package com.yahoo.athenz.zpe;

import com.yahoo.athenz.auth.token.AccessToken;
import com.yahoo.athenz.auth.token.RoleToken;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.common.utils.SignUtils;
import com.yahoo.athenz.zpe.match.ZpeMatch;
import com.yahoo.athenz.zpe.match.impl.ZpeMatchAll;
import com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual;
import com.yahoo.athenz.zpe.match.impl.ZpeMatchRegex;
import com.yahoo.athenz.zpe.match.impl.ZpeMatchStartsWith;
import com.yahoo.athenz.zts.Assertion;
import com.yahoo.athenz.zts.AssertionEffect;
import com.yahoo.athenz.zts.DomainSignedPolicyData;
import com.yahoo.athenz.zts.Policy;
import com.yahoo.athenz.zts.PolicyData;
import com.yahoo.athenz.zts.SignedPolicyData;
import com.yahoo.rdl.JSON;
import com.yahoo.rdl.Struct;
import java.io.Closeable;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/zpe/ZpeUpdPolLoader.class */
public class ZpeUpdPolLoader implements Closeable {
    static long sleepTimeMillis;
    static long cleanupTokenInterval;
    private ZpeUpdMonitor updMonWorker;
    static ConcurrentHashMap<String, RoleToken> roleTokenCacheMap;
    static ConcurrentHashMap<String, AccessToken> accessTokenCacheMap;
    private String polDirName;
    private static final Logger LOG = LoggerFactory.getLogger(ZpeUpdPolLoader.class);
    static long lastRoleTokenCleanup = System.currentTimeMillis();
    static long lastAccessTokenCleanup = System.currentTimeMillis();
    static boolean skipPolicyDirCheck = Boolean.parseBoolean(System.getProperty(ZpeConsts.ZPE_PROP_SKIP_POLICY_DIR_CHECK, "false"));
    private final ScheduledExecutorService scheduledExecutorSvc = Executors.newScheduledThreadPool(1);
    ConcurrentHashMap<String, Map<String, List<Struct>>> domStandardRoleAllowMap = new ConcurrentHashMap<>();
    ConcurrentHashMap<String, Map<String, List<Struct>>> domWildcardRoleAllowMap = new ConcurrentHashMap<>();
    ConcurrentHashMap<String, Map<String, List<Struct>>> domStandardRoleDenyMap = new ConcurrentHashMap<>();
    ConcurrentHashMap<String, Map<String, List<Struct>>> domWildcardRoleDenyMap = new ConcurrentHashMap<>();
    private final Map<String, ZpeFileStatus> fileStatusRef = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/athenz/zpe/ZpeUpdPolLoader$ZpeFileStatus.class */
    public static class ZpeFileStatus {
        long modifyTimeMillis;
        String domain = null;
        boolean validPolFile = false;

        ZpeFileStatus(long j) {
            this.modifyTimeMillis = j;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ZpeUpdPolLoader(String str) {
        if (null != str) {
            this.polDirName = str;
            try {
                loadDb();
            } catch (Exception e) {
                LOG.error("loadDb Failed", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getDirName() {
        return this.polDirName;
    }

    Map<String, ZpeFileStatus> getFileStatusMap() {
        return this.fileStatusRef;
    }

    public Map<String, List<Struct>> getWildcardRoleAllowMap(String str) {
        return this.domWildcardRoleAllowMap.get(str);
    }

    public Map<String, List<Struct>> getStandardRoleAllowMap(String str) {
        return this.domStandardRoleAllowMap.get(str);
    }

    public Map<String, List<Struct>> getWildcardRoleDenyMap(String str) {
        return this.domWildcardRoleDenyMap.get(str);
    }

    public Map<String, List<Struct>> getStandardRoleDenyMap(String str) {
        return this.domStandardRoleDenyMap.get(str);
    }

    public static Map<String, RoleToken> getRoleTokenCacheMap() {
        return roleTokenCacheMap;
    }

    public static Map<String, AccessToken> getAccessTokenCacheMap() {
        return accessTokenCacheMap;
    }

    public void start() throws Exception {
        if (this.polDirName == null) {
            throw new Exception("ERROR: start: no policy directory name, can't monitor data files");
        }
        if (this.updMonWorker == null) {
            this.updMonWorker = new ZpeUpdMonitor(this);
        }
        this.scheduledExecutorSvc.scheduleAtFixedRate(this.updMonWorker, 0L, sleepTimeMillis, TimeUnit.MILLISECONDS);
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.updMonWorker != null) {
            this.updMonWorker.cancel();
        }
        this.scheduledExecutorSvc.shutdownNow();
    }

