package com.google.bigtable.repackaged.com.google.cloud.bigtable.grpc.io;

import com.google.bigtable.repackaged.com.google.api.client.util.Clock;
import com.google.bigtable.repackaged.com.google.auth.oauth2.AccessToken;
import com.google.bigtable.repackaged.com.google.auth.oauth2.OAuth2Credentials;
import com.google.bigtable.repackaged.com.google.cloud.bigtable.config.Logger;
import com.google.bigtable.repackaged.com.google.common.annotations.VisibleForTesting;
import com.google.bigtable.repackaged.com.google.common.base.Preconditions;
import com.google.bigtable.repackaged.com.google.common.util.concurrent.RateLimiter;
import com.google.bigtable.repackaged.io.grpc.CallOptions;
import com.google.bigtable.repackaged.io.grpc.Channel;
import com.google.bigtable.repackaged.io.grpc.ClientCall;
import com.google.bigtable.repackaged.io.grpc.ClientInterceptor;
import com.google.bigtable.repackaged.io.grpc.ForwardingClientCall;
import com.google.bigtable.repackaged.io.grpc.ForwardingClientCallListener;
import com.google.bigtable.repackaged.io.grpc.Metadata;
import com.google.bigtable.repackaged.io.grpc.MethodDescriptor;
import com.google.bigtable.repackaged.io.grpc.Status;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.annotation.concurrent.GuardedBy;
import org.apache.hadoop.hbase.replication.ReplicationQueuesZKImpl;

/* loaded from: input_file:com/google/bigtable/repackaged/com/google/cloud/bigtable/grpc/io/RefreshingOAuth2CredentialsInterceptor.class */
public class RefreshingOAuth2CredentialsInterceptor implements ClientInterceptor {
    private static final Logger LOG = new Logger(RefreshingOAuth2CredentialsInterceptor.class);
    private static final Metadata.Key<String> AUTHORIZATION_HEADER_KEY = Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);

    @VisibleForTesting
    static Clock clock = Clock.SYSTEM;
    private static final HeaderCacheElement EMPTY_HEADER = new HeaderCacheElement(null, 0);
    private final ExecutorService executor;
    private final OAuth2Credentials credentials;

    @VisibleForTesting
    final Object lock = new Object();

    @VisibleForTesting
    @GuardedBy(ReplicationQueuesZKImpl.RS_LOCK_ZNODE)
    volatile HeaderCacheElement headerCache = EMPTY_HEADER;

    @VisibleForTesting
    @GuardedBy(ReplicationQueuesZKImpl.RS_LOCK_ZNODE)
    boolean isRefreshing = false;

    @VisibleForTesting
    @GuardedBy(ReplicationQueuesZKImpl.RS_LOCK_ZNODE)
    Future<HeaderCacheElement> futureToken = null;

    @VisibleForTesting
    RateLimiter rateLimiter = RateLimiter.create(1.0d);

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/google/bigtable/repackaged/com/google/cloud/bigtable/grpc/io/RefreshingOAuth2CredentialsInterceptor$CacheState.class */
    public enum CacheState {
        Good,
        Stale,
        Expired,
        Exception
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/google/bigtable/repackaged/com/google/cloud/bigtable/grpc/io/RefreshingOAuth2CredentialsInterceptor$HeaderCacheElement.class */
    public static class HeaderCacheElement {
        static final long TOKEN_STALENESS_MS = TimeUnit.MINUTES.toMillis(6);
        static final long TOKEN_EXPIRES_MS = TimeUnit.MINUTES.toMillis(5);
        final Status status;
        final String header;
        final long actualExpirationTimeMs;

        HeaderCacheElement(AccessToken accessToken) {
            this.status = Status.OK;
            if (accessToken.getExpirationTime() == null) {
                this.actualExpirationTimeMs = Long.MAX_VALUE;
            } else {
                this.actualExpirationTimeMs = accessToken.getExpirationTime().getTime();
            }
            this.header = "Bearer " + accessToken.getTokenValue();
        }

        HeaderCacheElement(String str, long j) {
            this.status = Status.OK;
            this.header = str;
            this.actualExpirationTimeMs = j;
        }

        HeaderCacheElement(Status status) {
            Preconditions.checkArgument(!status.isOk(), "Error status can't be OK");
            this.status = status;
            this.header = null;
            this.actualExpirationTimeMs = 0L;
        }

