package org.elasticsearch.xpack.security.authc.support;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.xpack.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm.class */
public abstract class CachingUsernamePasswordRealm extends UsernamePasswordRealm implements CachingRealm {
    public static final Setting<String> CACHE_HASH_ALGO_SETTING = Setting.simpleString("cache.hash_algo", Setting.Property.NodeScope);
    private static final TimeValue DEFAULT_TTL = TimeValue.timeValueMinutes(20);
    public static final Setting<TimeValue> CACHE_TTL_SETTING = Setting.timeSetting("cache.ttl", DEFAULT_TTL, Setting.Property.NodeScope);
    private static final int DEFAULT_MAX_USERS = 100000;
    public static final Setting<Integer> CACHE_MAX_USERS_SETTING = Setting.intSetting("cache.max_users", DEFAULT_MAX_USERS, Setting.Property.NodeScope);
    private final Cache<String, UserWithHash> cache;
    final Hasher hasher;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm$UserWithHash.class */
    public static class UserWithHash {
        User user;
        char[] hash;
        Hasher hasher;

        UserWithHash(User user, SecureString secureString, Hasher hasher) {
            this.user = user;
            this.hash = secureString == null ? null : hasher.hash(secureString);
            this.hasher = hasher;
        }

        boolean verify(SecureString secureString) {
            return this.hash != null && this.hasher.verify(secureString, this.hash);
        }

        boolean hasHash() {
            return this.hash != null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CachingUsernamePasswordRealm(String str, RealmConfig realmConfig) {
        super(str, realmConfig);
        this.hasher = Hasher.resolve(CACHE_HASH_ALGO_SETTING.get(realmConfig.settings()), Hasher.SSHA256);
        TimeValue timeValue = CACHE_TTL_SETTING.get(realmConfig.settings());
        if (timeValue.getNanos() > 0) {
            this.cache = CacheBuilder.builder().setExpireAfterWrite(timeValue).setMaximumWeight(CACHE_MAX_USERS_SETTING.get(realmConfig.settings()).intValue()).build();
        } else {
            this.cache = null;
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.support.CachingRealm
    public final void expire(String str) {
        if (this.cache != null) {
            this.logger.trace("invalidating cache for user [{}] in realm [{}]", str, name());
            this.cache.invalidate(str);
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.support.CachingRealm
    public final void expireAll() {
        if (this.cache != null) {
            this.logger.trace("invalidating cache for all users in realm [{}]", name());
            this.cache.invalidateAll();
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public final void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult> actionListener) {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        try {
            if (this.cache == null) {
                doAuthenticate(usernamePasswordToken, actionListener);
            } else {
                authenticateWithCache(usernamePasswordToken, actionListener);
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    private void authenticateWithCache(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult> actionListener) {
        UserWithHash userWithHash = this.cache.get(usernamePasswordToken.principal());
        if (userWithHash == null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("user [{}] not found in cache for realm [{}], proceeding with normal authentication", usernamePasswordToken.principal(), name());
            }
            CheckedConsumer checkedConsumer = authenticationResult -> {
                if (authenticationResult.isAuthenticated()) {
                    this.logger.debug("realm [{}] authenticated user [{}], with roles [{}]", name(), usernamePasswordToken.principal(), authenticationResult.getUser().roles());
                }
                actionListener.onResponse(authenticationResult);
            };
            actionListener.getClass();
            doAuthenticateAndCache(usernamePasswordToken, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            return;
        }
        if (!userWithHash.hasHash()) {
            this.cache.invalidate(usernamePasswordToken.principal());
            CheckedConsumer checkedConsumer2 = authenticationResult2 -> {
                if (authenticationResult2.isAuthenticated()) {
                    this.logger.debug("cached user came from a lookup and could not be used for authentication. realm [{}] authenticated user [{}] with roles [{}]", name(), usernamePasswordToken.principal(), authenticationResult2.getUser().roles());
                }
                actionListener.onResponse(authenticationResult2);
            };
            actionListener.getClass();
            doAuthenticateAndCache(usernamePasswordToken, ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
            return;
        }
        if (!userWithHash.verify(usernamePasswordToken.credentials())) {
            this.cache.invalidate(usernamePasswordToken.principal());
            CheckedConsumer checkedConsumer3 = authenticationResult3 -> {
                if (authenticationResult3.isAuthenticated()) {
                    this.logger.debug("cached user's password changed. realm [{}] authenticated user [{}], with roles [{}]", name(), usernamePasswordToken.principal(), authenticationResult3.getUser().roles());
                }
                actionListener.onResponse(authenticationResult3);
            };
            actionListener.getClass();
            doAuthenticateAndCache(usernamePasswordToken, ActionListener.wrap(checkedConsumer3, actionListener::onFailure));
            return;
        }
        if (userWithHash.user.enabled()) {
            User user = userWithHash.user;
            this.logger.debug("realm [{}] authenticated user [{}], with roles [{}]", name(), usernamePasswordToken.principal(), user.roles());
            actionListener.onResponse(AuthenticationResult.success(user));
        } else {
            this.cache.invalidate(usernamePasswordToken.principal());
            CheckedConsumer checkedConsumer4 = authenticationResult4 -> {
                if (authenticationResult4.isAuthenticated()) {
                    User user2 = authenticationResult4.getUser();
                    this.logger.debug("realm [{}] authenticated user [{}] (enabled:{}), with roles [{}]", name(), usernamePasswordToken.principal(), Boolean.valueOf(user2.enabled()), user2.roles());
                }
                actionListener.onResponse(authenticationResult4);
            };
            actionListener.getClass();
            doAuthenticateAndCache(usernamePasswordToken, ActionListener.wrap(checkedConsumer4, actionListener::onFailure));
        }
    }

