package org.apache.druid.security.basic.authentication.db.updater;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.inject.Inject;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import org.apache.druid.common.config.ConfigManager;
import org.apache.druid.concurrent.LifecycleLock;
import org.apache.druid.guice.ManageLifecycle;
import org.apache.druid.guice.annotations.Smile;
import org.apache.druid.java.util.common.ISE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.concurrent.Execs;
import org.apache.druid.java.util.common.concurrent.ScheduledExecutors;
import org.apache.druid.java.util.common.lifecycle.LifecycleStart;
import org.apache.druid.java.util.common.lifecycle.LifecycleStop;
import org.apache.druid.java.util.emitter.EmittingLogger;
import org.apache.druid.metadata.MetadataCASUpdate;
import org.apache.druid.metadata.MetadataStorageConnector;
import org.apache.druid.metadata.MetadataStorageTablesConfig;
import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
import org.apache.druid.security.basic.BasicAuthDBConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDBResourceException;
import org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator;
import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheNotifier;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUserMapBundle;
import org.apache.druid.server.security.Authenticator;
import org.apache.druid.server.security.AuthenticatorMapper;
import org.joda.time.Duration;

@ManageLifecycle
/* loaded from: input_file:org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.class */
public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements BasicAuthenticatorMetadataStorageUpdater {
    private static final EmittingLogger LOG = new EmittingLogger(CoordinatorBasicAuthenticatorMetadataStorageUpdater.class);
    private static final String USERS = "users";
    private static final long UPDATE_RETRY_DELAY = 1000;
    private final AuthenticatorMapper authenticatorMapper;
    private final MetadataStorageConnector connector;
    private final MetadataStorageTablesConfig connectorConfig;
    private final BasicAuthCommonCacheConfig commonCacheConfig;
    private final ObjectMapper objectMapper;
    private final BasicAuthenticatorCacheNotifier cacheNotifier;
    private final int numRetries = 5;
    private final LifecycleLock lifecycleLock = new LifecycleLock();
    private volatile boolean stopped = false;
    private final ScheduledExecutorService exec = Execs.scheduledSingleThreaded("CoordinatorBasicAuthenticatorMetadataStorageUpdater-Exec--%d");
    private final Map<String, BasicAuthenticatorUserMapBundle> cachedUserMaps = new ConcurrentHashMap();
    private final Set<String> authenticatorPrefixes = new HashSet();

    @Inject
    public CoordinatorBasicAuthenticatorMetadataStorageUpdater(AuthenticatorMapper authenticatorMapper, MetadataStorageConnector metadataStorageConnector, MetadataStorageTablesConfig metadataStorageTablesConfig, BasicAuthCommonCacheConfig basicAuthCommonCacheConfig, @Smile ObjectMapper objectMapper, BasicAuthenticatorCacheNotifier basicAuthenticatorCacheNotifier, ConfigManager configManager) {
        this.authenticatorMapper = authenticatorMapper;
        this.connector = metadataStorageConnector;
        this.connectorConfig = metadataStorageTablesConfig;
        this.commonCacheConfig = basicAuthCommonCacheConfig;
        this.objectMapper = objectMapper;
        this.cacheNotifier = basicAuthenticatorCacheNotifier;
    }

