package com.aerospike.vector.client.internal.auth;

import com.aerospike.vector.client.auth.PasswordCredentials;
import com.aerospike.vector.client.internal.ClusterTenderer;
import com.aerospike.vector.client.proto.AuthRequest;
import com.aerospike.vector.client.proto.AuthResponse;
import com.aerospike.vector.client.proto.AuthServiceGrpc;
import com.aerospike.vector.client.proto.Credentials;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import io.grpc.CallCredentials;
import io.grpc.Deadline;
import io.grpc.ManagedChannel;
import io.grpc.Status;
import io.grpc.StatusException;
import io.grpc.StatusRuntimeException;
import io.grpc.stub.StreamObserver;
import io.netty.handler.traffic.AbstractTrafficShapingHandler;
import java.io.Closeable;
import java.io.IOException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/aerospike/vector/client/internal/auth/AuthTokenManager.class */
public class AuthTokenManager implements Closeable {
    private static final int REFRESH_MIN_TIME = 5000;
    private static final int MAX_EXPONENTIAL_BACKOFF = 15000;
    private static final float REFRESH_AFTER_FRACTION = 0.8f;
    private final ScheduledExecutorService executor;
    private final AtomicBoolean isFetchingToken = new AtomicBoolean(false);
    private final AtomicBoolean isClosed = new AtomicBoolean(false);
    private final AtomicInteger consecutiveRefreshErrors = new AtomicInteger(0);
    private final AtomicReference<Throwable> refreshError = new AtomicReference<>(null);
    private volatile AccessToken accessToken;
    private volatile boolean fetchScheduled;
    private ScheduledFuture<?> refreshFuture;
    private final PasswordCredentials passwordCredentials;
    private final ClusterTenderer clusterTenderer;
    private final String authIdentifier;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AuthTokenManager.class);
    private static final ObjectMapper objectMapper = new ObjectMapper();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/aerospike/vector/client/internal/auth/AuthTokenManager$AccessToken.class */
    public static class AccessToken {
        private final long expiry;
        private final long ttl;
        private final String token;

        public AccessToken(long j, long j2, String str) {
            this.expiry = j;
            this.ttl = j2;
            this.token = str;
        }

        public boolean hasExpired() {
            return System.currentTimeMillis() > this.expiry;
        }

        public String toString() {
            long j = this.expiry;
            long j2 = this.ttl;
            String str = this.token;
            return "AccessToken{expiry=" + j + ", ttl=" + j + ", token='" + j2 + "'}";
        }
    }

    /* loaded from: input_file:com/aerospike/vector/client/internal/auth/AuthTokenManager$TokenStatus.class */
    public static class TokenStatus {
        private final Throwable error;
        private final boolean isValid;

        private TokenStatus() {
            this.isValid = true;
            this.error = null;
        }

        private TokenStatus(Throwable th) {
            this.isValid = false;
            this.error = th;
        }

        public boolean isValid() {
            return this.isValid;
        }

        private Throwable getError() {
            return this.error;
        }
    }

    public AuthTokenManager(PasswordCredentials passwordCredentials, ClusterTenderer clusterTenderer) {
        this.passwordCredentials = passwordCredentials;
        this.clusterTenderer = clusterTenderer;
        this.authIdentifier = String.format("avs-%s-authmanager", clusterTenderer.identifier);
        this.executor = Executors.newScheduledThreadPool(Runtime.getRuntime().availableProcessors(), new ThreadFactoryBuilder().setNameFormat(this.authIdentifier).build());
        updateAccessToken(null);
        fetchToken(true);
    }

    private synchronized void updateAccessToken(AccessToken accessToken) {
        this.accessToken = accessToken;
    }

