package io.warp10.quasar.encoder;

import io.warp10.crypto.CryptoUtils;
import io.warp10.crypto.SipHashInline;
import io.warp10.quasar.filter.exception.QuasarTokenException;
import io.warp10.quasar.filter.exception.QuasarTokenInvalid;
import io.warp10.quasar.token.thrift.data.ReadToken;
import io.warp10.quasar.token.thrift.data.TokenType;
import io.warp10.quasar.token.thrift.data.WriteToken;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import org.apache.thrift.TBase;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TCompactProtocol;
import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.TMemoryInputTransport;

/* loaded from: input_file:io/warp10/quasar/encoder/QuasarTokenDecoder.class */
public class QuasarTokenDecoder {
    private long tokenSipHashKeyK0;
    private long tokenSipHashKeyK1;
    private byte[] tokenAESKey;

    public QuasarTokenDecoder(long j, long j2, byte[] bArr) {
        this.tokenSipHashKeyK0 = j;
        this.tokenSipHashKeyK1 = j2;
        this.tokenAESKey = bArr;
    }

    public ReadToken decodeReadToken(byte[] bArr) throws QuasarTokenException {
        ReadToken readToken = (ReadToken) decodeToken(bArr, new ReadToken());
        if (TokenType.READ.equals(readToken.getTokenType())) {
            return readToken;
        }
        throw new QuasarTokenInvalid("Token type invalid (READ expected).");
    }

    public WriteToken decodeWriteToken(byte[] bArr) throws QuasarTokenException {
        WriteToken writeToken = (WriteToken) decodeToken(bArr, new WriteToken());
        if (TokenType.WRITE.equals(writeToken.getTokenType())) {
            return writeToken;
        }
        throw new QuasarTokenInvalid("Token type invalid (WRITE expected).");
    }

    protected TBase<?, ?> decodeToken(byte[] bArr, TBase<?, ?> tBase) throws QuasarTokenException {
        try {
            byte[] unwrap = CryptoUtils.unwrap(this.tokenAESKey, bArr);
            if (unwrap == null) {
                throw new QuasarTokenInvalid("AES_INVALID", "Invalid token.");
            }
            checkTokenIntegrity(ByteBuffer.wrap(unwrap, 0, 8).order(ByteOrder.BIG_ENDIAN).getLong(), unwrap);
            deserializeThriftToken(tBase, unwrap);
            return tBase;
        } catch (QuasarTokenException e) {
            throw e;
        } catch (Exception e2) {
            throw new QuasarTokenInvalid("Invalid token.");
        }
    }

    private void checkTokenIntegrity(long j, byte[] bArr) throws QuasarTokenInvalid {
        if (SipHashInline.hash24_palindromic(this.tokenSipHashKeyK0, this.tokenSipHashKeyK1, bArr, 8, bArr.length - 8) != j) {
            throw new QuasarTokenInvalid("SIP_INVALID", "Invalid token.");
        }
    }

    private void deserializeThriftToken(TBase<?, ?> tBase, byte[] bArr) throws TException {
        TMemoryInputTransport tMemoryInputTransport = new TMemoryInputTransport();
        TProtocol protocol = new TCompactProtocol.Factory().getProtocol(tMemoryInputTransport);
        try {
            tMemoryInputTransport.reset(bArr);
            tMemoryInputTransport.consumeBuffer(8);
            tBase.read(protocol);
            tMemoryInputTransport.clear();
            protocol.reset();
        } catch (Throwable th) {
            tMemoryInputTransport.clear();
            protocol.reset();
            throw th;
        }
    }
}
