package com.sap.cloud.security.token.validation.validators;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.Ticker;
import com.sap.cloud.security.config.CacheConfiguration;
import com.sap.cloud.security.xsuaa.Assertions;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenKeyService;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenKeyService;
import com.sap.cloud.security.xsuaa.tokenflows.Cacheable;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.time.Duration;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/OAuth2TokenKeyServiceWithCache.class */
/**
 * Resolves the public keys used to verify token signatures, caching the JSON Web Key Sets it
 * obtains from an {@link OAuth2TokenKeyService}.
 *
 * <p>Key sets are cached under the string form of the key URL. Each cached key set also tracks,
 * per zone id, whether the keys were accepted for that zone, so a cache hit for one zone does not
 * by itself answer a lookup for another.
 *
 * <p>The cache and the token key service are created lazily on first use. No synchronization is
 * visible in this class, so instances should be fully configured before they are shared.
 */
public class OAuth2TokenKeyServiceWithCache implements Cacheable {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2TokenKeyServiceWithCache.class);

    /** Smallest cache size accepted by {@link #withCacheConfiguration(CacheConfiguration)}. */
    private static final int MIN_CACHE_SIZE = 1000;
    /** Shortest cache duration, in seconds, accepted by {@link #withCacheConfiguration(CacheConfiguration)}. */
    private static final long MIN_CACHE_DURATION_SECONDS = 600;
    /** Longest cache duration, in seconds, accepted by {@link #withCacheConfiguration(CacheConfiguration)}. */
    private static final long MAX_CACHE_DURATION_SECONDS = 900;

    private OAuth2TokenKeyService tokenKeyService;
    private Cache<String, JsonWebKeySet> cache;
    private CacheConfiguration cacheConfiguration = TokenKeyCacheConfiguration.defaultConfiguration();
    private Ticker cacheTicker;

    private OAuth2TokenKeyServiceWithCache() {
        // Instances are created through the getInstance factories only.
    }

    /**
     * Creates an instance whose cache expiry is driven by the system ticker.
     *
     * @return a new instance with the default cache configuration
     */
    public static OAuth2TokenKeyServiceWithCache getInstance() {
        return getInstance(Ticker.systemTicker());
    }

    /**
     * Creates an instance whose cache expiry is driven by the given ticker.
     *
     * @param ticker the time source handed to the cache builder
     * @return a new instance with the default cache configuration
     */
    static OAuth2TokenKeyServiceWithCache getInstance(Ticker ticker) {
        OAuth2TokenKeyServiceWithCache instance = new OAuth2TokenKeyServiceWithCache();
        instance.cacheTicker = ticker;
        return instance;
    }

    /**
     * Applies a cache configuration after checking it against the allowed bounds.
     *
     * <p>Out-of-range values are not applied; the currently configured value is kept instead.
     * The cache itself is only built on first use, so a configuration set after the first lookup
     * does not change a cache that already exists.
     *
     * @param cacheConfiguration the requested configuration, must not be null
     * @return this instance
     */
    public OAuth2TokenKeyServiceWithCache withCacheConfiguration(CacheConfiguration cacheConfiguration) {
        this.cacheConfiguration = getCheckedConfiguration(cacheConfiguration);
        CacheConfiguration applied = getCacheConfiguration();
        LOGGER.debug("Configured token key cache with cacheDuration={} seconds, cacheSize={} and statisticsRecording={}",
                applied.getCacheDuration().getSeconds(),
                applied.getCacheSize(),
                applied.isCacheStatisticsEnabled());
        return this;
    }

    /**
     * Sets the service used to fetch token keys. When none is set, a
     * {@link DefaultOAuth2TokenKeyService} is created on first use.
     *
     * @param oAuth2TokenKeyService the service to fetch token keys with
     * @return this instance
     */
    public OAuth2TokenKeyServiceWithCache withTokenKeyService(OAuth2TokenKeyService oAuth2TokenKeyService) {
        this.tokenKeyService = oAuth2TokenKeyService;
        return this;
    }

