package net.shibboleth.shared.security.impl;

import java.security.KeyException;
import java.time.Duration;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Timer;
import java.util.TimerTask;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import javax.script.ScriptContext;
import javax.script.ScriptException;
import javax.script.SimpleScriptContext;
import net.shibboleth.shared.annotation.constraint.NonNegative;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.Pair;
import net.shibboleth.shared.component.AbstractInitializableComponent;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.TimerSupport;
import net.shibboleth.shared.scripting.EvaluableScript;
import net.shibboleth.shared.security.DataSealerKeyStrategy;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/shib-security-9.0.0.jar:net/shibboleth/shared/security/impl/ScriptedKeyStrategy.class */
public class ScriptedKeyStrategy extends AbstractInitializableComponent implements DataSealerKeyStrategy {

    @NonnullAfterInit
    private EvaluableScript keyScript;

    @Nullable
    private Object customObject;

    @NonnullAfterInit
    private String currentAlias;

    @NonnullAfterInit
    private SecretKey defaultKey;

    @Nullable
    private Timer updateTaskTimer;

    @Nullable
    private Timer internalTaskTimer;

    @Nullable
    private TimerTask updateTask;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Nonnull
    private Logger log = LoggerFactory.getLogger((Class<?>) ScriptedKeyStrategy.class);

    @NonNegative
    private long cacheSize = 30;

    @Nonnull
    private final LinkedHashMap<String, SecretKey> keyCache = new LinkedHashMap<>((int) this.cacheSize);

    @Nonnull
    private Duration updateInterval = Duration.ofMinutes(15);

    public void setKeyScript(@Nonnull EvaluableScript evaluableScript) {
        checkSetterPreconditions();
        this.keyScript = (EvaluableScript) Constraint.isNotNull(evaluableScript, "Script cannot be null");
    }

    public void setCustomObject(@Nullable Object obj) {
        checkSetterPreconditions();
        this.customObject = obj;
    }

    public void setUpdateInterval(@Nonnull Duration duration) {
        checkSetterPreconditions();
        Constraint.isNotNull(duration, "Interval cannot be null");
        Constraint.isFalse(duration.isNegative(), "Interval cannot be negative");
        this.updateInterval = duration;
    }

    public void setUpdateTaskTimer(@Nullable Timer timer) {
        checkSetterPreconditions();
        this.updateTaskTimer = timer;
    }

    public void setCacheSize(@NonNegative long j) {
        checkSetterPreconditions();
        this.cacheSize = Constraint.isGreaterThanOrEqual(0L, j, "Key cache size cannot be negative");
    }

    @Override // net.shibboleth.shared.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.keyScript == null) {
            throw new ComponentInitializationException("Script cannot be null");
        }
        try {
            updateDefaultKey();
            if (this.updateInterval.isZero()) {
                return;
            }
            this.updateTask = new TimerTask() { // from class: net.shibboleth.shared.security.impl.ScriptedKeyStrategy.1
                @Override // java.util.TimerTask, java.lang.Runnable
                public void run() {
                    try {
                        ScriptedKeyStrategy.this.updateDefaultKey();
                    } catch (KeyException e) {
                    }
                }
            };
            if (this.updateTaskTimer == null) {
                this.internalTaskTimer = new Timer(TimerSupport.getTimerName(this), true);
            } else {
                this.internalTaskTimer = this.updateTaskTimer;
            }
            if (!$assertionsDisabled && this.internalTaskTimer == null) {
                throw new AssertionError();
            }
            this.internalTaskTimer.schedule(this.updateTask, this.updateInterval.toMillis(), this.updateInterval.toMillis());
        } catch (KeyException e) {
            this.log.error("Error loading default key: {}", e.getMessage());
            throw new ComponentInitializationException("Exception loading the default key", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.shared.component.AbstractInitializableComponent
    public void doDestroy() {
        if (this.updateTask != null) {
            this.updateTask.cancel();
            this.updateTask = null;
            if (this.updateTaskTimer == null && this.internalTaskTimer != null) {
                this.internalTaskTimer.cancel();
            }
            this.internalTaskTimer = null;
        }
        super.doDestroy();
    }

