package org.apache.kafka.common.security.oauthbearer.internals.secured;

import java.io.Closeable;
import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.kafka.common.utils.Time;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-3.4.0.jar:org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwks.class */
public final class RefreshingHttpsJwks implements Initable, Closeable {
    private static final int MISSING_KEY_ID_CACHE_MAX_ENTRIES = 16;
    static final long MISSING_KEY_ID_CACHE_IN_FLIGHT_MS = 60000;
    static final int MISSING_KEY_ID_MAX_KEY_LENGTH = 1000;
    private static final int SHUTDOWN_TIMEOUT = 10;
    private final HttpsJwks httpsJwks;
    private final ScheduledExecutorService executorService;
    private final Time time;
    private final long refreshMs;
    private final long refreshRetryBackoffMs;
    private final long refreshRetryBackoffMaxMs;
    private final Map<String, Long> missingKeyIds;
    private List<JsonWebKey> jsonWebKeys;
    private boolean isInitialized;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) RefreshingHttpsJwks.class);
    private static final TimeUnit SHUTDOWN_TIME_UNIT = TimeUnit.SECONDS;
    private final ReadWriteLock refreshLock = new ReentrantReadWriteLock();
    private final AtomicBoolean refreshInProgressFlag = new AtomicBoolean(false);

    public RefreshingHttpsJwks(Time time, HttpsJwks httpsJwks, long j, long j2, long j3) {
        if (j <= 0) {
            throw new IllegalArgumentException("JWKS validation key refresh configuration value retryWaitMs value must be positive");
        }
        this.httpsJwks = httpsJwks;
        this.time = time;
        this.refreshMs = j;
        this.refreshRetryBackoffMs = j2;
        this.refreshRetryBackoffMaxMs = j3;
        this.executorService = Executors.newSingleThreadScheduledExecutor();
        this.missingKeyIds = new LinkedHashMap<String, Long>(16, 0.75f, true) { // from class: org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwks.1
            @Override // java.util.LinkedHashMap
            protected boolean removeEldestEntry(Map.Entry<String, Long> entry) {
                return size() > 16;
            }
        };
    }

    @Override // org.apache.kafka.common.security.oauthbearer.internals.secured.Initable
    public void init() throws IOException {
        try {
            log.debug("init started");
            try {
                List jsonWebKeys = this.httpsJwks.getJsonWebKeys();
                try {
                    this.refreshLock.writeLock().lock();
                    this.jsonWebKeys = Collections.unmodifiableList(jsonWebKeys);
                    this.refreshLock.writeLock().unlock();
                    this.executorService.scheduleAtFixedRate(this::refresh, this.refreshMs, this.refreshMs, TimeUnit.MILLISECONDS);
                    log.info("JWKS validation key refresh thread started with a refresh interval of {} ms", Long.valueOf(this.refreshMs));
                    this.isInitialized = true;
                    log.debug("init completed");
                } catch (Throwable th) {
                    this.refreshLock.writeLock().unlock();
                    throw th;
                }
            } catch (JoseException e) {
                throw new IOException("Could not refresh JWKS", e);
            }
        } catch (Throwable th2) {
            this.isInitialized = true;
            log.debug("init completed");
            throw th2;
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        try {
            log.debug("close started");
            try {
                log.debug("JWKS validation key refresh thread shutting down");
                this.executorService.shutdown();
                if (!this.executorService.awaitTermination(10L, SHUTDOWN_TIME_UNIT)) {
                    log.warn("JWKS validation key refresh thread termination did not end after {} {}", (Object) 10, (Object) SHUTDOWN_TIME_UNIT);
                }
            } catch (InterruptedException e) {
                log.warn("JWKS validation key refresh thread error during close", (Throwable) e);
            }
            log.debug("close completed");
        } catch (Throwable th) {
            log.debug("close completed");
            throw th;
        }
    }

    public List<JsonWebKey> getJsonWebKeys() throws JoseException, IOException {
        if (!this.isInitialized) {
            throw new IllegalStateException("Please call init() first");
        }
        try {
            this.refreshLock.readLock().lock();
            return this.jsonWebKeys;
        } finally {
            this.refreshLock.readLock().unlock();
        }
    }

    public String getLocation() {
        return this.httpsJwks.getLocation();
    }

    private void refresh() {
        try {
            if (!this.refreshInProgressFlag.compareAndSet(false, true)) {
                log.debug("OAuth JWKS refresh is already in progress; ignoring concurrent refresh");
                return;
            }
            try {
                log.info("OAuth JWKS refresh of {} starting", this.httpsJwks.getLocation());
                List list = (List) new Retry(this.refreshRetryBackoffMs, this.refreshRetryBackoffMaxMs).execute(() -> {
                    try {
                        log.debug("JWKS validation key calling refresh of {} starting", this.httpsJwks.getLocation());
                        this.httpsJwks.refresh();
                        List jsonWebKeys = this.httpsJwks.getJsonWebKeys();
                        log.debug("JWKS validation key refresh of {} complete", this.httpsJwks.getLocation());
                        return jsonWebKeys;
                    } catch (Exception e) {
                        throw new ExecutionException(e);
                    }
                });
                try {
                    this.refreshLock.writeLock().lock();
                    Iterator it = list.iterator();
                    while (it.hasNext()) {
                        this.missingKeyIds.remove(((JsonWebKey) it.next()).getKeyId());
                    }
                    this.jsonWebKeys = Collections.unmodifiableList(list);
                    this.refreshLock.writeLock().unlock();
                    log.info("OAuth JWKS refresh of {} complete", this.httpsJwks.getLocation());
                    this.refreshInProgressFlag.set(false);
                } catch (Throwable th) {
                    this.refreshLock.writeLock().unlock();
                    throw th;
                }
            } catch (ExecutionException e) {
                log.warn("OAuth JWKS refresh of {} encountered an error; not updating local JWKS cache", this.httpsJwks.getLocation(), e);
                this.refreshInProgressFlag.set(false);
            }
        } catch (Throwable th2) {
            this.refreshInProgressFlag.set(false);
            throw th2;
        }
    }

    public boolean maybeExpediteRefresh(String str) {
        if (str.length() > 1000) {
            log.warn("Key ID {} was too long to cache", String.format("%s (trimmed to first %s characters out of %s total)", str.substring(0, 1000), 1000, Integer.valueOf(str.length())));
            return false;
        }
        try {
            this.refreshLock.writeLock().lock();
            Long l = this.missingKeyIds.get(str);
            long milliseconds = this.time.milliseconds();
            log.debug("For key ID {}, nextCheckTime: {}, currTime: {}", str, l, Long.valueOf(milliseconds));
            if (l != null && l.longValue() > milliseconds) {
                return false;
            }
            this.missingKeyIds.put(str, Long.valueOf(milliseconds + 60000));
            this.executorService.schedule(this::refresh, 0L, TimeUnit.MILLISECONDS);
            this.refreshLock.writeLock().unlock();
            return true;
        } finally {
            this.refreshLock.writeLock().unlock();
        }
    }
}
