package org.elasticsearch.xpack.security.authc;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.BiConsumer;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.BytesRef;
import org.apache.lucene.util.BytesRefBuilder;
import org.apache.lucene.util.IOUtils;
import org.apache.lucene.util.StringHelper;
import org.apache.lucene.util.UnicodeUtil;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.support.master.AcknowledgedRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ack.AckedRequest;
import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.io.stream.InputStreamStreamInput;
import org.elasticsearch.common.io.stream.OutputStreamStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.settings.SecureSetting;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.iterable.Iterables;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.ClientHelper;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.SecurityLifecycleService;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService.class */
public final class TokenService extends AbstractComponent {
    private static final int ITERATIONS = 100000;
    private static final String KDF_ALGORITHM = "PBKDF2withHMACSHA512";
    private static final int SALT_BYTES = 32;
    private static final int KEY_BYTES = 64;
    private static final int IV_BYTES = 12;
    private static final int VERSION_BYTES = 4;
    private static final String ENCRYPTION_CIPHER = "AES/GCM/NoPadding";
    private static final String EXPIRED_TOKEN_WWW_AUTH_VALUE = "Bearer realm=\"security\", error=\"invalid_token\", error_description=\"The access token expired\"";
    private static final String MALFORMED_TOKEN_WWW_AUTH_VALUE = "Bearer realm=\"security\", error=\"invalid_token\", error_description=\"The access token is malformed\"";
    private static final String TYPE = "doc";
    public static final String THREAD_POOL_NAME = "security-token-key";
    public static final Setting<SecureString> TOKEN_PASSPHRASE;
    public static final Setting<TimeValue> TOKEN_EXPIRATION;
    public static final Setting<TimeValue> DELETE_INTERVAL;
    public static final Setting<TimeValue> DELETE_TIMEOUT;
    static final String DOC_TYPE = "invalidated-token";
    static final int MINIMUM_BYTES = 49;
    static final int MINIMUM_BASE64_BYTES;
    private final SecureRandom secureRandom;
    private final ClusterService clusterService;
    private final Clock clock;
    private final TimeValue expirationDelay;
    private final TimeValue deleteInterval;
    private final Client client;
    private final SecurityLifecycleService lifecycleService;
    private final ExpiredTokenRemover expiredTokenRemover;
    private final boolean enabled;
    private final byte[] currentVersionBytes;
    private volatile TokenKeys keyCache;
    private volatile long lastExpirationRunMs;
    private final AtomicLong createdTimeStamps;
    private static final Version TOKEN_SERVICE_VERSION;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService$BytesKey.class */
    public static class BytesKey {
        final byte[] bytes;
        private final int hashCode;

        BytesKey(byte[] bArr) {
            this.bytes = bArr;
            this.hashCode = StringHelper.murmurhash3_x86_32(bArr, 0, bArr.length, StringHelper.GOOD_FAST_HASH_SEED);
        }

        public int hashCode() {
            return this.hashCode;
        }

        public boolean equals(Object obj) {
            if (obj != null && (obj instanceof BytesKey)) {
                return Arrays.equals(((BytesKey) obj).bytes, this.bytes);
            }
            return false;
        }

        public String toString() {
            return new BytesRef(this.bytes).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService$KeyAndCache.class */
    public static final class KeyAndCache implements Closeable {
        private final KeyAndTimestamp keyAndTimestamp;
        private final Cache<BytesKey, SecretKey> keyCache;
        private final BytesKey salt;
        private final BytesKey keyHash;

        private KeyAndCache(KeyAndTimestamp keyAndTimestamp, BytesKey bytesKey) {
            this.keyAndTimestamp = keyAndTimestamp;
            this.keyCache = CacheBuilder.builder().setExpireAfterAccess(TimeValue.timeValueMinutes(60L)).setMaximumWeight(500L).build();
            try {
                this.keyCache.put(bytesKey, TokenService.computeSecretKey(keyAndTimestamp.key.getChars(), bytesKey.bytes));
                this.salt = bytesKey;
                this.keyHash = calculateKeyHash(keyAndTimestamp.key);
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public SecretKey getKey(BytesKey bytesKey) {
            return this.keyCache.get(bytesKey);
        }

        public SecretKey getOrComputeKey(BytesKey bytesKey) throws ExecutionException {
            return this.keyCache.computeIfAbsent(bytesKey, bytesKey2 -> {
                SecureString m4031clone = this.keyAndTimestamp.key.m4031clone();
                Throwable th = null;
                try {
                    try {
                        SecretKey computeSecretKey = TokenService.computeSecretKey(m4031clone.getChars(), bytesKey2.bytes);
                        if (m4031clone != null) {
                            if (0 != 0) {
                                try {
                                    m4031clone.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                m4031clone.close();
                            }
                        }
                        return computeSecretKey;
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (m4031clone != null) {
                        if (th != null) {
                            try {
                                m4031clone.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            m4031clone.close();
                        }
                    }
                    throw th3;
                }
            });
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this.keyAndTimestamp.key.close();
        }

