package org.apache.nifi.web.security.otp;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.nifi.web.security.token.OtpAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/web/security/otp/OtpService.class */
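/**
 * Issues and redeems single-use tokens for two purposes: downloads and UI extensions.
 *
 * <p>Each purpose has its own cache, so a token issued for one purpose cannot be redeemed
 * through the other. A token is valid until it is redeemed (the entry is removed on the first
 * successful lookup) or until the cache's expire-after-write period elapses, whichever comes
 * first. The token string itself is the only credential: whoever presents it receives the
 * name that was stored when it was issued.
 */
public class OtpService {
    private static final Logger logger = LoggerFactory.getLogger(OtpService.class);
    private static final String HMAC_SHA256 = "HmacSHA256";

    /** Shared CSPRNG for per-token HMAC keys; {@link SecureRandom} is safe for concurrent use. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /** Number of trailing token characters that may appear in diagnostic output. */
    private static final int TOKEN_SUFFIX_LENGTH = 6;

    /**
     * Upper bound on outstanding tokens per cache. It is "soft" because the size check and the
     * insert in {@code generateToken} are separate operations, so concurrent callers can
     * briefly exceed it. The bound is shared by all callers of a cache, not tracked per user.
     */
    protected static final int MAX_CACHE_SOFT_LIMIT = 100;

    private final Cache<CacheKey, String> downloadTokenCache;
    private final Cache<CacheKey, String> uiExtensionCache;

    /**
     * Cache key wrapping a token string.
     *
     * <p>Decompiler note: this class was declared {@code private} in the original source; the
     * {@code public} modifier is an artifact of decompilation. The token must be non-null:
     * {@link #equals(Object)}, {@link #hashCode()} and {@link #toString()} dereference it.
     */
    public static class CacheKey {
        final String token;

        public CacheKey(String str) {
            this.token = str;
        }

        public String getToken() {
            return this.token;
        }

        /**
         * Compares tokens with {@link MessageDigest#isEqual(byte[], byte[])} rather than
         * {@link String#equals(Object)} so the comparison itself does not short-circuit on the
         * first differing byte. Note that the map still selects candidates through
         * {@link #hashCode()} before this method is reached.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final byte[] mine = this.token.getBytes(StandardCharsets.UTF_8);
            final byte[] theirs = ((CacheKey) obj).token.getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(mine, theirs);
        }

        @Override
        public int hashCode() {
            return this.token.hashCode();
        }

        /**
         * Renders the key for diagnostics without exposing the full token: only the last
         * {@value OtpService#TOKEN_SUFFIX_LENGTH} characters are shown. Tokens shorter than
         * that are fully redacted instead of raising {@link StringIndexOutOfBoundsException},
         * which matters because keys are also built from caller-supplied strings on redemption.
         */
        @Override
        public String toString() {
            final int length = this.token.length();
            final String suffix = length >= TOKEN_SUFFIX_LENGTH
                    ? this.token.substring(length - TOKEN_SUFFIX_LENGTH)
                    : "";
            return "CacheKey{token ending in '..." + suffix + "'}";
        }
    }

    /** Creates a service whose tokens expire five minutes after they are issued. */
    public OtpService() {
        this(5, TimeUnit.MINUTES);
    }

    /**
     * Creates a service whose tokens expire the given period after they are issued.
     *
     * @param i        length of the validity period
     * @param timeUnit unit of {@code i}
     */
    public OtpService(int i, TimeUnit timeUnit) {
        this.downloadTokenCache = CacheBuilder.newBuilder().expireAfterWrite(i, timeUnit).build();
        this.uiExtensionCache = CacheBuilder.newBuilder().expireAfterWrite(i, timeUnit).build();
    }

    /**
     * Issues a single-use download token bound to the name of the given authentication.
     *
     * @param otpAuthenticationToken authentication whose {@code getName()} value is stored
     * @return the token string to hand to the client
     * @throws IllegalStateException if the download cache is at its soft limit or the token
     *                               cannot be generated
     */
    public String generateDownloadToken(OtpAuthenticationToken otpAuthenticationToken) {
        return generateToken(this.downloadTokenCache.asMap(), otpAuthenticationToken);
    }

    /**
     * Redeems a download token. The token is consumed by this call and cannot be used again.
     *
     * @param str token presented by the client
     * @return the name stored when the token was issued
     * @throws OtpAuthenticationException if the token is null, unknown, expired or already used
     */
    public String getAuthenticationFromDownloadToken(String str) throws OtpAuthenticationException {
        return getAuthenticationFromToken(this.downloadTokenCache.asMap(), str);
    }

    /**
     * Issues a single-use UI extension token bound to the name of the given authentication.
     *
     * @param otpAuthenticationToken authentication whose {@code getName()} value is stored
     * @return the token string to hand to the client
     * @throws IllegalStateException if the UI extension cache is at its soft limit or the token
     *                               cannot be generated
     */
    public String generateUiExtensionToken(OtpAuthenticationToken otpAuthenticationToken) {
        return generateToken(this.uiExtensionCache.asMap(), otpAuthenticationToken);
    }

    /**
     * Redeems a UI extension token. The token is consumed by this call and cannot be used again.
     *
     * @param str token presented by the client
     * @return the name stored when the token was issued
     * @throws OtpAuthenticationException if the token is null, unknown, expired or already used
     */
    public String getAuthenticationFromUiExtensionToken(String str) throws OtpAuthenticationException {
        return getAuthenticationFromToken(this.uiExtensionCache.asMap(), str);
    }

    /**
     * Generates a token, records it in the given cache view and returns it.
     *
     * @throws IllegalStateException if the cache already holds {@link #MAX_CACHE_SOFT_LIMIT}
     *                               entries, or if the new token collides with an existing one
     */
    private String generateToken(ConcurrentMap<CacheKey, String> tokens, OtpAuthenticationToken authentication) {
        // NOTE(review): the size of a Guava cache view may still count entries that have
        // expired but not yet been cleaned up - confirm this is acceptable for the limit.
        if (tokens.size() >= MAX_CACHE_SOFT_LIMIT) {
            throw new IllegalStateException("The maximum number of single use tokens have been issued.");
        }
        final CacheKey cacheKey = new CacheKey(hash(authentication));
        // A collision is not expected with a 256-bit MAC, but if one ever occurred the new
        // token would silently resolve to the name already stored under it. Fail instead.
        if (tokens.putIfAbsent(cacheKey, authentication.getName()) != null) {
            throw new IllegalStateException("Unable to generate single use token.");
        }
        return cacheKey.getToken();
    }

    /**
     * Looks up and removes the entry for the presented token in one atomic map operation, so
     * that two concurrent redemptions of the same token cannot both succeed.
     *
     * @throws OtpAuthenticationException if no entry exists for the token
     */
    private String getAuthenticationFromToken(ConcurrentMap<CacheKey, String> tokens, String presented) throws OtpAuthenticationException {
        // A missing token is an authentication failure, not a programming error; without this
        // guard the key's hashCode() would raise NullPointerException. The message is the same
        // as for an unknown token so the response does not distinguish the two cases.
        if (presented == null) {
            throw new OtpAuthenticationException("Unable to validate the access token.");
        }
        final String name = tokens.remove(new CacheKey(presented));
        if (name == null) {
            throw new OtpAuthenticationException("Unable to validate the access token.");
        }
        return name;
    }

    /**
     * Produces the token string: an HMAC-SHA256 over {@code name + "-" + System.nanoTime()},
     * keyed with 32 fresh random bytes and encoded as URL-safe Base64.
     *
     * <p>The key is generated here and never stored, so the value cannot be recomputed or
     * verified later; unpredictability comes from the random key, and validity is decided
     * solely by the cache lookup on redemption.
     *
     * @throws IllegalStateException if the MAC algorithm is unavailable or rejects the key
     */
    private String hash(OtpAuthenticationToken authentication) {
        try {
            final String input = authentication.getName() + "-" + System.nanoTime();
            final byte[] keyBytes = new byte[32];
            SECURE_RANDOM.nextBytes(keyBytes);
            final Mac mac = Mac.getInstance(HMAC_SHA256);
            mac.init(new SecretKeySpec(keyBytes, HMAC_SHA256));
            return Base64.encodeBase64URLSafeString(mac.doFinal(input.getBytes(StandardCharsets.UTF_8)));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            logger.error("There was an error generating the OTP", e);
            // Keep the cause attached so callers that log the exception see the root failure.
            throw new IllegalStateException("Unable to generate single use token.", e);
        }
    }
}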
