package org.apache.kafka.common.security.oauthbearer.internals.expiring;

import io.debezium.config.CommonConnectorConfig;
import java.util.Date;
import java.util.Objects;
import java.util.Random;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.utils.KafkaThread;
import org.apache.kafka.common.utils.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.8.2.jar:org/apache/kafka/common/security/oauthbearer/internals/expiring/ExpiringCredentialRefreshingLogin.class */
public abstract class ExpiringCredentialRefreshingLogin implements AutoCloseable {
    private static final long DELAY_SECONDS_BEFORE_NEXT_RETRY_WHEN_RELOGIN_FAILS = 10;
    private final Time time;
    private Thread refresherThread;
    private final LoginContextFactory loginContextFactory;
    private final String contextName;
    private final Configuration configuration;
    private final ExpiringCredentialRefreshConfig expiringCredentialRefreshConfig;
    private final AuthenticateCallbackHandler callbackHandler;
    private volatile Subject subject;
    private boolean hasExpiringCredential;
    private String principalName;
    private LoginContext loginContext;
    private ExpiringCredential expiringCredential;
    private final Class<?> mandatoryClassToSynchronizeOnPriorToRefresh;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ExpiringCredentialRefreshingLogin.class);
    private static final Random RNG = new Random();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.8.2.jar:org/apache/kafka/common/security/oauthbearer/internals/expiring/ExpiringCredentialRefreshingLogin$ExitRefresherThreadDueToIllegalStateException.class */
    public static class ExitRefresherThreadDueToIllegalStateException extends Exception {
        private static final long serialVersionUID = -6108495378411920380L;

        public ExitRefresherThreadDueToIllegalStateException(String str) {
            super(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.8.2.jar:org/apache/kafka/common/security/oauthbearer/internals/expiring/ExpiringCredentialRefreshingLogin$LoginContextFactory.class */
    public static class LoginContextFactory {
        LoginContextFactory() {
        }

        public LoginContext createLoginContext(ExpiringCredentialRefreshingLogin expiringCredentialRefreshingLogin) throws LoginException {
            return new LoginContext(expiringCredentialRefreshingLogin.contextName(), expiringCredentialRefreshingLogin.subject(), expiringCredentialRefreshingLogin.callbackHandler(), expiringCredentialRefreshingLogin.configuration());
        }

        public void refresherThreadStarted() {
        }

        public void refresherThreadDone() {
        }
    }

    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.8.2.jar:org/apache/kafka/common/security/oauthbearer/internals/expiring/ExpiringCredentialRefreshingLogin$Refresher.class */
    private class Refresher implements Runnable {
        private Refresher() {
        }