        CacheState getCacheState() {
            long currentTimeMillis = RefreshingOAuth2CredentialsInterceptor.clock.currentTimeMillis();
            return !this.status.isOk() ? CacheState.Exception : this.actualExpirationTimeMs - TOKEN_EXPIRES_MS <= currentTimeMillis ? CacheState.Expired : this.actualExpirationTimeMs - TOKEN_STALENESS_MS <= currentTimeMillis ? CacheState.Stale : CacheState.Good;
        }
    }

    /* loaded from: input_file:com/google/bigtable/repackaged/com/google/cloud/bigtable/grpc/io/RefreshingOAuth2CredentialsInterceptor$UnAuthResponseListener.class */
    class UnAuthResponseListener<RespT> extends ForwardingClientCallListener.SimpleForwardingClientCallListener<RespT> {
        private final HeaderCacheElement origToken;

        UnAuthResponseListener(ClientCall.Listener<RespT> listener, HeaderCacheElement headerCacheElement) {
            super(listener);
            this.origToken = headerCacheElement;
        }

        @Override // com.google.bigtable.repackaged.io.grpc.ForwardingClientCallListener, com.google.bigtable.repackaged.io.grpc.ClientCall.Listener
        public void onClose(Status status, Metadata metadata) {
            if (status == Status.UNAUTHENTICATED) {
                RefreshingOAuth2CredentialsInterceptor.this.revokeUnauthToken(this.origToken);
            }
            super.onClose(status, metadata);
        }
    }

    public RefreshingOAuth2CredentialsInterceptor(ExecutorService executorService, OAuth2Credentials oAuth2Credentials) {
        this.executor = (ExecutorService) Preconditions.checkNotNull(executorService);
        this.credentials = (OAuth2Credentials) Preconditions.checkNotNull(oAuth2Credentials);
    }

    @Override // com.google.bigtable.repackaged.io.grpc.ClientInterceptor
    public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
        return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(channel.newCall(methodDescriptor, callOptions)) { // from class: com.google.bigtable.repackaged.com.google.cloud.bigtable.grpc.io.RefreshingOAuth2CredentialsInterceptor.1
            private boolean unauthorized = false;

            @Override // com.google.bigtable.repackaged.io.grpc.ForwardingClientCall, com.google.bigtable.repackaged.io.grpc.ClientCall
            public void start(ClientCall.Listener<RespT> listener, Metadata metadata) {
                HeaderCacheElement headerSafe = RefreshingOAuth2CredentialsInterceptor.this.getHeaderSafe();
                if (headerSafe.status.isOk()) {
                    metadata.put(RefreshingOAuth2CredentialsInterceptor.AUTHORIZATION_HEADER_KEY, headerSafe.header);
                    delegate().start(new UnAuthResponseListener(listener, headerSafe), metadata);
                } else {
                    listener.onClose(headerSafe.status, new Metadata());
                    this.unauthorized = true;
                }
            }

            @Override // com.google.bigtable.repackaged.io.grpc.ForwardingClientCall, com.google.bigtable.repackaged.io.grpc.ClientCall
            public void request(int i) {
                if (this.unauthorized) {
                    return;
                }
                delegate().request(i);
            }

            @Override // com.google.bigtable.repackaged.io.grpc.ForwardingClientCall, com.google.bigtable.repackaged.io.grpc.ClientCall
            public void sendMessage(ReqT reqt) {
                if (this.unauthorized) {
                    return;
                }
                delegate().sendMessage(reqt);
            }

            @Override // com.google.bigtable.repackaged.io.grpc.ForwardingClientCall, com.google.bigtable.repackaged.io.grpc.ClientCall
            public void halfClose() {
                if (this.unauthorized) {
                    return;
                }
                delegate().halfClose();
            }

            @Override // com.google.bigtable.repackaged.io.grpc.ForwardingClientCall, com.google.bigtable.repackaged.io.grpc.ClientCall
            public void cancel(String str, Throwable th) {
                if (this.unauthorized) {
                    return;
                }
                delegate().cancel(str, th);
            }
        };
    }

