package com.huaweicloud.governance.authentication.provider;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.huaweicloud.governance.authentication.Const;
import com.huaweicloud.governance.authentication.RsaAuthenticationToken;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.servicecomb.foundation.common.utils.RSAUtils;
import org.apache.servicecomb.service.center.client.ServiceCenterClient;
import org.apache.servicecomb.service.center.client.model.Microservice;
import org.apache.servicecomb.service.center.client.model.MicroserviceInstance;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/huaweicloud/governance/authentication/provider/RSAProviderTokenManager.class */
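public class RSAProviderTokenManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(RSAProviderTokenManager.class);

    /** Default time (ms) a token stays in {@link #validatedToken} after its last use; see {@link #getExpiredTime()}. */
    private static final int DEFAULT_VALIDATED_TOKEN_TTL_MILLIS = 3600000;

    /** Slack (ms) added on top of {@code TOKEN_ACTIVE_TIME} before a token is treated as expired. */
    private static final long TOKEN_EXPIRE_GRACE_MILLIS = 900000L;

    /** Size / idle-TTL bounds of the registry lookup caches shared by all managers in this JVM. */
    private static final int REGISTRY_CACHE_MAX_SIZE = 1000;

    private static final long REGISTRY_CACHE_IDLE_MINUTES = 30;

    /** serviceId@instanceId -> instance; shared (static) across all manager instances. */
    private static final Cache<String, MicroserviceInstance> instances = CacheBuilder.newBuilder()
            .maximumSize(REGISTRY_CACHE_MAX_SIZE)
            .expireAfterAccess(REGISTRY_CACHE_IDLE_MINUTES, TimeUnit.MINUTES)
            .build();

    /** serviceId -> microservice; shared (static) across all manager instances. */
    private static final Cache<String, Microservice> microservices = CacheBuilder.newBuilder()
            .maximumSize(REGISTRY_CACHE_MAX_SIZE)
            .expireAfterAccess(REGISTRY_CACHE_IDLE_MINUTES, TimeUnit.MINUTES)
            .build();

    /**
     * Tokens whose signature has already been verified. A hit here skips {@link #isValidToken}, so a key
     * rotation or instance removal in the registry is not noticed for a cached token until it falls out
     * of this cache (idle TTL from {@link #getExpiredTime()}) or fails {@link #tokenExpired}.
     * NOTE: getExpiredTime() is overridable and is invoked here, during field initialization, i.e. before
     * any subclass constructor body has run; an override must not rely on subclass state.
     */
    private final Cache<RsaAuthenticationToken, Boolean> validatedToken = CacheBuilder.newBuilder()
            .expireAfterAccess(getExpiredTime(), TimeUnit.MILLISECONDS)
            .build();

    private final AccessController accessController;

    private final ServiceCenterClient client;

    /**
     * @param serviceCenterClient registry client used to resolve services, instances and their public keys
     * @param blackWhiteListProperties access rules handed to the {@link AccessController}
     */
    public RSAProviderTokenManager(ServiceCenterClient serviceCenterClient, BlackWhiteListProperties blackWhiteListProperties) {
        this.client = serviceCenterClient;
        this.accessController = new AccessController(blackWhiteListProperties);
    }

    /**
     * Authenticates and authorizes a serialized consumer token.
     *
     * @param str the token string as presented by the consumer (untrusted)
     * @return {@code true} only if the token parses, is not expired, carries a valid signature for the
     *         instance it names (or was verified recently), and the named service passes the access rules
     */
    public boolean valid(String str) {
        try {
            RsaAuthenticationToken token = RsaAuthenticationToken.fromStr(str);
            if (null == token) {
                LOGGER.error("token format is error, perhaps you need to set auth handler at consumer");
                return false;
            }
            if (tokenExpired(token)) {
                LOGGER.error("token is expired");
                return false;
            }
            // Fast path: signature verified earlier; only the access rules are re-evaluated.
            if (this.validatedToken.asMap().containsKey(token)) {
                return isAllowedByService(token);
            }
            // Slow path: the serviceId/instanceId inside the token are untrusted until the signature verifies
            // against the public key registered for that instance. Expiry is re-checked afterwards because
            // verification may involve a registry round-trip.
            if (!isValidToken(token) || tokenExpired(token)) {
                return false;
            }
            this.validatedToken.put(token, true);
            return isAllowedByService(token);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException | InvalidKeySpecException e) {
            LOGGER.error("verify error", e);
            return false;
        }
    }

    /**
     * Applies the access rules to the microservice named by the token.
     * Fails closed when the service cannot be resolved from the registry instead of handing
     * {@code null} to the access controller.
     */
    private boolean isAllowedByService(RsaAuthenticationToken token) {
        Microservice microservice = getOrCreate(token.getServiceId());
        if (microservice == null) {
            // getOrCreate has already logged the lookup failure.
            LOGGER.error("microservice {} can not be resolved, access denied", token.getServiceId());
            return false;
        }
        return this.accessController.isAllowed(microservice);
    }

    /**
     * Verifies the token signature with the public key the registry holds for the token's instance.
     *
     * @return {@code false} when no public key is registered for the instance (fail closed) or the
     *         signature does not verify
     * @throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException
     *         propagated from {@link RSAUtils#verify}
     */
    public boolean isValidToken(RsaAuthenticationToken rsaAuthenticationToken) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException {
        String instanceId = rsaAuthenticationToken.getInstanceId();
        String serviceId = rsaAuthenticationToken.getServiceId();
        String publicKey = getPublicKeyFromInstance(instanceId, serviceId);
        if (publicKey == null || publicKey.isEmpty()) {
            // Instance unknown or registered without a public key: deny explicitly rather than passing an
            // empty/null key to RSAUtils.verify, whose failure mode for that input is not visible here.
            LOGGER.error("no public key registered for instance {} of service {}", instanceId, serviceId);
            return false;
        }
        return RSAUtils.verify(publicKey, rsaAuthenticationToken.getSign(), rsaAuthenticationToken.plainToken());
    }

    /**
     * Idle time (ms) a verified token is kept in {@link #validatedToken}. Overridable for tests; called
     * during field initialization (see the field's doc).
     */
    protected int getExpiredTime() {
        return DEFAULT_VALIDATED_TOKEN_TTL_MILLIS;
    }

    /**
     * Returns whether the token's generation time plus its active window and a grace period lies in
     * the past. The generation time is read from the token as presented; it is only trustworthy once
     * the signature has been verified (presumably the signed plain token covers it - not visible here).
     */
    private boolean tokenExpired(RsaAuthenticationToken rsaAuthenticationToken) {
        long expiresAt = rsaAuthenticationToken.getGenerateTime() + RsaAuthenticationToken.TOKEN_ACTIVE_TIME + TOKEN_EXPIRE_GRACE_MILLIS;
        return System.currentTimeMillis() > expiresAt;
    }

    /**
     * Looks up the public key property of an instance.
     *
     * @return the registered key, or {@code ""} when the instance is unknown; may be {@code null} when the
     *         instance exists but has no such property
     */
    private String getPublicKeyFromInstance(String instanceId, String serviceId) {
        MicroserviceInstance instance = getOrCreate(serviceId, instanceId);
        if (instance != null) {
            return (String) instance.getProperties().get(Const.INSTANCE_PUBKEY_PRO);
        }
        LOGGER.error("not instance found {}-{}, maybe attack", instanceId, serviceId);
        return "";
    }

    @VisibleForTesting
    Cache<RsaAuthenticationToken, Boolean> getValidatedToken() {
        return this.validatedToken;
    }

    /**
     * Resolves a microservice by id through the shared cache.
     *
     * @return the microservice, or {@code null} when the registry does not know the id or the lookup failed
     */
    public Microservice getOrCreate(String serviceId) {
        try {
            return microservices.get(serviceId, () -> {
                Microservice microservice = this.client.getMicroserviceByServiceId(serviceId);
                if (microservice == null) {
                    throw new IllegalArgumentException("service id not exists.");
                }
                return microservice;
            });
        } catch (ExecutionException | UncheckedExecutionException e) {
            // Message only: this path is reachable with a forged token, so a full stack trace per attempt
            // would only inflate the log.
            LOGGER.error("get microservice from cache failed, {}, {}", serviceId, e.getMessage());
            return null;
        }
    }

    /**
     * Resolves an instance of a microservice through the shared cache.
     *
     * @param serviceId id of the owning microservice
     * @param instanceId id of the instance
     * @return the instance, or {@code null} when the registry does not know it or the lookup failed
     */
    public MicroserviceInstance getOrCreate(String serviceId, String instanceId) {
        String cacheKey = instanceCacheKey(serviceId, instanceId);
        try {
            return instances.get(cacheKey, () -> {
                MicroserviceInstance instance = this.client.getMicroserviceInstance(serviceId, instanceId);
                if (instance == null) {
                    throw new IllegalArgumentException("instance id not exists.");
                }
                return instance;
            });
        } catch (ExecutionException | UncheckedExecutionException e) {
            // Message only, for the same log-volume reason as in getOrCreate(String).
            LOGGER.error("get microservice instance from cache failed, {}, {}", cacheKey, e.getMessage());
            return null;
        }
    }

    /** Key format of {@link #instances}; kept identical to the original so existing entries stay addressable. */
    private static String instanceCacheKey(String serviceId, String instanceId) {
        return String.format("%s@%s", serviceId, instanceId);
    }
}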
