package org.elasticsearch.xpack.security.authc.support;

import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicBoolean;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.authc.support.CachingUsernamePasswordRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm.class */
public abstract class CachingUsernamePasswordRealm extends UsernamePasswordRealm implements CachingRealm {
    private final Cache<String, ListenableFuture<CachedResult>> cache;
    private final ThreadPool threadPool;
    private final boolean authenticationEnabled;
    final Hasher cacheHasher;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm$CachedResult.class */
    public static class CachedResult {
        private final AuthenticationResult<User> authenticationResult;
        private final User user;
        private final char[] hash;

        private CachedResult(AuthenticationResult<User> authenticationResult, Hasher hasher, @Nullable User user, @Nullable SecureString secureString) {
            this.authenticationResult = (AuthenticationResult) Objects.requireNonNull(authenticationResult);
            if (this.authenticationResult.isAuthenticated() && user == null) {
                throw new IllegalArgumentException("authentication cannot be successful with a null user");
            }
            this.user = user;
            this.hash = secureString == null ? null : hasher.hash(secureString);
        }

        private boolean verify(SecureString secureString) {
            return this.hash != null && Hasher.verifyHash(secureString, this.hash);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CachingUsernamePasswordRealm(RealmConfig realmConfig, ThreadPool threadPool) {
        super(realmConfig);
        this.cacheHasher = Hasher.resolve((String) this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_HASH_ALGO_SETTING));
        this.threadPool = threadPool;
        TimeValue timeValue = (TimeValue) this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING);
        if (timeValue.getNanos() > 0) {
            this.cache = CacheBuilder.builder().setExpireAfterWrite(timeValue).setMaximumWeight(((Integer) this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_MAX_USERS_SETTING)).intValue()).build();
        } else {
            this.cache = null;
        }
        this.authenticationEnabled = ((Boolean) realmConfig.getSetting(CachingUsernamePasswordRealmSettings.AUTHC_ENABLED_SETTING)).booleanValue();
    }

    public final void expire(String str) {
        if (this.cache != null) {
            this.logger.trace("invalidating cache for user [{}] in realm [{}]", str, name());
            this.cache.invalidate(str);
        }
    }

    public final void expireAll() {
        if (this.cache != null) {
            this.logger.trace("invalidating cache for all users in realm [{}]", name());
            this.cache.invalidateAll();
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UsernamePasswordRealm
    /* renamed from: token */
    public UsernamePasswordToken mo113token(ThreadContext threadContext) {
        if (this.authenticationEnabled) {
            return super.mo113token(threadContext);
        }
        return null;
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UsernamePasswordRealm
    public boolean supports(AuthenticationToken authenticationToken) {
        return this.authenticationEnabled && super.supports(authenticationToken);
    }