        BytesKey getKeyHash() {
            return this.keyHash;
        }

        private static BytesKey calculateKeyHash(SecureString secureString) {
            try {
                MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
                BytesRefBuilder bytesRefBuilder = new BytesRefBuilder();
                try {
                    bytesRefBuilder.copyChars(secureString);
                    BytesRef bytesRef = bytesRefBuilder.toBytesRef();
                    try {
                        messageDigest.update(bytesRef.bytes, bytesRef.offset, bytesRef.length);
                        BytesKey bytesKey = new BytesKey(Arrays.copyOfRange(messageDigest.digest(), 0, 8));
                        Arrays.fill(bytesRef.bytes, (byte) 0);
                        Arrays.fill(bytesRefBuilder.bytes(), (byte) 0);
                        return bytesKey;
                    } catch (Throwable th) {
                        Arrays.fill(bytesRef.bytes, (byte) 0);
                        throw th;
                    }
                } catch (Throwable th2) {
                    Arrays.fill(bytesRefBuilder.bytes(), (byte) 0);
                    throw th2;
                }
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError(e);
            }
        }

        BytesKey getSalt() {
            return this.salt;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService$KeyAndTimestamp.class */
    public static final class KeyAndTimestamp implements Writeable {
        private final SecureString key;
        private final long timestamp;

        private KeyAndTimestamp(SecureString secureString, long j) {
            this.key = secureString;
            this.timestamp = j;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public KeyAndTimestamp(StreamInput streamInput) throws IOException {
            this.timestamp = streamInput.readVLong();
            byte[] readByteArray = streamInput.readByteArray();
            char[] cArr = new char[readByteArray.length];
            this.key = new SecureString(Arrays.copyOfRange(cArr, 0, UnicodeUtil.UTF8toUTF16(readByteArray, 0, readByteArray.length, cArr)));
        }

        @Override // org.elasticsearch.common.io.stream.Writeable
        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeVLong(this.timestamp);
            BytesRef bytesRef = new BytesRef(this.key);
            streamOutput.writeVInt(bytesRef.length);
            streamOutput.writeBytes(bytesRef.bytes, bytesRef.offset, bytesRef.length);
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            KeyAndTimestamp keyAndTimestamp = (KeyAndTimestamp) obj;
            if (this.timestamp != keyAndTimestamp.timestamp) {
                return false;
            }
            return this.key.equals(keyAndTimestamp.key);
        }

        public int hashCode() {
            return (31 * this.key.hashCode()) + ((int) (this.timestamp ^ (this.timestamp >>> 32)));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService$KeyComputingRunnable.class */
    public class KeyComputingRunnable extends AbstractRunnable {
        private final StreamInput in;
        private final Version version;
        private final BytesKey decodedSalt;
        private final ActionListener<UserToken> listener;
        private final byte[] iv;
        private final KeyAndCache keyAndCache;

        KeyComputingRunnable(StreamInput streamInput, byte[] bArr, Version version, BytesKey bytesKey, ActionListener<UserToken> actionListener, KeyAndCache keyAndCache) {
            this.in = streamInput;
            this.version = version;
            this.decodedSalt = bytesKey;
            this.listener = actionListener;
            this.iv = bArr;
            this.keyAndCache = keyAndCache;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
        public void doRun() {
            try {
                TokenService.decryptToken(this.in, TokenService.this.getDecryptionCipher(this.iv, this.keyAndCache.getOrComputeKey(this.decodedSalt), this.version, this.decodedSalt), this.version, this.listener);
            } catch (IOException | GeneralSecurityException e) {
                TokenService.this.logger.debug("unable to decode bearer token", e);
                this.listener.onResponse(null);
            } catch (ExecutionException e2) {
                if (e2.getCause() == null || !((e2.getCause() instanceof GeneralSecurityException) || (e2.getCause() instanceof IOException) || (e2.getCause() instanceof IllegalArgumentException))) {
                    this.listener.onFailure(e2);
                } else {
                    TokenService.this.logger.debug("unable to decode bearer token", (Throwable) e2);
                    this.listener.onResponse(null);
                }
            }
        }

        @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
        public void onFailure(Exception exc) {
            this.listener.onFailure(exc);
        }

        @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
        public void onAfter() {
            IOUtils.closeWhileHandlingException(this.in);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService$TokenKeys.class */
    public static final class TokenKeys {
        final Map<BytesKey, KeyAndCache> cache;
        final BytesKey currentTokenKeyHash;
        final KeyAndCache activeKeyCache;

        private TokenKeys(Map<BytesKey, KeyAndCache> map, BytesKey bytesKey) {
            this.cache = map;
            this.currentTokenKeyHash = bytesKey;
            this.activeKeyCache = map.get(bytesKey);
        }

        KeyAndCache get(BytesKey bytesKey) {
            return this.cache.get(bytesKey);
        }
    }

