package org.apache.druid.security.basic.authentication.validator;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheStats;
import com.google.common.hash.Hashing;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.time.Duration;
import java.util.Arrays;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.druid.error.DruidException;
import org.apache.druid.java.util.common.RE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.BasicAuthUtils;

/* loaded from: input_file:org/apache/druid/security/basic/authentication/validator/PasswordHashGenerator.class */
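/**
 * Derives PBKDF2 ({@value #HASH_ALGORITHM}) password hashes and memoizes recent derivations so that
 * repeated requests with the same credentials do not pay the key-stretching cost every time.
 *
 * <p>The cache holds up to 1000 entries and drops an entry 60 minutes after its last access. It only
 * memoizes the derivation; whether a credential is accepted is decided by whatever the caller does
 * with the returned hash (not visible in this file).
 *
 * <p>NOTE(review): the cache key contains a single salted SHA-256 of the password. Anyone able to
 * read this process's heap (heap dump, core file) obtains both {@code shaSalt} and the cached keys
 * and can test password guesses at SHA-256 speed instead of PBKDF2 speed. Treat heap dumps of this
 * process as credential material.
 */
public class PasswordHashGenerator {
    private static final Logger log = new Logger(PasswordHashGenerator.class);

    /** Derived key length in bits, as {@link PBEKeySpec} expects; the resulting hash is 64 bytes. */
    public static final int KEY_LENGTH = 512;
    public static final String HASH_ALGORITHM = "PBKDF2WithHmacSHA512";

    // Per-instance salt mixed into the cache-key digest; it never leaves this object.
    // NOTE(review): presumably random bytes - confirm against BasicAuthUtils.generateSalt().
    private final byte[] shaSalt = BasicAuthUtils.generateSalt();

    private final Cache<CacheKey, byte[]> cache = CacheBuilder.newBuilder()
        .maximumSize(1000)
        .recordStats()
        .expireAfterAccess(Duration.ofMinutes(60))
        .build();

    /**
     * Cache key identifying one derivation: a salted SHA-256 of the password plus the PBKDF2 salt and
     * iteration count. The plaintext password itself is not retained by the key.
     */
    public static class CacheKey {
        final byte[] passwordSha;
        final byte[] salt;
        final int numIterations;

        CacheKey(byte[] passwordSha, byte[] salt, int numIterations) {
            this.passwordSha = passwordSha;
            this.salt = salt;
            this.numIterations = numIterations;
        }

        /**
         * Builds the key for a password and its PBKDF2 parameters.
         *
         * @param password      plaintext password; read but not modified
         * @param salt          PBKDF2 salt; copied so later changes to the caller's array cannot alter a stored key
         * @param numIterations PBKDF2 iteration count
         * @param shaSalt       salt appended to the password bytes before the SHA-256 digest is taken
         */
        static CacheKey of(char[] password, byte[] salt, int numIterations, byte[] shaSalt) {
            // Encode straight from the char[]: going through new String(password) would leave an
            // immutable copy of the plaintext on the heap that nobody can wipe.
            final ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
            try {
                final byte[] digest = Hashing.sha256()
                    .newHasher()
                    .putBytes(utf8.array(), utf8.arrayOffset() + utf8.position(), utf8.remaining())
                    .putBytes(shaSalt)
                    .hash()
                    .asBytes();
                return new CacheKey(digest, salt == null ? null : salt.clone(), numIterations);
            } finally {
                // Best-effort wipe of the temporary UTF-8 copy of the password.
                Arrays.fill(utf8.array(), (byte) 0);
            }
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final CacheKey other = (CacheKey) obj;
            return numIterations == other.numIterations
                && Arrays.equals(passwordSha, other.passwordSha)
                && Arrays.equals(salt, other.salt);
        }

        @Override
        public int hashCode() {
            int result = Objects.hash(numIterations);
            result = 31 * result + Arrays.hashCode(passwordSha);
            result = 31 * result + Arrays.hashCode(salt);
            return result;
        }
    }

    /**
     * Returns the PBKDF2 hash for the given password, salt and iteration count, computing it only when
     * no cached entry exists.
     *
     * <p>A copy of the cached array is returned, so a caller that wipes or edits the result cannot
     * corrupt the entry served to later requests. Callers comparing the result with a stored hash
     * should use a constant-time comparison such as {@code java.security.MessageDigest.isEqual}.
     *
     * <p>Unchecked failures raised by the derivation are wrapped by Guava in
     * {@code UncheckedExecutionException}, which is not caught here and propagates to the caller.
     *
     * @param password      plaintext password; the caller keeps ownership and should wipe it afterwards
     * @param salt          PBKDF2 salt
     * @param numIterations PBKDF2 iteration count
     * @return the derived hash ({@link #KEY_LENGTH} bits)
     * @throws DruidException if the cache loader fails with a checked exception
     */
    public byte[] getOrComputePasswordHash(char[] password, byte[] salt, int numIterations) {
        try {
            final byte[] cached = this.cache.get(
                CacheKey.of(password, salt, numIterations, this.shaSalt),
                () -> computePasswordHash(password, salt, numIterations)
            );
            return cached.clone();
        } catch (ExecutionException e) {
            throw DruidException.defensive().build(e, "Could not compute hash of password");
        }
    }

    /** Returns the hit/miss statistics recorded by the hash cache. */
    public CacheStats getCacheStats() {
        return this.cache.stats();
    }

    /**
     * Derives a {@link #KEY_LENGTH}-bit hash of the password with {@value #HASH_ALGORITHM}, bypassing
     * the cache.
     *
     * <p>No minimum iteration count is enforced here; the value is used exactly as supplied, so the
     * work factor is only as strong as what the caller passes in.
     *
     * @param password      plaintext password; not modified
     * @param salt          PBKDF2 salt
     * @param numIterations PBKDF2 iteration count
     * @return the encoded derived key
     * @throws RE               if the algorithm is not available in this JVM
     * @throws RuntimeException if the key specification is rejected by the provider
     */
    public static byte[] computePasswordHash(char[] password, byte[] salt, int numIterations) {
        // PBEKeySpec keeps its own copy of the password, which must be cleared explicitly.
        final PBEKeySpec keySpec = new PBEKeySpec(password, salt, numIterations, KEY_LENGTH);
        try {
            return SecretKeyFactory.getInstance(HASH_ALGORITHM).generateSecret(keySpec).getEncoded();
        } catch (NoSuchAlgorithmException e) {
            log.error("Hash algorithm[%s] is not supported on this system.", HASH_ALGORITHM);
            throw new RE(e, "Hash algorithm[%s] is not supported on this system.", HASH_ALGORITHM);
        } catch (InvalidKeySpecException e) {
            log.error("Invalid keyspec");
            throw new RuntimeException("Invalid keyspec", e);
        } finally {
            keySpec.clearPassword();
        }
    }
}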