    /**
     * Returns the public key matching the given key id and algorithm, fetching the key set from
     * the key URL when it is not cached or not yet known for the given zone.
     *
     * <p>NOTE(review): only non-null is asserted for {@code uri}; this method does not itself
     * check that the URL points to a trusted key endpoint. Confirm that callers validate the key
     * URL before it reaches this method, since the keys fetched from it decide which signatures
     * are accepted. {@code str2} is not checked for null here either.
     *
     * @param jwtSignatureAlgorithm the signature algorithm the key must be declared for
     * @param str the key id to look up; must contain text
     * @param uri the key URL; also used, in string form, as the cache key
     * @param str2 the zone id (reported as {@code zone_uuid}) the keys are requested for
     * @return the matching public key, or {@code null} when no keys were retrieved or none matches
     * @throws OAuth2ServiceException if retrieval fails or the keys are not accepted for the zone
     * @throws InvalidKeySpecException declared for the public key conversion
     * @throws NoSuchAlgorithmException declared for the public key conversion
     */
    @Nullable
    public PublicKey getPublicKey(JwtSignatureAlgorithm jwtSignatureAlgorithm, String str, URI uri, String str2) throws OAuth2ServiceException, InvalidKeySpecException, NoSuchAlgorithmException {
        Assertions.assertNotNull(jwtSignatureAlgorithm, "keyAlgorithm must not be null.");
        Assertions.assertHasText(str, "keyId must not be null.");
        Assertions.assertNotNull(uri, "keyUrl must not be null.");

        JsonWebKeySet keySet = getCache().getIfPresent(uri.toString());
        boolean zoneKnown = keySet != null && keySet.containsZoneId(str2);
        if (!zoneKnown) {
            // Either nothing is cached for this URL or this zone has not been seen for it yet.
            keySet = retrieveTokenKeysAndUpdateCache(uri, str2, keySet);
        }

        if (keySet == null || keySet.getAll().isEmpty()) {
            LOGGER.error("Retrieved no token keys from {}", uri);
            return null;
        }

        // A cached key set is only usable for a zone whose retrieval succeeded.
        if (!keySet.isZoneIdAccepted(str2)) {
            throw new OAuth2ServiceException("Keys not accepted for zone_uuid " + str2);
        }

        for (JsonWebKey candidate : keySet.getAll()) {
            boolean sameKeyId = str.equals(candidate.getId());
            if (sameKeyId && candidate.getKeyAlgorithm().equals(jwtSignatureAlgorithm)) {
                return candidate.getPublicKey();
            }
        }

        LOGGER.warn("No matching key found. Keys cached: {}", keySet);
        return null;
    }

    /**
     * Builds the configuration that will actually be applied: a size below 1000 or a duration
     * outside 600 to 900 seconds is replaced by the currently configured value, and the rejection
     * is logged at error level.
     *
     * <p>NOTE(review): presumably the upper duration bound limits how long a rotated or withdrawn
     * key can still be served from the cache, and the lower bounds limit load on the key
     * endpoint; confirm against the library documentation.
     *
     * @param cacheConfiguration the requested configuration, must not be null
     * @return a configuration whose size and duration are the requested or the retained values
     */
    private TokenKeyCacheConfiguration getCheckedConfiguration(CacheConfiguration cacheConfiguration) {
        Assertions.assertNotNull(cacheConfiguration, "CacheConfiguration must not be null!");
        int size = cacheConfiguration.getCacheSize();
        Duration duration = cacheConfiguration.getCacheDuration();

        if (size < MIN_CACHE_SIZE) {
            int currentSize = getCacheConfiguration().getCacheSize();
            LOGGER.error("Tried to set cache size to {} but the cache size must be 1000 or more. Cache size will remain at: {}", size, currentSize);
            size = currentSize;
        }

        if (duration.getSeconds() < MIN_CACHE_DURATION_SECONDS) {
            Duration currentDuration = getCacheConfiguration().getCacheDuration();
            LOGGER.error("Tried to set cache duration to {} seconds but the cache duration must be at least 600 seconds. Cache duration will remain at: {} seconds", duration.getSeconds(), currentDuration.getSeconds());
            duration = currentDuration;
        }