    public final void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult<User>> actionListener) {
        if (!this.authenticationEnabled) {
            actionListener.onResponse(AuthenticationResult.notHandled());
            return;
        }
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        try {
            if (this.cache == null) {
                doAuthenticate(usernamePasswordToken, actionListener);
            } else {
                authenticateWithCache(usernamePasswordToken, actionListener);
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    private void authenticateWithCache(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult<User>> actionListener) {
        if (!$assertionsDisabled && this.cache == null) {
            throw new AssertionError();
        }
        try {
            AtomicBoolean atomicBoolean = new AtomicBoolean(true);
            ListenableFuture listenableFuture = (ListenableFuture) this.cache.computeIfAbsent(usernamePasswordToken.principal(), str -> {
                atomicBoolean.set(false);
                return new ListenableFuture();
            });
            if (atomicBoolean.get()) {
                CheckedConsumer checkedConsumer = cachedResult -> {
                    boolean verify = cachedResult.verify(usernamePasswordToken.credentials());
                    if (!cachedResult.authenticationResult.isAuthenticated()) {
                        if (verify) {
                            this.logger.trace("realm [{}], provided credentials for user [{}] are invalid (cached result) status:[{}] message:[{}]", name(), usernamePasswordToken.principal(), cachedResult.authenticationResult.getStatus(), cachedResult.authenticationResult.getMessage());
                            actionListener.onResponse(cachedResult.authenticationResult);
                            return;
                        } else {
                            this.logger.trace("realm [{}], provided credentials for user [{}] do not match (possibly invalid) cached credentials, invalidating cache and retrying", name(), usernamePasswordToken.principal());
                            this.cache.invalidate(usernamePasswordToken.principal(), listenableFuture);
                            authenticateWithCache(usernamePasswordToken, actionListener);
                            return;
                        }
                    }
                    if (!verify) {
                        this.logger.trace("realm [{}], provided credentials for user [{}] do not match (known good) cached credentials, invalidating cache and retrying", name(), usernamePasswordToken.principal());
                        this.cache.invalidate(usernamePasswordToken.principal(), listenableFuture);
                        authenticateWithCache(usernamePasswordToken, actionListener);
                    } else {
                        User user = cachedResult.user;
                        CheckedConsumer checkedConsumer2 = authenticationResult -> {
                            if (authenticationResult.isAuthenticated()) {
                                this.logger.debug("realm [{}] authenticated user [{}], with roles [{}] (cached)", name(), usernamePasswordToken.principal(), ((User) authenticationResult.getValue()).roles());
                            } else {
                                this.logger.debug("realm [{}] authenticated user [{}] from cache, but then failed [{}]", name(), usernamePasswordToken.principal(), authenticationResult.getMessage());
                            }
                            actionListener.onResponse(authenticationResult);
                        };
                        Objects.requireNonNull(actionListener);
                        handleCachedAuthentication(user, ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
                    }
                };
                Objects.requireNonNull(actionListener);
                listenableFuture.addListener(ActionListener.wrap(checkedConsumer, actionListener::onFailure), this.threadPool.executor("generic"), this.threadPool.getThreadContext());
            } else {
                this.logger.trace("realm [{}] does not have a cached result for user [{}]; attempting fresh authentication", name(), usernamePasswordToken.principal());
                doAuthenticate(usernamePasswordToken, ActionListener.wrap(authenticationResult -> {
                    if (!authenticationResult.isAuthenticated()) {
                        this.logger.trace("realm [{}] did not authenticate user [{}] ([{}])", name(), usernamePasswordToken.principal(), authenticationResult);
                        this.cache.invalidate(usernamePasswordToken.principal(), listenableFuture);
                    } else if (((User) authenticationResult.getValue()).enabled()) {
                        this.logger.debug("realm [{}], successful authentication [{}] for [{}]", name(), authenticationResult, usernamePasswordToken.principal());
                    } else {
                        this.logger.debug("realm [{}] cannot authenticate [{}], user is not enabled ([{}])", name(), usernamePasswordToken.principal(), authenticationResult.getValue());
                        this.cache.invalidate(usernamePasswordToken.principal(), listenableFuture);
                    }
                    listenableFuture.onResponse(new CachedResult(authenticationResult, this.cacheHasher, (User) authenticationResult.getValue(), usernamePasswordToken.credentials()));
                    actionListener.onResponse(authenticationResult);
                }, exc -> {
                    this.cache.invalidate(usernamePasswordToken.principal(), listenableFuture);
                    listenableFuture.onFailure(exc);
                    actionListener.onFailure(exc);
                }));
            }
        } catch (ExecutionException e) {
            actionListener.onFailure(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void handleCachedAuthentication(User user, ActionListener<AuthenticationResult<User>> actionListener) {
        actionListener.onResponse(AuthenticationResult.success(user));
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        CheckedConsumer checkedConsumer = map -> {
            map.put("cache", Collections.singletonMap("size", Integer.valueOf(getCacheSize())));
            actionListener.onResponse(map);
        };
        Objects.requireNonNull(actionListener);
        super.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public int getCacheSize() {
        if (this.cache == null) {
            return -1;
        }
        return this.cache.count();
    }

    protected abstract void doAuthenticate(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult<User>> actionListener);

    public final void lookupUser(String str, ActionListener<User> actionListener) {
        try {
            if (this.cache == null) {
                doLookupUser(str, actionListener);
            } else {
                lookupWithCache(str, actionListener);
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    private void lookupWithCache(String str, ActionListener<User> actionListener) {
        if (!$assertionsDisabled && this.cache == null) {
            throw new AssertionError();
        }
        try {
            AtomicBoolean atomicBoolean = new AtomicBoolean(true);
            ListenableFuture listenableFuture = (ListenableFuture) this.cache.computeIfAbsent(str, str2 -> {
                atomicBoolean.set(false);
                return new ListenableFuture();
            });
            if (false == atomicBoolean.get()) {
                doLookupUser(str, ActionListener.wrap(user -> {
                    CachedResult cachedResult = new CachedResult(AuthenticationResult.notHandled(), this.cacheHasher, user, null);
                    if (user == null) {
                        this.cache.invalidate(str, listenableFuture);
                    }
                    listenableFuture.onResponse(cachedResult);
                }, exc -> {
                    this.cache.invalidate(str, listenableFuture);
                    listenableFuture.onFailure(exc);
                }));
            }
            CheckedConsumer checkedConsumer = cachedResult -> {
                if (cachedResult.user != null) {
                    actionListener.onResponse(cachedResult.user);
                } else {
                    actionListener.onResponse((Object) null);
                }
            };
            Objects.requireNonNull(actionListener);
            listenableFuture.addListener(ActionListener.wrap(checkedConsumer, actionListener::onFailure), this.threadPool.executor("generic"), this.threadPool.getThreadContext());
        } catch (ExecutionException e) {
            actionListener.onFailure(e);
        }
    }

    protected abstract void doLookupUser(String str, ActionListener<User> actionListener);

    static {
        $assertionsDisabled = !CachingUsernamePasswordRealm.class.desiredAssertionStatus();
    }
}
