package org.graylog2.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.Maps;
import com.mongodb.BasicDBObject;
import com.mongodb.BasicDBObjectBuilder;
import com.mongodb.DBObject;
import com.mongodb.DuplicateKeyException;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.bson.types.ObjectId;
import org.graylog2.database.MongoConnection;
import org.graylog2.database.PersistedServiceImpl;
import org.graylog2.plugin.Tools;
import org.graylog2.plugin.database.ValidationException;
import org.graylog2.security.AccessTokenImpl;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:org/graylog2/security/AccessTokenServiceImpl.class */
public class AccessTokenServiceImpl extends PersistedServiceImpl implements AccessTokenService {
    private static final Logger LOG = LoggerFactory.getLogger(AccessTokenServiceImpl.class);
    private static final SecureRandom RANDOM = new SecureRandom();
    private final AccessTokenCipher cipher;
    private LoadingCache<String, DateTime> lastAccessCache;

    @Inject
    public AccessTokenServiceImpl(MongoConnection mongoConnection, AccessTokenCipher accessTokenCipher) {
        super(mongoConnection);
        this.cipher = accessTokenCipher;
        setLastAccessCache(30L, TimeUnit.SECONDS);
        collection(AccessTokenImpl.class).createIndex(new BasicDBObject(AccessTokenImpl.TOKEN_TYPE, 1));
        collection(AccessTokenImpl.class).createIndex(new BasicDBObject(AccessTokenImpl.TOKEN, 1), new BasicDBObject("unique", true));
    }

    @Override // org.graylog2.security.AccessTokenService
    public AccessToken load(String str) {
        BasicDBObject basicDBObject = new BasicDBObject();
        basicDBObject.put(AccessTokenImpl.TOKEN, this.cipher.encrypt(str));
        List<DBObject> query = query(AccessTokenImpl.class, (DBObject) basicDBObject);
        if (query.isEmpty()) {
            return null;
        }
        if (query.size() <= 1) {
            return fromDBObject(query.get(0));
        }
        LOG.error("Multiple access tokens found, this is a serious bug.");
        throw new IllegalStateException("Access tokens collection has no unique index!");
    }

    @Override // org.graylog2.security.AccessTokenService
    @Nullable
    public AccessToken loadById(String str) {
        try {
            DBObject dBObject = get(AccessTokenImpl.class, str);
            if (dBObject != null) {
                return fromDBObject(dBObject);
            }
            return null;
        } catch (IllegalArgumentException e) {
            LOG.debug("Couldn't load access token", e);
            return null;
        }
    }

    @Override // org.graylog2.security.AccessTokenService
    public List<AccessToken> loadAll(String str) {
        BasicDBObject basicDBObject = new BasicDBObject();
        basicDBObject.put("username", str);
        return (List) query(AccessTokenImpl.class, (DBObject) basicDBObject).stream().map(this::fromDBObject).collect(Collectors.toList());
    }

    @Override // org.graylog2.security.AccessTokenService
    public AccessToken create(String str, String str2) {
        AccessTokenImpl accessTokenImpl;
        HashMap newHashMap = Maps.newHashMap();
        String str3 = null;
        int i = 0;
        do {
            newHashMap.put(AccessTokenImpl.TOKEN, new BigInteger(256, RANDOM).toString(32));
            newHashMap.put("username", str);
            newHashMap.put(AccessTokenImpl.NAME, str2);
            newHashMap.put(AccessTokenImpl.LAST_ACCESS, Tools.dateTimeFromDouble(0.0d));
            accessTokenImpl = new AccessTokenImpl(newHashMap);
            try {
                str3 = saveWithoutValidation(encrypt(accessTokenImpl));
            } catch (DuplicateKeyException e) {
            }
            int i2 = i;
            i++;
            if (i2 >= 10) {
                break;
            }
        } while (str3 == null);
        if (str3 == null) {
            throw new IllegalStateException("Could not create unique access token, tried 10 times. This is bad.");
        }
        return accessTokenImpl;
    }

    @Override // org.graylog2.security.AccessTokenService
    public DateTime touch(AccessToken accessToken) throws ValidationException {
        try {
            return (DateTime) this.lastAccessCache.get(accessToken.getId());
        } catch (ExecutionException e) {
            LOG.debug("Ignoring error: " + e.getMessage());
            return null;
        }
    }

    @Override // org.graylog2.security.AccessTokenService
    public String save(AccessToken accessToken) throws ValidationException {
        return super.save((AccessTokenServiceImpl) encrypt(accessToken));
    }

    @Override // org.graylog2.security.AccessTokenService
    public int deleteAllForUser(String str) {
        LOG.debug("Deleting all access tokens of user \"{}\"", str);
        int destroy = destroy(BasicDBObjectBuilder.start("username", str).get(), AccessTokenImpl.COLLECTION_NAME);
        LOG.debug("Deleted {} access tokens of user \"{}\"", Integer.valueOf(destroy), str);
        return destroy;
    }

    private AccessTokenImpl fromDBObject(DBObject dBObject) {
        HashMap hashMap = new HashMap(dBObject.toMap());
        String str = (String) hashMap.get(AccessTokenImpl.TOKEN);
        if (StringUtils.isNotBlank(str)) {
            hashMap.put(AccessTokenImpl.TOKEN, this.cipher.decrypt(str));
            hashMap.remove(AccessTokenImpl.TOKEN_TYPE);
        }
        return new AccessTokenImpl((ObjectId) dBObject.get("_id"), hashMap);
    }

    private AccessTokenImpl encrypt(AccessToken accessToken) {
        HashMap hashMap = new HashMap(accessToken.getFields());
        String str = (String) hashMap.get(AccessTokenImpl.TOKEN);
        if (StringUtils.isNotBlank(str)) {
            hashMap.put(AccessTokenImpl.TOKEN, this.cipher.encrypt(str));
            hashMap.put(AccessTokenImpl.TOKEN_TYPE, Integer.valueOf(AccessTokenImpl.Type.AES_SIV.getIntValue()));
        }
        return accessToken.getId() == null ? new AccessTokenImpl(hashMap) : new AccessTokenImpl(new ObjectId(accessToken.getId()), hashMap);
    }

    @Override // org.graylog2.security.AccessTokenService
    @VisibleForTesting
    public void setLastAccessCache(long j, TimeUnit timeUnit) {
        this.lastAccessCache = CacheBuilder.newBuilder().expireAfterAccess(j, timeUnit).build(new CacheLoader<String, DateTime>() { // from class: org.graylog2.security.AccessTokenServiceImpl.1
            public DateTime load(String str) throws Exception {
                AccessToken loadById = AccessTokenServiceImpl.this.loadById(str);
                DateTime nowUTC = Tools.nowUTC();
                if (loadById != null) {
                    loadById.getFields().put(AccessTokenImpl.LAST_ACCESS, Tools.nowUTC());
                    AccessTokenServiceImpl.LOG.debug("Accesstoken: saving access time");
                    AccessTokenServiceImpl.this.save(loadById);
                }
                return nowUTC;
            }
        });
    }
}
