package org.elasticsearch.shield.authc.support;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.support.Exceptions;

/* loaded from: input_file:lib/shield-2.4.0.jar:org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.class */
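/**
 * Base class for username/password realms that keep recently resolved users in an
 * in-memory Guava cache, so repeated requests do not each reach the backing realm.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A cache entry stores the {@link User} together with a hash of the password that
 *       last authenticated successfully. The hash algorithm comes from the
 *       {@code cache.hash_algo} realm setting and falls back to {@code Hasher.SSHA256}.</li>
 *   <li>While an entry is alive and the presented password matches the cached hash, the
 *       backing realm is not consulted. Role changes or account removal in the backing
 *       store therefore only take effect once the entry expires ({@code cache.ttl},
 *       default 20 minutes) or is evicted through {@link #expire(String)} /
 *       {@link #expireAll()}.</li>
 *   <li>A password that does not match the cached hash evicts the entry and falls through
 *       to {@link #doAuthenticate(UsernamePasswordToken)}. Failed attempts therefore
 *       always reach the backing realm; any throttling or lockout has to be enforced
 *       there, because this cache does not provide it.</li>
 *   <li>Entries created by {@link #lookupUser(String)} carry no hash and can never
 *       satisfy {@link #authenticate(UsernamePasswordToken)}.</li>
 * </ul>
 *
 * <p>A {@code cache.ttl} of zero or less disables caching altogether.
 */
public abstract class CachingUsernamePasswordRealm extends UsernamePasswordRealm implements CachingRealm {
    public static final String CACHE_HASH_ALGO_SETTING = "cache.hash_algo";
    public static final String CACHE_TTL_SETTING = "cache.ttl";
    public static final String CACHE_MAX_USERS_SETTING = "cache.max_users";
    private static final TimeValue DEFAULT_TTL = TimeValue.timeValueMinutes(20);
    private static final int DEFAULT_MAX_USERS = 100000;

    // null when caching is disabled (cache.ttl <= 0); every use must be guarded.
    private final Cache<String, UserWithHash> cache;
    final Hasher hasher;

    /**
     * Cache entry: the resolved user plus, for entries created by a successful
     * authentication, a hash of the password that was presented.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static class UserWithHash {
        User user;
        // Hash of the authenticating password; null for entries created by a lookup.
        char[] hash;
        Hasher hasher;

        /**
         * @param user          the resolved user
         * @param securedString the password that authenticated the user, or {@code null}
         *                      when the entry comes from a lookup (no hash is stored and
         *                      {@code hasher} is not used)
         * @param hasher        hasher used to hash the password now and verify it later
         */
        public UserWithHash(User user, SecuredString securedString, Hasher hasher) {
            this.user = user;
            this.hash = securedString == null ? null : hasher.hash(securedString);
            this.hasher = hasher;
        }

        /**
         * Checks a presented password against the stored hash.
         *
         * @return {@code false} when no hash is stored, otherwise the hasher's verdict
         */
        public boolean verify(SecuredString securedString) {
            return this.hash != null && this.hasher.verify(securedString, this.hash);
        }

        /** @return {@code true} when this entry was created by an authentication. */
        public boolean hasHash() {
            return this.hash != null;
        }
    }

    /**
     * Reads the cache settings of the realm and builds the cache.
     *
     * @param str         passed through to the superclass constructor
     * @param realmConfig realm configuration supplying {@code cache.hash_algo},
     *                    {@code cache.ttl} and {@code cache.max_users}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public CachingUsernamePasswordRealm(String str, RealmConfig realmConfig) {
        super(str, realmConfig);
        this.hasher = Hasher.resolve(realmConfig.settings().get(CACHE_HASH_ALGO_SETTING, (String) null), Hasher.SSHA256);
        TimeValue ttl = realmConfig.settings().getAsTime(CACHE_TTL_SETTING, DEFAULT_TTL);
        if (ttl.millis() > 0) {
            int maxUsers = realmConfig.settings().getAsInt(CACHE_MAX_USERS_SETTING, DEFAULT_MAX_USERS);
            this.cache = CacheBuilder.newBuilder()
                    .expireAfterWrite(ttl.getMillis(), TimeUnit.MILLISECONDS)
                    .maximumSize(maxUsers)
                    .build();
        } else {
            // A non-positive TTL switches caching off.
            this.cache = null;
        }
    }

    /**
     * Evicts the cached entry of one user, if caching is enabled.
     *
     * @param str the principal whose entry is dropped
     */
    @Override // org.elasticsearch.shield.authc.support.CachingRealm
    public final void expire(String str) {
        if (this.cache == null) {
            return;
        }
        this.logger.trace("invalidating cache for user [{}] in realm [{}]", str, name());
        this.cache.invalidate(str);
    }

    /** Evicts every cached entry of this realm, if caching is enabled. */
    @Override // org.elasticsearch.shield.authc.support.CachingRealm
    public final void expireAll() {
        if (this.cache == null) {
            return;
        }
        this.logger.trace("invalidating cache for all users in realm [{}]", name());
        this.cache.invalidateAll();
    }

    /**
     * Authenticates a token, answering from the cache when the presented password matches
     * the hash stored for the principal and delegating to
     * {@link #doAuthenticate(UsernamePasswordToken)} otherwise.
     *
     * <p>When caching is enabled, any exception raised on the way is logged at
     * trace/debug level and reported as a failed authentication, so errors fail closed.
     *
     * @param usernamePasswordToken the principal and password presented by the client
     * @return the authenticated user, or {@code null} when authentication failed
     */
    @Override // org.elasticsearch.shield.authc.Realm
    public final User authenticate(UsernamePasswordToken usernamePasswordToken) {
        if (this.cache == null) {
            return doAuthenticate(usernamePasswordToken);
        }
        try {
            // The cache key is the principal exactly as the client supplied it.
            final String principal = usernamePasswordToken.principal();
            final UserWithHash cached = this.cache.getIfPresent(principal);

            if (cached == null) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("user not found in cache, proceeding with normal authentication");
                }
                User user = doAuthenticate(usernamePasswordToken);
                if (user == null) {
                    // Failures are never cached.
                    return null;
                }
                this.cache.put(principal, new UserWithHash(user, usernamePasswordToken.credentials(), this.hasher));
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("authenticated user [{}], with roles [{}]", principal, user.roles());
                }
                return user;
            }

            final boolean hasHash = cached.hasHash();
            if (hasHash && cached.verify(usernamePasswordToken.credentials())) {
                // Cache hit: the backing realm is not consulted, so the returned user
                // (roles included) is as old as the cache entry.
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("authenticated user [{}], with roles [{}]", principal, cached.user.roles());
                }
                return cached.user;
            }

            // Either the password differs from the cached one or the entry came from a
            // lookup and has no hash. Drop it and ask the backing realm; a wrong password
            // therefore always costs a backend round trip and evicts the entry.
            this.cache.invalidate(principal);
            User user = doAuthenticate(usernamePasswordToken);
            if (user == null) {
                return null;
            }
            UserWithHash refreshed = new UserWithHash(user, usernamePasswordToken.credentials(), this.hasher);
            this.cache.put(principal, refreshed);
            if (this.logger.isDebugEnabled()) {
                if (hasHash) {
                    this.logger.debug("cached user's password changed. authenticated user [{}], with roles [{}]", principal, refreshed.user.roles());
                } else {
                    this.logger.debug("cached user came from a lookup and could not be used for authentication. authenticated user [{}], with roles [{}]", principal, refreshed.user.roles());
                }
            }
            return refreshed.user;
        } catch (Exception e) {
            // NOTE(review): the principal is written to the log as received from the
            // client; confirm the log pipeline tolerates arbitrary characters in it.
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("realm [" + type() + "] could not authenticate [" + usernamePasswordToken.principal() + "]", e);
            } else if (this.logger.isDebugEnabled()) {
                this.logger.debug("realm [" + type() + "] could not authenticate [" + usernamePasswordToken.principal() + "]");
            }
            return null;
        }
    }

    /**
     * Resolves a user by name without authenticating, going through the cache when it is
     * enabled. Entries created here carry no password hash.
     *
     * @param str the principal to look up
     * @return the user, or {@code null} when lookup is unsupported, the user is unknown,
     *         or the lookup failed
     */
    @Override // org.elasticsearch.shield.authc.Realm
    public final User lookupUser(final String str) {
        if (!userLookupSupported()) {
            return null;
        }
        if (this.cache == null) {
            // Caching is disabled (cache.ttl <= 0). Dereferencing the cache here used to
            // throw a NullPointerException that the catch clause below does not cover, so
            // the lookup goes straight to the backing realm instead. Runtime failures map
            // to null, as they do on the cached path.
            try {
                return doLookupUser(str);
            } catch (RuntimeException e) {
                logLookupFailure(str, e);
                return null;
            }
        }
        try {
            UserWithHash entry = this.cache.get(str, new Callable<UserWithHash>() {
                @Override // java.util.concurrent.Callable
                public UserWithHash call() throws Exception {
                    if (CachingUsernamePasswordRealm.this.logger.isDebugEnabled()) {
                        CachingUsernamePasswordRealm.this.logger.debug("user not found in cache, proceeding with normal lookup");
                    }
                    User found = CachingUsernamePasswordRealm.this.doLookupUser(str);
                    if (found == null) {
                        // Throwing instead of returning null keeps a miss out of the cache.
                        throw Exceptions.authenticationError("could not lookup [{}]", str);
                    }
                    // No password was presented, so the entry is stored without a hash.
                    return new UserWithHash(found, null, null);
                }
            });
            return entry.user;
        } catch (ExecutionException | UncheckedExecutionException e) {
            logLookupFailure(str, e);
            return null;
        }
    }

    /**
     * Logs a failed lookup: with the exception at trace level, otherwise as a single line
     * at debug level. The debug text used to read "could not authenticate", which made
     * lookup failures indistinguishable from failed logins in the log.
     */
    private void logLookupFailure(String username, Exception e) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("realm [" + name() + "] could not lookup [" + username + "]", e);
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug("realm [" + name() + "] could not lookup [" + username + "]");
        }
    }

    /**
     * Authenticates the token against the backing realm, bypassing the cache.
     *
     * @return the authenticated user, or {@code null} when authentication failed
     */
    protected abstract User doAuthenticate(UsernamePasswordToken usernamePasswordToken);

    /**
     * Looks the user up in the backing realm, bypassing the cache.
     *
     * @return the user, or {@code null} when no such user exists
     */
    protected abstract User doLookupUser(String str);
}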