    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/TokenService$TokenMetadataPublishAction.class */
    private final class TokenMetadataPublishAction extends AckedClusterStateUpdateTask<ClusterStateUpdateResponse> {
        private final TokenMetaData tokenMetaData;

        protected TokenMetadataPublishAction(ActionListener<ClusterStateUpdateResponse> actionListener, TokenMetaData tokenMetaData) {
            super(new AckedRequest() { // from class: org.elasticsearch.xpack.security.authc.TokenService.TokenMetadataPublishAction.1
                @Override // org.elasticsearch.cluster.ack.AckedRequest
                public TimeValue ackTimeout() {
                    return AcknowledgedRequest.DEFAULT_ACK_TIMEOUT;
                }

                @Override // org.elasticsearch.cluster.ack.AckedRequest
                public TimeValue masterNodeTimeout() {
                    return AcknowledgedRequest.DEFAULT_MASTER_NODE_TIMEOUT;
                }
            }, actionListener);
            this.tokenMetaData = tokenMetaData;
        }

        @Override // org.elasticsearch.cluster.ClusterStateUpdateTask
        public ClusterState execute(ClusterState clusterState) throws Exception {
            return this.tokenMetaData.equals(clusterState.custom(TokenMetaData.TYPE)) ? clusterState : ClusterState.builder(clusterState).putCustom(TokenMetaData.TYPE, this.tokenMetaData).build();
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.elasticsearch.cluster.AckedClusterStateUpdateTask
        public ClusterStateUpdateResponse newResponse(boolean z) {
            return new ClusterStateUpdateResponse(z);
        }
    }

    public TokenService(Settings settings, Clock clock, Client client, SecurityLifecycleService securityLifecycleService, ClusterService clusterService) throws GeneralSecurityException {
        super(settings);
        this.secureRandom = new SecureRandom();
        this.createdTimeStamps = new AtomicLong(-1L);
        byte[] bArr = new byte[32];
        this.secureRandom.nextBytes(bArr);
        SecureString secureString = TOKEN_PASSPHRASE.get(settings);
        SecureString generateTokenKey = secureString.length() == 0 ? generateTokenKey() : secureString;
        this.clock = clock.withZone(ZoneOffset.UTC);
        this.expirationDelay = TOKEN_EXPIRATION.get(settings);
        this.client = client;
        this.lifecycleService = securityLifecycleService;
        this.lastExpirationRunMs = client.threadPool().relativeTimeInMillis();
        this.deleteInterval = DELETE_INTERVAL.get(settings);
        this.enabled = XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings).booleanValue();
        this.expiredTokenRemover = new ExpiredTokenRemover(settings, client);
        this.currentVersionBytes = ByteBuffer.allocate(4).putInt(TOKEN_SERVICE_VERSION.id).array();
        ensureEncryptionCiphersSupported();
        KeyAndCache keyAndCache = new KeyAndCache(new KeyAndTimestamp(generateTokenKey.m4031clone(), this.createdTimeStamps.incrementAndGet()), new BytesKey(bArr));
        this.keyCache = new TokenKeys(Collections.singletonMap(keyAndCache.getKeyHash(), keyAndCache), keyAndCache.getKeyHash());
        this.clusterService = clusterService;
        initialize(clusterService);
        getTokenMetaData();
    }

    public UserToken createUserToken(Authentication authentication) throws IOException, GeneralSecurityException {
        ensureEnabled();
        return new UserToken(authentication, getExpirationTime());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void getAndValidateToken(ThreadContext threadContext, ActionListener<UserToken> actionListener) {
        if (!this.enabled) {
            actionListener.onResponse(null);
            return;
        }
        String fromHeader = getFromHeader(threadContext);
        if (fromHeader == null) {
            actionListener.onResponse(null);
            return;
        }
        try {
            CheckedConsumer checkedConsumer = userToken -> {
                if (userToken == null) {
                    actionListener.onResponse(null);
                } else if (this.clock.instant().isAfter(userToken.getExpirationTime())) {
                    actionListener.onFailure(expiredTokenException());
                } else {
                    checkIfTokenIsRevoked(userToken, actionListener);
                }
            };
            actionListener.getClass();
            decodeToken(fromHeader, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (IOException e) {
            this.logger.debug("invalid token", (Throwable) e);
            actionListener.onResponse(null);
        }
    }