        @Override // java.lang.Runnable
        public void run() {
            ExpiringCredentialRefreshingLogin.log.info("[Principal={}]: Expiring credential re-login thread started.", ExpiringCredentialRefreshingLogin.this.principalLogText());
            while (true) {
                long currentMs = ExpiringCredentialRefreshingLogin.this.currentMs();
                Long refreshMs = ExpiringCredentialRefreshingLogin.this.refreshMs(currentMs);
                if (refreshMs == null) {
                    ExpiringCredentialRefreshingLogin.this.loginContextFactory.refresherThreadDone();
                    return;
                }
                if (refreshMs.longValue() < currentMs) {
                    ExpiringCredentialRefreshingLogin.log.warn("[Principal={}]: Expiring credential re-login sleep time was calculated to be in the past! Will explicitly adjust. ({})", ExpiringCredentialRefreshingLogin.this.principalLogText(), new Date(refreshMs.longValue()));
                    refreshMs = Long.valueOf(currentMs + CommonConnectorConfig.DEFAULT_RETRIABLE_RESTART_WAIT);
                }
                ExpiringCredentialRefreshingLogin.log.info("[Principal={}]: Expiring credential re-login sleeping until: {}", ExpiringCredentialRefreshingLogin.this.principalLogText(), new Date(refreshMs.longValue()));
                ExpiringCredentialRefreshingLogin.this.time.sleep(refreshMs.longValue() - currentMs);
                if (Thread.currentThread().isInterrupted()) {
                    ExpiringCredentialRefreshingLogin.log.info("[Principal={}]: Expiring credential re-login thread has been interrupted and will exit.", ExpiringCredentialRefreshingLogin.this.principalLogText());
                    ExpiringCredentialRefreshingLogin.this.loginContextFactory.refresherThreadDone();
                    return;
                }
                do {
                    try {
                        ExpiringCredentialRefreshingLogin.this.reLogin();
                        break;
                    } catch (LoginException e) {
                        ExpiringCredentialRefreshingLogin.log.warn(String.format("[Principal=%s]: LoginException during login retry; will sleep %d seconds before trying again.", ExpiringCredentialRefreshingLogin.this.principalLogText(), Long.valueOf(ExpiringCredentialRefreshingLogin.DELAY_SECONDS_BEFORE_NEXT_RETRY_WHEN_RELOGIN_FAILS)), (Throwable) e);
                        ExpiringCredentialRefreshingLogin.this.time.sleep(CommonConnectorConfig.DEFAULT_RETRIABLE_RESTART_WAIT);
                    } catch (ExitRefresherThreadDueToIllegalStateException e2) {
                        ExpiringCredentialRefreshingLogin.log.error(e2.getMessage(), (Throwable) e2);
                        ExpiringCredentialRefreshingLogin.this.loginContextFactory.refresherThreadDone();
                        return;
                    }
                } while (!Thread.currentThread().isInterrupted());
                ExpiringCredentialRefreshingLogin.log.error("[Principal={}]: Interrupted while trying to perform a subsequent expiring credential re-login after one or more initial re-login failures: re-login thread exiting now: {}", ExpiringCredentialRefreshingLogin.this.principalLogText(), String.valueOf(e.getMessage()));
                ExpiringCredentialRefreshingLogin.this.loginContextFactory.refresherThreadDone();
                return;
            }
        }
    }

    public ExpiringCredentialRefreshingLogin(String str, Configuration configuration, ExpiringCredentialRefreshConfig expiringCredentialRefreshConfig, AuthenticateCallbackHandler authenticateCallbackHandler, Class<?> cls) {
        this(str, configuration, expiringCredentialRefreshConfig, authenticateCallbackHandler, cls, new LoginContextFactory(), Time.SYSTEM);
    }

    public ExpiringCredentialRefreshingLogin(String str, Configuration configuration, ExpiringCredentialRefreshConfig expiringCredentialRefreshConfig, AuthenticateCallbackHandler authenticateCallbackHandler, Class<?> cls, LoginContextFactory loginContextFactory, Time time) {
        this.subject = null;
        this.hasExpiringCredential = false;
        this.principalName = null;
        this.loginContext = null;
        this.expiringCredential = null;
        this.contextName = (String) Objects.requireNonNull(str);
        this.configuration = (Configuration) Objects.requireNonNull(configuration);
        this.expiringCredentialRefreshConfig = (ExpiringCredentialRefreshConfig) Objects.requireNonNull(expiringCredentialRefreshConfig);
        this.callbackHandler = authenticateCallbackHandler;
        this.mandatoryClassToSynchronizeOnPriorToRefresh = (Class) Objects.requireNonNull(cls);
        this.loginContextFactory = loginContextFactory;
        this.time = (Time) Objects.requireNonNull(time);
    }

    public Subject subject() {
        return this.subject;
    }

    public String contextName() {
        return this.contextName;
    }

    public Configuration configuration() {
        return this.configuration;
    }

    public AuthenticateCallbackHandler callbackHandler() {
        return this.callbackHandler;
    }