        // Checked separately from the lower bound, against whatever duration is now selected.
        if (duration.getSeconds() > MAX_CACHE_DURATION_SECONDS) {
            Duration currentDuration = getCacheConfiguration().getCacheDuration();
            LOGGER.error("Tried to set cache duration to {} seconds but the cache duration must be maximum 900 seconds. Cache duration will remain at: {} seconds", duration.getSeconds(), currentDuration.getSeconds());
            duration = currentDuration;
        }

        return TokenKeyCacheConfiguration.getInstance(duration, size, cacheConfiguration.isCacheStatisticsEnabled());
    }

    /**
     * Calls the token key service for the given URL and zone and records the outcome.
     *
     * <p>With no cached key set, the response is parsed, marked as accepted for the zone and put
     * into the cache. With a cached key set, the response body is not parsed: the successful call
     * only marks the zone as accepted on the existing key set, and no new cache entry is written.
     * If the call fails, an existing key set is marked as not accepted for the zone and the
     * exception is rethrown.
     *
     * @param jwksUri the key URL to fetch from
     * @param zoneId the zone id the keys are requested for
     * @param cachedKeySet the key set already cached for the URL, or {@code null}
     * @return the key set to use for the lookup
     * @throws OAuth2ServiceException if the token key service reports a failure
     */
    private JsonWebKeySet retrieveTokenKeysAndUpdateCache(URI jwksUri, String zoneId, @Nullable JsonWebKeySet cachedKeySet) throws OAuth2ServiceException {
        try {
            String jwksJson = getTokenKeyService().retrieveTokenKeys(jwksUri, zoneId);
            if (cachedKeySet == null) {
                JsonWebKeySet freshKeySet = JsonWebKeySetFactory.createFromJson(jwksJson).withZoneId(zoneId, true);
                getCache().put(jwksUri.toString(), freshKeySet);
                return freshKeySet;
            }
            return cachedKeySet.withZoneId(zoneId, true);
        } catch (OAuth2ServiceException e) {
            if (cachedKeySet != null) {
                // Return value unused; presumably withZoneId updates the key set in place - confirm.
                cachedKeySet.withZoneId(zoneId, false);
            }
            throw e;
        }
    }

    /**
     * Returns the cache, building it from the current configuration on first call.
     *
     * @return the cache of key sets keyed by key URL
     */
    private Cache<String, JsonWebKeySet> getCache() {
        if (this.cache != null) {
            return this.cache;
        }
        Caffeine<Object, Object> builder = Caffeine.newBuilder()
                .ticker(this.cacheTicker)
                .expireAfterWrite(getCacheConfiguration().getCacheDuration())
                .maximumSize(getCacheConfiguration().getCacheSize());
        if (getCacheConfiguration().isCacheStatisticsEnabled()) {
            builder.recordStats();
        }
        this.cache = builder.build();
        return this.cache;
    }

    /**
     * Returns the configured token key service, creating the default one when none was set.
     *
     * @return the service used to fetch token keys
     */
    private OAuth2TokenKeyService getTokenKeyService() {
        if (this.tokenKeyService != null) {
            return this.tokenKeyService;
        }
        this.tokenKeyService = new DefaultOAuth2TokenKeyService();
        return this.tokenKeyService;
    }

    /**
     * Returns the cache configuration currently held by this instance.
     *
     * @return the current cache configuration
     */
    @Nonnull
    public CacheConfiguration getCacheConfiguration() {
        return this.cacheConfiguration;
    }

    /** Drops every cached key set; does nothing when the cache has not been built yet. */
    public void clearCache() {
        if (this.cache == null) {
            return;
        }
        this.cache.invalidateAll();
    }

    /**
     * Returns the cache statistics when statistics recording is enabled in the current
     * configuration, building the cache if it does not exist yet.
     *
     * @return the statistics object of the cache, or {@code null} when recording is disabled
     */
    public Object getCacheStatistics() {
        return getCacheConfiguration().isCacheStatisticsEnabled() ? getCache().stats() : null;
    }
}