    void decodeToken(String str, ActionListener<UserToken> actionListener) throws IOException {
        InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(Base64.getDecoder().wrap(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))), r0.length);
        if (inputStreamStreamInput.available() < MINIMUM_BASE64_BYTES) {
            this.logger.debug("invalid token");
            actionListener.onResponse(null);
            return;
        }
        Version readVersion = Version.readVersion(inputStreamStreamInput);
        if (readVersion.before(Version.V_5_5_0)) {
            actionListener.onResponse(null);
            return;
        }
        BytesKey bytesKey = new BytesKey(inputStreamStreamInput.readByteArray());
        BytesKey bytesKey2 = readVersion.onOrAfter(Version.V_6_0_0_beta2) ? new BytesKey(inputStreamStreamInput.readByteArray()) : this.keyCache.currentTokenKeyHash;
        KeyAndCache keyAndCache = this.keyCache.get(bytesKey2);
        if (keyAndCache == null) {
            this.logger.debug("invalid key {} key: {}", bytesKey2, this.keyCache.cache.keySet());
            actionListener.onResponse(null);
            return;
        }
        SecretKey key = keyAndCache.getKey(bytesKey);
        byte[] readByteArray = inputStreamStreamInput.readByteArray();
        if (key == null) {
            this.client.threadPool().executor(THREAD_POOL_NAME).submit(new KeyComputingRunnable(inputStreamStreamInput, readByteArray, readVersion, bytesKey, actionListener, keyAndCache));
            return;
        }
        try {
            decryptToken(inputStreamStreamInput, getDecryptionCipher(readByteArray, key, readVersion, bytesKey), readVersion, actionListener);
        } catch (GeneralSecurityException e) {
            this.logger.warn("invalid token", (Throwable) e);
            actionListener.onResponse(null);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void decryptToken(StreamInput streamInput, Cipher cipher, Version version, ActionListener<UserToken> actionListener) throws IOException {
        CipherInputStream cipherInputStream = new CipherInputStream(streamInput, cipher);
        Throwable th = null;
        try {
            InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(cipherInputStream);
            Throwable th2 = null;
            try {
                inputStreamStreamInput.setVersion(version);
                actionListener.onResponse(new UserToken(inputStreamStreamInput));
                if (inputStreamStreamInput != null) {
                    if (0 != 0) {
                        try {
                            inputStreamStreamInput.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                    } else {
                        inputStreamStreamInput.close();
                    }
                }
                if (cipherInputStream != null) {
                    if (0 == 0) {
                        cipherInputStream.close();
                        return;
                    }
                    try {
                        cipherInputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                }
            } catch (Throwable th5) {
                if (inputStreamStreamInput != null) {
                    if (0 != 0) {
                        try {
                            inputStreamStreamInput.close();
                        } catch (Throwable th6) {
                            th2.addSuppressed(th6);
                        }
                    } else {
                        inputStreamStreamInput.close();
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (cipherInputStream != null) {
                if (0 != 0) {
                    try {
                        cipherInputStream.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    cipherInputStream.close();
                }
            }
            throw th7;
        }
    }

    public void invalidateToken(String str, ActionListener<Boolean> actionListener) {
        ensureEnabled();
        if (this.lifecycleService.isSecurityIndexOutOfDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
            return;
        }
        if (!this.lifecycleService.isSecurityIndexWriteable()) {
            actionListener.onFailure(new IllegalStateException("cannot write to the tokens index"));
            return;
        }
        if (Strings.isNullOrEmpty(str)) {
            actionListener.onFailure(new IllegalArgumentException("token must be provided"));
            return;
        }
        maybeStartTokenRemover();
        try {
            CheckedConsumer checkedConsumer = userToken -> {
                if (userToken == null) {
                    actionListener.onFailure(malformedTokenException());
                } else if (userToken.getExpirationTime().isBefore(this.clock.instant())) {
                    actionListener.onResponse(false);
                } else {
                    String documentId = getDocumentId(userToken);
                    this.lifecycleService.createIndexIfNeededThenExecute(actionListener, () -> {
                        ThreadContext threadContext = this.client.threadPool().getThreadContext();
                        ActionRequest request = this.client.prepareIndex(SecurityLifecycleService.SECURITY_INDEX_NAME, "doc", documentId).setOpType(DocWriteRequest.OpType.CREATE).setSource("doc_type", DOC_TYPE, "expiration_time", Long.valueOf(getExpirationTime().toEpochMilli())).setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL).request();
                        ActionListener<IndexResponse> actionListener2 = new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authc.TokenService.1
                            @Override // org.elasticsearch.action.ActionListener
                            public void onResponse(IndexResponse indexResponse) {
                                actionListener.onResponse(Boolean.valueOf(indexResponse.getResult() == DocWriteResponse.Result.CREATED));
                            }

                            @Override // org.elasticsearch.action.ActionListener
                            public void onFailure(Exception exc) {
                                if (exc instanceof VersionConflictEngineException) {
                                    actionListener.onResponse(false);
                                } else {
                                    actionListener.onFailure(exc);
                                }
                            }
                        };
                        Client client = this.client;
                        client.getClass();
                        ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, (BiConsumer<ActionRequest, ActionListener<Response>>) client::index);
                    });
                }
            };
            actionListener.getClass();
            decodeToken(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (IOException e) {
            this.logger.error("received a malformed token as part of a invalidation request", (Throwable) e);
            actionListener.onFailure(malformedTokenException());
        }
    }

    private static String getDocumentId(UserToken userToken) {
        return "invalidated-token_" + userToken.getId();
    }

    private void ensureEnabled() {
        if (!this.enabled) {
            throw new IllegalStateException("tokens are not enabled");
        }
    }