    @VisibleForTesting
    HeaderCacheElement getHeaderSafe() {
        try {
            return getHeader();
        } catch (Exception e) {
            return new HeaderCacheElement(Status.UNAUTHENTICATED.withDescription("Unexpected failure get auth token").withCause(e));
        }
    }

    @VisibleForTesting
    HeaderCacheElement getHeader() throws ExecutionException, InterruptedException, TimeoutException {
        HeaderCacheElement headerCacheElement = this.headerCache;
        if (headerCacheElement.getCacheState() == CacheState.Good) {
            return headerCacheElement;
        }
        synchronized (this.lock) {
            CacheState cacheState = this.headerCache.getCacheState();
            switch (cacheState) {
                case Good:
                    return this.headerCache;
                case Stale:
                    asyncRefresh();
                    return this.headerCache;
                case Expired:
                case Exception:
                    return asyncRefresh().get(5L, TimeUnit.SECONDS);
                default:
                    return new HeaderCacheElement(Status.UNAUTHENTICATED.withCause(new IllegalStateException("Could not process state: " + cacheState)));
            }
        }
    }

    HeaderCacheElement syncRefresh() {
        try {
            return asyncRefresh().get(5L, TimeUnit.SECONDS);
        } catch (Exception e) {
            return new HeaderCacheElement(Status.UNAUTHENTICATED.withCause(e));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Future<HeaderCacheElement> asyncRefresh() {
        LOG.trace("asyncRefresh", new Object[0]);
        synchronized (this.lock) {
            if (this.isRefreshing) {
                LOG.trace("asyncRefresh is already in progress", new Object[0]);
                return this.futureToken;
            }
            this.isRefreshing = true;
            LOG.trace("asyncRefresh taking ownership", new Object[0]);
            try {
                this.futureToken = this.executor.submit(new Callable<HeaderCacheElement>() { // from class: com.google.bigtable.repackaged.com.google.cloud.bigtable.grpc.io.RefreshingOAuth2CredentialsInterceptor.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public HeaderCacheElement call() throws Exception {
                        return RefreshingOAuth2CredentialsInterceptor.this.updateToken(RefreshingOAuth2CredentialsInterceptor.this.refreshCredentials());
                    }
                });
                return this.futureToken;
            } catch (RuntimeException e) {
                this.isRefreshing = false;
                throw e;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public HeaderCacheElement updateToken(HeaderCacheElement headerCacheElement) {
        HeaderCacheElement headerCacheElement2;
        synchronized (this.lock) {
            CacheState cacheState = headerCacheElement.getCacheState();
            boolean z = cacheState == CacheState.Good || cacheState == CacheState.Stale;
            CacheState cacheState2 = this.headerCache.getCacheState();
            boolean z2 = cacheState2 == CacheState.Good || cacheState2 == CacheState.Stale;
            if (z || !z2) {
                this.headerCache = headerCacheElement;
            } else {
                LOG.warn("Failed to refresh the access token. Falling back to existing token. New token state: {}, status: {}", cacheState, headerCacheElement.status);
            }
            this.futureToken = null;
            this.isRefreshing = false;
            headerCacheElement2 = this.headerCache;
        }
        return headerCacheElement2;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public HeaderCacheElement refreshCredentials() {
        if (!this.rateLimiter.tryAcquire()) {
            LOG.trace("Rate limited", new Object[0]);
            return new HeaderCacheElement(Status.UNAUTHENTICATED.withDescription("Authentication rate limit has been exceeded, failing fast"));
        }
        try {
            LOG.info("Refreshing the OAuth token", new Object[0]);
            return new HeaderCacheElement(this.credentials.refreshAccessToken());
        } catch (Exception e) {
            LOG.warn("Got an unexpected exception while trying to refresh google credentials.", e, new Object[0]);
            return new HeaderCacheElement(Status.UNAUTHENTICATED.withDescription("Unexpected error trying to authenticate").withCause(e));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void revokeUnauthToken(HeaderCacheElement headerCacheElement) {
        synchronized (this.lock) {
            if (this.headerCache == headerCacheElement) {
                LOG.warn("Got unauthenticated response from server, revoking the current token", new Object[0]);
                this.headerCache = EMPTY_HEADER;
            } else {
                LOG.info("Skipping revoke, since the revoked token has already changed", new Object[0]);
            }
        }
    }
}
