package co.cask.common.security.authentication;

import co.cask.common.io.Codec;
import co.cask.common.security.authentication.KeyManager;
import com.google.common.base.Throwables;
import com.google.common.util.concurrent.AbstractIdleService;
import com.google.inject.Inject;
import java.io.IOException;
import java.security.InvalidKeyException;

/* loaded from: input_file:co/cask/common/security/authentication/TokenManager.class */
public class TokenManager extends AbstractIdleService {
    protected final KeyManager keyManager;
    private final Codec<AccessTokenIdentifier> identifierCodec;

    @Inject
    public TokenManager(KeyManager keyManager, Codec<AccessTokenIdentifier> codec) {
        this.keyManager = keyManager;
        this.identifierCodec = codec;
    }

    public void startUp() {
        this.keyManager.startAndWait();
    }

    public void shutDown() {
        this.keyManager.stopAndWait();
    }

    public AccessToken signIdentifier(AccessTokenIdentifier accessTokenIdentifier) {
        try {
            KeyManager.DigestId generateMAC = this.keyManager.generateMAC(this.identifierCodec.encode(accessTokenIdentifier));
            return new AccessToken(accessTokenIdentifier, generateMAC.getId(), generateMAC.getDigest());
        } catch (IOException e) {
            throw Throwables.propagate(e);
        } catch (InvalidKeyException e2) {
            throw new IllegalStateException("Invalid key configured for KeyManager.", e2);
        }
    }

    public void validateSecret(AccessToken accessToken) throws InvalidTokenException {
        if (accessToken.getIdentifier().getExpireTimestamp() < System.currentTimeMillis()) {
            throw new InvalidTokenException(TokenState.EXPIRED, "Token is expired.");
        }
        try {
            this.keyManager.validateMAC(this.identifierCodec, accessToken);
        } catch (InvalidDigestException e) {
            throw new InvalidTokenException(TokenState.INVALID, "Token signature is not valid!");
        } catch (InvalidKeyException e2) {
            throw new InvalidTokenException(TokenState.INTERNAL, "Invalid key for token.", e2);
        }
    }
}