    /* JADX WARN: Type inference failed for: r2v3, types: [org.elasticsearch.action.ActionRequest] */
    private void checkIfTokenIsRevoked(final UserToken userToken, final ActionListener<UserToken> actionListener) {
        if (!this.lifecycleService.isSecurityIndexAvailable()) {
            if (!this.lifecycleService.isSecurityIndexExisting()) {
                actionListener.onResponse(userToken);
                return;
            } else {
                this.logger.warn("could not validate token as the security index is not available");
                actionListener.onResponse(null);
                return;
            }
        }
        if (this.lifecycleService.isSecurityIndexOutOfDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
            return;
        }
        ThreadContext threadContext = this.client.threadPool().getThreadContext();
        ?? request = this.client.prepareGet(SecurityLifecycleService.SECURITY_INDEX_NAME, "doc", getDocumentId(userToken)).request();
        ActionListener<GetResponse> actionListener2 = new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authc.TokenService.2
            @Override // org.elasticsearch.action.ActionListener
            public void onResponse(GetResponse getResponse) {
                if (getResponse.isExists()) {
                    actionListener.onFailure(TokenService.access$400());
                } else {
                    actionListener.onResponse(userToken);
                }
            }

            @Override // org.elasticsearch.action.ActionListener
            public void onFailure(Exception exc) {
                if (TransportActions.isShardNotAvailableException(exc)) {
                    TokenService.this.logger.warn("failed to get token [{}] since index is not available", userToken.getId());
                    actionListener.onResponse(null);
                } else {
                    TokenService.this.logger.error((Message) new ParameterizedMessage("failed to get token [{}]", userToken.getId()), (Throwable) exc);
                    actionListener.onFailure(exc);
                }
            }
        };
        Client client = this.client;
        client.getClass();
        ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, (BiConsumer<??, ActionListener<Response>>) client::get);
    }

    public TimeValue getExpirationDelay() {
        return this.expirationDelay;
    }

    private Instant getExpirationTime() {
        return this.clock.instant().plusSeconds(this.expirationDelay.getSeconds());
    }

    private void maybeStartTokenRemover() {
        if (!this.lifecycleService.isSecurityIndexAvailable() || this.client.threadPool().relativeTimeInMillis() - this.lastExpirationRunMs <= this.deleteInterval.getMillis()) {
            return;
        }
        this.expiredTokenRemover.submit(this.client.threadPool());
        this.lastExpirationRunMs = this.client.threadPool().relativeTimeInMillis();
    }

    String getFromHeader(ThreadContext threadContext) {
        String header = threadContext.getHeader("Authorization");
        if (Strings.hasLength(header) && header.startsWith("Bearer ") && header.length() > "Bearer ".length()) {
            return header.substring("Bearer ".length());
        }
        return null;
    }

