package cern.rbac.util.authentication;

import cern.accsoft.commons.util.concurrent.DefaultThreadFactory;
import cern.rbac.client.ClientConfiguration;
import cern.rbac.client.authentication.AuthenticationClient;
import cern.rbac.client.authentication.AuthenticationException;
import cern.rbac.client.impl.DefaultCallbackHandler;
import cern.rbac.client.impl.authentication.RbaLoginContext;
import cern.rbac.common.RbaToken;
import cern.rbac.common.Role;
import cern.rbac.common.RoleUtils;
import cern.rbac.common.authentication.LoginPolicy;
import cern.rbac.util.holder.ClientTierTokenHolder;
import cern.rbac.util.lookup.RbaTokenLookup;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/rbac-util-4.3.2.jar:cern/rbac/util/authentication/LoginServiceImpl.class */
final class LoginServiceImpl implements LoginService, Runnable {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) LoginServiceImpl.class);
    private static final int DELAY_BEFORE_START_SEC = 10;
    private static final int TIMEOUT_FOR_EXECUTOR_SHUTDOWN_SEC = 2;
    private final ClientConfiguration configuration;
    private final boolean autoRefresh;
    private final int refreshRateSec;
    private AuthenticationClient authenticationClient;
    private final String userName;
    private final String userPassword;
    private final LoginPolicy loginPolicy;
    private final InitialLoginPolicy initialLoginPolicy;
    private CallbackHandler callbackHandler;
    private final String[] roles;
    private ScheduledThreadPoolExecutor executor;
    private ScheduledFuture<?> refreshTaskFuture;
    private final Object refreshTaskFutureLock = new Object();

    /* JADX INFO: Access modifiers changed from: package-private */
    public LoginServiceImpl(ClientConfiguration clientConfiguration, LoginServiceBuilder loginServiceBuilder) throws AuthenticationException {
        this.configuration = clientConfiguration;
        this.autoRefresh = loginServiceBuilder.isAutoRefresh();
        this.refreshRateSec = loginServiceBuilder.getRefreshRateSec();
        this.authenticationClient = AuthenticationClient.create(clientConfiguration);
        this.userName = loginServiceBuilder.getUserName();
        this.userPassword = loginServiceBuilder.getUserPassword();
        this.loginPolicy = loginServiceBuilder.getLoginPolicy();
        this.initialLoginPolicy = loginServiceBuilder.getInitialLoginPolicy();
        this.callbackHandler = loginServiceBuilder.getCallbackHandler();
        this.roles = loginServiceBuilder.getRoles();
        loginAndStart();
    }

    @Override // java.lang.Runnable
    public synchronized void run() {
        RbaToken findClientTierRbaToken = RbaTokenLookup.findClientTierRbaToken();
        if (findClientTierRbaToken != null) {
            LOGGER.debug("Rba token found as [{}], valid until: {}", findClientTierRbaToken.getUser(), findClientTierRbaToken.getEndTime());
            LOGGER.debug("Rba token details: [{}]", findClientTierRbaToken);
        } else {
            LOGGER.debug("No client Rba token found");
        }
        int tokenValidityPeriod = getTokenValidityPeriod();
        if (findClientTierRbaToken != null && findClientTierRbaToken.isValid(tokenValidityPeriod)) {
            LOGGER.debug("Token still valid within {} secs.", Integer.valueOf(tokenValidityPeriod));
            return;
        }
        LOGGER.debug("Token invalid within {} secs. Re-login in RBAC ...", Integer.valueOf(tokenValidityPeriod));
        try {
            reloginUser();
        } catch (AuthenticationException e) {
            LOGGER.error("Failed to automatically refresh Rba token: " + e.getMessage(), (Throwable) e);
        } catch (Exception e2) {
            LOGGER.error("Failed to automatically refresh Rba token: unexpected exception --> " + e2.getMessage(), (Throwable) e2);
        }
    }

    @Override // cern.rbac.util.authentication.LoginService
    public synchronized void loginNewUser() throws AuthenticationException {
        logout();
        login();
    }

    @Override // cern.rbac.util.authentication.LoginService
    public synchronized void reloginUser() throws AuthenticationException {
        login();
    }

    @Override // cern.rbac.util.authentication.LoginService
    public synchronized void logout() {
        ClientTierTokenHolder.setRbaToken(null);
    }

    private void login() throws AuthenticationException {
        RbaToken rbaToken = getRbaToken();
        ClientTierTokenHolder.setRbaToken(rbaToken);
        if (rbaToken == null) {
            LOGGER.error("Token was not acquired or not found !?");
        } else {
            LOGGER.debug("Rba token successfully acquired as [{}] valid until: {}", rbaToken.getUser().getName(), rbaToken.getEndTime());
            LOGGER.debug("User roles: {}", Arrays.toString(rbaToken.getUser().getRoles()));
        }
    }

    private RbaToken getRbaToken() throws AuthenticationException {
        if (this.callbackHandler == null && (this.roles == null || this.roles.length == 0)) {
            return loginWithoutRoles();
        }
        if (this.callbackHandler == null) {
            this.callbackHandler = createCallbackHandlerForRoles();
        }
        return loginUsingCallbackHandler();
    }