    @LifecycleStart
    public void start() {
        if (!this.lifecycleLock.canStart()) {
            throw new ISE("can't start.", new Object[0]);
        }
        if (this.authenticatorMapper == null || this.authenticatorMapper.getAuthenticatorMap() == null) {
            return;
        }
        try {
            LOG.info("Starting CoordinatorBasicAuthenticatorMetadataStorageUpdater.", new Object[0]);
            BasicAuthUtils.maybeInitialize(() -> {
                for (Map.Entry entry : this.authenticatorMapper.getAuthenticatorMap().entrySet()) {
                    Authenticator authenticator = (Authenticator) entry.getValue();
                    if (authenticator instanceof BasicHTTPAuthenticator) {
                        String str = (String) entry.getKey();
                        this.authenticatorPrefixes.add(str);
                        BasicAuthDBConfig dbConfig = ((BasicHTTPAuthenticator) authenticator).getDbConfig();
                        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
                        Map<String, BasicAuthenticatorUser> deserializeAuthenticatorUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(this.objectMapper, currentUserMapBytes);
                        this.cachedUserMaps.put(str, new BasicAuthenticatorUserMapBundle(deserializeAuthenticatorUserMap, currentUserMapBytes));
                        if (dbConfig.getInitialAdminPassword() != null && !deserializeAuthenticatorUserMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
                            createUserInternal(str, BasicAuthUtils.ADMIN_NAME);
                            setUserCredentialsInternal(str, BasicAuthUtils.ADMIN_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialAdminPassword().getPassword(), Integer.valueOf(BasicAuthUtils.DEFAULT_KEY_ITERATIONS)));
                        }
                        if (dbConfig.getInitialInternalClientPassword() != null && !deserializeAuthenticatorUserMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
                            createUserInternal(str, BasicAuthUtils.INTERNAL_USER_NAME);
                            setUserCredentialsInternal(str, BasicAuthUtils.INTERNAL_USER_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialInternalClientPassword().getPassword(), Integer.valueOf(BasicAuthUtils.DEFAULT_KEY_ITERATIONS)));
                        }
                    }
                }
                return true;
            });
            ScheduledExecutors.scheduleWithFixedDelay(this.exec, new Duration(this.commonCacheConfig.getPollingPeriod()), new Duration(this.commonCacheConfig.getPollingPeriod()), new Callable<ScheduledExecutors.Signal>() { // from class: org.apache.druid.security.basic.authentication.db.updater.CoordinatorBasicAuthenticatorMetadataStorageUpdater.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public ScheduledExecutors.Signal call() {
                    if (CoordinatorBasicAuthenticatorMetadataStorageUpdater.this.stopped) {
                        return ScheduledExecutors.Signal.STOP;
                    }
                    try {
                        CoordinatorBasicAuthenticatorMetadataStorageUpdater.LOG.debug("Scheduled db userMap poll is running", new Object[0]);
                        for (String str : CoordinatorBasicAuthenticatorMetadataStorageUpdater.this.authenticatorPrefixes) {
                            byte[] currentUserMapBytes = CoordinatorBasicAuthenticatorMetadataStorageUpdater.this.getCurrentUserMapBytes(str);
                            Map<String, BasicAuthenticatorUser> deserializeAuthenticatorUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(CoordinatorBasicAuthenticatorMetadataStorageUpdater.this.objectMapper, currentUserMapBytes);
                            if (currentUserMapBytes != null) {
                                CoordinatorBasicAuthenticatorMetadataStorageUpdater.this.cachedUserMaps.put(str, new BasicAuthenticatorUserMapBundle(deserializeAuthenticatorUserMap, currentUserMapBytes));
                            }
                        }
                        CoordinatorBasicAuthenticatorMetadataStorageUpdater.LOG.debug("Scheduled db userMap poll is done", new Object[0]);
                    } catch (Throwable th) {
                        CoordinatorBasicAuthenticatorMetadataStorageUpdater.LOG.makeAlert(th, "Error occured while polling for cachedUserMaps.", new Object[0]).emit();
                    }
                    return ScheduledExecutors.Signal.REPEAT;
                }
            });
            this.lifecycleLock.started();
        } finally {
            this.lifecycleLock.exitStart();
        }
    }

    @LifecycleStop
    public void stop() {
        if (!this.lifecycleLock.canStop()) {
            throw new ISE("can't stop.", new Object[0]);
        }
        LOG.info("CoordinatorBasicAuthenticatorMetadataStorageUpdater is stopping.", new Object[0]);
        this.stopped = true;
        LOG.info("CoordinatorBasicAuthenticatorMetadataStorageUpdater is stopped.", new Object[0]);
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public void createUser(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        createUserInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public void deleteUser(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        deleteUserInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public void setUserCredentials(String str, String str2, BasicAuthenticatorCredentialUpdate basicAuthenticatorCredentialUpdate) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        setUserCredentialsInternal(str, str2, basicAuthenticatorCredentialUpdate);
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public Map<String, BasicAuthenticatorUser> getCachedUserMap(String str) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        BasicAuthenticatorUserMapBundle basicAuthenticatorUserMapBundle = this.cachedUserMaps.get(str);
        if (basicAuthenticatorUserMapBundle == null) {
            return null;
        }
        return basicAuthenticatorUserMapBundle.getUserMap();
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public byte[] getCachedSerializedUserMap(String str) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        BasicAuthenticatorUserMapBundle basicAuthenticatorUserMapBundle = this.cachedUserMaps.get(str);
        if (basicAuthenticatorUserMapBundle == null) {
            return null;
        }
        return basicAuthenticatorUserMapBundle.getSerializedUserMap();
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public byte[] getCurrentUserMapBytes(String str) {
        return this.connector.lookup(this.connectorConfig.getConfigTable(), "name", "payload", getPrefixedKeyColumn(str, USERS));
    }