    /* JADX WARN: Failed to calculate best type for var: r11v1 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r12v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r13v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r14v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r17v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r18v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException
     */
    /* JADX WARN: Not initialized variable reg: 11, insn: 0x01e9: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r11 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:119:0x01e9 */
    /* JADX WARN: Not initialized variable reg: 12, insn: 0x01ee: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r12 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:121:0x01ee */
    /* JADX WARN: Not initialized variable reg: 13, insn: 0x01b8: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r13 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:106:0x01b8 */
    /* JADX WARN: Not initialized variable reg: 14, insn: 0x01bd: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r14 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:108:0x01bd */
    /* JADX WARN: Not initialized variable reg: 17, insn: 0x0187: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r17 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:87:0x0187 */
    /* JADX WARN: Not initialized variable reg: 18, insn: 0x018c: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r18 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:89:0x018c */
    /* JADX WARN: Type inference failed for: r11v1, types: [java.io.OutputStream] */
    /* JADX WARN: Type inference failed for: r12v0, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r13v0, types: [org.elasticsearch.common.io.stream.StreamOutput] */
    /* JADX WARN: Type inference failed for: r14v0, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r17v0, types: [javax.crypto.CipherOutputStream] */
    /* JADX WARN: Type inference failed for: r18v0, types: [java.lang.Throwable] */
    public String getUserTokenString(UserToken userToken) throws IOException, GeneralSecurityException {
        ?? r11;
        ?? r12;
        ?? r13;
        ?? r14;
        ?? r17;
        ?? r18;
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(MINIMUM_BASE64_BYTES);
        Throwable th = null;
        try {
            try {
                OutputStream wrap = Base64.getEncoder().wrap(byteArrayOutputStream);
                Throwable th2 = null;
                try {
                    OutputStreamStreamOutput outputStreamStreamOutput = new OutputStreamStreamOutput(wrap);
                    Throwable th3 = null;
                    try {
                        KeyAndCache keyAndCache = this.keyCache.activeKeyCache;
                        Version.writeVersion(TOKEN_SERVICE_VERSION, outputStreamStreamOutput);
                        outputStreamStreamOutput.writeByteArray(keyAndCache.getSalt().bytes);
                        outputStreamStreamOutput.writeByteArray(keyAndCache.getKeyHash().bytes);
                        byte[] newInitializationVector = getNewInitializationVector();
                        outputStreamStreamOutput.writeByteArray(newInitializationVector);
                        CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStreamStreamOutput, getEncryptionCipher(newInitializationVector, keyAndCache));
                        Throwable th4 = null;
                        OutputStreamStreamOutput outputStreamStreamOutput2 = new OutputStreamStreamOutput(cipherOutputStream);
                        Throwable th5 = null;
                        try {
                            try {
                                userToken.writeTo(outputStreamStreamOutput2);
                                outputStreamStreamOutput2.close();
                                String str = new String(byteArrayOutputStream.toByteArray(), StandardCharsets.UTF_8);
                                if (outputStreamStreamOutput2 != null) {
                                    if (0 != 0) {
                                        try {
                                            outputStreamStreamOutput2.close();
                                        } catch (Throwable th6) {
                                            th5.addSuppressed(th6);
                                        }
                                    } else {
                                        outputStreamStreamOutput2.close();
                                    }
                                }
                                if (cipherOutputStream != null) {
                                    if (0 != 0) {
                                        try {
                                            cipherOutputStream.close();
                                        } catch (Throwable th7) {
                                            th4.addSuppressed(th7);
                                        }
                                    } else {
                                        cipherOutputStream.close();
                                    }
                                }
                                if (outputStreamStreamOutput != null) {
                                    if (0 != 0) {
                                        try {
                                            outputStreamStreamOutput.close();
                                        } catch (Throwable th8) {
                                            th3.addSuppressed(th8);
                                        }
                                    } else {
                                        outputStreamStreamOutput.close();
                                    }
                                }
                                if (wrap != null) {
                                    if (0 != 0) {
                                        try {
                                            wrap.close();
                                        } catch (Throwable th9) {
                                            th2.addSuppressed(th9);
                                        }
                                    } else {
                                        wrap.close();
                                    }
                                }
                                return str;
                            } finally {
                            }
                        } catch (Throwable th10) {
                            if (outputStreamStreamOutput2 != null) {
                                if (th5 != null) {
                                    try {
                                        outputStreamStreamOutput2.close();
                                    } catch (Throwable th11) {
                                        th5.addSuppressed(th11);
                                    }
                                } else {
                                    outputStreamStreamOutput2.close();
                                }
                            }
                            throw th10;
                        }
                    } catch (Throwable th12) {
                        if (r17 != 0) {
                            if (r18 != 0) {
                                try {
                                    r17.close();
                                } catch (Throwable th13) {
                                    r18.addSuppressed(th13);
                                }
                            } else {
                                r17.close();
                            }
                        }
                        throw th12;
                    }
                } catch (Throwable th14) {
                    if (r13 != 0) {
                        if (r14 != 0) {
                            try {
                                r13.close();
                            } catch (Throwable th15) {
                                r14.addSuppressed(th15);
                            }
                        } else {
                            r13.close();
                        }
                    }
                    throw th14;
                }
            } catch (Throwable th16) {
                if (r11 != 0) {
                    if (r12 != 0) {
                        try {
                            r11.close();
                        } catch (Throwable th17) {
                            r12.addSuppressed(th17);
                        }
                    } else {
                        r11.close();
                    }
                }
                throw th16;
            }
        } finally {
            if (byteArrayOutputStream != null) {
                if (0 != 0) {
                    try {
                        byteArrayOutputStream.close();
                    } catch (Throwable th18) {
                        th.addSuppressed(th18);
                    }
                } else {
                    byteArrayOutputStream.close();
                }
            }
        }
    }

    private void ensureEncryptionCiphersSupported() throws NoSuchPaddingException, NoSuchAlgorithmException {
        Cipher.getInstance(ENCRYPTION_CIPHER);
        SecretKeyFactory.getInstance(KDF_ALGORITHM);
    }

    private Cipher getEncryptionCipher(byte[] bArr, KeyAndCache keyAndCache) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        BytesKey salt = keyAndCache.getSalt();
        try {
            cipher.init(1, keyAndCache.getOrComputeKey(salt), new GCMParameterSpec(128, bArr), this.secureRandom);
            cipher.updateAAD(this.currentVersionBytes);
            cipher.updateAAD(salt.bytes);
            return cipher;
        } catch (ExecutionException e) {
            throw new ElasticsearchSecurityException("Failed to compute secret key for active salt", e, new Object[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Cipher getDecryptionCipher(byte[] bArr, SecretKey secretKey, Version version, BytesKey bytesKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        cipher.init(2, secretKey, new GCMParameterSpec(128, bArr), this.secureRandom);
        cipher.updateAAD(ByteBuffer.allocate(4).putInt(version.id).array());
        cipher.updateAAD(bytesKey.bytes);
        return cipher;
    }

    private byte[] getNewInitializationVector() {
        byte[] bArr = new byte[12];
        this.secureRandom.nextBytes(bArr);
        return bArr;
    }

