrentHashMapEx;
import org.apache.servicecomb.http.client.event.EngineConnectChangedEvent;
import org.apache.servicecomb.registry.api.event.ServiceCenterEventBus;
import org.apache.servicecomb.service.center.client.ServiceCenterClient;
import org.apache.servicecomb.service.center.client.model.RbacTokenRequest;
import org.apache.servicecomb.service.center.client.model.RbacTokenResponse;
import org.apache.servicecomb.serviceregistry.event.NotPermittedEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/servicecomb/serviceregistry/auth/TokenCacheManager.class */
public final class TokenCacheManager {
    public static final String INVALID_TOKEN = "";
    private final Map<String, TokenCache> tokenCacheMap = new ConcurrentHashMapEx();
    private Map<String, ServiceCenterClient> serviceCenterClients;
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenCacheManager.class);
    private static final TokenCacheManager INSTANCE = new TokenCacheManager();

    /* loaded from: input_file:org/apache/servicecomb/serviceregistry/auth/TokenCacheManager$TokenCache.class */
    public class TokenCache {
        private static final String UN_AUTHORIZED_CODE_HALF_OPEN = "401302";
        private static final long TOKEN_REFRESH_TIME_IN_SECONDS = 1200000;
        private final String registryName;
        private final String accountName;
        private final String password;
        private ExecutorService executorService;
        private LoadingCache<String, String> cache;
        private final Cipher cipher;
        private int lastStatusCode;
        private String lastErrorCode;

        public TokenCache(String str, String str2, String str3, Cipher cipher) {
            this.registryName = str;
            this.accountName = str2;
            this.password = str3;
            this.cipher = cipher;
            if (enabled()) {
                this.executorService = Executors.newFixedThreadPool(1, runnable -> {
                    return new Thread(runnable, "rbac-executor-" + this.registryName) { // from class: org.apache.servicecomb.serviceregistry.auth.TokenCacheManager.TokenCache.1
                        @Override // java.lang.Thread, java.lang.Runnable
                        public void run() {
                            try {
                                super.run();
                            } catch (Throwable th) {
                                TokenCacheManager.LOGGER.error(TokenCacheManager.INVALID_TOKEN, th);
                            }
                        }
                    };
                });
                this.cache = CacheBuilder.newBuilder().maximumSize(1L).refreshAfterWrite(refreshTime(), TimeUnit.MILLISECONDS).build(new CacheLoader<String, String>() { // from class: org.apache.servicecomb.serviceregistry.auth.TokenCacheManager.TokenCache.2
                    public String load(String str4) throws Exception {
                        return TokenCache.this.createHeaders();
                    }

                    public ListenableFuture<String> reload(String str4, String str5) throws Exception {
                        return Futures.submit(() -> {
                            return TokenCache.this.createHeaders();
                        }, TokenCache.this.executorService);
                    }
                });
                ServiceCenterEventBus.getEventBus().register(this);
            }
        }

        @Subscribe
        public void onNotPermittedEvent(NotPermittedEvent notPermittedEvent) {
            this.executorService.submit(() -> {
                if (this.lastStatusCode == Response.Status.UNAUTHORIZED.getStatusCode() && UN_AUTHORIZED_CODE_HALF_OPEN.equals(this.lastErrorCode)) {
                    this.cache.refresh(this.registryName);
                }
            });
        }

        @Subscribe
        public void onEngineConnectChangedEvent(EngineConnectChangedEvent engineConnectChangedEvent) {
            this.cache.refresh(this.registryName);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public String createHeaders() {
            TokenCacheManager.LOGGER.info("start to create RBAC headers");
            ServiceCenterClient serviceCenterClient = (ServiceCenterClient) TokenCacheManager.this.serviceCenterClients.get(this.registryName);
            RbacTokenRequest rbacTokenRequest = new RbacTokenRequest();
            rbacTokenRequest.setName(this.accountName);
            rbacTokenRequest.setPassword(new String(this.cipher.decrypt(this.password.toCharArray())));
            RbacTokenResponse queryToken = serviceCenterClient.queryToken(rbacTokenRequest);
            this.lastStatusCode = queryToken.getStatusCode();
            this.lastErrorCode = queryToken.getErrorCode();
            if (Response.Status.UNAUTHORIZED.getStatusCode() == queryToken.getStatusCode() || Response.Status.FORBIDDEN.getStatusCode() == queryToken.getStatusCode()) {
                TokenCacheManager.LOGGER.warn("username or password may be wrong, stop trying to query tokens.");
                return TokenCacheManager.INVALID_TOKEN;
            }
            if (Response.Status.NOT_FOUND.getStatusCode() == queryToken.getStatusCode()) {
                TokenCacheManager.LOGGER.warn("service center do not support RBAC token, you should not config account info");
                return TokenCacheManager.INVALID_TOKEN;
            }
            TokenCacheManager.LOGGER.info("refresh token successfully {}", Integer.valueOf(queryToken.getStatusCode()));
            return queryToken.getToken();
        }

        protected long refreshTime() {
            return TOKEN_REFRESH_TIME_IN_SECONDS;
        }

        public String getToken() {
            if (!enabled()) {
                return null;
            }
            try {
                return (String) this.cache.get(this.registryName);
            } catch (Exception e) {
                TokenCacheManager.LOGGER.error("failed to create token", e);
                return null;
            }
        }

        private boolean enabled() {
            return (StringUtils.isEmpty(this.accountName) || StringUtils.isEmpty(this.password)) ? false : true;
        }
    }

    public static TokenCacheManager getInstance() {
        return INSTANCE;
    }

    private TokenCacheManager() {
    }

    public void setServiceCenterClients(Map<String, ServiceCenterClient> map) {
        this.serviceCenterClients = map;
    }

    public void addTokenCache(String str, String str2, String str3, Cipher cipher) {
        Objects.requireNonNull(str, "registryName should not be null!");
        if (this.tokenCacheMap.containsKey(str)) {
            LOGGER.warn("duplicate token cache registration for serviceRegistry[{}]", str);
        } else {
            this.tokenCacheMap.put(str, new TokenCache(str, str2, str3, cipher));
        }
    }

    public String getToken(String str) {
        return (String) Optional.ofNullable(this.tokenCacheMap.get(str)).map((v0) -> {
            return v0.getToken();
        }).orElse(null);
    }
}
