package com.neo4j.gds.arrow.server.auth;

import com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.Cache;
import com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.Caffeine;
import com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.RemovalCause;
import com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.Scheduler;
import com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.Ticker;
import com.neo4j.gds.shaded.org.agrona.concurrent.BackoffIdleStrategy;
import com.neo4j.gds.shaded.org.apache.arrow.flight.CallHeaders;
import com.neo4j.gds.shaded.org.apache.arrow.flight.CallStatus;
import com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.Auth2Constants;
import com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.AuthUtilities;
import com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.BearerTokenAuthenticator;
import com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.CallHeaderAuthenticator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import org.neo4j.gds.core.concurrency.ExecutorServiceUtil;
import org.neo4j.gds.core.utils.ClockService;
import org.neo4j.logging.Log;

/* loaded from: input_file:com/neo4j/gds/arrow/server/auth/GdsBearerTokenAuthenticator.class */
public class GdsBearerTokenAuthenticator extends BearerTokenAuthenticator {
    private final Cache<String, Identity> tokenToIdentityCache;
    private final Map<String, Identity> userToIdentityMap;
    private final BearerTokenGenerator tokenGenerator;
    private final Log log;

    /* loaded from: input_file:com/neo4j/gds/arrow/server/auth/GdsBearerTokenAuthenticator$ClockServiceWrappingTicker.class */
    private static class ClockServiceWrappingTicker implements Ticker {
        private ClockServiceWrappingTicker() {
        }

        @Override // com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.Ticker
        public long read() {
            return ClockService.clock().millis() * BackoffIdleStrategy.DEFAULT_MAX_PARK_PERIOD_NS;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/neo4j/gds/arrow/server/auth/GdsBearerTokenAuthenticator$Identity.class */
    public static class Identity {
        private final String identity;
        private final AtomicInteger refCount = new AtomicInteger(0);

        Identity(String str) {
            this.identity = str;
        }

        String identity() {
            return this.identity;
        }

        Identity increment() {
            this.refCount.incrementAndGet();
            return this;
        }

        int decrement() {
            return this.refCount.decrementAndGet();
        }
    }

    /* loaded from: input_file:com/neo4j/gds/arrow/server/auth/GdsBearerTokenAuthenticator$InternalRemovalListener.class */
    private final class InternalRemovalListener implements com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.RemovalListener<String, Identity> {
        private final RemovalListener removalListener;

        private InternalRemovalListener(RemovalListener removalListener) {
            this.removalListener = removalListener;
        }

        @Override // com.neo4j.gds.shaded.com.github.benmanes.caffeine.cache.RemovalListener
        public void onRemoval(String str, Identity identity, RemovalCause removalCause) {
            if (str == null || identity == null || identity.decrement() != 0) {
                return;
            }
            this.removalListener.onRemoval(identity.identity());
            GdsBearerTokenAuthenticator.this.userToIdentityMap.remove(identity.identity());
        }
    }

    /* loaded from: input_file:com/neo4j/gds/arrow/server/auth/GdsBearerTokenAuthenticator$RemovalListener.class */
    public interface RemovalListener {
        void onRemoval(String str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public GdsBearerTokenAuthenticator(CallHeaderAuthenticator callHeaderAuthenticator, BearerTokenGenerator bearerTokenGenerator, RemovalListener removalListener, Log log) {
        super(callHeaderAuthenticator);
        this.tokenGenerator = bearerTokenGenerator;
        this.log = log;
        ScheduledExecutorService createSingleThreadScheduler = ExecutorServiceUtil.createSingleThreadScheduler("GDS-TokenCache");
        this.tokenToIdentityCache = Caffeine.newBuilder().expireAfterWrite(2L, TimeUnit.HOURS).removalListener(new InternalRemovalListener(removalListener)).ticker(new ClockServiceWrappingTicker()).executor(createSingleThreadScheduler).scheduler(Scheduler.forScheduledExecutorService(createSingleThreadScheduler)).build();
        this.userToIdentityMap = new ConcurrentHashMap();
    }

    private static void writeHttpHeader(CallHeaders callHeaders, String str) {
        callHeaders.insert("Authorization", "Bearer " + str);
    }

    @Override // com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.BearerTokenAuthenticator
    protected CallHeaderAuthenticator.AuthResult validateBearer(final String str) {
        final Identity ifPresent = this.tokenToIdentityCache.getIfPresent(str);
        if (ifPresent != null) {
            this.log.info("Validated token for user '%s'.", new Object[]{ifPresent.identity()});
            return new CallHeaderAuthenticator.AuthResult() { // from class: com.neo4j.gds.arrow.server.auth.GdsBearerTokenAuthenticator.1
                @Override // com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.CallHeaderAuthenticator.AuthResult
                public String getPeerIdentity() {
                    return ifPresent.identity();
                }

                @Override // com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.CallHeaderAuthenticator.AuthResult
                public void appendToOutgoingHeaders(CallHeaders callHeaders) {
                    if (null == AuthUtilities.getValueFromAuthHeader(callHeaders, Auth2Constants.BEARER_PREFIX)) {
                        GdsBearerTokenAuthenticator.writeHttpHeader(callHeaders, str);
                    }
                }
            };
        }
        this.log.info("Failed to validate token.");
        this.tokenToIdentityCache.cleanUp();
        throw CallStatus.UNAUTHENTICATED.withDescription("Token expired, please re-authenticate").toRuntimeException();
    }

    @Override // com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.BearerTokenAuthenticator
    protected CallHeaderAuthenticator.AuthResult getAuthResultWithBearerToken(CallHeaderAuthenticator.AuthResult authResult) {
        final String generateBearerToken = this.tokenGenerator.generateBearerToken();
        final Identity increment = this.userToIdentityMap.computeIfAbsent(authResult.getPeerIdentity(), Identity::new).increment();
        this.tokenToIdentityCache.put(generateBearerToken, increment);
        return new CallHeaderAuthenticator.AuthResult() { // from class: com.neo4j.gds.arrow.server.auth.GdsBearerTokenAuthenticator.2
            @Override // com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.CallHeaderAuthenticator.AuthResult
            public String getPeerIdentity() {
                return increment.identity();
            }

            @Override // com.neo4j.gds.shaded.org.apache.arrow.flight.auth2.CallHeaderAuthenticator.AuthResult
            public void appendToOutgoingHeaders(CallHeaders callHeaders) {
                GdsBearerTokenAuthenticator.writeHttpHeader(callHeaders, generateBearerToken);
            }
        };
    }
}
