package com.alibaba.nacos.plugin.auth.impl.token.impl;

import com.alibaba.nacos.api.exception.runtime.NacosRuntimeException;
import com.alibaba.nacos.common.event.ServerConfigChangeEvent;
import com.alibaba.nacos.common.notify.Event;
import com.alibaba.nacos.common.notify.NotifyCenter;
import com.alibaba.nacos.common.notify.listener.Subscriber;
import com.alibaba.nacos.plugin.auth.exception.AccessException;
import com.alibaba.nacos.plugin.auth.impl.configuration.AuthConfigs;
import com.alibaba.nacos.plugin.auth.impl.constant.AuthConstants;
import com.alibaba.nacos.plugin.auth.impl.jwt.NacosJwtParser;
import com.alibaba.nacos.plugin.auth.impl.token.TokenManager;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
import com.alibaba.nacos.sys.env.EnvUtil;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;

/* loaded from: input_file:com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManager.class */
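/**
 * JWT-backed {@link TokenManager} that issues and parses Nacos access tokens.
 *
 * <p>The signing key and the token lifetime are read from the environment through
 * {@link EnvUtil} at construction time and re-read on every {@link ServerConfigChangeEvent}.
 * Both values are held in {@code volatile} fields because the reload may run on a different
 * thread than the request threads that issue or validate tokens.
 *
 * <p>When no usable signing key is configured the parser is {@code null}. Every method that
 * needs the parser reads it once through {@link #requireJwtParser()}, so a missing key is
 * reported as a {@link NacosRuntimeException} instead of surfacing as a
 * {@link NullPointerException}, and a reload between the check and the use cannot swap the
 * parser out from under a request.
 */
public class JwtTokenManager extends Subscriber<ServerConfigChangeEvent> implements TokenManager {
    /**
     * Fixed placeholder returned by {@link #createToken(String)} when auth is disabled and no
     * parser is available. It is not a signed JWT and carries no identity.
     */
    private static final String AUTH_DISABLED_TOKEN = "AUTH_DISABLED";

    /** Lifetime applied to newly issued tokens, in seconds. */
    private volatile long tokenValidityInSeconds;

    /** Parser/signer built from the configured secret key; {@code null} if the key was rejected. */
    private volatile NacosJwtParser jwtParser;

    private final AuthConfigs authConfigs;

    /**
     * Registers this manager for configuration-change events and loads the initial settings.
     *
     * @param authConfigs source of the "auth enabled" switches consulted by this class
     * @throws IllegalArgumentException if auth (or console auth) is enabled and the configured
     *     secret key is rejected by {@link NacosJwtParser}
     */
    public JwtTokenManager(AuthConfigs authConfigs) {
        this.authConfigs = authConfigs;
        NotifyCenter.registerSubscriber(this);
        processProperties();
    }

    /**
     * Reloads the token lifetime and rebuilds the parser from the configured secret key.
     *
     * <p>If the parser cannot be built, the previous parser is discarded first. With auth enabled
     * this fails closed: later calls that need the parser are rejected rather than continuing to
     * sign or accept tokens with the old key.
     */
    private void processProperties() {
        this.tokenValidityInSeconds = (Long) EnvUtil.getProperty(AuthConstants.TOKEN_EXPIRE_SECONDS, Long.class, AuthConstants.DEFAULT_TOKEN_EXPIRE_SECONDS);
        try {
            this.jwtParser = new NacosJwtParser(EnvUtil.getProperty(AuthConstants.TOKEN_SECRET_KEY, AuthConstants.DEFAULT_TOKEN_SECRET_KEY));
        } catch (Exception e) {
            // Drop any previously valid parser before deciding whether this is fatal.
            this.jwtParser = null;
            if (this.authConfigs.isAuthEnabled() || this.authConfigs.isConsoleAuthEnabled()) {
                throw new IllegalArgumentException("the length of secret key must great than or equal 32 bytes; And the secret key  must be encoded by base64.Please see https://nacos.io/docs/latest/manual/admin/auth/", e);
            }
        }
    }

    /**
     * Issues a token for the principal name of {@code authentication}.
     *
     * @deprecated delegates to {@link #createToken(String)}
     */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    @Deprecated
    public String createToken(Authentication authentication) {
        return createToken(authentication.getName());
    }

    /**
     * Issues a signed token for {@code str} (the user name), valid for the configured lifetime.
     *
     * <p>Returns the {@code AUTH_DISABLED} placeholder only when auth is disabled <em>and</em> no
     * parser exists; with auth disabled but a valid key configured a real token is still signed.
     *
     * @param str user name to embed in the token
     * @return a compact JWT, or the {@code AUTH_DISABLED} placeholder
     * @throws NacosRuntimeException if auth is enabled and no secret key is configured
     */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    public String createToken(String str) {
        // Snapshot the volatile field once so a concurrent reload cannot null it mid-call.
        NacosJwtParser parser = this.jwtParser;
        if (null == parser) {
            // NOTE(review): only isAuthEnabled() is consulted here, while processProperties()
            // also treats isConsoleAuthEnabled() as "auth on". After a failed reload with only
            // console auth enabled this path hands out the placeholder token - confirm that
            // callers never accept it as a credential.
            if (!this.authConfigs.isAuthEnabled()) {
                return AUTH_DISABLED_TOKEN;
            }
            return requireJwtParser().jwtBuilder().setUserName(str).setExpiredTime(this.tokenValidityInSeconds).compact();
        }
        return parser.jwtBuilder().setUserName(str).setExpiredTime(this.tokenValidityInSeconds).compact();
    }

    /**
     * Parses {@code str} and wraps the user name in a Spring Security {@link Authentication}.
     *
     * @param str the token presented by the client
     * @return an authentication object for the user named in the token
     * @throws AccessException if the parser rejects the token
     * @throws NacosRuntimeException if no secret key is configured
     * @deprecated retained for the {@link TokenManager} contract
     */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    @Deprecated
    public Authentication getAuthentication(String str) throws AccessException {
        NacosUser parse = requireJwtParser().parse(str);
        // NOTE(review): DEFAULT_TOKEN_SECRET_KEY is passed as the authority list, the User
        // password and the credentials. Presumably the constant is an empty string and the
        // decompiler substituted its name for the literal - confirm against AuthConstants, since
        // a non-empty default would end up inside the returned Authentication.
        // Raw List: the element type is not imported in this file.
        List commaSeparatedStringToAuthorityList = AuthorityUtils.commaSeparatedStringToAuthorityList(AuthConstants.DEFAULT_TOKEN_SECRET_KEY);
        return new UsernamePasswordAuthenticationToken(new User(parse.getUserName(), AuthConstants.DEFAULT_TOKEN_SECRET_KEY, commaSeparatedStringToAuthorityList), AuthConstants.DEFAULT_TOKEN_SECRET_KEY, commaSeparatedStringToAuthorityList);
    }

    /**
     * Validates {@code str} by parsing it; the parsed user is discarded.
     *
     * @throws AccessException if the parser rejects the token
     * @throws NacosRuntimeException if no secret key is configured
     */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    public void validateToken(String str) throws AccessException {
        parseToken(str);
    }

    /**
     * Parses {@code str} into the {@link NacosUser} it was issued for.
     *
     * @throws AccessException if the parser rejects the token
     * @throws NacosRuntimeException if no secret key is configured
     */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    public NacosUser parseToken(String str) throws AccessException {
        return requireJwtParser().parse(str);
    }

    /** Returns the lifetime applied to newly issued tokens, in seconds. */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    public long getTokenValidityInSeconds() {
        return this.tokenValidityInSeconds;
    }

    /**
     * Returns the remaining lifetime of {@code str} in seconds, or the configured lifetime when
     * auth is disabled.
     *
     * @throws AccessException if the parser rejects the token
     * @throws NacosRuntimeException if auth is enabled and no secret key is configured
     */
    @Override // com.alibaba.nacos.plugin.auth.impl.token.TokenManager
    public long getTokenTtlInSeconds(String str) throws AccessException {
        if (!this.authConfigs.isAuthEnabled()) {
            return this.tokenValidityInSeconds;
        }
        long expiresAtSeconds = requireJwtParser().getExpireTimeInSeconds(str);
        // NOTE(review): the difference is negative if the parser returns an expiry in the past;
        // confirm whether getExpireTimeInSeconds already rejects expired tokens.
        return expiresAtSeconds - TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
    }

    /**
     * Returns the expiry time the parser reports for {@code str}, in seconds, or the configured
     * lifetime when auth is disabled.
     *
     * @throws AccessException if the parser rejects the token
     * @throws NacosRuntimeException if auth is enabled and no secret key is configured
     */
    public long getExpiredTimeInSeconds(String str) throws AccessException {
        if (!this.authConfigs.isAuthEnabled()) {
            return this.tokenValidityInSeconds;
        }
        return requireJwtParser().getExpireTimeInSeconds(str);
    }

    /** Reloads the key and lifetime whenever the server configuration changes. */
    public void onEvent(ServerConfigChangeEvent serverConfigChangeEvent) {
        processProperties();
    }

    /** Declares the event type this subscriber listens for. */
    public Class<? extends Event> subscribeType() {
        return ServerConfigChangeEvent.class;
    }

    /**
     * Reads the volatile parser exactly once and returns it.
     *
     * @return the current, non-null parser
     * @throws NacosRuntimeException (code 400) if no parser is available
     */
    private NacosJwtParser requireJwtParser() {
        NacosJwtParser parser = this.jwtParser;
        if (null == parser) {
            throw new NacosRuntimeException(400, "Please config `nacos.core.auth.plugin.nacos.token.secret.key`, detail see https://nacos.io/docs/latest/manual/admin/auth/");
        }
        return parser;
    }
}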