    private synchronized AccessToken getAccessToken() {
        return this.accessToken;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private void fetchToken(boolean z) {
        this.fetchScheduled = false;
        if (this.isClosed.get() || this.isFetchingToken.get() || !shouldRefresh(z)) {
            return;
        }
        try {
            log.info("{}; Starting token refresh.", this.authIdentifier);
            AuthRequest build = AuthRequest.newBuilder().setCredentials(Credentials.newBuilder().setUsername(this.passwordCredentials.username()).setPasswordCredentials(com.aerospike.vector.client.proto.PasswordCredentials.newBuilder().setPassword(this.passwordCredentials.password()).build()).build()).build();
            try {
                ManagedChannel channel = this.clusterTenderer.getChannel();
                log.info("{}; Got successfully channel for token refresh.", this.authIdentifier);
                this.isFetchingToken.set(true);
                ((AuthServiceGrpc.AuthServiceStub) this.clusterTenderer.getAuthStub(channel).withDeadline(Deadline.after(5000L, TimeUnit.MILLISECONDS))).authenticate(build, new StreamObserver<AuthResponse>() { // from class: com.aerospike.vector.client.internal.auth.AuthTokenManager.1
                    @Override // io.grpc.stub.StreamObserver
                    public void onNext(AuthResponse authResponse) {
                        try {
                            AuthTokenManager.this.updateAccessToken(AuthTokenManager.this.parseToken(authResponse.getToken()));
                            AuthTokenManager.log.info("{}; Fetched token successfully with TTL {}ms.", AuthTokenManager.this.authIdentifier, Long.valueOf(AuthTokenManager.this.accessToken.ttl));
                            AuthTokenManager.this.unsafeScheduleNextRefresh();
                            AuthTokenManager.this.clearRefreshErrors();
                        } catch (Exception e) {
                            AuthTokenManager.log.error("{}; Error in fetching token.", AuthTokenManager.this.authIdentifier, e);
                            AuthTokenManager.this.onFetchError(e);
                        }
                    }

                    @Override // io.grpc.stub.StreamObserver
                    public void onError(Throwable th) {
                        AuthTokenManager.this.onFetchError(th);
                    }

                    @Override // io.grpc.stub.StreamObserver
                    public void onCompleted() {
                        AuthTokenManager.this.isFetchingToken.set(false);
                    }
                });
            } catch (Exception e) {
                log.error("{}; Error getting in getting tend channel, will referesh in 10 milliseconds.", this.authIdentifier, e);
                this.isFetchingToken.set(false);
                unsafeScheduleRefresh(10L, true);
            }
        } catch (Exception e2) {
            onFetchError(e2);
        }
    }

    private void clearRefreshErrors() {
        this.consecutiveRefreshErrors.set(0);
        this.refreshError.set(null);
    }

    private void updateRefreshErrors(Throwable th) {
        this.consecutiveRefreshErrors.incrementAndGet();
        this.refreshError.set(th);
    }

    private void onFetchError(Throwable th) {
        updateRefreshErrors(th);
        log.error("{}; onFetchError exception.", this.authIdentifier, new Exception("Error fetching access token.", th));
        unsafeScheduleNextRefresh();
        this.isFetchingToken.set(false);
    }

    private boolean shouldRefresh(boolean z) {
        boolean z2 = z || !isTokenValid();
        log.debug("{}; shouldRefresh: {}, isTokenValid:{}.", this.authIdentifier, Boolean.valueOf(z2), Boolean.valueOf(isTokenValid()));
        return z2;
    }

    private void unsafeScheduleNextRefresh() {
        long j = getAccessToken() != null ? getAccessToken().ttl : 5000L;
        long floor = (long) Math.floor(((float) j) * REFRESH_AFTER_FRACTION);
        if (j - floor < 5000) {
            floor = j - 5000;
        }
        if (!isTokenValid()) {
            log.warn("{}; Token not valid, setting delay to zero.", this.authIdentifier);
            floor = 0;
        }
        if (floor == 0 && this.consecutiveRefreshErrors.get() > 0) {
            floor = (long) (Math.pow(2.0d, this.consecutiveRefreshErrors.get()) * 1000.0d);
            if (floor > AbstractTrafficShapingHandler.DEFAULT_MAX_TIME) {
                floor = 15000;
            }
            if (floor < 0) {
                floor = 0;
            }
        }
        log.info("{}; delay:{}", this.authIdentifier, Long.valueOf(floor));
        unsafeScheduleRefresh(floor, true);
    }