    static SecretKey computeSecretKey(char[] cArr, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return new SecretKeySpec(SecretKeyFactory.getInstance(KDF_ALGORITHM).generateSecret(new PBEKeySpec(cArr, bArr, ITERATIONS, 128)).getEncoded(), "AES");
    }

    private static ElasticsearchSecurityException expiredTokenException() {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("token expired", RestStatus.UNAUTHORIZED, new Object[0]);
        elasticsearchSecurityException.addHeader("WWW-Authenticate", EXPIRED_TOKEN_WWW_AUTH_VALUE);
        return elasticsearchSecurityException;
    }

    private static ElasticsearchSecurityException malformedTokenException() {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("token malformed", RestStatus.UNAUTHORIZED, new Object[0]);
        elasticsearchSecurityException.addHeader("WWW-Authenticate", MALFORMED_TOKEN_WWW_AUTH_VALUE);
        return elasticsearchSecurityException;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isExpiredTokenException(ElasticsearchSecurityException elasticsearchSecurityException) {
        List<String> header = elasticsearchSecurityException.getHeader("WWW-Authenticate");
        if (header != null) {
            Stream<String> stream = header.stream();
            String str = EXPIRED_TOKEN_WWW_AUTH_VALUE;
            if (stream.anyMatch((v1) -> {
                return r1.equals(v1);
            })) {
                return true;
            }
        }
        return false;
    }

    boolean isExpirationInProgress() {
        return this.expiredTokenRemover.isExpirationInProgress();
    }

    synchronized TokenMetaData generateSpareKey() {
        KeyAndCache keyAndCache;
        if (this.keyCache.activeKeyCache != this.keyCache.cache.values().stream().max(Comparator.comparingLong(keyAndCache2 -> {
            return keyAndCache2.keyAndTimestamp.timestamp;
        })).get()) {
            return newTokenMetaData(this.keyCache.currentTokenKeyHash, this.keyCache.cache.values());
        }
        long incrementAndGet = this.createdTimeStamps.incrementAndGet();
        do {
            byte[] bArr = new byte[32];
            this.secureRandom.nextBytes(bArr);
            keyAndCache = new KeyAndCache(new KeyAndTimestamp(generateTokenKey(), incrementAndGet), new BytesKey(bArr));
        } while (this.keyCache.cache.containsKey(keyAndCache.getKeyHash()));
        return newTokenMetaData(this.keyCache.currentTokenKeyHash, Iterables.concat(this.keyCache.cache.values(), Collections.singletonList(keyAndCache)));
    }

    synchronized TokenMetaData rotateToSpareKey() {
        KeyAndCache keyAndCache = this.keyCache.cache.values().stream().max(Comparator.comparingLong(keyAndCache2 -> {
            return keyAndCache2.keyAndTimestamp.timestamp;
        })).get();
        if (keyAndCache == this.keyCache.activeKeyCache) {
            throw new IllegalStateException("call generateSpareKey first");
        }
        return newTokenMetaData(keyAndCache.getKeyHash(), this.keyCache.cache.values());
    }

    synchronized TokenMetaData pruneKeys(int i) {
        if (this.keyCache.cache.size() <= i) {
            return getTokenMetaData();
        }
        HashMap hashMap = new HashMap(this.keyCache.cache.size() + 1);
        KeyAndCache keyAndCache = this.keyCache.get(this.keyCache.currentTokenKeyHash);
        ArrayList arrayList = new ArrayList(this.keyCache.cache.values());
        Collections.sort(arrayList, (keyAndCache2, keyAndCache3) -> {
            return Long.compare(keyAndCache3.keyAndTimestamp.timestamp, keyAndCache2.keyAndTimestamp.timestamp);
        });
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            KeyAndCache keyAndCache4 = (KeyAndCache) it.next();
            if (hashMap.size() < i || keyAndCache4.keyAndTimestamp.timestamp >= keyAndCache.keyAndTimestamp.timestamp) {
                this.logger.debug("keeping key {} ", keyAndCache4.getKeyHash());
                hashMap.put(keyAndCache4.getKeyHash(), keyAndCache4);
            } else {
                this.logger.debug("prune key {} ", keyAndCache4.getKeyHash());
            }
        }
        if (!$assertionsDisabled && hashMap.isEmpty()) {
            throw new AssertionError();
        }
        if ($assertionsDisabled || hashMap.containsKey(this.keyCache.currentTokenKeyHash)) {
            return newTokenMetaData(this.keyCache.currentTokenKeyHash, hashMap.values());
        }
        throw new AssertionError();
    }

    public synchronized TokenMetaData getTokenMetaData() {
        return newTokenMetaData(this.keyCache.currentTokenKeyHash, this.keyCache.cache.values());
    }

    private TokenMetaData newTokenMetaData(BytesKey bytesKey, Iterable<KeyAndCache> iterable) {
        ArrayList arrayList = new ArrayList();
        Iterator<KeyAndCache> it = iterable.iterator();
        while (it.hasNext()) {
            arrayList.add(it.next().keyAndTimestamp);
        }
        return new TokenMetaData(arrayList, bytesKey.bytes);
    }