    @Override // org.apache.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater
    public void refreshAllNotification() {
        this.cachedUserMaps.forEach((str, basicAuthenticatorUserMapBundle) -> {
            this.cacheNotifier.addUserUpdate(str, basicAuthenticatorUserMapBundle.getSerializedUserMap());
        });
    }

    private static String getPrefixedKeyColumn(String str, String str2) {
        return StringUtils.format("basic_authentication_%s_%s", new Object[]{str, str2});
    }

    private void createUserInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (createUserOnce(str, str2)) {
                return;
            }
            i++;
            updateRetryDelay();
        }
        throw new ISE("Could not create user[%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void deleteUserInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (deleteUserOnce(str, str2)) {
                return;
            }
            i++;
            updateRetryDelay();
        }
        throw new ISE("Could not delete user[%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void updateRetryDelay() {
        try {
            Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        }
    }

    private void setUserCredentialsInternal(String str, String str2, BasicAuthenticatorCredentialUpdate basicAuthenticatorCredentialUpdate) {
        BasicAuthenticatorCredentials basicAuthenticatorCredentials = basicAuthenticatorCredentialUpdate.getIterations() == -1 ? new BasicAuthenticatorCredentials(new BasicAuthenticatorCredentialUpdate(basicAuthenticatorCredentialUpdate.getPassword(), Integer.valueOf(((BasicHTTPAuthenticator) this.authenticatorMapper.getAuthenticatorMap().get(str)).getDbConfig().getCredentialIterations()))) : new BasicAuthenticatorCredentials(basicAuthenticatorCredentialUpdate);
        int i = 0;
        while (i < 5) {
            if (setUserCredentialOnce(str, str2, basicAuthenticatorCredentials)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not set credentials for user[%s] due to concurrent update contention.", new Object[]{str2});
    }

    private boolean createUserOnce(String str, String str2) {
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthenticatorUser> deserializeAuthenticatorUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(this.objectMapper, currentUserMapBytes);
        if (deserializeAuthenticatorUserMap.get(str2) != null) {
            throw new BasicSecurityDBResourceException("User [%s] already exists.", str2);
        }
        deserializeAuthenticatorUserMap.put(str2, new BasicAuthenticatorUser(str2, null));
        return tryUpdateUserMap(str, deserializeAuthenticatorUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthenticatorUserMap(this.objectMapper, deserializeAuthenticatorUserMap));
    }

    private boolean deleteUserOnce(String str, String str2) {
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthenticatorUser> deserializeAuthenticatorUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(this.objectMapper, currentUserMapBytes);
        if (deserializeAuthenticatorUserMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", str2);
        }
        deserializeAuthenticatorUserMap.remove(str2);
        return tryUpdateUserMap(str, deserializeAuthenticatorUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthenticatorUserMap(this.objectMapper, deserializeAuthenticatorUserMap));
    }

    private boolean setUserCredentialOnce(String str, String str2, BasicAuthenticatorCredentials basicAuthenticatorCredentials) {
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthenticatorUser> deserializeAuthenticatorUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(this.objectMapper, currentUserMapBytes);
        if (deserializeAuthenticatorUserMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", str2);
        }
        deserializeAuthenticatorUserMap.put(str2, new BasicAuthenticatorUser(str2, basicAuthenticatorCredentials));
        return tryUpdateUserMap(str, deserializeAuthenticatorUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthenticatorUserMap(this.objectMapper, deserializeAuthenticatorUserMap));
    }

    private boolean tryUpdateUserMap(String str, Map<String, BasicAuthenticatorUser> map, byte[] bArr, byte[] bArr2) {
        try {
            if (!this.connector.compareAndSwap(Collections.singletonList(new MetadataCASUpdate(this.connectorConfig.getConfigTable(), "name", "payload", getPrefixedKeyColumn(str, USERS), bArr, bArr2)))) {
                return false;
            }
            this.cachedUserMaps.put(str, new BasicAuthenticatorUserMapBundle(map, bArr2));
            this.cacheNotifier.addUserUpdate(str, bArr2);
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
