package org.apache.knox.gateway.session.control;

import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.GatewayMessages;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.token.impl.JWT;

/* loaded from: input_file:org/apache/knox/gateway/session/control/InMemoryConcurrentSessionVerifier.class */
public class InMemoryConcurrentSessionVerifier implements ConcurrentSessionVerifier {
    private static final GatewayMessages LOG = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);
    private Set<String> privilegedUsers;
    private Set<String> unlimitedUsers;
    private int privilegedUserConcurrentSessionLimit;
    private int nonPrivilegedUserConcurrentSessionLimit;
    private Map<String, Set<SessionJWT>> concurrentSessionCounter;
    private long cleaningPeriod;
    private final Lock sessionCountModifyLock = new ReentrantLock();
    private final ScheduledExecutorService expiredTokenRemover = Executors.newSingleThreadScheduledExecutor();

    /* loaded from: input_file:org/apache/knox/gateway/session/control/InMemoryConcurrentSessionVerifier$SessionJWT.class */
    public static class SessionJWT {
        private final Date expiry;
        private final String token;

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            return Objects.equals(this.token, ((SessionJWT) obj).token);
        }

        public int hashCode() {
            return Objects.hash(this.token);
        }

        public SessionJWT(JWT jwt) {
            this.expiry = jwt.getExpiresDate();
            this.token = jwt.toString();
        }

        public String getToken() {
            return this.token;
        }

        public boolean hasExpired() {
            return this.expiry != null && this.expiry.before(new Date());
        }
    }

    public boolean registerToken(String str, JWT jwt) {
        if (StringUtils.isBlank(str)) {
            LOG.errorRegisteringTokenForBlankUsername();
            return false;
        }
        if (this.unlimitedUsers.contains(str)) {
            return true;
        }
        this.sessionCountModifyLock.lock();
        try {
            if (checkLimitReached(str)) {
                return false;
            }
            this.concurrentSessionCounter.putIfAbsent(str, new HashSet());
            this.concurrentSessionCounter.compute(str, (str2, set) -> {
                return addTokenForUser(set, jwt);
            });
            this.sessionCountModifyLock.unlock();
            return true;
        } finally {
            this.sessionCountModifyLock.unlock();
        }
    }

    public boolean verifySessionForUser(String str) {
        if (StringUtils.isBlank(str)) {
            LOG.errorVerifyingUserBlankUsername();
            return false;
        }
        if (this.unlimitedUsers.contains(str)) {
            return true;
        }
        this.sessionCountModifyLock.lock();
        try {
            return !checkLimitReached(str);
        } finally {
            this.sessionCountModifyLock.unlock();
        }
    }

    private boolean checkLimitReached(String str) {
        int countValidTokensForUser = countValidTokensForUser(str);
        return privilegedUserCheckLimitReached(str, countValidTokensForUser) || nonPrivilegedUserCheckLimitReached(str, countValidTokensForUser);
    }

    int countValidTokensForUser(String str) {
        return (int) this.concurrentSessionCounter.getOrDefault(str, Collections.emptySet()).stream().filter(sessionJWT -> {
            return !sessionJWT.hasExpired();
        }).count();
    }

    private boolean privilegedUserCheckLimitReached(String str, int i) {
        return this.privilegedUserConcurrentSessionLimit >= 0 && this.privilegedUsers.contains(str) && i >= this.privilegedUserConcurrentSessionLimit;
    }

    private boolean nonPrivilegedUserCheckLimitReached(String str, int i) {
        return this.nonPrivilegedUserConcurrentSessionLimit >= 0 && !this.privilegedUsers.contains(str) && i >= this.nonPrivilegedUserConcurrentSessionLimit;
    }

    public void sessionEndedForUser(String str, String str2) {
        if (StringUtils.isNotBlank(str2) && StringUtils.isNotBlank(str)) {
            this.sessionCountModifyLock.lock();
            try {
                this.concurrentSessionCounter.computeIfPresent(str, (str3, set) -> {
                    return removeTokenFromUser(set, str2);
                });
            } finally {
                this.sessionCountModifyLock.unlock();
            }
        }
    }

    private Set<SessionJWT> removeTokenFromUser(Set<SessionJWT> set, String str) {
        set.removeIf(sessionJWT -> {
            return sessionJWT.getToken().equals(str);
        });
        if (set.isEmpty()) {
            return null;
        }
        return set;
    }

    private Set<SessionJWT> addTokenForUser(Set<SessionJWT> set, JWT jwt) {
        set.add(new SessionJWT(jwt));
        return set;
    }

    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        this.privilegedUsers = gatewayConfig.getSessionVerificationPrivilegedUsers();
        this.unlimitedUsers = gatewayConfig.getSessionVerificationUnlimitedUsers();
        this.privilegedUserConcurrentSessionLimit = gatewayConfig.getPrivilegedUsersConcurrentSessionLimit();
        this.nonPrivilegedUserConcurrentSessionLimit = gatewayConfig.getNonPrivilegedUsersConcurrentSessionLimit();
        this.cleaningPeriod = gatewayConfig.getConcurrentSessionVerifierExpiredTokensCleaningPeriod();
        this.concurrentSessionCounter = new ConcurrentHashMap();
    }

    public void start() throws ServiceLifecycleException {
        this.expiredTokenRemover.scheduleAtFixedRate(this::removeExpiredTokens, this.cleaningPeriod, this.cleaningPeriod, TimeUnit.SECONDS);
    }

    public void stop() throws ServiceLifecycleException {
        this.expiredTokenRemover.shutdown();
    }

    void removeExpiredTokens() {
        this.sessionCountModifyLock.lock();
        try {
            Iterator<Map.Entry<String, Set<SessionJWT>>> it = this.concurrentSessionCounter.entrySet().iterator();
            while (it.hasNext()) {
                Set<SessionJWT> value = it.next().getValue();
                value.removeIf(sessionJWT -> {
                    return sessionJWT.hasExpired();
                });
                if (value.isEmpty()) {
                    it.remove();
                }
            }
        } finally {
            this.sessionCountModifyLock.unlock();
        }
    }

    Integer getTokenCountForUser(String str) {
        Integer num = null;
        if (this.concurrentSessionCounter.containsKey(str)) {
            num = Integer.valueOf(this.concurrentSessionCounter.get(str).size());
        }
        return num;
    }
}
