package org.elasticsearch.xpack.security.authc.service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.action.service.TokenInfo;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountTokenStore;
import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/CachingServiceAccountTokenStore.class */
public abstract class CachingServiceAccountTokenStore implements ServiceAccountTokenStore, CacheInvalidatorRegistry.CacheInvalidator {
    private static final Logger logger;
    public static final Setting<String> CACHE_HASH_ALGO_SETTING;
    public static final Setting<TimeValue> CACHE_TTL_SETTING;
    public static final Setting<Integer> CACHE_MAX_TOKENS_SETTING;
    private final Settings settings;
    private final ThreadPool threadPool;
    private final Cache<String, ListenableFuture<CachedResult>> cache;
    private final Hasher hasher;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/CachingServiceAccountTokenStore$CachedResult.class */
    public static class CachedResult {
        private final boolean success;
        private final char[] hash;

        private CachedResult(Hasher hasher, boolean z, ServiceAccountToken serviceAccountToken) {
            this.success = z;
            this.hash = hasher.hash(serviceAccountToken.getSecret());
        }

        private boolean verify(ServiceAccountToken serviceAccountToken) {
            return this.hash != null && Hasher.verifyHash(serviceAccountToken.getSecret(), this.hash);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CachingServiceAccountTokenStore(Settings settings, ThreadPool threadPool) {
        this.settings = settings;
        this.threadPool = threadPool;
        TimeValue timeValue = (TimeValue) CACHE_TTL_SETTING.get(settings);
        if (timeValue.getNanos() > 0) {
            this.cache = CacheBuilder.builder().setExpireAfterWrite(timeValue).setMaximumWeight(((Integer) CACHE_MAX_TOKENS_SETTING.get(settings)).intValue()).build();
        } else {
            this.cache = null;
        }
        this.hasher = Hasher.resolve((String) CACHE_HASH_ALGO_SETTING.get(settings));
    }

    @Override // org.elasticsearch.xpack.security.authc.service.ServiceAccountTokenStore
    public void authenticate(ServiceAccountToken serviceAccountToken, ActionListener<ServiceAccountTokenStore.StoreAuthenticationResult> actionListener) {
        try {
            if (this.cache == null) {
                doAuthenticate(serviceAccountToken, actionListener);
            } else {
                authenticateWithCache(serviceAccountToken, actionListener);
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    private void authenticateWithCache(ServiceAccountToken serviceAccountToken, ActionListener<ServiceAccountTokenStore.StoreAuthenticationResult> actionListener) {
        if (!$assertionsDisabled && this.cache == null) {
            throw new AssertionError();
        }
        try {
            AtomicBoolean atomicBoolean = new AtomicBoolean(true);
            ListenableFuture listenableFuture = (ListenableFuture) this.cache.computeIfAbsent(serviceAccountToken.getQualifiedName(), str -> {
                atomicBoolean.set(false);
                return new ListenableFuture();
            });
            if (atomicBoolean.get()) {
                listenableFuture.addListener(actionListener.delegateFailureAndWrap((actionListener2, cachedResult) -> {
                    if (cachedResult.success) {
                        actionListener2.onResponse(new ServiceAccountTokenStore.StoreAuthenticationResult(cachedResult.verify(serviceAccountToken), getTokenSource()));
                    } else if (cachedResult.verify(serviceAccountToken)) {
                        actionListener2.onResponse(new ServiceAccountTokenStore.StoreAuthenticationResult(false, getTokenSource()));
                    } else {
                        this.cache.invalidate(serviceAccountToken.getQualifiedName(), listenableFuture);
                        authenticateWithCache(serviceAccountToken, actionListener2);
                    }
                }), this.threadPool.generic(), this.threadPool.getThreadContext());
            } else {
                doAuthenticate(serviceAccountToken, ActionListener.wrap(storeAuthenticationResult -> {
                    if (false == storeAuthenticationResult.isSuccess()) {
                        this.cache.invalidate(serviceAccountToken.getQualifiedName(), listenableFuture);
                    } else {
                        logger.trace("cache service token [{}] authentication result", serviceAccountToken.getQualifiedName());
                    }
                    listenableFuture.onResponse(new CachedResult(this.hasher, storeAuthenticationResult.isSuccess(), serviceAccountToken));
                    actionListener.onResponse(storeAuthenticationResult);
                }, exc -> {
                    this.cache.invalidate(serviceAccountToken.getQualifiedName(), listenableFuture);
                    listenableFuture.onFailure(exc);
                    actionListener.onFailure(exc);
                }));
            }
        } catch (ExecutionException e) {
            actionListener.onFailure(e);
        }
    }

    @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
    public final void invalidate(Collection<String> collection) {
        if (this.cache != null) {
            logger.trace("invalidating cache for service token [{}]", Strings.collectionToCommaDelimitedString(collection));
            HashSet hashSet = new HashSet(collection);
            HashSet hashSet2 = new HashSet();
            Iterator it = hashSet.iterator();
            while (it.hasNext()) {
                String str = (String) it.next();
                if (str.endsWith("/")) {
                    hashSet2.add(str);
                    it.remove();
                }
            }
            Cache<String, ListenableFuture<CachedResult>> cache = this.cache;
            Objects.requireNonNull(cache);
            hashSet.forEach((v1) -> {
                r1.invalidate(v1);
            });
            if (false == hashSet2.isEmpty()) {
                Predicate predicate = str2 -> {
                    Stream stream = hashSet2.stream();
                    Objects.requireNonNull(str2);
                    return stream.anyMatch(str2::startsWith);
                };
                ArrayList arrayList = new ArrayList();
                this.cache.forEach((str3, listenableFuture) -> {
                    if (predicate.test(str3)) {
                        arrayList.add(str3);
                    }
                });
                Cache<String, ListenableFuture<CachedResult>> cache2 = this.cache;
                Objects.requireNonNull(cache2);
                arrayList.forEach((v1) -> {
                    r1.invalidate(v1);
                });
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
    public final void invalidateAll() {
        if (this.cache != null) {
            logger.trace("invalidating cache for all service tokens");
            this.cache.invalidateAll();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Settings getSettings() {
        return this.settings;
    }

    protected ThreadPool getThreadPool() {
        return this.threadPool;
    }

    abstract void doAuthenticate(ServiceAccountToken serviceAccountToken, ActionListener<ServiceAccountTokenStore.StoreAuthenticationResult> actionListener);

    abstract TokenInfo.TokenSource getTokenSource();

    Cache<String, ListenableFuture<CachedResult>> getCache() {
        return this.cache;
    }

    static {
        $assertionsDisabled = !CachingServiceAccountTokenStore.class.desiredAssertionStatus();
        logger = LogManager.getLogger(CachingServiceAccountTokenStore.class);
        CACHE_HASH_ALGO_SETTING = Setting.simpleString("xpack.security.authc.service_token.cache.hash_algo", "ssha256", new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_TTL_SETTING = Setting.timeSetting("xpack.security.authc.service_token.cache.ttl", TimeValue.timeValueMinutes(20L), new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_MAX_TOKENS_SETTING = Setting.intSetting("xpack.security.authc.service_token.cache.max_tokens", 100000, new Setting.Property[]{Setting.Property.NodeScope});
    }
}