    public static void cleanupRoleTokenCache() {
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis < cleanupTokenInterval + lastRoleTokenCleanup) {
            return;
        }
        long j = currentTimeMillis / 1000;
        roleTokenCacheMap.entrySet().removeIf(entry -> {
            return ((RoleToken) entry.getValue()).getExpiryTime() < j;
        });
        lastRoleTokenCleanup = currentTimeMillis;
    }

    public static void cleanupAccessTokenCache() {
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis < cleanupTokenInterval + lastAccessTokenCleanup) {
            return;
        }
        long j = currentTimeMillis / 1000;
        accessTokenCacheMap.entrySet().removeIf(entry -> {
            return ((AccessToken) entry.getValue()).getExpiryTime() < j;
        });
        lastAccessTokenCleanup = currentTimeMillis;
    }

    void loadDb() {
        if (this.updMonWorker == null) {
            this.updMonWorker = new ZpeUpdMonitor(this);
        }
        if (skipPolicyDirCheck) {
            return;
        }
        loadDb(this.updMonWorker.loadFileStatus());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void loadDb(File[] fileArr) {
        if (fileArr == null) {
            LOG.error("loadDb: no policy files to load");
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadDb: START thrd={} directory={}", Long.valueOf(Thread.currentThread().getId()), this.polDirName);
        }
        for (File file : fileArr) {
            String name = file.getName();
            if (LOG.isDebugEnabled()) {
                LOG.debug("loadDb: START thrd={} file name={}", Long.valueOf(Thread.currentThread().getId()), name);
            }
            long lastModified = file.lastModified();
            Map<String, ZpeFileStatus> fileStatusMap = getFileStatusMap();
            ZpeFileStatus zpeFileStatus = fileStatusMap.get(name);
            if (zpeFileStatus != null) {
                if (!file.exists()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("loadDb: file({}) was deleted or doesn't exist", name);
                    }
                    fileStatusMap.remove(name);
                    if (zpeFileStatus.validPolFile && zpeFileStatus.domain != null) {
                        this.domStandardRoleAllowMap.put(zpeFileStatus.domain, new TreeMap());
                        this.domWildcardRoleAllowMap.put(zpeFileStatus.domain, new TreeMap());
                        this.domStandardRoleDenyMap.put(zpeFileStatus.domain, new TreeMap());
                        this.domWildcardRoleDenyMap.put(zpeFileStatus.domain, new TreeMap());
                    }
                } else if (lastModified <= zpeFileStatus.modifyTimeMillis) {
                    String str = " last-file-mod-time=" + lastModified;
                    if (zpeFileStatus.validPolFile) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("loadDb: ignore reload file: {} since up to date: {}", name, str);
                        }
                    } else if (LOG.isDebugEnabled()) {
                        LOG.debug("loadDb: retry load file: {} since last load was bad: {}", name, str);
                    }
                }
            } else {
                fileStatusMap.put(name, new ZpeFileStatus(lastModified));
            }
            loadFile(file);
        }
    }

    ZpeMatch getMatchObject(String str) {
        ZpeMatch zpeMatchEqual;
        if ("*".equals(str)) {
            zpeMatchEqual = new ZpeMatchAll();
        } else {
            int indexOf = str.indexOf(42);
            int indexOf2 = str.indexOf(63);
            zpeMatchEqual = (indexOf == -1 && indexOf2 == -1) ? new ZpeMatchEqual(str) : (indexOf == str.length() - 1 && indexOf2 == -1) ? new ZpeMatchStartsWith(str.substring(0, str.length() - 1)) : new ZpeMatchRegex(str);
        }
        return zpeMatchEqual;
    }