    @Override // net.shibboleth.shared.security.DataSealerKeyStrategy
    @Nonnull
    public Pair<String, SecretKey> getDefaultKey() throws KeyException {
        DataSealerKeyStrategy.NamedKey defaultKeyRecord = getDefaultKeyRecord();
        return new Pair<>(defaultKeyRecord.name(), defaultKeyRecord.key());
    }

    @Override // net.shibboleth.shared.security.DataSealerKeyStrategy
    @Nonnull
    public DataSealerKeyStrategy.NamedKey getDefaultKeyRecord() throws KeyException {
        DataSealerKeyStrategy.NamedKey namedKey;
        checkComponentActive();
        synchronized (this) {
            if (this.defaultKey == null) {
                throw new KeyException("Default key unavailable");
            }
            namedKey = new DataSealerKeyStrategy.NamedKey(this.currentAlias, this.defaultKey);
        }
        return namedKey;
    }

    @Override // net.shibboleth.shared.security.DataSealerKeyStrategy
    @Nonnull
    public SecretKey getKey(@Nonnull @NotEmpty String str) throws KeyException {
        synchronized (this) {
            if (this.defaultKey != null && str.equals(this.currentAlias)) {
                return this.defaultKey;
            }
            if (this.keyCache.containsKey(str)) {
                return this.keyCache.get(str);
            }
            try {
                ScriptContext simpleScriptContext = new SimpleScriptContext();
                simpleScriptContext.setAttribute("custom", this.customObject, 100);
                simpleScriptContext.setAttribute("name", str, 100);
                Object eval = this.keyScript.eval(simpleScriptContext);
                if (eval instanceof SecretKey) {
                    synchronized (this) {
                        this.keyCache.put(str, (SecretKey) eval);
                    }
                    this.log.debug("Loaded key '{}' from external script", str);
                    return (SecretKey) eval;
                }
                if (!(eval instanceof Pair) || !(((Pair) eval).getSecond() instanceof SecretKey)) {
                    throw new KeyException("Script did not return SecretKey or Pair<String,SecretKey> result.");
                }
                SecretKey secretKey = (SecretKey) ((Pair) eval).getSecond();
                if (!$assertionsDisabled && secretKey == null) {
                    throw new AssertionError();
                }
                synchronized (this) {
                    this.keyCache.put(str, secretKey);
                }
                this.log.debug("Loaded key '{}' from external script", str);
                return secretKey;
            } catch (ScriptException e) {
                throw new KeyException((Throwable) e);
            }
            throw new KeyException((Throwable) e);
        }
    }

    private void updateDefaultKey() throws KeyException {
        synchronized (this) {
            int size = this.keyCache.size();
            if (size > this.cacheSize) {
                Iterator<String> it = this.keyCache.keySet().iterator();
                while (size > this.cacheSize) {
                    it.next();
                    it.remove();
                    size--;
                }
            }
        }
        try {
            ScriptContext simpleScriptContext = new SimpleScriptContext();
            simpleScriptContext.setAttribute("custom", this.customObject, 100);
            Object eval = this.keyScript.eval(simpleScriptContext);
            if (!(eval instanceof Pair)) {
                throw new KeyException("Script did not return Pair<String,SecretKey> result.");
            }
            Pair pair = (Pair) eval;
            if (!(pair.getFirst() instanceof String) || !(pair.getSecond() instanceof SecretKey)) {
                throw new KeyException("Script did not return Pair<String,SecretKey> result.");
            }
            synchronized (this) {
                if (this.currentAlias == null) {
                    this.log.info("Loaded initial default key: {}", pair.getFirst());
                } else {
                    if (this.currentAlias.equals(pair.getFirst())) {
                        this.log.debug("Default key version has not changed, still {}", this.currentAlias);
                        return;
                    }
                    this.log.info("Updated default key from {} to {}", this.currentAlias, pair.getFirst());
                }
                this.currentAlias = (String) pair.getFirst();
                this.defaultKey = (SecretKey) pair.getSecond();
                this.keyCache.put((String) pair.getFirst(), (SecretKey) pair.getSecond());
            }
        } catch (ScriptException e) {
            throw new KeyException((Throwable) e);
        }
    }

    static {
        $assertionsDisabled = !ScriptedKeyStrategy.class.desiredAssertionStatus();
    }
}