    private void doAuthenticateAndCache(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult> actionListener) {
        CheckedConsumer checkedConsumer = authenticationResult -> {
            Objects.requireNonNull(authenticationResult, "AuthenticationResult cannot be null");
            if (authenticationResult.getStatus() == AuthenticationResult.Status.SUCCESS) {
                this.cache.put(usernamePasswordToken.principal(), new UserWithHash(authenticationResult.getUser(), usernamePasswordToken.credentials(), this.hasher));
            }
            actionListener.onResponse(authenticationResult);
        };
        actionListener.getClass();
        doAuthenticate(usernamePasswordToken, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public Map<String, Object> usageStats() {
        Map<String, Object> usageStats = super.usageStats();
        usageStats.put("size", Integer.valueOf(this.cache.count()));
        return usageStats;
    }

    protected abstract void doAuthenticate(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult> actionListener);

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public final void lookupUser(String str, ActionListener<User> actionListener) {
        if (this.cache == null) {
            doLookupUser(str, actionListener);
            return;
        }
        UserWithHash userWithHash = this.cache.get(str);
        if (userWithHash != null) {
            actionListener.onResponse(userWithHash.user);
            return;
        }
        try {
            CheckedConsumer checkedConsumer = user -> {
                Runnable runnable = () -> {
                    actionListener.onResponse(null);
                };
                if (user != null) {
                    UserWithHash userWithHash2 = new UserWithHash(user, null, null);
                    try {
                        this.cache.computeIfAbsent(str, str2 -> {
                            return userWithHash2;
                        });
                        runnable = () -> {
                            actionListener.onResponse(userWithHash2.user);
                        };
                    } catch (ExecutionException e) {
                        runnable = () -> {
                            actionListener.onFailure(e);
                        };
                    }
                }
                runnable.run();
            };
            actionListener.getClass();
            doLookupUser(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    protected abstract void doLookupUser(String str, ActionListener<User> actionListener);

    /* JADX INFO: Access modifiers changed from: protected */
    public static Set<Setting<?>> getCachingSettings() {
        return new HashSet(Arrays.asList(CACHE_HASH_ALGO_SETTING, CACHE_TTL_SETTING, CACHE_MAX_USERS_SETTING));
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UsernamePasswordRealm, org.elasticsearch.xpack.security.authc.Realm
    public /* bridge */ /* synthetic */ boolean supports(AuthenticationToken authenticationToken) {
        return super.supports(authenticationToken);
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UsernamePasswordRealm, org.elasticsearch.xpack.security.authc.Realm
    public /* bridge */ /* synthetic */ UsernamePasswordToken token(ThreadContext threadContext) {
        return super.token(threadContext);
    }
}
