package cern.accsoft.security.rba;

import cern.accsoft.commons.util.Assert;
import cern.accsoft.security.rba.serialization.decode.SerializedTokenFields;
import cern.accsoft.security.rba.serialization.decode.TokenDecoderFactory;
import cern.accsoft.security.rba.spi.AppPrincipalImpl;
import cern.accsoft.security.rba.spi.Constants;
import cern.accsoft.security.rba.spi.LocationPrincipalImpl;
import cern.accsoft.security.rba.spi.ServiceLocator;
import cern.accsoft.security.rba.spi.UserPrincipalImpl;
import cern.accsoft.security.rba.spi.exec.ExecutionService;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.Callable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:cern/accsoft/security/rba/RBAToken.class */
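/**
 * An RBA token: the encoded token bytes plus the fields decoded from them.
 *
 * <p>Only {@code encoded} and {@code tokenFormat} are serialized. Every other field is
 * transient and is rebuilt by {@link #decode()} on construction and on deserialization.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Constructing or deserializing a token only parses it. Nothing in this class checks the
 *       signature unless {@link #verify(PublicKey[])} is called, so a decoded token must not be
 *       trusted until it has been verified.</li>
 *   <li>{@link #verify(PublicKey[])} does not look at the expiration time and
 *       {@link #isValid()} does not look at the signature. An authorization decision needs
 *       both.</li>
 *   <li>{@link #equals(Object)} compares the serial id only, so two tokens with the same serial
 *       but different content (or one of them unverified) compare equal.</li>
 * </ul>
 */
public final class RBAToken implements Serializable {
    private static final long serialVersionUID = -376146868388891764L;
    /** Milliseconds added after {@code endTime} before the timer fires, and the grace sleep in {@link #ensureTokenExpired()}. */
    private static final long EXPIRATION_TIMER_DELAY = 100;
    private final byte[] encoded;
    private final TokenFormat tokenFormat;
    private transient int serialId;
    private transient Date authTime;
    private transient Date endTime;
    private transient AppPrincipal app;
    private transient LocationPrincipal loc;
    private transient UserPrincipal user;
    private transient ExtraFields extra;
    private transient TokenType tokenType;
    private transient Set<TokenExpirationListener> listeners;
    private transient Timer expirationTimer;
    private transient byte[] body;
    private transient byte[] signature;
    private static final Logger LOGGER = LoggerFactory.getLogger(RBAToken.class);
    // NOTE(review): package-visible array whose contents are mutable; code in this package
    // must never write to it, since isEmpty() compares against it.
    static final byte[] EMPTY_TOKEN_ENCODED = {0};

    /**
     * Creates a token from a whole byte array.
     *
     * @param tokenFormat format used to pick the decoder; must not be null
     * @param bArr encoded token bytes; must not be null
     * @throws TokenFormatException if the bytes cannot be decoded
     */
    public RBAToken(TokenFormat tokenFormat, byte[] bArr) throws TokenFormatException {
        // Do not dereference a null array here, so that the null check in the delegate reports it.
        this(tokenFormat, bArr, 0, bArr == null ? 0 : bArr.length);
    }

    /**
     * Creates a token from a slice of a byte array. The slice is copied, so later changes to
     * {@code bArr} do not affect the token.
     *
     * @param tokenFormat format used to pick the decoder; must not be null
     * @param bArr buffer holding the encoded token; must not be null
     * @param i offset of the first token byte in {@code bArr}
     * @param i2 number of token bytes
     * @throws TokenFormatException if the bytes cannot be decoded
     */
    public RBAToken(TokenFormat tokenFormat, byte[] bArr, int i, int i2) throws TokenFormatException {
        Assert.notNull(tokenFormat, "TokenFormat is null.");
        Assert.isTrue(bArr != null, "Encoded byte array is null.");
        // The bytes may come from an untrusted peer: reject a bad range up front rather than
        // failing inside the allocation or the copy. Written as a subtraction to avoid int overflow.
        Assert.isTrue(i >= 0 && i2 >= 0 && i2 <= bArr.length - i, "Offset/length are outside the encoded byte array.");
        this.tokenFormat = tokenFormat;
        this.encoded = new byte[i2];
        System.arraycopy(bArr, i, this.encoded, 0, i2);
        decode();
    }

    /** Returns true when the encoded form is exactly {@link #EMPTY_TOKEN_ENCODED}. */
    public boolean isEmpty() {
        return Arrays.equals(EMPTY_TOKEN_ENCODED, this.encoded);
    }

    public TokenType getType() {
        return this.tokenType;
    }

    public TokenFormat getTokenFormat() {
        return this.tokenFormat;
    }

    public int getSerialId() {
        return this.serialId;
    }

    /** Returns a copy of the authentication time. */
    public Date getAuthTime() {
        return (Date) this.authTime.clone();
    }

    /** Returns a copy of the expiration time. */
    public Date getEndTime() {
        return (Date) this.endTime.clone();
    }

    /** Returns a copy of the renew-till time from the extra fields, or the end time when there is none. */
    public Date getRenewTill() {
        Date renewTill = this.extra == null ? null : this.extra.getRenewTill();
        return renewTill == null ? getEndTime() : (Date) renewTill.clone();
    }

    /** Returns the application principal; null for an empty token. */
    public AppPrincipal getApplication() {
        return this.app;
    }

    /** Returns the location principal; null for an empty token. */
    public LocationPrincipal getLocation() {
        return this.loc;
    }

    /** Returns the user principal; null for an empty token. */
    public UserPrincipal getUser() {
        return this.user;
    }

    /** Returns the extra fields; may be null. */
    public ExtraFields getExtra() {
        return this.extra;
    }

    /** Returns a copy of the encoded bytes, so callers cannot alter the token's own array. */
    public byte[] getEncoded() {
        return this.encoded.clone();
    }

    /** Returns true when the end time is still in the future. Does not check the signature. */
    public boolean isValid() {
        return isValid(0);
    }

    /**
     * Returns true when the token will still be unexpired {@code i} seconds from now.
     * Relies on the local clock and does not check the signature.
     *
     * @param i look-ahead in seconds
     */
    public boolean isValid(int i) {
        return this.endTime.getTime() > System.currentTimeMillis() + (((long) i) * 1000);
    }

    /**
     * Checks the token signature against each of the given keys in turn.
     *
     * <p>This checks the signature only. It does not check expiration; combine it with
     * {@link #isValid()} before trusting the token.
     *
     * @param publicKeyArr candidate verification keys
     * @return true when one key verifies the signature over the token body; false when none
     *     does, or when the token carries no body or signature (for example the empty token)
     * @throws GeneralSecurityException if the signature algorithm or a key is unusable
     */
    public boolean verify(PublicKey[] publicKeyArr) throws GeneralSecurityException {
        // Fail closed: a token with nothing to verify is never reported as verified.
        // The empty token leaves both fields unset.
        if (this.body == null || this.signature == null) {
            return false;
        }
        Signature verifier = Signature.getInstance(Constants.SIGNATURE_ALGORITHM);
        for (PublicKey publicKey : publicKeyArr) {
            verifier.initVerify(publicKey);
            verifier.update(this.body);
            if (verifier.verify(this.signature)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public int hashCode() {
        return this.serialId;
    }

    /**
     * Two tokens are equal when their serial ids match; nothing else is compared.
     *
     * <p>NOTE(review): equality therefore says nothing about authenticity. A cache or set keyed
     * on tokens should only ever hold tokens that passed {@link #verify(PublicKey[])}.
     */
    @Override
    public boolean equals(Object obj) {
        return (obj instanceof RBAToken) && ((RBAToken) obj).serialId == this.serialId;
    }

    /**
     * Registers a listener to be called shortly after the token expires. The first registration
     * starts a daemon timer for this token.
     *
     * @throws IllegalStateException if this is a master token or the token has already expired
     */
    public void addExpirationListener(TokenExpirationListener tokenExpirationListener) {
        LOGGER.debug("addExpirationListener() START ...");
        if (this.tokenType.isMaster()) {
            throw new IllegalStateException("Can't register token expiration listener for a master token");
        }
        if (!isValid()) {
            throw new IllegalStateException("Can't register token expiration listener, token is already expired");
        }
        synchronized (this.listeners) {
            this.listeners.add(tokenExpirationListener);
            if (this.expirationTimer == null) {
                this.expirationTimer = new Timer("RBATokenExpirationTimer", true);
                this.expirationTimer.schedule(new TimerTask() {
                    @Override
                    public void run() {
                        RBAToken.this.fireExpirationListeners();
                    }
                }, new Date(this.endTime.getTime() + EXPIRATION_TIMER_DELAY));
            }
        }
        LOGGER.debug("addExpirationListener() END");
    }

    /** Unregisters one listener and stops the timer when no listeners remain. */
    public void removeExpirationListener(TokenExpirationListener tokenExpirationListener) {
        LOGGER.debug("removeExpirationListener() START ...");
        synchronized (this.listeners) {
            this.listeners.remove(tokenExpirationListener);
            if (this.listeners.isEmpty()) {
                stopExpirationTimer();
            }
        }
        LOGGER.debug("removeExpirationListener() END");
    }

    /** Unregisters every listener and stops the timer. */
    public void removeExpirationListeners() {
        LOGGER.debug("removeExpirationListeners() START ...");
        LOGGER.debug("removeExpirationListeners() {}", toString());
        synchronized (this.listeners) {
            this.listeners.clear();
            stopExpirationTimer();
        }
        LOGGER.debug("removeExpirationListeners() END");
    }

    /** Formats the decoded fields for logging. The encoded bytes and signature are not included. */
    @Override
    public String toString() {
        // SimpleDateFormat is not thread-safe, so a fresh instance is created per call.
        SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yyyy-MM-dd'@'HH:mm:ss");
        return String.format("RBAToken[serial=0x%s; authTime=%s; endTime=%s; application=%s; location=%s; user=%s; extra=%s]", Long.toHexString(this.serialId & 0xFFFFFFFFL), simpleDateFormat.format(this.authTime), simpleDateFormat.format(this.endTime), this.app, this.loc, this.user, this.extra);
    }

    /**
     * Rebuilds all transient state from {@code encoded}. This parses the token and does not
     * verify its signature.
     *
     * @throws TokenFormatException wrapping any failure raised while decoding
     */
    private void decode() throws TokenFormatException {
        // Created for every token, the empty one included, so that the remove*Listener
        // methods can always synchronize on it.
        this.listeners = new LinkedHashSet<TokenExpirationListener>();
        try {
            if (isEmpty()) {
                initEmptyToken();
                return;
            }
            SerializedTokenFields decode = TokenDecoderFactory.getDecoder(this.tokenFormat).decode(this.encoded);
            this.serialId = decode.getSerialId();
            // presumably the decoder reports times in seconds; Date takes milliseconds — confirm
            this.authTime = new Date(decode.getAuthenticationTime() * 1000);
            this.endTime = new Date(decode.getExpirationTime() * 1000);
            this.app = new AppPrincipalImpl(decode.getApplicationName(), decode.isApplicationCritical(), Integer.valueOf(decode.getApplicationTimeout()));
            this.loc = new LocationPrincipalImpl(decode.getLocationName(), InetAddress.getByAddress(decode.getLocationAddress()), decode.isLocationAuthReq());
            this.user = new UserPrincipalImpl(decode.getUserName(), decode.getUserFullName(), decode.getUserEmail(), decode.getRoles(), decode.getUserAccountType());
            this.extra = decode.getExtraFields();
            this.body = decode.getBody();
            this.signature = decode.getSignature();
            this.tokenType = this.extra == null ? TokenType.APPLICATION : this.extra.getTokenType();
        } catch (Exception e) {
            // The input is external data; report every decoding failure as a format error.
            throw new TokenFormatException(e);
        }
    }

    /**
     * Notifies all registered listeners that the token has expired, then forgets them and
     * stops the timer. Each listener runs as its own task on the execution service.
     *
     * <p>The decompiler reports that this method was private in the original class; it is only
     * meant to be called by the timer task.
     *
     * @throws IllegalStateException if the token is still valid after the grace wait
     */
    public void fireExpirationListeners() {
        Set<TokenExpirationListener> toNotify;
        ensureTokenExpired();
        synchronized (this.listeners) {
            toNotify = new LinkedHashSet<TokenExpirationListener>(this.listeners);
            this.listeners.clear();
            // A concurrent remove*Listener call may already have cancelled and cleared the
            // timer while this task was starting, so the field can be null here.
            stopExpirationTimer();
        }
        LOGGER.debug("Calling token expiration listeners");
        ExecutionService executionService = ServiceLocator.getExecutionService();
        for (final TokenExpirationListener tokenExpirationListener : toNotify) {
            executionService.submit(new Callable<Void>() {
                @Override
                public Void call() throws Exception {
                    try {
                        tokenExpirationListener.tokenExpired();
                        return null;
                    } catch (Exception e) {
                        // One failing listener must not stop the others from being notified.
                        RBAToken.LOGGER.error("Error calling token expiration listener", e);
                        return null;
                    }
                }
            });
        }
    }

    /** Cancels and clears the expiration timer if one is running. Caller must hold the {@code listeners} lock. */
    private void stopExpirationTimer() {
        if (this.expirationTimer != null) {
            this.expirationTimer.cancel();
            this.expirationTimer.purge();
            this.expirationTimer = null;
        }
    }

    /**
     * Guards against the timer firing early: waits once, then fails if the token is still valid.
     *
     * @throws IllegalStateException if the token is still valid after the wait
     */
    private void ensureTokenExpired() {
        if (isValid()) {
            LOGGER.warn("About to fire expiration notifications but token is still valid: {}", toString());
            try {
                Thread.sleep(EXPIRATION_TIMER_DELAY);
            } catch (InterruptedException e) {
                LOGGER.error(e.getMessage(), e);
                // Restore the interrupt flag so the owner of this thread can still see it.
                Thread.currentThread().interrupt();
            }
            if (isValid()) {
                throw new IllegalStateException("Waited for token to expire but it is still valid");
            }
        }
    }

    /**
     * Restores the two serialized fields and rebuilds the rest by decoding.
     *
     * <p>A serialized stream is untrusted input. The result is a parsed token, not a verified
     * one; callers still need {@link #verify(PublicKey[])}.
     */
    private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        objectInputStream.defaultReadObject();
        // The constructors reject nulls; apply the same rule to a stream that bypasses them.
        if (this.tokenFormat == null || this.encoded == null) {
            throw new java.io.InvalidObjectException("Serialized RBAToken is missing its format or encoded bytes");
        }
        // decode() also re-creates the listener set.
        decode();
    }

    /** Sets the decoded state for the empty token: epoch times (so it is never valid) and no principals. */
    private void initEmptyToken() {
        this.serialId = 0;
        this.authTime = new Date(0L);
        this.endTime = new Date(0L);
        this.app = null;
        this.loc = null;
        this.user = null;
        this.extra = null;
        this.tokenType = TokenType.APPLICATION;
    }
}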