    private RbaToken loginWithoutRoles() throws AuthenticationException {
        switch (this.loginPolicy) {
            case KERBEROS:
                return this.authenticationClient.loginKerberos();
            case LOCATION:
                return this.authenticationClient.loginLocation();
            case EXPLICIT:
                return this.authenticationClient.loginExplicit(this.userName, this.userPassword);
            case DEFAULT:
                try {
                    return this.authenticationClient.loginLocation();
                } catch (AuthenticationException e) {
                    LOGGER.debug("Location login failed in DEFAULT loginPolicy", (Throwable) e);
                    try {
                        return this.authenticationClient.loginKerberos();
                    } catch (AuthenticationException e2) {
                        LOGGER.debug("Kerberos login failed in DEFAULT loginPolicy", (Throwable) e2);
                        return this.authenticationClient.loginExplicit(this.userName, this.userPassword);
                    }
                }
            default:
                throw new UnsupportedOperationException("Unsupported login policy " + this.loginPolicy);
        }
    }

    private DefaultCallbackHandler createCallbackHandlerForRoles() {
        return new DefaultCallbackHandler(this.configuration.getApplicationName(), this.userName, this.userPassword != null ? this.userPassword.toCharArray() : null) { // from class: cern.rbac.util.authentication.LoginServiceImpl.1
            @Override // cern.rbac.client.impl.DefaultCallbackHandler, cern.rbac.client.impl.AbstractCallbackHandler
            protected Role[] getSelectedRoles(Role[] roleArr, Role[] roleArr2, Date date) {
                return RoleUtils.createRoles(LoginServiceImpl.this.roles);
            }

            @Override // cern.rbac.client.impl.AbstractCallbackHandler
            public boolean isRolePickerEnabled() {
                return true;
            }
        };
    }

    private RbaToken loginUsingCallbackHandler() throws AuthenticationException {
        try {
            RbaLoginContext rbaLoginContext = new RbaLoginContext(this.configuration, this.loginPolicy, this.callbackHandler);
            rbaLoginContext.login();
            return rbaLoginContext.getRbaSubject().getAppToken();
        } catch (LoginException e) {
            throw new AuthenticationException(e);
        }
    }

    private void performInitialLogin() throws AuthenticationException {
        RbaToken findClientTierRbaToken = RbaTokenLookup.findClientTierRbaToken();
        if (findClientTierRbaToken != null) {
            LOGGER.debug("InitialLogin: Client token for [{}] already exists. Valid until: {}", findClientTierRbaToken.getUser().getName(), findClientTierRbaToken.getEndTime());
            if (findClientTierRbaToken.isValid(getTokenValidityPeriod()) && this.initialLoginPolicy == InitialLoginPolicy.NO_LOGIN_IF_TOKEN_PRESENT) {
                LOGGER.debug("InitialLogin: Client token still valid --> skipping initial login.");
                return;
            }
            LOGGER.debug("InitialLogin: Client token not valid or InitialLoginPolicy.PERFORM_LOGIN --> perform initial login.");
        } else {
            LOGGER.debug("InitialLogin: Client token not found --> perform initial login.");
        }
        login();
    }

    private int getTokenValidityPeriod() {
        return this.refreshRateSec * 2;
    }

    private void start() {
        synchronized (this.refreshTaskFutureLock) {
            if (this.autoRefresh && this.refreshTaskFuture == null) {
                startExecutorService();
                this.refreshTaskFuture = this.executor.scheduleAtFixedRate(this, 10L, this.refreshRateSec, TimeUnit.SECONDS);
                LOGGER.debug("Next token check in {} seconds ...", Integer.valueOf(this.refreshRateSec));
            }
        }
    }

    private void startExecutorService() {
        if (this.executor == null) {
            this.executor = new ScheduledThreadPoolExecutor(1, new DefaultThreadFactory("LoginServiceImpl-Thread-", true));
        }
    }

    private void stop() {
        synchronized (this.refreshTaskFutureLock) {
            if (this.refreshTaskFuture != null) {
                this.refreshTaskFuture.cancel(false);
                this.refreshTaskFuture = null;
            }
            stopExecutorService();
            this.executor = null;
        }
    }

    private void stopExecutorService() {
        if (this.executor == null) {
            return;
        }
        this.executor.shutdown();
        waitForRunningTasksToFinish();
        stopRunningTasksAndShutdownScheduler();
    }

    private void waitForRunningTasksToFinish() {
        try {
            if (this.executor.awaitTermination(2L, TimeUnit.SECONDS)) {
                LOGGER.info("Executor's tasks terminated before '{}' seconds deadline", (Object) 2);
            } else {
                LOGGER.info("Executor's tasks have not terminated before '{}' seconds deadline", (Object) 2);
            }
        } catch (InterruptedException e) {
            LOGGER.info("Executor was interrupted while awaiting tasks termination: {}", e.getMessage(), e);
        }
    }

    private void stopRunningTasksAndShutdownScheduler() {
        List<Runnable> shutdownNow = this.executor.shutdownNow();
        if (shutdownNow.isEmpty()) {
            return;
        }
        Iterator<Runnable> it = shutdownNow.iterator();
        while (it.hasNext()) {
            LOGGER.info("Interrupted task: '{}'", it.next());
        }
    }

    private void loginAndStart() throws AuthenticationException {
        performInitialLogin();
        start();
    }

    @Override // cern.rbac.util.authentication.LoginService, java.lang.AutoCloseable
    public void close() {
        stop();
        logout();
    }
}