    public String serviceName() {
        return "kafka";
    }

    public LoginContext login() throws LoginException {
        LoginContext createLoginContext = this.loginContextFactory.createLoginContext(this);
        createLoginContext.login();
        log.info("Successfully logged in.");
        this.loginContext = createLoginContext;
        this.subject = this.loginContext.getSubject();
        this.expiringCredential = expiringCredential();
        this.hasExpiringCredential = this.expiringCredential != null;
        if (!this.hasExpiringCredential) {
            log.debug("No Expiring Credential");
            this.principalName = null;
            this.refresherThread = null;
            return this.loginContext;
        }
        this.principalName = this.expiringCredential.principalName();
        long expireTimeMs = this.expiringCredential.expireTimeMs();
        long currentMs = currentMs();
        if (currentMs > expireTimeMs) {
            log.error("[Principal={}]: Current clock: {} is later than expiry {}. This may indicate a clock skew problem. Check that this host's and remote host's clocks are in sync. Not starting refresh thread. This process is likely unable to authenticate SASL connections (for example, it is unlikely to be able to authenticate a connection with a Kafka Broker).", principalLogText(), new Date(currentMs), new Date(expireTimeMs));
            return this.loginContext;
        }
        if (log.isDebugEnabled()) {
            log.debug("[Principal={}]: It is an expiring credential", principalLogText());
        }
        this.refresherThread = KafkaThread.daemon(String.format("kafka-expiring-relogin-thread-%s", this.principalName), new Refresher());
        this.refresherThread.start();
        this.loginContextFactory.refresherThreadStarted();
        return this.loginContext;
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        if (this.refresherThread == null || !this.refresherThread.isAlive()) {
            return;
        }
        this.refresherThread.interrupt();
        try {
            this.refresherThread.join();
        } catch (InterruptedException e) {
            log.warn("[Principal={}]: Interrupted while waiting for re-login thread to shutdown.", principalLogText(), e);
            Thread.currentThread().interrupt();
        }
    }

    public abstract ExpiringCredential expiringCredential();