    synchronized void refreshMetaData(TokenMetaData tokenMetaData) {
        BytesKey bytesKey = new BytesKey(tokenMetaData.currentKeyHash);
        byte[] bArr = new byte[32];
        HashMap hashMap = new HashMap(tokenMetaData.keys.size());
        long j = this.createdTimeStamps.get();
        for (KeyAndTimestamp keyAndTimestamp : tokenMetaData.keys) {
            this.secureRandom.nextBytes(bArr);
            KeyAndCache keyAndCache = new KeyAndCache(keyAndTimestamp, new BytesKey(bArr));
            j = Math.max(keyAndCache.keyAndTimestamp.timestamp, j);
            if (this.keyCache.cache.containsKey(keyAndCache.getKeyHash())) {
                hashMap.put(keyAndCache.getKeyHash(), this.keyCache.get(keyAndCache.getKeyHash()));
            } else {
                hashMap.put(keyAndCache.getKeyHash(), keyAndCache);
            }
        }
        if (!hashMap.containsKey(bytesKey)) {
            throw new IllegalStateException("Current key is not in the map: " + hashMap.keySet() + " key: " + bytesKey);
        }
        this.createdTimeStamps.set(j);
        this.keyCache = new TokenKeys(Collections.unmodifiableMap(hashMap), bytesKey);
        this.logger.debug("refreshed keys current: {}, keys: {}", bytesKey, this.keyCache.cache.keySet());
    }

    private SecureString generateTokenKey() {
        byte[] bArr = new byte[64];
        byte[] bArr2 = new byte[0];
        char[] cArr = new char[0];
        try {
            this.secureRandom.nextBytes(bArr);
            bArr2 = Base64.getUrlEncoder().withoutPadding().encode(bArr);
            cArr = new char[bArr2.length];
            SecureString secureString = new SecureString(Arrays.copyOfRange(cArr, 0, UnicodeUtil.UTF8toUTF16(bArr2, 0, bArr2.length, cArr)));
            Arrays.fill(bArr, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(cArr, (char) 0);
            return secureString;
        } catch (Throwable th) {
            Arrays.fill(bArr, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(cArr, (char) 0);
            throw th;
        }
    }

    synchronized String getActiveKeyHash() {
        return new BytesRef(Base64.getUrlEncoder().withoutPadding().encode(this.keyCache.currentTokenKeyHash.bytes)).utf8ToString();
    }

    void rotateKeysOnMaster(ActionListener<ClusterStateUpdateResponse> actionListener) {
        this.logger.info("rotate keys on master");
        TokenMetaData generateSpareKey = generateSpareKey();
        ClusterService clusterService = this.clusterService;
        CheckedConsumer checkedConsumer = clusterStateUpdateResponse -> {
            if (!clusterStateUpdateResponse.isAcknowledged()) {
                actionListener.onFailure(new IllegalStateException("not acked"));
            } else {
                this.clusterService.submitStateUpdateTask("publish next key to prepare key rotation", new TokenMetadataPublishAction(actionListener, rotateToSpareKey()));
            }
        };
        actionListener.getClass();
        clusterService.submitStateUpdateTask("publish next key to prepare key rotation", new TokenMetadataPublishAction(ActionListener.wrap(checkedConsumer, actionListener::onFailure), generateSpareKey));
    }

    private void initialize(ClusterService clusterService) {
        clusterService.addListener(clusterChangedEvent -> {
            TokenMetaData tokenMetaData;
            if (clusterChangedEvent.state().getBlocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK) || (tokenMetaData = (TokenMetaData) clusterChangedEvent.state().custom(TokenMetaData.TYPE)) == null || tokenMetaData.equals(getTokenMetaData())) {
                return;
            }
            this.logger.info("refresh keys");
            try {
                refreshMetaData(tokenMetaData);
            } catch (Exception e) {
                this.logger.warn(e);
            }
            this.logger.info("refreshed keys");
        });
    }

    void clearActiveKeyCache() {
        this.keyCache.activeKeyCache.keyCache.invalidateAll();
    }

    static /* synthetic */ ElasticsearchSecurityException access$400() {
        return expiredTokenException();
    }

    static {
        $assertionsDisabled = !TokenService.class.desiredAssertionStatus();
        TOKEN_PASSPHRASE = SecureSetting.secureString("xpack.security.authc.token.passphrase", null, Setting.Property.Deprecated);
        TOKEN_EXPIRATION = Setting.timeSetting("xpack.security.authc.token.timeout", TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), Setting.Property.NodeScope);
        DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.token.delete.interval", TimeValue.timeValueMinutes(30L), Setting.Property.NodeScope);
        DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.token.delete.timeout", TimeValue.MINUS_ONE, Setting.Property.NodeScope);
        MINIMUM_BASE64_BYTES = Double.valueOf(Math.ceil(65.0d)).intValue();
        TOKEN_SERVICE_VERSION = Version.CURRENT;
    }
}