    private void unsafeScheduleRefresh(long j, boolean z) {
        if (this.isClosed.get() || !z || this.fetchScheduled || this.executor.isShutdown()) {
            return;
        }
        this.refreshFuture = this.executor.schedule(() -> {
            fetchToken(z);
        }, j, TimeUnit.MILLISECONDS);
        this.fetchScheduled = true;
        log.info("{}; Scheduled token refresh after {} millis.", this.authIdentifier, Long.valueOf(j));
    }

    public TokenStatus getTokenStatus() {
        if (isTokenValid()) {
            return new TokenStatus();
        }
        Throwable th = this.refreshError.get();
        if (null != th) {
            return new TokenStatus(th);
        }
        AccessToken accessToken = getAccessToken();
        return (accessToken == null || !accessToken.hasExpired()) ? new TokenStatus(Status.UNAUTHENTICATED.asRuntimeException()) : new TokenStatus(Status.UNAUTHENTICATED.withDescription("token has expired.").asRuntimeException());
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.isClosed.getAndSet(true)) {
            return;
        }
        boolean isTerminated = this.executor.isTerminated();
        if (isTerminated) {
            return;
        }
        if (this.refreshFuture != null) {
            this.refreshFuture.cancel(true);
        }
        this.executor.shutdown();
        boolean z = false;
        while (!isTerminated) {
            try {
                isTerminated = this.executor.awaitTermination(5L, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                if (!z) {
                    this.executor.shutdownNow();
                    z = true;
                }
            }
        }
        if (z) {
            Thread.currentThread().interrupt();
        }
    }

    private AccessToken parseToken(String str) throws IOException {
        String[] split = str.split("\\.");
        if (split.length < 2) {
            throw new IllegalArgumentException("Invalid token format.");
        }
        Map map = (Map) objectMapper.readValue(new String(Base64.getUrlDecoder().decode(split[1])), Map.class);
        Object obj = map.get("exp");
        Object obj2 = map.get("iat");
        if (!(obj instanceof Number) || !(obj2 instanceof Number)) {
            throw new IllegalArgumentException("Unsupported access token format.");
        }
        long longValue = (((Number) obj).longValue() - ((Number) obj2).longValue()) * 1000;
        if (longValue <= 0) {
            throw new IllegalArgumentException("Token 'iat' > 'exp'");
        }
        return new AccessToken(System.currentTimeMillis() + longValue, longValue, str);
    }

    public CallCredentials getCallCredentials() throws StatusRuntimeException {
        if (!isTokenValid()) {
            log.info("{}; Starting a call with invalid token.", this.authIdentifier);
            unsafeScheduleRefresh(0L, false);
        }
        if (isTokenValid()) {
            if (getAccessToken() != null) {
                return new BearerTokenCallCredentials(getAccessToken().token);
            }
            throw new IllegalStateException("Access token has expired.");
        }
        Throwable th = this.refreshError.get();
        if (th == null) {
            throw Status.UNAUTHENTICATED.withDescription(getAccessToken() == null ? "Access token not fetched." : "Access token has expired.").asRuntimeException();
        }
        if ((th instanceof StatusRuntimeException) || (th instanceof StatusException)) {
            throw ((RuntimeException) th);
        }
        throw Status.UNAUTHENTICATED.withDescription(th.getMessage()).asRuntimeException();
    }

    private boolean isTokenValid() {
        AccessToken accessToken = getAccessToken();
        boolean z = (accessToken == null || accessToken.hasExpired()) ? false : true;
        log.debug("{}; tokenValid: {}, token: {}.", this.authIdentifier, Boolean.valueOf(z), accessToken);
        return z;
    }
}