    /* JADX INFO: Access modifiers changed from: private */
    public Long refreshMs(long j) {
        if (this.expiringCredential == null) {
            long j2 = j + CommonConnectorConfig.DEFAULT_RETRIABLE_RESTART_WAIT;
            log.warn("[Principal={}]: No Expiring credential found: will try again at {}", principalLogText(), new Date(j2));
            return Long.valueOf(j2);
        }
        long expireTimeMs = this.expiringCredential.expireTimeMs();
        if (j > expireTimeMs) {
            if (isLogoutRequiredBeforeLoggingBackIn()) {
                log.error("[Principal={}]: Current clock: {} is later than expiry {}. This may indicate a clock skew problem. Check that this host's and remote host's clocks are in sync. Exiting refresh thread.", principalLogText(), new Date(j), new Date(expireTimeMs));
                return null;
            }
            long j3 = j + CommonConnectorConfig.DEFAULT_RETRIABLE_RESTART_WAIT;
            log.warn("[Principal={}]: Expiring credential already expired at {}: will try to refresh again at {}", principalLogText(), new Date(expireTimeMs), new Date(j3));
            return Long.valueOf(j3);
        }
        Long absoluteLastRefreshTimeMs = this.expiringCredential.absoluteLastRefreshTimeMs();
        if (absoluteLastRefreshTimeMs != null && absoluteLastRefreshTimeMs.longValue() < expireTimeMs) {
            log.warn("[Principal={}]: Expiring credential refresh thread exiting because the expiring credential's current expiration time ({}) exceeds the latest possible refresh time ({}). This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker).", principalLogText(), new Date(expireTimeMs), new Date(absoluteLastRefreshTimeMs.longValue()));
            return null;
        }
        Long startTimeMs = this.expiringCredential.startTimeMs();
        long longValue = startTimeMs != null ? startTimeMs.longValue() : j;
        log.info("[Principal={}]: Expiring credential valid from {} to {}", this.expiringCredential.principalName(), new Date(longValue), new Date(expireTimeMs));
        double loginRefreshWindowFactor = this.expiringCredentialRefreshConfig.loginRefreshWindowFactor() + (this.expiringCredentialRefreshConfig.loginRefreshWindowJitter() * RNG.nextDouble());
        long loginRefreshMinPeriodSeconds = this.expiringCredentialRefreshConfig.loginRefreshMinPeriodSeconds();
        long loginRefreshBufferSeconds = this.expiringCredentialRefreshConfig.loginRefreshBufferSeconds();
        if (j + (1000 * (loginRefreshMinPeriodSeconds + loginRefreshBufferSeconds)) > expireTimeMs) {
            long j4 = j + ((long) ((expireTimeMs - j) * loginRefreshWindowFactor));
            log.warn("[Principal={}]: Expiring credential expires at {}, so buffer times of {} and {} seconds at the front and back, respectively, cannot be accommodated.  We will refresh at {}.", principalLogText(), new Date(expireTimeMs), Long.valueOf(loginRefreshMinPeriodSeconds), Long.valueOf(loginRefreshBufferSeconds), new Date(j4));
            return Long.valueOf(j4);
        }
        long j5 = longValue + ((long) ((expireTimeMs - longValue) * loginRefreshWindowFactor));
        long j6 = expireTimeMs - (loginRefreshBufferSeconds * 1000);
        if (j5 > j6) {
            log.info("[Principal={}]: Proposed refresh time of {} extends into the desired buffer time of {} seconds before expiration, so refresh it at the desired buffer begin point, at {}", this.expiringCredential.principalName(), new Date(j5), Long.valueOf(loginRefreshBufferSeconds), new Date(j6));
            return Long.valueOf(j6);
        }
        long j7 = j + (1000 * loginRefreshMinPeriodSeconds);
        if (j5 >= j7) {
            return Long.valueOf(j5);
        }
        log.info("[Principal={}]: Expiring credential re-login thread time adjusted from {} to {} since the former is sooner than the minimum refresh interval ({} seconds from now).", principalLogText(), new Date(j5), new Date(j7), Long.valueOf(loginRefreshMinPeriodSeconds));
        return Long.valueOf(j7);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void reLogin() throws LoginException, ExitRefresherThreadDueToIllegalStateException {
        synchronized (this.mandatoryClassToSynchronizeOnPriorToRefresh) {
            boolean isLogoutRequiredBeforeLoggingBackIn = isLogoutRequiredBeforeLoggingBackIn();
            if (this.hasExpiringCredential && isLogoutRequiredBeforeLoggingBackIn) {
                log.info("Initiating logout for {}", principalLogText());
                this.loginContext.logout();
                this.expiringCredential = expiringCredential();
                this.hasExpiringCredential = this.expiringCredential != null;
                if (this.hasExpiringCredential) {
                    throw new ExitRefresherThreadDueToIllegalStateException(String.format("Subject's private credentials still contains an instance of %s even though logout() was invoked; exiting refresh thread", this.expiringCredential.getClass().getName()));
                }
            }
            ExpiringCredential expiringCredential = this.expiringCredential;
            LoginContext loginContext = this.loginContext;
            boolean z = false;
            try {
                this.loginContext = this.loginContextFactory.createLoginContext(this);
                log.info("Initiating re-login for {}, logout() still needs to be called on a previous login = {}", this.principalName, Boolean.valueOf(expiringCredential != null));
                this.loginContext.login();
                z = true;
                if (expiringCredential != null) {
                    loginContext.logout();
                }
                if (1 == 0) {
                    this.loginContext = loginContext;
                }
                this.expiringCredential = expiringCredential();
                this.hasExpiringCredential = this.expiringCredential != null;
                if (!this.hasExpiringCredential) {
                    log.error("No Expiring Credential after a supposedly-successful re-login");
                    this.principalName = null;
                } else {
                    if (this.expiringCredential == expiringCredential) {
                        throw new ExitRefresherThreadDueToIllegalStateException(String.format("Subject's private credentials still contains the previous, soon-to-expire instance of %s even though login() followed by logout() was invoked; exiting refresh thread", this.expiringCredential.getClass().getName()));
                    }
                    this.principalName = this.expiringCredential.principalName();
                    if (log.isDebugEnabled()) {
                        log.debug("[Principal={}]: It is an expiring credential after re-login as expected", principalLogText());
                    }
                }
            } catch (Throwable th) {
                if (!z) {
                    this.loginContext = loginContext;
                }
                throw th;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String principalLogText() {
        return this.expiringCredential == null ? this.principalName : this.expiringCredential.getClass().getSimpleName() + ":" + this.principalName;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public long currentMs() {
        return this.time.milliseconds();
    }

    private boolean isLogoutRequiredBeforeLoggingBackIn() {
        return !this.expiringCredentialRefreshConfig.loginRefreshReloginAllowedBeforeLogout();
    }
}
