package info.magnolia.cms.security;

import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import info.magnolia.cms.beans.config.ServerConfiguration;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.util.Collections;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.inject.Inject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:info/magnolia/cms/security/HmacCsrfToken.class */
public class HmacCsrfToken implements CsrfTokenStrategy {
    private static final Logger LOG = LoggerFactory.getLogger(HmacCsrfToken.class);

    @Deprecated
    public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA256";
    public static final String SHA512_MAC_ALGORITHM = "HmacSHA512";
    private final ServerConfiguration serverConfiguration;
    private final SecretKey macKey;
    private final SecureRandom random;
    private final int MAC_POOL_MAX_SIZE = Integer.getInteger("info.magnolia.cms.security.HmacCsrfToken.macPoolMaxSize", 100).intValue();
    private final int MAC_POOL_RETENTION_SECONDS = Integer.getInteger("info.magnolia.cms.security.HmacCsrfToken.macPoolRetentionMillis", 60000).intValue();
    private final String SECURE_RANDOM_ALGORITHM = System.getProperty("info.magnolia.cms.security.HmacCsrfToken.secureRandomAlgorithm");
    private final int SALT_SIZE = Integer.getInteger("info.magnolia.cms.security.HmacCsrfToken.saltSize", 16).intValue();
    private final Set<PooledMac> macPool = Collections.newSetFromMap(new ConcurrentHashMap());
    private Duration tokenRenewalInterval = Duration.ofMinutes(10);
    private String macAlgorithm = SHA512_MAC_ALGORITHM;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:info/magnolia/cms/security/HmacCsrfToken$PooledMac.class */
    public class PooledMac {
        private final Mac mac;
        private long touched = System.currentTimeMillis();

        PooledMac() {
            this.mac = HmacCsrfToken.createMac(HmacCsrfToken.this.macAlgorithm, HmacCsrfToken.this.macKey);
        }

        <T> T withMac(Function<Mac, T> function) {
            try {
                this.touched = System.currentTimeMillis();
                return function.apply(this.mac);
            } finally {
                if (HmacCsrfToken.this.macPool.size() < HmacCsrfToken.this.MAC_POOL_MAX_SIZE) {
                    HmacCsrfToken.this.macPool.add(this);
                }
                HmacCsrfToken.this.macPool.removeIf(pooledMac -> {
                    return System.currentTimeMillis() - pooledMac.touched > ((long) HmacCsrfToken.this.MAC_POOL_RETENTION_SECONDS);
                });
            }
        }
    }

    @Inject
    public HmacCsrfToken(ServerConfiguration serverConfiguration) {
        try {
            this.serverConfiguration = serverConfiguration;
            this.macKey = KeyGenerator.getInstance("AES").generateKey();
            this.random = Strings.isNullOrEmpty(this.SECURE_RANDOM_ALGORITHM) ? new SecureRandom() : SecureRandom.getInstance(this.SECURE_RANDOM_ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public String getMacAlgorithm() {
        return this.macAlgorithm;
    }

    public void setMacAlgorithm(String str) {
        createMac(str, this.macKey);
        this.macAlgorithm = str;
        this.macPool.clear();
    }

    private static Mac createMac(String str, SecretKey secretKey) {
        try {
            Mac mac = Mac.getInstance(str);
            mac.init(secretKey);
            return mac;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e);
        }
    }

    public long getTokenRenewalIntervalMinutes() {
        return this.tokenRenewalInterval.toMinutes();
    }

    public void setTokenRenewalIntervalMinutes(long j) {
        if (j <= 0) {
            throw new IllegalArgumentException("CSRF token renewal interval must be greater than 0.");
        }
        this.tokenRenewalInterval = Duration.ofMinutes(j);
    }

    @Override // info.magnolia.cms.security.CsrfTokenStrategy
    public String newToken() {
        String hMacToken = ((HMacToken) withPooledMac(this::newToken)).toString();
        LOG.debug("Created new CSRF token {}", hMacToken);
        return hMacToken;
    }

    private HMacToken newToken(Mac mac) {
        byte[] bArr = new byte[this.SALT_SIZE];
        this.random.nextBytes(bArr);
        return new HMacToken(this.serverConfiguration.getInstanceUuid(), getCurrentMillis(), bArr, mac);
    }

    @Override // info.magnolia.cms.security.CsrfTokenStrategy
    public boolean isValid(String str) {
        HMacToken fromString = HMacToken.fromString(this.serverConfiguration.getInstanceUuid(), str);
        boolean isExpired = fromString.isExpired(getCurrentMillis(), 2 * this.tokenRenewalInterval.toMillis());
        Objects.requireNonNull(fromString);
        boolean z = ((Boolean) withPooledMac(fromString::isConsistent)).booleanValue() && !isExpired;
        LOG.debug("CSRF token {} is {}", str, z ? "valid" : "invalid");
        return z;
    }

    @Override // info.magnolia.cms.security.CsrfTokenStrategy
    public boolean needsRenewal(String str) {
        HMacToken fromString = HMacToken.fromString(this.serverConfiguration.getInstanceUuid(), str);
        long currentMillis = getCurrentMillis();
        boolean z = fromString.isExpired(currentMillis, this.tokenRenewalInterval.toMillis()) && !fromString.isExpired(currentMillis, 2 * this.tokenRenewalInterval.toMillis());
        Objects.requireNonNull(fromString);
        boolean z2 = ((Boolean) withPooledMac(fromString::isConsistent)).booleanValue() && z;
        LOG.debug("CSRF token {} {} renewal", str, z2 ? "needs" : "does not need");
        return z2;
    }

    protected long getCurrentMillis() {
        return System.currentTimeMillis();
    }

    private <T> T withPooledMac(Function<Mac, T> function) {
        PooledMac pooledMac;
        do {
            pooledMac = (PooledMac) Iterables.getFirst(this.macPool, (Object) null);
            if (pooledMac == null) {
                break;
            }
        } while (!this.macPool.remove(pooledMac));
        return (T) ((PooledMac) Optional.ofNullable(pooledMac).orElseGet(() -> {
            return new PooledMac();
        })).withMac(function);
    }
}