    private void loadFile(File file) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadFile: file({})", file.getName());
        }
        DomainSignedPolicyData domainSignedPolicyData = null;
        try {
            domainSignedPolicyData = (DomainSignedPolicyData) JSON.fromBytes(Files.readAllBytes(Paths.get(this.polDirName + File.separator + file.getName(), new String[0])), DomainSignedPolicyData.class);
        } catch (Exception e) {
            LOG.error("loadFile: unable to decode policy file={} error: {}", file.getName(), e);
        }
        if (domainSignedPolicyData == null) {
            LOG.error("loadFile: unable to decode domain file={}", file.getName());
            ZpeFileStatus zpeFileStatus = getFileStatusMap().get(file.getName());
            if (zpeFileStatus != null) {
                zpeFileStatus.validPolFile = false;
                return;
            }
            return;
        }
        SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
        String signature = domainSignedPolicyData.getSignature();
        String keyId = domainSignedPolicyData.getKeyId();
        boolean z = false;
        if (signedPolicyData != null) {
            PublicKey ztsPublicKey = AuthZpeClient.getZtsPublicKey(keyId);
            if (ztsPublicKey == null) {
                LOG.error("loadFile: unable to fetch zts public key for id: {}", keyId);
            } else {
                z = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsPublicKey, signature);
            }
        }
        PolicyData policyData = null;
        if (z) {
            policyData = signedPolicyData.getPolicyData();
            String zmsSignature = signedPolicyData.getZmsSignature();
            String zmsKeyId = signedPolicyData.getZmsKeyId();
            if (policyData != null) {
                PublicKey zmsPublicKey = AuthZpeClient.getZmsPublicKey(zmsKeyId);
                if (zmsPublicKey == null) {
                    LOG.error("loadFile: unable to fetch zms public key for id: {}", zmsKeyId);
                } else {
                    z = Crypto.verify(SignUtils.asCanonicalString(policyData), zmsPublicKey, zmsSignature);
                }
            }
        }
        if (!z || policyData == null) {
            LOG.error("loadFile: policy file={} is invalid", file.getName());
            ZpeFileStatus zpeFileStatus2 = getFileStatusMap().get(file.getName());
            if (zpeFileStatus2 != null) {
                zpeFileStatus2.validPolFile = false;
                return;
            }
            return;
        }
        String domain = policyData.getDomain();
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadFile: policy file({}) for domain({}) is valid", file.getName(), domain);
        }
        TreeMap treeMap = new TreeMap();
        TreeMap treeMap2 = new TreeMap();
        TreeMap treeMap3 = new TreeMap();
        TreeMap treeMap4 = new TreeMap();
        for (Policy policy : policyData.getPolicies()) {
            String name = policy.getName();
            if (LOG.isDebugEnabled()) {
                LOG.debug("loadFile: domain({}) policy({})", domain, name);
            }
            List<Assertion> assertions = policy.getAssertions();
            if (assertions != null) {
                for (Assertion assertion : assertions) {
                    Struct struct = new Struct();
                    struct.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, name);
                    struct.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, getMatchObject(assertion.getAction().toLowerCase()));
                    String lowerCase = assertion.getResource().toLowerCase();
                    String stripDomainPrefix = AuthZpeClient.stripDomainPrefix(lowerCase, domain, lowerCase);
                    struct.put(ZpeConsts.ZPE_FIELD_RESOURCE, stripDomainPrefix);
                    struct.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, getMatchObject(stripDomainPrefix));
                    String role = assertion.getRole();
                    String replaceFirst = AuthZpeClient.stripDomainPrefix(role, domain, role).replaceFirst("^role.", "");
                    struct.put(ZpeConsts.ZPE_FIELD_ROLE, replaceFirst);
                    AssertionEffect effect = assertion.getEffect();
                    ZpeMatch matchObject = getMatchObject(replaceFirst);
                    struct.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchObject);
                    ((List) ((effect == null || effect.toString().compareTo("DENY") != 0) ? matchObject instanceof ZpeMatchEqual ? treeMap : treeMap2 : matchObject instanceof ZpeMatchEqual ? treeMap3 : treeMap4).computeIfAbsent(replaceFirst, str -> {
                        return new ArrayList();
                    })).add(struct);
                }
            }
        }
        ZpeFileStatus zpeFileStatus3 = getFileStatusMap().get(file.getName());
        if (zpeFileStatus3 != null) {
            zpeFileStatus3.validPolFile = true;
            zpeFileStatus3.domain = domain;
        }
        this.domStandardRoleAllowMap.put(domain, treeMap);
        this.domWildcardRoleAllowMap.put(domain, treeMap2);
        this.domStandardRoleDenyMap.put(domain, treeMap3);
        this.domWildcardRoleDenyMap.put(domain, treeMap4);
    }

    static {
        sleepTimeMillis = -1L;
        cleanupTokenInterval = 600000L;
        String property = System.getProperty(ZpeConsts.ZPE_PROP_MON_TIMEOUT);
        if (property == null) {
            sleepTimeMillis = TimeUnit.MILLISECONDS.convert(5L, TimeUnit.MINUTES);
        } else {
            try {
                sleepTimeMillis = TimeUnit.MILLISECONDS.convert(Long.parseLong(property), TimeUnit.SECONDS);
            } catch (NumberFormatException e) {
                LOG.warn("{}, exc: {}", "start: WARNING: Failed using system property(athenz.zpe.monitor_timeout_secs) Got property value=" + property, e);
            }
        }
        String property2 = System.getProperty(ZpeConsts.ZPE_PROP_MON_CLEANUP_TOKENS);
        if (property2 != null) {
            try {
                cleanupTokenInterval = TimeUnit.MILLISECONDS.convert(Long.parseLong(property2), TimeUnit.SECONDS);
            } catch (NumberFormatException e2) {
                LOG.warn("{}, exc: {}", "start: WARNING: Failed using system property(athenz.zpe.cleanup_tokens_secs) Got property value=" + property2, e2);
            }
        }
        roleTokenCacheMap = new ConcurrentHashMap<>();
        accessTokenCacheMap = new ConcurrentHashMap<>();
    }
}
